Top Banner
25

Technologies VPN IPSEC & PKI

Nov 17, 2014

Download

Documents

Sylvain Maret

Technologie VPN travail de recherche HES Geneva

Ressources PKI: Sylvain Maret

IPSEC & PKI

NAT Traversal
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Page 1: Technologies VPN IPSEC & PKI

Chris

tian

Tetta

man

ti, in

g. H

ES

1

Page 2: Technologies VPN IPSEC & PKI

Chris

tian

Tetta

man

ti, in

g. H

ES

2

Start date : 01.02.2002Duration : 1+1 years

Stefano Ventura prof. HESChristian Tettamanti ing. HESPascal Gachet ing. HES

Gérald Litzistorf prof. HESPhilippe Logean ing. HESNicolas Sadeg ing. HES

VPN - Virtual Private Network

Page 3: Technologies VPN IPSEC & PKI

Chris

tian

Tetta

man

ti, in

g. H

ES

3

VPN - Goals Of The Project

VPN Project

Phase IProtocols

Phase IIAuthentication

Phase IIIDeployment

OpenSource

Page 4: Technologies VPN IPSEC & PKI

Chris

tian

Tetta

man

ti, in

g. H

ES

4

• Phase I– Research and study of remote access solutions– Secure access on internal private network– Interoperability tests– Study of VPN protocols (L2TP, PPTP, IPSec)– LAN-to-LAN and HOST-to-LAN scenarios

VPN - Goals Of The Project

Phase IProtocols

Page 5: Technologies VPN IPSEC & PKI

Chris

tian

Tetta

man

ti, in

g. H

ES

5

• Phase IProtocols– PPTP point-to-point tunneling protocol– L2TP layer 2 tunneling protocol– IPSEC IP security protocols

• IKE authentication• AH integrity• ESP confidentiality, integrity

VPN - Goals Of The Project

Page 6: Technologies VPN IPSEC & PKI

Chris

tian

Tetta

man

ti, in

g. H

ES

6

VPN - Goals Of The Project

• Phase II– Research and study of secure authentication

mechanisms– Study of Public Key Infrastructure (PKI)– Interoperability tests

Phase IIAuthentication

Page 7: Technologies VPN IPSEC & PKI

Chris

tian

Tetta

man

ti, in

g. H

ES

7

• Phase III– Deployment

• LAN-to-LAN between EIG and TCOM• HOST-to-LAN at EIVD

VPN - Goals Of The Project

Phase IIIDeployment

Page 8: Technologies VPN IPSEC & PKI

Chris

tian

Tetta

man

ti, in

g. H

ES

8

OpenSource

VPN – Open Source Software

Different solutions based on Open Source

• Server OS: Slackware Linux• Firewall: Netfilter/iptables• Gateway VPN: OpenSwan• PKI Authority: OpenCA• VPN Clients: Win2K: SSH Sentinel*

Linux: OpenSwan

*Free License for universities

Page 9: Technologies VPN IPSEC & PKI

Chris

tian

Tetta

man

ti, in

g. H

ES

9

VPN – Scenario 1

internetinternetVPN tunnel

10.5.0.0/16 10.4.1.0/24

VPN GW VPN GW

EIVD – Open Source SolutionsEIG – Proprietary Solutions

Page 10: Technologies VPN IPSEC & PKI

Chris

tian

Tetta

man

ti, in

g. H

ES

10

VPN – Scenario 2

internetinternetVPN tunnel

VPN Client10.4.2.20

10.4.1.0/24

VPN GW

EIVD – Open Source Solutions

Remote Client

Page 11: Technologies VPN IPSEC & PKI

Chris

tian

Tetta

man

ti, in

g. H

ES

11

VPN – Scenario 3

internetinternet

VPN tunnel

VPN tu

nnel

VPN GW VPN GW

VPN Client10.4.2.20

10.5.0.0/16 10.4.1.0/24

EIG – Proprietary Solutions EIVD – Open Source Solutions

Page 12: Technologies VPN IPSEC & PKI

Chris

tian

Tetta

man

ti, in

g. H

ES

12

VPN – Remote Client Authentication

• The remote client authenticates himself on gw VPN• The authentication is based on X.509 certificates• The client acquire a private IP address with DCHP-over-IPSEC• The remote client is part of the internal private network

