Implementation of IPSec VPN on Cisco routers and Configuring it on ISP. (1)

Date post: 22-Jan-2018
Upload: vanitha-joshi
Page 1: Implementation of IPSec VPN on Cisco routers and Configuring it on ISP. (1)

Implementation of IPsec VPN on Cisco Routers and implementing it on ISP

1

1. INTRODUCTION

1.0 Introduction to TCP and IP concepts:

TCP and IP were developed by a Department of Defence (DOD) research project to connect a number of different networks designed by different vendors into a network of networks (the "Internet"). It was initially successful because it delivered a few basic services that everyone needs (file transfer, electronic mail, remote logon) across a very large number of client and server systems. Several computers in a small department can use TCP/IP (along with other protocols) on a single LAN. The IP component provides routing from the department to the enterprise network, then to regional networks, and finally to the global Internet.

On the battlefield a communications network will sustain damage, so the DOD designed TCP/IP to be robust and to recover automatically from any node or phone line failure. This design allows the construction of very large networks with less central management. However, because of the automatic recovery, network problems can go undiagnosed and uncorrected for long periods of time.

As with all other communications protocols, TCP/IP is composed of layers:

IP - is responsible for moving packets of data from node to node. IP forwards each packet based on a four-byte destination address (the IP number). The Internet authorities assign ranges of numbers to different organizations. The organizations assign groups of their numbers to departments. IP operates on gateway machines that move data from department to organization to region and then around the world.

TCP - is responsible for verifying the correct delivery of data from client to server. Data can be lost in the intermediate network. TCP adds support to detect errors or lost data and to trigger retransmission until the data is correctly and completely received.

Sockets - is the name given to the package of subroutines that provide access to TCP/IP on most systems.

1.1 EXISTING SYSTEM:

There is no standard for what constitutes a VPN. VPNs can be implemented using a number of different technologies, each of which has its own strengths and weaknesses. This section presents a scenario, and the strategies used for implementing a VPN for this scenario.

For example, the scenario: two networks, one home based and one corporate based. Both are connected to the Internet, and are expected, via this VPN, to behave as one.

The premise is as follows:

You have at least two sites.

Both sites are using IP internally.

Both sites are connected to the Internet, through a gateway that is running FreeBSD.

The gateway on each network has at least one public IP address.

The internal addresses of the two networks can be public or private IP addresses; it does not matter. They just may not collide; e.g., they may not both use 192.168.1.x.

1.2 PROPOSED SYSTEM:

Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session.

IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite. It can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).

Some other Internet security systems in widespread use, such as Secure Sockets Layer (SSL), Transport Layer Security (TLS) and Secure Shell (SSH), operate in the upper layers of the TCP/IP model. In the past, the use of TLS/SSL had to be designed into an application to protect the application protocols. In contrast, since day one, applications have not needed to be specifically designed to use IPsec. Hence, IPsec protects any application traffic across an IP network.


1.3 ARCHITECTURE:

1.3.1 TCP/IP INTERNET ARCHITECTURE:

Fig 1.1 : Architecture of OSI and TCP/IP model

The Internet architecture is of a layered design, which makes testing and future development of Internet protocols easy. The architecture and major protocols of the Internet are controlled by the Internet Architecture Board (IAB).

The Internet provides three sets of services. At the lowest level is a connectionless delivery service (network layer) called the Internet Protocol (IP). The next level is the transport layer service. Multiple transport layer services use the IP service. The highest level is the application layer services. Layering of the services permits research and development on one without affecting the others. The physical/link layer envelops the IP layer header and data. If the physical layer is an Ethernet LAN, the IP layer places its message (datagram) in the Ethernet (physical/link) frame data field. The transport layer places its message (segment) in the IP data field. The application layer places its data in the transport layer data field.

1.3.2 INTERNET PROTOCOL (IP)

The IP provides a connectionless delivery system that is unreliable and on a best-effort basis. The IP specifies the basic unit of data transfer in a TCP/IP internet as the datagram. Datagrams may be delayed, lost, duplicated, delivered out of sequence, or intentionally fragmented, to permit a node with limited buffer space to handle the IP datagram. It is the responsibility of the IP to reassemble any fragmented datagrams. In some error situations, datagrams are silently discarded, while in other situations error messages are sent to the originators (via the ICMP, a utility protocol). The IP specifications also define how to choose the initial path over which data will be sent, and define a set of rules governing the unreliable datagram service.

Fig 1.2: IP-datagram format.

[Fig 1.2 layout, 32 bits per row: Version | IHL | Type of service | Total length; Identification | DF | MF | Fragment offset; Time to live | Protocol | Header checksum; Source address; Destination address; Options (0 or more words)]

1.3.2.1 Header Length – 4 Bit field

The value represents the number of octets in the header divided by four, which makes it the number of 4-octet groups in the header. The header length is used as a pointer to the beginning of data. The header length is usually equal to 5, which defines the normal, 20-octet header without options. When options are used, padding may be required to make the total size of the header an even multiple of 4-octet groups. The range of values for the header length is 5 to 15.

1.3.2.2 Version – 4 Bit field

Although the range of values is 0 to 15, the value used by IP is 4; all other values are reserved or unassigned. By means of this field, different versions of the IP could operate in the Internet.

1.3.2.2 Type of Service – 8 Bit field

Specifies the precedence and priority of the IP datagram. Bits +5, +6, and +7 make up the precedence field, with a range of 0 to 7. Zero is the normal precedence and 7 is reserved for network control. Most gateways presently ignore this field.

The four bits (+1, +2, +3, and +4) define the priority field, which has a range of 0 to 15. The four priorities presently assigned (the remaining 12 values are reserved) are: value 0 (the default, normal service), value 1 (minimize monetary cost), value 2 (maximize reliability), value 4 (maximize throughput), and value 8 (bit +4 equal to one, which defines the minimize delay option). These values are used by routers to select paths that accommodate the user's request.

Fig 1.3: Type-of-service field.

[Fig 1.3 layout: bits 7 (msb) to 0 (lsb) in bit order of transmission, weights 2^7 to 2^0; bits 7-5 precedence, bits 4-1 priority, bit 0 fixed at 0]

1.3.2.3 Total Length – 16 Bit field

The total length field is used to identify the number of octets in the entire datagram. The field has 16 bits, and the range is between 0 and 65,535 octets. Since the datagram typically is contained in an Ethernet frame, the size usually will be less than 1,500 octets. Larger datagrams may be handled by some intermediate networks of the Internet but are segmented if a gateway of a network is unable to handle the larger size. IP specifications set a minimum size of 576 octets that must be handled by routers without fragmentation. Larger datagrams are subject to fragmentation.

1.3.2.4 Identification – 16 Bit field

The value of the identification field is a sequential number assigned by the originating host. The numbers cycle between 0 and 65,535, which, when combined with the originating host address, makes it a unique number in the Internet. The number is used to aid in the assembling of a fragmented datagram.

1.3.2.5 Fragment Offset – 13 Bit field

When the size of a datagram exceeds the maximum of an intermediate network, it is segmented by that network. The fragment offset represents the displacement (in increments of eight octets) of this segment from the beginning of the entire datagram. This is a 13-bit field and provides an offset to the proper location of this fragmented segment within the original datagram. Since the value represents groups of eight octets, the effective range of the offset is between 0 and 8191 octets. The resulting fragments are treated as complete datagrams, and remain that way until they reach the destination host, where they are reassembled into the original datagram. Each fragment has the same header as the original header except for the fragment offset field, identification field, and the flags field. Since the resulting datagrams may arrive out of order, these fields are used to assemble the collection of fragments into the original datagram.

1.3.2.6 Flags – 2 Bits

The flags field contains two flags. The low-order bit (MF) of the flags field is used to denote the last fragmented datagram when set to zero. That is, intermediate (not-last) datagrams have the bit set equal to one to denote that more datagrams are to follow. The high-order bit (DF) of the flags field is set by an originating host to prevent fragmentation of the datagram. When this bit is set and the length of the datagram exceeds that of an intermediate network, the datagram is discarded by the intermediate network and an error message returned to the originating host via the ICMP.

1.3.2.7 Time to Live (TTL) – 8 Bit field

It represents a count, set by the originator, of how long the datagram can exist in the Internet before being discarded. Hence, a datagram may loop around an internet for a maximum of 2^8 – 1, or 255, before being discarded. The current recommended default TTL for the IP is 64. Since each gateway handling a datagram decrements the TTL by a minimum of one, the TTL can also represent a hop count. However, if the gateway holds the datagram for more than one second, then it decrements the TTL by the number of seconds held. The originator of the datagram is sent an error message via the ICMP when the datagram is discarded.

1.3.2.8 Protocol – 8 Bit field

The protocol field is used to identify the next higher layer protocol using the IP. It will normally identify either the TCP (value equal to 6) or UDP (value equal to 17) transport layer, but may identify up to 255 different transport layer protocols. An upper layer protocol using the IP must have a unique protocol number.

1.3.2.9 Checksum – 16 Bit field

The checksum provides assurance that the header has not been corrupted during transmission. The checksum includes all fields in the IP header, starting with the version number and ending with the octet immediately preceding the IP data field, which may be a pad field if the option field is present.

The checksum includes the checksum field itself, which is set to zero for the calculation. The checksum represents the 16-bit one's complement of the one's complement sum of all 16-bit groups in the header.

An intermediate network (node or gateway) that changes a field in the IP header (e.g., time-to-live) must recompute the checksum before forwarding it. Users of the IP must provide their own data integrity, since the IP checksum is only for the header.

1.3.2.10 Source Address – 32 Bit field

The source address field contains the network identifier and host identifier of the originator.


1.3.2.11 Destination Address – 32 Bit field

The destination address field contains the network identifier and host identifier of the destination.

1.3.2.12 Options – variable field

The presence of the "options" field is determined from the value of the header length field. If the header length is greater than five, at least one option is present. Although it is not required that a host set options, it must be able to accept and process options received in a datagram. The options field is variable in length. Each option declared begins with a single octet that defines the format of the remainder of the option.

1.3.2.13 Padding – variable field

The pad field, when present, consists of 1 to 3 octets of zero, as required, to make the total number of octets in the header divisible by four. (The header length is in increments of 32-bit groups.)
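The header walkthrough in 1.3.2.1 to 1.3.2.13, as an added worked example (this is not code from the report): a small Python parser that decodes the IPv4 header fields in the order described, checks the one's complement header checksum, and performs the gateway step from 1.3.2.7 and 1.3.2.9 of decrementing TTL and recomputing the checksum. The datagram values are constructed for the example; ICMP error reporting is not modelled.

```python
import struct


def ones_complement_checksum(data: bytes) -> int:
    """IP header checksum as described in 1.3.2.9: the one's complement of the
    one's complement sum of all 16-bit words, with the checksum field zeroed."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                     # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fields walked through in 1.3.2.1 to 1.3.2.13.

    Raises ValueError on input a receiver must reject: a truncated header,
    a version other than 4, or an IHL outside 5..15 or longer than the packet.
    """
    if len(pkt) < 20:
        raise ValueError("truncated: an IPv4 header needs at least 20 octets")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"unsupported IP version {version}")
    if not 5 <= ihl <= 15 or len(pkt) < ihl * 4:
        raise ValueError(f"bad IHL {ihl}: must be 5..15 words and fit the packet")
    hdr = pkt[:ihl * 4]
    return {
        "version": version,
        "header_octets": ihl * 4,
        "precedence": tos >> 5,            # type-of-service bits 7..5
        "priority": (tos >> 1) & 0x0F,     # type-of-service bits 4..1
        "total_length": total_len,
        "identification": ident,
        "df": bool(flags_frag & 0x4000),   # high-order flag: don't fragment
        "mf": bool(flags_frag & 0x2000),   # low-order flag: more fragments
        "fragment_offset_octets": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl,
        "protocol": {6: "TCP", 17: "UDP"}.get(proto, str(proto)),
        # a header whose words (checksum included) sum to all ones is intact
        "checksum_ok": ones_complement_checksum(hdr) == 0,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "options": hdr[20:],
    }


def build_ipv4_header(src: str, dst: str, *, total_len: int = 20, ident: int = 0,
                      ttl: int = 64, proto: int = 6, tos: int = 0, df: bool = False,
                      mf: bool = False, frag_offset_octets: int = 0) -> bytes:
    """Construct a 20-octet header (no options) with a correct checksum."""
    flags_frag = ((0x4000 if df else 0) | (0x2000 if mf else 0)
                  | ((frag_offset_octets // 8) & 0x1FFF))
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident, flags_frag,
                      ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]


def forward(pkt: bytes):
    """The gateway step from 1.3.2.7 and 1.3.2.9: check the checksum, decrement
    TTL by one and recompute the checksum. Returns None where the datagram
    would be discarded (corrupt header, or TTL expired; the originator would
    then be told via ICMP, which is not modelled here)."""
    info = parse_ipv4_header(pkt)
    if not info["checksum_ok"] or info["ttl"] <= 1:
        return None
    n = info["header_octets"]
    hdr = bytearray(pkt[:n])
    hdr[8] -= 1                            # TTL is the ninth octet
    hdr[10:12] = b"\x00\x00"               # zero the checksum field first
    hdr[10:12] = struct.pack("!H", ones_complement_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[n:]


if __name__ == "__main__":
    # Constructed sample: a DF-marked UDP datagram of 115 octets in total.
    pkt = build_ipv4_header("192.168.0.1", "192.168.0.199", total_len=115,
                            ttl=64, proto=17, df=True)
    print(parse_ipv4_header(pkt))
    print(parse_ipv4_header(forward(pkt))["ttl"])
```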


2. LITERATURE SURVEY

2.1 INTRODUCTION

Information does not exist in a vacuum. Just as the need to share information between desktop computers in an office has forced the proliferation of LANs, the need to share information beyond a single workgroup is forcing the adoption of LAN-to-LAN links, host gateways, asynchronous communication servers, and other methods of communication with other systems.

2.2 OBJECTIVES

The objectives of this chapter are to familiarize the reader with the following:

i) The LAN components and terminology

ii) Networking basics and topologies

iii) Hub

iv) Switch

v) Router

vi) Gateway

2.2.1 TOPOLOGY - Topology is the way that each node is physically connected to the network. Common topologies include:

2.2.1.1 Bus:

Fig 2.1: Bus network topology

Each node is daisy-chained (connected one right after the other) along the same backbone. Information sent from a node travels along the backbone until it reaches its destination node. Each end of a bus network must be terminated with a resistor to keep the signal that is sent by a node across the network from bouncing back when it reaches the end of the cable.

2.2.1.2 Ring:

Fig 2.2: Ring network topology

Like a bus network, rings have the nodes daisy-chained. The difference is that the end of the network comes back around to the first node, creating a complete circuit. In a ring network, each node takes a turn sending and receiving information through the use of a token. The token, along with any data, is sent from the first node to the second node, which extracts the data addressed to it and adds any data it wishes to send. Then, the second node passes the token and data to the third node, and so on until it comes back around to the first node again. Only the node with the token is allowed to send data. All other nodes must wait for the token to come to them.

2.2.1.3 Star:

Fig 2.3: Star network topology

In a star network, each node is connected to a central device called a hub. The hub takes a signal that comes from any node and passes it along to all the other nodes.


2.2.1.4 SWITCHES:

Switches are a fundamental part of most networks. They make it possible for several users to send information over a network at the same time without slowing each other down. Just as routers allow different networks to communicate with each other, switches allow different nodes (a network connection point, typically a computer) of a network to communicate directly with one another in a smooth and efficient manner.

While hubs provide an easy way to scale up and shorten the distance that the packets must travel to get from one node to another, they do not break up the actual network into discrete segments. That is where switches come in.

Fig 2.4: Imagine that each vehicle is a packet of data waiting for an opportunity to continue on its trip.

In a fully switched network, switches replace all the hubs of an Ethernet network with a dedicated segment for every node. These segments connect to a switch, which supports multiple dedicated segments (sometimes in the hundreds). Since the only devices on each segment are the switch and the node, the switch picks up every transmission before it reaches another node. The switch then forwards the frame over the appropriate segment. Since any segment contains only a single node, the frame only reaches the intended recipient. This allows many conversations to occur simultaneously on a switched network.


Fig 2.5: An example of a network using a switch

Switching allows a network to maintain full-duplex Ethernet. Before switching, Ethernet was half-duplex, which means that data could be transmitted in only one direction at a time. In a fully switched network, each node communicates only with the switch, not directly with other nodes. Information can travel from node to switch and from switch to node simultaneously.

2.2.1.5 ROUTERS

Routers connect LANs at the Network layer of the OSI model. Routers connect LANs that use the same Network-layer protocol, such as IPX-to-IPX and IP-to-IP. Because routers operate at the Network layer, they can be used to link dissimilar LANs, such as ARCNET, Ethernet, and Token Ring.

Fig 2.6: Example of Routers

Two networks connected via a router are physically and logically separate networks. Network-layer protocols have their own addressing scheme separate from the addressing scheme of MAC-layer protocols. This addressing scheme may or may not include the MAC-layer addresses of the network cards. Each network attached to a router must be assigned a logical identifier, or network address, to designate it as unique from other physical networks.

For example, NetWare's IPX routers (NetWare file servers or external NetWare routers using ROUTER.EXE) use each LAN card's MAC-layer address and a logical address for each network assigned by the router installer.

Routers only forward traffic addressed to the other side. This means that local traffic on one LAN will not affect performance on another. Routers can be proprietary devices, or can be software and hardware residing in a general purpose computer, such as a PC.

Like transparent bridges, routers maintain routing tables. A router's routing table, however, keeps track of network addresses and possible routes between networks, not individual node addresses. Using routers, redundant paths between networks can be established, and traffic will be routed between networks based on some algorithm to determine the best path. The simplest routers usually select the path with the fewest router hops as the best path. More intelligent routers consider other factors, such as the relative response times of various possible routes, when selecting the best path.

2.2.1.6 GATEWAYS

A gateway is a fundamentally different type of device than a router or switch and can be used in conjunction with them. A gateway makes it possible for an application program, running on a system conforming to one network architecture, to communicate with an application program running on a system conforming to some other network architecture.

A gateway performs its function in the Application layer of the OSI model. The function of a gateway is to convert one set of communication protocols to some other set of communication protocols. Protocol conversion may include the following:

Message Format Conversion - Different networks may employ different message formats, maximum message sizes, or character codes. The gateway must be able to convert messages to the appropriate format, size and coding.

Address translation - Different networks may employ different addressing mechanisms and network address structures. The gateway must be able to interpret network addresses in one network and convert them into network addresses in the other network.

Protocol conversion - When a message is prepared for transmission, each layer adds control information, unique to the protocol used in that layer. The gateway must be able to convert control information used by each layer so that the receiving system receives the control information in the format it expects.

2.3 IPv4 ADDRESSING

2.3.1 IP Addressing:

For any two systems to communicate, they must be able to identify and locate each other. While the addresses in the figure below are not actual network addresses, they represent and show the concept of address grouping. This uses the letter A or B to identify the network and the number sequence to identify the individual host. A computer may be connected to more than one network. In this situation, the system must be given more than one address. Each address will identify the connection of the computer to a different network.

Fig 2.7: Network system.

A device is not said to have an address; rather, each of the connection points, or interfaces, on that device has an address on a network. This allows other computers to locate the device on that particular network. The combination of the letter (network address) and the number (host address) creates a unique address for each device on the network. Each computer in a TCP/IP network must be given a unique identifier, or IP address. This address, operating at Layer 3, allows one computer to locate another computer on a network. All computers also have a unique physical address, known as a MAC address. These are assigned by the manufacturer of the network interface card. MAC addresses operate at Layer 2 of the OSI model.

2.3.2 IPv4 addressing

A router forwards packets from the originating network to the destination network using the IP protocol. The packets must include an identifier for both the source and destination networks. Using the IP address of the destination network, a router can deliver a packet to the correct network. When the packet arrives at a router connected to the destination network, the router uses the IP address to locate the particular computer connected to that network. This system works in much the same way as the national postal system. When the mail is routed, it must first be delivered to the post office at the destination city using the zip code. That post office then must locate the final destination in that city using the street address. This is a two-step process.

Accordingly, every IP address has two parts. One part identifies the network where the system is connected, and a second part identifies that particular system on the network.

This kind of address is called a hierarchical address, because it contains different levels. An IP address combines these two identifiers into one number. This number must be a unique number, because duplicate addresses would make routing impossible. The first part identifies the system's network address. The second part, called the host part, identifies which particular machine it is on the network.

IP addresses are divided into classes to define the large, medium, and small networks. Class A addresses are assigned to larger networks. Class B addresses are used for medium-sized networks and Class C for small networks. The first step in determining which part of the address identifies the network and which part identifies the host is identifying the class of an IP address.

2.3.3 Class A, B, C, D, and E IP addresses:

To accommodate different size networks and aid in classifying these networks, IP addresses are divided into groups called classes. This is known as classful addressing. Each complete 32-bit IP address is broken down into a network part and a host part. A bit or bit sequence at the start of each address determines the class of the address. There are five IP address classes, as shown in the Figure below.


Fig 2.8: Class A, B, C, D & E IP address

The Class A address was designed to support extremely large networks, with more than 16 million host addresses available. Class A IP addresses use only the first octet to indicate the network address. The remaining three octets provide for host addresses.

The first bit of a Class A address is always 0. With that first bit a 0, the lowest number that can be represented is 00000000, decimal 0. The highest number that can be represented is 01111111, decimal 127. The numbers 0 and 127 are reserved and cannot be used as network addresses. Any address that starts with a value between 1 and 126 in the first octet is a Class A address.

The 127.0.0.0 network is reserved for loopback testing. Routers or local machines can use this address to send packets back to themselves. Therefore, this number cannot be assigned to a network.

The Class B address was designed to support the needs of moderate to large-sized networks. A Class B IP address uses the first two of the four octets to indicate the network address. The other two octets specify host addresses.

The first two bits of the first octet of a Class B address are always 10. The remaining six bits may be populated with either 1s or 0s. Therefore, the lowest number that can be represented with a Class B address is 10000000, decimal 128. The highest number that can be represented is 10111111, decimal 191. Any address that starts with a value in the range of 128 to 191 in the first octet is a Class B address.

The Class C address space is the most commonly used of the original address classes. This address space was intended to support small networks with a maximum of 254 hosts.

A Class C address begins with binary 110. Therefore, the lowest number that can be represented is 11000000, decimal 192. The highest number that can be represented is 11011111, decimal 223. If an address contains a number in the range of 192 to 223 in the first octet, it is a Class C address.

The Class D address class was created to enable multicasting in an IP address. A multicast address is a unique network address that directs packets with that destination address to predefined groups of IP addresses. Therefore, a single station can simultaneously transmit a single stream of data to multiple recipients.

The Class D address space, much like the other address spaces, is mathematically constrained. The first four bits of a Class D address must be 1110. Therefore, the first octet range for Class D addresses is 11100000 to 11101111, or 224 to 239. An IP address that starts with a value in the range of 224 to 239 in the first octet is a Class D address.

A Class E address has been defined. However, the Internet Engineering Task Force (IETF) reserves these addresses for its own research. Therefore, no Class E addresses have been released for use in the Internet. The first four bits of a Class E address are always set to 1s. Therefore, the first octet range for Class E addresses is 11110000 to 11111111, or 240 to 255.

2.3.4 Reserved IP addresses:

Certain host addresses are reserved and cannot be assigned to devices on a network. These reserved host addresses include the following:

2.3.4.1 Introduction to subnetting:

Subnetting is another method of managing IP addresses. This method of dividing full network address classes into smaller pieces has prevented complete IP address exhaustion. It is important to understand subnetting as a means of dividing and identifying separate networks throughout the LAN. It is not always necessary to subnet a small network. However, for large or extremely large networks, subnetting is required. Subnetting a network means to use the subnet mask to divide the network and break a large network up into smaller, more efficient and manageable segments, or subnets. An example would be the U.S. telephone system, which is broken into area codes, exchange codes, and local numbers.

The system administrator must resolve these issues when adding and expanding the network. It is important to know how many subnets or networks are needed and how many hosts will be needed on each network. With subnetting, the network is not limited to the default Class A, B, or C network

Fig 2.9: An Example Subnet System

Subnet addresses include the network portion, plus a subnet field and a host field. The subnet field and the host field are created from the original host portion for the entire network. The ability to decide how to divide the original host portion into the new subnet and host fields provides addressing flexibility for the network administrator.

To create a subnet address, a network administrator borrows bits from the host field and designates them as the subnet field. The minimum number of bits that can be borrowed is two. If only one bit were borrowed when creating a subnet, the network number would be the .0 network and the broadcast number would then be the .255 network.

The method that was used to create the subnet chart can be used to solve all subnetting problems. This method uses the following formula:

Number of usable subnets = two to the power of the assigned subnet bits or borrowed bits, minus two (reserved addresses for subnetwork ID and subnetwork broadcast):

(2 ^ borrowed bits) – 2 = usable subnets
(2^3) – 2 = 6

Number of usable hosts = two to the power of the bits remaining, minus two (reserved addresses for subnet ID and subnet broadcast):

(2 ^ remaining host bits) – 2 = usable hosts
(2^5) – 2 = 30


As early as 1992, the Internet Engineering Task Force (IETF) identified the following two specific concerns:

Exhaustion of the remaining, unassigned IPv4 network addresses. At the time, the Class B space was on the verge of depletion.

The rapid and large increase in the size of Internet routing tables occurred as more Class C networks came online. The resulting flood of new network information threatened the ability of Internet routers to cope ef

Fig 2.10: Assigning the addresses to different regions

2.3.4.3 Applying the subnet mask:

Once the subnet mask has been established, it can then be used to create the subnet scheme. The chart in the figure is an example of the subnets and addresses created by assigning three bits to the subnet field. This will create eight subnets with 32 hosts per subnet. Start with zero (0) when numbering subnets. The first subnet is always referenced as the zero subnet. When filling in the subnet chart, three of the fields are automatic; others require some calculation.

Fig 2.10(a): Applying the subnet mask

The subnetwork ID of subnet zero is the same as the major network number, in this case 192.168.10.0. The broadcast ID for the whole network is the largest number possible, in this case 192.168.10.255. The third number that is given is the subnetwork ID for subnet number seven. This number is the three network octets with the subnet mask number inserted in the fourth octet position. Three bits were assigned to the subnet field with a cumulative value of 224. The ID for subnet seven is 192.168.10.224. By inserting these numbers, checkpoints have been established that will verify the accuracy when the chart is completed.

Fig 2.10 (figure labels): IANA; InterNIC (America), RIPE (Europe), APNIC (Asia Regional); National; Local; Consumer

When consulting the subnetting chart or using the formula, the three bits assigned to the subnet field will result in 32 total hosts assigned to each subnet. This information provides the step count for each subnetwork ID. Adding 32 to each preceding number, starting with subnet zero, the ID for each subnet is established. Notice that the subnet ID has all binary 0s in the host portion.

Fig 2.10(b): Applying the subnet mask

The broadcast field is the last number in each subnetwork, and has all binary ones in the host portion. This address has the ability to broadcast only to the members of a single subnet. Since the subnetwork ID for subnet zero is 192.168.10.0 and there are 32 total hosts, the broadcast ID would be 192.168.10.31. Starting at zero, the 32nd sequential number is 31. It is important to remember that zero (0) is a real number in the world of networking.

The balance of the broadcast ID column can be filled in using the same process that was used in the subnetwork ID column. Simply add 32 to the preceding broadcast ID of the subnet. Another option is to start at the bottom of this column and work up to the top by subtracting one from the preceding subnetwork ID.
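As an added example (not part of the original report), the chart-building procedure above and the two formulas from 2.3.4.1 carried out in Python for the 192.168.10.0/24 network with three borrowed bits; the function and key names are my own.

```python
import ipaddress


def subnet_counts(major_network: str, borrowed_bits: int) -> dict:
    """Apply the text's formulas to a classful major network such as
    192.168.10.0/24: usable subnets = 2^borrowed - 2, usable hosts =
    2^remaining - 2, plus the new mask and the step count between subnet IDs."""
    net = ipaddress.ip_network(major_network, strict=True)
    host_bits = net.max_prefixlen - net.prefixlen
    # The text requires at least two borrowed bits and, for usable hosts,
    # at least two bits left over in the host field.
    if not 2 <= borrowed_bits <= host_bits - 2:
        raise ValueError("borrow at least 2 bits and leave at least 2 host bits")
    remaining = host_bits - borrowed_bits
    new_mask = ipaddress.ip_network(
        f"{net.network_address}/{net.prefixlen + borrowed_bits}").netmask
    return {
        "subnet_mask": str(new_mask),
        "step": 2 ** remaining,                    # addresses per subnet
        "usable_subnets": 2 ** borrowed_bits - 2,  # classic rule used by the text
        "usable_hosts": 2 ** remaining - 2,        # subnet ID and broadcast excluded
    }


def subnet_chart(major_network: str, borrowed_bits: int) -> list:
    """One row per subnet, numbered from subnet zero: subnetwork ID (host bits
    all 0), first and last assignable host, and broadcast (host bits all 1)."""
    net = ipaddress.ip_network(major_network, strict=True)
    rows = []
    for index, sub in enumerate(net.subnets(new_prefix=net.prefixlen + borrowed_bits)):
        rows.append({
            "subnet": index,
            "subnet_id": str(sub.network_address),
            "first_host": str(sub.network_address + 1),
            "last_host": str(sub.broadcast_address - 1),
            "broadcast": str(sub.broadcast_address),
        })
    return rows


def checkpoints_hold(major_network: str, rows: list) -> bool:
    """Verify a finished chart the way the text does: subnet zero's ID equals
    the major network number, the last broadcast equals the major network's
    broadcast, consecutive IDs differ by the step, and each broadcast is the
    next subnet ID minus one."""
    net = ipaddress.ip_network(major_network, strict=True)
    ids = [int(ipaddress.ip_address(r["subnet_id"])) for r in rows]
    bcasts = [int(ipaddress.ip_address(r["broadcast"])) for r in rows]
    step = ids[1] - ids[0]
    return (
        ids[0] == int(net.network_address)
        and bcasts[-1] == int(net.broadcast_address)
        and all(b - a == step for a, b in zip(ids, ids[1:]))
        and all(b == i + step - 1 for i, b in zip(ids, bcasts))
    )


if __name__ == "__main__":
    print(subnet_counts("192.168.10.0/24", 3))
    for row in subnet_chart("192.168.10.0/24", 3):
        print(row)
```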

2.4 ROUTING CONCEPTS:

2.4.1 Introduction to Routing:

This chapter introduces the underlying concepts widely used in routing protocols. Topics summarized here include routing protocol components and algorithms. In addition, the role of routing protocols is briefly contrasted with the role of routed or network protocols.

2.4.2 What is Routing?

Routing is the act of moving information across an inter-network from a source to a destination. Along the way, at least one intermediate node typically is encountered. Routing is often contrasted with bridging, which might seem to accomplish precisely the same thing to the casual observer. The primary difference between the two is that bridging occurs at Layer 2 (the link layer) of the OSI reference model, whereas routing occurs at Layer 3 (the network layer). This distinction provides routing and bridging with different information to use in the process of moving information from source to destination, so the two functions accomplish their tasks in different ways.

The topic of routing has been covered in computer science literature for more than two decades, but routing achieved commercial popularity as late as the mid-1980s. The primary reason for this time lag is that networks in the 1970s were simple, homogeneous environments. Only relatively recently has large-scale internetworking become popular.

2.4.3 Routing Components:

Routing involves two basic activities: determining optimal routing paths and transporting information groups (typically called packets) through an internetwork. In the context of the routing process, the latter of these is referred to as packet switching. Although packet switching is relatively straightforward, path determination can be very complex.

2.4.4 Path Determination:

Routing protocols use metrics to evaluate what path will be the best for a packet to travel. A metric is a standard of measurement, such as path bandwidth, that is used by routing algorithms to determine the optimal path to a destination. To aid the process of path determination, routing algorithms initialize and maintain routing tables, which contain route information. Route information varies depending on the routing algorithm used.

Routing algorithms fill routing tables with a variety of information. Destination/next hop associations tell a router that a particular destination can be reached optimally by sending the packet to a particular router representing the "next hop" on the way to the final destination. When a router receives an incoming packet, it checks the destination address and attempts to associate this address with a next hop.

Routing tables also can contain other information, such as data about the desirability of a path. Routers compare metrics to determine optimal routes, and these metrics differ depending on the design of the routing algorithm used. A variety of common metrics will be introduced and described later in this chapter.

Routers communicate with one another and maintain their routing tables through the transmission of a variety of messages. The routing update message is one such message that generally consists of all or a portion of a routing table. By analyzing routing updates from all other routers, a router can build a detailed picture of network topology. A link-state advertisement, another example of a message sent between routers, informs other routers of the state of the sender's links. Link information also can be used to build a complete picture of network topology to enable routers to determine optimal routes to network destinations.

2.4.5 Routing Algorithms

Routing algorithms can be differentiated based on several key characteristics. First, the particular goals of the algorithm designer affect the operation of the resulting routing protocol. Second, various types of routing algorithms exist, and each algorithm has a different impact on network and router resources. Finally, routing algorithms use a variety of metrics that affect calculation of optimal routes. The following sections analyze these routing algorithm attributes.

2.4.5.1 Routing Algorithms Design Goals

Routing algorithms often have one or more of the following design goals:

Optimality
Simplicity and low overhead
Robustness and stability
Rapid convergence
Flexibility

Optimality refers to the capability of the routing algorithm to select the best route, which depends on the metrics and metric weightings used to make the calculation. For example, one routing algorithm may use a number of hops and delays, but it may weigh delay more heavily in the calculation. Naturally, routing protocols must define their metric calculation algorithms strictly.

Routing algorithms also are designed to be as simple as possible. In other words, the routing algorithm must offer its functionality efficiently, with a minimum of software and utilization overhead. Efficiency is particularly important when the software implementing the routing algorithm must run on a computer with limited physical resources.

Routing algorithms must be robust, which means that they should perform correctly in the face of unusual or unforeseen circumstances, such as hardware failures, high load conditions, and incorrect implementations. Because routers are located at network junction points, they can cause considerable problems when they fail. The best routing algorithms are often those that have withstood the test of time and that have proven stable under a variety of network conditions.

In addition, routing algorithms must converge rapidly. Convergence is the process of agreement, by all routers, on optimal routes. When a network event causes routes to either go down or become available, routers distribute routing update messages that permeate networks, stimulating recalculation of optimal routes and eventually causing all routers to agree on these routes. Routing algorithms that converge slowly can cause routing loops or network outages.

Routing algorithms should also be flexible, which means that they should quickly and accurately adapt to a variety of network circumstances. Assume, for example, that a network segment has gone down. As many routing algorithms become aware of the problem, they will quickly select the next-best path for all routes normally using that segment. Routing algorithms can be programmed to adapt to changes in network bandwidth, router queue size, and network delay, among other variables.


2.4.6 Types of Routing:

Static Routing
Dynamic Routing
Default Routing

2.4.6.1 Static Routing

Static routing is a data communication concept describing one way of configuring path selection of routers in computer networks. It is the type of routing characterized by the absence of communication between routers regarding the current topology of the network. This is achieved by manually adding routes to the routing table. In these systems, routes through a data network are described by fixed paths (statically). The system administrator usually enters these routes into the router. An entire network can be configured using static routes, but this type of configuration is not fault tolerant. When there is a change in the network or a failure occurs between two statically defined nodes, traffic will not be rerouted. This means that anything that wishes to take an affected path will either have to wait for the failure to be repaired or the static route to be updated by the administrator before restarting its journey. Most requests will time out (ultimately failing) before these repairs can be made. There are, however, times when static routes can improve the performance of a network. Some of these include stub networks and default routes.

Static Routing:

a. Routes for each destination network have to be manually configured by the administrator.
b. Requires the destination network ID for the configuration.
c. Used in small networks.
d. Administrative distance for a static route is

Disadvantages of static routing:

a. Topology changes cannot be dynamically updated.
b. Compulsory need for all destination network IDs.
c. More administrative work.
d. Used only for small organizations.


Syntax for Static Routing:

Router(config)# ip route <destination network ID> <destination subnet mask> <next hop IP address> [permanent]

Or

Router(config)# ip route <destination network ID> <destination subnet mask> <exit interface type> <interface number> [permanent]

2.4.6.2 Default Routing

A default route, also known as the gateway of last resort, is the network route used by a router when no other known route exists for a given IP packet's destination address. All the packets for destinations not known by the router's routing table are sent to the default route. This route generally leads to another router, which treats the packet the same way: if the route is known, the packet will get forwarded to the known route. If not, the packet is forwarded to the default route of that router, which generally leads to another router. And so on. Each router traversal adds a one-hop distance to the route.

Once the router with a known route to a host destination is reached, the router determines which route is valid by finding the "most specific match". The network with the longest subnet mask that matches the destination IP address wins.

The default route in IPv4 (in CIDR notation) is 0.0.0.0/0, often called the quad-zero route. Since the subnet mask given is /0, it effectively specifies no network, and is the "shortest" match possible. A route lookup that doesn't match anything will naturally fall back onto this route. Similarly, in IPv6 the default address is given by ::/0.

Routers in an organization generally point the default route towards the router that has a connection to a network service provider. This way, packets with destinations outside the organization's local area network (LAN), typically to the Internet, WAN, or VPN, will be forwarded by the router with the connection to that provider.


Once it is routed outside the network, if that router does not know the route to the destination, it will forward it to its own default route, which is usually a router connected to a larger number of networks. Similarly, the packet will progress to the Internet backbone if still no route is known for the destination IP. It is then considered that the network does not exist, and the packet is discarded.

Host devices in an organization generally refer to the default route as a default gateway, which can be, and usually is, a filtering device such as a firewall or proxy server.

Syntax for Default Routing:

Router(config)# ip route 0.0.0.0 0.0.0.0 <next hop IP address>

Or

Router(config)# ip route 0.0.0.0 0.0.0.0 <exit interface type> <interface number>
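As an added example (not from the report), a small Python model of the static and default routing just described: routes are entered in the shape of the ip route command, lookups pick the most specific (longest mask) match, and a packet is followed hop by hop through constructed routing tables for a branch router, a headquarters router and an ISP router. All addresses, router names and interface names below are constructed for the demo.

```python
import ipaddress


class RoutingTable:
    """Minimal model of one router's IPv4 routing table.  Entries are added in
    the shape of the 'ip route <network> <mask> <next hop | exit interface>'
    command; the lookup implements the "most specific match" rule."""

    def __init__(self, name: str):
        self.name = name
        self._routes = []   # list of (ip_network, next hop or exit interface)

    def ip_route(self, network: str, mask: str, via: str) -> None:
        # 'ip route 172.16.0.0 255.255.0.0 10.0.0.2' becomes 172.16.0.0/16 via 10.0.0.2
        prefix = ipaddress.ip_network(f"{network}/{mask}", strict=True)
        self._routes.append((prefix, via))

    def ip_default_route(self, via: str) -> None:
        # The quad-zero route 0.0.0.0/0 matches every address but with a /0
        # mask, so it only wins when nothing more specific matches.
        self.ip_route("0.0.0.0", "0.0.0.0", via)

    def lookup(self, address: str):
        """Return the next hop or exit interface for address, or None when the
        table has no matching route (the packet is discarded)."""
        addr = ipaddress.ip_address(address)
        matches = [(prefix, via) for prefix, via in self._routes if addr in prefix]
        if not matches:
            return None
        prefix, via = max(matches, key=lambda m: m[0].prefixlen)
        return via


def forward_path(routers: dict, start: str, address: str, max_hops: int = 16):
    """Follow the packet from router to router.  A lookup result that is the
    address of a known router is a next hop; anything else is an exit
    interface, meaning the destination is directly connected there."""
    path = [start]
    current = start
    for _ in range(max_hops):
        via = routers[current].lookup(address)
        if via is None:
            return path, "discarded"
        if via not in routers:
            return path, via
        current = via
        path.append(current)
    return path, "loop"


def build_demo_routers() -> dict:
    """Constructed topology: branch -> headquarters -> ISP, with the default
    route pointing one step closer to the provider at each router."""
    branch = RoutingTable("10.0.0.1")
    branch.ip_route("192.168.10.0", "255.255.255.0", "GigabitEthernet0/1")
    # A more specific subnet of the same LAN range lives on another interface.
    branch.ip_route("192.168.10.64", "255.255.255.192", "GigabitEthernet0/2")
    branch.ip_default_route("10.0.0.2")

    hq = RoutingTable("10.0.0.2")
    hq.ip_route("192.168.10.0", "255.255.255.0", "10.0.0.1")
    hq.ip_route("172.16.0.0", "255.255.0.0", "GigabitEthernet0/2")
    hq.ip_default_route("203.0.113.1")

    isp = RoutingTable("203.0.113.1")
    isp.ip_route("198.51.100.0", "255.255.255.0", "Serial0/0")
    # No default route here: unknown destinations are discarded.

    return {r.name: r for r in (branch, hq, isp)}


if __name__ == "__main__":
    demo = build_demo_routers()
    for dst in ("192.168.10.70", "172.16.4.9", "198.51.100.7", "192.0.2.9"):
        print(dst, forward_path(demo, "10.0.0.1", dst))
```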

2.4.6.3 Dynamic routing

Dynamic routing protocols are supported by software applications running on the routing device (the router) which dynamically learn network destinations and how to get to them, and also advertise those destinations to other routers. This advertisement function allows all the routers to learn about all the destination networks that exist and how to reach those networks.

A router using dynamic routing will 'learn' the routes to all networks that are directly connected to the device. Next, the router will learn routes from other routers that run the same routing protocol (RIP, RIP2, EIGRP, OSPF, IS-IS, BGP, etc.). Each router will then sort through its list of routes and select one or more 'best' routes for each network destination the router knows or has learned.

Dynamic routing protocols will then distribute this 'best route' information to other routers running the same routing protocol, thereby extending the information on what networks exist and can be reached. This gives dynamic routing protocols the ability to adapt to logical network topology changes, equipment failures or network outages 'on the fly'.


2.4.7 Types of Dynamic Routing Protocols:

Distance-vector protocol (RIP - Routing Information Protocol); it is an open standard.
Link-state protocol (OSPF - Open Shortest Path First); it is an open standard.
Hybrid or advanced distance-vector routing protocol (EIGRP - Enhanced Interior Gateway Routing Protocol); it is Cisco proprietary.

2.4.7.1 OPEN SHORTEST PATH FIRST (OSPF):

OSPF is a protocol that runs at the transport layer (OSPF runs directly over IP, and its protocol number in the IP datagram is 89).

OSPF is an Interior Gateway Protocol, which means that it is used by all the routers inside the same Autonomous System in order to route packets inside the AS. In an internet which is divided into several ASs, the routing between two hosts on different ASs is done as follows: first, the packet is sent from the original host to some Border Router using the Interior Gateway Protocol (IGP). The Border Router uses the Border Gateway Protocol (BGP) to route the packet to the AS of the destination. Inside that AS, the packet is routed through the IGP of that AS.

The general idea behind OSPF is the following: OSPF is a link-state routing protocol, which is based on the SPF (Shortest Path First) algorithm to find the least-cost path to any destination in the network. Each router sends the list of its neighbors to all the other routers. When a router has received that information from all other routers, it is ready to deduce the topology of the network, which will enable it, through the use of the Dijkstra algorithm, to find the least-cost path to any IP address on the entire network.

OSPF can be described as follows: In OSPF, each router maintains a database that describes the current topology of the network. However, since OSPF is run inside ASs and since ASs can be very large, there is a division of ASs into small sets of networks which are called "Areas". The main idea is that each router should maintain a database of the topology of the area in which it resides.

In order to flood link-state information throughout the area, OSPF introduces the notion of Designated Routers. Once Designated Routers have been selected, whenever a router wants to send link-state information, it will transfer it to the Designated Router in an exchange protocol. Next, the Designated Router will transfer the information to all the other routers.

The shortest-path tree (or trees) is later used to build the routing table of each router.

OSPF Features:

Open standard (IETF)
Successor of RIP
SPF or Dijkstra algorithm
Link-state routing protocol
Classless
Hello packets are sent every 10 seconds
Supports FLSM, VLSM, CIDR and manual summarization
Incremental / triggered updates
Updates are sent as multicast (224.0.0.5 & 224.0.0.6)
Metric = cost (cost = 10^8 / bandwidth in bps)
Administrative distance = 110
Load balancing via equal-cost paths by default (unequal-cost load balancing not supported)

2.4.7.2 Link-state routing protocol

Auto neighbor discovery
Hierarchical network design
One area has to be designated as area 0 (backbone area)
Sends periodic updates, known as link-state refresh, every 30 seconds
Maintains a similar database on all the routers within an area
A router ID is used to identify each router


Router ID:

The router ID is used to identify the router.
The highest IP assigned to an active physical interface is the router ID.
If a logical interface is configured, then the highest IP assigned to a logical interface (loopback) is the router ID.

Neighbors:

Routers that share a common link become neighbors.
Neighbors are discovered by hello packets.
To become neighbors the following should match:
a) Area ID. b) Hello and dead intervals. c) Authentication.
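Router-ID selection and the neighbor requirements above, as an added Python example (not from the report); the interface records and hello-parameter dictionaries are constructed inputs, and the names are my own.

```python
import ipaddress


def ospf_router_id(interfaces: list):
    """Choose the router ID as the text describes: the highest IP on an active
    loopback (logical) interface if any is configured, otherwise the highest IP
    on an active physical interface.  Addresses are compared numerically, so
    10.0.0.1 outranks 9.255.255.255 (a plain string comparison would not)."""
    active = [i for i in interfaces if i["up"]]
    loopbacks = [i for i in active if i["loopback"]]
    physical = [i for i in active if not i["loopback"]]
    candidates = loopbacks or physical
    if not candidates:
        return None
    return max(candidates, key=lambda i: ipaddress.ip_address(i["ip"]))["ip"]


# Parameters carried in hello packets that must agree before two routers on a
# shared link accept each other as neighbors (constructed field names).
NEIGHBOR_PARAMETERS = ("area", "hello", "dead", "auth")


def neighbor_mismatches(local: dict, remote: dict) -> list:
    """Return the hello parameters that differ; an empty list means the two
    routers can become neighbors and go on to form an adjacency."""
    return [p for p in NEIGHBOR_PARAMETERS if local[p] != remote[p]]


if __name__ == "__main__":
    demo = [
        {"name": "GigabitEthernet0/0", "ip": "10.0.0.1", "up": True, "loopback": False},
        {"name": "GigabitEthernet0/1", "ip": "9.255.255.255", "up": True, "loopback": False},
        {"name": "Loopback0", "ip": "1.1.1.1", "up": True, "loopback": True},
    ]
    print(ospf_router_id(demo))   # the loopback wins even though its IP is lower
```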

Adjacencies:

Adjacencies are formed once the neighbor relation is established.
In adjacencies the database details are exchanged.

OSPF tables:

Neighbor table: contains information about the directly connected OSPF neighbors.

Database tables: contain information about the entire view of the topology, with respect to each other.

Routing table: contains information about the best path calculated by the shortest path first algorithm from the database tables.

OSPF CONFIGURATION:

Syntax:

Router(config)# ip routing
Router(config)# router ospf <process id>
Router(config-router)# network <network id> <wildcard mask> area <area id>


2.5 VIRTUAL PRIVATE NETWORKING (VPN):

2.5.1 Introduction to Virtual Private Networks

There have been many improvements in the Internet including Quality of Service, network performance, and inexpensive technologies, such as DSL. But one of the most important advances has been in Virtual Private Networking (VPN) Internet Protocol security (IPSec). IPSec is one of the most complete, secure, and commercially available, standards-based protocols developed for transporting data.

A VPN is a shared network where private data is segmented from other traffic so that only the intended recipient has access. The term VPN was originally used to describe a secure connection over the Internet. Today, however, VPN is also used to describe private networks, such as Frame Relay, Asynchronous Transfer Mode (ATM), and Multiprotocol Label Switching (MPLS). A key aspect of data security is that the data flowing across the network is protected by encryption technologies. Private networks lack data security, which can allow data attackers to tap directly into the network and read the data. IPSec-based VPNs use encryption to provide data security, which increases the network's resistance to data tampering or theft. IPSec-based VPNs can be created over any type of IP network, including the Internet, Frame Relay, ATM, and MPLS, but only the Internet is ubiquitous and inexpensive.

2.5.2 Traditional VPN usage

• Intranets

Intranets connect an organization's locations. These locations range from the headquarters offices, to branch offices, to a remote employee's home. Often this connectivity is used for e-mail and for sharing applications and files. While Frame Relay, ATM, and MPLS accomplish these tasks, the shortcomings of each limit connectivity. The cost of connecting home users is also very expensive compared to Internet-access technologies, such as DSL or cable. Because of this, organizations are moving their networks to the Internet, which is inexpensive, and using IPSec to create these networks.


• Remote Access:

Remote access enables telecommuters and mobile workers to access e-mail and business applications. A dial-up connection to an organization's modem pool is one method of access for remote workers, but it is expensive because the organization must pay the associated long distance telephone and service costs. Remote access VPNs greatly reduce expenses by enabling mobile workers to dial a local Internet connection and then set up secure IPSec-based VPN communications to their organization.

• Extranets:

Extranets are secure connections between two or more organizations. Common uses for extranets include supply-chain management, development partnerships, and subscription services. These undertakings can be difficult using legacy network technologies due to connection costs, time delays, and access availability. IPSec-based VPNs are ideal for extranet connections. IPSec-capable devices can be quickly and inexpensively installed on existing Internet connections.

2.5.3 Virtual private networking

2.5.3.1 Key Management:

IPSec uses the Internet Key Exchange (IKE) protocol to facilitate and automate the SA setup and the exchange of keys between parties transferring data. Using keys ensures that only the sender and receiver of a message can access it.

IPSec requires that keys be re-created, or refreshed, frequently so that the parties can communicate securely with each other. IKE manages the process of refreshing keys; however, a user can control the key strength and the refresh frequency. Refreshing keys on a regular basis ensures data confidentiality between sender and receiver.

The VPN Consortium has developed specific scenarios to aid system administrators in the often confusing process of connecting two different vendor implementations of the IPSec standard. The examples in this manual follow the addressing and configuration mechanics defined by the VPN Consortium. It is a good idea to gather all the necessary information required to establish a VPN before you begin the configuration process. You should understand whether the firmware is up-to-date, all of the addresses that will be necessary, and all of the parameters that need to be set on both sides. Try to understand any incompatibilities before you begin, so that you minimize any potential complications which may arise from normal firewall or WAN processes.

2.5.3.2 VPN Process Overview

Even though IPSec is standards-based, each vendor has its own set of terms and procedures for implementing the standard. Because of these differences, it may be a good idea to review some of the terms and the generic processes for connecting two gateways before diving into the specifics.

Network Interfaces and Addresses

The VPN gateway is aptly named because it functions as a "gatekeeper" for each of the computers connected on the Local Area Network behind it. In most cases, each gateway will have a "public" facing address (WAN side) and a "private" facing address (LAN side). These addresses are referred to as the "network interface" in documentation regarding the construction of VPN communication. Please note that the interface addresses used in the examples in this document are example addresses provided by the VPN Consortium. It is important to understand that you will be using addresses specific to the devices that you are attempting to connect via IPSec VPN. It is also important to make sure the addresses do not overlap or conflict. That is, each set of addresses should be separate and distinct.

Each gateway must negotiate its Security Association with another gateway using the parameters and processes established by IPSec. As illustrated below, the most common method of accomplishing this process is via the Internet Key Exchange (IKE) protocol, which automates some of the negotiation procedures. Alternatively, you can configure your gateways using manual key exchange, which involves manually configuring each parameter on both gateways. The IPSec software on Host A initiates the IPSec process in an attempt to communicate with Host B. The two computers then begin the Internet Key Exchange (IKE) process.


2.5.3.3 IKE Phase I.

a. The two parties negotiate the encryption and authentication algorithms to use in the IKE SAs.
b. The two parties authenticate each other using a predetermined mechanism, such as pre-shared keys or digital certificates.
c. A shared master key is generated by the Diffie-Hellman public key algorithm within the IKE framework for the two parties. The master key is also used in the second phase to derive IPsec keys for the SAs.

2.5.3.4 IKE Phase II.

a. The two parties negotiate the encryption and authentication algorithms to use in the IPsec SAs.
b. The master key is used to derive the IPSec keys for the SAs. Once the SA keys are created and exchanged, the IPsec SAs are ready to protect user data between the two VPN gateways.

Data transfer. Data is transferred between IPSec peers based on the IPSec parameters and keys stored in the SA database.

IPsec tunnel termination. IPSec SAs terminate through deletion or by timing out.

VPN Gateway to VPN Gateway

1) Communication request sent to VPN Gateway

2) IKE Phase I authentication

3) IKE Phase II negotiation

4) Secure data transfer

5) IPsec tunnel termination

IPsec allows for a lot of flexibility. Not all companies deploy the same networking hardware in their environment, but as long as the devices are IPSec compliant, network connectivity can be established via the IPSec tunnelling protocol.

When creating IPSec tunnels, the main goal is to protect data flows that carry confidential or sensitive data over an untrusted or public network. Therefore, before planning your IPSec tunnel implementation, you must have a solid understanding of the traffic you want protected by IPSec tunnels, and the sources and destinations of this traffic.

2.6 IPsec (INTERNET PROTOCOL SECURITY):

2.6.1 Introduction:

IPsec (Internet Protocol Security) is a network layer security protocol designed for the Internet environment with flexibility, scalability, and interoperability in mind. Unlike the other security protocols, IPsec primarily secures communication between hosts rather than between users. Recently, IPsec has been emphasized as one of the important security infrastructures of the NGI (Next Generation Internet). It also has suitable features for implementing VPNs (Virtual Private Networks) efficiently, and its application areas are expected to grow rapidly. In this paper, the basic concepts and related standard documents of IPsec will be introduced.

2.6.2 What Is IPSec and How Does It Work?

IPSec is an Internet Engineering Task Force (IETF) standard suite of protocols that provides data authentication, integrity, and confidentiality as data is transferred between communication points across IP networks. IPSec provides data security at the IP packet level. A packet is a data bundle that is organized for transmission across a network, and it includes a header and payload (the data in the packet). IPSec emerged as a viable network security standard because enterprises wanted to ensure that data could be securely transmitted over the Internet.

IPSec protects against possible security exposures by protecting data while in transit.

IPSec Security Features

IPSec is the most secure method commercially available for connecting network sites. IPSec was designed to provide the following security features when transferring packets across networks:

• Authentication: Verifies that the packet received is actually from the claimed sender.

• Integrity: Ensures that the contents of the packet did not change in transit.

• Confidentiality: Conceals the message content through encryption.

2.6.3 Terms and Definitions

Now that we have discussed the concepts of SG-to-SG VPN connections, we can start addressing the topic in more detail. Here are some definitions and terms that will be used throughout the remainder of the paper.

Encryption - Provides data confidentiality.

Authentication - Provides data integrity.

2.6.4 Internet Protocol Security (IPSec)

A framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer; it uses IKE to handle negotiation of protocols and algorithms based on local policy, and to generate the encryption and authentication keys to be used by IPSec.

2.6.4.1 Internet Security Association and Key Management Protocol (ISAKMP)

This is the framework which defines the mechanics of implementing a key exchange protocol and the negotiation of a security association.

2.6.4.2 Internet Key Exchange protocol (IKE) - Provides authentication of the IPSec peers, negotiates security associations, and establishes IPSec keys.

2.6.4.3 Hashed Message Authentication Code (HMAC) - Combination of a hash algorithm and a secret shared key.

> DES - Data Encryption Standard, used to encrypt packet data. 3DES is no longer the best method of encryption, but is considered reliable and secure.

> MD5 (HMAC variant) - MD5 (Message Digest 5) is a hash algorithm. HMAC is a keyed hash variant used to authenticate data.

> Peer - Refers to the two Cisco routers on either side of the VPN tunnel.

> Security association (SA) - IPSec security association which describes how two or more entities will use security services for a particular data flow. This includes the methods which will be used for encryption and authentication.

> Security Parameter Index (SPI) - This is a number which, combined with an IP address and security protocol, identifies an SA.

> Transform set - Represents a certain combination of security protocols and algorithms that the peers on each end of the tunnel must agree upon before initiating a secure data flow.

2.6.5 Tunnel - A secure communication path between two peers

2.6.5.1 IPSec Tunnelling Mode:

SAs operate using modes. A mode is the method in which the IPSec protocol is applied to the packet. IPSec can be used in tunnel mode or transport mode. Typically, tunnel mode is used for gateway-to-gateway IPSec tunnel protection, while transport mode is used for host-to-host IPSec tunnel protection. A gateway is a device that monitors and manages incoming and outgoing network traffic and routes the traffic accordingly. A host is a device that sends and receives network traffic.

• Transport Mode:

The transport mode IPSec implementation encapsulates only the packet's payload. The processed packet contains the old IP header (with the source and destination IP addresses unchanged) and the processed packet payload. Transport mode does not shield the information in the IP header; therefore, an attacker can learn where the packet is coming from and where it is going to.

• Tunnel Mode:

The tunnel mode IPSec implementation encapsulates the entire IP packet. The entire packet becomes the payload of the packet that is processed with IPSec. A new IP header is created that contains the two IPSec gateway addresses. The gateways perform the encapsulation/decapsulation on behalf of the hosts. Tunnel mode ESP prevents an attacker from analyzing the data and deciphering it, as well as from knowing who the packet is from and where it is going.

Note: AH and ESP can be used in both transport mode and tunnel mode.

IPSec technology presents a way to protect sensitive data that travels across untrusted networks. IPSec is the IETF standard for network layer tunnelling described in RFC 1825 through 1829 [9]. "With IPsec, data can be transmitted across a public network without fear of observation, modification, or spoofing. This enables application intranets, extranet" [10]. IPsec allows the creation of a secure tunnel between two Security Gateways or IPSec compliant routers. Intranets in separate geographic locations can be connected across the Internet. This concept is commonly referred to as transferring data from trusted networks across an untrusted network. IPSec was created to provide the following functionality across the Internet.

• Data Confidentiality: the IPSec sender can encrypt packets before transmitting them across a network.

• Data Integrity: the IPSec receiver can authenticate packets sent by the IPSec sender to ensure that the data has not been altered during transmission.

• Data Origin Authentication: the IPSec receiver can authenticate the source of the IPSec packets sent. This service is dependent upon the data integrity service.

• Anti-Replay: the IPSec receiver can detect and reject replayed packets.

2.6.5.2 Encapsulating Security Payload (ESP):

ESP provides authentication, integrity, and confidentiality, which protect against data tampering and, most importantly, provide message content protection.

IPSec provides an open framework for implementing industry standard algorithms, such as SHA and MD5. The algorithms IPSec uses produce a unique and unforgeable identifier for each packet, which is a data equivalent of a fingerprint. This fingerprint allows the device to determine if a packet has been tampered with. Furthermore, packets that are not authenticated are discarded and not delivered to the intended receiver.

ESP also provides all encryption services in IPSec. Encryption translates a readable message into an unreadable format to hide the message content. The opposite process, called decryption, translates the message content from an unreadable format to a readable message. Encryption/decryption allows only the sender and the authorized receiver to read the data. In addition, ESP has an option to perform authentication, called ESP authentication. Using ESP authentication, ESP provides authentication and integrity for the payload and not for the IP header.

The ESP header is inserted into the packet between the IP header and any subsequent packet contents. However, because ESP encrypts the data, the payload is changed. ESP does not encrypt the ESP header, nor does it encrypt the ESP authentication.

2.6.5.3 Authentication Header (AH):

AH provides authentication and integrity, which protect against data tampering, using the same algorithms as ESP. AH also provides optional anti-replay protection, which protects against unauthorized retransmission of packets. The authentication header is inserted into the packet between the IP header and any subsequent packet contents. The payload is not touched.

Although AH protects the packet's origin, destination, and contents from being tampered with, the identity of the sender and receiver is known. In addition, AH does not protect the data's confidentiality. If data is intercepted and only AH is used, the message contents can be read. ESP protects data confidentiality. For added protection in certain cases, AH and ESP can be used together. In the following table, IP HDR represents the IP header and includes both source and destination IP addresses.
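The per-packet "fingerprint", the rule that unauthenticated packets are discarded, and the anti-replay service described in this section can be seen working together in the following Python receiver. It is an added example, not code from the report: it assumes a simplified ESP-style packet layout (SPI, sequence number, payload, then a 96-bit truncated HMAC-SHA1 ICV as in HMAC-SHA1-96), a 64-packet replay window and a constructed key, and the names InboundSA, make_packet and demo are the example's own.

```python
"""Receiver-side integrity and anti-replay check for an ESP-style packet.

Added example, not code from the report. Packet layout is a simplified ESP:
SPI (4 bytes) | sequence number (4 bytes) | payload | ICV (12 bytes).
The ICV is HMAC-SHA1 truncated to 96 bits (HMAC-SHA1-96); the key below is a
constructed constant, whereas in IPsec it is derived during IKE phase II.
"""
import hashlib
import hmac
import struct

ICV_LEN = 12      # 96-bit truncated HMAC
WINDOW = 64       # anti-replay window, in sequence numbers


def compute_icv(key, data):
    """Keyed 'fingerprint' of the authenticated part of the packet."""
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def make_packet(key, spi, seq, payload):
    """Sender side: SPI | seq | payload, followed by the ICV over all of it."""
    body = struct.pack("!II", spi, seq) + payload
    return body + compute_icv(key, body)


class InboundSA:
    """One inbound security association: key, SPI and replay-window state."""

    def __init__(self, key, spi):
        self.key = key
        self.spi = spi
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set <=> sequence number (top - i) already seen
        self.dropped = []   # (seq, reason) for every rejected packet, for logging

    def _drop(self, seq, reason):
        self.dropped.append((seq, reason))
        return None, reason

    def receive(self, packet):
        """Return (payload, "ok") for an authentic, fresh packet, else (None, reason)."""
        if len(packet) < 8 + ICV_LEN:
            return self._drop(None, "truncated packet")
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = struct.unpack("!II", body[:8])
        if spi != self.spi:
            return self._drop(seq, f"unknown SPI {spi:#x}")
        # Integrity first: a packet that fails the ICV must not be allowed to
        # advance the window, or forged packets could push genuine ones out of it.
        if not hmac.compare_digest(icv, compute_icv(self.key, body)):
            return self._drop(seq, f"bad ICV for seq {seq}")
        if seq == 0:
            return self._drop(seq, "sequence number 0 is never valid")
        if seq > self.top:
            shift = seq - self.top           # slide the window forward
            self.bitmap = (self.bitmap << shift) & ((1 << WINDOW) - 1) if shift < WINDOW else 0
            self.bitmap |= 1
            self.top = seq
        else:
            offset = self.top - seq
            if offset >= WINDOW:
                return self._drop(seq, f"seq {seq} is behind the window (bottom is {self.top - WINDOW + 1})")
            if self.bitmap & (1 << offset):
                return self._drop(seq, f"seq {seq} replayed")
            self.bitmap |= 1 << offset       # late but first-time delivery: accept
        return body[8:], "ok"


def demo():
    """Run the scenarios from the text: reordering, replay and tampering."""
    key = b"constructed-demo-key"           # constructed; IKE supplies this in real IPsec
    spi = 0x1001
    sa = InboundSA(key, spi)
    pkt = {n: make_packet(key, spi, n, b"data%d" % n) for n in range(1, 5)}
    tampered = bytearray(pkt[4])
    tampered[10] ^= 0x01                    # flip one payload bit: the ICV no longer matches
    return [
        sa.receive(pkt[1])[1],              # ok
        sa.receive(pkt[3])[1],              # ok: seq 2 still in flight
        sa.receive(pkt[2])[1],              # ok: late, but inside the window and unseen
        sa.receive(pkt[3])[1],              # replayed
        sa.receive(bytes(tampered))[1],     # bad ICV
        sa.receive(pkt[4])[1],              # ok: the genuine seq 4 is still accepted
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```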

2.6.5.4 Security Association

IPSec introduces the concept of the Security Association (SA). An SA is a logical connection between two devices transferring data. An SA provides data protection for unidirectional traffic by using the defined IPSec protocols. An IPSec tunnel typically consists of two unidirectional SAs, which together provide a protected, full-duplex data channel. The SAs allow an enterprise to control exactly what resources may communicate securely, according to security policy. To do this an enterprise can set up multiple SAs to enable multiple secure VPNs, as well as define SAs within the VPN to support different departments and business partners.

3. SYSTEM ARCHITECTURE

3.0 System Architecture:

Fig-3 : Architecture of IPSec

3.1 MODULES:

IPsec was created to provide the following functionality across the Internet.

• Data Confidentiality: the IPsec sender can encrypt packets before transmitting them across a network.

• Data Integrity: the IPsec receiver can authenticate packets sent by the IPsec sender to ensure that the data has not been altered during transmission.

• Data Origin Authentication: the IPsec receiver can authenticate the source of the IPsec packets sent. This service is dependent upon the data integrity service.

• Anti-Replay: the IPsec receiver can detect and reject replayed packets.

3.2 SOFTWARE AND HARDWARE REQUIREMENTS:

3.2.1 Software Requirements:

Cisco Packet Tracer 5.3

3.2.2 Hardware Requirements:

Cisco Hubs, Wireless Device, Copper Straight-Through Cable, Copper Cross-Over Cable, Fiber Optic Cable, Coaxial Cable.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Windows XP and Windows Server 2003 were used as server and client. This document is also not restricted to specific software and hardware versions.

4. SYSTEM STUDY

4.1 Feasibility Study:

It is a very important aspect of any project report. There is always a chance of manual errors. The cost factor is also there, which depends upon the size of the work.

Feasibility studies aim to objectively and rationally uncover the strengths and weaknesses of the existing business or proposed venture, the opportunities and threats presented by the environment, the resources required to carry it through, and ultimately the prospects for success. In its simplest terms, the two criteria to judge feasibility are the cost required and the value to be attained. As such, a well-designed feasibility study should provide a historical background of the business or project, a description of the product or service, accounting statements, details of the operations and management, marketing research and policies, financial data, legal requirements and tax obligations. Generally, feasibility studies precede technical development and project implementation.

4.1.1 Technical Feasibility:

In the preliminary investigation phase, we examine the feasibility of the project. We find the likelihood that the network which we established will be useful to the organization. We determine whether the solution is viable or not. For this purpose, the analyst clearly establishes the feasibility of each alternative, testing for benefits, costs and other resources.

4.1.2 Behavioral / Operational Feasibility:

For any network which we implement and which is used by an organization, its behavioral nature must be analyzed. This means that if an organization wants to access the Internet on many systems by using only one Internet service provider, then it can be done with the help of NAT.

Operational feasibility is a measure of how well a proposed system solves the problems, takes advantage of the opportunities identified during scope definition, and satisfies the requirements identified in the requirements analysis phase of system development.

4.1.3 Economic Feasibility:

This project does not specify an Internet standard of any kind. Distribution of this project is unlimited. You can use private addresses on your inside networks. Private addresses are not routable on the Internet. NAT hides the local addresses from other networks, so attackers cannot learn the real address of a server in the data center. You can resolve IP routing problems such as overlapping addresses when you have two interfaces connected to overlapping subnets.

Economic analysis is the most frequently used method for evaluating the effectiveness of a new system. More commonly known as cost/benefit analysis, the procedure is to determine the benefits and savings that are expected from a candidate system and compare them with the costs. If the benefits outweigh the costs, then the decision is made to design and implement the system. An entrepreneur must accurately weigh the costs versus the benefits before taking an action.

5. SYSTEM DESIGN

5.1.1 Introduction to DFD Diagrams:

The Data Flow Diagram is a graphic tool used for expressing system requirements in a graphical form. The DFD, also known as the "bubble chart", has the purpose of clarifying system requirements and identifying the major transformations that are to become programs in system design.

Thus the DFD can be stated as the starting point of the design phase that functionally decomposes the requirements specification down to the lowest level of detail.

The DFD consists of a series of bubbles joined by lines. The bubbles represent data transformations and the lines represent data flows in the system. A DFD describes what the data flows are rather than how they are processed, so it does not depend on hardware, software, data structure or file organization.

5.2 At Source IP address:

5.1 Incoming Packet

Fig 5.1 : At source IP Address.

5.3 At receiving IP Address

Source Application:

Fig 5.1 : DFD for Source IP address

At the receiving end:

Fig. 5.2 – Packet receiving from the Source IP address.

6. SYSTEM IMPLEMENTATION

6.1 ALGORITHMS USED:

6.1.1 MD5:

The MD5 Message-Digest Algorithm is a widely used cryptographic hash function that produces a 128-bit (16-byte) hash value. Specified in RFC 1321, MD5 has been utilized in a wide variety of security applications, and is also commonly used to check data integrity. MD5 was designed by Ron Rivest in 1991 to replace an earlier hash function, MD4. An MD5 hash is typically expressed as a hexadecimal number, 32 digits long.

However, it has since been shown that MD5 is not collision resistant; as such, MD5 is not suitable for applications like SSL certificates or digital signatures that rely on this property. In 1996, a flaw was found in the design of MD5, and while it was not a clearly fatal weakness, cryptographers began recommending the use of other algorithms, such as SHA-1 (which has since been found to be vulnerable as well). In 2004, more serious flaws were discovered in MD5, making further use of the algorithm for security purposes questionable; specifically, a group of researchers described how to create a pair of files that share the same MD5 checksum. Further advances were made in breaking MD5 in 2005, 2006, and 2007. In December 2008, a group of researchers used this technique to fake SSL certificate validity, and the CMU Software Engineering Institute now says that MD5 "should be considered cryptographically broken and unsuitable for further use"; most U.S. government applications now require the SHA-2 family of hash functions.

6.1.2 SHA (SECURE HASH ALGORITHM):

In cryptography, SHA-1 is a cryptographic hash function designed by the United States National Security Agency and published by the United States NIST as a U.S. Federal Information Processing Standard. SHA stands for "secure hash algorithm". The four SHA algorithms are structured differently and are distinguished as SHA-0, SHA-1, SHA-2, and SHA-3. SHA-1 is very similar to SHA-0, but corrects an error in the original SHA hash specification that led to significant weaknesses. The SHA-0 algorithm was not adopted by many applications. SHA-2, on the other hand, differs significantly from the SHA-1 hash function.

SHA-1 is the most widely used of the existing SHA hash functions, and is employed in several widely used applications and protocols.

In 2005, cryptanalysts found attacks on SHA-1 suggesting that the algorithm might not be secure enough for ongoing use. NIST required many applications in federal agencies to move to SHA-2 after 2010 because of the weakness. Although no successful attacks have yet been reported on SHA-2, they are algorithmically similar to SHA-1. In 2012, following a long-running competition, NIST selected an additional algorithm, Keccak, for standardization as SHA-3.

Algorithm and variant | Output size (bits) | Internal state size (bits) | Block size (bits) | Max message size (bits) | Word size (bits) | Rounds | Operations | Collisions found?
----------------------|--------------------|----------------------------|-------------------|-------------------------|------------------|--------|------------|------------------
SHA-0 | 160 | 160 | 512 | 2^64 - 1 | 32 | 80 | add, and, or, xor, rotate, mod | Yes
SHA-1 | 160 | 160 | 512 | 2^64 - 1 | 32 | 80 | add, and, or, xor, rotate, mod | Theoretical attack (2^51) [6]
SHA-2 (SHA-256/224) | 256/224 | 256 | 512 | 2^64 - 1 | 32 | 64 | add, and, or, xor, rotate, mod, shift | No
SHA-2 (SHA-512/384) | 512/384 | 512 | 1024 | 2^128 - 1 | 64 | 80 | add, and, or, xor, rotate, mod, shift | No

Table-6.1.2: Details about SHA-0, SHA-1, SHA-2

6.1.3 MD5 VS SHA:

MD5 has been cryptographically broken for quite some time now. This basically means that some of the properties usually guaranteed by hash algorithms no longer hold. For example, it is possible to find hash collisions in much less time than the output length would suggest. SHA-512 (one of the SHA-2 family of hash functions) is, for now, secure enough, but possibly not for much longer; that is why NIST started a contest for SHA-3. Generally, you want hash algorithms to be one-way functions. They map some input to some output. Usually the output is of a fixed length, thereby providing a "digest" of the original input. However, flaws in design or implementation often result in reduced complexity for attacks. Once those are known, it is time to evaluate whether the hash function should still be used. If the attack complexity drops far enough, practical attacks easily get within the range of people without specialized computing equipment.

6.2 ROUTER CONFIGURATION:

Fig 6.1: Routers configuration AT RTTC, Hyderabad

6.2.1 INITIAL CONFIGURATION AT TRIPURA

Router> (User Mode)

Router>enable

Router# (Privilege Mode)

Router# configure terminal

Router(config)# (Global Configuration Mode)

Router(config)# hostname TRIPURA

Configuration for assigning an IP address to Fastethernet interface

TRIPURA(config)# interface fastethernet 0/0

TRIPURA(config-if)# (Interface Configuration Mode)

TRIPURA(config-if)# ip address 192.168.4.49 255.255.255.240

TRIPURA(config-if)# no shutdown

TRIPURA(config-if)# exit

Configuration for setting a TELNET session and password

TRIPURA(config)# line vty 0 4

TRIPURA(config-line)# (Line Configuration Mode)

TRIPURA(config-line)# password cisco

TRIPURA(config-line)# login

TRIPURA(config-line)# exit

Configuration for setting a CONSOLE password

TRIPURA(config)# line con 0

TRIPURA(config-line)# password cisco

TRIPURA(config-line)# login

TRIPURA(config-line)# exit

Configuration for setting a ENABLE password

TRIPURA(config)# enable password cisco

TRIPURA(config)# exit

Configuration of an IP address to the serial interface

TRIPURA(config)#interface serial 0/1/0

TRIPURA(config-if)# ip address 192.168.4.82 255.255.255.252

TRIPURA(config-if)# no shutdown

TRIPURA(config-if)# encapsulation ppp

TRIPURA(config-if)# ^Z

TRIPURA# wr ( for saving the configuration )

6.2.2 INITIAL CONFIGURATION OF SHILLONG

SHILLONG

Router> (User Mode)

Router>enable

Router# (Privilege Mode)

Router# config terminal

Router(config)# (Global Configuration Mode)

Router(config)# hostname SHILLONG

Configuration for assigning an IP address to Fastethernet interface

SHILLONG(config)# interface fastethernet 0/0

SHILLONG(config-if)# (Interface Configuration Mode)

SHILLONG(config-if)# ip address 192.168.4.33 255.255.255.240

SHILLONG(config-if)# no shutdown

SHILLONG(config-if)# exit

Configuration for setting a TELNET session and password

SHILLONG(config)# line vty 0 15

SHILLONG(config-line)# (Line Configuration Mode)

SHILLONG(config-line)# password 0 cisco

SHILLONG(config-line)# login

SHILLONG(config-line)# exit

Configuration for setting a CONSOLE password

SHILLONG(config)# line con 0

SHILLONG(config-line)# password 0 cisco

SHILLONG(config-line)# login

SHILLONG(config-line)# exit

Configuration for setting a ENABLE password

SHILLONG(config)# enable password cisco

SHILLONG(config)# exit

Configuration of an IP address to the serial interface

SHILLONG(config)#interface serial 0/0/0

SHILLONG(config-if)# ip address 192.168.4.94 255.255.255.252

SHILLONG(config-if)# no shutdown

SHILLONG(config-if)# encapsulation ppp

SHILLONG(config-if)# exit

SHILLONG(config)#

6.2.3 INITIAL CONFIGURATION OF CALCUTTA

CALCUTTA

Router> (User Mode)

Router>enable

Router# (Privilege Mode)

Router# config terminal

Router(config)# (Global Configuration Mode)

Router(config)# hostname CALCUTTA

Configuration for assigning an IP address to Fastethernet interface

CALCUTTA(config)# interface fastethernet 0/0

CALCUTTA(config-if)# (Interface Configuration Mode)

CALCUTTA(config-if)# ip address 192.168.4.17 255.255.255.240

CALCUTTA(config-if)# no shutdown

CALCUTTA(config-if)# exit

Configuration for setting a TELNET session and password

CALCUTTA(config)# line vty 0 15

CALCUTTA(config-line)# (Line Configuration Mode)

CALCUTTA(config-line)# password 0 cisco

CALCUTTA(config-line)# login

CALCUTTA(config-line)# exit

Configuration for setting a CONSOLE password

CALCUTTA(config)# line con 0

CALCUTTA(config-line)# password 0 cisco

CALCUTTA(config-line)# login

CALCUTTA(config-line)# exit

Configuration for setting a ENABLE password

CALCUTTA(config)# enable password cisco

CALCUTTA(config)# exit

Configuration of an IP address to the serial interface

CALCUTTA(config)#interface serial 0/1/0

CALCUTTA(config-if)# ip address 192.168.4.93 255.255.255.252

CALCUTTA(config-if)# no shutdown

CALCUTTA(config-if)# encapsulation ppp

CALCUTTA(config-if)# exit

CALCUTTA(config)#interface serial 0/1/1

CALCUTTA(config-if)# ip address 192.168.4.81 255.255.255.252

CALCUTTA(config-if)# no shutdown

CALCUTTA(config-if)# encapsulation ppp

CALCUTTA(config-if)# ^Z

CALCUTTA# wr (save the configuration)

6.3 Configuration of Open Shortest Path First (OSPF) in IPv4 domain

Fig 6.2 Configuration of OSPF in IPv4 domain on

SHILLONG,TRIPURA& CALCUTTA Routers considering the area as

Back bone area (Area 0)

CALCUTTA # configure terminal

CALCUTTA (config)# ip routing

CALCUTTA (config)# router ospf 10

CALCUTTA (config-router)# network 192.168.4.16 0.0.0.15 area 0

CALCUTTA (config-router)# network 192.168.4.92 0.0.0.3 area 0

CALCUTTA (config-router)# network 192.168.4.80 0.0.0.3 area 0

CALCUTTA (config-router)#^Z

CALCUTTA#wr (save the configuration)

SHILLONG(config)#ip routing

SHILLONG (config)#router ospf 10

SHILLONG (config-router)#network 192.168.4.32 0.0.0.15 area 0

SHILLONG (config-router)#network 192.168.4.92 0.0.0.3 area 0

SHILLONG (config-router)#^Z

SHILLONG# wr (save the configuration)

TRIPURA#configure terminal

TRIPURA (config)#ip routing

TRIPURA (config)#router ospf 10

TRIPURA (config-router)#network 192.168.4.48 0.0.0.15 area 0

TRIPURA (config-router)#network 192.168.4.80 0.0.0.3 area 0

TRIPURA (config-router)#^Z

TRIPURA # wr (save the configuration)

Show commands @ Any router for checking the OSPF process

ROUTER#sh ip route (Display the Routing table)

ROUTER#sh ip ospf neighbor (Display the Neighbor information)

ROUTER#sh ip ospf database (Display the OSPF database)

Also check the connectivity using "ping" commands to the interface IPv4 addresses, and end-to-end connectivity from a PC in one router's LAN to a PC in the other router's LAN.
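The addressing rule stated earlier (address sets must be separate and must not overlap) and the OSPF network statements above can be checked mechanically before the routers are touched. The following Python script is an added example, not part of the report: it embeds the TRIPURA, SHILLONG and CALCUTTA interface addresses and OSPF statements from sections 6.2 and 6.3 as constructed input, and the function names are the example's own.

```python
"""Check an IPv4 addressing and OSPF plan for the mistakes the report warns about.

Added example, not part of the report. INTERFACES and OSPF_NETWORKS are
constructed from the TRIPURA, SHILLONG and CALCUTTA configurations in 6.2/6.3.
"""
import ipaddress
from collections import defaultdict

# Constructed from section 6.2: router -> {interface: "address netmask"}
INTERFACES = {
    "TRIPURA": {
        "fa0/0": "192.168.4.49 255.255.255.240",
        "s0/1/0": "192.168.4.82 255.255.255.252",
    },
    "SHILLONG": {
        "fa0/0": "192.168.4.33 255.255.255.240",
        "s0/0/0": "192.168.4.94 255.255.255.252",
    },
    "CALCUTTA": {
        "fa0/0": "192.168.4.17 255.255.255.240",
        "s0/1/0": "192.168.4.93 255.255.255.252",
        "s0/1/1": "192.168.4.81 255.255.255.252",
    },
}

# Constructed from section 6.3: router -> [(network, wildcard, area), ...]
OSPF_NETWORKS = {
    "CALCUTTA": [("192.168.4.16", "0.0.0.15", 0),
                 ("192.168.4.92", "0.0.0.3", 0),
                 ("192.168.4.80", "0.0.0.3", 0)],
    "SHILLONG": [("192.168.4.32", "0.0.0.15", 0),
                 ("192.168.4.92", "0.0.0.3", 0)],
    "TRIPURA": [("192.168.4.48", "0.0.0.15", 0),
                ("192.168.4.80", "0.0.0.3", 0)],
}


def parse_interface(spec):
    """'a.b.c.d m.m.m.m' -> IPv4Interface. The network and broadcast addresses are
    rejected, as IOS itself rejects them on an interface."""
    addr, mask = spec.split()
    iface = ipaddress.IPv4Interface(f"{addr}/{mask}")
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{addr} is not a usable host address in {net}")
    return iface


def wildcard_to_network(network, wildcard):
    """Convert an IOS 'network <addr> <wildcard>' pair into an IPv4Network.
    A wildcard of 0.0.0.15 means the low 4 bits are 'don't care', i.e. a /28."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:                       # only contiguous wildcards are handled here
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    prefix = 32 - wc.bit_length()
    return ipaddress.IPv4Network(f"{network}/{prefix}", strict=False)


def check_plan(interfaces=INTERFACES, ospf=OSPF_NETWORKS):
    """Return a list of problems found in the plan; an empty list means it is consistent."""
    problems = []
    members = defaultdict(list)             # subnet -> [(router, interface, ip)]
    for router, ifaces in interfaces.items():
        advertised = [wildcard_to_network(n, w) for n, w, _area in ospf.get(router, [])]
        for name, spec in ifaces.items():
            try:
                iface = parse_interface(spec)
            except ValueError as err:
                problems.append(f"{router} {name}: {err}")
                continue
            members[iface.network].append((router, name, iface.ip))
            if not any(iface.ip in net for net in advertised):
                problems.append(f"{router} {name} ({iface}) is not covered by any OSPF network statement")
    # Distinct subnets must not overlap: that is the "separate and distinct"
    # address sets the report calls for, and overlapping ones break routing.
    subnets = list(members)
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"subnets {a} and {b} overlap")
    for net, ends in members.items():
        ips = [ip for _r, _n, ip in ends]
        if len(ips) != len(set(ips)):
            problems.append(f"duplicate address in {net}: {sorted(map(str, ips))}")
        if net.prefixlen == 30 and len(ends) != 2:
            problems.append(f"point-to-point link {net} has {len(ends)} configured end(s), expected 2")
    return problems


if __name__ == "__main__":
    for line in check_plan() or ["addressing plan is consistent"]:
        print(line)
```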

6.4 Configuration of NMREC- Engineering, NMREC-Jr. College and

NMREC-School network on IPv4

Fig 6.3 : NMREC- Engineering, NMREC-Jr. College and NMREC-School

network on IPv4 .

6.4.1 INITIAL CONFIGURATION AT NMREC

Router> (User Mode)

Router>enable

Router# (Privilege Mode)

Router# configure terminal

Router(config)# (Global Configuration Mode)

Router(config)# hostname NMREC

Configuration for assigning an IP address to Fastethernet interface

NMREC(config)# interface fastethernet 0/0

NMREC(config-if)# (Interface Configuration Mode)

NMREC(config-if)# ip address 192.168.1.1 255.255.255.0 (192.168.1.0 is the network address and is rejected by IOS; a host address is required)

NMREC(config-if)# no shutdown

NMREC(config-if)# exit

Configuration for setting a TELNET session and password

NMREC(config)# line vty 0 4

NMREC(config-line)# (Line Configuration Mode)

NMREC(config-line)# password cisco

NMREC(config-line)# login

NMREC(config-line)# exit

Configuration for setting a CONSOLE password

NMREC(config)# line con 0

NMREC(config-line)# password cisco

NMREC(config-line)# login

NMREC(config-line)# exit

Configuration for setting a ENABLE password

NMREC(config)# enable password cisco

NMREC(config)# exit

Configuration of an IP address to the serial interface

NMREC(config)#interface serial 0/0/0

NMREC(config-if)# ip address 192.168.6.1 255.255.255.252

NMREC(config-if)# no shutdown

NMREC(config-if)# encapsulation ppp

NMREC(config-if)# ^Z

NMREC# wr ( for saving the configuration )

6.4.2 INITIAL CONFIGURATION OF NMREC-JR. COLLEGE

NMREC-JR. COLLEGE

Router> (User Mode)

Router>enable

Router# (Privilege Mode)

Router# config terminal

Router(config)# (Global Configuration Mode)

Router(config)# hostname NMREC-JR. COLLEGE

Configuration for assigning an IP address to Fastethernet interface

NMREC-JR. COLLEGE(config)# interface fastethernet 0/0

NMREC-JR. COLLEGE(config-if)# (Interface Configuration Mode)

NMREC-JR. COLLEGE(config-if)# ip address 192.168.2.1 255.255.255.0

NMREC-JR. COLLEGE(config-if)# no shutdown

NMREC-JR. COLLEGE(config-if)# exit

Configuration of an IP address to the serial interface

NMREC-JR. COLLEGE(config)#interface serial 0/1/0

NMREC-JR. COLLEGE(config-if)# ip address 192.168.6.2 255.255.255.252

NMREC-JR. COLLEGE(config-if)# no shutdown

NMREC-JR. COLLEGE(config-if)# encapsulation ppp

NMREC-JR. COLLEGE(config-if)# ^Z

NMREC-JR. COLLEGE# wr ( for saving the configuration )

NMREC-JR. COLLEGE(config)#interface serial 0/1/1

NMREC-JR. COLLEGE(config-if)# ip address 192.168.6.5 255.255.255.252

NMREC-JR. COLLEGE(config-if)# no shutdown

NMREC-JR. COLLEGE(config-if)# encapsulation ppp

NMREC-JR. COLLEGE(config-if)# ^Z

NMREC-JR. COLLEGE# wr (saves the configuration)

6.4.3 INITIAL CONFIGURATION OF NMREC-SCHOOL

NMREC-SCHOOL

Router> (User Mode)

Router>enable

Router# (Privilege Mode)

Router# config terminal

Router(config)# (Global Configuration Mode)

Router(config)# hostname NMREC-SCHOOL

Configuration for assigning an IP address to Fastethernet interface

NMREC-SCHOOL(config)# interface fastethernet 0/0

NMREC-SCHOOL(config-if)# (Interface Configuration Mode)

NMREC-SCHOOL(config-if)# ip address 192.168.3.1 255.255.255.0

NMREC-SCHOOL(config-if)# no shutdown

NMREC-SCHOOL(config-if)# exit

Configuration for setting a TELNET session and password

NMREC-SCHOOL(config)# line vty 0 15

NMREC-SCHOOL(config-line)# (Line Configuration Mode)

NMREC-SCHOOL(config-line)# password 0 cisco

NMREC-SCHOOL(config-line)# login

NMREC-SCHOOL(config-line)# exit


Configuration for setting a CONSOLE password

NMREC-SCHOOL(config)# line con 0

NMREC-SCHOOL(config-line)# password 0 cisco

NMREC-SCHOOL(config-line)# login

NMREC-SCHOOL(config-line)# exit

Configuration for setting an ENABLE password

NMREC-SCHOOL(config)# enable password cisco

NMREC-SCHOOL(config)# exit

Configuration of an IP address to the serial interface

NMREC-SCHOOL(config)#interface serial 0/2/0

NMREC-SCHOOL(config-if)# ip address 192.168.6.6 255.255.255.252

NMREC-SCHOOL(config-if)# no shutdown

NMREC-SCHOOL(config-if)# encapsulation ppp

NMREC-SCHOOL(config-if)# exit

NMREC-SCHOOL(config)#interface serial 0/2/1

NMREC-SCHOOL(config-if)# ip address 192.168.6.9 255.255.255.252

NMREC-SCHOOL(config-if)# no shutdown

NMREC-SCHOOL(config-if)# encapsulation ppp

NMREC-SCHOOL(config-if)# ^Z

NMREC-SCHOOL# wr (saves the configuration)
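The line and enable passwords entered above are stored in a form that anyone who can read the running-config can read too: `enable password` is not hashed, `password 0` means Type 0 (clear text), and nothing restricts the vty lines to SSH. The following Python script is an added example (not part of this report or of Cisco IOS) that audits a running-config for those weaknesses; its input is constructed from the NMREC-SCHOOL commands above, not captured from the lab.

```python
"""Audit an IOS running-config for weak management-plane credentials."""

# Constructed from the NMREC-SCHOOL commands entered above (not a capture
# from the lab): Type 0 line passwords, a clear-text enable password and no
# `service password-encryption`.
SAMPLE_CONFIG = """\
hostname NMREC-SCHOOL
!
enable password cisco
!
interface FastEthernet0/0
 ip address 192.168.3.1 255.255.255.0
!
line con 0
 password 0 cisco
 login
line vty 0 15
 password 0 cisco
 login
!
end
"""


def iter_sections(config_text):
    """Yield (header, body_lines) for each top-level block: an unindented
    line opens a block, indented lines below it belong to that block."""
    header, body = None, []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" "):
            body.append(raw.strip())
            continue
        if header is not None:
            yield header, body
        header, body = raw.strip(), []
    if header is not None:
        yield header, body


def audit_line(header, body):
    """Findings for one `line con|aux|vty ...` block."""
    findings = []
    passwords = [b for b in body if b.startswith("password")]
    if "login" in body and not passwords:
        # IOS then refuses the session with "Password required, but none set".
        findings.append(("high", f"{header}: login set but no password configured"))
    for pw in passwords:
        parts = pw.split()
        # `password cisco` and `password 0 cisco` are both stored in clear;
        # only an explicit leading 7 marks a (weakly) obfuscated Type 7 value.
        type_tag = parts[1] if len(parts) >= 3 and parts[1] in ("0", "7") else "0"
        if type_tag == "0":
            findings.append(("high", f"{header}: plaintext (Type 0) password"))
        else:
            findings.append(("medium", f"{header}: Type 7 password (trivially reversible)"))
    if header.startswith("line vty") and not any(b.startswith("transport input ssh") for b in body):
        findings.append(("medium", f"{header}: no 'transport input ssh'; Telnet may be accepted"))
    return findings


def audit_credentials(config_text):
    """Return [(severity, message)] for the whole running-config."""
    findings = []
    flat = [raw.strip() for raw in config_text.splitlines()]
    has_enable_pw = any(l.startswith("enable password ") for l in flat)
    has_enable_secret = any(l.startswith("enable secret ") for l in flat)
    if has_enable_pw and not has_enable_secret:
        findings.append(("high", "enable password used without enable secret (hashed)"))
    if "service password-encryption" not in flat:
        findings.append(("medium", "service password-encryption not set; Type 0 passwords stay readable"))
    for header, body in iter_sections(config_text):
        if header.startswith("line "):
            findings.extend(audit_line(header, body))
    return findings


if __name__ == "__main__":
    for severity, message in audit_credentials(SAMPLE_CONFIG):
        print(f"[{severity:6}] {message}")
```

Running it against the sample reports five findings; a config using `enable secret`, `service password-encryption`, `login local` and `transport input ssh` on the vty lines clears all but the Type 7 warning.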

6.5 ROUTING

6.5.1 Static Routing

IPV4:

Router(config)# ip route <destination network ID> <destination subnet mask> <exit interface type><interface number> [permanent]

Static routing for NMREC, NMREC-JR. COLLEGE and NMREC-SCHOOL


Fig 6.4: An Example of Static Routing

6.5.1.1 Configuring at NMREC-ENGG:

Input commands: (IPV4)

NMREC(config)#ip route 192.168.2.0 255.255.255.0 Serial0/0/0

NMREC(config)# ip route 192.168.3.0 255.255.255.0 Serial0/0/0

NMREC(config)# ip route 192.168.4.0 255.255.255.0 Serial0/0/0

NMREC(config)# ip route 192.168.5.0 255.255.255.0 Serial0/0/0

NMREC(config)# ip route 192.168.6.4 255.255.255.252 Serial0/0/0

NMREC(config)# ip route 192.168.6.8 255.255.255.252 Serial0/0/0

NMREC(config)# ip route 192.168.6.12 255.255.255.252 Serial0/0/0

NMREC(config)#exit

NMREC# wr

Output results:

interface Serial0/0/0


ip address 192.168.6.1 255.255.255.252

encapsulation ppp

ipv6 address FD00:0:0:F1::1/64

clock rate 500000

!

interface Serial0/0/1

no ip address

shutdown

!

interface Vlan1

no ip address

shutdown

!

ip classless

ip route 192.168.2.0 255.255.255.0 Serial0/0/0

ip route 192.168.3.0 255.255.255.0 Serial0/0/0

ip route 192.168.4.0 255.255.255.0 Serial0/0/0

ip route 192.168.5.0 255.255.255.0 Serial0/0/0

ip route 192.168.6.4 255.255.255.252 Serial0/0/0

ip route 192.168.6.8 255.255.255.252 Serial0/0/0

ip route 192.168.6.12 255.255.255.252 Serial0/0/0

!

ipv6 route FD00:0:0:2::/64 Serial0/0/0

ipv6 route FD00:0:0:3::/64 Serial0/0/0

ipv6 route FD00:0:0:4::/64 Serial0/0/0

ipv6 route FD00:0:0:5::/64 Serial0/0/0

ipv6 route FD00:0:0:F2::/64 Serial0/0/0

ipv6 route FD00:0:0:F3::/64 Serial0/0/0

ipv6 route FD00:0:0:F4::/64 Serial0/0/0

Verification commands:

NMREC#show ip route (ipv4)

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2


E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is not set

C 192.168.1.0/24 is directly connected, FastEthernet0/0

S 192.168.2.0/24 is directly connected, Serial0/0/0

S 192.168.3.0/24 is directly connected, Serial0/0/0

S 192.168.4.0/24 is directly connected, Serial0/0/0

S 192.168.5.0/24 is directly connected, Serial0/0/0

192.168.6.0/30 is subnetted, 4 subnets

C 192.168.6.0 is directly connected, Serial0/0/0

S 192.168.6.4 is directly connected, Serial0/0/0

S 192.168.6.8 is directly connected, Serial0/0/0

S 192.168.6.12 is directly connected, Serial0/0/0

6.5.1.2 NMREC-JR. COLLEGE:

Input commands: (IPV4)

NMREC-JR.COLLEGE(config)#ip route 192.168.1.0 255.255.255.0 Serial0/1/0

NMREC-JR.COLLEGE(config)#ip route 192.168.3.0 255.255.255.0 Serial0/1/1

NMREC-JR.COLLEGE(config)#ip route 192.168.4.0 255.255.255.0 Serial0/1/1

NMREC-JR.COLLEGE(config)#ip route 192.168.5.0 255.255.255.0 Serial0/1/1

NMREC-JR.COLLEGE(config)#ip route 192.168.6.8 255.255.255.252 Serial0/1/1

NMREC-JR.COLLEGE(config)#ip route 192.168.6.12 255.255.255.252 Serial0/1/1

NMREC-JR.COLLEGE(config)#exit

NMREC-JR.COLLEGE#wr


Output results:

interface Serial0/1/0

ip address 192.168.6.2 255.255.255.252

encapsulation ppp

ipv6 address FD00:0:0:F1::2/64

!

interface Serial0/1/1

ip address 192.168.6.5 255.255.255.252

encapsulation ppp

ipv6 address FD00:0:0:F2::1/64

clock rate 125000

!

interface Vlan1

no ip address

shutdown

!

ip classless

ip route 192.168.1.0 255.255.255.0 Serial0/1/0

ip route 192.168.3.0 255.255.255.0 Serial0/1/1

ip route 192.168.4.0 255.255.255.0 Serial0/1/1

ip route 192.168.5.0 255.255.255.0 Serial0/1/1

ip route 192.168.6.8 255.255.255.252 Serial0/1/1

ip route 192.168.6.12 255.255.255.252 Serial0/1/1

!

ipv6 route FD00:0:0:1::/64 Serial0/1/0

ipv6 route FD00:0:0:3::/64 Serial0/1/1

ipv6 route FD00:0:0:4::/64 Serial0/1/1

ipv6 route FD00:0:0:5::/64 Serial0/1/1

ipv6 route FD00:0:0:F3::/64 Serial0/1/1

ipv6 route FD00:0:0:F4::/64 Serial0/1/1

Verification commands:

NMREC-JR. COLLEGE#show ip route (ipv4)


Results:

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is not set

S 192.168.1.0/24 is directly connected, Serial0/1/0

C 192.168.2.0/24 is directly connected, FastEthernet0/0

S 192.168.3.0/24 is directly connected, Serial0/1/1

S 192.168.4.0/24 is directly connected, Serial0/1/1

S 192.168.5.0/24 is directly connected, Serial0/1/1

192.168.6.0/30 is subnetted, 4 subnets

C 192.168.6.0 is directly connected, Serial0/1/0

C 192.168.6.4 is directly connected, Serial0/1/1

S 192.168.6.8 is directly connected, Serial0/1/1

S 192.168.6.12 is directly connected, Serial0/1/1

6.5.1.3 CONFIGURING AT NMREC-SCHOOL

Input commands: (IPV4)

NMREC-SCHOOL(config)#ip route 192.168.4.0 255.255.255.240 Serial0/2/1

NMREC-SCHOOL(config)#ip route 192.168.2.0 255.255.255.240 Serial0/2/0

NMREC-SCHOOL(config)#ip route 192.168.1.0 255.255.255.240 Serial0/2/0

NMREC-SCHOOL(config)#ip route 192.168.5.0 255.255.255.240 Serial0/2/1

NMREC-SCHOOL(config)#ip route 192.168.6.0 255.255.255.252 Serial0/2/0

NMREC-SCHOOL(config)#ip route 192.168.6.12 255.255.255.252 Serial0/2/1

NMREC-SCHOOL(config)#exit

NMREC-SCHOOL#wr


Output results:

interface FastEthernet0/0

ip address 192.168.3.1 255.255.255.0

duplex auto

speed auto

ipv6 address FD00:0:0:3::1/64

!

interface FastEthernet0/1

no ip address

duplex auto

speed auto

shutdown

!

interface Serial0/2/0

ip address 192.168.6.6 255.255.255.252

encapsulation ppp

ipv6 address FD00:0:0:F2::2/64

!

interface Serial0/2/1

ip address 192.168.6.9 255.255.255.252

encapsulation ppp

ipv6 address FD00:0:0:F3::1/64

clock rate 125000

!

interface Vlan1

no ip address

shutdown

!

ip classless

ip route 192.168.2.0 255.255.255.240 Serial0/2/0

ip route 192.168.4.0 255.255.255.240 Serial0/2/1

ip route 192.168.1.0 255.255.255.240 Serial0/2/0

ip route 192.168.5.0 255.255.255.240 Serial0/2/1

ip route 192.168.6.0 255.255.255.252 Serial0/2/0

ip route 192.168.6.12 255.255.255.252 Serial0/2/1

!


ipv6 route FD00:0:0:2::/64 Serial0/2/0

ipv6 route FD00:0:0:1::/64 Serial0/2/0

ipv6 route FD00:0:0:4::/64 Serial0/2/1

ipv6 route FD00:0:0:5::/64 Serial0/2/1

ipv6 route FD00:0:0:F1::/64 Serial0/2/0

ipv6 route FD00:0:0:F4::/64 Serial0/2/1

Verification commands:

NMREC-SCHOOL#show ip route (ipv4)

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is not set

192.168.1.0/28 is subnetted, 1 subnets

S 192.168.1.0 is directly connected, Serial0/2/0

192.168.2.0/28 is subnetted, 1 subnets

S 192.168.2.0 is directly connected, Serial0/2/0

C 192.168.3.0/24 is directly connected, FastEthernet0/0

192.168.4.0/28 is subnetted, 1 subnets

S 192.168.4.0 is directly connected, Serial0/2/1

192.168.5.0/28 is subnetted, 1 subnets

S 192.168.5.0 is directly connected, Serial0/2/1

192.168.6.0/30 is subnetted, 4 subnets

S 192.168.6.0 is directly connected, Serial0/2/0

C 192.168.6.4 is directly connected, Serial0/2/0

C 192.168.6.8 is directly connected, Serial0/2/1

S 192.168.6.12 is directly connected, Serial0/2/1
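A static route only carries traffic for the addresses its mask covers. The 255.255.255.240 masks entered at NMREC-SCHOOL above leave 192.168.1.16 through 192.168.1.255 (and the same range in each of the other /24 LANs) without a route, which is exactly what the `/28 is subnetted` lines in its routing table show; the ping tests that follow succeed only because the router addresses end in .1. The Python check below is an added example, not part of this report: it parses the `ip route` commands from 6.5.1.3, compares them with the /24 LANs and /30 links configured on the three routers, and emits corrected commands for every LAN that is only partly covered.

```python
"""Check that each static route covers the LAN it is meant to reach."""
import ipaddress
import re

# The NMREC-SCHOOL `ip route` commands from 6.5.1.3 (constructed input).
SCHOOL_STATIC_ROUTES = """\
ip route 192.168.2.0 255.255.255.240 Serial0/2/0
ip route 192.168.4.0 255.255.255.240 Serial0/2/1
ip route 192.168.1.0 255.255.255.240 Serial0/2/0
ip route 192.168.5.0 255.255.255.240 Serial0/2/1
ip route 192.168.6.0 255.255.255.252 Serial0/2/0
ip route 192.168.6.12 255.255.255.252 Serial0/2/1
"""

# Destinations NMREC-SCHOOL must reach: the remote /24 LANs routed in the
# other two routers' tables and the two /30 WAN links it is not attached to.
INTENDED_PREFIXES = [ipaddress.IPv4Network(p) for p in (
    "192.168.1.0/24", "192.168.2.0/24", "192.168.4.0/24",
    "192.168.5.0/24", "192.168.6.0/30", "192.168.6.12/30")]

ROUTE_RE = re.compile(
    r"^\s*ip route (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)\s*$")


def parse_static_routes(config_text):
    """Return [(IPv4Network, exit_interface_or_next_hop)] for every
    `ip route <dest> <mask> <via>` line; other lines are ignored."""
    routes = []
    for line in config_text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            dest, mask, via = m.groups()
            # strict=False tolerates host bits in <dest> (IOS itself rejects
            # an inconsistent address/mask, so this only matters for drafts).
            routes.append((ipaddress.IPv4Network(f"{dest}/{mask}", strict=False), via))
    return routes


def check_coverage(routes, intended):
    """Return [(lan, partial_routes, unrouted_address_count)] for every
    intended prefix that no single static route (exact, supernet or
    default) fully covers."""
    findings = []
    for lan in intended:
        if any(lan.subnet_of(net) for net, _ in routes):
            continue
        partial = [net for net, _ in routes if net.subnet_of(lan)]
        unrouted = lan.num_addresses - sum(n.num_addresses for n in partial)
        findings.append((lan, partial, unrouted))
    return findings


def corrected_commands(routes, findings):
    """Re-emit each too-narrow route with the LAN's real mask, keeping the
    exit interface the administrator chose for the partial route."""
    commands = []
    for lan, partial, _ in findings:
        exits = sorted({via for net, via in routes if net in partial})
        for via in exits:
            commands.append(f"ip route {lan.network_address} {lan.netmask} {via}")
    return commands


if __name__ == "__main__":
    routes = parse_static_routes(SCHOOL_STATIC_ROUTES)
    findings = check_coverage(routes, INTENDED_PREFIXES)
    for lan, partial, unrouted in findings:
        print(f"{lan}: covered only by {[str(p) for p in partial]}, "
              f"{unrouted} addresses have no route")
    print("\n".join(corrected_commands(routes, findings)))
```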


Ping commands:

Pinging from NMREC router to NMREC-JR. COLLEGE router

NMREC#ping 192.168.2.1 (ipv4)

Result:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 3/27/121 ms

Pinging from NMREC router to NMREC-SCHOOL router

NMREC#ping 192.168.3.1 (ipv4)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 47/62/109 ms.

Pinging from NMREC-JR. COLLEGE router to NMREC router

NMREC-JR. COLLEGE#ping 192.168.1.1 (ipv4)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 31/31/32 ms


Pinging from NMREC-JR. COLLEGE router to NMREC-SCHOOL router

NMREC-JR. COLLEGE#ping 192.168.3.1 (ipv4)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 15/28/32 ms

Pinging from NMREC-SCHOOL router to NMREC router

NMREC-SCHOOL#ping 192.168.1.1 (ipv4)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 33/59/78 ms

Pinging from NMREC-SCHOOL router to NMREC-JR. COLLEGE router

NMREC-SCHOOL#ping 192.168.2.1 (ipv4)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 31/31/32 ms


6.5.2 RIP ROUTING

Configuration of RIP in the IPv4 domain on the NMREC, NMREC-JR. COLLEGE and NMREC-SCHOOL routers:

Fig 6.5: An Example of RIP Routing

6.5.2.1 Configuring at NMREC-ENGG:

Input commands: (IPV4)

NMREC#configure terminal

NMREC(config)#router rip

NMREC(config-router)#network 192.168.1.1

NMREC(config-router)#network 192.168.4.2

NMREC(config-router)#^Z

NMREC#wr

Output results:

interface FastEthernet0/0

ip address 192.168.1.1 255.255.255.0

duplex auto


speed auto

ipv6 address FD00:0:0:1::1/64

!

interface FastEthernet0/1

no ip address

duplex auto

speed auto

shutdown

!

interface Serial0/0/0

ip address 192.168.4.1 255.255.255.252

encapsulation ppp

ipv6 address FD00:0:0:F1::1/64

clock rate 125000

!

interface Serial0/0/1

no ip address

shutdown

!

interface Vlan1

no ip address

shutdown

!

router rip

version 2

network 192.168.1.0

network 192.168.4.0

!

ip classless

!

!

!

!

!

!

!

line con 0


line vty 0 4

login

!

!

!

end

Verification commands:

NMREC#sh ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is not set

C 192.168.1.0/24 is directly connected, FastEthernet0/0

R 192.168.2.0/24 [120/1] via 192.168.4.2, 00:00:03, Serial0/0/0

R 192.168.3.0/24 [120/2] via 192.168.4.2, 00:00:03, Serial0/0/0

192.168.4.0/30 is subnetted, 2 subnets

C 192.168.4.0 is directly connected, Serial0/0/0

R 192.168.4.4 [120/1] via 192.168.4.2, 00:00:03, Serial0/0/0

6.5.2.2 Configuring at NMREC-JR. COLLEGE

Input commands: (IPV4)

NMREC-JR. COLLEGE#configure terminal

NMREC-JR. COLLEGE(config)#router rip

NMREC-JR. COLLEGE(config-router)#network 192.168.2.1

NMREC-JR. COLLEGE(config-router)#network 192.168.4.1

NMREC-JR. COLLEGE(config-router)#network 192.168.4.6

NMREC-JR. COLLEGE(config-router)#^Z

NMREC-JR. COLLEGE#wr


Output results:

interface FastEthernet0/0

ip address 192.168.2.1 255.255.255.0

duplex auto

speed auto

ipv6 address FD00:0:0:2::1/64

!

interface FastEthernet0/1

no ip address

duplex auto

speed auto

shutdown

!

interface Serial0/1/0

ip address 192.168.4.2 255.255.255.252

encapsulation ppp

ipv6 address FD00:0:0:F1::2/64

!

interface Serial0/1/1

ip address 192.168.4.5 255.255.255.252

encapsulation ppp

ipv6 address FD00:0:0:F2::1/64

clock rate 125000

!

interface Vlan1

no ip address

shutdown

!

router rip

version 2

network 192.168.2.0

network 192.168.4.0

!

ip classless

!

!


!

!

!

!

!

line con 0

line vty 0 4

login

!

!

!

end

Verification commands:

NMREC-JR. COLLEGE#sh ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is not set

R 192.168.1.0/24 [120/1] via 192.168.4.1, 00:00:20, Serial0/1/0

C 192.168.2.0/24 is directly connected, FastEthernet0/0

R 192.168.3.0/24 [120/1] via 192.168.4.6, 00:00:08, Serial0/1/1

192.168.4.0/30 is subnetted, 2 subnets

C 192.168.4.0 is directly connected, Serial0/1/0

C 192.168.4.4 is directly connected, Serial0/1/1


6.5.2.3 Configuring at NMREC-SCHOOL

Input commands: (IPV4)

NMREC-SCHOOL#configure terminal

NMREC-SCHOOL(config)#router rip

NMREC-SCHOOL(config-router)#network 192.168.3.1

NMREC-SCHOOL(config-router)#network 192.168.4.5

NMREC-SCHOOL(config-router)#^Z

NMREC-SCHOOL#wr

Output results:

interface FastEthernet0/0

ip address 192.168.3.1 255.255.255.0

duplex auto

speed auto

ipv6 address FD00:0:0:3::1/64

!

interface FastEthernet0/1

no ip address

duplex auto

speed auto

shutdown

!

interface Serial0/2/0

ip address 192.168.4.6 255.255.255.252

encapsulation ppp

ipv6 address FD00:0:0:F2::2/64

!

interface Serial0/2/1

no ip address

shutdown

!

interface Vlan1

no ip address

shutdown

!

router rip


version 2

network 192.168.3.0

network 192.168.4.0

!

ip classless

!

!

!

!

!

!

!

line con 0

line vty 0 4

login

!

!

!

end

Verification commands:

NMREC-SCHOOL#sh ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is not set

R 192.168.1.0/24 [120/2] via 192.168.4.5, 00:00:19, Serial0/2/0

R 192.168.2.0/24 [120/1] via 192.168.4.5, 00:00:19, Serial0/2/0

C 192.168.3.0/24 is directly connected, FastEthernet0/0


192.168.4.0/30 is subnetted, 2 subnets

R 192.168.4.0 [120/1] via 192.168.4.5, 00:00:19, Serial0/2/0

C 192.168.4.4 is directly connected, Serial0/2/0

Ping commands:

Pinging from NMREC router to NMREC-JR. COLLEGE router

NMREC#ping 192.168.2.1 (ipv4)

Result:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 3/27/121 ms

Pinging from NMREC router to NMREC-SCHOOL router

NMREC#ping 192.168.3.1 (ipv4)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 47/62/109 ms.

Pinging from NMREC-JR. COLLEGE router to NMREC router

NMREC-JR. COLLEGE#ping 192.168.1.1 (ipv4)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 31/31/32 ms


Pinging from NMREC-JR. COLLEGE router to NMREC-SCHOOL router

NMREC-JR. COLLEGE#ping 192.168.3.1 (ipv4)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 15/28/32 ms

Pinging from NMREC-SCHOOL router to NMREC router

NMREC-SCHOOL#ping 192.168.1.1 (ipv4)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 33/59/78 ms

Pinging from NMREC-SCHOOL router to NMREC-JR. COLLEGE router

NMREC-SCHOOL#ping 192.168.2.1 (ipv4)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 31/31/32 ms

6.5.3 OSPF ROUTING:

Configuration of OSPF in the IPv4 domain on the NMREC, NMREC-JR. COLLEGE and NMREC-SCHOOL routers, with all interfaces placed in the backbone area (Area 0):

Fig 6.6: An Example of OSPF Routing


6.5.3.1 Configuring at NMREC-ENGG:

Input commands: (IPV4)

NMREC-ENGG(config)#ip routing

NMREC-ENGG(config)#router ospf 10

NMREC-ENGG(config-router)#network 192.168.1.1 0.0.0.0 area 0

NMREC-ENGG(config-router)#network 192.168.6.1 0.0.0.3 area 0

NMREC-ENGG(config-router)#^Z

NMREC-ENGG#wr

Output results:

interface FastEthernet0/0

ip address 192.168.1.1 255.255.255.0

duplex auto

speed auto

ipv6 address FD00:0:0:1::1/64

ipv6 ospf 9 area 0

!

interface FastEthernet0/1

no ip address

duplex auto

speed auto

shutdown

!

interface Serial0/0/0

ip address 192.168.4.1 255.255.255.252

encapsulation ppp

ipv6 address FD00:0:0:4::1/64

ipv6 ospf 9 area 0

clock rate 125000

!

interface Serial0/0/1

no ip address

shutdown

!

interface Vlan1

no ip address


shutdown

!

router ospf 9

log-adjacency-changes

network 192.168.1.1 0.0.0.0 area 0

network 192.168.4.0 0.0.0.3 area 0

!

router rip

!

ipv6 router ospf 9

router-id 1.1.1.1

log-adjacency-changes

!

ip classless

!

!

!

!

!

line con 0

line vty 0 4

login

!

!

!

end

Verification commands:

NMREC-ENGG#sh ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR


P - periodic downloaded static route

Gateway of last resort is not set

C 192.168.1.0/24 is directly connected, FastEthernet0/0

O 192.168.2.0/24 [110/65] via 192.168.4.2, 00:05:36, Serial0/0/0

192.168.4.0/30 is subnetted, 2 subnets

C 192.168.4.0 is directly connected, Serial0/0/0

O 192.168.4.4 [110/128] via 192.168.4.2, 00:05:25, Serial0/0/0

6.5.3.2 CONFIGURING AT NMREC-JR. COLLEGE:

Input commands: (IPV4)

NMREC-JR. COLLEGE#configure terminal

NMREC-JR. COLLEGE(config)# ip routing

NMREC-JR. COLLEGE(config)# router ospf 10

NMREC-JR. COLLEGE(config-router)# network 192.168.2.1 0.0.0.0 area 0

NMREC-JR. COLLEGE(config-router)# network 192.168.6.2 0.0.0.3 area 0

NMREC-JR. COLLEGE(config-router)# network 192.168.6.5 0.0.0.3 area 0

NMREC-JR. COLLEGE(config-router)#^Z

NMREC-JR. COLLEGE#wr

Output results:

interface FastEthernet0/0

ip address 192.168.2.1 255.255.255.0

duplex auto

speed auto

ipv6 address FD00:0:0:2::1/64

ipv6 ospf 10 area 0

!

interface FastEthernet0/1

no ip address

duplex auto

speed auto

shutdown

!

interface Serial0/1/0

ip address 192.168.4.2 255.255.255.252


encapsulation ppp

ipv6 address FD00:0:0:4::2/64

ipv6 ospf 10 area 0

!

interface Serial0/1/1

ip address 192.168.4.5 255.255.255.252

encapsulation ppp

ipv6 address FD00:0:0:5::1/64

ipv6 ospf 10 area 0

clock rate 125000

!

interface Vlan1

no ip address

shutdown

!

router ospf 10

log-adjacency-changes

network 192.168.2.1 0.0.0.0 area 0

network 192.168.4.0 0.0.0.3 area 0

network 192.168.4.4 0.0.0.3 area 0

!

ipv6 router ospf 10

router-id 2.2.2.2

log-adjacency-changes

!

ip classless

!

!

!

!

!

!

!

line con 0

line vty 0 4

login

!


!

!

end

Verification commands:

NMREC-JR. COLLEGE#sh ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is not set

O 192.168.1.0/24 [110/65] via 192.168.4.1, 00:01:07, Serial0/1/0

C 192.168.2.0/24 is directly connected, FastEthernet0/0

192.168.4.0/30 is subnetted, 2 subnets

C 192.168.4.0 is directly connected, Serial0/1/0

C 192.168.4.4 is directly connected, Serial0/1/1

6.5.3.3 CONFIGURING AT NMREC-SCHOOL

Input commands: (IPV4)

NMREC-SCHOOL#configure terminal

NMREC-SCHOOL(config)#ip routing

NMREC-SCHOOL(config)#router ospf 11

NMREC-SCHOOL(config-router)#network 192.168.3.1 0.0.0.0 area 0

NMREC-SCHOOL(config-router)#network 192.168.6.6 0.0.0.3 area 0

NMREC-SCHOOL(config-router)#^Z

NMREC-SCHOOL#wr

Output results:

interface FastEthernet0/0

ip address 192.168.3.1 255.255.255.0


duplex auto

speed auto

ipv6 address FD00:0:0:3::1/64

ipv6 ospf 11 area 0

!

interface FastEthernet0/1

no ip address

duplex auto

speed auto

shutdown

!

interface Serial0/2/0

ip address 192.168.4.6 255.255.255.0

encapsulation ppp

ipv6 address FD00:0:0:5::2/64

ipv6 ospf 11 area 0

!

interface Serial0/2/1

no ip address

shutdown

!

interface Vlan1

no ip address

shutdown

!

router ospf 11

log-adjacency-changes

network 192.168.3.1 0.0.0.0 area 0

network 192.168.4.4 0.0.0.3 area 0

!

ipv6 router ospf 11

router-id 3.3.3.3

log-adjacency-changes

!

ip classless

!

!


!

!

!

!

!

line con 0

line vty 0 4

login

!

!

!

end

Verification commands:

Router#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is not set

O 192.168.2.0/24 [110/65] via 192.168.4.5, 00:01:07, Serial0/2/0

C 192.168.3.0/24 is directly connected, FastEthernet0/0

C 192.168.4.0/24 is directly connected, Serial0/2/0
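Whether RIP or OSPF runs on an interface is decided by the `network` statement alone. RIP converts `network 192.168.1.1` to the classful network 192.168.1.0, which is why the RIP running-configs in 6.5.2 show `network 192.168.1.0`; OSPF compares each interface address with the statement's address on every bit that is 0 in the wildcard mask, and the most specific matching statement assigns the area. The Python below is an added example (not part of this report or of IOS) that applies both rules to the NMREC-ENGG interface addresses from the 6.5.3.1 running-config; it shows that the statement as typed there, `network 192.168.6.1 0.0.0.3`, would not put Serial0/0/0 at 192.168.4.1 into area 0, while the stored `network 192.168.4.0 0.0.0.3` does.

```python
"""Which interfaces do RIP and OSPF `network` statements enable?"""
import ipaddress


def rip_classful_network(addr):
    """RIP `network <addr>` enables every interface inside the classful
    network containing addr: /8 for class A, /16 for B, /24 for C."""
    first_octet = int(addr.split(".")[0])
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)


def rip_enabled_interfaces(statements, interfaces):
    """Interface names covered by at least one RIP network statement."""
    nets = [rip_classful_network(s) for s in statements]
    return sorted(name for name, addr in interfaces.items()
                  if any(ipaddress.IPv4Address(addr) in n for n in nets))


def care_bits(wildcard):
    """Bits the statement actually compares: the 0 bits of the wildcard."""
    return ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF


def ospf_statement_matches(stmt_addr, wildcard, iface_addr):
    """`network A W area N` matches an interface when its address agrees
    with A on every bit that is 0 in W; 1 bits in W are don't-care."""
    care = care_bits(wildcard)
    a = int(ipaddress.IPv4Address(stmt_addr))
    i = int(ipaddress.IPv4Address(iface_addr))
    return (a & care) == (i & care)


def ospf_interface_areas(statements, interfaces):
    """Map each interface to the area of the most specific matching
    statement (the one comparing the most bits), or None if none match."""
    areas = {}
    for name, addr in interfaces.items():
        matches = [(bin(care_bits(wc)).count("1"), area)
                   for stmt, wc, area in statements
                   if ospf_statement_matches(stmt, wc, addr)]
        areas[name] = max(matches)[1] if matches else None
    return areas


# NMREC-ENGG interface addresses from the 6.5.3.1 running-config above.
ENGG_INTERFACES = {"FastEthernet0/0": "192.168.1.1", "Serial0/0/0": "192.168.4.1"}

# RIP statements as typed in 6.5.2.1.
RIP_TYPED = ["192.168.1.1", "192.168.4.2"]

# OSPF statements as typed in 6.5.3.1 and as shown in its running-config.
OSPF_TYPED = [("192.168.1.1", "0.0.0.0", 0), ("192.168.6.1", "0.0.0.3", 0)]
OSPF_STORED = [("192.168.1.1", "0.0.0.0", 0), ("192.168.4.0", "0.0.0.3", 0)]


if __name__ == "__main__":
    print("RIP enables:", rip_enabled_interfaces(RIP_TYPED, ENGG_INTERFACES))
    print("OSPF as typed :", ospf_interface_areas(OSPF_TYPED, ENGG_INTERFACES))
    print("OSPF as stored:", ospf_interface_areas(OSPF_STORED, ENGG_INTERFACES))
```

An interface that maps to None never forms an adjacency, so a missing `O` route in `show ip route` is the first place this mistake shows up.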

Ping commands:

Pinging from NMREC router to NMREC-JR. COLLEGE router

NMREC#ping 192.168.2.1 (ipv4)


Result:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 3/27/121 ms

Pinging from NMREC router to NMREC-SCHOOL router

NMREC#ping 192.168.3.1 (ipv4)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 47/62/109 ms.

Pinging from NMREC-JR. COLLEGE router to NMREC router

NMREC-JR. COLLEGE#ping 192.168.1.1 (ipv4)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 31/31/32 ms

Pinging from NMREC-JR. COLLEGE router to NMREC-SCHOOL router

NMREC-JR. COLLEGE#ping 192.168.3.1 (ipv4)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 15/28/32 ms


Pinging from NMREC-SCHOOL router to NMREC router
NMREC-SCHOOL#ping 192.168.1.1 (ipv4)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 33/59/78 ms

Pinging from NMREC-SCHOOL router to NMREC-JR. COLLEGE router
NMREC-SCHOOL#ping 192.168.2.1 (ipv4)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 31/31/32 ms
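The six ping runs above form a reachability matrix, and the report's testing chapter describes functional testing as comparing actual output with expected output. As an added example (not code from the report or from Cisco), the Python below parses IOS ping transcripts, cross-checks the per-probe marks against the summary line, and evaluates a list of required (source router, destination) pairs against the captured transcripts. The first transcript is the report's own NMREC to NMREC-JR. COLLEGE result; the second is a constructed transcript with two lost probes, included to show how a degraded path is reported. The router names used as keys are assumptions for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Per-probe marks IOS prints: "!" reply received, "." timed out, "U" destination
# unreachable, "Q" source quench, "M" could not fragment, "?" unknown packet type,
# "&" TTL exceeded.
PROBE_MARKS = "!.UQM?&"

SENDING_RE = re.compile(
    r"Sending (?P<count>\d+), (?P<size>\d+)-byte ICMP Echos to (?P<target>\S+),"
    r" timeout is (?P<timeout>\d+) seconds:"
)
RATE_RE = re.compile(
    r"Success rate is (?P<pct>\d+) percent \((?P<rx>\d+)/(?P<tx>\d+)\)"
    r"(?:, round-trip min/avg/max = (?P<min>\d+)/(?P<avg>\d+)/(?P<max>\d+) ms)?"
)

# Transcript taken from the report (NMREC to NMREC-JR. COLLEGE).
NMREC_TO_JR_COLLEGE = """\
NMREC#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/27/121 ms
"""
# Constructed transcript (not from the report): two of five probes lost.
NMREC_TO_SCHOOL_DEGRADED = """\
NMREC#ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!.!!.
Success rate is 60 percent (3/5), round-trip min/avg/max = 47/62/109 ms
"""


@dataclass
class PingResult:
    target: str
    sent: int
    received: int
    marks: str
    rtt_ms: Optional[Tuple[int, int, int]]   # (min, avg, max); None if nothing came back


def parse_ios_ping(output: str) -> PingResult:
    """Extract target, counts, per-probe marks and RTTs from an IOS ping transcript."""
    target, sent, received, marks, rtt = None, 0, None, "", None
    for raw in output.splitlines():
        line = raw.strip()
        if m := SENDING_RE.search(line):
            target, sent = m["target"], int(m["count"])
        elif line and all(c in PROBE_MARKS for c in line):
            marks = line
        elif m := RATE_RE.search(line):
            received = int(m["rx"])
            if m["min"] is not None:
                rtt = (int(m["min"]), int(m["avg"]), int(m["max"]))
    if target is None or received is None:
        raise ValueError("not a complete IOS ping transcript")
    if marks and marks.count("!") != received:      # summary must agree with the marks
        raise ValueError("probe marks disagree with the success count")
    return PingResult(target, sent, received, marks, rtt)


def check_reachability(expected: List[Tuple[str, str]],
                       captures: Dict[Tuple[str, str], str],
                       min_pct: int = 100) -> List[str]:
    """Compare each required (source router, destination) pair with its captured
    transcript; returns failure descriptions (an empty list means the test passed)."""
    failures = []
    for src, dst in expected:
        transcript = captures.get((src, dst))
        if transcript is None:
            failures.append(f"{src}->{dst}: no ping transcript captured")
            continue
        result = parse_ios_ping(transcript)
        pct = 100 * result.received // result.sent if result.sent else 0
        if result.target != dst:
            failures.append(f"{src}->{dst}: transcript is for {result.target}")
        elif pct < min_pct:
            failures.append(f"{src}->{dst}: {pct}% success ({result.marks})")
    return failures


if __name__ == "__main__":
    expected = [("NMREC", "192.168.2.1"), ("NMREC", "192.168.3.1"), ("NMREC-SCHOOL", "192.168.1.1")]
    captures = {("NMREC", "192.168.2.1"): NMREC_TO_JR_COLLEGE,
                ("NMREC", "192.168.3.1"): NMREC_TO_SCHOOL_DEGRADED}
    for failure in check_reachability(expected, captures):
        print("FAIL", failure)
```

Requiring 100 percent by default is deliberate: on a freshly built lab topology a lost probe is usually a misconfiguration (a missing route, an ACL, a wrong crypto map) rather than noise, and the first probe of the report's own runs shows the ARP/tunnel setup delay in its 121 ms maximum, not in lost packets.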


CHAPTER 7: TESTING

7.1 Introduction to testing:

Software testing is an investigation conducted to provide stakeholders with information about the quality of the product or service under test.[1] Software testing also provides an objective, independent view of the software to allow the business to appreciate and understand the risks of software implementation. Test techniques include, but are not limited to, the process of executing a program or application with the intent of finding software bugs.

Software testing can also be stated as the process of validating and verifying that a software program/application/product:

1. meets the business and technical requirements that guided its design and development;
2. works as expected; and
3. can be implemented with the same characteristics.

Software testing, depending on the testing method employed, can be implemented at any time in the development process. However, most of the test effort occurs after the requirements have been defined and the coding process has been completed. As such, the methodology of the test is governed by the software development methodology adopted.

Different software development models will focus the test effort at different points in the development process. Newer development models, such as Agile, often employ test-driven development and place an increased portion of the testing in the hands of the developer, before it reaches a formal team of testers. In a more traditional model, most of the test execution occurs after the requirements have been defined and the coding process has been completed.

7.2 Testing Levels:

Tests are frequently grouped by where they are added in the software development process, or by the level of specificity of the test.

7.2.1 Unit testing:

Unit testing refers to tests that verify the functionality of a specific section of code, usually at the function level. In an object-oriented environment, this is usually at the class level, and the minimal unit tests include the constructors and destructors.

These types of tests are usually written by developers as they work on code (white-box style), to ensure that the specific function is working as expected.


One function might have multiple tests, to catch corner cases or other branches in the code. Unit testing alone cannot verify the functionality of a piece of software, but rather is used to assure that the building blocks the software uses work independently of each other.

Unit testing is also called component testing.

7.2.2 Integration testing:

Integration testing is any type of software testing that seeks to verify the interfaces between components against a software design. Software components may be integrated in an iterative way or all together ("big bang"). Normally the former is considered a better practice since it allows interface issues to be localized more quickly and fixed.

Integration testing works to expose defects in the interfaces and interaction between integrated components (modules). Progressively larger groups of tested software components corresponding to elements of the architectural design are integrated and tested until the software works as a system.

7.2.3 System testing:

System testing tests a completely integrated system to verify that it meets its requirements.

7.2.3.1 Alpha testing:

Alpha testing is simulated or actual operational testing by potential users/customers or an independent test team at the developers' site. Alpha testing is often employed for off-the-shelf software as a form of internal acceptance testing, before the software goes to beta testing.[28]

7.2.3.2 Beta testing:

Beta testing comes after alpha testing and can be considered a form of external user acceptance testing. Versions of the software, known as beta versions, are released to a limited audience outside of the programming team. The software is released to groups of people so that further testing can ensure the product has few faults or bugs. Sometimes, beta versions are made available to the general public to widen the feedback field to the largest possible number of future users.

7.2.4 Security testing:

Security testing is essential for software that processes confidential data, to prevent system intrusion by attackers.


7.3 Testing done in our project:

7.3.1 Integration testing:

Integration testing (sometimes called Integration and Testing, abbreviated "I&T") is the phase in software testing in which individual software modules are combined and tested as a group. It occurs after unit testing and before validation testing. Integration testing takes as its input modules that have been unit tested, groups them in larger aggregates, applies tests defined in an integration test plan to those aggregates, and delivers as its output the integrated system ready for system testing.

The purpose of integration testing is to verify functional, performance, and reliability requirements placed on major design items. These "design items", i.e. assemblages (or groups of units), are exercised through their interfaces using black-box testing, with success and error cases being simulated via appropriate parameter and data inputs. Simulated usage of shared data areas and inter-process communication is tested, and individual subsystems are exercised through their input interface. Test cases are constructed to test that all components within assemblages interact correctly, for example across procedure calls or process activations, and this is done after testing the individual modules, i.e. after unit testing. The overall idea is a "building block" approach, in which verified assemblages are added to a verified base which is then used to support the integration testing of further assemblages.

Some different types of integration testing are big bang, top-down, and bottom-up. Other integration patterns are: collaboration integration, backbone integration, layer integration, client/server integration, distributed services integration and high-frequency integration.

7.3.2 Functional testing:

Functional testing is a quality assurance (QA) process and a type of black-box testing that bases its test cases on the specifications of the software component under test. Functions are tested by feeding them input and examining the output, and internal program structure is rarely considered (unlike in white-box testing). Functional testing usually describes "what" the system does.

Functional testing differs from system testing in that functional testing "verifies a program by checking it against design document(s) or specification(s)", while system testing "validate a program by checking it against the published user or system requirements".

Functional testing typically involves five steps:


1. The identification of functions that the software is expected to perform
2. The creation of input data based on the function's specifications
3. The determination of output based on the function's specifications
4. The execution of the test case
5. The comparison of actual and expected outputs.

The Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet Protocol Suite, and it is the mechanism used for functional testing in our project. It is used by the operating systems of networked computers to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached. ICMP can also be used to relay query messages.[1] It is assigned protocol number 1.[2]

ICMP differs from transport protocols such as TCP and UDP in that it is not typically used to exchange data between systems, nor is it regularly employed by end-user network applications (with the exception of some diagnostic tools like ping and traceroute). ICMP for Internet Protocol version 4 (IPv4) is also known as ICMPv4. IPv6 has a similar protocol, ICMPv6.

7.3.2.1 Technical details of ICMP:

The Internet Control Message Protocol is part of the Internet Protocol Suite, as defined in RFC 792. ICMP messages are typically used for diagnostic or control purposes, or are generated in response to errors in IP operations. ICMP errors are directed to the source IP address of the originating packet.

Although ICMP messages are contained within standard IP datagrams, ICMP messages are usually processed as a special case, distinguished from normal IP processing, rather than processed as a normal sub-protocol of IP. In many cases, it is necessary to inspect the contents of the ICMP message and deliver the appropriate error message to the application that generated the original IP packet, the one that prompted the sending of the ICMP message.

Many commonly used network utilities are based on ICMP messages. The tracert (traceroute) and pathping commands are implemented by transmitting UDP datagrams with specially set IP TTL header fields and looking for the ICMP "Time to live exceeded in transit" and "Destination unreachable" messages generated in response. The related ping utility is implemented using the ICMP "Echo request" and "Echo reply" messages.

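To make the echo exchange concrete, here is an added example (not code from the report, and not a Cisco or operating-system implementation) that builds and checks ICMP echo messages in Python according to the RFC 792 layout: an 8-bit type, an 8-bit code, a 16-bit checksum, and for echo messages a 16-bit identifier and sequence number followed by the data. The checksum is the one's-complement Internet checksum of RFC 1071. The function names, the identifier and sequence values, and the sample payload are all constructed for the demonstration; nothing is sent on the wire, the code only shows what a responder copies back and what ping checks when a reply arrives.

```python
import struct

IP_PROTO_ICMP = 1            # protocol number assigned to ICMP in the IP header
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACHABLE = 3
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11      # the message traceroute-style tools wait for
TYPE_NAMES = {
    ICMP_ECHO_REPLY: "Echo reply",
    ICMP_DEST_UNREACHABLE: "Destination unreachable",
    ICMP_ECHO_REQUEST: "Echo request",
    ICMP_TIME_EXCEEDED: "Time exceeded",
}


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071), as the ICMP checksum field requires."""
    if len(data) % 2:
        data += b"\x00"                    # odd length: pad with a zero byte for the sum only
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                     # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(packet: bytes) -> bool:
    """A correctly checksummed message sums to all ones, so its complement is zero."""
    return len(packet) >= 8 and internet_checksum(packet) == 0


def build_echo(msg_type: int, identifier: int, sequence: int, payload: bytes = b"") -> bytes:
    """Echo request/reply: type, code 0, checksum, identifier, sequence number, data."""
    if msg_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        raise ValueError("not an echo message type")
    header = struct.pack("!BBHHH", msg_type, 0, 0, identifier, sequence)
    checksum = internet_checksum(header + payload)   # computed with the field zeroed
    return struct.pack("!BBHHH", msg_type, 0, checksum, identifier, sequence) + payload


def parse_icmp(packet: bytes) -> dict:
    """Decode the common ICMP header and reject a message whose checksum fails."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    if not checksum_ok(packet):
        raise ValueError("ICMP checksum mismatch")
    msg_type, code, checksum, field1, field2 = struct.unpack("!BBHHH", packet[:8])
    info = {"type": msg_type, "name": TYPE_NAMES.get(msg_type, "other"),
            "code": code, "checksum": checksum, "data": packet[8:]}
    if msg_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        info["identifier"], info["sequence"] = field1, field2
    return info


def answer_echo(request: bytes) -> bytes:
    """What an echo responder does: copy identifier, sequence and data into a type-0 reply."""
    req = parse_icmp(request)
    if req["type"] != ICMP_ECHO_REQUEST:
        raise ValueError("only echo requests are answered")
    return build_echo(ICMP_ECHO_REPLY, req["identifier"], req["sequence"], req["data"])


def reply_matches(request: bytes, reply: bytes) -> bool:
    """The check ping performs: identifier, sequence and data must come back unchanged."""
    req, rep = parse_icmp(request), parse_icmp(reply)
    return (req["type"] == ICMP_ECHO_REQUEST and rep["type"] == ICMP_ECHO_REPLY
            and (req["identifier"], req["sequence"], req["data"])
            == (rep["identifier"], rep["sequence"], rep["data"]))


if __name__ == "__main__":
    # Constructed sample exchange: identifier 0x1234, sequence 1, arbitrary payload.
    req = build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"constructed sample payload")
    rep = answer_echo(req)
    print(parse_icmp(req)["name"], "->", parse_icmp(rep)["name"], "matched:", reply_matches(req, rep))
```

The identifier and sequence fields are what let a host pair a reply with the request it sent when several ping processes, or several probes in flight, share one interface; a reply whose sequence number does not match is simply not counted, which is why the transcripts above report a success rate rather than just a count of replies seen.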

8. SCREEN SHOTS

Fig 8.1: A network designed with two VPNs and an ISP


Fig 8.2: Successful packet delivery, shown in the highlighted region

Fig 8.3: Transfer of packets from VPN Branch 1 to VPN Branch 2


Fig 8.4: Exchange of packets between two VPN branches

Fig 8.5: Exchange of packets through the ISP, with IPSec now defined on the ISP


Fig 8.6: Delivery of packets at the other ends, i.e., at VPN 1 and VPN 2

Fig 8.7: Acknowledgement that the packet is delivered successfully on B1


Fig 8.8: Acknowledgement that the packet is delivered successfully on B2

Fig 8.9: Pinging successful between two networks when traced from a PC


Fig 8.10: Pinging successful between two networks when traced from the server

Fig 8.11: Showing the directly connected and indirectly connected systems


9. CONCLUSION AND FUTURE SCOPE

The use of VPN technology continues to increase because of the tremendous cost-saving advantages to companies. There are many different types of VPN technologies available, one being site-to-site VPN, which is established between IPSec-compliant security gateways.

These security gateways can be configured with various security associations to protect private data across the internet. The configuration of security gateways has been presented and explained to assist an individual in establishing their own IPSec connection. NAT, IP extended access lists and IP accounting can be implemented to provide additional security for IPSec tunnel termination points.

In the future, the research can be extended in several aspects. First of all, we focused on centralized policy management in this research. The research can be extended to distributed policy management, in which distributed policy servers communicate and make joint decisions on correct policies. The constraints and optimization of policy generation for a distributed architecture need further study.

Furthermore, we developed an algorithm to automatically generate correct policies that satisfy all given requirements. If no policies can satisfy all requirements, then we generate a failure message. In this case, the conflict may reside at the requirement level. Requirement conflict resolution techniques will demand further research. Last, we have specified a higher-level security policy that is implementation independent. More levels of security policy may be specified until the whole hierarchy is clearly established.


10. REFERENCES AND BIBLIOGRAPHY

1. Kent, S.; Atkinson, R. (November 1998). IP Encapsulating Security Payload (ESP). IETF. RFC 2406.
2. "RFC 4301: Security Architecture for the Internet Protocol". Network Working Group of the IETF. December 2005. p. 4. "The spelling "IPsec" is preferred and used throughout this and all related IPsec standards. All other capitalizations of IPsec [...] are deprecated."
3. Thayer, R.; Doraswamy, N.; Glenn, R. (November 1998). IP Security Document Roadmap. IETF. RFC 2411.
4. Hoffman, P. (December 2005). Cryptographic Suites for IPsec. IETF. RFC 4308.
5. Kent, S.; Atkinson, R. (November 1998). IP Authentication Header. IETF. RFC 2402.
6. Kent, S. (December 2005). IP Authentication Header. IETF. RFC 4302.
7. The Internet Key Exchange (IKE). IETF. RFC 2409, §1 Abstract.
8. Harkins, D.; Carrel, D. (November 1998). The Internet Key Exchange (IKE). IETF. RFC 2409.
9. Kaufman, C., ed. IKE Version 2. IETF. RFC 4306.
10. Sakane, S.; Kamada, K.; Thomas, M.; Vilhuber, J. (November 1998). Kerberized Internet Negotiation of Keys (KINK). IETF. RFC 4430.

