- Shopping Bag ( 0 items )
The solution is a virtual private network: a collection of technologies that ...
The solution is a virtual private network: a collection of technologies that creates secure connections or "tunnels" over regular Internet lines -- connections that can be easily used by anybody logging in from anywhere. A number of products now exist to help you develop that solution.
This book tells you how to plan and build a VPN. It starts with general concerns like costs, configuration, and how a VPN fits in with other networking technologies like firewalls. It continues with detailed descriptions of how to install and use VPN technologies that are available for Windows NT and UNIX, such as PPTP and L2TP, Altavista Tunnel, Cisco PIX, and the secure shell SSH.
New features in the second edition include SSH, which is a popular VPN solution for UNIX systems, and an expanded description of the IPSec standard, for which several vendors have announced support.
Provide a low-cost, secure electronic network for your organization. With 228 pages of instruction, this concise text teaches you how to build and plan a virtual private network. It examines PPTP, Cisco PIX Firewalls, SSH and the IPSec standard. It also explores practical issues, such as cost and configuration.
Unlike a firewall or proxy server, where you may set it up once and not touch it for months, your VPN is a more dynamic security mechanism. The main reason for this is that users rarely realize that they're interacting with a firewall or a proxy, while logging into a VPN server may take some interaction on their part. Users with various types of equipment may access your VPN from any point on the Internet at any hour or day. Anyone who has ever run a remote access server knows the various problems dial-up users can have. Many of the same problems that apply to remote users also apply to remote access VPN users. Remote sites that are connecting to a corporate LAN might require less maintenance, however, because with a LAN you often need to set them up once, have them dial in, and that's it. In this chapter, we'll go over the problems that can occur and look for possible debugging information and solutions, as well as list what you should be armed with when working with an ISP on VPN issues.
While this chapter can't address the specifics of your network, we can give you some general security suggestions. It's important to remember that no level of authentication or encryption can protect you if you don't have a sound security policy in place. We briefly touched on this in Chapter 1, Why Build a Virtual Prive Network? Private Network? And Chapter 2, Basic VPN Technologies.
Finally, you'll want to keep up with the latest trends, standards, and security holes in VPN technologies, so that you can ensure that your VPN is up-to-date. We'll go over a list of resources you can use at the end of this chapter and in Appendix B, Resources, Online and Otherwise.
Another consideration for a reliable VPN is a quality of service (QoS) guarantee. This is an agreement between a customer and an ISP that guarantees a certain amount of availability and bandwidth on an ISP's network. Typically QoS guarantees a certain amount of latency for your traffic on the ISP's network, typically measured in tens of milliseconds. Most national ISPs guarantee 99.5% availability on their network. QoS guarantees will appear in your ISP's service level agreement (SLA),with you.
There are also VPN services that ISPs are selling, including GTE, UUNET, and others. With these services, they operate and manage your VPN for you, Prices are variable, and are typically based on the number of sites and the total amount of bandwidth used.
Chances are that any one of the problems discussed in this chapter-authentication, connectivity, or routing-is caused by a configuration mismatch on your equipment, the ISP's equipment, or the equipment on the far end of the connection. The routing problem, however, could also be due to any one of the numerous connection points on the Internet backbone between you and the destination. You, and your ISP, will have little control over these problems, but it's nice to know where the problem is so that you can report it to the proper people.
In Chapter 5, Configuring and Testing Layer 2 Connections, in the section "Troubleshooting Problems," we mentioned two useful utilities for testing routes: ping and traceroute. Both of these tools can be used to troubleshoot problems on other VPNs as well. ping is a utility found on Unix, Windows 95/98, and Windows NT systems. It sends packets to a given destination and awaits a return. It doesn't tell you what route the packets take, but it does tell you if they get there at all and if there's any packet loss. Traceroute is a program on Unix systems. The Windows 95/98/NT equivalent is TRACERT. Traceroute will actually show you the path packets take to their destination. This information can be useful to pinpoint exactly where a problem is occurring.
