Docx 20110922 Bao Cao VPN Final


  • 8/2/2019 Docx 20110922 Bao Cao VPN Final


Topic: VPN (Virtual Private Network)

VIETNAM NATIONAL UNIVERSITY, HO CHI MINH CITY

UNIVERSITY OF SCIENCE, FACULTY OF ELECTRONICS AND TELECOMMUNICATIONS

-------------oOo---------------

Topic: VPN (Virtual Private Network)

Supervisor: Nguyen Anh Vinh

Course: Network Technology

Group:

Phan B Tu - 0520091

Nguyen Minh Tm - 0520093

Nguyen Thanh Hng - 0520031

Faculty of Electronics and Telecommunications, University of Science


TABLE OF CONTENTS

I. Introduction to VPN technology
  1.1 What is a VPN
  1.2 Benefits of VPN
    - VPN reduces recurring costs
    - Reduces management and support costs
    - VPN ensures information security, integrity and authentication
    - VPN easily connects branches into one local network
  1.3 Components needed to create a VPN connection
II. Types of VPN
  2.1 Remote Access VPN
    - Remote Access VPN
    - What is needed to implement Remote Access VPN
  2.2 Site-to-Site VPN
    - Site-to-Site VPN
    - Intranet VPN
    - Extranet VPN
    - What is needed to implement Site-to-Site VPN
III. Technologies and protocols supporting VPN
  3.1 Tunneling and encryption
  3.2 Tunneling
  3.2 Encryption
    - Layer 2 VPN technology
    - Layer 3 VPN technology
    - GRE tunnels
    - MPLS VPNs
IV. IPSec security protocol
    - Digital Signatures
    - IPSec Security Protocol
    - IPSec Transport Mode
    - IPSec Tunnel Mode
    - Encapsulating Security Payload (ESP)
    - Authentication Header (AH)
    - Three-way CHAP authentication process
V. Conclusion
VI. Configuring a VPN model (Client to Site)
VII. References

I. Introduction to VPN technology:

1.1 What is a VPN?

A virtual private network, better known by the abbreviation VPN, is not a new concept in network technology. A VPN can be defined as a virtual network service deployed on top of the public network infrastructure in order to save the cost of point-to-point connections. A telephone call between two individuals is the simplest example of a virtual private connection over the public telephone network. The two key properties of VPN technology are "private" and "virtual", corresponding to the English terms Virtual and Private. A VPN can appear at any layer of the OSI model; a VPN is an enhancement of the WAN infrastructure that changes the WAN and adds the properties of a local network to it.


VPN = Tunneling + Encryption


1.2 Benefits of VPN:

VPN reduces recurring costs:

VPN saves the cost of leasing lines and reduces the costs incurred for remote employees, because they access the internal network through local service points, POPs (Points of Presence), which limits the access-line charges from the provider; as a result, the cost of a LAN-to-LAN connection drops significantly compared with renting a Leased-Line.

Reduces management and support costs:

By using the provider's service, we only have to manage the end connections at the branches and do not have to manage the switching equipment inside the network. At the same time, the Internet infrastructure and the service provider's technical team are put to use, so the company can concentrate on its business.

VPN ensures information security, integrity and authentication


Data transmitted over the network is encrypted with cryptographic algorithms and is also carried inside tunnels, so the information is highly secure.

VPN easily connects branches into one local network

With the trend toward globalization, a company can have many branches in many different countries. Centralized management of the information at all branches is necessary. A VPN can easily connect the networks of the branches and the head office into one LAN at low cost.

VPN supports today's most common network protocols, such as TCP/IP

IP address confidentiality: information sent over the VPN is encrypted, so the addresses on the private network are hidden and only the external Internet addresses are used.

1.3 Components needed to build a VPN connection:

- User authentication: provides a mechanism for authenticating users, allowing only legitimate users to connect to the VPN system.
- Address management: provides a valid IP address to the user after joining the VPN so that they can reach resources on the internal network.
- Data encryption: provides encryption of data during transmission to ensure privacy and data integrity.
- Key management: provides management of the keys used for encrypting and decrypting data.


II. Types of VPN:

VPNs are divided into 2 types:

- Remote Access VPN
- Site-to-Site VPN
  o Intranet VPN
  o Extranet VPN

Figure 1 - Remote Access VPN

2.1 Remote Access VPN


Remote Access VPN: provides remote access connections to an Intranet or Extranet over a shared infrastructure. Remote Access VPN uses Analog, Dial, ISDN, DSL, Mobile IP and Cable links to establish connections to mobile users.

An important characteristic of Remote Access VPN is that it lets users access the company's internal network remotely in order to work.

To implement Remote Access VPN you need:

- One VPN Gateway (with one public IP). This is the central processing point when a VPN client dials in to access the internal VPN system.
- VPN clients connected to the Internet


Figure 2 - Site-to-Site VPN

2.2 Site-to-Site VPN:

Site-to-Site VPN is divided into two types: Intranet VPN and Extranet VPN.

Intranet VPN: connects the head office, branches and remote offices to the company's internal network over a shared network infrastructure. Intranet VPN differs from Extranet VPN in that it only allows the company's own employees to access the company's internal network.

Extranet VPN: connects the company's customers, consultants or partners into one network over a shared infrastructure. Extranet VPN differs from Intranet VPN in that it allows users outside the company to access the system.

To implement Site-to-Site VPN you need:

- Two VPN Gateways (each VPN Gateway has one public IP). This is the central processing point when the VPN Gateway on the other side dials in.
- Clients connected to the internal network.

III. Technologies and protocols supporting VPN:

3.1 Tunneling and encryption

The main function of a VPN is to carry encrypted information inside a tunnel over a shared network infrastructure.

3.2 Tunneling

Most VPNs rely on a technique called Tunneling to create a private network on top of the Internet. In essence, this is the process of placing the entire packet inside a header layer that contains routing information, so that it can be carried across the intermediate network through separate "pipes" (tunnels).

When the packets reach their destination, the header layer is stripped and they are forwarded to the end stations that need the data. To establish a tunnel connection, the client and the server must use the same tunnel protocol.

The protocol of the outer packet is understood by the network and by both endpoints. These two endpoints are called tunnel interfaces, the points where packets enter and leave the network.

The Tunneling technique requires 3 different protocols:

- Carrier Protocol: the protocol used by the network the information travels over.
- Encapsulating Protocol: the protocol (such as GRE, IPSec, L2F, PPTP, L2TP) wrapped around the original data packet.
- Passenger Protocol: the protocol of the original data being carried (such as IPX, NetBeui, IP).

Users can place a packet of a protocol not supported on the Internet (such as NetBeui) inside an IP packet and send it safely across the Internet. Or they can place a packet using a private (non-routable) IP address inside another packet using a public (routable) IP address, to extend a private network over the Internet.

Tunneling in point-to-point VPNs

In this type of VPN, the encapsulating protocol GRE (Generic Routing Encapsulation) provides the mechanism for "packaging" the passenger protocol so that it can be carried over the carrier protocol. It includes information about the type of packet being encapsulated and about the connection between the server and the client. However, IPSec in tunnel mode sometimes acts as the encapsulating protocol instead of GRE. IPSec works well on both remote-access and point-to-point VPNs. Of course, it must be supported at both tunnel interfaces.


In this model, a packet is sent from a computer at the head office through the access server to the router (where GRE encapsulation takes place), then through the tunnel to the computer at the remote office.

Tunneling in remote-access VPNs

With this type of VPN, tunneling usually uses the Point-to-Point Protocol (PPP). As part of TCP/IP, PPP acts as the carrier for other IP protocols when the server and the remote access machine communicate over the network. In short, the tunneling technique for remote-access VPNs depends on PPP.

The protocols below are built on the basic structure of PPP and are used in remote-access VPNs.

L2F protocol

A layer 2 protocol developed by Cisco Systems. L2F is designed to allow a tunnel to be created between a NAS and a VPN Gateway device in order to carry frames; a remote user can connect to the NAS and send PPP frames from the remote user to the VPN Gateway inside the tunnel that was created.

PPTP (Point-to-Point Tunneling Protocol)

This is currently the most popular tunneling protocol. It was developed by Microsoft. PPTP provides part of the Remote Access Service (RAS).

Like L2F, PPTP allows a tunnel to be created from the user side (mobile user) to the VPN Gateway/Concentrator.

L2TP protocol

A standard protocol proposed by the IETF, L2TP integrates two strengths: the remote access of L2F (Cisco Systems' Layer 2 Forwarding) and the fast point-to-point connectivity of PPTP (Microsoft's Point to Point Tunneling Protocol). In a remote-access environment, L2TP allows a tunnel to be created for frames and uses PPP to carry data inside the tunnel.

Some advantages of L2TP

- L2TP supports multiple protocols.
- It does not require extra software or OS support, so remote users as well as users inside the Intranet do not need to install special software.
- L2TP allows many mobile users to access the remote network through the public network.
- L2TP is not highly secure by itself, but it can be combined with the IPSec security mechanism to protect data.


With L2TP, account authentication is based on the Host Gateway Network, so the service provider does not have to maintain an access-authorization database.

Point to Point Protocol (PPP)

This is an encapsulation protocol for carrying data over a serial connection. PPP's greatest advantage is that it can operate on any Data Terminal Equipment (DTE) or Data Connection Equipment (DCE). A convenient feature of PPP is that it does not limit the access speed. PPP is ready for full-duplex connections and is a good solution for dial-up connections.

Notes:

- If you want to set up a secret "tunnel" over the Internet using the remote-access mechanism, you can only use IPSec directly when the client has a real IP address.
- Because L2TP with IPSec encryption requires a Public Key Infrastructure, it is harder to deploy and more expensive than PPTP. L2TP/IPSec is L2TP running on top of IPSec, while the IPSec Tunnel Mode transport mechanism is a different protocol.
- Because of its access-authorization mechanism, L2TP/IPSec or IPSec Tunnel Mode can only pass through a network address translation (NAT) device by going through more "tunnels". If you use a NAT between the point of presence (POP) and the Internet, you will run into difficulty. In PPTP, an encrypted IP packet is placed inside an unencrypted IP packet, so it can pass through a NAT.
- PPTP and L2TP can work with password-based access-authorization systems, and they support this at an advanced level with smart cards, biometric technology and devices with similar functions.

Recommendations:


- PPTP is the optimal solution when customers want a security mechanism that is inexpensive and not complex. This protocol is also effective when data flows must pass through NAT. Customers who want both NAT and higher security can configure IPSec rules on Windows 2000.
- L2TP is the best solution when customers consider security the top priority and commit to deploying a Public Key Infrastructure (PKI). If you need a NAT device in the VPN path, this solution may not be effective.
- IPSec Tunnel Mode is more effective for point-to-point (site-to-site) VPNs. Although this protocol is now also applied to remote-access VPNs, its operations do not "interoperate" with one another. IPSec Tunnel Mode will be discussed in more detail in the point-to-point VPN section that follows.

Comparison of VPN protocols

IPSEC
  Strengths: operates independently; allows network addresses to be hidden; supports encryption techniques
  Weaknesses: no user management; few products interoperate with other vendors; little interface support
  Used in the network: the best client-side software for remote access

PPTP
  Strengths: runs on Windows NT, 98, 95; defines the tunnel connection; provides multiprotocol capability; RSA RC-4 encryption
  Weaknesses: does not provide data encryption from remote access servers; largely proprietary
  Used in the network: used on the remote access server; can be used for Win9x desktops or WinNT workstations

L2F
  Strengths: allows multiprotocol tunnels to be defined; provided by many vendors
  Weaknesses: no encryption; weak in user authentication; no flow control for the tunnel
  Used in the network: for remote access

L2TP
  Strengths: combines PPTP and L2F; only one package needed, running over X25 and Frame Relay; uses IPSEC for encryption
  Weaknesses: not yet widely provided in products; no security at the endpoints
  Used in the network: for remote access

3.2 Encryption


Encryption is a basic feature in building and designing a VPN. A VPN uses the infrastructure of the Internet and other public networks.

Therefore data transmitted over the network can be captured and read. To ensure that information can only be read by the recipient and the sender, the data must be encrypted with complex algorithms. However, only important information should be encrypted, because encryption and decryption affect the transmission speed.

VPN service providers divide VPNs into 3 sets: layer 1, layer 2 and layer 3 VPNs.

Layer 1 VPNs are used to carry layer 1 services over a shared network infrastructure, controlled and managed by Generalized Multiprotocol Label Switching (GMPLS).

At present, layer 1 VPN development is still in the experimental stage, so Layer 1 VPNs are not covered in this report.

In the simplest terms, a VPN connection between two points on a public network is a way of establishing a logical connection. The logical connection can be established at layer 2 or layer 3 of the OSI model, and VPN technology can be broadly classified by this criterion as Layer 2 VPNs or Layer 3 VPNs.

Layer 2 VPN technology

Layer 2 VPNs operate at layer 2 of the OSI reference model; point-to-point connections are established between sites based on a virtual circuit. A virtual circuit is a logical connection between 2 points on a network and can be extended to multiple points. A virtual circuit connecting 2 endpoints (end-to-end) is usually called a Permanent Virtual Circuit (PVC). A virtual circuit that dynamically connects 2 points on the network (point to point) is known as a Switched Virtual Circuit (SVC). SVCs are used less because they are complex to deploy and to troubleshoot. ATM and Frame Relay are the 2 most common layer 2 VPN technologies.


Providers of ATM and Frame Relay networks can offer site-to-site connections to corporations and companies by configuring Permanent Virtual Circuits (PVCs) across a shared backbone.

A convenience of layer 2 VPNs is their independence from layer 3 traffic. The ATM and Frame Relay networks connecting the sites can carry many different routed protocols such as IP, IPX, AppleTalk, IP Multicast... ATM and Frame Relay also provide QoS (Quality of Service), which is a prerequisite for carrying voice traffic.

Layer 3 VPN technology

A connection between sites can be defined as a layer 3 VPN. Layer 3 VPN types include GRE, MPLS and IPSec. GRE and IPSec are used to make point-to-point connections, while MPLS makes multipoint (any-to-any) connections.

GRE tunnels

Generic Routing Encapsulation (GRE) was initiated and developed by Cisco and later confirmed by the IETF as standard RFC 1702. GRE is used to create tunnels and can carry many kinds of protocols, such as IP, IPX, AppleTalk and any other protocol's packets, inside an IP tunnel. GRE has no high-level security function of its own, but it can be protected by using IPSec. A GRE tunnel between 2 sites over which IP is carried can be considered a VPN, because the private data between the 2 sites is encapsulated into packets whose header follows the GRE standard.
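As an added illustration of the carrier/encapsulating/passenger layering from section 3.2 and of the GRE tunnel described above (example code written for this page, not part of the original report), the Python below builds an outer IPv4 header (carrier, protocol 47) around a GRE header (encapsulating, protocol type 0x0800) around a private-address IPv4 packet (passenger), then decapsulates it the way the far gateway would; the addresses and payload are constructed sample values.

```python
import socket
import struct
from dataclasses import dataclass

GRE_PROTOCOL = 47         # IP protocol number of the carrier packet when GRE is inside
UDP_PROTOCOL = 17
ETHERTYPE_IPV4 = 0x0800   # GRE "protocol type" announcing an IPv4 passenger


def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071) over `data`; 0 for a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options, with the checksum field filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def gre_encapsulate(passenger: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap a passenger packet: outer IPv4 (carrier) + GRE (encapsulating) + passenger."""
    gre_header = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)  # no C/K/S bits, version 0
    inner = gre_header + passenger
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTOCOL, len(inner)) + inner


@dataclass
class Decapsulated:
    outer_src: str
    outer_dst: str
    inner_src: str
    inner_dst: str
    inner_proto: int
    payload: bytes


def gre_decapsulate(packet: bytes) -> Decapsulated:
    """What the far VPN gateway does: validate the carrier, strip GRE, return the passenger."""
    if packet[0] >> 4 != 4:
        raise ValueError("outer packet is not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if inet_checksum(packet[:ihl]) != 0:
        raise ValueError("outer IPv4 header checksum is wrong")
    if packet[9] != GRE_PROTOCOL:
        raise ValueError("outer protocol %d is not GRE" % packet[9])
    flags, proto_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x0007:                      # version field must be 0 (RFC 2784)
        raise ValueError("unsupported GRE version")
    # optional GRE fields announced by the C, K and S bits each add 4 bytes
    gre_len = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    if proto_type != ETHERTYPE_IPV4:
        raise ValueError("passenger protocol 0x%04x not handled" % proto_type)
    inner = packet[ihl + gre_len:]
    inner_ihl = (inner[0] & 0x0F) * 4
    inner_len = struct.unpack("!H", inner[2:4])[0]
    return Decapsulated(
        outer_src=socket.inet_ntoa(packet[12:16]),
        outer_dst=socket.inet_ntoa(packet[16:20]),
        inner_src=socket.inet_ntoa(inner[12:16]),
        inner_dst=socket.inet_ntoa(inner[16:20]),
        inner_proto=inner[9],
        payload=inner[inner_ihl:inner_len],
    )


def demo() -> Decapsulated:
    """Constructed sample: a private 172.16.x.x packet carried between two public gateways."""
    payload = b"hello from the branch office"
    passenger = ipv4_header("172.16.1.2", "172.16.2.2", UDP_PROTOCOL, len(payload)) + payload
    # constructed tunnel endpoints (RFC 5737 documentation addresses, not real hosts)
    frame = gre_encapsulate(passenger, "192.0.2.1", "198.51.100.1")
    return gre_decapsulate(frame)


if __name__ == "__main__":
    print(demo())
```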


Because the public Internet is connected worldwide, the branches of a corporation can be located in different geographic regions. For these branches to exchange data with each other and with the head office, the only requirement is that each branch set up a physical connection to an Internet Service Provider (ISP). Through a VPN established with GRE tunnels, all data between branches is exchanged inside a GRE tunnel. Moreover, the data must be secured and protected against attacks.

MPLS VPNs

MPLS VPN technology builds Label Switched Paths through Label Switch Routers. Packets are forwarded based on each packet's label. MPLS VPN can use the protocols TDP (Tag Distribution Protocol), LDP (Label Distribution Protocol) or RSVP (Reservation Protocol).

This technology was initiated by Cisco; MPLS originated as tags in switched networks and was later standardized by the IETF as MPLS. MPLS is built from routers that use label switching (Label Switch Routers). In an MPLS network, packets are switched based on each packet's label. Service providers are now increasingly deploying MPLS to offer MPLS VPN services to customers.

The origin of all VPN technologies is that private data is encapsulated and delivered to its destination by attaching an extra header to the packets; MPLS VPN uses labels to encapsulate the original data and forward the packets to their destination.

RFC 2547 defines the VPN service that uses MPLS. One convenience of MPLS VPN compared with other VPN technologies is that it reduces the complexity of configuring VPNs between sites.


IV. IPSec security protocol:

VPN technology uses the public network infrastructure and other shared transmission media to carry data, so data security in a VPN is an extremely important issue. To solve this problem, the VPN builds a tunnel and uses the IPSec protocol suite to encrypt the data inside the tunnel.

An encryption algorithm has two functions, encryption and decryption:

- Encryption: converts plaintext data into encrypted data.
- Decryption: converts encrypted information back into plaintext using the provided key.

Cryptographic algorithms fall into the following two categories:

- Symmetric
- Asymmetric

Symmetric algorithms have the property that the recipient and the sender share the same secret key. Anyone who has the secret key can decrypt the ciphertext.

Asymmetric algorithms are also known as public-key algorithms. The encryption key is called the public key and can be published; only the private key must be kept secret. The public key and the private key are therefore related to each other. Anyone with the public key can encrypt plaintext, but only someone with the private key can decrypt the ciphertext back into plaintext.


To illustrate this algorithm, we return to the classic example problem: Bob and Alice need to exchange secret information using a public-key encryption algorithm.

Figure: Encryption and decryption using a Public Key

In practice, public-key algorithms are rarely used to encrypt the content of the information itself, because they are slower than symmetric algorithms. However, public keys are often used to solve the key-distribution problem of symmetric algorithms. Public Key does not replace Symmetric; the two complement each other.

Digital Signatures

Another application of public-key cryptography is the digital signature. Returning to the Alice and Bob problem: now Bob wants to verify that the letter Alice sent him was really sent by Alice and not an anonymous letter from some third party. So a digital signature is generated and attached to Alice's file, and Bob uses the Public Key to decrypt it and confirm that this is indeed Alice's signature. The verification mechanism is as follows:

- Alice's computer uses a HASH function to hash the document she wants to send Bob into a 512-byte file called the HASH file.

Figure: Digital signature verification mechanism

- Alice encrypts the HASH file with her Private Key to form the digital signature. The digital signature is attached to the document and sent.
- Bob decrypts Alice's digital signature with the Public Key to produce HASH1, then uses the HASH function to hash the plaintext received from Alice to produce HASH2.
- HASH1 and HASH2 are compared; if they match, the document Bob received is indeed the one Alice sent.

IPSec Security Protocol

The purpose of IPSec is to provide security services for IP packets at the Network layer. These services include access control, data integrity, authentication and data confidentiality. Encapsulating Security Payload (ESP) and Authentication Header (AH) are the two main protocols used to provide security for IP packets. IPSec operates in two modes, Transport Mode and Tunnel Mode.

IPSec Transport Mode

In this mode an IPSec transport header (AH or ESP) is inserted between the IP header and the upper-layer headers.

Figure: An IP packet protected by IPSec in Transport Mode


In this mode, the IP header is the same as the IP header of the original packet, except that the IP Protocol field is changed if ESP (50) or AH (51) is used, and the IP header checksum is recalculated. In this mode, the destination IP address in the IP header is not changed by the IPSec source, so this mode can only be used to protect packets whose IP endpoints and IPSec endpoints are the same.

IPSec Transport Mode is very good for protecting traffic between two hosts rather than for a site-to-site model. Furthermore, the IP addresses of the two hosts must be routable (the hosts can see each other on the network), which means the hosts cannot be behind NAT. Therefore IPSec Transport Mode is usually used to protect the tunnels created by GRE between VPN Gateways in the Site-to-Site model.

IPSec Tunnel Mode

The IPSec VPN service using Transport mode and GRE encapsulation between VPN Gateways in the Site-to-Site model is effective. But when clients connect to the VPN Gateway, the path from the client to the VPN Gateway is not protected; moreover, when clients want to connect to a site, IPSec protection is again a problem. IPSec Tunnel Mode was created to address this.

In Tunnel Mode, the original IP packet is encapsulated in an IP datagram and an IPSec header (AH or ESP) is inserted between the outer and inner headers. Because it is encapsulated with an "outer" IP packet, Tunnel mode can be used to provide security services between IP nodes behind a VPN Gateway.

Encapsulating Security Payload (ESP)

ESP provides confidentiality, data integrity, data origin authentication and an anti-replay service.

Figure: IP packet in IPSec Tunnel mode

Figure: IP datagram protected by ESP


ESP sets the value 50 in the IP header. The ESP header is inserted after the IP header and before the upper-layer protocol header. The IP header can be a new IP header in Tunnel mode, or the original IP header in Transport mode.

The Security Parameter Index (SPI) in the ESP header is a 32-bit value that is combined with the destination address and the protocol in the IP header. The SPI is a number chosen by the destination host during the public-key negotiation between the peers. This number increases sequentially and resides in the sender's header. The SPI combined with a sliding-window mechanism forms the anti-replay mechanism.

Figure: IP packet protected by ESP in Transport mode

Figure: IP packet protected by ESP in Tunnel mode
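An added example (not part of the report) of the ESP header fields above and of the sliding-window anti-replay check: it parses the SPI and sequence number from constructed ESP packets (IP protocol 50), keeps one 64-entry window per (destination address, SPI) pair, and rejects both replays and packets that have fallen behind the window. The packets are minimal constructed samples with the encrypted payload and integrity value omitted; the gateway address and SPI values are invented.

```python
import socket
import struct
from dataclasses import dataclass

ESP_PROTOCOL = 50   # IP protocol number of ESP (AH is 51)
WINDOW_SIZE = 64    # width of the sliding window in sequence numbers


@dataclass(frozen=True)
class EspHeader:
    dst: str   # outer destination address, part of the SA identity together with the SPI
    spi: int   # Security Parameter Index, 32 bits
    seq: int   # sequence number, 32 bits, increased by one for every packet sent


def parse_esp(packet: bytes) -> EspHeader:
    """Pull destination, SPI and sequence number out of an IPv4+ESP packet."""
    if packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != ESP_PROTOCOL:
        raise ValueError("IP protocol %d is not ESP (50)" % packet[9])
    spi, seq = struct.unpack("!II", packet[ihl:ihl + 8])
    return EspHeader(socket.inet_ntoa(packet[16:20]), spi, seq)


class AntiReplayWindow:
    """Per-SA window: bit i of `seen` means sequence number (highest - i) was already accepted."""

    def __init__(self, size: int = WINDOW_SIZE):
        self.size = size
        self.highest = 0
        self.seen = 0

    def accept(self, seq: int) -> bool:
        if seq == 0:                         # the first valid ESP sequence number is 1
            return False
        if seq > self.highest:               # newer than anything seen: slide the window
            shift = seq - self.highest
            self.seen = ((self.seen << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:              # older than the window can remember: drop
            return False
        if (self.seen >> offset) & 1:        # inside the window but already accepted: replay
            return False
        self.seen |= 1 << offset             # late but fresh: accept and remember it
        return True


def filter_packets(packets):
    """Run every packet through the window of its SA; return one accept/reject flag per packet."""
    windows = {}
    decisions = []
    for packet in packets:
        hdr = parse_esp(packet)
        window = windows.setdefault((hdr.dst, hdr.spi), AntiReplayWindow())
        decisions.append(window.accept(hdr.seq))
    return decisions


def make_esp_packet(dst: str, spi: int, seq: int) -> bytes:
    """Constructed sample: minimal IPv4 header (protocol 50) followed by SPI and sequence number."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, ESP_PROTOCOL, 0,
                     socket.inet_aton("192.0.2.1"), socket.inet_aton(dst))
    return ip + struct.pack("!II", spi, seq)


def demo():
    """Constructed packet stream toward one gateway; returns the accept/reject decision per packet."""
    gw = "198.51.100.1"   # constructed VPN gateway address
    stream = [
        make_esp_packet(gw, 0x1001, 1), make_esp_packet(gw, 0x1001, 2),
        make_esp_packet(gw, 0x1001, 3), make_esp_packet(gw, 0x1001, 2),    # replay of 2
        make_esp_packet(gw, 0x1001, 100), make_esp_packet(gw, 0x1001, 50),  # late, still in window
        make_esp_packet(gw, 0x1001, 30),                                    # too old: 100 - 30 >= 64
        make_esp_packet(gw, 0x2002, 2),                                     # different SA, own window
        make_esp_packet(gw, 0x1001, 100),                                   # replay of 100
    ]
    return filter_packets(stream)


if __name__ == "__main__":
    print(demo())
```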

Authentication Header (AH)

AH also provides data integrity checking, data authentication and anti-replay protection. But unlike ESP, it does not provide data confidentiality. The AH header is much simpler than the ESP header.

AH is an IP protocol, identified by the value 51 in the IP header. In Transport mode, the protected upper-layer protocol value is that of UDP, TCP, etc.; in Tunnel mode, this value is 4. The position of AH in Transport and Tunnel modes is shown in the following figures:

Figure: IP packet protected by AH in Transport mode

In Transport mode, AH is very good for connecting endpoints that use IPSec; in Tunnel mode, AH encapsulates the IP packet and adds an IP header in front of the header. Thus AH in Tunnel mode is used to provide a secure end-to-end VPN connection. However, the contents of the packet are not kept confidential.

Figure: IP packet protected by AH in Tunnel mode

Three-way CHAP authentication process (Three-Way CHAP Authentication Process)


    VI. Kt lun

    Hin nay xu hng cc cng ty c nhiu chi nhnh l ph bin, do nhu cu trao ithng tin gia cc chi nhnh l cn thit v cp bch. Do vy trong tng lai, nhucu trin khai h thng mng VPN gia cc chi nhnh trong mt cng ty l nhu cutt yu.

VI. Configuring a VPN model (Client to Site)


Conventions:
- LAN card: the network card used to connect the two machines to each other
- INTERNET card: the network card connected to the switch, so that all machines can see each other, and to the router

The lab model is as follows:

Client1: uses 1 card
Card LAN:
IP Address : 172.16.1.2
Subnet Mask : 255.255.0.0
Default Gateway : 172.16.1.1
Preferred DNS : (blank)

SERVER1
Card LAN:
IP Address : 172.16.1.1
Subnet Mask : 255.255.0.0


    http://www.zensoft.vn/Attachs/Articles/3674/1.jpg

Default Gateway : (blank)
Preferred DNS : (blank)

Card INTERNET:
IP Address : 192.168.1.1
Subnet Mask : 255.255.255.0
Default Gateway : 192.168.1.254 (points to the router)
Preferred DNS : 210.245.24.20

Client2: uses 1 card
Card INTERNET:
IP Address : 10.0.0.5
Subnet Mask : 255.255.255.0
Default Gateway : 10.0.0.2
Preferred DNS : 210.245.24.20

Steps

1. NAT port 1723 on the ADSL router to the SERVER1 machine.

2. Configure the VPN Server on the SERVER1 machine:

Step 1: Create a user so that Client2 can connect to the VPN Server

User: u1


Password: 123

- Uncheck User must change password at next logon, then click OK. Give u1 the Allow access permission.

Step 2: Select Start -- Programs -- Administrative Tools -- Routing and Remote Access.

In the Routing and Remote Access window, right-click SERVER1 and select Configure and Enable Routing and Remote Access.


    http://www.zensoft.vn/Attachs/Articles/3674/2.jpg

    http://www.zensoft.vn/Attachs/Articles/3674/3%20%28540%20x%20389%29.jpg

- Step 3: In the Welcome to the Routing and Remote Access Server Setup Wizard window, click Next. In the Configuration window, check Remote access (dial-up or VPN) and click Next.


    http://www.zensoft.vn/Attachs/Articles/3674/4.png

- Step 4: In the Remote Access window, check VPN and click Next.


    http://www.zensoft.vn/Attachs/Articles/3674/5.png

- Step 5: In the VPN Connection window, select the INTERNET card and uncheck Enable security on the selected interface by setting up static packet filters, then click Next. (Leaving that option checked would install static packet filters on the INTERNET card that admit only VPN traffic; with it unchecked, as in this lab, the ADSL router or a host firewall has to provide that filtering.)


    http://www.zensoft.vn/Attachs/Articles/3674/6%281%29.jpg

- Step 6: In the IP Address Assignment window, check From a specified range of addresses and click Next.


    http://www.zensoft.vn/Attachs/Articles/3674/7.gif

- Step 7: In the Address Range Assignment window, click New.

- Step 8: In the New Address Range window, enter the Start IP and End IP, click OK, then Next.


    http://www.zensoft.vn/Attachs/Articles/3674/8.jpg

- Step 9: In the Managing Multiple Remote Access Servers window, check No, use Routing and Remote Access to authenticate connection requests, then Next --> Finish --> OK.


http://www.zensoft.vn/Attachs/Articles/3674/10.jpg
http://www.zensoft.vn/Attachs/Articles/3674/9.jpg

3. Configure the VPN Client on the Client2 machine:

- Right-click My Network Places and select Properties, then Create a new connection; in the Welcome window click Next.
- In the Network Connection Type window, check Connect to the network at my workplace and click Next.
- In the Network Connection window, check Virtual Private Network connection and click Next.


    http://www.zensoft.vn/Attachs/Articles/3674/11.gif

- In the Connection Name window, type any name in Company Name (e.g. ITLab) and click Next.


    http://www.zensoft.vn/Attachs/Articles/3674/12.gif

- In the VPN Server Selection window, type the hostname registered on NO-IP into Host name or IP address, then Next --> Finish.


    http://www.zensoft.vn/Attachs/Articles/3674/13.gif

**Note: On SERVER1 you must install the program that updates the IP address for the host name banbeit.no-ip.com!

- In the Connect window, enter User name u1 and Password 123, then click Connect.


    http://www.zensoft.vn/Attachs/Articles/3674/14.gif


    http://www.zensoft.vn/Attachs/Articles/3674/15.jpg