
What vpn virtual private network is used for. What is VPN and why is it needed

VPN (Virtual Private Network) is a virtual private network.

In general terms, a VPN is a completely secure channel that connects your Internet-connected device to any other device on the global network. To put it more figuratively: without a VPN service, your computer (laptop, phone, TV or any other device) going online is like a private house with no fence. At any time, anyone can, intentionally or accidentally, break the trees and trample the beds in your garden. With a VPN, your home turns into an impregnable fortress that is simply impossible to break into.

How does it work?

The principle of VPN operation is simple and transparent for the end user. The moment you go online, a virtual "tunnel" is created between your device and the rest of the Internet, blocking any attempts from the outside to get in. The VPN remains completely transparent and invisible to you. Your personal and business correspondence, Skype and telephone conversations cannot be intercepted or overheard in any way. All your data is encrypted with a special encryption algorithm that is almost impossible to crack.

In addition to protection against intrusion from the outside, a VPN gives you the opportunity to virtually visit any country in the world for a while and use that country's network resources, including TV channels that were previously unavailable. The VPN replaces your IP address with another one. To do this, you just select a country from the list offered, for example the Netherlands, and all sites and services you visit will automatically "think" that you are in that country.

Why not an anonymizer or proxy?

The question arises: why not just use some anonymizer or proxy server, since they also spoof the IP address? The answer is very simple: none of those services provides protection; you, and therefore all the data you exchange on the Internet, remain "visible" to attackers. In addition, working with proxy servers requires some skill to get the settings exactly right. A VPN operates on the principle "connect and work" and requires no additional settings. The whole connection process takes a couple of minutes and is very simple.

About free VPNs

When choosing, keep in mind that free VPNs almost always have restrictions on the amount of traffic and the data transfer rate. This means that you may find yourself unable to continue using the free VPN. Do not forget that free VPNs are not always stable and are often overloaded. Even if your limit is not exceeded, data transfer can be delayed for a long time due to the high load on the VPN server. Paid VPN services are distinguished by high bandwidth, no restrictions on traffic or speed, and a higher security level than free ones.

Where to begin?

Most VPN services let you test their quality for free for a short period, from several hours to several days. During the trial you usually get full access to all the functionality of the VPN service. Our service makes it possible to find such VPN services by the link:

VPN (Virtual Private Network) is a technology that allows computer devices to be combined into secure networks, providing their users with an encrypted channel and anonymous access to resources on the Internet.

In companies, VPN is used mainly to combine several branches located in different cities or even parts of the world into one local network. Employees of such companies can use all the resources of every branch as if they were local, located at their own site. For example, you can print a document on a printer located in another branch with a single click.

For ordinary Internet users, VPN comes in handy when:

  • a site is blocked by your provider, but you need to access it;
  • you often use online banking and payment systems and want to protect your data from theft;
  • a service works only in Europe, but you are in Russia and would like to listen to music on LastFm;
  • you do not want the sites you visit to track your data;
  • there is no router, but two computers can be connected in a local network so that both get Internet access.

How VPN works

VPNs work through a tunnel that they establish between your computer and a remote server. All data transmitted through this tunnel is encrypted.

It can be thought of as an ordinary highway tunnel, only laid through the Internet between two points: a computer and a server. In this tunnel data, like cars, rushes between the points at the highest possible speed. At the entrance (on the user's computer) the data is encrypted and travels in this form to the addressee (the server), where it is decrypted and interpreted: a file is downloaded, a request is sent to a site, etc. The received data is then encrypted again on the server and sent back through the tunnel to the user's computer.

For anonymous access to sites and services, a network consisting of a computer (tablet, smartphone) and a server is sufficient.

In general, data exchange via VPN looks like this:

  1. A tunnel is created between the user's computer and the server, both running VPN software, for example OpenVPN.
  2. This software generates a key (password) on the server and on the computer for encrypting and decrypting data.
  3. The request is generated on the computer and encrypted using the key created earlier.
  4. The encrypted data is transmitted over the tunnel to the server.
  5. The data that arrived through the tunnel is decrypted on the server and the request is executed: sending a file, opening a site, starting a service.
  6. The server prepares the response, encrypts it before sending it, and sends it back to the user.
  7. The user's computer receives the data and decrypts it with the key that was generated earlier.

The devices included in the VPN are not geographically tied and can be located at any distance from each other.

For an ordinary user of virtual private network services, it is enough to understand that accessing the Internet through a VPN is complete anonymity and unlimited access to any resources, including those that are blocked by the provider or are inaccessible for your country.

Who needs a VPN and why

Experts recommend using a VPN to transfer any data that should not end up in the hands of third parties - logins, passwords, private and business correspondence, and work with Internet banking. This is especially true when using open access points - WiFi at airports, cafes, parks, etc.

The technology will also come in handy for those who want free access to any sites and services, including those blocked by the provider or open only to a certain circle of people. For example, Last.fm is available for free only to residents of the United States, England and several other European countries. A VPN connection will let you use the music service from Russia.

Differences between VPN and TOR, proxy and anonymizers

A VPN works globally on the computer and redirects the traffic of all software installed on it through the tunnel. Any request, whether from a chat client, browser, cloud storage client (Dropbox), etc., passes through the tunnel and is encrypted before reaching the addressee. Intermediate devices "cover the tracks" by encrypting requests and decrypting them only before delivery to the final recipient. The final addressee of the request, for example a website, does not record the user's data (geographic location, etc.) but the VPN server's. That is, in theory it is impossible to track which sites the user visited and what requests were sent over the secure connection.

To some extent, anonymizers, proxies and TOR can be considered analogs of VPNs, but all of them are somewhat inferior to virtual private networks.

How VPN differs from TOR

Like a VPN, TOR encrypts requests and transfers them from user to server and back. But TOR does not create permanent tunnels: the path for receiving and transmitting data changes with each access, which reduces the chances of intercepting data packets but does not do the speed any good. TOR is a free technology supported by enthusiasts, so you should not expect stable operation. Simply put, you will be able to access a website blocked by your provider, but downloading an HD video from it will take several hours or even days.

How VPN differs from proxy

Proxies, like VPNs, redirect a request to the site by passing it through intermediary servers. Such requests, however, are easy to intercept, because the exchange of information takes place without any encryption.

How VPN differs from anonymizer

An anonymizer is a stripped-down version of a proxy that works only within an open browser tab. You will be able to open a page through it, but most of the page's features will be unavailable, and no encryption is provided.

In terms of speed, the proxy wins among the methods of indirect data exchange, since it does not encrypt the communication channel. In second place is the VPN, which provides not only anonymity but also protection. Third place goes to the anonymizer, limited to working in an open browser window. TOR is suitable when there is no time or opportunity to connect to a VPN, but you should not count on fast processing of large requests. This ranking holds when unloaded servers located at the same distance from the testing host are used.

How to connect to the internet with a VPN

Dozens of services offer VPN access on RuNet, and around the world there are probably hundreds. Basically, all services are paid; the cost ranges from a few dollars to several tens of dollars per month. Experts with a good understanding of IT set up a VPN server themselves, using servers provided by various hosting providers. Such a server usually costs about $5 per month.

Whether you prefer a paid or a free solution depends on your requirements and expectations. Both options will do the job (hide your location, change your IP, encrypt data in transit, etc.), but problems with speed and access are much less common with paid services and are solved much faster.


The technology that creates a logical network on top of another network is known by the abbreviation "VPN", which stands for "Virtual Private Network". In simple terms, a VPN covers various methods of communication between devices inside another network and makes it possible to apply various protection methods, which significantly increases the safety of the information exchanged between computers.

And this is very important in the modern world, for example, for the networks of large commercial corporations and, of course, banks. Below are detailed guides on how to create a VPN, how to make a VPN connection and how to configure the created VPN connection correctly.

Definition

To understand what a VPN is more easily, you just need to know what it can do. A VPN connection allocates a certain sector of the existing network, and all computers and digital equipment located in it are in constant communication with each other. Most importantly, this sector is completely closed and protected from all other devices in the larger network.

How to connect VPN

Despite the seeming complexity of the VPN definition, creating one on Windows computers, and even the VPN setup itself, will not present much difficulty with a detailed guide. The main requirement is to strictly follow the sequence of the following steps:


Further, the VPN setup is performed, taking into account the various accompanying nuances.

How do I set up a VPN?

It must be configured taking into account the particulars of not only the operating system but also the operator providing the communication services.

Windows XP

For a VPN to work successfully in Windows XP, the following sequential steps are required:


Then, when working in the created environment, you can use some convenient functions. To do this, you need to do the following:

Note: The parameters are always entered differently, as they depend not only on the server, but also on the service provider.

Windows 8

In this OS, the question of how to set up a VPN should not cause any particular difficulties, because here it is almost automated.

The sequence of actions consists of the following steps:

Next, you need to specify the network options. To this end, perform the following actions:


Note: Entering the settings can vary significantly depending on the network configuration.

Windows 7

The process of making settings in Windows 7 is simple and accessible even to inexperienced computer users.

To make them, a Windows 7 user needs to take the following sequential steps:

Note: in order to work correctly, a careful individual selection of all parameters is required.

Android

To configure an Android gadget for normal operation in a VPN environment, you need to do a few steps:

Connection characteristics

This technology involves various delays in the data transmission procedure. Delays occur due to the following factors:

  1. it takes some time to establish a connection;
  2. the transmitted information is constantly being encoded;
  3. blocks of transmitted information.

The most significant differences lie in the technology itself: for example, a VPN does not need routers or separate lines. To function effectively, it only needs access to the World Wide Web and applications that encode the information.

The Internet is increasingly used as a means of communication between computers because it offers efficient and inexpensive communication. However, the Internet is a public network, and to ensure secure communication through it a mechanism is needed that satisfies at least the following requirements:

    confidentiality of information;

    data integrity;

    availability of information.

These requirements are met by a mechanism called VPN (Virtual Private Network), a generalized name for technologies that allow one or more network connections (a logical network) to be provided over another network (for example, the Internet) using cryptography (encryption, authentication, public key infrastructure, and protection against replay and modification of messages transmitted over the logical network).

Creating a VPN requires no additional investment and allows you to abandon leased lines. Depending on the protocols used and the purpose, a VPN can provide three types of connection: host-host, host-network and network-network.

For clarity, consider the following example: an enterprise has several geographically distant branches and "mobile" employees working from home or on the road. All employees of the enterprise need to be united into a single network. The easiest way is to put modems in each branch and arrange communication as needed. Such a solution, however, is not always convenient or profitable; sometimes a constant connection and high bandwidth are needed. For that you will have to either lay a dedicated line between the branches or rent one. Both are quite expensive. As an alternative, when building a single secure network, you can use VPN connections between all the company's branches over the Internet and configure VPN tools on the network hosts.

Fig. 6.4. Site-to-site VPN connection

Fig. 6.5. Host-to-network VPN

In this case, many problems are solved - branches can be located anywhere around the world.

The danger here is that, firstly, an open network is exposed to attacks from attackers around the world. Secondly, all data is transmitted over the Internet in the clear, and attackers who have penetrated the network will have all the information transmitted over it. Thirdly, data can not only be intercepted but also replaced in transit. An attacker could, for example, compromise the integrity of databases by acting on behalf of clients of one of the trusted branches.

To prevent this, VPN solutions use tools such as data encryption to ensure integrity and confidentiality, and authentication and authorization to validate user rights and permit VPN access.

A VPN connection always consists of a point-to-point link, also known as a tunnel. The tunnel is created on an unsecured network, which is most often the Internet.

Tunneling, or encapsulation, is a way of transmitting useful information over an intermediate network. Such information can be frames (or packets) of another protocol. With encapsulation, the frame is not transmitted in the form in which it was generated by the sending host, but is given an additional header containing routing information that allows the encapsulated packets to pass through the intermediate network (the Internet). At the end of the tunnel, the frames are de-encapsulated and sent to the recipient. Typically, the tunnel is created by two edge devices located at the points of entry into the public network. One clear advantage of tunneling is that it allows the entire original packet to be encrypted, including the header, which may contain information that attackers use to break into the network (for example, IP addresses, subnet numbers, etc.).

Although a VPN tunnel is established between two points, each node can establish additional tunnels with other nodes. For example, when three remote stations need to communicate with the same office, three separate VPN tunnels will be created to that office. For all tunnels, the office-side node can be the same. This is possible because the host can encrypt and decrypt data on behalf of the entire network, as shown in the figure:

Fig. 6.6. Creating VPN tunnels for multiple remote locations

The user establishes a connection to the VPN gateway, after which the user is granted access to the internal network.

Encryption itself does not take place inside the private network, because that part of the network is considered secure and under direct control, unlike the Internet. The same applies when offices are connected using VPN gateways. Thus encryption is guaranteed only for information transmitted over the insecure channel between offices.

There are many different solutions for building virtual private networks. The most famous and widely used protocols are:

    PPTP (Point-to-Point Tunneling Protocol) - this protocol has become quite popular due to its inclusion in Microsoft operating systems.

    L2TP (Layer-2 Tunneling Protocol) - combines the L2F (Layer 2 Forwarding) protocol and the PPTP protocol. Typically used in conjunction with IPSec.

    IPSec (Internet Protocol Security) is an official Internet standard developed by the Internet Engineering Task Force (IETF) community.

The listed protocols are supported by D-Link devices.

PPTP is primarily intended for dial-up virtual private networks. The protocol allows for remote access, allowing users to establish dial-up connections with ISPs and create a secure tunnel to their corporate networks. Unlike IPSec, PPTP was not originally designed for LAN-to-LAN tunnels. PPTP extends the capabilities of PPP, a data link protocol that was originally developed to encapsulate data and deliver it over point-to-point connections.

PPTP allows you to create secure channels for exchanging data using various protocols: IP, IPX, NetBEUI, etc. The data of these protocols is packed into PPP frames, which PPTP encapsulates into IP packets. These are then transferred over IP in encrypted form across any TCP/IP network. The receiving node extracts the PPP frames from the IP packets and processes them in the standard way, i.e. extracts the IP, IPX or NetBEUI packet from the PPP frame and sends it over the local network. Thus, PPTP creates a point-to-point connection in the network and transmits data over the created secure channel. The main advantage of encapsulating protocols such as PPTP is that they are multi-protocol: data protection at the data link layer is transparent to the protocols of the network and application layers. Therefore, within the network you can use both the IP protocol (as in the case of a VPN based on IPSec) and any other protocol as the transport.

Nowadays, due to its ease of implementation, PPTP is widely used both to obtain reliable secure access to the corporate network and to access the networks of ISPs when a client needs to establish a PPTP connection with an ISP to access the Internet.

The encryption method used in PPTP is specified at the PPP level. Typically, the PPP client is a Microsoft desktop, and the encryption protocol is Microsoft Point-to-Point Encryption (MPPE). This protocol is based on the RSA RC4 standard and supports 40- or 128-bit encryption. For many applications this level of encryption is quite sufficient, although it is considered less reliable than a number of other encryption algorithms offered by IPSec, in particular the 168-bit Triple Data Encryption Standard (3DES).

How is a PPTP connection established?

PPTP encapsulates IP packets for transmission over an IP network. PPTP clients create a tunnel control connection to keep the link alive. This process takes place at the transport layer of the OSI model. After the tunnel is created, the client computer and the server begin to exchange service packets.

In addition to the PPTP control connection, a tunnel data connection is created. Encapsulating data before sending it into the tunnel involves two steps. First, the information part of the PPP frame is created. Data flows from top to bottom, from the OSI application layer to the data link layer. The received data is then sent back up the OSI model and encapsulated by upper-layer protocols.

Data from the data link layer reaches the transport layer. However, the information cannot be sent to its destination yet, since the OSI data link layer is responsible for that. Therefore PPTP encrypts the payload field of the packet and takes over the Layer 2 functions normally associated with PPP, that is, it adds a PPP header and trailer to the PPTP packet. This completes the creation of the data link layer frame. Next, PPTP encapsulates the PPP frame in a Generic Routing Encapsulation (GRE) packet, which belongs to the network layer. GRE encapsulates network layer protocols such as IP and IPX so that they can be transported over IP networks. However, GRE alone does not provide session establishment or data security; for this, PPTP's own control connection is used to manage the tunnel. Using GRE as the encapsulation method restricts PPTP to IP networks only.

After the PPP frame has been encapsulated with a GRE header, it is encapsulated with an IP header. The IP header contains the addresses of the sender and recipient of the packet. Finally, PPTP adds a PPP header and trailer.

Fig. 6.7 shows the structure of the data sent over the PPTP tunnel:

Fig. 6.7. PPTP tunnel data structure
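To make the layering in Fig. 6.7 concrete, here is an added Python example (not from the original text and not D-Link's code) that builds and parses the enhanced GRE header PPTP places between the outer IP header and the PPP frame. The field layout follows RFC 2637; the Call ID, sequence numbers and PPP payload are constructed values, and neither the outer IP header nor MPPE encryption is built here.

```python
import struct

IP_PROTO_GRE = 47        # the outer IP header carries protocol 47 for GRE
GRE_PROTO_PPP = 0x880B   # protocol type PPTP's enhanced GRE uses for PPP payloads
GRE_VERSION = 1          # enhanced GRE (RFC 2637) is version 1; plain GRE is version 0
FLAG_K = 0x2000          # Key field present (always set by PPTP)
FLAG_S = 0x1000          # Sequence Number present
FLAG_A = 0x0080          # Acknowledgment Number present
PPP_PROTO_IPV4 = 0x0021  # PPP protocol field for an IPv4 datagram
PPP_PROTO_MPPE = 0x00FD  # PPP "compressed datagram": how MPPE-encrypted data is labelled


def ppp_frame(ppp_proto, payload):
    """PPP frame as PPTP carries it: 16-bit protocol field followed by the datagram."""
    return struct.pack("!H", ppp_proto) + payload


def build_pptp_gre(call_id, frame, seq=None, ack=None):
    """Prepend the enhanced GRE header.

    The Key field is split: high 16 bits = payload length, low 16 bits = Call ID,
    which is how the receiver maps the packet to a PPTP session."""
    flags = FLAG_K | GRE_VERSION
    if seq is not None:
        flags |= FLAG_S
    if ack is not None:
        flags |= FLAG_A
    hdr = struct.pack("!HHHH", flags, GRE_PROTO_PPP, len(frame), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + frame


def _u32(packet, off):
    """Read one optional 32-bit GRE field, refusing to read past the end."""
    if len(packet) < off + 4:
        raise ValueError("truncated optional GRE field")
    return struct.unpack("!I", packet[off:off + 4])[0], off + 4


def parse_pptp_gre(packet):
    """Return (call_id, seq, ack, frame). Rejects plain GRE and truncated packets."""
    if len(packet) < 8:
        raise ValueError("truncated GRE header")
    flags, proto, length, call_id = struct.unpack("!HHHH", packet[:8])
    if (flags & 0x0007) != GRE_VERSION or not (flags & FLAG_K):
        raise ValueError("not PPTP enhanced GRE (version or Key bit wrong)")
    if proto != GRE_PROTO_PPP:
        raise ValueError("GRE protocol type is not PPP (0x880B)")
    off, seq, ack = 8, None, None
    if flags & FLAG_S:
        seq, off = _u32(packet, off)
    if flags & FLAG_A:
        ack, off = _u32(packet, off)
    frame = packet[off:off + length]
    if len(frame) != length:
        raise ValueError("payload shorter than the length in the Key field")
    return call_id, seq, ack, frame


def visible_to_observer(packet):
    """What stays in the clear even when MPPE encrypts the PPP payload: every GRE
    header field and the PPP protocol field (0x00FD for MPPE-encrypted frames).
    This is what a network monitor still sees of a PPTP session."""
    call_id, seq, ack, frame = parse_pptp_gre(packet)
    if len(frame) < 2:
        raise ValueError("PPP frame too short for a protocol field")
    return {"call_id": call_id, "seq": seq, "ack": ack,
            "ppp_proto": struct.unpack("!H", frame[:2])[0]}


# Constructed sample: an IPv4 datagram stand-in inside a PPP frame, Call ID 0x1234.
SAMPLE_FRAME = ppp_frame(PPP_PROTO_IPV4, bytes(range(20)))
SAMPLE_PACKET = build_pptp_gre(0x1234, SAMPLE_FRAME, seq=7)
```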

Organizing a VPN based on PPTP requires neither large costs nor complex settings: it is enough to install a PPTP server in the central office (PPTP solutions exist for both Windows and Linux platforms) and configure the necessary settings on the client computers. If several branches need to be combined, then instead of configuring PPTP on all client stations it is better to use an Internet router or firewall with PPTP support: settings are made only on the border router (firewall) connected to the Internet, and everything is completely transparent for users. DIR/DSR series multifunctional Internet routers and DFL series firewalls are examples of such devices.

GRE tunnels

Generic Routing Encapsulation (GRE) is a network packet encapsulation protocol that tunnels traffic over networks without encryption. Examples of using GRE:

    transmission of traffic (including broadcast) through equipment that does not support a specific protocol;

    tunneling IPv6 traffic over an IPv4 network;

    data transmission over public networks to implement a secure VPN connection.

Fig. 6.8. An example of a GRE tunnel

Between routers A and B (Fig. 6.8) there are several other routers; the GRE tunnel allows the local networks 192.168.1.0/24 and 192.168.3.0/24 to communicate as if routers A and B were directly connected.

L2TP

L2TP is the result of combining PPTP and L2F. The main advantage of L2TP is that it allows a tunnel to be created not only in IP networks but also in ATM, X.25 and Frame Relay networks. L2TP uses UDP as its transport and the same message format for both tunnel management and data transfer.

As with PPTP, L2TP begins assembling the packet for transmission into the tunnel by adding the PPP header first, then the L2TP header, to the PPP information field. The resulting packet is encapsulated in UDP. Depending on the selected IPSec security policy, L2TP can encrypt the UDP messages and add an Encapsulating Security Payload (ESP) header and trailer, as well as an IPSec Authentication trailer (see "L2TP over IPSec"). The result is then encapsulated in IP: an IP header is added containing the sender and recipient addresses. Finally, L2TP performs a second PPP encapsulation to prepare the data for transmission. Fig. 6.9 shows the structure of the data forwarded over an L2TP tunnel.

Fig. 6.9. Data structure for forwarding over an L2TP tunnel

The receiving computer receives the data, processes the PPP header and trailer, and strips off the IP header. IPSec Authentication authenticates the IP information field, and the IPSec ESP header is used to decrypt the packet.

The computer then processes the UDP header and uses the L2TP header to identify the tunnel. The PPP packet now contains only payload, which is processed or forwarded to the specified recipient.

IPsec (short for IP Security) is a set of protocols for securing data transmitted over the Internet Protocol (IP), providing authentication and/or encryption of IP packets. IPsec also includes protocols for secure key exchange over the Internet.

IPSec security is achieved through additional protocols that add their own headers to the IP packet (encapsulation). Since IPSec is an Internet standard, it is described in RFC documents:

    RFC 2401 (Security Architecture for the Internet Protocol) - Security architecture for the Internet Protocol.

    RFC 2402 (IP Authentication header) - IP authentication header.

    RFC 2404 (The Use of HMAC-SHA-1-96 within ESP and AH) - Using the SHA-1 hashing algorithm to create an authentication header.

    RFC 2405 (The ESP DES-CBC Cipher Algorithm With Explicit IV) - the use of the DES encryption algorithm.

    RFC 2406 (IP Encapsulating Security Payload (ESP)) - data encryption.

    RFC 2407 (The Internet IP Security Domain of Interpretation for ISAKMP) - the domain of interpretation for the key management protocol.

    RFC 2408 (Internet Security Association and Key Management Protocol (ISAKMP)) - Management of keys and authenticators for secure connections.

    RFC 2409 (The Internet Key Exchange (IKE)) - Key exchange.

    RFC 2410 (The NULL Encryption Algorithm and Its Use With IPsec) - the null encryption algorithm and its use.

    RFC 2411 (IP Security Document Roadmap) - roadmap for further development of the standard.

    RFC 2412 (The OAKLEY Key Determination Protocol) - Checking the authenticity of a key.

IPsec is an integral part of the IPv6 Internet Protocol and is an optional extension to the IPv4 version of the Internet Protocol.

The IPSec mechanism solves the following tasks:

    authentication of users or computers when initializing a secure channel;

    encryption and authentication of data transmitted between endpoints of a secure channel;

    automatic provisioning of channel endpoints with the secret keys required by the authentication and data encryption protocols.

IPSec components

The AH (Authentication Header) protocol is an authentication header protocol. It ensures integrity by verifying that no bit in the protected portion of the packet has been changed during transmission. But using AH can cause problems, for example when the packet traverses a NAT device. NAT changes the IP address of the packet to allow Internet access from a private local address. Since the packet is modified in this case, the AH checksum becomes incorrect (to eliminate this problem, the NAT-Traversal (NAT-T) protocol was developed, which carries ESP over UDP and uses UDP port 4500). It is also worth noting that AH was designed for integrity only: it does not provide confidentiality by encrypting the contents of the packet.

The ESP (Encapsulating Security Payload) protocol provides not only integrity and authentication of transmitted data but also data encryption, as well as protection against replay of packets.

ESP is an encapsulating security protocol that provides both integrity and confidentiality. In transport mode, the ESP header is between the original IP header and the TCP or UDP header. In tunnel mode, the ESP header is placed between the new IP header and the fully encrypted original IP packet.

Both AH and ESP add their own headers to the IP packet, and each has its own protocol number (ID), which is used to determine what follows the IP header. Every protocol has its own number (ID) according to IANA (Internet Assigned Numbers Authority, the organization responsible for the Internet's address space). For example, for TCP this number is 6, and for UDP it is 17. Therefore, when working through a firewall it is very important to configure the filters so that packets with the AH and/or ESP protocol IDs are allowed through.

Protocol ID 51 is set to indicate AH in the IP header, and 50 for ESP.

ATTENTION: Protocol ID is not the same as port number.
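The NAT problem with AH, and the difference in what AH and ESP authenticate, can be checked in code. The following is an added Python example, not from the original material: it builds transport-mode AH and ESP packets with an HMAC-SHA-1-96 ICV (RFC 2404) and, for ESP, the NULL cipher (RFC 2410) so that the bytes stay readable, then rewrites the source address the way a NAT device would. The key, addresses and payload are constructed.

```python
import hashlib
import hmac
import socket
import struct

IP_PROTO_TCP = 6
IP_PROTO_ESP = 50   # protocol ID in the IP header for ESP
IP_PROTO_AH = 51    # protocol ID in the IP header for AH
ICV_LEN = 12        # HMAC-SHA-1-96: the 20-byte SHA-1 HMAC truncated to 96 bits


def ip_checksum(hdr):
    """One's-complement checksum of a 20-byte IPv4 header (checksum field taken as zero)."""
    total = sum(struct.unpack("!10H", hdr[:10] + b"\x00\x00" + hdr[12:20]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header without options, followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


def icv(key, data):
    """Integrity Check Value as RFC 2404 defines it for both AH and ESP."""
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_immutable_view(ip_hdr):
    """AH authenticates the IP header too. Fields that legitimately change in transit
    (ToS, flags/fragment offset, TTL, checksum) are zeroed; the addresses are NOT."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def build_ah(src, dst, key, spi, seq, inner):
    """Transport-mode AH: IP(proto 51) | AH header | ICV | inner payload."""
    # AH payload-len field = AH length in 32-bit words minus 2: (12 + 12) / 4 - 2 = 4
    ah = struct.pack("!BBHII", IP_PROTO_TCP, 4, 0, spi, seq) + bytes(ICV_LEN)
    pkt = build_ipv4(src, dst, IP_PROTO_AH, ah + inner)
    mac = icv(key, ah_immutable_view(pkt[:20]) + pkt[20:])
    return pkt[:32] + mac + pkt[44:]


def verify_ah(pkt, key):
    if pkt[9] != IP_PROTO_AH:
        return False
    ah_len = (pkt[21] + 2) * 4
    ah = pkt[20:20 + ah_len]
    zeroed = ah[:-ICV_LEN] + bytes(ICV_LEN)
    expected = icv(key, ah_immutable_view(pkt[:20]) + zeroed + pkt[20 + ah_len:])
    return hmac.compare_digest(ah[-ICV_LEN:], expected)


def build_esp(src, dst, key, spi, seq, inner):
    """Transport-mode ESP, NULL cipher: IP(proto 50) | SPI, seq | payload | padding |
    pad length, next header | ICV. The ICV covers nothing in the outer IP header."""
    pad_len = (-(len(inner) + 2)) % 4   # RFC 2406 trailer alignment for a 4-byte boundary
    body = (struct.pack("!II", spi, seq) + inner + bytes(range(1, pad_len + 1))
            + bytes([pad_len, IP_PROTO_TCP]))
    return build_ipv4(src, dst, IP_PROTO_ESP, body + icv(key, body))


def verify_esp(pkt, key):
    if pkt[9] != IP_PROTO_ESP:
        return False
    return hmac.compare_digest(pkt[-ICV_LEN:], icv(key, pkt[20:-ICV_LEN]))


def esp_inner(pkt):
    """Strip ESP framing (NULL cipher, so nothing to decrypt) and return the payload."""
    body = pkt[20:-ICV_LEN]
    return body[8:len(body) - 2 - body[-2]]


def nat_rewrite_source(pkt, new_src):
    """What a NAT device does on the way out: new source address, corrected checksum."""
    h = bytearray(pkt[:20])
    h[12:16] = socket.inet_aton(new_src)
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h) + pkt[20:]


KEY = b"constructed-demo-key"               # constructed, not a real key
INNER = b"constructed TCP segment payload"  # constructed stand-in for a TCP segment


def demo():
    """Both packets verify as sent; after NAT only the ESP packet still does."""
    ah = build_ah("192.168.1.10", "203.0.113.5", KEY, 0x100, 1, INNER)
    esp = build_esp("192.168.1.10", "203.0.113.5", KEY, 0x200, 1, INNER)
    nat_src = "198.51.100.7"
    return {"ah_before_nat": verify_ah(ah, KEY),
            "ah_after_nat": verify_ah(nat_rewrite_source(ah, nat_src), KEY),
            "esp_before_nat": verify_esp(esp, KEY),
            "esp_after_nat": verify_esp(nat_rewrite_source(esp, nat_src), KEY)}
```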

Internet Key Exchange (IKE) is a standard IPsec protocol used to secure communications in virtual private networks. The purpose of IKE is to securely negotiate and deliver keying material for a Security Association (SA).

SA is the IPSec term for a connection. An established SA (a secure channel called a "security association", SA) includes a shared secret key and a set of cryptographic algorithms.

IKE serves three main purposes:

    provides means of authentication between two VPN endpoints;

    establishes new IPSec links (creates an SA pair);

    manages existing links.

IKE uses UDP port 500. When using NAT Traversal, as mentioned earlier, IKE uses UDP port 4500.

Data exchange in IKE occurs in two phases. In the first phase, an IKE SA is established: the channel endpoints are authenticated and the data protection parameters are selected, such as the encryption algorithm, session key, etc.

In the second phase, the IKE SA is used to negotiate the SAs of the protected protocol (usually IPSec).

When a VPN tunnel is configured, one SA pair is created for each protocol used. SAs are created in pairs because each SA is a unidirectional connection, and data must be sent in two directions. The resulting SA pairs are stored on each node.

Since each node is able to establish multiple tunnels with other nodes, each SA has a unique number to determine which node it belongs to. This number is called the SPI (Security Parameter Index).

SA stored in a database (DB) SAD(Security Association Database).

Each IPSec node also has a second DB - SPD(Security Policy Database) - database of security policy. It contains the configured site policy. Most VPN solutions allow the creation of multiple policies with combinations of suitable algorithms for each node to which you want to connect.

The flexibility of IPSec lies in the fact that for each task there are several ways to solve it, and the methods chosen for one task usually do not depend on the methods for implementing other tasks. At the same time, the IETF working group has defined a base set of supported functions and algorithms that should be consistently implemented in all products that support IPSec. The AH and ESP mechanisms can be used with a variety of authentication and encryption schemes, some of which are required. For example, IPSec specifies that packets are authenticated using either one-way MD5 or one-way SHA-1, and encryption is done using DES. Manufacturers of products running IPSec can add other authentication and encryption algorithms. For example, some products support encryption algorithms such as 3DES, Blowfish, Cast, RC5, etc.

Any symmetric encryption algorithm that uses secret keys can be used to encrypt data in IPSec.

The traffic protection protocols (AH and ESP) can operate in two modes: transport mode and tunnel mode. In transport mode, IPsec works only with transport-layer information, i.e. only the data field of the packet carrying the TCP/UDP segment is encrypted; the IP header is neither changed nor encrypted. Transport mode is typically used to establish a connection between hosts.

Tunnel mode encrypts the entire IP packet, including the network-layer header. In order for it to be transmitted over the network, it is placed in another IP packet. It is essentially a secure IP tunnel. Tunnel mode can be used to connect remote computers to a virtual private network ("host-network" connection scheme) or to organize secure data transmission through open communication channels (for example, the Internet) between gateways, joining different parts of a virtual private network ("network-network" scheme).

IPsec modes are not mutually exclusive. On the same node, some SAs can use transport mode while others use tunnel mode.

During the authentication phase, the ICV checksum (Integrity Check Value) of the packet is calculated. This assumes that both nodes know the secret key, which allows the receiver to calculate the ICV and compare it with the result sent by the sender. If the ICV comparison is successful, the sender of the packet is considered authenticated.

In AH transport mode, the ICV is computed over:

    all fields of the IP header, except for some fields that can be changed in transit. These fields, which are set to 0 for the ICV calculation, are Type of Service (TOS), flags, fragment offset, time to live (TTL) and header checksum;

    all fields of the AH header;

    the payload of the IP packet.

AH in transport mode protects the IP header (except for the fields that are allowed to be modified) and the payload in the original IP packet (Figure 3.39).

In tunnel mode, the original packet is placed in a new IP packet, and data transmission is performed based on the header of the new IP packet.

In AH tunnel mode, the ICV calculation includes the following components:

    all fields of the outer IP header, except for some fields that can be changed in transit. These fields, which are set to 0 for the ICV calculation, are Type of Service (TOS), flags, fragment offset, time to live (TTL) and header checksum;

    all fields of the AH header;

    the original IP packet.

As you can see in the following illustration, AH tunneling mode protects the entire original IP packet with an additional outer header that is not used in AH transport mode:

Fig. 6.10. Tunnel and transport modes of the AH protocol
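As an added illustration (not code from the original text), the following Python computes and verifies an AH ICV the way the two lists above describe: the mutable IP header fields are zeroed before the keyed hash is applied, so a TTL decrement in transit does not break verification, while a changed address or payload does. The sample packet, key and addresses are constructed, and HMAC-SHA1-96 is the assumed authentication algorithm.

```python
import hmac
import hashlib
import struct

def ipv4_header(proto, src, dst, ttl=64):
    """20-byte IPv4 header for the constructed samples (header checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def zero_mutable_fields(ip_hdr):
    """Copy of the IP header with the fields a router may change in transit zeroed:
    TOS, flags/fragment offset, TTL and header checksum (the fields the text lists)."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # Type of Service
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)

def ah_header(next_hdr, spi, seq, icv):
    """AH header (RFC 4302): Payload Length is the AH length in 32-bit words minus 2."""
    ah_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_hdr, ah_len, 0, spi, seq) + icv

def ah_icv(key, ip_hdr, next_hdr, spi, seq, payload, icv_len=12):
    """HMAC-SHA1-96 ICV over: IP header with mutable fields zeroed, AH header with the
    ICV field zeroed, and the payload (transport-layer data, or in tunnel mode the whole
    original packet, with ip_hdr then being the outer header; same computation)."""
    data = zero_mutable_fields(ip_hdr) + ah_header(next_hdr, spi, seq, bytes(icv_len)) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:icv_len]

def verify_ah(key, ip_hdr, ah_bytes, payload):
    """Receiver side: recompute the ICV from the shared key and compare in constant time."""
    next_hdr, ah_len, _, spi, seq = struct.unpack("!BBHII", ah_bytes[:12])
    icv_len = (ah_len + 2) * 4 - 12
    expected = ah_icv(key, ip_hdr, next_hdr, spi, seq, payload, icv_len)
    return hmac.compare_digest(ah_bytes[12:12 + icv_len], expected)

# Constructed sample: transport-mode AH (protocol 51) protecting a TCP payload (next header 6).
KEY = b"constructed-shared-secret"
IP_HDR = ipv4_header(51, "10.0.0.1", "10.0.0.2")
PAYLOAD = b"TCP segment (constructed)"
AH_BYTES = ah_header(6, 0x100, 1, ah_icv(KEY, IP_HDR, 6, 0x100, 1, PAYLOAD))
```

Calling verify_ah with a copy of IP_HDR whose TTL has been decremented still returns True, whereas a changed destination address or payload returns False.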

In transport mode, ESP does not authenticate the entire packet but protects only the IP payload. In ESP transport mode the ESP header is inserted immediately after the IP header, and the ESP trailer (ESP Trailer) is appended after the data.

ESP transport mode encrypts the following parts of the packet:

    IP payload;

An encryption algorithm that uses Cipher Block Chaining (CBC) mode has an unencrypted field between the ESP header and the payload. This field is the Initialization Vector (IV) for the CBC calculation performed at the receiver. Since this field is needed to start the decryption process, it cannot itself be encrypted. Although an attacker can see the IV, it cannot decrypt the encrypted part of the packet without the encryption key. To prevent an intruder from changing the initialization vector, it is protected by the ICV checksum. In this case the ICV is computed over:

    all fields in the ESP header;

    payload including plain text IV;

    all fields in ESP Trailer except for the authentication data field.

ESP tunnel mode encapsulates the entire original IP packet in a new IP header, an ESP header and an ESP trailer. To indicate that ESP is present, the protocol identifier in the new IP header is set to 50; the original IP header and payload are left unchanged. As with AH tunnel mode, the outer IP header is built from the IPsec tunnel configuration. In ESP tunnel mode the authenticated region of the IP packet shows what the integrity check covers, confirming its integrity and authenticity, and the encrypted region shows what information is kept confidential. The original header is placed after the ESP header. Once the encrypted portion has been encapsulated in a new, unencrypted tunnel header, the IP packet is transmitted. When sent over a public network, such a packet is routed to the IP address of the receiving network's gateway; the gateway decrypts the packet, discards the ESP header and uses the original IP header to route the packet to a computer on the internal network. ESP tunnel mode encrypts the following parts of the packet:

    original IP packet.

For ESP tunnel mode, the ICV is calculated over:

    all fields in the ESP header;

    original IP packet including plain text IV;

    all ESP Trailer fields except for the authentication data field.

Fig. 6.11. ESP tunnel and transport mode

Fig. 6.12. Comparison of ESP and AH protocols

Summary of IPsec settings (alternatives in parentheses):

    Protocol - ESP (AH).

    Mode - tunnel (transport).

    Key exchange method - IKE (manual).

    IKE mode - main (aggressive).

    DH key - group 5 (group 2, group 1): the group number selects the length of the dynamically generated session keys.

    Authentication - SHA1 (SHA, MD5).

    Encryption - DES (3DES, Blowfish, AES).

When creating a policy, it is usually possible to create an ordered list of algorithms and Diffie-Hellman groups. Diffie-Hellman (DH) is a key-exchange protocol used to establish shared secret keys for IKE, IPsec and PFS (Perfect Forward Secrecy). The first position in the list that matches on both nodes is used. It is very important that the policies on both sides actually overlap: if everything matches except one part of the policy, the peers will still not be able to establish a VPN connection. When setting up a VPN tunnel between different systems, find out which algorithms each side supports so that you can choose the most secure policy possible.

The main settings that the security policy includes:

    Symmetric algorithms for encrypting / decrypting data.

    Cryptographic checksums for checking data integrity.

    Host identification method. The most common methods are pre-shared secrets or CA certificates.

    Whether to use tunnel mode or transport mode.

    Which Diffie-Hellman group to use (DH group 1 (768-bit); DH group 2 (1024-bit); DH group 5 (1536-bit)).

    Whether to use AH, ESP, or both.

    Whether to use PFS.

The limitation of IPSec is that it only supports data transfer at the IP protocol layer.

There are two main schemes for using IPSec, differing in the role of the nodes that form the secure channel.

In the first scheme, the secure channel is formed between the end hosts of the network. In this scheme, IPsec runs on the hosts themselves and protects their traffic:

Fig. 6.13. Creating a secure channel between two endpoints

In the second scheme, a secure channel is established between two Security Gateways. These gateways receive data from end hosts connected to networks behind the gateways. In this case, the end hosts do not support the IPSec protocol, the traffic directed to the public network passes through the Security Gateway, which protects on its own behalf.

Fig. 6.14. Creating a secure channel between two gateways

For hosts that support IPSec, both transport and tunnel modes can be used. For gateways, only tunnel mode is allowed.

Establishing and maintaining a VPN

As mentioned above, setting up and maintaining a VPN tunnel is a two-phase process. In the first phase, the two nodes agree on an identification method, an encryption algorithm, a hash algorithm and a Diffie-Hellman group, and they also identify each other. This can take place through an exchange of three unencrypted messages (the so-called aggressive mode, Aggressive Mode) or six messages, with the identification information exchanged in encrypted form (the standard mode, Main Mode).

In Main Mode, it is possible to agree on all configuration parameters of the sender and receiver devices, while in Aggressive Mode this is not possible, and some parameters (Diffie-Hellman group, encryption and authentication algorithms, PFS) must be preconfigured in the same way on each device. However, in this mode, both the number of exchanges and the number of packets sent at the same time are smaller, as a result of which it takes less time to establish an IPSec session.

Fig. 6.15. Messaging in standard (a) and aggressive (b) modes

If the operation completes successfully, the first-phase SA is created (Phase 1 SA, also called the IKE SA) and the process proceeds to the second phase.

In the second phase, keying material is generated and the nodes agree on the policy to be used. This phase, also called Quick Mode, differs from the first in that it can only take place after the first phase has completed, since all packets of the second phase are encrypted. Successful completion of the second phase produces the Phase 2 SA, or IPsec SA, and this completes the establishment of the tunnel.

First, a packet arrives at a node with a destination address in another network, and the node initiates the first phase with the node responsible for that network. Suppose the tunnel between the nodes has been established successfully and is waiting for packets. However, after a period of time the nodes must re-identify each other and compare policies again. This period is called the Phase One lifetime or IKE SA lifetime.

Nodes must also change their encryption key over a period of time called the Phase Two lifetime or IPSec SA lifetime.

The Phase Two lifetime is shorter than that of the first phase, because the key must be changed more often. You need to set the same lifetime parameters on both nodes. If you do not, the tunnel may initially be established successfully, but the connection will be interrupted when the first mismatched lifetime expires. Problems can also arise when the lifetime of the first phase is shorter than that of the second phase. If a previously working tunnel stops working, the first thing to check is the lifetimes on both nodes.

It should also be noted that when you change the policy on one of the nodes, the changes will take effect only at the next onset of the first phase. For the changes to take effect immediately, the SA for this tunnel must be removed from the SAD database. This will force a renegotiation of the agreement between the nodes with the new security policy settings.

Sometimes, when setting up an IPSec tunnel between equipment from different manufacturers, there are difficulties associated with negotiating parameters when establishing the first phase. You should pay attention to such a parameter as Local ID - this is a unique identifier of the endpoint of the tunnel (sender and receiver). This is especially important when creating multiple tunnels and using the NAT Traversal protocol.

Dead Peer Detection

During VPN operation, when there is no traffic between the tunnel endpoints, or when the remote node's original data changes (for example, its dynamically assigned IP address), the tunnel may effectively cease to exist, becoming a kind of ghost tunnel. To keep the created IPsec tunnel constantly ready for data exchange, the IKE mechanism described in RFC 3706 monitors the presence of traffic from the remote tunnel node and, if it is absent for a specified time, sends a hello message (D-Link firewalls send the message "DPD-RU-THERE"). If there is no response to this message within a certain time, set in D-Link firewalls by the "DPD Expire Time" setting, the tunnel is torn down. D-Link firewalls then use the "DPD Keep Time" setting (Fig. 6.18) to automatically try to re-establish the tunnel.

NAT Traversal protocol

IPsec traffic can be routed according to the same rules as other IP protocols, but since a router cannot always retrieve information specific to transport layer protocols, IPsec cannot pass through NAT gateways. As mentioned earlier, to address this issue, the IETF has defined a way to encapsulate ESP in UDP called NAT-T (NAT Traversal).

NAT Traversal encapsulates IPSec traffic and simultaneously creates UDP packets that NAT forwards correctly. To do this, NAT-T places an additional UDP header in front of the IPSec packet so that it is processed as a regular UDP packet throughout the network and the recipient host does not perform any integrity checks. Once the packet arrives at its destination, the UDP header is removed and the data packet continues on its way as an encapsulated IPSec packet. Thus, using the NAT-T mechanism, it is possible to establish communication between IPSec clients on secure networks and public IPSec hosts through firewalls.
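The following Python, added here as an example rather than taken from the text or any vendor's code, ties together the protocol IDs 50/51 and the SPI-based SAD lookup described earlier with the NAT-T encapsulation just explained: it classifies constructed sample packets, strips the UDP header from NAT-T traffic and looks up the inbound SA. The SAD entries, addresses and SPIs are constructed; the 4-byte zero "non-ESP marker" that distinguishes IKE from ESP on UDP port 4500 comes from RFC 3948, which the text does not cite.

```python
import struct

AH, ESP, UDP = 51, 50, 17                 # IP protocol numbers (IDs), not port numbers
IKE_PORT, NATT_PORT = 500, 4500           # UDP ports used by IKE and by NAT-T

def ipv4_header(proto, src, dst):
    """20-byte IPv4 header for the constructed samples (header checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def classify(pkt):
    """Return (kind, spi): kind is 'AH', 'ESP', 'IKE', 'NAT-T' (UDP-encapsulated ESP) or 'OTHER'."""
    ihl = (pkt[0] & 0x0F) * 4
    body = pkt[ihl:]
    proto = pkt[9]
    if proto == AH:                       # AH header: next hdr, length, reserved, SPI, seq
        return "AH", struct.unpack("!I", body[4:8])[0]
    if proto == ESP:                      # ESP header starts with the SPI
        return "ESP", struct.unpack("!I", body[0:4])[0]
    if proto == UDP:
        sport, dport = struct.unpack("!HH", body[:4])
        if IKE_PORT in (sport, dport):
            return "IKE", None
        if NATT_PORT in (sport, dport) and len(body) >= 12:
            # After the 8-byte UDP header comes either ESP (SPI first) or IKE, which is
            # marked by a 4-byte zero "non-ESP marker" where the SPI would be (RFC 3948).
            spi = struct.unpack("!I", body[8:12])[0]
            return ("IKE", None) if spi == 0 else ("NAT-T", spi)
    return "OTHER", None

# Constructed inbound SAD: entries keyed by (destination address, protocol, SPI).
SAD = {("10.0.0.2", "ESP", 0x1000A001): "esp-in-from-gw1",
       ("10.0.0.2", "AH", 0x00000100): "ah-in-from-host7"}

def lookup_sa(pkt):
    """Find the inbound SA for a packet; NAT-T traffic is looked up as plain ESP once the
    UDP header is stripped, as the text describes for the receiving end."""
    kind, spi = classify(pkt)
    proto = "ESP" if kind == "NAT-T" else kind
    dst = ".".join(str(b) for b in pkt[16:20])
    return SAD.get((dst, proto, spi))

# Constructed sample packets (not captures), all sent to 10.0.0.2.
ESP_PKT = ipv4_header(ESP, "10.0.0.1", "10.0.0.2") + struct.pack("!II", 0x1000A001, 1)
AH_PKT = ipv4_header(AH, "10.0.0.7", "10.0.0.2") + struct.pack("!BBHII", 6, 4, 0, 0x100, 1) + bytes(12)
IKE_PKT = ipv4_header(UDP, "10.0.0.1", "10.0.0.2") + struct.pack("!HHHH", 500, 500, 8, 0)
NATT_ESP_PKT = (ipv4_header(UDP, "10.0.0.1", "10.0.0.2")
                + struct.pack("!HHHH", 4500, 4500, 16, 0) + struct.pack("!II", 0x1000A001, 2))
NATT_IKE_PKT = ipv4_header(UDP, "10.0.0.1", "10.0.0.2") + struct.pack("!HHHH", 4500, 4500, 12, 0) + bytes(4)
TCP_PKT = ipv4_header(6, "10.0.0.1", "10.0.0.2") + bytes(20)
```

A firewall filter built on classify would pass AH, ESP, IKE and NAT-T and drop OTHER; note that the same ESP SA is found for both the native and the UDP-encapsulated packet.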

When configuring D-Link firewalls on the receiving device, two points should be noted:

    in the Remote Network and Remote Endpoint fields, specify the network and IP address of the remote sending device. Translation of the initiator's (sender's) IP address by NAT must be allowed (Figure 3.48).

    When using shared keys with multiple tunnels connected to the same remote firewall that have been NATed to the same address, it is important to ensure that the Local ID is unique for each tunnel.

Local ID can be one of:

    Auto - the IP address of the outgoing traffic interface is used as the local identifier;

    IP - the IP address of the WAN port of the remote firewall;

    DNS - a DNS address.