Traceroute information can sometimes be confusing. Be sure to read up on what the various latencies mean, as well as asterisks, exclamation marks, and other symbols. A good TCP/IP networking book will explain how to read traceroute's output, as will its manual page on a Unix system. Also keep in mind that an ISP or company may be blocking traceroute's UDP packets at their firewall for security reasons, so you -may want to contact them and find out if this is the case. If the problem appears to be with a backbone provider, the best thing to do is still to contact your ISP. They can then contact the backbone provider and see what the problem is.
Make sure your ISP is someone you trust. During the course of the troubleshooting session you may have to give them security information about your network, or set up a test account for them to attempt to dial into. Here are some suggestions for finding a trustworthy ISP, or building trust with your current one:
Network Address Translation (NAT) is a protocol many routers support that allows machines to access the Internet even though they have internal IP addresses (set aside in RFC 1918) that are not usable on the wider Internet. Essentially, each machine is given a nonroutable address, while the router has a routable IP address. When each of the machines behind the router wants to access the Internet, it pretends to have the IP address of the router.
If you want to use NAT, we suggest a double-router setup, as shown in Figure 10-2. It shows a gateway router to the Internet and a perimeter network with Internet-routable IP addresses. On the perimeter network is a NATcapable router multi-homed to have interfaces to both the perimeter network and the internal network. The machines on the internal network have only non-Internet routable IP addresses. The VPN server is also multi-homed between the perimeter and internal networks, and will route only VPN traffic to and from those networks. . . .
Contents of This Book;
Conventions Used in This Book;
Comments and Questions;
Chapter 1: Why Build a Virtual Private Network?;
1.1 What Does a VPN Do?;
1.2 Security Risks of the Internet;
1.3 How VPNs Solve Internet Security Issues;
1.4 VPN Solutions;
1.5 A Note on IP Address and Domain Name Conventions Used in This Book;
Chapter 2: Basic VPN Technologies;
2.1 Firewall Deployment;
2.2 Encryption and Authentication;
2.3 VPN Protocols;
2.4 Methodologies for Compromising VPNs;
2.5 Patents and Legal Ramifications;
Chapter 3: Wide Area, Remote Access, and the VPN;
3.1 General WAN, RAS, and VPN Concepts;
3.2 VPN Versus WAN;
3.3 VPN Versus RAS;
Chapter 4: Implementing Layer 2 Connections;
4.1 Differences Between PPTP, L2F, and L2TP;
4.2 How PPTP Works;
4.3 Features of PPTP;
Chapter 5: Configuring and Testing Layer 2 Connections;
5.1 Installing and Configuring PPTP on a Windows NT RAS Server;
5.2 Configuring PPTP for Dial-up Networking on a Windows NT Client;
5.3 Configuring PPTP for Dial-up Networking on a Windows 95 or 98 Client;
5.4 Enabling PPTP on Remote Access Switches;
5.5 Making the Calls;
5.6 Troubleshooting Problems;
5.7 Using PPTP with Other Security Measures;
Chapter 6: Implementing the AltaVista Tunnel 98;
6.1 Advantages of the AltaVista Tunnel System;
6.2 AltaVista Tunnel Limitations;
6.3 How the AltaVista Tunnel Works;
6.4 VPNs and AltaVista;
Chapter 7: Configuring and Testing the AltaVista Tunnel;
7.1 Getting Busy;
7.2 Installing the AltaVista Tunnel;
7.3 Configuring the AltaVista Tunnel Extranet and Telecommuter Server;
7.4 Configuring the AltaVista Telecommuter Client;
7.5 Troubleshooting Problems;
Chapter 8: Creating a VPN with the Unix Secure Shell;
8.1 The SSH Software;
8.2 Building and Installing SSH;
8.3 SSH Components;
8.4 Creating a VPN with PPP and SSH;
8.5 Troubleshooting Problems;
8.6 A Performance Evaluation;
Chapter 9: The Cisco PIX Firewall;
9.1 The Cisco PIX Firewall;
9.2 The PIX in Action;
9.3 Configuring the PIX as a Gateway;
9.4 Configuring the Other VPN Capabilities;
Chapter 10: Managing and Maintaining Your VPN;
10.1 Choosing an ISP;
10.2 Solving VPN Problems;
10.3 Delivering Quality of Service;
10.4 Security Suggestions;
10.5 Keeping Yourself Up-to-Date;
Chapter 11: A VPN Scenario;
11.1 The Topology;
11.2 Central Office;
11.3 Large Branch Office;
11.4 Small Branch Offices;
11.5 Remote Access Users;
11.6 A Network Diagram;
Emerging Internet Technologies;
Resources, Online and Otherwise;
The Trade Press;
Networking and Intranet-Related Web Sites;
In this chapter:
Until now there has always been a clear division between public and private networks. A public network, like the public telephone system and the Internet, is a large collection of unrelated peers that exchange information more or less freely with each other. The people with access to the public network may or may not have anything in common, and any given person on that network may only communicate with a small fraction of his potential users.
