IPsec - VPN - After Edit


State of Libya

Ministry of Education and Scientific Research


Elmergib University
Faculty of Information Technology
Computer Network Division

A graduation project submitted to the Computer Network Department in partial
fulfillment of the requirements for the degree of Bachelor of Science in the
field of Computer Networks

Implementation of IPsec-VPN Tunneling using EVE-NG with Wireshark

Prepared by:
Osama Juma Sabra
Supervised by:
Mr. Abdulsalam Yahya

September 2022

SUPERVISOR CERTIFICATION
I certify that the preparation of this project, entitled "Implementation of IPsec-VPN
Tunneling using the EVE-NG Emulated Virtual Environment with Wireshark" and
prepared by Osama Juma Sabra, was conducted under my general supervision at the
College of Information Technology, Networking Department, in partial fulfillment of
the requirements for the degree of Bachelor of Science in Computer Networks.
Name: Abdul Salam Yahya (Supervisor)

Signature: ------------------------------

Date: ------------------------------------

Abstract
The Internet provides little guarantee of security in the process of information
exchange. Virtual Private Networks (VPNs) based on IP Security (IPsec) have been
implemented to overcome this and to give remote clients a secure connection for
exchanging information with company networks.

A VPN is a private network that uses a public network (usually the Internet) to connect
remote sites or users together. Instead of using a dedicated, real-world connection
such as a leased line, a VPN uses "virtual" connections routed through the Internet from
the company's private network to the remote site or employee.

The objective of the project is to design a site-to-site VPN tunnel and to determine
what results from implementing a VPN based on the IPsec protocol. The result is that
the VPN connects the Tripoli branch and the Misrata branch over an encrypted
connection across a public network, emulated in EVE-NG. The test uses the PING tool
to generate traffic through the tunnel and Wireshark to capture and analyze the packets.

The captured traffic shows that the packets carried over the tunnel are encrypted;
the evaluation confirms that the IPsec security policy is applied and that the data
are authenticated (hashed) and encrypted.

Table of contents
Abstract
Chapter One: Introduction
1.1 Virtual private network
1.2 VPN Protocols
1.2.1 Link layer
1.2.2 Network layer
1.2.3 Session layer
1.3 Types of VPN
1.4 Tunneling
1.5 Problem statement
1.6 Research objectives
1.7 Research question
1.8 Research importance
1.9 Literature review
1.10 Research methodology
Chapter Two: Background
2.1 Virtual private network
2.2 Types of VPN connections
2.2.1 Remote-Access VPN
2.2.2 Site-to-Site VPN
2.3 VPN Protocols
2.3.1 Link layer
2.3.1.1 PPTP
2.3.1.2 L2TP
2.3.2 Network layer
2.3.2.1 IPsec
2.3.3 Session layer
2.3.3.1 SSL / TLS
2.4 Comparing different VPN technologies
2.5 Tunneling
2.5.1 Tunneling: Site-to-Site
2.5.2 Tunneling: Remote-Access
2.6 IPsec framework
2.7 IPsec protocols
2.7.1 AH
2.7.2 ESP
2.8 IPsec modes of operation
2.9 Confidentiality
2.10 Data integrity
2.11 Origin authentication
2.12 IKE
2.12.1 IKEv1 Phase 1
2.12.2 IKEv1 Phase 2
2.13 Benefits of VPN
Chapter Three: Related Studies
3.1 Literature review
Chapter Four: Research Methodology
4.1 Network tool
4.1.1 Why choose EVE-NG
4.1.2 Some features
4.2 Network model
4.3 Background / scenario
4.4 Objectives
4.5 Addressing table
4.6 Basic configuration
4.7 Installing configuration
4.7.1 Tripoli router
4.7.2 Misrata router
4.8 VPN configuration
4.8.1 Part 1: Configure IPsec parameters on Tripoli_Router
4.8.1.1 Step 1: Identify interesting traffic on Tripoli_Router
4.8.1.2 Step 2: Configure the IKE Phase 1 ISAKMP policy on Tripoli_Router
4.8.1.3 Step 3: Configure the IKE Phase 2 IPsec policy on Tripoli_Router
4.8.1.4 Step 4: Configure the crypto map on the outgoing interface
4.8.2 Part 2: Configure IPsec parameters on Misrata router
4.8.2.1 Step 1: Configure router Misrata to support a VPN with Tripoli router
4.8.2.2 Step 2: Configure the IKE Phase 1 ISAKMP properties on Misrata router
4.8.2.3 Step 3: Configure the IKE Phase 2 IPsec policy on Misrata router
4.8.2.4 Step 4: Configure the crypto map on the outgoing interface
4.9 Part 3: Verify the IPsec VPN
4.9.1 show crypto isakmp policy
4.9.2 show crypto ipsec transform-set
4.9.3 show crypto map
4.9.4 debug crypto isakmp
4.9.5 debug crypto ipsec
4.9.6 show crypto isakmp sa
4.9.7 show crypto ipsec sa
4.10 Simulation test
4.11 IKE (Internet Key Exchange)
4.11.1 IKE Phase 1
4.11.2 IKE Phase 2
Chapter Five: Conclusion
5.1 Conclusion
5.2 Future work
References

LIST OF FIGURES
Figure 2.1 : VPN structure
Figure 2.2 : Types of virtual private network
Figure 2.3 : Remote-Access VPN
Figure 2.4 : Site-to-Site VPN
Figure 2.5 : IPsec in transport and tunnel mode
Figure 2.6 : IPsec framework components
Figure 2.7 : ESP encryption and authentication
Figure 2.8 : IKEv1 Phase 1 main mode
Figure 2.9 : IKEv1 Phase 2
Figure 4.1 : Network model
Figure 4.2 : show crypto isakmp policy command
Figure 4.3 : show crypto ipsec transform-set command
Figure 4.4 : show crypto map command
Figure 4.5 : debug crypto isakmp command
Figure 4.6 : debug crypto ipsec command
Figure 4.7 : show crypto isakmp sa command
Figure 4.8 : show crypto ipsec sa command
Figure 4.9 : Tunneling test using ping
Figure 4.10 : Captured traffic in Wireshark
Figure 4.11 : ISAKMP establishment process
Figure 4.12 : First packet (Phase 1)
Figure 4.13 : Second packet (Phase 1)
Figure 4.14 : Third packet (Phase 1)
Figure 4.15 : Fourth packet (Phase 1)
Figure 4.16 : Fifth packet (Phase 1)
Figure 4.17 : Sixth packet (Phase 1)
Figure 4.18 : First packet (Phase 2)
Figure 4.19 : Second packet (Phase 2)
Figure 4.20 : Third packet (Phase 2)

LIST OF TABLES
Table 2.1 : VPN features and characteristics
Table 2.2 : Security services of different VPNs
Table 2.3 : Encryption and authentication protocols and algorithms
Table 4.1 : Addressing table
Table 4.2 : ISAKMP Phase 1 policy parameters
Table 4.3 : IPsec Phase 2 policy parameters
Table 4.4 : Verification commands

List of Abbreviations
• VPN: Virtual Private Network
• ISP: Internet Service Provider
• IPsec: Internet Protocol Security
• AH: Authentication Header
• ESP: Encapsulating Security Payload
• NAS: Network Access Server
• L2F: Layer 2 Forwarding
• L2TP: Layer 2 Tunneling Protocol
• PPTP: Point-to-Point Tunneling Protocol
• SSL: Secure Sockets Layer
• GRE: Generic Routing Encapsulation
• SA: Security Association
• IKE: Internet Key Exchange
• ISAKMP: Internet Security Association and Key Management Protocol

Chapter One: Introduction

1.1 Virtual private network

A VPN appears to be an excellent method for providing distributed services over a
public network infrastructure. A VPN offers low cost, efficient use of bandwidth,
scalable and flexible functionality, and secure, private connections. It provides a
virtual private line between two network sites through which network traffic passes.
How well a VPN performs depends on several factors, such as the operating system,
the hardware devices being used, interoperability, and the algorithms being
implemented [1].

A VPN is one method for interconnecting multiple sites belonging to the same
organization using an Internet Service Provider (ISP) backbone network in place of a
dedicated line. The use of public telecommunication infrastructure reduces operational
costs, while the security requirements are met through security protocols and
procedures. A VPN implements a private network on top of the Internet infrastructure
using modern switching or routing hardware capabilities, encryption, authentication,
packet tunneling and firewalls. Such robustness makes VPN a scalable technology
that has the potential to solve many business networking problems [2].

1.2 VPN PROTOCOLS

Virtual private networks are commonly created at the Link Layer, the Network Layer,
or the Session Layer. Each of the protocols brings strengths and weaknesses to the
VPN solution.

1.2.1 Link layer

Link layer VPNs were designed to extend Remote Access Services over the Internet.
They can provide flow control, optimizing transmission by cutting down on dropped
packets. Their main disadvantage is that they were targeted at the Microsoft client
space rather than at clients on other operating systems. The common Link Layer
protocols are PPTP and L2TP.

1.2.2 Network layer

The network layer VPN protocol in general use is IPsec [3].

1.2.3 Session layer

Session layer VPNs provide finer control of data flow than lower-layer VPNs. They
work with a variety of authentication and encryption mechanisms and establish a
virtual circuit between client and host on a session-by-session basis, allowing
monitoring and access control based on user authentication.

1.3 Types of VPN

There are two types of VPN connection, Remote Access VPN and Site-to-site VPN.
A Remote Access VPN connects employees of a company to the company intranet
from home or when on the move. A site-to-site VPN connects geographically
separated company intranets. A site-to-site VPN may also connect a company's
intranet to a business partner's intranet [2].

1.4 Tunneling

Most VPNs rely on tunneling to create a private network that reaches across the
Internet. Essentially, tunneling is the process of placing an entire packet within
another packet and sending it over a network. The protocol of the outer packet is
understood by the network and by both end points, called tunnel interfaces, where the
packet enters and exits the network [4].

1.5 Problem statement

The security risks of the Internet are advertised every day by the trade and
mainstream press; for a corporation the risks are even more real and apparent. Stolen
or deleted corporate data can adversely affect people's livelihoods and cost the
company money. Since the Internet is a public network, anyone can reach a system
you connect to it, and if your network is connected over the Internet and your
security is lax, a system cracker might be able to access your network using any
standard dial-up account from any ISP in the world. That is why a VPN is used to
protect the files on your networked computers and the services that you grant your
employees, customers and others; the VPN helps to alleviate some of the worry of
transmitting sensitive files outside of your network [5].

1.6 Research Objectives

To implement and analyze IPsec-VPN tunneling.

To protect privacy online.

To safeguard information in transit.

1.7 Research question

How can IPsec-VPN tunneling be implemented and analyzed?

How can privacy online be protected?

How can information in transit be safeguarded?

1.8 Research importance

In this research we propose a solution to the increasingly prominent problem of
network security. Enterprises build their network infrastructure intending to find
reliable solutions that protect them from untrusted and cybercriminal activity; in this
sense, VPNs are primarily concerned with data privacy. VPNs represent an extension
of a private network, achieved by encapsulating the data packets with an additional
header at both ends of the communication and by setting up communication tunnels
using a composite suite of available protocols.

1.9 Literature review

Concerning the security of database queries executed against distributed databases
by utilizing various IPsec modes of encryption, different research has been conducted,
ranging from analysis of the performance of encryption algorithms in terms of time and
space complexity [6] to confidentiality protection through encrypted query processing
[7]. The former presents a performance analysis and comparison between a symmetric
encryption algorithm (DES) and cryptographic hash functions (MD5, SHA-1) from the
perspective of time complexity and space complexity. The parameters considered for
the comparison are CPU processing power and the size of the given input, and the
conclusion is that MD5 is sufficient for authentication purposes rather than the more
complicated SHA-1 algorithm [6]. However, considering when that research appeared,
serious security flaws were subsequently found in MD5 [8], rendering the algorithm
practically broken and unsuitable for use.
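Because the review above turns on the choice between MD5 and SHA-1 for authentication, the following added example (my own code, not from the project or from the papers it cites) shows how IPsec actually uses these functions: not as bare hashes, but as keyed HMACs truncated to a fixed length to form the integrity check value (ICV) of AH or ESP, per RFC 2403 (HMAC-MD5-96) and RFC 2404 (HMAC-SHA-1-96), with SHA-256 truncated to 128 bits as in RFC 4868. The sample key and payload are constructed for the example; the RFC 2202 vectors let the construction be checked against a published reference. The collision attacks on MD5 that the review mentions do not by themselves yield forgeries against HMAC-MD5, but the conclusion that MD5 should no longer be relied on stands, and with this structure switching the algorithm is a one-argument change.

```python
"""IPsec-style integrity check values: an HMAC truncated to the length the
transform defines, trailed after the protected data and checked in constant time."""
import hashlib
import hmac

# Truncated ICV length per transform (RFC 2403, RFC 2404, RFC 4868).
ICV_LEN = {"md5": 12, "sha1": 12, "sha256": 16}


def icv(key: bytes, data: bytes, algo: str) -> bytes:
    """Compute the truncated HMAC that AH/ESP carry as the integrity check value."""
    if algo not in ICV_LEN:
        raise ValueError("unsupported integrity algorithm: %s" % algo)
    full = hmac.new(key, data, getattr(hashlib, algo)).digest()
    return full[: ICV_LEN[algo]]


def verify(key: bytes, data: bytes, tag: bytes, algo: str) -> bool:
    """Recompute the ICV and compare in constant time, so a wrong tag leaks no timing."""
    return hmac.compare_digest(icv(key, data, algo), tag)


def protect(key: bytes, payload: bytes, algo: str) -> bytes:
    """Sender side: trail the ICV after the payload, as ESP places it after the encrypted data."""
    return payload + icv(key, payload, algo)


def unprotect(key: bytes, packet: bytes, algo: str) -> bytes:
    """Receiver side: split off the trailing ICV and discard the packet if it fails to verify."""
    if algo not in ICV_LEN:
        raise ValueError("unsupported integrity algorithm: %s" % algo)
    n = ICV_LEN[algo]
    if len(packet) <= n:
        raise ValueError("packet too short to carry an ICV")
    payload, tag = packet[:-n], packet[-n:]
    if not verify(key, payload, tag, algo):
        raise ValueError("integrity check failed: packet modified or wrong key")
    return payload


# RFC 2202 test vectors (published reference values for HMAC-MD5 and HMAC-SHA-1).
RFC2202_MD5_KEY = b"\x0b" * 16
RFC2202_SHA1_KEY = b"\x0b" * 20
RFC2202_DATA = b"Hi There"

# Constructed sample: an assumed integrity key and an assumed inner datagram,
# not material captured from the project's EVE-NG lab.
SAMPLE_KEY = b"assumed-site-to-site-integrity-key"
SAMPLE_PAYLOAD = b"\x45\x00\x00\x30" + b"inner datagram from 192.168.1.10 to 192.168.2.10"
```

protect() and unprotect() are the two ends of the tunnel: a packet whose payload or ICV has been modified in transit, or that was produced under a different key, is rejected with ValueError before its contents are used.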

1.10 Research methodology

This project deals with a site-to-site IPsec-VPN that connects the company's intranets.
The IPsec-VPN is implemented with security protocols for key management and
exchange, authentication and integrity, using the EVE-NG network emulator. Testing
and verification are done with the PING tool to generate traffic between the different
sites belonging to the same company, and with Wireshark to capture the traffic flowing
between Site A and Site B and confirm that the data packets are encrypted.

Chapter Two: Background

2.1 Virtual private network
The Internet is commonly used to interconnect the world. However, it lacks security
guarantees for information exchange. For security reasons, data confidentiality,
integrity and availability are important factors that need to be considered, and many
security solutions have been provided to secure information exchange over the
Internet. Against this background, VPN is one of the solutions that have been
provided. It is a private connection that uses a public network and works through
tunneling and encryption technology. It requires a set of protocol extensions that
provide security assurance, data integrity and confidentiality; that protocol is IP
Security (IPsec), a standard tunneling technology used for VPNs [1].

A VPN is a private network that uses a public network (usually the Internet) to connect
remote sites or users together. Instead of using a dedicated, real-world connection
such as a leased line, a VPN uses "virtual" connections routed through the Internet from
the company's private network to the remote site or employee. This chapter gives a
fundamental understanding of VPNs and covers basic VPN components, technologies,
tunneling and security [4].

A VPN provides an encrypted and secure connection, the "tunnel", from a user's
machine to its destination through the public Internet. The Internet has become a
popular, low-cost backbone infrastructure, and its universal reach has led many
companies to consider constructing a secure VPN over it. A private network creates
the notion of computers and network resources that belong to a single dedicated user
or organization. Although this pool of computers and network resources makes use of
public network facilities (i.e., ISP networks), it assumes independence and total
ownership of the resources. A VPN is one method for interconnecting multiple sites
belonging to the same organization using an Internet Service Provider (ISP) backbone
network in place of a dedicated line. The use of public telecommunication
infrastructure reduces operational costs, while the security requirements are met
through security protocols and procedures. A VPN implements a private network on
top of the Internet infrastructure using modern switching or routing hardware
capabilities, encryption, authentication, packet tunneling and firewalls. Such
robustness makes VPN a scalable technology that has the potential to solve many
business networking problems [2].

A VPN appears to be an excellent method for providing distributed services over a
public network infrastructure. A VPN offers low cost, efficient use of bandwidth,
scalable and flexible functionality, and secure, private connections. It provides a
virtual private line between two network sites through which network traffic passes.
How well a VPN performs depends on several factors, such as the operating system,
the hardware devices being used, interoperability, and the algorithms being
implemented [9].

VPNs can be classified according to the tunneling security model, the location of the
endpoints, the connectivity type, the robustness of the security mechanisms, and the
type of tunneling protocol. All of them provide connectivity through a tunnel, which is
a virtual link between two nodes that may be separated by a number of networks. The
tunnel is established in the router and configured with the IP address of the router at
the other end. Every packet is encapsulated inside an IP datagram whose destination
address is the IP address of the router at the far end of the tunnel [9].

The two endpoints must use the same tunneling protocol. These logical tunnels that
carry the IP packets are independent of the payload and have different headers
depending on the protocol implemented. A VPN provides secure, encrypted virtual
connections over an IP network by encrypting and encapsulating each packet before
passing it through the tunnel. A VPN uses authentication to ensure data integrity and
origin, and encryption to ensure confidentiality. It uses dynamic tunnels for efficient
bandwidth usage and for the flexibility of creating and removing tunnels at any time.
Tunneling adds overhead to the IP packet size, which affects bandwidth utilization,
especially when packets are short. The cost also falls on the far-end router, which
must decapsulate and decrypt each packet [9].
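To make the encapsulation described above concrete, here is an added example (my own code, not part of the project or of any source it cites) that builds a minimal IPv4 datagram, wraps it in an outer IPv4 header addressed to the far-end tunnel router with the IP-in-IP protocol number, and strips it again at the tunnel exit. It also computes the overhead the outer header adds, which is the bandwidth cost the paragraph mentions for short packets. The LAN and public addresses, the ICMP payload, and the rule that the exit router refuses packets not addressed to it are assumptions made for the example; a real IPsec tunnel uses ESP rather than plain IP-in-IP and encrypts the inner datagram, which this example deliberately leaves in the clear so the structure stays visible.

```python
"""IP-in-IP tunnelling: the whole inner datagram is carried unchanged inside an
outer IPv4 datagram whose destination is the router at the far end of the tunnel."""
import struct

IPPROTO_ICMP = 1
IPPROTO_IPIP = 4      # protocol number for IP-in-IP encapsulation (RFC 2003)
IPV4_HDR_LEN = 20     # fixed header, no options
IPV4_HDR_FMT = "!BBHHHBBH4s4s"


def _aton(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def _ntoa(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; a correct header verifies to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 datagram (DF set, no options) with a correct header checksum."""
    total_len = IPV4_HDR_LEN + len(payload)
    hdr = struct.pack(IPV4_HDR_FMT, (4 << 4) | 5, 0, total_len, 0, 0x4000,
                      ttl, proto, 0, _aton(src), _aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fixed header; raise ValueError on a bad version, length or checksum."""
    if len(pkt) < IPV4_HDR_LEN:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_HDR_FMT, pkt[:IPV4_HDR_LEN])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < IPV4_HDR_LEN or total_len > len(pkt):
        raise ValueError("not a well-formed IPv4 datagram")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": _ntoa(src), "dst": _ntoa(dst), "proto": proto, "ttl": ttl,
            "total_len": total_len, "payload": pkt[ihl:total_len]}


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel entry: put the entire inner datagram behind an outer header for the far-end router."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner)


def decapsulate(outer: bytes, my_tunnel_addr: str) -> bytes:
    """Tunnel exit: accept only IP-in-IP addressed to this endpoint, then strip the outer header."""
    o = parse_ipv4(outer)
    if o["dst"] != my_tunnel_addr:
        raise ValueError("outer datagram not addressed to this tunnel endpoint")
    if o["proto"] != IPPROTO_IPIP:
        raise ValueError("outer protocol %d is not IP-in-IP" % o["proto"])
    inner = o["payload"]
    parse_ipv4(inner)        # validate the inner datagram before forwarding it onto the LAN
    return inner


def tunnel_overhead(inner: bytes, outer: bytes) -> float:
    """Fraction of extra bytes the tunnel adds; grows as the inner packet shrinks."""
    return (len(outer) - len(inner)) / len(inner)


# Constructed sample (assumed addresses, not the project's addressing table):
# a host on the first branch LAN sends an ICMP echo to a host on the second branch LAN,
# and the branch router tunnels it across assumed public addresses.
ICMP_ECHO = b"\x08\x00" + b"\x00" * 6 + b"ping-data"
INNER = build_ipv4("192.168.1.10", "192.168.2.10", IPPROTO_ICMP, ICMP_ECHO)
OUTER = encapsulate(INNER, "203.0.113.1", "198.51.100.1")
```

Importing the module builds INNER and OUTER; decapsulate(OUTER, "198.51.100.1") returns the inner datagram byte for byte, while the same call with another address, or on an outer header whose bytes were altered in transit, raises ValueError. For this 37-byte inner packet the 20-byte outer header is more than half of the original size, which is the overhead effect the text describes.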

Figure 2.1 : VPN structure

2.2 Types of VPN connections

VPN connections can be achieved in two ways. The first is by using Internet
Protocol Security (IPsec) for authentication and encryption of services between
endpoints. The second is by using tunnelling mechanisms. Tunnelling means that the
data being transmitted between end points is encapsulated inside another protocol [2].

There are two types of VPN connection, Remote Access VPN and Site-to-site VPN.

Figure 2.2 : Types of virtual private network

2.2.1 Remote-Access VPN
Remote-access, also called a virtual private dial-up network (VPDN), is a user-to-LAN
connection used by a company that has employees who need to connect to the private
network from various remote locations. Typically, a corporation that wishes to set up a
large remote-access VPN will outsource to an enterprise service provider (ESP). The
ESP sets up a network access server (NAS) and provides the remote users with desktop
client software for their computers. The telecommuters can then dial a toll-free number
to reach the NAS and use their VPN client software to access the corporate network. A
good example of a company that needs a remote-access VPN would be a large firm with
hundreds of sales people in the field. Remote-access VPNs permit secure, encrypted
connections between a company's private network and remote users through a
third-party service provider [4].

Figure 2.3 : Remote-Access VPN

2.2.2 Site-to-Site VPN
Through the use of dedicated equipment and large-scale encryption, a company can
connect multiple fixed sites over a public network such as the Internet [4]. Site-to-site
VPNs can be one of two types:

• Intranet-based - If a company has one or more remote locations that it wishes to join
in a single private network, it can create an intranet VPN to connect LAN to LAN.

• Extranet-based - When a company has a close relationship with another company
(for example, a partner, supplier or customer), it can build an extranet VPN that
connects LAN to LAN and allows all of the various companies to work in a shared
environment [4].

Figure 2.4 : Site-to-Site VPN

A Remote Access VPN connects employees of a company to the company intranet
from home or when on the move. A site-to-site VPN connects geographically
separated company intranets. A site-to-site VPN may also connect a company's
intranet to a business partner's intranet [2]. Table 2.1 summarizes VPN features and
characteristics.

VPN type        Features and characteristics
Remote Access   • Connects users to the corporate network
                • Client-server scheme
                • Internet Protocol Security
                • Secure Sockets Layer
                • Point-to-Point Tunnelling Protocol
                • Layer 2 Tunnelling Protocol
Site-to-site    • Connects networks
                • Hosts communicate through a VPN gateway
                • Internet Protocol Security
                • Generic Routing Encapsulation
                • Multi-Protocol Label Switching (MPLS)

Table 2.1 : VPN Features and Characteristics

To achieve full functionality of VPN connections, a mixture of the above components
is required. For the problem domain in this research paper, we
recommend the site-to-site setup for certain applications, for the purpose of achieving
full confidentiality capabilities. The major driver for such an option is the
sensitive nature of data that may be shared among the communicating
branches in such an established connection. A remote access VPN setup will enable
access to emails and other communication requirements that may not involve
exchange of sensitive data or documents.

2.3 VPN PROTOCOLS
Virtual Private Networks are commonly created at the Link Layer, the Network Layer,
or the Session Layer. Each of these protocols brings strengths and weaknesses to the
VPN solution.

2.3.1 Link layer
Link layer VPNs were designed to extend Remote Access Services over the Internet.
They can provide flow control, thus optimizing transmission by cutting down on
dropped packets. The main disadvantage is that they are targeted at the Microsoft
client space, but not at clients on other operating systems. The common Link Layer
protocols are PPTP and L2TP.

2.3.1.1 PPTP
PPTP tunnels PPP traffic within IP packets, using a modified version of the Generic
Routing Encapsulation (GRE). PPTP uses the same types of authentication as PPP.
These protocols rely on password strength, which is one means to accomplish
authentication and security.

2.3.1.2 L2TP
L2TP combines features of PPTP with the Layer 2 Forwarding (L2F) protocol. Tunneling using L2TP is
accomplished through multiple levels of encapsulation: L2TP, UDP, IPsec, IP and
Data-Link, where IPsec provides the encryption for L2TP tunnels [3].

2.3.2 Network layer
The only network layer protocol used in VPNs is IPsec.

2.3.2.1 IPsec
An IPsec VPN is designed to provide security between two gateways (firewalls or
routers), or between a client and a gateway. IPsec provides two different modes:
Transport Mode, applicable only for host-to-host security, protects the
payload of the IP packet, while Tunnel Mode provides security between two networks by
protecting the entire IP packet. Both intranet and extranet VPNs are enabled through
tunnel mode.

Figure 2.5 : IPsec in transport and tunnel mode
IPsec provides two security protocols. First, the Authentication Header (AH) protects the source and destination
addresses of the IP header using a hash function with a secret key. Second, the Encapsulating Security Payload (ESP)
provides authentication, integrity and confidentiality and allows for encryption of the
data payload, guaranteeing data confidentiality and integrity.

The Internet Key Exchange (IKE) protocol sets up IPsec parameters and exchanges encryption keys in order to
create a new security association. IKE authenticates the users by using either a shared
secret or public key cryptography. To support asymmetric user authentication
methods, many enhancements are used, e.g., Extended Authentication (XAUTH) and
Hybrid authentication. XAUTH inserts a login/password authentication after Main
Mode and before IPsec parameter negotiation (Quick Mode) to securely authenticate
the remote user. XAUTH is secured by IKE main mode, which needs a pre-shared key or
a certificate. Hybrid authentication authenticates only the server with a certificate or
public key, and the client only by legacy methods protected by the ISAKMP SA.

IKEv2 includes features like XAUTH / Hybrid type of legacy authentication support,
using encapsulated EAP protocol. This legacy authentication is similar to Hybrid auth.
IKEv2 uses a method similar to IKE shared secret authentication for the parties to
prove to each other that they have the secret derived from the EAP key-generating run
[3].

2.3.3 Session layer
Session layer VPNs provide more detailed control of data flow than lower layer
VPNs. They work with a variety of authentication and encryption mechanisms and
establish a virtual circuit between client and host on a session-by-session basis,
allowing monitoring and access control based on user authentication. The main
disadvantage is that session layer VPNs proxy all traffic, so they are slower than
lower layer VPNs. Their more sophisticated access control is more complicated to set
up, manage and maintain than address-based access control schemes. The common
session layer protocol is SSL/TLS.

2.3.3.1 SSL / TLS
An SSL/TLS VPN, based on the Secure Sockets Layer (SSL) protocol, provides data encryption and
authentication for HTTP traffic. It can also be used for securing RTP traffic. SSL uses
the primary secure transport mechanism, SSL/HTTPS, built in for secure connections
from web browsers to web servers. On the majority of web browsers, checking of
the certificate lists sent back by the server is not activated by default, which seriously
weakens the security that SSL derives from these certificates.

2.4 Comparing Different VPN Technologies

The security services offered by VPN technologies are reported in Table 2.2.

Both IPsec and SSL negotiate per-session keys and use cryptography to prevent
eavesdropping and forgery. IPsec with mutual certificate authentication is more secure
than SSL with one-way server certificate authentication, which is more vulnerable to
denial-of-service attacks than IPsec [3]. Encryption and authentication algorithms and
protocols for data traffic over a VPN tunnel are presented together with user authentication
protocols in Table 2.3.

            Terminal Auth   User Auth   Confidentiality   Integrity
PPTP        No              Yes         Yes               No
L2TP        Yes             Yes         Yes               Yes
IPsec       Yes             No          Yes               Yes
SSL/TLS     Yes             No          Yes               Yes

Table 2.2 : Differences between VPN security services

PPTP
  Terminal Auth: PAP, SPAP, MS-CHAP, EAP-TLS, digital certificates for mutual
                 authentication
  User Auth:     EAP-TLS, MS-CHAP
  Encryption:    MPPE / RC4

L2TP
  Terminal Auth: IPsec ESP computer certificates, pre-shared key for mutual
                 authentication
  User Auth:     PAP, SPAP, MS-CHAP, EAP-TLS
  Encryption:    IPsec/ESP (DES, 3DES, AES)

IPsec
  Terminal Auth: ESP/AH HMAC-MD5, IKE with digital certificate or pre-shared key
  User Auth:     Digital certificates, shared secret or passwords for mutual
                 authentication
  Encryption:    ESP (DES-CBC, 3DES-SHA1, AES and Blowfish)

SSL
  Terminal Auth: Digital certificate, HTTP Basic Authentication, ID
  User Auth:     Digital certificates, sub-authentication (login page protects
                 username/password)
  Encryption:    3DES, RC4-MD5, public-key encryption

Table 2.3 : Encryption and Authentication protocols and algorithms

From the above tables, we conclude that the network layer VPN based on IPsec is the
strongest VPN solution in terms of security. Complexity, performance and
compatibility problems of IPsec make it less suitable for media traffic. Therefore,
an IPsec VPN needs many enhancements to support security for VoIP [3].

2.5 Tunneling
Most VPNs rely on tunneling to create a private network that reaches across the
Internet. Essentially, tunneling is the process of placing an entire packet within
another packet and sending it over a network. The protocol of the outer packet is
understood by the network and both points, called tunnel interfaces, where the packet
enters and exits the network [4].

Tunneling requires three different protocols:

• Carrier protocol - The protocol used by the network that the information is traveling
over.

• Encapsulating protocol - The protocol (GRE, IPsec, L2F, PPTP, L2TP) that is
wrapped around the original data.

• Passenger protocol - The original data (IPX, NetBeui, IP) being carried.

2.5.1 Tunneling: Site-to-Site
In a site-to-site VPN, GRE is normally the encapsulating protocol that provides the
framework for how to package the passenger protocol for transport over the carrier
protocol, which is typically IP-based. This includes information on what type of
packet you are encapsulating and information about the connection between the client
and server. Instead of GRE, IPsec in tunnel mode is sometimes used as the
encapsulating protocol. IPsec works well on both remote-access and site-to-site VPNs.
IPsec must be supported at both tunnel interfaces to be used.

2.5.2 Tunneling: Remote-Access
In a remote-access VPN, tunneling normally takes place using PPP. Part of the
TCP/IP stack, PPP is the carrier for other IP protocols when communicating over the
network between the host computer and a remote system. Remote-access VPN
tunneling relies on PPP. Each of the protocols listed below was built using the basic
structure of PPP and is used by remote access VPNs.

 L2F - Developed by Cisco, L2F will use any authentication scheme supported by
PPP. [4]
 PPTP (Point-to-Point Tunneling Protocol) - PPTP was created by the PPTP Forum,
a consortium which includes US Robotics, Microsoft, 3COM, Ascend and ECI
Telematics. PPTP supports 40-bit and 128-bit encryption and will use any
authentication scheme supported by PPP.
 L2TP - L2TP is the product of a partnership between the members of the PPTP
Forum, Cisco and the IETF (Internet Engineering Task Force). Combining features
of both PPTP and L2F, L2TP also fully supports IPsec [4].

L2TP can be used as a tunneling protocol for site-to-site VPNs as well as remote-
access VPNs [4]. In fact, L2TP can create a tunnel between:

• Client and router

• NAS and router

• Router and router

2.6 IPsec Framework
IPsec is an open standard that defines how a VPN can be secured across IP networks.
IPsec protects and authenticates IP packets between source and destination. IPsec
provides these essential security functions: [10]

 Confidentiality: IPsec ensures confidentiality by using encryption.
 Data integrity: IPsec ensures that data arrives unchanged at the destination,
meaning that the data has not been manipulated at any point along the
communication path.
 Origin authentication: Authentication ensures that the connection is made with the
desired communication partner. IPsec uses Internet Key Exchange (IKE) to
authenticate users and devices that can carry out communication independently.
IKE can use the following methods to authenticate the peer system:
   Pre-shared keys (PSK)
   Digital certificates
   RSA-encrypted nonces
 Anti-replay protection: Anti-replay protection verifies that each packet is unique
and is not duplicated.
 Key management: Allows for an initial safe exchange of dynamically generated
keys across a non-trusted network and a periodic rekeying process, limiting the
maximum amount of time and data that are protected with any one key.

These security functions define the IPsec framework and spell out the rules for secure
communications. IPsec relies on existing algorithms to implement encryption,
authentication, and key exchange. Figure 2.6 illustrates some of the standard
algorithms that IPsec uses. The framework allows technologies to be replaced over
time. When cryptographic technologies become obsolete, it doesn’t make the IPsec
framework obsolete. Instead, obsolete technologies are replaced with more current
versions, keeping the framework in place [10].

Figure 2.6 : IPsec Framework Components

2.7 IPsec Protocols
There are two main IPsec framework protocols: the Authentication Header (AH) and the Encapsulating Security Payload (ESP) [10].

2.7.1 AH
AH, which is IP protocol 51, is the appropriate protocol to use when confidentiality is
not required. In other words, AH does not provide data encryption. AH does, however,
provide origin authentication, data integrity, and anti-replay protection for IP packets
that are passed between two systems. AH achieves data integrity and origin
authentication by applying a keyed one-way hash function to the packet to create a
hash, or message digest. The hash is combined with the text and is transmitted. The
receiver detects changes in any part of the packet that occur during transit by
performing the same one-way hash function on the received packet and comparing the
result to the value of the message digest that the sender has supplied. AH supports the
HMAC-MD5 and HMAC-SHA-1 algorithms [10].

2.7.2 ESP
Like AH, ESP provides origin authentication, data integrity, and anti-replay
protection; however, unlike AH, it also provides confidentiality. ESP, which is IP
protocol 50, provides confidentiality by encrypting IP packets. ESP supports various
symmetric encryption algorithms, including DES, 3DES, and AES. The original data
is well protected by ESP, because the entire original IP packet is encrypted. When
ESP authentication is also used, the encrypted IP packet and the ESP header and
trailer are included in the hashing process. When both authentication and encryption
are used, encryption is performed first. Authentication is then performed by sending
the encrypted payload through a hash algorithm. The hash provides data integrity and
data origin authentication. Last, a new IP header is prepended to the authenticated
payload. The new IP address is used to route the packet. ESP does not attempt to
provide data integrity for this new external IP header. Figure 2.7 illustrates the ESP
encryption and authentication process on an IP packet using tunnel mode [10].

Figure 2.7 : ESP Encryption and Authentication

In modern IPsec VPN implementations, the use of ESP is more common than AH.

2.8 IPsec Modes of Operations
ESP and AH can be used in two different ways, or modes. The encapsulation can be
done in tunnel mode or in transport mode. [10]

ESP transport mode does not protect the original packet’s IP header. Only the original
packet’s payload is protected. An ESP header is inserted between the original IP
header and the protected payload [10].

ESP tunnel mode protects the entire original IP packet. The entire original IP packet,
including its IP header, is encrypted and becomes the payload for the new packet. An
ESP header is applied for the transport layer header, and this is encapsulated in a new
packet with a new IP header. The new IP header specifies the VPN peers as the source
and destination IP addresses. The IP addresses specified in the original IP packet are
not visible.

2.9 Confidentiality
The following are some of the encryption algorithms and key lengths that IPsec can
use: [10]

 DES algorithm: DES uses a 56-bit symmetric key.
 3DES algorithm: 3DES is a variant of the 56-bit DES. It uses three independent
56-bit encryption keys per 64-bit block, which provides significantly stronger
encryption strength over DES.
 AES: AES provides stronger security than DES and is computationally more
efficient than 3DES. AES offers three different key lengths: 128 bits, 192 bits, and
256 bits.
 SEAL: As a stream cipher, SEAL encrypts data continuously rather than
encrypting blocks of data. SEAL uses a 160-bit key.

2.10 Data Integrity
VPN data is typically transported over the public Internet. Potentially, this data could
be intercepted and modified. The idea is that a data-integrity algorithm adds a hash to the
message, which guarantees the integrity of the original message. If the transmitted
hash matches the received hash, the message has not been tampered with. However, if
there is no match, the message was altered. A Hashed Message Authentication Code
(HMAC) is a data-integrity algorithm that guarantees the integrity of the message.
IPsec currently supports three common HMAC algorithms: [10]

 HMAC-Message Digest 5 (HMAC-MD5): HMAC-MD5 uses a shared-secret key
of any size, and the output is a 128-bit hash.
 HMAC-Secure Hash Algorithm 1 (HMAC-SHA-1): HMAC-SHA-1 uses a secret
key of any size, and the output is a 160-bit hash.
 HMAC-Secure Hash Algorithm 2 (HMAC-SHA-2): The SHA-2 family of
HMACs is based on the same base algorithm as SHA-1. The SHA-2 family (the
second generation of SHA algorithms) includes the 256-, 384- and 512-bit hash
algorithms, referred to as SHA-256, SHA-384 and SHA-512 respectively.

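The ESP processing described in sections 2.7.2, 2.8 and 2.10 (encrypt first, then authenticate; the new outer IP header is not integrity-protected; a keyed hash detects tampering) and the anti-replay check listed in section 2.6 can be followed end to end in the Python script below. It is an added example written for this chapter, not code from the thesis or from any IPsec implementation. The ESP field layout, the HMAC-SHA1-96 ICV and the 64-entry sliding replay window follow RFC 4303; the keystream cipher, the keys, the addresses and the inner packet are constructed placeholders (the standard library has no AES, so the cipher stands in for AES-CBC and is not a real IPsec transform).

```python
"""ESP tunnel-mode framing, HMAC-SHA1-96 integrity check and anti-replay window.

Added example, not code from the thesis or from any IPsec implementation. Field
layout, encrypt-then-authenticate order, ICV truncation and the replay window
follow RFC 4303. The keystream cipher is a constructed stand-in for AES-CBC.
"""
import hashlib
import hmac
import os
import socket
import struct

ICV_LEN = 12            # HMAC-SHA1-96 keeps the first 96 bits of the HMAC-SHA1 output
ESP_PROTO = 50          # protocol number carried in the outer IP header
NEXT_HEADER_IPV4 = 4    # tunnel mode: the protected payload is a complete IPv4 packet


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack(">10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack(">H", ipv4_checksum(hdr)) + hdr[12:]


def keystream(enc_key: bytes, iv: bytes, length: int) -> bytes:
    """Constructed placeholder cipher (HMAC-SHA-256 in counter mode); not an IPsec transform."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, iv + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, key))


def esp_encapsulate(spi, seq, inner_packet, enc_key, auth_key, outer_src, outer_dst):
    """Tunnel mode: new IP | ESP header (SPI, seq) | IV | enc(inner + pad + trailer) | ICV."""
    pad_len = (-(len(inner_packet) + 2)) % 4            # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))             # RFC 4303 default padding 1, 2, 3, ...
    plaintext = inner_packet + padding + bytes([pad_len, NEXT_HEADER_IPV4])
    iv = os.urandom(8)
    ciphertext = xor(plaintext, keystream(enc_key, iv, len(plaintext)))   # encrypt first
    authenticated = struct.pack(">II", spi, seq) + iv + ciphertext
    icv = hmac.new(auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]  # then authenticate
    outer = ipv4_header(outer_src, outer_dst, ESP_PROTO, len(authenticated) + ICV_LEN)
    return outer + authenticated + icv                  # the outer header is NOT covered by the ICV


class ReplayWindow:
    """RFC 4303 sliding window: accepts each sequence number once, rejects ones older than the window."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set means sequence number (top - i) was already accepted

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False    # with anti-replay enabled, sequence numbers start at 1
        if seq > self.top:  # newer than anything seen: slide the window forward
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or (self.bitmap >> diff) & 1:
            return False    # older than the window, or a duplicate
        self.bitmap |= 1 << diff
        return True


def esp_decapsulate(packet, enc_key, auth_key, window):
    """Verify the ICV first, then the replay window, then decrypt. Returns (ok, inner_or_reason)."""
    esp = packet[20:]
    if len(esp) < 8 + 8 + 2 + ICV_LEN:
        return False, "truncated"
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return False, "bad ICV"
    _spi, seq = struct.unpack(">II", body[:8])
    if not window.check_and_update(seq):
        return False, "replay"
    plaintext = xor(body[16:], keystream(enc_key, body[8:16], len(body) - 16))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if next_header != NEXT_HEADER_IPV4 or pad_len > len(plaintext) - 2:
        return False, "bad trailer"
    return True, plaintext[:len(plaintext) - 2 - pad_len]


def demo() -> dict:
    """Constructed scenario: one inner packet between two branch LANs, carried between two gateways."""
    enc_key, auth_key = b"\x11" * 16, b"\x22" * 20     # constructed keys; real keys come from IKE
    inner = ipv4_header("192.168.1.10", "192.168.2.20", 1, 8) + b"ping0001"   # constructed packet
    packet = esp_encapsulate(0x1000, 1, inner, enc_key, auth_key, "203.0.113.1", "198.51.100.1")
    window = ReplayWindow()
    ok, recovered = esp_decapsulate(packet, enc_key, auth_key, window)
    replayed = esp_decapsulate(packet, enc_key, auth_key, window)        # same seq again
    tampered = bytearray(packet)
    tampered[40] ^= 0x01                                                  # flip one ciphertext bit
    tamper_result = esp_decapsulate(bytes(tampered), enc_key, auth_key, ReplayWindow())
    ttl_changed = bytearray(packet)
    ttl_changed[8] -= 1                                                   # outer TTL decremented in transit
    outer_result = esp_decapsulate(bytes(ttl_changed), enc_key, auth_key, ReplayWindow())
    return {
        "roundtrip": ok and recovered == inner,
        "replay_rejected": replayed == (False, "replay"),
        "tamper_detected": tamper_result == (False, "bad ICV"),
        "outer_header_unprotected": outer_result[0],   # ICV does not cover the new IP header
        "packet_len": len(packet),
    }


if __name__ == "__main__":
    print(demo())
```

Running the script shows four outcomes: the inner packet round-trips; resending the same packet is rejected as a replay; flipping one ciphertext bit fails the ICV before any decryption is attempted; and decrementing the outer TTL is still accepted, because the ICV stops at the ESP trailer, which is exactly why ESP offers no integrity for the new external IP header.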
2.11 Origin Authentication
When you are conducting business long distance, it is necessary to know who is at the
other end of the phone, email, or fax. The same is true of VPN networks. The device
on the other end of the VPN tunnel must be authenticated before the communication
path is considered secure. Four peer authentication methods exist:

 Pre-shared keys (PSK): A secret key value is entered into each peer manually and
is used to authenticate the peer. This is a shared secret that both parties must
exchange ahead of time.
 RSA signatures: The exchange of digital certificates authenticates the peers. The
local device derives a hash and encrypts it with its private key. The encrypted hash
is attached to the message and is forwarded to the remote end, and it acts like a
signature. At the remote end, the encrypted hash is decrypted using the public key
of the local end. If the decrypted hash matches the recomputed hash, the signature
is genuine. (RSA is named after its inventors, Rivest, Shamir, and Adleman.)
 RSA-encrypted nonces: A nonce is a random number that is generated by the peer.
RSA-encrypted nonces use RSA to encrypt the nonce value and other values. This
method requires that each peer is aware of the public key of the other peer before
negotiation starts.
 ECDSA signatures: The ECDSA is the elliptic curve analog of the Digital
Signature Algorithm (DSA) signature method. ECDSA signatures are smaller than
RSA signatures of similar cryptographic strength. ECDSA operations can be
computed more quickly than similar-strength RSA operations.
2.12 IKE
IPsec uses the IKE protocol to negotiate and establish secured site-to-site or remote-
access VPN tunnels. IKE is a framework provided by the Internet Security
Association and Key Management Protocol (ISAKMP) and parts of two other key
management protocols, namely Oakley and Secure Key Exchange Mechanism
(SKEME). An IPsec peer accepting incoming IKE requests listens on UDP port 500.

IKE uses ISAKMP for Phase 1 and Phase 2 of key negotiation. Phase 1 negotiates a
security association (a key) between two IKE peers. The key negotiated in Phase 1
enables IKE peers to communicate securely in Phase 2. During Phase 2 negotiation,
IKE establishes keys (security associations) for other applications, such as IPsec. [10]

There are two versions of the IKE protocol: IKE version 1 (IKEv1) and IKE version 2
(IKEv2). IKEv2 was created to overcome some of the limitations of IKEv1. IKEv2
enhances the function of performing dynamic key exchange and peer authentication. It
also simplifies the key exchange flows and introduces measures to fix vulnerabilities
present in IKEv1. Both IKEv1 and IKEv2 protocols operate in two phases. IKEv2
provides a simpler and more efficient exchange.

2.12.1 IKEv1 Phase 1
IKEv1 Phase 1 occurs in one of two modes: main mode and aggressive mode. Main
mode has three two-way exchanges between the initiator and receiver. These
exchanges define what encryption and authentication protocols are acceptable, how
long keys should remain active, and whether Perfect Forward Secrecy (PFS) should be
enforced. Figure 2.8 summarizes these three two-way exchanges.

The first step in IKEv1 main mode is to negotiate the security policy that will be used
for the ISAKMP SA. There are five parameters, which require agreement from both
sides:

 Encryption algorithm.
 Hash algorithm.
 Diffie-Hellman group number.
 Peer authentication method.
 SA lifetime.

Figure 2.8 : IKEv1 Phase 1 Main Mode

2.12.2 IKEv1 Phase 2
The purpose of IKE Phase 2 is to negotiate the IPsec security parameters that define
the IPsec SA that protects the network data traversing the VPN. IKE Phase 2 only
offers one mode, called quick mode, to negotiate the IPsec SAs. In Phase 2, IKE
negotiates the IPsec transform set and the shared keying material that is used by the
transforms. In this phase, the SAs that IPsec uses are unidirectional; therefore, a
separate key exchange is required for each data flow. Optionally, Phase 2 can include
its own Diffie-Hellman key exchange, using PFS. Figure 2.9 illustrates the IKE Phase
2 exchange [10].
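The Phase 1 parameters listed above (encryption, hash, DH group, authentication method, lifetime) and the Phase 2 keying material can be followed in the script below, an added example written for section 2.12 rather than code from the thesis or from any IKE implementation. It reproduces the RFC 2409 main-mode derivations for pre-shared-key authentication (SKEYID from the PSK and both nonces, then SKEYID_d, SKEYID_a and SKEYID_e, and the HASH_I/HASH_R values each peer must present) and the quick-mode KEYMAT expansion without PFS, with HMAC-SHA1 as the prf. The Diffie-Hellman group, the PSK, the peer identities, the SA proposal bytes and the SPI are constructed placeholders; the 127-bit toy prime only keeps the example self-contained and is not an IKE group.

```python
"""IKEv1 main-mode key derivation with PSK authentication, then quick-mode KEYMAT.

Added example for section 2.12, not code from the thesis or from any IKE
implementation. Derivation formulas follow RFC 2409 with HMAC-SHA1 as the prf.
The DH group below is a constructed toy group, not an IKE group.
"""
import hashlib
import hmac
import os

P = (1 << 127) - 1   # constructed toy prime, far too small for real DH; never use in practice
G = 3
KE_LEN = 16          # byte length of public values and g^xy for this toy group


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated hash algorithm used as a keyed PRF (HMAC-SHA1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


class IkePeer:
    """One IKE endpoint: its PSK, identity, ISAKMP cookie, DH key pair and nonce."""

    def __init__(self, psk: bytes, identity: bytes):
        self.psk = psk
        self.identity = identity                                     # IDii_b / IDir_b payload body
        self.cookie = os.urandom(8)                                  # CKY-I / CKY-R
        self.private = int.from_bytes(os.urandom(16), "big") % (P - 2) + 2
        self.public = pow(G, self.private, P)                        # sent in the second exchange
        self.nonce = os.urandom(16)                                  # Ni_b / Nr_b

    def shared_secret(self, peer_public: int) -> bytes:
        return pow(peer_public, self.private, P).to_bytes(KE_LEN, "big")   # g^xy, never sent


def derive_skeyid(psk, ni, nr, gxy, cky_i, cky_r):
    """RFC 2409 section 5 key derivation for pre-shared-key authentication."""
    skeyid = prf(psk, ni + nr)                                        # SKEYID = prf(PSK, Ni_b | Nr_b)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")            # seeds IPsec SA keys
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # authenticates IKE messages
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # encrypts IKE messages
    return skeyid, skeyid_d, skeyid_a, skeyid_e


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idir_b):
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


def main_mode(initiator, responder, sa_proposal):
    """Three two-way exchanges: SA proposal, KE + nonce, then ID + HASH. Returns acceptance and keys."""
    gxi = initiator.public.to_bytes(KE_LEN, "big")
    gxr = responder.public.to_bytes(KE_LEN, "big")
    ni, nr = initiator.nonce, responder.nonce
    cky_i, cky_r = initiator.cookie, responder.cookie
    # Each side derives the key set locally from its own PSK and its own DH computation.
    ini_keys = derive_skeyid(initiator.psk, ni, nr, initiator.shared_secret(responder.public), cky_i, cky_r)
    res_keys = derive_skeyid(responder.psk, ni, nr, responder.shared_secret(initiator.public), cky_i, cky_r)
    # Third exchange: each side sends its HASH; the other recomputes it with its own SKEYID.
    ini_sent = hash_i(ini_keys[0], gxi, gxr, cky_i, cky_r, sa_proposal, initiator.identity)
    res_sent = hash_r(res_keys[0], gxi, gxr, cky_i, cky_r, sa_proposal, responder.identity)
    responder_accepts = hmac.compare_digest(
        ini_sent, hash_i(res_keys[0], gxi, gxr, cky_i, cky_r, sa_proposal, initiator.identity))
    initiator_accepts = hmac.compare_digest(
        res_sent, hash_r(ini_keys[0], gxi, gxr, cky_i, cky_r, sa_proposal, responder.identity))
    return initiator_accepts, responder_accepts, ini_keys, res_keys


def quick_mode_keymat(skeyid_d, protocol, spi, ni2, nr2, length):
    """Quick mode without PFS: K1 = prf(SKEYID_d, protocol | SPI | Ni2_b | Nr2_b), K2 = prf(SKEYID_d, K1 | ...)."""
    ctx = bytes([protocol]) + spi + ni2 + nr2
    k = prf(skeyid_d, ctx)
    out = k
    while len(out) < length:
        k = prf(skeyid_d, k + ctx)
        out += k
    return out[:length]


def demo() -> dict:
    psk = b"constructed-demo-psk"                        # constructed; a real PSK should be long and random
    sa_proposal = b"AES-256|SHA1|group14|PSK|86400s"    # constructed stand-in for the SA payload body
    branch_a, branch_b = IkePeer(psk, b"branch-a"), IkePeer(psk, b"branch-b")
    ok_i, ok_r, ini_keys, res_keys = main_mode(branch_a, branch_b, sa_proposal)
    impostor = IkePeer(b"guessed-psk", b"branch-b")     # wrong PSK: cannot produce a valid HASH_R
    bad_i, bad_r, _, _ = main_mode(branch_a, impostor, sa_proposal)
    ni2, nr2 = os.urandom(16), os.urandom(16)           # fresh quick-mode nonces
    esp_spi = b"\x00\x00\x10\x00"                       # constructed SPI; ESP is protocol id 3 in KEYMAT
    keymat = quick_mode_keymat(ini_keys[1], 3, esp_spi, ni2, nr2, 32 + 20)  # AES-256 key + HMAC-SHA1 key
    return {
        "mutual_auth": ok_i and ok_r,
        "keys_match": ini_keys == res_keys,
        "wrong_psk_accepted": bad_i or bad_r,
        "keymat_len": len(keymat),
        "keymat_matches_peer": keymat == quick_mode_keymat(res_keys[1], 3, esp_spi, ni2, nr2, 52),
    }


if __name__ == "__main__":
    print(demo())
```

The wrong-PSK run shows the authentication property the text describes: a peer that does not know the secret derives a different SKEYID, so the HASH it sends never matches and neither side accepts the exchange, even though the DH public values and nonces were exchanged in the clear.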

Figure 2.9 : IKEv1 Phase 2

2.13 Benefits of VPN
One of the most compelling advantages of VPN is the cost reduction. While VPN
offers cost saving facilities, it also yields other advantages such as reduced training
requirements and equipment, increased flexibility and functional scalability.

Another important benefit of VPN is improved connectivity. MoJ can enjoy higher
levels of connectivity through the Internet Service Provider arm, which are made
possible through IP, Frame Relay or ATM infrastructure, often in conjunction with the
internet. Above all, VPNs enable the delivery of broadband services that are capable
of delivering emerging multimedia applications.

VPNs include comprehensive security policies that are another valuable commodity to
organizations. With VPN, MoJ can be confident that their data remains private and
that the transmissions are secure. The ability to prioritize traffic over a VPN ensures
that the necessary bandwidth is available to mission critical applications when
required [2].

Chapter Three: Related Studies

3.1 Literature review

The authors of [11] attempt to provide a common-sense definition of a VPN and an
overview of different approaches to building them. They conclude that while a VPN
can take many forms, there are some basic common problems that a VPN is built to
solve, which can be listed as virtualization of services and segregation of
communications to a closed community of interest, while simultaneously exploiting
the financial opportunity of economies of scale of the underlying common host
communications system.

The authors of [12] study the efficiency of time-related features to address the
challenging problem of characterizing encrypted traffic and detecting VPN
traffic. They propose a set of time-related features and two common machine learning
algorithms, C4.5 and KNN, as classification techniques. Their results show that the
proposed set of time-related features are good classifiers, achieving accuracy levels
above 80%. C4.5 and KNN had similar performance in all experiments, although
C4.5 achieved better results. Of the two scenarios proposed, characterization in
two steps (scenario A) versus characterization in one step (scenario B), the first
generated better results. In addition to their main objective, they also found that their
classifiers perform better when the flows are generated using shorter timeout values,
which contradicts the common assumption of using 600 s as the timeout duration. As
future work they plan to expand their work to other applications and types of encrypted
traffic, and to further study the application of time-based features to characterize
encrypted traffic.

Traffic classification for encapsulated protocols (e.g., using a proxy server or VPN
tunnels), which are mainly used to hide the identities of users for privacy reasons,
is challenging and hence not widely explored in the literature. However, recently,
Heywood et al. in [13] proposed a data-driven classifier to identify traffic coming
from clients behind a proxy server using traffic flow information.

The authors of [9] deal with a site-to-site IPsec-VPN that connects the
company intranets. The IPsec-VPN network is implemented with security protocols for
key management and exchange, authentication and integrity using the GNS3 network
simulator. Testing and verification by analyzing data packets is done using both the
PING tool and Wireshark to ensure the encryption of data packets during data
exchange between different sites belonging to the same company. Testing shows
the successful verification of the IPsec security strategy and of data packet processing
under the security protocols.

The authors of [1] build a private network that provides quality and
security in accessing the Internet. The entire set of systems was built in a virtual and
simulated manner, using the GNS3 network simulator software and a virtual
Cisco ASA Firewall. The result shows that VPN network connectivity is strongly
influenced by the hardware used as well as by the Internet bandwidth provided by the
Internet Service Provider (ISP). In addition, the security testing result shows that an
IPsec-based VPN can provide security against Man in the Middle (MitM) attacks.
However, the VPN still has weaknesses against network attacks such as Denial of
Service (DoS), which causes the VPN server to crash and stop serving VPN clients.

The authors of [2] simulate the scalability of VPN
connectivity over insecure channels using Packet Tracer. The simulation results,
though limited in scope, prove the viability of employing VPN technology. The
need to address security concerns for organizations is well met by VPN
implementations. This research employed the case study approach, where the Ministry of
Justice in Namibia was the main focal point of attention; therefore, the scope of the
research was limited to that domain.

The authors of [3] compare the VPN security protocols, presenting their
advantages and drawbacks. They then present a new solution to secure voice over
IPsec VPNs while guaranteeing performance and quality of service, without
reducing the effective bandwidth. They use the AVISPA model to analyze the security
vulnerabilities of the messages exchanged to initiate a session and establish the VPN. Within the
paper, different VPN solutions are presented that solve the security aspects and trust
the communication between user and private network over the Internet. Moreover, they
define the implemented security mechanisms for real-time traffic. Some of these
security mechanisms leave the end-to-end communication unsecured. IPsec VPNs are
the best solution for real-time traffic in terms of security, but the solution that provides the
best security may not provide the best performance and may affect QoS such as latency,
jitter, packet loss and synchronization. For example, IPsec provides different
security protocols, introducing more complexity and resource usage. They propose a
new VoIP over VPN security solution that adopts the IPsec tunneling protocol in
combination with cRTP and IPHC compression technologies and uses SIP to
exchange IPsec parameters. This solution provides security for voice traffic and
guarantees performance and quality of service, without reducing the effective
bandwidth. They use the AVISPA model to analyze the security vulnerabilities of exchanging
IKEv2 parameters in SIP messages for initiating the session and establishing the VPN
tunnel.

The work in [14] contributes to the development of an IPsec policy
management system in two aspects. First, the authors define a high-level security
requirement, which not only is an essential component to automate the policy
specification process of transforming security requirements into specific IPsec
policies, but can also be used as a criterion to detect conflicts among IPsec policies, i.e.,
policies are correct only if they satisfy all requirements. Second, they develop
mechanisms to detect and resolve conflicts among IPsec policies in both intra-domain
and inter-domain environments. Basically, they study and analyze
potential conflicts caused by various interactions among policies, which are hard to
resolve at one level. They clearly define security policies at two levels: requirement-
level security policy and implementation-level security policy. The correctness of
implementation-level security policies can be verified by checking satisfaction of
requirement-level security policies, which can be done automatically using their
conflict detection algorithm. When conflicts are detected, a resolution is demanded.
They develop an optimization model to abstract this problem, in which a
policy set is found that optimizes the overall satisfaction.

The paper [15] reports the design of an IP Secure Virtual Private Network
(VPN) for remote access. The Cisco Packet Tracer platform is used for simulation,
analysis and verification. A VPN connects remote sites and users together
using a public network, such as the Internet. It uses virtual connections to route the data
packets from a private network to remote sites or remote access users. It creates a
tunnel between the end users to ensure the security of data being transmitted over the
Internet. Smart gadgets can be securely connected with peripherals/users on the
Internet as if they were part of the same private network. In order to avoid security
attacks, a VPN needs to be secured so as to prevent user data loss. The present work
reports a solution by introducing a sample remote access VPN network simulation
on Cisco Packet Tracer. This is a promising solution in terms of authenticity and
integrity of the data. Many such sites can be remotely accessed without any capacity
crunch, as a VPN is private communication over public infrastructure (the Internet). It will
also reduce delay, jitter and drops.

The paper [16] evaluates the data communication efficiency for
continuous data streaming and different scenarios in a wireless environment using a
VPN solution. The results of the research are considered a base for the
implementation of new solutions in the field of data streaming using heterogeneous
communication media and technologies. When a wireless environment is used
instead of an Ethernet solution for sending video streaming data packets, approximately
34.89% of the packets sent are lost, and when a VPN is used for video
streaming, a further 2.9% of the packets sent are lost. The biggest WLANs have about
100 nodes; a way to extend them is by using VPN tunneling. With
WiMAX and LTE technologies, VPN video data transmission speeds will increase,
including both "best-effort" and priority-based QoS scalable solutions. Considering
that only 2.09% of the packet size is lost through VPN encapsulation, this is a price worth
paying for a secure connection between two work points. They conclude that they
achieved better speeds in a WLAN-WLAN video streaming scenario when they used the
PPTP tunneling protocol, under the given conditions, compared to the L2TP and IPsec VPN
tunneling protocols.

The paper [17] presents the issues of VPN technologies in communication, especially
the three important VPN technologies, Trusted VPNs, Secure VPNs and
Hybrid VPNs, with their requirements, techniques and support from VPNC
standards and performance. This research shows that VPN can be a solution to reduce
network complexity, reduce network operational cost and access the remote
network via the global Internet or an intranet with the support of VPN technologies in
communication along with VPNC support, where IPsec is the most dominant
protocol for secure VPNs. SSL gateways for remote-access users are also popular for
secure VPNs. L2TP running under IPsec has a much smaller but significant
deployment. For trusted VPNs, the market is split between the two MPLS-based protocols.
Companies that want to do their own routing tend to use layer 2 VPNs; companies that
want to outsource their routing tend to use layer 3 VPNs. VPNC does not create
standards; instead, it strongly supports current and future IETF standards. The cost
savings from the use of public infrastructures could not be realized if not for the
security provided by VPNs. Encryption and authentication protocols keep corporate
information private on public networks. With VPN technologies, new users can be
easily added to the network. Corporate network availability can be scaled quickly with
minimal cost. A single VPN implementation can provide secure communications for a
variety of applications on diverse operating systems.

In [18], VPNs are categorized as Secure or Trusted VPNs,
Client-based or Web-based VPNs, Customer Edge-based or Provider Edge-based
VPNs, or Outsourced or In-house VPNs. These categories often overlap each other. In
order to decide what VPN solutions to choose for different parts of the enterprise
infrastructure, the chosen solution should be the one that best meets the requirements
of the enterprise. The purpose of the paper is to serve as a basis when creating an
enterprise WAN which connects sites and users together using VPN technology. The
purpose of creating such a WAN is to allow the resources of a company. The paper
proposes a remote access VPN formula that depends on remote access
connection requirements (access, security, protocol support, and cost) and remote
access VPN solutions (client-based VPNs and web-based VPNs). It also
proposes a site-to-site VPN formula that depends on site-to-site connection
requirements (QoS, topology, security, and protocol support) and site-to-site VPN
solutions (secure VPNs, trusted VPNs, and hybrid VPNs). The paper thus proposes
the proper VPN solution to serve as a basis when creating an
enterprise WAN which connects sites and users together using VPN technology, but it
is not practical to implement this proposal on the real Internet.

The authors of [19] examine and empirically evaluate the remote access VPN protocols,
namely Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol over
Internet Protocol Security (L2TP/IPsec), and Secure Socket Layer (SSL). They explore the
impact of these protocols on end-to-end user application performance using metrics such
as throughput, RTT, jitter, and packet loss. All experiments were conducted using a
Windows XP SP2 host (VPN client) connected to a Windows Server 2003 host (VPN server)
and to a Fedora Core 6 host (VPN server). This work should be expanded to include
performance evaluation of the remote access VPN protocols on other software and
hardware VPN servers.

Chapter Four: Research Methodology

4.1 Network tool

EVE-NG (Emulated Virtual Environment - Next Generation) is a tool similar to GNS3. It
allows enterprises, e-learning providers/centers, individuals and group collaborators to
create virtual proofs of concept, solutions and training environments, and provides
network admins with ways to simulate routers, switches, firewalls, and numerous other
virtual appliances. You can create a network lab with devices from Cisco, Juniper,
Citrix, Arista, A10, Alcatel, Check Point, F5, Palo Alto, pfSense, SonicWall, Trend
Micro TippingPoint vTPS, and many more. If a network vendor has a virtual appliance, it
can more than likely run in an EVE-NG environment. You can even add Linux and Windows
server images, which supports a large network/security/system migration or upgrade.

4.1.1 Why choose EVE-NG

• Learning

With EVE, you can train yourself on Cisco, Juniper and many other vendors such as
Check Point, Palo Alto, F5 and more.

• Design

With EVE, you can construct the network according to the requirements and plan the
right design to validate a solution.

• Efficiency

With EVE, you can easily and quickly reproduce and improve your real architecture in a
safe environment, without the risk of touching your real network.

• Flexibility

With EVE, you can confirm multivendor interaction; this flexibility means freedom of
choice in key decisions.

4.1.2 Some features:

• Topology designer "click and play".
• Import/export configuration.
• Picture import and maps "click and play".
• Memory optimization (UKSM).
• CPU watchdog.
• Full HTML5 user interface.
• Ability to use without additional tools.
• Multiple users.
• Interaction with real networks fully supported.
• Simultaneous lab instances.

4.2 Network model

Figure 4.1: Network model

4.3 Background / Scenario

The network topology shows two routers. Your task is to configure Tripoli_Router and
Misrata_Router to support a site-to-site IPsec VPN when traffic flows between their
respective LANs. The IPsec VPN tunnel runs from Tripoli_Router to Misrata_Router via the
cloud; the cloud acts as a pass-through and has no knowledge of the VPN. IPsec provides
secure transmission of sensitive information over unprotected networks, such as the
Internet. IPsec operates at the network layer and protects and authenticates IP packets
between participating IPsec devices (peers), such as Cisco routers.

4.4 Objectives

Verify connectivity throughout the network.

Configure Tripoli_Router to support a site-to-site IPsec VPN with Misrata_Router.

4.5 Addressing Table

Device           Interface   IP Address     Subnet Mask      Default Gateway
Tripoli_Router   F0/0        192.168.1.1    255.255.255.0    N/A
Tripoli_Router   F0/1        192.168.2.2    255.255.255.0    N/A
Misrata_Router   F0/0        192.168.3.2    255.255.255.0    N/A
Misrata_Router   F0/1        192.168.4.1    255.255.255.0    N/A
VPC              NIC         192.168.0.2    255.255.255.0    192.168.1.1
VPC              NIC         192.168.0.2    255.255.255.0    192.168.4.1

Table 4.1: Addressing Table


4.6 Basic configuration

• Host name

A hostname helps to keep track of the router; if you are configuring multiple routers at
the same time, the unique name you have assigned to each device tells you which router
you are on at any given point.

• IP assignment

Internet Protocol (IP) is a set of rules designed for all devices that use the Internet
and controls how they share data over networks. All routers have unique IP addresses
because those addresses work as the ID numbers that make them known on the web.

• Enable password

enable password is a command, entered in global configuration mode, that sets a local
password to control access to the various privilege levels. The value it stores in the
configuration is not strongly protected; enable secret stores a hash of the password
instead.

• Console line

A console password is useful on a network on which multiple people have access to the
router. Persons who are not authorized cannot access the router; thus, it prevents
unauthorized persons from accessing the router.

• Vty line

The term "vty" stands for virtual teletype. A VTY is a virtual port used to get Telnet
or SSH access to the device. These connections are all virtual, with no hardware
associated with them.

• OSPF protocol

OSPF (Open Shortest Path First) is a routing protocol used to find the best path for
packets as they pass through a set of connected networks.

4.7 Installing configuration


4.7.1 Tripoli Router

• Host name

Router> enable
Router# config t
Router(config)# hostname Tripoli_Router
Router(config)# exit

• IP assignment

Tripoli_Router> enable
Tripoli_Router# config t
Tripoli_Router(config)# interface fastEthernet 0/0
Tripoli_Router(config-if)# ip address 192.168.1.1 255.255.255.0
Tripoli_Router(config-if)# no shutdown
Tripoli_Router(config-if)# exit
Tripoli_Router(config)# interface fastEthernet 0/1
Tripoli_Router(config-if)# ip address 192.168.2.2 255.255.255.0
Tripoli_Router(config-if)# no shutdown
Tripoli_Router(config-if)# exit

• Enable password

Tripoli_Router> enable
Tripoli_Router# config t
Tripoli_Router(config)# enable password it1999
Tripoli_Router(config)# exit

• Line console

Tripoli_Router> enable
Tripoli_Router# config t
Tripoli_Router(config)# line console 0
Tripoli_Router(config-line)# password Tripoli
Tripoli_Router(config-line)# login
Tripoli_Router(config-line)# exit
Tripoli_Router(config)# exit

• Line vty

Tripoli_Router> enable
Tripoli_Router# config t
Tripoli_Router(config)# line vty 0 15
Tripoli_Router(config-line)# password Libya
Tripoli_Router(config-line)# login
Tripoli_Router(config-line)# exit
Tripoli_Router(config)# exit

• OSPF protocol

Tripoli_Router> enable
Tripoli_Router# config t
Tripoli_Router(config)# router ospf 1
Tripoli_Router(config-router)# router-id 1.1.1.1
Tripoli_Router(config-router)# network 192.168.1.0 0.0.0.255 area 0
Tripoli_Router(config-router)# network 192.168.2.0 0.0.0.255 area 0
Tripoli_Router(config-router)# exit
Tripoli_Router(config)# exit

4.7.2 Misrata Router

• Host name

Router> enable
Router# config t
Router(config)# hostname Misrata_Router
Router(config)# exit

• IP assignment

Misrata_Router> enable
Misrata_Router# config t
Misrata_Router(config)# interface fastEthernet 0/1
Misrata_Router(config-if)# ip address 192.168.4.1 255.255.255.0
Misrata_Router(config-if)# no shutdown
Misrata_Router(config-if)# exit
Misrata_Router(config)# interface fastEthernet 0/0
Misrata_Router(config-if)# ip address 192.168.3.2 255.255.255.0
Misrata_Router(config-if)# no shutdown
Misrata_Router(config-if)# exit

• Line console

Misrata_Router> enable
Misrata_Router# config t
Misrata_Router(config)# line console 0
Misrata_Router(config-line)# password Misrata
Misrata_Router(config-line)# login
Misrata_Router(config-line)# exit
Misrata_Router(config)# exit

• Line vty

Misrata_Router> enable
Misrata_Router# config t
Misrata_Router(config)# line vty 0 15
Misrata_Router(config-line)# password Libya
Misrata_Router(config-line)# login
Misrata_Router(config-line)# exit
Misrata_Router(config)# exit

• OSPF protocol

Misrata_Router> enable
Misrata_Router# config t
Misrata_Router(config)# router ospf 1
Misrata_Router(config-router)# router-id 3.3.3.3
Misrata_Router(config-router)# network 192.168.3.0 0.0.0.255 area 0
Misrata_Router(config-router)# network 192.168.4.0 0.0.0.255 area 0
Misrata_Router(config-router)# exit
Misrata_Router(config)# exit

4.8 VPN configuration

Parameters                  Options                   Tripoli_Router   Misrata_Router
Key Distribution Method     Manual or ISAKMP          ISAKMP           ISAKMP
Encryption Algorithm        DES, 3DES, or AES         AES 256          AES 256
Hash Algorithm              MD5 or SHA-1              SHA-1            SHA-1
Authentication Method       Pre-shared keys or RSA    pre-share        pre-share
Key Exchange                DH Group 1, 2, or 5       DH 5             DH 5
IKE SA Lifetime             86400 seconds or less     3600             3600
ISAKMP Key                                            IT-Department    IT-Department

Table 4.2: ISAKMP Phase 1 Policy Parameters

Parameters                     Tripoli_Router                  Misrata_Router
Transform Set Name             vpn-set                         vpn-set
ESP Transform Encryption       esp-aes                         esp-aes
ESP Transform Authentication   esp-sha-hmac                    esp-sha-hmac
Peer IP Address                192.168.3.2                     192.168.2.2
Traffic to be Encrypted        access-list 110                 access-list 110
                               (source 192.168.1.0,            (source 192.168.4.0,
                               dest 192.168.4.0)               dest 192.168.1.0)
Crypto Map Name                vpn-map                         vpn-map
SA Establishment               ipsec-isakmp                    ipsec-isakmp

Table 4.3: IPsec Phase 2 Policy Parameters

4.8.1 Part 1: Configure IPsec Parameters on Tripoli_Router

4.8.1.1 Step 1: Identify interesting traffic on Tripoli_Router.

• Configure ACL 110 to identify the traffic from the LAN on Tripoli_Router to the LAN
on Misrata_Router as interesting. This interesting traffic triggers the IPsec VPN
whenever there is traffic between the Tripoli_Router and Misrata_Router LANs. All other
traffic sourced from the LANs will not be encrypted. Because of the implicit deny all,
there is no need to configure a deny ip any any statement.

Tripoli_Router> enable
Tripoli_Router# config t
Tripoli_Router(config)# access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
Tripoli_Router(config)# exit

• Before configuring Cisco IOS ISAKMP, ensure that existing ACLs on perimeter routers,
firewalls, or other devices do not block IPsec traffic. The following entries would be
added to the inbound ACL on the router to permit protocol ESP, protocol AH, and UDP
traffic (IKE) to get through to the VPN tunnel.

Tripoli_Router> enable
Tripoli_Router# config t
Tripoli_Router(config)# access-list 101 permit ahp host 192.168.2.2 host 192.168.3.2
Tripoli_Router(config)# access-list 101 permit esp host 192.168.2.2 host 192.168.3.2
Tripoli_Router(config)# access-list 101 permit udp host 192.168.2.2 host 192.168.3.2
Tripoli_Router(config)# exit
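As an added example (not part of the project's configuration), the following Python
model evaluates packets against the ACL 110 and ACL 101 entries of this step using IOS
wildcard-mask semantics and the implicit deny at the end of every ACL. The packets it
evaluates are constructed sample values; the ACL entries are the ones configured above.

```python
"""Model of how IOS matches packets against the ACL 110 / ACL 101 entries above.

Added example, not part of the project's configuration. The ACL entries are the
ones configured on Tripoli_Router in this step; the packets evaluated at the
bottom are constructed sample values. Only the fields an IOS extended ACL entry
of the form 'permit <proto> <src> <wildcard> <dst> <wildcard>' needs are modelled.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # IP protocol name as IOS spells it (tcp, udp, esp, ahp, icmp, ...)
    src: str
    dst: str


@dataclass(frozen=True)
class Entry:
    action: str      # "permit" or "deny"
    proto: str       # "ip" matches any IP protocol; "esp", "ahp", "udp", ... match one
    src: str         # address part of the source specification
    src_wild: str    # wildcard mask: a 1 bit means "ignore this bit"
    dst: str
    dst_wild: str


def host(addr: str) -> tuple[str, str]:
    """The IOS keyword 'host A' is shorthand for 'A 0.0.0.0' (every bit must match)."""
    return addr, "0.0.0.0"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when addr equals base on every bit that is 0 in the wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(acl: list[Entry], pkt: Packet) -> str:
    """Return the action of the first matching entry, top to bottom.

    Nothing matched means the implicit 'deny ip any any' at the end of every
    IOS ACL applies, which is why the chapter adds no explicit deny statement.
    """
    for entry in acl:
        if entry.proto not in ("ip", pkt.proto):
            continue
        if wildcard_match(pkt.src, entry.src, entry.src_wild) and \
                wildcard_match(pkt.dst, entry.dst, entry.dst_wild):
            return entry.action
    return "deny"


# ACL 110 on Tripoli_Router: the crypto map encrypts exactly what this permits.
ACL_110 = [Entry("permit", "ip", "192.168.1.0", "0.0.0.255",
                 "192.168.4.0", "0.0.0.255")]

# ACL 101 on Tripoli_Router: AH, ESP and UDP between the two peer addresses.
ACL_101 = [
    Entry("permit", "ahp", *host("192.168.2.2"), *host("192.168.3.2")),
    Entry("permit", "esp", *host("192.168.2.2"), *host("192.168.3.2")),
    Entry("permit", "udp", *host("192.168.2.2"), *host("192.168.3.2")),
]


def classify(pkt: Packet) -> str:
    """'encrypt' when ACL 110 selects the packet as interesting, else 'clear'."""
    return "encrypt" if evaluate(ACL_110, pkt) == "permit" else "clear"


if __name__ == "__main__":
    # Constructed sample packets as seen by Tripoli_Router.
    samples = [
        Packet("tcp", "192.168.1.10", "192.168.4.20"),   # LAN to LAN: interesting
        Packet("tcp", "192.168.1.10", "192.168.3.2"),    # LAN to peer WAN address: not interesting
        Packet("icmp", "192.168.4.20", "192.168.1.10"),  # reverse direction: Misrata's ACL, not this one
    ]
    for p in samples:
        print(f"{p.proto:4} {p.src:>13} -> {p.dst:<13} {classify(p)}")
    # ACL 101 as written matches the outbound direction (source 192.168.2.2);
    # the peer's inbound IKE/ESP packets carry source 192.168.3.2.
    print("inbound ESP from peer:",
          evaluate(ACL_101, Packet("esp", "192.168.3.2", "192.168.2.2")))
```

Running the block shows that the reverse direction is not matched on Tripoli_Router,
which is why Misrata_Router receives the mirrored ACL 110 in Part 2. It also makes two
things about ACL 101 visible: its entries carry source 192.168.2.2, so applied inbound
on Tripoli_Router they would not match the peer's packets, which arrive with source
192.168.3.2; and this chapter never binds ACL 101 to an interface with ip access-group,
so it has no effect on the lab as configured. The udp entry admits all UDP between the
peers, whereas IKE itself needs only UDP port 500 (and 4500 when NAT traversal is used).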

4.8.1.2 Step 2: Configure the IKE Phase 1 ISAKMP policy on Tripoli_Router.

Configure the crypto ISAKMP policy 10 properties on Tripoli_Router along with the
shared crypto key IT-Department. Refer to the ISAKMP Phase 1 table (Table 4.2) for the
specific parameters to configure. Default values do not have to be configured.
Therefore, only the encryption method, key exchange method, and DH group must be
configured; the lifetime is also set here because the table uses 3600 seconds rather
than the default.

Tripoli_Router> enable
Tripoli_Router# config t
Tripoli_Router(config)# crypto isakmp policy 10
Tripoli_Router(config-isakmp)# authentication pre-share
Tripoli_Router(config-isakmp)# encryption aes 256
Tripoli_Router(config-isakmp)# group 5
Tripoli_Router(config-isakmp)# hash sha
Tripoli_Router(config-isakmp)# lifetime 3600
Tripoli_Router(config-isakmp)# exit
Tripoli_Router(config)# crypto isakmp key IT-Department address 192.168.3.2
Tripoli_Router(config)# exit
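The following Python model, added here and not the project's own code, shows how the
Phase 1 policy just configured is matched against the peer's policy: values left unset
fall back to the IOS defaults (the DEFAULTS dictionary is an assumption listing the
documented defaults), the responder walks its policies in priority order, and the
shorter lifetime wins when the two differ. The mismatch case at the bottom is constructed.

```python
"""Model of IKEv1 Phase 1 policy matching between the two peers.

Added example, not the project's own code. IOS sends the initiator's policies
to the responder, which walks its own policies in priority order (lowest number
first) and accepts the first one whose encryption, hash, authentication method
and DH group all match a proposal; when the lifetimes differ, the shorter one
is used. Values not set under 'crypto isakmp policy' fall back to the IOS
defaults listed in DEFAULTS (assumption: the documented defaults), which is why
Table 4.2 can leave the SHA-1 hash at its default.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

DEFAULTS = {
    "encryption": "des",         # default cipher
    "hash": "sha",               # SHA-1, the value Table 4.2 relies on
    "authentication": "rsa-sig",
    "group": 1,                  # 768-bit Diffie-Hellman
    "lifetime": 86400,           # seconds
}


@dataclass(frozen=True)
class Policy:
    priority: int
    encryption: str
    hash: str
    authentication: str
    group: int
    lifetime: int


def policy(priority: int, **configured) -> Policy:
    """Build a policy the way IOS does: explicit settings override the defaults."""
    unknown = set(configured) - set(DEFAULTS)
    if unknown:
        raise ValueError(f"unknown policy attribute(s): {sorted(unknown)}")
    return Policy(priority, **{**DEFAULTS, **configured})


def negotiate(initiator: list[Policy],
              responder: list[Policy]) -> Optional[tuple[Policy, int]]:
    """Return (responder policy chosen, agreed lifetime), or None when Phase 1 fails."""
    for r in sorted(responder, key=lambda p: p.priority):
        for i in sorted(initiator, key=lambda p: p.priority):
            if (i.encryption, i.hash, i.authentication, i.group) == \
               (r.encryption, r.hash, r.authentication, r.group):
                return r, min(i.lifetime, r.lifetime)
    return None


# Policy 10 as configured on both routers in this chapter.
TRIPOLI = [policy(10, encryption="aes 256", authentication="pre-share",
                  group=5, lifetime=3600)]
MISRATA = [policy(10, encryption="aes 256", authentication="pre-share",
                  group=5, lifetime=3600)]


def check_lab() -> int:
    """Lifetime the lab peers agree on, raising if the policies do not match."""
    # Misrata_Router is the initiator in the captures of section 4.11.
    result = negotiate(MISRATA, TRIPOLI)
    if result is None:
        raise RuntimeError("no matching ISAKMP policy: Phase 1 would fail")
    return result[1]


if __name__ == "__main__":
    print("agreed lifetime:", check_lab())
    # Constructed mismatch: one peer sets hash md5 while the other keeps the default.
    print("hash mismatch:", negotiate(
        [policy(10, encryption="aes 256", hash="md5",
                authentication="pre-share", group=5)],
        TRIPOLI))
```

A pre-shared key that differs between the peers does not show up in this model: the
key is only checked in the encrypted fifth and sixth main-mode messages, so a key typo
surfaces under debug crypto isakmp as an authentication failure after the policy has
already matched.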

4.8.1.3 Step 3: Configure the IKE Phase 2 IPsec policy on Tripoli_Router.

a. Create the transform-set vpn-set to use esp-aes and esp-sha-hmac.

Tripoli_Router> enable
Tripoli_Router# config t
Tripoli_Router(config)# crypto ipsec transform-set vpn-set esp-aes esp-sha-hmac
Tripoli_Router(config)# exit

b. Create the crypto map vpn-map that binds all of the Phase 2 parameters together.
Use sequence number 10 and identify it as an ipsec-isakmp map.

Tripoli_Router> enable
Tripoli_Router# config t
Tripoli_Router(config)# crypto map vpn-map 10 ipsec-isakmp
Tripoli_Router(config-crypto-map)# match address 110
Tripoli_Router(config-crypto-map)# set peer 192.168.3.2
Tripoli_Router(config-crypto-map)# set transform-set vpn-set
Tripoli_Router(config-crypto-map)# set security-association lifetime seconds 3600
Tripoli_Router(config-crypto-map)# exit

4.8.1.4 Step 4: Configure the crypto map on the outgoing interface.

Bind the vpn-map crypto map to the outgoing fastEthernet 0/1 interface.

Tripoli_Router> enable
Tripoli_Router# config t
Tripoli_Router(config)# interface fastEthernet 0/1
Tripoli_Router(config-if)# crypto map vpn-map
Tripoli_Router(config-if)# exit

4.8.2 Part 2: Configure IPsec Parameters on Misrata_Router

4.8.2.1 Step 1: Configure Misrata_Router to support a site-to-site VPN with
Tripoli_Router.

• Configure the reciprocal parameters on Misrata_Router. Configure ACL 110 identifying
the traffic from the LAN on Misrata_Router to the LAN on Tripoli_Router as interesting.

Misrata_Router> enable
Misrata_Router# config t
Misrata_Router(config)# access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
Misrata_Router(config)# exit

• Before configuring Cisco IOS ISAKMP, ensure that existing ACLs on perimeter routers,
firewalls, or other devices do not block IPsec traffic. The following entries would be
added to the inbound ACL on the router to permit protocol ESP, protocol AH, and UDP
traffic (IKE) to get through to the VPN tunnel.

Misrata_Router> enable
Misrata_Router# config t
Misrata_Router(config)# access-list 101 permit ahp host 192.168.3.2 host 192.168.2.2
Misrata_Router(config)# access-list 101 permit esp host 192.168.3.2 host 192.168.2.2
Misrata_Router(config)# access-list 101 permit udp host 192.168.3.2 host 192.168.2.2
Misrata_Router(config)# exit

4.8.2.2 Step 2: Configure the IKE Phase 1 ISAKMP properties on Misrata_Router.

Configure the crypto ISAKMP policy 10 properties on Misrata_Router along with the
shared crypto key IT-Department.

Misrata_Router> enable
Misrata_Router# config t
Misrata_Router(config)# crypto isakmp policy 10
Misrata_Router(config-isakmp)# authentication pre-share
Misrata_Router(config-isakmp)# encryption aes 256
Misrata_Router(config-isakmp)# group 5
Misrata_Router(config-isakmp)# hash sha
Misrata_Router(config-isakmp)# lifetime 3600
Misrata_Router(config-isakmp)# exit
Misrata_Router(config)# crypto isakmp key IT-Department address 192.168.2.2
Misrata_Router(config)# exit

4.8.2.3 Step 3: Configure the IKE Phase 2 IPsec policy on Misrata_Router.

• Create the transform-set vpn-set to use esp-aes and esp-sha-hmac.

Misrata_Router> enable
Misrata_Router# config t
Misrata_Router(config)# crypto ipsec transform-set vpn-set esp-aes esp-sha-hmac
Misrata_Router(config)# exit

• Create the crypto map vpn-map that binds all of the Phase 2 parameters together.
Use sequence number 10 and identify it as an ipsec-isakmp map.

Misrata_Router> enable
Misrata_Router# config t
Misrata_Router(config)# crypto map vpn-map 10 ipsec-isakmp
Misrata_Router(config-crypto-map)# match address 110
Misrata_Router(config-crypto-map)# set peer 192.168.2.2
Misrata_Router(config-crypto-map)# set transform-set vpn-set
Misrata_Router(config-crypto-map)# set security-association lifetime seconds 3600
Misrata_Router(config-crypto-map)# exit

4.8.2.4 Step 4: Configure the crypto map on the outgoing interface.

Bind the vpn-map crypto map to the outgoing fastEthernet 0/0 interface.

Misrata_Router> enable
Misrata_Router# config t
Misrata_Router(config)# interface fastEthernet 0/0
Misrata_Router(config-if)# crypto map vpn-map
Misrata_Router(config-if)# exit

4.9 Part 3: Verify the IPsec VPN

We can use the Cisco commands presented in Table 4.4 to verify the VPN configuration.

Command                            Purpose
show crypto isakmp policy          Displays configured IKE policies
show crypto ipsec transform-set    Displays configured IPsec transform sets
show crypto isakmp sa              Displays established ISAKMP (IKE Phase 1) security associations
show crypto ipsec sa               Displays established IPsec tunnels
show crypto map                    Displays configured crypto maps
debug crypto isakmp                Debugs IKE events
debug crypto ipsec                 Debugs IPsec events

Table 4.4: Verification commands

4.9.1 Show crypto isakmp policy

The show crypto isakmp policy command is useful because it reveals the complete ISAKMP
(IKE Phase 1) policies: it displays the Internet Key Exchange (IKE) parameters for the
Internet Security Association and Key Management Protocol (ISAKMP). The show crypto
isakmp commands are used to view ISAKMP settings, statistics and policies.

Tripoli_Router> enable
Tripoli_Router# show crypto isakmp policy

Figure 4.2: crypto isakmp policy command

4.9.2 Show crypto ipsec transform-set

We can use the show crypto ipsec transform-set command to show all the configured
transform sets, including the default transform set, and to display the current IPsec
configuration on the managed device. It also displays the transform sets that define a
specific encryption and authentication type.

Tripoli_Router> enable
Tripoli_Router# show crypto ipsec transform-set

Figure 4.3: crypto ipsec transform-set command

4.9.3 Show crypto map

To see all the configured crypto maps, use the show crypto map command. This command
verifies the configuration, shows the SA lifetime, and displays the configuration of
global, dynamic, and default crypto maps.

Tripoli_Router> enable
Tripoli_Router# show crypto map

Figure 4.4: crypto map command


4.9.4 Debug crypto isakmp

To display messages about Internet Key Exchange (IKE) events, use the debug crypto
isakmp command in EXEC mode. To disable debugging output, use the no form of this
command.

Tripoli_Router> enable
Tripoli_Router# debug crypto isakmp

Figure 4.5: crypto isakmp command

4.9.5 Debug crypto ipsec

To display IP Security (IPsec) events, use the debug crypto ipsec command in EXEC
mode. To disable debugging output, use the no form of this command.

Tripoli_Router> enable
Tripoli_Router# debug crypto ipsec

Figure 4.6: crypto ipsec command


4.9.6 Show crypto isakmp sa

This command displays the security associations for the Internet Security Association
and Key Management Protocol (ISAKMP).

Tripoli_Router> enable
Tripoli_Router# show crypto isakmp sa

Figure 4.7: crypto isakmp sa command

4.9.7 Show crypto ipsec sa

The show crypto ipsec sa command allows you to view the settings used by the current
security associations. If no keyword is used, all security associations are displayed.
They are sorted first by interface, and then by traffic flow (for example,
source/destination address, mask, protocol, port). Within a flow, the security
associations are listed by protocol (ESP/AH) and direction (inbound/outbound).

Tripoli_Router> enable
Tripoli_Router# show crypto ipsec sa

Figure 4.8: crypto ipsec sa command

4.10 Simulation Test

To test the network operation, two tools are used, ping and Wireshark. The tunnel
establishment is checked using the ping tool; Figure 4.9 shows the result of successful
connectivity between the client and the server.

Figure 4.9: Tunneling test using Ping

Wireshark is used to capture the packets or traffic flow between Site A and Site B.
Wireshark is the most often-used packet sniffer in the world; it listens to a network
connection in real time and then grabs entire streams of traffic, quite possibly tens
of thousands of packets at a time.

Figure 4.10: Captured traffic by Wireshark

Wireshark is used to capture the traffic between the routers in order to analyze the
network traffic and confirm that the security strategy works. Figure 4.11 shows the
capture of data traffic between router Tripoli and router Misrata, which presents the
ISAKMP process for negotiation, establishment and key management between the two
routers.

Figure 4.11: ISAKMP establishment process

4.11 IKE (Internet Key Exchange)

IKE (Internet Key Exchange) is one of the primary protocols for IPsec since it
establishes the security association between two peers.

4.11.1 IKE Phase 1

The main purpose of IKE phase 1 is to establish a secure tunnel that we can use for
IKE phase 2. IKEv1 main mode uses 6 messages. I will show you these in Wireshark
and explain the different fields.

• Packet 1

Figure 4.12: First packet


The initiator (the peer that wants to build the tunnel) sends the first message. This
is a proposal for the security association. Here the initiator uses IP address
192.168.3.2 and is sending a proposal to the responder (the peer we want to connect
to) at 192.168.2.2. IKE uses UDP port 500 for this. In the output above you can see an
initiator SPI (Security Parameter Index), a unique value that identifies this security
association. We can see the IKE version (1.0) and that we are using main mode. The
domain of interpretation is IPsec and this is the first proposal. In the transform
payload you can find the attributes that we want to use for this security association.

• Packet 2

Figure 4.13: Second packet

When the responder receives the first message from the initiator, it will reply. This
message is used to inform the initiator that it agrees upon the attributes in the
transform payload. You can also see that the responder has set its own SPI value.

• Packet 3

Figure 4.14: Third packet

Since our peers agree on the security association to use, the initiator will start the
Diffie-Hellman key exchange. In the output above you can see the payload for the key
exchange and the nonce.

• Packet 4

Figure 4.15: Fourth packet

The responder will also send its Diffie-Hellman key exchange payload and nonce to the
initiator; our two peers can now calculate the Diffie-Hellman shared key.

• Packet 5

Figure 4.16: Fifth packet


The last two messages are encrypted, so we can no longer see their contents. These two
are used for identification and authentication of each peer. The initiator starts.

• Packet 6

Figure 4.17: Sixth packet
And above we have the 6th message from the responder with its identification and
authentication information. IKEv1 main mode has now completed and we can
continue with IKE phase 2.

4.11.2 IKE Phase 2

The IKE phase 2 tunnel (IPsec tunnel) is the one actually used to protect user data.
There is only one mode to build the IKE phase 2 tunnel, which is called quick mode.

This negotiation happens within the protection of our IKE phase 1 tunnel, so we can't
see anything. Just for the sake of completeness, here's what it looks like in Wireshark:

• Packet 1

Figure 4.18: First packet

• Packet 2

Figure 4.19: Second packet

• Packet 3

Figure 4.20: Third packet

Once IKE phase 2 has completed, we are finally ready to protect some user data.
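Every message shown in the captures of 4.11.1 and 4.11.2 starts with the same fixed
ISAKMP header, and the header alone is enough to tell the phase, the mode and whether
the payloads behind it are readable. The following decoder is an added example, not
code from the project: the field layout is the ISAKMP header of RFC 2408, and the three
messages it decodes are constructed samples that mirror the captures (main-mode
message 1 in cleartext with the responder SPI still zero, main-mode message 5 with the
encryption flag set, and quick-mode message 1); their SPIs and bodies are filler bytes.

```python
"""Decode the fixed ISAKMP header that every IKEv1 message in these captures carries.

Added example, not from the project. Field layout follows the ISAKMP header
(RFC 2408 section 3.1): 8-byte initiator SPI ("cookie"), 8-byte responder SPI,
next payload, version, exchange type, flags, message ID and total length.
The three messages decoded at the bottom are constructed samples.
"""
import struct

ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")   # 28 bytes, network byte order

EXCHANGE_TYPES = {2: "Identity Protection (Main Mode)", 4: "Aggressive",
                  5: "Informational", 32: "Quick Mode"}
PAYLOAD_TYPES = {0: "NONE", 1: "Security Association", 4: "Key Exchange",
                 5: "Identification", 8: "Hash", 10: "Nonce"}
FLAG_ENCRYPTION = 0x01   # set on main-mode messages 5/6 and on all quick-mode messages


def parse_isakmp_header(data: bytes) -> dict:
    """Return the header fields of one ISAKMP message (the UDP payload on port 500)."""
    if len(data) < ISAKMP_HEADER.size:
        raise ValueError("truncated ISAKMP header")
    i_spi, r_spi, next_payload, version, exchange, flags, msg_id, length = \
        ISAKMP_HEADER.unpack_from(data)
    if length != len(data):
        raise ValueError(f"length field {length} does not match {len(data)} bytes")
    encrypted = bool(flags & FLAG_ENCRYPTION)
    if exchange == 2 and msg_id == 0:
        phase = "IKE Phase 1"          # main mode always runs with message ID 0
    elif exchange == 32 and msg_id != 0:
        phase = "IKE Phase 2"          # quick mode carries a non-zero message ID
    else:
        phase = "other"
    return {
        "initiator_spi": i_spi.hex(),
        "responder_spi": r_spi.hex(),
        "next_payload": PAYLOAD_TYPES.get(next_payload, f"type {next_payload}"),
        "version": f"{version >> 4}.{version & 0x0F}",   # high nibble major, low minor
        "exchange": EXCHANGE_TYPES.get(exchange, f"type {exchange}"),
        "encrypted": encrypted,
        "message_id": msg_id,
        "phase": phase,
        "payload_readable": not encrypted,   # what Wireshark can dissect past the header
    }


def build_message(i_spi, r_spi, next_payload, exchange, flags, msg_id, body):
    """Assemble a header plus opaque body; used only to construct the samples."""
    hdr = ISAKMP_HEADER.pack(i_spi, r_spi, next_payload, 0x10, exchange, flags,
                             msg_id, ISAKMP_HEADER.size + len(body))
    return hdr + body


# Constructed sample messages (SPIs and bodies are arbitrary filler bytes).
I_SPI = bytes.fromhex("0011223344556677")
R_SPI = bytes.fromhex("8899aabbccddeeff")
SAMPLES = {
    "MM1": build_message(I_SPI, bytes(8), 1, 2, 0x00, 0, b"\x00" * 40),
    "MM5": build_message(I_SPI, R_SPI, 5, 2, FLAG_ENCRYPTION, 0, b"\xaa" * 48),
    "QM1": build_message(I_SPI, R_SPI, 8, 32, FLAG_ENCRYPTION, 0x1A2B3C4D, b"\xbb" * 64),
}


def summarize(samples: dict) -> list:
    """One line per message: its phase, exchange, first payload and readability."""
    lines = []
    for name, raw in samples.items():
        h = parse_isakmp_header(raw)
        lines.append(f"{name}: {h['phase']}, {h['exchange']}, "
                     f"next payload {h['next_payload']}, "
                     f"{'encrypted' if h['encrypted'] else 'cleartext'}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLES)))
```

The same SPI pair identifies the Phase 1 SA across all six main-mode messages and is
reused by the quick-mode messages, which is how the packets of 4.11.1 and 4.11.2 can
be tied together in a capture even though only the first four carry readable payloads.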

Chapter Five: Conclusion

5.1 Conclusion

IPsec defines a standard set of protocols for securing internet connections, providing
for the authentication, confidentiality, and integrity of communications. It provides a
transparent end-to-end secure channel for upper-layer protocols, and implementations
do not require modifications to those protocols or to applications. While possessing
some drawbacks related to its complexity, it is a mature protocol suite that supports a
range of encryption and hashing algorithms and is highly scalable and interoperable.

Using IPsec to implement a VPN can guarantee high protection standards using useful
security features, IPsec also has its limitations and drawbacks, but this does not stop it
from becoming one of the best in securing end-to-end communications over the
internet.

This project addressed VPN technology, which is complicated to understand, deploy, and
maintain, and provided an overview of VPNs with IPsec as the VPN technology. In the
practical part I implemented the four-step process of IPsec VPN establishment, which
included IKE phase 1 and IKE phase 2. Looking at the IPsec security associations, I
applied the ESP protocol with the SHA-1 hashing and AES 256 encryption algorithms and
used PSK (pre-shared keys) as the authentication method, then finished by analyzing
the packets with Wireshark to show what is inside them; the result was that the
packets are encrypted over the tunnel. The evaluation results show the successful
verification of the IPsec security strategy and of data packet processing under the
security protocols.

5.2 Future work

Future work could include a comparison of AES 256 and 3DES, together with the SHA-1
hash algorithm, in a site-to-site VPN environment for cabled and wireless networks
using the OPNET or NS2 simulator.

REFERENCES
1. Kurniawan, D.E., et al. Implementation and analysis ipsec-vpn on cisco asa firewall using
gns3 network simulator. in Journal of Physics: Conference Series. 2019. IOP Publishing.
2. Gamundani, A.M., J.N. Nambili, and M. Bere, A VPN Security Solution for Connectivity over
Insecure Network Channels: A novel study. SSRG Int J Comput Sci Eng, 2014. 1: p. 1-8.
3. Diab, W.B., S. Tohme, and C. Bassil. VPN analysis and new perspective for securing voice over
VPN networks. in Fourth International Conference on Networking and Services (icns 2008).
2008. IEEE.
4. Tyson, J., How virtual private networks work. HowStuffWorks, 2001 (Jul. 12, 2005).
5. Scott, C., P. Wolfe, and M. Erwin, Virtual private networks. 1999: O'Reilly Media, Inc.
6. Elkeelany, O., et al. Performance analysis of IPSec protocol: encryption and authentication. in
2002 IEEE International Conference on Communications. Conference Proceedings. ICC 2002
(Cat. No. 02CH37333). 2002. IEEE.
7. Popa, R.A., et al. CryptDB: protecting confidentiality with encrypted query processing. in
Proceedings of the twenty-third ACM symposium on operating systems principles. 2011.
8. Sotirov, A., et al. MD5 considered harmful today, creating a rogue CA certificate. in 25th
Annual Chaos Communication Congress. 2008.
9. Salman, F.A., Implementation of IPsec-VPN tunneling using GNS3. Indonesian Journal of
Electrical Engineering and Computer Science, 2017. 7(3): p. 855-860.
10. Gargano, P., 31 Days Before Your CCNA Security Exam: A Day-by-day Review Guide for the
IINS 210-260 Certification Exam. 2016: Cisco Press.
11. Ferguson, P. and G. Huston, What is a VPN? 1998.
12. Draper-Gil, G., et al. Characterization of encrypted and vpn traffic using time-related. in
Proceedings of the 2nd international conference on information systems security and privacy
(ICISSP). 2016.
13. Aghaei-Foroushani, V. and A.N. Zincir-Heywood. A proxy identifier based on patterns in
traffic flows. in 2015 IEEE 16th International Symposium on High Assurance Systems
Engineering. 2015. IEEE.
14. Fu, Z., et al. IPSec/VPN security policy: Correctness, conflict detection, and resolution. in
International Workshop on Policies for Distributed Systems and Networks. 2001. Springer.
15. Deshmukh, D. and B. Iyer. Design of IPSec virtual private network for remote access. in 2017
International Conference on Computing, Communication and Automation (ICCCA). 2017.
IEEE.
16. Simion, D., et al., Efficiency Consideration for Data Packets Encryption within Wireless VPN
Tunneling for Video Streaming. International Journal of Computers Communications &
Control, 2012. 8(1): p. 136-145.
17. Rajamohan, D.P., Performance analysis and special issues of VPN technologies in
communication: Trusted vpns, secure vpns, and hybrid vpns. IIJCS, July, 2014.
18. Jaha, A.A., F.B. Shatwan, and M. Ashibani. Proper virtual private network (VPN) solution. in
2008 the second international conference on next generation mobile applications, services,
and technologies. 2008. IEEE.
19. Joha, A.A., F.B. Shatwan, and M. Ashibani. Performance evaluation for remote access VPN on
windows server 2003 and fedora core 6. in 2007 8th International Conference on
Telecommunications in Modern Satellite, Cable and Broadcasting Services. 2007. IEEE.
