ilab 2 ipsec with ikev2 and strongswan
play

ilab 2 - IPSec with IKEv2 and Strongswan Lukas Grillmayer and Linus - PowerPoint PPT Presentation

Sep 05, 2022 •862 likes •1.39k views

ilab 2 - IPSec with IKEv2 and Strongswan Lukas Grillmayer and Linus Lotz Chair for Network Architectures and Services Department for Computer Science Technische Universit at M unchen June 4, 2014 Lukas Grillmayer and Linus Lotz: ilab 2 -

  1. ilab 2 - IPSec with IKEv2 and Strongswan Lukas Grillmayer and Linus Lotz Chair for Network Architectures and Services Department for Computer Science Technische Universit¨ at M¨ unchen June 4, 2014 Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 1

  2. Motivation Imagine you are a huge search engine company you recently found out that some government agancy has the audacity to sniff in your network “F*** these guys.” - a engineer from a huge search engine company Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 2

  3. Motivation Imagine you are a huge search engine company you recently found out that some government agancy has the audacity to sniff in your network “F*** these guys.” - a engineer from a huge search engine company Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 2

  4. Motivation Imagine you are a huge search engine company you recently found out that some government agancy has the audacity to sniff in your network “F*** these guys.” - a engineer from a huge search engine company Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 2

  5. Situation We have several locations that need to be connected We have some users who need to access our network from outside ⇒ What we need is a VPN = Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 3

  6. Situation We have several locations that need to be connected We have some users who need to access our network from outside ⇒ What we need is a VPN = Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 3

  7. Situation We have several locations that need to be connected We have some users who need to access our network from outside ⇒ What we need is a VPN = Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 3

  8. Outline Motivation 1 Outline 2 IPSec 3 AH ESP IKEv2 Summary 4 Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 4

  9. Outline Motivation 1 Outline 2 IPSec 3 AH ESP IKEv2 Summary 4 Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 4

  10. Outline Motivation 1 Outline 2 IPSec 3 AH ESP IKEv2 Summary 4 Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 4

  11. Outline Motivation 1 Outline 2 IPSec 3 AH ESP IKEv2 Summary 4 Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 4

  12. IPSec - What is it good for? For encrypting data between two parties Consists of a number of different protocols 1 AH 2 ESP 3 ISAKMP 4 IKE(v2) A lot of RFCs about IPSec: 2403,2404,2405,2410,2451,2857,3526,3686,3947,3948,4106,4301, 4302,4303,4304,4307,4308,4309,4543,4555,4806,4835,5945,5996 Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 5

  13. IPSec - What is it good for? For encrypting data between two parties Consists of a number of different protocols 1 AH 2 ESP 3 ISAKMP 4 IKE(v2) A lot of RFCs about IPSec: 2403,2404,2405,2410,2451,2857,3526,3686,3947,3948,4106,4301, 4302,4303,4304,4307,4308,4309,4543,4555,4806,4835,5945,5996 Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 5

  14. IPSec - What is it good for? For encrypting data between two parties Consists of a number of different protocols 1 AH 2 ESP 3 ISAKMP 4 IKE(v2) A lot of RFCs about IPSec: 2403,2404,2405,2410,2451,2857,3526,3686,3947,3948,4106,4301, 4302,4303,4304,4307,4308,4309,4543,4555,4806,4835,5945,5996 Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 5

  15. IPSec - What is it good for? For encrypting data between two parties Consists of a number of different protocols 1 AH 2 ESP 3 ISAKMP 4 IKE(v2) A lot of RFCs about IPSec: 2403,2404,2405,2410,2451,2857,3526,3686,3947,3948,4106,4301, 4302,4303,4304,4307,4308,4309,4543,4555,4806,4835,5945,5996 Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 5

  16. IPSec - What is it good for? For encrypting data between two parties Consists of a number of different protocols 1 AH 2 ESP 3 ISAKMP 4 IKE(v2) A lot of RFCs about IPSec: 2403,2404,2405,2410,2451,2857,3526,3686,3947,3948,4106,4301, 4302,4303,4304,4307,4308,4309,4543,4555,4806,4835,5945,5996 Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 5

  17. Tunnel and Transport Mode Tunnelmode: Transportmode: Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 6

  18. AH - Authentication Header - RFC 4302 Operates on top of IP Authentication and Integrity Protection Protects from replay attacks Protects the IP header and it’s payload No encryption! Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 7

  19. AH - Authentication Header - RFC 4302 Operates on top of IP Authentication and Integrity Protection Protects from replay attacks Protects the IP header and it’s payload No encryption! Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 7

  20. AH - Authentication Header - RFC 4302 Operates on top of IP Authentication and Integrity Protection Protects from replay attacks Protects the IP header and it’s payload No encryption! Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 7