A private network is composed of computers owned by a single organization that share information specifically with each other. They're assured that they are going to be the only ones using the network, and that information sent between them will (at worst) only be seen by others in the group. The typical corporate Local Area Network (LAN) or Wide Area Network (WAN) is an example of a private network. The line between a private and public network has always been drawn at the gateway router, where a company will erect a firewall to keep intruders from the public network out of their private network, or to keep their own internal users from perusing the public network.
There also was a time, not too long ago, when companies could allow their LANs to operate as, separate, isolated islands. Each branch office might have its own LAN, with its own naming scheme, email system, and even its own favorite network protocol - none of which might be compatible with other offices' setups. As more company resources moved to computers, however, there came a need for these offices to interconnect. This was traditionally done using leased phone lines of varying speeds. By using leased lines, a company can be assured that the connection is always available, and private. Leased phone lines, however, can be expensive. They're typically billed based upon a flat monthly fee, plus mileage expenses. If a company has offices across the country, this cost can be prohibitive. Private networks also have trouble handling roving users, such as traveling salespeople. If the salesperson doesn't happen to be near one of the corporate computers, he or she has to dial into a corporation's modem long-distance, which is an extremely expensive proposition.
This book is about the virtual private network (VPN), a concept that blurs the line between a public and private network. VPNs allow you to create a secure, private network over a public network such as the Internet. They can be created using software, hardware, or a combination of the two that creates a secure link between peers over a public network. This is done through encryption, authentication, packet tunneling, and firewalls. In this chapter we'll go over exactly what is meant by each of these and what roles they play in a VPN; we'll touch upon them again and again throughout the book. Because they skirt leased line costs by using the Internet as a WAN, VPNs are more cost-effective for large companies, and well within the reach of smaller ones.
In this chapter, we'll also talk about intranets as the latest trend in corporate information systems, and how they were the impetus for VPNs.
What Does a VPN Do?
A virtual private network is a way to simulate a private network over a public network, such as the Internet. It is called "virtual" because it depends on the use of virtual connections - that is, temporary connections that have no real physical presence, but consist of packets routed over various machines on the Internet on an ad hoc basis. Secure virtual connections are created between two machines, a machine and a network, or two networks.
Using the Internet for remote access saves a lot of money. You'll be able to dial in wherever your Internet service provider (ISP) has a point-of-presence (POP). If you choose an ISP with nationwide POPs, there's a good chance your LAN will be a local phone call away. Some ISPs have expanded internationally as well, or have alliances with ISPs overseas. Even many of the smaller ISPs have toll-free numbers for their roaming users. At the time of this writing, unlimited access dial-up PPP accounts, suitable for business use, are around $25 per month per user. At any rate, well-chosen ISP accounts should be cheaper than setting up a modem pool for remote users and paying the long- distance bill for roaming users. Even toll-free access from an ISP is typically cheaper than having your own toll-free number, because ISPs purchase hours in bulk from the long- distance companies.
