Basic Principles of IPSec VPN

Source: Internet
Author: User
I have been busy with my livelihood for the past few days. Unfortunately, I also got sick for a few days, so I did not keep up with the writing in time. I would like to apologize to everyone, especially those who have been eagerly waiting for me to write.

Finally, I am getting to IPSec VPN technology. I have already explained the principles of SSL VPN and MPLS VPN, and I want to introduce the principles of IPSec VPN in the same simple way.

IPSec is a complete and systematic VPN technology defined by a series of protocol standards. Without going into the details of those standards, we can understand IPSec from the following aspects.
1. Why was the IPSec protocol introduced?
There are two reasons. The first is that the original TCP/IP protocol suite contains no security design: anyone who can tap a link can read and analyze all the traffic passing over it. IPSec adds a complete security mechanism covering encryption, authentication, and protection against data tampering.

The second reason is that the rapid growth of the Internet has made access cheap and convenient, and many customers want to use Internet bandwidth to interconnect remote networks instead of leasing dedicated lines.

Through packet encapsulation, IPSec wraps packets carrying internal (private) IP addresses inside packets carrying IP addresses that are routable on the Internet, so that remote private networks can communicate with each other.

2. Packet Encapsulation
Imagine a real-world communication method. Suppose that an ID card is required to send and receive mail (adults only). Children have no ID card and therefore cannot send mail. There are two children, Xiao Zhang and Xiao Li, whose fathers are Lao Zhang and Lao Li. Xiao Zhang and Xiao Li want to exchange letters. What can they do?

A reasonable way to achieve this: Xiao Zhang writes a letter, seals it, and writes "Xiao Zhang --> Xiao Li" on it, then hands it to his father. Lao Zhang puts that letter inside a second envelope addressed "Lao Zhang --> Lao Li" and mails it to Lao Li. When Lao Li receives it, he opens the outer envelope, finds that the inner letter is addressed to his son, and passes it on to Xiao Li. Xiao Li's reply works the same way: it is sent back to Xiao Zhang in his father's name.
This communication method depends on the following factors:
* Lao Li and Lao Zhang are both able to receive and send mail.
* Xiao Zhang hands his letter to his father rather than trying to mail it himself.
* After receiving the letter from his son, Lao Zhang is able to handle it properly (write a second envelope) and send the re-packaged envelope correctly.
* At the other end, after receiving the outer envelope, Lao Li is able to deliver the inner letter to Xiao Li correctly.
* The reverse direction works the same way.
Now replace the addresses on the outer envelope with IP addresses on the Internet, and replace the contents of the letter with an IP packet: this is the IPSec packet encapsulation model. Xiao Zhang and Xiao Li are hosts with private internal IP addresses, and their fathers are the VPN gateways. Two remote LAN hosts that cannot reach each other directly communicate because the gateway at each site's Internet exit encapsulates their packets inside packets addressed with its own public IP address. In IPSec terms this is tunnel mode: the original IP packet, headers included, becomes the payload of a new outer IP packet.
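The envelope model in bytes, as an added example that is not code from the original article: it builds a minimal IPv4 packet between two private hosts (the inner letter) and wraps it in an outer IPv4 header addressed between the two gateways' public addresses (the outer envelope), then shows the receiving gateway recovering the inner packet unchanged. Protocol number 4 (IP-in-IP) is the real IANA value for a plain, unprotected tunnel; an IPSec gateway would use 50 (ESP) and protect the inner packet, which this block leaves out. All addresses are constructed sample data from the documentation ranges.

```python
"""Tunnel-mode packet encapsulation: the letter-in-an-envelope model in bytes.

Added illustration, not code from the original article. Addresses are
constructed sample data (RFC 5737 documentation ranges for the public side).
"""
import ipaddress
import struct

PROTO_IPIP = 4    # IP-in-IP: inner IP packet carried directly, no protection (ESP would be 50)
PROTO_UDP = 17

_HDR = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header, no options


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the 16-bit words of the header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a 20-byte IPv4 header followed by the payload, with a correct checksum."""
    hdr = struct.pack(_HDR, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fixed header; a header whose checksum does not verify is rejected."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    # Summing the header including its own checksum field folds to 0 when it is intact.
    if (ver_ihl >> 4) != 4 or ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total_len]}


def header_is_valid(pkt: bytes) -> bool:
    try:
        parse_ipv4(pkt)
        return True
    except ValueError:
        return False


def gateway_encapsulate(inner_pkt: bytes, gw_local: str, gw_remote: str) -> bytes:
    """Lao Zhang's job: put the whole inner packet inside an outer envelope."""
    return build_ipv4(gw_local, gw_remote, PROTO_IPIP, inner_pkt)


def gateway_decapsulate(outer_pkt: bytes, gw_local: str) -> bytes:
    """Lao Li's job: check the outer envelope is his and a tunnel packet, then hand over the letter."""
    outer = parse_ipv4(outer_pkt)
    if outer["dst"] != gw_local:
        raise ValueError("outer packet not addressed to this gateway")
    if outer["proto"] != PROTO_IPIP:
        raise ValueError("not a tunnel packet")
    return outer["payload"]


def demo():
    # Constructed sample: Xiao Zhang (10.1.0.10) writes to Xiao Li (10.2.0.20).
    # The payload stands in for a transport segment; its contents do not matter here.
    inner = build_ipv4("10.1.0.10", "10.2.0.20", PROTO_UDP, b"hello from site A")
    # Lao Zhang's gateway (203.0.113.1) envelopes it to Lao Li's gateway (198.51.100.1).
    outer = gateway_encapsulate(inner, "203.0.113.1", "198.51.100.1")
    seen = parse_ipv4(outer)                       # what the Internet sees: gateway addresses only
    recovered = gateway_decapsulate(outer, "198.51.100.1")
    return seen["src"], seen["dst"], parse_ipv4(recovered)["dst"], recovered == inner
```

Note that the inner packet's private addresses never appear in the outer header, which is exactly why the Internet can route the envelope even though it could not route the letter; it is also why, without the encryption and integrity protection of the following sections, anyone on the path can still open the envelope and read the letter.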

Introducing an encapsulation protocol like this is a bit of a compromise. The ideal networking model is of course full routing, in which any node can reach any other directly (just as the ideal postal system is one in which anyone can write to anyone directly).

When the Internet protocol was first designed, the IP address was made 32 bits long. That was enough at the time; nobody could foresee that the Internet would grow to its current scale (the same thing happened with telecom SMS, whose development was heavily constrained by the 160-character limit). In theory 2 to the power 32, about 4 billion, addresses are available, and that has proved inadequate. In addition, roughly 70% of the address space was allocated in the United States (who told them to invent and run the Internet?), so for China the IP address resources available for allocation are very limited.

Since public IP addresses are scarce, packet encapsulation is naturally the best way to implement remote LAN-to-LAN communication: only the gateways need public addresses.

3. Security Protocol (Encryption)
Return to the communication model above.
Suppose Lao Zhang's letter travels to Lao Li through the postal system, and there are busybodies along the way who want to peek at the correspondence between Xiao Zhang and Xiao Li (say Xiao Zhang and Xiao Li run a business together, and the outsiders want to steal sales information or sabotage the deal).
To solve this problem we introduce security measures. The security can be applied by Xiao Li and Xiao Zhang themselves, writing the text in a secret code. Or it can be applied by their fathers: the son writes a plain letter, hands it to his father, and the father rewrites it in the secret code before it goes out.

IPSec encryption works the same way. Since the data is already being encapsulated, it can also be transformed on the way in and restored to its original form at the destination. In the gateway-to-gateway model this encryption is performed on the VPN gateway at the Internet egress; the internal hosts never see it.

4. Security Protocol (Data Authentication)
Using the same communication model, encryption alone is not enough.
Suppose the data is encrypted: in the model, the text of the letter is written in a secret code.

The busybodies cannot read the letter, but they can forge one or alter the letter at random. After the letter arrives, the content is garbled, and the recipient has no way of knowing that it was modified in transit.

To prevent this, a tamper-detection mechanism is needed, so that if the data is modified illegally the change is detected immediately. In the postal analogy, use an algorithm to compute a characteristic of the letter (for example the number of strokes and characters in it), then write that characteristic, encoded in the secret code, after the letter. The recipient recomputes the characteristic and checks it. The characteristic changes whenever the letter changes, so a modifier who does not know the secret code cannot produce a matching value, and the recipient sees the mismatch.

Data authentication in real IPSec works the same way. A keyed hash (an HMAC; HMAC-MD5 and HMAC-SHA1 in early deployments, HMAC-SHA2 today) is computed over the packet and carried with it as an integrity check value. The receiver recomputes it after the packet arrives and compares the two, to verify that the data was not tampered with in transit. The key is what matters: a plain, unkeyed MD5 digest could simply be recomputed by whoever altered the packet, just as a letter checksum that anyone can calculate proves nothing. This is also why MD5 alone is no longer considered adequate; current IPSec deployments use HMAC-SHA-256 or authenticated encryption such as AES-GCM, which provides encryption and integrity together.
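The two protections of sections 3 and 4 applied to one packet, as an added example that is not the article's code and not a real ESP implementation: the framing (SPI, sequence number, IV, ciphertext, trailing integrity check value) follows ESP's layout, but the cipher is a toy keystream derived with SHA-256 so the example runs with the standard library only, and the ESP padding trailer is omitted. A real gateway uses AES-CBC or AES-GCM; do not reuse this cipher. The demo also shows what the busybody can do to a stream cipher when there is no integrity check: flip one ciphertext byte and the amount in the decrypted message changes, which the ICV catches.

```python
"""Encrypt-then-authenticate, in the shape an IPSec gateway uses per packet.

Added illustration, not the article's code. The keystream is a toy stand-in
for AES so that the block runs with only the standard library.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

ICV_LEN = 16  # HMAC-SHA-256 truncated to 128 bits, as HMAC-SHA2-256-128 does


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || iv || counter) blocks."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + struct.pack("!Q", ctr)).digest()
        ctr += 1
    return bytes(out[:n])


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def protect(plain: bytes, spi: int, seq: int, enc_key: bytes, auth_key: bytes,
            iv: Optional[bytes] = None) -> bytes:
    """Build SPI || seq || IV || ciphertext || ICV. The ICV covers everything before it."""
    iv = os.urandom(16) if iv is None else iv
    body = struct.pack("!II", spi, seq) + iv + _xor(plain, _keystream(enc_key, iv, len(plain)))
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def unprotect(pkt: bytes, enc_key: bytes, auth_key: bytes):
    """Verify the ICV first and only then decrypt. Returns (spi, seq, plaintext) or None."""
    if len(pkt) < 8 + 16 + ICV_LEN:
        return None
    body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):   # constant-time comparison
        return None
    spi, seq = struct.unpack("!II", body[:8])
    iv, ct = body[8:24], body[24:]
    return spi, seq, _xor(ct, _keystream(enc_key, iv, len(ct)))


def demo():
    enc_key, auth_key = os.urandom(32), os.urandom(32)
    inner = b"transfer 100 to account 42"        # constructed sample plaintext
    pkt = protect(inner, spi=0x1000, seq=1, enc_key=enc_key, auth_key=auth_key)
    ok = unprotect(pkt, enc_key, auth_key)
    # The busybody flips one ciphertext byte. With a stream cipher that flips the
    # same byte of plaintext, turning the "1" of 100 into a "9".
    body = bytearray(pkt[:-ICV_LEN])
    body[24 + inner.index(b"1")] ^= ord("1") ^ ord("9")
    forged = bytes(body) + pkt[-ICV_LEN:]
    rejected = unprotect(forged, enc_key, auth_key) is None
    # Decrypt the forgery anyway, ignoring the ICV, to see what would have been accepted.
    iv, ct = bytes(body[8:24]), bytes(body[24:])
    unchecked = _xor(ct, _keystream(enc_key, iv, len(ct)))
    return ok[2] == inner, rejected, unchecked
```

Two details carry over to real deployments: the integrity check is verified before any decryption is attempted, so a forged packet is dropped without the receiver ever acting on its contents, and the comparison is constant-time so the check itself does not leak the expected value byte by byte.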

5. Security Protocol (Identity Authentication)
Return once more to the Xiao Zhang and Xiao Li communication model.
Since Lao Zhang and Lao Li are in different places and cannot meet face to face, yet want to ensure the security of their sons' correspondence, each must confirm that the other party is genuine. This is the problem of identity authentication.

Suppose Lao Zhang and Lao Li met once before and agreed on a communication code at that time, for example that the digits 1234567890 correspond to the letters abcdefghij, so that a message containing 255 is written as "bee".

The common VPN identity authentication method in this spirit is the pre-shared key: the two parties agree on a secret in advance and use it to establish the encryption and decryption keys for their communication. Whoever can produce valid messages under that secret is a friend; whoever cannot is an intruder. The distinction is simple.

Other, more complex identity authentication mechanisms include certificates (electronic certificates such as X.509). They are not detailed here, since some readers are already nodding off; if necessary, contact me for more detailed technical white papers and related identity authentication documents.

Once an identity authentication mechanism is in place, frequently changing the keys becomes possible: the authenticated parties can negotiate fresh session keys at any time instead of using the long-term secret itself to encrypt traffic.
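A pre-shared-key authentication exchange with per-session keys, as an added example that is not the article's code and not IKE itself: it is a simplified model in the spirit of IKE's PSK authentication (the real exchange in RFC 7296 also runs a Diffie-Hellman exchange and a PRF-based key schedule). Each side contributes a random nonce, proves knowledge of the shared secret with an HMAC over both nonces and its own identity, and derives the traffic keys from the secret plus both nonces, so the keys differ on every session even though the PSK never changes. The peer names and PSK are constructed sample values.

```python
"""PSK identity authentication with fresh session keys (simplified model).

Added illustration, not the article's code and not the IKE protocol.
"""
import hashlib
import hmac
import os
from typing import Tuple


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


class Peer:
    def __init__(self, name: str, psk: bytes):
        self.name = name
        self.psk = psk
        self.nonce = os.urandom(32)   # fresh for every session

    def _nonces(self, peer_nonce: bytes, i_am_initiator: bool) -> bytes:
        # Fix the order (initiator first) so both sides MAC the same string.
        ni, nr = (self.nonce, peer_nonce) if i_am_initiator else (peer_nonce, self.nonce)
        return ni + nr

    def proof(self, peer_nonce: bytes, i_am_initiator: bool) -> bytes:
        """AUTH value sent to the peer: binds my identity to this session's nonces under the PSK."""
        return _prf(self.psk, b"AUTH" + self._nonces(peer_nonce, i_am_initiator) + self.name.encode())

    def verify(self, peer_name: str, peer_nonce: bytes, peer_proof: bytes, i_am_initiator: bool) -> bool:
        """Check the peer's AUTH value under my copy of the PSK."""
        expected = _prf(self.psk, b"AUTH" + self._nonces(peer_nonce, i_am_initiator) + peer_name.encode())
        return hmac.compare_digest(peer_proof, expected)

    def session_keys(self, peer_nonce: bytes, i_am_initiator: bool) -> Tuple[bytes, bytes]:
        """Separate encryption and integrity keys, both tied to this session's nonces."""
        n = self._nonces(peer_nonce, i_am_initiator)
        return _prf(self.psk, b"ENC" + n), _prf(self.psk, b"INT" + n)


def handshake(initiator: Peer, responder: Peer):
    """One authentication exchange; returns (initiator accepts, responder accepts, keys agree)."""
    # 1. Nonces cross in the clear; an eavesdropper learning them is expected.
    # 2. Each side sends its proof and checks the other's under its own PSK.
    proof_i = initiator.proof(responder.nonce, True)
    proof_r = responder.proof(initiator.nonce, False)
    r_ok = responder.verify(initiator.name, initiator.nonce, proof_i, False)
    i_ok = initiator.verify(responder.name, responder.nonce, proof_r, True)
    keys_i = initiator.session_keys(responder.nonce, True)
    keys_r = responder.session_keys(initiator.nonce, False)
    return i_ok, r_ok, keys_i == keys_r


if __name__ == "__main__":
    psk = b"correct horse battery staple"       # constructed sample secret
    print(handshake(Peer("LaoZhang", psk), Peer("LaoLi", psk)))      # (True, True, True)
    print(handshake(Peer("LaoZhang", psk), Peer("LaoLi", b"guess")))  # initiator rejects
```

One caveat matters in practice: in this simplified model an eavesdropper who captures the nonces and a proof can test PSK guesses offline, which is the same weakness that made IKEv1 aggressive mode with weak PSKs crackable. IKEv2 folds the Diffie-Hellman result into the value being authenticated, so passive capture is not enough; with a model like this one, only a high-entropy PSK is safe, and certificates avoid the shared-secret problem altogether.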

6. Miscellaneous
With the problems above solved, the VPN communication model can basically be established.
But it is not yet complete. This is the simplest VPN: the remote networks are interconnected through two static IP addresses, one at each end. Many VPN devices in the United States stop at this level, because IP addresses are plentiful there and assigning static addresses is no problem. The bitter part is for the Chinese customers I serve: requiring a static IP address at both ends is equivalent to requiring two Internet leased lines.
To use a VPN in China, a pile of further problems has to be solved. The next section describes the problems IPSec VPN runs into in China.
Last time I used a simple model to describe the principle of VPN communication: IPSec uses packet encapsulation to establish a communication tunnel across the Internet, and through that tunnel a network connection can be established. However, that model is incomplete, and there are still many problems to solve.

Before discussing the other issues, let us define several VPN concepts.

VPN node: a communication node in the VPN network, which may be a VPN gateway or client software. It must be able to connect to the Internet, either directly (ADSL, dial-up) or from behind NAT (residential broadband, CDMA Internet access, an ietong line).

VPN tunnel: a virtual link established between two VPN nodes, through which the internal networks behind the two devices can reach each other. The information that defines it is the IP addresses of both VPN nodes, a tunnel name, and the key.

Tunnel routing: one device may establish tunnels with many other devices, so there is a tunnel selection problem: for a given destination, which tunnel should be used?

In the communication model, Lao Li is a tunnel node, and the coded correspondence relationship established through the postal system is a data tunnel. When Xiao Zhang and Xiao Li hand letters to their fathers, the fathers have to decide how to envelope each letter and to whom to address it. If there is also a Lao Wang and his son who need to communicate, tunnel routing becomes easy to see: letters for Xiao Wang are enveloped to Lao Wang, and letters for Xiao Li are enveloped to Lao Li. With many nodes, tunnel routing becomes complicated.

Having understood the above, we can see that the problems IPSec must solve break down into the following steps:
* Find the peer VPN node device. If the peer has a dynamic IP address, there must be an effective way to detect changes to the peer's IP address promptly. In the communication model, if Lao Li moves house frequently, there must be a mechanism to learn his new address in time.
* Build the tunnel easily. If both devices have valid public IP addresses, creating a tunnel is straightforward. If one side is behind NAT, it gets awkward. Typically the inner (NATed) VPN node initiates a UDP connection, wraps the IPSec packets inside UDP, and sends them to the peer. Because the NAT device or firewall tracks UDP flows, the UDP-encapsulated IPSec packets can pass back and forth through it.
* After the tunnel is established, determine the tunnel route, that is, which tunnel carries traffic to which destination. Many VPN tunnel configurations define a protected network for each tunnel, so the tunnel route follows from the protected-network relationship; this works but loses some flexibility.

All IPSec VPNs are implemented around these key points. Each vendor has its own practice, but any VPN currently sold on the market must have solved the above problems.

The first question is how to find the VPN node device.

If both devices are on dynamic dial-up addresses, a suitable static third party is needed for resolution. It is like two people who keep moving house: to find each other they need a mutual friend whom both know and who does not move, so that both can contact him.

There are three common implementations of the static third party:

Through a web page. This is a technique invented by Sangfor, which resolves IP addresses through a web page. When you visit a site such as http://www.123cha.com/ it shows you your current public IP address. In the same way, a dynamic device can submit its current IP address to a page, and other devices can retrieve it from there, so the devices find each other through that page. Because the web page's own address is fixed, this method solves the problem effectively, avoids the risks of a centralized authentication point, and is easy to back up. It is a clever solution. Of course, web pages are subject to many attacks, so security measures are needed: anyone who can alter the published address can redirect peers to a host of their choosing. The tunnel's own identity authentication should still reject an impostor, but the result is at least a denial of service, so the published record should be authenticated (signed by the device, or fetched over an authenticated channel) rather than trusted as plain text.

A centralized server that performs unified resolution and groups users. Each VPN device can only see the other devices in its own group and cannot reach devices in other groups; a directory server can also be used. This method suits centralized VPNs: the server is deployed at enterprise headquarters to authenticate and manage devices worldwide. It is less suitable for scattered, independent users, because of a trust problem: the customer will worry that if the management server is compromised, other devices might be able to connect into their own VPN domain. Many VPN vendors at home and abroad offer specialized devices or software for this kind of large centralized VPN management. Besides dynamic IP address resolution it can also provide online authentication and other functions, and if the management center is capable enough, communication policies can be defined centrally, leaving relatively few configuration parameters on the VPN devices themselves.

The third method is DDNS, that is, dynamic domain names. Dynamic DNS is a relatively balanced technique. After the VPN device dials up, it registers its current IP address with the dynamic DNS provider's name server, which updates the record for the device's second-level domain name; other Internet users then find the device's current IP address by resolving that name. For example, if the dynamic DNS server's domain is 99ip.net and the device's name is abc.99ip.net, the VPN device submits its address through a client program and the server makes abc.99ip.net resolve to the current IP address. However, DNS caching can cause problems: resolvers elsewhere keep the old answer until its TTL expires, so a peer may keep trying the stale address for a while. If the VPN vendor provides the DDNS service itself, it can use an internal protocol to speed up queries and avoid the problems caused by DNS caching.

These are the three dynamic IP address resolution methods generally offered by vendors in China. More exotic techniques may exist, but they are not mainstream.

With the dynamic IP address problem solved, the network of the earlier communication model can be built without requiring many static addresses. Once more and more vendors master this technique, the price of IPSec-based VPN devices and software will certainly fall. In IT, a technology goes from sunrise to sunset in the blink of an eye.

Second question: how to establish a tunnel
With dynamic IP addressing solved, let us look at NAT traversal. UDP and TCP traffic can traverse a NAT firewall, but directly encapsulated IPSec (ESP, IP protocol 50) cannot, because the NAT device relies on port numbers to rewrite the packet and to map returning packets back to the correct internal host, and ESP carries no ports. UDP is the obvious carrier: TCP would add three-way handshake delay and its own acknowledgements and retransmissions, which is inappropriate for what are themselves whole IP packets encapsulated inside IPSec (the inner TCP already handles reliability). Therefore encapsulating IPSec packets in UDP to traverse NAT is almost the only option; this is what the standard NAT-Traversal mechanism does, carrying ESP over UDP port 4500.
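The UDP encapsulation just described, as an added example that is not the article's code: the framing follows RFC 3948, where everything after a UDP header on port 4500 is either an ESP packet (whose first four bytes, the SPI, are never zero) or an IKE message prefixed with a four-byte zero "non-ESP marker", and a NAT-keepalive is a single 0xFF byte. The block builds the UDP header by hand so it runs without sockets, shows the source-port rewrite a NAT performs, and demultiplexes on receipt the way a gateway does. The ESP bytes and IKE bytes in the tests are constructed placeholders.

```python
"""UDP encapsulation of ESP for NAT traversal (RFC 3948 framing).

Added illustration, not the article's code. Runs offline: UDP headers are
packed by hand rather than sent through a socket.
"""
import struct

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefix that distinguishes IKE from ESP on port 4500
KEEPALIVE = b"\xff"                    # one-byte datagram that keeps the NAT mapping alive


def udp_header(src_port: int, dst_port: int, payload_len: int) -> bytes:
    """8-byte UDP header; checksum 0 means 'not computed', which IPv4 permits."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + payload_len, 0)


def encap_esp(esp_packet: bytes, src_port: int = NAT_T_PORT, dst_port: int = NAT_T_PORT) -> bytes:
    """Wrap an ESP packet (SPI first) in UDP. SPI 0 is reserved and must not appear on the wire."""
    if struct.unpack("!I", esp_packet[:4])[0] == 0:
        raise ValueError("SPI 0 would be mistaken for the non-ESP marker")
    return udp_header(src_port, dst_port, len(esp_packet)) + esp_packet


def encap_ike(ike_message: bytes, src_port: int = NAT_T_PORT, dst_port: int = NAT_T_PORT) -> bytes:
    """IKE on port 4500 is prefixed with the non-ESP marker so the receiver can tell it apart."""
    body = NON_ESP_MARKER + ike_message
    return udp_header(src_port, dst_port, len(body)) + body


def keepalive(src_port: int = NAT_T_PORT, dst_port: int = NAT_T_PORT) -> bytes:
    return udp_header(src_port, dst_port, 1) + KEEPALIVE


def nat_rewrite(datagram: bytes, new_src_port: int) -> bytes:
    """What a NAT does on the way out: rewrite the source port (the address rewrite is omitted here).
    This is exactly the change that breaks bare ESP, which has no port field to rewrite."""
    _, dst_port, length, _ = struct.unpack("!HHHH", datagram[:8])
    return struct.pack("!HHHH", new_src_port, dst_port, length, 0) + datagram[8:]


def demux(udp_datagram: bytes):
    """Classify a datagram received on port 4500; returns (kind, payload, src_port).
    The gateway must reply to src_port as observed, which after NAT is not 4500."""
    src_port, dst_port, length, _ = struct.unpack("!HHHH", udp_datagram[:8])
    if dst_port != NAT_T_PORT or length != len(udp_datagram):
        return ("drop", b"", src_port)
    payload = udp_datagram[8:]
    if payload == KEEPALIVE:
        return ("keepalive", b"", src_port)
    if len(payload) < 4:
        return ("drop", b"", src_port)
    if payload[:4] == NON_ESP_MARKER:
        return ("ike", payload[4:], src_port)
    return ("esp", payload, src_port)
```

The port returned by demux is the point of the whole mechanism: the responder sends its ESP back to whatever source port the NAT chose, and the keepalives exist only so that the NAT does not forget that mapping while the tunnel is idle.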

Using UDP to traverse NAT only solves half of the problem, because it still requires that at least one party be on the public Internet with a routable IP address. Sometimes both VPN nodes are behind NAT, and then the only option is forwarding through a third party: both devices can reach the third-party device, and it forwards traffic between them. This also maps onto the communication model. Lao Zhang and Lao Li cannot reach each other directly, but both can reach Lao Wang, so Lao Wang relays the letters in the middle: all correspondence between Xiao Li and Xiao Zhang is handed to their fathers, and Lao Wang carries it between the two. This is where the concept of tunnel routing becomes concrete: instead of one tunnel reaching the destination directly, traffic may be forwarded across several tunnels. Whether Lao Wang can read the letters depends on how the tunnels are keyed: if the inner packets are protected end to end between Lao Zhang and Lao Li and Lao Wang merely re-envelopes them, the relay sees only ciphertext; if each hop is a separate tunnel terminated at the relay, the relay sees plaintext and must be trusted accordingly.

So IPSec VPN is not mysterious. All the core work is focused on the following:
How a VPN node finds the other nodes it needs to talk to.
Negotiating a communication tunnel, including what to do when a node is behind NAT.
Building a tunnel routing table that maps different destination addresses to different tunnels.
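A tunnel routing table of the kind described above, as an added example that is not from the article or any vendor product: each tunnel is configured with the protected networks reachable through it (the protected-network relationship mentioned earlier), lookup is longest-prefix match as in an ordinary routing table, and a tunnel may point at a relay node (Lao Wang) rather than the final peer, which covers the case of two nodes both behind NAT. The gateway, peer and network addresses are constructed sample values.

```python
"""Tunnel routing: which tunnel carries a packet to a given destination.

Added illustration, not the article's code. Sample addresses are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple


class TunnelRouter:
    def __init__(self, local_nets: List[str]):
        self.local = [ipaddress.ip_network(n) for n in local_nets]
        self.routes: List[Tuple[object, str]] = []       # (protected network, tunnel name)
        self.tunnels: Dict[str, Dict[str, Optional[str]]] = {}   # name -> {"peer", "via"}

    def add_tunnel(self, name: str, peer: str, protected_nets: List[str], via: Optional[str] = None):
        """Register a tunnel to `peer` that protects `protected_nets`; `via` is an optional relay."""
        self.tunnels[name] = {"peer": peer, "via": via}
        for n in protected_nets:
            self.routes.append((ipaddress.ip_network(n), name))
        # Longest prefix first, so a more specific protected network wins.
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def select(self, dst: str) -> Optional[str]:
        """Tunnel name for a destination, "local" for the LAN, or None when no tunnel protects it.
        A None result must be dropped (or explicitly bypassed by policy), never sent out in the clear."""
        addr = ipaddress.ip_address(dst)
        if any(addr in n for n in self.local):
            return "local"
        for net, name in self.routes:
            if addr in net:
                return name
        return None

    def next_hop(self, dst: str) -> Optional[str]:
        """Where the encapsulated packet is actually sent: the peer, or the relay in front of it."""
        name = self.select(dst)
        if name in (None, "local"):
            return name
        t = self.tunnels[name]
        return t["via"] or t["peer"]


def build_demo_router() -> TunnelRouter:
    """Lao Zhang's gateway. Lao Li is reached through the relay Lao Wang (both behind NAT);
    a branch office has a more specific network carved out of Lao Li's range."""
    r = TunnelRouter(["10.1.0.0/16"])
    r.add_tunnel("to-LaoLi", peer="198.51.100.1", protected_nets=["10.2.0.0/16"], via="192.0.2.9")
    r.add_tunnel("to-LaoWang", peer="192.0.2.9", protected_nets=["10.3.0.0/16"])
    r.add_tunnel("to-branch", peer="203.0.113.77", protected_nets=["10.2.5.0/24"])
    return r


if __name__ == "__main__":
    router = build_demo_router()
    for d in ("10.1.0.5", "10.2.0.20", "10.2.5.7", "10.3.1.1", "8.8.8.8"):
        print(d, router.select(d), router.next_hop(d))
```

The important check is the None case: in IPSec terms the security policy database distinguishes PROTECT, BYPASS and DISCARD, and a destination that matches no tunnel should fall into DISCARD by default so that a misconfigured route cannot quietly leak internal traffic onto the Internet unencrypted.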

Assuming the above problems are solved, VPN nodes with dynamic IP addresses can find each other in some way, establish tunnels, and route traffic across them. Is that a complete VPN?

The answer is still no. Solving the problems above does not yet mean a very usable VPN product; there are many other problems, and the subsequent ones are all about complexity. Once the simple principles are implemented, the rest of the work is solving all the related edge cases. Making something work is one thing; making it good to use is another.