  21. AH - Authentication Header - RFC 4302 Operates on top of IP Authentication and Integrity Protection Protects from replay attacks Protects the IP header and it’s payload No encryption! Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 7

  22. AH - Authentication Header - RFC 4302 Operates on top of IP Authentication and Integrity Protection Protects from replay attacks Protects the IP header and it’s payload No encryption! Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 7

  23. AH - Header Format Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 8

  24. ESP - Encapsulating Security Payload RFC 4303 Operates on top of IP Encrypts the transported payload Integrity Check AH can be added to protect the outer IP header Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 9

  25. ESP - Encapsulating Security Payload RFC 4303 Operates on top of IP Encrypts the transported payload Integrity Check AH can be added to protect the outer IP header Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 9

  26. ESP - Encapsulating Security Payload RFC 4303 Operates on top of IP Encrypts the transported payload Integrity Check AH can be added to protect the outer IP header Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 9

  27. ESP - Encapsulating Security Payload RFC 4303 Operates on top of IP Encrypts the transported payload Integrity Check AH can be added to protect the outer IP header Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 9

  28. ESP - Encapsulating Security Payload RFC 4303 Operates on top of IP Encrypts the transported payload Integrity Check AH can be added to protect the outer IP header Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 9

  29. ESP - Header Format Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 10

  30. Internet Key Exchange Protocol v2 Current version specified in RFC 5996 Used to establish encryption and authentication keys Find the best mutually supported algorithms Authentication between the parties Selection of supported authentication methods: PSK X.509 certificates EAP Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 11

  31. Internet Key Exchange Protocol v2 Current version specified in RFC 5996 Used to establish encryption and authentication keys Find the best mutually supported algorithms Authentication between the parties Selection of supported authentication methods: PSK X.509 certificates EAP Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 11

  32. Internet Key Exchange Protocol v2 Current version specified in RFC 5996 Used to establish encryption and authentication keys Find the best mutually supported algorithms Authentication between the parties Selection of supported authentication methods: PSK X.509 certificates EAP Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 11

  33. Internet Key Exchange Protocol v2 Current version specified in RFC 5996 Used to establish encryption and authentication keys Find the best mutually supported algorithms Authentication between the parties Selection of supported authentication methods: PSK X.509 certificates EAP Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 11

  34. Internet Key Exchange Protocol v2 Current version specified in RFC 5996 Used to establish encryption and authentication keys Find the best mutually supported algorithms Authentication between the parties Selection of supported authentication methods: PSK X.509 certificates EAP Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 11

  35. Summary We need a VPN We have IPSec We want to give a road warrior access Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 12

  36. Summary We need a VPN We have IPSec We want to give a road warrior access Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 12

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

IKEv2: IPSec Key Management Protocol Lecture 20 Acknowledgement: Slides from Vincent Luk, revised

IKEv2: IPSec Key Management Protocol Lecture 20 Acknowledgement: Slides from Vincent Luk, revised

IKEv2: IPSec Key Management Protocol Lecture 20 Acknowledgement: Slides from Vincent Luk, revised by Cunsheng Ding IP Security Architecture IPSec module 1 IPSec module 2 SPD SPD IKE IKE AH/ESP AH/ESP SAD SAD SA IKE: Internet Key

702 views • 26 slides
iLab IPsec Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de Chair of

iLab IPsec Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de Chair of

iLab IPsec Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de Chair of Network Architectures and Services Department of Informatics Technical University of Munich Lab 8 18ss 1 / 29 Outline Overview IPsec databases

563 views • 29 slides
Key Exchange in IPsec revisited: Formal Analysis of IKEv1 and IKEv2 Cas Cremers, ETH Zurich

Key Exchange in IPsec revisited: Formal Analysis of IKEv1 and IKEv2 Cas Cremers, ETH Zurich

Key Exchange in IPsec revisited: Formal Analysis of IKEv1 and IKEv2 Cas Cremers, ETH Zurich Overview What is IKE ? Internet Key Exchange , part of IPsec Formal analysis of IKE Previously considered infeasible Using Scyther

410 views • 19 slides
Labeled IPsec draft-jml-ipsec-ikev1-security-context-00.txt

Labeled IPsec draft-jml-ipsec-ikev1-security-context-00.txt

Labeled IPsec draft-jml-ipsec-ikev1-security-context-00.txt draft-jml-ipsec-ikev2-security-context-00.txt Presented by: Joy Latten Document authors: Serge Hallyn, Trent Jaeger, Joy Latten, and George Wilson Problem Description Mandatory

295 views • 6 slides
ilab Lab 8 - SSL/TLS and IPSec Outlook: On Layer 4: Goal: Provide security for one

ilab Lab 8 - SSL/TLS and IPSec Outlook: On Layer 4: Goal: Provide security for one

Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen ilab Lab 8 - SSL/TLS and IPSec Outlook: On Layer 4: Goal: Provide security for one specific port SSL (Secure Socket Layer) /

