MicroNugget: IPsec Site to Site VPN Tunnels Explained | CBT Nuggets
HTML-код
- Опубликовано: 12 сен 2012
- Start learning cybersecurity with CBT Nuggets. courses.cbt.gg/security
In this video, CBT Nuggets trainer Keith Barker takes a look at the concepts behind how IPsec site-to-site VPNs work. Keith uses a protocol analyzer to show you the before and after picture of a packet that's been encrypted and transmitted.
Sending packets in the wild can be dangerous. The Big Bad Internet is just waiting for you to send sensitive or important information so it can be sniffed out and exploited. So any time you send a packet out there, it's a good idea to give it some protection. IPSec lets you do that
Imagine a company with two geographically separated offices. They want full data networking between the two sites. All the servers and resources of both should be shared fully between the two.
With high-speed connectivity at both sites, the impulse might be to just send it all over the internet. But that can pose a security risk.
An IPsec VPN site-to-site tunnel can provide a number of things. First, confidentiality thanks to encryption. Also, integrity - IPsec can confirm that no bits were manipulated in transit. It can even provide authentication and anti-replay support.
See the benefits of IPsec VPN tunnels and what the packets themselves look like before and after transmission.
0:25: When you might need a VPN tunnel
1:00: The risk of using the Internet
1:45: What are IPsec’s claims to fame?
2:40: How does it do it?
3:55: Two perspectives of what the VPN looks like
5:10: Side-by-side comparison of the encrypted packet
6:40: Overview
🌐 Download the Free Ultimate Networking Cert Guide: blog.cbt.gg/i297
⬇️ 13-Week Study Plan: CCNA (200-301): blog.cbt.gg/on5i
Start learning with CBT Nuggets:
• Intro to Networking | courses.cbt.gg/tuv
• MPLS Fundamentals | courses.cbt.gg/u7u
You have a remarkable gift for teaching in plain language; I have watched a few of your videos on YT and gained in understanding, even though I am not an IT novice - I sense you enjoy what you do: thanks for taking the time to assist others.
You teach amazingly well. I can see the hard work you put into first explain the theory and then back it up with a practical example.
This was incredible. Simple, clear, well-paced, sticks to the subject, practical use-case. Just very well done.
This stuff was pure gibberish before I started studying Cisco; now it's pure gold. Thank you very much CBT Nuggets.
Hello Ashwin-
Yes, you've got it. The outside IP header will have the source IP of the VPN gateway sending the packet, with a destination IP header of the remote VPN gateway who will be receiving the packet over the internet. When the receiving router gets the packet, it will de-encapsulate and throw away the old outside header, decrypt the contents (which include the initial IP header addresses the client was using) and continue to route the packet.
Keith
Your enthusiasm made this much easier to understand
Best of the best! Super simplified nugget, this is the best explanation of IPsec I have seen, very informative and useful. Thank you so much, Keith!
You are very welcome Samer!
Best wishes,
Keith
Simple. Easy to Understand. Straight to the point. Awesome!
great job by keith barker and one of the best trainer on the internet
Thanks for the vid Mr. Barker...you take complicated topics and explain them so i can understand, keep up the great work!!
Thanks. Been doing site to site VPN for years now. Still is reliable for small and medium sized businesses :)
The way you explain it makes it seem so easy to the point where it becomes funny!!, thank you
Hi Keith, thank you for taking the time and answering my question. Great video!
Your style of explaining is second to none. 👍🙏🙏🙏
Amazing! I'm blown away. Thank you for the intelligent explanation.
AH would've been good to mention as well. You do teach very well Keith!
Great description and even I got. :)
Very good voice to match the video tutorial. Thanks Keith!!
This is one of the coolest explanations I've seen ..You've got talent.. Kudos
Excellent, learned something new. thanks for showing packet tracer working in the background
Man you're way of teaching is just awesome.. pls keep on doing what you're doing..
شكرا للدكتور هيازع البارقي خبير امن نظم المعلومات
Thank you for not having a monotone voice!
Awesome video, love your enthusiasm! :)
I hadn't realised how old this vid is until I saw the Windows XP Start button! Still good, though, thanks.
