The Internet is increasingly used as a means of communication between computers because it offers efficient and inexpensive connectivity. However, the Internet is a shared public network, and to communicate securely over it some mechanism is needed that provides at least the following:

    confidentiality of information;

    data integrity;

    availability of information.

These requirements are met by a mechanism called a VPN (Virtual Private Network), a generalized name for technologies that allow one or more network connections (a logical network) to be provided over another network (for example, the Internet) using cryptographic tools: encryption, authentication, public key infrastructure, and means of protection against replay and modification of messages transmitted over the logical network.

Creating a VPN does not require additional investment and allows you to stop using leased lines. Depending on the protocols used and the purpose, a VPN can provide three types of connections: host-to-host, host-to-network, and network-to-network.

For clarity, consider the following example: an enterprise has several geographically remote branches and "mobile" employees working at home or on the road. All employees of the enterprise need to be united in a single network. The easiest way is to put modems in each branch and dial up as needed. Such a solution, however, is not always convenient or economical: sometimes a permanent connection and high bandwidth are required. For that you would have to either lay a dedicated line between branches or rent one, and both are quite expensive. As an alternative, when building a single secure network, you can connect all company branches via the Internet using VPN connections and configure VPN tools on the network hosts.

Fig. 6.4. Site-to-site VPN connection

Fig. 6.5. Host-to-network VPN connection

In this case, many problems are solved - branches can be located anywhere around the world.

The danger here is that, firstly, an open network is open to attacks from intruders around the world. Secondly, all data is transmitted over the Internet in the clear, so an attacker who has gained access to the network will have all the information transmitted over it. And thirdly, data can be not only intercepted but also replaced in transit. An attacker can, for example, compromise the integrity of databases by acting on behalf of the clients of one of the trusted branches.

To prevent this, VPN solutions use tools such as data encryption and integrity checks to ensure confidentiality and integrity, and authentication and authorization to verify user rights and grant access to the virtual private network.

A VPN connection always consists of a point-to-point link, also known as a tunnel. The tunnel is created in an insecure network, which is most often the Internet.

Tunneling, or encapsulation, is a way to transfer useful information through an intermediate network. Such information may be frames (or packets) of another protocol. With encapsulation, the frame is not transmitted as it was generated by the sending host, but is given an additional header containing routing information that allows the encapsulated packets to pass through the intermediate network (the Internet). At the end of the tunnel, the frames are de-encapsulated and delivered to the recipient. Typically, a tunnel is created by two edge devices located at the entry points to the public network. One clear advantage of tunneling is that the entire original packet can be encrypted, including its header, which may contain information useful to an attacker (for example, internal IP addresses, the number of subnets, etc.).

Although a VPN tunnel is established between two points, each host can establish additional tunnels with other hosts. For example, when three remote stations need to contact the same office, three separate VPN tunnels will be created to this office. For all tunnels, the node on the office side can be the same. This is possible due to the fact that the node can encrypt and decrypt data on behalf of the entire network, as shown in the figure:

Fig. 6.6. Creating VPN tunnels for multiple remote locations

The user establishes a connection to the VPN gateway, after which the user has access to the internal network.

Within a private network, encryption itself does not occur. The reason is that this part of the network is considered secure and under direct control, as opposed to the Internet. This is also true when connecting offices using VPN gateways. Thus, encryption is guaranteed only for information that is transmitted over an insecure channel between offices.

There are many different solutions for building virtual private networks. The best-known and most widely used protocols are:

    PPTP (Point-to-Point Tunneling Protocol) - this protocol has become quite popular due to its inclusion in Microsoft operating systems.

    L2TP (Layer-2 Tunneling Protocol) - combines the L2F (Layer 2 Forwarding) protocol and PPTP protocol. Typically used in conjunction with IPSec.

    IPSec (Internet Protocol Security) is an official Internet standard developed by the IETF (Internet Engineering Task Force) community.

The listed protocols are supported by D-Link devices.

The PPTP protocol is primarily intended for virtual private networks based on dial-up connections. The protocol allows remote access, so that users can establish dial-up connections with Internet providers and create a secure tunnel to their corporate networks. Unlike IPSec, the PPTP protocol was not originally intended to organize tunnels between local networks. PPTP extends the capabilities of PPP, a data-link protocol that was originally designed to encapsulate data and deliver it over point-to-point connections.

The PPTP protocol allows you to create secure channels for data exchange using various protocols: IP, IPX, NetBEUI, etc. The data of these protocols is packed into PPP frames, which PPTP encapsulates into IP packets. They are then transported by IP in encrypted form over any TCP/IP network. The receiving node extracts the PPP frames from the IP packets and processes them in the standard way, i.e. it extracts the IP, IPX, or NetBEUI packet from the PPP frame and sends it over the local network. Thus, the PPTP protocol creates a point-to-point connection in the network and transmits data over the created secure channel. The main advantage of encapsulating protocols such as PPTP is their multiprotocol nature: data protection at the data link layer is transparent to network and application layer protocols. Therefore, within the network, either IP (as in the case of an IPSec-based VPN) or any other protocol can be used as the transport.

Currently, due to the ease of implementation, the PPTP protocol is widely used both for obtaining reliable secure access to a corporate network and for accessing ISP networks when a client needs to establish a PPTP connection with an ISP in order to access the Internet.

The encryption method used in PPTP is specified at the PPP layer. Typically, the PPP client is a desktop computer running a Microsoft operating system, and Microsoft Point-to-Point Encryption (MPPE) is used as the encryption protocol. This protocol is based on RSA's RC4 algorithm and supports 40-bit or 128-bit encryption. For many applications this level of encryption is sufficient, although it is considered less secure than a number of other encryption algorithms offered by IPSec, in particular the 168-bit Triple Data Encryption Standard (3DES).

How is a PPTP connection established?

PPTP encapsulates IP packets for transmission over an IP network. PPTP clients create a tunnel control connection that keeps the link alive. This process is performed at the transport layer of the OSI model. After the tunnel is created, the client computer and the server begin exchanging service packets.

In addition to the PPTP control connection, a connection is created to send data over the tunnel. Encapsulating data before sending it into the tunnel involves two steps. First, the information part of the PPP frame is created: data flows from top to bottom, from the OSI application layer down to the link layer. The resulting data is then passed back up the OSI model and encapsulated by the upper-layer protocols.

Data from the link layer reaches the transport layer. However, the information cannot yet be sent to its destination, since the OSI link layer is responsible for that. Therefore, PPTP encrypts the payload field of the packet and takes over the layer-2 functions that usually belong to PPP, i.e. it adds a PPP header and trailer to the PPTP packet. This completes the creation of the link layer frame. Next, PPTP encapsulates the PPP frame in a Generic Routing Encapsulation (GRE) packet, which belongs to the network layer. GRE encapsulates network layer protocols such as IP and IPX so that they can be transported over IP networks. However, GRE alone does not provide session establishment or data security; for this, PPTP uses its ability to create a tunnel control connection. The use of GRE as the encapsulation method limits the scope of PPTP to IP networks only.

After the PPP frame has been encapsulated in a frame with a GRE header, it is encapsulated in a frame with an IP header. The IP header contains the sender and recipient addresses of the packet. Finally, PPTP adds a PPP header and ending.

Fig. 6.7 shows the data structure for forwarding over a PPTP tunnel:

Fig. 6.7. Data structure for forwarding over a PPTP tunnel

Setting up a VPN based on PPTP does not require large expenditures or complex configuration: it is enough to install a PPTP server in the central office (PPTP solutions exist for both Windows and Linux platforms) and make the necessary settings on the client computers. If you need to connect several branches, then instead of configuring PPTP on all client stations, it is better to use an Internet router or a firewall with PPTP support: settings are made only on the border router (firewall) connected to the Internet, and everything is completely transparent to users. Examples of such devices are the DIR/DSR multifunctional Internet routers and the DFL series firewalls.

GRE tunnels

Generic Routing Encapsulation (GRE) is a network packet encapsulation protocol that provides traffic tunneling through networks without encryption. Examples of using GRE:

    transmission of traffic (including broadcast) through equipment that does not support a specific protocol;

    tunneling IPv6 traffic through an IPv4 network;

    data transmission over public networks to implement a secure VPN connection.

Fig. 6.8. An example of a GRE tunnel

There are several routers between routers A and B (Fig. 6.8); the GRE tunnel provides a connection between the local networks 192.168.1.0/24 and 192.168.3.0/24 as if routers A and B were connected directly.

L2TP

The L2TP protocol appeared as a result of merging the PPTP and L2F protocols. The main advantage of L2TP is that it allows you to create a tunnel not only in IP networks, but also in ATM, X.25 and Frame Relay networks. L2TP uses UDP as its transport and uses the same message format for both tunnel management and data forwarding.

As with PPTP, L2TP begins assembling a packet for transmission into the tunnel by first adding the PPP header, then the L2TP header, to the PPP information field. The resulting packet is encapsulated in UDP. Depending on the type of IPSec security policy chosen, L2TP can encrypt the UDP messages and add an Encapsulating Security Payload (ESP) header and trailer, as well as an IPSec authentication trailer (see the "L2TP over IPSec" section). The result is then encapsulated in IP: an IP header is added containing the sender and recipient addresses. Finally, L2TP performs a second PPP encapsulation to prepare the data for transmission. Fig. 6.9 shows the data structure sent over an L2TP tunnel.

Fig. 6.9. Data structure for forwarding over an L2TP tunnel

The receiving computer receives the data, processes the PPP header and ending, and strips the IP header. IPSec Authentication authenticates the IP information field, and the IPSec ESP header helps decrypt the packet.

The computer then processes the UDP header and uses the L2TP header to identify the tunnel. The PPP packet now contains only the payload that is being processed or forwarded to the specified recipient.

IPsec (short for IP Security) is a set of protocols for securing data transmitted over the Internet Protocol (IP), providing authentication and/or encryption of IP packets. IPsec also includes protocols for secure key exchange over the Internet.

IPSec security is achieved through additional protocols that add their own headers to the IP packet (encapsulation). Since IPSec is an Internet standard, it is described by RFC documents:

    RFC 2401 (Security Architecture for the Internet Protocol) - the security architecture for the IP protocol.

    RFC 2402 (IP Authentication Header) - the IP authentication header.

    RFC 2404 (The Use of HMAC-SHA-1-96 within ESP and AH) - use of the SHA-1 hash algorithm to create an authentication header.

    RFC 2405 (The ESP DES-CBC Cipher Algorithm With Explicit IV) - use of the DES encryption algorithm.

    RFC 2406 (IP Encapsulating Security Payload (ESP)) - data encryption.

    RFC 2407 (The Internet IP Security Domain of Interpretation for ISAKMP) - the scope of the key management protocol.

    RFC 2408 (Internet Security Association and Key Management Protocol (ISAKMP)) - management of keys and authenticators of secure connections.

    RFC 2409 (The Internet Key Exchange (IKE)) - key exchange.

    RFC 2410 (The NULL Encryption Algorithm and Its Use With IPsec) - the NULL encryption algorithm and its use.

    RFC 2411 (IP Security Document Roadmap) - further development of the standard.

    RFC 2412 (The OAKLEY Key Determination Protocol) - the key determination protocol.

IPsec is an integral part of the IPv6 Internet Protocol and an optional extension of the IPv4 version of the Internet Protocol.

The IPSec mechanism performs the following tasks:

    authentication of users or computers during secure channel initialization;

    encryption and authentication of data transmitted between endpoints of a secure channel;

    automatic supply of channel endpoints with secret keys necessary for the operation of authentication and data encryption protocols.

IPSec Components

The AH (Authentication Header) protocol provides authentication of the packet. It ensures integrity by verifying that no bits in the protected part of the packet have changed during transmission. Using AH can cause problems, however, for example when a packet passes through a NAT device. NAT changes the packet's IP address to allow Internet access from a private local address. Because the packet changes, the AH integrity value becomes incorrect (to eliminate this problem, the NAT-Traversal (NAT-T) protocol was developed, which carries ESP over UDP and uses UDP port 4500). It is also worth noting that AH was designed for integrity only: it does not provide confidentiality, since it does not encrypt the contents of the packet.

The ESP (Encapsulation Security Payload) protocol provides not only the integrity and authentication of transmitted data, but also data encryption, as well as protection against packet spoofing.

The ESP protocol is an encapsulating security protocol that provides both integrity and confidentiality. In transport mode, the ESP header is between the original IP header and the TCP or UDP header. In tunnel mode, the ESP header is placed between the new IP header and the fully encrypted original IP packet.

Because both protocols, AH and ESP, add their own headers to the IP packet, each of them has its own protocol number (ID), by which you can determine what follows the IP header. Each protocol, according to IANA (Internet Assigned Numbers Authority, the organization responsible for the address space of the Internet), has its own number (ID). For example, for TCP this number is 6, and for UDP it is 17. Therefore, when working through a firewall, it is very important to configure filters so that packets with the AH and/or ESP protocol ID are allowed through.

Protocol ID 51 is set to indicate that AH is present in the IP header, and 50 for ESP.

ATTENTION: The protocol ID is not the same as the port number.

The IKE (Internet Key Exchange) protocol is a standard IPsec protocol used to secure communication in virtual private networks. The purpose of IKE is the secure negotiation and delivery of keying material for a security association (SA).

SA (Security Association) is the IPSec term for a connection. An established SA, a secure channel also called a "security association", includes a shared secret key and a set of cryptographic algorithms.

The IKE protocol performs three main tasks:

    provides a means of authentication between two VPN endpoints;

    establishes new IPSec connections (creates a pair of SAs);

    manages existing relationships.

IKE uses UDP port number 500. When using the NAT Traversal feature, as mentioned earlier, the IKE protocol uses UDP port number 4500.

Data exchange in IKE occurs in two phases. In the first phase, the IKE SA is established. At the same time, the endpoints of the channel are authenticated and data protection parameters are selected, such as the encryption algorithm, session key, etc.

In the second phase, the IKE SA is used to negotiate the SAs of the data protection protocol (usually IPSec).

With a configured VPN tunnel, one SA pair is created for each protocol used. SAs are created in pairs, as each SA is a unidirectional connection, and data must be sent in two directions. The received SA pairs are stored on each node.

Since each node is capable of establishing multiple tunnels with other nodes, each SA has a unique number that allows you to determine which tunnel it belongs to. This number is called the SPI (Security Parameter Index).

SAs are stored in a database called the SAD (Security Association Database).

Each IPSec node also has a second database, the SPD (Security Policy Database). It contains the configured host policy. Most VPN solutions allow you to create multiple policies with combinations of suitable algorithms for each host you want to connect to.

The flexibility of IPSec lies in the fact that for each task there are several ways to solve it, and the methods chosen for one task are usually independent of the methods for implementing other tasks. However, the IETF Working Group has defined a core set of supported features and algorithms that must be implemented in the same way across all IPSec-enabled products. The AH and ESP mechanisms can be used with various authentication and encryption schemes, some of which are mandatory. For example, IPSec specifies that packets are authenticated using either the MD5 one-way function or the SHA-1 one-way function, and encryption is done using the DES algorithm. Manufacturers of products that run IPSec may add other authentication and encryption algorithms. For example, some products support encryption algorithms such as 3DES, Blowfish, Cast, RC5, etc.

Any symmetric encryption algorithm that uses secret keys can be used to encrypt data in IPSec.

Stream protection protocols (AH and ESP) can operate in two modes - in transport mode and in tunnel mode. When operating in transport mode, IPsec only deals with transport layer information; only the data field of the packet containing the TCP / UDP protocols is encrypted (the header of the IP packet is not changed (not encrypted)). Transport mode is typically used to establish a connection between hosts.

Tunnel mode encrypts the entire IP packet, including the network layer header. In order for it to be transmitted over the network, it is placed in another IP packet. Essentially, this is a secure IP tunnel. Tunnel mode can be used to connect remote computers to a virtual private network (the "host-network" connection scheme) or to organize secure data transfer over open communication channels (for example, the Internet) between gateways that combine different parts of a virtual private network (the "network-network" connection scheme).

IPsec modes are not mutually exclusive. On the same host, some SAs may use transport mode, while others may use tunnel mode.

During the authentication phase, the ICV (Integrity Check Value) of the packet is calculated. It is assumed that both nodes know the secret key, which allows the recipient to calculate the ICV and compare it with the value sent by the sender. If the ICV comparison is successful, the sender of the packet is considered authenticated.

In AH transport mode, the following are included in the ICV calculation:

    the entire IP header, except for the fields that can change in transit. These fields, which are treated as zero for the ICV calculation, are the Type of Service (TOS), flags, fragment offset, time to live (TTL), and header checksum;

    all fields in AH;

    the IP packet payload.

AH in transport mode protects the IP header (except for fields that are allowed to change) and the payload in the original IP packet (Figure 3.39).

In tunnel mode, the original packet is placed in a new IP packet, and data transfer is performed based on the header of the new IP packet.

For AH tunnel mode, the following components are included in the ICV calculation:

    all fields in the outer IP header, except for the fields that can change in transit. These fields, which are treated as zero for the ICV calculation, are the Type of Service (TOS), flags, fragment offset, time to live (TTL), and header checksum;

    all fields in AH;

    the original IP packet.

As you can see in the following illustration, AH tunnel mode protects the entire source IP packet with an additional outer header that AH transport mode does not use:

Fig. 6.10. Tunnel and transport modes of operation of the AH protocol
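As an added example (not code from the original chapter), the AH transport-mode ICV described above, computed with HMAC-SHA1-96 over a constructed IPv4 header whose mutable fields are zeroed; it also shows why a NAT address rewrite breaks AH while a TTL decrement does not. The key, addresses and payload are constructed sample values.

```python
import hmac
import hashlib
import socket
import struct

AH_PROTO = 51           # IP protocol number for AH
ICV_LEN = 12            # HMAC-SHA1-96 keeps 96 bits of the 160-bit SHA-1 MAC
AH_LEN = 12 + ICV_LEN   # next header, payload len, reserved, SPI, seq (12 bytes) + ICV
AH_PAYLOAD_LEN = AH_LEN // 4 - 2   # AH length in 32-bit words minus 2 (RFC 2402)


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Constructed 20-byte IPv4 header without options. The header checksum is left
    as 0 here: it is a mutable field, so the ICV treats it as zero anyway."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, total_len, 0x1234, 0x4000,   # ver/IHL, TOS, length, id, DF flag
                       ttl, proto, 0,                       # TTL, protocol, checksum
                       socket.inet_aton(src), socket.inet_aton(dst))


def zero_mutable_fields(ip_hdr: bytes) -> bytes:
    """The fields the text lists as changeable in transit are set to 0 for the ICV."""
    h = bytearray(ip_hdr)
    h[1] = 0                    # Type of Service
    h[6:8] = b"\x00\x00"        # flags + fragment offset
    h[8] = 0                    # TTL
    h[10:12] = b"\x00\x00"      # header checksum
    return bytes(h)


def ah_protect(src, dst, payload, next_header, spi, seq, key, ttl=64):
    """Build an IP packet protected by AH in transport mode (IP | AH | payload)."""
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + AH_LEN + len(payload), ttl)
    ah_fixed = struct.pack("!BBHII", next_header, AH_PAYLOAD_LEN, 0, spi, seq)
    # ICV covers: IP header (mutable fields zeroed) + all AH fields (ICV zeroed) + payload
    covered = zero_mutable_fields(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return ip_hdr + ah_fixed + hmac_sha1_96(key, covered) + payload


def ah_verify(packet: bytes, key: bytes) -> bool:
    ip_hdr, ah, payload = packet[:20], packet[20:20 + AH_LEN], packet[20 + AH_LEN:]
    if ip_hdr[9] != AH_PROTO:
        return False
    covered = zero_mutable_fields(ip_hdr) + ah[:12] + bytes(ICV_LEN) + payload
    return hmac.compare_digest(hmac_sha1_96(key, covered), ah[12:])


KEY = b"constructed-demo-key"                                  # constructed sample key
PAYLOAD = b"\x04\xd2\x00\x35\x00\x18\x00\x00constructed-udp"   # constructed UDP datagram


def make_packet() -> bytes:
    return ah_protect("192.168.1.10", "192.168.3.20", PAYLOAD, 17, 0x1001, 1, KEY)


def survives_ttl_decrement() -> bool:
    pkt = bytearray(make_packet())
    pkt[8] -= 1                                   # a router decrements TTL: still verifies
    return ah_verify(bytes(pkt), KEY)


def survives_nat_rewrite() -> bool:
    pkt = bytearray(make_packet())
    pkt[12:16] = socket.inet_aton("203.0.113.7")  # NAT rewrites the source address
    return ah_verify(bytes(pkt), KEY)


def survives_payload_tamper() -> bool:
    pkt = bytearray(make_packet())
    pkt[-1] ^= 0x01                               # one bit of payload flipped in transit
    return ah_verify(bytes(pkt), KEY)


if __name__ == "__main__":
    print("unmodified:", ah_verify(make_packet(), KEY))
    print("after TTL decrement:", survives_ttl_decrement())
    print("after NAT rewrite:", survives_nat_rewrite())
    print("after payload tamper:", survives_payload_tamper())
```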

ESP in transport mode does not authenticate the entire packet, but only protects the IP payload. The ESP header in ESP transport mode is added to the IP packet immediately after the IP header, and the ESP trailer is added after the data.

The ESP transport mode encrypts the following parts of the packet:

    IP payload.

An encryption algorithm that uses the Cipher Block Chaining (CBC) mode has an unencrypted field between the ESP header and the payload. This field is the IV (Initialization Vector) for the CBC computation performed by the receiver. Since this field is used to start the decryption process, it cannot be encrypted. Even though an attacker can see the IV, there is no way to decrypt the encrypted part of the packet without the encryption key. To prevent attackers from changing the initialization vector, it is protected by the ICV. In this case, the ICV is calculated over:

    all fields in the ESP header;

    payload including plaintext IV;

    all fields in the ESP Trailer except for the authentication data field.

ESP tunnel mode encapsulates the entire original IP packet in a new IP header, an ESP header, and an ESP trailer. To indicate that ESP is present, the protocol identifier in the new IP header is set to 50, leaving the original IP header and payload unchanged. As with AH tunnel mode, the outer IP header is based on the IPSec tunnel configuration. In ESP tunnel mode, the authenticated area of the IP packet shows what the signature covers, certifying its integrity and authenticity, and the encrypted part shows what information is protected and confidential. The original header is placed after the ESP header. After the encrypted part is encapsulated in a new, unencrypted tunnel header, the IP packet is transmitted. When sent over a public network, such a packet is routed to the IP address of the receiving network's gateway; the gateway decrypts the packet, discards the ESP header, and uses the original IP header to route the packet to a computer on the internal network. ESP tunnel mode encrypts the following parts of the packet:

    the original IP packet.

For ESP tunnel mode, the ICV is calculated over:

    all fields in the ESP header;

    the original IP packet, including the plaintext IV;

    all fields in the ESP trailer except for the authentication data field.

Fig. 6.11. Tunnel and transport modes of the ESP protocol

Fig. 6.12. Comparison of the ESP and AH protocols
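An added example, not part of the original chapter: ESP transport-mode encapsulation and decapsulation using the NULL encryption algorithm (RFC 2410) with HMAC-SHA1-96, showing the ESP header and trailer layout, the ICV coverage described above (everything but the authentication data), and a sliding anti-replay window over the ESP sequence number. The IP header, key and payload are constructed sample values; with NULL encryption the "encrypted" bytes are the plaintext, which keeps the structure visible.

```python
import hmac
import hashlib
import struct

ESP_PROTO = 50      # IP protocol number for ESP
ICV_LEN = 12        # HMAC-SHA1-96

# Constructed IPv4 header: 192.168.1.10 -> 192.168.3.20, protocol UDP (17), TTL 64,
# total length still 0 (esp_encapsulate fills it in).
IP_HDR = bytes.fromhex("4500" "0000" "1234" "4000" "40" "11" "0000" "c0a8010a" "c0a80314")
KEY = b"constructed-demo-key"           # constructed sample key
PAYLOAD = b"constructed UDP datagram"   # 24 bytes


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def esp_encapsulate(ip_hdr, payload, next_header, spi, seq, key):
    """Transport mode: IP | ESP header | payload | padding | pad len | next hdr | ICV."""
    pad_len = (-(len(payload) + 2)) % 4       # pad so pad-len + next-header end 32-bit aligned
    padding = bytes(range(1, pad_len + 1))    # RFC 2406 default pad pattern 1, 2, 3, ...
    esp_header = struct.pack("!II", spi, seq)
    esp_trailer = padding + bytes([pad_len, next_header])
    authenticated = esp_header + payload + esp_trailer   # ICV covers all of this, not itself
    icv = hmac_sha1_96(key, authenticated)
    hdr = bytearray(ip_hdr)
    hdr[9] = ESP_PROTO                                         # "ESP follows this header"
    hdr[2:4] = struct.pack("!H", 20 + len(authenticated) + ICV_LEN)
    return bytes(hdr) + authenticated + icv


class ReplayWindow:
    """Sliding anti-replay window keyed on the ESP sequence number (RFC 2401, App. C)."""

    def __init__(self, size: int = 32):
        self.size, self.last, self.bitmap = size, 0, 0   # bit i set => seq (last - i) seen

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False                       # sequence numbers start at 1
        if seq > self.last:                    # newer than anything seen: slide the window
            shift = seq - self.last
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last = seq
            return True
        diff = self.last - seq
        if diff >= self.size or self.bitmap & (1 << diff):
            return False                       # too old, or already received (replay)
        self.bitmap |= 1 << diff
        return True


def esp_decapsulate(packet, key, window):
    """Verify ICV first, then replay, then strip the ESP trailer. Returns (spi, seq, next_header, payload)."""
    if packet[9] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    body, icv = packet[20:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(hmac_sha1_96(key, body), icv):
        raise ValueError("ICV mismatch: packet modified in transit")
    spi, seq = struct.unpack("!II", body[:8])
    if not window.accept(seq):
        raise ValueError("replayed or out-of-window sequence number %d" % seq)
    pad_len, next_header = body[-2], body[-1]
    payload_end = len(body) - 2 - pad_len
    if body[payload_end:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad ESP padding")
    return spi, seq, next_header, body[8:payload_end]


def round_trip():
    pkt = esp_encapsulate(IP_HDR, PAYLOAD, 17, 0x2002, 1, KEY)
    return esp_decapsulate(pkt, KEY, ReplayWindow())


def replay_is_rejected() -> bool:
    window = ReplayWindow()
    pkt = esp_encapsulate(IP_HDR, PAYLOAD, 17, 0x2002, 7, KEY)
    esp_decapsulate(pkt, KEY, window)          # first delivery is accepted
    try:
        esp_decapsulate(pkt, KEY, window)      # identical packet again: replay
    except ValueError:
        return True
    return False


def window_decisions(seqs):
    """Accept/reject decisions for a sequence of ESP sequence numbers on one SA."""
    window = ReplayWindow()
    return [window.accept(s) for s in seqs]
```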

Summary of IPSec configuration parameters (alternatives in parentheses):

    Protocol - ESP (AH).

    Mode - tunnel (transport).

    Key exchange method - IKE (manual).

    IKE mode - main (aggressive).

    DH group - group 5 (group 2, group 1): the Diffie-Hellman group used to derive dynamically created session keys; the group number determines the key length.

    Authentication - SHA1 (SHA, MD5).

    Encryption - DES (3DES, Blowfish, AES).

When creating a policy, it is usually possible to create an ordered list of algorithms and Diffie-Hellman groups. Diffie-Hellman (DH) is a key exchange protocol used to establish shared secret keys for IKE, IPSec, and PFS (Perfect Forward Secrecy). The first position that matches on both nodes will be used. It is very important that the security policy allows such a match to be reached: if everything matches except one part of the policy, the hosts will still not be able to establish a VPN connection. When setting up a VPN tunnel between different systems, you need to find out which algorithms each side supports, so that you can choose the most secure policy possible.

The main settings that the security policy includes:

    Symmetric algorithms for data encryption/decryption.

    Cryptographic checksums to check data integrity.

    Node identification method. The most common methods are pre-shared secrets or CA certificates.

    Whether to use tunnel mode or transport mode.

    Which Diffie-Hellman group to use (DH group 1 (768-bit); DH group 2 (1024-bit); DH group 5 (1536-bit)).

    Whether to use AH, ESP, or both.

    Whether to use PFS.

A limitation of IPSec is that it only supports data transfer at the IP protocol layer.

There are two main schemes for using IPSec, differing in the role of the nodes that form the secure channel.

In the first scheme, a secure channel is formed between the end hosts of the network. In this scheme, the IPSec protocol protects the host on which it is running:

Fig. 6.13. Creating a secure channel between two endpoints

In the second scheme, a secure channel is established between two Security Gateways. These gateways receive data from end hosts connected to networks behind the gateways. The end hosts in this case do not support the IPSec protocol, the traffic directed to the public network passes through the security gateway, which performs protection on its own behalf.

Fig. 6.14. Creating a secure channel between two gateways

For hosts that support IPSec, both transport mode and tunnel mode can be used. For gateways, only tunnel mode is allowed.

Establishing and maintaining a VPN

As mentioned above, establishing and maintaining a VPN tunnel is a two-phase process. In the first phase, the two nodes agree on an identification method, an encryption algorithm, a hash algorithm, and a Diffie-Hellman group. They also identify each other. All this can happen through an exchange of three unencrypted messages (so-called Aggressive mode) or six messages, with the identification information exchanged in encrypted form (standard mode, Main mode).

In the Main Mode, it is possible to negotiate all the configuration parameters of the sender and recipient devices, while in the Aggressive Mode this is not possible, and some parameters (Diffie-Hellman group, encryption and authentication algorithms, PFS) must be pre-configured in the same way on each device. However, in this mode, both the number of exchanges and the number of packets sent are fewer, resulting in less time to establish an IPSec session.

Fig. 6.15. Message exchange in standard (a) and aggressive (b) modes

Assuming the operation completed successfully, a first-phase SA is created (the Phase 1 SA, also called the IKE SA) and the process proceeds to the second phase.

In the second phase, the keying material is generated and the nodes agree on the policy to be used. This mode, also called Quick mode, differs from Phase 1 in that it can only be established after Phase 1, and all Phase 2 packets are encrypted. Successful completion of the second phase produces the Phase 2 SA, or IPSec SA, and with this the establishment of the tunnel is considered complete.

First, a packet arrives at the node with a destination address on another network, and the node initiates the first phase with the node that is responsible for the other network. Let's say the tunnel between the nodes has been successfully established and is waiting for packets. However, nodes need to re-identify each other and compare policies after a certain period of time. This period is called the Phase One lifetime or IKE SA lifetime.

Nodes must also change the key to encrypt data after a period of time called the Phase Two or IPSec SA lifetime.

The Phase Two lifetime is shorter than that of the first phase, because the key needs to be changed more often. You need to set the same lifetime parameters on both nodes. If you do not, it is possible that the tunnel will initially be established successfully, but the connection will be interrupted after the first mismatched lifetime expires. Problems can also arise when the lifetime of the first phase is shorter than that of the second phase. If a previously working tunnel stops working, the first thing to check is the lifetimes on both nodes.
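An added example (not the chapter's own material) covering two points made above: selecting the first entry of an ordered policy list that matches on both nodes, where a mismatch in any single parameter means no match, and checking the Phase 1 / Phase 2 lifetime consistency that the text says to verify first when a tunnel stops working. The policy entries and lifetimes are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Proposal:
    """One entry of a node's ordered security policy list."""
    protocol: str      # "ESP" or "AH"
    mode: str          # "tunnel" or "transport"
    encryption: str    # "AES", "3DES", "DES", "Blowfish", "NULL"
    integrity: str     # "SHA1" or "MD5"
    dh_group: int      # 1 (768-bit), 2 (1024-bit), 5 (1536-bit)
    pfs: bool


def negotiate(initiator: List[Proposal], responder: List[Proposal]) -> Optional[Proposal]:
    """Return the first initiator entry that the responder also lists (every field
    must agree; frozen dataclasses compare field by field), or None if no match."""
    accepted = set(responder)
    for proposal in initiator:
        if proposal in accepted:
            return proposal
    return None


def lifetime_problems(local: dict, remote: dict) -> List[str]:
    """local/remote: {'ike': seconds, 'ipsec': seconds}. Reports the two misconfigurations
    the text describes: lifetimes differing between nodes, and a Phase 2 (IPsec SA)
    lifetime that is not shorter than the Phase 1 (IKE SA) lifetime."""
    problems = []
    for phase in ("ike", "ipsec"):
        if local[phase] != remote[phase]:
            problems.append(f"{phase} SA lifetime differs: local {local[phase]}s, remote {remote[phase]}s")
    for side, lt in (("local", local), ("remote", remote)):
        if lt["ipsec"] >= lt["ike"]:
            problems.append(f"{side}: IPsec SA lifetime ({lt['ipsec']}s) must be shorter than IKE SA lifetime ({lt['ike']}s)")
    return problems


# Constructed sample policies: the local node prefers AES/group 5 with PFS, the remote
# node only offers 3DES/group 2; the second local entry is the first common one.
LOCAL_POLICY = [
    Proposal("ESP", "tunnel", "AES", "SHA1", 5, True),
    Proposal("ESP", "tunnel", "3DES", "SHA1", 2, False),
]
REMOTE_POLICY = [
    Proposal("ESP", "tunnel", "3DES", "MD5", 2, False),
    Proposal("ESP", "tunnel", "3DES", "SHA1", 2, False),
]
# Same as REMOTE_POLICY except the DH group: one differing field, so no tunnel.
REMOTE_POLICY_DH1 = [Proposal("ESP", "tunnel", "3DES", "SHA1", 1, False)]


def demo():
    chosen = negotiate(LOCAL_POLICY, REMOTE_POLICY)
    no_match = negotiate(LOCAL_POLICY, REMOTE_POLICY_DH1)
    issues = lifetime_problems({"ike": 28800, "ipsec": 3600}, {"ike": 28800, "ipsec": 7200})
    return chosen, no_match, issues


if __name__ == "__main__":
    print(demo())
```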

It should also be noted that if you change the policy on one of the nodes, the changes will take effect only at the next onset of the first phase. For the changes to take effect immediately, you must remove the SA for this tunnel from the SAD database. This will force a revision of the agreement between nodes with the new security policy settings.

Sometimes, when setting up an IPSec tunnel between equipment from different manufacturers, there are difficulties in agreeing the parameters of the first phase. Pay attention to the Local ID parameter: it is a unique identifier of the tunnel endpoint (sender and recipient). This is especially important when creating multiple tunnels and when using the NAT Traversal protocol.

Dead peer detection

During VPN operation, if there is no traffic between the endpoints of the tunnel, or if the parameters of the remote node change (for example, a dynamically assigned IP address changes), the tunnel may effectively cease to exist while still appearing to be up, becoming a kind of "ghost" tunnel. To keep the created IPSec tunnel permanently ready for data exchange, the IKE mechanism described in RFC 3706 monitors the presence of traffic from the remote end of the tunnel; if there is none for a set time, a hello message is sent (D-Link firewalls send a "DPD-R-U-THERE" message). If there is no response to this message within a certain time, set in D-Link firewalls by the "DPD Expire Time" setting, the tunnel is torn down. After that, D-Link firewalls automatically attempt to re-establish the tunnel according to the "DPD Keep Time" setting (Fig. 6.18).

NAT Traversal protocol

IPsec traffic can be routed according to the same rules as other IP protocols, but since the router cannot always extract information specific to transport layer protocols, it is impossible for IPsec to pass through NAT gateways. As mentioned earlier, to solve this problem, the IETF has defined a way to encapsulate ESP in UDP, called NAT-T (NAT Traversal).

The NAT Traversal protocol encapsulates IPSec traffic and simultaneously creates UDP packets that NAT forwards correctly. To do this, NAT-T places an additional UDP header before the IPSec packet so that it is treated like a normal UDP packet throughout the network and the recipient host does not perform any integrity checks. After the packet arrives at its destination, the UDP header is removed and the data packet continues on its way as an encapsulated IPSec packet. Thus, using the NAT-T mechanism, it is possible to establish communication between IPSec clients in secure networks and public IPSec hosts through firewalls.
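The encapsulation described above, as an added Python example (not the firewall's code) following the RFC 3948 wire format: an ESP packet gets a UDP header on port 4500, a NAT rewrites only that outer header, and the receiver strips it and tells ESP apart from IKE (zero marker) and keepalives (one 0xFF byte). The SPI, sequence number, ciphertext bytes and the NAT-chosen port are constructed sample values.

```python
"""UDP encapsulation of ESP for NAT traversal, after the RFC 3948 wire format.

Added illustration, not the firewall's code. The SPI, sequence number and
"ciphertext" below are constructed sample values; the NAT rewrite function is
a simplification that only changes the outer UDP source port, which is what
lets the packet cross a NAT like any other UDP datagram.
"""
import struct

NAT_T_PORT = 4500                      # UDP port for NAT-T (IKE and ESP share it)
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # 4 zero bytes that prefix IKE on port 4500
KEEPALIVE_BODY = b"\xff"               # one-byte NAT keepalive that refreshes the NAT mapping
UDP_HEADER = struct.Struct("!HHHH")    # src port, dst port, length, checksum


def udp_datagram(payload: bytes, src_port: int = NAT_T_PORT, dst_port: int = NAT_T_PORT) -> bytes:
    """Prepend a UDP header; checksum 0 is permitted for UDP over IPv4 and RFC 3948 uses it."""
    return UDP_HEADER.pack(src_port, dst_port, UDP_HEADER.size + len(payload), 0) + payload


def encapsulate_esp(spi: int, seq: int, esp_ciphertext: bytes) -> bytes:
    """Wrap an ESP packet (SPI, sequence number, already-encrypted body) in UDP."""
    if spi == 0:
        # An SPI of zero would be indistinguishable from the non-ESP marker, so it is never used.
        raise ValueError("ESP SPI 0 is reserved")
    return udp_datagram(struct.pack("!II", spi, seq) + esp_ciphertext)


def encapsulate_ike(ike_message: bytes) -> bytes:
    """IKE on port 4500 carries a zero marker so the receiver can tell it apart from ESP."""
    return udp_datagram(NON_ESP_MARKER + ike_message)


def keepalive() -> bytes:
    """Empty-looking datagram sent periodically so the NAT keeps the UDP mapping open."""
    return udp_datagram(KEEPALIVE_BODY)


def nat_rewrite(datagram: bytes, new_src_port: int) -> bytes:
    """Model what a NAT does: rewrite only the outer UDP source port, leave the payload alone."""
    _, dst_port, length, _ = UDP_HEADER.unpack_from(datagram)
    return UDP_HEADER.pack(new_src_port, dst_port, length, 0) + datagram[UDP_HEADER.size:]


def decapsulate(datagram: bytes):
    """Strip the UDP header and classify the inner content as ESP, IKE or keepalive.

    Returns ("esp", (spi, seq, ciphertext)), ("ike", message) or ("keepalive", b"").
    """
    _, _, length, _ = UDP_HEADER.unpack_from(datagram)
    if length != len(datagram):
        raise ValueError("UDP length field does not match datagram size")
    body = datagram[UDP_HEADER.size:]
    if body == KEEPALIVE_BODY:
        return ("keepalive", b"")
    if body[:4] == NON_ESP_MARKER:
        return ("ike", body[4:])
    if len(body) < 8:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack("!II", body[:8])
    return ("esp", (spi, seq, body[8:]))


if __name__ == "__main__":
    # Constructed sample: SPI 0x1234abcd, sequence 7, opaque ciphertext bytes.
    pkt = encapsulate_esp(0x1234ABCD, 7, b"\xde\xad\xbe\xef" * 4)
    crossed_nat = nat_rewrite(pkt, 61234)                 # the NAT picked a new source port
    print(decapsulate(pkt) == decapsulate(crossed_nat))   # True: the ESP inside is untouched
```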

There are two points to note when configuring D-Link firewalls on the receiving device:

    in the Remote Network and Remote Endpoint fields, specify the network and IP address of the remote sending device. Translation of the initiator's (sender's) IP address by NAT must be allowed (Figure 3.48).

    when pre-shared keys are used with several tunnels that connect to the same remote firewall and have been NATted to the same address, make sure that the Local ID is unique for each tunnel.

Local ID can be one of:

    Auto - the IP address of the outgoing traffic interface is used as the local identifier.

    IP - the IP address of the WAN port of the remote firewall.

    DNS - a DNS address.

    Backup of encrypted files

    An important design aspect of any file encryption mechanism is that applications cannot access decrypted data except through the encryption mechanism itself. This limitation is especially important for backup utilities, which store files on archive media. EFS solves this problem by providing a mechanism that lets backup utilities create backup copies of files and restore them in encrypted form. Thus, backup utilities do not need to encrypt or decrypt file data during backup.

    EFS is used when the contents of files at rest must be encrypted. Other mechanisms are used to ensure the secure transfer of files and other data over a network. One of them is the virtual private network.

    A VPN (Virtual Private Network) is a logical network created on top of another network, such as the Internet. Although communication is carried out over public networks using insecure protocols, encryption creates channels of information exchange that are closed to outsiders. A VPN makes it possible, for example, to combine several offices of an organization into a single network using uncontrolled channels for communication between them.

    In Microsoft Windows the term "VPN" refers to one particular implementation of a virtual network, PPTP, which is often used for purposes other than creating private networks. Most often a virtual network is created by encapsulating the PPP protocol in some other protocol, IP or Ethernet (PPPoE). Recently VPN technology has been used not only to create private networks as such, but also by some "last mile" providers to provide Internet access.

    A VPN consists of two parts: an "internal" (controlled) network, of which there may be several, and an "external" network through which the encapsulated connection passes (usually the Internet). A separate computer can also be connected to the virtual network. A remote user connects to the VPN through an access server that is connected to both the internal and the external (public) network. When a remote user connects (or when a connection to another secure network is established), the access server requires the identification process to be completed, followed by authentication. After both processes succeed, the remote user (or remote network) is granted the rights to work on the network, that is, authorization takes place.



    VPN classification

    VPN solutions can be classified according to several main parameters:

    1. By type of medium used

    Secure

    The most common type of virtual private network. It makes it possible to create a reliable and secure subnetwork on top of an unreliable network, usually the Internet. Examples of secure VPNs: IPSec, OpenVPN, and PPTP.

    Trusted

    Used where the transmission medium can be considered reliable and only the problem of creating a virtual subnetwork within a larger network needs to be solved; security issues then become irrelevant. Examples of such VPN solutions: Multi-protocol label switching (MPLS) and L2TP (Layer 2 Tunnelling Protocol). (It is more correct to say that these protocols shift the task of providing security to others; for example, L2TP is usually used together with IPSec.)

    2. By method of implementation

    · As special software and hardware

    The VPN is implemented with a special set of software and hardware. This implementation provides high performance and, as a rule, a high degree of security.

    · As a software solution

    A personal computer with special software providing VPN functionality is used.

    · As an integrated solution

    VPN functionality is provided by a system that also filters network traffic, acts as a firewall, and ensures quality of service.

    3. By purpose

    Used to combine several distributed branches of one organization, which exchange data over open communication channels, into a single secure network.

    Remote Access VPN

    Used to create a secure channel between a corporate network segment (central office or branch) and a single user who connects to corporate resources from a home computer while working at home, or from a laptop while on a business trip.

    Used for networks to which "external" users connect. Trust in them is much lower than in the company's own employees, so special "frontiers" of protection are required that limit such users' access to especially valuable, confidential information.

    4. By type of protocol

    There are implementations of virtual private networks for TCP/IP, IPX and AppleTalk. Today, however, the trend is a general transition to the TCP/IP protocol, and the vast majority of VPN solutions support it.

    5. By network protocol layer

    Classified by network protocol layer according to the layers of the ISO/OSI network reference model.

    Test questions

    1. What happens when you first encrypt an EFS file?

    2. How does EFS solve the problem of backing up encrypted files?

    3. What encryption algorithms are used in EFS?

    4. What is a VPN used for?

    5. How are VPNs classified by purpose?


    Lecture 8

    INTEGRITY CONTROL MECHANISMS
    IN WINDOWS FAMILY OS

    Integrity control mechanisms appeared in the latest version of MS Windows, Vista.

    The concept of private virtual networks, abbreviated VPN (from the English Virtual Private Network), appeared in computer technology recently. Connections of this type made it possible to combine computer terminals and mobile devices into virtual networks without the usual wires, regardless of where a particular terminal is located. Let us now look at how a VPN connection works and at the same time give some recommendations for setting up such networks and the related client programs.

    What is a VPN?

    As is already understood, a VPN is a virtual private network with several devices connected to it. Do not flatter yourself: connecting two or three dozen simultaneously working computer terminals, as can be done in a local network, usually does not work. There are limitations in the network setup, or simply in the bandwidth of the router responsible for assigning IP addresses and

    However, the idea originally embedded in this connection technology is not new. Attempts to substantiate it have been made for a long time. And many modern users of computer networks do not even realize that they have known about it all their lives, but simply never tried to get to the heart of the matter.

    How a VPN connection works: basic principles and technologies

    For a better understanding, take the simplest example known to any modern person: the radio. In essence it consists of a transmitting device (transmitter), an intermediate unit (relay) responsible for transmitting and distributing the signal, and a receiving device (receiver).

    The difference is that the radio signal is broadcast to absolutely all consumers, while a virtual network works selectively, combining only certain devices into one network. Note that in neither case are wires required to connect the transmitting and receiving devices that exchange data with each other.

    But even here there are subtleties. Initially the radio signal was unprotected, that is, it could be received by any radio amateur with a working device on the appropriate frequency. How does a VPN work? Exactly the same way. Only here the role of the repeater is played by the router (or ADSL modem), and the role of the receiver by a desktop computer terminal, laptop or mobile device equipped with a wireless (Wi-Fi) module.

    With all this, the data coming from the source is first encrypted, and only then, using a special decoder, reproduced on the specific device. This principle of communication over a VPN is called tunneling. It is most similar to a mobile connection, where redirection occurs to a specific subscriber.

    Tunneling local virtual networks

    Let us understand how a VPN works in tunnel mode. In essence, it involves creating a kind of straight line, say from point "A" to point "B", where, when data is transferred from a central source (a router with a server connection), all network devices are identified automatically according to a predetermined configuration.

    In other words, a tunnel is created with encoding on sending and decoding on receiving. As a result, no other user who tries to intercept data of this type in transit will be able to decrypt it.

    Means of implementation

    Among the most powerful tools for this kind of connection, and at the same time for security, are Cisco systems. Still, some inexperienced administrators ask why Cisco VPN equipment does not work.

    This is primarily due to incorrect configuration and installed drivers for routers such as D-Link or ZyXEL, which require fine tuning simply because they have built-in firewalls.

    In addition, pay attention to the connection diagrams. There can be two: route-to-route or remote access. In the first case we are talking about joining several distribution devices, and in the second about managing the connection or data transfer via remote access.

    Access protocols

    As for protocols, TCP/IP-level configuration tools are mostly used today, although the internal protocols for VPNs may vary.

    VPN stopped working? Look at some hidden options. For example, the additional TCP-based protocols PPP and PPTP still belong to the TCP/IP protocol stack, but for a connection using PPTP, say, two IP addresses must be used instead of the one normally required. In any case, tunneling involves transferring data wrapped in internal protocols such as IPX or NetBEUI, all of which are given special PPP-based headers so that the data can be seamlessly passed to the appropriate network driver.

    Hardware devices

    Now let us consider the situation when the question arises of why the VPN does not work. It is understandable that the problem may be related to incorrect hardware configuration. But there may be another situation.

    Pay attention to the routers themselves, which control the connection. As mentioned above, use only devices whose parameters are suitable for the connection.

    For example, routers such as the DI-808HV or DI-804HV can connect up to forty devices simultaneously. As for ZyXEL equipment, in many cases it can even work through the built-in ZyNOS network operating system, but only in command-line mode over the Telnet protocol. This approach makes it possible to configure any device with data transfer to three networks in a common Ethernet environment with IP traffic, and to use the unique Any-IP technology, which uses a standard router table with forwarded traffic as a gateway for systems originally configured to work on other subnets.

    What to do if VPN does not work (Windows 10 and below)?

    The very first and most important condition is that the keys on the two sides (the Pre-shared Keys) correspond: they must be identical at both ends of the tunnel. Also pay attention to the cryptographic encryption algorithms (IKE or Manual), with or without an authentication function.

    For example, the AH protocol (Authentication Header) can provide only authentication, without the possibility of using encryption.

    VPN clients and their configuration

    VPN clients are not all that simple either. Most programs based on such technologies use standard configuration methods. However, there are some pitfalls.

    The problem is that no matter how you install the client, if the service is turned off in the OS itself, nothing good will come of it. That is why you must first enable these settings in Windows, then enable them on the router, and only then configure the client itself.

    In the system itself you will have to create a new connection rather than use an existing one. We will not dwell on this, since the procedure is standard, but on the router itself you will have to go into the additional settings (most often located in the WLAN Connection Type menu) and activate everything related to the VPN server.

    Note also that the client will have to be installed in the system as a companion program. After that it can be used even without manual configuration, simply by choosing the nearest location.

    One of the most popular and easiest-to-use VPN client-server packages is SecurityKISS. Once it is installed, you do not even need to go into the settings to ensure normal communication for all devices connected to the distributor.

    It also happens that the fairly well-known and popular Kerio VPN Client does not work. Here you will have to pay attention not only to the OS itself but also to the client program's parameters. As a rule, entering the correct parameters solves the problem. As a last resort, check the settings of the main connection and the TCP/IP protocols used (v4/v6).

    What is the result?

    We have covered how a VPN works. In principle, there is nothing complicated in the connection itself or in creating networks of this type. The main difficulties lie in setting up specific equipment and its parameters, which, unfortunately, many users overlook, relying on the whole process being automatic.

    On the other hand, we have dealt here mainly with the technology of VPN virtual networks themselves, so configuring equipment, installing device drivers and so on will have to be done using separate instructions and recommendations.

    In addition to its main purpose, increasing the throughput of network connections, a switch makes it possible to localize information flows and to control and manage these flows using the mechanism of custom filters. However, a user filter can only prevent frames from being transmitted to specific addresses, while broadcast traffic is still transmitted to all network segments. This is how the bridge algorithm implemented in the switch works, which is why networks built on bridges and switches are sometimes called flat: there are no barriers to broadcast traffic.

    The technology of virtual local area networks (Virtual LAN, VLAN), introduced a few years ago, overcomes this limitation. A virtual network is a group of network nodes whose traffic, including broadcast traffic, is completely isolated from other nodes at the data link layer (see Figure 1). This means that direct frame transfer between different virtual networks is impossible, regardless of the address type: unicast, multicast or broadcast. Within the virtual network, frames are transmitted according to switching technology, i.e., only to the port to which the frame's destination address is assigned.

    Virtual networks can overlap if one or more computers are included in more than one virtual network. In Figure 1, the e-mail server is part of virtual networks 3 and 4, so its frames are transmitted by the switches to all computers in these networks. If a computer is assigned only to virtual network 3, its frames will not reach network 4, but it can interact with network 4 computers through the shared mail server. This scheme does not completely isolate the virtual networks from each other: a broadcast storm initiated by the e-mail server will flood both network 3 and network 4.

    The virtual network is said to form a broadcast domain, by analogy with the collision domain formed by the repeaters of Ethernet networks.

    VLAN ASSIGNMENT

    VLAN technology makes it easy to create isolated networks that communicate through routers supporting a network layer protocol such as IP. This solution creates much stronger barriers to erroneous traffic passing from one network to another. Today it is believed that any large network must include routers; otherwise streams of erroneous frames, broadcasts in particular, passing through switches that are transparent to them, will periodically "flood" it entirely, rendering it inoperable.

    Virtual network technology provides a flexible basis for building a large network connected by routers, since switches make it possible to create completely isolated segments programmatically, without resorting to physical re-cabling.

    Before VLAN technology appeared, a separate network was deployed either on physically isolated pieces of coaxial cable or on unconnected segments built from repeaters and bridges. The networks were then combined through routers into a single composite network (see Figure 2).

    Changing the composition of the segments (moving a user to another network, splitting large segments) with this approach meant physically reconnecting connectors on the front panels of repeaters or in patch panels, which is inconvenient in large networks: the work is very laborious and the probability of error is high. Therefore, to eliminate the need for physically re-patching nodes, multi-segment hubs came into use, so that the composition of a shared segment could be reprogrammed without physical re-patching.

    However, changing the composition of segments using hubs places great restrictions on the network structure: the number of segments in such a repeater is usually small, and it is unrealistic to allocate each node its own, as can be done with a switch. In addition, with this approach all the work of transferring data between segments falls on the routers, while the switches, with their high performance, remain "out of work". Thus, configuration-switched repeater-based networks still share the medium among a large number of nodes and therefore have much lower performance than switch-based networks.

    When virtual network technology is used in switches, two tasks are solved at once:

    • improved performance in each of the virtual networks, since the switch sends frames only to the destination host;
    • isolation of the networks from each other, to manage user access rights and to create protective barriers against broadcast storms.

    Combining virtual networks into a common network is performed at the network layer, by a separate router or by the switch's software. In the latter case the switch becomes a combined device, the so-called layer 3 switch.

    For a long time the technology for forming and operating virtual networks with switches was not standardized, although it was implemented in a very wide range of switch models from different manufacturers. The situation changed after the adoption in 1998 of the IEEE 802.1Q standard, which defines the basic rules for building virtual local networks regardless of which link layer protocol the switch supports.

    Because a VLAN standard was absent for so long, each major switch company developed its own virtual network technology, which, as a rule, is incompatible with those of other manufacturers. Therefore, despite the appearance of the standard, it is not uncommon for virtual networks created on switches from one vendor to go unrecognized and, accordingly, unsupported by switches from another.

    CREATING A VLAN ON THE BASIS OF A SINGLE SWITCH

    When virtual networks are created on a single switch, the port grouping mechanism is usually used (see Figure 3): each port is assigned to one virtual network or another. A frame received on a port belonging to, say, virtual network 1 will never be transmitted to a port that is not part of it. A port can be assigned to several virtual networks, although this is rarely done in practice, because the effect of complete isolation of the networks disappears.

    Grouping the ports of one switch is the most logical way to form a VLAN, since in this case there cannot be more virtual networks than ports. If a repeater is connected to some port, there is no point in placing the nodes of that segment in different virtual networks: their traffic will be shared anyway.

    This approach does not require a large amount of manual work from the administrator: it is enough to assign each port to one of several pre-named virtual networks. This is usually done with a special program supplied with the switch; the administrator creates virtual networks by dragging port icons onto network icons.

    Another way to form virtual networks is based on MAC address grouping. Each MAC address known to the switch is assigned to one virtual network or another. If the network has many nodes, the administrator will have to perform many manual operations. However, when virtual networks are built on several switches, this method is more flexible than port grouping.

    CREATING A VLAN BASED ON MULTIPLE SWITCHES

    Figure 4 illustrates the situation that occurs when virtual networks are created on several switches through port trunking. If the nodes of a virtual network are connected to different switches, a separate pair of ports must be allocated to connect the switches for each such network; otherwise, information about which virtual network a frame belongs to is lost when it passes from switch to switch. Thus, the port trunking method requires as many ports to connect the switches as there are VLANs they support, which is a very wasteful use of ports and cables. In addition, for the virtual networks to interact through a router, each network requires a separate cable and a separate router port, which also leads to high overhead.

    Grouping MAC addresses into a virtual network on each switch eliminates the need to connect the switches through multiple ports, because here the MAC address itself serves as the virtual network's label. However, this method requires a great deal of manual MAC address tagging on every switch in the network.

    The two approaches described rely only on adding information to the bridge's address tables and do not include information about a frame's virtual network membership in the transmitted frame itself. Other approaches use existing or additional frame fields to record the frame's membership as it moves between network switches, which also removes the need for each switch to remember which virtual networks the MAC addresses of other switches' nodes belong to.

    The additional field carrying the virtual network number is used only when the frame is sent from switch to switch, and is usually removed when the frame is sent to an end node. In this case the switch-to-switch interaction protocol is modified, while the software and hardware of the end nodes remain unchanged. There are many examples of such proprietary protocols, but they share one drawback: they are not supported by other manufacturers. Cisco proposed the 802.10 protocol header, intended to support security features of computer networks, as a standard addition to frames of any LAN protocol; the company itself uses this method when switches are interconnected over FDDI. However, this initiative was not supported by other leading switch manufacturers.

    To store the virtual network number, the IEEE 802.1Q standard provides an additional two-byte header that is used together with the 802.1p protocol. In addition to the three bits that store the frame's priority value, as described by the 802.1p standard, 12 bits of this header store the number of the virtual network to which the frame belongs. This additional information is called the virtual network tag (VLAN TAG) and lets switches from different manufacturers create up to 4096 shared virtual networks. Such a frame is called "tagged". The length of a tagged Ethernet frame increases by 4 bytes, because in addition to the two bytes of the tag itself two more bytes are added. The structure of the tagged Ethernet frame is shown in Figure 5. When the 802.1p/Q header is added, the data field is reduced by two bytes.

    Figure 5. The structure of the tagged Ethernet frame.
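The tag layout described above, as an added Python example (not code from the article): a 2-byte tag protocol identifier (0x8100) plus a 2-byte tag control field holding the 3 priority bits and the 12-bit virtual network number are inserted after the source address, so the frame grows by 4 bytes; the example also strips the tag again, as a switch does before delivering to an untagged end node. The MAC addresses, EtherType and payload are constructed sample values.

```python
"""Building and parsing an 802.1Q-tagged Ethernet frame (added illustration).

Not code from the article. The MAC addresses, EtherType and payload are
constructed sample values. The tag is 4 bytes on the wire: a 2-byte tag
protocol identifier (0x8100) followed by the 2-byte tag control information
(3 bits 802.1p priority, 1 drop-eligible bit, 12 bits VLAN number).
"""
import struct
from typing import Dict, Optional

TPID_8021Q = 0x8100       # EtherType value that announces "a VLAN tag follows"
ETHERTYPE_IPV4 = 0x0800
VID_MAX = 4095            # 12 bits give 4096 values; 0 and 4095 are reserved, 1..4094 usable


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged frame: dst(6) src(6) type(2) payload. The FCS is omitted for simplicity."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses are 6 bytes")
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vid: int, priority: int = 0, dei: int = 0) -> bytes:
    """Insert the 802.1p/Q tag between the source MAC and the original type field."""
    if not 0 <= vid <= VID_MAX:
        raise ValueError("VLAN number must fit in 12 bits")
    if not 0 <= priority <= 7 or dei not in (0, 1):
        raise ValueError("priority is 3 bits, DEI is 1 bit")
    tci = (priority << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame: bytes) -> bytes:
    """What a switch does before sending the frame to an ordinary (tag-unaware) end node."""
    if struct.unpack_from("!H", frame, 12)[0] != TPID_8021Q:
        return frame
    return frame[:12] + frame[16:]


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Decode addresses, optional VLAN tag, EtherType and payload of a frame."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    vlan: Optional[Dict[str, int]] = None
    offset = 14
    if ethertype == TPID_8021Q:
        (tci,) = struct.unpack_from("!H", frame, 14)
        vlan = {"priority": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        (ethertype,) = struct.unpack_from("!H", frame, 16)   # the real type follows the tag
        offset = 18
    return {"dst": dst, "src": src, "vlan": vlan, "ethertype": ethertype, "payload": frame[offset:]}


if __name__ == "__main__":
    plain = build_frame(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
                        ETHERTYPE_IPV4, b"constructed payload")
    tagged = tag_frame(plain, vid=100, priority=5)
    print(len(tagged) - len(plain), parse_frame(tagged)["vlan"])   # 4 {'priority': 5, 'dei': 0, 'vid': 100}
```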

    The advent of the 802.1Q standard made it possible to overcome the differences between proprietary VLAN implementations and achieve compatibility when building virtual local area networks. The VLAN technique is supported by both switch and NIC manufacturers. In the latter case, the NIC can generate and receive tagged Ethernet frames containing the VLAN TAG field. If a network adapter generates tagged frames, it thereby determines which virtual local area network they belong to, and the switch must process them accordingly, i.e., transmit or not transmit them to an output port depending on that port's membership. The network adapter driver obtains the number of its virtual local area network (or networks) from the network administrator (by manual configuration) or from some application running on the node. Such an application can run centrally on one of the network servers and manage the structure of the entire network.

    With VLAN support in network adapters, static configuration by assigning a port to a specific virtual network can be bypassed. However, the static VLAN configuration method remains popular because it allows a structured network to be created without involving end-node software.

    Natalya Olifer is a columnist for the Journal of Network Solutions/LAN. She can be contacted at:

    Every year electronic communication improves, and ever higher demands are placed on information exchange in terms of speed, security and quality of data processing.

    Here we will take a closer look at a VPN connection: what it is, what a VPN tunnel is for, and how to use a VPN connection.

    This material is a kind of introduction to a series of articles in which we will explain how to create a VPN on various operating systems.

    VPN connection: what is it?

    So, a virtual private network (VPN) is a technology that provides a secure (closed to external access) connection of a logical network over a private or public network, given a high-speed Internet connection.

    Such a network connection between computers (geographically remote from each other at a considerable distance) uses a point-to-point connection (in other words, "computer-to-computer").

    Scientifically, this connection method is called a VPN tunnel (or tunnel protocol). You can connect to such a tunnel from a computer with any operating system that has an integrated VPN client able to "forward" virtual ports over the TCP/IP protocol to another network.

    What is a VPN for?

    The main advantage of a VPN is that the communicating parties get a connectivity platform that not only scales quickly but also (primarily) provides data confidentiality, data integrity, and authentication.

    The diagram clearly shows the use of VPN networks.

    Beforehand, the rules for connections over the secure channel must be written on the server and router.

    How a VPN works

    When a VPN connection is made, information about the IP address of the VPN server and the remote route is transmitted in the message header.

    Encapsulated data passing over a public or shared network cannot be intercepted, because all the information is encrypted.

    The VPN encryption stage is implemented on the sender's side, and on the recipient's side the data is decrypted according to the message header (provided there is a common encryption key).

    After the message is correctly decrypted, a VPN connection is established between the two networks, which also allows work on the public network (for example, exchanging data with a client at 93.88.190.5).

    As for information security, the Internet is an extremely insecure network, whereas a VPN network using the OpenVPN, L2TP/IPSec, PPTP or PPPoE protocols is a completely secure and safe way of transmitting data.

    What is a VPN channel for?

    VPN tunneling is used:

    Inside the corporate network;

    To unite remote offices and small branches;

    For digital telephony services with a large set of telecommunication services;

    To access external IT resources;

    To build and implement video conferencing.

    Why do you need a VPN?

    A VPN connection is required for:

    Anonymous work on the Internet;

    Downloading applications when the IP address is located in another regional zone of the country;

    Safe work in a corporate environment using communications;

    Simplicity and convenience of connection setup;

    Ensuring a high-speed connection without interruptions;

    Creating a secure channel protected from hacker attacks.

    How to use a VPN?

    Examples of how a VPN works are endless. For instance, on any computer in the corporate network, once a secure VPN connection is established, you can use mail to check messages, publish material from anywhere in the country, or download files from torrent networks.

    VPN: what is it on a phone?

    Access via VPN on your phone (iPhone or any Android device) lets you remain anonymous when using the Internet in public places, and also prevents traffic interception and device hacking.

    A VPN client installed on any OS lets you bypass many of the provider's settings and rules (if the provider has set any restrictions).

    Which VPN to choose for the phone?

    Android mobile phones and smartphones can use applications from the Google Play market:

    • vpnRoot, droidVPN
    • Tor browser for surfing networks, also known as Orbot
    • InBrowser, Orfox (Firefox + Tor)
    • SuperVPN Free VPN Client
    • OpenVPN Connect
    • TunnelBear VPN
    • Hideman VPN

    Most of these programs serve for convenient "hot" system configuration, placing launch shortcuts, anonymous Internet surfing, and selecting the type of connection encryption.

    But the main purpose of using a VPN on your phone is checking corporate mail, creating video conferences with multiple participants, and holding meetings outside the organization (for example, when an employee is on a business trip).

    What is VPN on iPhone?

    Let's consider in more detail which VPN to choose and how to connect it on an iPhone.

    Depending on the type of network supported, when you first start the VPN configuration on an iPhone, you can select the following protocols: L2TP, PPTP, and Cisco IPSec (in addition, you can "make" a VPN connection using third-party applications).

    All of these protocols support encryption keys, user identification with a password, and certificates.

    Among the additional features when setting up a VPN profile on an iPhone, you can note: RSA security, encryption level, and authorization rules for connecting to the server.

    For an iPhone, you should choose from the App Store:

    • TunnelBear, a free app with which you can connect to VPN servers in any country.
    • OpenVPN Connect, one of the best VPN clients. Here, to run the application, you must first import the RSA keys to your phone via iTunes.
    • Cloak, a shareware application: for some time the product can be "used" for free, but to use the program after the demo period expires, you will have to buy it.

    Creating a VPN: choosing and configuring equipment

    For corporate communications, large organizations or clusters of remote offices use hardware capable of maintaining uninterrupted, secure networking.

    To implement VPN technologies, the following can act as the network gateway: a Unix server, a Windows server, a network router, or a dedicated network gateway on which the VPN is brought up.

    The server or device used to create an enterprise VPN network or a VPN channel between remote offices must perform complex technical tasks and provide a full range of services to users both on workstations and on mobile devices.

    Any router or VPN router should provide reliable network operation without "freezes". And the built-in VPN function allows you to change the network configuration for working at home, in an organization, or in a remote office.

    VPN setup on a router

    In the general case, VPN configuration on a router is carried out through the router's web interface. On "classic" devices, to organize a VPN you go to the "settings" or "network settings" section, select the VPN section, specify the protocol type, enter your subnet address and mask settings, and specify the range of IP addresses for users.

    In addition, to secure the connection, you will need to specify encryption algorithms and authentication methods, generate negotiation keys, and specify the DNS and WINS servers. In the "Gateway" parameters, you need to specify the IP address of the gateway (your own IP) and fill in the data for all network adapters.

    If there are several routers in the network, the VPN routing table must be filled in for all devices in the VPN tunnel.
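    The same items a router web interface asks for (subnet and mask, client address range, encryption and authentication algorithms, key material, DNS and WINS servers, and routing entries for a network with several routers) expressed as an OpenVPN server configuration. This is an added example, not configuration from the article or from any of the devices it lists; the addresses, file names and the "branch2" client name are assumed.

```conf
# OpenVPN server configuration (added example, not from the article).
# Assumed values: VPN subnet 10.8.0.0/24, branch LAN 192.168.10.0/24 behind
# the VPN server, branch LAN 192.168.20.0/24 behind a client router whose
# certificate common name is "branch2"; file names are placeholders.

port 1194
proto udp
dev tun

# Key material (the router UI's "generate negotiation keys" step); tls-crypt
# adds a pre-shared key that authenticates and encrypts the TLS control channel.
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-crypt ta.key

# Subnet, mask and client address pool: the server takes 10.8.0.1, clients get
# the rest of 10.8.0.0/24.
server 10.8.0.0 255.255.255.0
topology subnet

# Encryption and authentication algorithms. Replaced legacy settings:
# "cipher BF-CBC" (64-bit block cipher) and "auth SHA1".
# data-ciphers needs OpenVPN 2.5+; on 2.4 use "cipher AES-256-GCM".
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
tls-version-min 1.2
# Accept only peer certificates issued for client use.
remote-cert-tls client

# DNS and WINS servers handed to clients.
push "dhcp-option DNS 192.168.10.5"
push "dhcp-option WINS 192.168.10.5"

# Routing table entries for a network with several routers: clients reach the
# LAN behind the server, and the LAN behind branch2 is reachable through the
# branch2 tunnel (ccd/branch2 holds "iroute 192.168.20.0 255.255.255.0").
push "route 192.168.10.0 255.255.255.0"
route 192.168.20.0 255.255.255.0
client-config-dir ccd
push "route 192.168.20.0 255.255.255.0"
client-to-client

keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
```

    A client router that owns a subnet announced with iroute ignores the matching pushed route, so the 192.168.20.0/24 route is pushed only to the other clients.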

    Here is a list of hardware used in building VPN networks:

    D-Link routers: DIR-320, DIR-620, DSR-1000 with new firmware, or the D-Link DI808HV router.

    Cisco PIX 501 and Cisco 871-SEC-K9 routers.

    Linksys RV082 router supporting about 50 VPN tunnels.

    Netgear DG834G router and the FVS318G, FVS318N, FVS336G, SRX5308 router models.

    Mikrotik router with OpenVPN function, for example the Mikrotik RouterBoard RB/2011L-IN.

    VPN equipment RVPN S-Terra or VPN Gate.

    ASUS RT-N66U, RT-N16 and RT-N10 routers.

    ZyXEL routers ZyWALL 5, ZyWALL P1, ZyWALL USG.