Implementation of IPsec-VPN Tunneling using GNS3
Fatimah Abdulnabi Salman

Virtual private networks (VPN) provide a secure remote connection for clients to exchange information with company networks. This paper deals with a site-to-site IPsec-VPN that connects company intranets. The IPsec-VPN network is implemented with security protocols for key management and exchange, authentication and integrity using the GNS3 network simulator. Testing and verification by analyzing data packets is done with both the PING tool and Wireshark to ensure the encryption of data packets during data exchange between different sites belonging to the same company.


Introduction
A Virtual Private Network (VPN) appears to be an excellent method for providing distributed services over a public network infrastructure. VPN offers low cost, efficient use of bandwidth, scalable and flexible functionality, and secure and private connections. A VPN provides a virtual private line between two network sites through which network traffic passes. A VPN network is affected by several factors such as the operating system, the hardware devices being used, interoperability and the algorithms being implemented [1].
VPN can be classified according to the tunneling security issue, location of endpoints, connectivity types, security mechanisms robustness, and the types of tunneling protocols [2].
VPNs provide connectivity through a tunnel, which is a virtual link between two nodes that may be separated by a number of networks. Figure 1 shows the VPN tunneling structure. The tunnel is established within the router and provided with the IP address of the router at the other end. Every packet is encapsulated inside an IP datagram using the IP address of the router at the far end of the tunnel as the destination address [3]. The two endpoints must use the same tunneling protocol. These logical tunnels that carry the IP packet are independent of the payload, and have different headers depending on the protocol implemented [4].
VPN provides secure and encrypted virtual connections over an IP network by encrypting and encapsulating each packet before passing it through a tunnel. VPN uses authentication to ensure data integrity and confidentiality [4]. VPN uses dynamic tunnels for efficient bandwidth usage and for the flexibility of creating and removing tunnels at any time [5].
VPN tunneling adds overhead to the IP packet size, which affects bandwidth utilization in the network, especially if the packet size is small. This overhead also falls on the end router, which must decapsulate and decrypt each packet [6].
This paper analyzes the VPN tunneling protocols. The proposed VPN-IPsec tunneling scenario is configured using the GNS3 simulator along with a virtual network environment for a site-to-site network structure that can be implemented as a real network design for a company, and can also be used as a case study for understanding the VPN network structure through flexible, efficient practice.
The paper is arranged as follows: Section 2 presents VPN technologies and their advantages and disadvantages. Section 3 gives the VPN simulation model, and testing and verification are given in Section 4. Finally, the conclusions are presented in Section 5.

Virtual Private Network
VPN relies on tunneling techniques for transmitting data. The tunneling protocols work at different OSI layers, such as the data link layer, the network layer, or the session layer [7]. The most popular protocols linked with VPN development are Point to Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), Internet Protocol Security (IPsec) and Secure Socket Layer (SSL) [7][8][9]. These protocols secure the VPN and provide authentication and encryption mechanisms [4].

Point to Point Tunneling Protocol (PPTP)
The PPTP specification is described in Network Working Group RFC 2637 [10]. It operates at the data link layer. It is an extension of the Point-to-Point Protocol (PPP) and uses the same authentication mechanisms as PPP [11].

Layer 2 Tunneling Protocol (L2TP)
L2TP may establish a tunnel between routers or between a router and clients. L2TP combines the features of PPTP and Layer Two Forwarding. L2TP reduces network congestion through a flow control mechanism and keeps overhead to a minimum. The L2TP header contains information about the media and the L2TP encapsulation, which allows a high volume of data packets to pass between the tunnel endpoints without adding high overhead on the network. L2TP is capable of establishing multiple tunnels simultaneously between two tunnel endpoints [12].

Internet Protocol Security (IPsec)
IPsec offers data integrity, data confidentiality, and data origin authentication at the network layer of the OSI model [4]. It is composed of different protocols: IPsec Key Exchange and Management Protocol (ISAKMP) for key management, which specifies the negotiation, establishment, modification, and deletion of security associations; Internet Key Exchange (IKE) for key exchange, which creates a secure channel to protect the negotiation for setting up the IPsec tunnel for traffic protection; Authentication Header (AH), which offers data origin authentication, connectionless integrity, and an anti-replay service; and Encapsulating Security Payload (ESP), which offers data origin authentication, connectionless integrity, anti-replay service, and data confidentiality.
These protocols are used to create the connection and transmit traffic securely [4], [13]. IPsec can employ two modes: transport mode, which encrypts the data only, and tunnel mode, which encrypts both the header and the data [4, 5], [14].

Secure Socket Layer (SSL)
SSL offers encryption and authentication for web traffic over an encrypted tunnel [11]. SSL supports specific applications such as web and email services, since SSL tunnels traffic at the session layer [15]. Table 1 summarizes the advantages and disadvantages of the VPN protocol tunnel solutions.
VPN connections can be classified into two types, site-to-site VPN and remote access VPN [1]. In a site-to-site VPN, a VPN connection is established between one site and the remote site of an office. All communication passes through the VPN gateway. It may use different protocols such as IPsec, GRE and MPLS.
In a remote access VPN, a VPN connection is created between users (mobile users) and a server in the LAN by using VPN client software for access. Only authorized users can log on to the VPN tunnel [4]. It may use different protocols such as IPsec, SSL, PPTP and L2TP [1], [4], [8]. Another classification of VPNs is according to whether the network is managed by the customer or by the service provider:
a) Trusted VPNs, in which the customer trusts the VPN service provider to offer data integrity and to prevent sniffing of the network traffic.
b) Secure VPNs, in which the network is established with encryption, so that even if an attacker is able to inspect the traffic, he cannot read it.
c) Hybrid VPNs, a new form of trusted VPN that runs a secure VPN as part of a trusted VPN [9], [11].

Simulation Model
The network simulation is done using GNS3 and consists of 7200 series routers, two clients and a server implemented as virtual machines and connected to the GNS3 topology as shown in Figure 2. The server provides web services for the clients in the different sites. The routers represent the different VPN sites as IPsec-VPN gateways; they are configured in IPsec tunnel mode. The security strategy implemented in these routers is as follows: the IKE tunnel security uses ISAKMP policy 10, AES 256 for encryption, and pre-shared key authentication with Diffie-Hellman group 5.
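As an added example that is not part of the paper, the following Cisco IOS configuration for one of the gateway routers realises the stated policy (ISAKMP policy 10, AES 256, pre-shared key authentication, group 5, ESP in tunnel mode). The hash algorithm, lifetime, peer and LAN addresses, pre-shared key, interface name, ACL number and map names are assumptions, not values taken from the paper.

```cisco
! Added example for one VPN gateway (Router 1); the peer gateway mirrors it
! with the local and remote addresses swapped. Addresses, key, hash and
! names below are assumed, not from the paper.
!
! IKE phase 1 (ISAKMP policy 10 as in the paper): AES 256, pre-shared key,
! Diffie-Hellman group 5. SHA-1 hash and 86400 s lifetime are assumptions.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
!
! Pre-shared key bound to the peer gateway's WAN address (constructed,
! RFC 5737 test range). Use a long random secret in a real deployment.
crypto isakmp key EXAMPLE-PSK-REPLACE-ME address 203.0.113.2
!
! IKE phase 2: ESP with AES 256 and SHA-1 HMAC in tunnel mode, so the whole
! inner IP packet (header and data) is encrypted, as the paper's Figure 6 shows.
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
! The crypto map ties peer, transform set and traffic selector together.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set VPN-TS
 match address 101
!
! Traffic selector: only traffic between the two site LANs (assumed
! 192.168.1.0/24 local, 192.168.2.0/24 remote) is sent through the tunnel.
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Apply the crypto map to the WAN interface facing the other site.
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN-MAP
!
! Verification from the router CLI, complementing PING and Wireshark:
!   show crypto isakmp sa   -> state QM_IDLE once phase 1 is established
!   show crypto ipsec sa    -> pkts encaps/encrypt counters increasing
```

In a Wireshark capture taken on the link between the routers this configuration appears as ISAKMP exchanges on UDP port 500 followed by ESP packets (IP protocol 50) whose payload is opaque, which is what the paper's Figures 5 and 6 document.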

Simulation Test
To test the network operation, two tools are used, PING and Wireshark. The tunnel establishment is checked with the ping tool; Figure 4 shows the result of successful connectivity between the client and the server. Wireshark is used to capture the traffic between the routers to analyze the network traffic and confirm that the security strategy is working. Figure 5 shows the capture of data traffic between router 1 and router 3, which presents the ISAKMP process of negotiation, establishment and key management between the two routers. Figure 6 shows that the data traffic between the routers is encrypted with ESP.

Conclusion
VPN offers the enterprise privacy and cost-effective services without disrupting communication. The main goal of this paper is to implement a VPN network using the IPsec tunneling mechanism in GNS3 with virtual clients and servers. The testing shows the successful verification of the IPsec security strategy and of data packet processing under the security protocols.

Table 1. Advantages and disadvantages of VPN protocol tunnel solutions.