Main VPN technologies in Linux (1)

Source: Internet
Author: User
Tags: openssl library

I. Main VPN technologies in Linux

1. IPSec (Internet Protocol Security)

IPSec is a complete security standard defined by the IETF (Internet Engineering Task Force). It combines several security technologies into one system and has received the attention and support of many vendors. Data encryption, authentication, and integrity checking ensure the reliability, privacy, and confidentiality of data transmission.

Advantages: it defines a set of standard protocols for authentication and for the protection of privacy and integrity. IPSec supports a range of encryption algorithms, such as DES, Triple DES, and IDEA. It checks the integrity of transmitted packets to ensure that the data has not been modified. IPSec can provide security between multiple firewalls and servers, and it ensures interoperability between VPNs running on the TCP/IP protocol.

Disadvantages: IPSec has some problems in client/server mode. In actual applications, public keys are required. IPSec requires IP addresses from a known or fixed range, so it is not suitable when IP addresses are allocated dynamically. IPSec supports no protocols other than TCP/IP. In addition, its configuration is complex.

The software for using IPSec in Linux is FreeS/WAN (http://www.freeswan.org/). FreeS/WAN does not support NAT (Network Address Translation).

2. PPP OVER SSH

SSH is an application based on secure sessions. SSH supports identity authentication and data encryption, so that all transmitted data is encrypted; at the same time, data can be compressed to speed up transmission. SSH can replace Telnet as a secure remote login method and can provide a secure "tunnel" for FTP and POP. OpenSSH is a free replacement software package for SSH. Running PPP over an SSH connection implements a VPN.

Advantages: simple installation and configuration.

Disadvantages: the system overhead during operation is relatively large.

A specific PPP over SSH application is SSHVNC (http://3sp.com/products/sshtools/sshvnc/sshvnc.php).

3. CIPE (Crypto IP Encapsulation)

CIPE (Crypto IP Encapsulation) is a VPN developed mainly for Linux. CIPE uses encrypted IP packets, which are encapsulated, or "enclosed", in UDP datagrams. Each CIPE packet is given destination header information and is encrypted using the default CIPE encryption mechanism. CIPE supports the standard Blowfish and IDEA encryption algorithms; depending on the encryption export regulations in your country, you can use the default method (Blowfish) to encrypt all CIPE traffic on your private network. CIPE can be configured through text files and through graphical network management tools.

Advantages of using CIPE to implement a VPN: simple installation and configuration, and low system overhead during operation.

Disadvantages: CIPE is not a standard VPN protocol and cannot support all platforms.

CIPE URL: http://sites.inka.de/

4. SSL VPN

IPSec VPN and SSL VPN are two different VPN architectures. IPSec VPN works at the network layer and provides data protection and transparent secure communication at that layer; SSL VPN works between the application layer (based on the HTTP protocol) and the TCP layer. In terms of overall security level, both can provide secure remote access. However, IPSec VPN is designed to connect and protect data streams in a trusted network, so it is more suitable for securing communication between different networks, while the technical features described below make SSL VPN more suitable for secure access by remote, scattered mobile users. OpenVPN is an application-layer VPN implementation based on the OpenSSL library. For details, see http://www.openvpn.net.

Advantages of OpenVPN: multiple common application systems are supported. The current version supports Linux, Windows 2000/XP and higher, OpenBSD, FreeBSD, NetBSD, Mac OS X, and Solaris.

Multiple client connection modes are supported. Using the standard SSL/TLS protocol, OpenVPN can operate at OSI layer 2 or layer 3, can be managed through a GUI, and can authenticate with certificates or smart cards. The encryption strength is high, so it is difficult for anyone on the transmission path to hijack the connection or recover the information.

Disadvantages of OpenVPN: because it uses SSL encryption at the application layer, its transmission efficiency is lower than that of VPN software based on IPSec.
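Because OpenVPN's security rests on the SSL/TLS settings in its configuration file, a practitioner usually wants a quick way to spot a server.conf that still relies on settings kept only for backward compatibility. The following checker is an added example for this page, not code from the OpenVPN project; the two configuration texts in it are constructed, and the directives it inspects (cipher, data-ciphers, auth, tls-auth, tls-crypt, tls-version-min, remote-cert-tls, verify-x509-name) are real OpenVPN directives, while the choice of what counts as "weak" is this example's own policy.

```python
"""Flag weak transport-security settings in an OpenVPN server configuration.

Added example for this page; it is not code from the OpenVPN project.
The two configuration texts below are constructed for illustration.
"""

# Constructed sample: a server.conf that still works, but relies on
# settings OpenVPN keeps only for backward compatibility.
WEAK_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
cipher BF-CBC
auth SHA1
tls-version-min 1.0
"""

# Constructed sample: the same server with hardened settings.
HARDENED_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
data-ciphers AES-256-GCM:AES-128-GCM
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
tls-crypt ta.key
remote-cert-tls client
"""

# 64-bit block ciphers, single DES, and "none" (no encryption at all).
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC", "NONE"}
# Digests for the data-channel HMAC that should no longer be chosen.
WEAK_DIGESTS = {"MD5", "SHA1", "NONE"}


def parse_conf(text):
    """Map each directive to the list of argument lists it was given.

    Blank lines and lines starting with '#' or ';' are comments; a directive
    may appear more than once, so every occurrence is kept.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        conf.setdefault(name, []).append(args)
    return conf


def check_conf(text):
    """Return a sorted list of findings; an empty list means nothing was flagged."""
    conf = parse_conf(text)
    findings = []

    # Data-channel cipher: the classic 'cipher' directive plus the
    # colon-separated 'data-ciphers' list used by newer releases.
    ciphers = [a[0] for a in conf.get("cipher", []) if a]
    for a in conf.get("data-ciphers", []):
        if a:
            ciphers.extend(a[0].split(":"))
    for c in ciphers:
        if c.upper() in WEAK_CIPHERS:
            findings.append(f"weak data-channel cipher: {c}")

    for a in conf.get("auth", []):
        if a and a[0].upper() in WEAK_DIGESTS:
            findings.append(f"weak HMAC digest: {a[0]}")

    # Without tls-auth/tls-crypt, anyone who can reach the port can start a
    # TLS handshake with the server.
    if "tls-auth" not in conf and "tls-crypt" not in conf:
        findings.append("control channel has no tls-auth/tls-crypt key")

    # Old TLS versions are only excluded if the minimum is set explicitly.
    minimums = [a[0] for a in conf.get("tls-version-min", []) if a]
    if not minimums:
        findings.append("tls-version-min not set")
    elif any(v in ("1.0", "1.1") for v in minimums):
        findings.append(f"tls-version-min allows old TLS: {minimums[-1]}")

    # remote-cert-tls checks the peer certificate's key-usage role, so a
    # certificate issued for a client cannot pass as a server (or vice versa).
    if "remote-cert-tls" not in conf and "verify-x509-name" not in conf:
        findings.append("peer certificate role not checked (remote-cert-tls)")

    return sorted(findings)


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {check_conf(text) or 'no findings'}")
```

Run it against a real server.conf by reading the file into `check_conf`; the parser keeps repeated directives, so a configuration that sets `cipher` twice is reported for each weak value rather than only the last one.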

5. PPTP

Point-to-Point Tunneling Protocol (PPTP) is a network technology that supports Virtual Private Networks with multiple protocols.

PPTP can be used to establish a tunnel for a PPP session over an IP network. In this configuration, the PPTP tunnel and the PPP session run between the same two machines, with the caller acting as the PNS (PPTP Network Server). PPTP uses a client-server structure to separate some functions of the current network access server and to support Virtual Private Networks. As a call control and management protocol, PPTP allows the server to control incoming circuit-switched calls from the PSTN or ISDN and to initiate outgoing circuit-switched connections. PPTP is implemented only by the PAC (PPTP Access Concentrator) and the PNS; other systems do not need to know PPTP. Dial-up networks can connect to the PAC without knowing PPTP, and standard PPP client software continues to operate on the tunneled PPP link. PPTP uses an extended version of GRE to transmit user PPP packets. These enhancements allow lower-layer congestion control and flow control for the tunnels that transmit user data between the PAC and the PNS. This mechanism allows efficient use of the tunnel's available bandwidth and avoids unnecessary retransmissions and buffer overruns. PPTP does not specify a particular algorithm for lower-layer control, but it does define some communication parameters to support such algorithms.
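The extended GRE framing described above is what makes PPTP tunnel traffic recognisable on the wire, which matters when inventorying or monitoring VPN traffic on a network. The parser and builder below are an added example for this page, not code from any PPTP implementation; the field layout follows the enhanced GRE header in RFC 2637 (key field carrying payload length and call ID, optional sequence and acknowledgment numbers, protocol type 0x880B), and the PPP LCP frame used as a payload is constructed.

```python
"""Parse and build the enhanced GRE framing PPTP uses to carry PPP packets.

Added example for this page, not code from any PPTP implementation. The
field layout follows RFC 2637 (the PPTP specification); the sample PPP
frame below is constructed.
"""
import struct
from dataclasses import dataclass
from typing import Optional

GRE_PROTO_PPP = 0x880B  # protocol type that marks a PPTP data packet

# Bit masks for the first 16-bit word of the GRE header (RFC 2637 section 4).
FLAG_C = 0x8000      # checksum present (must be 0 for PPTP)
FLAG_R = 0x4000      # routing present (must be 0 for PPTP)
FLAG_K = 0x2000      # key present (must be 1: carries length and call ID)
FLAG_S = 0x1000      # sequence number present
FLAG_s = 0x0800      # strict source route (must be 0)
MASK_RECUR = 0x0700  # recursion control (must be 0)
FLAG_A = 0x0080      # acknowledgment number present
MASK_VER = 0x0007    # version (must be 1 for enhanced GRE)

# Constructed sample payload: a minimal PPP LCP Configure-Request
# (protocol 0xC021, code 1, identifier 1, length 4).
LCP_FRAME = b"\xc0\x21\x01\x01\x00\x04"


@dataclass
class PptpGre:
    call_id: int
    payload_len: int
    seq: Optional[int]
    ack: Optional[int]
    payload: bytes
    header_len: int


def build_pptp_gre(call_id, payload, seq=None, ack=None):
    """Serialise a PPTP data packet (or an ack-only packet if payload is empty)."""
    flags = FLAG_K | 1  # key present, version 1
    if seq is not None:
        flags |= FLAG_S
    if ack is not None:
        flags |= FLAG_A
    hdr = struct.pack("!HHHH", flags, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


def parse_pptp_gre(pkt):
    """Decode a PPTP GRE packet, rejecting anything that is not PPTP framing."""
    if len(pkt) < 8:
        raise ValueError("truncated GRE header")
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", pkt[:8])
    if proto != GRE_PROTO_PPP:
        raise ValueError(f"not PPP over GRE: protocol type 0x{proto:04x}")
    if (flags & MASK_VER) != 1 or not flags & FLAG_K:
        raise ValueError("not enhanced GRE version 1 with key field")
    if flags & (FLAG_C | FLAG_R | FLAG_s | MASK_RECUR):
        raise ValueError("C, R, s or Recur bits set; PPTP requires them clear")
    # Work out the full header size before touching the optional fields so a
    # short packet produces a clean error instead of a struct exception.
    header_len = 8 + (4 if flags & FLAG_S else 0) + (4 if flags & FLAG_A else 0)
    if len(pkt) < header_len + payload_len:
        raise ValueError("packet shorter than header plus declared payload")
    offset = 8
    seq = ack = None
    if flags & FLAG_S:
        (seq,) = struct.unpack("!I", pkt[offset:offset + 4])
        offset += 4
    if flags & FLAG_A:
        (ack,) = struct.unpack("!I", pkt[offset:offset + 4])
        offset += 4
    payload = pkt[offset:offset + payload_len]
    return PptpGre(call_id, payload_len, seq, ack, payload, header_len)


def is_pptp_gre(pkt):
    """True if the bytes are a well-formed PPTP GRE packet (for traffic classification)."""
    try:
        parse_pptp_gre(pkt)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    data = build_pptp_gre(0x1234, LCP_FRAME, seq=7, ack=3)
    print(parse_pptp_gre(data))
    print("plain GRE over IP classified as PPTP:", is_pptp_gre(b"\x00\x00\x08\x00" + b"\x00" * 8))
```

Feed `parse_pptp_gre` the bytes that follow the IP header of a captured protocol-47 packet; the returned `call_id` ties each data packet back to the control-connection call it belongs to, and `seq`/`ack` expose the flow-control fields the text describes.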

Compared with other remote "dial-in" VPNs, PPTP has a built-in client in Microsoft Windows 95/98/Me/NT/2000/XP/Vista, which means that the administrator does not have to deal with any additional client software or the problems that commonly come with it. The Linux PPTP server implementation is Poptop (http://www.poptop.org/). The features of the open-source PPTP server product Poptop are:

Microsoft-compatible authentication and encryption (MSCHAPv2, MPPE 40-128 bit RC4 encryption).

Supports multiple client connections.

A RADIUS plug-in allows seamless integration into a Microsoft network environment.

Works with the Windows 95/98/Me/NT/2000/XP PPTP client.

Works with the Linux PPTP client.

Poptop is licensed under the GNU General Public License and remains completely free of charge.

The following describes the implementation of VPN based on the above technology in Linux:

