Virtual Private Network VPN IPSec Testing: Functionality Interoperability and Performance

Similar documents

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300

Securing IP Networks with Implementation of IPv6

Chapter 4 Virtual Private Networking

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

VPN. VPN For BIPAC 741/743GE

Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM

Configuring an IPSec Tunnel between a Firebox & a Check Point FireWall-1

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

VPN Consortium Scenario 1: Gateway-to-Gateway with Preshared Secrets

VPN Consortium Scenario 1: Gateway-to-Gateway with Preshared Secrets

Chapter 8 Virtual Private Networking

Configuring an IPsec VPN to provide ios devices with secure, remote access to the network

DFL-210/260, DFL-800/860, DFL-1600/2500 How to setup IPSec VPN connection

Configure an IPSec Tunnel between a Firebox Vclass & a Check Point FireWall-1

IPSec Pass through via Gateway to Gateway VPN Connection

Configuring TheGreenBow VPN Client with a TP-LINK VPN Router

CCNA Security 1.1 Instructional Resource

CSCI 454/554 Computer and Network Security. Topic 8.1 IPsec

Fireware How To VPN. Introduction. Is there anything I need to know before I start? Configuring a BOVPN Gateway

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

Use Shrew Soft VPN Client to connect with IPSec VPN Server on RV130 and RV130W

Protocol Security Where?

Configuring a Check Point FireWall-1 to SOHO IPSec Tunnel

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Fortinet Firewall. Overview

How To Configure An Ipsec Tunnel On A Network With A Network Gateways (Dfl-800) On A Pnet 2.5V2.5 (Dlf-600) On An Ipse Vpn

Lecture 17 - Network Security

Security Engineering Part III Network Security. Security Protocols (II): IPsec

Netopia TheGreenBow IPSec VPN Client. Configuration Guide.

Micronet SP881. TheGreenBow IPSec VPN Client Configuration Guide.

Introduction to Security and PIX Firewall

Firewall Troubleshooting

Configure IPSec VPN Tunnels With the Wizard

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Sonicwall Firewall.

TheGreenBow IPsec VPN Client. Configuration Guide Cisco RV325 v1. Website: Contact:

ISG50 Application Note Version 1.0 June, 2011

How To Set Up A Vpn Tunnel Between Winxp And Zwall On A Pc 2 And Winxp On A Windows Xp 2 On A Microsoft Gbk2 (Windows) On A Macbook 2 (Windows 2) On An Ip

Juniper NetScreen 5GT

IPsec VPN Security between Aruba Remote Access Points and Mobility Controllers

IP Security. Ola Flygt Växjö University, Sweden

Configuration Procedure

Configuring IPsec VPN with a FortiGate and a Cisco ASA

Branch Office VPN Tunnels and Mobile VPN

Technical Document. Creating a VPN. GTA Firewall to WatchGuard Firebox SOHO 6 TD: GB-WGSOHO6

IPsec VPN Application Guide REV:

Laboratory Exercises V: IP Security Protocol (IPSec)

VPNs. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright Palo Alto Networks

Configuring a FortiGate unit as an L2TP/IPsec server

Lab Configure a PIX Firewall VPN

Apliware firewall. TheGreenBow IPSec VPN Client. Configuration Guide.

Chapter 6 Basic Virtual Private Networking

How To Establish IPSec VPN connection between Cyberoam and Mikrotik router

Network Security. Lecture 3

Configuring a Lan-to-Lan VPN with Overlapping Subnets with Juniper NetScreen/ISG/SSG Products

Virtual Private Networks

How to configure VPN function on TP-LINK Routers

Configuring SSH Sentinel VPN client and D-Link DFL-500 Firewall

FortiOS Handbook IPsec VPN for FortiOS 5.0

VPN Wizard Default Settings and General Information

Cisco RV 120W Wireless-N VPN Firewall

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Linksys RV042. TheGreenBow IPSec VPN Client. Configuration Guide.

