VPN connection: what it is, why it is needed and how it works

In this article, Mr. Whoer will tell you about 12 potential VPN problems. This is not a comprehensive VPN troubleshooting guide, but it will hopefully give you an idea of what to do if your VPN stops working and how to set up a VPN connection.

1. I'm connecting to the VPN, but I can't see a specific website

It is possible that only one specific website is unreachable while the VPN itself works fine and other websites are available. Try clearing the cache in your browser (Ctrl + F5). Restart your computer just in case.

DNS settings can also interfere with the loading of certain sites; see item 3 for more on this.

Additionally, the site may not be accessible from the VPN server of your choice due to geographic restrictions. Try changing the server country.

2. Connection to VPN is established, but data is not transmitted

Check whether you are running another VPN client at the same time. Look for VPN clients among the running programs, including those running in the background. Disable and exit all VPN programs installed on your computer except the one you are planning to use at the moment.

Internet connection problems can also arise if you use one VPN client simultaneously on several devices (for example, a mobile device and a desktop computer) and these devices are connected to the same VPN server. Solution: if, for example, the server country Germany is selected in the VPN client on both the computer and the mobile device, try changing the country on one of the devices, say, to Switzerland.

3. Connection to the site works by IP address, but not by domain name

You can also try connecting to the site by its IP address instead of its name. If you can reach previously inaccessible resources by IP address, this points to a DNS problem. Check which DNS servers your computer is configured to use.

You can find instructions on what DNS is and how to change it.

4. There is a VPN connection, but sites are not loading

Fire up your browser and visit several different sites to make sure your internet connection is actually working. If your computer is on a wireless network and you have problems connecting to the Internet or an access point, then before you can use a VPN, you need to resolve the wireless connection problems.

5. Problems with the VPN client

Make sure the VPN client was installed exactly as indicated in; reinstall the client, re-enter your login information.

1. Uninstall the application
2. Restart your computer
3. Install the client
4. Restart your computer
5. Try to connect

6. Connected to a VPN server, but no internet

If some servers connect and others do not, the problem is related to the location of the server you were connecting to when starting the VPN client. Try to reconnect: it is possible that one specific server is down while other servers in that country are working. You can also try restarting the client; this is especially recommended if you are connecting to the server for the first time since installation.

7. Problems with VPN protocol

Select the "Use UDP connection" option in the settings.

8. VPN does not work on home network

If you are using a laptop or mobile device, visit a free public wi-fi hotspot (cafe, library) and try connecting to the VPN from there.

If the VPN works when connected via a hotspot network, you should look for the problem on your home network. Maybe you need to change some network settings that might be causing problems with vpn access.

9. Programs block VPN work

Firewall and anti-spyware software can interfere with VPN operation. Antivirus software may also restrict VPN traffic by default. Usually, firewalls are not a problem. However, some older versions do not work as expected with a VPN connection. To find out if this is your case, temporarily disable your firewall and try to connect to the VPN server again. If the problem is with the firewall, you may have to open some outgoing ports, which vary depending on the VPN and firewall software.

You can also try disabling the security software and then connecting with the VPN client again. If that doesn't work, add the VPN client as an exception in your firewall and antivirus software and unblock the ports commonly used for VPN connections: TCP 443, TCP 1701, and TCP 1723.

10. Your home router does not support VPN

Some routers do not support VPN Passthrough (a router function that allows traffic to flow freely over the Internet) and / or the protocols required for certain types of VPNs to work. When purchasing a new router, be sure to check if it is marked as VPN capable.

If you are having problems connecting to a VPN, search the Internet for the specific brand and model of your router plus the word "VPN" to see if there are any reports that your router model does not work with VPN and whether there is a way to fix it.

Your router manufacturer may offer a firmware update that includes VPN support. If this update is not available, you will need to purchase a new home router, but first contact your ISP's technical support for advice.

11. Problems in router settings, VPN transit and VPN ports and protocols

If you find that your router model supports VPN Passthrough, check your home network's router and personal firewall configuration settings for the following:

In the security settings, you can find such vpn connection configuration options as enabling IPSec Passthrough and PPTP Passthrough. These are the two most common types of VPN connections. You can try enabling both.

Check port forwarding and protocols. Your firewall (inside the router and, separately, any installed firewall software) may need specific ports forwarded and specific IP protocols allowed. IPsec VPNs need UDP port 500 (IKE) forwarded and IP protocols 50 (ESP) and 51 (AH) allowed. PPTP, Microsoft's VPN tunneling protocol, needs TCP port 1723 forwarded and IP protocol 47 (GRE) allowed.

It's not as difficult as it sounds. To get started, read the user manual of the router or look at the manufacturer's website for information related to "VPN". You need to find what is specific to your specific device model.

12. Problems arising when connecting to a local network

A VPN will not work if your computer's IP address falls in the same IP range as the network on the other side of the VPN. An example: if your computer's IP address begins with 192.168.1, your network is using the 192.168.1 addressing scheme.

To find the IP address of your computer in Windows, go to Start > Run... and type cmd to launch a command window. In this window, enter ipconfig /all and press Enter. Find your network adapter and check the "IP Address" field.

If you find out that your IP address matches the IP range, you need to make some changes to your home router settings.

Go to the configuration page of your router and change the IP address of the router so that the first three blocks of numbers in the IP address differ from the conflicting subnet (in our example, change it to 192.168.2.1).

Also find the DHCP server settings and change them so that the router issues IP addresses in the required address range (in our example, from 192.168.2.2 to 192.168.2.255).
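The overlap check from this section can be automated. The following is an added example, not code from the original article: it parses a constructed `ipconfig /all` excerpt (the address and mask values are invented), checks whether the local LAN collides with the subnets reachable through the VPN (a constructed list, here assumed to be `192.168.1.0/24` and `10.8.0.0/24`), and, if it does, proposes a free LAN subnet together with the router address and DHCP pool for it. The pool ends at the last usable host (`.254`), since `.255` is the broadcast address of a /24.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (not captured from a real machine)
IPCONFIG_OUTPUT = """
Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
"""

# Constructed: subnets the VPN makes reachable through the tunnel
VPN_NETWORKS = ["192.168.1.0/24", "10.8.0.0/24"]


def parse_ipconfig(text):
    """Pull the IPv4 address and subnet mask out of ipconfig output (English locale assumed)."""
    ip = re.search(r"IPv?4? Address[ .]*: *([\d.]+)", text)
    mask = re.search(r"Subnet Mask[ .]*: *([\d.]+)", text)
    if not ip or not mask:
        raise ValueError("no IPv4 address/mask found in ipconfig output")
    return ip.group(1), mask.group(1)


def local_network(ip, mask):
    """The LAN subnet the host sits on, e.g. 192.168.1.23/255.255.255.0 -> 192.168.1.0/24."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def overlapping(local, remote_cidrs):
    """Remote subnets that collide with the local one; any hit makes the VPN routes ambiguous."""
    return [r for r in remote_cidrs if local.overlaps(ipaddress.ip_network(r))]


def pick_new_lan(remote_cidrs, candidates=("192.168.2.0/24", "192.168.3.0/24",
                                           "192.168.77.0/24", "172.16.50.0/24")):
    """First candidate subnet that does not collide with anything behind the VPN."""
    for cidr in candidates:
        if not overlapping(ipaddress.ip_network(cidr), remote_cidrs):
            return cidr
    return None


def router_plan(new_cidr):
    """Router address and DHCP pool for the new subnet: router .1, pool .2 to the last usable host."""
    hosts = list(ipaddress.ip_network(new_cidr).hosts())
    return {"router": str(hosts[0]), "dhcp_start": str(hosts[1]), "dhcp_end": str(hosts[-1])}


def diagnose(ipconfig_text, vpn_networks):
    """Full check: local subnet, the VPN subnets it clashes with, and the proposed router change."""
    ip, mask = parse_ipconfig(ipconfig_text)
    local = local_network(ip, mask)
    clashes = overlapping(local, vpn_networks)
    if not clashes:
        return {"local": str(local), "clashes": [], "fix": None}
    return {"local": str(local), "clashes": clashes, "fix": router_plan(pick_new_lan(vpn_networks))}


if __name__ == "__main__":
    print(diagnose(IPCONFIG_OUTPUT, VPN_NETWORKS))
```

On the constructed input the local subnet `192.168.1.0/24` clashes with the first VPN subnet, and the proposed fix is router `192.168.2.1` with a DHCP pool from `192.168.2.2` to `192.168.2.254`.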

Additionally, watch our video, where we also talk about the VPN problems users run into.

VPN (Virtual Private Network) is a virtual private network.

In general terms, a VPN is a secure channel that connects your Internet-connected device to any other device on the global network. Put more simply, picture it like this: without a VPN service, your computer (laptop, phone, TV or any other device) going online is like a house without a fence. At any time, anyone can intentionally or accidentally break the trees and trample the beds in your garden. With a VPN, your home turns into a fortress that is simply impossible to break into.

How does it work?

The principle of VPN operation is simple and transparent for the end user. At the moment you go online, a virtual "tunnel" is created between your device and the rest of the Internet, blocking any outside attempts to get inside. For you, the VPN operation remains absolutely transparent and invisible. Your personal, business correspondence, Skype or telephone conversations cannot be intercepted or overheard in any way. All your data is encrypted using a special encryption algorithm, which is almost impossible to crack.

In addition to protection from outside intrusion, VPN provides the opportunity to virtually temporarily visit any country in the world and use the network resources of these countries, watch TV channels that were previously unavailable. VPN will replace your IP address with any other one. To do this, you just need to select a country from the proposed list, for example, the Netherlands and all sites and services that you will visit will automatically “think” that you are in this particular country.

Why not anonymizer or proxy?

The question arises: why not just use some kind of anonymizer or proxy server, since they also spoof the IP address? The answer is simple: none of these services provide protection; you are still "visible" to intruders, and so is all the data you exchange on the Internet. In addition, working with proxy servers requires some skill to configure correctly. A VPN works on the principle of "connect and work" and does not require any additional settings. The whole connection process takes a couple of minutes and is very simple.

About free VPNs

When choosing, keep in mind that free VPNs almost always have restrictions on the amount of traffic and data transfer rate. This means that a situation may arise where you simply cannot continue to use the free VPN. Do not forget that free VPNs are not always stable and often overloaded. Even if your limit is not exceeded, data transfer can be delayed for a long period of time due to the high load on the VPN server. Paid VPN services are distinguished by high bandwidth, the absence of restrictions on both traffic and speed, and the security level is higher than that of free ones.

Where to begin?

Most VPN services provide an opportunity to test the quality for free for a short period. The testing period can be from several hours to several days. During testing, you usually get full access to all the functionality of the VPN service. Our service makes it possible to find such VPN services by the link:

The Internet is increasingly being used as a means of communication between computers, as it offers efficient and inexpensive communication. However, the Internet is a public network and in order to ensure secure communication through it, a certain mechanism is needed that satisfies at least the following tasks:

    confidentiality of information;

    data integrity;

    availability of information.

These requirements are met by a mechanism called VPN (Virtual Private Network), a generalized name for technologies that allow one or more network connections (a logical network) to be provided over another network (for example, the Internet) using cryptography (encryption, authentication, public key infrastructure, and protection against replay and modification of the messages transmitted over the logical network).

The creation of a VPN does not require additional investments and allows you to stop using leased lines. Depending on the protocols used and the purpose, VPN can provide connections of three types: host-host, host-net and net-net.

For clarity, let's imagine the following example: an enterprise has several geographically remote branches and "mobile" employees working at home or on the road. It is necessary to unite all employees of the enterprise into a single network. The easiest way is to put modems in each branch and arrange communications as needed. Such a solution, however, is not always convenient and profitable - sometimes you need a constant connection and high bandwidth. To do this, you will either have to lay a dedicated line between the branches, or rent them. Both are quite expensive. And here, as an alternative when building a single secure network, you can use VPN connections of all branches of the company via the Internet and configure VPN tools on network hosts.

Figure 6.4. Site-to-site VPN connection

Figure 6.5. Host-to-network VPN connection

In this case, many problems are solved - branches can be located anywhere around the world.

The danger here lies in the fact that, firstly, an open network is available for attacks from attackers around the world. Second, all data is transmitted over the Internet in clear text, and attackers, having hacked the network, will have all the information transmitted over the network. And thirdly, data can not only be intercepted, but also replaced during transmission over the network. An attacker could, for example, compromise the integrity of databases by acting on behalf of clients of one of the trusted branches.

To prevent this from happening, VPN solutions use tools such as data encryption to ensure integrity and confidentiality, authentication and authorization to validate user rights, and allow VPN access.

A VPN connection always consists of a point-to-point link, also known as a tunnel. The tunnel is created on an unsecured network, which is most often the Internet.

Tunneling, or encapsulation, is a way of carrying useful information through an intermediate network. Such information can be frames (or packets) of another protocol. When encapsulated, the frame is not transmitted in the form in which it was generated by the sending host; it is given an additional header containing routing information that allows the encapsulated packets to pass through the intermediate network (the Internet). At the end of the tunnel, the frames are de-encapsulated and sent to the recipient. Typically, the tunnel is created by two edge devices located at the points of entry into the public network. One clear advantage of tunneling is that the entire original packet can be encrypted, including its header, which may contain information attackers use to map the network (for example, IP addresses and the number of subnets).

Although a VPN tunnel is established between two points, each node can establish additional tunnels with other nodes. For example, when three remote stations need to connect to the same office, three separate VPN tunnels will be created to that office. For all tunnels, the office-side node can be the same. This is possible because the host can encrypt and decrypt data on behalf of the entire network, as shown in the figure:

Figure 6.6. Creating VPN tunnels for multiple remote locations

The user establishes a connection to the VPN gateway, after which the user is granted access to the internal network.

The encryption itself does not take place inside the private network. The reason is that this part of the network is considered secure and under direct control as opposed to the Internet. This is also true when connecting offices using VPN gateways. Thus, encryption is guaranteed only for the information that is transmitted over an insecure channel between offices.

There are many different solutions for building virtual private networks. The most famous and widely used protocols are:

    PPTP (Point-to-Point Tunneling Protocol) - this protocol has become quite popular due to its inclusion in Microsoft operating systems.

    L2TP (Layer-2 Tunneling Protocol) - combines the L2F (Layer 2 Forwarding) protocol and the PPTP protocol. Typically used in conjunction with IPSec.

    IPSec (Internet Protocol Security) is an official Internet standard developed by the Internet Engineering Task Force (IETF) community.

The listed protocols are supported by D-Link devices.

PPTP is primarily intended for virtual private networks based on dial-up connections. The protocol allows for remote access, allowing users to establish dial-up connections with ISPs and create a secure tunnel to their corporate networks. Unlike IPSec, PPTP was not originally designed for LAN-to-LAN tunnels. PPTP extends the capabilities of PPP, a data-link protocol originally developed for encapsulating data and delivering it over point-to-point connections.

PPTP allows you to create secure channels for exchanging data using various protocols: IP, IPX, NetBEUI, etc. The data of these protocols are packed into PPP frames, which are encapsulated by PPTP into IP packets. They are then transferred over IP in encrypted form across any TCP/IP network. The receiving node extracts the PPP frames from the IP packets and processes them in the standard way, i.e. extracts the IP, IPX or NetBEUI packet from the PPP frame and sends it over the local network. Thus, PPTP creates a point-to-point connection in the network and transmits data over the created secure channel. The main advantage of encapsulating protocols such as PPTP is that they are multi-protocol: data protection at the data link layer is transparent to the protocols of the network and application layers. Therefore, within the network you can use either the IP protocol (as in the case of a VPN based on IPSec) or any other protocol as transport.

Nowadays, due to its ease of implementation, PPTP is widely used both for obtaining reliable secure access to the corporate network and for accessing the networks of ISPs when a client needs to establish a PPTP connection with an ISP to access the Internet.

The encryption method used in PPTP is specified at the PPP level. Typically, the PPP client is a Microsoft desktop computer, and the encryption protocol is Microsoft Point-to-Point Encryption (MPPE). This protocol is based on the RSA RC4 standard and supports 40- or 128-bit encryption. For many applications of this level of encryption, the use of this algorithm is sufficient, although it is considered less reliable than a number of other encryption algorithms offered by IPSec, in particular, the 168-bit Triple-Data Encryption Standard (3DES).

How is a PPTP connection established?

PPTP encapsulates IP packets for transmission over an IP network. PPTP clients create a tunnel-control connection to keep the link alive. This process is performed at the transport layer of the OSI model. After the tunnel is created, the client computer and the server begin to exchange service packets.

In addition to the PPTP control connection, a tunnel data connection is created. Encapsulating data before sending it into the tunnel involves two stages. First, the information part of the PPP frame is created. Data flows from top to bottom, from the OSI application layer to the data link layer. The received data is then sent up the OSI model and encapsulated by upper layer protocols.

Data from the link layer reaches the transport layer. However, the information cannot be sent to its destination, since the OSI data link layer is responsible for that. Therefore, PPTP encrypts the payload field of the packet and takes over the Layer 2 functions usually belonging to PPP, that is, it adds a PPP header and trailer to the PPTP packet. This completes the creation of the link layer frame. Next, PPTP encapsulates the PPP frame in a Generic Routing Encapsulation (GRE) packet, which belongs to the network layer. GRE encapsulates network layer protocols such as IP and IPX so that they can be transported over IP networks. However, GRE alone does not provide session establishment or data security; for that, PPTP's tunnel control connection is used. The use of GRE as the encapsulation method limits PPTP to IP networks only.

After the PPP frame has been encapsulated with a GRE header, an IP header is added. The IP header contains the source and destination addresses of the packet. Finally, PPTP adds a PPP header and trailer.

Fig. 6.7 shows the data structure for sending over the PPTP tunnel:

Figure 6.7. PPTP tunnel data structure

Organizing a PPTP-based VPN does not require large costs or complex settings: it is enough to install a PPTP server in the central office (PPTP solutions exist for both Windows and Linux platforms) and configure the necessary settings on the client computers. If you need to connect several branches, then instead of configuring PPTP on all client stations it is better to use an Internet router or firewall with PPTP support: the settings are made only on the border router (firewall) connected to the Internet, and everything is completely transparent to users. DIR/DSR series multifunctional Internet routers and DFL series firewalls are examples of such devices.

GRE tunnels

Generic Routing Encapsulation (GRE) is a network packet encapsulation protocol that tunnels traffic over networks without encryption. Examples of using GRE:

    transmission of traffic (including broadcast) through equipment that does not support a specific protocol;

    tunneling IPv6 traffic over an IPv4 network;

    data transmission over public networks to implement a secure VPN connection.

Figure 6.8. An example of a GRE tunnel

Between routers A and B (fig. 6.8) there are several intermediate routers; the GRE tunnel connects the local networks 192.168.1.0/24 and 192.168.3.0/24 as if routers A and B were directly connected.
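The encapsulation that routers A and B perform can be shown on raw bytes. The following is an added example, not code from the original text or from any vendor: it builds a constructed UDP packet between the two LANs from the figure (192.168.1.0/24 and 192.168.3.0/24), wraps it in a GRE header and an outer IPv4 header addressed between the tunnel endpoints (the public addresses 203.0.113.1 and 198.51.100.1 are invented), and unwraps it again. The outer header uses IP protocol 47, the GRE header carries protocol type 0x0800 for IPv4, and, because GRE has no encryption, the inner addresses and the payload remain readable to anyone on the path, which is why the page pairs GRE with IPsec for a secure VPN.

```python
import socket
import struct

GRE_PROTO = 47           # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800  # GRE "protocol type" for an encapsulated IPv4 packet
IPV4_FMT = "!BBHHHBBH4s4s"


def ip_checksum(data):
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Build a minimal IPv4 packet (no options) around `payload`."""
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt):
    """Validate the header checksum and return the header fields plus payload."""
    ver_ihl, _tos, total, _ident, _ff, ttl, proto, _csum, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("not a valid IPv4 header")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total]}


def gre_encapsulate(inner_pkt, tunnel_src, tunnel_dst):
    """Router A: prepend a GRE header and an outer IP header addressed to router B."""
    gre_hdr = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # C/K/S flags clear, version 0
    return build_ipv4(tunnel_src, tunnel_dst, GRE_PROTO, gre_hdr + inner_pkt)


def gre_decapsulate(outer_pkt):
    """Router B: strip the outer IP and GRE headers and return the original packet."""
    outer = parse_ipv4(outer_pkt)
    if outer["proto"] != GRE_PROTO:
        raise ValueError("outer packet is not GRE (IP protocol 47)")
    flags, ptype = struct.unpack("!HH", outer["payload"][:4])
    if flags & 0xB000:  # optional checksum/key/sequence fields are not handled in this example
        raise ValueError("GRE optional fields not supported here")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % ptype)
    return outer["payload"][4:]


def make_lan_packet():
    """Constructed sample: a UDP datagram from a host on 192.168.1.0/24 to one on 192.168.3.0/24."""
    udp = struct.pack("!HHHH", 40000, 53, 8 + 5, 0) + b"hello"
    return build_ipv4("192.168.1.10", "192.168.3.20", 17, udp)


def demo():
    """Round-trip through the tunnel; also report whether the payload is readable in transit."""
    inner = make_lan_packet()
    outer = gre_encapsulate(inner, "203.0.113.1", "198.51.100.1")  # constructed tunnel endpoints
    recovered = gre_decapsulate(outer)
    return parse_ipv4(outer), recovered == inner, b"hello" in outer


if __name__ == "__main__":
    outer_hdr, roundtrip_ok, payload_visible = demo()
    print(outer_hdr["src"], "->", outer_hdr["dst"], "IP protocol", outer_hdr["proto"])
    print("inner packet recovered:", roundtrip_ok, "| payload readable in transit:", payload_visible)
```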

L2TP

L2TP is the result of the combination of PPTP and L2F. The main advantage of L2TP is that it allows you to create a tunnel not only in IP networks, but also in ATM, X.25 and Frame relay networks. L2TP uses UDP as its transport and uses the same message format for both tunnel management and data transfer.

As with PPTP, L2TP begins assembling the packet for transmission through the tunnel by adding the PPP header first, then the L2TP header, to the PPP information field. The resulting packet is encapsulated in UDP. Depending on the selected IPSec security policy type, L2TP can encrypt the UDP messages and add an Encapsulating Security Payload (ESP) header and trailer, as well as an IPSec Authentication trailer (see "L2TP over IPSec"). Then IP encapsulation is done: an IP header containing the source and destination addresses is added. Finally, L2TP performs a second PPP encapsulation to prepare the data for transmission. Fig. 6.9 shows the data structure for forwarding over an L2TP tunnel.

Figure 6.9. Data structure for forwarding over an L2TP tunnel

The receiving computer receives the data, processes the PPP header and trailer, and strips the IP header. IPSec Authentication authenticates the IP information field, and the IPSec ESP header is used to decrypt the packet.

The computer then processes the UDP header and uses the L2TP header to identify the tunnel. The PPP packet now contains only payload that is processed or forwarded to the specified recipient.

IPsec (short for IP Security) is a set of protocols to ensure the protection of data transmitted over Internet Protocol (IP), allowing for authentication and/or encryption of IP packets. IPsec also includes protocols for secure key exchange over the Internet.

IPSec security is achieved through additional protocols that add their own headers to the IP packet - encapsulations. Because IPSec is an Internet standard, there are RFCs for it:

    RFC 2401 (Security Architecture for the Internet Protocol) - IP security architecture.

    RFC 2402 (IP Authentication header) - IP authentication header.

    RFC 2404 (The Use of HMAC-SHA-1-96 within ESP and AH) - Using the SHA-1 hashing algorithm to create an authentication header.

    RFC 2405 (The ESP DES-CBC Cipher Algorithm With Explicit IV) - The use of the DES encryption algorithm.

    RFC 2406 (IP Encapsulating Security Payload (ESP)) - data encryption.

    RFC 2407 (The Internet IP Security Domain of Interpretation for ISAKMP) is the scope of the key management protocol.

    RFC 2408 (Internet Security Association and Key Management Protocol (ISAKMP)) - Management of keys and authenticators for secure connections.

    RFC 2409 (The Internet Key Exchange (IKE)) - Key exchange.

    RFC 2410 (The NULL Encryption Algorithm and Its Use With IPsec) - the null encryption algorithm and its use.

    RFC 2411 (IP Security Document Roadmap) is a further development of the standard.

    RFC 2412 (The OAKLEY Key Determination Protocol) - Checking the authenticity of a key.

IPsec is an integral part of the IPv6 Internet Protocol and is an optional extension to the IPv4 Internet Protocol version.

The IPSec mechanism solves the following tasks:

    authentication of users or computers when initializing a secure channel;

    encryption and authentication of data transmitted between endpoints of a secure channel;

    automatically provision channel endpoints with secret keys required for authentication and data encryption protocols.

IPSec components

The AH (Authentication Header) protocol is an authentication header protocol. It ensures integrity by verifying that no bit in the protected portion of the packet has been changed during transmission. But using AH can cause problems, for example, when a packet traverses a NAT device. NAT changes the IP address of the packet to allow Internet access from a private local address. Since the packet changes, the AH checksum becomes invalid (to eliminate this problem, NAT-Traversal (NAT-T) was developed, which carries ESP over UDP and uses UDP port 4500). It is also worth noting that AH was designed only for integrity purposes. It does not provide confidentiality by encrypting the contents of the packet.

The ESP (Encapsulation Security Payload) protocol provides not only the integrity and authentication of transmitted data, but also data encryption, as well as protection against spoofed packet replay.

ESP is an encapsulating security protocol that provides both integrity and confidentiality. In transport mode, the ESP header is between the original IP header and the TCP or UDP header. In tunnel mode, the ESP header is placed between the new IP header and the fully encrypted original IP packet.

Both AH and ESP are carried directly in IP, each with its own protocol number (ID), which is used to determine what follows the IP header. According to IANA (Internet Assigned Numbers Authority, the organization responsible for the Internet address space), each protocol has its own number (ID). For example, for TCP this number is 6, and for UDP it is 17. Therefore, when working through a firewall it is very important to configure the filters so that packets with the AH and/or ESP protocol IDs are allowed.

Protocol ID 51 is set to indicate AH in the IP header, and 50 for ESP.

ATTENTION: Protocol ID is not the same as port number.
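The distinction the warning makes (and the port/protocol list in item 11 of the troubleshooting part) is easy to get wrong in a firewall rule. The following is an added example, not code from the original text: it reads the protocol field of constructed IPv4 packets and, only for TCP and UDP, the destination port, then evaluates two rule sets against them. The first rule set mistakenly writes 50, 51 and 47 as port numbers and therefore drops ESP, AH and GRE; the second allows them by IP protocol number, as the firewall must. The peer and gateway addresses are invented, and the packets carry only enough header to be classified.

```python
import socket
import struct

# IANA IP protocol numbers and well-known ports for the VPN types discussed on the page
PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP, PROTO_AH = 6, 17, 47, 50, 51
PROTO_NAMES = {PROTO_TCP: "TCP", PROTO_UDP: "UDP", PROTO_GRE: "GRE", PROTO_ESP: "ESP", PROTO_AH: "AH"}
PORT_NAMES = {(PROTO_UDP, 500): "IKE", (PROTO_UDP, 4500): "IKE NAT-T",
              (PROTO_TCP, 1723): "PPTP control", (PROTO_UDP, 1701): "L2TP"}
IPV4_FMT = "!BBHHHBBH4s4s"


def ipv4_packet(src, dst, proto, l4):
    """Constructed IPv4 packet (header checksum left 0; enough for a header classifier)."""
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + l4


def classify(pkt):
    """Return (ip_protocol, destination_port_or_None, label) for an IPv4 packet.
    Only TCP and UDP carry ports; ESP, AH and GRE are identified by the protocol field alone."""
    ver_ihl, _, _, _, _, _, proto, _, _, _ = struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    port = None
    if proto in (PROTO_TCP, PROTO_UDP):
        _src_port, port = struct.unpack("!HH", pkt[ihl:ihl + 4])
    label = PORT_NAMES.get((proto, port), PROTO_NAMES.get(proto, "IP protocol %d" % proto))
    return proto, port, label


def allowed(pkt, rules):
    """rules: ("proto", n) allows IP protocol n; ("tcp", p) / ("udp", p) allow destination port p."""
    proto, port, _ = classify(pkt)
    for kind, value in rules:
        if kind == "proto" and value == proto:
            return True
        if kind == "tcp" and proto == PROTO_TCP and port == value:
            return True
        if kind == "udp" and proto == PROTO_UDP and port == value:
            return True
    return False


# Constructed sample traffic arriving at the firewall from a VPN peer
PEER, GATEWAY = "198.51.100.7", "203.0.113.5"
SAMPLES = {
    "ike":  ipv4_packet(PEER, GATEWAY, PROTO_UDP, struct.pack("!HHHH", 500, 500, 8, 0)),
    "esp":  ipv4_packet(PEER, GATEWAY, PROTO_ESP, struct.pack("!II", 0x1000, 1)),
    "ah":   ipv4_packet(PEER, GATEWAY, PROTO_AH, struct.pack("!BBHII", 17, 4, 0, 0x1001, 1) + b"\x00" * 12),
    "pptp": ipv4_packet(PEER, GATEWAY, PROTO_TCP, struct.pack("!HH", 50000, 1723) + b"\x00" * 16),
    "gre":  ipv4_packet(PEER, GATEWAY, PROTO_GRE, struct.pack("!HH", 0, 0x0800)),
}

# Common mistake: 50, 51 and 47 entered as port numbers instead of protocol numbers
WRONG_RULES = [("udp", 500), ("udp", 4500), ("udp", 50), ("udp", 51), ("tcp", 1723), ("tcp", 47)]
# Correct: IKE and NAT-T by UDP port; ESP, AH and GRE by IP protocol number
RIGHT_RULES = [("udp", 500), ("udp", 4500), ("proto", PROTO_ESP), ("proto", PROTO_AH),
               ("tcp", 1723), ("proto", PROTO_GRE)]


def evaluate(rules):
    """Which of the sample packets a rule set lets through."""
    return {name: allowed(pkt, rules) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify(pkt))
    print("port-number rules:", evaluate(WRONG_RULES))
    print("protocol-number rules:", evaluate(RIGHT_RULES))
```

With the mistaken rules only the IKE and PPTP control packets pass; the ESP, AH and GRE packets, which have no port at all, are dropped, which matches the "connected but no traffic" symptom from the troubleshooting part.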

Internet Key Exchange (IKE) is a standard IPsec protocol used to secure communications in virtual private networks. The purpose of IKE is to securely negotiate and deliver keying material for a Security Association (SA).

SA is the IPSec term for a connection. An established SA (a secure channel called a "security association", SA) includes a shared secret key and a set of cryptographic algorithms.

IKE serves three main purposes:

    provides means of authentication between two VPN endpoints;

    establishes new IPSec links (creates an SA pair);

    manages existing links.

IKE uses UDP port 500. When using NAT Traversal, as mentioned earlier, IKE uses UDP port 4500.

IKE data exchange occurs in 2 phases. In the first phase, an IKE SA is established. In this case, the channel endpoints are authenticated and the data protection parameters are selected, such as the encryption algorithm, session key, etc.

In the second phase, the IKE SA is used to negotiate the SAs of the protocol being protected (usually IPSec).

With a VPN tunnel configured, one SA pair is created for each protocol used. SAs are created in pairs because each SA is a unidirectional connection, and data must be sent in two directions. The resulting SA pairs are stored on each node.

Since each node is able to establish multiple tunnels with other nodes, each SA has a unique number to determine which node it belongs to. This number is called the SPI (Security Parameter Index) or security parameter index.

SAs are stored in a database called the SAD (Security Association Database).

Each IPSec node also has a second DB - SPD (Security Policy Database) - database of security policy. It contains the configured site policy. Most VPN solutions allow the creation of multiple policies with combinations of suitable algorithms for each node to which you want to connect.

The flexibility of IPSec lies in the fact that for each task there are several ways to solve it, and the methods chosen for one task usually do not depend on the methods for implementing other tasks. At the same time, the IETF working group has defined a basic set of supported functions and algorithms, which should be consistently implemented in all products that support IPSec. The AH and ESP mechanisms can be used with a variety of authentication and encryption schemes, some of which are required. For example, IPSec specifies that packets are authenticated using either one-way MD5 or one-way SHA-1, and encryption is done using DES. Manufacturers of products running IPSec can add other authentication and encryption algorithms. For example, some products support encryption algorithms such as 3DES, Blowfish, Cast, RC5, etc.

Any symmetric encryption algorithm that uses secret keys can be used to encrypt data in IPSec.

The traffic protection protocols (AH and ESP) can operate in two modes: transport mode and tunnel mode. In transport mode, IPsec works only with transport layer information, i.e. only the data field of the packet containing the TCP/UDP protocols is encrypted (the IP packet header is not changed and not encrypted). Transport mode is typically used to establish a connection between hosts.

Tunnel mode encrypts the entire IP packet, including the network layer header. In order to transfer it over the network, it is placed in another IP packet. It is essentially a secure IP tunnel. Tunnel mode can be used to connect remote computers to a virtual private network (the "host-network" connection scheme) or to organize secure data transmission through open communication channels (for example, the Internet) between gateways, combining different parts of a virtual private network ("network-network").

IPsec modes are not mutually exclusive. On the same node, some SAs can use transport mode while others use tunnel mode.

In the authentication phase, the ICV (Integrity Check Value) checksum of the packet is calculated. This assumes that both nodes know the secret key, which allows the receiver to calculate the ICV and compare it with the result sent by the sender. If the ICV comparison is successful, the sender of the packet is considered authenticated.

In AH transport mode, the ICV checksum covers the following components:

    the entire IP header, with the exception of the fields that can be changed in transit. These fields, whose values are taken as 0 for the ICV calculation, are Type of Service (TOS), flags, fragment offset, time to live (TTL) and the header checksum;

    all fields in AH;

    payload of IP packets.

AH in transport mode protects the IP header (except for the fields that can be modified) and the payload in the original IP packet (Figure 3.39).

In tunnel mode, the original packet is placed in a new IP packet and data transmission is performed based on the header of the new IP packet.

In AH tunnel mode, the ICV checksum covers the following components:

    all fields in the outer IP header, with the exception of the fields that can be changed in transit. These fields, whose values are taken as 0 for the ICV calculation, are Type of Service (TOS), flags, fragment offset, time to live (TTL) and the header checksum;

    all AH fields;

    original IP packet.

As you can see in the following illustration, AH tunneling mode protects the entire original IP packet with an additional outer header that is not used in AH transport mode:

Figure 6.10. Tunnel and transport modes of the AH protocol

In ESP transport mode, ESP does not authenticate the entire packet but only protects the IP payload. The ESP header is inserted into the IP packet immediately after the IP header, and the ESP trailer (ESP Trailer) is appended after the data.

ESP transport mode encrypts the following part of the packet:

    IP payload;

An encryption algorithm that uses Cipher Block Chaining (CBC) mode has an unencrypted field between the ESP header and the payload. This field is called the Initialization Vector (IV) for the CBC calculation performed at the receiver. Since this field is used to start the decryption process, it cannot itself be encrypted. Although an attacker can see the IV, they will not be able to decrypt the encrypted part of the packet without the encryption key. To prevent intruders from changing the initialization vector, it is protected by the ICV checksum. In this case, the ICV is calculated over:

    all fields in the ESP header;

    payload including plain text IV;

    all fields in ESP Trailer except for the authentication data field.

ESP tunnel mode encapsulates the entire original IP packet in a new IP header, an ESP header and an ESP Trailer. To indicate that ESP is present, the protocol field of the outer IP header is set to 50; the original IP header and payload are left unchanged. As with AH tunnel mode, the outer IP header is built from the IPSec tunnel configuration. In ESP tunnel mode, the authenticated scope of the IP packet shows which part is covered by the signature, confirming its integrity and authenticity, and the encrypted scope shows which part is kept confidential. The original header is placed after the ESP header. After the encrypted portion is encapsulated in the new, unencrypted tunnel header, the IP packet is transmitted. When sent over the public network, such a packet is routed to the IP address of the receiving network's gateway; the gateway decrypts the packet, removes the ESP header and uses the original IP header to route the packet to a computer on the internal network. ESP tunnel mode encrypts the following part of the packet:

    original IP packet;

For ESP tunnel mode, the ICV is calculated over:

    all fields in the ESP header;

    original IP packet including plaintext IV;

    all fields in the ESP Trailer except for the authentication data field.

Figure 6.11. ESP tunnel and transport modes

Figure 6.12. Comparison of the ESP and AH protocols

Summary of IPSec settings (alternatives in parentheses):

    Protocol - ESP (AH).

    Mode - tunnel (transport).

    Key exchange method - IKE (manual).

    IKE mode - main (aggressive).

    DH key - group 5 (group 2, group 1): the Diffie-Hellman group used to derive the dynamically generated session keys; the group number determines the key length.

    Authentication - SHA1 (SHA, MD5).

    Encryption - DES (3DES, Blowfish, AES).

When creating a policy, it is usually possible to define an ordered list of algorithms and Diffie-Hellman groups. Diffie-Hellman (DH) is a key agreement protocol used to establish shared secret keys for IKE, IPSec and PFS (Perfect Forward Secrecy). In this case, the first entry that matches on both nodes will be used. It is very important that the whole security policy allows such a match. If everything matches except for one part of the policy, the peers will still be unable to establish a VPN connection. When setting up a VPN tunnel between different systems, you need to find out which algorithms are supported by each side so that you can choose the most secure policy available to both.

The main settings that the security policy includes:

    Symmetric algorithms for encrypting / decrypting data.

    Cryptographic checksums for checking data integrity.

    Host identification method. The most common methods are pre-shared secrets or CA certificates.

    Whether to use tunnel mode or transport mode.

    Which Diffie-Hellman group to use (DH group 1 (768-bit); DH group 2 (1024-bit); DH group 5 (1536-bit)).

    Whether to use AH, ESP, or both.

    Whether to use PFS.

The limitation of IPSec is that it only supports data transfer at the IP protocol layer.

There are two main schemes for using IPSec, differing in the role of the nodes that form the secure channel.

In the first scheme, a secure channel is formed between the end hosts of the network. In this scheme, IPSec runs on the end hosts themselves and protects their traffic:

Figure 6.13. Creating a secure channel between two endpoints

In the second scheme, a secure channel is established between two Security Gateways. These gateways receive data from end hosts connected to the networks behind them. The end hosts in this case do not support the IPSec protocol; traffic directed to the public network passes through the Security Gateway, which protects it on the hosts' behalf.

Figure 6.14. Creating a secure channel between two gateways

For hosts that support IPSec, both transport and tunnel modes can be used. For gateways, only tunnel mode is allowed.

Setting up and maintaining a VPN

As mentioned above, setting up and maintaining a VPN tunnel is a two-step process. In the first stage (phase), the two nodes agree on an identification method, encryption algorithm, hash algorithm and Diffie-Hellman group. They also identify each other. All this can take place through an exchange of three unencrypted messages (the so-called Aggressive mode) or six messages, with the identification information exchanged encrypted (the standard Main mode).

In Main Mode, it is possible to agree on all configuration parameters of the sender and receiver devices, while in Aggressive Mode this is not possible, and some parameters (Diffie-Hellman group, encryption and authentication algorithms, PFS) must be pre-configured identically on each device. However, in this mode, both the number of exchanges and the number of packets sent are fewer, as a result of which it takes less time to establish an IPSec session.

Figure 6.15. Message exchange in standard (a) and aggressive (b) modes

Assuming the operation completes successfully, the first-phase SA is created (Phase 1 SA, also called the IKE SA) and the process proceeds to the second phase.

In the second phase, keying material is generated and the nodes agree on the policy to be used. This mode, also called Quick mode, differs from the first phase in that it can only be established after the first phase, and all packets of the second phase are encrypted. Correct completion of the second phase results in the Phase 2 SA (or IPSec SA), and this completes the establishment of the tunnel.

First, a packet arrives at a node with a destination address in another network, and the node initiates the first phase with the node responsible for that other network. Let's say the tunnel between the nodes was successfully established and is waiting for packets. However, after a certain period of time the nodes need to re-identify each other and compare policies again. This period is called the Phase One lifetime or IKE SA lifetime.

Nodes must also change the encryption key over a period of time called the Phase Two lifetime or IPSec SA lifetime.

Phase Two lifetime is shorter than that of the first phase, because the key must be changed more often. You need to set the same lifetime parameters for both nodes. If this is not done, then it is possible that the tunnel will initially be established successfully, but after the first inconsistent period of time to live, the connection will be interrupted. Problems can also arise in the case when the lifetime of the first phase is less than that of the second phase. If a previously configured tunnel stops working, then the first thing that needs to be checked is the lifetime on both nodes.

It should also be noted that if you change the policy on one of the nodes, the changes will take effect only at the next onset of the first phase. For the changes to take effect immediately, the SA for this tunnel must be removed from the SAD database. This will force a renegotiation of the agreement between the nodes with new security policy settings.

Sometimes, when setting up an IPSec tunnel between equipment from different manufacturers, there are difficulties associated with negotiating parameters when establishing the first phase. You should pay attention to such parameter as Local ID - this is a unique identifier of the tunnel endpoint (sender and receiver). This is especially important when creating multiple tunnels and using the NAT Traversal protocol.

Dead Peer Detection

During VPN operation, in the absence of traffic between the tunnel endpoints, or when the original data of the remote node changes (for example, a dynamically assigned IP address changes), a situation may arise where the tunnel is, in fact, no longer a tunnel at all, becoming a kind of ghost tunnel. To maintain constant readiness for data exchange in the established IPSec tunnel, the IKE mechanism described in RFC 3706 allows the presence of traffic from the remote tunnel node to be monitored; if it is absent for a specified time, a hello message is sent (D-Link firewalls send the message "DPD-RU-THERE"). If there is no response to this message within a certain time, set in D-Link firewalls by the "DPD Expire Time" parameter, the tunnel is torn down. After that, D-Link firewalls automatically try to re-establish the tunnel according to the "DPD Keep Time" setting (Fig. 6.18).

NAT Traversal protocol

IPsec traffic can be routed according to the same rules as other IP protocols, but since the router cannot always retrieve information specific to transport layer protocols, IPsec cannot pass through NAT gateways. As mentioned earlier, to address this problem, the IETF has defined a way to encapsulate ESP in UDP called NAT-T (NAT Traversal).

NAT Traversal encapsulates IPSec traffic and simultaneously creates UDP packets that NAT forwards correctly. To do this, NAT-T places an additional UDP header in front of the IPSec packet so that it is treated as a regular UDP packet throughout the network and the recipient host does not perform any integrity checks. Once the packet arrives at its destination, the UDP header is removed and the data packet continues on its way as an encapsulated IPSec packet. Thus, using the NAT-T mechanism, it is possible to establish communication between IPSec clients on secure networks and public IPSec hosts through firewalls.

When configuring D-Link firewalls in the receiving device, two items should be noted:

    in the Remote Network and Remote Endpoint fields, specify the network and IP address of the remote sending device. It is necessary to allow the translation of the IP address of the initiator (sender) using NAT technology (Figure 3.48).

    when using shared keys with multiple tunnels connected to the same remote firewall that have been NATed to the same address, it is important to ensure that the Local ID is unique for each tunnel.

Local ID can be one of:

    Auto - the IP address of the outgoing traffic interface is used as the local identifier.

    IP - the IP address of the WAN port of the remote firewall.

    DNS - a DNS address.

    Many people are interested in knowing what a VPN connection is and why you need it. Let's deal with this in simple, everyday language, without professional terminology, so that everyone can understand what it is. A VPN connection is a secured network (tunnel) created within the Internet, which itself is not secured. In its simplest form, this is a tunnel consisting of a VPN client, which is located on the user's PC, and a VPN server. Inside the tunnel there are:

    Encryption;

    Changing information exchanged between the user's PC and sites located on the Internet.

    The advantages of this protection

    And what is its advantage? Sometimes a VPN is required to hide your IP address in order to become an anonymous user. There are times when it is needed to download files from a network that prohibits doing so from the IP addresses of the countries in which the clients are located. There is also a need to encrypt traffic transmitted from the user's PC to the destination (endpoint). It turns out that there are quite a few situations in which a VPN connection is used.

    VPN connection mechanism

    Let's look at an example that we often encounter in real life. Free and often open Wi-Fi networks are growing in popularity these days. They are everywhere:

    In restaurants;

    In hotels;

    In other public places.

    The number of devices that allow you to connect to the Internet is constantly increasing. There are PDAs, mobile phones, netbooks and other devices. This pleases modern people, as it allows them to easily check their mail and visit social networks in many places; now you can even work on vacation, combining business with pleasure.

    But have you ever wondered how safe it is? Are you sure that in the open space of unsecured networks, no one will steal your credentials and passwords? Not everyone knows, but by analyzing such unprotected traffic, it is easy to gain access to personal information by establishing control over your PC. This is where a VPN connection comes in. You must install it before connecting over an unsecured network.

    How to install a VPN

    Setting up a VPN in Windows 7 isn't hard. The principle is almost the same as in any other case: you need the Control Panel; there, go to the section called "Network and Internet", in which you click on "Set up a new connection or network". After that, select the connection option. The item you want is "Connect to a workplace"; it is this item that will allow you to configure the VPN. Then you need to provide information about how the VPN connection will be made: on top of an existing Internet connection or by dialing a dedicated phone number. If in doubt, opt for the first option. In the next step, enter the IP address (or the name of the PC) to which you will connect using the VPN tunnel. Ask for this address if you do not know it. Then enter your access credentials and click the "Connect" button.

    It is important to create a VPN connection: once the secure channel is established, data interception is no longer a concern. You can safely check your mail and log in to the sites you need with your password.

    You've probably heard about VPNs, however, most likely you haven't used this type of service until now.

    What is this tool, and how effective is it? At a cursory glance you may not see the true value of such services, but over time you will find that such connections are as important as the Internet itself.

    This article explains what a VPN is, how it works, and how it is useful for you.

    Read this guide and you will easily understand why it is worth using a VPN service when you browse the Internet while connected to public wireless networks (hereinafter OBS).

    In short, a VPN is defined as an interconnection between local area networks (LANs) using a secure tunnel that typically runs over the Internet.

    This means that a VPN extends a private network across the public network, allowing users to send and receive sensitive data.

    The computers will then behave as if they were directly connected to the same local network, even if, from a physical point of view, they are not on the same local network.

    This information is easier to understand if I give an example of a real-life situation.

    Let's say you and a colleague / friend want to exchange a lot of information, but your partner is out of town and is not on your local network.

    The simplest solution to this problem is to set up a VPN connection to your local network, which will allow a friend / colleague to connect to the virtual network.

    This connection will pretend that you are both on the same local network and information exchange can be achieved more easily.

    In other words, such a connection will help you pretend that you are on the same local network when, in fact, your only connection is the Internet.

    How VPN works

    To plunge a little deeper into specific details, it should be said about Internet traffic.

    When you access various Internet services, the source of your traffic is your own local area network (LAN).

    However, this situation will change if you are connected to a VPN and all your traffic goes through this virtual network - the outside world sees you as part of the local VPN network. Thus, the source is no longer your local network, but a VPN connection.

    This means that sites and other services with which you communicate will no longer be able to see the real IP address of your computer as a source of requests for access, but will see the address of the virtual private network that you are using.

    In addition, your ISP will only see one connection: the VPN established between you and the service you are using, all of which will be fully encrypted.

    Thus, the provider will not be able to see what you are doing inside the VPN connection, therefore, will not be able to control anything.

    However, there is a small problem: if you are using a VPN server, then it is very likely that the ISP can see the network traffic.

    However, the ISP will not be able to figure out what is happening on the network traffic, because your activity is happening on the VPN server and not on your computer.

    In some respects, this function is similar to typical proxies, provided that your ISP only sees the proxy connection and therefore the proxy is the source of your access.

    However, unlike a VPN, proxy connections can be easily monitored by your ISP, because it can see the access requests you make, provided they are not encrypted. In other words, a simple search will reveal all of your online activity.

    How to connect to a VPN

    There are several ways to connect to a VPN, but the main idea behind any of them is that you must identify yourself.

    The easiest way to establish a secure connection is through a direct connection to the VPN server using a username and password.

    If you want to connect in Windows 10 using the method described above, I recommend reading the instructions:, and if on android devices,

    There is also the option of installing special software that will allow you to create a secure tunnel.

    This program handles encryption and decryption of transmitted data. As with the previous method, this requires a username and password to verify your identity as required.

    However, you have the option to use other forms of authentication like tokens or smart cards.

    The advantage of using identification is that it is very difficult to hack such a connection, even for hackers. Moreover, each identification is unique.

    Benefits of Using a Virtual Private Network (VPN)

    Below is a short summary of the benefits of using VPNs:

    • All traffic between you and the VPN service you are using is encrypted, making it impossible to see what you are doing on the Internet.
    • As long as you are connected to a VPN (which has no restrictions), you will be able to access any site without censorship.
    • You can access services and sites that are restricted in your area or geographic location if you use a VPN server that is located in the region where they are available.
    • Connecting to servers will not show your real IP address, only the VPN server.
    • You can surf the internet, check emails or send confidential information in public without the risk of being spied on.

    VPNs have become a necessity in the era of online monitoring, especially if you want to protect your privacy or want to have secure connections.

    This creates a private tunnel of a closed connection that cannot be decrypted by outside agents such as an Internet service provider or others.

    This means that the information you send and receive cannot be intercepted.

    Hope this article helped you understand more clearly what a VPN is and how it works. If you have any questions, please contact us in the comments using the form below. Good luck.