Title Lab09 simple VPN 2019 09 29 11 08 16 325
Course Practicum of Attacking and Defense of Network Security
Institution National Taiwan University

Lab09: Simple VPN Tunnel Configuration Due: 09:00am, 11/28/2018

1. Learning Goals

- Create a Virtual Private Network (VPN) tunnel to bypass the normal traffic route and learn the basic behavior of communication over a VPN tunnel.
- Distinguish between a client-gateway tunnel and a gateway-to-gateway tunnel and study their applications in an enterprise environment.
- Distinguish between TCP-based and UDP-based VPN tunnels.
- Measure the performance overhead of a VPN tunnel.

2. Lab Environments

Figure 1. Task 1 Host-to-Host Tunnel Configuration

Figure 2. Task 2 Client-to-Gateway Tunnel Configuration

Figure 3. Gateway-to-Gateway Tunnel Configuration (adding a router in between does not affect the -r IP addresses, because they are all covered by the tunnel; VM1C: ping –r 172.126.2.10)

Note: do the lab design with different IP addresses from the lab handout.

11/21/2018

Lab09 (Simple VPN)

Page 1 of 10

3. Lab Procedure of Simple VPN Tunnel

All three tasks require two physical hosts, and each host has one or two VMs.

3.1 Task 1: Host-to-Host Tunnel Configuration (TCP)

Task 1 requires two physical hosts and each host has one VM.

Step 1: On VM1, download simpletun.c from the SEED project and then compile it. Name the object simpletun.
a. Download http://www.cis.syr.edu/~wedu/seed/Labs_12.04/Networking/VPN/files/simpletun.c or wget www.cis.syr.edu/~wedu/seed/Labs_12.04/Networking/VPN/files/simpletun.c
b. Compile the code

Step 2: Repeat the above step on VM2.

Step 3: On VM1, start simpletun as the server and use port 11111 to create a new VPN interface (tun0).

You may stop/kill the process with Ctrl-C.

Step 4: On VM1, create a new terminal session, and configure an IP address on the VPN interface.

Step 5: On VM2, start simpletun as the client and connect it to the server (VM1) on port=11111.

Step 6: On VM2, create a new terminal session and configure an IP address on the VPN interface tun0.

Step 7: Verify the VPN connection

Step 8: Use Wireshark to capture the VPN tunnel traffic
a. On VM1, start Wireshark and filter the traffic for TCP port 11111 on the physical interface.
b. On VM2, send one ICMP packet with 1024 bytes to host1 via the VPN tunnel.
c. On VM1, observe the traffic captured on the physical interface.

Screenshot 1-1: Wireshark of host-host VPN

Note: the TCP payload is 1052 bytes = 1024 (ICMP payload) + 8 (ICMP header) + 20 (IP header).
Original IP Packet: TCP Payload = 1,052 bytes
VPN IP Packet: 1,118 – 14 (802.3) = 1,104 bytes

Step 9: Conduct performance analysis to study the VPN overhead on RTT. Use different packet sizes of 64, 128, 256, 512, 1024, 1280, and 1418 bytes.
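The size accounting in the note above can be reproduced offline. The following is an added example, not part of the lab handout or of simpletun.c: it builds the 1,052-byte inner packet, frames it the way simpletun.c does over TCP (a 2-byte network-order length written before each packet), and recovers it from captured TCP payload bytes, which also shows that the inner packet crosses the physical network unencrypted. The tunnel addresses, the ICMP identifier and the 32-byte TCP header (20 bytes plus the timestamp option, which is what 1,104 − 1,052 − 20 leaves) are assumptions.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum used by IPv4 and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def icmp_echo_packet(src: str, dst: str, payload_len: int) -> bytes:
    """Inner IPv4 packet as 'ping -s <payload_len>' would hand it to tun0."""
    payload = bytes(i & 0xFF for i in range(payload_len))
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + payload  # id 0x1234 is arbitrary
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0x4000, 64, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:] + icmp

def frame(packet: bytes) -> bytes:
    """simpletun over TCP: 2-byte big-endian length, then the raw packet."""
    return struct.pack("!H", len(packet)) + packet

def deframe(chunks):
    """Recover inner packets from TCP payload chunks given in capture order."""
    buf, out = b"", []
    for chunk in chunks:
        buf += chunk
        while len(buf) >= 2:
            (n,) = struct.unpack("!H", buf[:2])
            if len(buf) < 2 + n:
                break  # packet continues in the next segment
            out.append(buf[2:2 + n])
            buf = buf[2 + n:]
    return out

def wire_sizes(payload_len: int, tcp_hdr: int = 32) -> dict:
    """Sizes of the data segment; tcp_hdr=32 assumes the TCP timestamp option."""
    inner = 20 + 8 + payload_len       # inner IP header + ICMP header + payload
    outer_ip = 20 + tcp_hdr + inner    # outer IP header + TCP header + inner packet
    return {"inner": inner, "outer_ip": outer_ip, "frame": outer_ip + 14}

# Constructed sample: the tunnel addresses are placeholders, not the lab's.
INNER = icmp_echo_packet("10.0.0.2", "10.0.0.1", 1024)
# The length prefix and the packet arrive in separate, arbitrarily split segments.
SEGMENTS = [frame(INNER)[:2], frame(INNER)[2:700], frame(INNER)[700:]]
```

Under the same assumption, wire_sizes(1418) gives a 1,498-byte outer IP packet, so the largest Step 9 size still fits a 1,500-byte MTU in one segment.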

Screenshot 1-2: RTT Performance

packet size = 1024 bytes RTT = 11.1 ms (VPN tunnel)

packet size = 1024 bytes RTT = 0.817 ms (no tunnel)

Note: the RTT measurement shows significant performance overhead of the VPN tunnel implemented by simpletun.c.

Step 10: Use iperf to measure throughput. On VM2, start “iperf –s”. On VM1, start iperf –c.

Screenshot 1-3: Throughput Performance

Throughput of VPN Tunnel: 36.9 Mbps

Throughput on physical interface: 917 Mbps

3.2 Task 2: Host-to-Host Tunnel Configuration (UDP)

Step 1: Download simple-tun.c from https://github.com/aoak/Simpletun/blob/master/simple-tun.c
Note: download the code on both VM1 and VM2.

Step 2: Compile the code and learn the command syntax.
Note: do this step on both VM1 and VM2.

Step 3: Run VM1 as the VPN server

Step 4: Run VM2 as the VPN client

and then open another terminal session to configure the VPN interface (tun1).

Step 5: [Very important] On VM2 (client), ping VM1 (server).
[VM2] ping 10.0.0.10 # the client pings the server
After the first ping from VM2 to VM1, you can test the connectivity from either direction. Note that if the first ping is from VM1 to VM2, the VPN tunnel will crash.

Step 6: On VM2, send ICMP traffic to VM1 (ping –c –s 1024 10.0.0.10). On VM1, use Wireshark to capture the traffic on UDP port 2222.

Screenshot 2-1: UDP Tunnel traffic

Step 6: performance test of RTT.

Screenshot 2-2: RTT Measurement (UDP tunnel)

Step 7: Performance test of throughput. Start iperf –s on VM2 and then run iperf –c on VM1.

Screenshot 2-3: Throughput measurement (UDP tunnel)

3.3 Task 3: Client/Gateway VPN

The purpose of Task-3 is to show how a client can use a VPN tunnel to get into an enterprise network. The network diagram of Task 2 is illustrated in Figure 2.

Step 1: VM2 is an Internet gateway and requires two network adapters. Configure network adapter 1 as “Host-only adapter” and network adapter 2 as “Bridged Adapter”.

Adapter 1

Adapter 2

Step 2: On VM1, configure the network adapter 1 as “host-only Adapter”.

Step 3: Follow Figure 2 to check and configure IP addresses on VM1 and VM2.

Step 4: Follow the same procedure as Task 2 to configure a VPN tunnel (over UDP) between VM2 (server) and VM3 (client). After that, configure an IP address on the tunnel interface.

Step 5: Verify the VPN connection between VM2 and VM3.

Note: the first ping must be from VM3 (client) to VM2 (server).

Step 6: On VM2, enable IP forwarding and NAT. Note that NAT is enabled on the NAT interface (10.0.2.20).

Step 7: On VM1, set the default gateway to VM2. On VM3, also set the default gateway to VM2.

Step 8: After that, VM1 and VM3 should be able to ping each other.

Screenshot 3-1: Proof of VPN Client-Gateway Configuration

Step 9: RTT measurement.

Screenshot 3-2: RTT Measurement of VPN Client-Gateway Configuration

Step 10: you may also try to run a throughput measurement but you do not need to report it.

3.4 Task 4: Gateway/Gateway VPN

Task 4 simulates an enterprise with a headquarters and a remote location; we build a VPN tunnel to connect these two locations.

Step 1: Follow Figure 3 to configure the IP address on the VM interfaces.

VM1C: Host-only
VM1G (Gateway): Host-only, Bridged
VM2G (Gateway): Host-only, Bridged
VM2C: Host-only

Step 2: Configure IP addresses and default gateway on VM1C.

Step 3: Configure the local IP address and enable routing on VM1G (gateway)

Step 4: Do the same configuration on VM2C and VM2G (as step-2 and step-3).

Step 5: On VM1G (VPN gateway server), start the VPN tunnel server.

and then use a separate terminal session to configure the interface and set a new default gateway

Step 6: Follow step-5 to set the configuration on VM2G (VPN gateway client).

Step 7: Verify the VPN tunnel between two gateways.

Step 8: On VM1C, ping VM2C and vice versa.

Screenshot 4-1: Proof of VPN Gateway-Gateway Configuration

Step 9: RTT Measurement

Screenshot 4-2: RTT measurement of Gateway-Gateway Configuration

4. Lab Report

1. Your name / Student ID:

2. Lab Log:

Lab Session | Date | Lab Duration (e.g., 1:30) | Comments (problems/accomplishment)
1           |      |                           |
2           |      |                           |

3. IP Address Tables

Table 1. IP Addresses of Task-1 & 2

      | Physical (bridged) Interface | Tunnel Interface
host1 |                              |
VM1   |                              |
host2 |                              |
VM2   |                              |

Table 2. IP addresses of Task-3

Columns: bridged interface, Local Interface, Tunnel Interface
Rows: host1, VM1 (local), VM2 (gateway), host2, VM3 (client)
Two cells of this table are marked N/A.

Table 3. IP Addresses of Task-4

Columns: bridged Interface, Local Interface, Tunnel Interface
Rows: host1, host2, VM1G (gateway), VM1C (local), VM2G (gateway), VM2C (local)
Four cells of this table are marked N/A.

4. Proof of Work

- Screenshot 1-1: Wireshark of host-host VPN traffic (TCP)
- Screenshot 1-2: VPN performance (TCP) of RTT for packet size = 1,024 bytes
- Screenshot 1-3: VPN performance (TCP) of throughput
- Screenshot 2-1: Wireshark of host-host VPN traffic (UDP)
- Screenshot 2-1: VPN performance (UDP) of RTT for packet size = 1,024 bytes
- Screenshot 2-2: VPN performance (UDP) of throughput
- Screenshot 3-1: Proof of VPN Client-Gateway Configuration
- Screenshot 3-2: VPN Performance of RTT measurement for Client-Gateway Configuration
- Screenshot 4-1: Proof of VPN Gateway-Gateway Configuration
- Screenshot 4-2: VPN Performance of RTT measurement for Gateway-Gateway Configuration

5. Summary of Performance (note: the data must be consistent with the screenshots)

Table 4. Performance Evaluation

Tasks                    | RTT (ms), ICMP Packet Size = 1,024 bytes | Throughput (Mbps)
No VPN tunnel (baseline) |                                          |
Task 1 (TCP tunnel)      |                                          |
Task 2 (UDP tunnel)      |                                          |
Task 3 (client-gateway)  |                                          | N/A
Task 4 (gateway-gateway) |                                          | N/A

6. Lab reflection

Describe if the lab learning goals are met and also any interesting observation from this lab exercise.
