FreeS/WAN & VPN – Cory Petkovsek (presentation transcript)

1 FreeS/WAN & VPN (Cory Petkovsek, 4/26/2003)
● VPN: Virtual Private Network – a secure tunnel through untrusted networks.
● IP Security (IPSec): a standardized set of authentication and encryption services which are the base protocols for many VPN implementations.
● FreeS/WAN: an implementation of IPSec for Linux.

2 How Is It Used?
The most common applications for IPSec:
● Connecting remote networks over the internet – branch offices connecting to corporate headquarters
● Connecting a single host with an unknown IP – “road warriors”, e.g. a laptop user in a hotel across the country

3 Why IPSec?
Advantages:
● The most general way to secure network transmissions: higher-level security protects only one protocol, and lower-level security protects only one medium, point to point.
● Provides transparent, remote network access.
● Flexible for a variety of uses and applications.
Disadvantages:
● It is not secure if your system is not.
● Authenticates machines, not users.
● It does not replace higher-level security such as PGP.

4 Prerequisites
Admin prerequisites:
● Kernel compilation
● IP routing, subnetting
● Firewalling
System prerequisites:
● Fully functional network
● GMP library and development files
● Troubleshooting utilities: tcpdump, ping

5 TCP: Packet Structure
● Source Address
● Source Port
● Destination Address
● Destination Port
[Figure: a 32-bit-wide header diagram showing the Src Port, Dest Port, Src Addr and Dest Addr fields.]

6 IP Packet Structure

.-------+-------+---------------+-------------------------------.
|Version|  IHL  |Type of Service|         Total Length          |
|-------+-------+---------------+-------------------------------|
|        Identification         |Flags|     Fragment Offset     |
|---------------+---------------+-------------------------------|
|  Time to Live |    Protocol   |        Header Checksum        |
|---------------+---------------+-------------------------------|
|                        Source Address                         |
|---------------------------------------------------------------|
|                      Destination Address                      |
|---------------------------------------------------------------|
|                                                               |
|                            Payload                            |
|                                                               |
`---------------------------------------------------------------'

Protocol can be:
● TCP
● UDP
● AH
● ESP
● Others
The payload usually starts with a header from one of the above protocols, followed by application data.

7 IPSec Protocols
IPSec uses three protocols:
● AH (Authentication Header): packet-level authentication service
● ESP (Encapsulating Security Payload): encryption plus authentication
● IKE (Internet Key Exchange): negotiates connection parameters, including keys, for the other two

8 IPSec Initiation
General sequence of events:
● Phase one IKE (main mode exchange, UDP port 500) sets up a keying channel (ISAKMP SA) between the two gateways
● Phase two IKE (quick mode exchange, UDP port 500) sets up data channels: IPsec Security Associations (SAs)
● IPsec proper exchanges data using AH or ESP

9 FreeS/WAN Components
The FreeS/WAN implementation of IPSec consists of these components:
● KLIPS – compiled into the kernel or as modules; does most of the IPSec work.
● Pluto – a daemon which implements the IKE protocol.
● ipsec – a user-level command, the admin's interface for controlling the above two.
● ipsec.conf – configuration file.
● ipsec.secrets – file that stores RSA private keys and shared keys.

10 FreeS/WAN Components
KLIPS is KerneL IPsec Support, the modifications necessary to support IPsec within the Linux kernel. KLIPS does all the actual IPsec packet handling, including:
● encryption
● packet authentication calculations
● creation of ESP and AH headers for outgoing packets
● interpretation of those headers on incoming packets
KLIPS also checks all non-IPsec packets to ensure they are not bypassing IPsec security policies.
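As an added example (not part of the presentation and not FreeS/WAN code), the following Python script parses the IPv4 header drawn on slide 6, pulls the two TCP/UDP ports named on slide 5 out of the payload, and then applies the kind of policy check slide 10 attributes to KLIPS: a packet travelling between two subnets that policy says must be tunnelled has to carry AH or ESP, and a cleartext TCP packet between them is a policy bypass. The sample packets, the protected subnets 10.1.0.0/16 and 10.2.0.0/16 and the gateway addresses 192.0.2.1 and 198.51.100.1 are constructed for the example; the check is a user-space illustration of the idea, not the kernel's own logic.

```python
import ipaddress
import struct

# IP protocol numbers for the protocols named on slide 6 (IANA values; ESP is 50, AH is 51)
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words, as used for the Header Checksum field.
    Over a header whose checksum field is already filled in, a valid result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Parse the header fields drawn on slide 6; raise ValueError on a malformed header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl or total_len < ihl:
        raise ValueError("not a well-formed IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad header checksum")
    info = {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "ttl": ttl,
        "protocol": PROTOCOLS.get(proto, str(proto)),
        "payload": packet[ihl:total_len],
    }
    # For TCP and UDP the payload begins with the two ports from slide 5.
    if proto in (6, 17) and len(info["payload"]) >= 4:
        info["sport"], info["dport"] = struct.unpack("!HH", info["payload"][:4])
    return info


def build_ipv4(src: str, dst: str, proto: int, payload: bytes = b"", ttl: int = 64) -> bytes:
    """Build a minimal 20-byte IPv4 header with a correct checksum (only used to construct sample packets)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, ttl, proto, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]   # checksum sits at offset 10
    return hdr + payload


def policy_violation(pkt: dict, protected: list) -> bool:
    """True if a cleartext (non-AH/ESP) packet travels between two subnets that policy says must be
    tunnelled. `protected` holds (leftsubnet, rightsubnet) pairs as an ipsec.conf conn would name them.
    User-space illustration of the check slide 10 attributes to KLIPS, not KLIPS code."""
    if pkt["protocol"] in ("AH", "ESP"):
        return False
    s, d = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for left, right in protected:
        left, right = ipaddress.ip_network(left), ipaddress.ip_network(right)
        if (s in left and d in right) or (s in right and d in left):
            return True
    return False


def demo() -> dict:
    """Constructed traffic for an assumed net-to-net policy 10.1.0.0/16 <-> 10.2.0.0/16."""
    policy = [("10.1.0.0/16", "10.2.0.0/16")]
    cleartext = build_ipv4("10.1.0.5", "10.2.0.7", 6, b"\x9c\x40\x00\x16")   # TCP 40000 -> 22, no IPsec
    tunnelled = build_ipv4("192.0.2.1", "198.51.100.1", 50, b"\x00" * 8)     # ESP between the gateways
    return {
        "cleartext_bypasses_policy": policy_violation(parse_ipv4(cleartext), policy),
        "esp_bypasses_policy": policy_violation(parse_ipv4(tunnelled), policy),
        "cleartext_dport": parse_ipv4(cleartext)["dport"],
    }


if __name__ == "__main__":
    print(demo())
```

Running the script reports the cleartext TCP packet between the two protected subnets as a policy bypass and the ESP packet between the gateways as allowed; a header with a damaged checksum is rejected before any policy decision is made.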

11 FreeS/WAN Components
Pluto(8) is a daemon which implements the IKE protocol. Pluto:
● handles all the Phase one ISAKMP SAs
● performs host authentication and negotiates with other gateways
● creates IPsec SAs and passes the data required to run them to KLIPS
● adjusts routing and firewall setup to meet IPsec requirements
Pluto is controlled mainly by the ipsec.conf(5) configuration file.

12 FreeS/WAN Components
The ipsec(8) command is a front-end shell script that allows control over IPsec activity. Common commands include:
● ipsec setup restart (also stop/start)
● ipsec auto --status (shows the dormant and active tunnels)
● ipsec look (shows active routes)

13 FreeS/WAN Components
● /etc/ipsec.conf – configuration file for FreeS/WAN
● /etc/ipsec.secrets – file that stores shared secrets and RSA private keys
For details see the ipsec.conf(5) and ipsec.secrets(5) manual pages.
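An added example, not from the presentation or the FreeS/WAN project: a small Python parser for the ipsec.conf(5) layout described on slides 11 to 13 (a "config setup" section, a "conn %default" section whose parameters apply to every other conn, and one "conn NAME" section per tunnel, each with indented key=value lines), followed by a check that reports which conns come up at startup (auto=start) and which stay dormant until started by hand (auto=add), the same split "ipsec auto --status" shows. The configuration text, the conn names, the addresses and the 0sAQPLACEHOLDER key strings are constructed for the example; the "also=" include mechanism and the many other parameters of a real ipsec.conf are not handled.

```python
import re

# Constructed ipsec.conf text (illustrative only; documentation address ranges,
# and the 0sAQPLACEHOLDER strings stand in for real RSA public keys)
CONSTRUCTED_CONF = """\
# constructed example, not a real deployment
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none

conn %default
    keyingtries=0
    authby=rsasig

conn hq-to-branch
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    leftid=@hq.example.com
    leftrsasigkey=0sAQPLACEHOLDER
    right=198.51.100.1
    rightsubnet=10.2.0.0/16
    rightid=@branch.example.com
    rightrsasigkey=0sAQPLACEHOLDER
    auto=start

conn roadwarrior
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    leftrsasigkey=0sAQPLACEHOLDER
    right=%any
    auto=add

conn bad-roadwarrior
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    leftrsasigkey=0sAQPLACEHOLDER
    right=%any
    auto=start            # wrong: the gateway cannot initiate to an unknown peer
"""

SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")


def parse_ipsec_conf(text: str) -> dict:
    """Parse the ipsec.conf(5) layout: section headers at column 0, indented key=value lines below.
    Returns {"setup": {...}, "conns": {name: {...}}}; '#' starts a comment."""
    result = {"setup": {}, "conns": {}}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():                       # a section header
            m = SECTION_RE.match(line)
            if not m:
                raise ValueError("line %d: unexpected header %r" % (lineno, line))
            kind, name = m.groups()
            current = result["setup"] if kind == "config" else result["conns"].setdefault(name, {})
            continue
        if current is None or "=" not in line:
            raise ValueError("line %d: parameter outside a section" % lineno)
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value
    return result


def effective_conns(parsed: dict) -> dict:
    """Fold the 'conn %default' parameters into every other conn; explicit values win."""
    defaults = parsed["conns"].get("%default", {})
    return {name: {**defaults, **params}
            for name, params in parsed["conns"].items() if name != "%default"}


def check_conns(conns: dict) -> dict:
    """Per conn: whether it is active at startup or dormant, plus simple consistency problems."""
    findings = {}
    for name, p in conns.items():
        problems = []
        if p.get("auto") == "start" and p.get("right") == "%any":
            problems.append("auto=start cannot initiate to right=%any; use auto=add")
        if p.get("authby") == "rsasig":
            for side in ("left", "right"):
                if p.get(side) != "%any" and side + "rsasigkey" not in p:
                    problems.append(side + "rsasigkey missing for authby=rsasig")
        findings[name] = {"startup": "active" if p.get("auto") == "start" else "dormant",
                          "problems": problems}
    return findings


if __name__ == "__main__":
    for conn, result in check_conns(effective_conns(parse_ipsec_conf(CONSTRUCTED_CONF))).items():
        print(conn, result)
```

The parser keeps "conn %default" separate until effective_conns() merges it, so the consistency check sees the same parameter values pluto would (authby=rsasig inherited by every conn here), and the constructed bad-roadwarrior conn is reported because a conn whose peer is %any can only be added, not started.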

14 FreeS/WAN Links
● Official FreeS/WAN site: http://www.freeswan.org
● Online documentation: http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/index.html
● Super FreeS/WAN (a version with the latest user-supplied patches): http://www.freeswan.ca
● x509 patch: http://www.strongsec.com/freeswan/
● NAT Traversal patch: http://open-source.arkoon.net
● Other patches: http://www.freeswan.ca/patches/

15 FreeS/WAN Links
● Networking concepts: http://www.netfilter.org/documentation/HOWTO/networking-concepts-HOWTO.html
● Netfilter/firewalling information and tutorials: http://www.netfilter.org/documentation/index.html#HOWTO