Workflow Guide. Establish Site-to-Site VPN Connection using RSA Keys. For Customers with Sophos Firewall Document Date: November 2015

Príprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku

21.4 Network Address Translation (NAT) NAT concept

Network Security Part II: Standards

ZyXEL ZyWALL P1 firmware V3.64

LAN-Cell to Cisco Tunneling

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Cisco Firewall. Overview

Configuration Professional: Site to Site IPsec VPN Between Two IOS Routers Configuration Example

FortiOS Handbook - IPsec VPN VERSION 5.2.2

Symantec Firewall/VPN 200

Virtual Private Network and Remote Access

GNAT Box VPN and VPN Client

Virtual Private Network and Remote Access Setup

How to configure VPN function on TP-LINK Routers

Case Study for Layer 3 Authentication and Encryption

Viewing VPN Status, page 335. Configuring a Site-to-Site VPN, page 340. Configuring IPsec Remote Access, page 355

The BANDIT Products in Virtual Private Networks

Configuring a Site-to-Site VPN Tunnel Between Cisco RV320 Gigabit Dual WAN VPN Router and Cisco (1900/2900/3900) Series Integrated Services Router

Network virtualization

CS 4803 Computer and Network Security

Creating a VPN with overlapping subnets

This is a guide on how to create an IPsec VPN tunnel from a local client running Shrew Soft VPN Client to an Opengear device.

Using IPSec in Windows 2000 and XP, Part 2

Planet CS TheGreenBow IPSec VPN Client. Configuration Guide.

FortiOS Handbook - IPsec VPN VERSION 5.2.4

Using IPsec VPN to provide communication between offices

Cisco QuickVPN Installation Tips for Windows Operating Systems

SonicWALL Check Point Firewall-1 VPN Interoperability

LinkProof And VPN Load Balancing

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

OfficeConnect Internet Firewall VPN Upgrade User Guide

Setting up D-Link VPN Client to VPN Routers

How To Industrial Networking

This section provides a summary of using network location profiles to identify network connection types. Details include:

OvisLink 8000VPN VPN Guide WL/IP-8000VPN. Version 0.6

Cisco SA 500 Series Security Appliance

Building scalable IPSec infrastructure with MikroTik. IPSec, L2TP/IPSec, OSPF

Establishing a VPN tunnel to CNet CWR-854 VPN router using WinXP IPSec client

IP Security. IPSec, PPTP, OpenVPN. Pawel Cieplinski, AkademiaWIFI.pl. MUM Wroclaw

Transcription:

Virtual Private Network VPN IPSec Testing: Functionality Interoperability and Performance Johnnie Chen Project Manager of Network Security Group Network Benchmarking Lab Network Benchmarking Laboratory 1

Outline What is VPN? Why we need VPN? IPSec Background Why IPSec VPN? =>Functionalitliy What re the critical issues in IPSec VPN =>Interoperability and Performance IPSec Functionality Testing IPSecInteroperability Testing IPSec Performance Testing Network Benchmarking Laboratory 2

What is VPN? Why we need VPN? Network: a way to communicate with others Private Network: a way to communicate with others in private (privacy and authenticity) BC1 Dedicated link BC2 Virtual Private Network: a way to set up private networks over shared infrastructure BC1 Internet BC2 Shared media Network Benchmarking Laboratory 3

IP Security (IPSec) Background The most deployed protocol: IP OSI Layer Application Presentation Session Transport Network Data Link Physical IPSec is Here Network Benchmarking Laboratory 4

Protocols in IPSec: ESP and AH ESP: Encapsulating Security Payload Privacy (Encryption: AES/3DES/DES) Authenticity (Hash: SHA1/MD5) Security Parameters Index (SPI): 32 bits Sequence Number: 32 bits Payload Data (variable) Padding (0-255 bytes) Pad Length: 8 bits Next Header: 8 bits Authentication Data (variable) Network Benchmarking Laboratory 5

AH: Authentication Header Authenticity only (Hash: SHA1/MD5) Next Header: 8 bits Payload Len: 8 bits RESERVED: 16 bits Security Parameters Index (SPI): 32 bits Sequence Number Field: 32 bits Authentication Data (variable) Network Benchmarking Laboratory 6

Operation modes in IPSec: Tunnel mode and Transport mode Tunnel mode: secure channel for two regions BC1 and BC2 can talk to each other through the IPSec secure channel SG1 and SG2 can NOT do that Transport mode: secure channel for two points. SG1 and SG2 can talk to each other through the IPSec secure channel BC1 and BC2 can NOT do that IPSec secure channel BC1 SG1 Internet SG2 BC2 Network Benchmarking Laboratory 7

