International Journal of Trend in Research and Development, Volume 3(4), ISSN: 2394-9333 www.ijtrd.com
IJTRD | Jul-Aug 2016

Designing a Secured Private Network Connection across a Public Network

1 Ifeagwu N. E., 2 Alor M., 2 Ugwu K. I.
1 Michael Okpara University of Agriculture (MOUA), Umudike, Abia State, Nigeria
2 Enugu State University of Science and Technology, Nigeria

Abstract-- This paper describes the design of a secure private network connection across a public network. The design was carried out in the Cisco Packet Tracer version 5.3.3a network simulation tool, and the materials used comprised laptops, switches, routers, straight-through cables and a crossover cable. Implementing the design involves installing Packet Tracer, identifying the devices needed, connecting the devices with network cables, configuring the devices and their interfaces to allow the flow of packets, and setting up a tunnel between the two sites to protect the packets being exchanged. The result shows connectivity between the two sites and successful communication between the device interfaces without any drop in the flow of traffic.

Keywords-- Cisco packet tracer, Private network, Tunnel, Routers

I. INTRODUCTION

An unsecured communication channel or network is prone to network attacks, and this leads to ineffective communication. Securing data that flows across public or untrusted networks between two endpoints has therefore become a challenge. With the introduction of Virtual Private Networks (VPNs), which are characterised by maintaining privacy, data sent from the sender to the receiver passes through tunnels: the data is encrypted by the sender and decrypted by the receiver using an encryption method agreed by both, so it cannot be read by anyone who merely observes the tunnel. A Virtual Private Network (VPN) extends an enterprise's private network across a public network, creating a secure private connection essentially through a private tunnel [1]. VPNs securely convey information across the internet, connecting remote users, branch offices and business partners into an extended corporate network. It is called a VPN because the infrastructure of the public network is transparent to the VPN connection, there is privacy for the traffic flowing over the VPN, and the connection must effectively be perceived and treated as an extension of the company's own network infrastructure.

II.

Organizations use Virtual Private Networks (VPNs) to secure network traffic over an unsecured network, such as the internet. A VPN provides a mechanism for encrypting and encapsulating private network traffic and moving it through an intermediate network. Data is encrypted for confidentiality, so packets that might be intercepted on the shared or public network are indecipherable without the correct encryption keys. Data is also encapsulated, or wrapped, with an IP header containing routing information [2].

There are a number of ways to use a VPN. The most common scenario is a remote user accessing a private network across the internet using a remote access VPN connection. In another scenario, a remote office connects to the corporate network using either a persistent or an on-demand site-to-site VPN connection (also known as a router-to-router VPN connection) [3].

A. Types of VPN

a. Remote access VPN

A remote access VPN connection is made by a remote access client: a single computer user who connects to a private network from a remote location. The VPN client authenticates itself to the VPN server and, for mutual authentication, the VPN server authenticates itself to the VPN client [4]. The diagram of a remote access VPN is shown in figure 1.

Figure 1: Remote Access VPN [2].

b. Site-to-site VPN

A site-to-site VPN connection, as shown in figure 2, connects two portions of a private network or two private networks. For example, it allows an organization to have routed connections with separate offices, or with other organizations, over the internet. A routed VPN server provides a routed connection to the network to which the VPN server is attached. On a site-to-site VPN connection, the packets sent from either router across the VPN connection typically do not originate at the routers. The calling router (the VPN client) authenticates itself to the answering router (the VPN server) and, for mutual authentication, the answering router authenticates itself to the calling router [5].

Figure 2: Site-to-Site VPN [5].

c. Site-to-multisite VPN

A site-to-multisite VPN connection, as shown in figure 3, connects multiple portions of a private network, or three or more private networks. It has the same properties as a site-to-site network except that multiple endpoints are at one end of the network. This VPN allows an organization to have several secure connections with separate offices spread over various geographical locations over the internet. Here, too, the calling router authenticates itself to the answering router.

Figure 3: Site-to-Multisite VPN [5].

B. VPN Tunneling

Tunneling is a network technology that enables the encapsulation of one type of protocol packet within the datagram of a different protocol [6]. After the tunnel is established, data can be sent. The tunnel client or server uses a tunnel data transfer protocol to prepare the data for transfer. For example, when the tunnel client sends a payload to the tunnel server, the tunnel client first prepends a tunnel data transfer protocol header to the payload. The client then sends the resulting encapsulated payload across the network, which routes it to the tunnel server. The tunnel server accepts the packets, removes the tunnel data transfer protocol header, and forwards the payload to the target network. Information sent from the tunnel server to the tunnel client is handled in the same way.

There are two types of tunneling:
1. Voluntary tunneling
2. Compulsory tunneling

a. Voluntary tunneling

Voluntary tunneling occurs when a client computer or routing server creates a virtual connection to the target tunnel server. To accomplish this, tunneling client software and the appropriate tunneling protocol must be installed on the client computer. A user or client computer can issue a VPN request to configure and create a voluntary tunnel. In this case, the user's computer is a tunnel endpoint and acts as the tunnel client [7].

b. Compulsory tunneling

In compulsory tunneling, a VPN-capable remote access server configures and creates the tunnel. With a compulsory tunnel, the user's computer is not a tunnel endpoint. Another device, the dial-up access server between the user's computer and the tunnel server, is the tunnel endpoint and acts as the tunnel client.

C. Tunneling Protocols

The tunneling protocols discussed here are:
1. Point-to-Point Tunneling Protocol (PPTP)
2. Layer Two Tunneling Protocol (L2TP)
3. Internet Protocol Security (IPsec)
4. Site-to-site VPN (strictly a VPN topology rather than a protocol; it is built from the other protocols in this list)
5. Secure Sockets Layer (SSL)
6. Generic Routing Encapsulation (GRE)
7. Transport Layer Security (TLS)

a. Point-to-Point Tunneling Protocol (PPTP)

PPTP encapsulates Point-to-Point Protocol (PPP) frames into IP datagrams for transmission over an IP-based network, such as the internet or a private intranet. PPTP uses a TCP connection, known as the control connection, to create, maintain and terminate the tunnel. PPTP uses a modified version of Generic Routing Encapsulation (GRE) to encapsulate PPP frames as tunneled data, which can be encrypted, compressed or both. The authentication and encryption PPTP relies on (MS-CHAP and MPPE) have known weaknesses, so PPTP should not be relied on for confidentiality today.

b. Layer Two Tunneling Protocol (L2TP)

L2TP is a combination of PPTP and Layer 2 Forwarding (L2F). Rather than have two incompatible tunneling protocols competing in the marketplace and causing customer confusion, the Internet Engineering Task Force (IETF) mandated that the two technologies be combined into a single tunneling protocol with the best features of PPTP and L2F. L2TP is described in RFC 2661 in the IETF RFC database, while PPTP is described in RFC 2637. L2TP itself provides no encryption; in practice it is run over IPsec (L2TP/IPsec).

c. Internet Protocol Security (IPsec)

IPsec functions at the network layer, and its architecture is defined by the IETF in RFC 2401. It is, however, made up of many standards, each described in its own RFC. It is an add-on to IPv4, requiring additional software on a device to implement it, whereas it is built into the IPv6 protocol stack. IPsec performs these main functions:

1. Authentication: it verifies the identity of the remote peer. This is accomplished with pre-shared (symmetric) keys or with digital signatures based on asymmetric (RSA) keys.
2. Confidentiality: it guarantees that no intermediate device can decipher the contents of the payload of a packet. It accomplishes this with an encryption algorithm (DES, 3DES, SEAL, AES). DES and 3DES are no longer considered adequate, and AES should be chosen.
3. Packet integrity: it guarantees that the contents of a packet have not been tampered with (changed) by an intermediate device and that the packet was sent by an authorized device.
4. Encapsulation: it transports the data between two IPsec devices; this is accomplished with an IPsec encapsulation protocol (AH or ESP).
5. Anti-replay protection: it ensures that a valid packet cannot be captured and replayed by an attacker to create a denial-of-service (DoS) condition; this is accomplished with protected sequence numbers.

d. Site-to-site VPN protocol

A site-to-site VPN allows two or more sites with their own networks, usually LANs, to connect together to form a VPN. It encrypts traffic on a much larger scale than a single client connection, and the encryption and decryption are done by the routers at the two ends rather than by the end hosts.

e. Secure Sockets Layer (SSL)

This is a VPN protocol that works within a web browser. It is already built into the majority of web browsers and into some email programs, so no new software has to be installed in order to use it. SSL creates a secure session from the browser to the application server to be accessed, and in order to gain access to the secure session an account ID and password are usually needed.

f. Generic Routing Encapsulation (GRE)

GRE is an IP encapsulation protocol used to transport packets over a network. Information is usually sent from one network to the other through GRE tunnels. GRE encapsulates packets inside IP packets and redirects them to an intermediate host, where they are de-encapsulated and routed to their final destination. GRE tunnels allow routing protocols such as RIP and OSPF to exchange routes and forward data packets from one router to another across the internet; in addition, GRE tunnels can encapsulate multicast data streams for transmission over the internet. GRE is described in RFC 2784. Under GRE tunneling, data is routed by the system to the GRE endpoint over routes established in the routing table. (These routes can be statically configured or dynamically learned by routing protocols such as RIP or OSPF.) Routing Information Protocol (RIP) and Open Shortest Path First (OSPF) are routing protocols used to advertise routes in a network. They are used as interior gateway protocols (IGPs), which are configured inside an autonomous system [8]. When a data packet is received by the GRE endpoint, it is de-encapsulated and routed again, according to the endpoint's configuration, to the destination address carried in the inner packet. In this way, each data packet travelling over the GRE tunnel is routed through the system twice. GRE itself provides neither encryption nor authentication; a GRE tunnel carried across a public network is only private if it is in turn protected, typically by IPsec.
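As an added example that is not part of the paper, the following IOS configuration builds the kind of GRE tunnel described above between two routers whose outside interfaces reach each other across a public segment, and runs OSPF over the tunnel so that each site's LAN is learned dynamically. Only the site-one network 192.168.1.0/24 and its gateway 192.168.1.3 come from the paper; the outside addresses 10.0.0.1 and 10.0.0.2, the tunnel subnet 172.16.0.0/30, the site-two network 192.168.2.0/24 and the interface names are assumptions, and the example assumes a simulated IOS image that supports tunnel interfaces.

```cisco
! Added example, not the paper's configuration. Only 192.168.1.0/24 and the
! gateway 192.168.1.3 come from the paper; every other address is assumed.
!
! ---- Router A (site one) ----
interface FastEthernet0/0
 description LAN of site one
 ip address 192.168.1.3 255.255.255.0
 no shutdown
!
interface FastEthernet0/1
 description outside interface on the public segment
 ip address 10.0.0.1 255.255.255.0
 no shutdown
!
! The tunnel interface is the GRE endpoint. Packets routed to Tunnel0 are
! wrapped in a new IP header (source 10.0.0.1, destination 10.0.0.2,
! protocol 47) and sent out FastEthernet0/1; GRE over IP is the default mode.
interface Tunnel0
 description GRE tunnel to Router B
 ip address 172.16.0.1 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 10.0.0.2
!
! OSPF runs across the tunnel, so site two's LAN is learned dynamically
! instead of being configured as a static route.
router ospf 1
 network 172.16.0.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
! ---- Router B (site two), mirror image ----
interface FastEthernet0/0
 description LAN of site two
 ip address 192.168.2.3 255.255.255.0
 no shutdown
!
interface FastEthernet0/1
 ip address 10.0.0.2 255.255.255.0
 no shutdown
!
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 10.0.0.1
!
router ospf 1
 network 172.16.0.0 0.0.0.3 area 0
 network 192.168.2.0 0.0.0.255 area 0
!
! Checks (privileged EXEC on Router A):
!   show interfaces Tunnel0   -> line protocol up once 10.0.0.2 is reachable
!   show ip ospf neighbor     -> Router B in state FULL via Tunnel0
!   show ip route ospf        -> 192.168.2.0/24 via 172.16.0.2, Tunnel0
```

The public segment only needs a route between 10.0.0.1 and 10.0.0.2; the OSPF hellos and the inter-site traffic travel inside the GRE header. Nothing in this listing is encrypted: a sniffer on the switch that stands in for the internet sees the inner packets in clear, so in a design that must be private the tunnel traffic (IP protocol 47 between the two outside addresses) has to be covered by an IPsec policy as well.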
g. Transport Layer Security (TLS)

TLS is used in a wide variety of online transactions. It can be used to create a Virtual Private Network (VPN) that connects an external system to an internal network, allowing that system to access internal services and resources as if it were on the network. TLS is a layered protocol that runs on top of a reliable transport protocol, typically the Transmission Control Protocol (TCP). Application protocols such as the Hypertext Transfer Protocol (HTTP) and the Internet Message Access Protocol (IMAP) can run over TLS. The TLS protocol is designed to provide three essential services to all applications running above it: encryption, authentication and data integrity.

Figure 4: [9].

TLS is the name SSL received when the protocol was standardized by the IETF. Technically, however, SSL and TLS are different, since each name describes a different version of the protocol.

D. VPN Authentication

Authentication is the technique by which a process verifies that its communication partner is who it is supposed to be; it answers the question of whether you are actually communicating with a specific process. Authentication of virtual private network (VPN) clients by the VPN server is a vital security concern. Authentication takes place at two levels:

a. Computer-level authentication

When Internet Protocol Security (IPsec) is used for a Layer Two Tunneling Protocol over IPsec (L2TP/IPsec) VPN connection, computer-level authentication is performed through the exchange of computer certificates or a pre-shared key during the establishment of the IPsec security association.

b. User-level authentication

Before data can be sent over the Point-to-Point Tunneling Protocol (PPTP) or L2TP tunnel, the remote access client or demand-dial router that requests the VPN connection must be authenticated. User-level authentication occurs through the use of a Point-to-Point Protocol (PPP) authentication method.

E. VPN Encryption and Decryption

To help ensure confidentiality of the data as it traverses the shared or public transit network, it is encrypted by the sender and decrypted by the receiver. Data encryption is performed between the VPN client and the VPN server, and the encryption and decryption processes depend on both the sender and the receiver having knowledge of a common encryption key. Intercepted packets sent along the VPN connection in the transit network are unintelligible to any computer that does not have the common encryption key. The length of the encryption key is an important security parameter.

a. Routing

Routing is the process of moving a packet of data from source to destination. Routing is usually performed by a dedicated device called a router. Routing enables messages to pass from one computer to another and eventually reach the target machine. In the network design, static routing was used. Static routing, the alternative to dynamic routing, is the process in which the network administrator manually configures the routers with all the information necessary for successful packet forwarding.

b. IPsec tunnel

The IPsec standard provides a method to manage authentication and data protection between multiple crypto peers engaging in secure data transfer. IPsec includes the Internet Security Association and Key Management Protocol (ISAKMP) and two IPsec IP protocols: Encapsulating Security Payload (ESP) and Authentication Header (AH). The diagram of an IPsec tunnel is shown in figure 5.


Figure 5: Diagram of an IPsec tunnel in a network.

c. Authentication

Authentication, as shown in figure 6, is any method of verifying your identity in order to gain access to your account, for example entering a username and password to log in. In the design, authentication is performed through the exchange of a pre-shared key between the two routers during the establishment of the IPsec security association.

Figure 6: Diagram of Authentication.

d. Access Control List (ACL)

Access lists filter network traffic by controlling whether routed packets are forwarded or blocked at the router's interfaces. The router examines each packet to determine whether to forward or drop it, on the basis of the criteria specified in the access lists, and in this way provides security for the network. When no access list is configured on the router, all packets passing through the router are allowed onto all parts of the network. Access lists can allow one host to access a part of the network and prevent another host from accessing the same area; every access list also ends with an implicit deny, so traffic that matches no entry is dropped. For example, in figure 7, host A is allowed to access the Human Resources network, and host B is prevented from accessing the Human Resources network.

Figure 7: Diagram of an Access list control.
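The host A / host B case of figure 7, written as an IOS extended access list. This is an added example and not the paper's configuration; host A is taken as 192.168.1.10, host B as 192.168.1.11 and the Human Resources network as 192.168.50.0/24, and these addresses and the interface name are assumptions.

```cisco
! Added example, not the paper's configuration; hosts A and B, the Human
! Resources network and the interface name are assumptions.
!
! An access list is evaluated top-down and the first matching entry wins,
! so the specific permit and deny come before the general permit.
ip access-list extended HR-FILTER
 permit ip host 192.168.1.10 192.168.50.0 0.0.0.255
 deny   ip host 192.168.1.11 192.168.50.0 0.0.0.255
 permit ip any any
!
! Without the final 'permit ip any any', the implicit 'deny ip any any' that
! ends every access list would drop all traffic from the LAN that is not
! explicitly permitted above, not just host B's traffic to Human Resources.
!
! Extended lists match on source and destination, so they are applied close
! to the source: inbound on the LAN interface where hosts A and B arrive.
interface FastEthernet0/0
 description LAN interface for hosts A and B
 ip access-group HR-FILTER in
!
! Checks:
!   show access-lists HR-FILTER        -> per-entry match counters show which
!                                         line a test ping from A or B matched
!   show ip interface FastEthernet0/0  -> reports HR-FILTER as the inbound list
```

A ping from host A to 192.168.50.0/24 increments the counter on the first entry, a ping from host B increments the counter on the deny entry and fails, and any other traffic from the LAN is counted against the last entry. Swapping the order of the first two entries would not change the result here, because they name different hosts, but placing the general permit first would silently disable the deny.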

III. MATERIALS AND METHOD

A. Materials

The materials used in the design consist of end devices (laptops), network switches, network routers, network cables (straight-through and crossover) and Packet Tracer.

B. Method

In the design, Laptop (0) up to Router (0) is taken as site one, and Laptop (1) up to Router (1) as site two. Laptop (2) up to Router (2) represents an unauthorized user trying to gain access to the network existing between site one and site two, and the switch between Router (0) and Router (1) represents the internet. Messages can be sent from site one to site two and from site two back to site one successfully, but Laptop (2) cannot communicate with either site one or site two, showing that the network between the two sites is secured. Implementing this design involves installing Packet Tracer, identifying the devices needed, connecting the devices with network cables, configuring the devices and their interfaces to allow the flow of packets, and setting up a tunnel between the two sites to protect the packets being exchanged. The design method of the project is shown in figure 8.

Figure 8: Diagram of VPN system design.

a. Configuration of the devices

Table 2: Laptop (0) setup.

IP Address:      192.168.1.2
Subnet Mask:     255.255.255.0
Default Gateway: 192.168.1.3

Table 2 shows the Laptop (0) setup: the IP address of Laptop (0) is 192.168.1.2, the subnet mask is 255.255.255.0 and the default gateway is 192.168.1.3. Figure 9 shows a screenshot of the Laptop (0) setup.

Figure 9: Screenshot showing Laptop (0) setup.

b. Router (0) setup

The following command sequence was used to configure the interface of Router (0) that faces Laptop (0). The router's LAN address must be the default gateway given in Table 2 (192.168.1.3); the original listing gave 192.168.1.2, which is the laptop's own address and would produce a duplicate-address conflict.

Router> enable                                    (from user EXEC mode, enter privileged EXEC mode)
Router# configure terminal                        (enter global configuration mode)
Router(config)# interface FastEthernet0/0         (select the interface connected to Laptop (0))
Router(config-if)# ip address 192.168.1.3 255.255.255.0
Router(config-if)# no shutdown                    (bring the interface up)
Router(config-if)# do write                       (save the running configuration to NVRAM)

Figure 10 shows the screenshot of the Router (0) setup.

Figure 10: Screenshot showing Router (0) setup.

c. Routing commands for Router (0)

Figure 11 shows the static routing commands for Router (0).

Figure 11: The routing commands for Router (0).

d. IPsec tunnel

Figure 12 shows the commands for IPsec tunneling on Router (0).

Figure 12: The command codes for IPsec tunneling in Router (0).
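The paper's own IPsec commands survive only as the screenshot of figure 12. As an added example that is not the paper's configuration, the following IOS listing builds a site-to-site IPsec tunnel of the kind the design uses: an ISAKMP (IKE phase 1) policy authenticated by a pre-shared key, an IPsec transform set (phase 2), a crypto ACL selecting the inter-site traffic, a crypto map bound to the outside interface, and the static route the design relies on. Site one is 192.168.1.0/24 with Router (0) at 192.168.1.3, as in Table 2; the site-two network 192.168.2.0/24 with Router (1) at 192.168.2.3, the outside addresses 10.0.0.1 and 10.0.0.2 on the segment that represents the internet, the interface names and the pre-shared key are assumptions. It also assumes a router model whose simulated IOS carries the security feature set (in Packet Tracer some models require the securityk9 license to be enabled before the crypto commands appear).

```cisco
! Added example, not the paper's configuration. From the paper: site one is
! 192.168.1.0/24 with Router (0) at 192.168.1.3 (Table 2). Assumed: site two
! 192.168.2.0/24 with Router (1) at 192.168.2.3, outside addresses 10.0.0.1
! and 10.0.0.2 on the switch that represents the internet, interface names
! and the pre-shared key.
!
! ================= Router (0), site one =================
interface FastEthernet0/0
 description LAN, default gateway of Laptop (0)
 ip address 192.168.1.3 255.255.255.0
 no shutdown
!
interface FastEthernet0/1
 description outside, towards the switch standing in for the internet
 ip address 10.0.0.1 255.255.255.0
 no shutdown
!
! Static route to site two (the design uses static routing)
ip route 192.168.2.0 255.255.255.0 10.0.0.2
!
! IKE phase 1 (ISAKMP): how the routers authenticate each other and protect
! the negotiation. AES-256 / SHA / DH group 5 replace the DES / MD5 / group 1
! defaults, which are no longer considered secure. The key must be identical
! on both peers and is bound to the peer's outside address.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
crypto isakmp key S1te2S1teKey address 10.0.0.2
!
! IKE phase 2: ESP with AES-256 for confidentiality and HMAC-SHA for integrity
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
!
! Crypto ACL: only traffic between the two LANs is protected; anything else
! leaving FastEthernet0/1 is forwarded in clear.
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map SITE2SITE 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set TS-AES
 match address 100
!
interface FastEthernet0/1
 crypto map SITE2SITE
!
! ================= Router (1), site two =================
interface FastEthernet0/0
 ip address 192.168.2.3 255.255.255.0
 no shutdown
interface FastEthernet0/1
 ip address 10.0.0.2 255.255.255.0
 no shutdown
ip route 192.168.1.0 255.255.255.0 10.0.0.1
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
crypto isakmp key S1te2S1teKey address 10.0.0.1
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map SITE2SITE 10 ipsec-isakmp
 set peer 10.0.0.1
 set transform-set TS-AES
 match address 100
interface FastEthernet0/1
 crypto map SITE2SITE
!
! Checks on Router (0) after pinging a site-two host from Laptop (0):
!   show crypto isakmp sa   -> 10.0.0.1 <-> 10.0.0.2 in state QM_IDLE
!   show crypto ipsec sa    -> #pkts encaps/encrypt and #pkts decaps/decrypt
!                              increase with every ping; this is the evidence
!                              of encryption that figure 14 is meant to show
```

The first packet that matches access list 100 triggers the IKE negotiation, so the first ping from Laptop (0) to site two usually times out while the security associations are built; the following pings succeed. Router (2) on the same public segment sees only ISAKMP (UDP 500) and ESP (IP protocol 50) between 10.0.0.1 and 10.0.0.2 and, without the pre-shared key, can neither read that traffic nor negotiate a tunnel of its own, which is the behaviour the design attributes to Laptop (2). In a real deployment the pre-shared key should be long and random, or replaced by certificate (RSA signature) authentication so that no secret has to be distributed per peer.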

IV. RESULTS

The results obtained from the work are shown in figures 13 and 14.

A. Pinging result from Laptop (0) to 192.168.1.3

Figure 13 shows the snapshot of four packets being sent from Laptop (0) to its default gateway, 192.168.1.3, and four packets being received.

Figure 13: 4/4 successful packets sent and received.

B. Confirmation of encryption on the routers

Figure 14 shows the result of the encryption on the routers.


Figure 14: Results obtained from the encryption of the routers.

CONCLUSION

The ultimate goal of the research is to establish a secured connection in a private network extended across a public network such as the internet. The public network is supported by internet service providers (ISPs) for effective communication, but this work made use of a network simulator from Cisco Corporation, Cisco Packet Tracer version 5.3.3, to design the site-to-site network. In the design the simulated switch, model 2950-24TT, stands in for the ISP, and the communication tunnel cuts across it. When packets are sent from site (A) to site (B), they move through the tunnel protected by the negotiated ISAKMP and IPsec policy, and any unauthorized user who does not hold the key required by that policy cannot participate in the network.

References

[1] Geier (2013). OpenBSD ssh manual page, VPN section, p. 2.
[2] Cisco Systems, Inc. (2004). Internetworking Technologies Handbook. Networking Technology Series (4th ed.). Cisco Press, p. 5.
[3] Mason (2002). Comparing, Designing, and Deploying VPNs (1st print. ed.). Indianapolis, Ind., p. 11.
[4] Microsoft (2007). Address Allocation for Private Internets, RFC 1918, p. 8.
[5] SoftEther VPN: Using HTTPS Protocol to Establish VPN Tunnels, "OpenConnect". Retrieved 2013-04-08.
[6] Tanenbaum (2008). Layer Two Tunneling Protocol "L2TP", RFC 2661, pp. 9, 14.
[7] Ogletree (2004). "RFC 2547 BGP/MPLS VPNs". Internet Engineering Task Force (IETF), p. 10.
[8] Richard A. (2009). IP Based Virtual Private Networks, RFC 2341, p. 14.
[9] Polk & McKay (2014). Point-to-Point Tunneling Protocol (PPTP), RFC 2637, p. 15.
