8 Building VPN with IPSec - Examples and Solutions

Remote access is now an indisputable part of managing the network devices of any large local area network, especially given the need for prompt intervention by a network administrator when an unexpected situation arises, and the reduction in the total cost of such an intervention. The network administrator therefore has to be connected to the Internet in order to remotely monitor and reconfigure individual network elements.

In the past, the Telnet protocol was used for remote access to network elements for management purposes. However, it did not protect its own communication, so it was relatively easy to intercept and capture login information. As Internet access spread, a protocol was needed that would secure communication against potential attackers. Thus SSH (Secure Shell), which communicates over the TCP transport protocol on port 22 by default, provides secure authentication of both sides, ensures the integrity of their communication, transparent data encryption, and optionally lossless compression (more information can be found in RFC 4252).

The need of large companies to securely interconnect their branches gave rise to virtual private networks, intended to connect two or more network devices across the untrusted public Internet environment. Another reason was the price of the interconnection: with dedicated circuits, the costs would be incomparably higher. From the perspective of the OSI reference model, VPNs can generally be divided by the layer on which they operate. The most common VPN technologies are listed in the following table.

The most common technologies in VPNs

| VPN type | RM-OSI layer | Description |
|---|---|---|
| Frame Relay | link | Requires a homogeneous Frame Relay environment. Reliable and safer, but also more expensive compared to IP VPN. |
| ATM | link | Requires a homogeneous ATM environment. Like FR, it provides virtual channels with agreed parameters. |
| L2TP/PPTP | link | L2TP is a replacement for PPTP, which derives keys from the user's password (a potential weakness). PPTP uses MPPE (Microsoft Point-to-Point Encryption) for encryption, while L2TP uses IPsec. Defined by RFC 2637 and RFC 2661. |
| BGP/MPLS | link/network | Securely exchanges information between BGP (Border Gateway Protocol) border routers in backbone networks using MPLS tunnels. Defined by RFC 4364 and others. |
| IPSec | network | A security extension of the conventional IP protocol. Encrypting each packet creates a transparent secure transmission (a so-called tunnel). Defined by several RFC recommendations. |
| SSL/TLS | transport and higher | SSL (Secure Sockets Layer) is transparent to the technology used on the OSI network layer. The related TLS (Transport Layer Security) protocol is defined in RFC 5246. |

The most common way to connect branches is an IPSec VPN, in which an encrypted unidirectional (virtual) channel called a security association (SA) is established between the routers/firewalls located at the edge of each local area network.

For duplex (two-way) communication, two independent unidirectional SAs must be established.

IPSec is a mandatory component of IPv6 and has additionally been deployed for IPv4.

IPsec can operate in two modes: tunnel mode, in which the original IP packet is fully encapsulated into a new IP packet, and transport mode, in which the IPsec header is inserted between the original IP header and the upper-layer header. It secures traffic using two protocols, AH (Authentication Header) and ESP (Encapsulating Security Payload). Both protocols support either zero encryption (NULL), DES (Data Encryption Standard), 3DES (Triple DES), AES (Advanced Encryption Standard), or Blowfish. The IPsec protocol is defined in many RFC (Request For Comments) recommendations, but RFC 4301 is the most fundamental one. To ensure integrity, the HMAC algorithms HMAC-MD5 (Message-Digest 5) and HMAC-SHA-1 are used.
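The following added example (not code from the original text) shows the two modes and the SA concept concretely: it builds ESP packets with NULL encryption and HMAC-SHA1-96 integrity (the truncated HMAC of RFC 2404) in transport mode and in tunnel mode, and a receiver that verifies the ICV, matches the SPI of its inbound SA and rejects replayed sequence numbers. It assumes a simplified IPv4 header with a zero checksum, a constructed key, and a strictly increasing sequence number instead of a full anti-replay window.

```python
import hmac
import hashlib
import struct

ESP, TCP, IPV4 = 50, 6, 4   # protocol / next-header numbers: ESP, TCP, encapsulated IPv4
ICV_LEN = 12                # HMAC-SHA1-96: SHA-1 MAC truncated to 96 bits

def ipv4_header(src, dst, proto, payload_len):
    # Minimal constructed 20-byte IPv4 header; the checksum is left zero for brevity
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)

def esp_encapsulate(key, spi, seq, inner, next_hdr):
    # One unidirectional SA is identified by its SPI; seq grows per packet sent on it
    pad_len = (-(len(inner) + 2)) % 4          # pad so pad-length + next-header end 4-byte aligned
    body = (struct.pack("!II", spi, seq) + inner
            + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr]))
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]   # integrity over hdr+data+trailer
    return body + icv

def transport_mode(key, spi, seq, pkt):
    # Transport mode: keep the original IP header, insert ESP before the upper-layer header
    ip, ulp = pkt[:20], pkt[20:]
    esp = esp_encapsulate(key, spi, seq, ulp, ip[9])
    return ipv4_header(ip[12:16], ip[16:20], ESP, len(esp)) + esp

def tunnel_mode(key, spi, seq, pkt, gw_src, gw_dst):
    # Tunnel mode: the whole original packet becomes ESP data behind a new gateway-to-gateway header
    esp = esp_encapsulate(key, spi, seq, pkt, IPV4)
    return ipv4_header(gw_src, gw_dst, ESP, len(esp)) + esp

def esp_decapsulate(sa, pkt):
    """sa = {'key', 'spi', 'last_seq'} for the receiving direction (the peer's inbound SA).
    Returns (next_header, inner_bytes), or None when the packet must be dropped."""
    ip, esp = pkt[:20], pkt[20:]
    if ip[9] != ESP:
        return None
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expect = hmac.new(sa["key"], body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(expect, icv):
        return None                            # integrity check failed: drop before parsing further
    spi, seq = struct.unpack("!II", body[:8])
    if spi != sa["spi"] or seq <= sa["last_seq"]:
        return None                            # wrong SA, or replayed/out-of-order sequence number
    sa["last_seq"] = seq                       # simplified anti-replay: strictly increasing seq
    pad_len, next_hdr = body[-2], body[-1]
    return next_hdr, body[8:-(2 + pad_len)]
```

Because each SA is unidirectional, a real duplex link needs a second, independent SA state (different SPI and key) for the reverse direction.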