Course 11: Tunnelling. VPN
Network Services for ISPs
13 May 2010
SRISP Course 11, Tunnelling. VPN 1/25
Outline
Introduction
VPN: Virtual Private Networks
IPsec
OpenVPN
Conclusions
Questions
Tunnelling
- encapsulating the payload of one protocol inside another protocol
- for security
- for compatibility
- in general the delivery protocol operates at a higher layer than the payload (the reverse of a normal protocol stack)
Data-link layer tunnelling
- L2TP: Layer 2 Tunneling Protocol
- session-layer protocol (runs over UDP)
- used to implement virtual private networks (VPNs)
- no support for encryption or confidentiality
Network layer tunnelling
- IP-IP
- 4in6
- 6in4
- GRE: Generic Routing Encapsulation
  - encapsulation inside an IP packet
  - stateless
- PPTP: Point-to-Point Tunneling Protocol
  - control channel over TCP and GRE tunnelling
  - encapsulates PPP packets
Application layer tunnelling
- SSH tunnelling
  - ssh user@IP_NUMBER -L 10080:www.google.com:80
- HTTP tunnelling
  - encapsulation inside the HTTP protocol
  - requires an intermediary server
- corkscrew: SSH tunnelling through HTTP proxies
VPN
- private communication over a public infrastructure
- no need to provision a dedicated line/infrastructure
- uses tunnelling: encapsulating one protocol inside another protocol
- confidentiality, authentication, integrity
Securing a VPN / types of implementations
- IPsec
- TLS/SSL
- DTLS/MPPE/SSTP (Cisco, Microsoft)
- SSH
IPsec
- suite of protocols for securing IP (the IPsec suite)
- authentication and encryption of every IP packet
- applications are unaware that IPsec is in use (no need to modify/redesign them)
The IPsec suite
- SA (security association); IKE/IKEv2 (Internet Key Exchange)
- protocols/algorithms for negotiating and generating keys
- AH (Authentication Header): authentication and integrity
- ESP (Encapsulating Security Payload): confidentiality
- IPsec stacks: *BSD, Windows, Linux
IPsec diagram (figure not reproduced)
IPsec on Linux
- history: FreeS/WAN, KAME
- kernel patches
- KLIPS for the 2.4 kernel
- currently Linux NETKEY (native), based on KAME
- the ipsec-tools and racoon packages
Openswan
- fork/continuation of FreeS/WAN
- create a certificate
- apt-get install openswan
- /etc/ipsec.secrets, /etc/ipsec.conf
- /etc/init.d/ipsec
strongSwan
- packages: strongswan-ikev2, strongswan-starter
- a certificate is generated
- /etc/ipsec.conf, /etc/ipsec.d/
- /etc/init.d/ipsec
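The slide lists the files but not their contents. As an added example (not from the lecture or from the strongSwan project), here are the steps laid out as files: ipsec.conf and ipsec.secrets for a certificate-authenticated IKEv2 site-to-site tunnel between two gateways, the certificates issued with strongSwan's pki tool when it is installed, and the resulting tree under ipsec.d/. The gateway names gw-a.example.invalid and gw-b.example.invalid, the subnets, the DNs and the OUT directory are assumed placeholders; OUT stands in for /etc on each gateway.

```shell
#!/bin/sh
# Added example, not from the lecture or the strongSwan project: the slide's
# steps (generate certificates, fill /etc/ipsec.conf and /etc/ipsec.d/) for a
# certificate-authenticated IKEv2 site-to-site tunnel between gateways A and B.
# Gateway names, subnets, DNs and OUT are assumed placeholders; OUT stands in
# for /etc on each gateway.
set -eu

OUT="${OUT:-./ipsec-example}"
CA_DN="C=RO, O=SRISP, CN=SRISP Example CA"   # constructed
A_FQDN="${A_FQDN:-gw-a.example.invalid}"     # assumed
B_FQDN="${B_FQDN:-gw-b.example.invalid}"     # assumed
A_NET="${A_NET:-10.1.0.0/24}"                # constructed LAN behind A
B_NET="${B_NET:-10.2.0.0/24}"                # constructed LAN behind B

# ipsec.conf for one gateway: $1 = own FQDN, $2 = own LAN, $3 = peer FQDN,
# $4 = peer LAN. Identities are the FQDNs, matched against the subjectAltName
# of certificates issued by the shared CA placed in ipsec.d/cacerts.
gen_ipsec_conf() {
    cat <<EOF
config setup
    uniqueids=yes
    charondebug="ike 1, knl 1, cfg 0"

conn site-to-site
    keyexchange=ikev2
    # both sides authenticate with X.509 certificates, no pre-shared key
    leftauth=pubkey
    rightauth=pubkey
    left=%defaultroute
    leftid=$1
    leftcert=$1.cert.pem
    leftsubnet=$2
    right=$3
    rightid=$3
    rightsubnet=$4
    # pinned proposals ("!" = strict): IKE AES-256/SHA-256/DH group 14,
    # ESP AES-256-GCM; weaker defaults are never offered
    ike=aes256-sha256-modp2048!
    esp=aes256gcm16!
    # rekeying and dead-peer detection stop a stale SA from lingering
    ikelifetime=8h
    lifetime=1h
    dpddelay=30s
    dpdaction=restart
    auto=start
EOF
}

# ipsec.secrets: tells charon which private key (in ipsec.d/private) to load
gen_ipsec_secrets() {
    echo ": RSA $1.key.pem"
}

# Issue the CA and both gateway certificates with strongSwan's pki tool
# (options as in strongSwan 4.3+/5.x). Skipped when the tool is absent, so the
# file layout can still be produced and reviewed.
gen_certs() {
    d="$1"
    command -v ipsec >/dev/null 2>&1 || { echo "ipsec pki not found, skipping certificates" >&2; return 0; }
    ipsec pki --gen --type rsa --size 3072 --outform pem > "$d/ca.key.pem"
    ipsec pki --self --ca --lifetime 3650 --in "$d/ca.key.pem" --type rsa \
        --dn "$CA_DN" --outform pem > "$d/ca.cert.pem"
    for gw in "$A_FQDN" "$B_FQDN"; do
        ipsec pki --gen --type rsa --size 3072 --outform pem > "$d/$gw.key.pem"
        ipsec pki --pub --in "$d/$gw.key.pem" --type rsa \
          | ipsec pki --issue --lifetime 730 --cacert "$d/ca.cert.pem" \
                --cakey "$d/ca.key.pem" --dn "C=RO, O=SRISP, CN=$gw" \
                --san "$gw" --flag serverAuth --outform pem > "$d/$gw.cert.pem"
    done
    chmod 600 "$d"/*.key.pem
}

# One gateway's tree ($1 = A or B). Only its own private key goes on it; the
# CA certificate and its own certificate are public material.
write_gateway() {
    case "$1" in
        A) me=$A_FQDN; mynet=$A_NET; peer=$B_FQDN; peernet=$B_NET ;;
        B) me=$B_FQDN; mynet=$B_NET; peer=$A_FQDN; peernet=$A_NET ;;
        *) return 1 ;;
    esac
    root="$OUT/$1"
    mkdir -p "$root/ipsec.d/cacerts" "$root/ipsec.d/certs" "$root/ipsec.d/private"
    gen_ipsec_conf "$me" "$mynet" "$peer" "$peernet" > "$root/ipsec.conf"
    gen_ipsec_secrets "$me" > "$root/ipsec.secrets"
    chmod 600 "$root/ipsec.secrets"
    if [ -f "$OUT/pki/$me.cert.pem" ]; then
        cp "$OUT/pki/ca.cert.pem" "$root/ipsec.d/cacerts/"
        cp "$OUT/pki/$me.cert.pem" "$root/ipsec.d/certs/"
        cp -p "$OUT/pki/$me.key.pem" "$root/ipsec.d/private/"
    fi
}

main() {
    mkdir -p "$OUT/pki"
    gen_certs "$OUT/pki"
    write_gateway A
    write_gateway B
    echo "trees under $OUT/A and $OUT/B: copy to /etc on each gateway, then /etc/init.d/ipsec start"
}

case "$0" in */ipsec-site2site.sh|ipsec-site2site.sh) main ;; esac
```

Save it as ipsec-site2site.sh and run it; each gateway then receives only its own tree. The two ipsec.conf files mirror each other (A's leftsubnet is B's rightsubnet), the CA key never leaves the issuing host, and the pinned ike=/esp= proposals mean a peer offering weaker algorithms is refused rather than downgraded to.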
OpenVPN
- VPN implementation over TLS/SSL
- authentication based on certificates/keys or username
- uses OpenSSL
- runs over TCP or UDP
- runs in user space
Networking in OpenVPN
- TCP/UDP
- TUN interfaces (layer 3, IP tunnel)
- TAP interfaces (layer 2, Ethernet)
- port 1194 reserved (IANA assignment for OpenVPN)
Installation and configuration
- apt-get install openvpn
- mknod /dev/net/tun c 10 200
- modprobe tun
- (A) openvpn --remote <public address of B> --dev tun0 --ifconfig a.a.a.a b.b.b.b --port yyyy
- (B) openvpn --remote <public address of A> --dev tun0 --ifconfig b.b.b.b a.a.a.a --port yyyy
- openvpn --genkey --secret key
Configuration
- /etc/openvpn/
- /etc/init.d/openvpn
- /etc/openvpn/openvpn.conf
- openvpn --config /etc/openvpn/openvpn.conf
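The two slides above give the tunnel as hand-typed command lines plus a config file path. As an added example (not from the lecture or from the OpenVPN project), the same static-key point-to-point setup written as openvpn.conf files for both peers, with the key generated once and the tree checked before use. The host names a.example.invalid and b.example.invalid, the tunnel addresses 10.8.0.1/10.8.0.2, the output directory and the extra hardening directives are assumptions; the hand-written key format is a fallback for hosts without the openvpn binary.

```shell
#!/bin/sh
# Added example, not from the lecture or the OpenVPN project: the static-key
# point-to-point setup of the slides (peer A <-> peer B over tun0) as config
# files rather than long command lines. Host names, tunnel addresses, port and
# output directory are assumed placeholders; override them via the environment.
set -eu

PEER_A_PUBLIC="${PEER_A_PUBLIC:-a.example.invalid}"  # assumed public name of A
PEER_B_PUBLIC="${PEER_B_PUBLIC:-b.example.invalid}"  # assumed public name of B
TUN_A="${TUN_A:-10.8.0.1}"        # constructed tunnel-side address of A
TUN_B="${TUN_B:-10.8.0.2}"        # constructed tunnel-side address of B
PORT="${PORT:-1194}"              # IANA-assigned OpenVPN port
OUT="${OUT:-./openvpn-example}"   # stands in for /etc/openvpn on a real host

# Emit the config for one side: $1 = peer's public name, $2 = own tunnel
# address, $3 = peer's tunnel address. Same options as the slide's
# --remote/--dev/--ifconfig/--port, plus what a deployed peer needs.
gen_p2p_config() {
    cat <<EOF
# OpenVPN point-to-point, pre-shared static key (no TLS handshake in this mode)
dev tun
proto udp
remote $1 $PORT
port $PORT
ifconfig $2 $3
secret static.key
# static-key mode cannot use AEAD (GCM) ciphers, so pin CBC + HMAC explicitly
cipher AES-256-CBC
auth SHA256
# drop root once the tunnel is up; persist-* keep it working after that
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 60
verb 3
EOF
}

# Produce a 2048-bit static key in OpenVPN's file format: "openvpn --genkey"
# when the binary exists, otherwise the same layout (16 lines of 32 hex chars
# between the V1 markers) from /dev/urandom so the tree can be built anywhere.
gen_static_key() {
    key="$1"
    if command -v openvpn >/dev/null 2>&1; then
        openvpn --genkey secret "$key" 2>/dev/null \
            || openvpn --genkey --secret "$key"     # legacy syntax from the slide
    else
        {
            printf '#\n# 2048 bit OpenVPN static key\n#\n'
            echo "-----BEGIN OpenVPN Static key V1-----"
            printf '%s\n' "$(head -c 256 /dev/urandom | od -An -v -tx1 | tr -d ' \n')" | fold -w 32
            echo "-----END OpenVPN Static key V1-----"
        } > "$key"
    fi
    chmod 600 "$key"   # the key is the entire security of this mode
}

# Write both peers' trees. The key is generated once, on A, and copied to B;
# in real life it travels out of band (e.g. scp over an existing SSH session),
# never across the tunnel it is meant to protect.
write_peer_configs() {
    mkdir -p "$OUT/A" "$OUT/B"
    gen_p2p_config "$PEER_B_PUBLIC" "$TUN_A" "$TUN_B" > "$OUT/A/openvpn.conf"
    gen_p2p_config "$PEER_A_PUBLIC" "$TUN_B" "$TUN_A" > "$OUT/B/openvpn.conf"
    gen_static_key "$OUT/A/static.key"
    cp -p "$OUT/A/static.key" "$OUT/B/static.key"
    echo "written under $OUT; on a peer: openvpn --config /etc/openvpn/openvpn.conf"
}

# Check one peer's tree: required directives present, key of the expected
# shape and not world-readable. Non-zero return means something is off.
check_peer_dir() {
    d="$1"
    for directive in '^dev tun$' '^remote ' '^ifconfig ' '^secret static.key$' '^user nobody$'; do
        grep -q "$directive" "$d/openvpn.conf" || return 1
    done
    [ "$(grep -c '^[0-9a-f]\{32\}$' "$d/static.key")" -eq 16 ] || return 1
    [ -z "$(find "$d" -name static.key -perm -004)" ] || return 1
}

# Run the generator only when executed as openvpn-p2p.sh; sourcing the file
# just defines the functions.
case "$0" in
    */openvpn-p2p.sh|openvpn-p2p.sh) write_peer_configs ;;
esac
```

Save it as openvpn-p2p.sh, run it, then copy each peer's directory to /etc/openvpn on that host and start with the slide's openvpn --config line. The ifconfig arguments are mirrored between the two files, which is the usual source of a tunnel that comes up but routes nothing. Because the static key is the only secret in this mode, it is restricted to the owner and copied out of band; for more than two peers, or when a single key must be revoked without re-keying everyone, the certificate-based mode the OpenVPN slide mentions is the better fit.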
Keywords
- tunnelling
- VPN
- L2TP
- GRE
- IPsec
- AH, ESP
- FreeS/WAN
- strongSwan
- OpenVPN
Useful links
- http://en.wikipedia.org/wiki/Tunneling_protocol
- http://en.wikipedia.org/wiki/Virtual_private_network
- http://www.ipsec-howto.org/
- http://www.openswan.org/
- http://www.strongswan.org/
- http://openvpn.net/