Understanding Virtual Private Networks (VPN)


8/2/2019 Tìm hiểu mạng riêng ảo VPN (Understanding Virtual Private Networks), page 1/16

Understanding Virtual Private Networks (VPN), Part 1

A VPN (Virtual Private Network) solution is designed for organizations that need more remote communication because they operate over a wide area (nationwide or worldwide). Central resources can be reached from many locations, which saves both cost and time.

A typical VPN consists of the main LAN at headquarters (the Main Office), further LANs at remote offices, connection points (such as a home office) and users (mobile employees) who connect from outside.

Concept

Basically, a VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users to a central LAN at headquarters. Instead of a real, rather complex connection such as a leased digital line, a VPN creates virtual links carried over the Internet between an organization's private network and the remote site or user.

Types of VPN

Two types are common today: remote-access VPNs and site-to-site VPNs.

A remote-access VPN, also called a virtual private dial-up network (VPDN), is a user-to-LAN connection, typically needed by an organization with many employees who must reach its private network from a large number of remote locations. For example, a company that wants to set up a large VPN needs an enterprise service provider (ESP). The ESP sets up a network access server (NAS) and supplies remote users with client software for their computers. The users can then call a toll-free number to reach the NAS and use the VPN client software to access the company's private network. This type of VPN allows secure, encrypted connections. (In the illustration, the connections between the Main Office and the home office or the mobile employee are remote-access VPNs.)

A site-to-site VPN uses encryption on behalf of many users to connect several fixed sites to each other over a public network such as the Internet. It can be intranet-based or extranet-based. Intranet-based: if a company has several remote sites that it wants to join into a single private network, it can build an intranet VPN connecting LAN to LAN. Extranet-based: when a company has a close relationship with another company (for example a supplier or a customer), it can build an extranet VPN that connects LAN to LAN so that the different organizations can work in a shared environment.


In the illustration above, the connection between the Main Office and the Remote Office is an intranet VPN, and the connection between the Main Office and the business partner is an extranet VPN.

Security in a VPN

A firewall is a solid barrier between the private network and the Internet. You can configure firewalls to restrict the number of open ports, and the types of packets and protocols that are allowed through. Some VPN products, such as Cisco's 1700 router, can be upgraded to include firewall features by running the appropriate Cisco IOS. It is best to have a good firewall in place before setting up the VPN.

Encryption means that one computer encodes data and sends it to another computer so that only that computer can decode it. There are two kinds: private-key and public-key encryption.

Private-key (symmetric-key) encryption: each computer has a secret key that it uses to encrypt a packet before sending it to another computer on the network. Symmetric keys require you to know which computers you will be communicating with, so that the key can be installed on each of them and the receiving computer can decrypt the data.

Public-key encryption combines a private key with a public key. The private key is known only to your computer, while the public key is handed out by your computer to any computer that wants to communicate with it (securely). To decode a message, the computer must use the public key supplied by the originating computer together with its own private key. A very widely used application of this kind is Pretty Good Privacy (PGP), which lets you encrypt almost anything.

Internet Protocol Security (IPSec) provides advanced security features such as better encryption algorithms and more comprehensive authentication.

IPSec has two encryption modes, Tunnel and Transport. Tunnel mode encrypts the header and the payload of each packet, while Transport mode encrypts only the payload. Only systems that support IPSec can take advantage of this protocol. In addition, all devices must use a common key, and the firewalls on each system must have identical security settings. IPSec can encrypt data between a variety of devices: router to router, firewall to router, PC to router, and PC to server.

AAA servers

AAA stands for Authentication, Authorization and Accounting. These servers are used to make access more secure. When a request to establish a connection arrives from a client, it must pass through the AAA server for checking. Records of what users do are essential for monitoring for security purposes.

Products and technologies for VPNs

Depending on the type of VPN (remote-access or site-to-site), you will need to install certain components to build the virtual private network. They may include:

- Desktop client software for remote users.
- Dedicated hardware such as a VPN concentrator or a PIX security firewall.
- A dedicated VPN server for dial-up services.
- A NAS (network access server) operated by the provider to serve remote users.
- The VPN network itself and a management center.

VPN concentrators


Many vendors make VPN concentrators, but Cisco's products stand out in several respects. Incorporating the most advanced encryption and authentication techniques available today, VPN concentrators are built specifically for this kind of network. They contain SEP (Scalable Encryption Processing) modules that let users easily increase capacity and throughput. The product line has models suited to businesses from small to large (from 100 up to 10,000 simultaneous remote connections).

Cisco's 3000 series VPN concentrator. (Photo: quadrantcommunications)

VPN routers

These devices provide transport and security features. Building on its IOS, Cisco develops routers suited to every situation, from home-to-office access to the needs of large enterprises.

Cisco PIX firewalls

The Private Internet Exchange (PIX) firewall includes powerful network address translation, a proxy server, packet filtering, VPN features and blocking of unauthorized access.

Instead of IOS, this device runs a highly structured operating system that can handle many protocols and performs very well by focusing on IP.

Understanding Virtual Private Networks (VPN), Part 2

Most VPNs rely on a technique called tunneling to create a private network on top of the Internet. In essence, it is the process of placing an entire packet inside another header that carries routing information, so that it can cross the intermediate network through private "pipes" (tunnels).

When the packets reach their destination, the outer header is stripped off and they are forwarded to the end stations that need the data. To establish a tunnel, the client and the server must use the same tunnel protocol.

The protocol of the outer packet is understood both by the network and by the two endpoints. These two endpoints are called tunnel interfaces, the points where packets enter and leave the network.

Tunneling requires three different protocols:

- The carrier protocol is the protocol used by the network the data is traveling over.
- The encapsulating protocol is the protocol (such as GRE, IPSec, L2F, PPTP or L2TP) wrapped around the original packet.
- The passenger protocol is the protocol of the original data being carried (such as IPX, NetBEUI or IP).


A user can place a packet that uses a protocol not supported on the Internet (such as NetBEUI) inside an IP packet and send it safely across the Internet. Or a packet that uses a private (non-routable) IP address can be placed inside another packet that uses a public (routable) IP address, extending a private network across the Internet.

Tunneling in site-to-site VPNs

In this type of VPN, the encapsulating protocol GRE (Generic Routing Encapsulation) provides the framework for packaging the passenger protocol for transport over the carrier protocol. It includes information about the type of packet you are encapsulating and about the connection between the server and the client. Sometimes, however, IPSec in tunnel mode is used as the encapsulating protocol instead of GRE. IPSec works well in both remote-access and site-to-site VPNs; of course, it must be supported at both tunnel interfaces.

In this model, a packet travels from a computer at the main office through the access server to the router (where the GRE encapsulation takes place), then through the tunnel to a computer at the remote office.
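The encapsulation described in this part (carrier, encapsulating and passenger protocol) and in the GRE paragraph above, as an added example that is not code from the original article: a private-address IPv4 packet is wrapped in GRE inside a public-address IPv4 packet, then unwrapped at the far tunnel interface, which rejects a damaged or non-GRE carrier packet. The addresses and payload are constructed; the routing itself is assumed to be done by the hosts and is not shown.

```python
import socket
import struct
from ipaddress import ip_address

GRE_PROTO = 47           # IP protocol number for GRE (the encapsulating protocol)
ETHERTYPE_IPV4 = 0x0800  # GRE "protocol type" for an IPv4 passenger packet


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum. Run over a header whose checksum
    field is already filled in, it returns 0 when the header is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def gre_encapsulate(carrier_src: str, carrier_dst: str, passenger: bytes) -> bytes:
    """Tunnel entry: outer IPv4 (carrier) -> GRE (encapsulating) -> passenger."""
    gre_hdr = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)  # no C/K/S flags, version 0
    return ipv4_packet(carrier_src, carrier_dst, GRE_PROTO, gre_hdr + passenger)


def gre_decapsulate(frame: bytes) -> dict:
    """Tunnel exit: verify the carrier header, strip it and the GRE header."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[0] >> 4 != 4 or ihl < 20 or len(frame) < ihl + 4:
        raise ValueError("not an IPv4 carrier packet")
    if ipv4_checksum(frame[:ihl]) != 0:
        raise ValueError("carrier header checksum mismatch")
    total_len, proto = struct.unpack("!H", frame[2:4])[0], frame[9]
    if proto != GRE_PROTO:
        raise ValueError("carrier protocol %d is not GRE" % proto)
    flags, ptype = struct.unpack("!HH", frame[ihl:ihl + 4])
    if flags & 0xB000:  # C, K or S bit set: optional GRE fields not handled here
        raise ValueError("GRE optional fields present")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("passenger protocol 0x%04x is not IPv4" % ptype)
    inner = frame[ihl + 4:total_len]
    return {
        "carrier_src": socket.inet_ntoa(frame[12:16]),
        "carrier_dst": socket.inet_ntoa(frame[16:20]),
        "passenger_src": socket.inet_ntoa(inner[12:16]),
        "passenger_dst": socket.inet_ntoa(inner[16:20]),
        "passenger": inner,
    }


def demo() -> dict:
    # Constructed sample: a packet between two private (non-routable) LAN hosts,
    # carried between two tunnel endpoints with RFC 5737 documentation addresses
    # standing in for public Internet addresses. Protocol 253 is reserved for
    # experimentation, so the payload bytes are arbitrary.
    passenger = ipv4_packet("172.16.0.4", "172.16.1.10", 253, b"constructed payload")
    tunnel = gre_encapsulate("203.0.113.1", "198.51.100.2", passenger)
    result = gre_decapsulate(tunnel)
    result["inner_is_private"] = ip_address(result["passenger_src"]).is_private
    return result


if __name__ == "__main__":
    r = demo()
    print("%s -> %s carries %s -> %s (%d bytes)" % (
        r["carrier_src"], r["carrier_dst"], r["passenger_src"],
        r["passenger_dst"], len(r["passenger"])))
```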

Tunneling in remote-access VPNs

In this type of VPN, tunneling usually relies on the Point-to-Point Protocol (PPP). As part of the TCP/IP suite, PPP acts as the carrier for other IP protocols when communicating over the network between the server and the remote-access machine. In short, tunneling for remote-access VPNs depends on PPP.

The protocols below are built on the basic structure of PPP and are used in remote-access VPNs.

L2F (Layer 2 Forwarding) was developed by Cisco. L2F uses any authentication mechanism supported by PPP.

PPTP (Point-to-Point Tunneling Protocol) was developed by the PPTP Forum consortium. It supports 40-bit and 128-bit encryption and uses any authentication mechanism supported by PPP.

L2TP (Layer 2 Tunneling Protocol) is the product of cooperation between the PPTP Forum members, Cisco and the IETF. Combining the features of both PPTP and L2F, L2TP also fully supports IPSec. L2TP can be used as the tunneling protocol for both site-to-site and remote-access VPNs. In practice, L2TP can create a tunnel between client and router, NAS and router, or router and router. Compared with PPTP, L2TP has more robust and more secure characteristics.


Understanding Virtual Private Networks (VPN), Part 3

This part shows how to set up a remote-access VPN using the Point-to-Point Tunneling Protocol (PPTP). The test lab uses Windows XP for the remote-access client and Windows Server 2003 for the servers.

Simplified remote-access VPN test lab with 5 computers. (Photo: Microsoft)

The VPN here is simplified to the 5 computers needed to play the different roles in a virtual private network.

- A computer running Windows Server 2003, Enterprise Edition, named DC1, acting as a domain controller, a DNS (Domain Name System) server, a DHCP (Dynamic Host Configuration Protocol) server and a certification authority (CA).

- A computer running Windows Server 2003, Standard Edition, named VPN1, acting as the VPN server. VPN1 has two network adapters installed.

- A computer running Windows Server 2003, Standard Edition, named IAS1, acting as a RADIUS (Remote Authentication Dial-in User Service) server for remote-access users.

- A computer running Windows Server 2003, Standard Edition, named IIS1, acting as a web and file server.

- A computer running Windows XP Professional, named CLIENT1, acting as the remote-access client.

There are two network segments: an Intranet segment for the company LAN and an Internet segment. All Intranet computers are connected to a hub or Layer 2 switch; all computers on the Internet segment are likewise connected to a hub or Layer 2 switch. We use 172.16.0.0/24 for the Intranet and 10.0.0.0/24 for the Internet. IIS1 has no static IP configuration and uses DHCP. CLIENT1 also uses DHCP for its IP configuration but is given an alternate IP configuration as well, so that it can be placed on either the Intranet or the Internet segment.

Below is the setup for each computer.

Installment 1: Setting up DC1

To configure DC1 for the services it hosts, follow these steps:


1. Install Windows Server 2003, Enterprise Edition, as a stand-alone server.
2. Configure TCP/IP with the IP address 172.16.0.1 and the subnet mask 255.255.255.0.
3. Run the Active Directory Installation Wizard (dcpromo.exe) for a new domain named example.com. Install the DNS service when prompted.
4. Using Active Directory Users and Computers, right-click the example.com domain and click Raise Domain Functional Level.
5. Click Windows Server 2003 and choose Raise.
6. Install DHCP as a component of Networking Services via Control Panel => Add or Remove Programs.
7. Open the DHCP console from the Administrative Tools folder.
8. Click Action => Authorize to authorize the DHCP service.
9. In the console tree, right-click dc1.example.com and click New Scope.
10. On the Welcome page of the New Scope Wizard, click Next.
11. On the Scope Name page, enter a name such as Mang Cong ty.
12. Click Next. On the IP address page, enter 172.16.0.10 in Start IP address, 172.16.0.100 in End IP address and 24 in Length.

Entering the IP address range.

13. Click Next. On the Add Exclusions page, click Next.
14. On the Lease Duration page, click Next.
15. On the Configure DHCP Options page, click Yes, I want to configure DHCP options now.
16. Click Next. On the Router (Default Gateway) page, click Next.
17. On the Domain Name and DNS Servers page, type example.com in Parent domain. Type 172.16.0.1 in IP address and click Add.

18. Click Next. On the WINS Servers page, click Next.
19. On the Activate Scope page, click Yes, I want to activate the scope now.
20. Click Next. On the Completing the New Scope Wizard page, click Finish.
21. Install Certificate Services as a root CA named Example CA via Control Panel => Add or Remove Programs.
22. Open Active Directory Users and Computers.
23. In the console tree, select example.com.
24. Right-click Users and choose Computer.
25. In the New Object - Computer dialog, type IAS1 in Computer name.
26. Click Next. In the Managed dialog, click Next. In the New Object - Computer dialog, click Finish.
27. Repeat steps 24 to 26 to create further computer accounts named IIS1, VPN1 and CLIENT1.


28. In the console tree, right-click Users and choose User.
29. In the New Object - User dialog, type VPNUser in First name and VPNUser in User logon name.
30. Click Next.
31. In the New Object - User dialog, type a password of your choice in Password and Confirm password. Clear User must change password at next logon and select Password never expires.
32. In the New Object - User dialog, click Finish.
33. In the console tree, right-click Users and choose Group.
34. In the New Object - Group dialog, type VPNUsers in Group name and click OK.
35. Double-click VPNUsers.
36. Click the Members tab and click Add.
37. In the Select Users, Contacts, Computers, or Groups dialog, type vpnuser in Enter the object names to select.
38. Click OK. In the Multiple Names Found dialog, click OK. The VPNUser account is added to the VPNUsers group.
39. Click OK to save the changes to the VPNUsers group.

Understanding Virtual Private Networks (VPN), Part 4

This part continues the setup of a remote-access VPN using the Point-to-Point Tunneling Protocol (PPTP). The test lab uses Windows XP for the remote-access client and Windows Server 2003 for the servers.

Installment 2: Setting up IAS1, IIS1, VPN1 and CLIENT1

    IAS1

IAS1 is a computer running Windows Server 2003, Standard Edition, that provides RADIUS authentication, authorization and accounting. To configure IAS1 as a RADIUS server, follow these steps:

1. Install Windows Server 2003, Standard Edition as a member server named IAS1 in the example.com domain.
2. For the local Intranet connection, configure TCP/IP with the IP address 172.16.0.2, the subnet mask 255.255.255.0 and the DNS server IP address 172.16.0.1.
3. Install Internet Authentication Service under Networking Services in Control Panel - Add or Remove Programs.
4. Open the Internet Authentication Service console from the Administrative Tools folder.
5. Right-click Internet Authentication Service and choose Register Server in Active Directory. When the Register Internet Authentication Service in Active Directory dialog appears, click OK.
6. In the console tree, right-click Clients and choose New RADIUS Client.
7. On the Name and Address page of New RADIUS Client, type VPN1 in Friendly name and type VPN1 again in Confirm shared secret.
8. Click Next. On the Additional Information page of New RADIUS Client, in Shared secret, type a shared secret for VPN1 and type it again in Confirm shared secret.
9. Click Finish.
10. In the console tree, right-click Remote Access Policies and choose New Remote Access Policy.
11. On the Welcome to the New Remote Access Policy Wizard page, click Next.
12. On the Policy Configuration Method page, type VPN remote access to intranet in Policy name.


13. Click Next. On the Access Method page, select VPN.
14. Click Next. On the User or Group Access page, select Group.
15. Click Add. In the Select Groups dialog, type VPNUsers in Enter the object names to select.
16. Click OK. The VPNUsers group in the example.com domain is added to the list on the Users or Groups page.
17. Click Next. On the Authentication Methods page, the MS-CHAP v2 authentication protocol is selected by default.
18. Click Next. On the Policy Encryption Level page, clear the Basic encryption and Strong encryption check boxes.
19. Click Next. On the Completing the New Remote Access Policy page, click Finish.

    IIS1

IIS1 runs Windows Server 2003, Standard Edition, and Internet Information Services (IIS). To configure IIS1 as a file and web server, follow these steps:

1. Install Windows Server 2003, Standard Edition as a member server named IIS1 in the example.com domain.
2. Install IIS as a subcomponent of Application Server in the Windows Components Wizard under Control Panel - Add or Remove Programs.
3. On IIS1, use Windows Explorer to create a new share for the root folder of drive C:, named ROOT, with the default permissions.
4. To verify that the web server works correctly, run Internet Explorer on IAS1. If the Internet Connection Wizard prompts you, configure the Internet connection as a LAN connection. In Internet Explorer, in Address, type http://IIS1.example.com/winxp.gif. You should see the Windows XP logo.
5. To verify that file sharing works correctly, on IAS1 click Start > Run, type \\IIS1\ROOT and click OK. If it works, you will see the contents of the root folder of C: on IIS1.

    VPN1

VPN1 is a computer running Windows Server 2003, Standard Edition, that provides VPN server services to VPN clients. To configure VPN1 as a VPN server, follow these steps:

1. Install Windows Server 2003, Standard Edition as a member server named VPN1 in the example.com domain.


2. Open the Network Connections folder.
3. Rename the local connection to the Intranet "Mang Cong ty" and the local connection to the Internet "Internet".
4. Configure TCP/IP for the Mang Cong ty connection with the IP address 172.16.0.4, the subnet mask 255.255.255.0 and the DNS server IP address 172.16.0.1.
5. Configure TCP/IP for the Internet connection with the IP address 10.0.0.2 and the subnet mask 255.255.255.0.
6. Run Routing and Remote Access from the Administrative Tools folder.
7. In the console tree, right-click VPN1 and choose Configure and Enable Routing and Remote Access.
8. On the Welcome to the Routing and Remote Access Server Setup Wizard page, click Next.
9. On the Configuration page, Remote access (dial-up or VPN) is selected by default.
10. Click Next. On the Remote Access page, select VPN.
11. Click Next. On the VPN Connection page, click the Internet interface in Network interfaces.
12. Click Next. On the IP Address Assignment page, Automatically is selected by default.
13. Click Next. On the Managing Multiple Remote Access Servers page, click Yes, set up this server to work with a RADIUS server.
14. Click Next. On the RADIUS Server Selection page, type 172.16.0.2 in Primary RADIUS server and the shared secret in Shared secret.
15. Click Next. On the Completing the Routing and Remote Access Server Setup Wizard page, click Finish.
16. You will receive a message prompting you to configure the DHCP Relay Agent.
17. Click OK.
18. In the console tree, open VPN1 (local), then IP Routing, then DHCP Relay Agent. Right-click DHCP Relay Agent and choose Properties.
19. In the DHCP Relay Agent Properties dialog, type 172.16.0.1 in Server address.
20. Click Add, then OK.
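As an added example (not from the article or from Microsoft), the RADIUS exchange that IAS1 step 8 and VPN1 step 14 set up: the shared secret never crosses the wire, but IAS1 uses it to compute the Response Authenticator of every reply (RFC 2865), and VPN1 must check that value before trusting an Access-Accept. The user name, NAS address and secrets below are constructed.

```python
import hashlib
import hmac
import os
import socket
import struct
from typing import Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_NAS_IP, ATTR_SERVICE_TYPE, ATTR_NAS_PORT_TYPE = 1, 4, 6, 61
SERVICE_FRAMED, PORT_TYPE_VIRTUAL = 2, 5   # Framed-User; Virtual (VPN) NAS port


def attr(atype: int, value: bytes) -> bytes:
    """RADIUS attribute: Type, Length (counting this 2-byte header), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_access_request(ident: int, username: str, nas_ip: str,
                         req_auth: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """What VPN1 (the RADIUS client / NAS) sends to IAS1 for a VPN logon.
    Returns the packet and the Request Authenticator the client must remember."""
    if req_auth is None:
        req_auth = os.urandom(16)          # fresh, unpredictable per request
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_NAS_IP, socket.inet_aton(nas_ip))
             + attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_FRAMED))
             + attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", PORT_TYPE_VIRTUAL)))
    head = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return head + req_auth + attrs, req_auth


def build_response(code: int, ident: int, req_auth: bytes, attrs: bytes,
                   secret: bytes) -> bytes:
    """What IAS1 sends back. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s.3."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + req_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(packet: bytes, ident: int, req_auth: bytes, secret: bytes) -> bool:
    """Client-side check: the reply must carry the identifier and Request
    Authenticator of an outstanding request and be bound to the same secret."""
    if len(packet) < 20:
        return False
    code, pkt_id, length = struct.unpack("!BBH", packet[:4])
    if pkt_id != ident or length != len(packet):
        return False
    if code not in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
        return False
    head, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + req_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def demo(secret_on_vpn1: bytes, secret_on_ias1: bytes) -> dict:
    """One exchange with the secret each side was configured with (constructed data)."""
    request, req_auth = build_access_request(7, "example\\VPNUser", "172.16.0.4")
    reply = build_response(ACCESS_ACCEPT, request[1], req_auth, b"", secret_on_ias1)
    return {"request_len": len(request),
            "accepted_by_client": verify_response(reply, 7, req_auth, secret_on_vpn1)}


if __name__ == "__main__":
    s = b"constructed-shared-secret"
    print("matching secrets:", demo(s, s)["accepted_by_client"])
    print("mistyped secret: ", demo(s, b"constructed-typo")["accepted_by_client"])
```

A reply that fails this check must be dropped; with a mistyped secret on either side the client rejects every Access-Accept, which is the symptom to look for first when the VPN logon fails.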

    CLIENT1

CLIENT1 is a computer running Windows XP Professional that acts as a VPN client and reaches Intranet resources remotely across the Internet. To configure CLIENT1 as the client, follow these steps:

1. Connect CLIENT1 to the Intranet segment.
2. On CLIENT1, install Windows XP Professional as a member computer named CLIENT1 in the example.com domain.
3. Add the VPNUser account in the example.com domain to the Administrators group.
4. Log off and log on again using the VPNUser account in the example.com domain.
5. From Control Panel - Network Connections, open the properties of the Local Area Network connection, then the properties of TCP/IP.
6. Click the Alternate Configuration tab and select User configured.
7. In IP address, type 10.0.0.1. In Subnet mask, type 255.255.255.0.
8. Click OK to save the changes to TCP/IP. Click OK to save the changes to the Local Area Network connection.
9. Shut down CLIENT1.
10. Disconnect CLIENT1 from the Intranet and connect it to the Internet segment.
11. Restart CLIENT1 and log on with the VPNUser account.
12. On CLIENT1, open the Network Connections folder from Control Panel.
13. In Network Tasks, choose Create a new connection.
14. On the Welcome to the New Connection Wizard page of the New Connection Wizard, click Next.
15. On the Network Connection Type page, click Connect to the network at my workplace.
16. Click Next. On the Network Connection page, click Virtual Private Network connection.
17. Click Next. On the Connection Name page, type PPTPtoCorpnet in Company Name.
18. Click Next. On the VPN Server Selection page, type 10.0.0.2 in Host name or IP address.
19. Click Next. On the Connection Availability page, click Next.


20. On the Completing the New Connection Wizard page, click Finish. The Connect PPTPtoMangCongty dialog appears.
21. Click Properties and then the Networking tab.
22. On the Networking tab, in Type of VPN, click PPTP VPN.
23. Click OK to save the changes to the PPTPtoMangcongty connection. The PPTPtoMangcongty dialog appears.
24. In User name, type example/VPNUser. In Password, type your password for the VPNUser account.
25. Click Connect.
26. When the connection is complete, run Internet Explorer.
27. If the Internet Connection Wizard prompts you, configure it for a LAN connection. In Address, type http://IIS1.example.com/winxp.gif. You should see the Windows XP image.
28. Click Start > Run, type \\IIS1\ROOT and click OK. You should see the contents of C: on IIS1.
29. Right-click the PPTPtoMangcongty connection and click Disconnect.

Understanding Virtual Private Networks (VPN), Part 5

This part covers a remote-access VPN connection using L2TP/IPsec. This mechanism requires certificates on both the VPN client and the VPN server, and it is used when users need a public key infrastructure at a higher level of security than PPTP.

Remote-access VPN test lab. Photo: Microsoft

In this test lab you need:

- A computer running Windows Server 2003, Enterprise Edition, named DC1, acting as a domain controller, a DNS (Domain Name System) server, a DHCP (Dynamic Host Configuration Protocol) server and a certification authority (CA).

- A computer running Windows Server 2003, Standard Edition, named VPN1, acting as the VPN server. VPN1 has two network adapters installed.

- A computer running Windows XP Professional, named CLIENT1, acting as the remote-access client.

- A computer running Windows Server 2003, Standard Edition, named IAS1, acting as a RADIUS (Remote Authentication Dial-in User Service) server for remote-access users.

- A computer running Windows Server 2003, Standard Edition, named IIS1, acting as a web and file server.


For the basic notes on the test lab, see Understanding Virtual Private Networks (VPN), Part 3. Note that the Internet segment is only simulated there. When connecting to the real Internet, you must use real IP addresses and a real domain in place of example.com. IAS1 and IIS1 are set up exactly as in Part 3. In fact, you can also run a reduced lab with just the three machines DC1, VPN1 and CLIENT1.

    DC1

Below is how to configure DC1 to autoenroll computer certificates:

1. Open Active Directory Users and Computers.
2. In the console tree, double-click Active Directory Users and Computers, right-click example.com and choose Properties.
3. Open the Group Policy tab, click Default Domain Policy and choose Edit.
4. In the console tree, open Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Automatic Certificate Request Settings.
5. Right-click Automatic Certificate Request Settings, point to New and click Automatic Certificate Request.
6. On the Welcome to the Automatic Certificate Request Setup Wizard page, click Next.
7. On the Certificate Template page, click Computer.
8. Click Next. On the Completing the Automatic Certificate Request Setup Wizard page, click Finish. The certificate type now appears in the details pane of the Group Policy Object Editor.
9. Type gpupdate at a command prompt to update Group Policy on DC1.

Update Group Policy on VPN1: type gpupdate at a command prompt.

After the new certificates have been enrolled, you must stop and restart the IPsec Policy Agent and Remote Access services:

1. Click Start > Administrative Tools > Services.
2. In the details pane, point to IPSEC Services > Action, then click Restart.
3. In the details pane, point to Routing and Remote Access > Action and click Restart.

To enroll the certificates on this computer and configure a remote-access VPN connection using L2TP/IPsec, follow these steps:

1. Shut down CLIENT1.
2. Disconnect CLIENT1 from the simulated Internet segment and connect it to the Intranet segment.
3. Restart CLIENT1 and log on with the VPNUser account. Computer and user Group Policy are updated.
4. Shut down CLIENT1.
5. Disconnect CLIENT1 from the Intranet segment and connect it to the simulated Internet segment.
6. Restart CLIENT1 and log on with the VPNUser account.
7. On CLIENT1, in Control Panel, open the Network Connections folder.
8. In Network Tasks, click Create a new connection.
9. On the Welcome to the New Connection Wizard page, click Next.
10. On the Network Connection Type page, click Connect to the network at my workplace.
11. Click Next. On the Network Connection page, click Private Network connection.
12. Click Next. On the Connection Name page, type L2TPtoMangcongty.
13. Click Next. On the Public Network page, click Do not dial the initial connection.
14. Click Next. On the VPN Server Selection page, type 10.0.0.2 in Host name or IP address.
15. Click Next. On the Connection Availability page, click Next.
16. On the Completing the New Connection Wizard page, click Finish. The L2TPtoMangcongty dialog appears.
17. Click Properties and then the Networking tab.
18. On the Networking tab, in Type of VPN, click L2TP/IPSec VPN.


19. Click OK to save the changes to the L2TPtoMangcongty connection. The Connect L2TPtoMangcongty dialog appears.
20. In User name, type example\VPNUser. In Password, type the password for the VPNUser account.
21. Click Connect.
22. When the connection is established, run a web browser.
23. In Address, type http://IIS1.example.com/iisstart.htm. You will see a message that the site is under construction. In practice you need a real domain name in place of example.com.
24. Click Start > Run, type \\IIS1\ROOT and click OK. You will see the contents of the local drive (C:) on IIS1.
25. Right-click the L2TPtoMangcongty connection and choose Disconnect.

Notes:

If you want to set up a secret "virtual tunnel" across the Internet in remote-access mode, you can use IPSec directly only when the client has a real (public) IP address.

Because L2TP with IPSec encryption requires a public key infrastructure, it is harder to deploy and more expensive than PPTP. L2TP/IPSec is L2TP running over IPSec, whereas IPSec Tunnel Mode is a different protocol.

Because of their authentication mechanism, L2TP/IPSec and IPSec Tunnel Mode can only pass through a NAT (network address translation) device by going through additional "virtual tunnels". If a NAT sits between the point of presence (POP) and the Internet, you will run into trouble. With PPTP, on the other hand, the encrypted IP packet is placed inside an unencrypted IP packet, so it can pass through a NAT.

PPTP and L2TP both work with password-based authentication systems, and both support stronger authentication with smart cards, biometrics and similar devices.

Recommendations:

PPTP is the best choice when customers want security that is neither expensive nor complicated. It is also effective when traffic must pass through NAT. Customers who want both NAT and stronger security can configure IPSec rules on Windows 2000.

L2TP is the best choice when customers consider security the top priority and are committed to deploying a public key infrastructure (PKI). If a NAT device is needed in the VPN path, this solution may not work well.

IPSec Tunnel Mode is more effective for site-to-site VPNs. Although it is currently also applied to remote-access VPNs, its implementations do not interoperate with one another. IPSec Tunnel Mode will be covered in more detail in the upcoming part on site-to-site VPNs.

Understanding Virtual Private Networks (VPN), Part 6

As mentioned in the previous part, VPN security can be strengthened with smart card and biometric technology. Microsoft integrates another protocol, EAP-TLS, into Windows for this purpose in remote-access VPNs.

EAP-TLS stands for Extensible Authentication Protocol - Transport Layer Security. A connection based on this protocol requires a user certificate on the VPN client and a certificate on the IAS server of the VPN. This is the most secure mechanism at the user level.


Although smart card and biometric technology are still new concepts in Vietnam, we present the setup so that readers can picture what Windows supports.

Remote-access VPN test lab. Photo: Microsoft

The test lab is still the 5 computers with their different roles (see Parts 3, 4 and 5 for details).

When you begin the setup, power on all the machines (the 5 computers are connected to each other as shown in the figure).

DC1

You will configure DC1 to autoenroll user certificates.

1. Click Start > Run, type mmc at the prompt and click OK.
2. On the File menu, click Add/Remove Snap-in > Add.
3. Under Snap-in, double-click Certificate Templates > Close > OK.
4. In the console tree, click Certificate Templates. All certificate templates are shown in the details pane.
5. In the details pane, click the User template.
6. On the Action menu, click Duplicate Template.
7. In Template display name, type VPNUser.
8. Select the Publish certificate in Active Directory check box.
9. Click the Security tab.
10. In Group or user names, click Domain Users.
11. In Permissions for Domain Users, select the Read, Enroll and Autoenroll check boxes to allow these permissions.
12. Click the Subject Name tab.
13. Clear the Include e-mail name in subject name and E-mail name check boxes. Because you did not configure an e-mail name for the VPNUser account, you must clear these in order to issue the user certificate.
14. Click OK.
15. Open the Certification Authority console from the Administrative Tools folder.
16. In the console tree, open Certification Authority > Example CA > Certificate Templates.
17. On the Action menu, point to New and click Certificate Template to Issue.
18. Click VPNUser.
19. Click OK.
20. Open Active Directory Users and Computers.
21. In the console tree, double-click Active Directory Users and Computers, right-click example.com and choose Properties.
22. On the Group Policy tab, choose Default Domain Policy > Edit.
23. In the console tree, open User Configuration > Windows Settings > Security Settings > Public Key Policies.


24. In the details pane, double-click Autoenrollment Settings.
25. Click Enroll certificates automatically. Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box and the Update certificates that use certificate templates check box.
26. Click OK.

A smart card product using the GlobalAdmin "processing station" from Realtime, intended for remote-access VPNs. Photo: Realtime

IAS1

You will configure IAS1 with a computer certificate for EAP-TLS authentication.

1. Restart IAS1 to make sure it autoenrolls a computer certificate.
2. Open the Internet Authentication Service console.
3. In the console tree, click Remote Access Policies.
4. In the details pane, double-click VPN remote access to intranet. The VPN remote access to intranet Properties dialog appears.
5. Click Edit Profile and choose the Authentication tab.
6. On the Authentication tab, click EAP Methods. The Select EAP Providers dialog appears.
7. Click Add. The Add EAP dialog appears.
8. Click Smart Card or other certificate > OK.
9. Click Edit. The Smart Card or other Certificate Properties dialog appears.
10. The properties of the computer certificate for IAS1 are displayed. This step verifies that IAS1 has a computer certificate installed with which to perform EAP-TLS authentication. Click OK.
11. Click OK to save the changes to the EAP providers. Click OK to save the changes to the profile settings.
12. When asked whether to view help topics, click No. Click OK to save the changes to the remote access policy.


These configuration changes allow the VPN remote access to intranet policy to authenticate VPN connections using the EAP-TLS authentication method.

CLIENT1

You also enroll a certificate on this machine and then configure the remote-access VPN connection based on EAP-TLS.

1. Shut down CLIENT1.
2. Disconnect it from the simulated Internet segment and connect it to the Intranet segment.
3. Restart CLIENT1 and log on with the VPNUser account. Computer and user Group Policy are now updated automatically.
4. Shut down CLIENT1.
5. Disconnect CLIENT1 from the Intranet segment and connect it to the simulated Internet segment.
6. Restart CLIENT1 and log on with the VPNUser account.
7. On CLIENT1, in Control Panel, open the Network Connections folder.
8. In Network Tasks, choose Create a new connection.
9. On the Welcome to the New Connection Wizard page of the New Connection Wizard, click Next.
10. On the Network Connection Type page, choose Connect to the network at my workplace.
11. Click Next. On the Network Connection page, choose Virtual Private Network connection.
12. Click Next. On the Connection Name page, type EAPTLStoMangcongty in Company Name.
13. Click Next. On the Public Network page, click Do not dial the initial connection.
14. Click Next. On the VPN Server Selection page, type 10.0.0.2 in Host name or IP address.
15. Click Next. On the Connection Availability page, click Next.
16. On the Completing the New Connection Wizard page, click Finish. The Connect EAPTLStoMangcongty dialog appears.
17. Click Properties and then the Security tab.
18. On the Security tab, click Advanced > Settings. The Advanced Security Settings dialog appears.
19. In the Advanced Security Settings dialog, click Use Extensible Authentication Protocol (EAP).
20. Click Properties. In the Smart Card or other Certificate Properties dialog, click Use a certificate on this computer.
21. Click OK to save the changes in that dialog. Click OK to save the changes in Advanced Security Settings. Click OK to save the changes on the Security tab. The connection is initiated immediately and uses the user certificate that was just enrolled. The first time you try to connect, it may take several attempts before it succeeds.
22. Once connected, run a web browser.
23. In Address, type http://IIS1.example.com/iisstart.htm. You will see a message that the site is under construction. In practice this must be a real domain name.
24. Click Start > Run, type file://IIS1/ROOT and click OK. You will see the contents of the local drive (C:) on IIS1.
25. Right-click the EAPTLStoMangcongty connection and click Disconnect.

The remaining machines are set up as in Part 4.

Points to note when using a third-party Certificate Authority (CA) for EAP-TLS authentication:

The certificate on the authenticating server must:

- Be installed in the local computer's certificate store.
- Have a corresponding private key.
- Be supported by an installed cryptographic service provider. Otherwise the certificate cannot be used and cannot be selected in Smart Card or Other Certificate on the Authentication tab.
- Carry the Server Authentication certificate purpose, also called an EKU (Enhanced Key Usage).
- Contain the fully qualified domain name (FQDN) of the computer account in the certificate's Subject Alternative Name.

Furthermore, the root CA certificates of the issuing CAs must be installed in the Trusted Root Certification Authorities store of the authenticating servers.

The certificate on VPN clients must:

- Have a corresponding private key.
- Contain the Client Authentication EKU.
- Be installed in the Current User certificate store.
- Contain the UPN (user principal name) of the user account in the certificate's Subject Alternative Name.

In addition, the root CA certificates of the CAs (which issued the computer certificates on the IAS server) must be installed in the Trusted Root Certification Authorities store of the VPN client.