812 views • 25 slides
Use of IKEv2 and IPsec with Multiple CoA support MONAMI6 WG, IETF 68 Vijay Devarapalli

Use of IKEv2 and IPsec with Multiple CoA support MONAMI6 WG, IETF 68 Vijay Devarapalli

Use of IKEv2 and IPsec with Multiple CoA support MONAMI6 WG, IETF 68 Vijay Devarapalli (vijay.devarapalli@azairenet.com) Assumptions in RFC 3775, 3963 There is only one primary care-of address per mobile node The primary care-of

240 views • 7 slides
The strongSwan Project IPsec Workshop Dresden, March 2018 Tobias Brunner & Andreas Steffen

The strongSwan Project IPsec Workshop Dresden, March 2018 Tobias Brunner & Andreas Steffen

The strongSwan Project IPsec Workshop Dresden, March 2018 Tobias Brunner & Andreas Steffen Institute for Networked Solutions HSR University of Applied Sciences Rapperswil Where the heck is Rapperswil? Brunner/Steffen, 28.03.2018,

226 views • 19 slides
IKEv2 with CGA Jean-Michel Combes jeanmichel.combes@orange.com Aurlien Wailly

IKEv2 with CGA Jean-Michel Combes jeanmichel.combes@orange.com Aurlien Wailly

IKEv2 with CGA Jean-Michel Combes jeanmichel.combes@orange.com Aurlien Wailly aurelien.wailly@orange.com Maryline Laurent Maryline.Laurent@it-sudparis.eu 2011-10-25 ICSNA 2011 1 Outline IPsec IKEv2 CGA IKEv2 with CGA?

744 views • 36 slides
Minimal IKEv2 AuthenTec Oy Tero Kivinen kivinen@iki.fi draft-kivinen-ipsecme-minimal-ikev2-01

Minimal IKEv2 AuthenTec Oy Tero Kivinen kivinen@iki.fi draft-kivinen-ipsecme-minimal-ikev2-01

Minimal IKEv2 AuthenTec Oy Tero Kivinen kivinen@iki.fi draft-kivinen-ipsecme-minimal-ikev2-01 What Problem Does This Document Solve Tries to educate implementors that IKEv2 is not complex and difficult to implement. Why Do People

363 views • 5 slides
Uses of IPSEC with VPNs VPNs Uses of IPSEC with Purpose Outline some scenarios where IPSEC

Uses of IPSEC with VPNs VPNs Uses of IPSEC with Purpose Outline some scenarios where IPSEC

Uses of IPSEC with VPNs VPNs Uses of IPSEC with Purpose Outline some scenarios where IPSEC can be used with VPNs Identify areas where extensions to IPSEC could be useful Bryan Gleeson, Page-1 VPN Reference Model CE CE PE

352 views • 9 slides
IPSEC VPN overview IPSEC VPN overview Basic VPN Architecture CPE/CLE CPE/CLE PE

IPSEC VPN overview IPSEC VPN overview Basic VPN Architecture CPE/CLE CPE/CLE PE

IPSEC VPN overview IPSEC VPN overview Basic VPN Architecture CPE/CLE CPE/CLE PE PE CPE/CLE Host PE CPE to CPE IPSEC can be used for : PE to PE PE to CPE Bryan Gleeson, Page-1 CPE to CPE IPSEC tunnels

680 views • 8 slides
Neue strongSwan VPN Features GUUG Frhjahrsfachgesprch 2015 Stuttgart Prof. Dr. Andreas

Neue strongSwan VPN Features GUUG Frhjahrsfachgesprch 2015 Stuttgart Prof. Dr. Andreas

Neue strongSwan VPN Features GUUG Frhjahrsfachgesprch 2015 Stuttgart Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications HSR Hochschule fr Technik Rapperswil andreas.steffen@strongswan.org Wo um Gottes Willen

608 views • 35 slides
Ipsec unter Linux 2.6 Einleitung: Die native IPsec Implementierung im Linux Kernel ab

Ipsec unter Linux 2.6 Einleitung: Die native IPsec Implementierung im Linux Kernel ab

Ipsec unter Linux 2.6 Einleitung: Die native IPsec Implementierung im Linux Kernel ab Version 2.5.47 basiert auf dem USAGI Projekt. Hierbei handelt es sich um eine alternative Implementierung des IPsec Stacks zum FreeS/WAN Projekt.

610 views • 8 slides
THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec

THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec

THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec based VPN solution Make encryption the default mode of communication Certifjcations (FIPS, Common Criteria, USGv6, etc.)

