IPSEC
VPNs and network security
The first school 100% dedicated to open source
Open Source School was founded at the initiative of Smile, the leader in open source integration and managed services, and of EPSI, a private institution and pioneer of higher education in computer science.
Under the Programme d'Investissements d'Avenir (PIA), the French government decided to support the creation of this school with an initial grant of 1.4M€, confirming its commitment to the free software sector, which is currently growing rapidly.
With annual growth of more than 10% and 4,000 vacant positions every year in the free software sector, OSS intends to address the sector's skills shortage by mobilising the whole ecosystem and offering the widest range of training in open source technologies, both as initial education and as continuing education.
Training for full employment!
Continuing education
Open Source School "Executive Education" is a training organisation offering a catalogue of more than 200 professional courses and several retraining schemes that enable a return to employment (POE) or better employability for many IT professionals.
Enquiries: formations@opensourceschool.fr
Initial education
100% free software and 100% work-study, the Open Source School curriculum is based on EPSI's skills-block framework.
It leads to an RNCP level I qualification (Bac+5).
The programme is offered on 6 campuses: Bordeaux, Lille, Lyon, Montpellier, Nantes and Paris.
Our training areas
Introduction IPSEC Protocols VPNs over IPSEC Applications T13G
Plan
1 Introduction
2 IPSEC Protocols
3 VPNs over IPSEC
4 Applications
5 Troubleshooting
www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 2/29
What is a VPN?
What is encapsulation?
Introduction to IPSEC
IPSEC is a set of protocols that harden the security of network communication.
Part of the IPv6 specification, but also ported to IPv4
Often used for VPNs, but it has other uses too
Unlike most products (e.g. OpenVPN), it is an IETF standard, which allows interoperability between implementations
This presentation covers the IPSEC implementations found in operating systems; there are also standalone software implementations, hardware implementations in dedicated equipment, etc.
IPSEC Protocols
IPSEC is built around several protocols:
ESP
AH
IKE
NAT-T
Encapsulation protocols
ESP provides:
Authentication
Integrity (of the payload)
Confidentiality
AH provides:
Authentication
Integrity (of the whole packet)
ESP does not protect the IP header, which is what makes it usable across NAT.
Negotiation protocols
IKE
IKE is the main protocol: it negotiates the security parameters between hosts.
NAT-T
NAT-T is a helper protocol that encapsulates the IPSEC traffic in UDP, allowing it to cross firewalls and NAT devices.
Establishment of an IPSEC session
Hosts contact each other using IKE (UDP 500)
IKE Phase 1: the hosts authenticate each other
IKE Phase 2: the hosts negotiate the IPSEC parameters
IPSEC-protected traffic starts flowing
Two possible modes
Transport mode: only the payload is encapsulated
Tunnel mode: the IP header is encapsulated too
In tunnel mode the original packet gets a new outer IP header, so the IP addresses can be rewritten; this is what makes VPNs possible.
SPD and SAD
Security Policy Database
The SPD is IPSEC's routing table: it decides which traffic is protected.
Security Association Database
The SAD is IPSEC's network status ("netstat"): it holds the current sessions.
Phase 1 parameters
Mode: main / aggressive
Identity: IP, DN, e-mail...
Authentication method: PSK, X509, RSA...
Encryption algorithm: 3DES, AES, Blowfish...
Authentication algorithm: MD5, SHA1, ...
Diffie-Hellman key length
Lifetime
Phase 2 parameters
Encryption algorithm
Authentication algorithm
Perfect Forward Secrecy
Lifetime
Domain: single host, subnet...
How sessions are established
Hosts contact each other spontaneously or on demand
The required sessions are established
When they expire, they are renewed automatically
Introduction
All the implementations we will study share certain characteristics:
SAD, SPD, routing and encapsulation are managed by the kernel
IKE negotiation, retries and renewal are managed by userland daemons
The two talk to each other over the standard PF_KEY interface, which allows different implementations to coexist
On Linux, two kernel implementations exist: the native PF_KEY implementation and KLIPS, a historical implementation.
Warning
Firewalls filter IPSEC traffic like any other traffic; you will have to configure yours to let it through.
Openswan/Strongswan: configuration
Configuration is done in ipsec.conf:
    conn net-net
        left=192.168.0.1
        leftsubnet=10.1.0.0/16
        leftid=192.168.0.1
        leftfirewall=yes
        right=192.168.0.2
        rightsubnet=10.2.0.0/16
        rightid=192.168.0.2
        auto=add
Write the PSK in ipsec.secrets.
Examples:
http://wiki.strongswan.org/projects/strongswan/wiki/IKEv1Examples
Openswan/Strongswan: commands
Restart:
    /etc/init.d/ipsec restart
Status (the command is "ipsec", with "auto --status" as its sub-command):
    ipsec auto --status
KAME: architecture
As usual, the SPD/SAD are in-kernel
setkey(8) is used to manipulate the SPD/SAD
racoon(8) is the IKE daemon
KAME: configuration
setkey script:
    #!/usr/sbin/setkey -f
    #
    # Flush SAD and SPD
    flush;
    spdflush;
    # Create policies for racoon
    spdadd 172.16.1.0/24 172.16.2.0/24 any -P out ipsec
        esp/tunnel/192.168.1.100-192.168.2.100/require;
    spdadd 172.16.2.0/24 172.16.1.0/24 any -P in ipsec
        esp/tunnel/192.168.2.100-192.168.1.100/require;
KAME: configuration (2)
racoon.conf:
    path pre_shared_key "/etc/psk.txt";
    remote 192.168.2.100 {
        exchange_mode main;
        proposal {
            encryption_algorithm 3des;
            hash_algorithm md5;
            authentication_method pre_shared_key;
            dh_group modp1024;
        }
    }
    sainfo address 172.16.1.0/24 any address 172.16.2.0/24 any {
        pfs_group modp768;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
    }
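The setkey SPD and the racoon sainfo selectors have to agree, or phase 2 fails for a policy that looks correct on its own. The following consistency check is an added example, not part of the course material: it parses spdadd statements and sainfo headers (the sample input is the setkey script and sainfo block from the slides) and reports an out policy without its mirrored in policy, or without a sainfo whose selectors match. The parser and check_config names are hypothetical.

```python
import re
from typing import Dict, List

# Constructed sample input: the setkey script from the slides above.
SETKEY_SCRIPT = """\
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 172.16.1.0/24 172.16.2.0/24 any -P out ipsec
    esp/tunnel/192.168.1.100-192.168.2.100/require;
spdadd 172.16.2.0/24 172.16.1.0/24 any -P in ipsec
    esp/tunnel/192.168.2.100-192.168.1.100/require;
"""

# Constructed sample input: the sainfo block of the racoon.conf above.
RACOON_CONF = """\
sainfo address 172.16.1.0/24 any address 172.16.2.0/24 any {
    pfs_group modp768;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
"""

# One spdadd statement: selectors, direction, then protocol/mode/endpoints/level.
SPDADD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+-P\s+(?P<dir>in|out)"
    r"\s+ipsec\s+(?P<ipproto>esp|ah)/(?P<mode>tunnel|transport)/"
    r"(?:(?P<ep_src>[^/\s-]+)-(?P<ep_dst>[^/\s]+))?/(?P<level>\w+)\s*;"
)
# One sainfo header: either "anonymous" or two "address <net> <proto>" selectors.
SAINFO_RE = re.compile(
    r"sainfo\s+(?:(?P<anon>anonymous)|address\s+(?P<local>\S+)\s+(?P<lproto>\S+)"
    r"\s+address\s+(?P<remote>\S+)\s+(?P<rproto>\S+))\s*\{"
)


def parse_spd(text: str) -> List[Dict[str, str]]:
    """One dict per spdadd statement; absent tunnel endpoints become ''."""
    return [{k: (v or "") for k, v in m.groupdict().items()}
            for m in SPDADD_RE.finditer(text)]


def parse_sainfo(text: str) -> List[Dict[str, str]]:
    """One dict per sainfo block; 'anonymous' becomes the wildcard '*'."""
    result = []
    for m in SAINFO_RE.finditer(text):
        d = m.groupdict()
        if d["anon"]:
            result.append({"local": "*", "lproto": "any", "remote": "*", "rproto": "any"})
        else:
            result.append({k: d[k] for k in ("local", "lproto", "remote", "rproto")})
    return result


def _is_mirror(p: Dict[str, str], q: Dict[str, str]) -> bool:
    """q is the opposite-direction twin of p: selectors and tunnel endpoints swapped."""
    return (q["dir"] != p["dir"] and q["src"] == p["dst"] and q["dst"] == p["src"]
            and q["proto"] == p["proto"] and q["ipproto"] == p["ipproto"]
            and q["mode"] == p["mode"] and q["ep_src"] == p["ep_dst"]
            and q["ep_dst"] == p["ep_src"])


def _sainfo_covers(s: Dict[str, str], p: Dict[str, str]) -> bool:
    """racoon selects the sainfo whose local/remote selectors equal the out policy's."""
    return (s["local"] in ("*", p["src"]) and s["remote"] in ("*", p["dst"])
            and s["lproto"] in ("any", p["proto"]) and s["rproto"] in ("any", p["proto"]))


def check_config(setkey_text: str, racoon_text: str) -> List[str]:
    """Return findings; an empty list means the SPD and the sainfo blocks agree."""
    policies = parse_spd(setkey_text)
    sainfos = parse_sainfo(racoon_text)
    findings = []
    for p in policies:
        label = f"{p['dir']} policy {p['src']} -> {p['dst']}"
        if not any(_is_mirror(p, q) for q in policies):
            other = "in" if p["dir"] == "out" else "out"
            findings.append(f"{label}: no mirrored {other} policy")
        if p["dir"] == "out" and not any(_sainfo_covers(s, p) for s in sainfos):
            findings.append(f"{label}: no sainfo with matching selectors (phase 2 would fail)")
    return findings


if __name__ == "__main__":
    for line in check_config(SETKEY_SCRIPT, RACOON_CONF) or ["OK: SPD and sainfo agree"]:
        print(line)
```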
KAME: administration
SPD/SAD status:
    setkey -D      # dump the SAD (current security associations)
    setkey -DP     # dump the SPD (policies)
Restart:
    /etc/init.d/setkey restart
    /etc/init.d/racoon restart
Logs: racoon.log
OpenBSD: configuration
/etc/ipsec.conf:
    ike esp from 10.1.0.0/16 to 10.10.22.0/24 \
        local 212.85.148.172 peer 195.154.89.70 \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha1 enc aes group modp1024 psk "toto"
OpenBSD: administration
    isakmpd -K                   # start the IKE daemon (-K: no KeyNote policy checking)
    ipsecctl -f /etc/ipsec.conf  # load the rules
    ipsecctl -vsa                # show flows and SAs, verbosely
Troubleshooting
Use tcpdump: IKE shows up as ISAKMP on UDP 500, the protected traffic as ESP.
    91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT
        cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
    91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT
        cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
    91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT
        cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
    91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT
        cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
    ...
    esp 91.216.209.229 > 41.141.252.214 spi 0x00183f10 seq 165869 len 484
    esp 91.216.209.229 > 41.141.252.214 spi 0x00183f10 seq 165870 len 468
    esp 91.216.209.229 > 41.141.252.214 spi 0x00183f10 seq 165871 len 468
    esp 41.141.252.214 > 91.216.209.229 spi 0xf1afacec seq 40877 len 132
    esp 91.216.209.229 > 41.141.252.214 spi 0x0abd6f35 seq 40540 len 132
    esp 41.141.252.214 > 91.216.209.229 spi 0x5f060fde seq 186105 len 100
    ...
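The two things to read off such a capture are phase 1 initiations that keep being retransmitted with an all-zero responder cookie (the peer never answers on UDP 500) and ESP that only flows in one direction (the other side's SPD or firewall). The triage script below is an added example, not part of the course material; its sample input is the slide's own tcpdump lines, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample input: the tcpdump lines from the slide above, with the
# ISAKMP "cookie:" continuation lines indented as tcpdump -v prints them.
SAMPLE = """\
91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT
    cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT
    cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT
    cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT
    cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
esp 91.216.209.229 > 41.141.252.214 spi 0x00183f10 seq 165869 len 484
esp 91.216.209.229 > 41.141.252.214 spi 0x00183f10 seq 165870 len 468
esp 91.216.209.229 > 41.141.252.214 spi 0x00183f10 seq 165871 len 468
esp 41.141.252.214 > 91.216.209.229 spi 0xf1afacec seq 40877 len 132
esp 91.216.209.229 > 41.141.252.214 spi 0x0abd6f35 seq 40540 len 132
esp 41.141.252.214 > 91.216.209.229 spi 0x5f060fde seq 186105 len 100
"""

IPV4 = r"\d+(?:\.\d+){3}"
# "src.port > dst.port: isakmp vX exchange NAME" (a timestamp prefix is tolerated)
ISAKMP_RE = re.compile(
    rf"(?P<src>{IPV4})\.(?P<sport>\d+) > (?P<dst>{IPV4})\.(?P<dport>\d+): "
    r"isakmp v(?P<ver>[\d.]+) exchange (?P<exch>\S+)"
)
COOKIE_RE = re.compile(
    r"cookie: (?P<icookie>[0-9a-f]{16})->(?P<rcookie>[0-9a-f]{16}) msgid: (?P<msgid>[0-9a-f]{8})"
)
ESP_RE = re.compile(
    rf"esp (?P<src>{IPV4}) > (?P<dst>{IPV4}) spi (?P<spi>0x[0-9a-f]+) seq (?P<seq>\d+) len (?P<len>\d+)"
)
ZERO_COOKIE = "0" * 16
Flow = Dict[str, int]


def parse_tcpdump(text: str) -> Tuple[List[Dict[str, str]], List[Dict[str, object]]]:
    """Split tcpdump output into ISAKMP messages (with their cookies) and ESP packets."""
    isakmp, esp, pending = [], [], None
    for line in text.splitlines():
        m = ISAKMP_RE.search(line)
        if m:
            pending = m.groupdict()  # cookies follow on this line or the next one
        c = COOKIE_RE.search(line)
        if c and pending is not None:
            pending.update(c.groupdict())
            isakmp.append(pending)
            pending = None
        e = ESP_RE.search(line)
        if e:
            d = e.groupdict()
            d["seq"], d["len"] = int(d["seq"]), int(d["len"])
            esp.append(d)
    return isakmp, esp


def unanswered_ike(isakmp: List[Dict[str, str]], min_attempts: int = 3) -> List[str]:
    """Phase 1 initiations sent >= min_attempts times whose initiator cookie never
    appears with a non-zero responder cookie, i.e. the peer never replied."""
    attempts = defaultdict(int)
    answered = set()
    for m in isakmp:
        if m["rcookie"] == ZERO_COOKIE:
            attempts[(m["src"], m["dst"], m["icookie"], m["exch"])] += 1
        else:
            answered.add(m["icookie"])
    return [f"{src} -> {dst}: {n} x {exch} with responder cookie 0, no reply from peer"
            for (src, dst, ick, exch), n in sorted(attempts.items())
            if n >= min_attempts and ick not in answered]


def esp_flows(esp: List[Dict[str, object]]) -> Dict[Tuple[str, str, str], Flow]:
    """Aggregate ESP packets per (src, dst, spi): packet count, seq range, bytes."""
    flows: Dict[Tuple[str, str, str], Flow] = {}
    for p in esp:
        f = flows.setdefault((p["src"], p["dst"], p["spi"]),
                             {"packets": 0, "first_seq": p["seq"], "last_seq": p["seq"], "bytes": 0})
        f["packets"] += 1
        f["first_seq"] = min(f["first_seq"], p["seq"])
        f["last_seq"] = max(f["last_seq"], p["seq"])
        f["bytes"] += p["len"]
    return flows


def one_way_esp(flows: Dict[Tuple[str, str, str], Flow]) -> List[str]:
    """Peers we send ESP to without ever receiving ESP from them."""
    pairs = {(s, d) for (s, d, _spi) in flows}
    return [f"ESP only seen {s} -> {d}, nothing back: check the peer's SPD/SAD and firewall"
            for (s, d) in sorted(pairs) if (d, s) not in pairs]


def triage(text: str) -> Dict[str, object]:
    """Run every check on raw tcpdump output and return the findings."""
    isakmp, esp = parse_tcpdump(text)
    flows = esp_flows(esp)
    return {"unanswered_ike": unanswered_ike(isakmp), "esp_flows": flows,
            "one_way_esp": one_way_esp(flows)}


if __name__ == "__main__":
    report = triage(SAMPLE)
    for finding in report["unanswered_ike"] + report["one_way_esp"]:
        print("!!", finding)
    for (src, dst, spi), f in report["esp_flows"].items():
        print(f"esp {src} -> {dst} spi {spi}: {f['packets']} pkts, "
              f"seq {f['first_seq']}-{f['last_seq']}, {f['bytes']} bytes")
```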
www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 29/29

Contenu connexe

Tendances

101 4.1 create partitions and filesystems
101 4.1 create partitions and filesystems101 4.1 create partitions and filesystems
101 4.1 create partitions and filesystemsAcácio Oliveira
 
PHP LFI to Arbitrary Code Execution via rfc1867 file upload temporary files
PHP LFI to Arbitrary Code Execution via rfc1867 file upload temporary filesPHP LFI to Arbitrary Code Execution via rfc1867 file upload temporary files
PHP LFI to Arbitrary Code Execution via rfc1867 file upload temporary filesAttaporn Ninsuwan
 
Linux Networking Commands
Linux Networking CommandsLinux Networking Commands
Linux Networking Commandstmavroidis
 
[ 2021 AI + X 여름 캠프 ] 1. linux 기초 & 장비 세팅
[ 2021 AI + X 여름 캠프 ] 1. linux 기초 & 장비 세팅[ 2021 AI + X 여름 캠프 ] 1. linux 기초 & 장비 세팅
[ 2021 AI + X 여름 캠프 ] 1. linux 기초 & 장비 세팅ChoiYura
 
101 2.4b use debian package management v2
101 2.4b use debian package management v2101 2.4b use debian package management v2
101 2.4b use debian package management v2Acácio Oliveira
 
101 2.4 use debian package management
101 2.4 use debian package management101 2.4 use debian package management
101 2.4 use debian package managementAcácio Oliveira
 
2.4.1 use debian package management v2
2.4.1 use debian package management v22.4.1 use debian package management v2
2.4.1 use debian package management v2Acácio Oliveira
 
Basic IT 2 (General IT Knowledge-2)
Basic IT 2 (General IT Knowledge-2)Basic IT 2 (General IT Knowledge-2)
Basic IT 2 (General IT Knowledge-2)kholis_mjd
 
PASTE: A Network Programming Interface for Non-Volatile Main Memory
PASTE: A Network Programming Interface for Non-Volatile Main MemoryPASTE: A Network Programming Interface for Non-Volatile Main Memory
PASTE: A Network Programming Interface for Non-Volatile Main Memorymicchie
 
Lession1 Linux Preview
Lession1 Linux PreviewLession1 Linux Preview
Lession1 Linux Previewleminhvuong
 
Security Considerations on Linux Package Management
Security Considerations on Linux Package ManagementSecurity Considerations on Linux Package Management
Security Considerations on Linux Package ManagementTharindu Edirisinghe
 
Php through the eyes of a hoster phpbnl11
Php through the eyes of a hoster phpbnl11Php through the eyes of a hoster phpbnl11
Php through the eyes of a hoster phpbnl11Combell NV
 
Introduction to tcp ip linux networking
Introduction to tcp ip   linux networkingIntroduction to tcp ip   linux networking
Introduction to tcp ip linux networkingSreenatha Reddy K R
 
White Paper: Perforce Administration Optimization, Scalability, Availability ...
White Paper: Perforce Administration Optimization, Scalability, Availability ...White Paper: Perforce Administration Optimization, Scalability, Availability ...
White Paper: Perforce Administration Optimization, Scalability, Availability ...Perforce
 
<img src="../i/r_14.png" />
<img src="../i/r_14.png" /><img src="../i/r_14.png" />
<img src="../i/r_14.png" />tutorialsruby
 

Tendances (19)

101 4.1 create partitions and filesystems
101 4.1 create partitions and filesystems101 4.1 create partitions and filesystems
101 4.1 create partitions and filesystems
 
PHP LFI to Arbitrary Code Execution via rfc1867 file upload temporary files
PHP LFI to Arbitrary Code Execution via rfc1867 file upload temporary filesPHP LFI to Arbitrary Code Execution via rfc1867 file upload temporary files
PHP LFI to Arbitrary Code Execution via rfc1867 file upload temporary files
 
Linux Networking Commands
Linux Networking CommandsLinux Networking Commands
Linux Networking Commands
 
[ 2021 AI + X 여름 캠프 ] 1. linux 기초 & 장비 세팅
[ 2021 AI + X 여름 캠프 ] 1. linux 기초 & 장비 세팅[ 2021 AI + X 여름 캠프 ] 1. linux 기초 & 장비 세팅
[ 2021 AI + X 여름 캠프 ] 1. linux 기초 & 장비 세팅
 
101 2.4b use debian package management v2
101 2.4b use debian package management v2101 2.4b use debian package management v2
101 2.4b use debian package management v2
 
101 2.4 use debian package management
101 2.4 use debian package management101 2.4 use debian package management
101 2.4 use debian package management
 
2.4.1 use debian package management v2
2.4.1 use debian package management v22.4.1 use debian package management v2
2.4.1 use debian package management v2
 
Basic IT 2 (General IT Knowledge-2)
Basic IT 2 (General IT Knowledge-2)Basic IT 2 (General IT Knowledge-2)
Basic IT 2 (General IT Knowledge-2)
 
PASTE: A Network Programming Interface for Non-Volatile Main Memory
PASTE: A Network Programming Interface for Non-Volatile Main MemoryPASTE: A Network Programming Interface for Non-Volatile Main Memory
PASTE: A Network Programming Interface for Non-Volatile Main Memory
 
Lession1 Linux Preview
Lession1 Linux PreviewLession1 Linux Preview
Lession1 Linux Preview
 
Lession2 Xinetd
Lession2 XinetdLession2 Xinetd
Lession2 Xinetd
 
Security Considerations on Linux Package Management
Security Considerations on Linux Package ManagementSecurity Considerations on Linux Package Management
Security Considerations on Linux Package Management
 
Php through the eyes of a hoster phpbnl11
Php through the eyes of a hoster phpbnl11Php through the eyes of a hoster phpbnl11
Php through the eyes of a hoster phpbnl11
 
IPV6 Under the Hood
IPV6 Under the HoodIPV6 Under the Hood
IPV6 Under the Hood
 
Running Symfony
Running SymfonyRunning Symfony
Running Symfony
 
Introduction to tcp ip linux networking
Introduction to tcp ip   linux networkingIntroduction to tcp ip   linux networking
Introduction to tcp ip linux networking
 
White Paper: Perforce Administration Optimization, Scalability, Availability ...
White Paper: Perforce Administration Optimization, Scalability, Availability ...White Paper: Perforce Administration Optimization, Scalability, Availability ...
White Paper: Perforce Administration Optimization, Scalability, Availability ...
 
<img src="../i/r_14.png" />
<img src="../i/r_14.png" /><img src="../i/r_14.png" />
<img src="../i/r_14.png" />
 
Tuning 17 march
Tuning 17 marchTuning 17 march
Tuning 17 march
 

Similaire à IPSEC

P4+ONOS SRv6 tutorial.pptx
P4+ONOS SRv6 tutorial.pptxP4+ONOS SRv6 tutorial.pptx
P4+ONOS SRv6 tutorial.pptxtampham61268
 
Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)
Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)
Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)n|u - The Open Security Community
 
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wp
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wpUs 13-opi-evading-deep-inspection-for-fun-and-shell-wp
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wpOlli-Pekka Niemi
 
Decreasing Incident Response Time
Decreasing Incident Response TimeDecreasing Incident Response Time
Decreasing Incident Response TimeBoni Bruno
 
Lecture 5: Software platforms and services
Lecture 5: Software platforms and services Lecture 5: Software platforms and services
Lecture 5: Software platforms and services PayamBarnaghi
 
FIWARE Tech Summit - Stream Processing with Kurento Media Server
FIWARE Tech Summit - Stream Processing with Kurento Media ServerFIWARE Tech Summit - Stream Processing with Kurento Media Server
FIWARE Tech Summit - Stream Processing with Kurento Media ServerFIWARE
 
26.1.7 lab snort and firewall rules
26.1.7 lab   snort and firewall rules26.1.7 lab   snort and firewall rules
26.1.7 lab snort and firewall rulesFreddy Buenaño
 
IDMEF, the universal format for security alerts, OW2con'16, Paris.
IDMEF, the universal format for security alerts, OW2con'16, Paris. IDMEF, the universal format for security alerts, OW2con'16, Paris.
IDMEF, the universal format for security alerts, OW2con'16, Paris. OW2
 
OpenTelemetry Introduction
OpenTelemetry Introduction OpenTelemetry Introduction
OpenTelemetry Introduction DimitrisFinas1
 
Advanced Log Processing
Advanced Log ProcessingAdvanced Log Processing
Advanced Log ProcessingAnton Chuvakin
 
Securing IoT Applications
Securing IoT Applications Securing IoT Applications
Securing IoT Applications WSO2
 
Network and Internet Security.docx
Network and Internet Security.docxNetwork and Internet Security.docx
Network and Internet Security.docxstirlingvwriters
 
Отчет Audit report RAPID7
 Отчет Audit report RAPID7 Отчет Audit report RAPID7
Отчет Audit report RAPID7Sergey Yrievich
 
Packet Sniffer
Packet Sniffer Packet Sniffer
Packet Sniffer vilss
 
T C P I P Weaknesses And Solutions
T C P I P Weaknesses And SolutionsT C P I P Weaknesses And Solutions
T C P I P Weaknesses And Solutionseroglu
 
10 Protocols of VPN IPSec, PPTP, L2TP, MPLS etc. ⋆ IPCisco.pdf
10 Protocols of VPN IPSec, PPTP, L2TP, MPLS etc. ⋆ IPCisco.pdf10 Protocols of VPN IPSec, PPTP, L2TP, MPLS etc. ⋆ IPCisco.pdf
10 Protocols of VPN IPSec, PPTP, L2TP, MPLS etc. ⋆ IPCisco.pdfKdpKumar
 
Maxbox starter18
Maxbox starter18Maxbox starter18
Maxbox starter18Max Kleiner
 

Similaire à IPSEC (20)

P4+ONOS SRv6 tutorial.pptx
P4+ONOS SRv6 tutorial.pptxP4+ONOS SRv6 tutorial.pptx
P4+ONOS SRv6 tutorial.pptx
 
Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)
Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)
Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)
 
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wp
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wpUs 13-opi-evading-deep-inspection-for-fun-and-shell-wp
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wp
 
Decreasing Incident Response Time
Decreasing Incident Response TimeDecreasing Incident Response Time
Decreasing Incident Response Time
 
Lecture 5: Software platforms and services
Lecture 5: Software platforms and services Lecture 5: Software platforms and services
Lecture 5: Software platforms and services
 
FIWARE Tech Summit - Stream Processing with Kurento Media Server
FIWARE Tech Summit - Stream Processing with Kurento Media ServerFIWARE Tech Summit - Stream Processing with Kurento Media Server
FIWARE Tech Summit - Stream Processing with Kurento Media Server
 
26.1.7 lab snort and firewall rules
26.1.7 lab   snort and firewall rules26.1.7 lab   snort and firewall rules
26.1.7 lab snort and firewall rules
 
IDMEF, the universal format for security alerts, OW2con'16, Paris.
IDMEF, the universal format for security alerts, OW2con'16, Paris. IDMEF, the universal format for security alerts, OW2con'16, Paris.
IDMEF, the universal format for security alerts, OW2con'16, Paris.
 
ECI OpenFlow 2.0 the Future of SDN
ECI OpenFlow 2.0 the Future of SDN ECI OpenFlow 2.0 the Future of SDN
ECI OpenFlow 2.0 the Future of SDN
 
OpenTelemetry Introduction
OpenTelemetry Introduction OpenTelemetry Introduction
OpenTelemetry Introduction
 
Advanced Log Processing
Advanced Log ProcessingAdvanced Log Processing
Advanced Log Processing
 
Securing IoT Applications
Securing IoT Applications Securing IoT Applications
Securing IoT Applications
 
Network and Internet Security.docx
Network and Internet Security.docxNetwork and Internet Security.docx
Network and Internet Security.docx
 
Report PAPID 7
Report PAPID 7Report PAPID 7
Report PAPID 7
 
Отчет Audit report RAPID7
 Отчет Audit report RAPID7 Отчет Audit report RAPID7
Отчет Audit report RAPID7
 
Packet Sniffer
Packet Sniffer Packet Sniffer
Packet Sniffer
 
Kumar cscl final
Kumar cscl finalKumar cscl final
Kumar cscl final
 
T C P I P Weaknesses And Solutions
T C P I P Weaknesses And SolutionsT C P I P Weaknesses And Solutions
T C P I P Weaknesses And Solutions
 
10 Protocols of VPN IPSec, PPTP, L2TP, MPLS etc. ⋆ IPCisco.pdf
10 Protocols of VPN IPSec, PPTP, L2TP, MPLS etc. ⋆ IPCisco.pdf10 Protocols of VPN IPSec, PPTP, L2TP, MPLS etc. ⋆ IPCisco.pdf
10 Protocols of VPN IPSec, PPTP, L2TP, MPLS etc. ⋆ IPCisco.pdf
 
Maxbox starter18
Maxbox starter18Maxbox starter18
Maxbox starter18
 

Dernier

4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sectoritnewsafrica
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsYoss Cohen
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 

Dernier (20)

4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Potential of AI (Generative AI) in Business: Learnings and Insights

IPSEC

  • 2. The first school 100% dedicated to open source. Open Source School was founded at the initiative of Smile, the leader in open source integration and managed services, and of EPSI, a private institution that pioneered higher education in computer science. As part of the Programme d’Investissements d’Avenir (PIA), the French government decided to support the creation of this school with an initial grant of €1.4M, confirming its commitment to the Free Software sector, which is currently growing rapidly. With annual growth of more than 10% and 4,000 vacant positions each year in the Free Software sector, OSS intends to address the sector's skills shortage by mobilizing the whole ecosystem and offering the widest range of training in open source technologies, in both initial and continuing education.
  • 3. Training for full employment! Continuing Education: Open Source School "Executive Education" is a training organization offering a catalogue of more than 200 professional courses and various retraining schemes that allow a return to employment (POE) or better employability for many IT professionals. For enquiries: formations@opensourceschool.fr. Initial Education: 100% free software and 100% work-study, the Open Source School curriculum is based on EPSI's framework of skill blocks. It leads to a level I RNCP qualification (Bac+5). The programme is offered on 6 campuses: Bordeaux, Lille, Lyon, Montpellier, Nantes and Paris.
  • 4. Our training areas
  • 5. Introduction IPSEC Protocols VPNs over IPSEC Applications T13G
    Plan
    1 Introduction
    2 IPSEC Protocols
    3 VPNs over IPSEC
    4 Applications
    5 Troubleshooting
    www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 2/29
  • 6. What is a VPN?
  • 7. What is a VPN?
  • 8. What is encapsulation?
  • 9. Introduction to IPSEC
    IPSEC is a set of protocols that hardens the security of network communications.
    It is part of the IPv6 specification, but was ported to IPv4.
    It is often used for VPNs, but it has other purposes too.
    Unlike most products (e.g. OpenVPN) it is an IETF standard, which allows interoperability.
    This presentation is about the IPSEC implementation in operating systems; there are also software implementations, hardware implementations in dedicated equipment, etc.
  • 10. Plan: 1 Introduction, 2 IPSEC Protocols, 3 VPNs over IPSEC, 4 Applications, 5 Troubleshooting
  • 11. IPSEC Protocols
    IPSEC is built around several protocols: ESP, AH, IKE, NAT-T
  • 12. Encapsulation protocols
    ESP allows: authentication, integrity (of the payload), confidentiality.
    AH allows: authentication, integrity (of the whole packet).
    ESP does not protect the IP header, which makes it suitable for NAT.
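The difference between "integrity of the payload" and "integrity of the whole packet" is exactly what decides whether a packet survives NAT. The following is an added example, not code from the slides or from any IPSEC implementation: it builds a simplified AH packet and a simplified ESP packet, computes their integrity check values with HMAC-SHA1-96 (the algorithm RFC 2404 defines for IPsec), then rewrites the source address the way a NAT device does and verifies both again. The key, addresses and payload are constructed sample values, the IP checksum is left at zero, and ESP encryption is omitted because only the ICV coverage matters here.

```python
import hmac
import hashlib
import struct
from ipaddress import IPv4Address

AH_PROTO, ESP_PROTO = 51, 50
# Constructed sample key: in a real SA the key is derived by IKE, never hard-coded
KEY = b"constructed-sample-key-not-for-real-use"


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header (header checksum left at 0 for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def zero_mutable_fields(iphdr):
    """AH (RFC 4302) zeroes the fields a router may legitimately change before hashing:
    TOS/DSCP, flags + fragment offset, TTL and the header checksum.  Addresses stay covered."""
    h = bytearray(iphdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def icv(data):
    """HMAC-SHA1-96 (RFC 2404): HMAC-SHA1 truncated to 96 bits."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]


def build_ah(src, dst, spi, seq, inner, next_header=17):
    """IP | AH(next hdr, payload len, reserved, SPI, seq, ICV) | inner payload.
    Payload len 4 = (24-byte AH header in 32-bit words) - 2, as AH counts it."""
    ah_fixed = struct.pack("!BBHII", next_header, 4, 0, spi, seq)
    ip = ipv4_header(src, dst, AH_PROTO, 20 + len(ah_fixed) + 12 + len(inner))
    # The ICV covers the (immutable part of the) IP header, the AH header with the ICV
    # field zeroed, and everything after it.
    tag = icv(zero_mutable_fields(ip) + ah_fixed + b"\x00" * 12 + inner)
    return ip + ah_fixed + tag + inner


def verify_ah(pkt):
    ip, ah_fixed, tag, inner = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    expected = icv(zero_mutable_fields(ip) + ah_fixed + b"\x00" * 12 + inner)
    return hmac.compare_digest(tag, expected)


def build_esp(src, dst, spi, seq, payload):
    """IP | ESP(SPI, seq) | payload | ICV.  The ICV starts at the ESP header, so the
    outer IP header is not covered at all."""
    esp_hdr = struct.pack("!II", spi, seq)
    ip = ipv4_header(src, dst, ESP_PROTO, 20 + len(esp_hdr) + len(payload) + 12)
    return ip + esp_hdr + payload + icv(esp_hdr + payload)


def verify_esp(pkt):
    return hmac.compare_digest(pkt[-12:], icv(pkt[20:-12]))


def router_hop(pkt):
    """An ordinary router only decrements the TTL (a mutable field)."""
    h = bytearray(pkt)
    h[8] -= 1
    return bytes(h)


def nat_rewrite_source(pkt, new_src):
    """A NAT device also replaces the source address, which AH covers and ESP does not."""
    h = bytearray(router_hop(pkt))
    h[12:16] = IPv4Address(new_src).packed
    return bytes(h)


def demo():
    """Constructed tunnel between two constructed hosts crossing a constructed NAT."""
    inner = b"constructed inner payload"
    ah = build_ah("10.1.0.5", "10.2.0.7", 0x1000, 1, inner)
    esp = build_esp("10.1.0.5", "10.2.0.7", 0x2000, 1, inner)
    return {
        "ah_before_nat": verify_ah(ah),
        "ah_after_router_hop": verify_ah(router_hop(ah)),
        "ah_after_nat": verify_ah(nat_rewrite_source(ah, "192.168.0.1")),
        "esp_before_nat": verify_esp(esp),
        "esp_after_nat": verify_esp(nat_rewrite_source(esp, "192.168.0.1")),
    }


if __name__ == "__main__":
    print(demo())
```

A plain router hop leaves AH valid because the TTL is one of the mutable fields AH excludes; the address rewrite is what breaks it. The ESP packet verifies before and after NAT, which is why the UDP encapsulation used by NAT-T only ever needs to carry ESP.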
  • 13. Negotiation protocols
    IKE: IKE is the main protocol; it lets hosts negotiate security parameters with each other.
    NAT-T: NAT-T is a helper protocol that encapsulates traffic in a UDP port, allowing it to cross firewalls and NAT devices.
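Once NAT-T is in use, a firewall or a packet capture sees three different things on the same UDP port (4500). The classifier below is an added example, not code from the slides or from any IKE daemon; it applies the framing of RFC 3948: a single 0xFF byte is a NAT keepalive, four zero bytes (the "non-ESP marker") announce an IKE message, and anything else is ESP-in-UDP, whose SPI is never zero. The IKE header layout and exchange-type numbers are the standard ones; the datagrams in SAMPLES are constructed, with the IKE one shaped after the tcpdump line on the troubleshooting slide.

```python
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"
# ISAKMP/IKE exchange types from the IANA registry (those met in IKEv1 and IKEv2 setups)
EXCHANGE_TYPES = {2: "ID_PROT", 4: "AGGRESSIVE", 5: "INFORMATIONAL_V1", 32: "QUICK",
                  34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL_V2"}
IKE_HEADER = "!8s8sBBBBII"   # iSPI, rSPI, next payload, version, exchange, flags, msgid, length


def classify_natt(datagram):
    """Describe one UDP/4500 payload as keepalive, IKE or ESP (ValueError if malformed)."""
    if datagram == b"\xff":
        return {"kind": "keepalive"}
    if datagram.startswith(NON_ESP_MARKER):
        ike = datagram[4:]
        if len(ike) < 28:
            raise ValueError("truncated IKE header")
        ispi, rspi, _next, version, exch, _flags, msgid, length = struct.unpack(IKE_HEADER, ike[:28])
        if length != len(ike):
            raise ValueError("IKE length field %d does not match %d bytes carried" % (length, len(ike)))
        return {"kind": "ike", "version": "%d.%d" % (version >> 4, version & 0xF),
                "exchange": EXCHANGE_TYPES.get(exch, "unknown(%d)" % exch),
                "initiator_spi": ispi.hex(), "responder_spi": rspi.hex(),
                "msgid": msgid, "length": length}
    if len(datagram) < 8:
        raise ValueError("too short for an ESP header")
    spi, seq = struct.unpack("!II", datagram[:8])
    if spi == 0:
        raise ValueError("SPI 0 is reserved; not a valid ESP packet")
    return {"kind": "esp", "spi": spi, "seq": seq, "len": len(datagram)}


def build_sample_ike(ispi, rspi, exch, msgid, body, major=1, minor=0, next_payload=1):
    """Constructed IKE message behind the non-ESP marker (next payload 1 = SA in IKEv1)."""
    hdr = struct.pack(IKE_HEADER, ispi, rspi, next_payload, (major << 4) | minor,
                      exch, 0, msgid, 28 + len(body))
    return NON_ESP_MARKER + hdr + body


# Constructed datagrams: a keepalive, a main-mode first message (initiator cookie set,
# responder cookie still zero, 184 bytes), and an ESP packet with a 40-byte body.
SAMPLES = {
    "keepalive": b"\xff",
    "ike_main_mode": build_sample_ike(bytes.fromhex("68399732fc60febb"), bytes(8), 2, 0, b"\x00" * 156),
    "esp": struct.pack("!II", 0x00183F10, 165869) + b"\x00" * 40,
}


def summarize(samples=SAMPLES):
    return {name: classify_natt(d) for name, d in samples.items()}


if __name__ == "__main__":
    for name, info in summarize().items():
        print(name, info)
```

The length check matters for anything that feeds this into a detection rule: an IKE header whose length field disagrees with the datagram is either truncated by the capture or malformed, and should be reported rather than silently decoded.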
  • 14. Establishment of an IPSEC session
    Hosts contact each other using IKE (UDP 500)
    IKE Phase 1: hosts authenticate to each other
    IKE Phase 2: hosts negotiate the IPSEC parameters
    IPSEC-protected traffic starts flowing
  • 15. Two possible modes
    Transport mode: only the payload is encapsulated
    Tunnel mode: the IP header is encapsulated too
    In tunnel mode you can rewrite IP headers, which allows VPNs
  • 16. Plan: 1 Introduction, 2 IPSEC Protocols, 3 VPNs over IPSEC, 4 Applications, 5 Troubleshooting
  • 17. SPD and SAD
    Security Policy Database: the SPD is IPSEC's routing table; it decides which traffic is protected.
    Security Association Database: the SAD is IPSEC's network status ("netstat"); it contains the current sessions.
  • 18. Phase 1 parameters
    Mode: main / aggressive
    Identity: IP, DN, mail...
    Authentication method: PSK, X509, RSA...
    Encryption algorithm: 3DES, AES, blowfish...
    Authentication algorithm: MD5, SHA1, ...
    Diffie-Hellman key length
    Lifetime
  • 19. Phase 2 parameters
    Encryption algorithm
    Authentication algorithm
    Perfect Forward Secrecy
    Lifetime
    Domain: single host, subnet...
  • 20. How sessions are established
    Hosts contact each other spontaneously or on demand
    The required sessions are established
    When they expire, they are automatically renewed
  • 21. Plan: 1 Introduction, 2 IPSEC Protocols, 3 VPNs over IPSEC, 4 Applications, 5 Troubleshooting
  • 22. Introduction
    All the implementations we will study share certain characteristics:
    SAD, SPD, routing and encapsulation are managed by the kernel
    IKE negotiation, retries and renewal are managed by userland daemons
    Both talk to each other over the standard PF_KEY interface, which allows different implementations to coexist
    On Linux, two kernel implementations exist: the native PF_KEY implementation and KLIPS, a historical implementation.
    Warning: firewalls can process IPSEC traffic; you will have to configure yours.
  • 23. Openswan/Strongswan: configuration
    Configuration is done in ipsec.conf:
      conn net-net
          left=192.168.0.1
          leftsubnet=10.1.0.0/16
          leftid=192.168.0.1
          leftfirewall=yes
          right=192.168.0.2
          rightsubnet=10.2.0.0/16
          rightid=192.168.0.2
          auto=add
    Write the PSK in ipsec.secrets. Examples: http://wiki.strongswan.org/projects/strongswan/wiki/IKEv1Examples
  • 24. Openswan/Strongswan: commands
    Restart: /etc/init.d/ipsec restart
    Status: ipsec auto --status
  • 25. KAME: Architecture
    As usual, SPD/SAD are in-kernel
    setkey(8) is used to manipulate the SPD/SAD
    racoon(8) is the IKE daemon
  • 26. KAME: Configuration
    setkey script:
      #!/usr/sbin/setkey -f
      #
      # Flush SAD and SPD
      flush;
      spdflush;
      # Create policies for racoon
      spdadd 172.16.1.0/24 172.16.2.0/24 any -P out ipsec
          esp/tunnel/192.168.1.100-192.168.2.100/require;
      spdadd 172.16.2.0/24 172.16.1.0/24 any -P in ipsec
          esp/tunnel/192.168.2.100-192.168.1.100/require;
  • 27. KAME: Configuration (2)
    racoon.conf:
      path pre_shared_key "/etc/psk.txt";
      remote 192.168.2.100 {
          exchange_mode main;
          proposal {
              encryption_algorithm 3des;
              hash_algorithm md5;
              authentication_method pre_shared_key;
              dh_group modp1024;
          }
      }
      sainfo address 172.16.1.0/24 any address 172.16.2.0/24 any {
          pfs_group modp768;
          encryption_algorithm 3des;
          authentication_algorithm hmac_md5;
          compression_algorithm deflate;
      }
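The phase 1 and phase 2 parameter lists (slides 18 and 19) and this racoon.conf both use algorithms that a current deployment should not keep: 3DES is a 64-bit block cipher, MD5 and HMAC-MD5 are deprecated, and modp768/modp1024 are Diffie-Hellman groups well under 2048 bits. The linter below is an added example, not code from the slides or from racoon; SAMPLE_CONF reproduces the slide's configuration, and the WEAK policy table (which values count as weak, and the suggested replacements) is this example's choice, not anything racoon enforces. The parser understands the `keyword value;` statements and `{ }` blocks shown above so that each finding is reported with the block it sits in.

```python
import re

# Reproduction of the racoon.conf on the slide (constructed copy for the linter to read)
SAMPLE_CONF = """\
path pre_shared_key "/etc/psk.txt";
remote 192.168.2.100 {
    exchange_mode main;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}
sainfo address 172.16.1.0/24 any address 172.16.2.0/24 any {
    pfs_group modp768;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
"""

# This example's policy: (keyword, regex the value must NOT match, reason)
WEAK = [
    ("encryption_algorithm", r"^(3des|des|blowfish|cast128)$", "64-bit block cipher; use aes"),
    ("hash_algorithm", r"^md5$", "MD5 is deprecated; use sha256 or better"),
    ("authentication_algorithm", r"^hmac_md5$", "HMAC-MD5 is deprecated; use hmac_sha256"),
    ("dh_group", r"^modp(768|1024|1536)$", "phase 1 DH group below 2048 bits"),
    ("pfs_group", r"^modp(768|1024|1536)$", "phase 2 PFS group below 2048 bits"),
    ("exchange_mode", r"^aggressive$", "aggressive mode with PSK sends the identity hash in clear; prefer main"),
]

STATEMENT = re.compile(r"(\w+)\s+(.*?);$")


def parse_statements(text):
    """Return (block_path, keyword, value) for every 'keyword value;' statement.
    Blocks are tracked on a stack so a finding can say where it sits (remote/proposal, sainfo)."""
    stack, out = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # racoon.conf comments start with '#'
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip().split()[0])
            continue
        if line == "}":
            stack.pop()
            continue
        m = STATEMENT.match(line)
        if m:
            out.append(("/".join(stack) or "global", m.group(1), m.group(2)))
    return out


def lint(text):
    """List (block_path, 'keyword value', reason) for every statement the WEAK policy rejects."""
    findings = []
    for ctx, key, value in parse_statements(text):
        for kw, pattern, reason in WEAK:
            if key == kw and re.match(pattern, value):
                findings.append((ctx, "%s %s" % (key, value), reason))
    return findings


if __name__ == "__main__":
    for ctx, stmt, reason in lint(SAMPLE_CONF):
        print("%-16s %-36s %s" % (ctx, stmt, reason))
```

Run against the slide's configuration it reports six findings: three in the phase 1 proposal (3des, md5, modp1024) and three in the sainfo block (modp768, 3des, hmac_md5); the PSK authentication and main mode pass. Replacing those values with aes, sha256/hmac_sha256 and modp2048 leaves the linter silent.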
  • 28. KAME: Administration
    SPD/SAD status: setkey -D ; setkey -DP
    /etc/init.d/setkey restart
    /etc/init.d/racoon restart
    racoon.log
  • 29. OpenBSD: configuration
    /etc/ipsec.conf:
      ike esp from 10.1.0.0/16 to 10.10.22.0/24 \
          local 212.85.148.172 peer 195.154.89.70 \
          main auth hmac-sha1 enc aes group modp1024 \
          quick auth hmac-sha1 enc aes group modp1024 \
          psk "toto"
  • 30. OpenBSD: administration
    isakmpd -K
    ipsecctl -f /etc/ipsec.conf
    ipsecctl -vsa
  • 31. Plan: 1 Introduction, 2 IPSEC Protocols, 3 VPNs over IPSEC, 4 Applications, 5 Troubleshooting
  • 32. Troubleshooting
    Use tcpdump:
      91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
      91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
      91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
      91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
      ...
      esp 91.216.209.229 > 41.141.252.214 spi 0x00183f10 seq 165869 len 484
      esp 91.216.209.229 > 41.141.252.214 spi 0x00183f10 seq 165870 len 468
      esp 91.216.209.229 > 41.141.252.214 spi 0x00183f10 seq 165871 len 468
      esp 41.141.252.214 > 91.216.209.229 spi 0xf1afacec seq 40877 len 132
      esp 91.216.209.229 > 41.141.252.214 spi 0x0abd6f35 seq 40540 len 132
      esp 41.141.252.214 > 91.216.209.229 spi 0x5f060fde seq 186105 len 100
      ...
    www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 29/29
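The capture above already contains the two things worth reading off a tcpdump of IPSEC traffic: the same main-mode first message sent four times with a responder cookie of all zeros (the peer never answered, so UDP 500 is blocked somewhere or no daemon is listening), and ESP counters per SPI, whose sequence numbers should advance by one per packet and which should exist in both directions. The analyser below is an added example, not code from the slides; the lines in SAMPLE are constructed in the format tcpdump prints on the slide, and the thresholds and wording of the findings are this example's heuristics.

```python
import re
from collections import defaultdict

# Constructed capture in the tcpdump format shown on the slide
SAMPLE = """\
91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
esp 91.216.209.229 > 41.141.252.214 spi 0x00183f10 seq 165869 len 484
esp 91.216.209.229 > 41.141.252.214 spi 0x00183f10 seq 165870 len 468
esp 91.216.209.229 > 41.141.252.214 spi 0x00183f10 seq 165871 len 468
esp 41.141.252.214 > 91.216.209.229 spi 0xf1afacec seq 40877 len 132
esp 91.216.209.229 > 41.141.252.214 spi 0x0abd6f35 seq 40540 len 132
esp 41.141.252.214 > 91.216.209.229 spi 0x5f060fde seq 186105 len 100
"""

ISAKMP_RE = re.compile(
    r"^(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): isakmp v(?P<ver>[\d.]+) "
    r"exchange (?P<exch>\S+) cookie: (?P<icookie>[0-9a-f]+)->(?P<rcookie>[0-9a-f]+) "
    r"msgid: (?P<msgid>[0-9a-f]+) len: (?P<len>\d+)")
ESP_RE = re.compile(
    r"^esp (?P<src>[\d.]+) > (?P<dst>[\d.]+) spi (?P<spi>0x[0-9a-f]+) seq (?P<seq>\d+) len (?P<len>\d+)")

RETRANSMIT_THRESHOLD = 3   # this example's choice: 3 identical unanswered first messages


def analyse(text):
    """Summarise ISAKMP retransmissions and per-SPI ESP counters from tcpdump lines."""
    unanswered = defaultdict(int)   # (src, dst, initiator cookie) -> times the first message was sent
    esp = {}                         # (src, dst, spi) -> counters
    for line in text.splitlines():
        m = ISAKMP_RE.match(line)
        if m:
            # Responder cookie all zeros and msgid 0: the initiator's very first message.
            # Seeing it repeated means no reply ever came back.
            if set(m["rcookie"]) == {"0"} and m["msgid"] == "00000000":
                unanswered[(m["src"], m["dst"], m["icookie"])] += 1
            continue
        m = ESP_RE.match(line)
        if m:
            key, seq = (m["src"], m["dst"], m["spi"]), int(m["seq"])
            s = esp.setdefault(key, {"packets": 0, "first_seq": seq, "last_seq": seq, "bytes": 0})
            s["packets"] += 1
            s["first_seq"] = min(s["first_seq"], seq)
            s["last_seq"] = max(s["last_seq"], seq)
            s["bytes"] += int(m["len"])

    findings = []
    for (src, dst, icookie), n in unanswered.items():
        if n >= RETRANSMIT_THRESHOLD:
            findings.append("no IKE reply from %s to %s (initiator cookie %s sent %d times): "
                            "check UDP 500 reachability and the peer's IKE daemon" % (dst, src, icookie, n))
    for (src, dst, spi), s in esp.items():
        expected = s["last_seq"] - s["first_seq"] + 1
        if expected != s["packets"]:
            findings.append("%s->%s %s: %d of %d expected packets seen (possible loss)"
                            % (src, dst, spi, s["packets"], expected))
        if not any(k[0] == dst and k[1] == src for k in esp):
            findings.append("%s->%s %s: no ESP in the reverse direction "
                            "(asymmetric policy or firewall?)" % (src, dst, spi))
    return {"unanswered_ike": dict(unanswered), "esp": esp, "findings": findings}


if __name__ == "__main__":
    for f in analyse(SAMPLE)["findings"]:
        print(f)
```

On the constructed sample the only finding is the unanswered IKE exchange; the ESP flows are contiguous and traffic exists in both directions between the two ESP peers. A SPI whose counters show gaps, or that never gets a reverse SPI, is the usual sign of a firewall that lets ESP through one way only.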