
Why do you need a VPN? Connection description and correct setup

In this article we answer the most frequently asked questions: what a VPN server is, whether a VPN can increase your security, whether you need to use Double VPN, how to check whether a VPN service keeps logs, and what modern technologies exist to protect personal information.

VPN is a virtual private network that provides encryption between the client and the VPN server.


The main purpose of a VPN is to encrypt traffic and change the IP address.

Let's see why and when it is needed.

What is a VPN for?

All ISPs log their customers' activity on the Internet. That is, the Internet provider knows which sites you visited. This is needed so that the provider can hand over all information about an offender when the police request it, and so that it can disclaim all legal responsibility for the user's actions.

There are many situations when a user needs to protect their personal data on the Internet and gain freedom of communication.

Example 1. There is a business and it is necessary to transfer confidential data over the Internet so that no one can intercept it. Most companies use VPN technology to transfer information between company branches.

Example 2. Many services on the Internet work on the principle of geo-referencing to the location and prohibit access to users from other countries.

For example, the Yandex Music service only works for IP addresses from Russia and the countries of the former CIS. Accordingly, the entire Russian-speaking population living in other countries does not have access to this service.

Example 3. Blocking certain sites in the office and in the country. Offices often block access to social networks so that employees do not spend working time on chatting.

For example, China has blocked many Google services. If a resident of China works with a company from Europe, there is a need to use services such as Google Drive.

Example 4. Hide visited sites from the ISP. There are times when you need to hide the list of visited sites from the Internet provider. All traffic will be encrypted.


With traffic encryption, your ISP will not know what sites you have visited on the Internet. In this case, your IP address on the Internet will belong to the country of the VPN server.

When you connect to a VPN, a secure channel is created between your computer and the VPN server. All data in this channel is encrypted.


Thanks to a VPN, you will have the freedom to communicate and protect your personal data.

In the ISP's logs there will only be a set of meaningless characters. The picture below shows an analysis of the data obtained with a special program.

In the HTTP header, you can immediately see which site you are connecting to. This data is recorded by Internet service providers.


The following picture shows the HTTP header when using a VPN. The data is encrypted and it is impossible to know which sites you have visited.

How to connect to a VPN

There are several ways to connect to a VPN network.

  • PPTP is an outdated protocol. Most modern operating systems have removed it from the list of supported ones. The downside of PPTP is low connection stability: the connection may drop and unsecured data may leak to the Internet.
  • L2TP (IPSec) connection is more reliable. Also built into most operating systems (Windows, Mac OS, Linux, iOS, Android, Windows Phone, and more). It has better reliability than PPTP connection.
  • SSTP connection was developed relatively recently. It's only supported on Windows, so it's not widely used.
  • IKEv2 is a modern protocol based on IPSec. This protocol has replaced the PPTP protocol and is supported by all popular operating systems.
  • OpenVPN connection is considered the most reliable. This technology can be flexibly configured and when the connection drops, OpenVPN blocks the sending of unprotected data to the Internet.

OpenVPN can run over either of two transport protocols:

  • UDP - fast (recommended for VoIP telephony, Skype, online games)
  • TCP - characterized by reliable delivery of the transmitted data (requires acknowledgment of each packet). Works a little slower than UDP.

How to set up a VPN

Setting up a VPN connection takes several minutes and depends on the connection method.

On our service we use PPTP and OpenVPN connections.

VPN Security

We always speak of an integrated approach to security. User security does not consist only of the VPN connection itself. It also matters which program you use to connect to the VPN server.

Currently, services offer convenient VPN clients - these are programs that make it easy to set up a VPN connection. We ourselves offer a convenient VPN client. Thanks to such programs, setting up a VPN connection takes no more than 1 minute.


When we first started providing VPN services in 2006, all of our users set up the official OpenVPN app. It is open source. Of course, setting up the official OpenVPN client takes more time. But let's see what is better to use in terms of anonymity.

VPN client anonymity

We see a danger in using such programs. The source code of these programs is the property of the company, and in order to preserve the uniqueness of its program, no company publishes it.

Without open source code, users cannot find out what data the program collects about them.

The VPN program can identify you as a specific user even when logs are turned off on the server.

Any such program can include functionality that records the sites you visit and your real IP address. And since you yourself enter your login into the program, there can be no talk of anonymity when using it.

If your activity requires a high level of anonymity, we recommend that you abandon such VPN clients and use the official open-source release of OpenVPN.

At first, you will find this uncomfortable. But over time, you will get used to it if the factor of security and anonymity is in the first place for you.

We guarantee that Secure Kit does not save any data about you. But we must warn you that such programs can spy on you.

Another way to increase your security comes from the geographical location of the servers. On the Internet it is called an offshore VPN.

What is an offshore VPN

Different countries have different levels of legislation. There are strong states with strong laws. And there are small countries whose level of development does not allow them to protect data within their borders.

Initially, the concept of offshore was used to refer to a country with a relaxed tax policy. Such countries have very low taxes on business. Global companies became interested in legally avoiding taxes in their home country, and offshore bank accounts in the Cayman Islands became very popular.

Currently, in many countries of the world there are already bans on the use of bank accounts in offshore countries.

Most offshore countries are small states located in remote corners of the planet. Servers in such countries are more difficult to find and they are more expensive due to the lack of a developed Internet infrastructure. VPN servers in such countries began to be called offshore.

It turns out that the word offshore VPN does not mean anonymous VPN, but only speaks of territorial belonging to an offshore state.

Should you use an offshore VPN?

An offshore VPN presents additional benefits in terms of anonymity.

Where do you think it is easier to send a formal request:

  • to the police department in Germany
  • or to the police department on the islands of Antigua and Barbuda

An offshore VPN is an extra layer of protection. It is good to use an offshore server as part of the Double VPN chain.

Do not rely on a single offshore VPN server and assume that it is completely secure. You need to approach your security and anonymity on the Internet from different angles.

Use an offshore VPN as one link in your anonymity chain.

And it's time to answer the most frequently asked question. Can an anonymous VPN service keep logs? And how to determine if the service keeps logs?

Anonymous VPN service and logs. What to do?

An anonymous VPN service should not keep logs. Otherwise, it can no longer be called anonymous.

We have compiled a list of questions, thanks to which you can accurately determine whether the service keeps logs.

Now you have complete information about VPN connections. This knowledge is enough to make yourself anonymous on the Internet and make the transfer of personal data safe.

New VPN Technologies

Are there any new trends in the field of VPN?

We have already talked about the pros and cons of serial cascading of VPN servers (Double, Triple, Quad VPN).

To avoid the disadvantages of Double VPN technology, you can make a parallel cascade of chains. We called it Parallel VPN.

What is Parallel VPN

The essence of Parallel VPN is to direct traffic to a parallel data channel.

The downside of sequential cascading technology (Double, Triple, Quad VPN) is that each server decrypts the channel and encrypts it into the next channel. The data is sequentially encrypted.

There is no such problem in Parallel VPN technology, since all data is encrypted twice, in parallel. Imagine an onion with several layers: in the same way, data passes through a channel that is double encrypted.

The Internet is increasingly being used as a means of communication between computers because it offers efficient and inexpensive communication. However, the Internet is a public network and in order to ensure secure communication through it, some mechanism is needed that satisfies at least the following tasks:

    confidentiality of information;

    data integrity;

    availability of information;

These requirements are met by a mechanism called VPN (Virtual Private Network), a generalized name for technologies that allow one or more network connections (a logical network) to be provided over another network (for example, the Internet) using cryptographic tools (encryption, authentication, public key infrastructure, and protection against replay and modification of messages transmitted over the logical network).

Creating a VPN does not require additional investments and allows you to stop using leased lines. Depending on the protocols used and the purpose, a VPN can provide three types of connections: host-host, host-network, and network-network.

For clarity, consider the following example: an enterprise has several geographically remote branches and "mobile" employees working at home or on the road. All employees of the enterprise need to be united in a single network. The simplest way is to put modems in each branch and dial up as needed. Such a solution, however, is not always convenient or cost-effective; sometimes a permanent connection and high bandwidth are needed. For that you would have to either lay a dedicated line between branches or lease one. Both are quite expensive. Here, as an alternative, when building a single secure network you can use VPN connections between all company branches over the Internet and configure VPN tools on the network hosts.

Fig. 6.4. Site-to-site VPN connection

Fig. 6.5. Host-to-network VPN connection

In this case, many problems are solved - branches can be located anywhere around the world.

The danger here is that, firstly, the open network is open to attacks from intruders around the world. Secondly, all data is transmitted over the Internet in the clear, and attackers, having hacked the network, will have all the information transmitted over the network. And, thirdly, data can be not only intercepted, but also replaced during transmission through the network. An attacker can, for example, compromise the integrity of databases by acting on behalf of the clients of one of the trusted branches.

To prevent this from happening, VPN solutions use tools such as data encryption to ensure integrity and confidentiality, authentication and authorization to verify user rights and allow access to a virtual private network.

A VPN connection always consists of a point-to-point link, also known as a tunnel. The tunnel is created in an insecure network, which is most often the Internet.

Tunneling, or encapsulation, is a way of transferring useful information through an intermediate network. Such information may be frames (or packets) of another protocol. With encapsulation, the frame is not transmitted as generated by the sending host but is given an additional header containing routing information that allows the encapsulated packets to pass through the intermediate network (the Internet). At the end of the tunnel, the frames are de-encapsulated and delivered to the recipient. Typically, a tunnel is created by two edge devices located at the entry points to the public network. One obvious advantage of tunneling is that the entire original packet can be encrypted, including its header, which may contain information that attackers use to attack the network (for example, IP addresses, the number of subnets, etc.).

Although a VPN tunnel is established between two points, each host can establish additional tunnels with other hosts. For example, when three remote stations need to contact the same office, three separate VPN tunnels will be created to this office. For all tunnels, the node on the office side can be the same. This is possible due to the fact that the node can encrypt and decrypt data on behalf of the entire network, as shown in the figure:

Fig. 6.6. Creating VPN tunnels for multiple remote locations

The user establishes a connection to the VPN gateway, after which the user has access to the internal network.

Within a private network, encryption itself does not occur. The reason is that this part of the network is considered secure and under direct control, as opposed to the Internet. This is also true when connecting offices using VPN gateways. Thus, encryption is guaranteed only for information that is transmitted over an insecure channel between offices.

There are many different solutions for building virtual private networks. The most famous and widely used protocols are:

    PPTP (Point-to-Point Tunneling Protocol) - this protocol became quite popular due to its inclusion in Microsoft operating systems.

    L2TP (Layer-2 Tunneling Protocol) - combines the L2F (Layer 2 Forwarding) protocol and the PPTP protocol. Typically used in conjunction with IPSec.

    IPSec (Internet Protocol Security) is an official Internet standard developed by the IETF (Internet Engineering Task Force) community.

The listed protocols are supported by D-Link devices.

The PPTP protocol is primarily intended for virtual private networks based on dial-up connections. The protocol allows you to organize remote access, so that users can establish dial-up connections with Internet providers and create a secure tunnel to their corporate networks. Unlike IPSec, the PPTP protocol was not originally intended to organize tunnels between local networks. PPTP extends the capabilities of PPP, a data-link protocol that was originally designed to encapsulate data and deliver it over point-to-point connections.

The PPTP protocol allows you to create secure channels for data exchange using various protocols - IP, IPX, NetBEUI, etc. The data of these protocols is packed into PPP frames, which are encapsulated using the PPTP protocol into IP packets. They are then transported using IP in encrypted form over any TCP/IP network. The receiving node extracts the PPP frames from the IP packets and then processes them in the standard way, i.e. extracts an IP, IPX or NetBEUI packet from the PPP frame and sends it over the local network. Thus, the PPTP protocol creates a point-to-point connection in the network and transmits data over the created secure channel. The main advantage of encapsulating protocols such as PPTP is their multiprotocol nature. That is, data protection at the data link layer is transparent to network- and application-layer protocols. Therefore, within the network, either the IP protocol (as in the case of an IPSec-based VPN) or any other protocol can be used as the transport.

Currently, due to the ease of implementation, the PPTP protocol is widely used both for obtaining reliable secure access to a corporate network and for accessing ISP networks when a client needs to establish a PPTP connection with an ISP in order to access the Internet.

The encryption method used in PPTP is specified at the PPP layer. Typically, the PPP client is a desktop computer running a Microsoft operating system, and the encryption protocol is Microsoft Point-to-Point Encryption (MPPE). This protocol is based on the RSA RC4 cipher and supports 40- or 128-bit encryption. For many applications this level of encryption is sufficient, although it is considered less secure than a number of other encryption algorithms offered by IPSec, in particular the 168-bit Triple Data Encryption Standard (3DES).

How is a PPTP connection established?

PPTP encapsulates IP packets for transmission over an IP network. PPTP clients create a tunnel control connection that keeps the link alive. This process is performed at the transport layer of the OSI model. After the tunnel is created, the client computer and the server start exchanging service packets.

In addition to the PPTP control connection, a connection is created to send data over the tunnel. Encapsulating data before sending it to the tunnel involves two steps. First, the information part of the PPP frame is created. Data flows from top to bottom, from the OSI application layer to the link layer. The received data is then sent up the OSI model and encapsulated by upper layer protocols.

Data from the link layer reaches the transport layer. However, the information cannot be sent to its destination, since the OSI link layer is responsible for that. Therefore, PPTP encrypts the payload field of the packet and takes over the layer-2 functions that usually belong to PPP, i.e. it adds a PPP header and trailer to the PPTP packet. This completes the creation of the link-layer frame. Next, PPTP encapsulates the PPP frame in a Generic Routing Encapsulation (GRE) packet, which belongs to the network layer. GRE encapsulates network-layer protocols such as IP and IPX so that they can be transported over IP networks. However, using GRE alone does not ensure session establishment and data security; for this, PPTP uses its ability to create a tunnel control connection. The use of GRE as the encapsulation method limits the scope of PPTP to IP networks only.

After the PPP frame has been encapsulated in a frame with a GRE header, it is encapsulated in a frame with an IP header. The IP header contains the sender and recipient addresses of the packet. Finally, PPTP adds a PPP header and trailer.

Fig. 6.7 shows the data structure for forwarding over a PPTP tunnel:

Fig. 6.7. Data structure for forwarding over a PPTP tunnel

Setting up a VPN based on PPTP does not require large expenses or complex settings: it is enough to install a PPTP server in the central office (PPTP solutions exist for both Windows and Linux platforms) and make the necessary settings on client computers. If you need to connect several branches, then instead of setting up PPTP on all client stations it is better to use an Internet router or a firewall with PPTP support: settings are made only on the border router (firewall) connected to the Internet, and everything is completely transparent to users. Examples of such devices are the DIR/DSR multifunctional Internet routers and the DFL series firewalls.

GRE tunnels

Generic Routing Encapsulation (GRE) is a network packet encapsulation protocol that provides traffic tunneling through networks without encryption. Examples of using GRE:

    transmission of traffic (including broadcast) through equipment that does not support a specific protocol;

    tunneling IPv6 traffic through an IPv4 network;

    data transmission over public networks to implement a secure VPN connection.

Fig. 6.8. An example of a GRE tunnel

Between routers A and B (Fig. 6.8) there are several other routers; the GRE tunnel provides a connection between the local networks 192.168.1.0/24 and 192.168.3.0/24 as if routers A and B were connected directly.
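As an added example (not code from the page or from D-Link), the Python below builds and parses GRE in both forms the text describes: the PPTP data channel (enhanced GRE, version 1, RFC 2637, where the Key field carries the payload length and call ID) and a plain site-to-site GRE tunnel (version 0) between routers A and B carrying an IPv4 packet from 192.168.1.0/24 to 192.168.3.0/24. The router addresses 203.0.113.1 and 198.51.100.1, the call ID and the inner UDP datagram are constructed sample values.

```python
import ipaddress
import struct
from typing import Optional

GRE_PROTO = 47            # IP protocol number that carries GRE
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type for an inner IPv4 packet
ETHERTYPE_PPP = 0x880B    # GRE protocol type PPTP uses for PPP frames (RFC 2637)

# Bits of the first 16-bit word of the GRE header
FLAG_C = 0x8000  # checksum present
FLAG_K = 0x2000  # key present
FLAG_S = 0x1000  # sequence number present
FLAG_A = 0x0080  # acknowledgment number present (enhanced GRE only)
VER_MASK = 0x0007


def ipv4_checksum(data: bytes) -> int:
    """One's-complement checksum over an IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encap(payload: bytes, proto_type: int, key: Optional[int] = None,
              seq: Optional[int] = None, ack: Optional[int] = None, version: int = 0) -> bytes:
    """Prepend a GRE header; optional fields follow in the order Key, Sequence, Ack."""
    flags = version & VER_MASK
    optional = b""
    for value, bit in ((key, FLAG_K), (seq, FLAG_S), (ack, FLAG_A)):
        if value is not None:
            flags |= bit
            optional += struct.pack("!I", value)
    return struct.pack("!HH", flags, proto_type) + optional + payload


def gre_decap(packet: bytes) -> dict:
    """Parse a GRE header. The checksum field is skipped, not validated, here."""
    flags, proto_type = struct.unpack("!HH", packet[:4])
    info = {"version": flags & VER_MASK, "proto_type": proto_type}
    off = 4
    if flags & FLAG_C:
        off += 4  # checksum + reserved1
    for name, bit in (("key", FLAG_K), ("seq", FLAG_S), ("ack", FLAG_A)):
        if flags & bit:
            info[name] = struct.unpack("!I", packet[off:off + 4])[0]
            off += 4
    if info["version"] == 1 and "key" in info:
        # Enhanced GRE (PPTP): Key = payload length (high 16 bits) | call ID (low 16 bits)
        info["payload_len"] = info["key"] >> 16
        info["call_id"] = info["key"] & 0xFFFF
    info["payload"] = packet[off:]
    return info


def pptp_data_packet(ppp_frame: bytes, call_id: int, seq: int) -> bytes:
    """PPTP data-channel packet: enhanced GRE (version 1) around a PPP frame."""
    key = (len(ppp_frame) << 16) | (call_id & 0xFFFF)
    return gre_encap(ppp_frame, ETHERTYPE_PPP, key=key, seq=seq, version=1)


def tunnel_site_to_site(inner_packet: bytes, router_a: str, router_b: str) -> bytes:
    """Router A: wrap an inner IPv4 packet in plain GRE plus an outer IP header to router B."""
    gre = gre_encap(inner_packet, ETHERTYPE_IPV4)
    return ipv4_header(router_a, router_b, GRE_PROTO, len(gre)) + gre


def receive_site_to_site(outer_packet: bytes) -> dict:
    """Router B: strip the outer IP header, parse GRE, report the inner addresses."""
    ihl = (outer_packet[0] & 0x0F) * 4
    if outer_packet[9] != GRE_PROTO:
        raise ValueError("not a GRE packet")
    info = gre_decap(outer_packet[ihl:])
    if info["proto_type"] != ETHERTYPE_IPV4:
        raise ValueError("unexpected inner protocol type %#06x" % info["proto_type"])
    inner = info["payload"]
    return {"inner_src": str(ipaddress.IPv4Address(inner[12:16])),
            "inner_dst": str(ipaddress.IPv4Address(inner[16:20])),
            "inner_proto": inner[9]}


def demo() -> dict:
    # Constructed sample: UDP datagram from a host behind router A to a host behind router B
    udp = struct.pack("!HHHH", 40000, 514, 8 + 5, 0) + b"hello"
    inner = ipv4_header("192.168.1.10", "192.168.3.20", 17, len(udp)) + udp
    outer = tunnel_site_to_site(inner, "203.0.113.1", "198.51.100.1")
    # Constructed sample PPP frame (address, control, protocol 0x0021 = IP) for the PPTP case
    ppp = b"\xff\x03\x00\x21" + inner
    pptp = gre_decap(pptp_data_packet(ppp, call_id=0x1234, seq=7))
    return {"site": receive_site_to_site(outer), "pptp": pptp, "outer_proto": outer[9]}
```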

L2TP

The L2TP protocol appeared as a result of merging the PPTP and L2F protocols. The main advantage of L2TP is that it allows you to create a tunnel not only in IP networks but also in ATM, X.25 and Frame Relay networks. L2TP uses UDP as a transport and uses the same message format for both tunnel management and data forwarding.

As in the case of PPTP, L2TP begins assembling a packet for transmission into the tunnel by first adding the PPP header and then the L2TP header to the PPP information data field. The resulting packet is encapsulated in UDP. Depending on the type of IPSec security policy chosen, L2TP can encrypt the UDP messages and add an Encapsulating Security Payload (ESP) header and trailer, as well as an IPSec Authentication trailer (see the "L2TP over IPSec" section). Then it is encapsulated in IP: an IP header is added containing the sender and recipient addresses. Finally, L2TP performs a second PPP encapsulation to prepare the data for transmission. Fig. 6.9 shows the data structure to be sent over an L2TP tunnel.

Fig. 6.9. Data structure for forwarding over an L2TP tunnel

The receiving computer receives the data, processes the PPP header and trailer, and strips the IP header. IPSec Authentication authenticates the IP information field, and the IPSec ESP header helps decrypt the packet.

The computer then processes the UDP header and uses the L2TP header to identify the tunnel. The PPP packet now contains only the payload that is being processed or forwarded to the specified recipient.

IPsec (short for IP Security) is a set of protocols for securing data transmitted over the IP Internet Protocol, allowing authentication and/or encryption of IP packets. IPsec also includes protocols for secure key exchange on the Internet.

IPSec security is achieved through additional protocols that add their own headers to the IP packet (encapsulation). Because IPSec is an Internet standard, it is described in RFC documents:

    RFC 2401 (Security Architecture for the Internet Protocol) - security architecture for the IP protocol.

    RFC 2402 (IP Authentication Header) - IP authentication header.

    RFC 2404 (The Use of HMAC-SHA-1-96 within ESP and AH) - use of the SHA-1 hash algorithm to create the authentication header.

    RFC 2405 (The ESP DES-CBC Cipher Algorithm With Explicit IV) - use of the DES encryption algorithm.

    RFC 2406 (IP Encapsulating Security Payload (ESP)) - data encryption.

    RFC 2407 (The Internet IP Security Domain of Interpretation for ISAKMP) - scope of the key management protocol.

    RFC 2408 (Internet Security Association and Key Management Protocol (ISAKMP)) - key and authenticator management for secure connections.

    RFC 2409 (The Internet Key Exchange (IKE)) - key exchange.

    RFC 2410 (The NULL Encryption Algorithm and Its Use With IPsec) - the NULL encryption algorithm and its use.

    RFC 2411 (IP Security Document Roadmap) - further development of the standard.

    RFC 2412 (The OAKLEY Key Determination Protocol) - checking the authenticity of a key.

IPsec is an integral part of the IPv6 Internet Protocol and an optional extension of the IPv4 version of the Internet Protocol.

The IPSec mechanism performs the following tasks:

    authentication of users or computers during secure channel initialization;

    encryption and authentication of data transmitted between endpoints of a secure channel;

    automatic supply of channel endpoints with secret keys necessary for the operation of authentication and data encryption protocols.

IPSec Components

The AH (Authentication Header) protocol is an authentication header protocol. It ensures integrity by verifying that no bits in the protected part of the packet have been changed during transmission. But using AH can cause problems, for example when a packet passes through a NAT device. NAT changes the packet's IP address to allow Internet access from a private local address. Because the packet changes in this case, the AH checksum becomes incorrect (to eliminate this problem, the NAT-Traversal (NAT-T) protocol was developed, which transmits ESP over UDP and uses UDP port 4500). It is also worth noting that AH was designed for integrity only. It does not guarantee confidentiality by encrypting the contents of the packet.

The ESP (Encapsulation Security Payload) protocol provides not only the integrity and authentication of transmitted data, but also data encryption, as well as protection against packet spoofing.

The ESP protocol is an encapsulating security protocol that provides both integrity and confidentiality. In transport mode, the ESP header is between the original IP header and the TCP or UDP header. In tunnel mode, the ESP header is placed between the new IP header and the fully encrypted original IP packet.

Because both protocols, AH and ESP, add their own headers to the IP packet, each of them has its own protocol number (ID), which indicates what follows the IP header. According to IANA (Internet Assigned Numbers Authority, the organization responsible for the Internet address space), each protocol has its own number (ID). For example, for TCP this number is 6, and for UDP it is 17. Therefore, when working through a firewall it is very important to configure the filters so that they pass packets with the AH and/or ESP protocol ID.

Protocol ID 51 is set to indicate that AH is present in the IP header, and 50 for ESP.

ATTENTION: The protocol ID is not the same as the port number.

The IKE (Internet Key Exchange) protocol is a standard IPsec protocol used to secure communication in virtual private networks. The purpose of IKE is the secure negotiation and delivery of keying material to a security association (SA).

SA is the IPSec term for a connection. An established SA (a secure channel called a "security association", SA) includes a shared secret key and a set of cryptographic algorithms.

The IKE protocol performs three main tasks:

    provides a means of authentication between two VPN endpoints;

    establishes new IPSec links (creates a pair of SAs);

    manages existing relationships.

IKE uses UDP port number 500. When using the NAT Traversal feature, as mentioned earlier, the IKE protocol uses UDP port number 4500.
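As an added example (not from the page or from D-Link), a Python classifier for the firewall rule above: AH and ESP are recognised by IP protocol number 51 and 50, IKE by UDP port 500, and NAT-T traffic on UDP port 4500 is split into IKE (four zero bytes, the non-ESP marker of RFC 3948) and UDP-encapsulated ESP. The sample packets and addresses are constructed.

```python
import struct

PROTO_UDP, PROTO_TCP, PROTO_ESP, PROTO_AH = 17, 6, 50, 51
IKE_PORT, NAT_T_PORT = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: IKE inside UDP 4500 starts with four zero bytes


def classify(packet: bytes) -> str:
    """Name the IPsec role of an IPv4 packet, or 'other' if the filter should not match it."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto == PROTO_AH:
        return "AH"                     # matched by protocol number, not by any port
    if proto == PROTO_ESP:
        return "ESP"
    if proto == PROTO_UDP and len(packet) >= ihl + 8:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        udp_payload = packet[ihl + 8:]
        if IKE_PORT in (sport, dport):
            return "IKE"
        if NAT_T_PORT in (sport, dport):
            # IKE and UDP-encapsulated ESP share port 4500; a zero non-ESP marker means IKE,
            # otherwise the first four bytes are the ESP SPI.
            return "IKE-NAT-T" if udp_payload[:4] == NON_ESP_MARKER else "ESP-UDP"
    return "other"


def allowed_by_ipsec_filter(packet: bytes) -> bool:
    """Pass-through decision: protocol 50/51 or UDP 500/4500, nothing else."""
    return classify(packet) != "other"


def make_packet(proto: int, payload: bytes) -> bytes:
    """Constructed IPv4 header (checksum left 0) in front of a payload, for the samples below."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([203, 0, 113, 1]), bytes([198, 51, 100, 1])) + payload


def udp(sport: int, dport: int, data: bytes) -> bytes:
    """Constructed UDP header (checksum left 0) plus data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def demo() -> dict:
    samples = {
        "ah": make_packet(PROTO_AH, b"\x11\x04" + bytes(22)),            # next header 17, AH length 24
        "esp": make_packet(PROTO_ESP, b"\x00\x00\x01\x00" + bytes(12)),  # SPI 0x100, then sequence number
        "ike": make_packet(PROTO_UDP, udp(500, 500, bytes(28))),
        "ike_natt": make_packet(PROTO_UDP, udp(4500, 4500, NON_ESP_MARKER + bytes(28))),
        "esp_udp": make_packet(PROTO_UDP, udp(4500, 4500, b"\x00\x00\x02\x00" + bytes(12))),
        # Port 500 on TCP is not IKE: the protocol number identifies AH/ESP, and IKE is UDP only.
        "tcp_port_500": make_packet(PROTO_TCP, struct.pack("!HH", 500, 500) + bytes(16)),
        "dns": make_packet(PROTO_UDP, udp(40000, 53, bytes(16))),
    }
    return {name: classify(p) for name, p in samples.items()}
```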

Data exchange in IKE takes place in two phases. In the first phase, the IKE SA is established. At the same time, the endpoints of the channel are authenticated and data protection parameters are selected, such as the encryption algorithm, session key, etc.

In the second phase, the IKE SA is used to negotiate the protocol (usually IPSec).

With a configured VPN tunnel, one SA pair is created for each protocol used. SAs are created in pairs, as each SA is a unidirectional connection, and data must be sent in two directions. The received SA pairs are stored on each node.

Because each node is capable of establishing multiple tunnels with other nodes, each SA has a unique number that identifies which node it belongs to. This number is called the SPI (Security Parameter Index).

SAs are stored in a database, the SAD (Security Association Database).

Each IPSec node also has a second database, the SPD (Security Policy Database). It contains the host's configured policy. Most VPN solutions allow you to create multiple policies with combinations of suitable algorithms for each host you want to connect to.

The flexibility of IPSec lies in the fact that for each task there are several ways to solve it, and the methods chosen for one task are usually independent of the methods for implementing other tasks. However, the IETF Working Group has defined a core set of supported features and algorithms that must be implemented in the same way across all IPSec-enabled products. The AH and ESP mechanisms can be used with various authentication and encryption schemes, some of which are mandatory. For example, IPSec specifies that packets are authenticated using either the MD5 one-way function or the SHA-1 one-way function, and encryption is done using the DES algorithm. Manufacturers of products that run IPSec may add other authentication and encryption algorithms. For example, some products support encryption algorithms such as 3DES, Blowfish, Cast, RC5, etc.

Any symmetric encryption algorithm that uses secret keys can be used to encrypt data in IPSec.

The stream protection protocols (AH and ESP) can operate in two modes: transport mode and tunnel mode. In transport mode, IPsec deals only with transport-layer information; only the data field of the packet containing the TCP/UDP protocols is encrypted (the IP header is neither changed nor encrypted). Transport mode is typically used to establish a connection between hosts.

Tunnel mode encrypts the entire IP packet, including the network-layer header. In order for it to be transmitted over the network, it is placed in another IP packet. Essentially, this is a secure IP tunnel. Tunnel mode can be used to connect remote computers to a virtual private network (the "host-network" connection scheme) or to organize secure data transfer over open communication channels (for example, the Internet) between gateways, combining different parts of a virtual private network (the "network-network" connection scheme).

IPsec modes are not mutually exclusive. On the same host, some SAs may use transport mode, while others may use tunnel mode.

During the authentication phase, the ICV checksum (Integrity Check Value) of the packet is calculated. This assumes that both nodes know the secret key, which allows the recipient to calculate the ICV and compare with the result sent by the sender. If the ICV comparison is successful, the sender of the packet is considered authenticated.

In AH transport mode, the following components are included in the ICV checksum calculation:

    the entire IP packet, except for some fields in the IP header that can be changed in transit. These fields, whose values are taken as 0 for the ICV calculation, are Type of Service (TOS), flags, fragment offset, time to live (TTL) and the header checksum;

    all fields in AH;

    payload of IP packets.

AH in transport mode protects the IP header (except for fields that are allowed to change) and the payload in the original IP packet (Figure 3.39).

In tunnel mode, the original packet is placed in a new IP packet, and data transfer is performed based on the header of the new IP packet.

For AH tunnel mode, the following components are included in the ICV checksum calculation:

    all fields in the outer IP header, except for some fields in the IP header that can be changed in transit. These fields, whose values are taken as 0 for the ICV calculation, are Type of Service (TOS), flags, fragment offset, time to live (TTL) and the header checksum;

    all fields in AH;

    original IP packet.

As you can see in the following illustration, AH tunnel mode protects the entire original IP packet with an additional outer header that AH transport mode does not use:

Fig. 6.10. Tunnel and transport modes of operation of the AH protocol
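An added example (not from the page or the D-Link text) implementing the AH ICV rule just described, with HMAC-SHA-1-96 in Python: the mutable IPv4 fields and the ICV field are zeroed before hashing, so a TTL decrement on the path still verifies, while a NAT rewrite of the source address or a payload change does not; the tunnel-mode case carries the whole original packet behind an outer header. The key, addresses, SPIs and the UDP datagram are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51       # IP protocol number of AH
IPV4_IN_IP = 4      # AH next-header value for an encapsulated IPv4 packet (tunnel mode)
ICV_LEN = 12        # HMAC-SHA-1-96 (RFC 2404): the 20-byte MAC truncated to 96 bits
AH_FIXED_LEN = 12   # next header, payload length, reserved, SPI, sequence number


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header. The header checksum is left 0: it is a mutable field that is
    zeroed for the ICV anyway, and a real IP stack fills it in before sending."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def zero_mutable(ip_hdr: bytes) -> bytes:
    """Zero the fields that may change in transit: TOS, flags/fragment offset, TTL, checksum."""
    h = bytearray(ip_hdr)
    h[1] = 0                # Type of Service
    h[6:8] = b"\x00\x00"    # flags + fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h)


def compute_icv(key: bytes, ip_hdr: bytes, ah_no_icv: bytes, payload: bytes) -> bytes:
    """ICV over the zeroed IP header, the AH header with a zeroed ICV field, and the payload."""
    covered = zero_mutable(ip_hdr) + ah_no_icv + bytes(ICV_LEN) + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(key: bytes, src: str, dst: str, next_header: int, payload: bytes,
               spi: int, seq: int) -> bytes:
    """Sender side: IP header + AH + payload.
    Transport mode: next_header is the payload's protocol (e.g. 17 for UDP).
    Tunnel mode: next_header is 4 and the payload is the whole original IPv4 packet."""
    ah_len = AH_FIXED_LEN + ICV_LEN
    payload_len_field = ah_len // 4 - 2   # AH length in 32-bit words, minus 2 (RFC 2402)
    ah_no_icv = struct.pack("!BBHII", next_header, payload_len_field, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, ah_len + len(payload))
    return ip_hdr + ah_no_icv + compute_icv(key, ip_hdr, ah_no_icv, payload) + payload


def ah_verify(key: bytes, packet: bytes) -> bool:
    """Receiver side: recompute the ICV and compare it in constant time."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != AH_PROTO:
        return False
    ah_len = (packet[ihl + 1] + 2) * 4
    ah_no_icv = packet[ihl:ihl + AH_FIXED_LEN]
    received = packet[ihl + AH_FIXED_LEN:ihl + ah_len]
    payload = packet[ihl + ah_len:]
    return hmac.compare_digest(received, compute_icv(key, packet[:ihl], ah_no_icv, payload))


def demo() -> dict:
    key = b"constructed sample key, not for real use"   # would come from IKE in practice
    udp = struct.pack("!HHHH", 40000, 514, 8 + 5, 0) + b"hello"   # constructed UDP datagram

    # Transport mode: AH sits between the original IP header and the UDP payload.
    pkt = ah_protect(key, "192.168.1.10", "192.168.3.20", 17, udp, spi=0x100, seq=1)
    results = {"transport_ok": ah_verify(key, pkt)}

    ttl_changed = bytearray(pkt)
    ttl_changed[8] -= 1                      # a router on the path decrements TTL
    results["after_ttl_decrement"] = ah_verify(key, bytes(ttl_changed))

    natted = bytearray(pkt)
    natted[12:16] = ipaddress.IPv4Address("203.0.113.5").packed   # NAT rewrites the source
    results["after_nat"] = ah_verify(key, bytes(natted))

    tampered = bytearray(pkt)
    tampered[-1] ^= 0x01                     # one payload bit flipped in transit
    results["after_payload_change"] = ah_verify(key, bytes(tampered))

    # Tunnel mode: the whole original packet travels behind a new outer IP header.
    original = ipv4_header("192.168.1.10", "192.168.3.20", 17, len(udp)) + udp
    tun = ah_protect(key, "203.0.113.1", "198.51.100.1", IPV4_IN_IP, original, spi=0x200, seq=1)
    results["tunnel_ok"] = ah_verify(key, tun)
    results["tunnel_next_header"] = tun[20]   # first AH byte: 4 = an IPv4 packet follows
    return results
```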

In transport mode, ESP does not authenticate the entire packet but only protects the IP payload. In ESP transport mode, the ESP header is added to the IP packet immediately after the IP header, and the ESP Trailer is added after the data.

The ESP transport mode encrypts the following parts of the packet:

    IP payload;

An encryption algorithm that uses the Cipher Block Chaining (CBC) mode has an unencrypted field between the ESP header and the payload. This field, the IV (Initialization Vector), is needed for the CBC computation performed on the receiver. Since it is used to start the decryption process, it cannot itself be encrypted. Even though an attacker can see the IV, he cannot decrypt the encrypted part of the packet without the encryption key. To prevent attackers from changing the initialization vector, it is protected by the ICV checksum. In this case the ICV is calculated over:

    all fields in the ESP header;

    payload including plaintext IV;

    all fields in the ESP Trailer except for the authentication data field.

ESP tunnel mode encapsulates the entire original IP packet in a new IP header, an ESP header and an ESP Trailer. To indicate that ESP is present, the protocol field of the outer IP header is set to 50; the original IP header and payload are left unchanged. As with AH tunnel mode, the outer IP header is built from the IPSec tunnel configuration. In ESP tunnel mode the authenticated area of the packet shows what the signature covers, certifying its integrity and authenticity, and the encrypted part shows which information is protected and confidential. The original header is placed after the ESP header. After the encrypted part is encapsulated in a new, unencrypted tunnel header, the IP packet is transmitted. When sent over a public network, such a packet is routed to the IP address of the receiving network's gateway; the gateway decrypts the packet, discards the ESP header and uses the original IP header to route the packet to a computer on the internal network.

ESP tunnel mode encrypts the following part of the packet:

    the original IP packet.

For ESP tunnel mode, the ICV is calculated over:

    all fields in the ESP header;

    the original IP packet, including the plaintext IV;

    all fields in the ESP Trailer except for the authentication data field.

Fig. 6.11. Tunnel and transport modes of the ESP protocol

Fig. 6.12. Comparison of the ESP and AH protocols

Summary of IPSec application modes:

    Protocol - ESP (AH).

    Mode - tunnel (transport).

    Key exchange method - IKE (manual).

    IKE mode - main (aggressive).

    DH key - group 5 (group 2, group 1): the group number for selecting dynamically created session keys, i.e. the group length.

    Authentication - SHA1 (SHA, MD5).

    Encryption - DES (3DES, Blowfish, AES).

When creating a policy, it is usually possible to create an ordered list of algorithms and Diffie-Hellman groups. Diffie-Hellman (DH) is a key-exchange protocol used to establish shared secret keys for IKE, IPSec and PFS (Perfect Forward Secrecy). The first entry that matches on both nodes will be used, so it is very important that the security policy allows such a match: if everything else matches except one part of the policy, the hosts will still not be able to establish a VPN connection. When setting up a VPN tunnel between different systems, find out which algorithms each side supports so that you can choose the most secure policy possible.

The main settings that the security policy includes:

    Symmetric algorithms for data encryption/decryption.

    Cryptographic checksums to check data integrity.

    Node identification method. The most common methods are pre-shared secrets or CA certificates.

    Whether to use tunnel mode or transport mode.

    Which Diffie-Hellman group to use (DH group 1 (768-bit); DH group 2 (1024-bit); DH group 5 (1536-bit)).

    Whether to use AH, ESP, or both.

    Whether to use PFS.

A limitation of IPSec is that it only supports data transfer at the IP protocol layer.

There are two main schemes for using IPSec, differing in the role of the nodes that form the secure channel.

In the first scheme, a secure channel is formed between the end hosts of the network. In this scheme, the IPSec protocol protects the host on which it runs:

Fig. 6.13. Creating a secure channel between two endpoints

In the second scheme, a secure channel is established between two security gateways. These gateways receive data from end hosts connected to the networks behind them. The end hosts in this case do not support the IPSec protocol; traffic directed to the public network passes through the security gateway, which performs the protection on their behalf.

Fig. 6.14. Creating a secure channel between two gateways

For hosts that support IPSec, both transport mode and tunnel mode can be used. For gateways, only tunnel mode is allowed.

Installation and maintenance of a VPN

As mentioned above, installing and maintaining a VPN tunnel is a two-step process. In the first stage (phase), the two nodes agree on an identification method, an encryption algorithm, a hash algorithm and a Diffie-Hellman group, and identify each other. All this can happen through an exchange of three unencrypted messages (the so-called Aggressive mode) or six messages with encrypted identification information (Main mode).

In the Main Mode, it is possible to negotiate all the configuration parameters of the sender and recipient devices, while in the Aggressive Mode this is not possible, and some parameters (Diffie-Hellman group, encryption and authentication algorithms, PFS) must be pre-configured in the same way on each device. However, in this mode, both the number of exchanges and the number of packets sent are fewer, resulting in less time to establish an IPSec session.

Fig. 6.15. Message exchange in standard (a) and aggressive (b) modes

Assuming the operation completed successfully, a first-phase SA is created (Phase 1 SA, also called IKE SA) and the process proceeds to the second phase.

In the second phase, the key material is generated and the nodes agree on the policy to be used. This mode, also called Quick mode, differs from Phase 1 in that it can only be established after Phase 1, since all Phase 2 packets are encrypted. Successful completion of the second phase produces the Phase 2 SA (IPSec SA), and with this the establishment of the tunnel is considered complete.

First, a packet addressed to another network arrives at the node, and the node initiates the first phase with the node responsible for that network. Suppose the tunnel between the nodes has been successfully established and is waiting for packets. Nevertheless, the nodes need to re-identify each other and compare policies after a certain period of time. This period is called the Phase One lifetime or IKE SA lifetime.

Nodes must also change the key to encrypt data after a period of time called the Phase Two or IPSec SA lifetime.

Phase Two lifetime is shorter than the first phase, because the key needs to be changed more often. You need to set the same lifetime parameters for both nodes. If you do not do this, then it is possible that initially the tunnel will be established successfully, but after the first inconsistent period of life, the connection will be interrupted. Problems can also arise when the lifetime of the first phase is less than that of the second phase. If the previously configured tunnel stops working, then the first thing to check is the lifetime on both nodes.

It should also be noted that if you change the policy on one of the nodes, the changes will take effect only at the next onset of the first phase. For the changes to take effect immediately, you must remove the SA for this tunnel from the SAD database. This will force a revision of the agreement between nodes with the new security policy settings.
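The policy-matching rule (the first entry in the ordered list that matches on both nodes, with any single differing attribute ruling a proposal out) and the lifetime checks described above, as an added example that is not part of the original text. The attribute names, the proposal values and the lifetimes are constructed; the troubleshooting helper that reports the closest non-matching pair is my own addition, not a feature of any IKE implementation.

```python
from dataclasses import dataclass, fields
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proposal:
    """One entry of a node's ordered policy list (constructed attribute set)."""
    protocol: str     # "ESP" or "AH"
    mode: str         # "tunnel" or "transport"
    encryption: str   # "AES", "3DES", "DES", ...
    integrity: str    # "SHA1", "MD5", ...
    dh_group: int     # 1, 2 or 5
    auth: str         # "psk" (pre-shared secret) or "cert"
    pfs: bool


@dataclass(frozen=True)
class Lifetimes:
    phase1_seconds: int   # IKE SA lifetime
    phase2_seconds: int   # IPsec SA lifetime


def negotiate(initiator: List[Proposal], responder: List[Proposal]) -> Optional[Proposal]:
    """Return the first proposal in the initiator's ordered list that the responder
    also lists. Every attribute must be equal: a proposal that differs in even one
    attribute is not a partial match, it is no match at all."""
    accepted = set(responder)
    for proposal in initiator:
        if proposal in accepted:
            return proposal
    return None


def mismatched_attributes(a: Proposal, b: Proposal) -> List[str]:
    """Names of the attributes on which two proposals differ."""
    return [f.name for f in fields(Proposal) if getattr(a, f.name) != getattr(b, f.name)]


def closest_pair(initiator: List[Proposal],
                 responder: List[Proposal]) -> Optional[Tuple[Proposal, Proposal, List[str]]]:
    """Troubleshooting aid (hypothetical helper): the initiator/responder pair with the
    fewest differences, so an operator can see which setting is blocking the tunnel."""
    best = None
    for p in initiator:
        for q in responder:
            diff = mismatched_attributes(p, q)
            if best is None or len(diff) < len(best[2]):
                best = (p, q, diff)
    return best


def lifetime_problems(local: Lifetimes, remote: Lifetimes) -> List[str]:
    """The checks the text recommends: both lifetimes equal on both nodes, and the
    phase 1 lifetime longer than the phase 2 lifetime on each node."""
    problems = []
    if local.phase1_seconds != remote.phase1_seconds:
        problems.append(f"IKE SA lifetime differs: local {local.phase1_seconds}s, "
                        f"remote {remote.phase1_seconds}s")
    if local.phase2_seconds != remote.phase2_seconds:
        problems.append(f"IPsec SA lifetime differs: local {local.phase2_seconds}s, "
                        f"remote {remote.phase2_seconds}s")
    for side, lt in (("local", local), ("remote", remote)):
        if lt.phase1_seconds <= lt.phase2_seconds:
            problems.append(f"{side}: IKE SA lifetime ({lt.phase1_seconds}s) is not longer "
                            f"than IPsec SA lifetime ({lt.phase2_seconds}s)")
    return problems


if __name__ == "__main__":
    # Constructed policies: the initiator prefers AES/SHA1/group 5, the responder
    # offers AES only with MD5, so the nodes fall back to the 3DES entry.
    initiator = [Proposal("ESP", "tunnel", "AES", "SHA1", 5, "psk", True),
                 Proposal("ESP", "tunnel", "3DES", "SHA1", 2, "psk", True)]
    responder = [Proposal("ESP", "tunnel", "3DES", "SHA1", 2, "psk", True),
                 Proposal("ESP", "tunnel", "AES", "MD5", 5, "psk", True)]
    print("selected:", negotiate(initiator, responder))
    print("no match for the first entry because of:", closest_pair(initiator[:1], responder)[2])
    print(lifetime_problems(Lifetimes(28800, 3600), Lifetimes(86400, 3600)))
```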

Sometimes, when setting up an IPSec tunnel between equipment from different manufacturers, there are difficulties associated with the coordination of parameters during the establishment of the first phase. You should pay attention to such a parameter as Local ID - this is a unique identifier for the tunnel endpoint (sender and recipient). This is especially important when creating multiple tunnels and using the NAT Traversal protocol.

Dead peer detection

During VPN operation, if there is no traffic between the tunnel endpoints, or if the initial data of the remote host changes (for example, a dynamically assigned IP address changes), the tunnel may effectively cease to exist while still appearing configured, becoming a sort of ghost tunnel. To keep the created IPSec tunnel constantly ready for data exchange, the IKE mechanism described in RFC 3706 monitors the presence of traffic from the remote node of the tunnel, and if there is none for a set time, a hello message is sent (D-Link firewalls send a "DPD-R-U-THERE" message). If there is no response to this message within a certain time (set in D-Link firewalls by the "DPD Expire Time" setting), the tunnel is torn down. After that, D-Link firewalls, using the "DPD Keep Time" setting (Fig. 6.18), automatically attempt to re-establish the tunnel.

NAT Traversal protocol

IPsec traffic can be routed according to the same rules as other IP protocols, but since the router cannot always extract information specific to transport layer protocols, it is impossible for IPsec to pass through NAT gateways. As mentioned earlier, to solve this problem, the IETF has defined a way to encapsulate ESP in UDP, called NAT-T (NAT Traversal).

The NAT Traversal protocol encapsulates IPSec traffic and simultaneously creates UDP packets that NAT forwards correctly. To do this, NAT-T places an additional UDP header before the IPSec packet so that it is treated like a normal UDP packet throughout the network and the recipient host does not perform any integrity checks. After the packet arrives at its destination, the UDP header is removed and the data packet continues on its way as an encapsulated IPSec packet. Thus, using the NAT-T mechanism, it is possible to establish communication between IPSec clients in secure networks and public IPSec hosts through firewalls.
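The UDP encapsulation described above, as an added example that is not part of the original text: it follows the NAT-T framing of RFC 3948 (UDP port 4500, an ESP packet placed directly after the UDP header, and a four-byte zero "Non-ESP marker" in front of IKE messages so the receiver can tell the two apart, since an ESP SPI is never zero). The sample ESP and IKE bytes are constructed, and the NAT step only shows the port rewrite that makes the datagram translatable.

```python
import struct

NAT_T_PORT = 4500                      # UDP port for UDP-encapsulated ESP and IKE (RFC 3948)
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefix that distinguishes IKE from ESP on port 4500
UDP_HDR_LEN = 8


def udp_header(src_port: int, dst_port: int, payload_len: int) -> bytes:
    """UDP header with the checksum disabled (0), which RFC 3948 permits for IPv4."""
    return struct.pack("!HHHH", src_port, dst_port, UDP_HDR_LEN + payload_len, 0)


def wrap_esp(esp_packet: bytes, src_port: int = NAT_T_PORT) -> bytes:
    """Place a UDP header in front of the ESP packet. ESP begins with its SPI, which is
    never zero, so the first four bytes cannot collide with the Non-ESP marker."""
    if len(esp_packet) < 8 or esp_packet[:4] == NON_ESP_MARKER:
        raise ValueError("not a valid ESP packet")
    return udp_header(src_port, NAT_T_PORT, len(esp_packet)) + esp_packet


def wrap_ike(ike_message: bytes, src_port: int = NAT_T_PORT) -> bytes:
    """IKE on port 4500 carries the zero marker first, then the IKE message."""
    payload = NON_ESP_MARKER + ike_message
    return udp_header(src_port, NAT_T_PORT, len(payload)) + payload


def unwrap(datagram: bytes):
    """Receiver side: strip the UDP header and return ('ike', message) or ('esp', packet)."""
    _src, dst, length, _csum = struct.unpack("!HHHH", datagram[:UDP_HDR_LEN])
    if dst != NAT_T_PORT or length != len(datagram):
        raise ValueError("not a NAT-T datagram")
    payload = datagram[UDP_HDR_LEN:]
    if payload[:4] == NON_ESP_MARKER:
        return "ike", payload[4:]
    return "esp", payload


def nat_rewrite_source_port(datagram: bytes, new_port: int) -> bytes:
    """What a NAT device does with UDP: rewrite the source port and leave the rest alone.
    A raw ESP packet has no port fields, which is why ESP alone cannot be mapped through NAT."""
    return struct.pack("!H", new_port) + datagram[2:]


if __name__ == "__main__":
    # Constructed ESP packet: SPI 0x100, sequence 1, then opaque ciphertext
    esp = struct.pack("!II", 0x100, 1) + b"constructed ciphertext"
    datagram = nat_rewrite_source_port(wrap_esp(esp), 40001)   # after passing a NAT
    print(unwrap(datagram)[0], unwrap(datagram)[1] == esp)
    print(unwrap(wrap_ike(b"\x01" * 28))[0])
```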

There are two points to note when configuring D-Link firewalls on the receiving device:

    in the Remote Network and Remote Endpoint fields, specify the network and IP address of the remote sending device. Translation of the initiator's (sender's) IP address using NAT must be allowed (Figure 3.48);

    when using shared keys with multiple tunnels connected to the same remote firewall that have been NATted to the same address, make sure that the Local ID is unique for each tunnel.

Local ID can be one of:

    Auto - the IP address of the outgoing traffic interface is used as the local identifier;

    IP - the IP address of the WAN port of the remote firewall;

    DNS - a DNS address.

    Virtual Private Network technology is a generalized name for methods of connecting individual computers or other devices inside another environment. It can be used with various means of cryptographic protection, thereby increasing the security of data transmission, which is important in many cases, especially for the networks of large companies and banks.

    What is VPN

    The abbreviation VPN stands for Virtual Private Network. In fact, this type of connection allows you to create a dedicated zone in an existing environment. Machines included in it can see printers, hard drives and other common equipment, which is quite convenient. At the same time, no outsider can get into this selected zone.

    Create a connection

    In order to create and connect an environment of this type, you must have minimal knowledge of the computer and the Windows operating system. To carry out this operation, follow these steps in strict order:




    1. large icons;
    2. small icons;
    3. categories;

    After completing all the steps, it will be necessary to configure the VPN, taking into account all possible nuances. Each case has its own nuances. All of them must be taken into account. Most ISPs create step-by-step instructions specifically for interacting with their server.

    VPN setup

    Everything is completely individual, not only for different operators but also for different versions of Microsoft Windows, since each version changed how certain parameters are entered.

    Video: networking in an organization

    Windows XP

    For the Virtual Private Network to function normally in the Windows XP operating system, follow these steps in strict order:

    • press the "Start" button, select "Control Panel";

    • an area called "New Connection Wizard" will open, you must select an item called "Connect to the network at the workplace";

      Photo: Selecting "Connect to a network at my workplace"

    • in the window that opens, select the second item from the top, it is designated as "Connecting to a virtual private network";

      Photo: checkbox "Connect to a virtual private network"

    • the window that appears next allows you to write a name for the future environment - you can enter anything in it, it can be the name of the server, provider, or any random word, phrase;

    • after completing the previous window, specify the server with which the connection will be made (you can enter an IP address or specify it in some other way);

    • when the wizard completes, you can create a shortcut.

    It is often necessary to pay attention to various additional options for data exchange in normal mode.

    You can do this by doing the following in strict order:


    In each individual case, everything is purely individual, there is a direct dependence on a specific server or Internet provider.

    Windows 8

    In order to figure out how to create an environment of this type in the Windows 8 operating system, you need to perform just a few mouse clicks. This process is highly automated.

    You need to do it this way:

    • on an empty Desktop, find the network status icon and right-click it;

    • in the context menu that opens, select "Network and Sharing Center";

      Photo: Choosing a Network and Sharing Center

    • then select the icon signed as "Creating a new connection or network";

      Photo: Create a new connection or network icon

    • determine the method of communication, for work you need to click on "Use my Internet connection";

      Photo: item using my internet connection

    • after completing the previous step and clicking on the next button, you will need to enter the Internet address and the name of the destination object, as well as check other options related to credentials, the use of smart cards.

    After completing all the above actions, you need to decide on the various options regarding the functioning of the environment.

    For this you need:


    The setting of all parameters is purely individual in each case.

    Windows 7

    Setting up the connection in question in the operating system version 7 of Microsoft Windows is quite simple. Any user will cope with its implementation, even with the smallest experience of interacting with a PC.

    After the connection has already been created, the configuration is performed as follows:

    • open the list by left-clicking on the monitor icon in the lower right corner of the screen; a window will open with a button called "Connection";

    • click it to activate the tabs through which you can access the properties;

    • the window that opens next allows you to carry out comprehensive settings, there are the following tabs:

    Usually, for normal operation, painstaking adjustment of each parameter is required, otherwise the connection will not be established at all, or problems will constantly arise during use.

    How to set up a VPN on Android

    To operate an Android device with Virtual Private Network, you need to perform the following simple steps in strict order:


    After completing all of the above steps, you can get to work.

    Technology and properties

    It is possible to determine why a connection of the type in question is needed only by knowing its features and properties. First of all, it should be remembered that this type of communication implies various kinds of delays in the process of processing traffic.

    They are present for the following reasons:

    • a connection must first be established;
    • need to encrypt or decrypt data;
    • adding new headers to packets.

    Otherwise, the differences from other methods and protocols of work are insignificant. Global differences exist only in technology.

    It has the following features:

    • no need for a dial-up connection (no modems required);
    • no dedicated lines needed.

    To work in a secure environment of any type, you only need an Internet connection and special programs at both ends of the line that are capable of encrypting and decrypting protected data.

    The operation of a Virtual Private Network involves the use of tunneling (encapsulation). This data transfer method allows the sent packet of information to reach its final destination, where decapsulation takes place.

    Classification

    The connection type under consideration has a rather branched classification system.

    The Virtual Private Network is divided according to the type of environment security:


    Also, Virtual Private Network is often classified according to the method of implementation.

    There are the following varieties:

    • software solution (specialized software is used);
    • integrated solution (a whole complex of software and hardware is used).

    Protocols

    Virtual networks of this type can be implemented using the following protocols:

    • TCP/IP;
    • AppleTalk.

    Most networks today are designed using TCP/IP.


    Why do you need a VPN in the first place? Its main purpose is to protect information from outsiders. That is why it is often used for communication between different government agencies, as well as in other situations where the issue of data protection comes first.

    To understand what a VPN is, it is enough to decipher and translate this abbreviation. It stands for "virtual private network", which unites individual computers or local networks in order to ensure the secrecy and security of transmitted information. This technology involves establishing a connection with a special server over a public network using special programs. As a result, a channel appears within the existing connection, reliably protected by modern encryption algorithms. In other words, a VPN is a point-to-point connection within or over an insecure network, forming a secure tunnel for exchanging information between users and a server.

    Fundamental features of a VPN

    Understanding what a VPN is is incomplete without understanding its key features: encryption, authentication and access control. It is these three criteria that distinguish a VPN from an ordinary corporate network that operates over public connections. The implementation of these properties makes it possible to protect users' computers and organizations' servers. Information that passes through physically unprotected channels becomes invulnerable to external influence, and the possibility of its leakage and illegal use is excluded.

    VPN typology

    Having understood what a VPN is, you can proceed to consider its subspecies, which are distinguished based on the protocols used:

    1. PPTP is a point-to-point tunneling protocol that creates a secure channel over a normal network. The connection is established using two network sessions: data is transmitted via PPP using the GRE protocol, the connection is initialized and managed via TCP (port 1723). It can be difficult to set up on mobile and some other networks. Today, this type of VPN is the least reliable. It should not be used when working with data that should not fall into the hands of third parties.
    2. L2TP - layer 2 tunneling. This advanced protocol was developed from PPTP and L2F. Thanks to IPSec encryption, as well as combining the main and control channels into a single UDP session, it is much more secure.
    3. SSTP is SSL-based secure socket tunneling. This protocol creates reliable communications over HTTPS. For the protocol to function, port 443 must be open, which allows communication from any point, even from behind a proxy.

    VPN features

    The previous sections talked about what a VPN is from a technical point of view. Now let us look at this technology through the eyes of users and figure out what specific benefits it brings:

    1. Safety. Not a single Internet user will like it if his page on a social network is hacked or, even worse, passwords from bank cards and virtual wallets are stolen. VPN effectively protects personal data. Both outgoing and incoming information flows are transmitted through the tunnel in encrypted form. Even the ISP cannot access them. This item is especially important for those who often connect to the network in Internet cafes and other points with unsecured Wi-Fi. If you do not use a VPN in such places, then not only the transmitted information, but also the connected device will be at risk.
    2. Anonymity. A VPN solves the problem of hiding and changing IP addresses, because it never shows the user's real IP to the resources he visits. The entire flow of information passes through a secure server. A connection through anonymous proxies does not imply encryption, user activity is not a secret for the provider, and the IP can become known to the resource used. A VPN in this case presents its own IP as the user's.
    3. Unlimited access. Many sites are blocked at the level of states or local networks: for example, social media is not available at the offices of serious firms. But it is worse when you cannot get to your favorite site even from home. A VPN, replacing the user's IP with its own, automatically changes his location and opens the way to all blocked sites.

    Applications of VPN

    VPNs are most commonly used for:

    1. Providers and system administrators of companies, to provide secure access to the global network. Different security settings are used for work within the local network and for access at the general level.
    2. Administrators, to restrict access to the private network. This case is classic. With the help of a VPN, divisions of an enterprise are united, and remote connection of employees is also provided.
    3. Administrators, to aggregate networks of various levels. As a rule, corporate networks are multi-level, and each successive level is provided with increased protection. A VPN in this case provides greater reliability than a simple connection.

    The main nuances when setting up a VPN

    Users who already know what a VPN connection is often set out to set it up on their own. Step-by-step instructions on setting up secure networks for various operating systems can be found everywhere, but they do not always mention one important point. With a standard VPN connection, the default gateway is set to the VPN network, as a result of which the user loses Internet access or connects through the remote network. This creates inconvenience and sometimes leads to extra costs for paying for double traffic. To avoid trouble, do the following: in the network settings, find the TCP/IPv4 properties and, in the advanced settings window, uncheck the box that allows the use of the default gateway on the remote network.

    VPN is nothing more than Virtual Private Network technology. Translated approximately into Russian, it comes out as: a virtual private network.

    All this technology is simply designed to combine certain computers (their interconnection) in a secure network environment: for example, to provide the owners of these computers with an encrypted channel and anonymous access to third-party network resources.

    That is, let's say, something like a network within a network, but the use of VPN technologies provides a more secure connection of all connected computers. Thus, computer machines can be located in different parts of the world (distance is not critical) and their users can easily and safely exchange "secret" documents:

    But let's go in order:

    how VPN works

    Text by paragraph:

    Virtual Private Network - virtual private network - the general principle of technologies that make it easy to provide one or more network connections (a kind of logical local network) over the main network, for example the Internet.

    Virtual private networks are worked out through the so-called tunnels, which are established between "one or two" computers and remote servers.

    All data transmitted through this tunnel (or almost all) will be encrypted, that is, encoded.

    Well, for a fundamental example: imagine a certain lake (we will have it like the Internet) on top of which all kinds of sailboats, yachts, boats ... network users go. You can easily watch all this surfing! ..

    However, the VPN route (tunnel) in this picture acts like a submarine that travels under water through certain closed, encrypted channels (tunnels), and, as you understand, all the information placed inside this submarine of ours will be our information, but hidden from prying eyes and transmitted with the maximum possible secrecy between points (such an example - the pun is intended).

    The same is shown in the picture below:

    picture from someone else's site (the address is lost, but I really liked it)

    what can a VPN be used for by an ordinary user

    1. A certain site is blocked (no access) but you are desperate, you need to visit it ... a description of another way to solve the problem of visiting a blocked site.
    2. If we often use online banking, and we need to somehow secure our transactions.
    3. ... or some resource (website) is “broadcast” only for European countries, and again you don’t know ... you need to read “it”, or watch movies ...
    4. You don't want the sites you visit to track (and possibly steal) your data!
    5. Or, for example, you do not have a router, but it is possible to connect a couple of computers in a local network, thereby providing Internet access to both computers.

    Well, in order to enjoy all this benefit of VPN, it is enough to have: the network itself, a computer (tablet) and a remote server.

    the working principle of VPN and encryption looks like this

    A virtual network environment is created between the user's computer and the server with the VPN software installed. Well, for example Openvpn.

    In service programs, a key (password) is generated - which serves to encrypt (at the output) and decrypt (at the input) to the client (you and me)

    And with such a secured bundle, the computer creates a request - which is encrypted using the previously created key.

    Well, it’s hardly worth saying that all this “encryption” is transmitted through the tunnel to the server connecting the computers.

    After the data has successfully arrived through the tunnel at the server, it is decrypted and the request is carried out: sending a file (document), starting to play a song, etc ...))

    The server, on the other hand, prepares a response to the request and sends it to the client: it encrypts all of this, as ordered by you, "top secret".

    However, in order for the files to be received by you cleanly and readably, your computer decrypts the data with the previously created (generated) key.

    What's funny:

    devices included in a virtual private network can be located at any distance from each other (i.e. not tied to geographic restrictions)

    how and where you can use VPN technology

    The inventors of such a miracle advise using vpn to transfer any data (this is ideally) so that they do not end up in the hands of third or fourth parties: well, you understand - all sorts of passwords, logins ... card numbers, love correspondence, etc ...

    This technology is especially helpful when you and I use open Wi-Fi access points somewhere in cafes, amusement parks and airports ...

    The technology will also come in handy for those comrades who want to freely access any sites / tracker services, including those blocked by a certain provider, or resources that have limited the circle of their users.

    some differences between VPN and TOR, proxy and anonymizers

    The VPN works globally and redirects all network traffic through the tunnel of the system software installed on the computer.

    Any request - through a browser, chat, cloud storage client, such as dropbox - before arriving at the addressee, rushes through the tunnel and is encrypted. Intermediate “machines”, like Susanin, confuse the traces of “your data”, encrypt and decrypt only before sending it to the final addressee: that is, you and me. What!

    And as a result of a wonderful meaning - the final destination of the request, for example, a site where we would not like to leave our mark)) captures not the user's data (ours), not ours geographical position and so on and so forth... BUT!! VPN server data.

    i.e. it is theoretically difficult to track which sites the user is interested in (and visits) and what he works for there (our interests are secret)).

    To a certain extent, anonymizers, proxies and TOR can rightly be considered analogues of VPNs, however, all these listed goodies lose out in some ways and are inferior to virtual private networks - VPNs.

    Therefore, let's see what:

    What is the difference between VPN and TOR

    Very similar to a VPN, TOR technology encrypts requests and transfers them from the user to the server. And, accordingly, vice versa. Only here is a lovely catch - the TOR system does not create permanent tunnels !! the ways of transmitting / receiving user data change with each request (request), and this, as you understand, reduces the chances of intercepting valuable data packets. However, it should be said: the constant processing / creation of "ciphers" has a powerful effect on the speed of delivery of the data packets themselves.

    The choice is ours.

    TOR - maintained by enthusiasts. Absolutely free! and in that case, "freebies" to expect some stable operation do not have to.

    what is the difference between a VPN and a proxy

    No encryption, just...

    Proxy, like VPN, redirects the request from site to site (user's computer) and similarly passes this request through some intermediary servers (located somewhere far away).

    However, the hidden hitch makes you wonder!! - it is not difficult to intercept requests organized by proxy, - information is exchanged without any, even simple encryption.

    Alex will not come to Eustace))

    what is the difference between VPN and anonymizer

    Suffice it to say that the anonymizer is a castrated (stripped down) version of the proxy, capable of more or less decent work only in the window of an open browser tab (limited by the browser).

    Through the anonymizer, you may be able to access the desired page, but you will never be able to use most of the features (its counterparts described above).

    Is it worth adding that there is nothing to talk about any kind of encryption ...

    In terms of data exchange speed, of course, proxy will win, because channel encryption is not used.

    So far, VPN has firmly established itself in second place, because it is able to clearly provide not only anonymity, but also protection over an “encrypted channel / tunnel”.

    The third place was captured by the anonymizer, although it is limited to working in an open browser (browser) window.

    TOR comes to the rescue when there is no time, desire or opportunity to connect to a VPN. As you understand from the above, you should not count on high-speed processing of our requests.

    Of course, these are very approximate calculations of charms and speeds, but - fundamentally close! because a lot depends on the workload of the World servers used. Or from the accepted laws of this or that country of this world.

    …what you need to know when choosing

    A fashionable article in modern times about that - because even if they lag behind Telegram, they will certainly stick to some other site !! So it is useful to have knowledge at hand! and knowledge in the article at the link ...

    (using NordVPN as an example)…

    ... and finally, let's see

    how to connect to internet via vpn

    The ru segment offers a lot and a lot of ways and services to provide access to VPN. And many more variations to connect to vpn in the world!

    Services are paid! - leave the free ones out of brackets.

    From a few dollars to several tens/hundreds of dollars per month/year.


    If something is not clear and you have questions, share them in the comments ...
