Vpn Command Line Interface Configuration Using Packet Information Technology Essay

ABSTRACT

This paper clearly examines and explains Virtual Private Network (VPN), its operation, benefits and describes the procedure to set up a Site-to-site Virtual private network using command line interface. IPSec VPN is employed and the implementation is carried out using the packet tracer.

INTRODUCTION

Let us first describe a Private Network. Private network consists of computers owned by one organization which share information particularly with each other.

Virtual Private Network provides an efficient, reliable, secured and user friendly method of communication and data travelling over VPN. Data transmitted over VPN is secured by using encapsulation, encryption, authentication, using firewalls or by providing security mechanism using tunnelling protocols. Virtual Private Network is used for video conferencing, file sharing and remote access.

Example:

Suppose, if the company has Local Area Networks in its head office at London and other Local Area Networks in the branch office at Manchester, by implementing VPN, data and resource sharing will be economic, reliable, and fast and provides security by using

The following configuration is an example of a VPN.

Figure 1: Example of a VPN [3]

Why build a Virtual Private Network?

Earlier, companies used leased phone lines to communicate between its branch offices. Leased lines (dedicated lines) offered security, privacy and connection was available at any time. However, leased phones were expensive and unreasonably high when companies’ branch offices were spread over across a country. As the popularity of Internet grew, companies started to deploy more computers for resource sharing. In order to maintain the privacy and integrity many companies started to create their own Virtual Private Networks (VPNs) to interconnect the distant branch offices and cater the requirements of remote employees. Over the years, demand for VPN began to grow as it provides a cost-effective solution for large organisations to securely transfer data between its branch offices.

Using VPN we can create a secure, private network over a public network. It makes use of virtual connections (temporary connections) to connect a single computer and a network, two computers or two networks [1].

VPNs are primarily used to achieve the following goals [2]:

• Provide remote access securely to a corporate network

• Interconnect branch offices to an enterprise network (intranet)

• Expand companies’ existing computing infrastructure to include partners, suppliers and customers (extranet).

Benefits of using VPN

In order to provide fast, reliable and secured method of transmitting the data over two users or networks, VPNs are used. Security being the major concern, VPN provides an economic solution to securely transfer data and protects integrity of companies’ resources and confidential data.

Cost Saving

Network Scalability

Cost Saving: Using VPNs, the cost of maintaining servers is reduced and companies can employ third-party services and outsource their support. This minimizes the organizations’ expenditure through resource sharing and facilitates services to many business clients.

Network Scalability: Cost of building a private network gradually increases as the organization expands. An organization with several branch offices can be connected using Internet based VPN, thereby avoiding scalability problem. Internet based VPNs use public lines to connect remote and distant locations across a wide geographical area. It offers secure, reliable connection and quality of service. [4]

Types of VPN [7].

Three basic types of VPN

Remote Access

Intranet

Extranet

Remote Access VPNs

They provide secure connections mainly for remote access users and offer same level of security as private networks. With the aid of Remote Access VPNs, remote users will be able to access data at companies’ head office from any branch offices. Remote access VPNs are employed in large organizations. It offers secure, reliable and encrypted connection across a public network. [3]

Fig 4 shows remote access VPN

Fig 4 Remote access VPN

Site-to-site VPNs

It uses greater encryption methods where an organization can connect many sites on a public medium.

Site−to−site VPNs can be classified into Intranets or Extranets.

Intranet VPNs

Intranet VPNs are mostly used to connect structured networks which may spread over a large geographical area. They may be used to connect companies’ head offices, remote offices and branch offices using private lines. They are also used to connect within an organization. They offer reliable connection. It gives greater flexibility to enforce desired security levels in an organization. Intranet VPNs provide same level of security and connectivity as private networks. [7]

Figure 2 shows an intranet VPN topology

Figure 2

Extranet VPNs

Extranet VPNs are used to connect companies’ Intranet over a shared infrastructure using dedicated lines. They connect wide range of users. They offer greater user rights to telecommuters and remote offices.

Figure 3 is an example of Extranet VPN

Figure 3

Analysis of current VPN technologies

The different VPN technologies are as follows

IPSec

L2TP

PPTP

IPSec

IPSec consist of a set of specific protocols and techniques which are required to set up secure Virtual Private Network connections. Internet protocol (IP) packets may be altered during the transmission which does not provide data security. By implementing IPSec transmission security may be achieved while transmitting IP packets. IPSec uses authentication, checks for packet reliability and encapsulates in order to ensure data security. IPSec may be used as a tunnelling protocol and finds application for site-to-site VPNs.

Internet key exchange protocol (IKE) is used to establish an IPSec connection. It is a protocol which is used to exchange IPSec parameters and helps to develop security associations (SA) between two end devices. A security association (SA) is created when agreement of IPSec parameters occur between the end devices. IKE uses two protocols

ISAKMP

Oakley

ISAKMP

There are two types of IPSec connections

Transport mode

Tunnel mode

Transport mode

In this mode, IPSec header information is added to the IP header which contains authentication and encapsulation information. It uses hashing mechanism to encrypt the payload portion of the IP packet.

Tunnel mode

It provides more options as packets may be encrypted or encapsulated.

