IPSec-VPN Project


POSTS AND TELECOMMUNICATIONS INSTITUTE OF TECHNOLOGY, HO CHI MINH CITY, FACULTY OF INFORMATION TECHNOLOGY II

NETWORK SECURITY COURSE PROJECT REPORT. Topic:

Supervisor: Mr. L Phc

Team: L Th Kim Anh (405170002), Nguyn Th Cm T (405170092), Nguyn Th Lan Phng (405170049)

Ho Chi Minh City, April 2009

Network Security course project

Course instructor: Mr. L Phc

TABLE OF CONTENTS
I. Understanding VPN technology
  1. Characteristics of VPN
  2. Protocols used in VPN
II. Understanding the IPSec encryption mechanism
  1. Introduction to IPSec
  2. Modes of operation
    a. Transport mode
    b. Tunnel mode
    c. Combined mode
  3. Using IPSec
    a. Purpose of using IPSec
    b. Advantages of using IPSec
  4. Deploying IPSec
    a. How IPSec secures traffic
    b. What is an IPSec Security Policy?
    c. How IPSec policies work together
  5. Deploying IPSec with Certificates
    a. Introduction to certificates
    b. Why use certificates with IPSec to secure network traffic
III. IPSec VPN connection models
  1. The IPSec model
  2. The GRE model
  3. The Remote Access Client model
IV. Deploying an IPSec/VPN system on Windows Server 2003
  1. Deployment model
  2. Setting up the VPN server
    a. Installing the DC
    b. Installing IAS
    c. Installing VPN
  3. Setting up the IIS machine
  4. Setting up the CLIENT machine

Deploying an IPSec/VPN system on Windows Server 2003


I. Understanding VPN technology

1. Characteristics of VPN

A VPN is a private network that uses a public network (usually the Internet) to connect remote sites or remote users to a LAN at the central headquarters. Instead of using complicated and expensive connections such as leased digital lines, a VPN creates virtual links carried over the Internet between an organization's private network and the remote site or user. Tunneling is an essential part of a VPN; it is used to encapsulate one protocol inside another. In a VPN, tunneling hides the original network-layer protocol by encrypting the data packet and placing the encrypted packet inside an IP envelope (this IP envelope is in fact an IP packet), which is then transferred securely across the Internet. A VPN also provides quality of service (QoS) agreements; these agreements usually set an upper bound on the allowed average packet delay in the network.

When VPNs are mentioned, people immediately think of the following terms: efficiency, security and protection of data privacy. To reach these goals, a highly effective VPN design must guarantee the following four properties:
- Data confidentiality: unauthorized parties cannot understand the content of the message.
- Data integrity: the content of the message is guaranteed not to change in transit from source to destination.
- Sender non-repudiation: the sender is guaranteed to be legitimate when sending to the receiver.
- Message authentication: a message is guaranteed to come from an authenticated source and reach an authenticated destination.

Below, some methods used to realize the characteristics listed above are illustrated. Confidentiality is illustrated by the following figure:


Figure: Confidentiality

The sender and the receiver use a shared key to encrypt and decrypt. Assume this key is exchanged securely between sender and receiver using the Diffie-Hellman algorithm. Integrity is illustrated by the following figure:

Figure: Integrity

A hash function is used to ensure data integrity. Authentication and non-repudiation are illustrated by the following figure:


Figure: Authentication and non-repudiation

A digital signature provides a method that lets the receiver authenticate the message and guarantees the sender's non-repudiation.

2. Protocols used in VPN

There are four main protocols used to build VPNs.
- Point-to-Point Tunneling Protocol (PPTP): currently the most popular tunneling protocol; it uses the encryption built into Windows, authenticates users, and is configured on the basis of the Point-to-Point Protocol (PPP).
- IP Security (IPSec): this protocol is used for encryption. IPSec can be used to set up a VPN automatically, fits a centralized security policy, and can be used to set up a VPN based on computers rather than users. IPSec is provided as part of the Windows NT 4.0, Windows 2000 and Windows Server 2003 operating systems.
- Layer 2 Tunneling Protocol (L2TP): this protocol uses public-key technology to authenticate users. L2TP works in more diverse environments than PPTP, but it cannot perform encryption.
- Layer 2 Forwarding (L2F): the basis on which L2TP was built.

The following table compares the protocols:


Name: IPSec
  Advantages: operates independently of higher-level applications; allows hiding network addresses without needing NAT; keeps pace with the development of encryption techniques.
  Disadvantages: limited support in products; little interface support (since it is the underlying layer below the network layer).
  Use: well suited for remote access by dial-up.

Name: PPTP
  Advantages: provides end-to-end and node-to-node tunneling; uses existing Windows user domains for authentication; uses RSA RC-4; the client can sit behind a NAT router; can be used for Win9x desktops or WinNT workstations; PPTP can be used for Remote Access or Site-to-Site VPN.
  Disadvantages: does not provide data encryption from remote access servers; highly proprietary, requires a WinNT server to terminate the tunnel; only uses RSA RC-4 encryption.
  Use: used at remote access servers for proxy tunneling.

Name: L2F
  Advantages: allows multiprotocol tunneling; supplied by many vendors.
  Disadvantages: no encryption; weak user authentication; no flow control for the tunnel.
  Use: used for remote access to the POP.

Name: L2TP
  Advantages: combines PPTP and L2F; uses IPSec for encryption.
  Disadvantages: not yet available in many products; does not secure the end segments.
  Use: used for remote access to the POP.

Figure: Comparison table of the protocols

On Microsoft systems, L2TP is combined with the IPSec Encapsulating Security Payload (ESP) for data encryption; the combination is called L2TP/IPSec. This combination not only allows authentication of PPTP users but also authentication of computers through certificates, raises the security of data in transit, and lets the tunnel run across many different network systems. However, in an L2TP/IPSec environment the VPN clients cannot sit behind a NAT router. In that case the VPN server and VPN client must support IPSec NAT-T.


II. Understanding the IPSec encryption mechanism

1. Introduction to IPSec

For computers on a LAN/WAN or the Internet to communicate with each other, they must use the same protocol, and the most widely used protocol today is TCP/IP. Transmitted data must be secured according to user needs, so encryption and authentication mechanisms must be applied. Many solutions have been proposed; among them IPSec, developed by the IETF and operating on top of TCP/IP, has proven effective while saving considerable cost. IPSec is widely deployed to implement VPNs. IPSec services sit at the network layer of the protocol stack. During encryption, IPSec can use several different formats; these formats are presented in detail in the following section. IPSec offers encryption methods such as DES, 3DES and AES and authentication methods such as HMAC, MD5 and SHA-1. Note that all packet encryption in IPSec uses symmetric keys.

2. Modes of operation

IPSec has two modes of operation.
- Transport mode: only the transport-layer part of the packet is processed.
- Tunnel mode: the whole packet is processed.

a. Transport mode

Figure: Cases of transport mode

Transport mode is used for both gateways and hosts and provides security for the upper-layer protocols. In this mode, AH is inserted after the IP header and before the upper-layer protocols (TCP/UDP, ICMP, ...).

b. Tunnel mode

Figure: Cases of tunnel mode

In tunnel mode, the inner IP header carries the source and destination addresses, while the outer IP header carries different IP addresses (for example those of the gateways). AH protects the entire IP packet, including the inner IP header. Because AH only protects against modification of the data content, another means is needed to ensure data privacy. In tunnel mode this is done by extending protection to the contents of the IP header, especially the source and destination addresses. Although in tunnel mode ESP protects the data content (against eavesdropping), it does not protect the whole traffic flow. A sophisticated attack can obtain the source and destination addresses and then analyze the traffic to learn the communication pattern. ESP tunnel mode adds security by encrypting the entire packet. After the whole payload is encrypted, ESP tunnel mode creates a new header to route the packets from the sending host to the receiving host.

c. Combined mode

Figure: Cases of combined mode.

To combine AH and ESP in tunnel mode or transport mode, IPSec must support combining the tunnel and transport modes. This is done by using tunnel mode to encrypt and authenticate the packets and their headers, then attaching AH or ESP, or both, in transport mode to protect the newly created header. Note that AH and ESP cannot be used together in tunnel mode, because ESP has its own authentication option, which should be used in tunnel mode when packets need both encryption and authentication.

3. Using IPSec

a. Purpose of using IPSec

IPSec is used to secure data transmitted over the network. The administrator sets up a series of policies called IPSec Policies. These policies contain filters that specify which traffic requires encryption, a digital signature, or both. Every packet the computer sends is then evaluated to see whether it matches the policy conditions. This process is transparent to the user and to the applications that initiate the data transfer. Because IPSec is encapsulated in standard IP packets, it can travel across the network without requiring special configuration on the devices between the two hosts. IPSec cannot encrypt some kinds of traffic, such as broadcast, multicast and Kerberos protocol packets.

b. Advantages of using IPSec

The main benefit of IPSec is that it encrypts completely transparently for all protocols at layer 3 of the OSI model and above. IPSec provides:
- Mutual authentication before and during the exchange.
- Confidentiality through encryption of IP traffic and digital signing of packets. IPSec has two modes: ESP (Encapsulating Security Payload), which encrypts using one or more algorithms, and AH (Authentication Header), which authenticates traffic but does not encrypt it.
- Integrity of IP traffic by discarding traffic that has been modified. Both ESP and AH verify the integrity of all IP traffic. If a packet has been modified, the digital signature will not match and the packet is discarded.
- Attack prevention: both ESP and AH use sequence numbers, so any packet captured and replayed later carries an out-of-sequence number. Ordered sequence numbers ensure that an attacker cannot reuse or replay captured data to establish a session or gather information illegitimately. Sequence numbers also protect against attacks in which a message is intercepted and the identical message is later used, possibly months afterwards, to gain illegitimate access to resources.

Example: because the capture of confidential information can harm an organization's success, an organization needs a trustworthy private network to secure sensitive information such as product data, financial reports and marketing plans. You can use IPSec to make sure communication is private and secure on the network, intranet or extranet, including workstation-to-server and server-to-server communication. For instance, you can assign an IPSec policy to the computers that connect to servers holding sensitive information that could be an attacker's target, such as human resources and finance data or strategic planning data. The IPSec policy protects your data from outside attack, keeping it confidential and intact.

The figure below is an example of an Internet VPN application. There are three places where IPSec software is installed: security gateways, mobile clients and hosts. However, not every device requires IPSec software; it depends on the network design. For example, if a LAN-to-LAN VPN is needed, an IPSec security gateway is enough. If remote workstations dial in to the network through ISPs, IPSec client software must be installed on the mobile users' computers. If you want a VPN in which all computers can communicate with each other over IPSec, IPSec software must be installed on all of the computers.

Figure: Component stations of an Internet VPN


4. Deploying IPSec

a. How IPSec secures traffic

IPSec configuration is set up through a local policy or a group policy in the Active Directory directory service:
- IPSec policies are delivered to all computers: the policy tells the IPSec driver how to run and defines the Security Associations that can be established. A security association governs which encryption protocol is used for which type of traffic and which authentication method is established.
- The Security Association is established: the Internet Key Exchange (IKE) component establishes the Security Association. IKE combines two protocols: Internet Security Association and Key Management Protocol (ISAKMP) and Oakley Key Determination. If one client requires certificate authentication and the other requires the Kerberos protocol, IKE cannot establish a security association between the two machines. If you look at the packets in Network Monitor you will see ISAKMP packets, but you will not see any AH or ESP packets following them.
- IP packets are encrypted: after the security association is established, the IPSec driver monitors all IP traffic, comparing it against the defined filters.

b. What is an IPSec Security Policy?

Definition: an IPSec security policy consists of one or more rules that determine how IPSec operates.

IPSec security policy rules. You deploy IPSec by setting up policies. Each policy can contain several rules, but only one policy can be assigned at a time on a machine. You must combine all the required rules into a single policy. Each rule consists of:
- Filter: the filter tells the policy which traffic the filter action applies to. For example, you can have a filter that identifies only HTTP traffic or only FTP traffic.
- Filter action: the filter action decides what the policy must do if traffic matches the filter. For example, you can tell IPSec to block all FTP traffic but require encryption of all HTTP traffic. The filter action can also specify the encryption and hashing algorithms the policy should use.
- Authentication method: there are three possible authentication methods: certificates, the Kerberos protocol and preshared keys. Each rule can specify multiple authentication methods.

Default policies. In Windows 2000 or later, three policies are configured by default:
- Client (Respond Only): if a computer requests that the client use IPSec, it responds with IPSec. The Client (Respond Only) policy does not initiate IPSec on its own. This policy has one rule, called the Default Response rule. This rule lets the host respond to requests for ESP from hosts in trusted Active Directory domains. ESP is the IPSec mode that provides confidentiality together with authentication, integrity and anti-replay.
- Server (Request Security): you can use this policy on both servers and clients. It always tries to use IPSec but can fall back to unsecured communication if the client is not configured with an IPSec policy. The Request Security policy has three rules. The first is the Default Response rule described above. The second permits ICMP traffic. ICMP is the maintenance protocol in TCP/IP that reports errors and allows simple connectivity tests; the ping command uses ICMP to troubleshoot TCP/IP. Although ICMP is a good diagnostic tool, you may want to disable it in high-security networks, since some attacks are based on ICMP. The third rule requires ESP for all IP traffic.
- Secure Server (Require Security): you can use this policy on both servers and clients. If this policy is assigned, the computer can only communicate over IPSec and never falls back to unsecured communication. This policy also has three rules. The first two are Default Response and Permit ICMP, as described above. The difference in the Secure Server (Require Security) policy is that all traffic must be encrypted with ESP, otherwise the server will not communicate with the peer. The ICMP rule overrides the rule that requires security for all other IP traffic.
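The filter, filter action and authentication method described above can be created from the command line instead of the IP Security Policy snap-in. The script below is an added example, not part of the original report; it uses the netsh "ipsec static" context of Windows Server 2003 / XP SP2, and the policy, filter-list and filter-action names are assumptions chosen here.

```batch
@echo off
rem Added example (not from the report): one policy with two rules, matching
rem the text above: require ESP for HTTP, block FTP.  Names are assumed.

rem 1. The policy container.  Only one policy can be assigned per machine,
rem    so every rule this host needs goes into this single policy.
netsh ipsec static add policy name="PTIT Web Policy" description="Require ESP for HTTP, block FTP"

rem 2. Filters: which traffic each rule applies to.  "me" is this host;
rem    mirrored=yes also matches the reply direction.
netsh ipsec static add filterlist name="HTTP traffic"
netsh ipsec static add filter filterlist="HTTP traffic" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=80 mirrored=yes
netsh ipsec static add filterlist name="FTP traffic"
netsh ipsec static add filter filterlist="FTP traffic" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=21 mirrored=yes

rem 3. Filter actions: what to do with matching traffic.  "Require ESP"
rem    negotiates ESP with 3DES/SHA1; inpass=no refuses unsecured inbound
rem    packets and soft=no disables the fall-back to clear text, i.e. the
rem    Require Security behaviour rather than Request Security.
netsh ipsec static add filteraction name="Require ESP" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no
netsh ipsec static add filteraction name="Block" action=block

rem 4. Rules tie filter list + filter action + authentication method together.
rem    kerberos=yes uses the domain's Kerberos protocol; for peers outside the
rem    domain a rule would use rootca="..." (certificate) or psk="..." instead.
netsh ipsec static add rule name="Secure HTTP" policy="PTIT Web Policy" filterlist="HTTP traffic" filteraction="Require ESP" kerberos=yes
netsh ipsec static add rule name="Block FTP" policy="PTIT Web Policy" filterlist="FTP traffic" filteraction="Block"

rem 5. Assign the policy (this unassigns any other local policy) and review it.
netsh ipsec static set policy name="PTIT Web Policy" assign=y
netsh ipsec static show policy name="PTIT Web Policy"
```

Run it in an elevated command prompt on the host being protected; in a domain, the same rules are normally created once in Group Policy instead of on each machine.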


c. How IPSec policies work together

How the default policies interact (rows: policy of the first host, columns: policy of the second host):

                                 | No assigned policy | Client (Respond Only) | Server (Request Security) | Secure Server (Require Security)
No assigned policy               | No IPSec           | No IPSec              | No IPSec                  | No communication
Client (Respond Only)            | No IPSec           | No IPSec              | IPSec                     | IPSec
Server (Request Security)        | No IPSec           | IPSec                 | IPSec                     | IPSec
Secure Server (Require Security) | No communication   | IPSec                 | IPSec                     | IPSec

Negotiating the security association. Never compare policies in isolation. Computers that negotiate a security association must have complementary policies. The table above shows the results when the default policies work together. If two hosts can negotiate a security association that is compatible with each other, communication can take place using IPSec. If the two hosts have incompatible policies, they may either fall back to unsecured communication or be unable to communicate at all.

Example of how policies work together. The table above applies only to the default policies with their default rules. If you apply a policy whose rule makes machine A request ESP for HTTP while machine B requires AH for HTTP, the two machines will not be able to negotiate a security association. Kerberos authentication is the default setting for all of the default policies. The Kerberos protocol works with computers in the Active Directory system, but if one machine is not a member of that system the other computers cannot negotiate authentication with it. If machine B is changed to use only certificates to authenticate IP traffic, no security association can be established. Machine B can be reconfigured to require either the Kerberos protocol or certificates. Once the authentication methods agree, authentication can be performed. If you assign the Secure Server (Require Security) policy, the computer will not be able to communicate with any machine that does not have IPSec. For instance, if the computer needs to reach a server running Microsoft SQL Server without IPSec, the connection will fail. If you assign the Server (Request Security) policy, the computer falls back to unsecured communication with any computer that has no policy. IPSec policies should be set up so that traffic that needs to be secured is secured while basic communication is still allowed.
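The outcomes in the table above follow from three properties of each policy (whether it initiates IKE, whether it answers IKE, and whether it accepts clear text when no SA results) plus the rule-level checks IKE performs. The following is an added example, not code from the report and not Windows' own IKE implementation: a model that derives the whole interaction matrix from those properties and reproduces the two custom-rule mismatches described in the text (ESP versus AH, Kerberos versus certificate). The policy objects and helper functions are constructed here.

```python
"""Model of how Windows IPSec policies negotiate with each other (added example)."""
from dataclasses import dataclass, replace

IPSEC = "IPSec"              # an SA was negotiated; traffic is protected
CLEAR = "No IPSec"           # no SA, both sides accept unsecured traffic
FAIL = "No communication"    # no SA, at least one side refuses clear text


@dataclass(frozen=True)
class Policy:
    name: str
    initiates: bool    # starts an IKE negotiation for traffic it wants protected
    responds: bool     # answers an IKE negotiation started by the peer
    falls_back: bool   # accepts clear text if no SA can be negotiated
    # Rule-level parameters IKE must agree on (defaults of the built-in policies).
    protocols: frozenset = frozenset({"ESP"})          # quick-mode security methods
    auth_methods: frozenset = frozenset({"Kerberos"})  # phase-1 authentication


# The three built-in policies from the text, plus the "no policy" case.
NO_POLICY = Policy("No assigned policy", initiates=False, responds=False,
                   falls_back=True, protocols=frozenset(), auth_methods=frozenset())
CLIENT = Policy("Client (Respond Only)", initiates=False, responds=True, falls_back=True)
SERVER = Policy("Server (Request Security)", initiates=True, responds=True, falls_back=True)
SECURE_SERVER = Policy("Secure Server (Require Security)", initiates=True,
                       responds=True, falls_back=False)
DEFAULT_POLICIES = [NO_POLICY, CLIENT, SERVER, SECURE_SERVER]


def negotiate(a: Policy, b: Policy) -> str:
    """Outcome when a host with policy `a` talks to a host with policy `b`."""
    # An SA needs one side to start IKE and the other to answer it.
    ike_possible = (a.initiates and b.responds) or (b.initiates and a.responds)
    if ike_possible:
        # Phase 1: a shared authentication method; phase 2: a shared security method.
        if a.auth_methods & b.auth_methods and a.protocols & b.protocols:
            return IPSEC
    # No SA: traffic flows in clear text only if both sides allow that.
    if a.falls_back and b.falls_back:
        return CLEAR
    return FAIL


def interaction_table(policies=DEFAULT_POLICIES) -> dict:
    """Recreate the 'how policies work together' matrix, keyed by (row, column)."""
    return {(a.name, b.name): negotiate(a, b) for a in policies for b in policies}


def report_examples() -> dict:
    """The custom-rule cases from the text, built by editing the default policies."""
    a_esp_http = replace(SERVER, protocols=frozenset({"ESP"}))          # A requests ESP
    b_ah_http = replace(SECURE_SERVER, protocols=frozenset({"AH"}))     # B requires AH
    b_cert_only = replace(SECURE_SERVER, auth_methods=frozenset({"certificate"}))
    b_cert_or_krb = replace(SECURE_SERVER, auth_methods=frozenset({"certificate", "Kerberos"}))
    return {
        "A requests ESP, B requires AH": negotiate(a_esp_http, b_ah_http),
        "B accepts certificates only": negotiate(SERVER, b_cert_only),
        "B accepts certificates or Kerberos": negotiate(SERVER, b_cert_or_krb),
    }


if __name__ == "__main__":
    for (row, col), result in interaction_table().items():
        print(f"{row:33} <-> {col:33}: {result}")
    for case, result in report_examples().items():
        print(f"{case}: {result}")
```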

5. Deploying IPSec with Certificates

a. Introduction to certificates

Definition. An X.509 certificate is an electronic credential commonly used for authentication and for securing the exchange of information on open networks such as the Internet, extranets and intranets. A certificate binds a public key to the entity that holds the corresponding private key. For instance, you can encrypt data for a recipient with their public key and be certain that only the recipient holding the private key can decrypt it. The issuer of certificates is called a Certification Authority (CA). Certificates are issued to users, computers or services such as IPSec.

Benefits of certificates. One of the main benefits of certificates is that a host no longer needs to maintain a set of passwords for the individual subjects that must be authenticated as a condition of access. Instead, the host simply establishes trust in the CA that issued the certificate.

b. Why use certificates with IPSec to secure network traffic

The following table describes some cases in which you can use certificates:

Certificate use: Digital signature
  Description: uses the public key in the certificate to confirm that the data was signed with the corresponding private key.

Certificate use: Encrypting File System (EFS)
  Description: uses the public key in the certificate to encrypt the file encryption key.

Certificate use: Internet authentication
  Description: helps a web client identify the web server. The web server can also use a certificate to verify the web client.

Certificate use: IP Security
  Description: authenticates computers and encrypts data as it travels over the network.

Certificate use: Secure e-mail
  Description: encrypts and decrypts e-mail.

Certificate use: Software code signing
  Description: verifies the identity of a software publisher.

Purpose. Using a certificate from a trusted CA as the authentication method between two IPSec hosts allows businesses to communicate with one another. You can also use certificates to enable the Windows Routing and Remote Access service to communicate securely over the Internet with layer-3 routers that support IPSec. However, because certificates are more complex than preshared keys or the Kerberos protocol, they demand more administrative setup. Certificates are only one component of a PKI solution. Although a PKI requires management resources and planning,

The Kerberos protocol and preshared keys. Two other methods for authentication between two IPSec hosts are:
- Kerberos protocol: for traffic between computers in the same domain, using the Kerberos protocol, which is the default, is the simplest authentication method for IPSec and requires no configuration. The Kerberos protocol is a built-in component of Active Directory and therefore also a component of the enterprise domain infrastructure. However, for clients that do not support the Kerberos protocol or are not part of the Active Directory infrastructure, use preshared keys or X.509 certificates.
- Preshared keys: a preshared key is a long random string of characters used as a password between two IPSec hosts. Preshared keys are not as secure as the Kerberos protocol or certificates, because they are stored in clear text in the IPSec policy. If an attacker gains administrative access to the policy, they can read the preshared key. Preshared keys are also not well suited to configuring many machines.

III. IPSec VPN connection models

1. The IPSec model

The simplest connection model is achieved by creating an IPSec VPN between two sites, commonly called a site-to-site connection, using the IPSec model. The sites can be connected through a private IP network such as a Frame Relay or ATM network running IP, using transport mode, or through the public Internet, using tunnel mode. IPSec encryption is applied after a clear-text packet is received, a routing decision is made, and an interface is chosen for egress transmission. The IPSec policy is applied to the egress interface, where encryption is one of the last functions invoked before the packet is transmitted. Similarly, encrypted packets received on an interface with an IPSec policy are decrypted before the routing and forwarding decision is completed. The key point here is that the IPSec policy is associated with the egress interface for packet encryption and with the ingress interface for packet decryption. Usually the egress and ingress interfaces are one and the same; therefore the IPSec policy is consistent for both flows in both directions. If an IPSec gateway has multiple egress interfaces, the routing policy on the endpoints must ensure that the interface used for inbound and outbound traffic is the same one on which the IPSec policy is applied.

The IPSec model is conceptually relatively simple and easy to understand. It protects unicast traffic from one subnet to another. In general, the IPSec model is the least common, given the prospective and potential IPSec nodes and the ability to set up connections between sites. Although the protection model is conceptually simple, its configuration can be quite complex for large VPNs. It requires explicitly configuring a protection profile for the traffic between each pair of subnets. Adding a subnet to the VPN may require configuration updates on all the other VPN gateways in the network. Network designers must carefully allocate IP address blocks to each site to minimize the configuration of separate IPSec proxy profiles. In some cases network planners have control over address-allocation methods that may allocate subnet addresses inefficiently. A network architected on the basic IPSec model can become hard to manage. Therefore subnet address allocation needs to be analyzed from the IPSec policy definitions to simplify maintenance. Another drawback of the IPSec model is the lack of support for IP multicast addresses, since the original IPSec RFCs do not provide for multicast in IPSec proxy statements. Many dynamic IGP routing protocols (such as OSPF, EIGRP and RIP) use IP multicast to establish neighbor relationships. Most enterprises rely on Interior Gateway Protocols (IGPs) to automatically discover optimal paths through the VPN. The IPSec model reduces the value of the IGP, making the proxy statements behave like static routes.

2. The GRE model

There are limitations in supporting dynamic routing and IP multicast when the IPSec model is used for site-to-site connectivity. One way to overcome these limitations is to use GRE (generic route encapsulation) tunnels for the site-to-site traffic, protected by IPSec. A significant advantage of the GRE model is that it simplifies the configuration of site-to-site VPN connectivity. In the GRE model, all traffic between sites goes through a GRE tunnel protected by IPSec. Therefore, the IPSec profiles in this model are applied to packets that originate and terminate at the GRE tunnel interfaces. A VPN built with GRE and IPSec protection can be divided into four basic functions:
- Creating the GRE tunnel.
- Protecting the GRE tunnel with IPSec.
- Providing IP connectivity between the GRE and IPSec tunnel endpoints (routing outside the VPN).
- Providing a routing path for the end systems through the GRE tunnels (routing inside the VPN).

The combination of GRE tunnels and IPSec separates the dynamic routing requirements and the subnet-to-subnet traffic flows from the IPSec protection policy. IPSec protection is simplified by the advantage that a single IPSec proxy profile can be defined for the GRE tunnel, which carries all traffic flows between the two VPN gateways regardless of traffic type, source or destination. However, the trade-off of using the GRE model is that it requires two levels of routing: one level between the VPN gateways to route the encrypted tunnel packets, and another level between the VPN gateways through the tunnel to provide routes between the end-user subnets. Thus the GRE model minimizes the IPSec provisioning requirements while creating an overlay tunnel network that complicates administration.

3. The Remote Access Client model

The need to encrypt traffic between clients (such as PCs and PDAs) and VPN gateways poses different challenges. The RAC (Remote Access Client) model requires many different capabilities to handle address assignment for dynamic hosts, the lack of configuration control, and transient connections. Both the IPSec and GRE models work very effectively for site-to-site connectivity, where all endpoint IP addresses are known and preconfigured at the sites. However, neither model works for an employee who travels frequently and tries to connect to the corporate VPN (an IPSec connection) without a known IP address. Therefore an effective and flexible solution is needed that lets remote clients access the corporate VPN. Using the advantages of IPSec, the RAC model lets a client use a dynamically assigned IP address. It also lets the network provisioning staff define policies for the clients, simplifying network administration. Neither the IPSec nor the GRE model provides this capability. A new way is needed to exchange capability and attribute information while the IPSec connection is being set up. This exchange of capability and attribute information can be done by extending IKE. The IKE mode configuration process assigns connection attributes to the client, assuming it is a single host. The attributes commonly assigned include:
- a private IP address
- a private DNS server
- a private WINS server
- a private domain name

The assigned private IP address is usually taken from an address pool configured on the hub. An IPSec proxy is then created to protect traffic from the assigned private address to a range of addresses protected by the hub. The hub advertises the address pool to the network devices, for example as the return route provided to the client. Usually the client sends all traffic to the hub when split tunneling is not allowed. The RAC model clearly simplifies provisioning by automatically distributing policy to the clients using IKE mode configuration. Protection policies can be defined and managed centrally so that the network operator does not have to configure each remote endpoint. There are two drawbacks to this model. First, IPSec connections can only be initiated from the client to the server. Second, the connection uses an IPSec proxy statement that does not support multicast.

IV. Deploying an IPSec/VPN system on Windows Server 2003

1. Deployment model

Figure: Deployment model of the IPSec/VPN system

The VPN here is simplified to the three computers needed to play the different roles in a virtual private network. A computer running Windows Server 2003, Standard Edition, named VPN, acts as the VPN server. VPN is fitted with two network adapters. It simultaneously acts as a domain controller (DC), an IAS server managing remote-access users through RADIUS (Remote Authentication Dial-in User Service), a DNS (Domain Name System) server, a DHCP (Dynamic Host Configuration Protocol) server and a certification authority (CA). A computer running Windows XP Professional, named CLIENT, acts as a remote access client. A computer running Windows Server 2003, Standard Edition, named IIS, acts as a web and file server.

2. Ci t trn my ch VPN a. Ci t DCThit lp cc cu hnh v ti khon ti DC Chy Active Directory Installation Wizard (tp tin dcpromo.exe) cho mt domain mi ptit.com. Ci t dch v DNS khi c yu cu. S dng trnh qun l Active Directory Users and Computers, nhn chut phi vo domain ptit.com ri nhn vo Raise Domain Functional Level. Kch chut vo dng Windows Server 2003 v chn Raise. Ci t giao thc DHCP lm mt thnh phn ca Networking Services bng cch dng Control Panel => Add or Remove Programs. M trnh qun l DHCP t th mc Administrative Tools. Nhn vo mc Action => Authorize cho php s dng dch v DHCP. Trong cy th mc, nhn chut phi vo dc.ptit.com ri nhn New Scope. Trn trang Welcome ca New Scope Wizard, nhn Next. trang Scope Name, nhp mt ci tn nh PTIT Network. Nhn vo Next. Trn trang a ch IP, nhp 192.168.3.10 Start IP address, 192.168.3.100 End IP address v 24 mc Length.

Hnh: Khai bo a ch IP

-

Nhn Next. Trn trang Add Exclusions, nhn Next. Trn trang Lease Duration, nhn Next.

Trin khai h thng IPSec/VPN trn Windows Server 2003

- 17 -

n mn hc Bo mt mng

GVBM: Thy L Phc

- On the Configure DHCP Options page, click Yes, I want to configure DHCP options now. Click Next.
- On the Router (Default Gateway) page, click Next.
- On the Domain Name and DNS Servers page, enter ptit.com in Parent domain. Enter 192.168.3.1 in IP address and click Add. Click Next.
- On the WINS Servers page, click Next.
- On the Activate Scope page, click Yes, I want to activate the scope now. Click Next.
- On the Completing the New Scope Wizard page, click Finish.
- Install Certificate Services as a root CA named PTIT CA using Control Panel => Add or Remove Programs.
- Open Active Directory Users and Computers. In the console tree, select ptit.com. Right-click Users and choose New => Computer.
- In the New Object - Computer dialog, enter IIS in Computer name. Click Next. In the Managed dialog, click Next. In the New Object - Computer dialog, click Finish.
- Repeat the three previous steps to create additional computer accounts named VPN and CLIENT.
- In the console tree, right-click Users and choose New => User. In the New Object - User dialog, enter VPNUser in First name and VPNUser in User logon name. Click Next.
- In the New Object - User dialog, enter a password of your choice in Password and Confirm password. Clear User must change password at next logon and check Password never expires. Click Finish.
- In the console tree, right-click Users and choose New => Group. In the New Object - Group dialog, enter VPNUsers in Group name and click OK.
- Double-click VPNUsers. Click the Members tab and click Add. In the Select Users, Contacts, Computers, or Groups dialog, enter VPNUser in Enter the object names to select. Click OK. In the Multiple Names Found dialog, click OK. The VPNUser account is now listed as a member of the VPNUsers group. Click OK to save the changes to the VPNUsers group.

Next, configure the DC to enroll computer certificates automatically:

- Open Active Directory Users and Computers.
- In the console tree, double-click Active Directory Users and Computers, right-click ptit.com and choose Properties. Open the Group Policy tab, click Default Domain Policy and choose Edit.
- In the console tree, open Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Automatic Certificate Request Settings.
- Right-click Automatic Certificate Request Settings, choose New and click Automatic Certificate Request.
- On the Welcome to the Automatic Certificate Request Setup Wizard page, click Next.
- On the Certificate Template page, click Computer. Click Next.
- On the last page of the Automatic Certificate Request Setup Wizard, click Finish. The certificate type now appears in the details pane of the Group Policy Object Editor.
- Type gpupdate at a command prompt to refresh Group Policy on the DC.
- After the new certificates are enrolled, stop and restart the IPsec Policy Agent and Remote Access services: click Start > Administrative Tools > Services. In the details pane, select IPSEC Services > Action and click Restart. Then select Routing and Remote Access > Action and click Restart.
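The DC steps above (DHCP scope, computer accounts, the VPNUser account and VPNUsers group, the Group Policy refresh and the service restarts) can also be driven from the command line. The following batch file is an added example and is not part of this report; it uses the netsh dhcp and dsadd tools included with Windows Server 2003 and assumes the DC is dc.ptit.com at 192.168.3.1 (the DNS address the scope hands out). The automatic certificate request GPO step is not scripted here.

```batch
@echo off
rem Added example (not from the report): command-line equivalent of the DC
rem setup steps, using netsh dhcp and dsadd from Windows Server 2003.
rem Run on the DC after dcpromo, DHCP and Certificate Services are installed.
rem Assumed: the DC is dc.ptit.com at 192.168.3.1 (the DNS address handed out).

rem --- DHCP: authorize this server in AD, then create the PTIT Network scope
netsh dhcp add server dc.ptit.com 192.168.3.1
netsh dhcp server add scope 192.168.3.0 255.255.255.0 "PTIT Network" "Intranet clients"
rem Address range 192.168.3.10 - 192.168.3.100 (Length 24 = mask 255.255.255.0)
netsh dhcp server scope 192.168.3.0 add iprange 192.168.3.10 192.168.3.100
rem Option 015 = DNS domain name, 006 = DNS server (Domain Name and DNS Servers
rem page). Router (003) and WINS (044) stay unset, as in the wizard steps.
netsh dhcp server scope 192.168.3.0 set optionvalue 015 STRING ptit.com
netsh dhcp server scope 192.168.3.0 set optionvalue 006 IPADDRESS 192.168.3.1
rem Activate the scope (state 1 = active); lease duration keeps the default
netsh dhcp server scope 192.168.3.0 set state 1

rem --- Active Directory: the report creates all objects in the Users container
dsadd computer "CN=IIS,CN=Users,DC=ptit,DC=com"
dsadd computer "CN=VPN,CN=Users,DC=ptit,DC=com"
dsadd computer "CN=CLIENT,CN=Users,DC=ptit,DC=com"

rem VPNUser: "-pwd *" prompts for the password instead of storing it in the
rem script; "must change password" cleared, "password never expires" set
dsadd user "CN=VPNUser,CN=Users,DC=ptit,DC=com" -samid VPNUser ^
    -upn VPNUser@ptit.com -fn VPNUser -pwd * ^
    -mustchpwd no -pwdneverexpires yes

rem Global security group VPNUsers with VPNUser as its only member
dsadd group "CN=VPNUsers,CN=Users,DC=ptit,DC=com" -secgrp yes -scope g ^
    -samid VPNUsers -members "CN=VPNUser,CN=Users,DC=ptit,DC=com"

rem --- Refresh Group Policy, then restart IPSEC Services (service name
rem PolicyAgent) and Routing and Remote Access (service name RemoteAccess)
gpupdate
net stop PolicyAgent
net start PolicyAgent
net stop RemoteAccess
net start RemoteAccess
```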

b. Setting up IAS

IAS provides RADIUS authentication, authorization and accounting for access requests.

- Install Internet Authentication Service under Networking Services in Control Panel - Add or Remove Programs.
- Open Internet Authentication Service from the Administrative Tools folder.
- Right-click Internet Authentication Service and choose Register Server in Active Directory. When the Register Internet Authentication Service in Active Directory dialog appears, click OK.
- In the console tree, right-click Clients and choose New RADIUS Client.
- On the Name and Address page of New RADIUS Client, type VPN CLIENT in Friendly name and 192.168.3.1 in Client address. Click Next.
- On the Additional Information page of New RADIUS Client, type the shared secret for the VPN server in Shared secret and type it again in Confirm shared secret. Click Finish.
- In the console tree, right-click Remote Access Policies and choose New Remote Access Policy.
- On the Welcome to the New Remote Access Policy Wizard page, click Next.
- On the Policy Configuration Method page, enter VPN remote access to intranet in Policy name. Click Next.
- On the Access Method page, choose VPN. Click Next.
- On the User or Group Access page, choose Group. Click Add. In the Select Groups dialog, type VPNUsers in Enter the object names to select. Click OK. The VPNUsers group of the ptit.com domain is added to the group list on the User or Group Access page. Click Next.
- On the Authentication Methods page, the MS-CHAP v2 authentication protocol is selected by default. Click Next.
- On the Policy Encryption Level page, clear the Basic encryption and Strong encryption check boxes. Click Next.
- On the Completing the New Remote Access Policy Wizard page, click Finish.

c. Setting up VPN

VPN is a computer running Windows Server 2003, Standard Edition that provides VPN server services to VPN clients. To configure VPN as the VPN server, perform the following steps:

- Install Windows Server 2003, Standard Edition on the computer as a member server named VPN in the ptit.com domain.
- Open the Network Connections folder. Rename the connection to the intranet segment to "PTIT Network" and the connection to the Internet segment to "Internet".
- Configure TCP/IP on the PTIT Network connection with IP address 192.168.3.1, subnet mask 255.255.255.0 and DNS server address 192.168.3.1.
- Configure TCP/IP on the Internet connection with IP address 10.0.0.1 and subnet mask 255.0.0.0.
- Run Routing and Remote Access from the Administrative Tools folder.
- In the console tree, right-click VPN and choose Configure and Enable Routing and Remote Access.
- On the Welcome to the Routing and Remote Access Server Setup Wizard page, click Next.
- On the Configuration page, Remote access (dial-up or VPN) is selected by default. Click Next.
- On the Remote Access page, select VPN. Click Next.
- On the VPN Connection page, click the Internet interface under Network interfaces. Click Next.
- On the IP Address Assignment page, Automatically is selected by default. Click Next.
- On the Managing Multiple Remote Access Servers page, click Yes, set up this server to work with a RADIUS server. Click Next.
- On the RADIUS Server Selection page, type 192.168.3.1 in Primary RADIUS server and the shared secret in Shared secret. Click Next.
- On the Completing the Routing and Remote Access Server Setup Wizard page, click Finish. A message prompts you to configure the DHCP Relay Agent. Click OK.
- In the console tree, open VPN (local), then IP Routing, then DHCP Relay Agent. Right-click DHCP Relay Agent and choose Properties. In the DHCP Relay Agent Properties dialog, type 192.168.3.1 in Server address. Click Add, then OK.
- Refresh Group Policy on VPN by typing gpupdate at a command prompt. After the new certificates are enrolled, stop and restart the IPsec Policy Agent and Remote Access services: click Start > Administrative Tools > Services. In the details pane, select IPSEC Services > Action and click Restart. Then select Routing and Remote Access > Action and click Restart.

3. Setting up the IIS computer

IIS runs Windows Server 2003, Standard Edition with the Internet Information Services (IIS) service. To configure IIS as the file and web server, perform the following steps:

- Install Windows Server 2003, Standard Edition on the computer as a member server named IIS in the ptit.com domain.
- Install IIS as a subcomponent of Application Server in the Windows Components Wizard, from Control Panel - Add or Remove Programs.
- On IIS, use Windows Explorer to create a new share for the root folder of drive C:, named ROOT, with the default permissions.
- To verify that the web server is working, run Internet Explorer on IAS. If the Internet Connection Wizard prompts you, configure the Internet connection as a LAN connection. In Internet Explorer, in Address, type http://IIS.ptit.com/winxp.gif. You should see the Windows XP logo.
- To verify that file sharing is working, on IAS click Start > Run, type \\IIS\ROOT and click OK. If it works, you will see the contents of the root folder of drive C: on IIS.

4. Setting up the CLIENT computer

CLIENT is a computer running Windows XP Professional that acts as a VPN client and remotely accesses intranet resources across the Internet. To configure CLIENT as the VPN client, perform the following steps:

- Connect CLIENT to the intranet segment.
- On CLIENT, install Windows XP Professional as a member computer named CLIENT in the ptit.com domain.
- Add the VPNUser account of the ptit.com domain to the Administrators group. Log off, then log on again using the VPNUser account of the ptit.com domain.
- From Control Panel - Network Connections, open the properties of the Local Area Network connection, then the properties of the TCP/IP protocol. Click the Alternate Configuration tab and choose User configured. In IP address, type 10.0.0.2. In Subnet mask, type 255.0.0.0. Click OK to save the TCP/IP changes. Click OK to save the Local Area Network connection changes.

To enroll the certificates on this computer and configure an L2TP/IPsec remote access VPN connection, perform the following steps:

- Restart CLIENT and log on with the VPNUser account. The computer and Group Policy are updated automatically.
- Shut down CLIENT. Disconnect CLIENT from the intranet segment and connect it to the Internet segment.
- Restart CLIENT and log on with the VPNUser account.
- On CLIENT, in Control Panel, open the Network Connections folder. Under Network Tasks, click Create a new connection.
- On the Welcome to the New Connection Wizard page, click Next.
- On the Network Connection Type page, click Connect to the network at my workplace. Click Next.
- On the Network Connection page, click Virtual Private Network connection. Click Next.
- On the Connection Name page, type L2TP to PTIT Network. Click Next.
- On the Public Network page, click Do not dial the initial connection. Click Next.
- On the VPN Server Selection page, type 10.0.0.1 in Host name or IP address. Click Next.
- On the Connection Availability page, click Next.
- On the Completing the New Connection Wizard page, click Finish. The L2TP to PTIT Network dialog appears.
- Click Properties, then click the Networking tab. On the Networking tab, under Type of VPN, click L2TP/IPSec VPN. Click OK to save the changes to the L2TP to PTIT Network connection.
- The Connect L2TP to PTIT Network dialog appears. In User name, type ptit\VPNUser. In Password, type the password chosen for the VPNUser account. Click Connect.
- Once the connection is established, run a web browser. In Address, type http://IIS.ptit.com/iisstart.htm. You will see a message that the site is under construction. In practice you need a real domain name in place of ptit.com.
- Click Start > Run, type \\IIS\ROOT and click OK. You will see the contents of the local drive (C:) on IIS.
- Right-click the L2TP to PTIT Network connection and choose Disconnect.