917 views • 25 slides
A performance comparison of the VPN implementations WireGuard, strongSwan and OpenVPN in a one

A performance comparison of the VPN implementations WireGuard, strongSwan and OpenVPN in a one

A performance comparison of the VPN implementations WireGuard, strongSwan and OpenVPN in a one Gbit/s environment By Erik Dekker & Patrick Spaans Supervisors: Aristide Bouix and Mohammad Al Najar Introduction Organization host internal

629 views • 25 slides
Yasser F. O. Mohammad REMIDER 1: IPSec Uses REMINDER 2: IPSec Services Access control

Yasser F. O. Mohammad REMIDER 1: IPSec Uses REMINDER 2: IPSec Services Access control

Yasser F. O. Mohammad REMIDER 1: IPSec Uses REMINDER 2: IPSec Services Access control Connectionless integrity Data origin authentication Rejection of replayed packets a form of partial sequence integrity Confidentiality

818 views • 37 slides
Linux Kernel AgentX Sub-Agents Oliver Wellnitz wellnitz@ibr.cs.tu-bs.de Institute of Operating

Linux Kernel AgentX Sub-Agents Oliver Wellnitz wellnitz@ibr.cs.tu-bs.de Institute of Operating

Linux Kernel AgentX sub-agents Linux Kernel AgentX Sub-Agents Oliver Wellnitz wellnitz@ibr.cs.tu-bs.de Institute of Operating Systems and Computer Networks Technical University Braunschweig, Germany Oliver Wellnitz, IBR, TU Braunschweig page

469 views • 20 slides
Specific Simple Network Management Tools urgen Sch onw J alder University of Osnabr

Specific Simple Network Management Tools urgen Sch onw J alder University of Osnabr

Specific Simple Network Management Tools urgen Sch onw J alder University of Osnabr uck Albrechtstr. 28 49069 Osnabr uck, Germany Tel.: +49 541 969 2483 Email: <schoenw@informatik.uni-osnabrueck.de> Web:

436 views • 18 slides
Lab 1: Packet Sniffing and Wireshark Fengwei Zhang Wayne State University CSC 5991 Cyber

Lab 1: Packet Sniffing and Wireshark Fengwei Zhang Wayne State University CSC 5991 Cyber

Lab 1: Packet Sniffing and Wireshark Fengwei Zhang Wayne State University CSC 5991 Cyber Security Prac@ce 1 Packet Sniffer Packet sniffer is a basic tool for observing network packet exchanges in a computer Capturing (sniffs)

172 views • 14 slides
Trajectory Clustering: Visual Analytics Approaches Gennady Andrienko & Natalia Andrienko y

Trajectory Clustering: Visual Analytics Approaches Gennady Andrienko & Natalia Andrienko y

Trajectory Clustering: Visual Analytics Approaches Gennady Andrienko & Natalia Andrienko y http://geoanalytics.net Outline Similarity measures for trajectories Si il it f t j t i Density-based clustering of trajectories

739 views • 54 slides
Class of Infrastructures for Cloud Computing and Big Data M QoS basics and protocols Antonio

Class of Infrastructures for Cloud Computing and Big Data M QoS basics and protocols Antonio

University of Bologna Dipartimento di Informatica Scienza e Ingegneria (DISI) Engineering Bologna Campus Class of Infrastructures for Cloud Computing and Big Data M QoS basics and protocols Antonio Corradi Academic year 2017/2018 QoS 1

640 views • 48 slides
IoT Applications Niels Olof Bouvin 1 Overview The Smart Grid Unifying the Internet of Things

IoT Applications Niels Olof Bouvin 1 Overview The Smart Grid Unifying the Internet of Things

IoT Applications Niels Olof Bouvin 1 Overview The Smart Grid Unifying the Internet of Things Trigger-action IoT Programming 2 Internet of what Things? The Internet of Things have come to cover many di ff erent areas Many things have been

646 views • 47 slides
Some Ping Examples ping -c4 www.linuxjournal.com ping -c2 -b 149.153.100.255 ping -c2 224.0.0.2

Some Ping Examples ping -c4 www.linuxjournal.com ping -c2 -b 149.153.100.255 ping -c2 224.0.0.2

Some Ping Examples ping -c4 www.linuxjournal.com ping -c2 -b 149.153.100.255 ping -c2 224.0.0.2 1 Doing the Net::Ping Thing, 1 of 2 #! /usr/bin/perl -w use strict; use Net::Ping; my $host = shift || localhost; my @protos = qw( icmp

541 views • 14 slides
Principled Computer System Design Robbert van Renesse (some material due to Hakim Weatherspoon

Principled Computer System Design Robbert van Renesse (some material due to Hakim Weatherspoon

Principled Computer System Design Robbert van Renesse (some material due to Hakim Weatherspoon and probably others) Message from Prof. Weatherspoon Please let the class know that they get their own cloud today! Mini Project0 is available,

1.16k views • 38 slides

More recommend