Virtual Private Networkstwente.hcc.nl/downloads/VPNs.pdfVPN protocols - IKEv2 Internet Key Exchange...

26

Transcript of Virtual Private Networkstwente.hcc.nl/downloads/VPNs.pdfVPN protocols - IKEv2 Internet Key Exchange...

Page 1: Virtual Private Networkstwente.hcc.nl/downloads/VPNs.pdfVPN protocols - IKEv2 Internet Key Exchange version 2 handles request and response actions handling the SA (Security Association)
Page 2: Virtual Private Networkstwente.hcc.nl/downloads/VPNs.pdfVPN protocols - IKEv2 Internet Key Exchange version 2 handles request and response actions handling the SA (Security Association)

VirtualPrivate

Networks

Rudi Engelbertink CISSP

Page 3: Virtual Private Networkstwente.hcc.nl/downloads/VPNs.pdfVPN protocols - IKEv2 Internet Key Exchange version 2 handles request and response actions handling the SA (Security Association)

Introduction

● Purpose of VPNs● Types of VPNs● Types of VPN Protocols● OSI model● VPN types in depth● VPN providers● Do I need a VPN ?● Questions ?

Page 4: Virtual Private Networkstwente.hcc.nl/downloads/VPNs.pdfVPN protocols - IKEv2 Internet Key Exchange version 2 handles request and response actions handling the SA (Security Association)

Purposes of VPNs

● Connect networks● Protect your data transmission● Hide your location● Anonymous access● Gain geo-restricted access

Page 5: Virtual Private Networkstwente.hcc.nl/downloads/VPNs.pdfVPN protocols - IKEv2 Internet Key Exchange version 2 handles request and response actions handling the SA (Security Association)

VPN Types

● Site - to - Site VPNs– Intranet based VPN– Extranet based VPN

● Remote Access VPNs– Access to private networks– Bypass regional restrictions– Enhance security & privacy

Page 6: Virtual Private Networkstwente.hcc.nl/downloads/VPNs.pdfVPN protocols - IKEv2 Internet Key Exchange version 2 handles request and response actions handling the SA (Security Association)

OSI model

Page 7: Virtual Private Networkstwente.hcc.nl/downloads/VPNs.pdfVPN protocols - IKEv2 Internet Key Exchange version 2 handles request and response actions handling the SA (Security Association)

OSI model

Page 8: Virtual Private Networkstwente.hcc.nl/downloads/VPNs.pdfVPN protocols - IKEv2 Internet Key Exchange version 2 handles request and response actions handling the SA (Security Association)

TCP/IP Protocol

Page 9: Virtual Private Networkstwente.hcc.nl/downloads/VPNs.pdfVPN protocols - IKEv2 Internet Key Exchange version 2 handles request and response actions handling the SA (Security Association)

VPN protocols

● MPLS/hybrid● IPsec● IKEv2● L2TP● PPTP● SSL / TLS / SSTP● SSH● OpenVPN

Page 10: Virtual Private Networkstwente.hcc.nl/downloads/VPNs.pdfVPN protocols - IKEv2 Internet Key Exchange version 2 handles request and response actions handling the SA (Security Association)

VPN protocols - MPLS/Hybrid

Page 11: Virtual Private Networkstwente.hcc.nl/downloads/VPNs.pdfVPN protocols - IKEv2 Internet Key Exchange version 2 handles request and response actions handling the SA (Security Association)

VPN protocols - IPsec

● Transport mode● Tunnel mode

Page 12: Virtual Private Networkstwente.hcc.nl/downloads/VPNs.pdfVPN protocols - IKEv2 Internet Key Exchange version 2 handles request and response actions handling the SA (Security Association)

IPsec - Transport mode

Page 13: Virtual Private Networkstwente.hcc.nl/downloads/VPNs.pdfVPN protocols - IKEv2 Internet Key Exchange version 2 handles request and response actions handling the SA (Security Association)

IPsec - Tunnel mode

Page 14: Virtual Private Networkstwente.hcc.nl/downloads/VPNs.pdfVPN protocols - IKEv2 Internet Key Exchange version 2 handles request and response actions handling the SA (Security Association)

VPN protocols - IKEv2

● Internet Key Exchange version 2● handles request and response actions● handling the SA (Security Association)

attribute● responsible for establishing a secure tunnel● The IKE protocol uses UDP port 500● supports PFS (Perfect Forward Secrecy).

