Exercises on Virtual Private Networks (VPNs)

NetGroup – politecnico di Torino – TSR – Exercises: VPN

Posted on 22-Jul-2020, 20 pages

Transcript

Page 1: Exercises on Virtual Private Networks (VPNs)
netgroup.polito.it/courses/Didattica/CNTS-TSR_slide/07...

November 2005

Copyright: see note on page 2

NetGroup – politecnico di Torino

TSR – Exercises: VPN - 1

Exercises on Virtual Private Networks (VPNs)


Exercise 1

Observe the following capture file, and answer the following questions, assuming an access VPN with a block of addresses 130.192.225.0/24:

1. Is the capture above complete, in terms of packets exchanged to establish a connection? Why?
2. What kind of authentication mechanism (if any) is used?
3. What is the IP address of the VPN client (before opening the connection)?
4. What is the IP address of the VPN gateway?
5. Based on the information shown above, is the VPN access centralized or distributed? Why?
6. Describe the path that is used by the HTTP packets.


Exercise 1 – solution (1/2)

1. The capture file is complete, because it includes all the phases required to open a VPN tunnel:
- PPTP (control channel)
- PPP – LCP (layer 2 configuration)
- PPP – IPCP (layer 3 configuration)

2. It is possible to see from packets 9 and 12 that the authentication mechanism used is CHAP.

3. The IP address of the client is a private one, 10.0.0.101. The client accesses the Internet through a NAT (otherwise the packet exchange would not be possible).

4. The IP address of the VPN gateway is 130.192.225.254.

See the packets used to set up the tunnel.


Exercise 1 – solution (2/2)

5. If we look at the fragment of HTTP interaction in the file we can see that:
- the packets are not encapsulated
- the HTTP server is in a network different from the corporate one
Hence the access is distributed.

6. This is the path followed by the HTTP packets:

(Figure: path diagram with the labels corporate net, net 1 and net 2.)


Exercise 2

Observe the following capture file, and answer the following question, assuming an access VPN with a block of addresses 130.192.225.0/24:

1. Does the capture file include all the packets required to set up a VPN tunnel?


Exercise 2 – solution

The capture file is incomplete:
- the PPP – IPCP phase is missing
- host A cannot receive an IP address of the corporate network


Exercise 3

Observe the following capture file, and answer the following questions, assuming an access VPN with a block of addresses 130.192.225.0/24:

1. Comment on the results of the tunnel setup procedure.
2. Does the capture file include all the packets required to establish a tunnel? Why?


Exercise 3 – solution

1. The VPN is not established. In the capture file, it is possible to see that something goes wrong during the CHAP authentication: the username and/or password are not valid.

2. The capture file is a complete one. It includes all the packets required to set up the tunnel (even if the procedure does not succeed). The capture file also includes the PPTP packets.


Exercise 4

Observe the following capture file, and answer the following questions, assuming an access VPN with a block of addresses 130.192.225.0/24:

1. Does the capture file include all the packets required to establish a VPN tunnel? Why?
2. Is the VPN access distributed or centralized? Why?
3. What is the IP address obtained by the client during the VPN connection establishment?
4. Describe the path followed by HTTP packets, with an explicit indication of all the IP addresses assigned to the parties involved.


Exercise 4 – solution (1/2)

1. The capture is complete, because it includes all the phases needed to establish a VPN tunnel.

2. Observe the following details in the capture file: the VPN access is centralized, because the HTTP packets are encapsulated.

3. The address is 130.192.225.203 (see the capture details).

(Figure: capture details with the following callouts: source IP of the host (private); IP of the VPN gateway, encapsulation; IP address of the host (within the VPN); IP of the HTTP server.)


Exercise 4 – solution (2/2)

4. This is the requested schema:

(Figure: path diagram with the labels corporate net, Net 1 and Net 2.)


Exercise 5

Assuming a centralized VPN access to the Internet based on PPTP, and the topology of the figure below, answer the following questions:

1. What is the format of the following packets (including the encapsulation headers, when applicable)?
   1. A PPTP packet exchanged during the PPP setup phase
   2. An HTTP GET packet sent by host A to the web server B
   3. The response packet, as it is sent by the server B
   4. The response, as it is received at host A

2. Show the path followed by the HTTP packets.

Topology (from the figure):
- Net 1 (130.192.12.0/24): host A (130.192.12.51), router 1 (130.192.12.254), DNS 1
- Corporate net (130.192.16.0/24): router 2, VPN gateway (130.192.16.254), HTTP server A (130.192.16.26), corporate DNS
- Net 2 (130.192.18.0/24): router 3 (130.192.18.254), HTTP server B (130.192.18.14), DNS 2


Exercise 5 – solution (1/3)

1. 130.192.16.202

2. The format of the different packets is shown below:

1) PPTP packet exchanged during the PPP setup phase
Ethernet header: MAC src: host A; MAC dst: router 1
IP header: IP src: 130.192.12.51 (host A); IP dst: 130.192.16.254 (VPN gw)
GRE header: Protocol type: PPP
PPP header: Protocol: LCP
PPP-LCP header

2) HTTP GET packet sent by host A
Ethernet header: MAC src: host A; MAC dst: router 1
IP header: IP src: 130.192.12.51 (host A); IP dst: 130.192.16.254 (VPN gw)
GRE header: Protocol type: PPP
PPP header: Protocol: IP
IP header: IP src: 130.192.16.202 (host A in VPN); IP dst: 130.192.18.14 (HTTP server)
TCP header
HTTP header


Exercise 5 – solution (2/3)

2. Continued:

3) Response packet, as it is sent by server B
Ethernet header: MAC src: HTTP server; MAC dst: router 3
IP header: IP src: 130.192.18.14 (HTTP server); IP dst: 130.192.16.202 (host A in VPN)
TCP header
HTTP header

4) Response packet, as it is received at host A
Ethernet header: MAC src: router 1; MAC dst: host A
IP header: IP src: 130.192.16.254 (VPN gw); IP dst: 130.192.12.51 (host A)
GRE header: Protocol type: PPP
PPP header: Protocol: IP
IP header: IP src: 130.192.18.14 (HTTP server); IP dst: 130.192.16.202 (host A in VPN)
TCP header
HTTP header
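Worked example added here (not code from the slides): the header chain of packet 2) is built as bytes and then parsed back the way a capture tool would, and a second, bare packet from the private client address of Exercise 1 shows the centralized/distributed decision of Exercises 1 and 4. The GRE layout (RFC 2637 key and sequence fields), the compressed PPP address/control fields, the TCP port and sequence values and the GET line are assumptions.

```python
import struct
from ipaddress import IPv4Address

# Constructed example (not from the slides): Exercise 5 packet 2), the HTTP GET as PPTP carries it,
# built and then parsed header by header. Ethernet header omitted; IP/TCP checksums left at zero.
IPPROTO_GRE, IPPROTO_TCP = 47, 6
GRE_TYPE_PPP = 0x880B   # GRE protocol type for PPP (RFC 2637 "enhanced GRE")
PPP_PROTO_IP = 0x0021   # PPP protocol field for IPv4

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)
def gre_pptp_header(payload_len, call_id, seq):
    # flags 0x30 = K (key) and S (sequence) set, version 1; key = payload length + call ID
    return struct.pack("!BBHHHI", 0x30, 0x01, GRE_TYPE_PPP, payload_len, call_id, seq)
def http_get_via_pptp(host_a, vpn_gw, host_a_vpn, server, http):
    # IP(host A -> VPN gw) / GRE / PPP / IP(host A in VPN -> server) / TCP / HTTP
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    inner = ipv4_header(host_a_vpn, server, IPPROTO_TCP, len(tcp) + len(http)) + tcp + http
    ppp = struct.pack("!H", PPP_PROTO_IP) + inner   # PPP address/control fields assumed compressed away
    gre = gre_pptp_header(len(ppp), call_id=1, seq=1) + ppp
    return ipv4_header(host_a, vpn_gw, IPPROTO_GRE, len(gre)) + gre

def walk_headers(pkt):
    """Headers from the outside in; stops at TCP or at the first thing it cannot parse."""
    chain, off = [], 0
    while True:
        proto = pkt[off + 9]
        chain.append(f"IP {IPv4Address(pkt[off+12:off+16])}->{IPv4Address(pkt[off+16:off+20])}")
        off += (pkt[off] & 0x0F) * 4
        if proto == IPPROTO_TCP:
            return chain + ["TCP"]
        if proto != IPPROTO_GRE:
            return chain + [f"proto {proto}"]
        flags, ver, gtype = struct.unpack("!BBH", pkt[off:off + 4])
        # optional GRE fields: key (K, 0x20), sequence (S, 0x10), acknowledgement (A, top bit of ver)
        off += 4 + (4 if flags & 0x20 else 0) + (4 if flags & 0x10 else 0) + (4 if ver & 0x80 else 0)
        chain.append("GRE")
        if gtype != GRE_TYPE_PPP:
            return chain + [f"GRE type 0x{gtype:04x}"]
        off, ppp_proto = off + 2, int.from_bytes(pkt[off:off + 2], "big")
        chain.append("PPP")
        if ppp_proto != PPP_PROTO_IP:
            return chain + [f"PPP proto 0x{ppp_proto:04x}"]

def access_mode(pkt):   # Exercises 1 and 4: HTTP inside GRE/PPP = centralized, bare IP = distributed
    return "centralized" if "GRE" in walk_headers(pkt) else "distributed"

# Constructed samples: the Exercise 5 addresses, and a bare packet from the private client of Exercise 1
CENTRALIZED = http_get_via_pptp("130.192.12.51", "130.192.16.254", "130.192.16.202",
                                "130.192.18.14", b"GET / HTTP/1.0\r\n\r\n")
DISTRIBUTED = ipv4_header("10.0.0.101", "130.192.18.14", IPPROTO_TCP, 20) + bytes(20)
```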


Exercise 5 – solution (3/3)

4. The path followed by the HTTP packets is shown below:

(Figure: the Exercise 5 topology, with the HTTP request and the HTTP response paths drawn on it.)

Topology (from the figure):
- Net 1 (130.192.12.0/24): host A (130.192.12.51), router 1 (130.192.12.254), DNS 1
- Corporate net (130.192.16.0/24): router 2, VPN gateway (130.192.16.254), HTTP server A (130.192.16.26), corporate DNS
- Net 2 (130.192.18.0/24): router 3 (130.192.18.254), HTTP server B (130.192.18.14), DNS 2


Exercise 6 (without solution)

Assuming a centralized VPN access to the Internet and the topology of the figure below, answer the following questions:

1. Write a possible IP address for host A after establishing the VPN tunnel.
2. Show the format of each of the following packets, including the encapsulation, when applicable:
   1. HTTP GET packet sent from host A to HTTP server A
   2. The response packet, as it is generated by server A
   3. The response packet, as it is received at host A
3. Show the path followed by the HTTP packets.

Topology (from the figure):
- Net 1 (130.192.12.0/24): host A (130.192.12.51), router 1 (130.192.12.254), DNS 1
- Corporate net (130.192.16.0/24): router 2, VPN gateway (130.192.16.254), HTTP server A (130.192.16.26), corporate DNS
- Net 2 (130.192.18.0/24): router 3 (130.192.18.254), HTTP server B (130.192.18.14), DNS 2


Exercise 7 (without solution)

Assuming a distributed VPN access to the Internet and the topology of the figure below, answer the following questions:

1. Show the format of each of the following packets, including the encapsulation, when applicable:
   1. An HTTP GET packet sent from host A to HTTP server B
   2. The response packet, as it is sent by HTTP server B
   3. The response packet, as it is received at host A
2. Show the path followed by the HTTP packets.

Topology (from the figure):
- Net 1 (130.192.12.0/24): host A (130.192.12.51), router 1 (130.192.12.254), DNS 1
- Corporate net (130.192.16.0/24): router 2, VPN gateway (130.192.16.254), HTTP server A (130.192.16.26), corporate DNS
- Net 2 (130.192.18.0/24): router 3 (130.192.18.254), HTTP server B (130.192.18.14), DNS 2


Exercise 8

Let's consider the following topology.

Discuss the implications on the reachability of the HTTP server from host A when one of the following events happens, assuming that A has established a tunnel with the corporate net:

1. Router 3 is out of order and access to the Internet is distributed
2. Router 5 is out of order and access to the Internet is distributed
3. Router 2 is out of order and access to the Internet is distributed
4. Router 4 is out of order and access to the Internet is centralized
5. Router 5 is out of order and access to the Internet is centralized

(Figure: topology with the labels Corporate net, Net 1, Router 1, router 2 (VPN gateway), Router 3, router 4, router 5, Host A, HTTP server and Net 2.)


Exercise 8 – solution (1/2)

1. Router 3 out of order and access to the Internet distributed: no connectivity problem. The packets do not traverse the corporate net, so router 3 is not used; the traffic between A and the HTTP server is routed through routers 1 and 5.

2. Router 5 out of order and access to the Internet distributed: there are two possible cases.
   1. The corporate net does not allow transit traffic originated from outside: connectivity is lost.
   2. The corporate net does allow transit traffic originated from outside: connectivity is not lost.

3. Router 2 out of order and access to the Internet distributed: no connectivity problem with the HTTP server, but the VPN connection cannot be used.

(Figure: the same Exercise 8 topology.)


Exercise 8 – solution (2/2)

4. Router 4 out of order and access to the Internet centralized: connectivity with the HTTP server is lost. All the traffic is routed through the VPN, so packets from/to host A pass through:
- the VPN gateway
- router 3
- router 4 (next hop of router 3 to reach Net 2)
Since the last one is out of order, no connection is possible.

5. Router 5 out of order and access to the Internet centralized: no connectivity problem with the HTTP server. As seen before, packets are never routed through router 5.

(Figure: the same Exercise 8 topology.)
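Added example (not from the slides) that models Exercise 8 as a graph and answers its five cases by searching for a path with one router removed. The link set is an assumption reconstructed from the solution text (the figure itself is not in this transcript), and the corporate_transit flag models the two sub-cases of point 2; the same functions also answer cases the slide does not ask, such as router 3 failing under centralized access.

```python
from collections import deque

# Constructed model of Exercise 8 (not from the slides). The links are an assumption reconstructed
# from the solution text: distributed traffic goes host A -> router 1 -> router 5 -> Net 2, the tunnel
# runs from host A through router 1 to router 2 (VPN gateway), and the corporate net exits via
# router 3 -> router 4 -> Net 2.
LINKS = {("hostA", "router1"), ("router1", "router5"), ("router5", "net2"),
         ("router1", "router2"), ("router2", "router3"), ("router3", "router4"),
         ("router4", "net2"), ("net2", "http_server")}
CORPORATE = {"router2", "router3", "router4"}
NODES = {n for link in LINKS for n in link}

def reachable(src, dst, failed=None, allowed=None):
    """BFS over links not touching the failed router; `allowed` limits the nodes that may be traversed."""
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for a, b in LINKS:
            nxt = b if a == node else a if b == node else None
            if nxt and nxt not in seen and failed not in (a, b) and (allowed is None or nxt in allowed):
                seen.add(nxt)
                queue.append(nxt)
    return False

def vpn_usable(failed):
    """The tunnel needs a path from host A to the VPN gateway (router 2)."""
    return reachable("hostA", "router2", failed)

def http_reachable(mode, failed, corporate_transit=False):
    """Can host A reach the HTTP server with one router down, for a given access mode?"""
    if mode == "centralized":
        # every packet enters the tunnel: it must reach the gateway, then leave via the corporate net
        exits = CORPORATE | {"net2", "http_server"}
        return vpn_usable(failed) and reachable("router2", "http_server", failed, allowed=exits)
    # distributed: packets take the plain Internet path; the corporate net is only an
    # alternative if it forwards transit traffic originated from outside (Exercise 8, case 2)
    allowed = NODES if corporate_transit else NODES - CORPORATE
    return reachable("hostA", "http_server", failed, allowed=allowed)

def exercise8():
    """The five cases of Exercise 8, in order; case 2 gives (no transit, transit), case 3 (HTTP, VPN)."""
    return [http_reachable("distributed", "router3"),
            (http_reachable("distributed", "router5"), http_reachable("distributed", "router5", True)),
            (http_reachable("distributed", "router2"), vpn_usable("router2")),
            http_reachable("centralized", "router4"),
            http_reachable("centralized", "router5")]
```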