Topic: VPN (Virtual Private Network)

______________________________________________________________________

VIETNAM NATIONAL UNIVERSITY, HO CHI MINH CITY
UNIVERSITY OF SCIENCE
FACULTY OF ELECTRONICS AND TELECOMMUNICATIONS
-------------oOo---------------

Topic: VPN (Virtual Private Network)

Supervisor: Nguyen Anh Vinh

Course: Network Technology
Group:
Phan B Tu - 0520091
Nguyen Minh Tm - 0520093
Nguyen Thanh Hng - 0520031
____________________________________________________________
Faculty of Electronics and Telecommunications - University of Science

TABLE OF CONTENTS
I. Introduction to VPN technology .... 2
  1.1 What is a VPN .... 3
  1.2 Benefits of a VPN .... 3
    VPN reduces recurring costs .... 4
    Reduced management and support costs .... 4
    VPN ensures information security, integrity and authentication .... 4
    VPN makes it easy to connect branches into one local network .... 4
  1.3 Components needed to create a VPN connection .... 4

II. Types of VPN .... 5
  2.1 Remote Access VPN .... 6
    Requirements for a Remote Access VPN .... 6
  2.2 Site-to-Site VPN .... 6
    Intranet VPN .... 6
    Extranet VPN .... 6
    Requirements for a Site-to-Site VPN .... 6

III. Technologies and protocols supporting VPN .... 7
  3.1 Tunneling and encryption
  3.2 Tunneling
  3.3 Encryption .... 13
    Layer 2 VPN technology .... 14
    Layer 3 VPN technology .... 15
    GRE tunnels .... 16
    MPLS VPNs .... 16

IV. The IPSec security protocol .... 17
    Digital Signatures .... 18
    IPSec Security Protocol .... 19
    IPSec Transport Mode .... 20
    IPSec Tunnel Mode .... 21
    Encapsulating Security Payload (ESP) .... 22
    Authentication Header (AH) .... 23
    Three-way CHAP Authentication Process .... 24

V. Conclusion .... 26
VI. Configuring a VPN model (Client to Site)
VII. References .... 27

I. Introduction to VPN technology:

1.1 What is a VPN?
A virtual private network, better known by the abbreviation VPN, is not a new concept in network technology. A VPN can be defined as a virtual network service deployed over public network infrastructure with the aim of saving the cost of point-to-point connections. A telephone call between two individuals is the simplest example of a virtual private connection over the public telephone network. The two key characteristics of VPN technology are "private" and "virtual", corresponding to the two English terms Virtual and Private. A VPN can appear at any layer of the OSI model; a VPN is an improvement of the WAN infrastructure, changing the WAN and giving it the properties of a local network.

VPN = Tunneling + Encryption

1.2 Benefits of a VPN:

VPN reduces recurring costs:
A VPN saves on line-rental costs and reduces the expenses incurred by remote staff, because they reach the internal network through the provider's local Points of Presence (POP). Limiting the access lines rented from the provider means that the cost of a LAN-to-LAN connection drops considerably compared with renting a leased line.

Reduced management and support costs:
By using the provider's service, we only have to manage the end connections at the branches and need not manage the switching equipment in the network. At the same time, the company takes advantage of the Internet infrastructure and the service provider's technical staff, so it can concentrate on its business.

VPN ensures information security, integrity and authentication:
Data transmitted over the network is encrypted with algorithms and carried inside tunnels, so the information is highly secure.

VPN makes it easy to connect branches into one local network:
With the trend of globalization, a company may have many branches in many different countries. Centralized management of the information at all branches is necessary. A VPN can easily connect the networks of the branches and the head office into a single LAN at low cost.
VPN supports today's most common network protocols, such as TCP/IP.
IP address security: information sent over the VPN is encrypted, so the addresses on the private network are hidden and only the external Internet addresses are used.

1.3 Components needed to create a VPN connection:

User authentication: provides a mechanism to authenticate users, allowing only legitimate users to connect to the VPN system.
Address management: provides a valid IP address to the user after joining the VPN system so that they can access resources on the internal network.
Data encryption: provides a way to encrypt data in transit so as to ensure its privacy and integrity.
Key management: provides a way to manage the keys used for encrypting and decrypting data.

II. Types of VPN:

VPNs are divided into 2 types:
- Remote Access VPN
- Site-to-Site VPN
  o Intranet VPN
  o Extranet VPN

Figure 1 - Remote Access VPN

2.1 Remote Access VPN

Remote Access VPN: provides remote access connections to an Intranet or Extranet over a shared infrastructure. A Remote Access VPN uses Analog, Dial, ISDN, DSL, Mobile IP and Cable links to establish connections to mobile users.
An important feature of a Remote Access VPN is that it lets mobile users reach the company's internal network remotely in order to work.

Requirements for a Remote Access VPN:
- One VPN Gateway (with one public IP). This is the central processing point when a VPN Client dials in to the internal VPN system.
- VPN Clients connected to the Internet.

Figure 2 - Site-to-Site VPN

2.2 Site-to-Site VPN:

Site-to-Site VPNs are divided into two kinds, Intranet VPN and Extranet VPN.
Intranet VPN: connects the head office, branches and remote offices to the company's internal network over a shared network infrastructure. An Intranet VPN differs from an Extranet VPN in that it only lets the company's own employees access the company's internal network.
Extranet VPN: connects the company's customers, consultants or partners into a single network over a shared infrastructure. An Extranet VPN differs from an Intranet VPN in that it lets users outside the company access the system.
Requirements for a Site-to-Site VPN:
- Two VPN Gateways (each with one public IP). Each is the central processing point when the VPN Gateway on the other side dials in.
- Clients connected to the internal network.

III. Technologies and protocols supporting VPN:

3.1 Tunneling and encryption
The main function of a VPN is to carry encrypted information inside a tunnel over a shared network infrastructure.

3.2 Tunneling
Most VPNs rely on a technique called Tunneling to create a private network on top of the Internet. In essence, it is the process of placing the whole packet inside a header layer that carries routing information, so that it can be carried across the intermediate network through private "pipes" (tunnels).
When the packets reach their destination, the header layer is stripped and they are delivered to the end stations that need the data. To set up a tunnel connection, the client and the server must use the same tunnel protocol.
The protocol of the outer packet is understood by the network and by the two endpoints. These two endpoints are called tunnel interfaces, where packets enter and leave the network.
Tunneling requires 3 different protocols:
- The carrier protocol is the protocol used by the network that the information travels over.
- The encapsulating protocol (such as GRE, IPSec, L2F, PPTP, L2TP) is the protocol wrapped around the original data packet.
- The passenger protocol is the protocol of the original data being carried (such as IPX, NetBEUI, IP).
A user can place a packet that uses a protocol not supported on the Internet (such as NetBEUI) inside an IP packet and send it safely across the Internet. Or they can place a packet that uses a private (non-routable) IP address inside another packet that uses a public (routable) IP address, to extend a private network across the Internet.

Tunneling in site-to-site VPNs

In this kind of VPN, the Generic Routing Encapsulation (GRE) protocol provides the "packaging" of the passenger protocol for transport over the carrier protocol. It includes information about the type of packet being encapsulated and about the connection between the server and the client. However, IPSec in tunnel mode, instead of GRE, sometimes acts as the encapsulating protocol. IPSec works well on both remote access and site-to-site VPNs. Of course, it must be supported on both tunnel interfaces.
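The three tunneling roles described above (carrier, encapsulating and passenger protocol) in working code, as an added example that is not part of the original report: a constructed IPv4 packet between two private (RFC 1918) addresses is wrapped in a GRE header and an outer IPv4 header addressed between two constructed public gateway addresses, then unwrapped at the far end. The addresses, payload and function names are assumptions made for this demo.

```python
"""GRE encapsulation demo (added example, not from the report).

Roles as in the text:
  carrier protocol       -> the outer IPv4 header (public, routable addresses)
  encapsulating protocol -> a GRE header (IP protocol number 47)
  passenger protocol     -> the original IPv4 packet with private addresses
All addresses and payloads below are constructed for the demo.
"""
import socket
import struct

IPPROTO_GRE = 47          # IANA protocol number for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE "protocol type" value for an IPv4 passenger


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (0 when verifying a valid one)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) in front of payload."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes) -> dict:
    """Return the header fields we care about, plus the payload."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "proto": proto, "ttl": ttl,
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
        "payload": packet[ihl:total_len],
    }


def gre_encapsulate(passenger: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Carrier IPv4 header + GRE header + passenger packet."""
    # Basic GRE header (RFC 2784): 16 bits of flags/version (all zero) and
    # 16 bits of protocol type identifying the passenger protocol.
    gre_header = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_GRE, gre_header + passenger)


def gre_decapsulate(carrier_packet: bytes) -> bytes:
    """Strip the carrier IPv4 and GRE headers; return the passenger packet."""
    outer = parse_ipv4(carrier_packet)
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE")
    flags_ver, proto_type = struct.unpack("!HH", outer["payload"][:4])
    if flags_ver & 0x0007:                       # version bits must be 0
        raise ValueError("unsupported GRE version")
    if proto_type != ETHERTYPE_IPV4:
        raise ValueError("unexpected passenger protocol 0x%04x" % proto_type)
    return outer["payload"][4:]


def demo() -> dict:
    """Encapsulate a private-address packet and recover it at the far gateway."""
    # Constructed passenger: a UDP packet (proto 17) between two private hosts.
    passenger = build_ipv4("10.1.1.25", "10.2.2.40", 17, b"hello from branch office")
    # Constructed carrier addresses: the two VPN gateways' public IPs.
    carrier = gre_encapsulate(passenger, "203.0.113.10", "198.51.100.20")
    recovered = gre_decapsulate(carrier)
    outer, inner = parse_ipv4(carrier), parse_ipv4(recovered)
    return {
        "outer_src": outer["src"], "outer_dst": outer["dst"], "outer_proto": outer["proto"],
        "inner_src": inner["src"], "inner_dst": inner["dst"], "inner_proto": inner["proto"],
        "payload": inner["payload"], "intact": recovered == passenger,
        "overhead_bytes": len(carrier) - len(passenger),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The 24 bytes of overhead (20-byte carrier header plus 4-byte GRE header) are what the intermediate network sees; the private addresses inside are invisible to it, which is also why a plain GRE tunnel hides nothing from anyone who can read the carrier packets and why the report pairs GRE with IPSec later on.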

In this model, a packet is carried from a head-office computer through the access server to the router (where GRE encapsulation takes place), and through the tunnel to a computer at the remote office.

Tunneling in remote access VPNs

With this kind of VPN, tunneling usually uses the Point-to-Point Protocol (PPP). As part of TCP/IP, PPP acts as the carrier for other IP protocols when communicating over the network between the server and the remote access machine. In short, tunneling for remote access VPNs depends on PPP.
The protocols below are built on the basic structure of PPP and are used in remote access VPNs.
L2F protocol

A layer 2 protocol developed by Cisco Systems. L2F was designed to let a tunnel be created between a NAS and a VPN Gateway device to carry frames; a remote user can connect to the NAS, and PPP frames are carried from the remote user to the VPN Gateway inside the tunnel that has been created.
PPTP (Point-to-Point Tunneling Protocol)
This is the most popular tunneling protocol today. The protocol was developed by Microsoft.
PPTP provides part of the Remote Access Service (RAS). Like L2F, PPTP lets a tunnel be created from the user side (mobile user) into the VPN Gateway/Concentrator.
L2TP protocol
A standard protocol proposed by the IETF, L2TP combines two strengths: the remote access of L2F (Layer 2 Forwarding, from Cisco Systems) and the fast Point-to-Point connectivity of PPTP (Point-to-Point Tunneling Protocol, from Microsoft). In a Remote Access environment L2TP lets tunnels be created for frames and uses PPP to carry the data inside the tunnel.

Some advantages of L2TP
- L2TP supports multiple protocols.
- It requires no add-on software or operating system support, so remote users as well as users on the Intranet need not install any special software.
- L2TP lets many mobile users access the remote network through the public network.
- L2TP has no strong security of its own, but it can be combined with the IPSec security mechanism to protect the data.

- With L2TP, account authentication is based on the Home Gateway network, so the service provider does not have to maintain a database for access authorization.
Point-to-Point Protocol (PPP)
This is an encapsulation protocol for carrying data over serial connections. PPP's greatest advantage is that it can run on any Data Terminal Equipment (DTE) or Data Connection Equipment (DCE). Another convenient feature of PPP is that it does not limit the access speed. PPP is available for full-duplex connections and is a good solution for dial-up connections.
Notes:
- If you want to set up a secret "virtual channel" over the Internet in remote access mode, you can only use IPSec directly when the client machine has a real IP address.
- Because L2TP with IPSec encryption requires a Public Key Infrastructure (PKI), it is harder and more expensive to deploy than PPTP. L2TP/IPSec is L2TP running over IPSec, whereas IPSec Tunnel Mode is a different protocol.
- Because of its access-authorization mechanism, L2TP/IPSec or IPSec Tunnel Mode can only pass through a network address translation (NAT) device by going through more "virtual channels". If a NAT sits between the Point of Presence (POP) and the Internet, you will run into difficulty. In PPTP, on the other hand, an encrypted IP packet is placed inside an unencrypted IP packet, so it can pass through a NAT.
- PPTP and L2TP can work with password-based access-authorization systems, and they support this authorization at an advanced level with smart cards, biometrics and devices with similar functions.
Advice:

- PPTP is the optimal solution when customers want a security mechanism that is neither expensive nor complex. This protocol also proves effective when data streams must pass through NAT. Customers who want NAT together with higher security can configure IPSec rules on Windows 2000.
- L2TP is the best solution when customers consider security the top priority and are committed to deploying a Public Key Infrastructure (PKI). If you need a NAT device in the VPN path, this solution may not be effective.
- IPSec Tunnel Mode proves more effective for site-to-site VPNs. Although this protocol is now also applied to remote access VPNs, its operations do not "interoperate" with each other. IPSec Tunnel Mode is covered in more detail in the site-to-site VPN section below.

Comparison of VPN protocols

IPSEC
  Strengths:
  + Operates independently
  + Allows network addresses to be hidden
  Weaknesses:
  + No user management
  + Few products interoperate across vendors
  + Little interface support
  Used in:
  + The best client-side software for remote access

PPTP
  Strengths:
  + Supports encryption techniques
  + Runs on Windows NT, 98, 95
  + Tunnels connections
  + Provides multiprotocol capability
  + RSA RC4 encryption
  Weaknesses:
  + Does not provide data encryption from remote access servers
  + Largely proprietary
  Used in:
  + Used at remote access servers
  + Can be used for Win9x desktops or WinNT workstations

L2F
  Strengths:
  + Allows multiprotocol tunneling
  + Offered by many vendors
  Weaknesses:
  + No encryption
  + Weak user authentication
  + No flow control for the tunnel
  Used in:
  + Remote access

L2TP
  Strengths:
  + Combines PPTP and L2F
  + Only a single package needed to run over X.25 and Frame Relay
  + Uses IPSEC for encryption
  Weaknesses:
  + Not yet widely available in products
  + Does not secure the end segments
  Used in:
  + Remote access

3.3 Encryption

Encryption is a basic feature in building and designing a VPN. A VPN uses the infrastructure of the Internet and other public networks, so the data carried over the network can be captured and read. To ensure that information can be read only by the receiver and the sender, the data must be encrypted with complex algorithms. However, only important information should be encrypted, because encryption and decryption affect the transmission speed.
VPN service providers divide VPNs into 3 groups: layer 1, layer 2 and layer 3 VPNs.
Layer 1 VPNs are used to transport layer 1 services over a shared network infrastructure, controlled and managed by Generalized Multiprotocol Label Switching (GMPLS).
At present the development of layer 1 VPNs is still at an experimental stage, so Layer 1 VPNs are not covered in this report.
In the simplest terms, a VPN connection between two points on a public network is a way of establishing a logical connection. The logical connection can be set up at layer 2 or layer 3 of the OSI model, and VPN technology can be broadly classified by this criterion as Layer 2 VPNs or Layer 3 VPNs.
Layer 2 VPN technology
Layer 2 VPNs operate at layer 2 of the OSI reference model; point-to-point connections are set up between sites on the basis of a virtual circuit. A virtual circuit is a logical connection between 2 points on a network and can be extended to many points. A virtual circuit connecting 2 endpoints (end-to-end) is usually called a Permanent Virtual Circuit (PVC). A virtual circuit connecting 2 points on the network dynamically (point to point) is known as a Switched Virtual Circuit (SVC). SVCs are used less often because they are complex to deploy and to troubleshoot. ATM and Frame Relay are the 2 most common layer 2 VPN technologies.

Providers of ATM and Frame Relay networks can offer site-to-site connections to corporations and companies by configuring Permanent Virtual Circuits (PVCs) over a shared backbone.
One convenience of layer 2 VPNs is independence from the layer 3 traffic. The ATM and Frame Relay networks connecting the sites can carry many different routed protocols such as IP, IPX, AppleTalk, IP Multicast... ATM and Frame Relay also provide Quality of Service (QoS), which is a prerequisite for carrying voice traffic.

Layer 3 VPN technology

A connection between sites can be defined as a layer 3 VPN. Layer 3 VPN types include GRE, MPLS and IPSec. GRE and IPSec are used to make point-to-point connections, while MPLS makes any-to-any connections.

GRE tunnels
Generic Routing Encapsulation (GRE) was initiated and developed by Cisco and later ratified by the IETF as the standard RFC 1702. GRE is used to create tunnels and can carry many kinds of protocol such as IP, IPX, AppleTalk and the packets of any other protocol inside an IP tunnel. GRE has no high-level security function, but it can be protected by using the IPSec mechanism. A GRE tunnel between 2 sites over which IP can be carried can be described as a VPN, because the private data between the 2 sites can be encapsulated in packets whose header follows the GRE standard.

Because the public Internet is connected worldwide, the branches of a corporation can lie in different geographical regions. For these branches to exchange data with each other and with the head office, the only requirement is that each branch set up one physical connection to an Internet Service Provider (ISP). Through a VPN set up using GRE tunnels, all the data between the branches is exchanged inside a GRE tunnel. Moreover, the data is secured and protected against the risk of attack.
MPLS VPNs
MPLS VPN technology builds Label Switched Paths through Label Switch Routers. Packets are forwarded based on the label of each packet. MPLS VPNs can use the Tag Distribution Protocol (TDP), the Label Distribution Protocol (LDP) or RSVP (Reservation Protocol).
Cisco initiated this technology; MPLS originated from the tags used in switched networks and was later standardized by the IETF as MPLS. MPLS is built from routers that use label switching (Label Switch Routers). In an MPLS network, packets are switched based on each packet's label. Service providers are now increasingly deploying MPLS to offer MPLS VPN services to customers.
The origin of all VPN technologies is that private data is encapsulated and delivered to its destination by adding an extra header to the packets; MPLS VPNs use labels to encapsulate the original data and deliver the packets to their destination.
RFC 2547 defines the VPN service that uses MPLS. One advantage of MPLS VPNs over other VPN technologies is that they reduce the complexity of configuring the VPN between sites.

IV. The IPSec security protocol:

VPN technology uses the public network infrastructure and other shared transmission media to carry data, so securing the data in a VPN is extremely important. To solve this problem, the VPN builds a tunnel and uses the IPSec protocol suite to encrypt the data inside the tunnel.
An encryption algorithm has two functions, encryption and decryption:
Encryption: converts data from plain text into encrypted form.
Decryption: converts the encrypted information back into plain text using the supplied key.
Cryptographic algorithms are classified into the following two kinds:

- Symmetric
- Asymmetric

Symmetric algorithms are characterized by the receiver and the sender sharing one secret key. Anyone who holds the secret key can decrypt the ciphertext.
Asymmetric algorithms are also known as public key algorithms. The encryption key is called the public key and can be published; only the private key needs to be kept secret. The public key and the private key are thus related to each other. Anyone with the public key can encrypt the plain text, but only the holder of the private key can decrypt the ciphertext back into the plain form.
To illustrate this algorithm, we return to the classic cryptography example: Bob and Alice need to send secret information to each other using a public key algorithm.

Encryption and decryption using a Public Key

In practice public key algorithms are rarely used to encrypt the content of the information itself, because they are slower than symmetric algorithms. However, public keys are commonly used to solve the key distribution problem of symmetric algorithms. Public key does not replace symmetric cryptography; the two complement each other.
Digital Signatures
Another application of public key algorithms is the digital signature. Back to the Alice and Bob problem. This time Bob wants to verify that the letter Alice sent him really came from Alice and is not an anonymous letter from some third party. So a digital signature is generated and attached to Alice's file; Bob uses the public key to decrypt it and confirm that it really is Alice's signature. The verification mechanism is as follows:

Digital signature verification mechanism

- Alice's computer uses a HASH function to hash the document she wants to send to Bob into a 512-byte set called the HASH.
- Alice encrypts the HASH with her Private Key to produce the digital signature. The digital signature is attached to the document that is sent.
- Bob decrypts Alice's digital signature with her Public Key to produce HASH1, and then uses the HASH function to hash the Plain Text received from Alice to produce HASH2.
- HASH1 and HASH2 are compared; if they match, the document Bob received really was sent by Alice.
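The two uses of a public key described above, key distribution for a symmetric algorithm and the HASH / HASH1 / HASH2 signature steps, carried out with textbook RSA as an added example that is not part of the original report. The primes, key sizes, names and the session key are constructed for the demo and are far too small for real use; SHA-256 stands in for the report's unspecified HASH function, and the hash is reduced modulo n so it fits the toy modulus.

```python
"""Public-key key transport and digital signature (added example, not from the report).

Textbook RSA with fixed small primes, used only to make the two uses of a public
key in the text concrete:
  1. Alice encrypts a symmetric session key with Bob's public key, solving the
     key-distribution problem of symmetric algorithms.
  2. Alice signs a document: HASH -> encrypt the HASH with her private key.
     Bob decrypts with her public key (HASH1) and rehashes the text (HASH2).
Real deployments use padded RSA or elliptic-curve signatures with keys of
proper size; the primes, names and session key here are constructed.
"""
import hashlib
from math import gcd

E = 65537   # common public exponent


def make_keypair(p: int, q: int, e: int = E) -> tuple:
    """Return ((n, e), (n, d)); p and q must be distinct primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)            # modular inverse, Python 3.8+
    return (n, e), (n, d)


def rsa_apply(key: tuple, m: int) -> int:
    """Raise m to the key's exponent modulo n (encrypt/decrypt/sign/verify)."""
    n, exp = key
    if not 0 <= m < n:
        raise ValueError("integer must be smaller than the modulus")
    return pow(m, exp, n)


# --- use 1: distributing a symmetric session key --------------------------
def wrap_session_key(session_key: bytes, receiver_public: tuple) -> int:
    return rsa_apply(receiver_public, int.from_bytes(session_key, "big"))


def unwrap_session_key(wrapped: int, receiver_private: tuple, length: int) -> bytes:
    return rsa_apply(receiver_private, wrapped).to_bytes(length, "big")


# --- use 2: signing and verifying a document ------------------------------
def document_hash(document: bytes, n: int) -> int:
    """The HASH step: SHA-256 of the document, reduced so it fits below n."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % n


def sign(document: bytes, signer_private: tuple) -> int:
    n, _ = signer_private
    return rsa_apply(signer_private, document_hash(document, n))


def verify(document: bytes, signature: int, signer_public: tuple) -> bool:
    n, _ = signer_public
    if not 0 <= signature < n:
        return False
    hash1 = rsa_apply(signer_public, signature)   # signature "decrypted" with public key
    hash2 = document_hash(document, n)            # received text rehashed
    return hash1 == hash2


def demo() -> dict:
    # Constructed keys: Alice signs, Bob receives the wrapped session key.
    alice_pub, alice_priv = make_keypair(999983, 1000003)
    bob_pub, bob_priv = make_keypair(104729, 99991)

    session_key = b"\x13\x37\xbe\xef"             # constructed 32-bit demo key
    wrapped = wrap_session_key(session_key, bob_pub)
    recovered = unwrap_session_key(wrapped, bob_priv, len(session_key))

    document = b"Transfer 100 to account 42"
    signature = sign(document, alice_priv)
    return {
        "key_roundtrip": recovered == session_key,
        "signature_valid": verify(document, signature, alice_pub),
        "tampered_valid": verify(b"Transfer 900 to account 42", signature, alice_pub),
        "other_key_valid": verify(document, signature, bob_pub),
    }


if __name__ == "__main__":
    print(demo())
```

The `tampered_valid` and `other_key_valid` results are the checks Bob relies on: changing one byte of the document changes HASH2 so it no longer matches HASH1, and a signature made with a key other than Alice's does not decrypt to the document's hash under her public key.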
IPSec Security Protocol
The purpose of IPSec is to provide security services for IP packets at the Network layer. These services include access control, data integrity, authentication and data confidentiality.
Encapsulating Security Payload (ESP) and Authentication Header (AH) are the two main protocols used to provide security for IP packets. IPSec operates in two modes, Transport Mode and Tunnel Mode.
IPSec Transport Mode
In this mode an IPSec header (AH or ESP) is inserted between the IP header and the upper-layer headers.

Figure: an IP packet protected by IPSec in Transport Mode

In this mode the IP header is the same as the original packet's IP header, except that the IP Protocol field is changed to ESP (50) or AH (51) and the IP header checksum is recalculated. The destination IP address in the IP header is not changed by the IPSec source, so this mode is only used to protect packets whose IP endpoints and IPSec endpoints are the same.
IPSec Transport Mode is well suited to protecting traffic between two hosts rather than to the site-to-site model. Moreover, the IP addresses of the two hosts must be routable (they must see each other on the network), which means the hosts must not be behind NAT. For this reason IPSec Transport Mode is usually used to protect the GRE tunnels created between VPN Gateways in the site-to-site model.
IPSec Tunnel Mode
An IPSec VPN service using Transport mode and GRE encapsulation between VPN Gateways is effective in the site-to-site model. But when clients connect to the VPN Gateway, the path from the client to the VPN Gateway is not protected, and when clients want to connect to a site, IPSec protection is also a problem. IPSec Tunnel Mode was created to deal with this.
In Tunnel Mode, the original IP packet is encapsulated inside a new IP datagram and an IPSec header (AH or ESP) is inserted between the outer and inner headers. Because it is encapsulated in an "outer" IP packet, Tunnel mode can be used to provide security services between IP nodes located behind a VPN Gateway.

Figure: IP packet in IPSec Tunnel mode
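The header placement of the two modes, as an added example that is not part of the original report: a constructed TCP packet between two private hosts is protected with ESP in transport mode (the original header keeps its addresses, the Protocol field becomes 50 and the checksum is recomputed) and in tunnel mode (a new outer header between two constructed gateway addresses, with the whole original packet inside and Next Header 4). Encryption and the integrity check value are deliberately left out so the layering stays readable; addresses, SPIs and function names are assumptions made for the demo.

```python
"""IPsec ESP in transport vs tunnel mode (added example, not from the report).

  transport mode: original IP header (protocol -> 50, checksum recomputed,
                  addresses untouched) + ESP header + original payload
  tunnel mode:    new outer IP header between the gateways (protocol 50)
                  + ESP header + the entire original IP packet (next header 4)
Encryption and the ICV are omitted; addresses and the sample packet are constructed.
"""
import socket
import struct

IPPROTO_ESP = 50
IPPROTO_IPIP = 4     # "next header" value for an encapsulated IPv4 packet
IPPROTO_TCP = 6


def ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def with_proto_and_length(header: bytes, proto: int, total_len: int) -> bytes:
    """Copy of a 20-byte IPv4 header with new protocol/length and a valid checksum."""
    hdr = bytearray(header)
    hdr[2:4] = struct.pack("!H", total_len)
    hdr[9] = proto
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def esp_header(spi: int, seq: int) -> bytes:
    """ESP header: 32-bit SPI followed by the 32-bit sequence number (RFC 4303)."""
    return struct.pack("!II", spi, seq)


def esp_trailer(next_header: int) -> bytes:
    """Pad Length 0 and the Next Header byte (padding and ICV omitted here)."""
    return struct.pack("!BB", 0, next_header)


def protect_transport(packet: bytes, spi: int, seq: int) -> bytes:
    ip_hdr, payload = packet[:20], packet[20:]
    orig_proto = ip_hdr[9]                       # remembered in the trailer
    body = esp_header(spi, seq) + payload + esp_trailer(orig_proto)
    return with_proto_and_length(ip_hdr, IPPROTO_ESP, 20 + len(body)) + body


def protect_tunnel(packet: bytes, spi: int, seq: int, gw_src: str, gw_dst: str) -> bytes:
    body = esp_header(spi, seq) + packet + esp_trailer(IPPROTO_IPIP)
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, 0, 0,
                        socket.inet_aton(gw_src), socket.inet_aton(gw_dst))
    return with_proto_and_length(outer, IPPROTO_ESP, 20 + len(body)) + body


def describe(packet: bytes) -> dict:
    """Receiver's view: outer header, ESP fields, and what Next Header points at."""
    ip_hdr = packet[:20]
    info = {"src": socket.inet_ntoa(ip_hdr[12:16]), "dst": socket.inet_ntoa(ip_hdr[16:20]),
            "proto": ip_hdr[9], "checksum_ok": ipv4_checksum(ip_hdr) == 0}
    if ip_hdr[9] != IPPROTO_ESP:
        return info
    info["spi"], info["seq"] = struct.unpack("!II", packet[20:28])
    info["next_header"] = packet[-1]
    inner = packet[28:-2]
    if info["next_header"] == IPPROTO_IPIP:      # tunnel mode: a whole IP packet inside
        info["inner_src"] = socket.inet_ntoa(inner[12:16])
        info["inner_dst"] = socket.inet_ntoa(inner[16:20])
    return info


def demo() -> dict:
    # Constructed original packet: a TCP segment between two private hosts.
    orig_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, IPPROTO_TCP, 0,
                           socket.inet_aton("10.1.1.25"), socket.inet_aton("10.2.2.40"))
    payload = b"\x00\x50\x1f\x90" + b"tcp-segment-bytes"      # fake ports + data
    original = with_proto_and_length(orig_hdr, IPPROTO_TCP, 20 + len(payload)) + payload
    transport = protect_transport(original, spi=0x1001, seq=1)
    tunnel = protect_tunnel(original, spi=0x1002, seq=1,
                            gw_src="203.0.113.10", gw_dst="198.51.100.20")
    return {"original": describe(original), "transport": describe(transport),
            "tunnel": describe(tunnel)}


if __name__ == "__main__":
    for mode, fields in demo().items():
        print(mode, fields)
```

Comparing the `transport` and `tunnel` entries shows the point the text makes about NAT: in transport mode the private addresses stay in the outer header and must be routable end to end, while in tunnel mode only the gateway addresses are visible on the path and the private addresses travel inside.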

Encapsulating Security Payload (ESP)

ESP provides confidentiality, data integrity, data origin authentication and an anti-replay service.

Figure: IP packet protected by ESP

ESP is identified by the value 50 in the IP header. The ESP header is inserted after the IP header and before the upper-layer protocol header. The IP header is a new IP header in Tunnel mode, or the original IP header in Transport mode.

Figure: IP packet protected by ESP in Transport mode

Figure: IP packet protected by ESP in Tunnel mode

The Security Parameter Index (SPI) in the ESP header is a 32-bit value that is combined with the destination address and the protocol in the IP header. The SPI is a number chosen by the destination host during the public key negotiation between the peers. This number increases sequentially and is placed in the sender's header. The SPI combined with a sliding window mechanism forms the anti-replay mechanism.
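The anti-replay sliding window in working code, as an added example that is not part of the original report. One point to keep straight when reading the paragraph above: in the ESP header the SPI stays fixed for the life of a security association and is what the receiver uses to select it; the per-packet counter is the separate 32-bit sequence number that follows the SPI, and it is that number the window checks (RFC 4303). The window below is the usual bitmap form; the SPI values and the packet stream are constructed for the demo.

```python
"""ESP anti-replay sliding window (added example, not from the report).

An ESP header starts with the SPI (selects the security association) followed
by the sequence number (one per packet). The receiver keeps, per SA, the
highest sequence number accepted and a bitmap of the last `size` numbers, and
rejects duplicates and packets that fell off the left edge of the window.
"""
import struct


def parse_esp(esp_bytes: bytes) -> tuple:
    """Return (spi, seq) from the first 8 bytes of an ESP header."""
    return struct.unpack("!II", esp_bytes[:8])


class AntiReplayWindow:
    """Receiver-side window of `size` sequence numbers for one SA.

    Bit i of `bitmap` (i = 0 for `highest`, 1 for highest-1, ...) records
    which numbers inside the window have already been accepted.
    """

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0
        self.bitmap = 0

    def check_and_update(self, seq: int) -> bool:
        """Accept and record seq, or reject it as a duplicate / too old."""
        if seq == 0:
            return False                          # 0 is never valid on a fresh SA
        if seq > self.highest:                    # new high: slide the window right
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                          # older than the window: drop
        if self.bitmap & (1 << offset):
            return False                          # already seen: replay
        self.bitmap |= 1 << offset                # late but unseen: accept
        return True


def replay_filter(esp_headers: list, size: int = 64) -> list:
    """Run raw ESP headers through one window per SPI; return (spi, seq, accepted)."""
    windows = {}
    verdicts = []
    for raw in esp_headers:
        spi, seq = parse_esp(raw)
        window = windows.setdefault(spi, AntiReplayWindow(size))
        verdicts.append((spi, seq, window.check_and_update(seq)))
    return verdicts


def demo() -> list:
    # Constructed traffic on two SAs: in-order, reordered, replayed and very old packets.
    stream = [(0x1001, 1), (0x1001, 2), (0x1001, 3), (0x1001, 5), (0x1001, 4),
              (0x1001, 4),            # exact replay of seq 4
              (0x1002, 1),            # a different SA has its own window
              (0x1001, 100),          # jump ahead; window now covers 37..100
              (0x1001, 37),           # late but still inside the window
              (0x1001, 36),           # just outside the window
              (0x1001, 3),            # ancient replay
              (0x1001, 101)]
    return replay_filter([struct.pack("!II", spi, seq) for spi, seq in stream])


if __name__ == "__main__":
    for spi, seq, ok in demo():
        print(f"SPI {spi:#06x} seq {seq:4d}: {'accept' if ok else 'DROP'}")
```

Note that the window only ever moves forward, so a legitimate packet delayed by more than `size` later packets is dropped too; that is the trade-off the window size sets between tolerance of reordering and memory per security association.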
Authentication Header (AH)
AH also provides data integrity checking, data authentication and anti-replay protection. But unlike ESP, it does not provide data confidentiality. The AH header is much simpler than the ESP header.

Figure: IP packet protected by AH
AH is an IP protocol identified by the value 51 in the IP header. In Transport mode, the protected upper-layer protocol value is e.g. UDP, TCP...; in Tunnel mode, this value is 4. The position of AH in Transport and Tunnel mode is shown in the following figures:

Figure: IP packet protected by AH in Transport mode

Figure: IP packet protected by AH in Tunnel mode
In Transport mode, AH is well suited to connecting endpoints that use IPSec; in Tunnel mode AH encapsulates the IP packet and adds a new IP header in front of the header. Thus AH in Tunnel mode is used to provide a secure end-to-end VPN connection. However, the packet contents are not kept confidential.
Three-way CHAP Authentication Process

When a VPN connection is set up, the Client, NAS or Home Gateway use a 3-step authentication mechanism to allow or deny the account permission to establish the connection.
CHAP is a challenge/response authentication protocol. It encrypts the password into a 64-bit signature instead of sending the password over the network in plain text. This m echanism protects the password from the Client to the Home Gateway.
The process is described as follows:

- When the user initiates a PPP session with the NAS, the NAS sends a challenge to the Client.

- The Client sends a CHAP Response to the NAS in which the username is in clear text; the NAS uses the number the user dialed to identify the endpoint of the IP tunnel. At this point the PPP negotiation is paused and the NAS queries an AAA Server for tunnel information. The AAA Server supplies the information used to authenticate the tunnel between the NAS and the Home Gateway. The NAS and the Home Gateway authenticate each other and set up the tunnel between them. The NAS then forwards the PPP negotiation information from the Client to the Home Gateway.

- The Home Gateway authenticates the Client and then returns a Response, which is forwarded through the NAS to the Client, and sends a CHAP success or failure to the Client.
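The three messages of the exchange above, Challenge, Response and Success/Failure, with both sides' computations, as an added example that is not part of the original report. The response value follows the standard CHAP definition (RFC 1994: MD5 over identifier, secret and challenge), which the report does not spell out; usernames, secrets and class names are constructed for the demo, and the NAS/AAA/Home Gateway chain is collapsed into a single authenticator.

```python
"""CHAP challenge/response exchange (added example, not from the report).

  1. authenticator -> client : identifier + random challenge
  2. client -> authenticator: identifier + clear-text username + MD5 response
  3. authenticator -> client : CHAP Success or CHAP Failure
The response is MD5(identifier || secret || challenge) as in RFC 1994, so the
secret itself never crosses the link. Names and secrets are constructed.
"""
import hashlib
import hmac
import os


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5 over identifier, shared secret, challenge."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


class Authenticator:
    """The NAS / Home Gateway side: issues challenges and checks responses."""

    def __init__(self, user_db: dict):
        self.user_db = user_db          # username -> shared secret (constructed)
        self.pending = {}               # identifier -> outstanding challenge
        self.next_id = 0

    def challenge(self) -> tuple:
        """Message 1: a fresh identifier and a random 16-byte challenge."""
        ident = self.next_id % 256
        self.next_id += 1
        chal = os.urandom(16)
        self.pending[ident] = chal
        return ident, chal

    def verify(self, ident: int, username: str, response: bytes) -> str:
        """Message 3: recompute the expected response and compare."""
        chal = self.pending.pop(ident, None)     # each challenge is usable once
        secret = self.user_db.get(username)
        if chal is None or secret is None:
            return "CHAP Failure"
        expected = chap_response(ident, secret, chal)
        return "CHAP Success" if hmac.compare_digest(expected, response) else "CHAP Failure"


class Client:
    """The dial-in client: knows its username and the shared secret."""

    def __init__(self, username: str, secret: str):
        self.username = username
        self.secret = secret

    def respond(self, ident: int, challenge: bytes) -> tuple:
        """Message 2: identifier, clear-text username, and the MD5 response."""
        return ident, self.username, chap_response(ident, self.secret, challenge)


def run_exchange(auth: Authenticator, client: Client) -> str:
    ident, chal = auth.challenge()                    # 1. challenge
    ident, name, resp = client.respond(ident, chal)   # 2. response
    return auth.verify(ident, name, resp)             # 3. success / failure


def demo() -> dict:
    auth = Authenticator({"u1": "constructed-secret"})
    results = {
        "correct_secret": run_exchange(auth, Client("u1", "constructed-secret")),
        "wrong_secret": run_exchange(auth, Client("u1", "guess")),
        "unknown_user": run_exchange(auth, Client("nobody", "constructed-secret")),
    }
    # A response computed for an earlier challenge is useless against a new one,
    # because the challenge value is part of the hash input.
    ident, _ = auth.challenge()
    _, name, stale = Client("u1", "constructed-secret").respond(ident, os.urandom(16))
    results["stale_response"] = auth.verify(ident, name, stale)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The `stale_response` case is the reason the challenge must be fresh and random each time: the authenticator is comparing a function of its own challenge, so a recorded response from an earlier session does not verify.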

Figure: the 3-step CHAP authentication process

V. Conclusion
Nowadays it is common for companies to have many branches, so the need to exchange information between branches is necessary and urgent. Therefore, in the future, deploying a VPN between the branches of a company will be an inevitable need.

VI. Configuring a VPN model (Client to Site)

Conventions:
LAN card: the network card used to connect the 2 machines to each other
INTERNET card: the network card connected to the switch so that all machines can see each other, and connected to the Router
- The lab model is as follows:

Client1: uses 1 card
LAN card:
IP Address : 172.16.1.2
Subnet Mask : 255.255.0.0
Default Gateway : 172.16.1.1
Preferred DNS : blank
SERVER1
LAN card:
IP Address : 172.16.1.1
Subnet Mask : 255.255.0.0

____________________________________________________________
__
Khoa in T Vin Thng i hc Khoa Hc T Nhin
30

( ti VPN (Virtual Private Network


______________________________________________________________________
__

Default Gateway : trng


Preferred DNS : trng
Card INTERNET:
IP Address : 192.168.1.1
Subnet Mask : 255.255.255.0
Default Gateway : 192.168.1.254 (tr v router )
Preferred DNS : 210.245.24.20
Client2: s dng 1 card
Card INTERNET
IP Address : 10.0.0.5
Subnet Mask : 255.255.255.0
Default Gateway : 10.0.0.2
Preferred DNS : 210.245.24.20
Cc bc thc hin
1.NAT port 1723 ca Router ADSL v my SERVER1.
2. Cu hnh VPN Server trn my SERVER:
Bc 1 : To user Client2 kt ni vo VPN Server
User: u1

Password: 123
Uncheck User must change password at next logon, then click OK. Grant u1 the Allow access permission.

Step 2: Choose Start --> Programs --> Administrative Tools --> Routing and Remote Access.
In the Routing and Remote Access window, right-click SERVER1 and choose Configure and Enable Routing and Remote Access.


- Step 3: In the Welcome to the Routing and Remote Access Server Setup Wizard window, click Next. In the Configuration window, check Remote access (dial-up or VPN) and click Next.


- Step 4: In the Remote Access window, check VPN and click Next.


- Step 5: In the VPN Connection window, select the INTERNET card, uncheck Enable security on the selected interface by setting up static packet filters, and click Next.


- Step 6: In the IP Address Assignment window, check From a specified range of addresses and click Next.


- Step 7: In the Address Range Assignment window, click New.

- Step 8: In the New Address Range window, enter the Start IP and End IP, click OK, then Next.



- Step 9: In the Managing Multiple Remote Access Servers window, check No, use Routing and Remote Access to authenticate connection requests --> Next --> Finish --> OK.


3. Configure the VPN Client on Client2:

- Right-click My Network Places and choose Properties --> Create a new connection --> Welcome window --> Next.
- In the Network Connection Type window, check Connect to the network at my workplace --> Next.
- In the Network Connection window, check Virtual Private Network connection --> Next.


- In the Connection Name window, type any name into Company Name (e.g. ITLab) and click Next.


- In the VPN Server Selection window, type the hostname registered with No-IP into Host name or IP address --> Next --> Finish.


**Note: On SERVER1 you must install the client program that keeps the IP address of the host name banbeit.no-ip.com up to date!
- In the Connect window, enter User name u1 and Password 123, then click Connect.
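As an added check that is not part of the original lab sheet, the following Python verifies the address plan above before the server is configured: every default gateway lies in its interface's subnet, the address pool entered in step 8 (an assumed range here, since the report does not give one) lies inside the LAN and does not collide with the static addresses, and the remote client's own subnet does not overlap the LAN. The host names, VPN_POOL and check_plan are this example's own.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Address plan copied from the lab sheet above: (interface address/mask, default gateway or None).
HOSTS = {
    "Client1 LAN":      ("172.16.1.2/16", "172.16.1.1"),
    "SERVER1 LAN":      ("172.16.1.1/16", None),
    "SERVER1 INTERNET": ("192.168.1.1/24", "192.168.1.254"),
    "Client2 INTERNET": ("10.0.0.5/24", "10.0.0.2"),
}
LAN = ip_network("172.16.0.0/16")
# Assumed Start IP / End IP for step 8; the report leaves the actual values to the reader.
VPN_POOL = ("172.16.1.100", "172.16.1.110")


def check_plan(hosts=HOSTS, pool=VPN_POOL, lan=LAN, remote="Client2 INTERNET"):
    """Return the list of problems found; an empty list means the plan is consistent."""
    problems = []
    static = set()
    for name, (addr, gw) in hosts.items():
        iface = ip_interface(addr)
        static.add(iface.ip)
        if gw is not None and ip_address(gw) not in iface.network:
            problems.append(f"{name}: gateway {gw} is outside {iface.network}")

    # Tunnelled clients receive pool addresses, so the pool must be routable on the LAN.
    start, end = ip_address(pool[0]), ip_address(pool[1])
    if start > end:
        problems.append(f"VPN pool: start {start} is after end {end}")
    if start not in lan or end not in lan:
        problems.append(f"VPN pool {start}-{end} is not inside the LAN {lan}")
    clash = sorted(str(ip) for ip in static if start <= ip <= end)
    if clash:
        problems.append(f"VPN pool overlaps statically assigned addresses: {clash}")

    # If the remote client's local subnet overlaps the LAN, its host may send packets
    # meant for the LAN out of its local interface instead of through the tunnel.
    remote_net = ip_interface(hosts[remote][0]).network
    if remote_net.overlaps(lan):
        problems.append(f"{remote}: local subnet {remote_net} overlaps the LAN {lan}")
    return problems


if __name__ == "__main__":
    print(check_plan() or "address plan OK")
```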

