
Transcript of LAWRENCE NGUNJIRI MATHENGE final report

Page 1: LAWRENCE NGUNJIRI  MATHENGE final report

FACULTY/ SCHOOL/ INSTITUTE: Engineering

DEPARTMENT: Electrical and Information Engineering

COURSE NAME: Bachelor of Science in Electrical & Electronic Engineering

NAME OF STUDENT: Mathenge Lawrence Ngunjiri

REGISTRATION NUMBER: F17/29130/2009

COLLEGE: Architecture & Engineering

TITLE OF WORK: TO DESIGN AND BUILD A VPN SYSTEM TO INTERCONNECT OFFICES AROUND THE COUNTRY.

1) I understand what plagiarism is and I am aware of the university policy in this regard.

2) I declare that this final year project report is my original work and has not been submitted elsewhere for examination, award of a degree or publication. Where other people's work or my own work has been used, this has properly been acknowledged and referenced in accordance with the University of Nairobi's requirements.

3) I have not sought or used the services of any professional agencies to produce this work.

4) I have not allowed, and shall not allow anyone to copy my work with the intention of passing it off as his/her own work.

5) I understand that any false claim in respect of this work shall result in disciplinary action, in accordance with University anti-plagiarism policy.

Signature: ………………………………………………………………………………………

Date: ……………………………………………………………………………………………

Page 2

DEDICATION

Dedicated to my dear family, fellow colleagues and friends who made this come true.

Page 3

ACKNOWLEDGEMENT

Appreciation to the Almighty for blessing me with the resources, guidance and intellect to pursue this project.

I would also like to express my sincere gratitude to my project supervisor, Prof. M. K. Mang'oli, who took both time and relentless effort to guide me in my project design and simulation.

Page 4

CONTENTS

LIST OF FIGURES ... v
LIST OF TABLES ... vi
ABBREVIATIONS ... vii
ABSTRACT ... viii
CHAPTER 1: INTRODUCTION ... 1
1.1 Background ... 1
1.2 Problem Statement ... 2
1.3 Main Objectives ... 2
1.4 Project Scope ... 2
CHAPTER 2: LITERATURE REVIEW ... 3
2.1 TYPES OF VPN ... 3
2.1.1 REMOTE-ACCESS VPN ... 3
2.1.2 SITE-TO-SITE VPN ... 4
2.1.2.1 INTRANET VPN ... 4
2.3 VPN TECHNOLOGIES ... 5
2.3.1 Data Confidentiality ... 5
2.3.2 Data Integrity ... 9
2.3.3 Data Origin Authentication ... 9
2.3.4 Anti-Replay ... 9
2.3.5 Data Tunneling/Traffic Flow Confidentiality ... 9
2.3.6 AAA (Authentication, authorization, and accounting) ... 11
2.3.7 Non-repudiation ... 11
2.4 VPN Products ... 12
2.4.1 VPN Concentrator ... 12
2.4.2 VPN-Enabled Router/VPN-Optimized Router ... 13
2.4.3 Cisco Secure PIX Firewall ... 15
2.4.4 Cisco VPN Clients ... 15
2.4.5 INTERNET SERVICE PROVIDER (SAFARICOM) TECHNICAL REPORT ... 16
2.4.6 IP address ... 17
CHAPTER THREE: DESIGN AND SIMULATION ... 20

Page 5

3.1 SITE-TO-SITE VPN CONFIGURATION WITH GNS3 ... 20
3.1.1 NETWORK SOFTWARES ... 20
3.1.2 VPN CONFIGURATION ... 20
3.2 MODEL OF COUNTRYWIDE VPN, SITE-TO-SITE VPN WITHOUT NAT (L2L IPSEC VPN) ... 22
3.2.1 NETWORK SET-UP ... 22
3.2.2 VPN SETUP ... 23
CHAPTER 4: RESULTS AND DISCUSSION ... 24
4.3 INTERNET PROTOCOL SECURITY FOR THE VPN ... 25
4.4 PING RESULTS ... 29
CHAPTER 5: CONCLUSION AND RECOMMENDATIONS ... 34
5.1 CONCLUSION ... 34
5.2 RECOMMENDATION ... 34
APPENDIX A ... 35
APPENDIX B ... 38
APPENDIX C ... 40
APPENDIX D ... 42
REFERENCES ... 43

LIST OF FIGURES

FIG 2.1: REMOTE-ACCESS VPN MODEL ... 3
FIG 2.2: SITE-TO-SITE VPN MODEL ... 4
FIG 2.3: IPSEC ENCRYPTION MODES ... 6
FIG 2.4: VPN CONCENTRATOR MODEL ... 13
FIG 4.1: KENYA VPN TOPOLOGY ... 24
FIG 4.1.2: ISP SAFARICOM CONFIGURATION ... 24
FIG 4.2: INTERNET SECURITY ASSOCIATION AND KEY EXCHANGE MANAGEMENT PROTOCOL FOR THE CENTRAL SITE, OFFICE_HQs NAIROBI ... 25
FIG 4.3.1: ELDORET IPSEC SA ... 25
FIG 4.3.2: KISII OFFICE IPSEC SA ... 26
FIG 4.3.3: NAKURU IPSEC SA ... 26
FIG 4.3.4: MANDERA IPSEC SA ... 27

Page 6

FIG 4.3.5: TRANS_NZOIA IPSEC SA ... 28
FIG 4.3.6: MOMBASA IPSEC SA ... 28
FIG 4.3.7: MACHAKOS IPSEC SA ... 29
FIG 4.4.1: ELDORET-PC1 PING ... 29
FIG 4.4.2: KISII-PC1 PING ... 30
FIG 4.4.3: NAKURU-PC1 PING ... 31
FIG 4.4.4: MANDERA-PC1 PING ... 31
FIG 4.4.5: TRANS-NZOIA PC1 PING ... 32
FIG 4.4.6: MACHAKOS-PC1 PING ... 32
FIG 4.5: WIRESHARK DATA CAPTURE FOR THE CENTRAL SITE OFFICE HQs NAIROBI ... 33

LIST OF TABLES

TABLE 2.1: ROUTER CLASSIFICATION FOR THE VPN ... 14
TABLE 2.2: IP ADDRESS CLASSES ... 19
TABLE 3.1: VPN SITES CONFIGURATION ... 22

Page 7

ABBREVIATIONS

AES Advanced Encryption Standard.

AH Authentication Header.

ASA Adaptive Security Appliance.

CLI Command Line Interface.

DES Data Encryption Standard.

DSL Digital Subscriber Line.

ESP Encapsulating Security Payload.

GRE Generic Routing Encapsulation.

HDR Header.

IP Internet Protocol.

IPSec Internet Protocol Security.

IPv4 Internet Protocol version four.

IPv6 Internet Protocol version six.

ISAKMP Internet Security Association and Key Management Protocol.

ISP Internet Service Provider.

LAN Local Area Network.

L2L LAN TO LAN.

L2TP Layer 2 Tunneling Protocol.

MD5 Message Digest Five.

NAT Network Address Translation.

PIX Private Internet EXchange.

POP Point of Presence.

RSA Rivest-Shamir- Adleman.

Page 8

SHA Secure Hash Algorithm.

Page 9

ABSTRACT

A VPN extends a private network across a public network such as the internet, and can therefore be used to connect an organization's offices around the country to its central site. Computers at each site can send and receive data across the shared network as if they were connected directly to the private network, while keeping the functionality, security and management policies of that private network.

Page 10

CHAPTER 1: INTRODUCTION

1.1 Background

The internet is a global, publicly accessible IP network. Data relayed across it is therefore not secure by default, because the path is shared with every other connected host. A Virtual Private Network (VPN) encapsulates data and transports it across the internet in protected form, providing data confidentiality, integrity and authentication. "Virtual" refers to the way the private network's traffic is carried over a public network; "private" refers to the encryption that keeps that traffic confidential.

Organizations therefore use VPNs to provide a virtual WAN (Wide Area Network) infrastructure that connects branch offices, business partner sites and remote telecommuters to the corporate network. Benefits of implementing a VPN in an organization include:

- Cost savings: organizations can use cost-effective, third-party internet transport to connect remote offices and users to the main corporate site.

- Security: encryption and authentication protocols protect data from unauthorized access.

- Scalability: a VPN uses internet infrastructure provided by ISPs (Internet Service Providers), so an organization can add new users and sites without adding significant infrastructure of its own.

VPN systems are classified by:

- the protocols used to tunnel the traffic;
- the location of the tunnel's termination point;
- site-to-site or remote-access connectivity;
- the level of security provided;
- the OSI layer presented to the connecting network.

A VPN carries information through a tunnel between two endpoints, a source and a destination, each denoted by an IP address that corresponds to a physical location. For links over a mobile (GSM) network, however, each tunnel is bound to a permanently associated address at the device rather than to the address currently assigned by the network: the VPN endpoint is not fixed to a single IP address but roams across the data networks of mobile service providers, and application sessions survive a change of network because the tunnel itself stays connected.

Page 11

1.2 Problem Statement

Data relayed across the internet is not secure by default, because the network is accessible to every connected host. A Virtual Private Network (VPN) encapsulates data and transports it across the internet in protected form, providing data confidentiality, integrity and authentication. Security is the key to VPN effectiveness, and it is achieved through data encapsulation and/or data encryption. The major advantages of a VPN are:

- extended geographic connectivity;
- reduced operational costs compared with traditional WANs;
- reduced transit times and travelling costs for remote users;
- improved productivity;
- simplified network topology;
- global networking opportunities;
- telecommuter support;
- a faster return on investment (ROI) than a traditional WAN.

1.3 Main Objectives.

The purpose of this project is to enable secure internet connectivity between offices countrywide, providing data confidentiality, authenticity and integrity.

1.4 Project Scope.

To design and build a VPN network that interconnects offices countrywide, the following are required:

1. An existing network with servers and workstations, i.e. Local Area Networks (LANs).
2. A connection to the internet.
3. VPN gateways, i.e. routers, firewalls, VPN concentrators or Adaptive Security Appliances (ASAs).
4. Appropriate software to create and manage the VPN tunnels.

The VPN network is built and simulated in the Graphical Network Simulator 3 (GNS3) emulator, in which the above requirements and conditions can be reproduced.

Page 12

CHAPTER 2: LITERATURE REVIEW.

2.1 TYPES OF VPN.

2.1.1 REMOTE-ACCESS VPN.

This is a user-to-LAN connection used by a company whose employees need to connect to the private network from various remote locations. Typically, a corporation that wishes to set up a large remote-access VPN provides some form of internet dial-up account to its users through an Internet Service Provider (ISP).

The telecommuters can then dial a number to reach the internet and use their VPN client software to access the corporate network. A good example of a company that needs a remote-access VPN is a large firm with hundreds of salespeople in the field. Remote-access VPNs permit secure, encrypted connections between a company's private network and remote users through a third-party service provider.

FIG 2.1:REMOTE-ACCESS VPN MODEL.

Page 13

2.1.2 SITE-TO-SITE VPN.

Through the use of dedicated equipment and large-scale encryption, a company can connect multiple fixed sites over a public network such as the internet. Each site needs only a local connection to the same public network, thereby saving money on long private leased lines. Site-to-site VPNs can be further categorized into intranets or extranets.

2.1.2.1 INTRANET VPN.

A site-to-site VPN built between offices of the same company is said to be an intranet VPN.

2.1.2.2 EXTRANET VPN.

A VPN built to connect the company to its partners or customers is referred to as an extranet VPN.

FIG2.2:SITE-TO-SITE VPN MODEL

Page 14

2.3 VPN TECHNOLOGIES.

A well-designed VPN uses several methods to keep your connection and data secure.

2.3.1 Data Confidentiality.

This is perhaps the most important service provided by any VPN implementation. Since your private data travels over a public network, data confidentiality is vital and is attained by encrypting the data: taking all the data that one computer sends to another and encoding it into a form that only the other computer can decode. Most VPNs use one of the following protocols to provide encryption.

2.3.1.1 IPSec.

Internet Protocol Security (IPsec) provides enhanced security features such as strong encryption algorithms and comprehensive authentication. Only systems that are IPsec-compliant can take advantage of this protocol, and all devices must share a common pre-shared key or certificates from a common authority and must have closely matching security policies (proposals) configured, or the negotiation fails.

For remote-access VPN users, some form of third-party software package provides the connection and encryption on the user's PC. Early IPsec implementations offered only 56-bit (single DES) or 168-bit (triple DES) encryption; current implementations also support AES with 128-, 192- or 256-bit keys, which should be preferred, since a 56-bit DES key can be recovered by exhaustive search. IPsec has two modes: tunnel and transport.

Tunnel mode: encrypts the entire original packet, header and payload, and prefixes a new outer IP header addressed between the two VPN gateways.

Transport mode: encrypts only the payload; the original IP header stays in the clear and serves as the outer header.

Page 15

FIG 2.3 IPSEC ENCRYPTION MODES.

IPsec can be broadly divided into the following functional blocks:

2.3.1.1.1 Security protocols.

These carry the protected data. Which of them is used, and with which algorithms, is negotiated by IKE (ISAKMP) when the security association is set up.

2.3.1.1.1.1 AH (Authentication Header)

Provides data integrity and origin authentication for the whole packet, including the immutable fields of the IP header, but does not encrypt.

2.3.1.1.1.2 ESP (Encapsulating Security Payload)

Provides confidentiality by encrypting the encapsulated data and, optionally, integrity, origin authentication and anti-replay protection for it. ESP does not itself negotiate the encryption, authentication and integrity mechanisms; it applies the ones IKE has agreed.

2.3.1.1.1.3 AH & ESP

Both can be applied to the same packet, but since ESP with authentication already covers integrity, the combination is largely redundant.

Page 16

2.3.1.1.2 Encryption.

2.3.1.1.2.1 Types of Encryption Keys.

An encryption algorithm (cipher) transforms data under the control of a key; the key, not the algorithm, is what must stay secret. Ciphers and their keys are categorized into:

2.3.1.1.2.1.1 Symmetrical Keys.

Each peer uses the same key to encrypt and decrypt data (a shared key). The symmetric ciphers used in IPsec are:

2.3.1.1.2.1.1.1 DES (Data Encryption Standard)

A block cipher with a 56-bit key, developed at IBM and standardized in 1977. Its key is short enough to be recovered by exhaustive search, so it is no longer considered secure.

2.3.1.1.2.1.1.2 3DES (Triple DES)

Applies DES three times to each block of data with three independent 56-bit keys, giving 168 bits of key material (roughly 112 bits of effective security because of meet-in-the-middle attacks).

2.3.1.1.2.1.1.3 AES (Advanced Encryption Standard)

A newer and more efficient cipher with 128-, 192- or 256-bit keys that supersedes 3DES. Despite a common assumption to the contrary, AES is faster than 3DES in both software and hardware, so it costs less processor time, not more; it is the cipher of choice for new IPsec deployments.

2.3.1.1.2.1.2 Asymmetrical Keys.

This is where a peer uses one key to encrypt and another to decrypt, i.e. a public key and a private key respectively.

Page 17

2.3.1.1.2.1.2.1 RSA (Rivest-Shamir-Adleman)

A general-purpose public-key algorithm with keys of 512, 768, 1024 bits or larger. In IPsec it serves for peer authentication (RSA signatures and digital certificates during IKE) rather than for bulk data encryption. Keys of 1024 bits or fewer are no longer considered adequate; 2048 bits is the usual minimum today.

2.3.1.1.3 Authentication.

Often loosely called hashing. A keyed hash (HMAC) computed over each packet lets the receiver verify that the data arrived uncorrupted and unmodified, and that it came from a peer holding the shared key. The hash functions used are:

- MD5 (Message Digest 5): 128-bit hash
- SHA-1 (Secure Hash Algorithm 1): 160-bit hash

Both are deprecated for new deployments in favour of the SHA-2 family (HMAC-SHA-256 and above).

2.3.1.1.4 Protection.

Key exchange: the peers agree on the keys used for encryption and authentication over the internet without ever transmitting them. IKE uses Diffie-Hellman (DH) and identifies the group size by number:

- DH group 1: 768-bit MODP
- DH group 2: 1024-bit MODP
- DH group 5: 1536-bit MODP
- DH group 7: 163-bit elliptic curve

Groups 1 and 2 are too small for current use; group 14 (2048-bit MODP) or an elliptic-curve group such as 19 or 20 should be chosen where the platform supports it.
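The key agreement behind these groups, as an added example written for this edit rather than taken from the report or from any Cisco documentation. It uses the real Diffie-Hellman arithmetic but a toy modulus (the Mersenne prime 2**127 - 1, an assumption for the demo, not an IKE group; the RFC 2409/3526 group primes are not reproduced here) and a simplified key derivation in place of IKE's SKEYID computation. A second, 13-bit modulus shows why small groups are unacceptable: an eavesdropper who sees only the public values recovers the shared secret by brute force.

```python
"""Diffie-Hellman as used by IKE to agree keys over the public network.

Added example, not from the report. The arithmetic is the real thing; the modulus is a
toy choice (the Mersenne prime 2**127 - 1) rather than one of the RFC 2409/3526 IKE
groups, whose primes are not reproduced here. A tiny second modulus shows why group
size matters.
"""
import hashlib
import secrets


def dh_keypair(p, g):
    """Private exponent x in [1, p-2] and the public value g^x mod p."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def dh_shared(x, peer_public, p):
    """(g^y)^x mod p: both sides reach g^(xy) mod p without sending x or y."""
    return pow(peer_public, x, p)


def derive_keys(shared, nonce_i, nonce_r):
    """Hash the agreed secret with both peers' nonces into separate encryption and
    authentication keys (simplified stand-in for IKE's SKEYID derivation)."""
    seed = shared.to_bytes((shared.bit_length() + 7) // 8, "big")
    return (hashlib.sha256(b"enc" + seed + nonce_i + nonce_r).digest(),
            hashlib.sha256(b"auth" + seed + nonce_i + nonce_r).digest())


def ike_style_exchange(p, g):
    """Initiator and responder each transmit only a public value and a nonce;
    returns True when both derive identical keys."""
    a, ga = dh_keypair(p, g)                 # initiator keeps a, sends ga
    b, gb = dh_keypair(p, g)                 # responder keeps b, sends gb
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)   # sent in the clear too
    keys_i = derive_keys(dh_shared(a, gb, p), ni, nr)
    keys_r = derive_keys(dh_shared(b, ga, p), ni, nr)
    return keys_i == keys_r


def brute_force_exponent(p, g, public):
    """Eavesdropper's attack: find any x with g^x = public by trial. The cost grows with
    the size of p, which is the whole argument for large DH groups."""
    value = 1
    for x in range(p):
        if value == public:
            return x
        value = value * g % p
    return None


def eavesdropper_recovers_secret(p, g):
    """Run an exchange, then recover the shared secret from the public values alone."""
    a, ga = dh_keypair(p, g)
    b, gb = dh_keypair(p, g)
    real = dh_shared(a, gb, p)
    x = brute_force_exponent(p, g, ga)       # any x with g^x == ga yields the same secret
    return x is not None and dh_shared(x, gb, p) == real


P_DEMO, G_DEMO = (1 << 127) - 1, 3       # toy 127-bit group: runs fine, is not an IKE group
P_TINY, G_TINY = (1 << 13) - 1, 3        # 13-bit group: broken by brute force in milliseconds

if __name__ == "__main__":
    print("peers agree on keys:", ike_style_exchange(P_DEMO, G_DEMO))
    print("13-bit group broken by brute force:", eavesdropper_recovers_secret(P_TINY, G_TINY))
```

The same brute-force loop against P_DEMO would not finish, and against a real 2048-bit group the best known attacks are far beyond reach; that gap, not the arithmetic, is what a DH group number buys you.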

2.3.1.2 PPTP/MPPE

PPTP was created by the PPTP Forum, a consortium which included US Robotics, Microsoft, 3COM, Ascend and ECI Telematics. PPTP supports multi-protocol VPNs, with 40-bit and 128-bit encryption using a protocol called Microsoft Point-to-Point Encryption (MPPE). It is important to note that PPTP by itself does not provide data encryption. Its usual authentication method, MS-CHAPv2, has known weaknesses that allow the MPPE keys to be recovered from a captured handshake, so PPTP should not be used where confidentiality matters.

2.3.1.3 L2TP/IPSec

Commonly called L2TP over IPsec, this provides the security of the IPsec protocol over the tunnelling of the Layer 2 Tunneling Protocol (L2TP). L2TP is the product of a partnership between the members of the PPTP Forum, Cisco and the Internet Engineering Task Force (IETF).

It is primarily used for remote-access VPNs with Windows 2000 and later operating systems, since Windows 2000 provides a native IPsec and L2TP client. Internet Service Providers can also provide L2TP connections for dial-in users and then encrypt that traffic with IPsec between their access point and the remote office's network server.

Page 18

2.3.2Data Integrity

While it is important that your data is encrypted over a public network, it is just as important to verify that it has not been changed in transit. IPsec does this with an integrity check value (ICV) computed over the encrypted portion of the packet (ESP) or over the entire header and data portion (AH); if the ICV does not match on receipt, the packet has been tampered with and is dropped. Data integrity can also involve authenticating the remote peer.

2.3.3Data Origin Authentication

It is extremely important to verify the identity of the source of the data that is sent. This is necessary to guard against a number of attacks that depend on spoofing the identity of the sender.

2.3.4Anti-Replay

This is the ability to detect and reject packets that an attacker has captured and re-sent. IPsec uses the sequence number in the AH/ESP header, checked against a sliding window at the receiver, so that a duplicate or very old packet is dropped even though its integrity check would pass.
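How a receiver implements that check, as an added example (not from the report): the sliding window that an IPsec receiver keeps per security association, following RFC 4303 section 3.4.3. The arrival order fed through it is constructed for the demo; the window size of 64 matches the Cisco IOS default.

```python
"""Sliding anti-replay window as kept per IPsec SA by the receiver (RFC 4303, 3.4.3).

Added example, not from the report. The ESP sequence number is a 32-bit counter that
starts at 1; the receiver keeps the highest number accepted so far plus a bitmap of the
`size` numbers below it, so late-but-new packets are accepted while replays are dropped.
"""


class ReplayWindow:
    def __init__(self, size=64):
        self.size = size       # Cisco IOS default window is 64 packets
        self.highest = 0       # highest sequence number accepted; 0 = none yet
        self.bitmap = 0        # bit i set means (highest - i) has already been received

    def check_and_update(self, seq):
        """Return True and record seq if the packet is accepted, False if it must be dropped.
        In a real receiver this runs only after the ICV has verified, so a forger cannot
        poison the window with bogus sequence numbers."""
        if seq == 0:
            return False                        # 0 is never a valid ESP sequence number
        if seq > self.highest:                  # advance the window to the new high mark
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                        # too old: has fallen off the window
        if self.bitmap & (1 << offset):
            return False                        # already seen: a replayed packet
        self.bitmap |= 1 << offset              # late but new: accept and remember it
        return True


def replay_demo(sequence_numbers):
    """Feed a constructed arrival order through one window; return the accept/drop verdicts."""
    window = ReplayWindow(size=64)
    return [window.check_and_update(seq) for seq in sequence_numbers]


# Constructed arrival order: in-order packets, a replay of 2, reordering (5 before 4),
# a replay of 4, a jump to 70, then 6 (now older than the window) and 7 (just inside it).
ARRIVALS = [1, 2, 3, 2, 5, 4, 4, 70, 6, 7]

if __name__ == "__main__":
    for seq, ok in zip(ARRIVALS, replay_demo(ARRIVALS)):
        print(f"seq {seq:3d}: {'accept' if ok else 'DROP'}")
```

Two consequences follow from the code: a sender must never reuse a sequence number within one SA (IKE rekeys before the 32-bit counter wraps), and a receiver must verify the ICV before consulting the window, otherwise an attacker could advance `highest` with forged packets and make genuine late packets fall off the left edge.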

2.3.5Data Tunneling/Traffic Flow Confidentiality

Tunneling is the process of encapsulating an entire packet within another packet and sending it over a network. Data tunneling is helpful in cases where it is desirable to hide the identity of the device originating the traffic.

For example, a single device that uses IPSec encapsulates traffic that belongs to a number of hosts behind it and adds its own header on top of the existing packets. By encrypting the original packet and header (and routing the packet based on the additional layer 3 header added on top), the tunneling device effectively hides the actual source of the packet. Only the trusted peer is able to determine the true source, after it strips away the additional header and decrypts the original header.

As noted in Network Working Group, Request for Comments, RFC 2401 (since superseded by RFC 4301), "...disclosure of the external characteristics of communication also can be a concern in some circumstances. Traffic flow confidentiality is the service that addresses this latter concern by concealing source and destination addresses, message length, or frequency of communication. In the IPsec context, using ESP in tunnel mode, especially at a security gateway, can provide some level of traffic flow confidentiality."

Page 19

All the encryption protocols listed here also use tunnelling as a means to transfer the encrypted data across the public network. It is important to realize that tunnelling, by itself, does not provide data security. The original packet is merely encapsulated inside another protocol and is still readable with a packet-capture device if it is not encrypted. It is mentioned here, however, since it is an integral part of how VPNs function. Tunnelling involves three different protocols.

2.3.5.1 Passenger protocol.

The original data (IPX, NetBEUI, IP) that is carried.

2.3.5.2 Encapsulating protocol.

The protocol (GRE, IPsec, L2F, PPTP, L2TP) that is wrapped around the original data.

2.3.5.3 Carrier protocol.

The protocol used by the network over which the information travels. The original packet (passenger protocol) is encapsulated inside the encapsulating protocol, which is then placed inside the carrier protocol's header (usually IP) for transmission over the public network.

Note that the encapsulating protocol also quite often carries out the encryption of the data. Protocols such as IPX and NetBEUI, which would normally not be transferred across the internet, can thus be transmitted safely and securely.

For site-to-site VPNs, the encapsulating protocol is usually IPsec or Generic Routing Encapsulation (GRE). GRE includes information on what type of packet you are encapsulating and information about the connection between the client and server.

For remote-access VPNs, tunnelling normally takes place using the Point-to-Point Protocol (PPP). PPP is a link-layer protocol that carries IP and other network-layer protocols between the host computer and a remote system; PPP tunnelling uses one of PPTP, L2TP or Cisco's Layer 2 Forwarding (L2F).
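The encapsulation described in sections 2.3.1.1 (tunnel and transport mode), 2.3.1.1.1 (ESP), 2.3.2 (integrity) and this section, as an added example that is not part of the report. It builds the RFC 4303 ESP layout (header, IV, ciphertext, trailer, ICV) around a constructed IPv4 packet and shows what a packet-capture device between the sites can still read in each mode. The addresses, keys and payload are constructed for the demo, and because the standard library has no AES, a toy HMAC-SHA256 counter-mode keystream stands in for the cipher; the ICV is a real HMAC-SHA-256-128 and a tampered packet is dropped exactly as section 2.3.2 describes.

```python
"""ESP in transport and tunnel mode: what is protected, and what a capture still shows.

Added example (not from the report). Uses only the standard library, so a toy
HMAC-SHA256 counter-mode keystream stands in for AES; everything else follows the
RFC 4303 packet layout: ESP header (SPI, sequence) | IV | ciphertext+trailer | ICV.
"""
import hashlib
import hmac
import os
import socket
import struct

PROTO_IPIP, PROTO_TCP, PROTO_ESP = 4, 6, 50   # IPv4 protocol numbers
ICV_LEN = 16                                   # HMAC-SHA-256-128 (RFC 4868)


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left as zero for the demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def toy_keystream_xor(key, iv, data):
    """Stand-in stream cipher (HMAC-SHA256 in counter mode). Demo only, not for production."""
    stream = b"".join(hmac.new(key, iv + struct.pack("!I", i), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_encapsulate(mode, packet, spi, seq, enc_key, auth_key, gw_src=None, gw_dst=None):
    """Wrap an IPv4 packet in ESP. Tunnel mode hides the whole original packet behind the
    gateway addresses; transport mode keeps the original header and protects the payload."""
    hdr, payload = packet[:20], packet[20:]
    if mode == "tunnel":
        plaintext, next_hdr = packet, PROTO_IPIP
        outer_src, outer_dst = gw_src, gw_dst
    else:
        plaintext, next_hdr = payload, hdr[9]
        outer_src, outer_dst = socket.inet_ntoa(hdr[12:16]), socket.inet_ntoa(hdr[16:20])
    pad_len = (-(len(plaintext) + 2)) % 4                  # ESP trailer aligns to 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    esp_hdr, iv = struct.pack("!II", spi, seq), os.urandom(8)
    ciphertext = toy_keystream_xor(enc_key, iv, plaintext + trailer)
    icv = hmac.new(auth_key, esp_hdr + iv + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    esp = esp_hdr + iv + ciphertext + icv
    return ipv4_header(outer_src, outer_dst, PROTO_ESP, len(esp)) + esp


def esp_decapsulate(packet, enc_key, auth_key):
    """Verify the ICV first (integrity, section 2.3.2), then decrypt and unwrap."""
    hdr, esp = packet[:20], packet[20:]
    if hdr[9] != PROTO_ESP:
        raise ValueError("not an ESP packet")
    esp_hdr, iv, ciphertext, icv = esp[:8], esp[8:16], esp[16:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, esp_hdr + iv + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet dropped")    # tampered or wrong key
    plain = toy_keystream_xor(enc_key, iv, ciphertext)
    pad_len, next_hdr = plain[-2], plain[-1]
    inner = plain[:-(pad_len + 2)]
    if next_hdr == PROTO_IPIP:                             # tunnel mode: inner is a full packet
        return inner
    # transport mode: the original header is the outer header with its protocol restored
    src, dst = socket.inet_ntoa(hdr[12:16]), socket.inet_ntoa(hdr[16:20])
    return ipv4_header(src, dst, next_hdr, len(inner)) + inner


def on_the_wire(packet):
    """What a packet-capture device between the sites can read without the keys."""
    hdr = packet[:20]
    return {"src": socket.inet_ntoa(hdr[12:16]), "dst": socket.inet_ntoa(hdr[16:20]),
            "proto": hdr[9], "length": len(packet)}


# Constructed sample traffic: a host behind gateway A talking to a host behind gateway B.
# Documentation address ranges chosen for the demo, not the report's topology.
HOST_A, HOST_B = "192.168.1.10", "192.168.2.20"
GW_A, GW_B = "203.0.113.1", "198.51.100.1"
ENC_KEY, AUTH_KEY = b"demo-encryption-key-not-a-real-one", b"demo-authentication-key-for-hmac"
SECRET = b"GET /payroll HTTP/1.1"
ORIGINAL = ipv4_header(HOST_A, HOST_B, PROTO_TCP, len(SECRET)) + SECRET


def compare_modes():
    """Per mode: the outer header an eavesdropper sees, whether the payload leaked in the
    clear, and whether the trusted peer recovered the original packet."""
    out = {}
    for mode in ("transport", "tunnel"):
        wire = esp_encapsulate(mode, ORIGINAL, 0x1001, 1, ENC_KEY, AUTH_KEY, GW_A, GW_B)
        out[mode] = {"seen": on_the_wire(wire), "leaked": SECRET in wire,
                     "recovered": esp_decapsulate(wire, ENC_KEY, AUTH_KEY) == ORIGINAL}
    return out


def tampered_packet_is_dropped():
    """Flip one ciphertext byte in flight; the receiver must reject the packet."""
    wire = bytearray(esp_encapsulate("tunnel", ORIGINAL, 0x1001, 2, ENC_KEY, AUTH_KEY, GW_A, GW_B))
    wire[40] ^= 0x01                                       # offset 40 lies inside the ciphertext
    try:
        esp_decapsulate(bytes(wire), ENC_KEY, AUTH_KEY)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for mode, r in compare_modes().items():
        print(f"{mode:9s} seen={r['seen']} leaked={r['leaked']} recovered={r['recovered']}")
    print("tampered packet dropped:", tampered_packet_is_dropped())
```

In transport mode the capture still shows 192.168.1.10 talking to 192.168.2.20, which is why the report's site-to-site design (section 3.2) uses tunnel mode: only the gateway addresses and protocol 50 appear on the ISP's network, and the inner addresses, ports and payload are inside the ciphertext.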

Page 20

2.3.6 AAA (Authentication, authorization, and accounting)

AAA is used for more secure access in a remote-access VPN environment. Without user authentication, anyone who sits at a laptop or PC with pre-configured VPN client software can establish a secure connection into the remote network.

With user authentication, a valid username and password also have to be entered before the connection is completed. Usernames and passwords can be stored on the VPN termination device itself, or on an external AAA server, which can in turn authenticate against numerous other databases such as Windows NT, Novell, LDAP and so on.

When a request to establish a tunnel comes in from a dial-up client, the VPN device prompts for a username and password. This can then be authenticated locally or sent to the external AAA server, which checks:

- who you are (Authentication);
- what you are allowed to do (Authorization);
- what you actually do (Accounting).

The accounting information is especially useful for tracking client use for security auditing, billing or reporting purposes.

2.3.7Non-repudiation

In certain data transfers, especially those related to financial transactions, non-repudiation is a highly desirable feature. It prevents situations where one end denies having taken part in a transaction. Much as a bank requires your signature before honouring your cheque, non-repudiation works by attaching a digital signature to the sent message, thus precluding the possibility of the sender denying participation in the transaction.

A number of protocols exist that can be used to build a VPN solution. All of these protocols provide some subset of the services listed in this document. The choice of a protocol depends on the desired set of services.

For example, an organization might be comfortable with the data being transferred in clear text but extremely concerned about maintaining its integrity, while another organization might find maintaining data confidentiality absolutely essential. Their choice of protocols might thus be different.

Page 21

2.4 VPN Products.

Based on the type of VPN (remote-access or site-to-site), you need to put in place certain components to build your VPN. These might include:

- desktop software client for each remote user, e.g. Cisco VPN Client;
- dedicated hardware such as a Cisco VPN Concentrator, Cisco router or Cisco Secure PIX Firewall;
- dedicated VPN server for dial-up services;
- Network Access Server (NAS) used by the service provider for remote-user VPN access;
- private network and policy management centre.

Because these building blocks can be combined in many ways and interoperability between vendors is not guaranteed, many companies have developed turn-key solutions of their own. For example, Cisco offers several VPN solutions that include:

2.4.1VPN Concentrator.

Incorporating the most advanced encryption and authentication techniques available, Cisco VPN Concentrators are built specifically for creating a remote-access or site-to-site VPN and are ideally deployed where a single device must handle a very large number of VPN tunnels.

The VPN Concentrator was specifically developed to address the requirement for a purpose-built, remote-access VPN device. The concentrators provide high availability, high performance and scalability and include components, called Scalable Encryption Processing (SEP) modules, that enable users to easily increase capacity and throughput. The concentrators are offered in models suitable for small businesses with 100 or fewer remote-access users up to large enterprise organizations with as many as 10,000 simultaneous remote users.

Page 22

FIG2.4:VPN CONCENTRATOR MODEL

2.4.2 VPN-Enabled Router/VPN-Optimized Router

All Cisco routers that run Cisco IOS software support IPsec VPNs. The only requirement is that the router must run a Cisco IOS image with the appropriate feature set. The Cisco IOS VPN solution fully supports remote-access, intranet and extranet VPN requirements. This means that Cisco routers work equally well when connected to a remote host running VPN Client software or when connected to another VPN device such as a router, PIX Firewall or VPN Concentrator.

VPN-enabled routers are appropriate for VPNs with moderate encryption and tunnelling requirements and provide VPN services entirely through Cisco IOS software features. Examples of VPN-enabled routers include the Cisco 800, 1000, 1600, 1700, 2500, 2600, 3600, 4000, 4500, 4700, 7200 and 7500 series. Cisco's VPN-optimized routers provide scalability, routing, security and Quality of Service (QoS).

The routers are based on the Cisco IOS software, and there is a device suitable for every situation, from small-office/home-office (SOHO) access through central-site VPN aggregation to large-scale enterprise needs. VPN-optimized routers are designed to meet high encryption and tunnelling requirements and often make use of additional hardware such as encryption cards to achieve high performance.


WORKPLACE                         VPN ROUTER SERIES   MODEL                 COST
Small office and Tele-workers     800 Series          CISCO881-K9           KSHS. 29,928
                                                      CISCO881-SEC-K9       KSHS. 35,776
                                  1900 Series         CISCO1921/K9          KSHS. 43,172
                                                      CISCO1941/K9          KSHS. 54,180
Branch Office and SMB             2900 Series         CISCO2901/K9          KSHS. 62,436
Head Office/WAN/VPN Aggregation   7200 Series         CISCO7204VXR          KSHS. 70,900
                                                      CISCO7201             KSHS. 980,400
                                  7600 Series         PWR-2700-DC           KSHS. 129,430
                                                      CISCO 7609-5          KSHS. 568,890
                                  CISCO ASR 900       ASR-903               KSHS. 141,900
                                  CISCO ASR 1000      ASR 1002-10G-SHA/K9   KSHS. 4,020,500

TABLE 2.1: ROUTER CLASSIFICATION FOR THE VPN


2.4.3 Cisco Secure PIX Firewall

The Private Internet eXchange (PIX) Firewall combines dynamic network address translation, proxy server, packet filtering, firewall, and VPN capabilities in a single piece of hardware.

Instead of using Cisco IOS software, this device has a highly streamlined operating system that trades the ability to handle a variety of protocols for extreme robustness and performance by focusing on IP. As with Cisco routers, all PIX Firewall models support IPSec VPN. All that is required is that the licensing requirements to enable the VPN feature are met.

2.4.4 Cisco VPN Clients

Cisco offers both hardware and software VPN clients. The Cisco VPN Client (software) comes bundled with the Cisco VPN 3000 Series Concentrator at no additional cost. This software client can be installed on the host machine and used to connect securely to the central site concentrator (or to any other VPN device such as a router or firewall).

The VPN 3002 Hardware Client is an alternative to deploying the VPN Client software on every machine and provides VPN connectivity to a number of devices.

The choice of devices that you would use to build your VPN solution is ultimately a design issue that depends on a number of factors, including the desired throughput and the number of users.

For example, on a remote site with a handful of users behind a PIX 501, you could consider configuring the existing PIX as the IPSec VPN endpoint, provided that you accept the 501's 3DES throughput of roughly 3 Mbps and the limit of a maximum of 5 VPN peers.

On the other hand, on a central site acting as a VPN endpoint for a large number of VPN tunnels, going in for a VPN-optimized router or a VPN concentrator would probably be a good idea. The choice would then depend on the type (LAN-to-LAN or remote access) and number of VPN tunnels being set up. The wide range of Cisco devices that support VPN gives network designers a high degree of flexibility and a robust solution to meet every design need.


2.4.5 INTERNET SERVICE PROVIDER (SAFARICOM) TECHNICAL REPORT.

2.4.5.1 SAFARICOM MANAGED WIDE AREA NETWORKS (WANS).

The wide area network, often referred to as a WAN, is a communication system that connects local computer networks into a larger working network that may cover both national and international locations. This is common with branch offices which require a common channel for easier communication.

Safaricom Business offers managed WANs. Our full service offering (from design and installation to operation) means we can design for the scale as well as the security needs of:

Local authorities

Education sector

Banking and financial services

Emergency services

Healthcare

We can build and operate your WAN to enable your organization's presence throughout the country. The point-to-point service provides dedicated and "always on" point-to-point connectivity between two points. The data rates provided are suited to customer requirements.

2.4.5.2 Business Benefits.

Cost effective – A WAN enables businesses to connect to one central server or data storage facility, thus eliminating the need to invest in similar equipment.

Flexibility – Businesses can upgrade their internet connection capacity to fit their data demands.

Secure and Confidential – Safaricom Wide Area Network offers businesses the opportunity to have secure communication between branches.

Multiple Web content – Businesses on the Safaricom Wide Area Network can run and access multiple web applications such as video streaming, data uploads and downloads and even voice.


2.4.5.3 Safaricom's WAN. It is a network of telecommunication infrastructure that links multiple branch offices located in different geographical locations to its headquarters or to a centralized location. It is meant mainly for corporate or medium-size businesses with branches across the country, but can also cater for local authorities, the education sector, banking and financial services, emergency services and healthcare.

Safaricom's main role will be to design the network according to your specification, and to install and operate it at a fee. An IP address is issued upon payment, which is then configured on your business routers.

2.4.6 IP address. An Internet Protocol address (IP address) is a numerical label assigned to each device (e.g., computer, printer) participating in a computer network that uses the Internet Protocol for communication. An IP address serves two principal functions:-

1. host or network interface identification and

2. location addressing.

The designers of the Internet Protocol defined an IP address as a 32-bit number consisting of 4 octets, and this system, known as Internet Protocol Version 4 (IPv4), is still in use today. However, due to the enormous growth of the Internet and the predicted depletion of available addresses, a new version of IP (IPv6), using 128 bits for the address, was developed in 1995. IPv6 was standardized as Network Working Group Request for Comments RFC 2460 in 1998, and its deployment has been ongoing since the mid-2000s.

IP addresses are binary numbers, but they are usually stored in text files and displayed in human-readable notations, such as 172.16.254.1 (for IPv4) and 2001:db8:0:1234:0:567:8:1 (for IPv6). Decomposition of an IPv4 address from dot-decimal notation to its binary value is illustrated below.


2.4.6.1 IPv4 addresses. In IPv4 an address consists of 32 bits, which limits the address space to 4,294,967,296 (2^32) possible unique addresses. IPv4 reserves some addresses for special purposes such as private networks (~18 million addresses) or multicast addresses (~270 million addresses).

IPv4 addresses are canonically represented in dot-decimal notation, which consists of four decimal numbers, each ranging from 0 to 255, separated by dots, e.g., 172.16.254.1. Each part represents a group of 8 bits (an octet) of the address. In some cases of technical writing, IPv4 addresses may be presented in various hexadecimal, octal, or binary representations.

2.4.6.2 IPv4 sub-netting. In the early stages of development of the Internet Protocol, network administrators interpreted an IP address in two parts:

network number portion and

host number portion.

The highest-order octet (most significant eight bits) in an address was designated as the network number and the remaining bits were called the rest field or host identifier and were used for host numbering within a network.

This early method soon proved inadequate as additional networks developed that were independent of the existing networks already designated by a network number. In 1981, the Internet addressing specification was revised with the introduction of classful network architecture.


Classful network design allowed for a larger number of individual network assignments and fine-grained sub-network design. The first three bits of the most significant octet of an IP address were defined as the class of the address. Three classes (A, B, and C) were defined for universal unicast addressing. Depending on the class derived, the network identification was based on octet boundary segments of the entire address. Each class used successively additional octets in the network identifier, thus reducing the possible number of hosts in the higher order classes (B and C). The following table gives an overview of this now obsolete system.

Class  Leading bits  Size of network number bit field  Size of rest bit field  Number of networks  Addresses per network  Start address  End address
A      0             8                                 24                      128 (2^7)           16,777,216 (2^24)      0.0.0.0        127.255.255.255
B      10            16                                16                      16,384 (2^14)       65,536 (2^16)          128.0.0.0      191.255.255.255
C      110           24                                8                       2,097,152 (2^21)    256 (2^8)              192.0.0.0      223.255.255.255

TABLE 2.2: IP ADDRESS CLASSES.

2.4.6.3 IP sub-networks.

IP networks may be divided into sub-networks in IPv4. For this purpose, an IP address is logically recognized as consisting of two parts:-

the network prefix and

the host identifier, or interface identifier (IPv6).

The subnet mask or the CIDR prefix determines how the IP address is divided into network and host parts.

The term subnet mask is only used within IPv4. Both IP versions however use the CIDR concept and notation. In this, the IP address is followed by a slash and the number (in decimal) of bits used for the network part, also called the routing prefix. For example, an IPv4 address and its subnet mask may be 192.0.2.1 and 255.255.255.0, respectively. The CIDR notation for the same IP address and subnet is 192.0.2.1/24, because the first 24 bits of the IP address indicate the network and subnet.
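The dot-decimal to binary decomposition of Section 2.4.6, the classful lookup of Table 2.2 and the subnet mask/CIDR arithmetic of Section 2.4.6.3 can all be carried out with a few bit operations. The following is an added worked example, not code from the report; it uses only the Python standard library and the report's own example addresses (172.16.254.1 and 192.0.2.1/24), and it goes slightly beyond the text by also recognising classes D and E and by rejecting non-contiguous masks.

```python
"""IPv4 address decomposition, classful lookup and subnet-mask/CIDR arithmetic.

Added worked example for Sections 2.4.6.1 to 2.4.6.3; not code from the report.
Standard library only; the addresses used are the report's own examples.
"""


def ipv4_to_int(addr: str) -> int:
    """Parse dot-decimal notation into the 32-bit integer it encodes."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {addr!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {addr!r}")
        value = (value << 8) | n
    return value


def int_to_ipv4(value: int) -> str:
    """Inverse of ipv4_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(addr: str) -> str:
    """The dot-decimal to binary decomposition Section 2.4.6 refers to."""
    ipv4_to_int(addr)  # validate first
    return ".".join(format(int(o), "08b") for o in addr.split("."))


def address_class(addr: str) -> str:
    """Classful lookup from the leading bits of the first octet (Table 2.2).
    Classes D (multicast) and E (reserved) lie outside the table."""
    first = ipv4_to_int(addr) >> 24
    if first >> 7 == 0b0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    if first >> 4 == 0b1110:
        return "D"
    return "E"


# bits in the network-number field and number of leading (class) bits, Table 2.2
CLASS_NETWORK_BITS = {"A": 8, "B": 16, "C": 24}
CLASS_LEADING_BITS = {"A": 1, "B": 2, "C": 3}


def classful_table_row(cls: str) -> tuple[int, int, int, int]:
    """Recompute Table 2.2 for one class: (network bits, rest bits,
    number of networks, addresses per network)."""
    net_bits = CLASS_NETWORK_BITS[cls]
    rest_bits = 32 - net_bits
    networks = 1 << (net_bits - CLASS_LEADING_BITS[cls])
    return net_bits, rest_bits, networks, 1 << rest_bits


def prefix_to_mask(prefix: int) -> str:
    """CIDR prefix length -> dot-decimal subnet mask, e.g. 24 -> 255.255.255.0."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return int_to_ipv4((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def mask_to_prefix(mask: str) -> int:
    """Dot-decimal subnet mask -> CIDR prefix length; rejects masks whose
    one-bits are not contiguous, which a router would not accept as a mask."""
    m = ipv4_to_int(mask)
    prefix = bin(m).count("1")
    if prefix_to_mask(prefix) != mask:
        raise ValueError(f"non-contiguous subnet mask {mask!r}")
    return prefix


def split_network_host(cidr: str) -> tuple[str, int, str]:
    """'192.0.2.1/24' -> (network address, host number, broadcast address)."""
    addr, _, prefix_text = cidr.partition("/")
    mask = ipv4_to_int(prefix_to_mask(int(prefix_text)))
    value = ipv4_to_int(addr)
    network = value & mask
    host_bits = ~mask & 0xFFFFFFFF
    return int_to_ipv4(network), value & host_bits, int_to_ipv4(network | host_bits)


if __name__ == "__main__":
    for a in ("172.16.254.1", "10.0.0.1", "192.0.2.1"):
        print(f"{a:<14} {to_binary(a)}  class {address_class(a)}")
    print("192.0.2.1/24 ->", split_network_host("192.0.2.1/24"))
    print("255.255.255.0 is /", mask_to_prefix("255.255.255.0"))
```

The class rows recomputed by classful_table_row come out as 128 networks of 16,777,216 addresses for class A, 16,384 of 65,536 for class B and 2,097,152 of 256 for class C, which is exactly Table 2.2; the same network/host split is what every router in Chapter 3 performs when it matches a destination against a 255.255.255.0 mask.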


CHAPTER THREE: DESIGN AND SIMULATION.

3.1 SITE-TO-SITE VPN CONFIGURATION WITH GNS3.

3.1.1 NETWORK SOFTWARES.

3.1.1.1 GRAPHIC NETWORK SIMULATOR 3. The Graphic Network Simulator 3 is open source software that simulates complex networks while being as close as possible to the way real networks perform, without dedicated network hardware such as routers and switches.

GNS3 uses the following emulators to run the very same operating systems as in real networks:

Dynamips; the well-known Cisco IOS emulator

VirtualBox; this runs desktop and server operating systems as well as Juniper JunOS

Qemu; a generic open source machine emulator, it runs Cisco ASA, PIX and IPS.

GNS3 is an excellent alternative or complementary tool to real labs for network engineers and administrators. It can be used to experiment with features or to check configurations that need to be deployed later on real devices. Packet captures can also be viewed via Wireshark.

3.1.1.2 WIRESHARK. Wireshark is open source software, released under the GNU General Public License, that analyzes network protocols. In its Statistics: IO Graph, the Bytes/tick measure gives the total number of bytes in all packets matching the graph's display filter in each measurement interval (seconds).

3.1.2 VPN CONFIGURATION.

3.1.2.1 DESIGN ISAKMP (INTERNET SECURITY ASSOCIATION AND KEY MANAGEMENT PROTOCOL), IKE (INTERNET KEY EXCHANGE) PHASE 1 POLICY. IKE phase 1 focuses on establishing authentication and a secure tunnel for the IKE phase 2 (IPSec tunnel) exchange. This is the foundation tunnel for the VPN tunnel. Key elements required are:-

3.1.2.1.1 Remote peer IP or hostname. At the local peer: Specify the ISAKMP identity (address or hostname) the headquarters router will use when communicating with the remote office router during IKE negotiations.

At the remote peer: Specify the ISAKMP identity (address or hostname) the remote office router will use when communicating with the headquarters router during IKE negotiations.

3.1.2.1.2 Key distribution method. At the local peer: Specify the shared key the headquarters router will use with the remote office router.

At the remote peer: Specify the shared key to be used with the local peer. This is the same key you just specified at the local peer.

3.1.2.1.3 Authentication. Specify conditions to determine which IP packets are protected, i.e. enable or disable crypto for traffic that matches these conditions.

3.1.2.1.4 Encryption algorithm. Define the encryption mode for the data to be transmitted between the peers.

3.1.2.1.5 Hash algorithm. Specify the hash algorithm to ensure data integrity.

3.1.2.1.6 Lifetime. Specify a key lifetime for the crypto map entry other than the globally specified IPSec security association lifetimes.

3.1.2.2 DESIGN IPSEC, IKE (INTERNET KEY EXCHANGE) PHASE 2 POLICY. IKE phase 2 focuses on establishing a secure IPSec tunnel for data transfer. Key elements required are:-

3.1.2.2.1 Transform set. Specifies which transform sets are allowed for the crypto map entry.

3.1.2.2.2 Peer information. Specifies a remote IPSec peer.

3.1.2.2.3 Interesting traffic designation. Access-list number which determines which traffic should be protected by IPSec in the context of this crypto map entry.

3.2 MODEL OF COUNTRYWIDE VPN, SITE-TO-SITE VPN WITHOUT NAT (L2L IPSEC VPN). An organization based in Kenya with offices in the following towns was taken as our case study:-


OFFICE                     PORT  IP ADD.     SUB-NET MASK   TRANSFORM-SET     ISAKMP POLICY     ACCESS-LIST
Office HQs Nairobi         S3/0  64.69.1.1   255.255.255.0  ALL LISTED BELOW  ALL LISTED BELOW  ALL LISTED BELOW
Branch Office Mombasa      S1/0  11.11.3.1   255.255.255.0  KENYAVPN5         POLICY 5          151
Branch Office Eldoret      S1/0  7.3.1.1     255.255.255.0  KENYAVPN9         POLICY 9          191
Branch Office Nakuru       S1/0  8.8.8.1     255.255.255.0  KENYAVPN7         POLICY 7          171
Remote Office Mandera      S1/0  19.17.19.1  255.255.255.0  KENYAVPN6         POLICY 6          161
Remote Office Trans-Nzoia  S1/0  25.1.1.1    255.255.255.0  KENYAVPN4         POLICY 4          141
Remote Office Kisii        S1/0  9.9.3.1     255.255.255.0  KENYAVPN8         POLICY 8          181
Remote Office Machakos     S1/0  75.23.2.1   255.255.255.0  KENYAVPN3         POLICY 3          131

TABLE 3.1: VPN SITES CONFIGURATION.

3.2.1 NETWORK SET-UP. Router C7200 was selected to simulate the central site, i.e. Office Headquarters Nairobi, and the various branch and remote offices.

Seven sites are simulated with an ISP router in the middle. The various town routers were connected to the ISP-SAFARICOM router via Serial Line cables, and the computers were connected to the edge routers via Fast-Ethernet cables.

First, we make sure that devices on each site can ping each other within the site, i.e. default routes are configured on all computers pointing to the upstream router. Default routes are then configured via the ISP router on all seven sites. This means that all edge routers can reach the central site, the Office-HQs Nairobi router, but cannot go beyond it, as the ISP router does not know about the internal networks on the sites.

The command line interface (CLI) was used to configure the IP addresses of the ports and the IP routes of the various workstations as shown in Table 3.1, and their states were configured to up.


3.2.2 VPN SETUP.

The VPN will be set up at all eight sites and configured in such a way that hosts on the central site, OfficeHeadquarters_Nairobi, are able to reach hosts on all other sites and vice versa. No NAT is applied and no Internet access will be available for hosts at any site. Hosts on each site can only reach each other and nothing else.

CHAPTER 4: RESULTS AND DISCUSSION.

FIG 4.1 KENYA VPN TOPOLOGY.

FIG 4.1.2 ISP SAFARICOM CONFIGURATION.

FIG 4.2 INTERNET SECURITY ASSOCIATION AND KEY EXCHANGE MANAGEMENT PROTOCOL FOR THE CENTRAL SITE, OFFICE_HQs NAIROBI.

4.3 INTERNET PROTOCOL SECURITY FOR THE VPN.

FIG 4.3.1 ELDORET IPSEC SA.

FIG 4.3.2 KISII OFFICE IPSEC SA.

FIG 4.3.3 NAKURU IPSEC SA.

FIG 4.3.4 MANDERA IPSEC SA.

FIG 4.3.5 TRANS_NZOIA IPSEC SA.

FIG 4.3.6 MOMBASA IPSEC SA.

FIG 4.3.7 MACHAKOS IPSEC SA.

4.4 PING RESULTS.

FIG 4.4.1 ELDORET-PC1 PING.

FIG 4.4.2 KISII-PC1 PING.

FIG 4.4.3 NAKURU-PC1 PING.

FIG 4.4.4 MANDERA-PC1 PING.

FIG 4.4.5 TRANS-NZOIA PC1 PING.

FIG 4.4.6 MACHAKOS-PC1 PING.

FIG 4.5 WIRESHARK DATA CAPTURE FOR THE CENTRAL SITE OFFICE HQs NAIROBI.

CHAPTER 5: CONCLUSION AND RECOMMENDATIONS.

5.1 CONCLUSION. In this paper, the Virtual Private Network was configured to enable secure internet connectivity between offices countrywide for data confidentiality, authenticity and integrity. A LAN-to-LAN network with no NAT (Network Address Translation) was built using the Graphic Network Simulator 3 for eight towns connected to the internet service provider Safaricom router for connectivity to the central site, Office_HQs Nairobi. The show crypto isakmp sa command shows the current IKE SAs. "Active" status means the ISAKMP SA is in the active state. The source IP address indicates which endpoint initiated the IKE negotiation. The QM_IDLE state indicates Quick Mode exchange, meaning the IPSec SA remains authenticated and can be used for several quick mode exchanges. The show crypto ipsec sa command is used to show the current Security Association settings for the various end routers.

5.2 RECOMMENDATION.

The LAN-to-LAN VPN can be implemented for an organization with offices countrywide which requires data confidentiality, authenticity and integrity for its internet connectivity at a considerably low cost.


APPENDIX A. The code below was used to configure the IP addresses and IP routes for the central site, Office Headquarters Nairobi.

enable
config t
! WAN link towards the ISP (Safaricom) router
int s3/0
ip add 64.69.1.1 255.255.255.0
no shut
! head office LAN segments
int f1/1
ip add 189.132.2.1 255.255.255.0
no shut
int f2/0
ip add 189.132.3.1 255.255.255.0
no shut
int s3/0
! static routes to every branch and remote office WAN subnet via the ISP peer 64.69.1.2
ip route 11.11.3.0 255.255.255.0 64.69.1.2
ip route 7.3.1.0 255.255.255.0 64.69.1.2
ip route 8.8.8.0 255.255.255.0 64.69.1.2
ip route 19.17.19.0 255.255.255.0 64.69.1.2
ip route 25.1.1.0 255.255.255.0 64.69.1.2
ip route 9.9.3.0 255.255.255.0 64.69.1.2
ip route 75.23.2.0 255.255.255.0 64.69.1.2
! default route as written in the report (the WAN interface configured above is s3/0)
ip route 0.0.0.0 0.0.0.0 s0/0
! save the running configuration
do wr mem
exit
CTRL Z
copy run start


APPENDIX B. The branch offices were configured as follows, for instance for Office Mombasa (console CLI):

enable
config t
! WAN link towards the ISP router
int s0/0
ip add 11.11.3.1 255.255.255.0
no shut
! route to the central site WAN subnet via the ISP peer 11.11.3.2
ip route 64.69.1.0 255.255.255.0 11.11.3.2
exit
! return to privileged mode before saving (copy is not a configuration command)
CTRL Z
copy run start


APPENDIX C. After all workstations were configured, the ISP SAFARICOM router was put into play and all the routes were configured via its ISP ports.

enable
config t
! one serial interface per branch or remote office, each on that office's WAN subnet
int s2/6
ip add 9.9.3.2 255.255.255.0
no shut
int s1/3
ip add 25.1.1.2 255.255.255.0
no shut
int s2/5
ip add 19.17.19.2 255.255.255.0
no shut
int s2/4
ip add 8.8.8.2 255.255.255.0
no shut
int s1/2
ip add 75.23.2.2 255.255.255.0
no shut
int s2/3
ip add 7.3.1.2 255.255.255.0
no shut
int s1/0
ip add 11.11.3.2 255.255.255.0
no shut
CTRL Z
copy run st
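Section 3.2.1 states that the edge routers can reach the central site but that the ISP router "doesn't know about internal network on the sites". The following added worked example (not code from the report) transcribes the static and connected routes of Appendices A, B and C into routing tables and resolves destinations with the general longest-prefix-match rule that IOS applies. One assumption is made: the ISP router's HQ-facing link 64.69.1.2/24 does not appear in Appendix C, but the head office routes in Appendix A point at that address, so it is added and labelled as assumed.

```python
"""Longest-prefix-match route lookup over the static routes of Appendices A, B and C.

Added worked example, not code from the report. The tables are transcribed from
the appendices; the ISP router's HQ-facing link 64.69.1.2/24 is an assumption.
"""
from typing import Optional


def ip_to_int(addr: str) -> int:
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def mask_length(mask: str) -> int:
    """255.255.255.0 -> 24; 0.0.0.0 -> 0 (the default route)."""
    return bin(ip_to_int(mask)).count("1")


class RoutingTable:
    """A router's routes as (network, prefix length, next hop) triples."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.routes: list[tuple[int, int, str]] = []

    def interface(self, addr: str, mask: str) -> "RoutingTable":
        """'ip add A M' on an interface installs a connected route."""
        net = ip_to_int(addr) & ip_to_int(mask)
        self.routes.append((net, mask_length(mask), "connected"))
        return self

    def static(self, net: str, mask: str, next_hop: str) -> "RoutingTable":
        """'ip route NET MASK NEXT-HOP'; the next hop may be an interface name."""
        self.routes.append((ip_to_int(net), mask_length(mask), next_hop))
        return self

    def lookup(self, dst: str) -> Optional[str]:
        """Next hop of the most specific matching route, or None if unroutable."""
        d = ip_to_int(dst)
        best = None
        for net, plen, next_hop in self.routes:
            mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
            if d & mask == net and (best is None or plen > best[0]):
                best = (plen, next_hop)
        return best[1] if best else None


def build_tables() -> dict[str, RoutingTable]:
    hq = RoutingTable("Office HQs Nairobi")                # Appendix A
    hq.interface("64.69.1.1", "255.255.255.0")            # s3/0, WAN link to the ISP
    hq.interface("189.132.2.1", "255.255.255.0")          # f1/1, head office LAN
    hq.interface("189.132.3.1", "255.255.255.0")          # f2/0, head office LAN
    for branch in ("11.11.3.0", "7.3.1.0", "8.8.8.0", "19.17.19.0",
                   "25.1.1.0", "9.9.3.0", "75.23.2.0"):
        hq.static(branch, "255.255.255.0", "64.69.1.2")
    hq.static("0.0.0.0", "0.0.0.0", "s0/0")               # default route as written

    mombasa = RoutingTable("Branch Office Mombasa")        # Appendix B
    mombasa.interface("11.11.3.1", "255.255.255.0")
    mombasa.static("64.69.1.0", "255.255.255.0", "11.11.3.2")

    isp = RoutingTable("ISP Safaricom")                    # Appendix C
    for addr in ("9.9.3.2", "25.1.1.2", "19.17.19.2", "8.8.8.2",
                 "75.23.2.2", "7.3.1.2", "11.11.3.2"):
        isp.interface(addr, "255.255.255.0")
    isp.interface("64.69.1.2", "255.255.255.0")           # assumed HQ-facing link
    return {"hq": hq, "mombasa": mombasa, "isp": isp}


if __name__ == "__main__":
    tables = build_tables()
    for router, dst in (("hq", "11.11.3.5"), ("hq", "189.132.2.9"),
                        ("mombasa", "64.69.1.1"), ("mombasa", "189.132.2.9"),
                        ("isp", "189.132.2.9")):
        print(f"{tables[router].name:<22} {dst:<12} -> {tables[router].lookup(dst)}")
```

The lookups reproduce the behaviour the text describes: the head office sends every branch WAN subnet to 64.69.1.2 and delivers its own LANs directly, while the ISP table has no entry at all for 189.132.2.0/24, so a packet for a head office LAN address is undeliverable there. Appendix B likewise gives Mombasa only the route to 64.69.1.0/24, so the same lookup fails on that table; Section 3.2.1 says default routes were later added at all sites, which is modelled by a further static("0.0.0.0", "0.0.0.0", ...) entry.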


APPENDIX D

The following code was used to configure the VPN settings for all edge routers (the values shown are those listed for the Machakos office in Table 3.1: transform set KENYAVPN3, policy 3, access-list 131).

enable
config t
! IKE phase 1 (ISAKMP) policy: 3DES, pre-shared key authentication, DH group 2
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
! pre-shared key for the central site peer (lab value as used in the report)
crypto isakmp key cisco address 64.69.1.1
! interesting traffic: this office's LAN to the two head office LANs
access-list 131 permit ip 158.133.2.0 0.0.0.255 189.132.2.0 0.0.0.255
access-list 131 permit ip 158.133.2.0 0.0.0.255 189.132.3.0 0.0.0.255
! IKE phase 2 transform set: ESP with AES encryption and SHA-1 HMAC integrity
crypto ipsec transform-set KENYAVPN3 esp-aes esp-sha-hmac
! crypto map entry tying the peer, the transform set and the interesting traffic together
crypto map S2SMAP_1 3 ipsec-isakmp
set peer 64.69.1.1
set transform-set KENYAVPN3
match address 131
CTRL Z
conf t
! apply the crypto map to the WAN interface
int s1/0
crypto map S2SMAP_1
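The phase 1 and phase 2 elements of Section 3.1.2 are all present in the Appendix D commands above: the ISAKMP policy (encryption, authentication method, group), the pre-shared key for the peer, the transform set, the peer address and the access-list that designates interesting traffic. The following added worked example (not code from the report) parses those commands, evaluates the interesting-traffic access-list with IOS wildcard semantics against constructed packets, derives the mirror access-list the central site must carry for the tunnel to work in both directions, and lists the phase 1 settings a reviewer would query. MACHAKOS_CONFIG copies the Appendix D lines with IOS-style indentation; the test packets and the weak-key watch-list are constructed here.

```python
"""Checks on the site-to-site IPsec policy of Section 3.1.2 and Appendix D.
Added worked example, not code from the report. MACHAKOS_CONFIG copies the
Appendix D commands with IOS-style indentation; the packets and the weak-key
watch-list are constructed."""
from dataclasses import dataclass, field

MACHAKOS_CONFIG = """\
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 64.69.1.1
access-list 131 permit ip 158.133.2.0 0.0.0.255 189.132.2.0 0.0.0.255
access-list 131 permit ip 158.133.2.0 0.0.0.255 189.132.3.0 0.0.0.255
crypto ipsec transform-set KENYAVPN3 esp-aes esp-sha-hmac
crypto map S2SMAP_1 3 ipsec-isakmp
 set peer 64.69.1.1
 set transform-set KENYAVPN3
 match address 131
interface Serial1/0
 crypto map S2SMAP_1
"""


@dataclass
class CryptoPolicy:
    isakmp: dict = field(default_factory=dict)          # policy number -> attributes
    psk: dict = field(default_factory=dict)             # peer address -> key
    acl: dict = field(default_factory=dict)             # number -> [(src, swc, dst, dwc)]
    transform_sets: dict = field(default_factory=dict)  # name -> algorithms
    crypto_maps: dict = field(default_factory=dict)     # (name, seq) -> entry
    bindings: dict = field(default_factory=dict)        # interface -> crypto map name


def parse_crypto_config(text: str) -> CryptoPolicy:
    """Minimal parser for the crypto-related IOS commands used in Appendix D."""
    pol, ctx = CryptoPolicy(), None
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0].startswith("!"):
            continue
        if w[:3] == ["crypto", "isakmp", "policy"]:
            ctx = ("isakmp", w[3]); pol.isakmp[w[3]] = {}
        elif w[:3] == ["crypto", "isakmp", "key"]:       # crypto isakmp key K address A
            pol.psk[w[5]] = w[3]
        elif w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
            pol.acl.setdefault(w[1], []).append(tuple(w[4:8]))
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            pol.transform_sets[w[3]] = w[4:]
        elif w[:2] == ["crypto", "map"] and len(w) == 5:
            ctx = ("map", (w[2], w[3])); pol.crypto_maps[ctx[1]] = {}
        elif w[:2] == ["crypto", "map"] and ctx and ctx[0] == "interface":
            pol.bindings[ctx[1]] = w[2]
        elif w[0] in ("interface", "int"):
            ctx = ("interface", w[1])
        elif ctx and ctx[0] == "isakmp":
            pol.isakmp[ctx[1]][w[0]] = " ".join(w[1:])
        elif ctx and ctx[0] == "map" and w[0] in ("set", "match"):
            pol.crypto_maps[ctx[1]][w[1]] = w[2]        # peer / transform-set / address
    return pol


def _ip(addr: str) -> int:
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard means 'must match'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return _ip(addr) & care == _ip(net) & care


def is_interesting(pol: CryptoPolicy, acl_number: str, src: str, dst: str) -> bool:
    """Would a src -> dst packet be sent into the IPsec tunnel?"""
    return any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
               for s, sw, d, dw in pol.acl.get(acl_number, []))


def mirror_acl(pol: CryptoPolicy, acl_number: str) -> list:
    """Entries the peer's access-list must contain (source and destination
    swapped); a mismatched mirror is a classic cause of a one-way tunnel."""
    return [(d, dw, s, sw) for s, sw, d, dw in pol.acl.get(acl_number, [])]


WEAK_PSKS = {"cisco", "cisco123", "password", "secret"}    # constructed watch-list


def lint(pol: CryptoPolicy) -> list:
    """Findings on phase 1 and phase 2 settings, with IOS defaults filled in."""
    findings = []
    for peer, key in pol.psk.items():
        if key.lower() in WEAK_PSKS or len(key) < 16:
            findings.append(f"psk {peer}: short or well-known pre-shared key")
    for num, attrs in pol.isakmp.items():
        encr = attrs.get("encr", "des")                    # IOS default when omitted
        if encr in ("des", "3des"):
            findings.append(f"isakmp policy {num}: legacy encryption {encr}")
        if "hash" not in attrs:
            findings.append(f"isakmp policy {num}: hash not set, IOS default is sha (SHA-1)")
        group = attrs.get("group", "1")
        if group in ("1", "2", "5"):
            findings.append(f"isakmp policy {num}: DH group {group} is below 2048 bits")
    for (name, seq), entry in pol.crypto_maps.items():
        if entry.get("address") not in pol.acl:
            findings.append(f"crypto map {name} {seq}: access-list {entry.get('address')} undefined")
    return findings
```

Running lint on the Appendix D fragment reports the pre-shared key, the 3DES phase 1 encryption, the implicit SHA-1 hash and DH group 2; the interesting-traffic check shows that only packets from 158.133.2.0/24 to the two head office LANs enter the tunnel, and that the central site's access-list must carry the mirrored entries for the reverse direction.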