Subscribed thanks to this video. You sound so happy talking about this lol. Thanks for the vid!
This was so well illustrated and explained. Thanks
This is just so fun, thanks man!!
Thank you sir...You know exactly how to teach things..wonderful video
Thanks so much, really simple and clear explanation.
thanks for this detailed explanation with the actual ping request!
To check the data integrity of the packets as they are sent means they undergo tests like CRC (cyclic redundacy checking).
Brilliant video...simple and practical example ...loved it.
Made it so clear and easy! Great job!
Excellent. You did a great job. Simple to understand. Thanks!
How can someone thumb down this video, fantastic explanation.
Bro I loved this video. Thank you so much haha you have a gift at teaching simply
Great tutorial man! Great work, Great examples!
This series is awesome.
Great Explanation in Simple Language
Good Job Keith!
Brilliant.. Thanks a lot for simplifying it.
Excellent teacher!!! Thanks.
Dear Sir, you teach very very nice "super nice" than the other
Great explanation! Thank you!!!
The the crypto ACL says any-any, there are 2 challenges. The two peers will need to agree on that to bring up a tunnel, and then secondly, all traffic leaving the VPN peers would be sent to the peer on the other side. There may be some corner cases where something similar to that would work, but for general site to site VPNs it would be a configuration/design error.
You are amazing! I've never heard someone explain something so well! Brilliant!
Thank you so much, so well explained
This was great! :D
Man! You mad helpful! So glad I found ya!
Keith that was amazing .. many thanks :)
Ahmed Abduljabar Thanks for the feedback! It is appreciated.
-Keith
Keith Barker
My best instructor
thanks. good one. well explained. short and to the point.
Thank you for such a great explanation.
Thank for this video!
Superb! Got it exact
very professional video. thanks!
Thanks for the video, what did you use to draw on the screen? Is that a pad you can hook up to a computer?
Excelente !!!!!!!!!!! Congrats!!!!!!!!!!!
Thank you. Awesome work
viraj ayachit 🎒😈🍯👨👦👚👨👦👦♥️U.K.
Your channel enlighten some dark spots i had in networking, I'd like to thank you I have my network security exam at the end of this month.
Otherwise, would you tell me what software are you using for the facilitation of the course?
You Deserved 5 star ⭐ believe me
Hi Keith..What tool are you using in creating your topology? and also the tool you use to capture the packet
The VPN client installed in our home machines will do the ESP encapsulation at machine itself before it sends to our ISP ? Is that right ? In this example you said Router R1(ISP's router) is doing it.
Hi Keith,
I have a short question. Why do we not use SSL universally/predominantly for VPNs but use IPSec? One good reason to use SSL as opposed to IPSec is the popularity of port on which it works (443). The positive is that it's open everywhere! Am I missing something?? Maybe one similar question should be - What prevents us from using SSL instead of IPSEC protocol suite in Site-to-site tunnels?
Hi Keith,
At around 3:05 you say the packet is going to be encapsulated. Does this mean that the Packet basically has 2 Destination and 2 Source IP adresses, from which only 1 Destination and 1 Source Address are visable when the packet is send over the Internet?
Hello CBT, This was quit a great one. Could you please share a simulated one with packet tracer or GNS3 what ever ... Please. it will be very helpfull begginers as me :D
Great video :) Thanks again!
How were you able to capture the packets sent from machine to router? Then router to web?
Nice explanation. What i'm missing is: Who to do this? How do i create R1 and R2?
After all, it's about. How to get this to work.
My pleasure! Glad you liked the video.
Keth
IPSec or OpenVPN, which would you suggest in terms of security?
Awesome video, thank you so much!
Hi, I just wanna ask. What will happen if I use an access-list with permit ip any any in Ipsec VPN? Will the network be able to browse the internet?
