Main VPN technologies in Linux


I. main VPN technologies in Linux

1. IPSec (Internet Protocol Security)

IPSec is a security standard defined by the IETF (Internet Engineering Task Force). It combines several security technologies into a complete system and has received the attention and support of many vendors. Data encryption, authentication, and integrity checks ensure the reliability, privacy, and confidentiality of transmitted data.

Advantages: it defines a set of standard protocols for authentication and for the protection of privacy and integrity. IPSec supports a range of encryption algorithms, such as DES, Triple DES, and IDEA. It checks the integrity of transmitted packets to ensure that the data has not been modified. IPSec is used to provide security between firewalls and servers, and it ensures interoperability between VPNs running over TCP/IP.

Disadvantages: IPSec has some problems in the client/server mode, and public keys are required in practical deployments. IPSec requires IP addresses in a known or fixed range, so it is not suitable where IP addresses are dynamically assigned. IPSec supports no protocols other than TCP/IP. In addition, the configuration is complex.

The software for using IPSec in Linux is FreeS/WAN (http://www.freeswan.org/). FreeS/WAN does not support NAT (Network Address Translation) or IP masquerading for encrypted channel communication.

2. PPP OVER SSH

SSH is an application based on secure sessions. It supports identity authentication and data encryption, so all transmitted data is encrypted; at the same time, data can be compressed to speed up transmission. SSH can replace Telnet as a secure remote login method and can provide a secure "tunnel" for FTP and POP. OpenSSH is a free alternative implementation of SSH. The VPN is implemented by running PPP over an SSH connection. Advantage: simple installation and configuration. Disadvantage: the system overhead at runtime is relatively high. A specific application of PPP over SSH is SSHVNC (http://3sp.com/products/sshtools/sshvnc/sshvnc.php).

3. CIPE: Crypto IP Encapsulation

CIPE (Crypto IP Encapsulation) is a VPN implementation developed mainly for Linux. CIPE uses encrypted IP packets; these packets are encapsulated, or "wrapped", in UDP datagrams. A CIPE packet is given the destination header information and encrypted using the default CIPE encryption mechanism. CIPE supports the standard Blowfish or IDEA encryption algorithms. Depending on the encryption export regulations in your country, you can use the default method (Blowfish) to encrypt all CIPE traffic on your private network. CIPE configuration can be completed through text files or graphical network management tools. Using CIPE to implement a VPN has the following advantages: simple installation and configuration, and low system overhead at runtime. Disadvantage: CIPE is not a standard VPN protocol and cannot support all platforms. CIPE URL: http://sites.inka.de/~

4. SSL VPN

IPSec VPN and SSL VPN are two different VPN architectures. IPSec VPN works at the network layer and provides data protection and transparent secure communication there; SSL VPN works between the application layer (based on the HTTP protocol) and the TCP layer. In terms of overall security, both can provide secure remote access. However, IPSec VPN is designed to connect and protect data flows within a trusted network, so it is better suited to securing communication between different networks, while the technical features described below make SSL VPN better suited to secure access by scattered, mobile remote users. OpenVPN is an application-layer VPN implementation based on the OpenSSL library. For details, see http://www.openvpn.net.

Advantages of OpenVPN: many common operating systems are supported. The current version supports Linux, Windows 2000/XP and later, OpenBSD, FreeBSD, NetBSD, Mac OS X, and Solaris.

Multiple client connection modes are supported. Using the standard SSL/TLS protocol, OpenVPN can operate at OSI layer 2 or 3, be managed through a GUI, and authenticate peers with certificates or smart cards. The encryption strength is high, and it is difficult for an attacker on the transmission path to hijack the connection and recover information.

Disadvantages of OpenVPN: because it encrypts at the SSL application layer, its transmission efficiency is lower than that of IPSec-based VPN software.
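As an added example (not from the original article), a minimal OpenVPN server and client configuration using the certificate authentication and OSI layer 3 (tun) mode described above; the file names, addresses, port and host name are assumptions, and only directives that exist in OpenVPN are used:

```conf
# ---- server.conf (assumed file name) ----
port 1194
proto udp
# Layer 3 routed tunnel; use "dev tap" for the layer 2 (bridged) mode
dev tun
# Certificate material issued by your own CA (assumed file names)
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# Shared HMAC key: control-channel packets without a valid HMAC are
# dropped before any TLS handshake, limiting exposure of the TLS stack
tls-auth ta.key 0
# Accept only peers whose certificate was issued for the client role
remote-cert-tls client
server 10.8.0.0 255.255.255.0
cipher AES-256-GCM
auth SHA256
# Drop privileges after the tunnel is up
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120

# ---- client.conf (assumed file name) ----
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
# Reject a peer that presents a client certificate as if it were the
# server; without this line any valid client certificate could be used
# to impersonate the server on the path
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
# For smart-card authentication, replace cert/key with a PKCS#11 token:
#   pkcs11-providers /usr/lib/opensc-pkcs11.so
#   pkcs11-id '<token id as printed by openvpn --show-pkcs11-ids>'
verb 3
```

Both sides must agree on cipher, auth and the tls-auth key; the two remote-cert-tls lines are the checks that bind each side to the role its certificate was issued for.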

5. PPTP

The Point-to-Point Tunneling Protocol (PPTP) is a network technology that supports multi-protocol virtual private networks.

PPTP can be used to tunnel a PPP session over an IP network. In this configuration, the PPTP tunnel and the PPP session run between the same two machines, with the caller acting as the PNS (PPTP Network Server). PPTP uses a client/server structure to separate some functions of today's network access servers and to support virtual private networks. As a call-control and management protocol, PPTP allows the server to control incoming calls switched from the PSTN or ISDN and to initiate outgoing circuit-switched connections. PPTP is implemented only by the PAC (PPTP Access Concentrator) and the PNS; other systems need not know about PPTP. Dial-up networks can connect to the PAC without any knowledge of PPTP, and standard PPP client software continues to operate over the tunneled PPP link. PPTP uses an extended version of GRE to carry user PPP packets. These extensions allow low-level congestion control and flow control for the tunnels that carry user data between the PAC and the PNS. This mechanism allows efficient use of the available tunnel bandwidth and avoids unnecessary retransmissions and buffer overflows. PPTP does not specify a particular algorithm for this low-level control, but it does define some communication parameters to support such algorithms.

Compared with other remote "dial-in" VPNs, PPTP has the advantage of a built-in PPTP client in Microsoft Windows (95/98/Me/NT/2000/XP/Vista), which means that the administrator does not have to deal with additional client software or the issues that commonly come with it. The Linux PPTP server implementation is Poptop (http://www.poptop.org/), an open source PPTP server product. Poptop features:

Microsoft-compatible authentication and encryption (MSCHAPv2, MPPE 40-128-bit RC4 encryption).

Supports multiple client connections.

A RADIUS plug-in for seamless integration into a Microsoft network environment.

Works with the Windows 95/98/Me/NT/2000/XP PPTP client.

Works with the Linux PPTP client.

Poptop is released under the GNU General Public License and remains completely free of charge.

The following describes how to implement a VPN in Linux based on the technologies above:

Part 1: Establishing a Linux VPN with CIPE

I. Overview of CIPE

Many VPN programs have been developed; one of the easiest to install, described here, is CIPE. A VPN is a secure communication tunnel established over the Internet between authorized parties; data is encrypted in the tunnel so that headquarters and branches can communicate securely. A virtual private network is a network technology for securely accessing an enterprise network over the Internet or a LAN. CIPE is a VPN implementation developed mainly for Linux. CIPE uses encrypted IP packets; these packets are encapsulated, or "wrapped", in UDP datagrams. A CIPE packet is given the destination header information and encrypted using the default CIPE encryption mechanism. These packets are then transmitted as UDP datagrams through the CIPE virtual network device (cipcbx), the IP layer, and the carrier's network to the intended remote node. The CIPE network model is shown in Figure 1.

Figure 1: CIPE VPN network model

CIPE is a wise choice for Linux network and system administrators, for the following reasons:

CIPE is included in Red Hat Enterprise Linux, so it can be used on all Red Hat Enterprise Linux edge machines (such as firewalls and gateways) and on the individual client machines that you want to connect to your intranet. Red Hat Linux also supports CIPE encryption.

CIPE supports the standard Blowfish or IDEA encryption algorithms. Depending on the encryption export regulations in your country, you can use the default method (Blowfish) to encrypt all CIPE traffic on your private network.

Because CIPE is software-based, any older or idle machine running Red Hat Enterprise Linux can act as a CIPE gateway, so you do not have to buy expensive dedicated VPN hardware to connect two local networks securely, which saves the organization money.

CIPE is actively developed to work with iptables, ipchains, and other rule-based firewalls. To coexist with existing firewall rules, you only need to allow the peer's CIPE UDP packets to be accepted.

CIPE is configured through a text file. This frees administrators from having to configure CIPE servers and clients remotely through graphical tools over networks with poor performance. CIPE can also be configured using network management tools.

The CIPE software can be found on the Red Hat Linux 9.0 and Red Hat Enterprise Linux AS 3.0 installation CDs. There are two ways to install CIPE: install it from the installation disc, or download the package from the official CIPE homepage: http://sourceforge.net/projects/cipe-linux.
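An added example of the text-file configuration described above (not from the article): the CIPE options file for one end of a tunnel, using the directive names from CIPE's own options template; the device name, addresses, port and key are constructed placeholders, and the peer's file mirrors them as noted in the comments:

```conf
# /etc/cipe/options.cipcb0  (one file per CIPE device; it holds the
# key, so keep it owned by root with mode 0600)
# CIPE allows comments only on lines of their own.

# Virtual CIPE device this file configures
device      cipcb0

# Address of our end of the tunnel (inside the VPN)
ipaddr      10.0.1.1

# Address of the peer's end of the tunnel (inside the VPN);
# the peer's file swaps ipaddr and ptpaddr
ptpaddr     10.0.1.2

# Our public address and UDP port; the peer's file lists this under "peer"
me          203.0.113.10:6969

# The peer's public address and UDP port (no wildcards). Incoming UDP
# from this address to the port in "me" is the only traffic a firewall
# rule must allow for CIPE to coexist with existing rules
peer        198.51.100.20:6969

# Static 128-bit key in hex, identical on both ends; generate with
#   head -c 16 /dev/urandom | xxd -p
# Placeholder only, never reuse a key taken from a document
key         00112233445566778899aabbccddeeff
```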