In many cases, long-haul connections of networks are done with a leased line, a connection to a frame relay network, or ISDN. We've already mentioned the costs of leasing a "high cap" leased line such as a T1. Frame relay lines can also give you high speeds without the mileage charges. You purchase a connection to a frame cloud, which connects you through switches to your destination. Unlike a leased line, the amount you pay is based more on the bandwidth that's committed to your circuit than distance. Frame connections are still somewhat expensive, however. ISDN, like the plain old telephone system, incurs long-distance charges. In many locations, the local telephone company charges per minute even for local calls, which again runs expenses up. For situations where corporate office networks are in separate cities, having each office get a T1, frame relay, or ISDN fine to an ISP's local POP would be much cheaper than connecting the two offices using these technologies, A VPN could then be instituted between the routers at the two offices, over the Internet. In addition, a VPN will allow you to consolidate your Internet and WAN connections into a single router and single line, saving you money on equipment and telecommunications infrastructure.
The Rise of Intranets
By now you've probably heard of Intranets and the stir they've caused at many businesses. Companies are running TCP/IP networks, posting information to their internal web sites, and using web browsers as a common collaborative tool. An example of an Intranet application is a customer database accessible via the Web. Salespeople could use this database to contact current customers about new product offerings and send them quotes. The database could have a HyperText MarkUp Language (HTML) front end, so that it would be accessible from any web browser.
The rise of Intranets was spurred on by the growth of the Internet and its popular information services, commonly known as the World Wide Web. It was as if the corporate sector had finally caught on to what the Internet community had been doing for years: using simple, platform-independent protocols to communicate more effectively. No matter how much marketing hype you hear, an Intranet is simply Internet technology put to use on a private network.
How VPNs relate to Intranets
Virtual private networks can be used to expand the reach of an Intranet. Since Intranets are typically used to communicate proprietary information, you don't want them accessible from the Internet. There may be cases, however, where you'll want far-flung offices to share data or remote users to connect to your Intranet, and these users may be using the Internet as their means of connection. A VPN will allow them to connect to the Intranet securely, so there are no fears of sensitive information leaving the network unprotected. You might see this type of connection also referred to as an "Extranet."
Using our previous example of the customer database, it's easy to see how a VPN could expand the Intranet application's functionality. Suppose most of your salespeople are on the road, or work from home. There's no reason why they shouldn't be able to use the Internet to access the web server that houses the customer database application. You don't want just anyone to be able to access the information, however, and you're also worried about the information itself flowing unencrypted over the Internet. A VPN can provide a secure link between the salesperson's laptop and the Intranet web server running the database, and encrypt the data going between them. VPNs give you flexibility, and allow practically any corporate network service to be used securely across the Internet.
Security Risks of the Internet
The risks associated with the Internet are advertised every day by the trade and mainstream media. Whether it's someone accessing your credit card numbers, prying into your legal troubles, or erasing your files, there's a new scare every month about the (supposedly) private information someone can find out about you on the Internet. (Not to mention the perceived risk that you might happen upon some information that you find offensive, or that you might not want your children to see.)
For corporations, the risks are even more real and apparent. Stolen or deleted corporate data can adversely affect people's livelihoods, and cost the company money. If a small company is robbed of its project files or customer database, it could put them out of business.
Since the Internet is a public network, you always risk having someone access any system you connect to it. It used to be that a system intruder would have to dial into your network to crack a system. This meant that they would have to find a phone number connected to a modem bank that would give them access, and risk the possibility of the line being traced. But if your corporate network is connected over the Internet and your security is lax, the system cracker might be able to access your network using any standard dial-up account from any ISP in the world. Even unsophisticated users can obtain and use automated "security check" tools to seek out holes in a company's network. What's worse is that, chances are, you'll never know that it's happening.
