IPSec, IKE, NAT-T and L2TP over IPSec

Tomas Kalabis, tomaskalabis.com, published 2014-06-11 (last modified 2016-03-09)

IPSec (Internet Protocol Security) is a family of protocols that secures IP communication between two peers: it provides mutual authentication and negotiates the cryptographic algorithms to be used. IPSec works at the IP layer (Layer 3 of the OSI model). For IPv4 it is an add-on; in IPv6 it was originally a mandatory part of the protocol, so it is native there. One of IPSec's first tasks is to make both sides authenticate each other; after that it encrypts all of their traffic with the algorithm agreed in advance. A communicating party is called a peer.

Modes and functions

- Host-to-host, Transport mode: only the payload is protected. The original IP header is kept and an IPSec header is inserted after it. The built-in Windows client (L2TP/IPSec) uses transport mode only.
- Network, Tunnel mode (the default for gateway-to-gateway VPNs): the whole original packet, header included, is protected and a new outer IP header is added. The inner (client) addresses cannot be read from the traffic.

Protocols

AH (Authentication Header, IP protocol 51) provides integrity and data-origin authentication, but no confidentiality. It uses a keyed hash (HMAC-MD5, HMAC-SHA1) with a key agreed at the start of the session, and the header carries a sequence number that is used for replay protection. Because the AH integrity check covers the IP header itself, AH does not survive a NAT on the path (see the NAT-T section).

ESP (Encapsulating Security Payload, IP protocol 50) provides confidentiality plus integrity and data-origin authentication. Encryption uses a symmetric cipher (DES, 3DES, AES); integrity uses a keyed hash (HMAC-MD5, HMAC-SHA1). MD5 and SHA1 are hash functions, not ciphers: they only ever appear in the integrity part of ESP, never as an encryption method.

SA (Security Association) is the set of parameters that describes one direction of protected communication with ESP or AH: the algorithms, the keys, the SPI, the key lifetime, and the mode of encapsulation. SAs are managed within the ISAKMP framework (Internet Security Association and Key Management Protocol) and negotiated with the well-known IKE protocol (Internet Key Exchange), which agrees the encryption method, key lifetime, compression and encapsulation. Once the IKE SA is established, the negotiation of the IPSec SAs runs inside that encrypted channel.

IKE

IKE (Internet Key Exchange) runs at the very beginning of IPSec communication, where it negotiates the Security Associations. IKE uses UDP port 500 and authenticates the peers with certificates or a PSK (pre-shared key).
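The pre-shared-key variant of IKEv1 phase 1, reduced to its key arithmetic, as an added example (this is not code from the original post): both peers run a Diffie-Hellman exchange, derive SKEYID from the PSK and the two nonces, and derive the SKEYID_d/SKEYID_a/SKEYID_e keys and the HASH_I/HASH_R authentication values exactly as RFC 2409 section 5 specifies. The DH group is a toy 127-bit group so the example runs instantly (real IKE uses the MODP groups of RFC 2409/3526), and the SA and ID payload bodies are constructed stand-ins.

```python
"""IKEv1 phase 1 with pre-shared-key authentication, RFC 2409 section 5.
Added example, not code from the original post.  The DH group is a toy
127-bit group (assumption for the example only); the SA and ID payload
bodies are constructed stand-ins for what real peers would send."""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1              # toy modulus (a Mersenne prime); never use a group this small
G = 2
GROUP_BYTES = (P.bit_length() + 7) // 8


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC with the negotiated hash, SHA-1 here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair():
    x = secrets.randbelow(P - 2) + 1            # private exponent
    return x, pow(G, x, P)                      # (x, g^x mod p)


def enc(n: int) -> bytes:
    return n.to_bytes(GROUP_BYTES, "big")


def phase1_keys(psk, ni, nr, gxy, cky_i, cky_r):
    """Pre-shared-key case of RFC 2409 section 5; cky_* are the 8-byte ISAKMP cookies."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")              # source of phase-2 keys
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")   # IKE integrity key
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")   # IKE encryption key
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
    """HASH_I: the initiator's proof that it knows SKEYID, and therefore the PSK."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idir_b):
    """HASH_R: the responder's proof, same inputs in the responder's order."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


def run_phase1(psk_initiator: bytes, psk_responder: bytes):
    """Simulate both peers.  Returns (initiator keys, responder keys, mutual auth ok)."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    gxy_i = enc(pow(gxr, xi, P))   # initiator computes (g^xr)^xi
    gxy_r = enc(pow(gxi, xr, P))   # responder computes (g^xi)^xr, the same value
    keys_i = phase1_keys(psk_initiator, ni, nr, gxy_i, cky_i, cky_r)
    keys_r = phase1_keys(psk_responder, ni, nr, gxy_r, cky_i, cky_r)
    sai_b = b"\x00\x00\x00\x01constructed-SA-payload-body"   # constructed stand-in
    idii_b = b"\x0b\x00\x00\x00vpn-client"                   # constructed ID_KEY_ID stand-in
    idir_b = b"\x0b\x00\x00\x00vpn-gateway"                  # constructed ID_KEY_ID stand-in
    # Initiator sends HASH_I; the responder recomputes it with its own SKEYID and compares.
    sent_hi = hash_i(keys_i["SKEYID"], enc(gxi), enc(gxr), cky_i, cky_r, sai_b, idii_b)
    want_hi = hash_i(keys_r["SKEYID"], enc(gxi), enc(gxr), cky_i, cky_r, sai_b, idii_b)
    # Responder sends HASH_R; the initiator checks it the same way.
    sent_hr = hash_r(keys_r["SKEYID"], enc(gxi), enc(gxr), cky_i, cky_r, sai_b, idir_b)
    want_hr = hash_r(keys_i["SKEYID"], enc(gxi), enc(gxr), cky_i, cky_r, sai_b, idir_b)
    ok = hmac.compare_digest(sent_hi, want_hi) and hmac.compare_digest(sent_hr, want_hr)
    return keys_i, keys_r, ok


if __name__ == "__main__":
    _, _, good = run_phase1(b"correct horse battery", b"correct horse battery")
    _, _, bad = run_phase1(b"correct horse battery", b"wrong key")
    print("matching PSK authenticates:", good, "| mismatched PSK authenticates:", bad)
```

The point to take from the derivation: every key on both sides depends on the PSK only through SKEYID, so a mismatched PSK still produces a valid-looking exchange right up to the HASH_I/HASH_R check. In Main Mode those hashes are sent inside messages already encrypted with SKEYID_e; in Aggressive Mode HASH_R travels in the clear, which is why a captured Aggressive Mode exchange allows offline PSK guessing (tools such as ike-scan's psk-crack do exactly this recomputation).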
The key exchange in IKE uses Diffie-Hellman: each side contributes a public value, both compute the same shared session secret, and the encryption and integrity keys are derived from it. From that point on the IKE traffic is encrypted, and the shared secret also feeds into peer authentication. A newer version of the protocol, IKEv2, also exists. IKE is split into two phases. In phase 1 the peers authenticate each other and negotiate the IKE SA (this is where the Diffie-Hellman exchange happens), which creates a secure channel for phase 2. In phase 2 the IPSec SA parameters are negotiated over that channel and the corresponding SAs are installed.

NAT-T

As mentioned above, packets sent through IPSec are protected by an integrity hash so that their content cannot be tampered with. If a NAT device on the path rewrites the packet header, the integrity check fails and the packet is dropped. With AH this is unavoidable, because the hash covers the IP header itself. ESP in transport mode has a different problem: the NAT cannot translate ports, because the TCP/UDP header is encrypted, and ESP has no port numbers of its own to map. The solution is NAT-T (NAT Traversal), which wraps the ESP packet in a new UDP header. IKE detects the NAT on the path during the negotiation and moves the traffic to UDP port 4500; this is known as IPSec over UDP or IPSec over NAT-T.

L2TP over IPSec

Layer 2 Tunneling Protocol (L2TP) is a VPN tunneling protocol. Its job is to build the tunnel; it provides no encryption of its own, so it is very often combined with IPSec, which, as we already know, provides confidentiality and authentication. This combination is called L2TP/IPSec.
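The NAT problem described in the NAT-T section above, shown at the byte level as an added example (not code from the original post): an AH and an ESP transport-mode packet are built with HMAC-SHA1-96 integrity, a NAT rewrites the source address, and only the ESP packet still verifies, because the AH ICV covers the IP header (with its mutable fields zeroed, RFC 4302) while the ESP ICV covers only the ESP header and payload. The second half computes the NAT-D payloads of RFC 3947, HASH(CKY-I | CKY-R | IP | Port), which is how IKE detects the NAT before switching to UDP 4500. Encryption is not modelled (the ESP payload is left as plaintext), the integrity key and addresses are constructed, and the NAT is assumed to leave the UDP port 500 unchanged.

```python
"""Why NAT breaks AH but not ESP, and how IKE's NAT-D payloads detect a NAT.
Added example, not from the original post.  Key, addresses (RFC 5737
documentation ranges) and payloads are constructed; ESP encryption is not
modelled, only the bytes each integrity check covers."""
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-integrity-key"      # in real IPsec this comes out of IKE (SKEYID_d)
PROTO_ESP, PROTO_AH, PROTO_UDP = 50, 51, 17


def ip4(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def icv(data: bytes) -> bytes:
    """HMAC-SHA1-96, the classic IPsec integrity algorithm (96-bit truncation)."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    # ver/IHL, DSCP/ECN, total length, id, flags/frag, TTL, proto, checksum, src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                       ttl, proto, 0, ip4(src), ip4(dst))


def ah_immutable_view(iph: bytes) -> bytes:
    """RFC 4302 3.3.3.1: DSCP/ECN, flags+fragment offset, TTL and checksum are
    mutable and zeroed for the ICV; addresses, length and protocol stay covered."""
    h = bytearray(iph)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def build_ah_packet(src, dst, payload, spi=0x1001, seq=1):
    """IP | AH(next hdr, payload len, reserved, SPI, seq, ICV) | payload (transport mode)."""
    ah_len = 24
    ah_fixed = struct.pack("!BBHII", PROTO_UDP, ah_len // 4 - 2, 0, spi, seq)
    iph = ipv4_header(src, dst, PROTO_AH, ah_len + len(payload))
    mac = icv(ah_immutable_view(iph) + ah_fixed + bytes(12) + payload)   # ICV field zeroed
    return iph + ah_fixed + mac + payload


def verify_ah(pkt: bytes) -> bool:
    iph, ah_fixed, mac, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    return hmac.compare_digest(mac, icv(ah_immutable_view(iph) + ah_fixed + bytes(12) + payload))


def build_esp_packet(src, dst, payload, spi=0x2002, seq=1):
    """IP | ESP(SPI, seq) | payload | trailer(pad len, next hdr) | ICV (transport mode)."""
    esp = struct.pack("!II", spi, seq) + payload + struct.pack("!BB", 0, PROTO_UDP)
    iph = ipv4_header(src, dst, PROTO_ESP, len(esp) + 12)
    return iph + esp + icv(esp)                  # the IP header is not part of the ICV


def verify_esp(pkt: bytes) -> bool:
    esp, mac = pkt[20:-12], pkt[-12:]
    return hmac.compare_digest(mac, icv(esp))


def nat_rewrite(pkt: bytes, new_src: str) -> bytes:
    """A NAT rewrites the source address and decrements the TTL (checksum left 0 here)."""
    h = bytearray(pkt[:20])
    h[12:16] = ip4(new_src)
    h[8] -= 1
    return bytes(h) + pkt[20:]


def nat_d(cky_i, cky_r, addr, port):
    """RFC 3947 3.2: NAT-D = HASH(CKY-I | CKY-R | IP | Port), SHA-1 as the negotiated hash."""
    return hashlib.sha1(cky_i + cky_r + ip4(addr) + struct.pack("!H", port)).digest()


def nat_d_payloads(cky_i, cky_r, local, remote):
    """What a peer sends: first the hash of the remote (destination) address, then its own."""
    return [nat_d(cky_i, cky_r, *remote), nat_d(cky_i, cky_r, *local)]


def detect_nat(cky_i, cky_r, received, observed_src, observed_dst):
    """Receiver side: compare the peer's hashes with the addresses actually seen on the wire."""
    return {"self_behind_nat": received[0] != nat_d(cky_i, cky_r, *observed_dst),
            "peer_behind_nat": received[1] != nat_d(cky_i, cky_r, *observed_src)}


def scenario():
    """Client 192.168.1.10 behind a NAT that maps it to 203.0.113.5; server 198.51.100.1."""
    client, natted, server = "192.168.1.10", "203.0.113.5", "198.51.100.1"
    payload = b"constructed transport-mode payload"
    ah = nat_rewrite(build_ah_packet(client, server, payload), natted)
    esp = nat_rewrite(build_esp_packet(client, server, payload), natted)
    cky_i, cky_r = b"\x01" * 8, b"\x02" * 8
    sent = nat_d_payloads(cky_i, cky_r, local=(client, 500), remote=(server, 500))
    nat = detect_nat(cky_i, cky_r, sent, observed_src=(natted, 500), observed_dst=(server, 500))
    return {"ah_ok_after_nat": verify_ah(ah), "esp_ok_after_nat": verify_esp(esp), **nat}


if __name__ == "__main__":
    print(scenario())
```

ESP surviving the address rewrite is only half the story: in transport mode the encrypted TCP/UDP checksum inside still covers the original address, and the NAT has no ports to translate, which is why NAT-T adds the UDP 4500 header rather than simply relying on ESP.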
Establishing an L2TP/IPSec connection goes through these steps:

- IKE on UDP port 500 negotiates the Security Association (SA), authenticating the peers with certificates (server and client) or a PSK.
- From the SA parameters an encrypted ESP transport-mode connection is set up between the two IP endpoints.
- The L2TP tunnel is then negotiated and created between the endpoints over UDP port 1701; that UDP traffic is already wrapped inside IPSec.

Knowledge check

- ESP offers encryption, AH does not: TRUE
- IKE negotiates the connection and the exchange of keying material: TRUE
- IKE is a manual exchange of encryption keys: FALSE
- Tunnel mode corresponds to a gateway-to-gateway VPN: TRUE
- When sniffing IPSec packets it is easy to tell which traffic is inside the tunnel: FALSE
- AH, whether in tunnel or transport mode, is incompatible with NAT: TRUE
- An SA is an agreement between two gateways on how data will be exchanged securely: TRUE
- IPSec uses the concept of a security association, and uses IKE or IKEv2 to set these security associations up: TRUE
- AH is used to authenticate IP traffic, never to encrypt it: TRUE
- MD5 and SHA1 are examples of both authentication and encryption algorithms: FALSE (they are hash functions, used only for integrity and authentication; they never encrypt anything)
- Encryption methods used by IPSec: DES, 3DES, Blowfish, AES
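A packet-level check for the protocol stack described in the L2TP/IPSec and NAT-T sections, as an added example (not code from the original post): UDP datagrams to port 500 are parsed as IKE (the exchange type tells you whether you are looking at phase 1 or phase 2, and the E flag whether the message is already encrypted), datagrams to port 4500 are split into NAT-T keepalives, IKE behind the RFC 3948 Non-ESP marker, and UDP-encapsulated ESP, and datagrams to port 1701 are parsed as L2TP. L2TP seen outside IPSec is flagged, because L2TP on its own encrypts nothing. The datagrams are constructed, and the `inside_ipsec` flag stands in for whether the capture point saw the L2TP packet after ESP decapsulation.

```python
"""Classify UDP datagrams on the ports used by L2TP/IPSec: 500 (IKE), 4500 (NAT-T)
and 1701 (L2TP).  Added example, not the original post's code; datagrams are
constructed.  Header layouts: ISAKMP/IKE RFC 2408 and RFC 7296, UDP encapsulation
RFC 3948, L2TP RFC 2661."""
import struct

IKE_EXCHANGES = {2: "Main Mode (phase 1)", 4: "Aggressive Mode (phase 1)", 5: "Informational",
                 32: "Quick Mode (phase 2)", 34: "IKE_SA_INIT (IKEv2)", 35: "IKE_AUTH (IKEv2)",
                 36: "CREATE_CHILD_SA (IKEv2)", 37: "INFORMATIONAL (IKEv2)"}


def parse_ike(data: bytes):
    """28-byte IKE header: SPI_i, SPI_r, next payload, version, exchange type, flags, msg id, length."""
    if len(data) < 28:
        return None
    spi_i, spi_r, _next, version, exch, flags, _msg_id, length = struct.unpack("!8s8sBBBBII", data[:28])
    if length != len(data):                      # the length field must match the datagram
        return None
    major = version >> 4
    return {"kind": "IKE", "version": f"{major}.{version & 0xF}",
            "exchange": IKE_EXCHANGES.get(exch, f"unknown({exch})"),
            "encrypted": bool(flags & 0x01) if major == 1 else None,   # IKEv1 E flag
            "response": bool(flags & 0x20) if major == 2 else None,    # IKEv2 R flag
            "initiator_spi": spi_i.hex(), "responder_spi": spi_r.hex()}


def parse_l2tp(data: bytes):
    """L2TP header: flags/version, optional length, tunnel id, session id, optional Ns/Nr."""
    if len(data) < 6:
        return None
    flags = struct.unpack("!H", data[:2])[0]
    if flags & 0x000F != 2:                      # L2TPv2 only
        return None
    is_control, has_len, has_seq = bool(flags & 0x8000), bool(flags & 0x4000), bool(flags & 0x0800)
    off = 2
    if has_len:
        off += 2
    if len(data) < off + 4 + (4 if has_seq else 0):
        return None
    tunnel_id, session_id = struct.unpack("!HH", data[off:off + 4])
    off += 4
    ns, nr = struct.unpack("!HH", data[off:off + 4]) if has_seq else (None, None)
    return {"kind": "L2TP", "control": is_control, "tunnel_id": tunnel_id,
            "session_id": session_id, "ns": ns, "nr": nr}


def classify(dst_port: int, data: bytes, inside_ipsec: bool = False):
    """Return a dict describing the datagram; L2TP outside IPsec carries a warning."""
    if dst_port == 500:
        return parse_ike(data) or {"kind": "unparseable on 500"}
    if dst_port == 4500:
        if data == b"\xff":
            return {"kind": "NAT-T keepalive"}
        if data[:4] == b"\x00\x00\x00\x00":      # Non-ESP marker: IKE over 4500
            return parse_ike(data[4:]) or {"kind": "unparseable IKE on 4500"}
        if len(data) >= 8:
            spi, seq = struct.unpack("!II", data[:8])
            return {"kind": "UDP-encapsulated ESP", "spi": f"{spi:#010x}", "seq": seq}
    if dst_port == 1701:
        info = parse_l2tp(data)
        if info:
            info["warning"] = None if inside_ipsec else "cleartext L2TP: not protected by IPsec"
            return info
    return {"kind": "unclassified"}


def build_ike(exchange, spi_r=bytes(8), flags=0, version=0x10, payload=b""):
    """Constructed IKE datagram with a correct length field."""
    return struct.pack("!8s8sBBBBII", b"\x11" * 8, spi_r, 1, version, exchange, flags,
                       0, 28 + len(payload)) + payload


def build_l2tp_control(tunnel_id, session_id, ns, nr, avps=b""):
    """Constructed L2TP control message: T, L and S bits set, version 2."""
    flags = 0x8000 | 0x4000 | 0x0800 | 2
    return struct.pack("!HHHHHH", flags, 12 + len(avps), tunnel_id, session_id, ns, nr) + avps


SAMPLES = [  # (dst port, datagram, seen inside IPsec?)  all constructed
    (500, build_ike(2), False),                                            # Main Mode msg 1
    (4500, b"\x00\x00\x00\x00" + build_ike(32, b"\x22" * 8, 0x01), False),  # Quick Mode, encrypted
    (4500, b"\xff", False),                                                # NAT-T keepalive
    (4500, struct.pack("!II", 0x2002, 7) + b"\x00" * 40, False),           # ESP in UDP
    (1701, build_l2tp_control(0, 0, 0, 0), True),                          # SCCRQ inside IPsec
    (1701, build_l2tp_control(5, 0, 1, 1), False),                         # same, but in the clear
]


def classify_all(samples=SAMPLES):
    return [classify(port, data, inside) for port, data, inside in samples]


if __name__ == "__main__":
    for (port, _, _), result in zip(SAMPLES, classify_all()):
        print(port, result)
```

The last two samples are the check worth automating: an L2TP control message that a capture on the outside interface can parse at all means the IPSec step never happened, and the PPP authentication that follows inside the tunnel will cross the network unprotected.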