MicroNugget: IPsec Site to Site VPN Tunnels Explained | CBT Nuggets

Captions
How IPsec site-to-site VPN tunnels work. Before we send a packet out on the big bad Internet we may want to give it some protection, and to do that we can use IPsec. In this MicroNugget you and I will take a look at the concepts of how it works. We'll also take a before and after picture with a protocol analyzer to take a look at the details of what actually happens to a packet after it's encrypted. I'm excited about you joining me; let's jump in.

Let's say that you and I work for small to medium sized companies, and this will be the company I work at here on the left, and you can work at the one on the right. If you feel really strongly about it and you want to work at the one on the left, that's fine too; we could swap. So one day our bosses, the owners of the company, decide that they want to have a merger of the two companies, and there'll be one company with two sites. And they say what we'd like to do is have full data networking between the two sites, between any servers and resources at either site, and they'd like us to do it. So how do we do it? Well, one answer is we could leverage the Internet. If we have high-speed connectivity to the Internet from both sites already, why not logically just create a bridge across the Internet to forward our traffic? I say bridge in a loose term: a conduit, a mechanism to move packets. One reason we might not want to do it is security. If we're sending data across the Internet and it's sensitive documents, data for our companies, we don't want the eavesdropper to get a hold of it and be able to read it and understand what we're talking about. So to protect that we could use something called an IPsec Virtual Private Network; in this case it would be a site-to-site VPN tunnel.

If IPsec was given a microphone and we said, "Mister IPsec, tell us what you do," he would say, "I do two primary things. Number one, I provide confidentiality, and that confidentiality comes because I encrypt packets, so as those packets go over the Internet they're just ciphertext. The payload is unmeaningful; it doesn't have any meaning to somebody who eavesdrops on the data. It's all encrypted. The second thing I do is I have data integrity. Data integrity verifies that no bits have been twiddled or manipulated in transit from R1 to R2 or from R2 to R1." It also has the ability to do authentication as well, and it also has the ability to do anti-replay support: for people who are trying to play back an authentication session, for example, it won't buy into it. But the two major elements are confidentiality and integrity. So what we can do is we can leverage something called an IPsec VPN over the Internet to keep our data safe. So that's IPsec's claim to fame: confidentiality and data integrity.

How does it do it? Oh, we're going to hear about that; check it out. With IPsec (let me clear the screen here), with IPsec it simply says, the routers say, "You know what, Mr. Router 1, I'm going to take any traffic that's sourced from this network, if it's destined to this network over here, and instead of just forwarding it, like making a route lookup and forwarding the packet, what I'm going to do is I'm going to encrypt the data, to scramble it, to make it ciphertext. I'm going to re-encapsulate it, and the Internet is going to see a packet from my address to R2's address." So maybe this PC here is sending a packet over to this PC here; that's the actual traffic that's really happening. But the router gets it, looks at where it's going and where it's coming from, encrypts it, encapsulates it, sends it to R2, and the Internet just sees 13.0.0.1 going to 23.0.0.2, and the payload, the original packet, is completely tucked away and encrypted. R2 decrypts it when he gets it, forwards it on to PC 2, and those two PCs had no clue what even happened; they just sent packets and they went. But we're leveraging the Internet for the backbone of that communication. So that's how it does it: it takes packets, encrypts them, ships them to a peer, and the peer decrypts it.

What I'd like to do is give you a perspective, two different perspectives, of what those packets would look like with a packet tracer. I'm going to show you what the packets look like right here when, I'll say, Bob is sending a packet to Lois, and I'll also show you the packet, the same packet, after it's gone through R1, who has encrypted it, encapsulated it and sent it over to R2, just so you can see the exact same packet before and after the encryption takes place. So let's first verify the pieces. This is our PC right here; the IP address is 192.168.0.2, and we're going to ping out to this guy's IP address. We should hit the router; he should encapsulate it and send it over to R2 as an encapsulated IPsec packet; R2 should de-encapsulate it and forward it on to PC 2. That's the theory anyway. Let's go ahead and launch it. I have the captures running and we're set for pings. Let's go take a look at the packet captures.

So let's take a look at these packet traces. This one right here on the left is the packets that were captured between the PC and R1, and over here, this is packets that were captured after R1 sent them out to the Internet encrypted. So just as an example, let's look at the very first packet. It's a ping request, says right here, and it was sent from 192.168.0.2, that's this PC, destined for 192.168.0.20, that's this guy. When that packet hit this router, it said, "Oh my goodness, this is a packet I should encrypt, from the local network to the remote network." It encrypted it, encapsulated it and shipped it to its peer. So this is the packet the Internet sees: they see a packet from 13.0.0.1, which is the outside address of R1, destined to 23.0.0.2, which is the outside address of R2. It's using ESP, which is protocol number 50, at layer 4 of the OSI reference model. And if we look at the payload, I highlighted the Encapsulating Security Payload, that's the protocol; look at the contents: they are all encrypted. So the original contents was a ping request from this IP address to that IP address, the original IP headers and the content, which was the ping request plus this padding here where a ping can verify that it has the ability to do the alphabet. All of that is hidden and scrambled in this content right here, so anybody looking at the packet over the Internet will simply see ciphertext.

R2, when he receives this packet, will appropriately decrypt it and forward it, so the packet we would see right here on this network segment would look like this right here. The layer 2 addresses would be different; we'd have a source layer 2 address of R2 and a destination layer 2 address of the PC. But everything in layer 3 and higher, regarding the source and destination IP addresses, the ping request, the ICMP and everything else, would be as if encryption never happened. So the encryption is only happening over the Internet, and that, my friend, is how IPsec can protect packets as they go over that dangerous little network called the Internet.

In this MicroNugget we've identified some major features of IPsec, including the ability to encrypt data to make it protected or confidential, and also to verify the data integrity of packets as they're being sent. How does it do it? It's simple: a router being configured as a VPN gateway, when it receives traffic that should be encrypted, does the encryption, re-encapsulates it and shoots that packet over to its VPN peer on the other side, who decrypts it. We also took a look at what the packets would look like before they're encrypted and after they're encrypted as they go over the Internet. I hope this has been informative for you, and I'd like to thank you for viewing.
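The before-and-after packet pair from the capture walkthrough above, as an added Python example that is not from the video or from CBT Nuggets: it builds Bob's ICMP echo from 192.168.0.2 to 192.168.0.20, wraps it the way R1 does in ESP tunnel mode between 13.0.0.1 and 23.0.0.2 (IP protocol 50), shows what an on-path observer can read, and has R2 verify the integrity check value before decrypting. Assumptions: the keystream and ICV are a constructed HMAC-SHA256 stand-in for the AES and HMAC transforms a real security association negotiates, the SPI and keys are made-up sample values, and IP/ICMP checksums are left at zero.

```python
import hashlib, hmac, os, socket, struct

# Constructed sample SA parameters; a real SA gets these from IKE negotiation.
ENC_KEY, AUTH_KEY, SPI = b"\x11" * 32, b"\x22" * 32, 0x0000B0B0

def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header (checksum left 0; the router would fill it in)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def keystream(key, iv, n):
    """Counter-mode keystream from HMAC-SHA256: a stand-in for the AES transform."""
    blocks = (hmac.new(key, iv + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def esp_encapsulate(inner, seq, iv=None):
    """R1 side, tunnel mode: outer IP(proto 50) | SPI | seq | IV | enc(inner+trailer) | ICV."""
    iv = iv or os.urandom(16)
    pad_len = (-(len(inner) + 2)) % 4                 # RFC 4303: trailer 4-byte aligned
    plain = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, 4])  # next header 4 = IPv4
    ct = bytes(a ^ b for a, b in zip(plain, keystream(ENC_KEY, iv, len(plain))))
    body = struct.pack("!II", SPI, seq) + iv + ct
    icv = hmac.new(AUTH_KEY, body, hashlib.sha256).digest()[:16]   # 128-bit ICV
    return ipv4_header("13.0.0.1", "23.0.0.2", 50, len(body) + 16) + body + icv

def eavesdropper_view(pkt):
    """What an on-path observer reads without the keys: outer addresses, ESP, SPI, seq."""
    spi, seq = struct.unpack("!II", pkt[20:28])
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "proto": pkt[9], "spi": spi, "seq": seq, "ciphertext_bytes": len(pkt) - 44 - 16}

def esp_decapsulate(pkt):
    """R2 side: check the ICV before decrypting; a failed check drops the packet."""
    body, icv = pkt[20:-16], pkt[-16:]
    expected = hmac.new(AUTH_KEY, body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expected, icv):
        return None                                   # integrity failure (bits twiddled)
    iv, ct = body[8:24], body[24:]
    plain = bytes(a ^ b for a, b in zip(ct, keystream(ENC_KEY, iv, len(ct))))
    pad_len, next_hdr = plain[-2], plain[-1]
    return plain[:-(pad_len + 2)] if next_hdr == 4 else None

def inner_addresses(pkt):  # source/destination of a cleartext IPv4 packet on the LAN side
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])

# Bob's ping from 192.168.0.2 to 192.168.0.20, carrying ping's alphabet pad (constructed)
ECHO = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"abcdefghijklmnopqrstuvwabcdefghi"
INNER = ipv4_header("192.168.0.2", "192.168.0.20", 1, len(ECHO)) + ECHO
```

Running `eavesdropper_view(esp_encapsulate(INNER, 1))` is the right-hand capture in the video (outer addresses, protocol 50, opaque payload), while `esp_decapsulate` returning `INNER` byte for byte is the left-hand one.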
Info
Channel: CBT Nuggets
Views: 323,156
Rating: 4.9235392 out of 5
Keywords: cbt nuggets, virtual private network, routing protocols, computer based training, ipsec vpn, ipsec tunnel, ipsec vpn tunnel, ipsec tunnel mode, ipsec explained, ipsec site to site vpn, ipsec network, ipsec explained in detail, ipsec network security, ipsec vpn site to site, ipsec keith barker, computer based training ppt, computer based training software
Id: CuxyZiSCSfc
Length: 7min 28sec (448 seconds)
Published: Thu Sep 13 2012