Deploying a VPN System with IPSEC. Supervisor (GVHD): Trn N V Thc. Students (SVTH): ng Th Cm Li, Trn Vn Dip.
Chapter 1: Overview of VPN
1 Overview.
Along with the rapid growth of industry, the need to exchange information and data between organizations, companies, groups and individuals became pressing, and the Internet boomed as a result. Everyone connects their computers to the Internet through an Internet Service Provider (ISP), using one common protocol suite, TCP/IP. What engineering still has to solve is the communication capacity of the public telecommunications network. With the Internet, services such as online shopping, distance education and online consulting become easy. However, the Internet is global in scope and no organization or government can manage it, so ensuring the safety and confidentiality of data, and managing services, is a large problem that must be solved. Researchers therefore studied and proposed a new network model that meets these needs while still making use of the existing Internet infrastructure: the Virtual Private Network (VPN). With this model we do not have to invest in much additional equipment or infrastructure, yet we still obtain features such as confidentiality and reliability, and can manage the operation of this network ourselves. A VPN lets users working from home, on the road or in branch offices connect securely to their organization's servers over infrastructure provided by the public network. It protects information exchanged between organizations, companies or branches, offices, suppliers and business partners across a wide communication environment.
Thus the most important characteristic of a VPN is that it can use a public network such as the Internet while still guaranteeing confidentiality and saving cost.
1.1 History of VPN development
The appearance of the virtual dedicated network, also called the virtual private network (VPN), originated from customers (clients) who wanted to connect their private branch exchanges (PBXs) to one another efficiently over a wide area network (WAN).
Previously, group telephone systems or local area networks (LANs) used leased lines to build dedicated networks for communicating with each other.
Milestones in the development of VPN:
- In 1975, France Telecom launched the Colisee service, providing dedicated-line service to large customers. Colisee could offer customers dedicated dialing numbers. The service set its charges according to the volume of service used and offered many other management features.
- In 1985, Sprint launched a VPN service, and AT&T launched its own VPN service under the name Software Defined Network (SDN).
- In 1986, Sprint launched Vnet and Telefonica of Spain launched Ibercom.
- In 1988, a VPN price war broke out in the United States, which let small and medium-sized enterprises afford VPN service and save nearly 30% in cost, stimulating the rapid growth of this service in the US.
- In 1989, AT&T launched the international VPN (IVPN) service GSDN.
- In 1990, MCI and Sprint launched international VPN services; Telstra of Australia launched the first domestic VPN service in the Asia-Pacific region.
- In 1992, the Dutch telecommunications operator and Telia of Sweden formed the joint venture Unisource to provide VPN services.
- In 1993, AT&T, KDD and Singapore Telecom announced the global alliance WorldPartners, providing a range of international services including VPN.
- In 1994, BT and MCI formed the joint venture Concert, providing VPN and Frame Relay services.
- In 1995, ITU-T issued recommendation F-16 on the global VPN service (GVPNS).
- In 1996, Sprint, Deutsche Telekom and France Telecom formed the Global One alliance.
- 1997 can be regarded as a golden year for VPN technology: it appeared in every science and technology magazine and conference. VPNs built on the public Internet infrastructure brought a new capability and a new view of VPN. VPN technology is the optimal communication solution for companies and organizations with many offices and branches. Today, as technology advances and the IP (Internet) infrastructure keeps improving, the capabilities of VPN improve with it.
Today VPN is used not only for voice services but also for data, image and multimedia services.
1.2 Definition of VPN
A VPN is simply understood as the extension of a private network across public networks. Fundamentally, each VPN is a separate private network that uses a shared network (usually the Internet) to connect its sites (individual private networks) or many remote users. Instead of a real, dedicated connection such as a leased line, a VPN uses virtual connections routed over the Internet from a company's private network to its sites and remote employees. To send and receive data over the public network while still ensuring safety and confidentiality, the VPN provides mechanisms that encrypt data on the link, creating a secure pipe between sender and receiver called a tunnel; a tunnel behaves like a point-to-point connection on the private network. To create this secure pipe, the data is encrypted so that it is hidden, and only the packet header, which carries routing information, is exposed so that the packet can reach its destination quickly across the public network. Because the data is carefully encrypted, packets captured on the public link cannot be read without the decryption key. The combination of encrypted and encapsulated data is called a VPN connection, and VPN connections are commonly called VPN tunnels.
Figure 1: VPN connection model.
1.3 Components of a VPN.
To deploy a VPN system you need the basic components below, although everyone building a VPN will choose different components to suit their company or purpose.
1.3.1 VPN client
A VPN client can be a computer or it can be a router. The kind of VPN client used for the company network depends on the company's own needs. For example, if the company has a few employees who travel frequently and need to reach the company network on the road, it may benefit from configuring those employees' laptops as VPN clients.
Technically, any operating system can act as a VPN client as long as it supports the PPTP, L2TP or IPSec protocols. Among Microsoft operating systems you can use Windows 2000, Windows XP and even Windows 7. Although all of these will technically work as clients, Windows XP remains the best choice because it supports L2TP and IPSec and is widely used.
1.3.2 VPN Server
VPN servers act as the connection point for VPN clients. Technically, we can use Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003 or Windows Server 2008 as a VPN server.
A VPN server is fairly simple. It is a physical Windows Server 2008 machine running Routing and Remote Access (RRAS). Once a VPN connection has been authenticated, the VPN server simply acts as a router that gives the VPN client access to the private network.
1.3.3 IAS Server
An additional requirement for a VPN server is a RADIUS (Remote Authentication Dial In User Service) server. RADIUS is a server that provides remote dial-in authentication. RADIUS is the mechanism Internet service providers commonly use to authenticate subscribers establishing Internet connections.
Microsoft also has its own version of RADIUS, called Internet Authentication Service (IAS). The IAS service is available on Windows Server 2008.
1.3.4 Firewall
Another component a VPN requires is a good firewall. The VPN server accepts connections from the outside world, but that does not mean the outside world needs full access to the VPN server. We must use a firewall to block every port that is not in use.
The basic requirement for establishing a VPN connection is that the VPN server's IP address is reachable through your firewall, so that clients can reach the VPN server.
If you are serious about security (and have the budget), we can place an ISA server between the perimeter firewall and the VPN server. The idea is to configure the firewall to direct all VPN-related traffic to the ISA Server rather than to the VPN server. The ISA Server then acts as a VPN proxy. Both the VPN client and the VPN server communicate only with the ISA server; they never communicate directly with each other. This means the ISA Server shields the VPN server from direct client access, giving the VPN server an additional layer of protection.
1.3.5 Choosing a Tunneling Protocol
When VPN clients access a VPN server, they do so over a virtual tunnel. A tunnel is nothing more than a secure passage through an insecure environment (usually the Internet). Tunnels do not appear by themselves, however; they require a tunneling protocol. Several tunneling protocols are available, such as IPSec, L2TP, PPTP and GRE. Choosing the right tunneling protocol for the company, or for one's own needs, is an important decision when planning a VPN design.
The greatest advantage L2TP has over PPTP is that it relies on IPSec. IPSec encrypts data and provides data authentication: the sender's data is encrypted and guaranteed not to have been modified in transit. Furthermore, IPSec is designed to prevent replay attacks.
Although L2TP appears to have the advantage over PPTP, PPTP has its own advantage in compatibility: PPTP works better with Windows operating systems than L2TP does.
1.3.6 Authentication Protocol
When setting up a VPN, we must choose an authentication protocol. Most people choose MS-CHAP v2. MS-CHAP is relatively secure, and it works with VPN clients running Windows. The best choice is MS-CHAP.
1.4 Benefits and Limitations of using VPN.
1.4.1 Benefits.
Using a virtual private network is both a need and a trend in communication technology because it offers several advantages:
Lower cost of deploying and maintaining the system:
- With a VPN, the deployed system fully meets transport and data-security needs at fairly low cost, because a VPN minimizes the cost of renting long-distance lines and instead reuses the existing Internet.
- Maintenance cost is also worth attention. With a VPN, maintenance is very cheap; moreover, by renting the existing infrastructure of Internet service companies, maintenance cost is no longer a concern.
Improved connectivity.
- Getting past web access filters: a VPN is a good option for getting past Internet filters, which is why VPNs are widely used in some countries with strict Internet censorship.
- Changing the IP address: if a different IP address is wanted, a VPN can provide it, which hides one's own address and helps avoid harm from hackers (attackers) outside the network.
Security in transactions.
- Information is exchanged frequently and continuously at work, and keeping that information confidential is extremely important. With a VPN we need not worry much about this: the VPN hides the data by encrypting it and wrapping it in a packet header (the header records the source and destination addresses of the packet), and sends it quickly over the Internet.
- A VPN handles the sharing of packets and data well over long periods.
Remote working capability.
- Nowadays everyone wants to save time and reduce cost, so having a person work from home and still handle their work well is excellent. With a VPN, a user can access the network from anywhere, even a coffee shop, as long as the place has Internet access (the VPN system here uses the Internet), so it is very useful for working remotely.
Good scalability.
- The cost of building a dedicated network (using network cabling) for a company may be reasonable at first, but as the company grows, expanding the network becomes necessary. A VPN is then a sensible choice because it does not depend much on the underlying system: put simply, to expand you only need to create additional tunnels over the existing Internet infrastructure.
1.4.2 Limitations.
Although popular, virtual private networks (VPNs) are not perfect, and limitations always exist in any network. Some limitations to note when deploying a VPN:
A VPN requires detailed understanding of network security; configuration and installation must be careful and accurate to ensure safety over the public Internet.
The reliability and performance of an Internet-based VPN are not under the company's direct control, so the alternative is to use a good, high-quality service provider (ISP).
VPN products and solutions from different vendors are not always compatible, owing to issues with VPN technology standards. Mixing and matching equipment can cause technical problems, and if used improperly can waste a great deal of deployment cost.
A limitation or drawback of VPNs that is very hard to avoid is personal security: employees access the office system remotely from laptops or personal computers, and when those computers run many other applications besides the office connection, a hacker (attacker) can exploit a weakness in the personal computer to attack the company's system. Experts therefore always recommend that personal security be ensured.
1.5 Functions of VPN.
The main functions of a VPN:
Confidentiality: the sender can encrypt data packets before transmitting them across the network. That way, no one can access the information without authorization; even if the information is captured it cannot be read, because it is encrypted.
Data Integrity: the receiver can check whether the data received after transmission across the Internet has been altered.
Origin Authentication: the first thing to do on receiving data is to authenticate its origin; a VPN lets users authenticate the information and the origin of the data.
1.6 Classification of VPNs
The goals set for VPN technology are to satisfy the following three basic requirements:
- At any time, the company's employees can access the company's internal network remotely or while mobile.
- Connecting branches and mobile offices.
- The ability to control the access rights of customers, service providers or other external parties.
Based on these basic requirements, VPNs are divided into three types:
- Remote Access VPN
- Intranet VPN
- Extranet VPN
1.6.1 Remote Access VPN
Remote access VPNs provide remote access. At any time, employees, branches and mobile offices can exchange data and access the company network. The remote access VPN is the most typical kind of VPN, because these VPNs can be established at any time, from anywhere with Internet access.
A remote access VPN extends the company network to its users over a shared infrastructure while company network policies are still enforced. They can be used to provide secure access from mobile devices, mobile users, branches and the company's business partners. These VPNs are implemented over public infrastructure using ISDN, dial-up, mobile IP, DSL and cable technologies, and usually require some kind of client software running on the user's computer.
Figure 2: Remote access VPN model
a) Advantages of remote access VPNs:
- Remote access VPNs need no support from network staff, because the remote connection process is handled by the ISPs.
- Long-distance connection costs are reduced because long-distance connections are replaced by local connections over the Internet.
- They provide inexpensive connection service for remote users.
- Because the access connections are local, the connecting modems operate at higher speed than long-distance access.
- VPNs provide better access to the company's sites because they support the lowest level of connection service.
b) Disadvantages of remote access VPNs:
- Remote access VPNs do not support QoS guarantees.
- The risk of data loss is high. Moreover, packets may be misdelivered or lost.
- Because the encryption algorithms are complex, protocol header overhead increases significantly.
1.6.2 Intranet VPN
Intranet VPNs are used to secure connections between the different locations of one company. The VPN links the headquarters, offices and branches over a shared infrastructure using connections that are always encrypted. This lets every location securely access the permitted data sources throughout the company's network.
These VPNs still provide the characteristics of a WAN, such as scalability, reliability and support for many different protocols, at low cost while remaining flexible. This kind of VPN is usually configured as a site-to-site VPN.
[Figure 3 diagram: remote office (Router) connected through the Internet (POP) to the central office (Router or PIX Firewall); labels Remote site, Central site.]
Figure 3: Intranet VPN model
a) The main advantages of an intranet built on a VPN solution include:
- Local or complete networks can be established (provided the network goes through one or more service providers).
- Fewer technical support staff are needed on the network at remote locations.
- Because the intermediate connections are made over the Internet, a new peer link can easily be added.
- Cost savings come from using VPN tunnels over the Internet combined with high-speed switching technologies such as Frame Relay and ATM.
b) The main disadvantages of an intranet built on a VPN solution:
- Because data is tunneled over the public Internet, threats to the level of data security and to the quality of service (QoS) remain.
- The chance of packets being lost during transmission is still fairly high.
- Transmitting large volumes of data, such as multimedia, with high-speed and real-time requirements is a major challenge in the Internet environment.
1.6.3 Extranet VPN
Unlike intranet VPNs and remote access VPNs, extranet VPNs are not isolated from the outside world. In fact, an extranet VPN provides access control to the network resources needed to extend business relationships to parties such as partners, customers and suppliers.
[Figure 4 diagram: Intranet; DSL/cable access; Extranet (business-to-business); remote office (Router) connected through the Internet (POP) to the central office (Router or PIX Firewall); labels Remote site, Central site.]
Figure 4: Extranet VPN model
Extranet VPNs provide a secure tunnel between customers, suppliers and partners over a public infrastructure. This kind of VPN uses connections that are always secured and is configured as a site-to-site VPN. The difference between an intranet VPN and an extranet VPN is that network access is granted at one of the two ends of the VPN.
a) The main advantages of extranet VPNs:
- The cost of an extranet VPN is far lower than that of a traditional network.
- Easy to set up, maintain and change on a running network.
- Because the extranet VPN is built on the Internet, there are more opportunities to provide services and to choose solutions that suit each company's needs.
- Because Internet connections are maintained by the Internet service provider, fewer technical network-support staff are needed,, reducing the operating cost of the whole network.
b) Disadvantages of extranet VPNs:
- The risk to information confidentiality and of data loss while crossing the public network remains.
- Transmitting large volumes of data, such as multimedia, with high-speed and real-time requirements is a major challenge in the Internet environment.
- It increases the risk to the company's local networks.
2 Protocols used in VPN.
2.1 The IPSec protocol suite.
Internet Protocol Security (IPSec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a session. IPSec also includes protocols for establishing mutual authentication between agents at the start of a session and for negotiating the cryptographic keys to be used.
IPSec is an end-to-end security scheme operating in the Internet layer of the Internet Protocol Suite. It is used to protect data flows between a pair of hosts (host-to-host), between two networks (network-to-network), or between a network and a host (network-to-host).
IPSec was originally developed at the Naval Research Laboratory as part of a DARPA (Defense Advanced Research Projects Agency, the advanced technology research agency of the US Department of Defense) research project. ESP derives directly from the SP3D protocol rather than from the ISO Network Layer Security Protocol (NLSP); the SP3D specification was published by NIST (National Institute of Standards and Technology), but SP3D was designed by the National Security Agency (NSA) for securing network systems. IPSec AH derives from IETF (Internet Engineering Task Force) standards.
2.1.1 Architecture.
The IPSec suite is an open standard; IPSec uses several protocols to perform its different functions and consists of the following components:
- Authentication Header (AH): provides a secure connection and data origin authentication for IP packets, and offers protection against attacks.
- Encapsulating Security Payload (ESP): provides confidentiality, data origin authentication, connection integrity and secure control of data flows.
- Security Associations (SA): provide the algorithms and parameters AH and ESP need to operate, and define a way to exchange keys (ISAKMP, Internet Security Association and Key Management Protocol), computing and supplying shared keys (pre-shared keys) via IKE (Internet Key Exchange), IKEv2, KINK (Kerberized Internet Negotiation of Keys) or IPSECKEY.
Figure 5: Diagram of the IPSec components and the flow between them.
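As an added example that is not part of the thesis, the following Python code illustrates the replay protection mentioned in section 1.3.5 and the AH/ESP components listed in section 2.1.1: it reads the SPI and sequence number from the fixed 8-byte ESP header of constructed packets and runs each sequence number through a per-SA sliding anti-replay window in the style of RFC 4303 Appendix A. The SPI values, sequence numbers and window size are constructed for illustration; the integrity check that a real IPSec receiver performs before updating the window is deliberately left out.

```python
"""Added example: ESP header parsing plus an anti-replay sliding window.

Illustrative code written for this chapter; it is not from the thesis and
not from any IPsec implementation. It follows the scheme of RFC 4303
Appendix A: for each Security Association (SA, identified by its SPI) the
receiver keeps the highest sequence number accepted so far and a bitmap of
the W most recent sequence numbers it has seen.
"""
import struct
from typing import Dict, List, Tuple


class AntiReplayWindow:
    """Sliding window over 32-bit ESP/AH sequence numbers for one SA."""

    def __init__(self, window_size: int = 64) -> None:
        if window_size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.size = window_size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) was seen

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is fresh; False if it is a replay
        or has fallen off the left edge of the window."""
        if seq == 0:
            return False  # sequence numbers start at 1 on a fresh SA
        if seq > self.highest:
            # New right edge: slide the window forward and mark seq as seen.
            shift = seq - self.highest
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1  # jumped past the whole window; only seq is seen
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:
            return False  # too old: left of the window
        if (self.bitmap >> diff) & 1:
            return False  # already seen: replayed packet
        self.bitmap |= 1 << diff
        return True


def parse_esp_header(packet: bytes) -> Tuple[int, int]:
    """Return (SPI, sequence number) from the 8-byte fixed ESP header."""
    if len(packet) < 8:
        raise ValueError("ESP header is 8 bytes: SPI (4) + sequence number (4)")
    spi, seq = struct.unpack("!II", packet[:8])
    return spi, seq


def build_esp(spi: int, seq: int, payload: bytes = b"") -> bytes:
    """Construct a minimal ESP packet (header only; no real encryption or ICV)."""
    return struct.pack("!II", spi, seq) + payload


def replay_filter(packets: List[bytes], window_size: int = 64) -> List[Tuple[int, int, bool]]:
    """Run each packet through the anti-replay window of its SA.

    Returns (spi, seq, accepted) per packet. A real receiver verifies the
    packet's integrity check value before the window is updated, so that
    forged sequence numbers cannot poison the window; that step is omitted here.
    """
    windows: Dict[int, AntiReplayWindow] = {}
    results = []
    for pkt in packets:
        spi, seq = parse_esp_header(pkt)
        win = windows.setdefault(spi, AntiReplayWindow(window_size))
        results.append((spi, seq, win.check_and_update(seq)))
    return results


if __name__ == "__main__":
    # Constructed sample traffic: SPI 0x1000 sees sequence 2 twice (a replay);
    # SPI 0x2000 is a separate SA with its own window.
    sample = [build_esp(0x1000, s) for s in (1, 2, 3, 2)] + [build_esp(0x2000, 2)]
    for spi, seq, ok in replay_filter(sample):
        print(f"SPI {spi:#06x} seq {seq}: {'accept' if ok else 'DROP (replay or stale)'}")
```

The window is kept per SPI because sequence numbers are only unique within one SA; a second SA starting at sequence 2 is accepted even though the first SA already saw that number.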
2.2 The PPTP, L2TP and SSTP protocols.
2.2.1 PPTP (Point-to-Point Tunneling Protocol).
PPTP is a virtual private network method developed by Microsoft together with several other companies. It uses a control channel over TCP and a GRE tunnel to encapsulate PPP (Point-to-Point) data packets. PPTP is part of the Internet Point-to-Point Protocol (PPP) standards, and it uses the PPP authentication types (PAP, SPAP, CHAP, MS-CHAP and EAP).
PPTP establishes the tunnel but does not itself provide encryption; it encrypts using the Microsoft Point-to-Point Encryption (MPPE) protocol to create a secure VPN. PPTP has relatively low cost, which explains why it is widely used by Microsoft customers.
a) How PPTP works.
PPP is the protocol commonly used today to access the Internet and IP networks. It operates at the data link layer of the OSI model; PPP includes methods for encapsulating and de-encapsulating IP packets that are transmitted over a point-to-point connection from one machine to another.
PPTP encapsulates PPP packets and frames in IP packets for transmission across an IP network. PPTP uses a TCP connection to create, maintain and terminate the tunnel, and uses Generic Routing Encapsulation (GRE) packets to encapsulate the PPP frames. The payload of the PPP frame can be encrypted and compressed.
PPTP uses PPP to establish and terminate the physical connection, authenticate the user and create PPP data packets.
An IP network may exist between the PPTP client and the PPTP server. The PPTP client can connect directly to the server through a network access server (NAS) to establish the IP connection. Once the connection is made, the user has been authenticated. This is an optional phase in PPP, but it is always provided by the ISP. Authentication during PPTP connection setup uses the authentication mechanisms of the PPP connection. Some of the authentication mechanisms used are:
- Extensible Authentication Protocol (EAP).
- Challenge Handshake Authentication Protocol (CHAP).
- Password Authentication Protocol (PAP).
PAP works by sending the password over the connection as plain text, with no protection. CHAP is a stronger authentication protocol: it uses a three-way handshake and resists replay attacks by using unique secret values that cannot be guessed or derived. PPTP also lets technology developers encrypt and compress the PPP payload. The PPP payload can be encrypted with Microsoft Point-to-Point Encryption (MPPE).
MPPE provides encryption only while the data is on the link; it does not provide end-to-end encryption between the endpoint devices. If end-to-end encryption is needed, IPSec can be used to secure the IP traffic between the endpoints after the PPTP tunnel has been established.
Once the PPP connection is established, PPTP uses PPP's encapsulation rules to encapsulate the packets sent through the tunnel. To build on the advantages of the connection created by PPP, PPTP defines two kinds of packets, control and data, and assigns them to two separate channels: the control channel and the data channel. PPTP separates the control and data channels into a control stream carried over TCP and a data stream carried over IP. The TCP connection created between client and server is used to carry control messages.
Data packets carry the user's ordinary data. Control packets are sent periodically to obtain connection status information and to manage signaling between the PPTP client and the PPTP server. Control packets are also used to send device management information and configuration information between the two ends of the tunnel.
The control channel is required to establish a tunnel between the PPTP client and server. The PPTP server is a server running the PPTP protocol with one interface connected to the Internet and another connected to the intranet, while the client software may reside on the remote user's machine or at the ISP's servers.
b) How the PPTP tunnel control connection works.
The PPTP control connection is a connection between the IP address of the PPTP client and the address of the server. The PPTP control connection carries the control and management packets used to maintain the PPTP tunnel. These messages include periodic PPTP echo requests and PPTP echo replies used to detect connection failures between the PPTP client and server. The packets of the PPTP control connection consist of an IP header, a TCP header, the PPTP control message, and the data link layer header and trailer.
c) How PPTP tunnel data is encapsulated.
Encapsulating the PPP frame in Generic Routing Encapsulation (GRE). The payload of the original PPP frame is encrypted and encapsulated with a PPP header to create the PPP frame. The PPP frame is then encapsulated with the header of a modified version of the GRE protocol. GRE is a general encapsulation protocol that provides a mechanism for encapsulating data for routing over IP networks. For PPTP, the GRE header is modified in several ways: a 32-bit acknowledgment field is added; an acknowledgment bit is used to indicate the presence of the 32-bit acknowledgment field; and the Key field is replaced by a 16-bit Payload Length field and a 16-bit Call ID field. The Call ID field is set by the PPTP client during tunnel creation.
IP encapsulation
During transmission, the PPP payload and the GRE header are then encapsulated with an IP header containing the source and destination addresses appropriate for the PPTP client and server.
Data link layer encapsulation
To be transmitted over a LAN or WAN, the final IP packet is encapsulated with a data link layer header and trailer for the outgoing physical interface. On a LAN, if the IP packet is sent over an Ethernet interface, it is wrapped with an Ethernet header and trailer. If the IP packet is sent over a point-to-point WAN link, it is encapsulated with a PPP header and trailer.
- IP or IPX packets, or NetBEUI frames, are submitted by their respective protocols to the virtual interface that represents the VPN connection, using the Network Driver Interface Specification (NDIS).
- NDIS submits the packet to NDISWAN, which encrypts and compresses the data and provides a PPP header. This PPP header consists only of the PPP Protocol ID field, without the Flags and Frame Check Sequence (FCS) fields. The Address and Control fields are assumed to have been negotiated by the Link Control Protocol (LCP) during the PPP connection.
- NDISWAN sends the data to the PPTP protocol, which encapsulates the PPP frame with a GRE header. In the GRE header, the Call ID field is set to the appropriate value to identify the tunnel.
- The PPTP protocol then sends the resulting packet to TCP/IP.
- TCP/IP encapsulates the PPTP tunneled data with an IP header and then sends the result to the interface that represents the dial-up connection to the local ISP, via NDIS.
- NDIS sends the packet to NDISWAN, which provides the PPP header and trailer.
- NDISWAN sends the resulting PPP frame to the appropriate WAN port representing the dial-up hardware.
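As an added example, not part of the thesis, the following Python code builds and parses the modified GRE header that section c) describes (RFC 2637): the Key field replaced by a 16-bit Payload Length and a 16-bit Call ID, an optional 32-bit sequence number, and an optional 32-bit acknowledgment number whose presence is flagged by the A bit. The PPP payload bytes and the Call ID are constructed sample values; the parser rejects headers whose fixed bits do not match what PPTP requires, which is the check a capture-analysis or filtering tool would apply before trusting the Call ID.

```python
"""Added example: build and parse the PPTP-modified GRE header (RFC 2637).

Illustrative code written for this chapter; it is not from the thesis and
not from any PPTP implementation. Enhanced GRE header, all big-endian:
  16 bits  C R K S s Recur(3) A Flags(4) Ver(3)   PPTP: C=R=s=0, K=1, Ver=1
  16 bits  protocol type, 0x880B for PPP
  16 bits  payload length  (replaces the high half of the GRE Key field)
  16 bits  call ID         (replaces the low half of the GRE Key field)
  32 bits  sequence number, present only if S is set
  32 bits  acknowledgment number, present only if A is set (PPTP's addition)
"""
import struct
from typing import Dict, Optional

GRE_PROTO_PPP = 0x880B
FLAG_C, FLAG_R, FLAG_K, FLAG_S, FLAG_s = 0x8000, 0x4000, 0x2000, 0x1000, 0x0800
FLAG_A = 0x0080
MUST_BE_ZERO = FLAG_C | FLAG_R | FLAG_s | 0x0700 | 0x0078   # plus Recur and Flags
VERSION_MASK = 0x0007


def _u32(buf: bytes, off: int) -> int:
    """Read one big-endian 32-bit field, refusing to run past the buffer."""
    if off + 4 > len(buf):
        raise ValueError("packet truncated inside the GRE header")
    return struct.unpack("!I", buf[off:off + 4])[0]


def build_pptp_gre(call_id: int, payload: bytes,
                   seq: Optional[int] = None, ack: Optional[int] = None) -> bytes:
    """Wrap a PPP frame in an enhanced GRE header the way a PPTP peer does."""
    flags = FLAG_K | 1                 # K: payload length + call ID present; Ver = 1
    if seq is not None:
        flags |= FLAG_S                # S: a sequence number follows
    if ack is not None:
        flags |= FLAG_A                # A: an acknowledgment number follows
    header = struct.pack("!HHHH", flags, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        header += struct.pack("!I", seq)
    if ack is not None:
        header += struct.pack("!I", ack)
    return header + payload


def parse_pptp_gre(packet: bytes) -> Dict[str, object]:
    """Parse an enhanced GRE packet; raise ValueError if it is not valid PPTP GRE."""
    if len(packet) < 8:
        raise ValueError("enhanced GRE header is at least 8 bytes")
    flags, proto, length, call_id = struct.unpack("!HHHH", packet[:8])
    if proto != GRE_PROTO_PPP:
        raise ValueError(f"protocol type {proto:#06x} is not PPP (0x880B)")
    if flags & VERSION_MASK != 1:
        raise ValueError("PPTP requires GRE version 1")
    if flags & MUST_BE_ZERO or not flags & FLAG_K:
        raise ValueError("C, R, s, Recur and Flags must be 0 and K must be 1 for PPTP")
    offset = 8
    seq = ack = None
    if flags & FLAG_S:
        seq = _u32(packet, offset)
        offset += 4
    if flags & FLAG_A:
        ack = _u32(packet, offset)
        offset += 4
    payload = packet[offset:offset + length]
    if len(payload) != length:
        raise ValueError("payload length field exceeds packet size")
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": payload,
            "is_ack_only": length == 0 and ack is not None}


if __name__ == "__main__":
    # Constructed sample: PPP frame (Address/Control 0xFF03, protocol 0x0021 = IPv4)
    ppp = b"\xff\x03\x00\x21" + b"constructed IP payload"
    pkt = build_pptp_gre(call_id=0x1234, payload=ppp, seq=7, ack=3)
    print(pkt[:2].hex(), parse_pptp_gre(pkt))
```

With both S and A set the first two header bytes are 0x3081, which is the value a capture of PPTP data traffic normally shows; a zero-length packet carrying only an acknowledgment number is the peer's pure-ACK, reported here as is_ack_only.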
d) How tunneled data is processed at the PPTP tunnel endpoint.
On receiving PPTP tunneled data, the PPTP client or server performs the following steps.
- Process and remove the data link layer header and trailer of the frame.
- Process and remove the IP header.
- Process and remove the GRE and PPP headers.
- Decrypt and/or decompress the PPP payload.
- Process the payload for receipt or forwarding.
e) Features and limitations of PPTP.
Features:
- PPTP creates many connections between clients without requiring any special service from the ISP.
- PPTP is supported on many common operating systems (Microsoft, Nortel Networks, TeteSystems).
- PPTP supports IP services, encrypts packets with RC4 (56-bit or 128-bit), and uses port 1723 and the GRE protocol.
Some limitations:
The greatest difficulty associated with PPTP is its weak security mechanism: it uses symmetric encryption in which the key is derived from the user's password. This is all the more dangerous because the password is often sent completely exposed during authentication. The next tunneling protocol, L2F, was developed to improve security in this respect.
2.2.2 Layer 2 Tunneling Protocol (L2TP).
The IETF combined the two protocols PPTP and L2F and developed them into L2TP. It combines the best features of PPTP and L2F. L2TP thus provides the flexibility, scalability and cost-effectiveness of L2F's remote access solution together with PPTP's fast point-to-point connectivity.
Because L2TP blends the characteristics of both PPTP and L2F, it includes:
- L2TP supports multiple protocols and multiple network technologies, such as IP, ATM, FR (Frame Relay) and PPP.
- L2TP does not require deploying any additional software, such as drivers or operating system support. Therefore neither users nor the private intranet need to deploy specialized software.
- L2TP lets remote users access the remote network over a public network using an unregistered (or private) IP address.
- L2TP authentication and authorization are performed by the host network's gateway. Therefore the ISP need not hold authentication data or access rights for remote users. Furthermore, the private intranet can define its own access policies. This makes tunnel setup faster than with earlier tunneling protocols.
The key point of L2TP tunnels is that, unlike PPTP, L2TP establishes PPP tunnels that do not terminate near the ISP's domain. Instead, the tunnels extend to the gateway of the host (or destination) network, and L2TP tunnel requests can be initiated either by the remote user or by the ISP's gateway.
When PPP frames are sent through an L2TP tunnel, they are encapsulated as User Datagram Protocol (UDP) messages. L2TP uses these UDP messages both for tunneling data and for tunnel maintenance. Moreover, unlike earlier tunneling protocols, the tunneled data and the tunnel maintenance packets share the same packet structure.
a) Components of L2TP.
An L2TP transaction involves three basic components: a Network Access Server (NAS), an L2TP Access Concentrator (LAC) and an L2TP Network Server (LNS).
Network Access Server (NAS)
- L2TP NASs are point-to-point access devices that provide on-demand Internet connectivity to remote users who dial in (over PSTN or ISDN) using PPP connections. NASs handle authentication of remote users at the ISP end and determine whether a virtual connection is required. Like PPTP NASs, L2TP NASs are located at the ISP site and act as the client in the L2TP tunnel setup process. NASs can respond to and support many simultaneous connection requests and can support a wide range of clients.
L2TP Access Concentrator (LAC)
- The role of the LAC in L2TP tunneling is to establish a tunnel across a public network (such as PSTN, ISDN or the Internet) to the LNS at the host network's end. The LAC serves as the termination point of the physical medium between the client and the host network's LNS.
L2TP Network Server (LNS)
- LNSs are located at the host network end. They terminate the L2TP connection at the host network end in the same way the LAC terminates the tunnel from the client. When an LNS receives a request for a virtual connection from a LAC, it establishes the tunnel and authenticates the user who initiated the connection request. If the LNS accepts the connection request, it creates a virtual interface.
b) The L2TP process.
When a remote user needs to establish an L2TP tunnel across the Internet or another shared network, the following steps take place in order:
Step 1: The remote user sends a connection request to its nearest ISP NAS and begins initiating a PPP connection with the ISP end.
Step 2: The NAS accepts the connection request after authenticating the end user. The NAS uses a PPP authentication method, such as PAP, CHAP, SPAP or EAP, for this purpose.
Step 3: The NAS then activates the LAC, which gathers information together with the LNS of the host network.
Step 4: Next, the LAC establishes a LAC-LNS tunnel across the intermediate network between the two endpoints. The intermediate tunnel can be ATM, Frame Relay or IP/UDP.
Step 5: After the tunnel is successfully established, the LAC assigns a Call ID (CID) to the connection and sends a notification message to the LNS. This notification contains information that can be used to authenticate the user. The message also carries the LCP options used in negotiation between the user and the LAC.
Step 6: The LNS uses the information received in the notification message to authenticate the end user. If the user is authenticated successfully and the LNS accepts the tunnel request, a virtual PPP interface (the L2TP tunnel) is established with the help of the LCP options received in the notification message.
Step 7: The remote user and the LNS then begin exchanging data through the tunnel.
L2TP, like PPTP and L2F, supports two L2TP operating modes:
- Incoming call mode. In this mode, the connection request is initiated by the remote user.
- Outgoing call mode. In this mode, the connection request is initiated by the LNS. The LNS instructs the LAC to place a call to the remote user. Once the LAC establishes the call, the remote user and the LNS can exchange data packets through the tunnel.
c) L2TP tunnel data.
Like PPTP tunneled packets, L2TP data goes through several layers of encapsulation. The stages of L2TP data tunneling are:
- PPP encapsulation of data. Unlike PPTP encapsulation, the data is not encrypted before encapsulation; only a PPP header is added to the original payload.
- L2TP encapsulation of the PPP frame. After the original payload is encapsulated in a PPP packet, an L2TP header is added to it.
- UDP encapsulation of L2TP frames. Next, the L2TP-encapsulated packet is further encapsulated in a UDP frame; in other words, a UDP header is added to the encapsulated L2TP frame. The source and destination ports in the UDP header are set to 1710 as specified.
- IPSec encapsulation of UDP datagrams. After the L2TP frame has been UDP-encapsulated, the UDP frame is encrypted and an IPSec ESP header is added to it. An IPSec AH trailer is also appended to the encrypted, encapsulated packet.
- IP encapsulation of IPSec-encapsulated datagrams. Next, the final IP header is added to the IPSec-encapsulated packet. The IP header contains the IP addresses of the L2TP server (LNS) and the remote user.
- Data link layer encapsulation. The data link layer header and trailer are finally added to the IP packet produced by the final IP encapsulation. The data link layer header and trailer carry the packet to its destination node. If the destination node is local, the data link layer header and trailer are based on the LAN technology (for example, Ethernet). If, on the other hand, the packet is bound for a remote location, a PPP header and trailer are added to the L2TP-encapsulated packet.
De-tunneling L2TP tunneled packets is the reverse of the tunneling process. When an L2TP component (the LNS or the end user) receives an L2TP tunneled packet, it first processes the packet by removing the data link layer header and trailer. Next, the packet is processed further and the IP header is removed.
The packet is then authenticated using the information carried in the IPSec ESP header and AH trailer. The IPSec ESP header is also used to decrypt the encrypted information. Next, the UDP header is processed and removed. The Tunnel ID and Call ID in the L2TP header identify the L2TP tunnel and session.
Finally, the PPP header is processed and removed, and the PPP payload is forwarded to the appropriate protocol driver for processing.
d) L2TP tunnel modes.
L2TP supports two modes: compulsory tunnel mode and voluntary tunnel mode. These tunnels play an important role in securing data exchange from one endpoint to another.
In compulsory tunnel mode, the PPP frames from the remote PC are tunneled transparently to the LAN. This means the remote client does not control the tunnel, and it appears as though it were connected directly to the corporate network through a PPP connection. The L2TP software adds an L2TP header to every PPP frame that is tunneled. This header is used at the other end of the tunnel, where the L2TP packet is separated back into its components.
Setting up a compulsory L2TP tunnel proceeds through the following steps:
Step 1: The remote user requests a PPP connection from the NAS located at the ISP site.
Step 2: The NAS authenticates the user. This authentication process also lets the NAS learn how the user is requesting the connection.
Step 3: If the NAS is free to accept the connection request, a PPP connection is set up between the ISP and the remote user.
Step 4: The LAC initiates an L2TP tunnel to an LNS at the destination home network.
Step 5: If the connection is accepted by the LNS, the PPP frames undergo L2TP tunneling. These L2TP-tunneled frames are then forwarded to the LNS through the L2TP tunnel.
Step 6: The LNS accepts these frames and recovers the original PPP frames.
Step 7: Finally, the LNS authenticates the user and receives the data packets. If the user is authenticated successfully, an appropriate IP address is mapped to the frame.
Step 8: The frame is then forwarded to the destination node in the intranet.
In voluntary tunnel mode the remote client itself takes on the LAC function, so it can control the tunnel. Because the L2TP protocol operates exactly as it does with a compulsory tunnel, the LNS sees no difference between the two modes.
The greatest advantage of voluntary L2TP tunneling is that it allows the remote user to connect to the Internet and establish several VPN sessions at the same time. To use this feature effectively, however, the remote user must be assigned several IP addresses: one is used for the PPP connection to the ISP, and one is used to support each separate L2TP tunnel. This benefit is also a drawback for the remote user, since the home network can then be exposed to attacks through it.
Setting up a voluntary L2TP tunnel is simpler than setting up a compulsory tunnel, because the remote user takes care of re-establishing the PPP connection to the ISP endpoint.
Setting up a voluntary L2TP tunnel involves the following steps:
Step 1: The LAC (in this case the remote user) issues a request for a voluntary L2TP tunnel to the LNS.
Step 2: If the tunnel request is accepted by the LNS, the LAC tunnels the PPP frames according to the L2TP specification and forwards these frames through the tunnel.
Step 3: The LNS accepts the tunneled frames, strips the tunneling information and processes the frames.
Step 4: Finally, the LNS authenticates the user and, if the user is authenticated successfully, forwards the frames to the end node in the intranet.
e) Advantages and disadvantages of L2TP.
The main advantages of L2TP are listed below:
L2TP is a general solution; in other words, it is platform independent. It also supports many different network technologies. In addition, it supports transactions over non-IP WAN connections without requiring an IP.
L2TP tunneling is transparent to the ISP as well as to the remote user. Consequently, no configuration is required on the user side or at the ISP.
L2TP lets an organization control user authentication instead of leaving this to the ISP.
L2TP provides low-level flow control that can drop data packets as needed if the tunnel becomes overloaded. This makes transactions over L2TP faster than transactions over L2F.
L2TP lets remote users with unregistered (or private) IP addresses access a remote network through a public network.
L2TP improves security by using IPSec-based payload encryption during tunneling, and by being able to apply IPSec authentication on a per-packet basis.
Deploying L2TP also has the following disadvantages:
L2TP is slower than PPTP or L2F because it uses IPSec to authenticate every packet received.
Although PPTP ships as a ready-made VPN solution, a Routing and Remote Access Server (RRAS) requires extended configuration.
2.2.3 Secure Socket Tunneling Protocol (VPN-SSTP).
Currently, besides the two mechanisms PPTP and L2TP, Windows Server 2008 and Windows Vista Service Pack 1 support an additional new connection mechanism: Secure Socket Tunneling Protocol (SSTP).
a) Introduction.
SSTP (Secure Socket Tunneling Protocol) is a form of VPN connection in Windows Vista and Windows Server 2008. SSTP uses SSL-encrypted HTTP connections to establish a VPN connection to the VPN gateway. SSTP is a very secure protocol because the user's sensitive credentials are not sent until a secure SSL tunnel has been established with the VPN gateway. SSTP is also known as PPP over SSL, which also means you can use the PPP and EAP authentication mechanisms to make SSTP connections more secure.
b) Why use SSTP in a VPN.
A VPN provides a way to connect remotely to a network through the Internet. Windows Server 2003 supports VPN tunnels based on PPTP and L2TP/IPSec. If the remote user is behind a firewall, these tunnels require specific ports to be opened in the firewalls, such as TCP port 1723 and the IP protocol GRE to allow a PPTP connection.
There are situations, such as an employee visiting a customer site, a partner site or a hotel, where the network allows only web access (HTTP, HTTPS) and all other ports are blocked. As a result, these remote users run into problems when making a VPN connection, which increases help-desk calls and reduces employee productivity. Secure Socket Tunneling Protocol (SSTP) is a new VPN tunnel introduced in Windows Server 2008 to solve this VPN connectivity problem.
SSTP does this by using HTTPS as the transport layer, so that VPN connections can pass through commonly configured firewalls, NAT devices and web proxy servers. Because HTTPS connections (TCP 443) are commonly used to access protected Internet sites such as e-commerce web sites, HTTPS is usually open in firewalls and can pass through web proxies and NAT routers.
An SSTP-based VPN server running on Windows Server 2008 listens for SSTP connections from VPN clients. The SSTP server must have a Computer Certificate installed with the Server Authentication property. This Computer Certificate is used to authenticate the SSTP server to the SSTP client while the SSL session is being set up. The client validates the SSTP server's certificate; for this to work, the Root CA that issued the certificate to the SSTP server must be installed on the SSTP client.
An SSTP-based VPN tunnel functions like an L2TP- or PPTP-based tunnel. This means PPP is wrapped inside SSTP, which in turn carries the traffic over the HTTPS connection. Consequently, all the other VPN features, such as NAP-based health checks, carrying IPv6 traffic over the VPN, authentication methods such as username and smartcard, and Connection Manager-based VPN clients, remain unchanged across SSTP, PPTP and L2TP. This gives administrators a good migration path from L2TP/PPTP to SSTP.
c) How does SSTP work?
SSTP runs over HTTPS, that is, HTTP using SSL to protect information and data. SSL also provides a mechanism to authenticate the endpoints when required, using PKI. SSTP uses SSL to authenticate the server to the client, and relies on the PPP running on top of it to authenticate the client to the server. In other words, the client authenticates the server by its certificate, and the server authenticates the client through the existing protocols supported by PPP.
When a client connects to the Remote Access Server using SSTP as the tunneling protocol, SSTP establishes an HTTPS session with the remote server on port 443 at a specific URL. The HTTP proxy settings configured through Internet Explorer are used to establish this connection.
Within the HTTPS session, the client requires the server to present a certificate for authentication. When the SSL handshake completes, the HTTP session is established on top of it. SSTP is then used to negotiate parameters between the client and the server.
Once the SSTP layer is established, PPP negotiation begins in order to authenticate the client to the server and to tunnel the data.
Chapter 2: IPSec encryption mechanisms.
1. Introduction to IPSec.
1.1. Modes of operation.
1.1.1. Transport mode.
This mode supports communication between hosts, or between a server and another host, without the involvement of any security gateway.
In Transport mode, only the payload of the packets being exchanged is encrypted and/or authenticated. During routing, the IP header is neither modified nor encrypted; however, when the authentication header is used, the IP addresses cannot be modified (nor can, for example, the port numbers). Transport mode is used for host-to-host communication. This means the encapsulation of IPSec information for NAT traversal is defined by the RFC documents for NAT-T.
Figure 6: IPSec packet structure in Transport Mode.
1.1.2. Tunnel mode:
This mode supports remote access and secure site-to-site links. Transport mode applies AH and ESP to the transport-layer portion of an IP packet: the actual IP payload is the only part of the whole packet that is protected, while the IP header, with the addresses of the sending and receiving endpoints, is not protected. When both AH and ESP are applied, AH is applied afterwards to compute the integrity of the data over the whole payload. Tunnel mode, on the other hand, allows the entire IP packet to be encrypted and authenticated. Security gateways use this mode to provide security services on behalf of other entities on the network. The communicating end nodes are protected inside the inner IP packets, while the encrypting endpoints are carried in the outer IP packets that are transmitted. A security gateway parses the inbound IP packet for the final recipient after IPSec has finished its processing. In tunnel mode, the destination IP address is protected.
Figure 7: IPSec packet structure in Tunnel Mode.
In tunnel mode an additional IP header is added, which is not the case in transport mode. IPSec defines tunnel mode for both AH and ESP.
When host 1 wants to communicate with host 2, it can use tunnel mode so that the security gateways can provide the security services for the communication between the two nodes over the public network.
IPSec allows security in several layers and over several paths, in which the header of the inner packet is completely enclosed by the header of the packet that is sent. One condition must hold, however: the paths must not overlap.
For outbound traffic, the IP layer consults the SPD (Security Policy Database) to decide which security services to apply. Selectors extracted from the headers are used to look up an action in the SPD. If the SPD action is to apply security, a pointer to the SA in the SADB (Security Association Database) is returned. If the SA is not in the SADB, IKE is triggered. The AH and ESP headers are then added as the SA specifies, and the packet is transmitted.
For inbound traffic, after a packet is received, the layer responsible for security checks the list of security policies to determine one of the following actions: discard, bypass or apply. If the action is apply but no SA exists, the packet is dropped. If the SA is in the SADB, the packet is passed to the next layer for processing. If the packet contains IPSec service headers, the IPSec stack takes the packet and processes it. During processing, IPSec extracts the SPI and the packet's source and destination addresses. The SADB is indexed by the parameters used to select the particular SA to use: SPI, destination address, or protocol.
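As an added illustration (not code from the report or from any IPSec implementation) of the outbound SPD lookup and inbound SADB lookup just described, the following Python models both databases; the selector fields, addresses, SPIs and keys are constructed.

```python
# Added illustration of the outbound SPD lookup and inbound SADB lookup
# described above; not code from the report or any IPsec stack. The
# selector fields, sample addresses, SPIs and keys are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

DISCARD, BYPASS, APPLY = "discard", "bypass", "apply"   # the three SPD actions
AH, ESP = 51, 50                                        # IP protocol numbers


@dataclass(frozen=True)
class Selector:
    """Traffic selector taken from the packet headers."""
    src: str                        # CIDR
    dst: str                        # CIDR
    proto: Optional[int] = None     # None matches any IP protocol
    dport: Optional[int] = None     # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in (None, pkt["proto"])
                and self.dport in (None, pkt.get("dport")))


@dataclass(frozen=True)
class SPDEntry:
    selector: Selector
    action: str
    ipsec_proto: Optional[int] = None   # AH or ESP, only meaningful for APPLY


@dataclass(frozen=True)
class SA:
    spi: int
    dst: str
    ipsec_proto: int
    key: bytes


class SADB:
    """Security Association Database, indexed by (SPI, destination, protocol)."""

    def __init__(self):
        self._sas = {}

    def add(self, sa: SA) -> None:
        self._sas[(sa.spi, sa.dst, sa.ipsec_proto)] = sa

    def lookup_inbound(self, spi: int, dst: str, ipsec_proto: int) -> Optional[SA]:
        return self._sas.get((spi, dst, ipsec_proto))

    def lookup_outbound(self, dst: str, ipsec_proto: int) -> Optional[SA]:
        # No SPI is known yet on the sending side: any SA to that peer will do.
        for (_, d, p), sa in self._sas.items():
            if d == dst and p == ipsec_proto:
                return sa
        return None


def outbound(spd: list, sadb: SADB, pkt: dict):
    """Return (action, sa, needs_ike). The first matching SPD entry wins;
    a packet matching no entry is discarded."""
    for entry in spd:
        if entry.selector.matches(pkt):
            if entry.action != APPLY:
                return entry.action, None, False
            sa = sadb.lookup_outbound(pkt["dst"], entry.ipsec_proto)
            if sa is None:
                return APPLY, None, True     # no SA yet: IKE must negotiate one
            return APPLY, sa, False
    return DISCARD, None, False


def inbound(sadb: SADB, pkt: dict) -> Optional[SA]:
    """Inbound AH/ESP packet: select the SA by SPI, destination and protocol.
    None means the packet is dropped."""
    return sadb.lookup_inbound(pkt["spi"], pkt["dst"], pkt["proto"])


def sample_policy():
    """Constructed SPD: protect HTTP from 10.0.1.0/24 to 10.0.2.0/24 with ESP,
    bypass ICMP, discard everything else. The SADB starts empty."""
    spd = [
        SPDEntry(Selector("10.0.1.0/24", "10.0.2.0/24", proto=6, dport=80), APPLY, ESP),
        SPDEntry(Selector("0.0.0.0/0", "0.0.0.0/0", proto=1), BYPASS),
    ]
    return spd, SADB()
```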
Figure 8.
IPSec makes it possible to establish separate communication sessions and ensure confidentiality over the Internet without any knowledge of the applications running on the host or of the higher-layer protocols such as the transport layer.
Figure 9.
IPSec is a protocol suite that can authenticate data at both the sender's and the receiver's side, ensuring confidentiality and data integrity through encryption and authentication. IPSec works with every application feature that runs on an IP network.
IPSec operates efficiently and faster than security applications operating at the application layer.
Figure 10.
IPSec can be thought of as a layer beneath TCP/IP that controls user access based on a security policy for each computer and a security negotiation between sender and receiver.
Encapsulating Security Payload (ESP): protocol number 50 as assigned by IANA. ESP is a security protocol that can provide confidentiality and authentication of data packets against prying by unauthorized users. ESP protects the payload of the packet; ESP provides authentication for the inner IP packet and the ESP header. This authentication establishes the origin and the integrity of the packet.
ESP supports symmetric encryption ciphers such as Blowfish and DES. The default data encryption algorithm used in IPSec is 56-bit DES. Cisco products and network devices used in VPNs encrypt data more strongly using the 128-bit 3DES (Triple Data Encryption Standard) algorithm.
ESP can be used on its own or combined with the Authentication Header (AH) protocol, depending on the environment. Both ESP and AH provide integrity and authentication of data packets.
ESP can also protect the uniqueness of packets by requiring the receiver to set a replay bit in the header indicating that the packet has been sent.
Authentication Header protocol (AH).
IPSec has a special header, the Authentication Header (AH), designed to provide most authentication services for IP data.
With IPv4:
Figure 11.
With IPv6:
Figure 12.
Internet Key Exchange protocol (IKE).
AH and ESP are protocols for which IPSec requires shared secrets for key distribution, so keys may be stolen while being exchanged. A secure key exchange mechanism for IPSec must therefore satisfy the following requirements:
It does not depend on particular algorithms.
It does not depend on a particular key exchange protocol.
Authentication of the key-management entities.
Establishment of SAs over insecure paths.
Efficient use of resources.
IKE is based on the Internet Security Association and Key Management Protocol (ISAKMP) framework and the Oakley key distribution protocol.
IKE has the following characteristics:
+ Key generation and identification procedures.
+ Automatic key refresh.
+ Handling of key loss.
+ Each security protocol (AH, ESP) has its own security parameter index space.
+ Built-in protection.
+ Resistance to resource-exhaustion attacks such as Denial of Service (DoS) attacks.
+ A two-phase approach:
Establish SAs for the key exchange.
Establish SAs for the data transfer.
+ Use of digital signatures.
+ Shared keys.
IKE is designed to provide five capabilities:
Providing the means for the two parties to agree on the protocols, algorithms and keys to use.
Ensuring the key exchange reaches the right user.
Managing the keys after they have been accepted.
Ensuring that the key control and exchange are secure.
Allowing dynamic authentication between peers.
1.2. The protocols.
1.2.1. AH (Authentication Header).
AH is used in connections that do not require data confidentiality. It is also the option for resisting replay attacks, using the sliding window technique and discarding older packets. AH protects data transmission over IP. In IPv4, the IP header includes TOS, Flags, Fragment Offset, TTL and Header checksum. AH operates directly on the first part of the IP packet. The layout of the AH header is shown below.
Figure 13: AH packet structure.
Meaning of each field:
Next header (8 bits): Identifies the protocol used to carry the information, i.e. the type of data that follows the AH header.
Payload length (8 bits): The size of the AH header in 32-bit units, minus 2. (For example, if the total length of the AH header is 6 units, the payload length field is 4.)
RESERVED (16 bits): Reserved for future use (currently set to all zeros).
Security parameters index (SPI, 32 bits): Identifies the security parameters, combined with the IP address, and identifies the security association associated with the packets. Values 1-255 are reserved, value 0 is used for special purposes, and the other values are assigned as SPIs.
Sequence number (32 bits): An unsigned, monotonically increasing value that provides the anti-replay service for an SA. This information need not be used by the receiver, but it must be included by the sender. The counter is initialized to 0 when the SA is established. If the anti-replay service is used, this counter is never allowed to repeat. Because the sender does not know whether the receiver uses the anti-replay service, the SA is torn down and a new SA is established after 2^32 packets have been transmitted.
Authentication data (variable length): This field contains the Integrity Check Value (ICV) for the packet. The field must be an integral multiple of 32 bits and may contain padding to fill it out to an even 32-bit boundary. The ICV is computed with algorithms such as Message Authentication Codes (MACs). MACs are based on symmetric encryption algorithms such as DES and 3DES, or on one-way hash functions such as MD5 or SHA-1. When computing the ICV, the key used in the MAC makes this value hard to forge. Each end of the VPN connection computes this ICV independently; if the values do not match, the packet is dropped. This ensures that packets are not modified in transit.
AH provides authentication, integrity and anti-replay protection for the whole packet, including the IP header and the data carried in the packet.
AH does not provide privacy: it does not encrypt the data, so the data can be read, but it is protected against modification. AH uses a keyed AH algorithm to sign the data packet so as to ensure its integrity.
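The sliding-window anti-replay check that these sequence numbers make possible, as an added Python illustration rather than the report's own material; the window size of 64 and the check-then-verify-then-update ordering are assumptions.

```python
# Added illustration of the sliding-window anti-replay check that the AH and
# ESP sequence numbers enable; not code from the report. The window size is
# an assumption (64 is a common choice).
MAX_SEQ = 2**32 - 1     # after 2^32 packets the SA must be replaced


class AntiReplayWindow:
    """Receiver-side state for one SA: the highest sequence number seen and a
    bitmap of which of the `size` most recent numbers have been accepted."""

    def __init__(self, size: int = 64):
        self.size = size
        self.mask = (1 << size) - 1
        self.top = 0          # highest accepted sequence number; bit 0 of bitmap
        self.bitmap = 0       # bit i set  =>  top - i has been received
        self.exhausted = False

    def check(self, seq: int) -> bool:
        """Should this sequence number be considered at all? Called before the
        ICV is verified; does not modify the window."""
        if seq == 0 or self.exhausted:
            return False                      # 0 is never valid; counter wrapped
        if seq > self.top:
            return True                       # newer than anything seen so far
        offset = self.top - seq
        if offset >= self.size:
            return False                      # older than the window: discard
        return not (self.bitmap >> offset) & 1   # bit already set => replay

    def mark(self, seq: int) -> None:
        """Record seq once the packet's ICV has verified."""
        if seq > self.top:
            shift = seq - self.top
            # Slide the window so that bit 0 now stands for `seq`.
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & self.mask
            self.top = seq
            if seq == MAX_SEQ:
                self.exhausted = True         # sender must set up a new SA
        else:
            self.bitmap |= 1 << (self.top - seq)

    def accept(self, seq: int, icv_ok: bool) -> bool:
        """Full receive-side decision: replay check, then ICV, then update.
        A packet with a bad ICV never advances the window."""
        if not self.check(seq) or not icv_ok:
            return False
        self.mark(seq)
        return True
```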
Figure 14: Authentication components in AH.
Figure 15: AH packet creation process.
AH packet creation process.
When an AH SA is first created, the authentication algorithm and keys are recorded, and the sequence number is set to 0. When IPSec determines that an outbound packet is to have AH applied, it takes the appropriate SA and performs the following steps:
Step 1: An AH header template is inserted between the IP header and the upper-layer header.
Step 2: The sequence number is incremented and stored in the AH header. At this point, AH checks to make sure the sequence number will not wrap; if it would, AH creates a new SA and restarts the sequence from 0. If the sequence number does not wrap, it is incremented and stored in the AH header.
Step 3: The remaining AH fields, except the ICV, are filled in with the specified length.
Step 4: If needed, optional padding is added to the AH header to make sure it is a multiple of 32 bits (64 bits for IPv6).
Step 5: The mutable fields in the IP header and the ICV field in the AH header are set to 0, and the ICV is computed over the entire IP datagram. If there are intermediate source routes (via intermediate devices) in the IP header, the destination address must be set to the final destination before the ICV is computed.
Step 6: The mutable fields are filled back in, and the ICV is stored in the AH header. If there is an intermediate source-route option, the destination address field of the IP header is set to the intermediate destination.
Step 7: The IP datagram is placed on the output queue for transmission to its destination.
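An added Python illustration of steps 1 to 6 for an IPv4 transport-mode packet (not code from the report or from any IPSec stack): it builds the AH header, zeroes the mutable IP fields and the ICV field, and computes the ICV over the whole datagram. HMAC-SHA1-96 as the MAC, an option-less IPv4 header, and the sample addresses, key and payload are assumptions.

```python
# Added illustration of AH packet creation steps 1-6 above (IPv4, transport
# mode): the AH header is built, mutable IP fields and the ICV field are
# zeroed, and the ICV is an HMAC over the whole datagram. Not the report's or
# any stack's code; HMAC-SHA1-96 as the MAC, a 20-byte option-less IPv4
# header, and the sample addresses, key and payload are assumptions.
import hashlib
import hmac
import struct

AH_PROTO = 51
ICV_LEN = 12            # HMAC-SHA1-96: the 160-bit MAC truncated to 96 bits
AH_FIXED_LEN = 12       # next header, payload length, reserved, SPI, sequence


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal IPv4 header. The checksum is left 0: it is a mutable field,
    zeroed for the ICV anyway, and a real stack fills it in afterwards."""
    def addr(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       addr(src), addr(dst))


def zero_mutable(ip_hdr: bytes) -> bytes:
    """Step 5: TOS, flags/fragment offset, TTL and header checksum may change
    in transit, so they are treated as zero when computing the ICV."""
    h = bytearray(ip_hdr)
    h[1] = 0                   # TOS
    h[6:8] = b"\x00\x00"       # flags + fragment offset
    h[8] = 0                   # TTL
    h[10:12] = b"\x00\x00"     # header checksum
    return bytes(h)


def compute_icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, upper: bytes) -> bytes:
    """ICV over the entire datagram with the ICV field itself set to zero."""
    covered = zero_mutable(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + upper
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key: bytes, src: str, dst: str, next_header: int,
                    spi: int, seq: int, upper: bytes) -> bytes:
    """Steps 1-4 and 6: insert the AH header between the IP header and the
    upper-layer data, fill its fields, then store the computed ICV."""
    if seq == 0:
        raise ValueError("sequence number wrapped: a new SA is required")
    ah_len = AH_FIXED_LEN + ICV_LEN                       # 24 bytes = 6 words
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + ah_len + len(upper))
    # Payload length = AH length in 32-bit words minus 2 (6 words -> 4).
    ah_fixed = struct.pack("!BBHII", next_header, ah_len // 4 - 2, 0, spi, seq)
    icv = compute_icv(key, ip_hdr, ah_fixed, upper)
    return ip_hdr + ah_fixed + icv + upper


def verify_ah_packet(key: bytes, pkt: bytes):
    """Receiver side: recompute the ICV and compare in constant time.
    Returns (ok, next_header, spi, seq, upper_layer_data)."""
    ip_hdr, rest = pkt[:20], pkt[20:]
    next_header, payload_len, _, spi, seq = struct.unpack("!BBHII", rest[:AH_FIXED_LEN])
    ah_len = (payload_len + 2) * 4
    ah_fixed, icv, upper = rest[:AH_FIXED_LEN], rest[AH_FIXED_LEN:ah_len], rest[ah_len:]
    ok = hmac.compare_digest(icv, compute_icv(key, ip_hdr, ah_fixed, upper))
    return ok, next_header, spi, seq, upper
```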
1.2.2. ESP (Encapsulating Security Payload).
ESP provides authentication, integrity and confidentiality of packets. ESP can also be configured for situations where only encryption or only authentication is needed.
Figure 16: ESP packet structure.
Meaning of the components:
Security parameters index (SPI, 32 bits): identifies the parameters, combined with the IP address, that identify the SA.
Sequence number (32 bits): automatically incremented; used for anti-replay protection.
Payload data (variable length): the IP packet or a part of the original packet, depending on the IPSec mode in use. In Tunnel Mode this field contains the entire original IP packet. In Transport Mode it contains only the upper-layer protocol portion of the original packet. The length of the payload is always an integral number of bytes.
Padding (variable length) and Pad Length (8 bits): the inserted padding and its length.
Next Header (8 bits): identifies the protocol used in the transmission. The value is 6 for TCP or 17 for UDP in Transport Mode, and 4 (IP-in-IP) in Tunnel Mode.
Authentication (multiple of 32 bits): contains the authentication data for the packet, computed over the whole ESP packet except the Authentication data field. Encryption algorithms include DES, 3DES and AES. Authentication algorithms include MD5 and SHA-1. ESP also provides anti-replay protection so that packets cannot be tampered with. ESP in transport mode does not apply the algorithm to the whole packet but only to the body after the IP header. ESP can be used on its own or combined with AH; below is a diagram of how ESP is applied to user data between two IPSec peers.
Figure 17: ESP operation.
ESP uses symmetric cryptography to encrypt the data in IPSec packets. Hence, for both endpoints protected by ESP to work together, both sides must use the same key to encrypt and decrypt packets. When an endpoint encrypts data, it splits the data into small blocks and then performs the encryption operation repeatedly using each data block and the key. Encryption algorithms that work in this way are known as block cipher algorithms. When the other endpoint receives the encrypted data, it decrypts using the same key and the same procedure, but with the steps reversed. ESP has IP protocol number 50.
ESP send process.
When an IP datagram is ready to be placed on the output queue, it is checked to see whether it must be processed by IPSec. If ESP encapsulation is required, it must be known whether the SA operates in Transport Mode or Tunnel Mode. Processing proceeds through the following steps:
Step 1: The SPD is searched for an SA matching the exact information such as destination address, port and protocol; if no SA exists yet, a pair of SAs is negotiated between the two communicating parties.
Step 2: The sequence number from the SA is incremented and placed in the ESP header. If the peer has not disabled anti-replay, the sequence number is checked to make sure it is not 0.
Step 3: If needed, padding is added to reach the required length, and the pad length and next header fields are filled in. If the encryption algorithm requires it, an IV is added to the payload data (the initialization vector is an arbitrary block XORed with the first data block before encryption, so that identical data does not produce identical ciphertext). The IV, the payload data and the ESP trailer are then encrypted using the key and algorithm specified in the SA.
Step 4: The ICV is computed over the ESP header, IV, payload data and ESP trailer fields and placed in the Authentication data field, using the key and algorithm in the SA.
Step 5: If the resulting packet requires fragmentation, it is performed at this point. In Transport Mode, ESP is applied only to a whole IP datagram; in Tunnel Mode, ESP may be applied to an IP datagram fragment.
Note that the order of encryption and authentication is important. Because authentication is performed last, the ICV is computed over the already encrypted data, which means the receiver can perform the relatively fast authentication check before the much slower decryption. This partly guards against DoS attacks in which a stream of random "encrypted" data is sent to the receiver.
ESP receive process.
Because incoming data may have been fragmented during routing, it must be reassembled. After reassembly, ESP processing proceeds through the following steps:
Step 1: The SA is found by matching the destination address, protocol (ESP) and SPI of the incoming packet. If no SA exists, the packet is discarded.
Step 2: If anti-replay is enabled, the sequence number is checked.
Step 3: The packet is authenticated by computing the ICV over the ESP header, payload and ESP trailer fields using the algorithm and key in the SA; if authentication fails, the packet is discarded. If the packet is authenticated, it is accepted and the receiver updates its sequence number state.
Step 4: The payload and ESP trailer fields are decrypted using the algorithm and key in the SA. If padding was added, it must be checked to make sure it holds the values appropriate for the decryption algorithm. The original IP packet is reassembled with the ESP fields removed; this reassembly depends on whether Transport Mode or Tunnel Mode is in use.
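An added Python illustration of the ESP send steps 2 to 4 and receive steps 1, 3 and 4 (not the report's code), showing the padding and trailer layout and why the ICV is checked before any decryption. So that it runs with the standard library alone, the block cipher an SA would negotiate is stood in for by an HMAC-SHA256 keystream in counter mode, the ICV is HMAC-SHA256 truncated to 128 bits, and the block size, keys and sample payload are constructed.

```python
# Added illustration of the ESP send steps 2-4 and receive steps 1, 3 and 4
# above: pad to the block size, append the pad-length/next-header trailer,
# encrypt under an IV, then compute the ICV over header + IV + ciphertext; on
# receipt the ICV is verified before anything is decrypted. Not the report's
# code. To stay standard-library only, the block cipher the SA would name is
# replaced by an HMAC-SHA256 keystream in counter mode (an assumption), the
# ICV is HMAC-SHA256 truncated to 128 bits, and block size, keys and sample
# payload are constructed.
import hashlib
import hmac
import os
import struct

BLOCK = 16        # assumed cipher block size; payload + trailer is padded to it
IV_LEN = 16
ICV_LEN = 16


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Stand-in cipher: PRF(key, iv || counter) blocks, XORed with the data."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(key, iv + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(enc_key: bytes, auth_key: bytes, spi: int, seq: int,
                    next_header: int, payload: bytes, iv: bytes = None) -> bytes:
    if seq == 0:
        raise ValueError("sequence number is 0: counter wrapped, new SA required")
    iv = iv if iv is not None else os.urandom(IV_LEN)
    # Step 3: padding so that payload + 2 trailer bytes fill whole blocks;
    # pad bytes carry 1, 2, 3 ... so the receiver can check them.
    pad_len = (-(len(payload) + 2)) % BLOCK
    padding = bytes(range(1, pad_len + 1))
    plaintext = payload + padding + bytes([pad_len, next_header])
    ciphertext = xor(plaintext, keystream(enc_key, iv, len(plaintext)))
    header = struct.pack("!II", spi, seq)            # Step 2: SPI + sequence
    # Step 4: ICV over ESP header, IV and the already-encrypted data.
    icv = hmac.new(auth_key, header + iv + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return header + iv + ciphertext + icv


def esp_decapsulate(enc_key: bytes, auth_key: bytes, expected_spi: int, pkt: bytes):
    """Returns (seq, next_header, payload), or None when the packet is dropped
    (unknown SPI, bad ICV, or bad padding). Anti-replay is left to the SA."""
    spi, seq = struct.unpack("!II", pkt[:8])
    if spi != expected_spi:
        return None                                   # Step 1: no SA
    body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None                                   # Step 3: rejected before decrypting
    iv, ciphertext = body[8:8 + IV_LEN], body[8 + IV_LEN:]
    plaintext = xor(ciphertext, keystream(enc_key, iv, len(ciphertext)))   # Step 4
    pad_len, next_header = plaintext[-2], plaintext[-1]
    payload, padding = plaintext[:-2 - pad_len], plaintext[-2 - pad_len:-2]
    if padding != bytes(range(1, pad_len + 1)):
        return None                                   # Step 4: padding check
    return seq, next_header, payload
```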
Figure 18: Comparison of AH and ESP.
2 Using IPSec.
2.1 Purpose.
IPSec is used to secure data transmitted over the network. The administrator sets up a set of policies called an IPSec Policy. These policies contain filters specifying which types of traffic require encryption, digital signing or both. Each packet the computer sends is then checked to see whether it matches the conditions of the policy. This process is transparent to the user and to the applications that initiate the data transfer. Because IPSec is carried in standard IP packets, it can traverse the network without any special configuration on the devices between the two hosts.
IPSec cannot encrypt some types of traffic, such as broadcast, multicast and Kerberos protocol packets.
2.2 Advantages and disadvantages of IPSec.
2.2.1 Advantages
The main benefit of IPSec is that its encryption is completely transparent to all protocols at layer 3 of the OSI model and above.
IPSec provides:
- Mutual authentication before and during the exchange.
- Confidentiality through encryption of IP traffic and digital authentication of packets. IPSec has two modes: ESP (Encapsulating Security Payload), which encrypts using one or more algorithms, and AH (Authentication Header), which authenticates traffic but does not encrypt it.
- Integrity of IP traffic by rejecting traffic that has been modified. Both ESP and AH verify the integrity of all IP traffic. If a packet has been modified, the digital signature will not match and the packet is discarded.
- Attack prevention: Both ESP and AH use sequence numbers, so that any packet captured and resent later carries an out-of-sequence number. Ordered sequence numbers make sure an attacker cannot reuse or replay captured data to establish a session or gather information illegitimately. Sequence numbers also protect against attacks in which a message is intercepted and the identical message is later used, possibly months afterwards, to gain unauthorized access to resources.
2.2.2 Disadvantages
All packets processed by IPSec grow in size because of the various headers added, which reduces the effective throughput of the network. This can be addressed by compressing data before encryption, but such techniques are still under research and not yet standardized.
IPSec is designed to secure only IP traffic and does not support other kinds of traffic.
The many complex computations in IPSec remain a challenge for low-powered workstations and PCs.
Distribution of cryptographic hardware and software is still restricted by the governments of some countries.
3 Deploying IPSec.
3.1 How IPSec secures traffic.
IPSec configuration is set through policy on the local machine or group policy in the Active Directory directory service:
IPSec policies are delivered to all computers: The policy tells the IPSec driver how to run and defines the Security Associations that may be established. A security association governs which encryption protocol is used for which type of traffic and which authentication method is set up.
A Security Association is established: The Internet Key Exchange (IKE) component establishes the Security Association. IKE combines two protocols: Internet Security Association and Key Management Protocol (ISAKMP) and Oakley Key Determination. If one client requires certificates for authentication and the other requires the Kerberos protocol, IKE cannot establish a security association between the two machines. If you look at the packets in Network Monitor you will see ISAKMP packets, but no AH or ESP packets following them.
IP packets are encrypted: After the security association is established, the IPSec driver monitors all IP traffic, comparing it against the defined filters.
3.2 What is an IPSec Security Policy?
Definition
An IPSec security policy consists of one or more rules that determine how IPSec behaves.
IPSec Security policy rules
You deploy IPSec by setting up policies. Each policy can contain several rules, but only one policy can be assigned on a machine at any given time. You must combine all the required rules into a single policy. Each rule consists of:
Filter: The filter tells the policy which traffic the filter action applies to. For example, you can have a filter that identifies only HTTP traffic or only FTP traffic.
Filter action: The filter action determines what the policy does if the traffic matches the filter. For example, you can tell IPSec to block all FTP traffic but require encryption of all HTTP traffic. The filter action can also specify the encryption and hashing algorithms the policy should use.
Authentication method: There are three possible authentication methods: certificates, the Kerberos protocol and preshared keys. Each rule can specify several authentication methods.
Default policies
In Windows 2000 and later, three policies are configured by default:
Client (Respond only): If a computer requests that the client use IPSec, it responds with IPSec. The Client (Respond Only) policy never initiates IPSec on its own. This policy has one rule, called the Default Response rule. This rule lets the host respond to ESP requests from hosts in trusted Active Directory domains. ESP is the IPSec mode that provides confidentiality along with authentication, integrity and anti-replay.
Server (Request Security): You can use this policy on both servers and clients. It always tries to use IPSec but can fall back to unsecured communication if the client is not configured with an IPSec policy. The Request Security policy has three rules. The first is the Default Response rule described above. The second permits ICMP traffic. ICMP is the maintenance protocol in TCP/IP; it reports errors and allows simple connectivity tests, and the ping command uses ICMP for TCP/IP troubleshooting. Although ICMP is a good diagnostic tool, you may want to disable it in a high-security network because some attacks are based on ICMP. The third rule requires ESP for all IP traffic.
Secure Server (Require Security): You can use this policy on both servers and clients. If this policy is assigned, the computer can communicate only over IPSec and never falls back to unsecured communication. This policy also has three rules. The first two are the Default Response and Permit ICMP rules described above. The difference in the Secure Server (Require Security) policy is that all traffic must be encrypted with ESP, otherwise the server will not communicate with the other host. The ICMP rule overrides the rule that requires security for all other IP traffic.
3.3 How do the policies work?
Negotiating a security association
Policies should never be considered in isolation. Computers that negotiate a security association must have complementary policies. The table above shows the effects when the default policies work together. If two hosts can negotiate a compatible security association, communication can take place using IPSec. If the two hosts have incompatible policies, they may fall back to unsecured communication or be unable to communicate at all.
Example of how policies work together
The table above applies only to the default policies with their default rules. If you apply policies with rules such that machine A requests ESP for HTTP and machine B requires AH for HTTP, the two machines will not be able to negotiate a security association.
Kerberos authentication is the default setting for all the default policies. The Kerberos protocol works with computers in an Active Directory system, but if a machine is not a member of that system, the other computers cannot negotiate authentication with it. If machine B is changed to use only certificates for authenticating IP traffic, a security association cannot be established. Machine B can be reconfigured to require either the Kerberos protocol or certificates; once the authentication methods agree, authentication can take place.
If you assign the Secure Server (Require Security) policy, the computer will not be able to communicate with any machine that does not have IPSec set up. For example, if the computer needs to reach a server running Microsoft SQL Server that does not have IPSec, that access will fail.
If you assign the Server (Request Security) policy, the computer falls back to unsecured communication with any computer that has no policy. The IPSec policy is set up to secure the traffic that needs securing while still allowing basic communication.
4 Deploying IPSec with Certificates.
4.1 Introduction to Certificates.
Definition
An X.509 digital certificate is an electronic credential commonly used for authentication and for securing information exchange on open networks such as the Internet, extranets and intranets.
A certificate binds a public key to the entity that holds the corresponding private key. For example, you can encrypt data for a recipient with their public key and be sure that only the recipient, who holds the private key, can decrypt it.
The provider of certificates is called a Certification Authority (CA). Certificates are issued to users, computers or a service such as IPSec.
Benefits of certificates
One of the main benefits of certificates is that a host no longer needs to maintain a set of passwords for the individual entities that must be authenticated as a condition of access. Instead, the host simply establishes trust in a CA that issues certificates.
4.2 Why use Certificates with IPSec to secure traffic.
The following table describes some cases where you may use certificates.
Purpose
Using certificates from a trusted CA as the authentication method between two IPSec hosts lets businesses communicate with each other. You can also use certificates to enable the Windows Routing and Remote Access service to communicate securely over the Internet with a layer-3 router that supports IPSec. However, because certificates are more complex than either preshared keys or the Kerberos protocol, they demand more setup from the administrator. Certificates are only one component of a PKI solution. Although a PKI demands management resources and planning,
Kerberos protocol and preshared keys
The two other methods for authentication between two IPSec hosts are:
Kerberos protocol: For traffic between computers in the same domain, using the default Kerberos protocol is the simplest authentication method for IPSec because it requires no configuration. The Kerberos protocol is a component of Active Directory and hence also part of the enterprise domain structure. However, for clients that do not support the Kerberos protocol or are not part of the Active Directory architecture, use a preshared key or an X.509 certificate.
Preshared keys: A preshared key is a long random character string used as a password between two IPSec hosts. Preshared keys are not as secure as the Kerberos protocol or certificates because they are stored in clear text in the IPSec policy. If an attacker gains administrative access to the policy, they can read the preshared key. Preshared keys also do not scale well to configuring many machines.
Chapter 3: Deploying a VPN System with IPSec.
1. Deployment model:
The VPN Server and the DC are connected to each other through a crossover cable (CROSS NIC).
The VPN Server and the VPN Client are connected through the LAN NIC.
The VPN Server is joined to the domain loidiep.itc.edu.
2. Steps:
- Install and configure the VPN Server.
- Install Certificate Services on the VPN Server.
- The VPN Server and the VPN Client request certificates.
- The CA issues certificates to the VPN Server and the Client.
- The VPN Server and the VPN Client install their certificates.
- The VPN Client creates the connection.
- Test: reach the DC and join the domain.
Step 1: Install and configure the VPN Server
- On the VPN Server open Routing & Remote Access -> right-click Server2 -> Configure and Enable Routing and Remote Access.
- Choose Custom Configuration.
- Check VPN Access -> Next.
- Click Finish.
- Configure the IP addresses handed out to VPN Clients on a successful connection: right-click Server2 -> Properties.
- Go to the IP tab -> choose Static Address Pool -> click Add.
- Assign the range 10.10.10.100 to 10.10.10.149 (50 connections) -> OK.
- Select Ports and note that by default the VPN Server accepts both PPTP and L2TP connections. Configure the VPN Server to refuse PPTP and accept only L2TP (PPTP does not use IPSec, so leaving it enabled would let a client negotiate a tunnel protected only by MPPE keys derived from the MS-CHAP password exchange): right-click Ports -> Properties.
- Select WAN Miniport (PPTP) -> click Configure.
- Uncheck Remote access connections and Demand-dial routing connections -> OK.
- The VPN Server now accepts only L2TP connections.
Step 2: Install Certificate Services on the VPN Server.
- First install ASP.NET.
- Then install Certificate Services.
- Choose Stand-alone root CA.
- Enter the CA name (e.g. DC).
- On the Certificate Database screen -> Next.
- On the warning screen choose YES to stop IIS temporarily so that the installation can complete.
- On the Security warning screen choose YES.
Step 3: The VPN Server and the VPN Client request certificates.
- The VPN Server requests a certificate.
Open a web browser and enter CA address/certsrv (here the VPN Server is itself the CA, so localhost/certsrv works). Then choose Request a certificate.
- Choose Advanced certificate request.
- Choose Create and submit a request to this CA.
- In the Name field enter the VPN Server's machine name (here server2.loidiep.itc); expand Type of Certificate Needed and choose IPSec Certificate.
- Check Store certificate in the local computer certificate store and click Submit.
- In the warning dialog choose YES.
- The VPN Client requests a certificate.
On the VPN Client open a web browser and enter CA address/certsrv (192.168.1.3/certsrv), then choose Request a certificate.
- Choose Advanced request -> Create and submit a request to this CA.
- Enter the VPN Client's machine name -> under Type of Certificate Needed choose IPSec Certificate.
- Check Store certificate in the local computer certificate store, then click Submit.
- Choose YES in the warning dialog and observe that the request has been submitted.
Step 4: The CA issues certificates to the VPN Server and the VPN Client.
- On the Certificate Server (which is also the VPN Server) open Certification Authority (Start -> Programs -> Administrative Tools -> Certification Authority).
- Select Pending Requests and, one at a time, right-click the requests submitted above by the VPN Server and the VPN Client and choose All Tasks -> Issue.
- Select Issued Certificates and check the certificates for the VPN Server and the VPN Client.
Step 5: The VPN Server and the VPN Client install their certificates.
- On the VPN Server open a web browser, enter localhost/certsrv -> choose View the status of a pending certificate request.
- Choose IPSec Certificate.
- Choose Install this certificate.
- In the warning dialog choose YES.
- Observe that the certificate was installed successfully.
- Check whether the certificate is valid:
Choose Start -> Run -> MMC.
- In the MMC window click File -> Add/Remove Snap-in.
- Click Add.
- Choose Certificates -> click Add.
- Choose Computer account.
- Choose Local computer -> Finish.
- Then expand Certificates -> Personal -> Certificates and double-click the Server2.loidiep.itc.edu certificate; it shows as valid.
- On the VPN Client repeat the same steps as on the VPN Server.
- The check shows that the Client's certificate is not yet valid.
- The reason is that DC, the CA that issued the Client's certificate, is not in the Client's list of trusted root CAs.
- Download the CA's certificate:
- Open a web browser and enter CA address/certsrv. Then choose Download a CA certificate, certificate chain, or CRL.
- Choose Download CA certificate.
- In the download dialog click Save.
- Save it to the Desktop -> click Save (any location that is easy to find again will do).
- When the download finishes click Close.
- Because the CA certificate was fetched over plain HTTP from 192.168.1.3, compare its thumbprint with the one shown on the CA's own console before trusting it; whatever is imported as a trusted root will be accepted as the issuer of every IPSec peer.
- Return to the MMC window (Console1.msc) and import the CA certificate just downloaded: expand Trusted Root Certification Authorities, right-click Certificates -> All Tasks -> Import.
- Welcome screen -> Next. File to Import screen -> click Browse.
- Browse to the Desktop (where the CA certificate was saved above) -> select the CA certificate -> Open.
- Click Next.
- Certificate Store screen -> click Next -> Finish.
- The import completes successfully.
- DC now appears in the list of trusted root CAs.
- Checking again, the Client's certificate is now valid.
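Steps 2 to 5 are, behind the browser clicks, one certificate lifecycle: a stand-alone root CA, a key pair and request generated on each host, issuance by the CA, and a validity check that fails on the client until the CA's own certificate is imported as a trusted root. The script below is an added example, not part of the original report, that reproduces that lifecycle with OpenSSL so it can be run on any machine without Windows Server 2003. It assumes the CA name DC and the server name server2.loidiep.itc.edu from the walkthrough, an invented client host name client1.loidiep.itc.edu, a temporary working directory, and the extended key usage 1.3.6.1.5.5.8.2.2 (IP security IKE intermediate), which is the EKU carried by the Windows IPSec certificate template.

```shell
#!/bin/sh
# Added example (not from the original report): the certificate lifecycle of
# steps 2-5 done with OpenSSL. Names are taken from the walkthrough except
# client1.loidiep.itc.edu, which is an assumed client host name.
set -eu

WORK="${WORK:-$(mktemp -d)}"
# EKU used by the Windows "IPSec" certificate template: IP security IKE intermediate.
IKE_EKU="1.3.6.1.5.5.8.2.2"

# Step 2: a stand-alone root CA named DC. A private config file keeps the
# script independent of whatever openssl.cnf the system has.
make_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = DC
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 3: the host generates its key pair locally and sends the CA only a
# signing request; this is what "store in the local computer certificate
# store" does behind the web page, so the private key never leaves the host.
request_cert() { # $1 = short name, $2 = subject CN (host FQDN)
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$2" > "$WORK/$1.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/$1.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Step 4: the CA issues the pending request as an end-entity certificate
# carrying the IKE EKU (plus server/client auth for the L2TP endpoints).
issue_cert() { # $1 = short name
  cat > "$WORK/$1.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = $IKE_EKU, serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  openssl x509 -req -sha256 -days 365 -in "$WORK/$1.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Step 5: the validity check. Against only the default trust store (DC not
# yet imported) no chain can be built; with DC as a trusted root it verifies.
verify_without_trusted_root() { # $1 = short name; prints ok/fail
  if openssl verify "$WORK/$1.crt" >/dev/null 2>&1; then echo ok; else echo fail; fi
}
verify_with_trusted_root() { # $1 = short name; same check after "importing" DC
  if openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# A check worth making before pointing IPSec policy at the certificate: does it
# actually carry the IKE EKU? (OpenSSL prints either the dotted OID or a name.)
has_ike_eku() { # $1 = short name; prints yes/no
  if openssl x509 -in "$WORK/$1.crt" -noout -text 2>/dev/null \
       | grep -Eiq "1\.3\.6\.1\.5\.5\.8\.2\.2|IKE"; then echo yes; else echo no; fi
}

main() {
  make_ca
  request_cert server2 server2.loidiep.itc.edu
  request_cert client1 client1.loidiep.itc.edu
  issue_cert server2
  issue_cert client1
  echo "client1 before trusting DC: $(verify_without_trusted_root client1)"
  echo "client1 after trusting DC:  $(verify_with_trusted_root client1)"
  echo "server2 carries IKE EKU:    $(has_ike_eku server2)"
}
main
```

The first verify line prints fail and the second ok, which is exactly the sequence seen in the MMC on the client: the certificate itself is fine, only the trust anchor is missing. In the Windows setup the equivalent of ca.key is the CA's own key in the local machine store of the VPN Server; it should never be copied to clients, which need only ca.crt.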
- On the DC create a domain user.
- Give this user the Allow access dial-in permission.
Step 6: The VPN Client creates the connection.
- On the VPN Client: right-click My Network Places -> Properties. Click Create a new connection.
- Welcome screen -> Next; on the Network Connection Type screen choose Connect to the network at my workplace.
- Network Connection screen -> choose Virtual Private Network connection.
- Connection Name screen -> enter the Company name.
- VPN Server Selection screen: enter the VPN Server's address -> Next.
- Click Finish.
- Enter the user name and password; check Save this user name and password for the following users -> click Properties.
- On the Networking tab, under Type of VPN choose L2TP IPSec VPN -> click OK.
- Click Connect. The connection succeeds.
Step 7: Testing
- The VPN Client reaches the DC successfully.
- On the VPN Client open the LAN adapter's IP address settings and add the DC (172.16.3.2) as the Preferred DNS server -> OK.
- Join the domain loidiep.itc.edu -> OK.
- Restart the VPN Client -> in the logon window choose Log on to: LOIDIEP -> check Log on using dial-up connection (so that the VPN connection is established before logon) -> OK.
- Choose the connection itc.edu created above -> Connect.
- Enter the user name and password -> Connect.
- Once the connection is up, the VPN Client logs on to the domain successfully.
Install Adminpak.msi.
- Wait for setup to finish.
- Click Finish.
- When the installation is complete, open Active Directory Users and Computers.
- Create a test user; observe that it is created successfully.
LIST OF ABBREVIATIONS AND REFERENCES
1. LIST OF ABBREVIATIONS.
VPN - Virtual Private Network.
AH - Authentication Header.
ESP - Encapsulating Security Payload.
ISP - Internet Service Provider.
PBX - Private Branch Exchange.
WAN - Wide Area Network.
LAN - Local Area Network.
RRAS - Routing and Remote Access Service.
RADIUS - Remote Authentication Dial In User Service.
L2TP - Layer 2 Tunneling Protocol.
SSTP - Secure Socket Tunneling Protocol.
PPTP - Point-to-Point Tunneling Protocol.
DARPA - Defense Advanced Research Projects Agency.
NIST - National Institute of Standards and Technology.
IETF - Internet Engineering Task Force.
ISAKMP - Internet Security Association and Key Management Protocol.
IKE - Internet Key Exchange.
MPPE - Microsoft Point-to-Point Encryption.
TCP - Transmission Control Protocol.
CHAP - Challenge-Handshake Authentication Protocol.
PAP - Password Authentication Protocol.
EAP - Extensible Authentication Protocol.
GRE - Generic Routing Encapsulation.
IP, IPX - Internet Protocol, Internetwork Packet Exchange.
ATM - Asynchronous Transfer Mode.
FR - Frame Relay.
PPP - Point-to-Point Protocol.
NAS - Network Access Server.
LAC, LNS - L2TP Access Concentrator, L2TP Network Server.
UDP - User Datagram Protocol.
HTTP, HTTPS - Hypertext Transfer Protocol, Hypertext Transfer Protocol Secure.
SSL - Secure Sockets Layer.
SADB - Security Association Database.
3DES - Triple Data Encryption Standard.
DoS - Denial of Service.
ICV - Integrity Check Value.