VPN (virtual private network). Building secure networks based on VPN. What is VPN on iPhone

VPN stands for Virtual Private Network: a private (logical) network carried over a shared public one.

In everyday terms, a VPN is an encrypted channel between your Internet-connected device and a VPN server, through which the device's traffic to the rest of the Internet is carried. A figurative comparison: without a VPN, your computer (laptop, phone, TV or any other device) sends its traffic across the network like a house without a fence; anyone on the path can, deliberately or by accident, look in or trample the garden. With a VPN, everything that leaves the device is wrapped in an encrypted tunnel as far as the VPN server, so observers on the path see only encrypted packets addressed to that server. Two things this does not do: it does not make the device itself impregnable, and the VPN provider sees the traffic once it leaves the tunnel.

How does it work?

The principle of VPN operation is simple and "transparent" for the end user. When the VPN client connects, a virtual "tunnel" is created between your device and the VPN server, and all of the device's traffic is routed through it; anyone between the two sees only encrypted packets. For you the VPN remains transparent and invisible. Your personal business correspondence, Skype or VoIP calls cannot be read or listened to on the path between your device and the VPN server. All your data is encrypted with modern ciphers that cannot be broken in practice without the key.

In addition to protection from eavesdropping, a VPN makes it possible to virtually "visit" any country in the world for a while and use that country's network resources, for example television channels that were previously unavailable. The sites you visit see the VPN server's IP address instead of yours. To do this, you simply select a country from the list offered, for example the Netherlands, and all sites and services you visit will automatically assume that you are in that country.

Why not an anonymizer or proxy?

The question arises: why not simply use an anonymizer or a proxy server, since they also hide the IP address? The answer is simple: these services change the address you appear to come from, but a plain HTTP or SOCKS proxy usually does not encrypt the link between you and the proxy, and it only covers the applications configured to use it; everything else you exchange on the Internet remains visible to anyone on the path. Working with proxy servers also requires a certain skill in making precise settings. A VPN operates on a "connect and play" principle: it captures all the device's traffic and requires no additional settings. The entire connection process takes a couple of minutes and is very simple.

About free VPNs

When choosing, remember that free VPNs almost always have restrictions on the amount of traffic and on data transfer speed. This means that a situation may arise in which you simply cannot continue to use a free VPN. Free VPNs are also not always stable and are often overloaded: even if your limit has not been exceeded, data transfer may be very slow because of the high load on the VPN server. Paid VPN services usually have much higher throughput, no restrictions on traffic or speed, and typically offer a higher level of security than free ones.

Where to begin?

Most VPN services offer a free trial for a short period, from several hours to several days. During the trial you usually get full access to all functionality of the VPN service.

The Internet is increasingly used as a means of communication between computers because it offers efficient and inexpensive communication. However, the Internet is a public network, and to ensure secure communication through it some mechanism is needed that provides at least:

    confidentiality of information;

    data integrity;

    availability of information;

These requirements are met by a mechanism called VPN (Virtual Private Network), a generalized name for technologies that allow one or more network connections (a logical network) to be provided over another network (for example, the Internet) using cryptography: encryption, authentication, public key infrastructure, and protection against replay and modification of messages transmitted over the logical network.

Creating a VPN does not require new physical links and makes it possible to stop using dedicated lines. Depending on the protocols used and the purpose, a VPN can provide three types of connection: host-to-host, host-to-network and network-to-network.

For clarity, let’s imagine the following example: an enterprise has several geographically distant branches and “mobile” employees working at home or on the road. It is necessary to unite all employees of the enterprise into a single network. The easiest way is to install modems in each branch and organize communications as needed. This solution, however, is not always convenient and profitable - sometimes constant communication and large bandwidth are needed. To do this, you will either have to lay a dedicated line between branches or rent them. Both are quite expensive. And here, as an alternative, when building a single secure network, you can use VPN connections of all branches of the company via the Internet and configure VPN tools on the network hosts.

Fig. 6.4. Site-to-site VPN connection

Fig. 6.5. Host-to-network VPN connection

In this case, many problems are solved - branches can be located anywhere around the world.

The danger here is that, firstly, an open network is open to attack by attackers all over the world. Secondly, all data is transmitted over the Internet in clear text, so anyone able to intercept traffic on the path obtains all the information transmitted over the network. And thirdly, data can not only be intercepted but also replaced in transit. An attacker could, for example, corrupt the integrity of databases by acting on behalf of clients of one of the trusted branches.

To prevent this, VPN solutions use encryption for confidentiality, message authentication (integrity checks) so that modified or replayed packets are detected, and authentication and authorization to verify user rights before granting access to the virtual private network.

A VPN connection always consists of a point-to-point channel, also known as a tunnel. The tunnel is created on an unprotected network, which most often is the Internet.

Tunneling, or encapsulation, is a method of transmitting useful information through an intermediate network. This information may be frames (or packets) of another protocol. With encapsulation, the frame is not transmitted as it was generated by the sending host, but is given an additional header containing routing information that allows the encapsulated packets to pass through the intermediate network (the Internet). At the end of the tunnel, the frames are de-encapsulated and delivered to the recipient. Typically, a tunnel is created by two edge devices placed at the entry points into the public network. One clear advantage of tunneling is that the entire original packet, including its header, can be encrypted; the header may contain information useful to an attacker (for example, internal IP addresses or the number of subnets).

Although a VPN tunnel is established between two points, each node can establish additional tunnels with other nodes. For example, when three remote stations need to contact the same office, three separate VPN tunnels will be created to that office. For all tunnels, the node on the office side can be the same. This is possible because a node can encrypt and decrypt data on behalf of the entire network, as shown in the figure:

Fig. 6.6. Creating VPN tunnels for multiple remote locations

The user establishes a connection to the VPN gateway, after which the user has access to the internal network.

Inside the private network, the VPN does not encrypt traffic. The reason is that this part of the network is considered secure and under direct control, as opposed to the Internet. The same applies when offices are connected via VPN gateways: only the information transmitted over the insecure channel between the offices is encrypted.

There are many different solutions for building virtual private networks. The most famous and widely used protocols are:

    PPTP (Point-to-Point Tunneling Protocol) – this protocol became popular because it was bundled with Microsoft operating systems. Its authentication (MS-CHAPv2) and encryption (MPPE) are now considered broken, so it should not be used where confidentiality matters.

    L2TP (Layer-2 Tunneling Protocol) – combines the L2F (Layer 2 Forwarding) protocol and the PPTP protocol. Typically used in conjunction with IPSec.

    IPSec (Internet Protocol Security) is an official Internet standard developed by the IETF (Internet Engineering Task Force) community.

The listed protocols are supported by D-Link devices.

The PPTP protocol is primarily intended for virtual private networks based on dial-up connections. The protocol allows for remote access, allowing users to establish dial-up connections with Internet providers and create a secure tunnel to their corporate networks. Unlike IPSec, PPTP was not originally intended to create tunnels between local networks. PPTP extends the capabilities of PPP, a data link protocol that was originally designed to encapsulate data and deliver it over point-to-point connections.

The PPTP protocol allows secure channels to be created for exchanging data over various protocols: IP, IPX, NetBEUI, etc. Data from these protocols is packaged in PPP frames and encapsulated by PPTP in IP packets. These are then carried (with the PPP payload encrypted) over any TCP/IP network. The receiving node extracts the PPP frames from the IP packets and processes them in the standard way, i.e. extracts the IP, IPX or NetBEUI packet from the PPP frame and sends it over the local network. Thus PPTP creates a point-to-point connection across the network and transmits data over the created channel. The main advantage of encapsulating protocols such as PPTP is their multi-protocol nature: data protection at the data link layer is transparent to network and application layer protocols. Therefore, within the tunnel, both IP (as in the case of IPsec-based VPN) and any other protocol can be carried.

Historically, because of its ease of implementation, PPTP was widely used both for remote access to corporate networks and by Internet providers, where the client had to establish a PPTP connection to the provider to gain Internet access. Today it survives mainly in legacy deployments.

The encryption method used in PPTP is negotiated at the PPP level. Typically the PPP client is a desktop computer running a Microsoft operating system, and the encryption protocol is Microsoft Point-to-Point Encryption (MPPE). MPPE is based on the RC4 stream cipher (from RSA Security) with 40-, 56- or 128-bit keys. For many applications this was long considered sufficient, although it was always regarded as weaker than the algorithms offered by IPsec, in particular 168-bit Triple DES (3DES). In practice MPPE's strength is bounded by MS-CHAPv2, from whose password-derived material the keys are taken: an MS-CHAPv2 exchange can be recovered by breaking a single DES key, so a captured PPTP session should be assumed recoverable regardless of the MPPE key length.

How is a PPTP connection established?

PPTP encapsulates PPP frames for transmission over an IP network. A PPTP client first opens a tunnel control connection to the server over TCP (port 1723); this connection keeps the tunnel alive and carries the service (control) messages that set up and tear down calls.

Alongside the control connection, a separate data path carries the tunneled traffic. Preparing a packet for the tunnel takes two steps. First, the PPP frame is built in the usual way: application data descends the stack to the data link layer, where PPP adds its header and trailer and, if MPPE has been negotiated, encrypts the PPP payload. Second, PPTP encapsulates the whole PPP frame in a GRE packet (IP protocol number 47). PPTP uses the enhanced GRE header (RFC 2637), which carries a call ID, a sequence number and optionally an acknowledgment number. GRE itself was designed to encapsulate network layer protocols such as IP or IPX for transmission over IP networks, but on its own provides neither session establishment nor any data security; that is why PPTP needs the separate control connection. Using GRE as the encapsulation method also restricts PPTP to IP networks.

An IP header is then added in front of the GRE packet, carrying the source and destination addresses of the tunnel endpoints (client and PPTP server). Finally, the IP packet is placed in the link-layer frame of the physical connection (PPP on a dial-up link, Ethernet on a LAN) and sent.

Fig. 6.7 shows the data structure for forwarding over a PPTP tunnel:

Fig. 6.7. Data structure for forwarding over a PPTP tunnel

Organizing a PPTP-based VPN does not require large expenses or complex settings: it is enough to install a PPTP server in the central office (PPTP solutions exist for both Windows and Linux) and apply the necessary settings. If several branches need to be joined, then instead of configuring PPTP on every client station it is better to use an Internet router or a firewall with PPTP support: settings are made only on the edge router (firewall) connected to the Internet, and everything is completely transparent to users. Examples of such devices are the multifunctional Internet routers of the DIR/DSR series and firewalls of the DFL series.

GRE-tunnels

Generic Routing Encapsulation (GRE) is a network packet encapsulation protocol that tunnels traffic through networks without encryption or authentication. Examples of GRE use:

    transmission of traffic (including broadcasting) through equipment that does not support a specific protocol;

    tunneling IPv6 traffic over an IPv4 network;

    data transfer through public networks as part of a secure VPN connection, in combination with IPsec (GRE over IPsec), since GRE alone protects nothing.

Fig. 6.8. An example of how a GRE tunnel works

Between routers A and B (Fig. 6.8) there are several other routers; the GRE tunnel connects the local networks 192.168.1.0/24 and 192.168.3.0/24 as if routers A and B were directly connected.
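The two encapsulations described above in one place, as an added example (this code is not part of the original text or any D-Link product): plain GRE as used for the tunnel between routers A and B in Fig. 6.8, and the enhanced GRE header that PPTP wraps around each PPP frame (Fig. 6.7). The public addresses 203.0.113.1 and 198.51.100.1 for routers A and B, the call ID and the PPP frame are constructed sample values. Note that nothing here is encrypted or authenticated: the inner packet is visible to every router on the path, which is exactly why GRE needs IPsec for a secure VPN.

```python
import socket
import struct

GRE_PROTO = 47            # IP protocol number of GRE
PTYPE_IPV4 = 0x0800       # GRE protocol type for an IPv4 payload
PTYPE_PPP = 0x880B        # GRE protocol type for PPP (used by PPTP)


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header; the checksum is left at zero because only
    the layering matters here, not a transmittable packet."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def parse_ipv4(pkt: bytes):
    """Return (src, dst, protocol, payload) of an IPv4 packet without options."""
    ihl = (pkt[0] & 0x0F) * 4
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            pkt[9], pkt[ihl:])


def gre_encap(outer_src: str, outer_dst: str, inner_pkt: bytes) -> bytes:
    """Router A side of Fig. 6.8: wrap a packet from 192.168.1.0/24 in a plain
    GRE header (version 0, no optional fields) and an outer IP header addressed
    to router B, so the intermediate routers only ever see A -> B traffic."""
    gre = struct.pack("!HH", 0x0000, PTYPE_IPV4)      # flags/version word = 0
    outer = ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre) + len(inner_pkt))
    return outer + gre + inner_pkt


def gre_decap(pkt: bytes) -> bytes:
    """Router B side: strip the outer IP and GRE headers and return the inner
    packet, which is then routed as if A and B were directly connected."""
    _, _, proto, payload = parse_ipv4(pkt)
    if proto != GRE_PROTO:
        raise ValueError(f"not a GRE packet (protocol {proto})")
    flags_ver, ptype = struct.unpack("!HH", payload[:4])
    if flags_ver & 0x0007 != 0:
        raise ValueError("expected GRE version 0")
    if ptype != PTYPE_IPV4:
        raise ValueError(f"unexpected protocol type {ptype:#06x}")
    offset = 4                        # optional fields follow when C, K or S bits are set
    if flags_ver & 0x8000:
        offset += 4                   # checksum + reserved
    if flags_ver & 0x2000:
        offset += 4                   # key
    if flags_ver & 0x1000:
        offset += 4                   # sequence number
    return payload[offset:]


def pptp_gre_encap(outer_src: str, outer_dst: str, call_id: int, seq: int,
                   ppp_frame: bytes) -> bytes:
    """PPTP data packet: the PPP frame goes into an enhanced GRE header
    (version 1, K and S bits set). The key field carries the payload length
    and the call ID that ties the packet to a call set up on the TCP control
    connection; the sequence number lets the receiver detect lost packets."""
    flags_ver = 0x2000 | 0x1000 | 0x0001             # K=1, S=1, version=1
    gre = struct.pack("!HHHHI", flags_ver, PTYPE_PPP, len(ppp_frame), call_id, seq)
    outer = ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre) + len(ppp_frame))
    return outer + gre + ppp_frame


def pptp_gre_decap(pkt: bytes):
    """Return (call_id, sequence_number, ppp_frame) from a PPTP data packet."""
    _, _, proto, payload = parse_ipv4(pkt)
    if proto != GRE_PROTO:
        raise ValueError("not a GRE packet")
    flags_ver, ptype, plen, call_id = struct.unpack("!HHHH", payload[:8])
    if flags_ver & 0x0007 != 1 or ptype != PTYPE_PPP:
        raise ValueError("not a PPTP enhanced-GRE packet")
    offset, seq = 8, None
    if flags_ver & 0x1000:                            # S bit: sequence number present
        seq = struct.unpack("!I", payload[offset:offset + 4])[0]
        offset += 4
    if flags_ver & 0x0080:                            # A bit: acknowledgment number present
        offset += 4
    return call_id, seq, payload[offset:offset + plen]


if __name__ == "__main__":
    # Constructed sample: a host on 192.168.1.0/24 sends to a host on 192.168.3.0/24.
    inner = ipv4_header("192.168.1.10", "192.168.3.20", 17, 4) + b"ping"
    tunneled = gre_encap("203.0.113.1", "198.51.100.1", inner)
    print(parse_ipv4(tunneled)[:3])          # ('203.0.113.1', '198.51.100.1', 47)
    print(gre_decap(tunneled) == inner)      # True
```

A firewall between A and B has to permit IP protocol 47 for either tunnel to work; there is no port to filter on, which is also why GRE does not pass through NAT without help.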

L2TP

The L2TP protocol emerged from the combination of PPTP and L2F. Its main advantage is that it can create a tunnel not only over IP networks but also over ATM, X.25 and Frame Relay networks. Over IP, L2TP uses UDP (port 1701) as its transport and uses the same header format for both tunnel control and data forwarding.

As with PPTP, L2TP assembles a packet for the tunnel by first forming the PPP frame (PPP header plus payload) and then prepending the L2TP header, which identifies the tunnel and the session within it. The result is carried in UDP. Depending on the IPsec security policy selected, ESP can then encrypt the UDP datagram and add an ESP header and trailer, plus an authentication (ICV) field (see the "L2TP over IPSec" section). Next, an IP header with the sender and recipient addresses is added. Finally, the IP packet is framed for the physical link (PPP, Ethernet, etc.). Fig. 6.9 shows the data structure for forwarding over an L2TP tunnel.

Fig. 6.9. Data structure for forwarding over an L2TP tunnel

The receiving computer strips the link-layer framing and processes the IP header. If IPsec is in use, the ICV is verified over the ESP-protected part of the packet and the ESP header is used to decrypt it.

The computer then processes the UDP header and uses the L2TP header to identify the tunnel. The PPP packet now contains only payload data that is processed or forwarded to the specified recipient.
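The receive-side processing just described, as an added example (not code from the original text or from any product it mentions): building an L2TPv2 data message inside a UDP datagram and, on the other end, parsing the UDP and L2TP headers and using the tunnel and session IDs to find the session the PPP frame belongs to. The session table, tunnel/session IDs and PPP frame are constructed sample values. Without IPsec, everything after the UDP header is plaintext on the wire, which is the point of running L2TP over IPsec.

```python
import struct
from typing import Optional

L2TP_PORT = 1701          # UDP port used by L2TP for both control and data messages


def udp_header(sport: int, dport: int, payload_len: int) -> bytes:
    """8-byte UDP header; checksum left at zero (only the layering matters here)."""
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def l2tp_encap(tunnel_id: int, session_id: int, ppp_frame: bytes,
               ns: Optional[int] = None, nr: int = 0) -> bytes:
    """Build a UDP datagram carrying an L2TPv2 data message.
    Flags/Ver word: T=0 (data), L=1 (length field present), Ver=2; the S bit
    is set when sequence numbers are used on the session."""
    flags = 0x4002
    seq_fields = b""
    if ns is not None:
        flags |= 0x0800
        seq_fields = struct.pack("!HH", ns, nr)
    length = 2 + 2 + 4 + len(seq_fields) + len(ppp_frame)   # whole L2TP message
    hdr = struct.pack("!HHHH", flags, length, tunnel_id, session_id) + seq_fields
    return udp_header(L2TP_PORT, L2TP_PORT, len(hdr) + len(ppp_frame)) + hdr + ppp_frame


def l2tp_parse(datagram: bytes) -> dict:
    """Parse UDP + L2TPv2 header and return the fields the receiver needs."""
    sport, dport, ulen, _ = struct.unpack("!HHHH", datagram[:8])
    if dport != L2TP_PORT:
        raise ValueError(f"not L2TP: UDP port {dport}")
    msg = datagram[8:ulen]
    flags = struct.unpack("!H", msg[:2])[0]
    if flags & 0x000F != 2:
        raise ValueError("not an L2TPv2 message")
    offset, length = 2, len(msg)
    if flags & 0x4000:                                  # L bit: length field present
        length = struct.unpack("!H", msg[offset:offset + 2])[0]
        offset += 2
    tunnel_id, session_id = struct.unpack("!HH", msg[offset:offset + 4])
    offset += 4
    ns = nr = None
    if flags & 0x0800:                                  # S bit: Ns/Nr present
        ns, nr = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
    if flags & 0x0200:                                  # O bit: offset size + padding
        pad = struct.unpack("!H", msg[offset:offset + 2])[0]
        offset += 2 + pad
    return {"control": bool(flags & 0x8000), "tunnel_id": tunnel_id,
            "session_id": session_id, "ns": ns, "nr": nr, "payload": msg[offset:length]}


def demux(sessions: dict, datagram: bytes):
    """What the L2TP server does with an incoming datagram: use (tunnel ID,
    session ID) to find the session. Control messages are handled elsewhere
    and unknown sessions are dropped. Returns (session owner, PPP frame) or None."""
    msg = l2tp_parse(datagram)
    key = (msg["tunnel_id"], msg["session_id"])
    if msg["control"] or key not in sessions:
        return None
    return sessions[key], msg["payload"]
```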

IPsec (short for IP Security) is a set of protocols for ensuring the protection of data transmitted over the Internet Protocol (IP), allowing authentication and/or encryption of IP packets. IPsec also includes protocols for secure key exchange over the Internet.

IPsec security is achieved through additional protocols that add their own headers to the IP packet (encapsulation). Because IPsec is an Internet standard, it is defined in RFCs. The original 1998 series, still widely cited, is:

    RFC 2401 (Security Architecture for the Internet Protocol) – security architecture for the IP protocol.

    RFC 2402 (IP Authentication header) – IP authentication header.

    RFC 2404 (The Use of HMAC-SHA-1-96 within ESP and AH) – use of HMAC-SHA-1, truncated to 96 bits, as the integrity algorithm in AH and ESP.

    RFC 2405 (The ESP DES-CBC Cipher Algorithm With Explicit IV) - use of the DES encryption algorithm.

    RFC 2406 (IP Encapsulating Security Payload (ESP)) – data encryption.

    RFC 2407 (The Internet IP Security Domain of Interpretation for ISAKMP) – the IPsec "domain of interpretation": how ISAKMP is used to negotiate IPsec SAs and which attributes can be negotiated.

    RFC 2408 ( Internet Security Association and Key Management Protocol (ISAKMP) – management of keys and authenticators for secure connections.

    RFC 2409 (The Internet Key Exchange (IKE)) – key exchange.

    RFC 2410 (The NULL Encryption Algorithm and Its Use With IPsec) – null encryption algorithm and its use.

    RFC 2411 (IP Security Document Roadmap) – guide to how the IPsec documents relate to each other and how specifications for new algorithms should be written.

    RFC 2412 (The OAKLEY Key Determination Protocol) – Diffie-Hellman-based key agreement, on which the IKE key exchange is built.

These documents have since been revised: RFC 4301 (architecture), RFC 4302 (AH), RFC 4303 (ESP) and RFC 7296 (IKEv2) are the current versions, so check which one a given product actually implements. IPsec was designed as an integral part of IPv6 and as an optional extension to IPv4.

The IPSec mechanism solves the following problems:

    authentication of users or computers when initializing a secure channel;

    encryption and authentication of data transmitted between secure channel endpoints;

    automatic provision of channel endpoints with secret keys necessary for the operation of authentication and data encryption protocols.

IPSec Components

The AH (Authentication Header) protocol provides integrity and data origin authentication: the receiver verifies that no bit of the protected part of the packet was changed in transit. The protected part includes the IP source and destination addresses, so AH does not survive NAT: a NAT device rewrites the address (and port) to give hosts with private addresses Internet access, the packet changes, and the AH integrity check value (ICV) no longer matches. To get IPsec through NAT, the NAT-Traversal (NAT-T) extension was developed (RFC 3947 and RFC 3948); it carries ESP inside UDP on port 4500, which NAT can handle, and does nothing for AH. Note also that AH was designed for integrity only; it does not provide confidentiality, since it does not encrypt the contents of the packet.

The ESP (Encapsulating Security Payload) protocol provides integrity and authentication of the transmitted data, data encryption, and protection against replayed packets.

The ESP protocol is an encapsulating security protocol that provides both integrity and confidentiality. In transport mode, the ESP header is located between the original IP header and the TCP or UDP header. In tunnel mode, the ESP header is placed between the new IP header and the fully encrypted original IP packet.

Because both protocols insert their own headers after the IP header, each has its own IP protocol number, which tells the receiver what follows the IP header. Every protocol carried in IP has such a number, assigned by IANA (Internet Assigned Numbers Authority); for example, TCP is 6 and UDP is 17. Therefore, when IPsec traffic must pass a firewall, its filters must allow packets with the AH and/or ESP protocol numbers (and, for NAT-T, UDP port 4500).

To indicate that AH is present in the IP header, the protocol ID is set to 51, and for ESP the number is 50.

ATTENTION: Protocol ID is not the same as port number.

The IKE (Internet Key Exchange) protocol is the standard IPsec protocol for negotiating secure connections in virtual private networks. The purpose of IKE is to authenticate the peers and to securely negotiate and deliver keying material for a security association (SA).

SA is the IPSec term for connection. An established SA (a secure channel called a Security Association or SA) includes a shared secret key and a set of cryptographic algorithms.

The IKE protocol performs three main tasks:

    provides a means of authentication between two VPN endpoints;

    establishes new IPSec connections (creates an SA pair);

    manages existing connections.

IKE uses UDP port number 500. When using the NAT Traversal feature, as mentioned earlier, the IKE protocol uses UDP port number 4500.

Data exchange in IKE occurs in two phases. In the first phase the IKE SA is established: the channel endpoints authenticate each other, agree on the parameters protecting the IKE channel itself (encryption algorithm, hash algorithm, Diffie-Hellman group) and derive the session keys.

In the second phase, the IKE SA is used to negotiate the SAs for the data protection protocol (ESP or AH) and their keys.

When a VPN tunnel is configured, one SA pair is created for each protocol used. SAs are created in pairs because each SA is unidirectional and data must flow in both directions. The resulting SA pairs are stored on each node.

Since each node can establish multiple tunnels with other nodes, each SA carries a unique number, the SPI (Security Parameter Index), which the receiver uses together with the destination address and the protocol (AH or ESP) to find the right SA for an incoming packet.

SAs are stored in the SAD (Security Association Database).

Each IPSec node also has a second DB − SPD(Security Policy Database) – security policy database. It contains the configured site policy. Most VPN solutions allow the creation of multiple policies with combinations of suitable algorithms for each host to which a connection needs to be established.

The flexibility of IPsec lies in the fact that each task can be solved in several ways, and the method chosen for one task is usually independent of the methods chosen for the others. At the same time, the IETF working group defined a basic set of functions and algorithms that must be implemented uniformly in all products supporting IPsec. The AH and ESP mechanisms can be used with a variety of authentication and encryption schemes, some of which are mandatory. For example, the original IPsec RFCs required that packets be authenticated with HMAC-MD5 or HMAC-SHA-1 and encrypted with DES. These defaults are obsolete: current guidance (RFC 8221) forbids DES and HMAC-MD5 and requires AES, so the mandatory set has changed over time and you should check what the peers actually support. Manufacturers may add other algorithms; for example, some products support 3DES, Blowfish, CAST, RC5, etc.

To encrypt data in IPSec, any symmetric encryption algorithm that uses secret keys can be used.

The protocols that protect the transmitted stream (AH and ESP) can operate in two modes: transport mode and tunnel mode. In transport mode, IPsec protects only the transport-layer information, i.e. the data field of the IP packet carrying the TCP or UDP segment; the IP header is not encrypted (with AH it is authenticated but left unchanged). Transport mode is typically used for connections between hosts.

In tunneling mode, the entire IP packet is encrypted, including the network layer header. In order for it to be transmitted over the network, it is placed in another IP packet. Essentially, it is a secure IP tunnel. Tunnel mode can be used to connect remote computers to a virtual private network (host-network connection scheme) or to organize secure data transfer via open channels communications (eg Internet) between gateways to connect different parts of a virtual private network (site-to-site connection diagram).

IPsec modes are not mutually exclusive. On the same node, some SAs may use transport mode and others use tunnel mode.

When AH or ESP authentication is applied, the ICV (Integrity Check Value) of the packet is calculated. This assumes that both nodes know the secret key, which lets the recipient recompute the ICV and compare it with the value sent by the sender. If the comparison succeeds, the sender of the packet is considered authenticated.

In AH transport mode, the ICV is calculated over:

    the entire IP header, except for fields that may be modified in transit. These fields, which are set to 0 for the ICV calculation, are Type of Service (TOS), flags, fragment offset, time to live (TTL) and the header checksum;

    all fields in AH;

    IP packet payload.

AH in transport mode protects the IP header (excluding fields for which changes are allowed) and payload in the original IP packet (Figure 3.39).

In tunnel mode, the original packet is placed in a new IP packet, and data transmission is performed based on the header of the new IP packet.

In AH tunnel mode, the ICV calculation includes the following components:

    all fields of the outer IP header, except some fields in the IP header that may be modified during transmission. These fields, which are set to 0 for ICV calculation, can be Type of Service (TOS), flags, fragment offset, time to live (TTL), and checksum header;

    all fields AH;

    original IP packet.

As you can see in the following illustration, AH tunneling mode protects the entire original IP packet by using an additional outer header, which AH transport mode does not use:

Fig. 6.10. Tunnel and transport modes of operation of the AH protocol

In transport mode, ESP does not authenticate the entire packet, but only protects the IP payload. The ESP header is inserted into the IP packet immediately after the IP header, and the ESP trailer is appended after the data.

ESP transport mode encrypts the following parts of the packet:

    IP payload (the transport-layer segment);

    ESP trailer (padding, pad length and next header fields). The IP header and the ESP header itself (SPI and sequence number) are sent in clear.

An encryption algorithm operating in Cipher Block Chaining (CBC) mode places an unencrypted field between the ESP header and the payload: the IV (Initialization Vector) that the receiver needs to start CBC decryption. Because it is needed to begin decryption, it cannot itself be encrypted. An attacker who can see the IV still cannot decrypt the protected part of the packet without the key. To prevent the IV from being tampered with, it is covered by the ICV, which in this case is computed over:

    all fields in the ESP header;

    payload including plaintext IV;

    all fields in ESP Trailer except the authentication data field.

ESP tunnel mode encapsulates the entire original IP packet behind a new IP header, an ESP header and an ESP trailer. The new IP header carries protocol number 50 to indicate that ESP follows; the original IP header and payload are left unchanged inside. As with AH tunnel mode, the outer IP header is built from the IPsec tunnel configuration. In the ESP tunnel-mode diagram, the authenticated region shows what the ICV certifies for integrity and authenticity, and the encrypted region shows what is kept confidential. The original header sits immediately after the ESP header. Once the encrypted portion has been wrapped in the new, unencrypted tunnel header, the packet is transmitted. On the public network it is routed to the address of the receiving network's gateway; the gateway decrypts the packet, discards the ESP header and trailer, and uses the original IP header to route the packet to a computer on the internal network. ESP tunnel mode encrypts the following parts of the packet:

    original IP packet;

For ESP tunnel mode, the ICV is calculated over:

    all fields in the ESP header;

    original IP packet including plaintext IV;

    all fields in the ESP trailer except the authentication data field.

Fig. 6.11. Tunnel and transport modes of the ESP protocol

Fig. 6.12. Comparison of the ESP and AH protocols
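The AH and ESP packet layouts and ICV coverage described above, worked through in code as an added example (not code from the original text or from any product it mentions). It builds an AH transport-mode packet with HMAC-SHA1-96 (RFC 2404), zeroing exactly the mutable IP header fields listed in the text before computing the ICV, and shows that a TTL decrement in transit still verifies while a NAT rewrite of the source address does not. It then builds an ESP tunnel-mode packet using the NULL cipher (RFC 2410) with the same integrity algorithm, so that the ESP header, trailer and ICV placement can be seen without a third-party crypto library; with a real cipher only the bracketed region would become ciphertext. Keys, addresses and payloads are constructed sample values; replay-window handling is omitted.

```python
import hashlib
import hmac
import socket
import struct

PROTO_ESP, PROTO_AH, PROTO_TCP, PROTO_IPIP = 50, 51, 6, 4
ICV_LEN = 12   # HMAC-SHA1-96: 20-byte HMAC-SHA1 truncated to 96 bits (RFC 2404)


def ipv4_header(src, dst, proto, payload_len, ttl=64, tos=0):
    """20-byte IPv4 header with a made-up identification, DF flag and checksum,
    so the mutable-field handling below has something to zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0x1234, 0x4000,
                       ttl, proto, 0xABCD, socket.inet_aton(src), socket.inet_aton(dst))


def zero_mutable(ip_hdr: bytes) -> bytes:
    """Fields that legitimately change in transit are set to zero before the ICV
    is computed: TOS, flags/fragment offset, TTL and header checksum. Addresses
    are NOT in this list, which is why NAT breaks AH."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def icv(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_transport(key, ip_hdr, payload, spi, seq):
    """AH transport mode: IP | AH | payload. The ICV covers the IP header (mutable
    fields zeroed), the AH header (ICV field zeroed) and the payload."""
    ah_len = 12 + ICV_LEN                      # 24 bytes -> Payload Len field = 24/4 - 2
    ah_fixed = struct.pack("!BBHII", ip_hdr[9], ah_len // 4 - 2, 0, spi, seq)
    outer = bytearray(ip_hdr)
    outer[9] = PROTO_AH                        # protocol number now says "AH follows"
    outer[2:4] = struct.pack("!H", 20 + ah_len + len(payload))
    outer = bytes(outer)
    mac = icv(key, zero_mutable(outer) + ah_fixed + bytes(ICV_LEN) + payload)
    return outer + ah_fixed + mac + payload


def ah_verify(key, pkt) -> bool:
    ip_hdr, rest = pkt[:20], pkt[20:]
    if ip_hdr[9] != PROTO_AH:
        raise ValueError("not an AH packet")
    ah_len = (rest[1] + 2) * 4
    mac, payload = rest[12:ah_len], rest[ah_len:]
    expected = icv(key, zero_mutable(ip_hdr) + rest[:12] + bytes(len(mac)) + payload)
    return hmac.compare_digest(mac, expected)


def nat_rewrite_src(pkt, new_src):
    """What a NAT device does on the way out: replace the source address."""
    p = bytearray(pkt)
    p[12:16] = socket.inet_aton(new_src)
    return bytes(p)


def esp_tunnel(key, gw_src, gw_dst, inner_pkt, spi, seq):
    """ESP tunnel mode: new IP | ESP header | [inner IP packet | padding | pad len |
    next header] | ICV. With the NULL cipher the bracketed part is sent as-is; with
    a real cipher it is the ciphertext. The ICV covers ESP header, payload and trailer."""
    pad_len = (-(len(inner_pkt) + 2)) % 4      # pad-len/next-header must end on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, PROTO_IPIP])
    region = struct.pack("!II", spi, seq) + inner_pkt + trailer
    body = region + icv(key, region)
    return ipv4_header(gw_src, gw_dst, PROTO_ESP, len(body)) + body


def esp_tunnel_decap(key, pkt):
    """Gateway side: verify the ICV first, then strip ESP header and trailer and
    return (spi, seq, next header, inner packet) for routing."""
    outer, body = pkt[:20], pkt[20:]
    if outer[9] != PROTO_ESP:
        raise ValueError("not an ESP packet")
    region, mac = body[:-ICV_LEN], body[-ICV_LEN:]
    if not hmac.compare_digest(mac, icv(key, region)):
        raise ValueError("ICV mismatch: packet modified or wrong key")
    spi, seq = struct.unpack("!II", region[:8])
    pad_len, next_hdr = region[-2], region[-1]
    return spi, seq, next_hdr, region[8:len(region) - 2 - pad_len]
```

Verifying the ICV before touching the payload (as esp_tunnel_decap does) is the order a real implementation must follow: a packet whose ICV fails is dropped without being decrypted or routed.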

Summary of IPsec policy parameters (a typical choice, with alternatives in parentheses):

    Protocol – ESP (AH).

    Mode – tunnel (transport).

    The key exchange method is IKE (manual).

    IKE mode – main (aggressive).

    DH group – group 5 (group 2, group 1): the Diffie-Hellman group used to derive the session keys; the group number determines the modulus length.

    Authentication – SHA1 (SHA, MD5). MD5 should no longer be used; current implementations also offer SHA-256 and stronger.

    Encryption – DES (3DES, Blowfish, AES). Of these only AES is still considered adequate; DES can be brute-forced and 3DES is deprecated.

When creating a policy, it is usually possible to build an ordered list of algorithms and Diffie-Hellman groups. Diffie-Hellman (DH) is a key agreement protocol used to establish shared secret keys for IKE, IPsec and PFS (Perfect Forward Secrecy). The first entry that matches on both nodes is used. It is essential that the whole security policy allows such a match: if everything matches except one part of the policy, the nodes will still fail to establish the VPN connection. When setting up a tunnel between systems from different vendors, find out which algorithms each side supports so that you can choose the most secure policy they have in common.

Basic settings that the security policy includes:

    Symmetric algorithms for data encryption/decryption.

    Cryptographic checksums to verify data integrity.

    Node identification method. The most common methods are pre-shared secrets or CA certificates.

    Whether to use tunnel mode or transport mode.

    Which Diffie-Hellman group to use (DH group 1 (768-bit); DH group 2 (1024-bit); DH group 5 (1536-bit)). Modern devices also offer group 14 (2048-bit) and elliptic-curve groups; groups 1 and 2 are too short for current use.

    Whether to use AH, ESP, or both.

    Whether to use PFS.

A limitation of IPsec is that it protects IP traffic only; non-IP protocols must first be encapsulated in IP (for example with GRE) before IPsec can protect them.

There are two main schemes for using IPSec, differing in the role of the nodes that form the secure channel.

In the first scheme, a secure channel is formed between the end hosts of the network. In this scheme, the IPSec protocol protects the node on which it is running:

Fig. 6.13. Creating a secure channel between two endpoints

In the second scheme, a secure channel is established between two security gateways. These gateways accept data from end hosts connected to networks located behind the gateways. The end hosts in this case do not support the IPSec protocol; traffic sent to the public network passes through the security gateway, which performs protection on its behalf.

Fig. 6.14. Creating a secure channel between two gateways

Hosts that support IPsec can use both transport and tunnel mode. Security gateways protecting traffic on behalf of other hosts must use tunnel mode; transport mode is appropriate on a gateway only for traffic addressed to the gateway itself (for example, management traffic).

Establishing and maintaining a VPN tunnel

As mentioned above, establishing and maintaining a VPN tunnel is a two-stage process. In the first stage (phase), the two nodes agree on an identification method, an encryption algorithm, a hash algorithm and a Diffie-Hellman group, and authenticate each other. This can happen through an exchange of three messages with identities sent in the clear (Aggressive mode) or six messages, with identities exchanged under encryption (the standard Main mode). Aggressive mode with pre-shared keys exposes the identities and a hash derived from the key to anyone capturing the exchange, which allows an offline guessing attack on the key; Main mode should be preferred where both sides support it.

In Main Mode, it is possible to coordinate all configuration parameters of the sender and recipient devices, while in Aggressive Mode there is no such possibility, and some parameters (Diffie-Hellman group, encryption and authentication algorithms, PFS) must be configured identically in advance on each device. However, in this mode, both the number of exchanges and the number of packets sent are lower, resulting in less time required to establish an IPSec session.

Fig. 6.15. Messaging in standard (a) and aggressive (b) modes

Assuming the exchange completes successfully, the first-phase SA is created (the Phase 1 SA, also called the IKE SA) and the process moves to the second phase.

In the second stage, keying material is generated and the nodes agree on the policy to use for the data SAs. This exchange, also called Quick mode, differs from the first phase in that it can only take place after the first phase has completed, and all of its packets are protected by the IKE SA. Successful completion of the second phase produces the Phase 2 SA (IPsec SA), at which point the tunnel is considered established.

In operation, a packet with a destination address in the other network arrives at the node, and the node initiates the first phase with the node responsible for that network. Suppose the tunnel between the nodes has been established and is waiting for packets. After a certain period the nodes nevertheless have to authenticate each other again and compare policies. This period is called the Phase One lifetime or IKE SA lifetime.

The nodes must also change the key used to encrypt data after a period called the Phase Two lifetime or IPSec SA lifetime.

The Phase Two lifetime is shorter than the Phase One lifetime because the data key has to be changed more often. Configure the same lifetime values on both nodes; otherwise the tunnel may come up successfully at first and then drop when the first mismatched lifetime expires. Problems can also arise when the first-phase lifetime is shorter than the second-phase lifetime. If a tunnel that used to work stops working, the lifetimes on both nodes are the first thing to check.

Note also that if the policy is changed on one of the nodes, the change takes effect only the next time the first phase runs. To apply it immediately, delete the SA of this tunnel from the SAD (Security Association Database); the nodes are then forced to renegotiate with the new security policy settings.

When an IPSec tunnel is set up between equipment from different manufacturers, difficulties sometimes arise in agreeing the first-phase parameters. Pay attention to the Local ID parameter, the identifier of a tunnel endpoint (one for the sender side and one for the receiver side). It matters especially when several tunnels are created and when NAT Traversal is used.

Dead Peer Detection

During VPN operation, when there is no traffic between the tunnel endpoints or when the remote node's parameters change (for example, its dynamically assigned IP address changes), the tunnel may effectively cease to exist while still appearing to be configured: a "ghost" tunnel. To keep the IPSec tunnel ready for data exchange, the IKE Dead Peer Detection mechanism (RFC 3706) watches for traffic from the remote tunnel node. If none arrives for a set time, a hello message is sent (in D-Link firewalls the message is "DPD-R-U-THERE"). If no reply arrives within a set time (in D-Link firewalls the "DPD Expire Time" setting), the tunnel is torn down. After that, D-Link firewalls automatically try to re-establish the tunnel according to the "DPD Keep Time" setting (Fig. 6.18).
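The timer behaviour described above, modelled as a small clock-driven state machine. This is an added example, not D-Link's or any vendor's implementation: the peer, the explicit clock and the three timer names (idle_time, expire_time and keep_time, standing in for the idle period, "DPD Expire Time" and "DPD Keep Time" in the text) are assumptions made for the demonstration, and the timings in the usage are constructed.

```python
"""Dead Peer Detection (RFC 3706) as a clock-driven state machine.

Added example, not D-Link's implementation. Timer names follow the text:
idle_time   - seconds without traffic from the peer before DPD R-U-THERE is sent
expire_time - seconds to wait for R-U-THERE-ACK before the tunnel is torn down
keep_time   - seconds after teardown before re-establishment is attempted
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DpdMonitor:
    idle_time: float
    expire_time: float
    keep_time: float
    state: str = "up"                      # "up" -> "down" -> "reconnecting"
    last_rx: float = 0.0                   # time of the last proof that the peer is alive
    probe_sent_at: Optional[float] = None  # time of the outstanding R-U-THERE, if any
    torn_down_at: Optional[float] = None
    events: list[str] = field(default_factory=list)

    def tunnel_established(self, t: float) -> None:
        """Called when Phase 1 and Phase 2 have completed (initially or after a rebuild)."""
        self.state, self.last_rx = "up", t
        self.probe_sent_at = self.torn_down_at = None

    def traffic_received(self, t: float) -> None:
        """RFC 3706 treats any protected traffic from the peer as proof of liveness,
        so a probe is needed only on an idle link."""
        self.last_rx = t
        self.probe_sent_at = None

    def ack_received(self, t: float) -> None:
        """R-U-THERE-ACK is the explicit answer to a probe."""
        self.traffic_received(t)

    def tick(self, t: float) -> Optional[str]:
        """Advance the clock to time t and return the action to perform now, if any."""
        action = None
        if self.state == "up":
            if self.probe_sent_at is None:
                if t - self.last_rx >= self.idle_time:
                    self.probe_sent_at = t
                    action = "send DPD R-U-THERE"
            elif t - self.probe_sent_at >= self.expire_time:
                # One unanswered probe within expire_time marks the peer dead, as the
                # text describes; RFC 3706 leaves the retry policy to the implementation.
                self.state, self.torn_down_at = "down", t
                action = "tear down tunnel"
        elif self.state == "down" and t - self.torn_down_at >= self.keep_time:
            self.state = "reconnecting"
            action = "re-establish tunnel (new Phase 1)"
        if action:
            self.events.append(f"t={t:g}: {action}")
        return action


if __name__ == "__main__":
    # Constructed timeline: peer goes silent at t=0 and never answers the probe.
    m = DpdMonitor(idle_time=10, expire_time=20, keep_time=5)
    m.tunnel_established(0)
    for t in (5, 10, 25, 30, 34, 35):
        m.tick(t)
    print("\n".join(m.events))
```

Because any authenticated traffic resets the idle timer, probes only ever appear on a quiet link, which is what makes DPD cheap enough to leave on permanently; the cost of a dead peer is bounded by idle_time + expire_time, after which keep_time controls how aggressively the firewall retries.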

NAT Traversal protocol

IPsec traffic is routed by the same rules as any other IP protocol, but it does not survive a NAT gateway: NAT rewrites addresses and relies on transport-layer port numbers to multiplex connections, and ESP carries no ports for it to use (AH is worse still, since it protects the IP header and any address rewrite breaks its integrity check). As mentioned earlier, the IETF solved this by defining a way to encapsulate ESP in UDP, called NAT-T (NAT Traversal).

NAT Traversal encapsulates IPSec traffic in UDP packets, which NAT devices forward correctly. NAT-T places an additional UDP header in front of the IPSec packet, so that every device on the path treats it as an ordinary UDP packet and does not inspect its contents. When the packet reaches its destination, the UDP header is removed and the packet is processed as a normal IPSec packet, including the usual integrity check. Both IKE and the encapsulated ESP use UDP port 4500; IKE first detects whether there is a NAT on the path (the NAT-D payloads of RFC 3947) and only then switches to UDP encapsulation (RFC 3948). In this way NAT-T allows communication between IPSec clients on private networks and public IPSec hosts through NAT devices and firewalls.
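How a NAT-T endpoint tells the three kinds of UDP/4500 payload apart, as an added example that is not vendor code and not part of the original article. The IKE header layout and the IKEv1 exchange-type numbers come from the IKE RFCs; the marker and keepalive values are those of RFC 3948; the sample packets are constructed for the demonstration.

```python
"""Building and classifying NAT-T payloads on UDP port 4500 (RFC 3948).

Added example, not vendor code. Three things share port 4500:
 - UDP-encapsulated ESP: the ESP header follows the UDP header directly;
 - IKE: prefixed with a 4-byte zero "Non-ESP marker" so it cannot be mistaken
   for ESP (whose SPI is never 0);
 - the 1-byte NAT keepalive that refreshes the NAT mapping.
"""
from __future__ import annotations

import struct

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"
IKE_HEADER_LEN = 28
# IKEv1 exchange types (RFC 2408/2409); the text calls 2, 4 and 32 Main, Aggressive and Quick mode.
IKEV1_EXCHANGES = {2: "main (identity protection)", 4: "aggressive", 5: "informational", 32: "quick"}


def ike_header(init_spi: int, resp_spi: int, exchange_type: int, payload_len: int = 0) -> bytes:
    """Constructed IKEv1 header: SPIs, next payload, version 1.0, exchange type, flags,
    message id and total length."""
    return struct.pack("!QQBBBBII", init_spi, resp_spi, 0, 0x10, exchange_type, 0, 0,
                       IKE_HEADER_LEN + payload_len)


def udp_encapsulate_ike(ike: bytes) -> bytes:
    """IKE on port 4500: the Non-ESP marker goes in front of the IKE header."""
    if len(ike) < IKE_HEADER_LEN:
        raise ValueError("truncated IKE header")
    return NON_ESP_MARKER + ike


def udp_encapsulate_esp(esp: bytes) -> bytes:
    """ESP on port 4500 follows the UDP header directly, with no marker: the receiver
    recognises it by a non-zero SPI, which is why SPI 0 is reserved."""
    if len(esp) < 8:
        raise ValueError("ESP packet too short for SPI and sequence number")
    if struct.unpack("!I", esp[:4])[0] == 0:
        raise ValueError("SPI 0 is reserved: it would be read as the Non-ESP marker")
    return esp


def classify(payload: bytes) -> tuple[str, dict]:
    """Decide what a UDP/4500 payload carries, the way a NAT-T receiver does."""
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive", {}
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < IKE_HEADER_LEN:
            raise ValueError("truncated IKE header")
        init_spi, resp_spi, _next, version, exch, _flags, _msg_id, length = struct.unpack(
            "!QQBBBBII", ike[:IKE_HEADER_LEN])
        return "ike", {"initiator_spi": init_spi, "responder_spi": resp_spi,
                       "major_version": version >> 4,
                       "exchange": IKEV1_EXCHANGES.get(exch, f"type {exch}"),
                       "length": length}
    if len(payload) < 8:
        raise ValueError("too short for an ESP header")
    spi, seq = struct.unpack("!II", payload[:8])
    return "esp", {"spi": spi, "seq": seq}


if __name__ == "__main__":
    # Constructed samples: a Main-mode first message, an ESP packet and a keepalive.
    print(classify(udp_encapsulate_ike(ike_header(0x1122334455667788, 0, 2))))
    print(classify(udp_encapsulate_esp(struct.pack("!II", 0xC0FFEE, 7) + b"\x00" * 16)))
    print(classify(NAT_KEEPALIVE))
```

The receiver's whole demultiplexing decision rests on the first four bytes, so the same rules explain the troubleshooting advice in the text: a middlebox that strips or rewrites the UDP payload, or a firewall that passes 500 but not 4500, leaves Phase 1 negotiating normally and then breaks the moment the peers switch to UDP encapsulation.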

When configuring the D-Link firewall on the receiving side, two points need attention:

    In the Remote Network and Remote Endpoint fields, specify the network and the IP address of the remote (sending) device. Translation of the initiator's (sender's) IP address by NAT must be allowed (Figure 3.48).

    When pre-shared keys are used with several tunnels that connect to the same remote firewall and are NATed to the same address, make sure the Local ID is unique for each tunnel.

Local ID may be one of:

    Auto – the IP address of the interface the traffic leaves through is used as the local identifier.

    IP – an IP address (typically the WAN address of the firewall).

    DNS – a DNS name.
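The checks discussed above (Phase 2 lifetime shorter than Phase 1, identical lifetimes on both ends, Aggressive mode's pre-set parameters and its weakness with pre-shared keys, and unique Local IDs for several PSK tunnels that reach the same firewall through one NATed address) collected into a pre-flight script. This is an added example, not a D-Link feature or the article's own code; the record fields, the addresses and the names of the sample tunnels are assumptions made for the demonstration.

```python
"""Pre-flight checks for IKEv1/IPSec tunnel definitions.

Added example, not vendor code. Each tunnel end is a plain record; check_pair()
reports the inconsistencies that typically let a tunnel come up and then drop at
the first rekey, and check_local_ids() reports Local IDs that a remote firewall
could not tell apart.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class TunnelEnd:
    name: str
    peer: str            # address of the remote firewall this tunnel terminates on
    local_id: str
    ike_mode: str        # "main" or "aggressive"
    auth: str            # "psk" or "cert"
    ike_lifetime: int    # Phase 1 (IKE SA) lifetime, seconds
    ipsec_lifetime: int  # Phase 2 (IPSec SA) lifetime, seconds
    dh_group: int
    pfs: bool


def check_end(end: TunnelEnd) -> list[str]:
    """Checks that apply to one side on its own."""
    findings = []
    if end.ipsec_lifetime >= end.ike_lifetime:
        findings.append(f"{end.name}: Phase 2 lifetime {end.ipsec_lifetime}s is not shorter "
                        f"than Phase 1 lifetime {end.ike_lifetime}s")
    if end.ike_mode == "aggressive" and end.auth == "psk":
        findings.append(f"{end.name}: aggressive mode with a pre-shared key sends the identity "
                        f"and a PSK-derived hash in the clear; use main mode")
    return findings


def check_pair(a: TunnelEnd, b: TunnelEnd) -> list[str]:
    """Checks across the two ends of one tunnel."""
    findings = check_end(a) + check_end(b)
    for attr, label in (("ike_lifetime", "Phase 1 lifetime"),
                        ("ipsec_lifetime", "Phase 2 lifetime"),
                        ("ike_mode", "IKE mode")):
        va, vb = getattr(a, attr), getattr(b, attr)
        if va != vb:
            findings.append(f"{label} differs: {a.name}={va}, {b.name}={vb}")
    # Aggressive mode cannot negotiate these, so both sides must be pre-set identically.
    if "aggressive" in (a.ike_mode, b.ike_mode):
        if a.dh_group != b.dh_group:
            findings.append(f"DH group differs in aggressive mode: {a.dh_group} vs {b.dh_group}")
        if a.pfs != b.pfs:
            findings.append(f"PFS setting differs in aggressive mode: {a.pfs} vs {b.pfs}")
    return findings


def check_local_ids(tunnels: list[TunnelEnd]) -> list[str]:
    """PSK tunnels that terminate on the same remote firewall (for example several
    sites NATed to one public address) must carry distinct Local IDs, or the remote
    end cannot tell which tunnel, and which key, an incoming Phase 1 belongs to."""
    seen: dict = {}
    findings = []
    for t in tunnels:
        if t.auth != "psk":
            continue
        key = (t.peer, t.local_id)
        if key in seen:
            findings.append(f"{t.name} and {seen[key]} both use Local ID '{t.local_id}' towards {t.peer}")
        else:
            seen[key] = t.name
    return findings


if __name__ == "__main__":
    # Constructed pair: hq is fine, branch has every mistake the text warns about.
    hq = TunnelEnd("hq", "198.51.100.1", "hq.example", "main", "psk", 28800, 3600, 14, True)
    branch = TunnelEnd("branch", "203.0.113.2", "branch.example", "aggressive", "psk",
                       28800, 28800, 5, False)
    for line in check_pair(hq, branch):
        print("-", line)
```

Run it against both ends of every tunnel before the first Phase 1 rather than after the first unexplained drop; the lifetime findings are exactly the "worked for an hour, then died" case the text describes.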

    To understand what a VPN is, it is enough to expand and translate the abbreviation: a "virtual private network", one that joins individual computers or local networks in order to keep the transmitted information secret and secure. The technology involves establishing, with special software, a connection to a dedicated server on a public network. As a result, a reliably protected channel built on modern encryption algorithms appears inside the existing connection. In other words, a VPN is a point-to-point connection inside or on top of an insecure network that provides a secure tunnel for exchanging information between users and the server.

    Fundamental Properties of a VPN

    Understanding what a VPN is would be incomplete without its key properties: encryption, authentication and access control. These three criteria distinguish a VPN from an ordinary corporate network that runs over public connections. Implementing them makes it possible to protect user computers and the organization's servers: information passing through physically unprotected channels becomes resistant to outside interference, and the likelihood of its leakage and illegal use is reduced to a minimum.

    VPN typology

    Having understood what a VPN is, we can move on to its subtypes, distinguished by the protocols used:

    1. PPTP, the Point-to-Point Tunneling Protocol, creates a tunnel over an ordinary network. The connection consists of two sessions: data is carried as PPP over GRE, while the connection is initiated and controlled over TCP (port 1723). It can be hard to set up on mobile and some other networks. Today this is the least secure type of VPN (its MS-CHAPv2 authentication and RC4-based MPPE encryption are known to be breakable), and it should not be used for data that must not fall into third-party hands.
    2. L2TP, the Layer 2 Tunneling Protocol, was developed on the basis of PPTP and L2F. L2TP itself does not encrypt; combined with IPSec (L2TP/IPSec), which protects the single UDP session carrying both the data and the control channel, it is considerably more secure.
    3. SSTP, the Secure Socket Tunneling Protocol, is based on SSL/TLS. It creates its connections over HTTPS and needs only TCP port 443, which allows a connection to be established from almost anywhere, even through proxies.

    VPN Features

    The previous sections described what a VPN is from a technical point of view. Now let us look at the technology through the users' eyes and see what concrete advantages it brings:

    1. Security. No Internet user wants a social-network account hijacked or, worse, bank-card and e-wallet passwords stolen. A VPN protects personal data effectively: both outgoing and incoming traffic passes through the tunnel in encrypted form, and even the ISP cannot read it. This matters especially for those who often go online in Internet cafes and other places with unprotected Wi-Fi: without a VPN there, not only the transmitted information but the connected device itself is at risk.
    2. Anonymity. A VPN takes care of hiding and changing the IP address, because it never reveals the user's real IP to the resources visited: the entire flow of information passes through the VPN server. Connecting through anonymous proxies involves no encryption, the user's activity is not hidden from the provider, and the real IP can still reach the resource being used. With a VPN, the resource sees the VPN server's IP in place of the user's.
    3. Unrestricted access. Many sites are blocked at the level of states or local networks: in the offices of serious companies, for example, social networks are unavailable. Worse still is when you cannot reach your favorite site even from home. By substituting its own IP for the user's, a VPN changes the apparent location and opens the way to blocked sites.

    VPN Applications

    Virtual private networks are most often used by:

    1. Providers and company system administrators, to give secure access to the global network; different security settings apply to work inside the local network and to general Internet access.
    2. Administrators, to restrict access to a private network. This is the classic case: a VPN joins the divisions of an enterprise and also lets employees connect remotely.
    3. Administrators, to join networks of different levels. Corporate networks are usually multi-level, each successive level having stronger protection; here a VPN is more reliable than a simple join.

    Basic nuances when setting up a VPN

    Users who already know what a VPN connection is often set out to configure one themselves. Step-by-step instructions for setting up secure networks on various operating systems are easy to find, but they do not always mention one important point. With a standard VPN connection the default gateway is set to the VPN network, so the user's Internet traffic either stops working or is routed through the remote network. This is inconvenient and sometimes means paying for the traffic twice. To avoid it, open the TCP/IPv4 properties in the network settings and, in the advanced settings window, uncheck "Use default gateway on remote network". Bear in mind that this is split tunneling: only traffic for the remote network then goes through the VPN, and ordinary Internet traffic is no longer protected by it.

    A Virtual Private Network (VPN) is used to provide secure connections within a corporate network and for Internet access. Its main advantage is the high level of security gained by encrypting the traffic inside the tunnel, which matters whenever data is transferred.

    What is a VPN connection

    Many people who come across this abbreviation ask: VPN, what is it and why is it needed? The technology makes it possible to create one network connection on top of another. A VPN works in several modes:

    • host-to-network;
    • network-to-network;
    • host-to-host.

    A private virtual network organized at the network layer can carry both TCP and UDP. All data passing between the computers is encrypted, which gives the connection additional protection. There are many examples of what a VPN connection is and why it is worth using; they are discussed in detail below.

    Why do you need a VPN?

    Every provider is able to hand over logs of user activity at the request of the relevant authorities: your Internet company records everything you do online, which also relieves it of responsibility for the client's actions. There are many situations in which you need to protect your data and gain freedom, for example:

    1. A VPN is used to send confidential company data between branches, protecting important information from interception.
    2. Bypassing a service's geographic restriction. For example, the Yandex Music service is available only to residents of Russia and the CIS countries; a Russian-speaking resident of the United States cannot listen to its recordings. A VPN helps bypass this restriction by substituting a Russian network address.
    3. Hiding website visits from your provider. Not everyone is willing to share what they do on the Internet, so they protect their visits with a VPN.

    How VPN works

    When you use a VPN channel, your IP belongs to the country where the VPN server is located. On connection, a tunnel is created between the VPN server and your computer, so the provider's logs contain only an unintelligible stream of encrypted data, and analyzing it with special software yields nothing. Without this technology, plain HTTP immediately reveals which site you are connecting to (and even with HTTPS the destination address and server name remain visible to the provider). Note that what is hidden from the provider becomes visible to the VPN operator instead, so the choice of operator matters.

    VPN structure

    The connection consists of two parts. The first is the "internal" network (there may be several of them); the second is the "external" network over which the encapsulated connection runs, usually the Internet. A single computer can also be connected in this way. The user is attached to a given VPN through an access server connected to both the external and the internal network.

    When a remote user connects through the VPN software, the server has to carry out two processes: identification, then authentication. These are needed to obtain the right to use the connection. Once both steps are passed, the user is granted the permissions that make work possible; in essence this is the authorization process.

    VPN classification

    There are several types of virtual private networks, differing in degree of security, implementation method, layer of operation in the ISO/OSI model, and the protocol used. You can use paid access or a free VPN service from Google. By degree of security, channels are "secure" or "trusted". The latter suffice when the underlying connection already has the required level of protection. To build the former, the following technologies are used:

    • PPTP;
    • OpenVPN;
    • IPSec.

    How to create a VPN server

    Any computer user can set up a VPN by hand. Below we consider the option for the Windows operating system; this procedure needs no additional software. The setup goes as follows:

    1. To create a new connection, open the network connections panel: press Start and begin typing "Network connections".
    2. Press the "Alt" key, click the "File" menu and choose "New incoming connection".
    3. Then select the user who will be allowed to connect to this computer via VPN (if there is only one account on the PC, you must create a password for it). Tick the box and click "Next".
    4. Next, you are asked to choose the connection type; you can leave the tick next to "Internet".
    5. The next step is to enable the network protocols that will work over this VPN. Tick all the boxes except the second one. If desired, set a specific IP address, DNS servers and ports for the IPv4 protocol, but it is easier to leave assignment automatic.
    6. When you click "Allow access", the operating system creates the server automatically and shows a window with the computer name, which you will need for connecting.
    7. This completes the creation of a home VPN server.

    How to set up a VPN on Android

    The method above creates a VPN connection on a personal computer, but many people have long been doing everything from their phone. If you are wondering what a VPN is on Android, everything said above about this type of connection applies to a smartphone too. Modern devices are configured for comfortable high-speed Internet use. In some cases (to run games or open sites) proxy substitution or anonymizers are used, but for a stable and fast connection a VPN is better suited.

    If you already understand what a VPN on a phone is, you can go straight to creating the tunnel. This can be done on any Android device. The connection is set up as follows:

    1. Open the settings and tap the "Network" section.
    2. Find the item "Additional settings" and go to the "VPN" section. You will need a PIN code or password that unlocks the ability to create a network.
    3. Next, add a VPN connection: give it a name, fill in the "Server" field, enter the user name in the "username" field, and set the connection type. Tap "Save".
    4. After this, the new connection appears in the list; use it to switch away from the standard connection.
    5. An icon on the screen shows that the connection is active. Tapping it shows statistics of received/transmitted data, and the VPN connection can also be disconnected here.


    From the name itself, a virtual private network, it follows that it somehow reproduces the properties of a real private network.

    Strictly speaking, a network can be called private only if the enterprise alone owns and manages the entire network infrastructure: cables, patch panels, channel-forming equipment, switches, routers and other communication equipment.

    A virtual private network is a kind of "network within a network", that is, a service that gives users the illusion that their private network exists inside a public one.

    The main objectives of VPN technology are to guarantee the quality of service of user data flows in the public network and to protect them from unauthorized access or destruction.

    A virtual private network (VPN) is the joining of local networks across an open external environment (a wide-area network) into a single corporate network that ensures secure data exchange.

    The essence of VPN technology is as follows (Figure 6.1):

    Figure 6.1 - VPN network diagram

    VPN agents are installed on all computers that have access to the Internet (or any other public network); they process the IP packets transmitted over the networks.

    VPN agents automatically encrypt all outgoing information (and, correspondingly, decrypt all incoming information). They also check its integrity using an electronic digital signature (EDS) or a message authentication code (in Russian cryptographic terminology an "imitovstavka": a cryptographic checksum computed with the encryption key).

    Before sending an IP packet, the VPN agent proceeds as follows.

    The recipient IP address of the packet is analyzed, and the protection algorithm for this packet is chosen according to that address. If the recipient is not present in the VPN agent's settings, the information is not sent.

    The agent generates the sender's digital signature or MAC and adds it to the packet.

    It encrypts the packet in its entirety, header included.

    It encapsulates the packet: a new header is formed whose address is not the recipient's at all but that of the recipient's VPN agent. This useful extra feature makes communication between two networks look like communication between two computers with VPN agents installed. Information useful to an attacker, such as internal IP addresses, is no longer available to him.

    When an IP packet is received, the reverse steps are performed.

    The header contains information about the sender's VPN agent. If it is not in the list of allowed agents in the settings, the information is simply discarded.

    According to the settings, the cryptographic and signature algorithms and the necessary keys are selected, after which the packet is decrypted and its integrity is checked; packets whose integrity is broken (incorrect signature) are discarded as well.

    After all the reverse transformations, the packet in its original form is forwarded to the real recipient over the local network.

    All these operations are performed automatically; the work of VPN agents is invisible to users. A VPN agent can also be located directly on the protected computer (especially useful for mobile users); in that case it protects only the traffic of the computer it is installed on.

    6.1 The concept of a “tunnel” when transmitting data in networks

    To transfer data, VPN agents create virtual channels between protected local networks or computers (such a channel is called a “tunnel”, and the technology for creating it is called “tunneling”). All information is transmitted through the tunnel in encrypted form.

    Figure 6.2.

    One of the required functions of VPN agents is packet filtering. Filtering follows the settings of the VPN agent, which together form the security policy of the virtual private network. To increase the security of virtual private networks, it is advisable to place firewalls (filters) at the ends of the tunnels.

    VPN agents act as VPN gateways. A VPN security gateway is a network device that connects to two networks, the wide-area and the local one, and performs encryption and authentication for the hosts on the network behind it. A VPN gateway can be implemented as a separate hardware device, as a separate software product, or as a firewall or router with VPN functionality.

    The network connection of a VPN security gateway appears to the users behind it as a leased line, although it actually runs over an open packet-switched network. The gateway's VPN address on the external network side is the destination address of the incoming tunneled packet; the internal address is the address of the host behind the gateway. A VPN security gateway can function as part of a router, a firewall, etc.

    The peculiarity of tunneling is that the entire original packet, header included and not just the data field, is encrypted. The original packet, encrypted as a whole, is placed inside another, outer packet with a header in the clear. To transport the data over the "dangerous" network, the open fields of the outer packet header are used; when the outer packet reaches the endpoint of the secure channel, the inner packet is extracted from it, decrypted, and its header is used for onward transmission in the clear over a network that does not require protection.

    Figure 6.3 – VPN tunnel organization

    In this case, the outer packets carry the addresses of the border routers (VPN gateways) installed at the two sites, while the internal addresses of the end hosts are contained in the inner packets in protected form (Figure 6.4).

    Figure 6.4 – Packet tunneling
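The outbound and inbound steps of the VPN agent listed above, and the tunneling of section 6.1 (whole inner packet encrypted, outer header addressed to the peer gateway), carried out in code as an added example that is not the page's or any product's implementation. Assumptions: inner packets are minimal IPv4 headers; the peer table (which networks sit behind which remote agent, and with which keys) has been configured in advance; the stream cipher is a stand-in built from HMAC-SHA256 in counter mode so that the script needs only the standard library, where a real agent would use an authenticated cipher such as AES-GCM; and the integrity tag is computed over the ciphertext (encrypt-then-MAC) rather than before encryption as in the list above, so that the receiver rejects a tampered packet before decrypting anything. All addresses are from the documentation ranges.

```python
"""A minimal "VPN agent" applying the outbound and inbound steps described above.

Added example, not the page's or any product's code. Stand-in cryptography:
keystream from HMAC-SHA256 in counter mode, HMAC-SHA256 as the integrity tag.
"""
from __future__ import annotations

import hashlib
import hmac
import ipaddress
import os
import struct
from dataclasses import dataclass
from typing import Optional

ESP_PROTO = 50        # protocol number used in the outer header, as IPsec ESP does
NONCE_LEN = 12
TAG_LEN = 32          # HMAC-SHA256


def ipv4_packet(src: str, dst: str, payload: bytes, proto: int = 17) -> bytes:
    """Minimal IPv4 header (checksum left zero: enough for the demonstration)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def ipv4_addrs(pkt: bytes) -> tuple[str, str]:
    """(source, destination) of a packet built by ipv4_packet()."""
    return str(ipaddress.IPv4Address(pkt[12:16])), str(ipaddress.IPv4Address(pkt[16:20]))


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: keystream block i = HMAC-SHA256(key, nonce || i).
    Symmetric, so one call both encrypts and decrypts. Not a substitute for AES-GCM."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack("!I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


@dataclass
class Peer:
    """One entry of the agent's policy table: remote agent, network behind it, keys."""
    gateway: str
    network: "ipaddress.IPv4Network | str"
    enc_key: bytes
    mac_key: bytes

    def __post_init__(self):
        self.network = ipaddress.IPv4Network(self.network)


class VpnAgent:
    def __init__(self, address: str, peers: list[Peer]):
        self.address = address      # this agent's address on the public network
        self.peers = peers

    def protect(self, inner: bytes) -> Optional[bytes]:
        """Outbound: choose the policy by destination, encrypt the whole packet
        (header included), add the tag, and encapsulate it towards the peer agent.
        None means the packet is not sent."""
        _src, dst = ipv4_addrs(inner)
        ip = ipaddress.IPv4Address(dst)
        peer = next((p for p in self.peers if ip in p.network), None)
        if peer is None:
            return None                          # recipient absent from the settings
        nonce = os.urandom(NONCE_LEN)
        ct = stream_xor(peer.enc_key, nonce, inner)
        tag = hmac.new(peer.mac_key, nonce + ct, hashlib.sha256).digest()
        return ipv4_packet(self.address, peer.gateway, nonce + ct + tag, proto=ESP_PROTO)

    def unprotect(self, outer: bytes) -> Optional[bytes]:
        """Inbound: accept only known peer agents, verify the tag before decrypting,
        and return the original inner packet. None means the packet is dropped."""
        src, _dst = ipv4_addrs(outer)
        peer = next((p for p in self.peers if p.gateway == src), None)
        if peer is None or outer[9] != ESP_PROTO:
            return None                          # sender agent not in the allowed list
        body = outer[20:]
        if len(body) < NONCE_LEN + TAG_LEN + 20:
            return None                          # cannot contain an IPv4 packet
        nonce, ct, tag = body[:NONCE_LEN], body[NONCE_LEN:-TAG_LEN], body[-TAG_LEN:]
        expected = hmac.new(peer.mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                          # integrity broken: discard
        return stream_xor(peer.enc_key, nonce, ct)


if __name__ == "__main__":
    # Constructed two-site setup with shared keys (documentation addresses).
    ek, mk = b"e" * 32, b"m" * 32
    a = VpnAgent("203.0.113.1", [Peer("198.51.100.1", "10.2.0.0/16", ek, mk)])
    b = VpnAgent("198.51.100.1", [Peer("203.0.113.1", "10.1.0.0/16", ek, mk)])
    outer = a.protect(ipv4_packet("10.1.0.7", "10.2.0.5", b"hello"))
    print("outer addresses:", ipv4_addrs(outer))
    print("inner addresses:", ipv4_addrs(b.unprotect(outer)))
```

The two addresses printed for the outer packet are the gateways', exactly as Figure 6.4 shows; the internal 10.x addresses exist only inside the ciphertext. Note the order of checks on the inbound path: source agent first, then tag, then decryption, so an unknown or tampering sender never reaches the cipher at all.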

    6.2 VPN network architecture

    By architecture, there are three main types of VPN:

    1) Remote access VPN

    2) Intranet VPN

    3) Inter-corporate VPN (Extranet VPN)

    6.2.1 Remote access VPN

    In this scheme (Figure 6.5), individual employees access the organization's corporate network remotely through a public network. Remote clients can work from home or, with a laptop, from anywhere on the planet with access to the World Wide Web.

    Figure 6.5 – VPN with remote access

    6.2.2 Intranet VPN (Figure 6.6)

    Figure 6.6 – Intranet VPN

    Here the geographically distributed branches of a company are joined into one common network. This method is called Intranet VPN. It is suitable both for ordinary branches and for mobile offices, which gain access to the resources of the "parent" company and can easily exchange data with each other.

    6.2.3 Inter-corporate VPN (Figure 6.7)

    Figure 6.7 – Extranet VPN

    This is the so-called Extranet VPN, in which access over secure channels is given to the organization's clients or partners. It has become widespread with the popularity of e-commerce.

    In this case, remote clients (partners) have very limited use of the corporate network; in practice they are restricted to those company resources that they need when dealing with the company, for example a site with commercial offers, and the VPN here serves to transfer confidential data securely.

    Besides VPN gateways, Figure 6.7 also shows firewalls (FW). Firewalls (filters) control the transmitted content (viruses and other external attacks). A firewall is a "fence" around a network that keeps intruders out, while a VPN is an "armored car" that protects valuables when they are taken outside the fence. Both solutions are therefore needed to secure information resources to the required level. Most often the firewall and VPN functions are combined in one device.