Fuel cell designs. fuel cells

06.06.2019

Imagine a scene from an action movie in which a villain flees a crime scene down a highway in a sports car. He is pursued by a police helicopter. The car enters a tunnel with several exits. The helicopter pilot does not know from which exit the car will appear, and the villain escapes the chase.

A VPN is that tunnel, one that joins many roads. Nobody outside knows where the cars that enter it will come out, and nobody outside knows what is going on inside the tunnel.

You've probably heard of VPNs more than once. Lifehacker has written about them too. Most often a VPN is recommended because it lets you reach geo-restricted content and, in general, improves security when using the Internet. The truth is that accessing the Internet through a VPN can be no less dangerous than connecting directly.

How Does a VPN Work?

Most likely, you have a Wi-Fi router at home. Devices connected to it can exchange data even without the Internet. It turns out that you have your own private network, but in order to connect to it, you need to be physically within range of the router's signal.

VPN (Virtual Private Network) is a virtual private network. It works over the Internet, so you can connect to it from anywhere.

For example, the company you work for may use a virtual private network for remote employees. Using a VPN, they connect to a work network. At the same time, their computers, smartphones or tablets are virtually transferred to the office and connected to the network from the inside. To enter a virtual private network, you need to know the VPN server address, username and password.

Using a VPN is pretty easy. Typically a company sets up a VPN server on a local machine, a dedicated server or in a data center, and users connect to it with a VPN client on their device.

Now built-in VPN clients are available in all current operating systems, including Android, iOS, Windows, macOS and Linux.

The VPN connection between the client and the server is usually encrypted.

So VPN is good?

Yes, if you are a business owner and want to secure corporate data and services. By letting employees into the work environment only through a VPN with individual accounts, you always know who did what and who is doing what.

Moreover, the VPN owner can monitor and control all the traffic that goes between the server and the user.

Do employees spend a lot of time on VKontakte? You can close access to this service. Does Gennady Andreevich spend half of his day on websites with memes? All his activity is automatically logged and becomes an ironclad argument for dismissal.

Why VPN then?

A VPN allows you to bypass geographic and legal restrictions.

For example, you are in Russia and want to . You are sorry to learn that this service is not available from Russia. You can only use it by accessing the Internet through the VPN server of the country in which Spotify operates.

In some countries, there is Internet censorship that restricts access to certain sites. You want to go to some resource, but in Russia it is blocked. You can open the site only by accessing the Internet through the VPN server of the country in which it is not blocked, that is, from almost any country except the Russian Federation.

VPN is a useful and necessary technology that does a good job with a certain range of tasks. But the security of personal data still depends on the good faith of the VPN service provider, your common sense, mindfulness and internet literacy.

The Internet is increasingly used as a means of communication between computers because it offers efficient and inexpensive connectivity. However, the Internet is a public network, and to ensure secure communication through it some mechanism is needed that satisfies at least the following requirements:

    confidentiality of information;

    data integrity;

    availability of information.

These requirements are met by a mechanism called VPN (Virtual Private Network), a generalized name for technologies that allow one or more network connections (a logical network) to be provided over another network (for example, the Internet) using cryptographic tools (encryption, authentication, public key infrastructure, and protection against replay and modification of messages transmitted over the logical network).

Creating a VPN does not require additional investments and allows you to stop using leased lines. Depending on the protocols used and the purpose, a VPN can provide three types of connections: host-host, host-network, and network-network.

For clarity, let's imagine the following example: an enterprise has several territorially remote branches and "mobile" employees working at home or on the road. It is necessary to unite all employees of the enterprise in a single network. The easiest way is to put modems in each branch and organize communication as needed. Such a solution, however, is not always convenient and profitable - sometimes you need a constant connection and a large bandwidth. To do this, you will either have to lay a dedicated line between branches, or rent them. Both are quite expensive. And here, as an alternative, when building a single secure network, you can use VPN connections of all company branches via the Internet and configure VPN tools on network hosts.

Fig. 6.4. Site-to-site VPN connection

Fig. 6.5. Host-to-network VPN connection

In this case, many problems are solved - branches can be located anywhere around the world.

The danger here is that, firstly, an open network is exposed to attacks by intruders from around the world. Secondly, all data is transmitted over the Internet in the clear, and attackers who have compromised the network will have all the information transmitted over it. And, thirdly, data can be not only intercepted but also replaced in transit. An attacker could, for example, compromise the integrity of databases by acting on behalf of the clients of one of the trusted branches.

To prevent this from happening, VPN solutions use tools such as data encryption to ensure integrity and confidentiality, authentication and authorization to verify user rights and allow access to a virtual private network.

A VPN connection always consists of a point-to-point link, also known as a tunnel. The tunnel is created in an insecure network, which is most often the Internet.

Tunneling, or encapsulation, is a way to transfer useful information through an intermediate network. Such information may be frames (or packets) of another protocol. With encapsulation, the frame is not transmitted as it was generated by the sending host, but is given an additional header containing routing information that allows the encapsulated packets to pass through the intermediate network (the Internet). At the end of the tunnel, the frames are de-encapsulated and delivered to the recipient. Typically, a tunnel is created by two edge devices located at the entry points to the public network. One of the obvious advantages of tunneling is that it allows the entire original packet to be encrypted, including the header, which may contain information that attackers use to break into the network (for example, IP addresses, the number of subnets, etc.).

Although a VPN tunnel is established between two points, each host can establish additional tunnels with other hosts. For example, when three remote stations need to contact the same office, three separate VPN tunnels will be created to this office. For all tunnels, the node on the office side can be the same. This is possible due to the fact that the node can encrypt and decrypt data on behalf of the entire network, as shown in the figure:

Fig. 6.6. Creating VPN tunnels for multiple remote locations

The user establishes a connection to the VPN gateway, after which the user has access to the internal network.

Within a private network, encryption itself does not occur. The reason is that this part of the network is considered secure and under direct control, as opposed to the Internet. This is also true when connecting offices using VPN gateways. Thus, encryption is guaranteed only for information that is transmitted over an insecure channel between offices.

There are many different solutions for building virtual private networks. The most famous and widely used protocols are:

    PPTP (Point-to-Point Tunneling Protocol) - this protocol has become quite popular due to its inclusion in Microsoft operating systems.

    L2TP (Layer-2 Tunneling Protocol) - combines the L2F (Layer 2 Forwarding) protocol and the PPTP protocol. Typically used in conjunction with IPSec.

    IPSec (Internet Protocol Security) is an official Internet standard developed by the IETF (Internet Engineering Task Force) community.

The listed protocols are supported by D-Link devices.

The PPTP protocol is primarily intended for virtual private networks based on dial-up connections. The protocol allows you to organize remote access, so that users can establish dial-up connections with Internet providers and create a secure tunnel to their corporate networks. Unlike IPSec, the PPTP protocol was not originally intended to organize tunnels between local networks. PPTP extends the capabilities of PPP, a data-link protocol that was originally designed to encapsulate data and deliver it over point-to-point connections.

The PPTP protocol allows you to create secure channels for data exchange using various protocols - IP, IPX, NetBEUI, etc. The data of these protocols is packed into PPP frames, which are encapsulated using PPTP into IP packets. They are then transported using IP in encrypted form over any TCP/IP network. The receiving node extracts the PPP frames from the IP packets and then processes them in the standard way, i.e. extracts an IP, IPX or NetBEUI packet from the PPP frame and sends it over the local network. Thus, the PPTP protocol creates a point-to-point connection in the network and transmits data over the created secure channel. The main advantage of encapsulating protocols such as PPTP is their multiprotocol nature. That is, data protection at the data link layer is transparent to network and application layer protocols. Therefore, within the network, either the IP protocol (as in the case of an IPSec-based VPN) or any other protocol can be used as a transport.

Currently, due to the ease of implementation, the PPTP protocol is widely used both for obtaining reliable secure access to a corporate network and for accessing ISP networks when a client needs to establish a PPTP connection with an ISP in order to access the Internet.

The encryption method used in PPTP is specified at the PPP layer. Typically, the PPP client is a desktop computer running a Microsoft operating system, and the encryption protocol is Microsoft Point-to-Point Encryption (MPPE). This protocol is based on the RSA RC4 standard and supports 40 or 128 bit encryption. For many applications of this level of encryption, using this algorithm is sufficient, although it is considered less secure than a number of other encryption algorithms offered by IPSec, in particular, the 168-bit Triple-Data Encryption Standard (3DES).

How is a PPTP connection established?

PPTP encapsulates IP packets for transmission over an IP network. PPTP clients create a tunnel control connection that keeps the link alive. This process is performed at the transport layer of the OSI model. After the tunnel is created, the client computer and the server start exchanging service packets.

In addition to the PPTP control connection, a connection is created to send data over the tunnel. Encapsulating data before sending it to the tunnel involves two steps. First, the information part of the PPP frame is created. Data flows from top to bottom, from the OSI application layer to the link layer. The received data is then sent up the OSI model and encapsulated by upper layer protocols.

Data from the link layer reaches the transport layer. However, the information cannot be sent to its destination, since the OSI link layer is responsible for this. Therefore, PPTP encrypts the payload field of the packet and takes over the layer 2 functions that usually belong to PPP, i.e. adds a PPP header and trailer to the PPTP packet. This completes the creation of the link layer frame. Next, PPTP encapsulates the PPP frame in a Generic Routing Encapsulation (GRE) packet, which belongs to the network layer. GRE encapsulates network layer protocols such as IP and IPX so that they can be transported over IP networks. However, GRE alone does not provide session establishment or data security; for this PPTP uses its ability to create a tunnel control connection. The use of GRE as the encapsulation method limits PPTP to IP networks.

After the PPP frame has been encapsulated in a frame with a GRE header, it is encapsulated in a frame with an IP header. The IP header contains the sender and recipient addresses of the packet. Finally, PPTP adds a PPP header and ending.

Fig. 6.7 shows the data structure for forwarding over a PPTP tunnel:

Fig. 6.7. Data structure for forwarding over a PPTP tunnel

Setting up a VPN based on PPTP does not require large expenses and complex settings: it is enough to install a PPTP server in the central office (PPTP solutions exist for both Windows and Linux platforms), and make the necessary settings on client computers. If you need to combine several branches, then instead of setting up PPTP on all client stations, it is better to use an Internet router or a firewall with PPTP support: settings are made only on a border router (firewall) connected to the Internet, everything is absolutely transparent for users. Examples of such devices are DIR/DSR multifunctional Internet routers and DFL series firewalls.

GRE tunnels

Generic Routing Encapsulation (GRE) is a network packet encapsulation protocol that provides traffic tunneling through networks without encryption. Examples of using GRE:

    transmission of traffic (including broadcast) through equipment that does not support a specific protocol;

    tunneling IPv6 traffic through an IPv4 network;

    data transmission over public networks to implement a secure VPN connection.

Fig. 6.8. An example of a GRE tunnel

Between routers A and B (Fig. 6.8) there are several other routers; the GRE tunnel provides a connection between the local networks 192.168.1.0/24 and 192.168.3.0/24 as if routers A and B were connected directly.

L2TP

The L2TP protocol appeared as a result of the merger of the PPTP and L2F protocols. The main advantage of the L2TP protocol is that it allows you to create a tunnel not only in IP networks, but also in ATM, X.25 and Frame relay networks. L2TP uses UDP as a transport and uses the same message format for both tunnel management and data forwarding.

As in the case of PPTP, L2TP begins assembling a packet for transmission into the tunnel by first adding the PPP header, then the L2TP header, to the PPP information data field. The resulting packet is encapsulated in UDP. Depending on the type of IPSec security policy chosen, L2TP can encrypt the UDP messages and add an Encapsulating Security Payload (ESP) header and trailer, as well as an IPSec Authentication trailer (see the "L2TP over IPSec" section). Then it is encapsulated in IP: an IP header is added containing the sender and recipient addresses. Finally, L2TP performs a second PPP encapsulation to prepare the data for transmission. Fig. 6.9 shows the data structure to be sent over an L2TP tunnel.

Fig. 6.9. Data structure for forwarding over an L2TP tunnel

The receiving computer receives the data, processes the PPP header and ending, and strips the IP header. IPSec Authentication authenticates the IP information field, and the IPSec ESP header helps decrypt the packet.

The computer then processes the UDP header and uses the L2TP header to identify the tunnel. The PPP packet now contains only the payload that is being processed or forwarded to the specified recipient.

IPsec (short for IP Security) is a set of protocols for securing data transmitted over the IP Internet Protocol, allowing authentication and/or encryption of IP packets. IPsec also includes protocols for secure key exchange on the Internet.

IPSec security is achieved through additional protocols that add their own headers to the IP packet (encapsulation). Since IPSec is an Internet standard, it is described in RFC documents:

    RFC 2401 (Security Architecture for the Internet Protocol) - the security architecture for the IP protocol.

    RFC 2402 (IP Authentication Header) - the IP authentication header.

    RFC 2404 (The Use of HMAC-SHA-1-96 within ESP and AH) - use of the SHA-1 hashing algorithm to create an authentication header.

    RFC 2405 (The ESP DES-CBC Cipher Algorithm With Explicit IV) - use of the DES encryption algorithm.

    RFC 2406 (IP Encapsulating Security Payload (ESP)) - data encryption.

    RFC 2407 (The Internet IP Security Domain of Interpretation for ISAKMP) - the scope of the key management protocol.

    RFC 2408 (Internet Security Association and Key Management Protocol (ISAKMP)) - key and authenticator management for secure connections.

    RFC 2409 (The Internet Key Exchange (IKE)) - key exchange.

    RFC 2410 (The NULL Encryption Algorithm and Its Use With IPsec) - the NULL encryption algorithm and its use.

    RFC 2411 (IP Security Document Roadmap) - further development of the standard.

    RFC 2412 (The OAKLEY Key Determination Protocol) - checking the authenticity of a key.

IPsec is an integral part of the IPv6 Internet Protocol and an optional extension of the IPv4 version of the Internet Protocol.

The IPSec mechanism performs the following tasks:

    authentication of users or computers during secure channel initialization;

    encryption and authentication of data transmitted between endpoints of a secure channel;

    automatic supply of channel endpoints with secret keys necessary for the operation of authentication and data encryption protocols.

IPSec Components

The AH (Authentication Header) protocol is an authentication header protocol. It ensures integrity by verifying that no bits in the protected part of the packet have been changed in transit. Using AH can cause problems, however, for example when a packet passes through a NAT device. NAT rewrites the packet's IP address to allow Internet access from a private local address. Since the packet is changed, the AH checksum no longer verifies (to eliminate this problem, NAT-Traversal (NAT-T) was developed, which carries ESP over UDP and uses UDP port 4500). It is also worth noting that AH was designed for integrity only: it does not provide confidentiality, as it does not encrypt the contents of the packet.

The ESP (Encapsulation Security Payload) protocol provides not only the integrity and authentication of transmitted data, but also data encryption, as well as protection against packet spoofing.

The ESP protocol is an encapsulating security protocol that provides both integrity and confidentiality. In transport mode, the ESP header is between the original IP header and the TCP or UDP header. In tunnel mode, the ESP header is placed between the new IP header and the fully encrypted original IP packet.

Because both protocols, AH and ESP, add their own headers to the IP packet, each of them has its own protocol number (ID) by which you can determine what follows the IP header. Every protocol has such a number (ID) assigned by IANA (Internet Assigned Numbers Authority, the organization responsible for the Internet's address space). For example, for TCP this number is 6 and for UDP it is 17. It is therefore very important, when working through a firewall, to configure the filters so that they pass packets with the protocol ID of AH and/or ESP.

Protocol ID 51 is set to indicate that AH is present in the IP header, and 50 for ESP.

ATTENTION: The protocol ID is not the same as the port number.
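To make the protocol-ID-versus-port distinction concrete, here is an added Python example (not part of the original text) that classifies constructed IPv4 packets by what a firewall filter would have to match. The numbers 6, 17, 50, 51, 500 and 4500 come from the text above; 47 for GRE (the PPTP data channel) is a known IANA assignment added here, and all packets are constructed samples.

```python
import struct

# IP protocol numbers (IANA). 6, 17, 50 and 51 appear in the text above;
# 47 (GRE, the PPTP data channel) is a known assignment added here.
IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_GRE = 47
IPPROTO_ESP = 50
IPPROTO_AH = 51

# UDP ports used by IKE and by NAT-Traversal (from the text).
IKE_PORT = 500
NAT_T_PORT = 4500


def ip_bytes(addr: str) -> bytes:
    """Dotted-quad string to four network-order bytes."""
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4(proto: int, src: str, dst: str, payload: bytes, ttl: int = 64) -> bytes:
    """Constructed IPv4 packet with a 20-byte header and no options.
    The header checksum is left at zero; it plays no role in classification."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45,               # version 4, IHL = 5 words
                         0,                  # TOS
                         20 + len(payload),  # total length
                         0, 0,               # identification, flags/fragment offset
                         ttl, proto,
                         0,                  # header checksum (omitted)
                         ip_bytes(src), ip_bytes(dst))
    return header + payload


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    """Constructed UDP datagram; checksum left at zero."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def classify_vpn_packet(pkt: bytes) -> tuple:
    """Return (kind, filter) for an IPv4 packet, where `filter` is what a
    firewall rule must match for this traffic to pass. AH, ESP and GRE are
    identified by the IP protocol number alone: they carry no ports. Only
    for UDP does a port (500 for IKE, 4500 for NAT-T) come into play."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _len, _id, _ff, _ttl, proto, _csum, _src, _dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    payload = pkt[ihl:]

    if proto == IPPROTO_AH:
        return ("AH", f"ip protocol {IPPROTO_AH}")
    if proto == IPPROTO_ESP:
        return ("ESP", f"ip protocol {IPPROTO_ESP}")
    if proto == IPPROTO_GRE:
        return ("GRE", f"ip protocol {IPPROTO_GRE}")
    if proto == IPPROTO_UDP:
        if len(payload) < 8:
            raise ValueError("truncated UDP header")
        sport, dport = struct.unpack("!HH", payload[:4])
        if IKE_PORT in (sport, dport):
            return ("IKE", f"udp port {IKE_PORT}")
        if NAT_T_PORT in (sport, dport):
            return ("NAT-T", f"udp port {NAT_T_PORT}")  # IKE or UDP-encapsulated ESP
        return ("UDP", f"udp port {dport}")
    return ("OTHER", f"ip protocol {proto}")


if __name__ == "__main__":
    a, b = "203.0.113.1", "198.51.100.2"   # constructed, documentation-range addresses
    samples = {
        "esp": build_ipv4(IPPROTO_ESP, a, b, b"\x00" * 16),
        "ike": build_ipv4(IPPROTO_UDP, a, b, build_udp(500, 500, b"\x00" * 28)),
        # UDP to port 50 is *not* ESP: a port number is not a protocol ID.
        "udp50": build_ipv4(IPPROTO_UDP, a, b, build_udp(40000, 50, b"x")),
    }
    for name, pkt in samples.items():
        print(name, classify_vpn_packet(pkt))
```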

IKE (Internet Key Exchange) is a standard IPsec protocol used to secure communication in virtual private networks. The purpose of IKE is the secure negotiation and delivery of authenticated keying material for a security association (SA).

An SA is the IPSec term for a connection. An established SA (a secure channel, called a "security association", SA) includes a shared secret key and a set of cryptographic algorithms.

The IKE protocol performs three main tasks:

    provides a means of authentication between two VPN endpoints;

    establishes new IPSec links (creates a pair of SAs);

    manages existing relationships.

IKE uses UDP port number 500. When using the NAT Traversal feature, as mentioned earlier, the IKE protocol uses UDP port number 4500.

Data exchange in IKE takes place in two phases. In the first phase, the IKE SA is established: the endpoints of the channel are authenticated and data protection parameters are selected, such as the encryption algorithm, session key, etc.

In the second phase, the IKE SA is used to negotiate a protocol (usually IPSec).

With a configured VPN tunnel, one SA pair is created for each protocol used. SAs are created in pairs, as each SA is a unidirectional connection, and data must be sent in two directions. The received SA pairs are stored on each node.

Because each node can establish multiple tunnels with other nodes, each SA has a unique number that identifies which node it belongs to. This number is called the SPI (Security Parameter Index).

SAs are stored in a database called the SAD (Security Association Database).

Each IPSec node also has a second database, the SPD (Security Policy Database). It contains the host's configured policy. Most VPN solutions allow you to create multiple policies with combinations of suitable algorithms for each host you want to connect to.

The flexibility of IPSec lies in the fact that for each task there are several ways to solve it, and the methods chosen for one task are usually independent of the methods for implementing other tasks. However, the IETF Working Group has defined a core set of supported features and algorithms that must be implemented in the same way across all IPSec-enabled products. The AH and ESP mechanisms can be used with various authentication and encryption schemes, some of which are mandatory. For example, IPSec specifies that packets are authenticated using either the MD5 one-way function or the SHA-1 one-way function, and encryption is done using the DES algorithm. Manufacturers of products that run IPSec may add other authentication and encryption algorithms. For example, some products support encryption algorithms such as 3DES, Blowfish, Cast, RC5, etc.

Any symmetric encryption algorithm that uses secret keys can be used to encrypt data in IPSec.

The traffic protection protocols (AH and ESP) can operate in two modes: transport mode and tunnel mode. In transport mode, IPsec deals only with transport layer information: only the data field of the packet carrying the TCP/UDP segment is encrypted, and the IP header is neither changed nor encrypted. Transport mode is typically used to establish a connection between hosts.

Tunnel mode encrypts the entire IP packet, including the network layer header. In order for it to be transmitted over the network, it is placed inside another IP packet. Essentially, this is a secure IP tunnel. Tunnel mode can be used to connect remote computers to a virtual private network ("host-network" connection scheme) or to organize secure data transfer over open communication channels (for example, the Internet) between gateways, joining different parts of a virtual private network ("network-network" connection scheme).

IPsec modes are not mutually exclusive. On the same host, some SAs may use transport mode, while others may use tunnel mode.

During the authentication phase, the ICV checksum (Integrity Check Value) of the packet is calculated. This assumes that both nodes know the secret key, which allows the recipient to calculate the ICV and compare with the result sent by the sender. If the ICV comparison is successful, the sender of the packet is considered authenticated.

In AH transport mode, the following are included in the ICV calculation:

    the entire IP packet, except for some fields in the IP header that can be changed in transit. These fields are treated as zero for the ICV calculation: Type of Service (TOS), flags, fragment offset, time to live (TTL) and the header checksum;

    all fields in the AH header;

    the IP packet payload.

AH in transport mode protects the IP header (except for fields that are allowed to change) and the payload in the original IP packet (Figure 3.39).

In tunnel mode, the original packet is placed in a new IP packet, and data transfer is performed based on the header of the new IP packet.

For AH tunnel mode, the following components are included in the ICV calculation:

    all fields in the outer IP header, except for some fields that can be changed in transit. These fields are treated as zero for the ICV calculation: Type of Service (TOS), flags, fragment offset, time to live (TTL) and the header checksum;

    all fields in the AH header;

    the original IP packet.

As you can see in the following illustration, AH tunnel mode protects the entire source IP packet with an additional outer header that AH transport mode does not use:

Fig. 6.10. Tunnel and transport modes of the AH protocol
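The following Python code is an added example (not from the original text) that carries the AH transport mode ICV rule above through end to end: it zeroes the mutable IP header fields, computes HMAC-SHA1-96 (RFC 2404, listed earlier) over the header, the AH fields and the payload, and then shows why a TTL decrement by a router still verifies while a NAT address rewrite, the problem noted in the AH description, does not. The key, addresses and payload are constructed values; IP options are not handled.

```python
import hmac
import hashlib
import struct

IPPROTO_UDP = 17
IPPROTO_AH = 51
IP_HDR_LEN = 20      # no IP options in this constructed example
AH_FIXED_LEN = 12    # next header, payload length, reserved, SPI, sequence number
AH_ICV_LEN = 12      # HMAC-SHA1-96: the 20-byte SHA-1 MAC truncated to 96 bits (RFC 2404)


def ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4_header(proto: int, src: str, dst: str, total_len: int,
                      ttl: int = 64, tos: int = 0) -> bytes:
    """Constructed 20-byte IPv4 header. The header checksum is left at zero,
    which is harmless here because AH zeroes it before computing the ICV."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0x1234, 0,
                       ttl, proto, 0, ip_bytes(src), ip_bytes(dst))


def zero_mutable_fields(ip_header: bytes) -> bytes:
    """Copy of the header with the fields that may legitimately change in
    transit (TOS, flags/fragment offset, TTL, header checksum) set to zero,
    as the text describes for the AH ICV. Addresses are NOT zeroed."""
    h = bytearray(ip_header)
    h[1] = 0                  # Type of Service
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)


def build_ah(next_header: int, spi: int, seq: int) -> bytes:
    """AH with the ICV field zeroed (the form used while the ICV is computed)."""
    payload_len = (AH_FIXED_LEN + AH_ICV_LEN) // 4 - 2   # 32-bit words minus 2 (RFC 2402)
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + bytes(AH_ICV_LEN)


def ah_icv(key: bytes, ip_header: bytes, ah_zero_icv: bytes, payload: bytes) -> bytes:
    """ICV over: IP header with mutable fields zeroed, all AH fields (ICV as zeros), payload."""
    data = zero_mutable_fields(ip_header) + ah_zero_icv + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:AH_ICV_LEN]


def ah_protect(key: bytes, src: str, dst: str, next_header: int,
               payload: bytes, spi: int, seq: int) -> bytes:
    """Wrap an upper-layer datagram in AH transport mode: IP | AH | payload."""
    total_len = IP_HDR_LEN + AH_FIXED_LEN + AH_ICV_LEN + len(payload)
    ip_header = build_ipv4_header(IPPROTO_AH, src, dst, total_len)
    ah = build_ah(next_header, spi, seq)
    icv = ah_icv(key, ip_header, ah, payload)
    return ip_header + ah[:AH_FIXED_LEN] + icv + payload


def ah_verify(key: bytes, pkt: bytes) -> bool:
    """Receiver side: recompute the ICV and compare it in constant time."""
    ip_header = pkt[:IP_HDR_LEN]
    ah_fixed = pkt[IP_HDR_LEN:IP_HDR_LEN + AH_FIXED_LEN]
    icv_start = IP_HDR_LEN + AH_FIXED_LEN
    received_icv = pkt[icv_start:icv_start + AH_ICV_LEN]
    payload = pkt[icv_start + AH_ICV_LEN:]
    expected = ah_icv(key, ip_header, ah_fixed + bytes(AH_ICV_LEN), payload)
    return hmac.compare_digest(received_icv, expected)


def forward_through_router(pkt: bytes) -> bytes:
    """A router decrements TTL (checksum update omitted: AH ignores it anyway)."""
    p = bytearray(pkt)
    p[8] -= 1
    return bytes(p)


def forward_through_nat(pkt: bytes, new_src: str) -> bytes:
    """Source NAT rewrites the source address, which AH does protect."""
    p = bytearray(pkt)
    p[12:16] = ip_bytes(new_src)
    return bytes(p)


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-real-use"
    pkt = ah_protect(key, "192.168.1.10", "192.168.3.10", IPPROTO_UDP,
                     b"hello from branch A", spi=0x1000, seq=1)
    print("direct:      ", ah_verify(key, pkt))
    print("via router:  ", ah_verify(key, forward_through_router(pkt)))
    print("via NAT:     ", ah_verify(key, forward_through_nat(pkt, "203.0.113.7")))
```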

In ESP transport mode, the entire packet is not authenticated; only the IP payload is protected. The ESP header in ESP transport mode is added to the IP packet immediately after the IP header, and the ESP trailer (ESP Trailer) is added after the data.

ESP transport mode encrypts the following part of the packet:

    the IP payload.

An encryption algorithm that uses the Cipher Block Chaining (CBC) mode has an unencrypted field between the ESP header and the payload. This field is the IV (Initialization Vector) for the CBC calculation performed at the receiver. Since this field is needed to start decryption, it cannot itself be encrypted. Even though an attacker can see the IV, he cannot decrypt the encrypted part of the packet without the encryption key. To prevent attackers from altering the initialization vector, it is covered by the ICV checksum. In this case, the ICV is calculated over:

    all fields in the ESP header;

    payload including plaintext IV;

    all fields in the ESP Trailer except for the authentication data field.

ESP tunnel mode encapsulates the entire original IP packet in a new IP header, an ESP header and an ESP Trailer. To indicate that ESP is present, the protocol identifier in the new IP header is set to 50; the original IP header and payload remain unchanged. As with AH tunnel mode, the outer IP header is based on the IPSec tunnel configuration. With ESP tunnel mode, the authenticated area of the IP packet shows which part was signed, certifying its integrity and authenticity, and the encrypted part shows which information is protected and confidential. The original header is placed after the ESP header. Once the encrypted part has been encapsulated in a new, unencrypted tunnel header, the IP packet is transmitted. When sent over a public network, such a packet is routed to the IP address of the receiving network's gateway; the gateway decrypts the packet, removes the ESP header and then uses the original IP header to route the packet to a computer on the internal network. ESP tunnel mode encrypts the following part of the packet:

    the original IP packet.

For ESP tunnel mode, the ICV is calculated over:

    all fields in the ESP header;

    the original IP packet, including the plaintext IV;

    all fields in the ESP Trailer except for the authentication data field.

Fig. 6.11. Tunnel and transport modes of the ESP protocol

Fig. 6.12. Comparison of the ESP and AH protocols

Summary of IPSec application modes:

    Protocol - ESP (AH).

    Mode - tunnel (transport).

    Key exchange method - IKE (manual).

    IKE mode - main (aggressive).

    DH key - group 5 (group 2, group 1) - the number of the Diffie-Hellman group used to derive dynamically created session keys; the group determines the key length.

    Authentication - SHA1 (SHA, MD5).

    Encryption - DES (3DES, Blowfish, AES).

When creating a policy, it is usually possible to create an ordered list of algorithms and Diffie-Hellman groups. Diffie-Hellman (DH) is a cryptographic protocol used to establish shared secret keys for IKE, IPSec and PFS (Perfect Forward Secrecy). The first entry that matches on both nodes will be used. It is very important that everything in the security policy allows this match to be reached: if everything matches except one part of the policy, the hosts will still not be able to establish a VPN connection. When setting up a VPN tunnel between different systems, you need to find out which algorithms each side supports so that you can choose the most secure policy possible.

The main settings that the security policy includes:

    Symmetric algorithms for data encryption/decryption.

    Cryptographic checksums to check data integrity.

    Node identification method. The most common methods are pre-shared secrets or CA certificates.

    Whether to use tunnel mode or transport mode.

    Which Diffie-Hellman group to use (DH group 1 (768-bit); DH group 2 (1024-bit); DH group 5 (1536-bit)).

    Whether to use AH, ESP, or both.

    Whether to use PFS.

A limitation of IPSec is that it only supports data transfer at the IP protocol layer.

There are two main schemes for using IPSec, differing in the role of the nodes that form the secure channel.

In the first scheme, a secure channel is formed between the end hosts of the network. Here IPSec protects the host on which it runs:

Fig. 6.13. Creating a secure channel between two endpoints

In the second scheme, a secure channel is established between two Security Gateways. These gateways receive data from end hosts connected to networks behind the gateways. The end hosts in this case do not support the IPSec protocol, the traffic directed to the public network passes through the security gateway, which performs protection on its own behalf.

Fig. 6.14. Creating a secure channel between two gateways

For hosts that support IPSec, both transport mode and tunnel mode can be used. For gateways, only tunnel mode is allowed.

Establishing and maintaining a VPN

As mentioned above, installing and maintaining a VPN tunnel is a two-step process. In the first stage (phase), the two nodes agree on an identification method, an encryption algorithm, a hash algorithm, and a Diffie-Hellman group. They also identify each other. All this can happen as a result of the exchange of three unencrypted messages (the so-called aggressive mode, Aggressive mode) or six messages, with the exchange of encrypted identification information (standard mode, Main mode).

In the Main Mode, it is possible to negotiate all the configuration parameters of the sender and recipient devices, while in the Aggressive Mode this is not possible, and some parameters (Diffie-Hellman group, encryption and authentication algorithms, PFS) must be pre-configured in the same way on each device. However, in this mode, both the number of exchanges and the number of packets sent are fewer, resulting in less time to establish an IPSec session.

Fig. 6.15. Message exchange in standard (a) and aggressive (b) modes

Assuming the operation completed successfully, a first-phase SA is created, the Phase 1 SA (also called the IKE SA), and the process proceeds to the second phase.

In the second phase, keying material is generated and the nodes agree on the policy to be used. This mode, also called Quick mode, differs from Phase 1 in that it can only take place after Phase 1 has completed, so all Phase 2 packets are encrypted. Successful completion of the second phase produces the Phase 2 SA, or IPSec SA, and with that the tunnel is considered established.

First, a packet with a destination address on another network arrives at the node, and the node initiates the first phase with the node responsible for that network. Suppose the tunnel between the nodes has been established successfully and is waiting for packets. However, after a certain period of time the nodes must re-identify each other and compare their policies again. This period is called the Phase 1 lifetime, or IKE SA lifetime.

The nodes must also change the key used to encrypt data after a period of time called the Phase 2 lifetime, or IPSec SA lifetime.

The Phase 2 lifetime is shorter than the Phase 1 lifetime, because the data key needs to be changed more often. The same lifetime parameters must be set on both nodes. If they are not, the tunnel may initially be established successfully but the connection will be interrupted as soon as the first mismatched lifetime expires. Problems can also arise when the Phase 1 lifetime is shorter than the Phase 2 lifetime. If a previously working tunnel stops working, the first thing to check is the lifetimes on both nodes.

It should also be noted that if you change the policy on one of the nodes, the change takes effect only when the first phase is next started. For the change to take effect immediately, you must remove the SA for this tunnel from the SAD database. This forces the nodes to renegotiate their agreement with the new security policy settings.

Sometimes, when setting up an IPSec tunnel between equipment from different manufacturers, difficulties arise in negotiating parameters during the first phase. Pay attention to the Local ID parameter, a unique identifier of the tunnel endpoint (sender and recipient). This is especially important when creating multiple tunnels and when using the NAT Traversal protocol.

Dead Peer Detection

During VPN operation, if there is no traffic between the tunnel endpoints, or if the remote host's initial data changes (for example, a dynamically assigned IP address changes), the tunnel may effectively cease to exist and become a "ghost" tunnel. To keep the established IPSec tunnel constantly ready for data exchange, the IKE mechanism described in RFC 3706 monitors the presence of traffic from the remote end of the tunnel; if none arrives within a set time, a hello message is sent (D-Link firewalls send a "DPD-R-U-THERE" message). If there is no reply within a certain time (set in D-Link firewalls by the "DPD Expire Time" setting), the tunnel is torn down. After that, D-Link firewalls use the "DPD Keep Time" setting (Fig. 6.18) to attempt to re-establish the tunnel automatically.

NAT Traversal protocol

IPsec traffic can be routed according to the same rules as other IP protocols, but because a router cannot always extract the transport-layer information it needs, IPsec cannot pass through NAT gateways. As mentioned earlier, to solve this problem the IETF defined a way to encapsulate ESP in UDP, called NAT-T (NAT Traversal).

The NAT Traversal protocol encapsulates IPSec traffic in UDP packets, which NAT forwards correctly. To do this, NAT-T places an additional UDP header in front of the IPSec packet, so that along the whole path it is treated like an ordinary UDP packet and the recipient host does not perform any integrity checks on it. After the packet arrives at its destination, the UDP header is removed and the packet continues on its way as an ordinary IPSec packet. Thus, the NAT-T mechanism makes it possible to establish communication between IPSec clients in protected networks and public IPSec hosts through firewalls.
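An added example (not from the original text) of what the NAT-T encapsulation described above looks like on the wire, following the RFC 3948 framing: ESP is carried directly after the UDP header, IKE messages sharing the same port are prefixed with a four-zero-byte Non-ESP Marker, and a single 0xFF byte serves as a NAT keepalive. The ESP body and the IKE message are constructed placeholder bytes, and UDP/4500 is the standard NAT-T port.

```python
"""UDP encapsulation of IPsec for NAT traversal (RFC 3948 framing).

Constructed example: builds and demultiplexes the three kinds of datagram
seen on UDP port 4500 when NAT-T is in use. The ESP body and the IKE
message are placeholder bytes, not real ciphertext or real IKE payloads.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

NAT_T_PORT = 4500             # UDP port used for ESP and IKE once NAT has been detected
NON_ESP_MARKER = b"\x00" * 4  # prepended to IKE messages so they can be told apart from ESP
NAT_KEEPALIVE = b"\xff"       # one-byte datagram that keeps the NAT mapping alive
UDP_HDR_LEN = 8


@dataclass
class UdpEncap:
    """Result of demultiplexing one UDP/4500 datagram."""
    kind: str                   # "esp", "ike", "keepalive" or "invalid"
    reason: str = ""            # why a datagram was rejected
    spi: Optional[int] = None   # ESP only
    seq: Optional[int] = None   # ESP only
    payload: bytes = b""        # ESP: bytes after SPI+seq; IKE: the IKE message


def udp_datagram(src_port: int, dst_port: int, body: bytes) -> bytes:
    """UDP header + body. The checksum is left at 0, which IPv4 permits;
    a real stack computes it over the IP pseudo-header."""
    return struct.pack("!HHHH", src_port, dst_port, UDP_HDR_LEN + len(body), 0) + body


def encapsulate_esp(spi: int, seq: int, esp_body: bytes) -> bytes:
    """ESP-in-UDP: the ESP header (SPI, sequence number) follows the UDP header directly."""
    if spi == 0:
        # RFC 4303 reserves SPI 0 for local use; it must never be sent on the wire.
        raise ValueError("SPI 0 is reserved and must not appear on the wire")
    return udp_datagram(NAT_T_PORT, NAT_T_PORT, struct.pack("!II", spi, seq) + esp_body)


def encapsulate_ike(ike_message: bytes) -> bytes:
    """IKE-in-UDP on port 4500: a four-zero-byte Non-ESP Marker precedes the IKE message."""
    return udp_datagram(NAT_T_PORT, NAT_T_PORT, NON_ESP_MARKER + ike_message)


def nat_keepalive() -> bytes:
    """A single 0xFF byte, sent periodically so the NAT device keeps the UDP mapping."""
    return udp_datagram(NAT_T_PORT, NAT_T_PORT, NAT_KEEPALIVE)


def parse_udp_encap(datagram: bytes) -> UdpEncap:
    """Demultiplex a datagram received on UDP/4500 the way an IPsec peer does."""
    if len(datagram) < UDP_HDR_LEN:
        return UdpEncap("invalid", "truncated UDP header")
    _src, dst_port, length, _csum = struct.unpack("!HHHH", datagram[:UDP_HDR_LEN])
    if length != len(datagram):
        return UdpEncap("invalid", "UDP length field does not match datagram size")
    if dst_port != NAT_T_PORT:
        return UdpEncap("invalid", "not a NAT-T datagram (dst port %d)" % dst_port)
    body = datagram[UDP_HDR_LEN:]
    if body == NAT_KEEPALIVE:
        return UdpEncap("keepalive")
    if len(body) < 8:
        return UdpEncap("invalid", "body too short for an ESP header or marker + IKE")
    if body[:4] == NON_ESP_MARKER:
        return UdpEncap("ike", payload=body[4:])
    # Anything else is ESP: a real SPI is never 0, which is what makes the marker unambiguous.
    spi, seq = struct.unpack("!II", body[:8])
    return UdpEncap("esp", spi=spi, seq=seq, payload=body[8:])


def demo() -> List[UdpEncap]:
    """Constructed traffic: one ESP packet, one IKE message, one keepalive."""
    esp_body = b"\x11" * 16 + b"\x22" * 12   # placeholder for IV + ciphertext + ICV
    ike_msg = b"\x33" * 28                   # placeholder for a 28-byte IKE header
    wire = [encapsulate_esp(0x0A1B2C3D, 1, esp_body), encapsulate_ike(ike_msg), nat_keepalive()]
    return [parse_udp_encap(d) for d in wire]


if __name__ == "__main__":
    for r in demo():
        print(r.kind, r.spi, r.seq, len(r.payload))
```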

There are two points to note when configuring D-Link firewalls on the receiving device:

    In the Remote Network and Remote Endpoint fields, specify the network and IP address of the remote (sending) device. Translation of the initiator's (sender's) IP address by NAT must be allowed (Figure 3.48).

    When using shared keys with multiple tunnels connected to the same remote firewall that have been NATted to the same address, it is important to ensure that the Local ID is unique for each tunnel.

Local ID can be one of:

    Auto – the IP address of the outgoing traffic interface is used as the local identifier.

    IP – the IP address of the WAN port of the remote firewall.

    DNS – a DNS address.

    The concept of private virtual networks, abbreviated VPN (from the English Virtual Private Network), appeared in computer technology relatively recently. A connection of this type makes it possible to combine computer terminals and mobile devices into virtual networks without the usual wires, regardless of where a particular terminal is located. Let us consider how a VPN connection works, and along the way give some recommendations for setting up such networks and the associated client programs.

    What is a VPN?

    As already noted, a VPN is a virtual private network with several devices connected to it. Do not expect too much: it is usually not possible to connect two or three dozen simultaneously working computer terminals (as can be done on a local network). There are limitations in the network setup, or even simply in the bandwidth of the router responsible for assigning IP addresses and

    However, the idea originally incorporated in the connection technology is not new. They tried to substantiate it for a long time. And many modern users of computer networks do not even imagine that they have known about it all their lives, but simply did not try to get to the heart of the matter.

    How a VPN connection works: basic principles and technologies

    For a better understanding, here is the simplest example, familiar to anyone: ordinary radio. In essence it consists of a transmitting device (transmitter), an intermediate unit (repeater) responsible for relaying and distributing the signal, and a receiving device (receiver).

    The difference is that a radio signal is broadcast to absolutely all consumers, whereas a virtual network works selectively, combining only certain devices into one network. Note that in neither case are wires required to connect the transmitting and receiving devices that exchange data with each other.

    But even here there are subtleties. Originally a radio signal was unprotected, that is, it could be received by any radio amateur with a working device tuned to the appropriate frequency. How does a VPN work? In exactly the same way, except that the role of the repeater is played by the router (or ADSL modem), and the role of the receiver by a desktop computer, laptop or mobile device equipped with a wireless (Wi-Fi) module.

    In addition, the data coming from the source is first encrypted and only then, using a special decoder, reproduced on a specific device. This principle of communication over a VPN is called tunneling, and it most closely resembles a mobile connection in which the call is routed to a specific subscriber.

    Tunneling local virtual networks

    Let us look at how a VPN works in tunnel mode. In essence, it involves creating a kind of straight line, say from point "A" to point "B", such that when data is transferred from a central source (a router connected to a server), all network devices are identified automatically according to a predetermined configuration.

    In other words, a tunnel is created in which data is encoded when sent and decoded when received. As a result, no other user who intercepts data of this type in transit will be able to decrypt it.

    Means of implementation

    One of the most powerful tools for this kind of connection, and for security at the same time, are Cisco systems. Still, some inexperienced administrators wonder why a VPN on Cisco equipment does not work.

    This is primarily due to incorrect configuration or to the drivers installed for routers such as D-Link or ZyXEL, which require fine-tuning precisely because they come with built-in firewalls.

    You should also pay attention to the connection scheme. There are two of them: router-to-router and remote access. The first is about joining several distribution devices together; the second is about managing the connection or transferring data through remote access.

    Access Protocols

    As for protocols, TCP/IP-level configuration tools are mostly used today, although the internal protocols used inside a VPN may vary.

    Has the VPN stopped working? Look at some of the less obvious settings. For example, the additional protocols built on TCP, PPP and PPTP, still belong to the TCP/IP stack, but for a connection using, say, PPTP you must use two IP addresses instead of the usual one. In any case, tunneling involves transferring data carried by internal protocols such as IPX or NetBEUI, all of which are given special PPP-based headers so that the data can be passed seamlessly to the appropriate network driver.

    Hardware devices

    Now let's look at a situation where the question arises of why the VPN does not work. The fact that the problem may be related to incorrect hardware configuration is understandable. But there may be another situation.

    It is worth paying attention to the routers themselves, which control the connection. As mentioned above, you should use only devices that are suitable for connection parameters.

    For example, routers such as the DI-808HV or DI-804HV can connect up to forty devices simultaneously. As for ZyXEL hardware, in many cases it can be managed through the embedded ZyNOS network operating system, but only from the command line over Telnet. This approach allows you to configure any device to exchange data with three networks in a common Ethernet environment with IP traffic, and to use the proprietary Any-IP technology, which is designed to use the standard routing table with forwarded traffic as a gateway for systems originally configured to work on other subnets.

    What to do if VPN does not work (Windows 10 and below)?

    The very first and most important condition is that the outgoing and incoming keys (Pre-shared Keys) match. They must be the same at both ends of the tunnel. You should also pay attention to the cryptographic encryption algorithms (IKE or Manual), with or without an authentication function.

    For example, the AH protocol (Authentication Header) provides only authentication, without the possibility of encryption.

    VPN clients and their configuration

    As for VPN clients, it's not all that simple either. Most programs based on such technologies use standard configuration methods. However, there are some pitfalls here.

    The problem is that no matter how you install the client, nothing good will come of it if the service is turned off in the OS itself. That is why you first need to enable these settings in Windows, then enable them on the router, and only then configure the client itself.

    In the system itself, you will have to create a new connection, and not use an existing one. We will not dwell on this, since the procedure is standard, but on the router itself you will have to go into additional settings (most often they are located in the WLAN Connection Type menu) and activate everything related to the VPN server.

    It is also worth noting that the client will have to be installed into the system as a companion program. After that it can be used even without manual settings, simply by choosing the nearest location.

    One of the most popular and easiest-to-use VPN client-server packages is called SecurityKISS. Once the program is installed, you do not even need to go into the settings to get normal communication for all devices connected to the distributor.

    It happens that the fairly well-known and popular Kerio VPN Client package does not work. Here you will have to pay attention not only to the OS itself but also to the parameters of the client program. As a rule, entering the correct parameters solves the problem. As a last resort, check the settings of the main connection and of the TCP/IP protocols used (v4/v6).

    What is the result?

    We've covered how a VPN works. In principle, there is nothing complicated in the connection itself or the creation of networks of this type. The main difficulty lies in setting up specific equipment and setting its parameters, which, unfortunately, many users overlook, relying on the fact that the whole process will be reduced to automatism.

    On the other hand, we have now dealt more with issues related to the technology of the VPN virtual networks themselves, so you will have to configure the equipment, install device drivers, etc. using separate instructions and recommendations.

    A fuel cell is an electrochemical device similar to a galvanic cell, but it differs in that the substances for the electrochemical reaction are fed into it from the outside, in contrast to the limited amount of energy stored in a galvanic cell or battery.

    Fig. 1. Some fuel cells

    Fuel cells convert the chemical energy of the fuel into electricity, bypassing the inefficient combustion processes that occur with heavy losses. Through a chemical reaction they convert hydrogen and oxygen into electricity; this process forms water and releases a large amount of heat. A fuel cell is very similar to a battery that can be charged and then used to store electrical energy. The inventor of the fuel cell is William R. Grove, who invented it back in 1839. In his fuel cell, a solution of sulfuric acid was used as the electrolyte and hydrogen as the fuel, which combined with oxygen in an oxidizer medium. Until recently, fuel cells were used only in laboratories and on spacecraft.

    Fig. 2.

    Unlike other power generators, such as internal combustion engines or turbines running on gas, coal, fuel oil and so on, fuel cells do not burn fuel. This means no noisy high-pressure rotors, no loud exhaust noise and no vibration. Fuel cells generate electricity through a silent electrochemical reaction. Another feature of fuel cells is that they convert the chemical energy of the fuel directly into electricity, heat and water.


    Fuel cells are highly efficient and do not produce large amounts of greenhouse gases such as carbon dioxide, methane and nitrous oxide. The only products emitted by fuel cells are water in the form of steam and a small amount of carbon dioxide, which is not emitted at all if pure hydrogen is used as the fuel. Fuel cells are assembled into stacks and then into individual functional modules.


    Fuel cells don't have moving parts (at least not inside the cell itself), and so they don't obey Carnot's law. That is, they will have more than 50% efficiency and are especially effective at low loads. Thus, fuel cell vehicles can be (and have already been proven to be) more fuel efficient than regular cars in real driving conditions.


    A fuel cell generates direct current at a constant voltage, which can be used to drive an electric motor, lighting fixtures and other electrical systems in a car.


    There are several types of fuel cells, differing in the chemical processes used. Fuel cells are usually classified according to the type of electrolyte they use.


    Some types of fuel cells are promising for use as stationary power plants, others for portable devices or for driving cars.

    1. Alkaline fuel cells (AFC)

    The alkaline fuel cell is one of the very first cells developed. Alkaline fuel cells (AFCs) are one of the most studied technologies, used since the mid-1960s by NASA in the Apollo and Space Shuttle programs. On board these spacecraft, fuel cells produce electricity and drinking water.

    Fig. 3.

    Alkaline fuel cells are one of the most efficient elements used to generate electricity, with power generation efficiency reaching up to 70%.


    Alkaline fuel cells use an aqueous solution of potassium hydroxide as the electrolyte, held in a porous stabilized matrix. The concentration of potassium hydroxide may vary depending on the operating temperature of the fuel cell, which ranges from 65°C to 220°C. The charge carrier in an AFC is the hydroxide ion (OH-), which moves from the cathode to the anode, where it reacts with hydrogen to produce water and electrons. The water produced at the anode moves back to the cathode, where it again generates hydroxide ions. This series of reactions in the fuel cell produces electricity and, as a by-product, heat:


    Anode reaction: 2H2 + 4OH- => 4H2O + 4e-

    Cathode reaction: O2 + 2H2O + 4e- => 4OH-

    Overall cell reaction: 2H2 + O2 => 2H2O


    The advantage of AFCs is that they are the cheapest fuel cells to manufacture, since the catalyst needed on the electrodes can be any of a number of substances cheaper than the catalysts used in other fuel cells. In addition, AFCs operate at relatively low temperatures and are among the most efficient.


    One characteristic feature of the AFC is its high sensitivity to CO2, which may be present in the fuel or the air. CO2 reacts with the electrolyte, quickly poisons it and greatly reduces the efficiency of the fuel cell. The use of AFCs is therefore limited to closed environments such as space and underwater vehicles, where they run on pure hydrogen and oxygen.

    2. Molten carbonate fuel cells (MCFC)

    Fuel cells with a molten carbonate electrolyte are high-temperature fuel cells. The high operating temperature allows the direct use of natural gas without a fuel processor, as well as low-calorific fuel gas from industrial processes and other sources. This process was developed in the mid-1960s. Since then, manufacturing technology, performance and reliability have been improved.

    Fig. 4.

    The operation of an MCFC differs from that of other fuel cells. These cells use an electrolyte made from a mixture of molten carbonate salts. Two types of mixture are currently used: lithium carbonate with potassium carbonate, or lithium carbonate with sodium carbonate. To melt the carbonate salts and achieve a high degree of ion mobility in the electrolyte, molten carbonate fuel cells operate at high temperatures (650°C). Their efficiency ranges between 60% and 80%.


    When heated to a temperature of 650°C, the salts become a conductor for carbonate ions (CO32-). These ions travel from the cathode to the anode where they combine with hydrogen to form water, carbon dioxide and free electrons. These electrons are sent along the outer electrical circuit back to the cathode, while generating electricity and heat as a by-product.


    Anode reaction: CO32- + H2 => H2O + CO2 + 2e-

    Cathode reaction: CO2 + 1/2O2 + 2e- => CO32-

    Overall cell reaction: H2(g) + 1/2O2(g) + CO2(cathode) => H2O(g) + CO2(anode)


    The high operating temperatures of molten carbonate fuel cells have certain advantages. One is the ability to use standard materials (stainless steel sheet and a nickel catalyst on the electrodes). The waste heat can be used to produce high-pressure steam. The high reaction temperatures in the electrolyte also have their drawbacks: it takes a long time to reach optimal operating conditions, and the system responds more slowly to changes in power demand. These characteristics suit molten carbonate fuel cell systems to constant-power operation. The high temperatures also prevent damage to the fuel cell by carbon monoxide "poisoning" and the like.


    Molten carbonate fuel cells are suitable for large stationary installations. Thermal power plants with an output electric power of 2.8 MW are produced industrially, and plants with an output of up to 100 MW are being developed.

    3. Phosphoric acid fuel cells (PAFC)

    Fuel cells based on phosphoric (orthophosphoric) acid were the first fuel cells to be used commercially. The process was developed in the mid-1960s, and testing has been carried out since the 1970s. As a result, stability and performance have increased and cost has been reduced.

    Fig. 5.

    Fuel cells based on phosphoric (orthophosphoric) acid use an electrolyte based on orthophosphoric acid (H3PO4) with a concentration of up to 100%. The ionic conductivity of phosphoric acid is low at low temperatures, so these fuel cells are used at temperatures up to 150-220 °C.


    The charge carrier in fuel cells of this type is hydrogen (H+, the proton). A similar process occurs in proton exchange membrane fuel cells (PEMFCs): hydrogen supplied to the anode is split into protons and electrons. The protons pass through the electrolyte and combine with oxygen from the air at the cathode to form water. The electrons travel through an external electrical circuit, generating an electric current. The reactions that generate electricity and heat are given below.


    Anode reaction: 2H2 => 4H+ + 4e-

    Cathode reaction: O2(g) + 4H+ + 4e- => 2H2O

    Overall cell reaction: 2H2 + O2 => 2H2O


    The efficiency of fuel cells based on phosphoric (orthophosphoric) acid is more than 40% when generating electrical energy. In the combined production of heat and electricity, the overall efficiency is about 85%. In addition, given the operating temperatures, the waste heat can be used to heat water and generate steam at atmospheric pressure.


    The high performance of phosphoric (orthophosphoric) acid fuel cell power plants in the combined production of heat and electricity is one of the advantages of this type of fuel cell. The plants can operate with carbon monoxide at a concentration of about 1.5% in the fuel, which greatly widens the choice of fuels. A simple design, low electrolyte volatility and increased stability are further advantages of such fuel cells.


    Thermal power plants with an output electric power of up to 400 kW are produced industrially. Installations with a capacity of 11 MW have passed the relevant tests, and plants with an output of up to 100 MW are being developed.

    4. Proton exchange membrane fuel cells (PEMFC)

    Proton exchange membrane fuel cells are considered the best type of fuel cell for powering vehicles, capable of replacing gasoline and diesel internal combustion engines. These fuel cells were first used by NASA in the Gemini program. PEMFC installations with power from 1 W to 2 kW have been developed and demonstrated.

    Fig. 6.

    The electrolyte in these fuel cells is a solid polymer membrane (thin plastic film). When impregnated with water, this polymer passes protons, but does not conduct electrons.


    The fuel is hydrogen, and the charge carrier is the hydrogen ion (proton). At the anode, the hydrogen molecule is split into hydrogen ions (protons) and electrons. The hydrogen ions pass through the electrolyte to the cathode, while the electrons travel around the external circuit and deliver electrical energy. Oxygen, taken from the air, is fed to the cathode and combines with the electrons and hydrogen ions to form water. The following reactions occur at the electrodes:

    Anode reaction: 2H2 + 4OH- => 4H2O + 4e-

    Cathode reaction: O2 + 2H2O + 4e- => 4OH-

    Overall cell reaction: 2H2 + O2 => 2H2O

    Compared with other types of fuel cells, proton exchange membrane fuel cells produce more energy for a given volume or weight of fuel cell. This allows them to be compact and lightweight. In addition, the operating temperature is below 100°C, which allows a quick start. These characteristics, together with the ability to change power output rapidly, are just some of the features that make these fuel cells a prime candidate for use in vehicles.


    Another advantage is that the electrolyte is a solid rather than a liquid. It is easier to keep gases at the cathode and anode with a solid electrolyte, so such fuel cells are cheaper to manufacture. When using a solid electrolyte, there are no difficulties such as orientation, and fewer problems due to the occurrence of corrosion, which increases the durability of the cell and its components.

    Fig. 7.

    5. Solid oxide fuel cells (SOFC)

    Solid oxide fuel cells have the highest operating temperature of all fuel cells. The operating temperature can vary from 600°C to 1000°C, which allows various types of fuel to be used without special pre-treatment. To withstand these high temperatures, the electrolyte is a thin ceramic-based solid metal oxide, often an alloy of yttrium and zirconium, which conducts oxygen (O2-) ions. Solid oxide fuel cell technology has been under development since the late 1950s and comes in two configurations: planar and tubular.


    A solid electrolyte provides a sealed passage for gas from one electrode to the other, whereas liquid electrolytes are held in a porous substrate. The charge carrier in fuel cells of this type is the oxygen ion (O2-). At the cathode, oxygen molecules from the air are split into oxygen ions, taking up four electrons. The oxygen ions pass through the electrolyte and combine with hydrogen, releasing four free electrons. The electrons are directed through an external electrical circuit, generating electric current and waste heat.

    Fig. 8.

    Anode reaction: 2H2 + 2O2- => 2H2O + 4e-

    Cathode reaction: O2 + 4e- => 2O2-

    Overall cell reaction: 2H2 + O2 => 2H2O


    The efficiency of electrical energy production is the highest of all fuel cells - about 60%. In addition, high operating temperatures allow for combined heat and power generation to generate high pressure steam. Combining a high-temperature fuel cell with a turbine creates a hybrid fuel cell to increase the efficiency of electrical power generation by up to 70%.


    Solid oxide fuel cells operate at very high temperatures (600°C to 1000°C), so it takes a significant time to reach optimum operating conditions and the system is slower to respond to changes in power demand. At such high operating temperatures no converter is needed to recover hydrogen from the fuel, which allows the power plant to operate on relatively impure fuels from coal gasification, waste gases and the like. This fuel cell is also excellent for high-power applications, including industrial and large central power plants. Modules with an output electrical power of 100 kW are produced industrially.

    6. Direct methanol fuel cells (DMFC)

    Direct methanol fuel cells are successfully used to power mobile phones and laptops and to build portable power sources, which is where the future use of such cells is aimed.


    The structure of direct methanol fuel cells is similar to that of proton exchange membrane fuel cells (PEMFC): a polymer is used as the electrolyte and the hydrogen ion (proton) is the charge carrier. However, liquid methanol (CH3OH) is oxidized in the presence of water at the anode, releasing CO2, hydrogen ions and electrons; the electrons are sent through an external electrical circuit, generating an electric current. The hydrogen ions pass through the electrolyte and react with oxygen from the air and electrons from the external circuit to form water at the anode.


    Anode reaction: CH3OH + H2O => CO2 + 6H+ + 6e-

    Cathode reaction: 3/2O2 + 6H+ + 6e- => 3H2O

    Overall cell reaction: CH3OH + 3/2O2 => CO2 + 2H2O

    1990s and their specific power and efficiency were increased up to 40%.


    These cells have been tested in the temperature range 50-120°C. Thanks to their low operating temperature and the absence of a converter, these fuel cells are the best candidate for mobile phones and other consumer products, as well as for car engines. Their small dimensions are another advantage.

    7. Polymer electrolyte fuel cells (PEFC)



    In polymer electrolyte fuel cells, the polymer membrane consists of polymer fibers with water-filled regions in which the conducted H2O+ ion (a proton, shown in red) is attached to a water molecule. The water molecules are a problem because of slow ion exchange. A high concentration of water is therefore required both in the fuel and at the electrodes, which limits the operating temperature to 100°C.

    8. Solid acid fuel cells (SAFC)




    In solid acid fuel cells, the electrolyte (CsHSO4) contains no water, so the operating temperature is 100-300°C. Rotation of the SO42- oxyanions allows the protons (red) to move, as shown in the figure. Typically, a solid acid fuel cell is a sandwich in which a very thin layer of the solid acid compound is pressed tightly between two electrodes to ensure good contact. When heated, the organic component evaporates and escapes through the pores in the electrodes, preserving the many points of contact between the fuel (or oxygen at the other end of the cell), the electrolyte and the electrodes.

    Fig. 9.

    9. Comparison of the most important characteristics of fuel cells

    Fuel Cell Characteristics (table; columns: Fuel cell type, Working temperature, Power Generation Efficiency, Fuel type, Scope). Only scattered cell values survive extraction: "Medium and large installations", "pure hydrogen", "installations", "pure hydrogen", "Small installations", "Most hydrocarbon fuels", "Small, medium and large installations", "portable installations", "pure hydrogen", "Space explored", "pure hydrogen", "Small installations".


    Fig. 10.

    10. Use of fuel cells in cars

    Fig. 11.

    Fig. 12.