
VPN? I am clueless.

RobAnybody
edited June 2008 in Help / Advice Forum
So there is a job I want really badly. But they require you to have some knowledge of VPN. I understand that it's a Virtual private network, I have hit up Wiki and whatnot. I get that it doesn't bestow extra security. It seems that it more or less helps organize things, and cuts down on the amount of cable you have to run. However, I feel like this is a pretty significant hole in my knowledge base, given that I am sure there is more to it than that.

Can anyone shed some light on this VPN stuff? Like what I have to understand about how it works, what are some critical resources for learning more, why people would choose it over other networking methods, etc. Thank you in advance :)

"When a man's hands are even with your head, his crotch is even with your teeth."
-Ancient Dwarfish Proverb

Posts

  • mastman
    edited June 2008
    It's a tunneling program designed to let you work on networks without having to actually be there. Many companies lock down (restrict access to) file servers, print servers, and other such internal resources to a small subset of IP addresses for security purposes. Usually the IP range is the range that the company owns, and thus only machines physically in the office can use them. VPN allows you to make use of these things without having to actually be in the office.

    If you are connected to a vpn host, all of your network traffic is routed through the host, to your "virtual" ip address then to your computer. You appear on the intarwebs as your virtual IP address, not your real one.

  • El Roach0
    edited June 2008
    First read this

    It's very dumb... and breaks up little pieces that really don't need to be broken up. Explains in big chunks sometimes, small ones others...

    Then read this

    I think between the two, you'll piece it together.

  • DrFrylock
    edited June 2008
    Yeah. Basically it lets a computer out there on the Internet pretend to be on the internal company network/intranet. It does this by establishing a (usually encrypted) tunnel - so from this perspective it actually does add a measure of security. For example, if I connect to some open wireless access point at the Airport or at Starbucks or something, anybody can snoop all my traffic, including the Starbucks or the airport. However, if I establish a VPN tunnel back to my company, all my traffic is routed through there, encrypted. It also lets me access internal servers that are behind the company firewall.

  • PirateJon
    edited June 2008
    They probably aren't going to ask you to define "VPN", they're going to want you to use/administer it. This depends heavily on the pieces - mobile clients, site to site, etc.

    You should find out what they use and start reading manuals. Example - we have an old Cisco 3000 vpn concentrator. Once we have some free time (ha!) we're going to be replacing that with a checkpoint flavor.

  • Ruckus
    edited June 2008
    We use checkpoint for most of our Site VPN gateways, but a good free VPN capable firewall is m0n0wall (yes those are zeros). It's essentially a bootable linux image that runs off a CD and Floppy disk, on any i386 platform computer with two or more network cards, turning pretty much any box into an instant firewall/router/VPN gateway.

  • PeekingDuck
    edited June 2008
    I just use VPN to get on my company network from home. I don't think it is a big deal.

  • bowen
    edited June 2008
    PirateJon wrote: »
    They probably aren't going to ask you to define "VPN", they're going to want you to use/administer it. This depends heavily on the pieces - mobile clients, site to site, etc.

    You should find out what they use and start reading manuals. Example - we have an old Cisco 3000 vpn concentrator. Once we have some free time (ha!) we're going to be replacing that with a checkpoint flavor.

    Cisco units fill me with unbridled rage! Seriously, even a nano-ITX chip can support a web-based GUI, get over yourself and make it easier on us overworked system admins. Bastards.

    But that aside, even Netgear and Linksys routers support VPN, and it's relatively easy to do site-to-site and client VPNs with them. Hell, SonicWall is easy to do it with (a lot of places I know prefer SonicWall). The only ones I can see you having trouble with are the older Cisco units (new ones are getting away from that, it seems?) that we all know and love.

  • AtomBomb
    edited June 2008
    We use SonicWall so one of our remote locations can connect to our mail server and an IBM iSeries. You install a program on the client, assign user names and passwords, and that's about it.

  • bowen
    edited June 2008
    AtomBomb wrote: »
    We use SonicWall so one of our remote locations can connect to our mail server and an IBM iSeries. You install a program on the client, assign user names and passwords, and that's about it.

    You need more than that? That's more than some VPN routers/firewalls give.

