VPN virtual private network

1. Concept

A Virtual Private Network (VPN) is the technology of establishing a private network on top of a public network. It is called a virtual network because the connection between any two nodes of the VPN does not use the end-to-end physical link that a traditional private network requires; instead, a logical network is built on the platform provided by a public network service provider (such as the Internet, ATM, or Frame Relay), and user data is transmitted over these logical links.



2. Uses

1) Intranet VPN (Intranet-VPN): connecting the headquarters of a government body, enterprise or institution with its branch offices.

2) Extranet VPN (Extranet-VPN): network interconnection between business partners.

3) Internal communication within a company that spans regions. For example, if a company's headquarters is in Beijing and it has a branch in Shanghai, and the intranets of the Beijing and Shanghai offices need to exchange messages, VPN technology is required.

 

3. Working principle

Usually, a VPN gateway has two network cards; the external card uses a public IP address to access the Internet.

Terminal A in network 1 (assumed to be the public Internet) accesses terminal B in network 2 (assumed to be the company's intranet); the destination address of the access packet it sends is the internal IP address of terminal B.

When the VPN gateway of network 1 receives the access packet sent by terminal A, it checks the packet's destination address. If the destination address belongs to network 2, the gateway encapsulates the packet; the encapsulation method depends on the VPN technology in use. The gateway then constructs a new VPN packet and uses the encapsulated original packet as the payload of that VPN packet. The destination address of the VPN packet is the external address of the VPN gateway of network 2.

The VPN gateway of network 1 sends the VPN packet onto the Internet. Because the destination address of the VPN packet is the external address of the VPN gateway of network 2, Internet routing delivers the packet correctly to the VPN gateway of network 2.

The VPN gateway of network 2 inspects the received packet. If it finds that the packet was sent by the VPN gateway of network 1, it determines that the packet is a VPN packet and decapsulates it. Decapsulation consists of first stripping the VPN packet header, then reversing the processing applied to the packet to restore the original packet.

The VPN gateway of network 2 sends the restored original packet to the target terminal B. Because the destination address of the original packet is the IP address of terminal B, the packet is delivered to terminal B correctly. From terminal B's perspective, the packet it receives is the same as if it had been sent directly by terminal A.

Packets from terminal B back to terminal A are processed in the same way as above, so terminals in the two networks can communicate with each other. [1]

From the description above, two parameters are essential to VPN communication when the gateway processes packets: the destination address of the original packet (the VPN destination address) and the remote VPN gateway address. From the VPN destination address the gateway decides which packets need VPN processing; packets that do not need it are usually forwarded directly to the upstream route. The remote VPN gateway address specifies the destination of the processed VPN packets, that is, the address of the VPN gateway at the other end of the VPN tunnel. Because network communication is bidirectional, the VPN gateways at both ends of the tunnel must know both the VPN destination address and the corresponding remote VPN gateway address.
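The following is an added example, not part of the original article, that models the gateway behaviour described above in Python: each gateway keeps a tunnel table mapping a VPN destination network to the remote gateway address, encapsulates matching packets with an outer header addressed to that remote gateway, forwards non-matching packets unchanged, and decapsulates only packets that arrive from a known peer gateway. The addresses, the pre-shared key, the inner packet format and the HMAC-SHA256 integrity tag are all constructed assumptions for the example; the tag is included because checking the outer source address alone does not prove a packet really came from the peer gateway.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed example values: pre-shared key and tag length are illustrative only.
PSK = b"example-pre-shared-key"
TAG_LEN = 32  # HMAC-SHA256 tag appended to every tunnelled payload


def encode_inner(pkt):
    """Serialize the original (inner) packet: 4-byte src, 4-byte dst, 2-byte length, data."""
    src = ipaddress.IPv4Address(pkt["src"]).packed
    dst = ipaddress.IPv4Address(pkt["dst"]).packed
    return src + dst + struct.pack("!H", len(pkt["data"])) + pkt["data"]


def decode_inner(raw):
    """Reverse encode_inner; return None if the buffer is malformed."""
    if len(raw) < 10:
        return None
    src = str(ipaddress.IPv4Address(raw[0:4]))
    dst = str(ipaddress.IPv4Address(raw[4:8]))
    (length,) = struct.unpack("!H", raw[8:10])
    data = raw[10:10 + length]
    if len(data) != length:
        return None
    return {"src": src, "dst": dst, "data": data}


class VpnGateway:
    def __init__(self, external_ip, tunnels):
        self.external_ip = ipaddress.IPv4Address(external_ip)
        # Tunnel table: (VPN destination network, remote VPN gateway address).
        self.tunnels = [(ipaddress.IPv4Network(net), ipaddress.IPv4Address(gw))
                        for net, gw in tunnels]
        # Only packets from these gateways are treated as VPN packets.
        self.peers = {gw for _, gw in self.tunnels}

    def remote_gateway_for(self, dst_ip):
        """Look up the VPN destination address; None means 'not a VPN packet'."""
        dst = ipaddress.IPv4Address(dst_ip)
        for net, gw in self.tunnels:
            if dst in net:
                return gw
        return None

    def process_outbound(self, inner):
        """Encapsulate packets bound for a tunnel; forward everything else untouched."""
        remote_gw = self.remote_gateway_for(inner["dst"])
        if remote_gw is None:
            return "forward", inner
        payload = encode_inner(inner)
        tag = hmac.new(PSK, payload, hashlib.sha256).digest()
        outer = {"src": str(self.external_ip), "dst": str(remote_gw),
                 "payload": payload + tag}
        return "tunnel", outer

    def process_inbound(self, outer):
        """Decapsulate a VPN packet from a peer gateway; None if it is rejected."""
        if ipaddress.IPv4Address(outer["src"]) not in self.peers:
            return None
        if ipaddress.IPv4Address(outer["dst"]) != self.external_ip:
            return None
        body, tag = outer["payload"][:-TAG_LEN], outer["payload"][-TAG_LEN:]
        expected = hmac.new(PSK, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # modified in transit or not built with the shared key
        return decode_inner(body)


if __name__ == "__main__":
    # Constructed sites: 10.1.0.0/16 behind gateway 203.0.113.1, 10.2.0.0/16 behind 198.51.100.1.
    gw1 = VpnGateway("203.0.113.1", [("10.2.0.0/16", "198.51.100.1")])
    gw2 = VpnGateway("198.51.100.1", [("10.1.0.0/16", "203.0.113.1")])
    action, outer = gw1.process_outbound({"src": "10.1.0.5", "dst": "10.2.0.7", "data": b"hello B"})
    print(action, outer["dst"], gw2.process_inbound(outer))
```

Running the block shows a packet from terminal A (10.1.0.5) being tunnelled to the remote gateway and restored unchanged at the far side, while a packet for an address outside the tunnel table is returned with the `forward` action.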

 

 

4. Features

1) Network construction is fast and convenient. Users only need to connect each network node to the public network through a local dedicated line and configure the network.

2) Reduced investment in network construction. Because a VPN is a virtual private network built on a public network, it avoids the high investment in software and hardware that building a traditional private network requires.

3) Cost savings. Users who network with a VPN can greatly reduce link rental fees and network maintenance costs, thereby lowering the enterprise's operating costs.

4) Security. Logical tunnels and network-layer encryption prevent network data from being modified or stolen, ensuring the confidentiality and integrity of user data.

5) Simplified network maintenance and management for users. A large part of the network management and maintenance work is done by the public network service provider.

 

 

 

5. Business advantages

A VPN is not only a product but also a service. It establishes a private data transmission channel over the public network to connect remote branch offices, business partners, mobile workers and others. It reduces the cost burden of remote access for enterprises, saves money, and provides a secure end-to-end data communication method. A VPN combines many features of public and private networks: the reliable performance, scalability and rich functionality of the public network with the security, flexibility and efficiency of a private network. It can bring the following benefits to enterprises and service providers:

(1) Significantly reduces the user's investment in network equipment access and lines;

(2) The company employing remote access pays the full cost of purchasing and supporting the remote access infrastructure for the entire enterprise in advance;

(3) Reduce the cost of user network operation and maintenance and personnel management;

(4) The network is easy to use, manageable and expandable;

(5) The company can use the ubiquitous Internet to provide seamless and secure connections for branch offices through a single network structure;

(6) It can strengthen relationships with customers, business partners and suppliers; operators, ISPs and enterprise users can all benefit from it.

 

 

6. VPN security

The procedure for checking a VPN during a penetration test depends on the type of VPN. Regardless of the VPN type, the basic testing steps are:

Reconnaissance: determine the type of VPN in use and the ports the VPN process listens on. This can be done with port scanning tools such as Nmap. Depending on the VPN type, the service typically listens on UDP port 500 (IPsec IKE), TCP port 1723 (PPTP), TCP port 443 (SSL VPN), UDP port 1194 (OpenVPN), or a non-default port.

Exploitation: once the VPN port has been identified, the vendor and version of the daemon can be determined with an IKE scanning tool such as ike-scan. That version is then checked against published CVEs for which exploits already exist or could be written, for example in the Metasploit framework.

Authentication: a daemon listening for incoming connections must correctly verify the credentials the client submits. Do not rely on usernames and passwords alone; additional security credentials such as certificates improve the overall security of the VPN service. A password policy should be in place so that strong passwords are used together with certificates, which limits brute-force attacks. [3]
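As an added example (not from the original article), the detection side of the authentication point above: a small Python routine that reads VPN authentication log lines and flags any source address that accumulates a threshold number of failed logins inside a sliding time window. The log format and the sample lines are constructed for this example; a real VPN daemon's log would need its own parser, but the windowing logic is the same.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed line format:
# "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-05-01T08:00:01 FAIL user=alice src=198.51.100.7
2024-05-01T08:00:03 FAIL user=bob src=198.51.100.7
2024-05-01T08:00:05 FAIL user=carol src=198.51.100.7
2024-05-01T08:00:06 FAIL user=dave src=198.51.100.7
2024-05-01T08:00:08 FAIL user=erin src=198.51.100.7
2024-05-01T08:00:10 OK user=alice src=203.0.113.5
2024-05-01T08:00:40 FAIL user=alice src=203.0.113.9
2024-05-01T08:20:00 FAIL user=alice src=203.0.113.9
"""


def parse_line(line):
    """Parse one log line of the assumed format into a dict."""
    ts, result, user, src = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "ok": result == "OK",
        "user": user.split("=", 1)[1],
        "src": src.split("=", 1)[1],
    }


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {src: alert} for sources with >= threshold failures within `window`.

    Each alert records the first and last failure time, the number of failures
    in the window, and the distinct usernames tried (many distinct users from
    one source is the password-spraying pattern).
    """
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["time"])
    recent = defaultdict(deque)  # src -> failures inside the current window
    alerts = {}
    for e in events:
        if e["ok"]:
            continue
        q = recent[e["src"]]
        q.append(e)
        while q and e["time"] - q[0]["time"] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and e["src"] not in alerts:
            alerts[e["src"]] = {
                "first": q[0]["time"],
                "last": e["time"],
                "failures": len(q),
                "users": sorted({x["user"] for x in q}),
            }
    return alerts


if __name__ == "__main__":
    for src, alert in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(src, alert["failures"], "failures, users:", ", ".join(alert["users"]))
```

With the sample data only 198.51.100.7 is flagged: five failures against five different accounts in seven seconds. The two failures from 203.0.113.9 are twenty minutes apart and never reach the threshold inside one window, so a single user mistyping a password does not trigger an alert.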

 

 

 

7. Commonly used VPN technologies

1. MPLS VPN is an IP VPN based on MPLS (Multiprotocol Label Switching). It applies MPLS technology on network routing and switching equipment, simplifies the route selection of core routers, and implements an IP Virtual Private Network (IP VPN) by combining label switching with traditional routing. The advantage of MPLS lies in combining Layer 2 switching with Layer 3 routing, and it performs well on major IP-network problems such as VPNs, service classification and traffic engineering. MPLS VPN is therefore increasingly favoured by operators for enterprise interconnection and for offering new services, and has become an important means for IP network operators to provide value-added services. MPLS VPNs are further classified into Layer 2 MPLS VPNs (MPLS L2 VPN) and Layer 3 MPLS VPNs (MPLS L3 VPN).

2. SSL VPN is a VPN technology based on HTTPS (HTTP over SSL) and works between the transport layer and the application layer. SSL VPN makes full use of the certificate-based authentication, data encryption and message integrity verification mechanisms provided by the SSL protocol, and can establish secure connections for communication between applications. SSL VPN is widely used for web-based remote secure access, giving users a protected way to reach the company's internal network remotely.

3. IPSec VPN is a VPN technology based on the IPSec protocol, and the IPSec protocol provides tunnel security. IPSec is an end-to-end mechanism designed by the IETF to ensure the data security of IP-based communications. It provides high-quality, interoperable, cryptography-based security guarantees for data transmitted over the Internet.

 

 

8. Frequently Asked Questions

Error 691: "Access is denied because the username and/or password is invalid on the domain"

The usual reason is that the account or password entered when connecting to the VPN is incorrect, or that the account does not have permission to use the VPN service.

By default one VPN account is limited to one computer; check whether your username is already logged in elsewhere.

If you are disconnected during use, do not rush to reconnect; wait a few minutes.

If the error persists, contact the network administrator.

Error 691: "The port has been disconnected"

A small number of routers on the market do not support VPNs well, causing symptoms such as error 691, only a few machines being able to connect, frequent disconnections, and sometimes error 800. The reason is that the router uses NAT in a way that does not allow the VPN protocol to pass through.

If the system firewall is turned on in your computer, you can turn it off and try again.

If it happens occasionally, redial a few times, or restart your computer and router and try again.

If you access the Internet through a local area network or a router, ask the network administrator to open UDP ports 1701 to 1704 on the server or router.

If the router cannot be set, you can try to connect the computer directly to the external network, connect to the Internet with a single-machine dial-up method, and then try the VPN dial-up again.

Some networks, such as campus networks, radio networks, Great Wall Broadband and other broadband providers, are prone to error 691; contact the network access department.

Operating systems installed from a stripped-down ("simplified") image are prone to missing related components; you can download and install the registry file for error 691.

Error 721: "The remote computer is not responding"

This may be caused by network delay; try several times. If it still does not work, try the following:

Click Start, then click Run.

In Run, type regedit.exe, and then click OK.

In Registry Editor, locate the following subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\<000x>, where <000x> is the network adapter entry for the WAN Miniport (PPTP) driver.

On the Edit menu, point to New, and then click DWORD Value.

Type ValidateAddress and press Enter. The default for this value is 1 (on); set it to 0 to turn it off.

Exit Registry Editor.

Restart your computer.

Error 742/741: "The remote server does not support encryption"

Select the VPN connection, right-click, choose Properties, and click Security.

Under data encryption, select "Connect without encryption" (in Windows 7: Network and Sharing Center - Change adapter settings - right-click the VPN connection - Properties - Security - Data encryption - select "Connect without encryption").

Error 800: "The VPN connection cannot be established; the VPN server cannot be reached"

If the system firewall is turned on in your computer, you can turn it off and try again.

If you have installed a router, it is recommended to restart the router.

Some networks, such as campus networks, radio networks, Great Wall Broadband and other broadband providers, are prone to error 800; contact the network access department.

Right-click "My Computer" or "Computer" on the desktop, open "Manage", click "Services" under "Services and Applications", find the "IPsec Policy Agent" service, and check whether it is disabled. If it is disabled, change its startup type to Automatic and start the service.

Error 619

If a firewall is enabled (including the system's own): turn the firewall off, or configure it to allow UDP port 1701.

If you access the Internet through a router: bypass the router, or map UDP port 1701 through it.

If neither of the above applies but error 619 still occurs: close all software that is using the network, restart the computer and reconnect.

After connecting to a foreign VPN, domestic web pages open very slowly

Because the VPN's foreign line is connected, the local network exit has been changed to an international exit, so access to domestic web pages is relatively slow while the VPN is connected. Put simply, traffic must travel from the domestic network abroad and then come back. For foreign web pages, on the other hand, the direct path from domestic to foreign is the fastest. Speed also depends on the distance of the route you choose: if you choose a route through the United States, access to domestic web pages will certainly be slower.

Cannot connect from a mobile device

The current network is a 3G network: 3G networks are usually unstable, and there is no guarantee that you can connect every time.

If you are using the company's wireless network in the office but cannot connect to the VPN, or receive a "PPTP server not responding" error: ask the relevant staff whether the broadband service provider supports VPNs, then check whether the router you are behind blocks the VPN port.

The VPN connects from the computer but not from the phone: confirm whether the VPN on the computer is in the "connected" state; if so, disconnect the computer and try the phone again. One account cannot be logged in on two devices at the same time.

Error 789

"The connection attempt failed because the security layer encountered a processing error while initializing negotiation with the remote computer."

1. Click Start, click Run, type regedit, and then click OK

2. Locate the following registry subkey and click it:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters

3. On the Edit menu, click New -> DWORD Value

4. In the Name box, type ProhibitIpSec

5. In the Value Data box, type 1, and then click OK

6. Exit Registry Editor and restart your computer
