Anyconnect Interview Questions

Which UDP ports should be open on a firewall to allow traffic from L2TP/IPsec-based VPN clients to a PPTP VPN server on the inside?

UDP port 500 for IKE traffic, UDP port 1701 for the L2TP session between client and server, and UDP port 4500 for NAT-T (IPsec encapsulated in UDP when a NAT device sits in the path).

The keys are derived in IPsec Phase 2. The derived keys are used by the IPsec protocol ESP to encrypt the data.

ESP and AH each carry a sequence number field in their headers. The IPsec peers use these values to detect duplicate packets: a packet arriving with a sequence number that has already been received is rejected, which provides replay protection.
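As an added illustration (not part of the original page), the following Python models the receiver-side check described above as the sliding anti-replay window used by ESP and AH implementations; the window size of 64 packets and the sample sequence numbers are constructed for the demonstration.

```python
"""ESP/AH anti-replay check: a sliding window over received sequence numbers (RFC 4303 style)."""


class ReplayWindow:
    """Tracks the highest sequence number accepted and a bitmap of the WINDOW most recent ones."""
    WINDOW = 64  # constructed choice; RFC 4303 requires at least 32 and recommends 64

    def __init__(self):
        self.highest = 0   # highest sequence number accepted so far (0 = nothing yet)
        self.bitmap = 0    # bit k set  =>  sequence number (highest - k) was already received

    def check_and_update(self, seq: int) -> bool:
        """Return True if seq is fresh (and record it); False if it is a replay or too old."""
        if seq == 0:
            return False                      # ESP never transmits sequence number 0
        if seq > self.highest:                # newer than anything seen: slide the window forward
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.WINDOW) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.WINDOW:
            return False                      # older than the window: cannot be verified, reject
        if self.bitmap & (1 << offset):
            return False                      # duplicate inside the window: replayed packet
        self.bitmap |= 1 << offset            # late but genuine: mark it as seen
        return True


def filter_packets(seqs):
    """Run received sequence numbers through a fresh window; returns one accept decision per packet."""
    window = ReplayWindow()
    return [window.check_and_update(s) for s in seqs]
```

A late-but-unseen packet (4 arriving after 5 below) is accepted, while a repeated number or one that has fallen behind the window is dropped.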

A user connects to the internet over DSL broadband from his laptop. After browsing some pages, the user connects to the corporate network with the IPsec VPN client installed on the laptop. Once the connection succeeds, the user is unable to browse the internet, but on disconnecting the VPN client, internet access resumes. What could be the cause?

a) IPsec does not support HTTP (browsing)
b) A proxy is not enabled for the browser after the IPsec client is connected
c) The default route is modified on the local PC
d) This is the expected behaviour and cannot be resolved

Two remote sites S1 and S2 are connected by an IPsec tunnel-mode VPN configured on routers R1 and R2 respectively. S1 is located in India and S2 in Thailand. What type of route entry should R1 use to route the tunneled packets over the internet to R2?

a) Tunneling technology is point-to-point and does not require a routing protocol
b) R1 should use a default static route to send all packets directly to R2: ip route 0.0.0.0 0.0.0.0 R2
c) Any type of route entry that fits the network design would work
d) BGP should be used on both routers

Which type of VPN would you use if data has to be encrypted at the network layer?

An IPsec VPN encrypts data at the network layer, whereas SSL encrypts data at the application layer.

What is IKE?

It is a hybrid protocol that implements the Oakley and SKEME key exchanges inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. It defines the mechanism for creating and exchanging keys: IKE derives authenticated keying material and negotiates the SAs that are used by the ESP and AH protocols.

MESSAGE 1: Initiator offers a policy proposal covering the encryption, authentication and hashing algorithms (for example AES or 3DES, PSK or PKI, MD5 or RSA).
MESSAGE 2: Responder accepts the policy (or not).
MESSAGE 3: Initiator sends its Diffie-Hellman public value and a nonce.
MESSAGE 4: Responder sends its Diffie-Hellman public value and a nonce.
MESSAGE 5: Initiator sends its ID and the pre-shared-key or certificate material for authentication.
MESSAGE 6: Responder sends its ID and the pre-shared-key or certificate material for authentication.
Only the first four messages are exchanged in clear text; after that, all messages are encrypted.
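As an added example (not part of the original page), this Python walks through messages 3 to 6 of the exchange above with pre-shared-key authentication, using the key-derivation formulas of RFC 2409 section 5 so both peers arrive at the same SKEYID_d, SKEYID_a and SKEYID_e and the responder can verify HASH_I from message 5. HMAC-SHA1 stands in for the negotiated hash; the cookies, nonces, identities, PSK and SA bytes are constructed sample values.

```python
"""IKEv1 main mode messages 3-6 with pre-shared-key auth, following RFC 2409 section 5 formulas."""
import hashlib
import hmac
import secrets

# 1024-bit MODP prime (IKE Diffie-Hellman group 2, RFC 2409 section 6.2), generator 2.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G, KE_LEN = 2, 128

def prf(key: bytes, data: bytes) -> bytes:
    """Negotiated pseudo-random function: HMAC with the Phase 1 hash algorithm (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()

class Peer:
    """One IKE peer: ISAKMP cookie, identity, DH private exponent and nonce."""
    def __init__(self, cookie: bytes, identity: bytes):
        self.cookie, self.identity = cookie, identity
        self.x = secrets.randbelow(P - 2) + 1                 # private DH exponent, never sent
        self.ke = pow(G, self.x, P).to_bytes(KE_LEN, "big")   # g^x: the KE payload of message 3/4
        self.nonce = secrets.token_bytes(16)                  # Ni_b / Nr_b, sent beside the KE

def derive_keys(me: Peer, peer: Peer, psk: bytes, initiator: bool) -> dict:
    """After messages 3 and 4: uses only the peer's public cookie, KE and nonce plus the PSK."""
    g_xy = pow(int.from_bytes(peer.ke, "big"), me.x, P).to_bytes(KE_LEN, "big")
    ni, nr = (me.nonce, peer.nonce) if initiator else (peer.nonce, me.nonce)
    cky_i, cky_r = (me.cookie, peer.cookie) if initiator else (peer.cookie, me.cookie)
    skeyid = prf(psk, ni + nr)                                # SKEYID, pre-shared-key variant
    skeyid_d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")    # seeds the Phase 2 (IPsec) keys
    skeyid_a = prf(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01")  # integrity of IKE messages
    skeyid_e = prf(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02")  # encrypts messages 5 and 6
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}

def hash_i(skeyid: bytes, init: Peer, resp: Peer, sa_i: bytes) -> bytes:
    """HASH_I sent in message 5: binds g^xi, g^xr, both cookies, the SA offer and the initiator ID."""
    return prf(skeyid, init.ke + resp.ke + init.cookie + resp.cookie + sa_i + init.identity)

def main_mode_demo(psk_initiator: bytes, psk_responder: bytes) -> dict:
    """Run messages 3-6 for two peers and report whether they converge (mismatched PSKs must not)."""
    init = Peer(b"\x01" * 8, b"vpn-client.example")          # constructed cookie and ID payload
    resp = Peer(b"\x02" * 8, b"vpn-gw.example")
    sa_i = b"AES-256/SHA1/PSK/group2/86400s"                  # constructed stand-in for SAi_b bytes
    ki = derive_keys(init, resp, psk_initiator, initiator=True)
    kr = derive_keys(resp, init, psk_responder, initiator=False)
    # Message 5: initiator sends HASH_I; responder recomputes it from its own SKEYID and compares.
    sent, expected = hash_i(ki["SKEYID"], init, resp, sa_i), hash_i(kr["SKEYID"], init, resp, sa_i)
    return {"keys_match": ki == kr, "hash_i_verified": hmac.compare_digest(sent, expected)}
```

Because SKEYID is keyed with the PSK, a responder holding a different key derives different SKEYID_e and rejects HASH_I, which is how message 5 authenticates the initiator without ever sending the key itself.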

What is Authentication, Confidentiality & Integrity?

Authentication – Verifies that the packet received actually comes from the claimed sender, i.e. it verifies the authenticity of the sender. Pre-shared keys and digital certificates are some of the methods that can be used for authentication.
Integrity – Ensures that the contents of the packet have not been altered in transit by a man-in-the-middle. Hashing algorithms include MD5 and SHA.
Confidentiality – Encrypts the message content so that the data is not disclosed to unauthorized parties. Encryption algorithms include DES (Data Encryption Standard), 3DES (Triple DES) and AES (Advanced Encryption Standard).

What is Cisco Easy VPN?

A remote-access VPN implemented with IPsec is called Cisco Easy VPN. Easy VPN is easy to set up, requiring minimal configuration at the remote client site. Cisco Easy VPN lets us define centralized security policies on the head-end VPN device (VPN server), which are then pushed to the remote-site VPN device when it connects.

6. The client sends the Client Key Exchange message after calculating the premaster secret with the help of the random values of both the server and the client. This message is encrypted with the server's public key, which was shared during the hello exchange, and the server decrypts the premaster secret with its private key. Both client and server then perform a series of steps to generate the symmetric session keys that are used to encrypt and decrypt the data exchanged during the SSL session and to verify its integrity.

What is the SSL port number?

It is a piece of a larger message that is transmitted over the Internet Protocol. Data packets have headers that contain the routing information. In the TCP/IP model, packets are known as datagrams.

Whenever we send data, it is encapsulated on the sender's side and de-encapsulated at the receiver's end.

The terms used at each layer of both models to refer to the encapsulated data:

Term      OSI layer      TCP/IP layer
Data      Application    Application
Data      Presentation   -
Data      Session        -
Segment   Transport      Transport
Packet    Network        Network
Frame     Data Link      Data Link
Bits      Physical       Physical

It is the process of granting users access to perform operations on a platform. For example, in order to log in to Gmail, you need a Google account with a username and password.

What are the three main security services IPsec provides?

Generic Routing Encapsulation (GRE) is a protocol for encapsulating data packets.

Transport Layer Security (TLS) is a protocol that provides privacy and data security over the internet. TLS is used to encrypt communication between web applications and servers, and it can also encrypt voice over IP, messaging and email.

Secure Sockets Layer (SSL) is an encryption-based internet security protocol that operates at the presentation layer (layer 6) of the OSI model.
