What is a VPN (Virtual Private Network)?


Upload: colten-golder

Post on 31-Mar-2015


TRANSCRIPT

Page 1: What is a VPN (Virtual Private Network)?

[Figure: two VPN devices connected across the Internet by a secure VPN tunnel in tunnel mode (encrypted and encapsulated traffic), with hosts on either side]

VPN is a secure network tunnel created for encrypted data transmission between two or more authenticated parties over a public network.

Page 2: LAN-to-LAN (Intranet)

[Figure: a branch office intranet and the corporate LAN intranet, each behind a VPN device, joined across the Internet by a secure VPN tunnel; encryption runs between the VPN devices, authentication between server and client]

LAN-to-LAN VPN can easily meet the customer's need to transmit internal confidential data securely while keeping it globally accessible.

Page 3: Client-to-LAN

[Figure: mobile workers and home PCs reach the intranet through a secure VPN tunnel across the Internet that terminates on a VPN device; encryption runs on the tunnel, authentication between server and client]

Client-to-LAN VPN minimises the cost: the client itself is protected, as is the intranet boundary.

Page 4: The VPN Protocols and Standards

Four main protocols involved with VPN technology:

Point-to-Point Tunnelling Protocol (PPTP) – Originated from Microsoft

Layer 2 Forwarding (L2F) – Originated from Cisco

Layer 2 Tunnelling Protocol (L2TP) – Developed by IETF

IP Security Protocol (IPSec) – Developed by IETF

Page 5: Layer 2-based VPN Solutions

Layer 2 Tunnelling Protocol (L2TP), developed by the IETF: a consensus standard that merges two tunnelling protocols, PPTP and L2F

Tunnel authentication

Extends the PPP connection

No cryptographic key support

No facility to encrypt user data traffic

Page 6: IPSec-Based VPN Solutions

Open framework defined by the IP Security Architecture (IPSec) Working Group of the IETF

IP Authentication Header (AH) – Data authentication, data integrity and replay protection

IP Encapsulating Security Payload (ESP) – Data confidentiality, data authentication, data integrity and replay protection

Internet Security Association and Key Management Protocol (ISAKMP) – Configuration and management of security associations and cryptographic keys

Page 7: How does it Work?

The simplest explanation is that your networking data is wrapped up in a header that specifies your machine as the source and your VPN server as the destination. Your VPN server then removes that header and processes the packet as normal. This gives the appearance that the packet originated from an internal source.

Page 8: Encapsulation

All network traffic is encapsulated within control headers.

TCP :-

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Source Port          |       Destination Port        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Sequence Number                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Acknowledgment Number                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Data |           |U|A|P|R|S|F|                               |
   | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
   |       |           |G|K|H|T|N|N|                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Checksum            |         Urgent Pointer        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                 your data ... next 500 octets                 |
   |                            ......                             |

If we abbreviate the TCP header as "T", the whole file now looks like this:

T.... T.... T.... T.... T.... T.... T....

Page 9: Encapsulation

IP :-

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version|  IHL  |Type of Service|          Total Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Identification        |Flags|      Fragment Offset    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Time to Live |    Protocol   |         Header Checksum       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Source Address                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Destination Address                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |               TCP header, then your data ......               |
   |                                                               |

If we represent the IP header by an "I", your file now looks like this:

IT.... IT.... IT.... IT.... IT.... IT.... IT....

Page 10: Encapsulation

Ethernet :-

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Ethernet destination address (first 32 bits)          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Ethernet dest (last 16 bits)  |Ethernet source (first 16 bits)|
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Ethernet source address (last 32 bits)              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Type code            |                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  IP header, then TCP header, then your data                   |
   |                                                               |
                                 ...
   |                                                               |
   |   end of your data                                            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Ethernet Checksum                       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

If we represent the Ethernet header with "E", and the Ethernet checksum with "C", your file now looks like this:

EIT....C EIT....C EIT....C EIT....C EIT....C

Page 11: Consider

    0  00a0 c9db 2bb6 0000 f808 f666 0800 4500   ....+......f..E.
   10  0057 7b00 4000 4006 aeea c009 c893 c009   .W{.@.@.........
   20  c80f 0017 04e4 54a4 9662 df73 f4eb 5018   ......T..b.s..P.
   30  7d78 e98d 0000 fffb 010d 0a44 7269 7665   }x.........Drive
   40  2043 6f6d 7075 7465 7220 5365 7276 6963    Computer Servic
   50  6573 2057 6562 2f45 6d61 696c 2053 6572   es Web/Email Ser
   60  7665 720d 0a                               ver..

Frame 61 (101 on wire, 101 captured)
    Arrival Time: Jul 3, 2000 21:22:01.4514
    Time delta from previous packet: 0.001389 seconds
    Frame Number: 61
    Packet Length: 101 bytes
    Capture Length: 101 bytes
Ethernet II
    Destination: 00:a0:c9:db:2b:b6 (00:a0:c9:db:2b:b6)
    Source: 00:00:f8:08:f6:66 (DEC_08:f6:66)
    Type: IP (0x0800)
Internet Protocol
    Version: 4
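As an added example, not part of the original slides, the following Python takes the 101 bytes of the frame dumped above and reverses the E, I, T nesting of pages 8 to 10: it strips the Ethernet header, then the IP header (verifying its Header Checksum field along the way), then the TCP header, and hands back the application data that was wrapped inside. The only assumption is that the dump is the entire frame as captured, which is why no Ethernet checksum "C" appears at its end.

```python
import struct
from ipaddress import IPv4Address

# The 101-byte Ethernet frame from the hex dump above. The trailing Ethernet
# checksum "C" is absent: the NIC strips it before the capture sees the frame.
FRAME = bytes.fromhex(
    "00a0c9db2bb60000f808f66608004500"
    "00577b0040004006aeeac009c893c009"
    "c80f001704e454a49662df73f4eb5018"
    "7d78e98d0000fffb010d0a4472697665"
    "20436f6d707574657220536572766963"
    "6573205765622f456d61696c20536572"
    "7665720d0a"
)

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 sum of 16-bit words with end-around carry (IP Header Checksum)."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def decapsulate(frame: bytes) -> dict:
    """Peel off E, then I, then T and return each layer's key fields plus the
    application data that was wrapped inside them."""
    # E: 14-byte Ethernet II header (6 dst, 6 src, 2-byte type code)
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4: type code 0x%04x" % ethertype)
    ip = frame[14:]
    # I: IPv4 header; IHL counts 32-bit words, Total Length counts bytes
    ver_ihl, _tos, total_len, _id, _ff, ttl, proto, _csum, s_ip, d_ip = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(ip) or proto != 6:
        raise ValueError("not a well-formed IPv4/TCP packet")
    # A valid header (checksum field included) sums to 0xFFFF
    ip_header_ok = ones_complement_sum(ip[:ihl]) == 0xFFFF
    tcp = ip[ihl:total_len]
    # T: TCP header; Data Offset counts 32-bit words, flags are the low 6 bits
    sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    return {"eth_dst": dst.hex(":"), "eth_src": src.hex(":"),
            "ip_src": str(IPv4Address(s_ip)), "ip_dst": str(IPv4Address(d_ip)),
            "ttl": ttl, "ip_header_ok": ip_header_ok, "sport": sport,
            "dport": dport, "flags": off_flags & 0x3F, "window": window,
            "payload": tcp[data_off:]}
```

Running decapsulate(FRAME) shows a telnet (port 23) segment with PSH and ACK set, whose payload is the IAC WILL ECHO negotiation followed by the "Drive Computer Services Web/Email Server" banner visible in the dump's ASCII column.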

Page 12: Installing the Client

[Embedded Microsoft Word document; its contents are not included in the transcript]

Page 13: Installing the Server

[Embedded text document; its contents are not included in the transcript]

Page 14:

System Requirements
-------------------

1. A modern Linux distribution (such as Debian, Red Hat, etc.) with a recent kernel (2.2.x recommended, 2.0.x should be ok). Note: ports exist for Solaris, BSD and others but are not supported in this HOWTO at this time.

2. PPP 2.3.8 (and the MSCHAPv2/MPPE patch if you want enhanced Microsoft compatible authentication and encryption).

3. PoPToP v1.0.0 (or download the latest release at: http://www.moretonbay.com/vpn/download_pptp.html)

PPP (and MSCHAPv2/MPPE) Installation
------------------------------------

It is only necessary to use PPP 2.3.8 if you want Microsoft compatible MSCHAPv2/MPPE authentication and encryption. The reason for this is that the MSCHAPv2/MPPE patch currently supplied (19990813) is against PPP 2.3.8. If you don't need Microsoft compatible authentication/encryption any 2.3.x PPP source will be fine. (Update: There is now a MSCHAPv2/MPPE patch for ppp-2.3.10.)

Page 15:

PoPToP Installation
-------------------

Follow these instructions to install PoPToP:

1. Grab the latest version of PoPToP (v1.0.0 as of 19991001) (http://www.moretonbay.com/vpn/download_pptp.html)

2. You will need to be root to install and run PoPToP.

3a. If you downloaded the PoPToP v1.0.0 tarball (and stored it in /usr/local/src/) follow these instructions:

   [cd /usr/local/src/]
   [tar zxvf pptpd-1.0.0.tgz]
   [cd pptpd-1.0.0]
   [./configure]
   [make]
   [make install]

3b. If you downloaded the PoPToP RPM (pptpd-1.0.0-1.i386.rpm as of 19991001) follow these instructions:

   [rpm --install pptpd-1.0.0-1.i386.rpm]

4. Note: PoPToP's binaries are located in /usr/local/sbin. PoPToP goes looking for its binaries in that directory! So if they are not there it won't work! Check that there is 'pptpd' and 'pptpctrl' in /usr/local/sbin/ now.

5. If you want to enable debugging follow these steps: Change directory to /etc/ and open up syslog.conf. Add the line:

   daemon.debug /var/log/pptpd.log

   Kill off the current syslogd and start a new one:

   [killall syslogd]
   [/usr/sbin/syslogd]

Page 16:

Make sure the following files exist and look similar to:

/etc/ppp/options

   debug
   name servername
   auth
   require-chap
   proxyarp

/etc/pptpd.conf

   speed 115200
   localip 192.168.0.100
   remoteip 192.168.0.234-238

/etc/ppp/chap-secrets

   billy servername bob *

You are now ready to launch PoPToP. If you want to launch PoPToP now:

   [/usr/local/sbin/pptpd]

Note: If you can't connect for some reason open up /var/log/pptpd.log and search for any error messages. If that doesn't help read the FAQ (below) or as a last resort send a message to the mailing list.
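Added example, not part of the PoPToP HOWTO: a Python checker for the three files above, driven by constructed copies of the page's sample contents. It expands pptpd's remoteip range syntax, confirms localip lies outside that pool, confirms /etc/ppp/options asks pppd to authenticate the peer (auth, require-chap), and confirms chap-secrets holds an entry whose server field matches the name directive, which is how pppd selects the secret. The check functions take file contents as strings rather than reading the real paths, so the block runs anywhere.

```python
import ipaddress

# Constructed copies of the three sample files shown on this page
PPTPD_CONF = "speed 115200\nlocalip 192.168.0.100\nremoteip 192.168.0.234-238\n"
PPP_OPTIONS = "debug\nname servername\nauth\nrequire-chap\nproxyarp\n"
CHAP_SECRETS = "billy servername bob *\n"

def parse_remoteip(spec: str) -> list:
    """Expand pptpd's remoteip syntax: comma-separated addresses or ranges whose
    upper bound may abbreviate to the last octet, e.g. 192.168.0.234-238."""
    hosts = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if hi and "." not in hi:  # abbreviated upper bound: reuse lo's first three octets
            hi = lo.rsplit(".", 1)[0] + "." + hi
        start, end = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi or lo)
        hosts += [ipaddress.IPv4Address(i) for i in range(int(start), int(end) + 1)]
    return hosts

def directives(text: str) -> dict:
    """Map 'key value' lines to a dict; bare flags map to True, '#' starts a comment."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            out[key] = value.strip() or True
    return out

def check_config(pptpd_conf: str, ppp_options: str, chap_secrets: str) -> list:
    """Return the problems to fix before launching pptpd (empty list = ready)."""
    problems = []
    conf, opts = directives(pptpd_conf), directives(ppp_options)
    remote = conf.get("remoteip")
    pool = parse_remoteip(remote) if isinstance(remote, str) else []
    if not pool:
        problems.append("pptpd.conf: remoteip missing or empty")
    if not isinstance(conf.get("localip"), str):
        problems.append("pptpd.conf: localip missing")
    elif ipaddress.IPv4Address(conf["localip"]) in pool:
        problems.append("pptpd.conf: localip overlaps the remoteip pool")
    for flag in ("auth", "require-chap"):  # the sample options file demands CHAP from the peer
        if flag not in opts:
            problems.append("ppp/options: '%s' not set" % flag)
    server = opts.get("name")  # chap-secrets entries are matched on this server name
    entries = [ln.split() for ln in chap_secrets.splitlines() if ln.strip() and not ln.startswith("#")]
    if not any(len(e) >= 3 and e[1] == server for e in entries):
        problems.append("chap-secrets: no entry with server name %r" % server)
    return problems
```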