Page 15: Virtual Private Networkstwente.hcc.nl/downloads/VPNs.pdfVPN protocols - IKEv2 Internet Key Exchange version 2 handles request and response actions handling the SA (Security Association)

VPN protocols - L2TP

Page 16: Virtual Private Networkstwente.hcc.nl/downloads/VPNs.pdfVPN protocols - IKEv2 Internet Key Exchange version 2 handles request and response actions handling the SA (Security Association)

VPN protocols - PPTP

Page 17: Virtual Private Networkstwente.hcc.nl/downloads/VPNs.pdfVPN protocols - IKEv2 Internet Key Exchange version 2 handles request and response actions handling the SA (Security Association)

VPN protocols - SSL/TLS/SSTP

Page 18: Virtual Private Networkstwente.hcc.nl/downloads/VPNs.pdfVPN protocols - IKEv2 Internet Key Exchange version 2 handles request and response actions handling the SA (Security Association)

VPN protocols - SSH tunnel

Page 19: Virtual Private Networkstwente.hcc.nl/downloads/VPNs.pdfVPN protocols - IKEv2 Internet Key Exchange version 2 handles request and response actions handling the SA (Security Association)

VPN protocols - OpenVPN

Page 20: Virtual Private Networkstwente.hcc.nl/downloads/VPNs.pdfVPN protocols - IKEv2 Internet Key Exchange version 2 handles request and response actions handling the SA (Security Association)

Do I need a VPN ?

It depends– Access ‘home’ services– Protect against eavesdropping– Hide your real location– Protect your remote device– Access blocked content– Hide your identity

Page 21: Virtual Private Networkstwente.hcc.nl/downloads/VPNs.pdfVPN protocols - IKEv2 Internet Key Exchange version 2 handles request and response actions handling the SA (Security Association)

VPN providers

● Setup a home OpenVPN server– Site-2-Site– Remote Access

● Authentication– Username/password– Preshared Secret– TLS Authentication– Certificates

● Own Certificate Authority● Strickt certificate checking

Page 22: Virtual Private Networkstwente.hcc.nl/downloads/VPNs.pdfVPN protocols - IKEv2 Internet Key Exchange version 2 handles request and response actions handling the SA (Security Association)

VPN providers

● 99 VPN products are owned or operated by only 23 companies (6 Chinese)

● 5/9/14 eyes countries● Russia / China based● Logging

Page 23: Virtual Private Networkstwente.hcc.nl/downloads/VPNs.pdfVPN protocols - IKEv2 Internet Key Exchange version 2 handles request and response actions handling the SA (Security Association)

VPN providers

● Top 5 VPN– Express VPN– CyberGhost– NordVPN– Surfshark– PIA

● All support – Windows, Mac, iOS, Android, Linux

● All claim “NO logging”

Page 24: Virtual Private Networkstwente.hcc.nl/downloads/VPNs.pdfVPN protocols - IKEv2 Internet Key Exchange version 2 handles request and response actions handling the SA (Security Association)

Do I need a VPN ?

● Yes– #1 Data privacy– #2 Data security

● No

– # 1 Nothing to hide– # 2 Nothing to protect

Page 25: Virtual Private Networkstwente.hcc.nl/downloads/VPNs.pdfVPN protocols - IKEv2 Internet Key Exchange version 2 handles request and response actions handling the SA (Security Association)

Questions ?

