Implementation of IPsec VPN on Cisco Routers and implementing it on ISP
1
1. INTRODUCTION
1.0 Introduction to TCP and IP concepts:
TCP and IP were developed by a Department of Defence (DOD) research
project to connect a number of different networks designed by different vendors
into a network of networks (the "Internet"). It was initially successful because it
delivered a few basic services that everyone needs (file transfer, electronic mail,
remote logon) across a very large number of client and server systems. Several
computers in a small department can use TCP/IP (along with other protocols) on
a single LAN. The IP component provides routing from the department to the
enterprise network, then to regional networks, and finally to the global Internet.
On the battlefield a communications network will sustain damage, so the DOD
designed TCP/IP to be robust and automatically recover from any node or
phone line failure. This design allows the construction of very large networks
with less central management. However, because of the automatic recovery,
network problems can go undiagnosed and uncorrected for long periods of time.
As with all other communications protocols, TCP/IP is composed of layers:
IP - is responsible for moving packets of data from node to node. IP
forwards each packet based on a four-byte destination address (the IP
number). The Internet authorities assign ranges of numbers to different
organizations. The organizations assign groups of their numbers to
departments. IP operates on gateway machines that move data from
department to organization to region and then around the world.
TCP - is responsible for verifying the correct delivery of data from client
to server. Data can be lost in the intermediate network. TCP adds support
to detect errors or lost data and to trigger retransmission until the data is
correctly and completely received.
Sockets - is the name given to the package of subroutines that provide
access to TCP/IP on most systems.
1.1 EXISTING SYSTEM:
There is no standard for what constitutes a VPN. VPNs can be
implemented using a number of different technologies, each of which
has its own strengths and weaknesses. This section presents a
scenario, and the strategies used for implementing a VPN for this
scenario.
For example, consider the following scenario: two networks, one home based and
one corporate based. Both are connected to the Internet and are expected, via
this VPN, to behave as one.
The premise is as follows:
You have at least two sites.
Both sites are using IP internally.
Both sites are connected to the Internet, through a gateway that is
running FreeBSD.
The gateway on each network has at least one public IP address.
The internal addresses of the two networks can be public or private IP
addresses; it does not matter. They just may not collide, e.g. both may not
use 192.168.1.x.
1.2 PROPOSED SYSTEM:
Internet Protocol Security (IPsec) is a protocol suite for securing Internet
Protocol (IP) communications by authenticating and encrypting each IP
packet of a communication session. IPsec also includes protocols for
establishing mutual authentication between agents at the beginning of the
session and negotiation of cryptographic keys to be used during the session.
IPsec is an end-to-end security scheme operating in the Internet Layer of
the Internet Protocol Suite. It can be used in protecting data flows between a
pair of hosts (host-to-host), between a pair of security gateways (network-to-
network), or between a security gateway and a host (network-to-host).
Some other Internet security systems in widespread use, such as Secure Sockets
Layer (SSL), Transport Layer Security (TLS) and Secure Shell (SSH), operate
in the upper layers of the TCP/IP model. In the past, the use of TLS/SSL had to
be designed into an application to protect the application protocols. In contrast,
since day one, applications did not need to be specifically designed to use IPsec.
Hence, IPsec protects any application traffic across an IP network.
1.3 ARCHITECTURE:
1.3.1 TCP/IP INTERNET ARCHITECTURE:
Fig 1.1 : Architecture of OSI and TCP/IP model
The Internet architecture is of a layered design, which makes testing and
future development of Internet protocols easy. The architecture and major
protocols of the Internet are controlled by the Internet Architecture Board
(IAB).
The Internet provides three sets of services. At the lowest level is a
connectionless delivery service (network layer) called the Internet protocol (IP).
The next level is the transport layer service. Multiple transport layer services
use the IP service. The highest level is the application layer services. Layering
of the services permits research and development on one without affecting the
others. The physical/link layer envelops the IP layer header and data. If the
physical layer is an Ethernet LAN, the IP layer places its message (datagram) in
the Ethernet (physical/link) frame data field. The transport layer places its
message (segment) in the IP data field. The application layer places its data in
the transport layer data field.
1.3.2 INTERNET PROTOCOL (IP)
The IP provides a connectionless delivery system that is unreliable and on a
best-effort basis. The IP specifies the basic unit of data transfer in a TCP/IP
internet as the datagram. Datagrams may be delayed, lost, duplicated, delivered
out of sequence, or intentionally fragmented, to permit a node with limited
buffer space to handle the IP datagram. It is the responsibility of the IP to
reassemble any fragmented datagrams. In some error situations, datagrams are
silently discarded while in other situations, error messages are sent to the
originators (via the ICMP, a utility protocol.) The IP specifications also define
how to choose the initial path over which data will be sent, and defines a set of
rules governing the unreliable datagram service.
Fig 1.2: IP-datagram format.
[Figure 1.2 diagram: the 32-bit-wide IP header layout with the fields Version, IHL, Type of service, Total length, Identification, DF and MF flags, Fragment offset, Time to live, Protocol, Header checksum, Source address, Destination address, and Options (0 or more words).]
1.3.2.1 Header Length – 4 Bit field
The value represents the number of octets in the header divided by four,
which makes it the number of 4-octet groups in the header. The header length is
used as a pointer to the beginning of data. The header length is usually equal to
5, which defines the normal, 20-octet header without options. When options are
used, padding may be required to make the total size of the header an even
multiple of 4-octet groups. The range of values for the header length is 5 to 15.
1.3.2.2 Version – 4 Bit field
The value used by IP is 4. Although the range of values is 0 to 15, all other
values are reserved or unassigned. By means of this field, different versions of
the IP could operate in the Internet.
1.3.2.2 Type of Service – 8 Bit field
Specifies the precedence and priority of the IP datagram. Bits +5, +6, and
+7 make up the precedence field, with a range of 0 to 7. Zero is the normal
precedence and 7 is reserved for network control. Most gateways presently
ignore this field.
The four bits (+1, +2, +3, and +4) define the priority field, which has the
field range of 0 to 15. The four priorities presently assigned (the remaining 12
values are reserved) are: value 0 (the default, normal service), value 1
(minimize monetary cost), value 2 (maximize reliability), value 4 (maximize
throughput), and value 8 (bit+4 equal to one, defines minimize delay option).
These values are used by routers to select paths that accommodate the user’s
request.
Fig 1.3: Type-of-service field.
[Figure 1.3 diagram: bit layout of the type-of-service octet, bits 7 to 0 (msb to lsb), with the precedence field in the high-order bits, the priority field below it and a final 0 bit; the bit order of transmission is indicated.]
1.3.2.3 Total Length – 16 Bit field
The total length field is used to identify the number of octets in the entire
datagram. The field has 16 bits, and the range is between 0 and 65,535 octets.
Since the datagram typically is contained in an Ethernet frame, the size usually
will be less than 1,500 octets. Larger datagrams may be handled by some
intermediate networks of the Internet but are segmented if a gateway of a
network is unable to handle the larger size. IP specifications set a minimum size
of 576 octets that must be handled by routers without fragmentation. Larger
datagrams are subject to fragmentation.
1.3.2.4 Identification – 16 Bit field
The value of the identification field is a sequential number assigned by
the originating host. The numbers cycle between 0 and 65,535 which when
combined with the originating host address makes it a unique number in the
Internet. The number is used to aid in the assembling of a fragmented datagram.
1.3.2.5 Fragment Offset – 13 Bit field
When the size of a datagram exceeds the maximum of an intermediate
network, it is segmented by that network. The fragment offset represents the
displacement (in increments of eight octets) of this segment from the beginning
of the entire datagram. This is a 13-bit field and provides an offset to the proper
location of this fragmented segment within the original datagram. Since the
value represents groups of eight octets, the effective range of the offset is
between 0 and 8191 octets. The resulting fragments are treated as complete
datagrams, and remain that way until they reach the destination host where they
are reassembled into the original datagram. Each fragment has the same header
as the original header except for the fragment offset field, identification field,
and the flags fields. Since the resulting datagrams may arrive out of order, these
fields are used to assemble the collection of fragments into the original
datagram.
1.3.2.6 Flags – 2 Bits
The flag field contains two flags. The low-order bit (MF) of the flags
fields is used to denote the last fragmented datagram when set to zero. That is,
intermediate (not-last) datagrams have the bit set equal to one to denote more
datagrams are to follow. The high-order bit (DF) of the flags field is set by an
originating host to prevent fragmentation of the datagram. When this bit is set
and the length of the datagram exceeds that of an intermediate network, the
datagram is discarded by the intermediate network and an error message
returned to the originating host via the ICMP.
1.3.2.7 Time to Live (TTL) – 8 Bit field
It represents a count, set by the originator, of how long the datagram can exist in the
Internet before being discarded. Hence, a datagram may loop around an internet
for a maximum of 2^8 – 1, or 255, before being discarded. The current
recommended default TTL for the IP is 64. Since each gateway handling a
datagram decrements the TTL by a minimum of one, the TTL can also represent
a hop count. However, if the gateway holds the datagram for more than one
second, then it decrements the TTL by the number of seconds held. The
originator of the datagram is sent an error message via the ICMP when the
datagram is discarded.
1.3.2.8 Protocol – 8 Bit field
The protocol field is used to identify the next higher layer protocol using the IP.
It will normally identify either the TCP (value equal to 6) or UDP (value equal
to 17) transport layer, but may identify up to 255 different transport layer
protocols. An upper layer protocol using the IP must have a unique protocol
number.
1.3.2.9 Checksum – 16 Bit field
The checksum provides assurance that the header has not been corrupted during
transmission. The checksum includes all fields in the IP header, starting with the
version number and ending with the octet immediately preceding the IP data
field, which may be a pad field if the option field is present.
The checksum includes the checksum field itself, which is set to zero for
the calculation. The checksum represents the 16-bit, one’s complement of the
one’s complement sum of all 16-bit groups in the header.
An intermediate network (node or gateway) that changes a field in the IP header
(e.g., time-to-live) must recompute the checksum before forwarding it. Users of
the IP must provide their own data integrity, since the IP checksum is only for
the header.
1.3.2.10 Source Address – 32 Bit field
The source address field contains the network identifier and host
identifier of the originator.
1.3.2.11 Destination Address – 32 Bit field
The destination address field contains the network identifier and host
identifier of the destination.
1.3.2.12 Options – variable field
The presence of the “options” field is determined from the value of the
header length field. If the header length is greater than five, at least one option
is present. Although it is not required that a host set options, it must be able to
accept and process options received in a datagram. The options field is variable
in length. Each option declared begins with a single octet that defines the
format of the remainder of the option.
1.3.2.13 Padding – variable field
The pad field, when present, consists of 1 to 3 octets of zero, as required, to
make the total number of octets in the header divisible by four. (The header
length is in increments of 32-bit groups.)
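As an added illustration of the header fields described in 1.3.2.1 through 1.3.2.13 (example code written for this report, not code from the report itself or from any Cisco tool), the following Python parses an IPv4 header using the header length to locate options and data, verifies the one's complement header checksum of 1.3.2.9, and recomputes that checksum after the TTL decrement a gateway performs. The sample header bytes and the function names are constructed for the example.

```python
"""Parse an IPv4 header, verify its one's complement checksum, and recompute the
checksum after a gateway decrements TTL. Added example, not code from the report."""
import struct

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed sample: IHL 5 (20-octet header, no options), DF set, TTL 64, UDP,
# 192.168.0.1 -> 192.168.0.199, header checksum 0xb861.
SAMPLE = bytes.fromhex("4500007300004000" "4011b861" "c0a80001" "c0a800c7")
# Same header with IHL 6: one NOP option, an End-of-Options octet and two pad
# octets bring the header to a multiple of four octets (checksum becomes 0xb661).
SAMPLE_WITH_OPTIONS = bytes.fromhex(
    "4600007300004000" "4011b661" "c0a80001" "c0a800c7" "01000000")


def ones_complement_checksum(data: bytes) -> int:
    """16-bit one's complement of the one's complement sum of all 16-bit groups.
    Run over a header whose checksum field already holds the right value, the
    result is 0, which is how a receiver verifies the header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold end-around carries
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(packet: bytes) -> dict:
    """Return the header fields; the header length (IHL) locates options and data."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the minimum 20-octet header")
    (vhl, tos, total_len, ident, frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = vhl >> 4, vhl & 0x0F
    if version != 4:
        raise ValueError("version field is %d, not 4" % version)
    if ihl < 5:                             # valid range is 5 to 15
        raise ValueError("header length %d is below 5" % ihl)
    header_len = ihl * 4
    if len(packet) < header_len:
        raise ValueError("options truncated")
    header = packet[:header_len]
    return {
        "version": version, "ihl": ihl, "header_len": header_len,
        "precedence": tos >> 5,              # bits +5..+7
        "priority": (tos >> 1) & 0x0F,       # bits +1..+4
        "total_length": total_len, "identification": ident,
        "df": bool(frag & 0x4000), "mf": bool(frag & 0x2000),
        "fragment_offset": frag & 0x1FFF,    # in units of eight octets
        "ttl": ttl, "protocol": PROTOCOL_NAMES.get(proto, proto),
        "checksum": csum,
        "checksum_ok": ones_complement_checksum(header) == 0,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "options": header[20:],              # options plus padding, if any
    }


def forward_hop(packet: bytes) -> bytes:
    """What a gateway does per 1.3.2.7 and 1.3.2.9: discard a corrupted header,
    discard an expired TTL, otherwise decrement TTL and recompute the checksum."""
    fields = parse_ipv4_header(packet)
    if not fields["checksum_ok"]:
        raise ValueError("header checksum mismatch: discard")
    if fields["ttl"] <= 1:
        raise ValueError("TTL expired: discard and report via ICMP")
    hl = fields["header_len"]
    hdr = bytearray(packet[:hl])
    hdr[8] -= 1                              # TTL octet
    hdr[10:12] = b"\x00\x00"                 # zero the checksum field first
    struct.pack_into("!H", hdr, 10, ones_complement_checksum(bytes(hdr)))
    return bytes(hdr) + packet[hl:]


if __name__ == "__main__":
    for pkt in (SAMPLE, SAMPLE_WITH_OPTIONS):
        print(parse_ipv4_header(pkt))
    print(parse_ipv4_header(forward_hop(SAMPLE)))
```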
2. LITERATURE SURVEY
2.1 INTRODUCTION
Information does not exist in a vacuum. Just as the need to share
information between desktop computers in an office has forced the proliferation
of LANs, the need to share information beyond a single workgroup is forcing
the adoption of LAN-to-LAN links, host gateways, asynchronous
communication servers, and other methods of communication with other
systems.
2.2 OBJECTIVES
The objectives of this chapter are to familiarize the reader with the following:
i) The LAN components and terminology
ii) Networking basics and topologies
iii) Hub
iv) Switch
v) Router
vi) Gateway
2.2.1 TOPOLOGY - Topology is the way that each node is physically
connected to the network. Common topologies include:
2.2.1.1 Bus :-
Fig 2.1:Bus network topology
Each node is daisy-chained (connected one right after the other)
along the same backbone. Information sent from a node travels along the
backbone until it reaches its destination node. Each end of a bus network
must be terminated with a resistor to keep the signal that is sent by a
node across the network from bouncing back when it reaches the end of
the cable.
2.2.1.2 Ring -
Fig 2.2: Ring network topology
Like a bus network, rings have the nodes daisy-chained. The difference is that the end of the network comes back around to the first node, creating a complete
circuit. In a ring network, each node takes a turn sending and receiving information through the use of a token. The token, along with any data, is sent
from the first node to the second node, which extracts the data addressed to it and adds any data it wishes to send. Then, the second node passes the token and
data to the third node, and so on until it comes back around to the first node again. Only the node with the token is allowed to send data. All other nodes
must wait for the token to come to them.
2.2.1.3 Star –
Fig 2.3: Star network topology
In a star network, each node is connected to a central device called a hub. The
hub takes a signal that comes from any node and passes it along to all the other
nodes.
2.2.1.4 SWITCHES:
Switches are a fundamental part of most networks. They make it possible
for several users to send information over a network at the same time without
slowing each other down. Just like routers allow different networks to
communicate with each other, switches allow different nodes (a network
connection point, typically a computer) of a network to communicate directly
with one another in a smooth and efficient manner.
While hubs provide an easy way to scale up and shorten the distance that
the packets must travel to get from one node to another, they do not break up
the actual network into discrete segments. That is where switches come in.
Fig 2.4: Imagine that each vehicle is a packet of data waiting for an
opportunity to continue on its trip.
In a fully switched network, switches replace all the hubs of an Ethernet
network with a dedicated segment for every node. These segments connect to a
switch, which supports multiple dedicated segments (sometimes in the
hundreds). Since the only devices on each segment are the switch and the node,
the switch picks up every transmission before it reaches another node. The
switch then forwards the frame over the appropriate segment. Since any
segment contains only a single node, the frame only reaches the intended
recipient. This allows many conversations to occur simultaneously on a
switched network.
Fig 2.5: An example of a network using a switch
Switching allows a network to maintain full-duplex Ethernet. Before switching,
Ethernet was half-duplex, which means that data could be transmitted in only
one direction at a time. In a fully switched network, each node communicates
only with the switch, not directly with other nodes. Information can travel from
node to switch and from switch to node simultaneously.
2.2.1.5 ROUTERS
Routers connect LANs at the Network layer of the OSI model. Routers
connect LANs that use the same Network-layer protocol, such as IPX-to-IPX
and IP-to-IP. Because routers operate at the Network layer, they can be used to
link dissimilar LANs, such as ARCNET, Ethernet, and Token Ring.
Fig 2.6: Example of Routers
Two networks connected via a router are physically and logically separate
networks. Network-layer protocols have their own addressing scheme separate
from the addressing scheme of MAC-layer protocols. This addressing scheme
may or may not include the MAC-layer addresses of the network cards. Each
network attached to a router must be assigned a logical identifier, or network
address, to designate it as unique from other physical networks.
For example, NetWare’s IPX routers (NetWare file servers or external
NetWare routers using ROUTER.EXE) use each LAN card’s MAC-layer
address and a logical address for each network assigned by the router installer.
Routers only forward traffic addressed to the other side. This means that
local traffic on one LAN will not affect performance on another. Routers can be
proprietary devices, or can be software and hardware residing in a general
purpose computer, such as a PC.
Like transparent bridges, routers maintain routing tables. A router’s
routing table, however, keeps track of network addresses and possible routes
between networks, not individual node addresses. Using routers, redundant
paths between networks can be established, and traffic will be routed between
networks based on some algorithm to determine the best path. The simplest
routers usually select the path with the fewest number of router hops as the best
path. More intelligent routers consider other factors, such as the relative
response times of various possible routes, when selecting the best path.
2.2.1.6 GATEWAYS
A gateway is a fundamentally different type of device than a router or
switch and can be used in conjunction with them. A gateway makes it possible
for an application program, running on a system conforming to one network
architecture, to communicate with an application program running on a system
conforming to some other network architecture.
A gateway performs its function in the Application layer of the OSI
model. The function of a gateway is to convert one set of communication
protocols to some other set of communication protocols. Protocol conversion
may include the following:
Message Format Conversion- Different networks may employ different
message formats, maximum message sizes, or character codes. The gateway
must be able to convert messages to the appropriate format, size and coding.
Address translation- Different networks may employ different addressing
mechanisms and network address structures. The gateway must be able to
interpret network addresses in one network and convert them into network
addresses in the other network.
Protocol conversion- When a message is prepared for transmission, each
layer adds control information, unique to the protocol used in that layer. The
gateway must be able to convert control information used by each layer so
that the receiving system receives the control information in the format it
expects.
2.3 IPv4 ADDRESSING
2.3.1 IP Addressing:
For any two systems to communicate, they must be able to identify and locate
each other. While the addresses in the Figure below are not actual network
addresses, they illustrate the concept of address grouping. The figure uses
the letter A or B to identify the network and the number sequence to identify the
individual host. A computer may be connected to more than one network. In
this situation, the system must be given more than one address. Each address
will identify the connection of the computer to a different network.
Fig 2.7: Network system.
A device is not said to have an address; rather, each of the connection
points, or interfaces, on that device has an address on a network. This will allow
other computers to locate the device on that particular network. The
combination of letter (network address) and the number (host address) create a
unique address for each device on the network. Each computer in a TCP/IP
network must be given a unique identifier, or IP address. This address,
operating at Layer 3, allows one computer to locate another computer on a
network. All computers also have a unique physical address, known as a MAC
address. These are assigned by the manufacturer of the network interface card.
MAC addresses operate at Layer 2 of the OSI model.
2.3.2 IPv4 addressing
A router forwards packets from the originating network to the destination
network using the IP protocol. The packets must include an identifier for both
the source and destination networks. Using the IP address of destination
network, a router can deliver a packet to the correct network. When the packet
arrives at a router connected to the destination network, the router uses the IP
address to locate the particular computer connected to that network. This system
works in much the same way as the national postal system. When the mail is
routed, it must first be delivered to the post office at the destination city using
the zip code. That post office then must locate the final destination in that city
using the street address. This is a two-step process.
Accordingly, every IP address has two parts. One part identifies the
network where the system is connected, and a second part identifies that
particular system on the network.
This kind of address is called a hierarchical address, because it contains
different levels. An IP address combines these two identifiers into one number.
This number must be a unique number, because duplicate addresses would
make routing impossible. The first part identifies the system's network address.
The second part, called the host part, identifies which particular machine it is on
the network.
IP addresses are divided into classes to define the large, medium, and
small networks. Class A addresses are assigned to larger networks. Class B
addresses are used for medium-sized networks and Class C for small networks.
The first step in determining which part of the address identifies the network
and which part identifies the host is identifying the class of an IP address.
2.3.3 Class A, B, C, D, and E IP addresses:
To accommodate different size networks and aid in classifying these
networks, IP addresses are divided into groups called classes. This is known as
classful addressing. Each complete 32-bit IP address is broken down into a
network part and a host part. A bit or bit sequence at the start of each address
determines the class of the address. There are five IP address classes as shown
in the Figure below.
Fig 2.8: Class A, B, C, D and E IP addresses
The Class A address was designed to support extremely large networks, with
more than 16 million host addresses available. Class A IP addresses use only the
first octet to indicate the network address. The remaining three octets provide
for host addresses.
The first bit of a Class A address is always 0. With that first bit a 0, the
lowest number that can be represented is 00000000, decimal 0. The highest
number that can be represented is 01111111, decimal 127. The numbers 0 and
127 are reserved and cannot be used as network addresses. Any address that
starts with a value between 1 and 126 in the first octet is a Class A address.
The 127.0.0.0 network is reserved for loopback testing. Routers or local
machines can use this address to send packets back to themselves. Therefore,
this number cannot be assigned to a network.
The Class B address was designed to support the needs of moderate to
large-sized networks. A Class B IP address uses the first two of the four octets
to indicate the network address. The other two octets specify host addresses.
The first two bits of the first octet of a Class B address are always 10. The
remaining six bits may be populated with either 1s or 0s. Therefore, the lowest
number that can be represented with a Class B address is 10000000, decimal
128. The highest number that can be represented is 10111111, decimal 191.
Any address that starts with a value in the range of 128 to 191 in the first octet
is a Class B address.
The Class C address space is the most commonly used of the original
address classes. This address space was intended to support small networks
with a maximum of 254 hosts.
A Class C address begins with binary 110. Therefore, the lowest number that
can be represented is 11000000, decimal 192. The highest number that can be
represented is 11011111, decimal 223. If an address contains a number in the
range of 192 to 223 in the first octet, it is a Class C address.
The Class D address class was created to enable multicasting in an IP
address. A multicast address is a unique network address that directs packets
with that destination address to predefined groups of IP addresses. Therefore, a
single station can simultaneously transmit a single stream of data to multiple
recipients.
The Class D address space, much like the other address spaces, is
mathematically constrained. The first four bits of a Class D address must be
1110. Therefore, the first octet range for Class D addresses is 11100000 to
11101111, or 224 to 239. An IP address that starts with a value in the range of
224 to 239 in the first octet is a Class D address.
A Class E address has been defined. However, the Internet Engineering
Task Force (IETF) reserves these addresses for its own research. Therefore, no
Class E addresses have been released for use in the Internet. The first four bits
of a Class E address are always set to 1s. Therefore, the first octet range for
Class E addresses is 11110000 to 11111111, or 240 to 255.
2.3.4 Reserved IP addresses:
Certain host addresses are reserved and cannot be assigned to devices on
a network. These reserved host addresses include the following:
2.3.4.1 Introduction to subnetting:
Subnetting is another method of managing IP addresses. This method of
dividing full network address classes into smaller pieces has prevented complete
IP address exhaustion. It is important to understand subnetting as a means of
dividing and identifying separate networks throughout the LAN. It is not always
necessary to subnet a small network. However, for large or extremely large
networks, subnetting is required. Subnetting a network means to use the subnet
mask to divide the network and break a large network up into smaller, more
efficient and manageable segments, or subnets. An example would be the U.S.
telephone system, which is broken into area codes, exchange codes, and local
numbers.
The system administrator must resolve these issues when adding and
expanding the network. It is important to know how many subnets or networks
are needed and how many hosts will be needed on each network. With
subnetting, the network is not limited to the default Class A, B, or C network
Fig 2.9: An Example Subnet System
Subnet addresses include the network portion, plus a subnet field and a
host field. The subnet field and the host field are created from the original host
portion for the entire network. The ability to decide how to divide the original
host portion into the new subnet and host fields provides addressing flexibility
for the network administrator.
To create a subnet address, a network administrator borrows bits from the
host field and designates them as the subnet field. The minimum number of bits
that can be borrowed is two. When creating a subnet where only one bit was
borrowed, the network number would be the .0 network and the broadcast
number would then be the .255 network.
The method that was used to create the subnet chart can be used to solve
all subnetting problems. This method uses the following formulas:
Number of usable subnets = two to the power of the assigned subnet bits
or borrowed bits, minus two (reserved addresses for subnetwork ID and
subnetwork broadcast):
(2 ^ borrowed bits) – 2 = usable subnets
(2^3) – 2 = 6
Number of usable hosts = two to the power of the bits remaining, minus
two (reserved addresses for subnet ID and subnet broadcast):
(2 ^ remaining host bits) – 2 = usable hosts
(2^5) – 2 = 30
As early as 1992, the Internet Engineering Task Force (IETF) identified
the following two specific concerns:
Exhaustion of the remaining, unassigned IPv4 network addresses. At the
time, the Class B space was on the verge of depletion.
The rapid and large increase in the size of Internet routing tables as more
Class C networks came online. The resulting flood of new network
information threatened the ability of Internet routers to cope ef
Fig2.10: Assigning the addresses to different regions (hierarchy shown: IANA;
the regional registries InterNIC for America, RIPE for Europe and APNIC for
Asia; then the National, Local and Consumer levels)
2.3.4.3 Applying the subnet mask:
Once the subnet mask has been established it can be used to create
the subnet scheme. The chart in the Figure is an example of the subnets and
addresses created by assigning three bits to the subnet field. This will create
eight subnets with 32 hosts per subnet. Start with zero (0) when
numbering subnets. The first subnet is always referenced as the zero subnet.
When filling in the subnet chart three of the fields are automatic, others require
some calculation.
Fig 2.10(a): Applying the subnet mask
The sub network ID of subnet zero is the same as the major network
number, in this case 192.168.10.0. The broadcast ID for the whole network is
the largest number possible, in this case 192.168.10.255. The third number that
is given is the subnetwork ID for subnet number seven. This number is the three
network octets with the subnet mask number inserted in the fourth octet
position. Three bits were assigned to the subnet field with a cumulative value of
224. The ID for subnet seven is 192.168.10.224. By inserting these numbers,
checkpoints have been established that will verify the accuracy when the chart
is completed.
When consulting the subnetting chart or using the formula, the three bits
assigned to the subnet field will result in 32 total hosts assigned to each subnet.
This information provides the step count for each subnetwork ID. Adding 32 to
each preceding number, starting with subnet zero, the ID for each subnet is
established. Notice that the subnet ID has all binary 0s in the host portion.
Fig 2.10(b): Applying the subnet mask
The broadcast field is the last number in each subnetwork, and has all
binary ones in the host portion. This address has the ability to broadcast only to
the members of a single subnet. Since the subnetwork ID for subnet zero is
192.168.10.0 and there are 32 total hosts the broadcast ID would be
192.168.10.31. Starting at zero the 32nd sequential number is 31. It is important
to remember that zero (0) is a real number in the world of networking.
The balance of the broadcast ID column can be filled in using the same
process that was used in the subnetwork ID column. Simply add 32 to the
preceding broadcast ID of the subnet. Another option is to start at the bottom of
this column and work up to the top: the broadcast ID of each subnet is one less
than the subnetwork ID of the subnet that follows it.
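The subnet formulas (2^n – 2) and the chart-filling procedure above can be carried out in code. The following is an added example written for this page, not code from the report: it builds the same chart for the report's worked case (192.168.10.0/24 with three borrowed bits, a constructed sample that matches the text) using Python's standard ipaddress module, and it also flags the two reserved addresses of each subnet (the subnetwork ID and the broadcast address) that section 2.3.4 says cannot be assigned to hosts. The function names are this example's own.

```python
import ipaddress

# Added example (not the report's code): the report's subnet chart method,
# expressed in code. The network and borrowed-bit count used in __main__ are
# constructed to match the report's worked case.


def usable_subnets(borrowed_bits):
    """Report's formula: 2^(borrowed bits) - 2. The two excluded values are
    subnet zero and the all-ones subnet (the classful convention the report
    follows)."""
    return 2 ** borrowed_bits - 2


def usable_hosts(remaining_host_bits):
    """Report's formula: 2^(remaining host bits) - 2. The two excluded values
    are the subnet ID (host bits all 0) and the broadcast (host bits all 1)."""
    return 2 ** remaining_host_bits - 2


def dotted_mask(prefix_len):
    """Dotted-decimal mask for a prefix length, e.g. 27 -> 255.255.255.224."""
    mask_int = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask_int))


def subnet_chart(network, borrowed_bits):
    """Build the chart the report fills in by hand.

    Each row holds the subnet number, its subnetwork ID (host bits all 0),
    the usable host range and the broadcast address (host bits all 1).
    The step between consecutive subnet IDs is 2^(remaining host bits),
    which is the 32 the report adds to each preceding ID.
    """
    net = ipaddress.IPv4Network(network, strict=True)
    remaining = 32 - net.prefixlen - borrowed_bits
    if borrowed_bits < 1 or remaining < 2:
        raise ValueError("need at least one subnet bit and two host bits")
    step = 2 ** remaining
    base = int(net.network_address)
    rows = []
    for index in range(2 ** borrowed_bits):
        subnet_id = base + index * step
        broadcast = subnet_id + step - 1
        rows.append({
            "subnet": index,
            "id": str(ipaddress.IPv4Address(subnet_id)),
            "first_host": str(ipaddress.IPv4Address(subnet_id + 1)),
            "last_host": str(ipaddress.IPv4Address(broadcast - 1)),
            "broadcast": str(ipaddress.IPv4Address(broadcast)),
            "mask": dotted_mask(net.prefixlen + borrowed_bits),
        })
    return rows


def classify(network, borrowed_bits, address):
    """Say whether an address in the major network is a reserved subnetwork
    ID, a reserved broadcast address, or an assignable host address.
    Returns None for an address outside the major network."""
    net = ipaddress.IPv4Network(network, strict=True)
    addr = ipaddress.IPv4Address(address)
    if addr not in net:
        return None
    remaining = 32 - net.prefixlen - borrowed_bits
    host_part = int(addr) & ((1 << remaining) - 1)
    if host_part == 0:
        return "subnet id"
    if host_part == (1 << remaining) - 1:
        return "broadcast"
    return "host"


if __name__ == "__main__":
    for row in subnet_chart("192.168.10.0/24", 3):
        print(row)
    print("usable subnets:", usable_subnets(3), "usable hosts:", usable_hosts(5))
    print(classify("192.168.10.0/24", 3, "192.168.10.31"))
```

Running it reproduces the checkpoints the report uses: subnet zero is 192.168.10.0 with broadcast 192.168.10.31, subnet seven is 192.168.10.224 with broadcast 192.168.10.255, and the mask carried in each row is 255.255.255.224. The classify function is the practical use of the chart: an address whose host bits are all zeros or all ones is rejected before it is ever handed to a device.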
2.4 ROUTING CONCEPTS:
2.4.1 Introduction to Routing:
This chapter introduces the underlying concepts widely used in routing
protocols. Topics summarized here include routing protocol components and
algorithms. In addition, the role of routing protocols is briefly contrasted with
the role of routed or network protocols.
2.4.2 What is Routing?
Routing is the act of moving information across an inter-network from a source
to a destination. Along the way, at least one intermediate node typically is
encountered. Routing is often contrasted with bridging, which might seem to
accomplish precisely the same thing to the casual observer. The primary
difference between the two is that bridging occurs at Layer 2 (the link layer) of
the OSI reference model, whereas routing occurs at Layer 3 (the network layer).
This distinction provides routing and bridging with different information to use
in the process of moving information from source to destination, so the two
functions accomplish their tasks in different ways.
The topic of routing has been covered in computer science literature for
more than two decades, but routing achieved commercial popularity as late as
the mid-1980s. The primary reason for this time lag is that networks in the
1970s were simple, homogeneous environments. Only relatively recently has
large-scale internetworking become popular.
2.4.3 Routing Components:
Routing involves two basic activities: determining optimal routing paths and
transporting information groups (typically called packets) through an
internetwork. In the context of the routing process, the latter of these is referred
to as packet switching. Although packet switching is relatively straightforward,
path determination can be very complex.
2.4.4 Path Determination:
Routing protocols use metrics to evaluate what path will be the best for a packet
to travel. A metric is a standard of measurement, such as path bandwidth, that is
used by routing algorithms to determine the optimal path to a destination. To aid
the process of path determination, routing algorithms initialize and maintain
routing tables, which contain route information. Route information varies
depending on the routing algorithm used.
Routing algorithms fill routing tables with a variety of information.
Destination/next hop associations tell a router that a particular destination can
be reached optimally by sending the packet to a particular router representing
the "next hop" on the way to the final destination. When a router receives an
incoming packet, it checks the destination address and attempts to associate this
address with a next hop.
Routing tables also can contain other information, such as data about the
desirability of a path. Routers compare metrics to determine optimal routes, and
these metrics differ depending on the design of the routing algorithm used. A
variety of common metrics will be introduced and described later in this
chapter.
Routers communicate with one another and maintain their routing tables
through the transmission of a variety of messages. The routing update message
is one such message that generally consists of all or a portion of a routing table.
By analyzing routing updates from all other routers, a router can build a detailed
picture of network topology. A link-state advertisement, another example of a
message sent between routers, informs other routers of the state of the sender's
links. Link information also can be used to build a complete picture of network
topology to enable routers to determine optimal routes to network destinations.
2.4.5 Routing Algorithms
Routing algorithms can be differentiated based on several key characteristics.
First, the particular goals of the algorithm designer affect the operation of the
resulting routing protocol. Second, various types of routing algorithms exist,
and each algorithm has a different impact on network and router resources.
Finally, routing algorithms use a variety of metrics that affect calculation of
optimal routes. The following sections analyze these routing algorithm
attributes.
2.4.5.1 Routing Algorithms Design Goals
Routing algorithms often have one or more of the following design goals:
Optimality
Simplicity and low overhead
Robustness and stability
Rapid convergence
Flexibility
Optimality refers to the capability of the routing algorithm to select the
best route, which depends on the metrics and metric weightings used to make
the calculation. For example, one routing algorithm may use a number of hops
and delays, but it may weigh delay more heavily in the calculation. Naturally,
routing protocols must define their metric calculation algorithms strictly.
Routing algorithms also are designed to be as simple as possible. In other
words, the routing algorithm must offer its functionality efficiently, with a
minimum of software and utilization overhead. Efficiency is particularly
important when the software implementing the routing algorithm must run on a
computer with limited physical resources.
Routing algorithms must be robust, which means that they should
perform correctly in the face of unusual or unforeseen circumstances, such as
hardware failures, high load conditions, and incorrect implementations. Because
routers are located at network junction points, they can cause considerable
problems when they fail. The best routing algorithms are often those that have
withstood the test of time and that have proven stable under a variety of network
conditions.
In addition, routing algorithms must converge rapidly. Convergence is the
process of agreement, by all routers, on optimal routes. When a network event
causes routes to either go down or become available, routers distribute routing
update messages that permeate networks, stimulating recalculation of optimal
routes and eventually causing all routers to agree on these routes. Routing
algorithms that converge slowly can cause routing loops or network outages.
Routing algorithms should also be flexible, which means that they should
quickly and accurately adapt to a variety of network circumstances. Assume, for
example, that a network segment has gone down. As many routing algorithms
become aware of the problem, they will quickly select the next-best path for all
routes normally using that segment. Routing algorithms can be programmed to
adapt to changes in network bandwidth, router queue size, and network delay,
among other variables.
2.4.6 Types of Routing:
Static Routing
Dynamic Routing
Default Routing
2.4.6.1 Static Routing
Static routing is a data communication concept describing one way of
configuring path selection of routers in computer networks. It is the type
of routing characterized by the absence of communication between routers
regarding the current state of the network. This is achieved by manually
adding routes to the routing table. In these systems, routes through a data
network are described by fixed paths (statically). The system administrator
usually enters these routes into the router. An entire network can be configured
using static routes, but this type of configuration is not fault tolerant. When
there is a change in the network or a failure occurs between two statically
defined nodes, traffic will not be rerouted. This means that anything that wishes
to take an affected path will either have to wait for the failure to be repaired or
for the static route to be updated by the administrator before restarting its journey.
Most requests will time out (ultimately failing) before these repairs can be
made. There are, however, times when static routes can improve the
performance of a network. Some of these include stub networks and default
routes.
Static Routing:
a. Routes for each destination network have to be manually configured by the
administrator.
b. Requires the destination network ID for the configuration.
c. Used in small networks.
d. Administrative distance for static route is
Disadvantages of static routing:
a. Topology changes cannot be dynamically updated.
b. All destination network IDs must be known and configured.
c. More administrative work is required.
d. Suitable only for small organizations.
Syntax for Static Routing:
Router(config)# ip route <destination network ID> <destination subnet
mask> <next hop IP address> [permanent]
Or
Router(config)# ip route <destination network ID> <destination subnet
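The destination/next-hop lookup described under Path Determination and the static-routing behaviour described above (manually entered routes, a default route, no rerouting after a failure) can be modelled in a few dozen lines. The following is an added example written for this page; it is not code from the report or from Cisco. It is a toy routing table whose ip_route method mirrors the IOS command form quoted above, with the permanent keyword modelled as "keep the route even when its next hop is unreachable". The class and method names, the link-state bookkeeping (next_hop_up / next_hop_down) and every address used are this example's own constructed values.

```python
import ipaddress

# Added example, not code from the report or from Cisco: a toy static
# routing table mirroring the IOS form
#   ip route <destination network ID> <destination subnet mask> <next hop IP address> [permanent]
# It shows destination/next-hop lookup by longest prefix match, a default
# route, and why a purely static table does not reroute around a failure.
# Every address used below is a constructed sample value.


class StaticRoutingTable:
    def __init__(self):
        self._routes = []        # (IPv4Network, next-hop IPv4Address, permanent flag)
        self._reachable = set()  # next hops this router can currently reach

    def ip_route(self, network, mask, next_hop, permanent=False):
        """Install one route, as an administrator types it.
        'permanent' models the IOS keyword of that name: the route is kept
        even when its next hop is unreachable, so matching packets are sent
        into a dead path instead of falling back to a less specific route."""
        net = ipaddress.IPv4Network(f"{network}/{mask}", strict=True)
        self._routes.append((net, ipaddress.IPv4Address(next_hop), permanent))

    def no_ip_route(self, network, mask, next_hop):
        """Remove a route ('no ip route ...'). Returns True if one was removed."""
        net = ipaddress.IPv4Network(f"{network}/{mask}", strict=True)
        hop = ipaddress.IPv4Address(next_hop)
        kept = [r for r in self._routes if not (r[0] == net and r[1] == hop)]
        removed = len(kept) < len(self._routes)
        self._routes = kept
        return removed

    def next_hop_up(self, next_hop):
        """Constructed link state: the given next hop becomes reachable."""
        self._reachable.add(ipaddress.IPv4Address(next_hop))

    def next_hop_down(self, next_hop):
        """Constructed link state: the given next hop becomes unreachable."""
        self._reachable.discard(ipaddress.IPv4Address(next_hop))

    def lookup(self, destination):
        """Destination/next-hop association by longest prefix match.
        The most specific usable route wins; 0.0.0.0/0 (the default route)
        matches every address and so only wins when nothing else does.
        Returns the next hop as a string, or None when the packet is dropped."""
        dst = ipaddress.IPv4Address(destination)
        best = None
        for net, hop, permanent in self._routes:
            if dst not in net:
                continue
            if not permanent and hop not in self._reachable:
                continue  # unreachable next hop: route leaves the forwarding table
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, hop)
        return None if best is None else str(best[1])


def build_sample_table(with_default_route):
    """Constructed table used by the demonstration below."""
    table = StaticRoutingTable()
    table.ip_route("10.1.0.0", "255.255.0.0", "192.168.1.2")
    table.ip_route("10.1.5.0", "255.255.255.0", "192.168.1.3")
    table.ip_route("172.16.0.0", "255.255.0.0", "192.168.1.4")
    if with_default_route:
        table.ip_route("0.0.0.0", "0.0.0.0", "192.168.1.1")
    for hop in ("192.168.1.1", "192.168.1.2", "192.168.1.3", "192.168.1.4"):
        table.next_hop_up(hop)
    return table


if __name__ == "__main__":
    table = build_sample_table(with_default_route=False)
    print(table.lookup("10.1.5.7"))    # 192.168.1.3: the /24 beats the /16
    print(table.lookup("8.8.8.8"))     # None: no default route configured
    table.next_hop_down("192.168.1.4")
    print(table.lookup("172.16.3.3"))  # None: a static table does not reroute
    table.ip_route("172.16.0.0", "255.255.0.0", "192.168.1.2")
    print(table.lookup("172.16.3.3"))  # 192.168.1.2 once the administrator adds a route
```

The last three lines of the demonstration are the fault-tolerance point from the text: when the next hop for 172.16.0.0/16 goes away, packets to that network are dropped until an administrator installs a replacement route; nothing in the table reacts on its own. With a default route present, the same packets would instead leave via 192.168.1.1, which is rerouting only in the sense that the least specific entry absorbs them.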
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document
started with a cleared (default) configuration. If your network is live, make
sure that you understand the potential impact of any command.
Windows XP, Windows Server 2003, server and client. This
document is also not restricted to specific software and hardware versions.
4.SYSTEM STUDY
4.1 Feasibility Study:
It is a very important aspect of any project report. There is always a chance of
manual errors. The cost factor is also present, and it depends upon the size of the
work.
Feasibility studies aim to objectively and rationally uncover the
strengths and weaknesses of the existing business or proposed venture,
opportunities and threats as presented by the environment, the resources
required to carry through, and ultimately the prospects for success. In its
simplest term, the two criteria to judge feasibility are cost required and value to
be attained. As such, a well-designed feasibility study should provide a
historical background of the business or project, description of the product or
service, accounting statements, details of the operations and management,
marketing research and policies, financial data, legal requirements and tax
obligations. Generally, feasibility studies precede technical development and
project implementation.
4.1.1 Technical Feasibility:
In the preliminary investigation phase, we examine the feasibility of the
project. We assess how likely it is that the network we established will be useful
to the organization. We determine whether the solution is viable or not. For
this purpose, the analyst clearly establishes the feasibility of each alternative,
testing for benefits, costs and other resources.
4.1.2 Behavioral / Operational Feasibility:
For any network that we implement and that is used by an
organization, its behavioral nature must be analyzed. For example, if an
organization wants to access the Internet from many systems using only one
Internet service provider, this can be done with the help of NAT.
Operational feasibility is a measure of how well a proposed system
solves the problems, and takes advantage of the opportunities identified
during scope definition and how it satisfies the requirements identified in
the requirements analysis phase of system development.
4.1.3 Economic Feasibility:
This project does not specify an Internet standard of any kind.
Distribution of this project is unlimited. You can use private addresses on your
inside networks. Private addresses are not routable on the Internet. NAT hides
the local addresses from other networks, so attackers cannot learn the real
address of a server in the data center. You can resolve IP routing problems such
as overlapping addresses when you have two interfaces connected to
overlapping subnets.
Economic analysis is the most frequently used method for evaluating the
effectiveness of a new system. More commonly known as cost/benefit analysis,
the procedure is to determine the benefits and savings that are expected from a
candidate system and compare them with costs. If benefits outweigh costs, then
the decision is made to design and implement the system. An entrepreneur must
accurately weigh the cost versus benefits before taking an action.
5. SYSTEM DESIGN
5.1.1 Introduction to DFD Diagrams:
The Data Flow Diagram (DFD) is a graphic tool used for expressing system
requirements in a graphical form. The DFD, also known as the “bubble chart”,
has the purpose of clarifying system requirements and identifying the major
transformations that will become programs in system design.
Thus the DFD can be regarded as the starting point of the design phase that
functionally decomposes the requirements specification down to the lowest
level of detail.
The DFD consists of a series of bubbles joined by lines. The bubbles
represent data transformations and the lines represent data flows in the system.
A DFD describes what the data flows are rather than how they are processed, so it
does not depend on hardware, software, data structure or file organization.
5.2 At Source IP address:
5.1 Incoming Packet
Fig 5.1 : At source IP Address.
5.3 At receiving IP Address
Source Application:
Fig 5.1 : DFD for Source IP address
At the receiving end:
Fig. 5.2 – Packet receiving from the Source IP address.
6. SYSTEM IMPLEMENTATION
6.1 ALGORITHMS USED:
6.1.1 MD5:
The MD5 Message-Digest Algorithm is a widely used cryptographic hash function that produces a 128-bit (16-byte) hash value. Specified in RFC 1321,
MD5 has been utilized in a wide variety of security applications, and is also commonly used to check data integrity. MD5 was designed by Ron Rivest in
1991 to replace an earlier hash function, MD4. An MD5 hash is typically expressed as a hexadecimal number, 32 digits long.
However, it has since been shown that MD5 is not collision resistant; as such, MD5 is not suitable for applications like SSL certificates or digital signatures that rely
on this property. In 1996, a flaw was found with the design of MD5, and while it was not a clearly fatal weakness, cryptographers began recommending the use
of other algorithms, such as SHA-1—which has since been found to be vulnerable as well. In 2004, more serious flaws were discovered in MD5,
making further use of the algorithm for security purposes questionable—specifically, a group of researchers described how to create a pair of files that
share the same MD5 checksum. Further advances were made in breaking MD5 in 2005, 2006, and 2007. In December 2008, a group of researchers used this technique to fake SSL certificate validity, and CMU Software Engineering
Institute now says that MD5 "should be considered cryptographically broken and unsuitable for further use", and most U.S. government applications now
require the SHA-2 family of hash functions.
6.1.2 SHA (SECURE HASH ALGORITHM):
In cryptography, SHA-1 is a cryptographic hash function designed by the
United States National Security Agency and published by the United States NIST as a U.S. Federal Information Processing Standard. SHA stands for
"secure hash algorithm". The four SHA algorithms are structured differently and are distinguished as SHA-0, SHA-1, SHA-2, and SHA-3. SHA-1 is very similar
to SHA-0, but corrects an error in the original SHA hash specification that led to significant weaknesses. The SHA-0 algorithm was not adopted by many applications. SHA-2, on the other hand, differs significantly from the SHA-1
hash function.
SHA-1 is the most widely used of the existing SHA hash functions, and is
employed in several widely used applications and protocols.
In 2005, cryptanalysts found attacks on SHA-1 suggesting that the algorithm
might not be secure enough for ongoing use. NIST required many applications in federal agencies to move to SHA-2 after 2010 because of the
weakness. Although no successful attacks have yet been reported on SHA-2, its members are algorithmically similar to SHA-1. In 2012, following a long-running
competition, NIST selected an additional algorithm, Keccak, for standardization as SHA-3.
Algorithm and variant | Output size (bits) | Internal state size (bits) | Block size (bits) | Max message size (bits) | Word size (bits) | Rounds | Operations | Collisions found?
SHA-0 | 160 | 160 | 512 | 2^64 – 1 | 32 | 80 | add, and, or, xor, rotate, mod | Yes
SHA-1 | 160 | 160 | 512 | 2^64 – 1 | 32 | 80 | add, and, or, xor, rotate, mod | Theoretical attack (2^51)[6]
SHA-2: SHA-256/224 | 256/224 | 256 | 512 | 2^64 – 1 | 32 | 64 | add, and, or, xor, rotate, mod, shift | No
SHA-2: SHA-512/384 | 512/384 | 512 | 1024 | 2^128 – 1 | 64 | 80 | add, and, or, xor, rotate, mod, shift | No
Table-6.1.2: Details about SHA-0, SHA-1, SHA-2
6.1.3 MD5 VS SHA:
MD5 has been cryptographically broken for quite some time now. This basically means that some of the properties usually guaranteed by hash
algorithms no longer hold. For example, it is possible to find hash collisions in much less time than the output length would suggest is necessary.
SHA-512 (one of the SHA-2 family of hash functions) is, for now, secure enough, but possibly not for much longer. That is why
NIST started a contest for SHA-3. Generally, you want hash algorithms to be one-way functions. They map some input to some output. Usually the output
is of a fixed length, thereby providing a "digest" of the original input. However, flaws in design or implementation often result in reduced complexity for attacks. Once those are known, it is time to evaluate whether the hash
function should still be used. If the attack complexity drops far enough, practical attacks easily come within the reach of people without specialized computing equipment.
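Sections 6.1.1 to 6.1.3 describe MD5 and the SHA family in terms of output size, one-wayness and their use for checking data integrity. The following is an added example written for this page, not code from the report: using Python's standard hashlib and hmac modules it shows the digest sizes quoted in the text and in Table-6.1.2 (128 bits for MD5, 160 for SHA-1, 256 and 512 for SHA-2), the avalanche effect a one-way hash should exhibit, and an integrity check. It goes one step beyond the text by also showing a keyed tag (HMAC), since a bare digest only catches accidental corruption. SAMPLE_DATA and the function names are this example's own constructed values.

```python
import hashlib
import hmac

# Added example, not code from the report. Demonstrates the digest sizes the
# report quotes for MD5 and the SHA family, the avalanche property of a
# one-way hash, and integrity checks built on these functions.
# SAMPLE_DATA is a constructed byte string, not captured traffic.

SAMPLE_DATA = b"constructed sample payload for the hash demonstration"


def digest_bits(algorithm):
    """Output size in bits of a hashlib algorithm name such as 'md5' or 'sha256'."""
    return hashlib.new(algorithm).digest_size * 8


def hex_digest(data, algorithm):
    """Hex-encoded digest: MD5 gives 32 hex digits, SHA-1 40, SHA-256 64, SHA-512 128."""
    return hashlib.new(algorithm, data).hexdigest()


def differing_digest_bits(data_a, data_b, algorithm):
    """Number of digest bits that differ between two inputs. For a sound
    hash, changing even one input bit flips about half of the output bits."""
    a = int.from_bytes(hashlib.new(algorithm, data_a).digest(), "big")
    b = int.from_bytes(hashlib.new(algorithm, data_b).digest(), "big")
    return bin(a ^ b).count("1")


def verify_integrity(data, expected_hex, algorithm):
    """Unkeyed integrity check: recompute the digest and compare it in
    constant time. This detects accidental corruption, but not a deliberate
    change by someone who can also rewrite the stored digest."""
    return hmac.compare_digest(hex_digest(data, algorithm), expected_hex)


def keyed_tag(key, data, algorithm):
    """Keyed integrity tag (HMAC) over the data. With a shared secret key,
    a party who alters the data cannot recompute a matching tag."""
    return hmac.new(key, data, algorithm).hexdigest()


def verify_keyed_tag(key, data, expected_hex, algorithm):
    """Constant-time verification of a keyed tag produced by keyed_tag()."""
    return hmac.compare_digest(keyed_tag(key, data, algorithm), expected_hex)


if __name__ == "__main__":
    for name in ("md5", "sha1", "sha256", "sha512"):
        print(name, digest_bits(name), "bits:", hex_digest(SAMPLE_DATA, name))
    flipped = bytes([SAMPLE_DATA[0] ^ 0x01]) + SAMPLE_DATA[1:]
    print(differing_digest_bits(SAMPLE_DATA, flipped, "sha256"), "of 256 bits differ")
    tag = keyed_tag(b"constructed-shared-key", SAMPLE_DATA, "sha256")
    print("tag verifies:", verify_keyed_tag(b"constructed-shared-key", SAMPLE_DATA, tag, "sha256"))
```

The practical reading of the MD5-versus-SHA discussion is visible in the code: the algorithm is a parameter, so an implementation that has standardized on MD5 can be moved to a SHA-2 member without changing the verification logic, and the digest length returned by digest_bits is the only thing that changes in the stored tags.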