A virtuális magánhálózat (VPN) a magánhálózat kiterjesztése, amely megosztott vagy nyilvános hálózatokon (például interneten) keresztüli kapcsolatokat tartalmaz. Virtuális magánhálózattal úgy küldhet adatokat két számítógép között megosztott vagy nyilvános hálózaton keresztül, mintha a két gép közvetlen kapcsolatban lenne egymással. A virtuális magánhálózat kiépítése tulajdonképpen a virtuális magánhálózat létrehozását és beállítását jelenti.
A közvetlen kapcsolat emulálása érdekében az adatokhoz hozzáfűződik egy fejléc (ezt a műveletet nevezik beágyazásnak), amely az adatnak a végpont megosztott vagy nyilvános hálózaton keresztül történő eléréséhez szükséges útvonalára vonatkozó információkat tartalmazza. Magánkapcsolat emulálásánál biztonsági szempontok miatt az adatok titkosítva vannak. A megosztott vagy nyilvános hálózaton elfogott csomagok a titkosító kulcsok nélkül megfejthetetlenek. Az a kapcsolat, amelyben a személyes adatok be vannak ágyazva és titkosítva vannak, virtuális magánhálózati (VPN) kapcsolat.
Az alábbi kép a VPN-kapcsolat logikai felépítését ábrázolja.
Select the L2TP tab and use the image above as an example. Note that the IP addresses used in the image are for example only.
When a remote user connects to the internet, they receive an IP address from their service provider. When the VPN tunnel is negotiated with the VPN server, the server assigns the client an IP address from the corporate network. When the client accepts that address as part of the VPN negotiation, it adds it to the network interface in addition to the IP address from the internet service provider (ISP). This means that the VPN client actually has 2 addresses bound to it. One from the ISP, and one from the corporate network.
The VPN server needs to dynamically assign clients IP addresses from a pool of possible addresses. That is what we are specifying in this screen. You must specify both the starting and ending addresses of the IP pool that the VPN server is allowed to hand out to
connect clients. Note that when a client disconnects from the VPN, his IP address is freed up and put back in the pool to be used by future clients. It is also essential to be sure that the addresses that are used in this pool are not used by any other computers on the corporate network. If they are, conflicts will occur and neither user will be able to access the network.
Set PPP Authentication to MS-CHAPv2 and specify a Shared Secret. This Shared Secret should be the strongest possible password you can come up with. Make sure it is not a dictionary word. And, the more digits in the Shared Secret, the better. The 3 weakest parts of the VPN are the username and password the user uses to connect, and the Shared Secret. If you use weak passwords or secrets, a tunnel could be established by anyone who might be able to guess that information.
Next, select the PPTP tab. Just as before, you must specify a pool of addresses that can be used by VPN users who connect using PPTP.
Under Mac OS X Server, Mac clients generally connect to the VPN server using L2TP. Windows XP users connect using PPTP. L2TP is considered more cryptographically sound, but since Microsoft did not conform to IPSec based standards when they wrote XP’s VPN
client, Windows users are forced to use PPTP.
Finally, select the Client Information tab.
Here we specify the DNS servers the client should use once they have connected to the VPN. Since many corporations use internal DNS servers, the servers specified here will be used on any traffic that is traveling through the VPN.
Under Network Routing Definition we set the rules for the VPN routing. In my example, the corporate network is a Class C or addresses ranging from 18.104.22.168 â€“ 22.214.171.124. In this example, the Network Address is entered as 126.96.36.199, but it might more appropriately be entered as 188.8.131.52 since the Network Mask of 255.255.255.0 details the assignment of the entire Class C. The final key value here is the Network Type. It is set to Private. This means that any traffic to or from the client that is destined for the 66.62.25.x network is considered internal and should remain on the secure VPN. Any addresses not listed as private here are not secure and the VPN client will route that traffic over the normal internet connection rather than sending it down the VPN
tunnel to the corporate network. This is why the VPN client maintains a connection to the ISP assigned IP address in addition to the address that is assigned to it by the VPN server.
Lastly, a user account must be created on the server. This is done through the Workgroup Manager, and application located in the same directory as the Server Admin. When you create the account, be sure to set a strong password for the account. The username and password created here will be the credentials that the remote user will use when they log into the VPN.
Mac OS X VPN Client Configuration:
The Mac VPN client is much easier to configure than the Window XP based equivalent.
Select New VPN Connection from the file menu, then choose L2TP over IPSec and continue.
A new profile will open. Don’t fill in the information in this screen. If you do, you will miss one vital piece of information. There is no place to specify the Shared Secret for the connection. Without it, the tunnel will never establish. Select Edit Configurations from the Configuration menu.
Fill in the fields with the appropriate information. The description can be anything you want it to be. The Server Address is the IP address of the Mac VPN server. The Account Name and Password is the login that you created for the user in the Workgroup
Manager. Be sure to enter the same Shared Secret that you used when setup L2TP on the VPN server.
VPN On Demand is a new feature in 10.4. When you enable this feature, you are required to list domains that will trigger activation of the VPN tunnel when you try to access them.
When you click OK, your client is all set.
It is worth looking at some of the advanced options available under the Connect menu and then Options. There is an option to send all traffic over the VPN. This can be a powerful option. Normally you would not want to do this as it will increase traffic on the corporate end of the network. But, if you are a user on the road and using a hotspot or public wireless network, it might be a good idea to enable this option. In doing that, all of the traffic becomes protected from other users who might be sniffing traffic on the wireless network.
Windows XP VPN Client Configuration:
Windows XP also has a built-in VPN client, but it has some disadvantages. First and foremost, it does not fully comply with standards based VPN servers. Once again, Microsoft has decided that it knows better and went in it’s own direction. On the upside, if you enabled PPTP on your Mac VPN server, XP users can still access the network.
First of all, right click on My Network Places a choose Properties. You will see a list of your network adapters. Click Create a New Connection on the left.
Select Connect to the Network At My Workplace. Its an odd name for it, but this allows you to create a VPN.
Select Virtual Private Network Connection and click Next.
Give your VPN connection a logical name. Anything that works for you is fine here.
Here you specify the IP address of the Mac VPN server.
Click finish here. You’re not really done yet. We need to make some changes to the VPN adapters configuration before you can connect to the Mac server.
Now go back to the Network Connections window. A new adapter should have been added to the screen. It will have the name that you gave the VPN connection when you ran the wizard.
Right click on the VPN adapter and select Properties.
Under the General tab, you should see the IP address of the Mac VPN server.
Under Security, select Advanced and then click Settings.
Select the Allow These Protocols radio button and then uncheck all of the boxes except for Microsoft CHAP Version 2.
Now select the Networking tab and set the Type of VPN menu to PPTP VPN. Click OK and you are done configuring the client. In order to connect the VPN, double click on the VPN adapter in My Network Places. You will be prompted for your login information.
Once you click connect, your computer should negotiate the connection with the Mac sever.
Most corporate VPN servers are behind a firewall. In order for people outside of the firewall to gain access to the VPN server, certain Access Controls need to be added to the firewall. In my example, the Mac VPN server is behind a Cisco 2600 series router with its firewall enabled. This ACL shows the ports that were opened to allow both L2TP and PPTP access to the Mac server:
remark SOFTWARE VPN ACCESS RULES:
permit udp any 184.108.40.206 0.0.0.255 eq isakmp
permit udp any 220.127.116.11 0.0.0.255 eq non500-isakmp
permit esp any 18.104.22.168 0.0.0.255
permit gre any host 22.214.171.124
permit tcp any host 126.96.36.199 eq 1723