internetinternetIPSec tunnel

VPN GW

10.4.1.0/24

Virtual IP10.4.2.20

Dynamic IP193.x.x.x

Page 13: Technologies VPN IPSEC & PKI

Chris

tian

Tetta

man

ti, in

g. H

ES

13

VPN – DHCP-over-IPSec

• Internet Draft: draft-ietf-ipsec-dhcp-13.txt

10.4.2.20

DHCP DISCOVER

10.4.1.0/1610.4.1.0/16 DHCPServer

DHCPRelay

10.4.1.0/1610.4.1.0/16 DHCPServer

ISAKMP SA: Main Mode Auth.

DHCP SA: Life Time = 20 sec.

ESP SA: 10.4.2.20 10.4.0.0/15

Page 14: Technologies VPN IPSEC & PKI

Chris

tian

Tetta

man

ti, in

g. H

ES

14

VPN – NAT-Traversal

• Internet Drafts: draft-ietf-ipsec-udp-encaps-03.txtdraft-ietf-ipsec-nat-t-03.txt

intelligent NAT box

NAT

ESP and IKE with one client

ESP encapsulated in UDP (port 4500)

ESP and IKE with n clients

Page 15: Technologies VPN IPSEC & PKI

Chris

tian

Tetta

man

ti, in

g. H

ES

15

VPN – Encountered Problems

• PKI– Token Integration

• Internet Service Provider (ISP)– Firewalls– Routing

• NAT routers– Intelligent Box– Stupid Box

• NAT-Traversal• ESP UDP Encapsulation

Page 16: Technologies VPN IPSEC & PKI

Chris

tian

Tetta

man

ti, in

g. H

ES

16

VPN – Gateway VPN Capabilities

IKE:Encryption algorithm: aes-256bitIntegrity function: SHA-2DF Group: MODP 1536 (group 5)PKI authentication OK

IPSEC – ESP (AH):Encryption algorithm: aes-256bitIntegrity function: HMAC-SHA-2DF Group: MODP 1536 (group 5)

Other:DHCP over IPSEC OKNAT-Traversal OK

Page 17: Technologies VPN IPSEC & PKI

Chris

tian

Tetta

man

ti, in

g. H

ES

17

VPN – Final Architecture

EIVD VPN area

EIVD

DC W2KFireWall IPtables

GW VPN OpenSwan

NIDS Snort

Remote client

PKI OpenCA

Protected Area

EIG

GW Clavister

EIG

VPN

are

a

Internet

PKI USB Key

Page 18: Technologies VPN IPSEC & PKI

Chris

tian

Tetta

man

ti, in

g. H

ES

18

Page 19: Technologies VPN IPSEC & PKI

Chris

tian

Tetta

man

ti, in

g. H

ES

19

VPN – SSH Sentinell Configuration

Page 20: Technologies VPN IPSEC & PKI

Chris

tian

Tetta

man

ti, in

g. H

ES

20

VPN – PKI Certificate Configuration

Page 21: Technologies VPN IPSEC & PKI

Chris

tian

Tetta

man

ti, in

g. H

ES

21

VPN – SA Life & NAT Configuration

Page 22: Technologies VPN IPSEC & PKI

Chris

tian

Tetta

man

ti, in

g. H

ES

22

VPN – IKE & ESP Configuration

Page 23: Technologies VPN IPSEC & PKI

Chris

tian

Tetta

man

ti, in

g. H

ES

23

VPN – Connection example

Page 24: Technologies VPN IPSEC & PKI

Chris

tian

Tetta

man

ti, in

g. H

ES

24

VPN – Network Interfaces

Before VPN Connection

After VPN Connection

Page 25: Technologies VPN IPSEC & PKI

Chris

tian

Tetta

man

ti, in

g. H

ES

25