Page 26: Virtual Private Networkstwente.hcc.nl/downloads/VPNs.pdfVPN protocols - IKEv2 Internet Key Exchange version 2 handles request and response actions handling the SA (Security Association)

References

● http://www.tcpipguide.com/index.htm● https://community.openvpn.net/openvpn/

wiki/Hardening● https://vpnpro.com/blog/hidden-vpn-

owners-unveiled-97-vpns-23-companies/● https://vpnoverview.com/privacy/

anonymous-browsing/5-9-14-eyes/● https://vpnoverview.com/best-vpn/top-5-

best-vpn/


Crypto Template IKEv2-Vendor Configuration Mode Commands · Crypto Template IKEv2-Vendor Configuration Mode Commands TheCryptoTemplateIKEv2-VendorConfigurationModeisusedtoconfigureanIKEv2IPSecpolicyfor

Crypto Template IKEv2-Vendor Configuration Mode Commands · Crypto Template IKEv2-Vendor Configuration Mode Commands TheCryptoTemplateIKEv2-VendorConfigurationModeisusedtoconfigureanIKEv2IPSecpolicyfor

Mobility Protocol Options for IKEv2 (MOPO-IKE)

Mobility Protocol Options for IKEv2 (MOPO-IKE)

Configuring IKEv2 Fragmentation - Cisco€¦ · IPv4 Crypto IKEv2 SA Tunnel-id Local Remote fvrf/ivrf Status 1 10.0.8.3/848 10.0.9.4/848 none/none READY Encr: AES-CBC, keysize: 256,

Configuring IKEv2 Fragmentation - Cisco€¦ · IPv4 Crypto IKEv2 SA Tunnel-id Local Remote fvrf/ivrf Status 1 10.0.8.3/848 10.0.9.4/848 none/none READY Encr: AES-CBC, keysize: 256,

What’s new in IPv6 testing? - Welcome to Unified ... · IPv6 Ready Logo Test Program IPv6 Core Protocols IPsec, IKEv2 DHCPv6 MLDv2 SIP MIPv6 SNMP UNH-IOL is the North American Regional

What’s new in IPv6 testing? - Welcome to Unified ... · IPv6 Ready Logo Test Program IPv6 Core Protocols IPsec, IKEv2 DHCPv6 MLDv2 SIP MIPv6 SNMP UNH-IOL is the North American Regional

Round Bar Pull Handles / Round Bar Pull Handles with ... · Round Bar Pull Handles / Round Bar Pull Handles with Mounting Tabs / Oval Pull Handles Aluminum Pull Handles / Sheet Metal

Round Bar Pull Handles / Round Bar Pull Handles with ... · Round Bar Pull Handles / Round Bar Pull Handles with Mounting Tabs / Oval Pull Handles Aluminum Pull Handles / Sheet Metal

Handles & Door Handles for doors

Handles & Door Handles for doors

Configure Site-to-Site VPN on FTD Managed by FDM...€2.€Create the IKEv2 Policy that defines the same parameters configured on the FTD: Crypto ikev2 policy 1 Encryption aes-256

Configure Site-to-Site VPN on FTD Managed by FDM...€2.€Create the IKEv2 Policy that defines the same parameters configured on the FTD: Crypto ikev2 policy 1 Encryption aes-256

Remote Access VPN AnyConnect Secure Mobility - … · CLI support to migrate IKEv1 config to IKEv2 migrate AnyConnect

Remote Access VPN AnyConnect Secure Mobility - … · CLI support to migrate IKEv1 config to IKEv2 migrate AnyConnect

Next-Gen USG IKEv2 VPN (Client-to-Site) - Zyxel · 2019-01-15 · 1/33 Next-Gen USG IKEv2 VPN (Client-to-Site) Computers running Windows 7 or later support IPSec IKEv2 with certificate

Next-Gen USG IKEv2 VPN (Client-to-Site) - Zyxel · 2019-01-15 · 1/33 Next-Gen USG IKEv2 VPN (Client-to-Site) Computers running Windows 7 or later support IPSec IKEv2 with certificate

SonicOS Enhanced 3.2 IKEv2 - SonicWallsoftware.sonicwall.com/firmware/beta/documentation/IKEv2.pdf · allows authentication of the sender of data, and Encapsulating Security Payload

SonicOS Enhanced 3.2 IKEv2 - SonicWallsoftware.sonicwall.com/firmware/beta/documentation/IKEv2.pdf · allows authentication of the sender of data, and Encapsulating Security Payload

BCOM-USB Device · 5-101, etc., the BCOM-USB also handles bit-oriented protocols such as Conitel 2020, CDC Type I and II, as well as SDLC/HDLC protocols. For a complete list of ...

