IPSec and VPN Tunnels

Lab Overview.  This lab is an introduction to IPSec and VPN tunnels, where you will create a VPN and use IPSec to configure the permissions of the tunnel.  This lab is broken down into four sections.  The first section describes the lab and the overall objective.  The second section covers all the technical details you must know to complete the lab objectives.  The third section covers the VPN parameters and capturing traffic with Ethereal.  The final section holds the lab report format.  This lab is used in IS2820/TELECOM2813 Security Management.

Lab resources for this assignment. 

  • 2 PIX 501 Firewalls (PIX1 , PIX2)
  • 3 Windows 2000 PCs (PC1, PC2, PC3)
  • 2 WS 2940 Workgroup switches (SW1, SW4)
  • 1 WS 3550 Workgroup switch
  • 1 Hub
  • Cables and patch cords

Preliminary questions. 

1. What are the benefits or disadvantages of VPNs? Briefly mention the ways in which VPNs can be implemented.

2. What are the characteristics of each one of the phases of the ISAKMP/IKE protocol setup? What information is required during the setup of each phase?

Lab objective.  The network structure for this lab is shown in Figure 1. All computers shown have the IP addresses displayed in the figure and are configured as FTP and Telnet servers.


Figure 1

You must establish an IPSec VPN tunnel between the two firewalls (PIX 501) so that the traffic that flows through the tunnel from LAN1 to LAN2 is encrypted and cannot be interpreted by any intruder in the public network.

Part A Requirements. 

1. Allow telnet access to PC1 from any PC outside LAN1.

a. PC1's true IP address should not be revealed, so it is recommended that you create a static NAT entry for PC1.

2. Configure NAT in PIX1 and PIX2.

3. Establish a telnet session from PC3 to PC1 and capture the session's traffic with Ethereal on PC2 (the intruder's PC). Log in from PC3 to PC1 with your seclab account.

4. Analyze the captured traffic and determine the packets in which the seclab account's password is being sent.

The FTP service is not started automatically when you log in. You'll have to activate it by following the procedures mentioned later in this document.

Compliance criteria for Part A. 

1. Users from the networks outside LAN1 (PC3 and PC4) can telnet to PC1.

2. Traffic from the private network that goes into the public network must not reveal the private network’s IP addresses.

3. The traffic flow between LAN1 and LAN2 can be captured for your analysis.

Part B Requirements. 

1. Reconfigure PIX1 and PIX2 to establish an IPSec VPN tunnel between them that secures traffic flowing from LAN1 to LAN2, that is, traffic flowing from 10.10.10.0 to 10.10.3.0.  For true VPN functionality, traffic between LAN1 and LAN2, and only that traffic, must be exempt from address translation. Additionally, services on LAN1 and LAN2 should work for any user of either LAN.

2. Establish a telnet session from PC3 to PC1 and capture the session's traffic with Ethereal on PC2. Log in from PC3 to PC1 with your seclab account.

3. Analyze the captured traffic and determine the differences from the packets captured for a similar session in Part A.

4. Can you access any service on the PCs of LAN1 or LAN2 from PC4? Can the PCs from either LAN access services on PC4? What does this tell you about the security of the VPN tunnel you have configured?

Compliance criteria for Part B. 

1. Telnet and FTP access among the computers on LAN1 and LAN2 works (PC1 can Telnet to PC3 and vice versa; PC1 can FTP to PC3 and vice versa).

2. The captured traffic flow between LAN1 and LAN2 shows encrypted packets.
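
As an added example (not part of the lab handout, and not Ethereal's code), the following Python script performs the kind of check that Part A step 4 and compliance criterion 2, and Part B step 3 and compliance criterion 2, ask you to do by hand in Ethereal: it parses raw Ethernet/IPv4 frames, reports Telnet payload that is readable in cleartext, flags RFC 1918 source or destination addresses leaking into the public network (NAT not applied), and counts ESP packets, which is what the Part B capture should show in place of readable Telnet. Every frame below is constructed inline: the zero MAC addresses, the 192.0.2.x documentation addresses standing in for the PIX outside interfaces and the static NAT entry, the 10.10.3.5 host address and the "secret" password are all made up for the example; the lab's real addresses come from Figure 1.

```python
"""Classify captured frames as cleartext Telnet vs. IPsec ESP and check for
leaked private addresses.  Added example; not part of the lab handout.
All frames are constructed inline, not captured from the lab network."""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_ESP = 50
TELNET_PORT = 23

# RFC 1918 ranges checked explicitly (ipaddress.is_private would also match
# the 192.0.2.0/24 documentation range used below for the "public" side).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_ipv4(src, dst, proto, payload):
    """Build a minimal Ethernet + IPv4 frame (zero MACs, zero checksum): constructed test data."""
    total_len = 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip_hdr + payload


def build_tcp(sport, dport, payload):
    """Minimal 20-byte TCP header (data offset 5, PSH|ACK) followed by payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload


def analyze_frame(frame):
    """Describe one Ethernet frame: addresses, kind (telnet/esp/tcp/other) and visible Telnet text."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return {"kind": "non-ip"}
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[23]                      # IPv4 protocol field
    src = str(ipaddress.IPv4Address(frame[26:30]))
    dst = str(ipaddress.IPv4Address(frame[30:34]))
    l4 = frame[14 + ihl:]
    info = {"src": src, "dst": dst, "kind": "other", "text": None}
    if proto == IPPROTO_ESP:
        # ESP: only the SPI and sequence number are readable; the rest is ciphertext
        info.update(kind="esp", spi=struct.unpack("!I", l4[:4])[0])
    elif proto == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", l4[:4])
        doff = (l4[12] >> 4) * 4           # TCP data offset in bytes
        data = l4[doff:]
        if TELNET_PORT in (sport, dport):
            # Telnet carries keystrokes, including the password, as plain ASCII
            info.update(kind="telnet", text=data.decode("ascii", errors="replace"))
        else:
            info.update(kind="tcp")
    return info


def leaks_private_address(info):
    """True if either outer IP address is an RFC 1918 address, i.e. NAT did not hide it."""
    return any(ipaddress.IPv4Address(info[k]) in net
               for k in ("src", "dst") if k in info for net in RFC1918)


def summarize(frames):
    """Counts a reviewer would compare between the Part A and Part B captures."""
    results = [analyze_frame(f) for f in frames]
    return {
        "cleartext_telnet": sum(1 for r in results if r["kind"] == "telnet"),
        "esp": sum(1 for r in results if r["kind"] == "esp"),
        "private_address_leaks": sum(1 for r in results if leaks_private_address(r)),
        "visible_text": "".join(r["text"] for r in results if r.get("text")),
    }


# Constructed Part A-style capture: NAT-translated Telnet in cleartext, plus one
# frame whose private source address was not translated.
PART_A_FRAMES = [
    build_ipv4("192.0.2.20", "192.0.2.10", IPPROTO_TCP, build_tcp(1043, TELNET_PORT, b"secret\r\n")),
    build_ipv4("10.10.3.5", "192.0.2.10", IPPROTO_TCP, build_tcp(1044, TELNET_PORT, b"ls\r\n")),
]
# Constructed Part B-style capture: the same session inside the tunnel appears as ESP
# between the two PIX outside addresses, with opaque payload.
PART_B_FRAMES = [
    build_ipv4("192.0.2.10", "192.0.2.20", IPPROTO_ESP, struct.pack("!II", 0x1000, 1) + bytes(range(16))),
]

if __name__ == "__main__":
    print("Part A:", summarize(PART_A_FRAMES))
    print("Part B:", summarize(PART_B_FRAMES))
```

To apply this to a real Ethereal capture, pass each frame's raw bytes from a pcap reader of your choice into analyze_frame; the build_ipv4 and build_tcp helpers exist only to keep the example self-contained.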