Hi Keith,
Can u help with something. I have this network that I'm working on packet tracer. I have two sites site A and B. Site A is ASN 10 and B is ASN 20. In the middle is an ISP router on the ASN 50. I use OSPF for the interior routing on my two sites and bgp has been configured successfully on all three routers and I managed to get IP connectivity from hosts on site A to B and vice versa. The thing is when I implemented the IPsec VPN tunnel, the hosts on site A can reach until the router that connects the destination hosts but never reached them. The thing is the pings from a host in A reaches all networks inside site B except the network of the destination host. Like if 192.168.1.0 / 24 is the source network in site A and 192.168.2.0 / 24 is the destination network on B, the hosts on A can reach all networks except the network on which my destination hosts live. Pls help me understand what could have gone wrong
Thanks. But how do you connect two routers with each other? Do you use Public IP addres forwarding to each Router? For Example....How can i RDP from 172.16.0.2 to 192.168.0.20 ?
ipsec uses 2 protocols ESP for encryption and AH for authentication . using sha1 sha2 or md5 and using aes for authentication
awesome video thank u so much !
Amazing! Thank you!
Our pleasure! Glad you were able to find value in this video! :)
I don't get it with the source ip adresses. The router would change the source private ip address anyway if it is ipsec or not if it goes through the internet. It also encapsulates the whole packet with HDLC or whatever protocol the router is using to connect to the ISP router. No one could ever see the private ip address even if ipsec is not used. Could you please elaborate on that one?I really don't get it
So.. the routing table of R1 is supposed to contain the entire range of IPs of PCs under R2, or else how does it understand which of the requests are to be encrypted and sent to R2's IP ???? (and vice versa)
Great Stuff!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
hi , thanks for your nice video but, software did you use??
if I get the videos on your CBT Nuggets, would subtitles in my language?
what ports? and IPsec uses what kind of routing paths? bgp? and how do they open sessions with eachother? sorry
Does Ipsec add latency to voip calls because it has to encrypt the message? When would I turn on or off ipsec? Any help would be appreciated.
Great facilitated! thanks
Glad it helped!
What I never understood is why a VPN is necessary at all - why not send a regular IP packet with encrypted payload?
But I am getting the feeling that this is *exactly* what VPN (or rather IPsec) is doing. It always seemed to me that the encapsulation part, which was always presented as one of the two critical components of a VPN (the other being encryption), was a VPN-exclusive thing, but I guess when two PCs in their respective local networks talk to each other, encapsulation is *always* present - is that correct?
Hi dear teacher. As always, an amazing teaching video, and thank you! Beginning VPN self-studying, why so many companies selling VPN connections? Can't we set up VPNs from both sites using just internet connections of two routers? Thank you!
Danke Bre
Muchas Gracias! implementar una VPN.
Great video on VPN tunnels. I was trying to setup S2S VPN in AWS and what I did not understand is role of Inside IPv4 addresses (typically 169.254.0.0/16 range). It would be great if you could help me understand what these inside IPs are, why they are used, are these actual IPs?
This is a year late but that looks to be APIPA range. Just google that and I think you'll be good to go
THANK YOU !!!!!!!!!!!!!!!!!!!!!!!
awesome dude. thx
Great explanantion. Am new to networks and have a (stupid) question.
Doesn't HTTPS communication provide this (Encryption/Security) already ?
If so then why do we need a tunnel? why don't we just use SSL protocol for communication.
+Alok Gupta If your doing it from your work pc to say VPN to your home pc as you cannot establish a connection from your pc directly that approach would work. If you are however wanting to connection two different offices together the proper way to do it is via a LAN LAN or DMVPN as it gives flexibility that is simply not available if things are being routed via a https connection
right on one can see your private ip address and what about your data
is your data is secure on the network ipsec does it for vpn
When PC1 pings 192.168.0.20, how does router 1 know that private IP is at site 2 rather than any other company using the same private address for a host? I mean it's on the internet right? it could go anywhere, that has me confused. Can you please explain?
What if both PCs had the same IP address like 192.168.1.123 before setting up the VPN? Do the subnets have to be different at each site?
so helpful thx !
hi sir keith,
what is the difference between ipsec and ssl vpn?
thanks
SSL is clientless uses a browser and does not require any network information to create a secure tunnel
IPsec is client based and requires networking information (ip addresses) to create a tunnel
Very nice !