  • vonPoonBurGer
    edited June 2008
    I learned a bunch about VPN technology during my previous job. The first thing to realize is that there are two broad kinds of VPN connections:

    1) Client connections. This is where a single remote user (who can be anywhere; at home, in their hotel, at a wifi hotspot, wherever) connects to a VPN concentrator using a username and password. The actual client software may be installed on the user's PC, or it may be a web-based client, where the user navigates to a web page, provides their username and password, and a browser widget handles the encryption and transmission of tunneled traffic. Almost all of the configuration (e.g. the address pool from which the client gets an IP address, restrictions on their connectivity, split tunneling setting, etc.) is done on the concentrator.

    2) Point-to-point connections. Also known as LAN-to-LAN or site-to-site connections, depending on which VPN vendor is writing the documentation. With this type of connection, all settings are defined ahead of time, e.g. the two endpoint IP addresses, the network ranges that will be permitted to communicate via the tunnel, encryption settings, preshared key. Also, the settings must be defined on both sides before the tunnel will work, and the settings have to match on both ends of the tunnel.

    The second thing to realize is that there are two phases to the standard VPN handshake process. In Phase 1, IKE (Internet Key Exchange) is negotiated. On the Cisco gear I worked with, success in Phase 1 IKE negotiation would result in a tunnel being created between the two endpoints. The IKE tunnel is only used for managing the keys that are used to encrypt the traffic, and it is only used so the two endpoints can securely communicate. Actual traffic between the two endpoints, and any clients/networks behind them, won't flow until Phase 2 IPSec (Internet Protocol Secure) completes.

    For clients connecting to a VPN concentrator, troubleshooting is usually pretty basic stuff. Can they ping the concentrator, is their account enabled, do they need their password reset, is there a free address in the IP pool they're using, etc. You can have all kinds of problems, but usually the message in the concentrator logs will point you directly to the solution, maybe with a little googling. Where it tends to get squirrelly is when you're troubleshooting connections between two concentrators/networks. It's actually pretty easy once you get the hang of it though, it mainly involves checking the logs to see if the connection is failing in Phase 1 or Phase 2. Once you know the phase where the problem is occurring, there's only a handful of settings related to that phase that you need to confirm. Your logs may point fairly directly to which particular setting is the issue, but don't count on it.

    For Phase 1, the vital settings I'd usually have to verify were:
    • IKE DH (Diffie-Hellman) group, e.g. group 1, group 2, etc.; this is used to determine the size of the prime number (e.g. 768-bit, 1024-bit) involved in the key exchange
    • IKE Authentication algorithm, usually MD5 or SHA; this is the hash algorithm that will be used to ensure that packets haven't been tampered with or mangled during transmission
    • IKE Encryption algorithm, e.g. 3DES or AES-256; this is the encryption algorithm that will be used to encrypt the key exchange packets
    • the preshared key or RSA signature, depending on which the connection in question was using
    • aggressive vs. main mode; due to intervendor implementation differences, some remote peers preferred one or the other
    For Phase 2 problems, the pertinent settings to check were:
    • IPSec Authentication algorithm, again usually MD5 or SHA; does the same thing as the IKE Auth setting, but for the IPSec tunnel
    • IPSec Encryption algorithm; does the same thing as the IKE Encrypt setting, but for the IPSec tunnel
    • for a site-to-site connection, local and remote networks; my local network definition had to be their remote network definition, and vice versa, and those definitions had to match exactly
    • for a site-to-site connection, network ranges vs. individual hosts; some vendors allow you to specify network ranges, but when they do the IPSec handshake it actually creates tunnels between individual IP addresses. For those sorts of situations, there was an option in the Cisco gear to toggle this behavior.
    For most site-to-site connections, most issues were headed off ahead of time by sending a form to my counterpart at the remote site that basically said "my settings look like this, make yours look exactly like mine, or tell me what specific settings you'd prefer if you don't like mine". In my situation, I owned one end of the tunnel, so I was reliant on the guy on the other end to configure his stuff correctly, which could be frustrating. If you own both endpoints, things are far easier, since you can simply configure the two sides to match, and they'll probably be from the same vendor to boot, meaning no strange intervendor issues.

    So there you go, that's the vast majority of what I know about VPN troubleshooting, in less than 1000 words.

  • RobAnybody
    edited June 2008
    Thank you so much guys! That is an amazing amount of knowledge there, and now I need to digest all of it over the next few days, hehe. The site links were especially good, and thanks vonPoonBurGer for giving me the impressive body of your experience so concisely.

    Wee learning new networking stuff! Thanks again!