Before we put our private data out on the Internet, we'd better make sure a VPN is robust enough to protect it.
What Are We Protecting with Our VPN?
The first things that come to mind when you think of protection are the files on your networked computers: documents that contain your company's future plans, spreadsheets that detail the financial analysis of a new product introduction, databases of your payroll and tax records, or even a security assessment of your network pointing out holes and problematic machinery. These files are a good starting point, but don't forget about the other, less tangible assets that you connect to the Internet when you go online. These include the services that you grant your employees and customers, the computing resources that are available for use, and even your reputation. For instance, a security failure can cause your vendors' email to bounce back to them, or prevent your users from making connections to other sites.
The easiest dung would be to isolate, tabulate, and lock down your private data. Well over half the data you manage and distribute might call for some sort of security. Just think, even something as innocuous as customer records and addresses could be used against you in a negative advertising campaign; this might hurt you far worse than a negative campaign aimed at a random slice of the population.
Unfortunately, in the client-server world of telecommuters, field sales agents, and home offices, it's not so easy to keep all private data locked down in a single, protected area. The chief financial officer of a company may need to access financial information on the road, or a programmer working from home may need to access source code. VPNs help alleviate some of the worry of transmitting secure files outside of your network. In Chapter 2, Basic VPN Technologies, we will examine possible threats to your network and data, and explore the technologies that VPNs use to avoid them.
How VPNs Solve Internet Security Issues
There are several technologies that VPNs use to protect data travelling across the Internet. The most important concepts are firewalls, authentication, encryption, and tunneling. Here we will give them a cursory rundown, then go into more detail in Chapter 2.
An Internet firewall serves the same purpose as firewalls in buildings and cars: to protect a certain area from the spread of fire and a potentially catastrophic explosion. The spread of a fire from one part of a building is controlled by putting up retaining walls, which help to contain the damage and minimize the overall loss and exposure. An Internet firewall is no different. It uses such techniques as examining Internet addresses on packets or ports requested on incoming connections to decide what traffic is allowed into a network.
Although most VPN packages themselves don't implement firewalls directly, they are an integral part of a VPN. The idea is to use the firewall to keep unwanted visitors from entering your network, while allowing VPN users through. If you don't have a firewall protecting your network, don't bother with a VPN until you get one - you're already exposing yourself to considerable risk.
The most common firewall is a packet filtration firewall, which will block specified IP services (run on specific port numbers) from crossing the gateway router. Many routers that support VPN technologies, such as the Cisco Private Internet Exchange (PDO and the 3Com/U.S. Robotics Total Control, also support packet filtration. Proxies are also a common method of protecting a network while allowing VPN services to enter. Proxy servers are typically a software solution run on top of a network operating system, such as Unix, Windows NT, or Novell Netware.
Authentication techniques are essential to VPNs, as they ensure the communicating parties that they are exchanging data with the correct user or host. Authentication is analogous to "logging in" to a system with a username and password. VPNs, however, require more stringent authentication methods to validate identities. Most VPN authentication systems are based on a shared key system. The keys are run through a hashing algorithm, which generates a hash value. The other party holding the keys will generate its own hash value and compare it to the one it received from the other end. The hash value sent across the Internet is meaningless to an observer, so someone sniffing the network wouldn't be able to glean a password. The Challenge Handshake Authentication Protocol (CHAP) is a good example of an authentication method that uses this scheme. Another common authentication system is RSA.
Authentication is typically performed at the beginning of a session, and then at random during the course of a session to ensure that an impostor didn't "slip into" the conversation. Authentication can also be used to ensure data integrity. The data itself can be sent through a hashing algorithm to derive. a value that is included as a checksum on the message. Any deviation in the checksum sent from one peer to the next means the data was corrupted during transmission, or intercepted and modified along the way.