BCOM-USB Device · 5-101, etc., the BCOM-USB also handles bit-oriented protocols such as Conitel 2020, CDC Type I and II, as well as SDLC/HDLC protocols. For a complete list of ...

Configuring Internet Key Exchange Version 2 (IKEv2) · Configuring Internet Key Exchange Version 2 (IKEv2) Information About Internet Key Exchange Version 2 5 † The EAP identity

Configuring Internet Key Exchange Version 2 (IKEv2) · Configuring Internet Key Exchange Version 2 (IKEv2) Information About Internet Key Exchange Version 2 5 † The EAP identity

Decorative Hardware Furniture Handles and Knobs – Design Handles

Decorative Hardware Furniture Handles and Knobs – Design Handles

Eap Ikev2 Rfc5106

Eap Ikev2 Rfc5106

IKEv2-based VPNs using strongSwan · PDF fileAndreas Steffen, 27.10.2009, LinuxKongress2009.ppt 1 Linux Kongress 2009 Dresden IKEv2-based VPNs using strongSwan Prof. Dr. Andreas Steffen

IKEv2-based VPNs using strongSwan · PDF fileAndreas Steffen, 27.10.2009, LinuxKongress2009.ppt 1 Linux Kongress 2009 Dresden IKEv2-based VPNs using strongSwan Prof. Dr. Andreas Steffen

GETVPNG-IKEv2...clientprotocolgikev2ikev2_profile1]–ConfigurethistostartusingG-IKEv2 cryptomapGETVPN_CM10gkm setgroupg1 interfaceg0/0/0 cryptomapGETVPN_CM GETVPN G-IKEv2 Configuration

GETVPNG-IKEv2...clientprotocolgikev2ikev2_profile1]–ConfigurethistostartusingG-IKEv2 cryptomapGETVPN_CM10gkm setgroupg1 interfaceg0/0/0 cryptomapGETVPN_CM GETVPN G-IKEv2 Configuration

Next-Gen USG IKEv2 VPN (Client-to-Site) - Zyxel · 1/33 Next-Gen USG IKEv2 VPN (Client-to-Site) Computers running Windows 7 or later support IPSec IKEv2 with certificate authentication,

Next-Gen USG IKEv2 VPN (Client-to-Site) - Zyxel · 1/33 Next-Gen USG IKEv2 VPN (Client-to-Site) Computers running Windows 7 or later support IPSec IKEv2 with certificate authentication,

IPsec and IKEv2 for the Contiki Operating Systemuu.diva-portal.org/smash/get/diva2:736994/FULLTEXT01.pdf · UPTEC IT 14 010 Examensarbete 30 hp juni 2014 IPsec and IKEv2 for the Contiki

IPsec and IKEv2 for the Contiki Operating Systemuu.diva-portal.org/smash/get/diva2:736994/FULLTEXT01.pdf · UPTEC IT 14 010 Examensarbete 30 hp juni 2014 IPsec and IKEv2 for the Contiki

ANSSI Enhancements for IKEv1 and IKEv2 ACL · PDF fileANSSI Enhancements for IKEv1 and IKEv2 ACL Modes FromRelease20onwards,theANSSIforACLmodeshavebeenenhancedtoprovideadditional functionalities

ANSSI Enhancements for IKEv1 and IKEv2 ACL · PDF fileANSSI Enhancements for IKEv1 and IKEv2 ACL Modes FromRelease20onwards,theANSSIforACLmodeshavebeenenhancedtoprovideadditional functionalities

Netzob Documentation · communication protocols. It handles different types of protocols : text protocols (like HTTP and IRC), fixed fields protocols (like IP and TCP) and variable

Netzob Documentation · communication protocols. It handles different types of protocols : text protocols (like HTTP and IRC), fixed fields protocols (like IP and TCP) and variable