It is used for remote access. [6]

L2TP

The layer two tunnelling protocol was developed jointly by Cisco and Microsoft. It is mainly used for remote access. [3] It can also be used for non-IP networks. Encapsulation is done on an entire Ethernet frame into UDP packets. Packets containing local network addresses may be transmitted through the public medium. In order to ensure security and privacy, an IPSec header information is added to the L2TP header. [6]

PPTP

Point-to-Point Tunnelling Protocol (PPTP) was created by Microsoft. It is one of the most widely used VPN methods. As PPTP does not provide data encryption, Microsoft Point-to-Point Encryption (MPPE) protocol is used. PPTP combined with MPPE protocol provides security and one of the fastest VPN methods. [3]

Issues caused by VPN [12]

There are four common types of problems which may happen with VPN connections. These are:

The VPN connection being refused.

Accepting untrustworthy connection.

The inability to reach locations that lie beyond the VPN server.

Failure of tunnel creation.

Future of VPN

VPN is becoming more popular with more companies deploying VPN for remote access. This will be an economic means and provides remote access for employees in an organization.

Implementation of Site-to-site VPN [9]

The implementation of Site-to-Site IPSec VPN using command line interface is carried out in the Packet Tracer 5.2 program.

The topology for the Site-to-Site network is shown in Fig [4] below [9]

Fig [4]

The above topology consists of three routers R1, R2 and R3. The objective is to set up a site-to-site VPN access between Site 1 and Site 2. The network consisting of PC-A, Switch0 and Router 1 forms the Site1 and similarly network consisting of Router 3, Switch1 and PC-C forms the Site 2. The IPSec VPN tunnel is created between the Router 1 and Router 3. Router 2 just bypasses the interesting traffic and does have any role of providing VPN. IPSec is responsible for providing protection when transmitting private information over public networks such as Internet. It protects and authenticates IP packets providing data security.

There are five steps in developing an IPSec VPN [13]

Step 1: Identifying interesting traffic using access-list and initiating VPN connection

Interesting traffic refers to the traffic which is encrypted. For site1, all traffic that flows between Router 1 and Router 3 (Fig 4) is encrypted. Interesting traffic is being created between the source network and destination network with addresses 192.168.1.0 and 192.168.3.0 respectively. Similarly, we need to create interesting traffic for site2 where the source network address and destination network address will be 192.168.3.0 and 192.168.1.0 respectively. Any other traffic which flows across the network will not be encrypted.

In the above implementation, access list has been configured with the value 110 to categorize the traffic from network on router 1 to the network on router 3 as interesting.

In order to initiate the VPN connection, traffic needs to be generated between the routers R1 and R3.

Step 2: Establishing IKE Phase 1

IKE Phase 1 is compulsory where security association is created. ISAKMP key is being used. Two way security associations are established between the peers in this phase. Data travelling over the devices uses the same key. In this phase, peer authentication occurs [11].

Step 3: Establishing IKE Phase 2

The actual IPSec tunnel is established in this phase. IKE phase 1 generates secure communication link between Router1 and Router3 (Fig 4) and IPSec tunnels are created for encrypting data. IPSec connection between two end devices requires two security associations [11].

The following functions are performed in IKE Phase 2:

Managing IPSec security parameters

Establishing IPSec Security Association

Periodic regeneration of IPSec security associations to ensure data security

Additional Diffie-Hellman (DH) exchange

Step 4: Secure transmission of data

After the completion of IKE phase 2, interesting (encrypted) traffic flows through IPSec tunnel and is delivered to the endpoint.

If a “ping” command is issued on the Router1’s Loopback interface, it is sent to the Router3’s loopback interface. Router1 is responsible for starting the IKE phase 1. After the successful completion of IKE phase 1, it initiates phase 2. After completion of IKE phase 2, interesting (encrypted) traffic is transmitted over the IPSec tunnel.

Step 5: Verifying the IPSec VPN tunnel and tunnel termination

The show crypto isakmp sa command is issued to view the current active IKE SAs. “Active” status indicates that ISAKMP Security Association is in active state.

The Source IP address indicates the starting point which started the IKE negotiation. The QM_IDLE mode indicates Quick Mode exchange and the IPSec Security Association remains authenticated.

The show crypto ipsec sa command is used to show the current security association (SA) settings. It displays address of local host and remote hosts. It shows current peer which is set.

If we issue show crypto ipsec sa command before pinging the PC-C from PC-A, we find that numbers of packets encapsulated, encrypted, decrypted and de-capsulated are all zero. This is because no traffic is generated between the Router1 and Router3. In order to verify the IPSec tunnel, we need to ping the PC-C from PC-A or vice versa. After a successful ping and reissuing the above command, we find that numbers of packets encapsulated, encrypted, decrypted and de-capsulated are all more than zero which indicates that IPSec tunnel is active and is encrypting the data.

After the SA Lifetime timer expires, the tunnel is shut down. It is also possible to manually delete an IPSec tunnel.

The show crypto ipsec security-association lifetime command is used to view the Security Association (SA) Lifetime.

Summary and Conclusion

Virtual private networks provide effective security and reliability for transmitting confidential data over the Internet. It is a cost effective method for connecting the organizations’ branch offices and helps to provide remote access for employees within an organization. It is suitable for large organizations and helps in sharing and utilizing the resources of an organization effectively. Virtual private networks provide secure, reliable and fast access across the Local area networks and Wide Area Networks; and offer a good alternative solution to companies’ expensive leased lines.