All VPNs support some type of encryption technology, which essentially packages data into a secure envelope. Encryption is often considered as essential as authentication, for it protects the transported data from packet sniffing. There are two popular encryption techniques employed in VPNs: secret (or private) key encryption and public key encryption.
In secret key encryption, there is a shared secret password or passphrase known to all parties that need access to the encrypted information. This single key is used to both encrypt and decrypt the information. The data encryption standard (DES), which the Unix crypt system call uses to encrypt passwords, is an example of a private key encryption method.
One problem with using secret key encryption for shared data is that all parties needing access to the encrypted data must know the secret key. While this is fine for a small workgroup, of people, it can become unmanageable for a large network. What if one of the people leaves the company.? Then you're going to have to revoke the old shared key, institute a new one, and somehow securely notify all the users that it has changed.
Public key encryption involves a public key and a private key. You publish your public key to everyone, while only you know your private key. if you want to send someone sensitive data, you encrypt it with a combination of your private key and their public key. When they receive it, they'll decrypt it using your public key and their private key. Depending on the software, public and private keys can be large - too large for anyone to remember. Therefore, they're often stored on the machine of the person using the encryption scheme. Because of this, private keys are typically stored using a secret key encryption method, such as DES, and a password or passphrase you can remember, so that even if someone gets on your system, they won't be able to see what your private key looks like. Pretty Good Privacy (PGP) is a well-known data security program that uses public key encryption; RSA is another public key system that is particularly popular in commercial products. The main disadvantage of public key encryption is that, for an equal amount of data, the encryption process is typically slower than with secret key encryption.
VPNs, however, need to encrypt data in real time, rather than storing the data as a file like you would with PGP. Because of this, encrypted streams over a network, such as VPNs, are encrypted using secret key encryption with a key that's good only for that streaming session. The session secret itself (typically smaller than the data) is encrypted using public key encryption and is sent over the link. The secret keys are often negotiated using a key management protocol.
The next step for VPNs is secure IP, or IPSec. IPSec is a series of proposals from the IM outlining a secure IP protocol for IPv4 and IPv6. These extensions would provide encryption at the IP level, rather than at the higher levels that SSL and most VPN packages provide.
IPSec creates an open standard for VPNs. Currently, some of the primary VPN contenders use proprietary encryption, or open standards that only a few vendors adhere to. Rather than seeing IPSec as a threat to their current products, most vendors see it as a way to augment their own security, essentially adding another interoperable level to their current tunneling and encryption methods. We'll go into detail about the power, politics, and use of various encryption techniques in Chapter 2.
Many VPN packages use tunneling to create a private network, including several that we review in this book: the AltaVista Tunnel, the Point-to-Point Tunneling Protocol (PPTP), the Layer 2 Forwarding Protocol, and IPSec's tunnel mode. VPNs allow you to connect to a remote network over the Internet, which is an IP network. The fact is, though, that many corporate LANs. don't exclusively use IP (although the trend is moving in that direction). Networks with Windows NT servers, for instance, might use NetBEUI, while Novell servers use IPX. Tunneling allows you to encapsulate a packet within a packet to accommodate incompatible protocols. The packet within the packet could be of the same protocol or of a completely foreign one. For example, tunneling can be used to send IPX packets over the Internet so that a user can connect to an IPX-only Novell server remotely.
With tunneling you can also encapsulate an IP packet within another IP packet. This means you can send packets with arbitrary source and destination addresses across the Internet within a packet that has Internet-routable source and destination addresses. The practical upshot of this is that you can use the reserved (not Internet-routable) IP address space set aside by the Internet Assigned Numbers Authority (IANA) for private networks on your IAN, and still access your hosts across the Internet. We will look at how and why you would do this in later chapters.
Other standards that many VPN devices use are X.509 certificates, the Lightweight Directory Access Protocol (LDAP), and RADIUS for authentication.
