Category: Computer/Network > Internet
Analysis:
What is a VPN
VPN (Virtual Private Network): a virtual private network is a network technology that provides a way to securely access an enterprise's internal private network remotely over a public network. A network connection usually consists of three parts: client, transmission medium and server. A VPN connection also consists of these three parts; the difference is that a VPN connection uses a tunnel as the transmission channel. This tunnel is built on a public network or a private network, such as the Internet or an intranet.
To set up a VPN connection, a VPN server based on Windows NT or Windows 2000 Server must be configured in the enterprise's internal network. The VPN server is connected to the enterprise's internal private network on one side and to the Internet on the other, which means the VPN server must have a public IP address. When a client communicates with a computer in the private network through a VPN connection, the ISP (Internet Service Provider) first delivers all data to the VPN server, and the VPN server is then responsible for forwarding all data to the target computer. A VPN uses three technologies to secure the communication: a tunneling protocol, authentication and data encryption. The client sends a request to the VPN server; the VPN server responds to the request and issues an identity challenge to the client. The client sends the encrypted response to the VPN server. The VPN server checks the response against the user database. If the account is valid, the VPN server checks whether the user has remote access permission. If the user has remote access permission, the VPN server accepts the connection. The client and server public keys generated during the authentication process are used to encrypt the data.
Basic configuration of VPN:
Working principle:
The subnet on one side is 192.168.1.0/24
Its router is 100.10.15.1
The subnet on the other side is 192.168.10.0/24
Its router is 200.20.25.1.
Perform the following steps:
1. Choose a pre-shared key (secret password); in the following example it is assumed to be noIP4u.
2. Configure IKE for the SA negotiation process.
3. Configure IPSec.
Configure IKE:
Shelby(config)#crypto isakmp policy 1
Note: policy 1 is the policy number. To configure more VPNs, use policy 2, policy 3, and so on.
Shelby(config-isakmp)#group 1
Note: Unless you have a high-end router or little VPN traffic, it is best to use the group 1 key length. The group command takes two values, 1 and 2: value 1 selects a 768-bit key and value 2 selects a 1024-bit key. The latter is clearly more secure, but consumes more CPU time.
Shelby(config-isakmp)#authentication pre-share
Note: Tell the router to use a pre-shared password.
Shelby(config-isakmp)#lifetime 3600
Note: Adjust the lifetime after which a new SA is generated. The value is in seconds; the default is 86400, which is one day.
It is worth noting that the routers at both ends must set the same SA lifetime, otherwise the VPN will initialize normally and then be interrupted when the shorter SA lifetime expires.
Shelby(config)#crypto isakmp key noIP4u address 200.20.25.1
Note: Return to global configuration mode to specify the pre-shared key and the address of the peer VPN router. The IP address given on one router is the address of the router at the other end; correspondingly, the configuration on the other router is the same as the command above, except that the IP address is changed to 100.10.15.1.
Configure IPSec:
Shelby(config)#access-list 130 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
Note: The access list number used here must not be the same as that of any filtering access list; use a separate access list number to identify the VPN traffic. The source is the local subnet and the destination is the remote subnet 192.168.10.0/24 defined above.
Shelby(config)#crypto ipsec transform-set vpn1 ah-md5-hmac esp-des esp-md5-hmac
Note: The only parameter here that may differ between the two routers is vpn1, the name given to this combination of options; it can be the same or different on the two ends. The command defines the IPSec parameters to use. To enhance security, the authentication header (AH) is enabled. Since both networks use private address space and need to tunnel data, the encapsulating security payload (ESP) is used as well. Finally, DES is chosen as the encryption algorithm.
Shelby(config)#crypto map shortsec 60 ipsec-isakmp
Note: The above command defines the period for generating new keys. If an attacker recovers a key, he can decrypt all traffic protected by that key; for this reason we want a short key update period, for example a new key every minute. This command must match on the routers at both ends of the VPN. The shortsec parameter is the name we give this configuration, which is later bound to the router's external interface.
Shelby(config-crypto-map)#set peer 200.20.25.1
Note: This is the public IP address of the other router. The same command must be entered on the remote router, with the address changed to 100.10.15.1.
Shelby(config-crypto-map)#set transform-set vpn1
Shelby(config-crypto-map)#match address 130
Note: These two commands select the transform set and the access list used for this connection, respectively.
Shelby(config)#interface s0
Shelby(config-if)#crypto map shortsec
Note: Apply the crypto map just defined to the router's external interface.
What remains is to test the VPN connection and make sure traffic flows as expected.
Finally, do not forget to save the running configuration, otherwise all your work will be lost.
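As an added check (example code written for this page, not from the article), the following Python compares the two routers' configurations for the agreements the notes above require: same ISAKMP lifetime, DH group, pre-shared key and crypto map entry, same transform-set members, each side's set peer naming the other router, and mirrored access lists. SHELBY is the page's own command set; REMOTE is constructed by mirroring it for the 200.20.25.1 router as the notes describe, and the two public addresses come from the topology above.

```python
# Added example (not from the article): check that the two ends of the
# site-to-site IPsec setup above agree wherever the notes say they must.
# SHELBY holds the article's commands; REMOTE is constructed by mirroring
# them for the 200.20.25.1 router, as the notes describe.
import re

SHELBY = """crypto isakmp policy 1
 group 1
 authentication pre-share
 lifetime 3600
crypto isakmp key noIP4u address 200.20.25.1
access-list 130 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
crypto ipsec transform-set vpn1 ah-md5-hmac esp-des esp-md5-hmac
crypto map shortsec 60 ipsec-isakmp
 set peer 200.20.25.1
 set transform-set vpn1
 match address 130"""
# Peer side: same values, peer address swapped and the ACL mirrored.
REMOTE = SHELBY.replace("200.20.25.1", "100.10.15.1").replace(
    "192.168.1.0 0.0.0.255 192.168.10.0", "192.168.10.0 0.0.0.255 192.168.1.0")

def field(cfg, pattern):
    """Groups of the first multiline match of pattern in cfg."""
    return re.search(pattern, cfg, re.M).groups()

def check_pair(cfg_a, ip_a, cfg_b, ip_b):
    """List the mismatches between two ends; an empty list means consistent."""
    bad = []
    # Values that must be identical on both routers (in IOS the 60 in
    # "crypto map shortsec 60 ipsec-isakmp" is the entry's sequence number).
    for name, pat in (("isakmp lifetime", r"^ lifetime (\d+)"),
                      ("DH group", r"^ group (\d)"),
                      ("pre-shared key", r"^crypto isakmp key (\S+) address"),
                      ("crypto map sequence", r"^crypto map \S+ (\d+) ipsec-isakmp")):
        if field(cfg_a, pat) != field(cfg_b, pat):
            bad.append(name + " differs")
    ts = r"^crypto ipsec transform-set \S+ (.+)$"
    if set(field(cfg_a, ts)[0].split()) != set(field(cfg_b, ts)[0].split()):
        bad.append("transform-set members differ")
    # Each router's "set peer" must name the other router's public address.
    peer = r"^ set peer (\S+)"
    if field(cfg_a, peer)[0] != ip_b or field(cfg_b, peer)[0] != ip_a:
        bad.append("set peer does not name the other router")
    # The interesting-traffic ACLs must mirror each other (src/dst swapped).
    acl = r"^access-list \d+ permit ip (\S+ \S+) (\S+ \S+)"
    src_a, dst_a = field(cfg_a, acl)
    src_b, dst_b = field(cfg_b, acl)
    if (src_a, dst_a) != (dst_b, src_b):
        bad.append("access-lists are not mirror images")
    return bad
```

Feeding the same configuration to both sides, or a remote with the default 86400-second lifetime left in place, produces the mismatch messages a practitioner would otherwise only discover when the tunnel drops.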
Appendix: In terms of network security zones, VPN hardware can be placed in one of the following four locations:
● Outside the firewall of the DMZ
● On the firewall's third network interface (service network)
● Within the scope of firewall protection
● Integrated with firewalls
How a VPN works
How users connect to a VPN:
The difference between a regular direct dial-up connection and a virtual private network connection is that in the former case the PPP (Point-to-Point Protocol) packet stream is transmitted over a dedicated line. In a VPN, the PPP packet stream is sent by a router on one LAN, transmitted through a tunnel over the shared IP network, and then reaches a router on another LAN.
The key difference between the two is that tunnels replace actual dedicated lines. The tunnel is like pulling a serial communication cable out of the WAN cloud. So how is a VPN tunnel formed?
There are two main ways to establish a tunnel: client-initiated or client-transparent. Client-initiated tunnels require that both the client and the tunnel server (or gateway) have tunneling software installed; the latter is usually installed at the company's central site. The tunnel is initiated by the client software and terminated by the tunnel server. The ISP does not need to support the tunnel. The client and tunnel server only need to establish the tunnel and authenticate using a user ID and password or a digital certificate. Once the tunnel is established, communication proceeds as if the ISP were not involved in the connection.
On the other hand, if the tunnel is to be transparent to the client, the ISP's POPs must have access servers, and possibly routers, that support the tunnel. The client first dials into the access server. The server must be able to recognize that the connection is to be tunneled to a specific remote point. The server then establishes a tunnel with the tunnel server, usually authenticating with a user ID and password. In this way the client holds a direct conversation with the tunnel server through the tunnel. Although this approach does not require the client to have special software, the client can only dial into a properly configured access server.