Security Association (SA) and Security Policy (SP) in IPSec SA: define what kinds of mechanisms to used to secure those packets Encryption/Hash algorithms Session keys for encryption/hash algorithms Security Parameter Index (SPI) SP: define what kinds of packets to be secured Source IP range/destination IP range ESP or AH Tunnel or Transport Which tunnel to use Network Benchmarking Laboratory 8

Internet Key Exchange (IKE) Automatically install SA in both side of SG. Automatically change session keys in a certain time. Peer authentication method Certificate Pre-shared key Network Benchmarking Laboratory 9

IPSec VPN Scenario Before IPSec Setup BC1: private IP SG1 Internet SG2 BC2: private IP Assume Pc1 in BC1, Pc2 in BC2 Pc1 ping Pc2 => trigger IKE negotiation => SG1 is initiator, SG2 is responder If IKE negotiation successfully => SAs are installed in both SG1 and SG2. After IPSec Setup IPSec secure channel BC1: private IP SG1 Internet SG2 BC2: private IP Network Benchmarking Laboratory 10

Why IPSec VPN Why VPN Why IPSec Network Benchmarking Laboratory 11

What re the critical issues in IPSec VPN Interoperability (IKE): Too many variables to configure IPSec No standard configuration Performance Without ASIC, Encryption will greatly slow down the speed of packet processing Network Benchmarking Laboratory 12

TestBed Topology Network Benchmarking Laboratory 13

IPSec Functionality Testing Setup two D-Link DFL-900 Do NOT enable Firewall function ADVANCED SETTINGS->Firewall-> uncheck Enable Stateful Inspection Firewall->Apply Enable IPSec VPN ADVANCED SETTINGS->VPN Settings-> IPSec->check Enable IPSec ->Apply Click IKE -> Add a proper IPSec rule (Tunnel mode, ESP) Use ping and ftp to setup and pass through the IPSec tunnel Collect the Log data DEVICE STATUS->VPN Logs->IPSec Logs Copy to the report Network Benchmarking Laboratory 14

IPSec Interoperability Testing Setup one D-Link DFL-900 and another vendor s device NetScreen 5GT Fortinet Fortigate-50 Soniwall SOHO-3 WatchGuard SOHO-6 D-Link DFL-100 Use ping and ftp to setup and pass through the IPSec tunnel (Tunnel mode, ESP) Collect the IPSec logs which you have done and write a table to describe the Interoperability Copy to the Report Network Benchmarking Laboratory 15

IPSec Performance Testing Use Smartflow/Smartbits to test the throughput of DFL-900 IPSec Variables affecting throughput Null/SHA1, 3DES/SHA1, AES/SHA1 Frame size: 64, 512, 1450, 1518 bytes Collect the test result from smartflow Results->Export All Tests to File Copy to the Report Network Benchmarking Laboratory 16

SmartFlow Setting (reference only) Parameter Port Port Model (SMB6000 2A1, 2A2) Auto Negotiation (SMB6000 2A1, 2A2) Speed (SMB6000 2A1, 2A2) Duplex (SMB6000 2A1, 2A2) Port IP Address (SMB6000 2A1) Network (SMB6000 2A1) Gateway (SMB6000 2A1) Subnet Mask (SMB6000 2A1) Port IP Address (SMB6000 2A2) Network (SMB6000 2A2) Gateway (SMB6000 2A2) Subnet Mask (SMB6000 2A2) Cards IPv4 Networks Value SMB6000 2A1 SMB6000 2A2 LAN-6101A/3101A Force 100M Full 192.168.1.1 192.168.1.0 192.168.1.254 255.255.255.0 192.168.2.1 192.168.2.0 192.168.2.254 255.255.255.0 Network Benchmarking Laboratory 17

SmartFlows 2A1 -> 2A2 IP s next protocol IP Source IP Destination NONE/UDP/TCP 192.168.2.3 192.168.1.3 Test Setup Frame size with CRC (bytes) Duration (Sec) Traffic test mode Traffic initial rate (%) Traffic Minimum rate (%) Traffic Maximum rate (%) Back off (%) Acceptable frame loss (%) 64/512/1024/1518 10 Binary 10 1 100 50 0 Network Benchmarking Laboratory 18