A VPN is a conglomerate of useful technologies that originally were assembled by hand. Now the networking companies and ISPs have realized the value of a VPN and are offering products that do the hard work for you. In addition, there is an assortment of free software available on the Internet (usually for Unix systems) that can be used to create a VPN. In this book, we're going to look at some of the commercial and free solutions in detail. Which one you choose for your network will depend on the resources available to you, the platforms you run, your network topology, the time you wish to spend installing and configuring the software, and whether or not you want commercial-level support. We can't cover every vendor and product in this book; they change too quickly. Instead, we offer guidelines you can use on all networks and details on a few stable products that were available when we were writing this edition-we don't mean to imply that there's anything less valuable about competing products.
VPN packages range from software solutions that run on or integrate with a network operating system (such as the AltaVista Tunnel or CheckPoint Firewall-1 on Windows NT or Unix), to hardware routers/firewalls (such as those from Cisco and Ascend), to integrated hardware solutions designed specifically for VPN functions (such as VPNet and the Bay Networks Extranet Switch). Some VPN protocols, like SSH or SSL, gained popularity for performing other functions, but have since become used for VPNs as well.
In addition to products, ISPs are also offering VPN services to their customers. The tunneling usually takes place on the ISP's equipment. If both ends of the connection are through the same ISP, that ISP might offer a Service Level Agreement (SLA) guaranteeing a certain maximum amount of latency and uptime.
Quality of Service Issues
Running a virtual private network over the Internet raises an easily forgotten issue of reliability. Let's face it: the Internet isn't always the most reliable network, by nature. Tracing a packet from one point to another, you may pass through a halfdozen different networks of varying speeds, reliability, and utilization-each run by a different company. Any one of these networks could cause problems for a VPN.
The lack of reliability of the Internet, and the fact that no one entity controls it, makes troubleshooting VPN problems difficult for a network administrator. If a user can't dial into a remote access server at the corporate headquarters, or there's a problem with a leased line connection, the network administrator knows there are a limited number of possibilities for where the problem may occur: the machine or router on the far end, the telecommunications company providing the fink, or the machine or router at the corporate headquarters. For a VPN over the Internet, the problem could be with the machine on the far end, with the ISP on the far end, with one of the networks in between, with the corporate headquarters' ISP, or with the machine or router at the corporate headquarters itself Although a few large ISPs are offering quality of service guarantees with their VPN service (if all parties involved are connected to their network), smaller ISPs can't make such a guarantee - and there will always be times when the network administrator is left to her own resources. This book will help you isolate and identify the problem when something goes wrong on your VPN.
A Note on IP Address and Domain Name Conventions Used in This Book
The notation 1.0.0.01124 is commonly used in describing IP address ranges. It means "start with the address 22.214.171.124 and allow the right-most 8 bits to vary." The 8 is calculated by using 32 bits (the maximum for an IP address) minus 24 (the size specified after the "/"). So 126.96.36.199/24 means all addresses from 188.8.131.52 to 184.108.40.206.
We've elected to use the same IP address ranges and domain name throughout this book. For Internet-routable IP address ranges, we're using the blocks 1.0.0.01.255.255-255 (or 220.127.116.11/8) and 18.104.22.168-22.214.171.124 (126.96.36.199/8), which we subnet to suit our needs. These ranges were chosen because they are designated as Internet routable. but are reserved by the IANA and aren't currently being used. We hope that Using these ranges, rather than random-fly picking some or choosing them from active registered networks, will makes examples and figures easier to understand while protecting the innocent. We found that this helped us maintain our own sanity while writing the book.
For internal networks, we use the IP ranges set aside in RFC 1918 for use on private networks. These ranges are 10.0.0.0-10.255.255.255 (or 10.0.0.0/8), 172.16.0.0-172- 31.255.255 (or 172,16.0.0/12), and 192.168.0.0-192.168.255.255 (or 192.168.0.0/16). We also subnet these as we deem necessary for an example.
The domain name we use for our examples is ora-vpn.com. Within this domain however, we don't have a hostname convention, because we typically create hostname to match whatever solution we are writing about in a given chapter....