IPSEC VPN Tunnel on MikroTik | Maher Haddad | Skillshare



Maher Haddad, IT Trainer


Lessons in This Class

27 Lessons (3h 33m)
  • 1. Course promo (1:26)
  • 2. 1 What is VPN Intro (2:07)
  • 3. 2 What is VPN Explanation (9:15)
  • 4. 3 What is IPSEC Intro (1:37)
  • 5. 4 What is IPSEC Explanation (9:01)
  • 6. 5 IPSEC Protocol suite explained (5:06)
  • 7. 6 IPSEC modes of communication Transport vs Tunnel mode (8:07)
  • 8. 7 Types of Encryption Symmetric vs Asymmetric (5:48)
  • 9. 8 Security over the internet using IPSEC (14:38)
  • 10. 9 Encryption Protocols (DES 3DES AES Blowfish Camellia RSA DH) (15:21)
  • 11. 10 Data Integrity Hashing Algorithms (MD5 SHA1 SHA256 SHA512) (8:43)
  • 12. 11 IPSEC Authentication (Pre shared key vs Certificates) (8:38)
  • 13. 12 IPSEC Negotiation Protocols (AH vs ESP) (8:01)
  • 14. 13 IPSEC Negotiation Process Introduction (1:00)
  • 15. 14 IPSEC Negotiation Process and choices of IPSEC interesting traffic (8:55)
  • 16. 15 IPSEC IKE Phase 1 (ISAKMP Tunnel) (8:31)
  • 17. 16 IPSEC IKE Phase 1 (Main vs Aggressive mode) (5:33)
  • 18. 17 IPSEC IKE Phase 2 (IPSEC Tunnel) (6:53)
  • 19. 18 IPSEC Data Transfer (2:50)
  • 20. 19 Difference between IKEv1 and IKEv2 (5:36)
  • 21. 20 Introduction to the IPSEC LAB (1:27)
  • 22. 21 Pre configuration of the IPSEC Tunnel (16:18)
  • 23. 22 Configuring site to site IPSEC tunnel using IKEv1 and IKEv2 Part1 (20:51)
  • 24. 23 Configuring site to site IPSEC tunnel using IKEv1 and IKEv2 Part2 (6:54)
  • 25. 24 Introduction to IPSEC IKEv2 Remote Access (1:30)
  • 26. 25 Creating Certificates for remote access IPSEC (14:29)
  • 27. 26 Configuring IPSEC IKEv2 remote access (14:23)

69 Students

About This Class

What you'll learn

  • Understand what a VPN is
  • Understand what IPSEC is
  • Understand the 4 features of IPSEC
  • Understand why IPSEC is a protocol suite
  • Understand the protocols used in the IPSEC features
  • Understand IPSEC modes of communication
  • Understand IPSEC Transport mode
  • Understand IPSEC Tunnel mode
  • Understand what symmetric key encryption is
  • Understand what asymmetric key encryption is
  • Understand how DH works to share the secret key in a secure way
  • Understand the encryption protocols such as: DES, 3DES, AES, Blowfish, Camellia, RSA & DH
  • Understand data integrity using hashing algorithms such as: MD5, SHA1, SHA256, SHA512
  • Understand the types of IPSEC authentication: pre-shared key vs certificate
  • Understand IPSEC negotiation protocols: AH vs ESP
  • Understand the IPSEC negotiation process
  • Understand what the initiator is that starts the IPSEC VPN
  • Understand IKE Phase 1 (ISAKMP)
  • Understand the difference between Main and Aggressive mode in IKE Phase 1
  • Understand IKE Phase 2
  • Understand what a PFS group is
  • Understand the difference between IKEv1 & IKEv2
  • Configure IPSEC site-to-site using IKEv1
  • Configure IPSEC site-to-site using IKEv2

Requirements

  • Have TCP/IP knowledge
  • Have experience with networking
  • Ideally have an MTCNA certificate

Description

Internet Protocol Security, or what is known as IPSEC, is a VPN protocol suite widely used nowadays in our networks to connect 2 or more offices securely to each other over the public internet service, and this saves companies a lot of cost and time compared to using dedicated leased lines between their offices.

However, configuring IPSEC correctly is a challenge because IPSEC is considered a framework protocol which has many sub-protocols and phases under its umbrella.

I have designed this course to help you understand how IPSEC works; that means that a big part of this course is going to be a theoretical part explaining in detail all parts of IPSEC. During this course, I will also explain a lot of security terms that we always hear and that are used in IPSEC, such as: Encryption, Hashing, Authentication, Diffie-Hellman, Symmetric and Asymmetric keys, etc.

After the theoretical part, I am going to do LABs where I will show you how to configure IPSEC correctly on MikroTik routers, and we will test it to see if it works well. The LABs will include both versions of IPSEC, which are IKEv1 and IKEv2.

That's in brief what I am going to do in this course; of course more details will be shown in the lessons.

I can't wait to see you in my course.

Who this course is for:

  • Students who want to learn and understand how IPSEC works and know how to configure it on MikroTik RouterOS
  • Engineers who want to apply IPSEC tunneling protocol in their networks

Meet Your Teacher


Maher Haddad

IT Trainer


Hello everyone. My name is Maher Haddad and I have very long experience in the IT sector. I hold a Bachelor in Computer Communications and a Master in Computer Science.

I work as a trainer and I hold the following certificates: CCNA, CCNA Security, CCNA Voice, CCDA, CCNP R&S, CCDP, Microsoft MCP, Microsoft MCSA, MikroTik MTCNA & MTCRE, MTCWE, MTCUME, CWTS, GVF Level 1, GVF Level 2, GVF Level 3 and much more.

My experience in IT goes back to the year 2003, and I have been working all my life for international Internet Service Providers (ISPs) in different countries around the world.

You can visit my Facebook page as well as my YouTube channel, where I set a lot of online labs.

I hope you will enjoy watching my courses.




Transcripts

1. Course promo: Hi there. This is Mark, her dad, and I'm going to be the trainer of discourse in this course. I'm going to speak about the Internet Protocol Security or what we call it IP set. Before I speak, what we are going to do in this course. Let me just give you a brief idea about myself. I'm a trainer and a whole certificates from different vendors such as Cisco, Huawei, microstate, click wav, and much more. In this course, I'm going to go in details about IP shock. So this course will have a big part which we are going to speak about the theoretical part of IPSec. Then we are going to apply that on labs. Ipsec is a very complex tunneling protocols. So it is part of the VPM thalamic protocols and to be able to configure IPSec correctly on mycotic routers. We have first to understand how IPSec work. So we are going to pass through all the days of IPSec, such as what is the confidentiality? What are the data integrity? What is the protection and what are the faces on IPSec? What is the difference? Mode and IPSec? What are the negotiation modes that are available in IPSec? And much, much more things you are going to study all those together. And then when we understand all the theoretical part, we can put them all together. And then we will able to configure it on the micrograph, the show when we configure IP second mitotic router with auditory that we have on our background, then it's going to be very easy for us to configure it. 2. 1 What is VPN Intro: Hi there. Did it? Smart had in the first part off this course I have to start talking about the critical part off piece by piece. Check is a very complex tunneling protocol that is available. It is an upper standard. That means you can find I recycle my critic. You can find it on Cisco Raptors. You can find it on what? We're out there. You can find it on many, many branch that are available on the market. But to ableto configure I per sec correctly, you have to understand that first. 
Okay, so I'm going to go through this scores to make peace a collective positive, every video and every lecture. It's like part of the puzzle. So at the end, we put all the piles together, and then we have a clear picture on when we have a clear picture. Then we can apply what we have studied on the critical part and make it on the love and then you receive while you understand, I protect our torch directly. Then toe apply that on the lab. It's gonna be very easy. And then you will understand what we have learned on the critical part. So they are coming. Lecture. I'm gonna start speaking about what is repaired and why VPN is important. I percent is a darling particle. That means it's a virtual private network. You may a virtual private network between two networks. On that, you can send your data from one side on the other side in a very confidential way on To be able to understand, I basically have to first understand what is repaired. So why it is important to have you can and what are the characteristics that are available on VPN. And then we would get in their depths on the I P sec critical. And then we can start there. They can it part by part to understand it, to be able to configure it later on the Michael Carter. So this one I'm going to do in the upcoming election, I'm going to start with expanding what is VPN and why it is important to use repent and why we should use the pen in place off other than type or for wind connection. And I will show what are the advantages that are available on VPN, and after that we will start extending more about. So this is what I'm going to do with the upcoming lecture. If you already let's go and start 3. 2 What is VPN Explanation: I then did the smart had that here again. In this first lecture, I'm going to speak about the VP and its chef. So what is do virtual private network and you can see here we have additional scenario. We have one rather here on having the server and another rather here having a DPC over here . 
And we have Internet between. So let's imagine that this side here is a headquarter office. So a company which has a headquarters office in a location and it has also another office, which is branch office, is in another location, so there are geographically far from each other. So that is the branch office. Okay. Now, both off the officers, they are connected to the internet. And nowadays we know that the Internet is needed for every company to be able to do their words. They have to send emails after the video conference. They have to do many things using the Internet. All right, so the whole idea is that we want that this B C over here is able to reach toe this server over here, which is in the headquarter office. So that is the whole idea. We need to send the data to be secure in order to be sent from the PC. Togo fear the Internet and to go to the server. When we say via Internet, the Internet is a public network. That means inside the Internet you can have a lot of people, and also you can have the intruders or the packers or the crackers, whatever you like to call them. That means that if we shan't our data via the Internet without being in a secure way, then it can be intercepted and they can see the data that we are sending. So think off something like a credit card, the transaction. So they will be able to see what is D credit card number, and they can use it maybe in the future. So that's something we need to avoid. So in this case, what we can do as both of the officers are connected to the Internet, we can use something we call the tunneling. So the tunneling is nothing more that I create a tunnel between those two routers and I will send the data vice versa. So from from the Russia office to the headquarter and from headquarter to the branch office , but I would send them in a secure way. So you have to think like we make a tunnel inside the Internet. And this time I will encrypt the data. Toby very secure. 
And I was sent all my data via that so we can use the Internet in order to be able to send the data from the branch office to the headquarter and vice versa. Onda as we are already connected to the Internet, that means we don't pay anything extra so we can just create the repent connectivity. And then we can send the data encrypted inside this tunnel. So that is the main idea off the Libya. So what are the characteristics off the VP? First, it's a cheap connection. So as we are already connected to the Internet than that, it's just cheap connection. Otherwise, in the older days, people were still used a lot of companies to do that. So they get something. We call it a least line. That means we have ah headquarter here. We have a branch office over here, Onda and they speak to their IAS peace and they said we need toe have at least line That means a line between our brush office and our headquarter office. We want to have a lease line for us and this line. It's not going via the Internet, just like you have to think. If, like, a connection or a cable from one office to another office, then they can send the data from one side to another, and it is dedicated for them that no one, it will be ableto use it. Okay, so that's ah, possible. But that's not the cheap solution like on when we speak now on the VPN because that's a very, very, very expensive so well, cos they have to pay a lot of money every month in order to ableto have this solution. OK, so that's one off. The thing that repent is a cheap connection do is always available as long as Internet is available. So as VPN is gonna be used on the Internet and again, as I said, all companies at this time they have Internet connection, so they need the Internet to be able to do their work. So as we have Internet, then in this case we can use the VP ends. Okay, so you may have somewhat in here. 
For example, he's working from home so that this house here on he has Internet service connected Internet and he's working from home. So from his specie he can do VPN to be able to reach toe the headquarter a router here and to be able tow reached with server Alright, So as he has Internet, he can make the VPN tunneling and then he is ableto reach toe the server which is at the headquarter to be able to do his work. All right, so that means that as long as you have Internet, you can still use VPN and now someone can say But if we don't have Internet, then you don't have VPN. But normally you have Internet everywhere. Even in the in the roller places, people need tohave internet to be ableto do that work. So Internet nowadays is available everywhere. So when you have internet, you can use repair. The third bond is that the weapon is very secure using encryption algorithm and this scores I'm gonna stop to you about what are the encryption algorithm that we're going to use or we can see in the I P sec. But just to say that when you formed this tunnel inside the Internet. So this week, Pantanal then you send your data encrypted and there are a lot of Al Gore ism that makes encryption for your data, and we're going to see them during this course and some off the aggressive, they can be cracked. That's something we don't have to use. But most off the other algorithm are very, very, very strong, and they cannot be cracked. So that means if you have any true, they're sitting here on the Internet. Then if we capture our traffic that he will not understand anything because the data is encrypted, then he will not see what you are sending as data toe the other side. Okay, so that third characteristic, which is that the encryption that we're using the algorithm encryption in the VPN is very secure and would allow your data Tobie sent from one site on other side without being worried that it will not arrive to the other side. 
And now the last point is that we can have many connections. So let me just clear and riveted the picture so we can add more draw so that means in this case that and he would have the branch office and we have the headquarter office, as we have said. But if we want to have another office, so another branch office, so that is here. We connected to the Internet and there is a for example, the network here on did send off us. So that's also another branch office that want to connect to the headquarter. Okay, then with the repair and it's possible that you can, this office allowed him to connect to the deep end. You can just make the configuration needed, and then they will be able to connect toe the pen, which is on the headquarter, to be able to reach toe this server. And that's what this means is that you can have many connections. You can have, for example, a remote user sitting at his home and he want to connect toe the headquarters server. And then, in this case, he can also from his busy make VP and to reach to that server Now, in the old days again, if you have, for example, like we were talking here on the lease line, then if you have another office then the judiciary have quarter, which had at the distant branch office. And if here we have another branch office, so in this case also, he needs to make another list line. Then again, you have to pay for another dedicated line, and then he has toe wait for the insulation toe happen because it doesn't happen very easy , and it takes too much of timeto have this working. And also I have to say something more here that even if you are paying for the least line, so you pay one for the least line. But then, in this case, do you have to pay for the Internet because you still need to Internet for the users to do that work, you still need to be letting the customer or the users of the clients connected to the Internet. And in this case, you are paying for two services, which is the least line very expensive. 
And the Internet. Why here? You are already connected to the Internet. You don't pay for the baby and you just configure it on your routers and then that's it. That's how it watch. OK, so these are the four good characteristics to explain what is difficult. So again the Venice to create a Tom who between the two officers and this tunnel would be sending the data in using the encryption toe, not allow the data to be seen when it sent to the Internet. And also we have seen what are the characteristics off the deep end that we have Just discuss it before characteristics. So that is what I wanted to explain in the first lecture. Just a brief idea off what the VPN is because I pay check this part off the VP. And so we have to understand what is depend to be able to later understand what this I p shake and how to configure it on the micro. Take collateral us. So that is what I wanted to show in the first lecture. I hope that he enjoyed it and I will see you in the upcoming election. 4. 3 What is IPSEC Intro: Hi there. I didn't smile at that here again after we have learned about the victor and the characteristics or Phoebe. And it's time now to start speaking about IBIs, IBIs check ISS, the Internet protocol security and it is one off determining protocol that we use nowadays . You know that to make tunneling between to size for between the remote access user and a side. So we have in the market many talented protocols such as P PTP, alto TPS, STP, open VPN and money mortem protocols. But I protect is one off the best, and it's one of the most used funny protocol when it comes to began. I P sec is a very complicated and complex protocol that needs to be studied part by part in order to understand how the SEC think and work to be able to configure it correctly on our mike, the Carters in the upcoming election. I'm going to start speaking about what is I be sack. 
So we have to understand what is the real function off the I P sac and then I'm gonna start explain to you what are the features off beside, such as the confidentiality, the integrity the are complication on the interior play. So I'm gonna speak about all those Explain them, and this will be the first part off i p sex. And as I said in the previous lectures that I p sec is gonna be like apostles, that we have to put them all together. You know that you have the whole picture off. I per second understand it. Well, then we will be able to apply on the my click falters, doing the configuration. So in the upcoming lecture, I'm going to start thinking about the SEC and the features off the I P. Sec. Let's go now directly and start with the lecture. 5. 4 What is IPSEC Explanation: Neither did this man have that here again. Now we have to start speaking about the I p sac and what is exactly I beside so just as an idea, I p sec is a totally protocol to be able to do a VP and connectivity full stop. Okay, so now we know what is the VPN. So I protect is one off the tally protocol that we can use to be able to do VPN That's one point. The seven point that is very important to understand is that I p sec is a protocol suite. So what does it mean, A protocol street? So we know that we have the desipio i p correct this C p i p is also called a protocol street. So what does it mean? That means that the protocol or the framework which is TCP I p has inside of it many other sub protocols. For example, on despite the you can use UDP, you can Eustis ipi that's on the transport layer you will use. I be when you want to do the network layer and then you can also you have to use here the layer two Mac address When you are working about the layer to you have to physical physical . You have the applications, you have the post off the application you can use 4 21 for FTP, about 53 for the N s and so forth. So that's the protocol suite, as you can see. 
But the problem off the desipio e i p as particle street is dead. It's not encrypted because when you want the scent traffic from one side to another, you have to use the I p traffic. You have to use this API. I pee in this case but disappear. I be by itself it's not a security protocol is not a secure but course. Sweet. So that's why they have created I Pitak to be a also protocol suite. But that's ah to be able to protect the data which is sent from one side or another. So that's why I say here I per second protocol street to protect the I p traffic. So it has a function to protect the I P traffic. Now what does it mean? That I possess is a protocol street? Let me clear here and then let me explain it. So what it means that I p sec is a protocol street. That means that also on the eyepiece I So we have this framework which is called EPC, which is made to protect the data or the I P traffic from to be sent from one site to another. Inside of it, you have also different. Normally, we'll see that in the upcoming lecture that you have different bosses. Okay, so those are one for the encryption. One for authentication, one for the integrity, one for the negotiation off the protocol. So we're going toe see that all All together. And that's means that I think is a practical sweet. That means, in case in the future, say, on the encryption they use now the study as a estos type of encryption. If there is a new encryption algorithm that this coming, you can add it on I p sac and then you can also use it. So that means that I pay check. It is not really a critical which can end up like, for example, I p version four on the despite be, you have the full botch that they can give I p addresses and when they are full. The I P version four cannot be used anymore while I Pee Shack is not the case. You can always add more features and mawr boxes that say on the eyepiece act that can be used in the future. So there's something I'm gonna dig on it on the upcoming lecture. 
But just for now to know and to understand that I p sec is a protocol suite or we also call it a framework. And this function is to protect the I P data to be sent from one side to another side. And of course, in this case, we can form the VPN connection. Now, if you want to go more to the I p sac feature so what are the features that are available on our website? One is the confidentiality. So when you use I p sec, then you have confidentiality. What does me confidentiality that in i b sec, you use encryption in order to increase the data, so only the sender and the receiver can read the data. If we have this case here, that is a headquarter, and it is here, a branch office and we have telling between each other, so the data which is sent from this computer toe, reach to the server and vice versa. It is encrypted. That means it go via the this tunnel encrypted. And in case anyone who is sitting here as an intruder and he can catch the the packet that I'm sending and you want to understand it and read it, he cannot because it is encrypted and the only person who can received and read it as this one here, this one, we will be able to read it because he's using the same encryption that the center is using . So that is one off the future that is available on I protect the confidentiality. What number do, which is important. And I p sec also as a feature is that in case you use, I protect, you have what we call it Integrity and integrity means that no one can change the packet that we are sending okay by using what we call the hashing algorithm. And that's also something I'm gonna explain it more in detail in the upcoming lectures when we use harshing organisms such as Shahwan or, for example, MD five, than in this case, no one can change the bucket that is sent from one site to another. 
So if we say that it's a bucket and then in what we can do, we can apply on this packet hashing So this hashing will be having this form, and then this will be sent together with this packet. Then when it comes to here, toe the rather over here, this start also will apply on the same data and the same hashing argued in that he's using . And if the hash which is received is equal to the hash that this router is doing than if they are the same than this router, he knows that the data has not been changed. And then he knows that he has received the exact that that that what the center has sent to him. So that's the second point, which is important, which is the integrity in the I. P. Sec. The third point that I want to speak about it in the features off I P sect is the authentication. When you are using I P site to make repair in the connection, what will happen is that the sender and the receiver authenticates each other. So in this case, this author over here, off the headquarter and this water over here, off the branch office, they authenticate each other. Authenticate means that they know exactly that. This is the rather that is from the other end off my VP and is doubted that I need to make the plan connectivity with him on also routed to knows that the other outer from the other and which is out the one is the water that I need to do VP and connectivity with him. So they authenticate each other and we're gonna see also, what are the types off complication that we can use Then they know that the other ant is really the one which I need to make repent connectivity with them using eyepiece A and they can start sending data to each other. And the last point that I want to speak about it is on the high protector features is the anti reply. 
So at the rate is very important and definition is giving over here, even if a packet is encrypted and authenticated, that means if it is having the confidentiality, it is encrypted and it is authenticated even though that it's encrypted and it's also authenticated on attacker because we're sending this through the Internet so they may be an attacker. So an attacker could try to capture these packets and send them again so he can capture this traffic and send them again. Then what the i percent do? He used what we call it the sequence number. So you sequence number than I be SEC will not transmit any duplicate Pakistan. He will not rush meant any complicated pocket toe the receiver. And that's also a very important feature, which is an I P sec, which is anti replay with those four features we know and we see now that I P sect is somehow different from the other tonic protocol. It has a lot of good features in order that we know that in case we use I P Shack, we are securing very well our data to be sent from one side toe another. So that is the first part that I started speaking about. I protect again. I p sec is a protocol tweet. It's a framework and it is off course open standard. That means you can use I P sec in different routers and different firewalls such as Cisco, such a Zawawi such as Michael Take and many other branch. And then it has a lot of features. The main four features that are available on the I P. Sex, confidentiality, integrity, authentication and play. And I have explained to you each off these features. So that is what I wanted to explain to the first part off I p sec again. As I told you before, I'm gonna go through theory off i p sec to make them piece by piece, and then we put them all together and we understand the whole picture off. So this is what I wanted to show you in this lecture. I hope it was informative for you and I will see you in the upcoming election. 6. 5 IPSEC Protocol suite explained: Hi, Dad. 
This man had that here again in this lecture. I'm going to speak about the framework off the I. P. Sex. So what are the protocols that are available in I protect that we can use based on the features that we have already learned. So as you can see here, this is the I P. Sec from or we have the IBIs check protocol negotiation. You have the confidentiality, integrity, authentication and difficult. So those are the features that I have already explained in the previous lectures or what? Each of the features that means that I protect. As you can see, it has a variety off protocols that there to be able to implement the feature that we have already learned. For example, while you want to configure, I protect you. Say OK, What? I dissect protocol negotiation am I going to use Am I going to use a edge or I'm going to use the SB so off course, I'm gonna speak later about each of the one. What the edge and what is he S B. So there's something I'm gonna spend about them later. But just as an idea here just to show you that how it is being a framework The i P sec. So here you decide if I want a edge or a want E s p If you want the SP, that means you want to use the encryption. Then here you go to confidentiality. You say which encryption I want to use. I want to use DS three DS or a as Maybe I would choose a s. Okay, then you will go to the integrity you say Okay, I'm gonna use the SB. I'm gonna use a eso for the integrity. Am I going to use the hashing as empty five or shop than you? In this case, you, for example, choose to use shop and then for the authentication, which I'm gonna use here, I'm gonna use DPS Kors a So, for example, used appreciate it key the ps k. And then and then and you say, for the deaf in Helmand on what I'm going to use which level, if you have 1 to 5 or more than maybe you say I want to choose the travel number five. So as you can see here, the I P sec protocols is not just like one protocol. 
It has a lot of sub-protocols under it, where you can choose which of each of the features you want to use. So if you want to think of it: if, for example, the protocol PPP, Point-to-Point Protocol, has as authentication algorithms only PAP and CHAP, OK, so you can use one of the two, and that's it. That's what PPP has. That's why PPP, at the end, is going to be outdated, because those two protocols later may be old and people will not use PAP and CHAP for authentication, while on IPsec you can, for example, as being a protocol that lasts forever: for the confidentiality maybe there is a new algorithm coming later, and then there is a box here, and they say, OK, this new encryption algorithm is going to be named, for example, ABC, which is stronger than AES, 3DES and DES; then people in the future, when they want to use IPsec, they can say, well, I'm not going to use AES anymore, I want to use the ABC encryption. It may happen that, for example, on the integrity there is a new algorithm also for hashing; then there is this box which would be added here, and this is, for example, a hashing name, we can name it, for example, DEF, and that's for hashing, so people will not use SHA anymore; they say, well, let's take DEF, it is stronger. So as you can see, IPsec is a framework; that means it has a lot of sub-protocols under it, and there is the ability that in IPsec you can add more in the future: encryption algorithms or integrity or authentication or Diffie-Hellman. So as you can see, it's not really a static protocol, but much more can be adjusted in the future. So this is very important, and remember this slide, because when you want to configure IPsec on the MikroTik router, we're going to check that. OK, on the IPsec protocol, what are we going to use? Are we going to use AH or ESP? And on the confidentiality,
what are we going to use for the encryption? Then we have to choose one of the encryptions that are available on the MikroTik router. On the integrity, am I going to use MD5 or SHA? So that's something we have to choose when we want to make the configuration, and so on. So it's very important that we remember that we have to choose the sub-protocols to implement the features that I have already explained in the previous slide. So that is what I wanted to explain in this lecture. It's more about the IPsec framework, so what are the sub-protocols that are available on IPsec. And based on that, now we know the features, we know the framework of IPsec, and now we have to also dig more and more into IPsec to understand how IPsec works. After that, once we have finished all the theoretical part, we will be able to make the configuration on the MikroTik router. So that is what I wanted to show you in this lecture. I hope it was informative for you, and I will see you in the upcoming lecture.

7. 6 IPSEC modes of communication Transport vs Tunnel mode: Hi, this is Maher Haddad here again. In this lecture I'm going to speak about the modes of communication that are available on IPsec. So we have two modes of communication: the first one is the transport mode and the second one is the tunnel mode. So I'm going to discuss the difference between those two modes, because when we want to configure IPsec on the MikroTik router, we have to choose which of the modes we want to use. The first mode that we're going to speak about is the transport mode. So the transport mode is as follows: you have the data that in this case you want to send within the IPsec tunnel. Then it will add an ESP header over here. So what will happen here is that everything which is from the transport layer and above would be encrypted. So we know we have the OSI layers, and on the OSI layers
we have seven layers: application, presentation, session, transport, network, data link and physical. OK, so when you use the transport mode on IPsec, everything from the transport layer and above will be encrypted. OK, that means that layer 3, which is the network layer, and layer 2, which is the data link, and the physical will be left unencrypted. So here, what will happen is that if someone is using the transport mode, then if someone is intercepting your traffic, he will be able to see what IP you are using, for example here, but he's not able to see the TCP, sure, or the UDP; he's not able to see all the data that you are sending, because those are encrypted. So as you can see here on the transport mode, what will happen is that you have the ESP, so everything from here to here, so let me take another color, this will be encrypted. So the data and the ESP here would be encrypted; the IP and the layer 2, and of course the physical, which is here, is left unencrypted. Now someone can say, but yeah, where should we use this one? The transport mode is mainly used when you want to have IPsec inside your LAN. OK, so inside the LAN you can use the transport mode. So that means that if you have here someone who is an employee working for you, but he just has the skills to know how to intercept packets, and he would like to make, for example, an attack on your network, because you may have a lot of cases, and we have seen in a lot of studies that most of the cyber attacks come from inside your networks. So making a VPN IPsec tunnel inside your network is a good idea, using the transport mode. But what he can do here: he can intercept the traffic if you are using IPsec, but the only thing that he can see is the IP, and the fact is it's not important to see the IP, because he's already connected inside your network
and you know already what the IP is, but he will not be able to see here the data, which is the most important part when we want to send traffic from one side; everything here will be encrypted. So again, the transport mode is making encryption for the transport layer and above, so from layer 4 to layer 7. So everything there will be encrypted, and the IP and layer 2 and the physical would be left unencrypted, and it is used inside your LAN. The second IPsec communication mode that is available is the tunnel mode, and that's what we always use, or let's say what we mostly use. OK, and in this case, what will happen is that if you want to send the data from one side to another, so here we have two points and we're sending the traffic over a public network, in this case the Internet, and here it is very important that you use the tunnel mode. So the difference between the tunnel mode and the transport mode is that, if we go back here to the layers that we have, 1, 2, 3, 4, 5, 6, 7, the encryption will start from layer 3, so from the network layer. OK, so everything from the network layer, which means the IP and above, would be encrypted. OK, everything will be encrypted here, and the only thing which is left unencrypted is layer 2 and layer 1. All right, but on the tunnel mode, what will happen is that a new IP header would be added. So let me explain to you what will happen here. So we see here that the IP and the data, so from layer 3 to layer 7, everything would be encrypted, and this ESP header here which is added, so everything here is encrypted. OK, now what would happen here is that if you want, for example, to send the data on the tunnel, so we have here the tunnel, then it has to have an IP,
because when the packet arrives at the ISP here and it doesn't have an IP, then that ISP will say, well, this packet is coming without an IP header, so how can I use it to send it somewhere else? So he will discard it. So what would happen in this case is that on the tunnel mode a new IP header would be added. As you can see, this IP header, the one which is inside, so the LAN IP header which is on this interface, this will be encrypted. What will be added here is the IP header which is the public one. Let me just clear here a little bit so you can see more clearly what I'm trying to explain. So here we go again. Here is the IP for the internal, which is on this interface on the router. OK, so that means this LAN, inside the LAN, so all the inside LAN would be encrypted, as we said here. So this will be encrypted, and then, on the tunnel mode, it will add a new IP header. And this IP header is the public IP, which is on this interface, which is connected to the Internet, because again, when the packet has to arrive at the Internet service provider, which is of course a router here, it needs to say who I am as an IP and where I am going. So there should be an IP header over here. So that means that if there is any intruder sitting on the Internet and he captured this traffic, then he will only see the public IP and the layer 2, which is OK, you can see them, and the rest will be encrypted. So it's no problem to know what the public IP is, because that's public anyway; it's a public IP. And the other part of the packet will be encrypted, such as the IP of the inside network, the transport layer, the session, the presentation and the application, where the ports are, this is the port, so there, the TCP, the application and every important piece of data is in that part. OK, so then in this case, when you want to have a site-to-site VPN,
we always have to use the tunnel mode. And again, most of the time, when we use the VPN IPsec, we use it site-to-site. You can use it on the internal LAN; that's also possible. In this case we use the transport mode, and you have something like a VPN network inside your network. But most of the time the VPN is being used when we want to send data over a public network and when we want to use it over the Internet. So in brief, the difference between the transport mode and the tunnel mode: both are communication modes in IPsec. One will encrypt from layer 4 and above, and the second one will encrypt from layer 3 and above, and it will add an IP header, which is the public IP address, to be able to send the data from one side to another over the public Internet service, while the transport mode is used normally inside the network. So that is what I wanted to explain to you in this lecture. I hope that it was informative for you and I will see you in the upcoming lecture.

8. 7 Types of Encryption Symmetric vs Asymmetric: Hi, this is Maher Haddad here again. In this section, I'm going to explain the types of encryption. So what is encryption exactly? Encryption means that if you have, for example, in this case two routers, and you want to send data from this router, you want to send it to this router, and you want the data to arrive in a very secure way, so what you can do, you can apply some encryption to the data. That means you will scramble the data to look like something different than how it is, so that when you send it via the Internet, because we want to do the IPsec via the Internet, if someone catches the data, he doesn't understand it because it's scrambled. But when it is received by the router on the other side, then it will understand it because it has the same encryption methods.
So the encryption is nothing more than a mathematical algorithm which is understood by both of the routers, so that when the data arrives from one side to another, the router is able to understand the data and decrypt it when it arrives at the other side. So encryption falls into, if we go back to the framework here, it falls into the confidentiality. So confidentiality means that you send the data from one side and it is received exactly the same at the other side. So we use encryption to do that. And I have explained to you in the previous lecture that you have different types of encryption, such as DES, 3DES, AES and much more than that. OK, on MikroTik you also have more than those three protocols. So that's what encryption is. Now we have two types of encryption: we have what we call the symmetric encryption, and we have the asymmetric. The difference between them is something I'm going to explain in this lecture. First, the symmetric. Symmetric means that each router uses the same key to encrypt and decrypt the data, which we call the shared secret key. OK, so what does it mean here, what is a key? A key is nothing more, again, than a mathematical algorithm. So the data which needs to be sent from this router via the Internet over the IPsec to the other router will be encrypted using this key, so it will be scrambled using this key. So this key on this router is the same as this key which is on this router, so both of the routers have the same key. That means in the symmetric the data would be encrypted with this key, and then when it goes to the other router, and this router has the same key, then it will be able to decrypt it, OK, and then it will be able to read the data. So symmetric means that both of the routers are using the same key. Now there are advantages and disadvantages of using the same key, but I'm going to speak about that in a moment. For now, that is what symmetric means.
So each router has the same key to encrypt and decrypt the data. And asymmetric means that a router uses one key to encrypt and another key to decrypt. So that's what we call the public and private key. You can see here the router has one key to encrypt and one key to decrypt. Same here: it has one key to encrypt and one key to decrypt, so it's not one key which is used; there are two different keys in this case. Now, how this happens is something I'm going to explain in the upcoming lecture, when we speak about how the keys are shared between the two peers using the public and private keys, or what we also call Diffie-Hellman. So that's something I'm going to speak about in the upcoming lecture. But just for now, understand that when you use asymmetric, you have two keys on each router, one key to encrypt and one key to decrypt, and also on the other side as well. Now the good difference between both of them is that this one here is faster, because you are using one key. Of course, when it wants to encrypt, it will use some resources from our CPU and memory, and to decrypt as well, but because you are using the same key it's much faster, while the asymmetric is slower; it is slower, and it's much slower as well. So that's why on IPsec you will see that we will use a combination of both, and at the end it's going to use more the symmetric, and in the upcoming lecture I'm going to explain how this happens. So here it is slower because it takes a lot of resources from your CPU. OK, now here on the symmetric key, it is less secure because you are using the same key. Then in this case it is less secure: if someone has the same key that you have, he can decrypt your data, while here it is more secure because you are using two different types of keys, one public and one private. So it is more secure.
OK, now in IPsec they use both, again, in order first to use the asymmetric to let the other router have the symmetric key, and then every communication will use the symmetric key. I know that you may look at me now and say, what is he saying now? It's not very clear, I understand. But in the upcoming lecture, directly after this one, I'm going to explain it in detail so you can understand it. Just for now, what I want you to understand is that you have two types of encryption: you have the symmetric and you have the asymmetric. The symmetric uses the same key to encrypt and decrypt the data; the asymmetric uses two keys on each of the routers, one for the encryption, to make the encryption, and one for the decryption, and the same on the other side. So that is what I wanted to explain in this lecture. It's again about the confidentiality, which is a part of IPsec that you have to know about. And then in the upcoming lecture I'm going to explain also more things that are in the IPsec framework, so you understand it, to be able again to make the lab correctly without any problem. So this is what I wanted to show in this section. I hope it was informative for you, and I will see you in the upcoming lecture.

9. 8 Security over the internet using IPSEC: Hi, this is Maher Haddad here again. After we have learned about the symmetric and the asymmetric encryption, it's time now to explain where we have to use the symmetric and the asymmetric in IPsec. So we take this example. Now imagine that we have those two routers that want to connect an IPsec VPN tunnel to each other. OK, let's say that Router 1 is the one which needs to start sending the traffic for the VPN communication. Then it will issue a shared secret key. So that means here we are talking about the symmetric key. OK, so it's just a shared key.
Now, if we want that to be sent over the Internet, then in this case what will happen is that this key from Router 1 is going to be sent to the Internet and it's going to be sent to Router 2; then Router 2 will have the same shared secret key as we have on Router 1. And then in this case what will happen is that both routers have the same shared secret key. So in case we encrypt the data using the shared secret key of Router 1, and Router 2 has the same key, then it can decrypt it, and vice versa. But this is a big problem that we have here, because if we go back here, and the key is being generated from Router 1, then this shared secret key is sent as clear text over the Internet to reach Router 2. So when it goes to the Internet and it's clear text, if we have an intruder on the Internet, he will capture the secret key, which is a mathematical algorithm, so he has it, and then any communication that will happen from Router 1 to Router 2 or vice versa, he can decrypt it and read what's happening. So in this case we have a big issue, because if we use the shared secret key only on IPsec, then it is a big problem for us. That's why we have to find a second solution, which is to use the asymmetric key with a shared key, that means the symmetric and the asymmetric together, because if we use only the asymmetric, then it is good for security, but the VPN connection becomes very slow for us. So again, that is not the solution, to use only the shared secret key when using IPsec. So we have to use it in combination with the asymmetric. This I'm going to explain to you in a moment, how to do that. So that is the right example of what happens on IPsec. So we said that we have the shared secret key, and it's very important that this shared secret key, we want Router 2 to also get it, but we want it to get it in a very secure way.
That means that in case there is an intruder on the Internet, and the shared secret key which is from Router 1 is passing through the Internet to reach Router 2, in case he catches it, then nothing will happen because it's going to be encrypted. And here what we need to do is to use what we call the asymmetric key, which is Diffie-Hellman. So you can see the DH; that's something you see a lot on the MikroTik router when you want to configure IPsec. So the DH is Diffie-Hellman; that's a type of asymmetric keys. That means it has a public and a private key. OK, so what would happen here is the following: Router 1 issues the public and the private keys, which are Diffie-Hellman, and Router 2 also. So let's imagine that the shared secret is also generated on Router 1, and Router 1 is the one which is going to start the VPN communication with Router 2. So the first thing that Router 1 will do is take its Diffie-Hellman public key; so we take its public key, which is public, clear text, no problem, OK, and then it will send it from its router to the Internet and it will arrive at Router 2. So Router 2 receives the Diffie-Hellman public key of Router 1, and then Router 2 will send its Diffie-Hellman public key; so it sends its public key over the Internet to Router 1, and then Router 1 has the Diffie-Hellman public key of Router 2. So they shared with each other the public keys. And remember, we said when we were talking about the asymmetric that the data which is encrypted with the public key would be decrypted with the private key, and vice versa: anything which is encrypted with the private key is decrypted with the public key. So now what do we have? Now we have the Diffie-Hellman of Router 1, its public key, already on Router 2, and the Diffie-Hellman of Router 2, the public key,
is already on Router 1. The private keys on Router 1 and on Router 2 are still there on the routers, because they are private; the router will keep its private key to itself. So what would happen here is the following: Router 1 will take its shared secret key, because it wants to send this shared secret key to the other side, to Router 2. So it takes its shared secret key, and this shared secret key would be encrypted with the Diffie-Hellman public key of Router 2. Again, the shared secret key of Router 1 will be encrypted with the Diffie-Hellman public key of Router 2. OK, so in this case, what will happen is that the shared secret key is now encrypted. And who can decrypt this shared secret key? The one which has the Diffie-Hellman private key, which is on Router 2. OK, so now what would happen is that the secret key which is encrypted with the Diffie-Hellman public key of Router 2 will go from here, from Router 1, to the Internet, to Router 2. It comes here to Router 2. Now Router 2 has the Diffie-Hellman private key; then with this key, it will decrypt it. And then what we will have now is that Router 2 has the shared secret key, and of course Router 1 also has the shared secret key because it already generated it, so both of them have the shared secret keys. Then in this case, any traffic that needs to be sent from one router to another is encrypted with the shared secret key, and it's sent from one router to another. So that's how IPsec works. That's what I said at the beginning, that we have to use the symmetric and the asymmetric together, in order to let IPsec work in a way that we send the secret key in a secure way to the other side, and then everything later will be using the shared secret. Now there are a lot of questions that students may ask here. The first question is: OK,
we understand the idea that the routers share with each other the Diffie-Hellman public keys, and then the router which is generating the VPN encrypts the shared secret key with the Diffie-Hellman public key, and then it is sent to the other side, and then the other side would decrypt it. Then both routers have the shared secret key, so we understand the idea. But when the shared secret key is encrypted and it's sent to the Internet, it's encrypted using the Diffie-Hellman public key. So when it goes to the Internet, then if there is an intruder, because at the beginning, when they shared the Diffie-Hellman public keys, the intruder may have captured the Diffie-Hellman public key, then the key which is sent to the Internet, which is encrypted with the Diffie-Hellman public key, when it reaches the Internet, can't he decrypt it, as he has the public key, so he can decrypt it? Then the answer is no. He will not be able to decrypt it, because the only one who can decrypt the shared secret key which is encrypted by the Diffie-Hellman public key is the one who has the Diffie-Hellman private key, and in this case the only one who has the private key is this router. This router has the Diffie-Hellman private key, and that's the only one who can decrypt the shared key. OK, so that's one question that a lot of students ask about. So that is the answer: the intruder may have the Diffie-Hellman public key, he captured it because it's clear text anyway, but he will not be able to decrypt the key because he needs to have the private key. So that's the same part of the asymmetric: if he has the public key but doesn't have the private key, then he will not be able to decrypt it. The second question that students also ask about: they say, OK, let's put aside the shared secret key, we don't want shared secret
keys, let's just put this aside and let's say that Router 1 has the Diffie-Hellman public and the Diffie-Hellman private, and Router 2 has the Diffie-Hellman public and the Diffie-Hellman private. So they have the keys. Why don't we use the asymmetric in a way to be able to encrypt the data? OK, so you understand what I mean: that means that they share the Diffie-Hellman public keys, and then everyone will be encrypting the data sent to the other side with the Diffie-Hellman public key, and the other side would decrypt it with the Diffie-Hellman private. For example, let's say Router 1 and Router 2 share the Diffie-Hellman public keys, this one for Router 2 and this one for Router 1, and then any data which needs to be sent is encrypted with the Diffie-Hellman public key, and the data is sent to here, and then here it's being decrypted. So why can't we use this without talking about the shared secret key? Why should we use the shared secret key if we can use only the asymmetric keys? So the answer is: it is possible, but, and here I can say two lines under the "but", when you use the asymmetric algorithm, this is very, very heavy on your CPU and your memory. That means that the VPN will not work, because it is really 100 to 1000 times heavier than if you use the shared secret keys. So normally the Diffie-Hellman, the asymmetric keys, are used to be able to let the shared secret key go from one router to another, and then everything else will be encrypted by the shared secret key. And even this work, to have the shared secret key going from one router to another, is heavy on the router. So how come, in case you want to encrypt every packet and all data by using the asymmetric keys, that would be too intense on the CPU of your router, and I can say the VPN will not work. So that's why we have to use the combination of both.
We use the asymmetric key to be able to send the shared secret key from one side to another, and then all the data would later be using the shared secret key. So this is also another question that comes up. Now, the third question that students also ask about: if you put back the shared secret keys here on each of the routers, so let's say that they shared, they sent to each other the shared secret keys, and everything is OK, and we have an intruder over here on the Internet. OK, so this intruder received the public keys from Diffie-Hellman, and then he also gets a copy of the encrypted shared secret keys when they were sent from one router to another. OK, so then let's say that this intruder has millions of computers and they're going to run for 400 years in order to be able to crack the encryption that Diffie-Hellman has made on the shared secret keys, and somehow he has the shared secret keys. Let's imagine that he could get the shared secret key. Just to put here in two parentheses: till now it's not possible to crack the shared secret key when we are using it with Diffie-Hellman; you need really like a million years to be able to crack it. But let's imagine that this is possible. OK, so then in this case the intruder has the shared secret key, and any data which is going to and coming from the VPN, he will be able to see it. So do we have a solution here? And here I can say yes, there is a solution, because the shared secret key has some limitation on the time, and it has some limitation on the kilobytes that you send. For example, when the VPN is disconnected, just when the VPN is finishing, disconnected, the shared secret key is gone, and then when it's connected again, it will issue a new shared secret key. So that means the intruder, if he has the old shared secret key, will not be able to see the traffic, because there is a new shared secret key which has been generated.
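As an added example, not part of the course or its lab, here is a toy Python model of the exchange discussed in this lecture: the two routers agree on a symmetric session key through Diffie-Hellman, the pre-shared key is mixed into that key so a peer with the wrong PSK ends up with a different one, an intruder holding only the public values seen on the Internet does not obtain the key, and a rekey (as after the lifetime expires) produces a fresh key. The session key is derived from the Diffie-Hellman result and the PSK, the way IKE derives its keying material, so it never travels over the wire; the modulus, generator and PSK are constructed values, not an IKE group.

```python
"""Toy model of IPsec peers combining Diffie-Hellman with a pre-shared key.

Added example, not part of the course.  Parameters are constructed toy values.
"""
import hashlib
import hmac
import secrets

# Toy DH group (constructed for readability): a Mersenne prime modulus and a
# small generator.  Real IKE uses RFC 3526 MODP groups (group 14 and up) or
# elliptic-curve groups; the arithmetic is the same, the numbers are bigger.
P = 2**127 - 1
G = 3

# The pre-shared key both administrators typed into their routers (constructed).
PSK = b"example-psk-not-for-production"


class Router:
    """One IPsec gateway taking part in the key exchange."""

    def __init__(self, name, psk):
        self.name = name
        self.psk = psk
        self.private = None      # DH private exponent, never sent
        self.public = None       # g^private mod p, sent in clear text
        self.session_key = None  # symmetric key used to protect the tunnel

    def new_dh_keypair(self):
        # A fresh private exponent per exchange; only the public value leaves the box.
        self.private = secrets.randbelow(P - 2) + 1
        self.public = pow(G, self.private, P)
        return self.public

    def derive_session_key(self, peer_public):
        # The DH result g^(xy) mod p: each side computes it from its own private
        # exponent and the other side's public value.
        shared = pow(peer_public, self.private, P)
        # Mix in the PSK, in the spirit of IKE's SKEYID: the session key then
        # depends on the DH secret (hidden from anyone who saw only the public
        # values) and on the PSK (a peer with the wrong PSK gets a different
        # key, which is how the pre-shared key authenticates the peers).
        self.session_key = hmac.new(
            self.psk, shared.to_bytes(16, "big"), hashlib.sha256
        ).digest()
        return self.session_key


def key_exchange(psk_r1, psk_r2):
    """Run one exchange between R1 and R2.

    Returns (key_r1, key_r2, on_the_wire); on_the_wire holds everything an
    intruder on the Internet could capture: the two public values only.
    """
    r1, r2 = Router("R1", psk_r1), Router("R2", psk_r2)
    pub1 = r1.new_dh_keypair()
    pub2 = r2.new_dh_keypair()
    on_the_wire = {"R1->R2": pub1, "R2->R1": pub2}
    key_r1 = r1.derive_session_key(pub2)
    key_r2 = r2.derive_session_key(pub1)
    return key_r1, key_r2, on_the_wire


def eavesdropper_attempt(on_the_wire, psk):
    """What an observer holding the PSK and both public values can compute.

    Without a private exponent the obvious combination of the public values
    (their product, g^(x+y)) is not g^(xy), so the derived key does not match
    the peers' key; recovering g^(xy) would mean solving a discrete logarithm.
    """
    pub1, pub2 = on_the_wire["R1->R2"], on_the_wire["R2->R1"]
    guess = (pub1 * pub2) % P
    return hmac.new(psk, guess.to_bytes(16, "big"), hashlib.sha256).digest()


def peers_agree(psk_r1, psk_r2):
    """True when both routers end up with the same session key."""
    key_r1, key_r2, _ = key_exchange(psk_r1, psk_r2)
    return key_r1 == key_r2


def rekey_changes_key(psk):
    """Two successive exchanges (e.g. after the lifetime expires) give different keys."""
    first, _, _ = key_exchange(psk, psk)
    second, _, _ = key_exchange(psk, psk)
    return first != second


def eavesdropper_fails(psk):
    """True when the observer's derived key differs from the peers' key."""
    key_r1, _, on_the_wire = key_exchange(psk, psk)
    return eavesdropper_attempt(on_the_wire, psk) != key_r1


if __name__ == "__main__":
    print("peers agree with same PSK:  ", peers_agree(PSK, PSK))
    print("peers agree with wrong PSK: ", peers_agree(PSK, b"wrong-psk"))
    print("rekey gives a fresh key:    ", rekey_changes_key(PSK))
    print("eavesdropper gets the key:  ", not eavesdropper_fails(PSK))
```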
That's one. In case the secret key is still available, it has a limitation on the time, and it has a limitation on the number of kilobytes. OK, at the time, I think it is something like 86,400 seconds. So every 86,400 seconds this shared secret key expires, and then another shared secret key would be coming up. And that's something you can put on the MikroTik. You can say that I want this to be 86,400 seconds, for example; you may change the time as you want, but also you can use it on kilobytes. You can say every, for example, 3000 kilobytes; I'm not sure if it's kilobytes or megabytes, but that's based on capacity. So every 300 or 3000 kilobytes we want the shared secret key to expire, and then another shared secret key will be issued. So in this case, in case the intruder has the right shared secret key, then in this case the shared secret key will be changed and then he will not be able to see the traffic anymore. So that is what I wanted to explain in this lecture. Again, as you can see, a lot of theory, but it's very, very important, because we are going to see the Diffie-Hellman, we are going to see the pre-shared key. So we have to understand what this is exactly, to be able to configure it correctly on the MikroTik router. OK, so again, as you can see, we are going to use both the symmetric and the asymmetric when you want to use IPsec VPN interconnectivity between two routers, in order first to send the shared secret key in a secure way to the other router, and then all the data will be encrypted using the shared secret. So that is what I wanted to show you in this lecture. I hope it was informative for you, and I'll see you in the upcoming lecture.

10. 9 Encyption Protocol (DES 3DES AES Blowfish Camellia RSA DH): Hi, this is Maher Haddad here again. After we have learned about the types of encryption that we can have, which are the symmetric and the asymmetric encryption,
it's time now to start speaking about what the protocols are that are used in the symmetric and in the asymmetric encryption. So as you can see, I have listed some of the protocols, and those protocols are also used on MikroTik. OK, so the first protocol type is the symmetric one; we're going to see what the algorithms and the protocols are that are used in the symmetric. Remember, before we start speaking about those protocols: symmetric is the one which uses the same secret key. OK, so we have seen that when we were talking here about the symmetric and the asymmetric. So the symmetric means each router uses the same key to encrypt and decrypt the data, and then the asymmetric uses two, which are the public and the private keys. OK, so now I'm going to speak about the protocols which are in the symmetric encryption algorithms. OK? The first symmetric protocol is called DES. DES was created a long time ago, in 1970, by IBM, and it has a 56-bit key. So that's a very old protocol. It's a symmetric encryption protocol, and it has only a 56-bit key, and this was cracked; it was cracked in the year 1999. It took the company which made the crack for this key 22 hours and 15 minutes to crack it. OK, so after 22 hours and 15 minutes they could crack it, and that's in 1999. So that's 20 years back. So that means that nowadays, with the more powerful computers that we have, it may happen that we can crack DES much faster. So that's why I put here: do not use it. So please, when you want to choose the encryption algorithm that you want to use for the symmetric, don't use DES. And if we go here to the MikroTik router, and inside, for example, the profiles here, you can see that we can choose the encryption algorithm, and they put it there for us so that you can choose DES. So again I say to you, please do not use DES, and that's for the configuration that we're going to do on
On the other side, as you can see, DES is shown here. So if you check it, that means you can use DES, and on the other side you also have to be able to use DES as well if you want to do site to site. So that's why I always recommend: do not use DES.

The second symmetric encryption protocol is 3DES. So what is the difference between DES and 3DES? Because DES is weak, they have created 3DES, and 3DES, on each block of data, uses three DES keys. That means if you have data coming here, there are three keys: key one, key two and key three. So what will happen is that the data would go to the first key and it is encrypted by the first key, which is 56 bit, and then this will be encrypted again with a second key, and this will be encrypted again with a third key. So that's why it is saying here that it's 168 bit, because that's 56 times three, then it makes 156. Okay, so it is much better than DES. So if you want to choose between DES and 3DES, I would recommend that you use 3DES.

Okay, now the third symmetric encryption algorithm is called AES, and AES is a very strong and efficient algorithm. Okay, so you will see that most of the people who want to use VPN, they always choose AES: very strong, very efficient algorithm, and it is up to now uncrackable. And it has keys of 128, 192 and 256 bits. So that means you can choose which bit key you want to use. And of course, if you use, for example, 192, it's stronger than 128, and 256 is stronger than 192. Now, of course, when you use more key bits, then it becomes slower. Okay, so the more key bits you use, the more the encryption becomes, the more the scrambling becomes, but also the processing will become slower. Now AES has been adopted by the US government and it is now used worldwide. So the US government said, okay, this is the protocol that I'm gonna use for the encryption, I adopt it. And after that, AES became very used worldwide.
Now someone can say, okay, from 128 here, we have on AES 128 bits, and on 3DES we have 168. So that means that 3DES in this case is stronger than AES. Now the answer is no, it's not stronger. If you use, for example, AES 128, even though the number of bits is less, the algorithm by itself is much more complex and much stronger than 3DES. And remember what 3DES is doing: it is three keys, and it's every time doing encryption with one of the keys. Also, you have the data fully encrypted once it finished on the third key. So that means one key relays on the other, while on AES it is just one mathematical algorithm applied on all the bits, and it is having a very strong encryption.

Now can someone say, okay, then if I want to choose between 128, 192 and 256, so if I go to 256, that's double 128. So, yeah, then why should it be slow? It's gonna be fast. So here I have to say something: when you have, for example, a 128 bit key, if you add only one bit, just one bit, that means you have 129 bit encryption. By adding only one bit, that means you are doubling the work of the encryption, so the encryption is doing double work. So if you add, for example, another bit, then it becomes 130 bit key encryption, then it is double double; that means four times the work that the encryption algorithm has to do, and that makes it more intensive on our CPU. So, for example, in this case, if you go from 128 to 256, that's double, double, double, double, double, so you can imagine how big it is then and how much load could be on the CPU. That's why it's not really correct that from 128 to 256 it's only double the work. It is really many times doubled the work. And that's why, when you want to choose between 128 and 256, you have to consider what CPU you have on your router and the memory.
And then you have to think if it's efficient to use which of the AES, if it's 128 or 192 or 256. And if I go here to the MikroTik router, on the profiles, you can see here the algorithm: there is AES, and you can see AES 128, AES 256 and AES 192. So you can see that you can choose which one you wanna use. Okay, now most of the routers that we can see on the market other than MikroTik, they mainly have those three. Okay, but on MikroTik there is something more. Of course, I'm not saying all the routers; most of them have those three. Those are really found everywhere on any router. But on MikroTik there is also another type of encryption that we can use, which is symmetric, we are still talking about the symmetric encryptions, which is Blowfish. And if we go to the MikroTik router here, we can see that there is here, you see, Blowfish; you see that one? So there's also another type of encryption that you can use on the MikroTik router when you want to set up the IPsec VPN.

So what is Blowfish? Blowfish is also an encryption algorithm, and it is part of the symmetric algorithms, and it was designed in 1993 as a replacement of DES. So because DES was designed in the year 70, this one came after it in 93 to replace it, and it uses variable length keys from 32 to 44. Now someone can say, what shall I use then, DES or Blowfish? Then my answer is none. So don't use DES and don't use Blowfish, because if you can use AES, why should you use DES or Blowfish? Then please use AES, because it is much stronger.

And the last encryption protocol, the symmetric encryption protocol that you can see on the MikroTik router, is Camellia. Camellia was developed by Mitsubishi and NTT, and has a security comparable to AES.
So Camellia is as good as AES. In this case, if you want to choose between AES and Camellia, then that's possible; you can say what you want, AES or Camellia. But again, I always recommend that you use AES, because AES you can find on most of the other brands, in case you're doing IPsec connectivity with another brand than MikroTik. But if you are using, for example, two MikroTiks, then both of them have Camellia; you can also still use Camellia. And also it has keys of 128, 192 and 256, so it's as strong as AES. And if we go to the MikroTik router here and we have a look, we can see this Camellia. So it is Camellia 128, 256 and 192. So you can choose any of those if you want, if you don't want to use AES, for example. So again, when we talk about the symmetric, we have two good protocols that you can use: AES and Camellia. Okay, and the rest, I recommend that you don't use them. So now I have spoken about the symmetric encryptions that are available on MikroTik. So again, symmetric means that one key will encrypt and the same key will decrypt.

Okay, now let's talk about the asymmetric algorithms that are available on MikroTik. The asymmetric encryption protocols that are available are, one, RSA. So RSA is Rivest, Shamir, Adleman; that's what RSA means. So those are the names of the people who created this protocol. It was published in the year 2000, and it is mostly used for application encryption such as SSH, and it can have 512, 768 and 1 megabit or larger. So what does RSA have as a function? So let's say if I go now to the MikroTik router and I will do, for example, an SSH session to the MikroTik router. So I open PuTTY, and from here I put 10.0.0.1, that's the IP of my MikroTik router, and I select SSH. And once I open it, you see, it will get here an alert, and it's saying the server's host key is not cached in your registry. So there is a key that you need to use. And then here it is saying that this is the key, ssh-rsa,
and it is using a 2048 bit key. So you can see that when I want to use SSH to the MikroTik router, there is some exchange of keys, and that's from the asymmetric. And that's what I'm saying, that RSA is used for miscellaneous applications like, for example, SSH. Now, when I say yes, then this key would be registered on my computer. Then I can do SSH to the MikroTik router. Okay, then I can open this session to the MikroTik router. So this is the main usage of RSA. Mostly you can see it when you want to do miscellaneous applications where you want to connect via the application to the MikroTik router. That's where you can see RSA. Another thing that I want to say about RSA is that it is very strong. So RSA is strong, and up to now it is unbreakable. So that means that if you want to connect an SSH session to the MikroTik router, then if you choose, for example, like in my case, it says you want to use a 2048 bit key, then it is very strong, and you know that your SSH connection to the MikroTik router is secure and all the data will be sent securely when you want to do the command line on SSH.

The second algorithm which is asymmetric, that you can find on MikroTik as well as on the other brands, is DH, Diffie-Hellman. Diffie-Hellman was also published in the year 1997, and it's commonly used in VPN connections. So you see, in VPN connection means on IPsec, to transfer securely the shared secret keys. And those are the bits: 768, 1 meg, 1536 bits or larger. So the main function of the Diffie-Hellman is what I have explained when I was speaking about this slide, when we were talking on the slide about the security over the Internet: to securely send the shared secret key from one side to another. And that's where Diffie-Hellman works. First they share the Diffie-Hellman public key, and then, in this case, the shared secret is being encrypted with the public Diffie-Hellman key to be sent to the other side.
So this is where you have to use Diffie-Hellman when you want to configure IPsec. So again, Diffie-Hellman is a very secure protocol; it's an asymmetric encryption algorithm, and you can find it also on the MikroTik router here when we are going to create the profiles. So here you can see this is the Diffie-Hellman group, and you can choose based on what bits you want; so you can see you have the smallest bit key, and you can go up to here, 8192 bit key, and that's very, very strong. Okay, so normally what you can choose is 1024 or 2048. That's strong enough to be able to exchange the shared secret keys to be sent from one router to another, so you can see that all of this is at this level here.

So with this last point about the Diffie-Hellman, I have explained to you what the encryption protocols are that you can see, whether you are using MikroTik or other brands, because those protocols are seen everywhere. And also I have told you what the best option is to choose for protocols. So if you want to use the symmetric, I highly advise to use AES, and in case you want to use Camellia, that's also possible. And then of course, here you have only the one option, which is the Diffie-Hellman on the asymmetric, and that's for sending the shared secret key from one side to another securely, so you can use Diffie-Hellman. It's very secure, and in case you go higher with the bit key, then it becomes even more secure. But again, remember, it becomes slower. So this is what I wanted to explain in this lecture. I'm just showing you all of this because now it's more clear for you when you want to configure IPsec on the MikroTik router; you say, okay, now we're using symmetric and asymmetric, I use maybe AES, that's the best, and then when you want to put the asymmetric, you say, oh, the Diffie-Hellman is what I'm going to use. So then you have a better idea of what you are doing on the configuration,
so you'll be able to do the configuration correctly on the MikroTik router. So that is what I wanted to explain in this lecture. I hope it was informative for you, and I will see you in the upcoming lecture.

11. 10 Data Integrity Hashing Algorithms (MD5 SHA1 SHA256 SHA512)

Hi there, this is Maher Haddad here again. In this lecture, I'm going to speak about the data integrity on IPsec. So if we go back to the lecture when I was talking here about the IPsec framework, I said that the IPsec framework has different functions, as you can see here. So we spoke about the confidentiality, and that's the encryption; I spoke about the symmetric and asymmetric types of encryption, and we spoke about the Diffie-Hellman over here. Now we have to speak about the integrity, which is data integrity. Okay, so what is data integrity exactly? If we go back to the slide here, it says that data integrity means that the data which is sent from one IPsec peer is not altered and is received the same at the receiving IPsec peer. So what does it mean here? This means that let's say that this is an IPsec peer, router 1, and this is an IPsec peer, router 2. So in case you want to send data, so that is the data, okay, and you want to send it to router 2. Then we said that IPsec is a VPN tunnel, so that means it has to go through the Internet, even if it has encryption. But if it goes through the Internet, someone can intercept it, for example, and he can change it. Then it comes to router 2, and router 2 doesn't have the same data that was initially sent by router 1, and that's a big problem. So even though the hacker will not understand what is in the data, if he changes it and the receiver receives something else, that's something we don't want. So what the data integrity does is it uses what we call the hashing algorithm, so we are sure that the data which is sent from one peer is received exactly at router 2 as it was sent.
So it was not altered or changed on the way when it was going from router 1 to router 2. So that is the main idea of data integrity. And to do this goal, we have to use what we call the hashing algorithm. So we have different types of hash algorithm, which are MD5 and SHA. Okay, those are the types that are available on MikroTik. And if you want, we can go here to the MikroTik router, and if you go to IP, IPsec, and we go to the profile here, you can see that in the hash algorithm here you can use MD5, you can use SHA-1, you can use SHA-256 and you can use SHA-512. So those are the hashing algorithms that are used in the data integrity.

But now someone can say, what does it mean, hash? How does it work? How can we ensure that the data which is sent from one IPsec peer is received exactly the same at the other peer? So here I have to show you this on this slide, what the hashing algorithm is. So just the idea of the hashing, whether you are using MD5 or SHA, this is the same. So what would happen here is that if we say we have the data here that needs to be sent from router 1, and this has to go to router 2, and we need to ensure that this data is the same. So what would happen, in case we're using, for example, the SHA-1 algorithm on router 1, then the data will go inside; we can call it something like a mixer if you want. So we have something like a mixer here, and the data goes inside this mixer, and then it comes out with what we call a digest. Okay, so something like 1543BA and so forth. So this is what we call a digest, or the hashing digest. Okay, so this one would be added to the data. So at the end, this hash will be added here to the data, and this will be sent via the Internet. It will be received at router 2. Now router 2 is also using SHA-1. Okay, so he's using the same protocol. So what does router 2 do?
He would take also the data and he will apply on it the SHA-1 algorithm; then in case the digest that he has is exactly the same as the one which was here, so the one which was made on router 1, so if they are similar, there is not any change between them, then router 2 knows that this data that he has received is correct and that it was not changed. So this is the concept of the hashing which we normally use on the data integrity. So it's nothing more than a mathematical algorithm, a mathematical formula that is made; it is irreversible and it is one way. And then what router 2 would do is that he will do the calculation again, and if the digest is exactly the same, the one that he has and the one he has received, then he knows that the data has not been changed, and he knows that in this case he can receive the data without any problem. So that is the whole idea of the hashing.

Now, what are the hashing algorithms available on MikroTik? Of course we have on the market many hashing algorithms, but on MikroTik for IPsec we have MD5. MD5 uses a 128 bit hash, and it is considered a weak hash algorithm. So it was good before, but nowadays it becomes weak. So that's why I always recommend, if you want to use a hashing algorithm, then please choose SHA, because it is now much better. The second one is SHA, and it has three different versions. First is SHA-1; it uses a 160 bit hash. The second is SHA-256, which uses of course a 256 bit hash, and the third is SHA-512, and it uses a 512 bit hash. So the SHA-256 and SHA-512, normally they call them SHA-2. Okay, so if you use more bits, then it is more secure as well. But just to say about the hashing algorithm: for example, if you say for data, you say "one", and you apply on it the hashing, SHA let's say, then you get this string. So this string that you get is equal whether you say "one" or you say "ABC" or you say "November" or you say whatever you want:
the string size is always the same. Okay, and it is something I can show you now directly. I have here a website, and on this website it's saying here that, okay, you can use the MD5 and SHA-1 hash generator for text. So let's say here we write something like "It is a good day". So you can see it is on MD5, applying MD5. So this is the hash that MD5 can give us, okay. Even if I take "day" out, you see, the size is always the same. Look, that is the size if we take out "day". So the size of the hashing algorithm has not changed; the hash string is still having the same size. Of course it has changed in the content, so it has something different now. So here you see it has 4609 at the end, but if we write "day", it has 1704, but the size is the same. So that is what the algorithm shows on the hashing when using MD5. If we use SHA-1, you can see it becomes longer, because you are using more bits. If we use SHA-256, then it's even longer, because you are also using more bits. So again, it's up to you what you want to choose, but I always recommend you to use at least SHA-1, because that's a very good hashing algorithm nowadays.

So that is what I wanted to explain in this lecture. So again, data integrity is very important, because we want that the data which is sent on IPsec is received exactly the same as it was sent. To do that, we have to use what we call the hashing algorithms. And I have showed you that you can use MD5, you can use SHA-1 and you can use SHA-2, which are the SHA-256 and SHA-512. And I have showed you what exactly the hashing is, how it works. So the idea is that it takes the data and will get out of it a string, which is the hash string, and it will add it and then send it to the other side. The other side would do the same calculation; if the digest, the hashing digest, is the same on both sides, then the receiver
knows that the data has not been changed when it was sent from the sender to the receiver. So that is what I wanted to show you in this lecture. I hope it was informative for you, and I will see you in the upcoming lecture.

12. 11 IPSEC Authentication (Pre shared key vs Certificates)

Hi there, this is Maher Haddad here again. In this lecture, I'm going to speak about another function on the IPsec framework, or the IPsec protocol suite, and it's called the authentication. So if you go back here to the slide where I was explaining about the different parts of IPsec: we have already spoken about the confidentiality, so that's something we spoke about, the symmetric and asymmetric, each. We spoke about the integrity using MD5 and SHA. We spoke about the Diffie-Hellman. So now I'm going to speak about the authentication. So on authentication, we have two different types of authentication that we can use on IPsec. So what is authentication exactly? Authentication means that one of the IPsec peers will authenticate the second IPsec peer, and the second IPsec peer will also authenticate the first IPsec peer. So in this case, if we want to do the integrity, we want to do the encryption and we want to do everything, if we don't do authentication first, all what we have done on IPsec as integrity, as confidentiality, it's not enough, because we have to first know that the data that we are sending, we are sending it to the right device, to the right IPsec peer. In this case, we have to say that router 1 is one IPsec peer and router 2 is the second IPsec peer, and here what needs to be done is that router 1 knows for sure that router 2 is the IPsec peer which is the right one to send the data to via the IPsec tunnel, and router 2 needs also to know that router 1 is the right IPsec peer to send the data to via the tunnel. Now, on the authentication,
we have two types. We have first the pre-shared key. So what does it mean, pre-shared key? In this case, we use the same key on each side of the VPN and periodically authenticate each other. So what we can do, we can go to router 1, we can say, okay, I'm going to use the pre-shared key, as an example, 123456. Just that's an example, okay. Of course, when you want to use a pre-shared key, you have to make it more complex than 123456, but just for now, as an example, I'm just putting this simple pre-shared key, and the same pre-shared key we put here on router 2: 123456. So what will happen here is that when the routers want to send each other the data via the IPsec tunnel, then the pre-shared key which is from router 1 is sent to router 2, and then router 2 will check: oh, that's the right pre-shared key that is sent to me, and he knows that the other side is the right IPsec peer. But also router 2 sends the same pre-shared key that he has to router 1, which is 123456, and router 1 will check and say, okay, then it is the right pre-shared key; then in this case both routers are authenticated.

Now someone can say, but if you send the pre-shared key, you're sending this via the Internet, then in this case, if someone receives the pre-shared key, he can be like a man in the middle here, put a router, and he has the right pre-shared key, and then he can form the tunnel with the other one. That's right, but the pre-shared keys are not sent in clear text. The pre-shared keys, when they are sent, they are made using the hashing algorithm, so they are hashed, and the hash is sent to the other side. And the other side also would do the same calculation of the hashing, and then, if it's confirmed that the hashes are similar, then they know that the key is similar. So that's why we do not have to worry if you want to use pre-shared keys; so it's possible to use it in order to authenticate one
IPsec peer to another, and then vice versa.

Another type of authentication that we may have also is using certificates. So here we have an example of two routers, router 1 and router 2. So we can use pre-shared key; it's very easy, we just put on each of the routers the same pre-shared key, and then it works fine. But imagine that you have tens or hundreds of routers that you want to make a VPN with each other; then it becomes very hard work for us to use pre-shared keys, and in case you want to change the pre-shared key, you would have to change it on all the routers. So that's a lot of work. So what we can use instead, we can use something we call certificates. So what are the certificates? If we go with the definition, a certificate means each router receives a certificate from a trusted certificate authority, which we call CA, and they authenticate each other using the certificates. So what does it mean? This means that we have, like, a server; we call it a certificate authority. And this certificate authority can be a server, can be a router, and it can sign certificates. And then each of the routers will install a certificate which is coming from the same certificate authority. So the certificate authority is nothing more than, like, an authority to sign certificates. Then what will happen: now the routers, when they want to communicate with each other, router 1 will share his certificate with router 2, then router 2 will check the certificate and he will see this stamp, then he'll say, oh, that's coming from the same certificate authority that I have. Then he will authenticate the router. And also router 2 will send his certificate to router 1, and router 1 also will check; he will see the right stamp, which is from the right certificate authority, and then he will authenticate it. So you have to think of the certificate as something like, for example, the driving license that you have. So you get the driving license.
That's like a certificate from an authority, which is the government. So the government is the authority, the trusted authority, which gives you the driving license. So in case you are stopped by the police, for example, you can just show your driving license, and then he will see that it is issued from the authority, which is the government. Then it is trusted. Then they can be sure that the information which is on the driving license is correct. Okay, so you have to think of it like this. In case someone gets a fake driving license, that's a driving license without being from a trusted authority, then he will be having a problem. And the same occasion: if you don't have the right certificate from the right certificate authority, then your router will not be authenticated by the other peers. So that is the idea of the certificates.

Now, if you want, we can go to the MikroTik router here, and if we go to IP, IPsec, and we go to identities here and we click plus. When we want to work on IPsec, here there is this peer we have to put, and here you can see authentication method. So you have pre-shared key, this one; you have digital signature, and you have of course EAP, EAP RADIUS. That means that if you are using a server like a RADIUS server, you can use that. So here is RSA key, RSA signature hybrid. So the most important here that you can see is that you are able to use the pre-shared key and the certificates when you want to use the IPsec configuration on the MikroTik router. So this is what I wanted to explain in this lecture. It's about the authentication. So again, doing the integrity, doing the confidentiality, doing all those things on IPsec without having the right authentication, which means that we are communicating with the right IPsec peer or peers, then in this case we are not doing anything. So authentication is very, very important to be used.
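As an added worked example (not code from the course or from MikroTik), here is the integrity check from lecture 10 and the pre-shared-key idea from lecture 11 in Python, using only the standard library. The message layout, the nonce exchange and the identities "router1"/"router2" are simplified assumptions for illustration, not the real AH/ESP or IKE formats; the sample text is constructed.

```python
"""Added example, not code from the course or from MikroTik.

Models two ideas from lectures 10 and 11 with the Python standard library:
  * data integrity: the sender appends a digest, the receiver recomputes it
    and compares (and the keyed form, HMAC, which is what IPsec actually
    carries as its integrity value);
  * pre-shared-key authentication: both peers prove they hold the same PSK
    without ever sending the PSK itself, only a hash computed over it.
The message layouts are simplified and constructed for illustration; they
are not the real AH/ESP or IKE formats.
"""
import hashlib
import hmac
import secrets

# The four hash algorithms offered in the MikroTik IPsec profile.
HASHES = {
    "md5": hashlib.md5,
    "sha1": hashlib.sha1,
    "sha256": hashlib.sha256,
    "sha512": hashlib.sha512,
}


def digest_hex(algorithm: str, data: bytes) -> str:
    """Hex digest of `data` under one of the algorithms in HASHES."""
    return HASHES[algorithm](data).hexdigest()


def digest_lengths(text: str) -> dict:
    """Length in hex characters of each digest. The lecture's point: this
    depends only on the algorithm, never on the size of the input."""
    return {name: len(digest_hex(name, text.encode())) for name in HASHES}


# --- data integrity, as in lecture 10 ---------------------------------------

def protect(algorithm: str, data: bytes) -> tuple:
    """Router 1: compute the digest and attach it to the data."""
    return data, digest_hex(algorithm, data)


def verify(algorithm: str, data: bytes, received_digest: str) -> bool:
    """Router 2: recompute the digest over what arrived and compare it with
    the digest that was attached. compare_digest avoids timing leaks."""
    return hmac.compare_digest(digest_hex(algorithm, data), received_digest)


def keyed_tag(algorithm: str, key: bytes, data: bytes) -> str:
    """The keyed variant IPsec uses for AH/ESP integrity: an HMAC under a
    session key only the two peers know. Someone who alters the data in
    transit cannot recompute this tag without the key, whereas a plain
    digest can be recomputed by anyone."""
    return hmac.new(key, data, HASHES[algorithm]).hexdigest()


# --- pre-shared-key authentication, as in lecture 11 -----------------------

def psk_auth_value(psk: str, my_nonce: bytes, peer_nonce: bytes, my_id: str) -> str:
    """Hypothetical simplified exchange: each peer sends a fresh random nonce
    in clear, then proves knowledge of the PSK with an HMAC-SHA256 over both
    nonces and its own identity. The PSK itself never crosses the wire."""
    message = my_nonce + peer_nonce + my_id.encode()
    return hmac.new(psk.encode(), message, hashlib.sha256).hexdigest()


def mutual_psk_auth(psk_router1: str, psk_router2: str) -> bool:
    """Run the simplified exchange between two peers and report whether both
    sides accept each other. Succeeds only when both hold the same PSK."""
    n1, n2 = secrets.token_bytes(16), secrets.token_bytes(16)  # exchanged in clear
    proof1 = psk_auth_value(psk_router1, n1, n2, "router1")    # sent by router 1
    proof2 = psk_auth_value(psk_router2, n2, n1, "router2")    # sent by router 2
    # Router 2 checks router 1's proof with its own copy of the PSK, and vice versa.
    r2_accepts = hmac.compare_digest(proof1, psk_auth_value(psk_router2, n1, n2, "router1"))
    r1_accepts = hmac.compare_digest(proof2, psk_auth_value(psk_router1, n2, n1, "router2"))
    return r2_accepts and r1_accepts


if __name__ == "__main__":
    # Constructed sample data, mirroring the lecture's web demo.
    print(digest_lengths("It is a good day"))  # {'md5': 32, 'sha1': 40, 'sha256': 64, 'sha512': 128}
    data, tag = protect("sha256", b"It is a good day")
    print(verify("sha256", data, tag))                 # True
    print(verify("sha256", b"It is a bad day", tag))   # False: altered in transit
    print(mutual_psk_auth("123456", "123456"))         # True
    print(mutual_psk_auth("123456", "654321"))         # False
```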
And it has to be done. Here I have to say something: if you want to use the certificates on IPsec, on MikroTik the router can be the certificate authority, and you can issue certificates from the MikroTik router itself. So you can, for example, say that this router is the router which signs the certificates, and from this router you can issue the certificates, send them to the routers that need to be using certificates to be able to be authenticated. So that's something the MikroTik router can provide us, and it's also for free, so you don't need to go and buy certificates from a trusted certificate authority which is on the Internet. You can use the MikroTik itself to make this for you. So this is what I wanted to explain in this lecture. I hope it was informative for you, and I will see you in the upcoming lecture.

13. 12 IPSEC Negotiation Protocols (AH vs ESP)

Hi there, this is Maher Haddad here again. In this lecture, I'm going to speak about the IPsec negotiation protocols that are available, and it is the last part of the IPsec suite that we have discussed. So if we go back to the slide where I was speaking here about the parts of IPsec: we have already spoken about the confidentiality, the integrity, authentication, Diffie-Hellman. So we still have the last one, which is the IPsec protocol. So that is the negotiation protocol. As you can see, we have two choices, whether we use AH or ESP. So in this lecture, I'm going to discuss the AH and the ESP. Before I start speaking about the AH and the ESP, let me just explain to you what the IPsec negotiation protocols are. So normally we said that we have two routers here that are connected to each other via the Internet, and they want to make a VPN tunnel using IPsec. So we will see in the upcoming lecture what will happen here: that IPsec would go through what we call phases. So there is
first, what's gonna happen is the IKE phase 1, and in the IKE phase 1, which is Internet Key Exchange, the keys will be exchanged. This is something that I'm gonna explain in the upcoming lecture. So this is called the ISAKMP tunnel. So there is a process which is gonna happen here. Then, after this is finished, there will be some exchange also of the IKE phase number 2, and the IKE phase number 2, this is called the IPsec tunnel. So it's a tunnel inside the tunnel, and there it makes everything ready for the data to be sent. So here the data will be sent; the data of the VPN would be sent after both the phases are finished. So this data that is sent will be sent inside those two tunnels, the IKE 1 and IKE 2. But the data is not encrypted, and it's not secure. So here we need to use, in this case, one of the two options on the data level: we want to use either AH, or we have to use ESP. So here we can decide what we want to use. If you want to use AH, then we use it, and we'll have to decide if we want to use ESP, we use it. So what would happen is that they will exchange on this level, on the data; there will be those protocols, the IPsec negotiation protocols, that will be exchanged between the two routers, and then they would agree: okay, we can use AH or we can use ESP; then in this case the data will start to be sent. So this is the level where we have to choose the AH and the ESP. Then what will happen also inside this exchange: they will also say if we want to use the tunnel or we want to use the transport. And that's something I have explained here when I was speaking about the tunnel and the transport; I think it is somewhere here. So here we spoke about if we use the transport mode or the tunnel. Also in this level, when the data is agreed, whether you want to use AH or ESP, then they also agree which communication mode they use, whether the transport or the tunnel. Okay, now we just have an idea. Again,
I'm gonna go in details through the phases, IKE phase 1 and IKE phase 2, and then the data, and all what happens in the background on IPsec; that's something I'm gonna discuss in the upcoming lectures. But just to let you know where AH and ESP stand when they want to do the negotiation between each other. So if you choose, for example, that you want to use the Authentication Header, the AH, then what will happen here is that only the authentication, which is pre-shared key or certificates, and the data integrity, which is the hashing, so like MD5 or SHA-1 or SHA-2, those would be used. That means when you have the two routers again having VPN, then the data will not be encrypted. So if they agreed to use AH, so here the router will use AH and here the router would use AH, then the data would be having the authentication and the integrity, which is the hashing, and then the data will be sent in clear, but it will apply the data integrity and the authentication. Okay, so that's something normally we never have to use, unless you are using this inside your network. So, for example, in your network you don't care too much about the encryption, then that's fine, you can use AH, or whether you are using this on a private network, that's also possible. But again, still, in those cases, I don't really advise to use AH, because you don't have encryption. So all the idea of IPsec, that they want to use it, is because of the encryption; if you don't have encryption, then the data will be sent without encryption, and that's something we don't want. So I can say to you that really rarely you see that people use AH; you can see 99.99999% of the time people use ESP.

Now ESP is Encapsulating Security Payload; that's what ESP is here. They use the authentication and the data integrity, but in addition the encryption is being used.
So again, if we have here two routers and they want to do I present prepared to each other, then the data would be having encryption. That's for example. They're using A S. It's encrypted. They use authentication. So appreciate your certificates, that integrity hashing. So in this case, you are securing, really? Do your data to be sent from one site to another again, Those two brothers, they need to agree to UCSB. So you have to set this on your configuration on the my critique latter, that disrupt alleges ESPN disorder is using SB. If you say this ESPN this age so not the eSpeed, then the the negotiation protocols would not agree then your VP and will not work. So you should have both PSP on both brothers. Now we just get the idea that he s be used the encryption. In addition, off the debt integrity and the authentication wild on the authentication Heather with the issue only used the data integrity and authentication. So let's now have a look on the my critique water where we can see that. So if we go here toe, I'd be I p sec. And when we are going to work on the policies here, then here is so the most important part off the congressional off the I P sec who you can say, OK, in this case, the action off. What I want to do here is to encrypt on what is the I P sec particle you want to use so you can see you can choose? Yes, b, you can use a edge. But of course, it's always recommended that you used the yes beef. Then you do the same on the other side, also on the rather. So in this case you are securing all the data which is sent from one my critique route or via the Victor Antal toe the other side. So with this last slide off the basic framework, I have just explained about the I per second negotiation particles. So if we go back here, So this slide here, we can say that everything now is being explained about the I P sec framework. 
Andi, everything is clear for you now, So that means that this whole section is finished and now we have to start a new session and this new section is going to speak about what happens when the eyepiece act has to start working. That means how they will stop. The router will start from outside, negotiate with the other daughter on about the faces and about the encryption and about all this. So what we have learned here, this is gonna be showed in the upcoming lectures. When I'm going to speak about the faces which are available on the I P. Sec on after we finished the faces, then we understand how I protect thinks. Then, in this case, we can do the lab and you will see that when we do the lab, everything will be easy because we already have understood exactly how I p sec works. So I did this. What I wanted to explain in this lecture I hope it was informative for you. And I will see you in the upcoming election. 14. 13 IPSEC Negotiation Process Introduction: Hi there. Did this man have that here again after we have studied about the i P sec framework on the parts which are inside the I P SEC engine, and I have discussed in details about each of the parts. Now it's time to start speaking about how I p sake work. So we have to understand how I be sec, think. And then, in this case, we are able later to configure it correctly. What you want to do the lab on the micro take router. So I protect hands five paces. So every time we want to make a victory and I protect family, this will pass through five faces. So in the upcoming lecture are going to start speaking about those five places we take one place by one and that we discuss all the tastes about it. And then at the end, when we finish the five faces, then we understand exactly how I protect work. Then I'm gonna do the lab in this snap. I'm gonna show you how you can configure I P site on the Michael Carter. So that is what I'm going to do in the upcoming lecture. 
If you are ready, let's go directly and start doing it.

15. 14 IPSEC Negotiation Process and choices of IPSEC interesting traffic:

Hi there, this is Maher Haddad here again. Now, in this lecture, I'm going to speak about the IPsec process, or the negotiation processes that happen in IPsec. So as you can see here we have five processes. The first one is interesting traffic to trigger the VPN. That means if we have here router one and router two connected to the Internet, and we want to do the VPN IPsec tunnel between each other, then there should be some interesting traffic for the VPN to get triggered; that means for the VPN to start. For example, you configure, you say: okay, I want that any traffic which is going from 10.0.0.0/24 to 172.16.0.0/24, for example, so anything which is going from this network to that network, then here I want to send it via the IPsec VPN. So that means that there is a trigger here happening for the VPN process to start. Okay, so in this case, of course, you have to do it the two ways. So you have to say from here, from this network to this network, but also you have to say from this network to that network, because again, IPsec is going to be a mutual process to work between the two routers. So that is what the interesting traffic is. I'm going to go into each of the points one by one, but just as a global idea, I'm going to give you just what each of the points means. The second process is called IKE phase number one. So what happens in this phase? What happens is that in this phase they will negotiate, and there will happen the sharing of the shared secret key. So that means if they use AES, then in this case they share to each other the secret key, the shared secret. So this happens on IKE phase number one. That means they make a tunnel in this case and they share the shared secret keys. Then on the IKE phase number two,
then there is another tunnel inside the first tunnel, and here what happens is that it makes everything ready for the data to be sent. Okay, so this is called here IPsec, the IPsec phase, and here it is called ISAKMP. So if you see that, that means you understand that when they say ISAKMP, that's phase number one, and IKE phase number two, that's IPsec. And after those three phases are finished, then the data will start being transferred, and this is where the data is transferred. And then at the end, when the VPN tunnel is formed and it's not used for some time, then it reaches the idle time, then it is torn down; that means it will get disconnected. So those are the five phases, which are the important phases on IPsec. So every time you want to make an IPsec connectivity, it would pass through all those five phases. So let's first take the first one, which is the interesting traffic to trigger the VPN, and discuss about it. Okay, so now we are speaking about the interesting traffic for the VPN, and that means there is some traffic that needs to be sent to trigger the VPN, to say that we want to start making the VPN tunnel on IPsec with the other peer, and here we have three choices. The first choice is to encrypt everything using the IPsec tunnel, that's the IPsec VPN; the second one is to send everything in clear text; the third one is to discard the traffic. What does it mean here? This means that you can say again here that I want everything which is 10.0.0.0/24, and here the network, let's say it's 172.16.0.0/24. So everything which is coming from 10.0.0.0 going to 172.16.0.0 and vice versa, everything we need to be sent via the IPsec tunnel to be encrypted. Okay, so that's something you define on the MikroTik router, and you say that anything which is coming from this network to that network and vice versa, then we want it to be encrypted.
So that is the first one, that is choice number one. You can have another choice, which is sending in clear text. For example, let's consider that this router here is connected to an ISP, to the Internet, and you want on this router that everything which is from 10.0.0.0/24 stays working on the IPsec, so it will be sent to this network via IPsec. But if you have another network here, for example, which is 10.0.3.0/24, you don't want this network also to go via IPsec; you just want it to go to the Internet. Then what you can do, you can say that this network has to go in clear text and then to go to the Internet. We don't want to send it via the VPN, and that's what we normally call a split tunnel. That means that you have one tunnel for one network, and the second network that we have, we don't want it to go via this tunnel; we want it to go via the Internet. And a lot of people, what they do normally, they make everything go via the IPsec tunnel, and you know when you are using IPsec there is some overhead to go to the other side. And if those guys here want to go to the Internet, then in this case what happens is that this router has Internet, then they go via the tunnel and then to the router here to go to the Internet. That's overhead over overhead. So what you can do, you can specify, you can say that my choice is that this network has to go in clear text from here to go to the Internet, and this network has to go via the VPN. Then in this case it is much better. Then the last one, the last choice that you can have, is what we call discard the traffic. That means you are discarding the traffic. What does it mean here? Let me just make it clear here to show you what it means. So discard traffic means that if we say, okay, everything from 10.0.0.0 going to 172.16.0.0 has to be encrypted; okay, that's what we have done at the first point.
Then this router here received some packets from 10.0.0.0/24, but they are not encrypted; they are just coming to this router as clear text. Why? This router says that, based on the configuration, anything coming from 10.0.0.0/24 on the IPsec tunnel needs to be encrypted, but he received them unencrypted. Then, in this case, he knows that there is somebody spoofing the packet and sending him spoofed packets. So what you can do here, you can apply this, what is called discard the traffic. That means we discard the traffic, and any traffic coming which is unencrypted from the network which needs to send you the packet as encrypted, then he will discard it. So those are the three choices that we have when we speak about the first point, the interesting traffic for VPN. Now, if you want to check that on the MikroTik router, we can go here to the router, we go to IP > IPsec, and to Policies here. So we have a default one, but of course you can create more policies, as many as you want. So let's say we create a new one, for example here, and you will say: okay, for the peer, we mention which is the peer, so we are making the VPN to that peer, okay. The second here, and here it's the interesting traffic; we have to mention from which source to which destination. So from where it is coming, for example from 10.0.0.0/24, going to 172.16.0.0, then the action. What we want to do here, the action is to encrypt, or discard, or none. So if you say discard, that means if we receive anything from 172.16.0.0 we will discard it. But we want it to be encrypted, then we say encrypt. And of course, the level here, we say require. And again, when you want to use encryption, you're using ESP and not AH. Okay, so you can see this is where you can mention, when you are talking about the interesting traffic, so we can create more than one.
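The three policy choices just described (encrypt, send in clear text, discard), written as RouterOS CLI commands for the IP > IPsec > Policies window. This is an added example and not configuration from the course; it assumes a peer named site-b and a phase 2 proposal named phase2 already exist (both names are assumptions), it uses RouterOS 6.45+ syntax where a policy references a peer by name, and the networks are the lecture's own examples: 10.0.0.0/24 is this site's LAN, 172.16.0.0/24 is the remote LAN, and 10.0.3.0/24 is the second local LAN that should reach the Internet directly.

```routeros
# Added example, not from the course. Assumes a peer "site-b" and a
# proposal "phase2" were created beforehand (both names are assumptions).
# Networks are the lecture's examples: 10.0.0.0/24 is this site's LAN,
# 172.16.0.0/24 is the remote LAN, 10.0.3.0/24 is a second local LAN
# that goes to the Internet directly (split tunnel).

# Choice 1: encrypt. LAN-to-LAN traffic must go through the IPsec tunnel
# with ESP (not AH). level=require means "no SA, no packet": matching
# traffic is neither sent nor accepted in clear text.
/ip ipsec policy add peer=site-b tunnel=yes \
    src-address=10.0.0.0/24 dst-address=172.16.0.0/24 \
    action=encrypt level=require ipsec-protocols=esp proposal=phase2 \
    comment="site-to-site: encrypt"

# Choice 3: discard. The split-tunnel LAN has no tunnel to site B, so a
# packet from the remote LAN addressed to it can only be spoofed; drop it
# instead of routing it.
/ip ipsec policy add src-address=172.16.0.0/24 dst-address=10.0.3.0/24 \
    action=discard comment="drop spoofed traffic claiming to be site-b"

# Choice 2: send in clear text. The split-tunnel LAN is explicitly excluded
# from IPsec and reaches the Internet unencrypted. Policies are evaluated
# in the order listed, so this comes after the discard rule and before
# any broader encrypt policy that could otherwise capture it.
/ip ipsec policy add src-address=10.0.3.0/24 dst-address=0.0.0.0/0 \
    action=none comment="split tunnel: clear text to the Internet"

# Review the resulting order.
/ip ipsec policy print
```

With level=require, clear-text packets that match the encrypt policy are already dropped by the policy itself; the explicit discard policy is there for a destination the encrypt policy does not cover, which is the case the lecture's spoofing example describes. The remote router needs the mirror image of the encrypt policy (source and destination swapped), as the lecture says, otherwise the two sides never agree.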
And, as you can see, we have to click on plus, and then we make more than one if you want. So that is what I wanted to explain about the interesting traffic to trigger the VPN. And again, once this is done, then we go to phase number one, which is the ISAKMP phase. And this is what I'm going to explain in the upcoming lecture, about the IKE phase number one, how it works, and then we understand it. And then after it, we go to the phase number two, and so on, until we cover the whole process of the IPsec. So that is what I wanted to explain in this lecture. I hope it was informative for you, and I will see you in the upcoming lecture.

16. 15 IPSEC IKE Phase 1 (ISAKMP Tunnel):

Hi there, this is Maher Haddad here again. In this lecture, I'm going to speak about the second part of the five parts that we have seen that IPsec has to pass through, which is called phase one, IKE phase one, or also we call it ISAKMP. So what happens here? We have already said about the interesting traffic: so there is some interesting traffic, the trigger for the VPN to work, the IPsec VPN to work. Then what will happen? We go to the IKE phase number one, also called ISAKMP tunnel. So what happens here in this level, what will happen is that the two routers will exchange with each other and will negotiate about the following: the hashing, the authentication, the Diffie-Hellman group, the encryption, and the lifetime. Of course, we already know what the hashing is. So they will negotiate about hashing, which is the data integrity; the authentication, so whether they use pre-shared key or certificates; the Diffie-Hellman group, so which level of Diffie-Hellman is going to be used; the encryption, whether they are going to use 3DES or AES or any other type of encryption; and the lifetime, which means how long this tunnel, which is on phase one, will last. Okay, so that's something they will negotiate with each other, of course, on each of the routers.
You can configure the phase one on different policies. So you can say, okay, I will do the first policy; I will say on the first policy I'm going to use MD5 as hashing, I'm going to use authentication pre-shared key, I'm going to use Diffie-Hellman level number five, I'm going to use encryption AES, I'm going to use lifetime, for example, one day. So this is the first policy. You can do a second one; you can say, well, in this case, on the same one, I'm going to use SHA1, I'm going to use certificates, I'm going to use level three of Diffie-Hellman, I'm going to use something else and something else. So maybe you don't see that from me now on the video, but I'm just saying that you can create more than one policy. Of course, here you have to create those policies on both routers, on this router and on that router. So, in order for the two routers to agree about which of the policies they will use, whether one or whether two, both routers have to agree on that, so the two policies have to be the same. So if here they choose, for example, router two and router one, that they're going to use the first policy, then both of them should have MD5, they should have PSK, Diffie-Hellman level five, AES and one day as lifetime. So they have to have exactly the same policy that is created on each of the routers in order to agree on that. And then they can form the tunnel, which is the ISAKMP tunnel. Now the collection of this information here, normally it's called Security Association. So this is when they exchange those; this is called Security Association. That's why the IKE phase number one is called ISAKMP, which is Internet Security Association and Key Management Protocol, because they will negotiate the Security Association, which is the list of the things that I have just explained, but also on this level, on this phase, they will exchange the keys, and that's something we'll see when we go on step number two.
So again, on this first phase, the first thing they do, they negotiate about the Security Association. It should be similar on both sides, and then they agree that they are going to use this one. Then they would go to step number two, which I'm going to speak about now. In step number two, we are still in the same phase, which is the IKE phase number one; there is what we call the Diffie-Hellman key exchange. So after the negotiations, so once the negotiation is finished, the peers know which policy is used; they agree which of the policies is going to be used. Again, the policy should be on both routers and they should match. Then the negotiated Diffie-Hellman group will exchange the keys, and as a result both peers will have the shared secret. So remember, from the lesson when I was speaking about the Diffie-Hellman, that they will share the public key, and as a result, at the end, both of the routers will have the same shared secret key. So that's something I have already explained. So here it happens on this phase. So again, they first will negotiate about the Security Association; once done, they will exchange the keys using the Diffie-Hellman. And then the last part here, on this phase, is the authentication. So after the negotiation and the key exchange, the two peers authenticate each other. So here, when they say, okay, we're going to use the pre-shared key on the authentication, for example, then here it will happen. So on step three, this router will get authenticated by router two, and router two will get authenticated by router one. So once the two routers are authenticated, that means they know that they form the ISAKMP tunnel with the right router, then in this case the tunnel will happen. So that is, you can see here, the IKE phase one tunnel is being formed between the two routers. So this is what happens on IKE phase number one, or also what we call the ISAKMP.
First again, they would negotiate the Security Associations, and once they agreed, they will go here to the Diffie-Hellman; they will share the public keys on the Diffie-Hellman, and then at the end each of the routers has the same shared secret key. And then at the end, the routers will authenticate each other, and then the IKE phase number one is being formed, and now it's ready for the IKE phase two to start. Okay, now this is very important to understand, because we have to configure this on the MikroTik router. But before I show you how or where you can configure it on the MikroTik router, and of course I'm going to show it again when I do the lab, just to mention here that there are two modes that you can use for the phase one, IKE phase one. And those two modes I'm going to explain in the upcoming lecture. So the IKE phase one is not yet finished; there are two modes that they use, and in the upcoming lecture I'm going to explain about it in a very short video, but just because I need to show you what are the modes that can be used on IKE phase number one. Now we go to the MikroTik router, and if we go to IP > IPsec, here we have to go to Profiles. So we have a default one; you can create another one, and here you can name the profile. You can say, okay, I'm going to use SHA1 or SHA256 and so forth; the encryption, you choose it; the Diffie-Hellman group, you choose it; the lifetime, you can see it is by default one day, so you can make it shorter, you can make it longer, it's up to you. And here you put the lifebytes. So if you want, you can as well make the IKE phase number one based on the lifebytes, so how much it will use, and then it will get expired afterwards. So this is where you can make the configuration of the IKE phase number one. But of course, we still have the authentication, and that's something I will show to you here on the Identities.
Here we can use, for example, the pre-shared key authentication, and we can put the secret over here. Okay, now the IKE phase one again: there are two modes that you can use on IKE phase number one, which are the main and the aggressive, and that's something I'm going to explain to you in the upcoming lecture, what they do and the difference. So that is what I wanted to explain in this lecture; this is IKE phase number one, or what we call the ISAKMP tunnel, and I have explained to you what happens in this phase, and the way we saw that the routers would negotiate the Security Association together, to agree on one which is similar on both routers. Then what will happen is that the Diffie-Hellman will work, and also they will share the keys in order to have the same shared secret key. And then the routers will get authenticated, and then the IKE phase number one tunnel will be formed, and the second phase will be ready to start. So that is what I wanted to explain in this lecture. I hope it was informative for you, and I'll see you in the upcoming lecture.

17. 16 IPSEC IKE Phase 1 (Main vs Aggressive mode):

Hi there, this is Maher Haddad here again. We are still now speaking about the IKE phase number one, which is the ISAKMP tunnel. I have explained in the previous lecture about it, so how it works and what are the steps that it goes through on phase number one. Now I have also said in the last lecture that IKE phase number one has two modes, or you can use two modes: you can use what we call the main mode, or you can use the aggressive mode. Those two modes are when you are using IKE version number one; again, those modes for the IKE phase number one are used when you are using IKE version number one. So you have two types of IKE: the type which is called IKE version number one, and IKE version number two. All what I have already discussed now about the ISAKMP, we are speaking about the IKE version
number one, and there is the new version, which is IKE version number two, and normally this doesn't go through these modes that I'm now explaining. So if you want to use IKE version number two on the MikroTik router, and I'm going to explain about that later in this course, then what I'm now explaining about the modes, they will not be there. Okay, so if you are using the IKE version number one, then those modes will be shown, and I'm going to show that to you later, at the end of this lecture. So I will go to the MikroTik router and I show you that you can use version number two. Now, if we're using the version number one, so we have here the step which is the IKE phase one, the ISAKMP, and here we can choose whether we want to use the main mode or we want to use the aggressive mode. So what is the difference? Actually, those modes are nothing more than, when the negotiation is happening between the two routers on the IKE phase number one, then if you are using option one, which is the main mode, there are six messages going between router one and router two and vice versa. So this will happen in six messages. That means when we are speaking about what is the Security Association they want to use, so the hashing, the encryption, the Diffie-Hellman group and so forth, and then also when we are speaking here about the Diffie-Hellman exchange of keys, and speaking about the authentication, so this happens with six messages if you are using the main mode. Now the main mode is considered a secure mode. Okay, so if you open Wireshark, you will see that, because a lot of things are encrypted, especially when it comes to the identification, it's encrypted. Then it is a secure mode, but it is a bit slower than the aggressive mode, so this option is secure. Now the part number three on the main mode is that the identification is encrypted. So when the authentication is happening, it will encrypt the ID of the router.
So that means if someone is intercepting the messages, then he doesn't see that. Okay, so this is the main mode. If you choose the main mode, so remember it is more secure, but it's a bit slower than the aggressive mode, but it is more secure. If you want to use the aggressive mode, then in this case, instead of having six messages that go between the two routers, you have here three messages. So three messages to establish the Security Association, and it is quicker than the main mode, because you are using three messages only between the routers, then it is quicker. And here the problem is that the identification is sent as clear text. That means that we show the identification of the router when it's trying to send the message to the other router. So that's something you have to consider, whether you want to use the main mode or whether you want to use the aggressive mode. So based on those options, you can say, well, it's better to use the main mode, which I recommend, because it is more secure and it makes the encryption on the identification. Then it's better to choose the main. Again, the main mode and the aggressive mode are used on the IKE version number one. Okay, now, if you want, we can go to the MikroTik router here, and from here, if we go to IP > IPsec, we can go to Peers here. So when you want to put the peer, and that's something we want to do in the configuration, the address and so forth, so here you have the exchange mode. You can see you have aggressive and you have main; main is the default one on the MikroTik router. You can use aggressive, you can use IKE2, which is IKE version number two, which is totally different than the main and the aggressive. Okay, so now I just explained about the main and the aggressive. IKE version number two, I'm going to speak about it later.
All right, so this is a short video, just to explain to you that on the IKE phase number one you have two modes that you can use to exchange the messages between the two routers. You can use the main mode, which is more secure than the second one, which is the aggressive mode, which is quicker. So it's up to you now to choose which of the modes you want to use when you want to set up the IPsec phase number one policy. So that is what I wanted to explain in this lecture. I hope it was informative for you, and I will see you in the upcoming lecture.

18. 17 IPSEC IKE Phase 2 (IPSEC TUnnel):

Hi there, this is Maher Haddad here again. After we have finished with the IKE phase number one, which is the ISAKMP tunnel, now we have to speak about the IKE phase number two. So once the IKE phase number one is done and the tunnel of that phase is done, then in this case the second step will start, which is the IKE phase number two. So the IKE phase number two is also called IPsec tunnel. So what is the main function of this phase here? The main function of IKE phase number two is to protect the user data. That's why it's called the IPsec tunnel. So the main function is just that the data which is going to be sent within the IPsec tunnel, which is also inside the ISAKMP tunnel, needs to be protected. So this phase has only one mode. So again, we are talking here about the IKE version one; all what I am explaining now about IKE phase one and IKE phase two is inside the IKE version one, because on IKE version two it's different, and I'm going to do a slide to explain more about the IKE version two. So the only mode used on the IKE phase two is the quick mode. So we don't have two modes like we have seen on the IKE phase one, where we have the main and the aggressive; on IKE phase two there is only one mode, which is the quick mode, and it uses three messages.
So actually, if you want to check those messages on Wireshark, you will see that you will not understand anything, because everything will be encrypted, because IKE phase two is going inside the ISAKMP tunnel, the tunnel which was made on IKE phase one. Now what happens in this phase? What will happen is that again the two peers will negotiate about information. Okay, so the negotiation, they are also called IPsec transform set or IPsec Security Association. Okay, so the two peers negotiate about the following. The first thing is the IPsec protocols: shall we use AH or ESP? Again, when the IPsec tunnel, which is for phase two, is formed, then it will not encrypt the data by itself, so the data will not be encrypted. What encrypts the data is if you use the ESP here as the IPsec protocol; that's what encrypts it. So the tunnel by itself doesn't do anything; when you use ESP as the IPsec protocol, that's what makes the encryption of the data. Okay, so it will choose whether we want to use AH or ESP. This information will be shared between the two routers, and after they choose whether AH or ESP, then the encapsulation mode, whether it's going to be transport or tunnel. We already know what the transport is and what the tunnel is; I have already explained that in the previous slides. And again, they will negotiate about the encryption; they will negotiate about the hashing, or what we call here the authentication algorithm, so whether we use MD5 or SHA. And there is an option here that you can renegotiate about the Diffie-Hellman, if you use the PFS. Okay, you don't have to do it, because already the Diffie-Hellman was done on phase number one, but for some people who want to have more and more security, you can enable that.
But I highly recommend that you don't do it, because this will take a lot of resources from your CPU, because again, these are asymmetric keys and this takes a lot of resources. So you can, if you want, let it be enabled on phase number two, but you don't have to. And finally, there is also the lifetime. The lifetime is very important. Why is it important? Because what you can do here, you can set the lifetime in days or hours or minutes, so whatever you want. So what you can do in this case is that you can set the time, and when this time is finished, then again the shared secret key which was shared between the two routers will be expired, and another shared secret key will be coming. So that means that if someone already has your shared secret key, then in this case you have a new key, and he will not be able to do anything. Okay, so that's something we can use on the lifetime. So after everything is agreed here, what you will have, you will have IKE phase two done inside the ISAKMP tunnel, which is for phase number one. You can see this is the tunnel inside the first tunnel, which was made on the first phase. So this is what happens on the IKE phase number two. So again, the main function of this phase is to protect the user data. There is only one mode, which is the quick mode, using three messages. And again, they will negotiate about the information that they want to use, which are the IPsec protocols, encapsulation mode, encryption, hashing, the Diffie-Hellman, which is optional, and the lifetime. And then, if everything is fine, it will make a new tunnel inside the IKE phase number one, and here it will be ready for the data to start being sent within the IKE phase two tunnel. So you can see the data will be sent inside the IKE phase two tunnel, which is inside the tunnel which is for phase one. Okay, so this is what happens on the second phase.
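The phase 1 parameters (profile, peer exchange mode, identity) and phase 2 parameters (proposal) from the last three lectures, as one RouterOS CLI configuration for a site-to-site tunnel between router A and router B. This is an added example and not the course's lab configuration. The object names ike1-main, phase2, site-a and site-b, the public addresses 203.0.113.1 and 203.0.113.2, and the placeholder secret are assumptions; the LAN addresses are the lecture's own 10.0.0.0/24 and 172.16.0.0/24. It uses RouterOS 6.45+ syntax, where the peer and the identity are separate objects.

```routeros
# Added example, not from the course. Router A: public 203.0.113.1, LAN
# 10.0.0.0/24. Router B: public 203.0.113.2, LAN 172.16.0.0/24.
# Public addresses, object names and the secret are assumptions.

# ---- Router A ----------------------------------------------------------
# IKE phase 1 (ISAKMP SA): hashing, encryption, DH group, lifetime.
# Both routers need a profile with identical values or phase 1 fails.
/ip ipsec profile add name=ike1-main hash-algorithm=sha256 \
    enc-algorithm=aes-256 dh-group=modp2048 lifetime=1d

# Peer: whom we talk to and how. exchange-mode=main sends the identity
# encrypted in six messages; aggressive would send it in clear text in
# three; ike2 switches to IKEv2, which has no main/aggressive modes.
/ip ipsec peer add name=site-b address=203.0.113.2/32 \
    exchange-mode=main profile=ike1-main

# Phase 1 authentication: pre-shared key (the alternative is certificates).
# The secret must match on both sides; replace the placeholder.
/ip ipsec identity add peer=site-b auth-method=pre-shared-key \
    secret="REPLACE-WITH-A-LONG-RANDOM-SECRET"

# IKE phase 2 (IPsec SA): ESP with AES-256, SHA-256 integrity, a short
# lifetime so the data keys are re-keyed, and no PFS (no second DH run).
/ip ipsec proposal add name=phase2 auth-algorithms=sha256 \
    enc-algorithms=aes-256-cbc lifetime=30m pfs-group=none

# Interesting traffic: the networks that trigger and use the tunnel.
/ip ipsec policy add peer=site-b tunnel=yes proposal=phase2 \
    src-address=10.0.0.0/24 dst-address=172.16.0.0/24 \
    action=encrypt level=require ipsec-protocols=esp

# ---- Router B (mirror image: same parameters, addresses swapped) --------
/ip ipsec profile add name=ike1-main hash-algorithm=sha256 \
    enc-algorithm=aes-256 dh-group=modp2048 lifetime=1d
/ip ipsec peer add name=site-a address=203.0.113.1/32 \
    exchange-mode=main profile=ike1-main
/ip ipsec identity add peer=site-a auth-method=pre-shared-key \
    secret="REPLACE-WITH-A-LONG-RANDOM-SECRET"
/ip ipsec proposal add name=phase2 auth-algorithms=sha256 \
    enc-algorithms=aes-256-cbc lifetime=30m pfs-group=none
/ip ipsec policy add peer=site-a tunnel=yes proposal=phase2 \
    src-address=172.16.0.0/24 dst-address=10.0.0.0/24 \
    action=encrypt level=require ipsec-protocols=esp

# ---- Checks, on either router, after sending interesting traffic -------
# Phase 1 up: the peer should be listed with state "established".
/ip ipsec active-peers print
# Phase 2 up: one installed SA per direction.
/ip ipsec installed-sa print
```

If active-peers stays empty or never reaches "established", the mismatch is in phase 1 (profile values, exchange mode or secret); if the peer is established but installed-sa is empty, the mismatch is in phase 2 (proposal or policy addresses), which is exactly the phase split the lectures describe.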
Now we have to go to the face off the data transfer where the data will be transferred and explained what will happen that now, before I finish this lecture, I just want to show you here on the my critic router. If we go toe i p i p sac and we can go to the, uh, for example, the proposal here. So here you can see the dusty a proposal. And this is where you make the compression for, like, face number two or part off the configuration so you can choose the authentication algorithm that you want to use the encryption. The lifetime now, at the end, is the PFS group that if you want to use again the defeat hammer on face number two, you can choose which different Hannah level you wanna use. But by default, it's left alone. And I recommend that you leave it to know. And, of course, for the i p SEC protocols negotiation. So that's something we have seen it here that you can choose a h o R s B. So once you finish the proposal, you assign it here. And then you say that I want to use encryption and I want to use the SB, for example, that in this case, or the data would be encrypted as well, having the data integrity at the authentication. So that is what I wanted to explain in this lecture. It's about the Eiffage number two. So we have already now the like face number one down I fish number two is also done. Then we'll see the upcoming lecture. What will happen for the data transfer? So I hope this lecture was informative for you and I'll see you in the election. 19. 18 IPSEC Data Transfer: Hi there. Did the smile had that here again? So after the I Phase one tunnel is formed either cantonal and the like fish to tunnel this phone, which is the I P sec tunnel. Then the data will be able to start flowing from one I p sec Pierre toe the other. So what happened here is that the data is transferred inside the Eisa camp and the eyepiece act on Also inside Ike phase one, an ike fish to tunnel using the A H or the SB. 
In case we choose AH, it will use AH, and in case we choose ESP, it will use ESP. As you can see here, that is what happens. So you have the IKE phase one tunnel first. Then you have the IKE phase two tunnel, which is inside the IKE phase one tunnel. And then the data will go inside those two tunnels to go from one side to another. If we are using ESP, it will be encrypted, and that's what we normally do. So again, this is what happens here: the data will go from one IPsec peer to reach the other IPsec peer. And the data will be very secure because, as I have already explained to you, the process has gone through two phases, and in the two phases there are a lot of things that happen, like encryption, like the integrity, like Diffie-Hellman and many, many more things. In this case we are making sure that our data is being sent securely from one side to the other side. And this is the IPsec tunnel working, and it is what we want: at the end the IPsec tunnel will work and we're sending the data securely from one side to another.

So if we go back here, I have already explained to you all the steps here: the first one, interesting traffic, the trigger of the VPN, is already explained; IKE phase one, explained; IKE phase two, explained; the data transfer, explained. And of course the VPN tear down I don't have to explain; that means that when you switch off the IPsec, you turn it off, then everything will go off, and when you enable IPsec again it has to go through all those steps again. So that is the whole theory about IPsec. There is one more slide that I have to explain, which is the difference between IKE version one and IKE version two. So it's gonna be a brief lecture to explain what the difference is, and then you can understand if you want to use IKE version one or version two; you will understand more about it.
And then after that I have to start doing the lab, which is for doing the site-to-site IPsec tunnel between two routers, and we'll see that all of what we have learned in this course is going to be applied in the lab. And then we understand what we're doing as configuration. So that is what I wanted to explain in this lecture. I hope it was informative for you, and I will see you in the upcoming lecture.

20. 19 Difference between IKEv1 and IKEv2:

Hi there, this is Maher Haddad here again. In this lecture, I'm going to speak about the difference between IKE version number one and IKE version number two. So you have maybe already seen a lot of people talking about using IKE version two for IPsec. Version two is nothing more than a new version to use IPsec. So here is a table which shows the differences. IKE version one was established in the year 1998, or around that time, while IKE version two was established in 2005. So you can see it's newer than version one, and it was developed by Cisco and Microsoft for the reason of being a successor for version one. So IKE version two is just a successor for version one, a new version. Now someone can say that we still see a lot of cases where people are using IKE version one, which is true; IKE version one is still used nowadays, but IKE version two is also widely used.

Now, the second point on the difference between IKE version one and version two is that version one supports the pre-shared keys and the certificates. So that's the authentication that I have already explained about. IKE version two does support pre-shared keys and certificates, but additionally it supports EAP authentication. So if you want, for example, to put a RADIUS server to do the authentication, then you can use EAP to do that. The third difference between IKE version one and IKE version two is that IKE version one, by its mechanism, doesn't have built-in NAT traversal,
while IKE version two has built-in support for NAT traversal. So that's also a difference between IKE version one and IKE version two. Number four is that IKE version one, on its phase one (remember we were talking about IKE phase one), has main and aggressive mode. That's something I have already discussed at length in this course: IKE phase one has the main and aggressive modes. While on IKE version two it has IKE_SA_INIT, so that's on phase number one. So that's also different; there is no main and aggressive mode on IKE version two. Now on version one again, when we talk about IKE phase two, IKE phase two has one mode, which is quick mode, which I have also discussed, while on IKE version two it has IKE_AUTH, so that's authentication; that's for phase two. Okay, so I'm just explaining now the differences, so you can see that it's not a big deal if you want to use IKE version two instead of IKE version one. The configuration is almost the same; there is not a lot of difference whether you want to use version two or version one.

Now, the good difference here is that version one requires more bandwidth for the tunnel to be formed, while IKE version two requires less bandwidth. So that's something you also have to consider in case you are doing a tunnel on a very small bandwidth; you may consider using IKE version two because it requires less bandwidth than IKE version one. Now, at the end, IKE version one doesn't have a built-in keepalive mechanism, while IKE version two has a built-in keepalive mechanism. So what does keepalive mechanism mean? That means that it will check from one IPsec peer to the other, and in case the VPN is dropped, then it will do the reconnection again.
That's on version two, while on IKE version one this doesn't happen, so there is no keepalive mechanism on version one. Now there are some other differences, but those are the main differences that you can find between IKE version one and IKE version two. Again, you will consider, when you want to configure your IPsec, to check what you want exactly, and you will see: okay, if I have less bandwidth, let's go to IKE version two; if I want a keepalive mechanism, I'll go to version two; if, for example, the users who are connecting to me have software which works on IKE version two, then let me make the configuration on IKE version two. So all those things you have to take into consideration when you want to choose between IKE version one and IKE version two. So I just made this video to show you the difference between IKE version one and IKE version two.

And if we go to the MikroTik router here and we go to IP > IPsec, I can show you here: when we work on the peers, you can see here the exchange mode; you can choose here IKE2, which is IKE version two. Of course we have the aggressive and the main that we have already seen. So you can see the configuration on the MikroTik router when you want to configure version two: it's not a big deal, it's not a big difference from when you want to configure IKE version one. So that is what I wanted to explain in this lecture, just the difference between version one and version two, so you see what the main differences are, and based on that you will say, okay, I will go for version one, or I will go to IKE version two. So you will check what the differences are and you will check what you have on your network, and then you can make the decision. So that is what I wanted to explain in this lecture. This is the last lecture talking about the theory of IPsec; we have already covered all the theory of IPsec.
Now it's time to start doing the lab, which we have been waiting for during the whole course, and this lab is based on what we have studied. You will see that the lab will be very easy, making the configuration for the IPsec tunnel between two MikroTik routers. So that is what I wanted to explain in this lecture. I hope it was informative for you, and I will see you in the upcoming lecture.

21. 20 Introduction to the IPSEC LAB:

Hi there, this is Maher Haddad here again. Enough of theory on IPsec. I know that many of you are saying that we are only talking about the theory of IPsec, so when are we going to start doing the lab? So in this section, I'm going to do the lab for IPsec. I had to go through the theory, because how can I explain to you in the lab about phase one or phase two, or the aggressive or the main mode, or IKE version two, and so on and so on, if I didn't do all this explanation upfront? So I had to explain all the details of IPsec in order to be able to do the lab of IPsec. So in this section I am going to do the site-to-site lab for IPsec. This section is going to be in two parts. In the first part I'm going to prepare for the IPsec: that means I have to have two routers, I have to connect them to an ISP router, I have to do the NAT, I have to do the route, I have to be able from one router to reach the IP which is the outside IP of the other router, and vice versa. So that is the first part of the lab. Then in the lecture which comes after, I'm going to do the configuration of the IPsec. So I'm gonna go through all the things that we have already learned up to now and do the lab of IPsec. Then you will see that it's gonna work for us the way that we have learned. So this is why I'm going to do the first lab. If you are ready, let's start directly with the first lab.

22. 21 Pre configuration of the IPSEC Tunnel:

Hi there, this is Maher Haddad here again.
In this lecture, I'm going to do the first lab, which is the pre-configuration of the IPsec. So when we want to configure IPsec, we first have to have the two routers connected to the internet, and there is some configuration we need to do, like the NAT and like the route. So that's something I'm gonna do in this lab, and I will show you how you can do it. Of course, if you already know how to do that, you can skip this lab and go to the lab which comes after, but I would just like to do everything from scratch to show you how you can configure IPsec from scratch. As you can see here we have five points, so it's not a very long lab. But before I start doing those points, let me just show you what we need to do in this lab.

So that is our lab scenario. We have router one, which is one IPsec peer, and we have router three, which is another IPsec peer. And between those two routers there is the internet, and in my case it's a router; I'm gonna call it ISP. So what I need to do at the end is that router one is having a tunnel with router three via the ISP router. So it's gonna be an IPsec tunnel. By the end of the lab, the PC which is here is going to be able to reach the server which is here via the IPsec tunnel. Okay. Now, I'm not going to put the server here. What I'm going to do, I'm gonna make a bridge interface on router three, which is like a simulation of a network device. So a bridge interface is nothing more than to say that there is something connected to the router on that interface. Okay, so what I need to do now in this lab is just to put the IP addresses, to do the NAT, because remember, when you are connected to the internet, you have to do NAT, and the NAT has to be on the outside interfaces of those two routers, and I have to do the IP route. So it's a default route also: when you want to connect to the internet, you have to say that anything
going to the internet goes from this side, and anything going to the internet goes from that side on the other router. So in this case, router one at the end is able to reach this interface IP address, because we need router one to reach the outside interface of router three, and also router three to reach the outside interface of router one, to be able to see the IP and to do the IPsec tunnel to each other. And if you are working in a real environment, those two interfaces need to have a public IP on them. In my case, I'm not putting public IPs because it's just a lab. But in your case, if you are doing a real scenario for IPsec, the outside interfaces of the two IPsec peer routers need to have a public IP on the interface. So that is what I'm going to do in this lab. Let's go directly and start doing the points.

Point number one: check that the RouterOS version is 6.44 plus. Why is it important that the version of the RouterOS is 6.44 plus? Because before that there was another view of the IPsec configuration; the IPsec configuration was laid out a bit differently than when it is on version 6.44 and above. Okay, so I'm using here, as you can see, version 6.45.7. That's the latest version as of today. So please, if you are doing this lab, make an upgrade for your RouterOS and make it on the latest version, or on a version which is over 6.44. The difference is not too big between the older versions of RouterOS which are less than 6.44 and the ones which are more than 6.44, as for the IPsec configuration, but because I'm doing the lab on the latest RouterOS, I would advise that you also upgrade your RouterOS. To upgrade your RouterOS, all you need to do is go to System > Packages, and here you can click check for upgrade.
And once you click check for upgrade, if your RouterOS is an older version, then it will get a new version for you and you can download it and install it. Okay, so in my case I'm using 6.45.7. So everything is fine on my side; point number one is done.

Point number two: put the IP addresses on the routers' interfaces as shown in the graph. Let me just put the graph here so you can see what I'm doing. So now we need to put the IP addresses as per the graph. So first the PC. The PC has an IP address; if we look here on the bigger picture, it has an IP address of 192.168.2.2, so you can see I put here 2 and then .2. So this is the IP address of the PC; I already have the IP address set on the PC. Now we need to put it on ether1 of router one: 192.168.2.1. So we go to the router and we go to IP > Addresses. At this moment I don't have any configuration on all the three routers, okay, so there is no configuration; it is a blank configuration. Let's put first the IP address of 192.168.2.1 on router one, which we said here is 192.168.2.1/24, and that's on the ether1 interface. If you want, you can put the comment here and you can say that this is for the LAN, and that's it. Now for the outside interface, it's 192.168.12.1; look at the picture. So we have to put the IP address 192.168.12.1/24 on the interface ether2; we can make a comment here and say WAN. So with this, router one is done. We go to the ISP router; also there is no configuration on this router, the ISP router. We have to put the IP address of 192.168.12.2/24, and that's on ether2, and here we can say this one is to router one. And we have to put the IP address of 192.168.23.2/24, and that's gonna be on ether3.
And the comment is to router three, and that's it. So we have finished also the IPs on the ISP router. And if you want, just to be sure, we can ping from the ISP router to router one, 192.168.12.1, and ping is working. We still have to do now router three. So we go to router three, and on router three the WAN interface is ether3. So we go to IP > Addresses: 192.168.23.3/24, that's on ether3. And here I have to put the comment; I will say WAN, so that's connected to the ISP, and that's it. And the last one is the one which has the server. In this case I don't have the server connected. What I can do, I can create a bridge interface. So you just click on Bridge, you create a bridge interface, that's it, it's created here. And now we can put the IP on the bridge interface, and this IP is gonna be 3.3.3.3, and this is gonna be on the bridge interface. And if you want, you can put here server. Of course, here we have to put /24; don't forget it. And we say that's for the server, and okay. So that's already configured. Let's check if router three can see the ISP; then we say ping 192.168.23.2. It's fine. So all the addresses are set correctly and everything is working fine as we want. Point number two is done.

Point number three: now on router one we need to make NAT and we need to do a default route. So remember, if we go back to the picture, when you are connecting to the internet you need the users which are here, the inside users, to go to the internet, and for that you need to do NAT, okay. And that NAT you have to do it on router one and also on router three: for the users which are here inside, we also need to configure NAT to make the translation from the internal IP address to the external IP address. Okay.
And plus, you need to do routing, so routing to say to the router that if you want to go anywhere, go from here to the internet; and also from router three you have to do a default route. So if any traffic is going anywhere, just send it from the outside interface to go to the ISP router. So that's what we need to do on both routers. Let's start with router one. We go to router one. Now we have to first make the NAT. To do the NAT, we go to IP > Firewall, and here you have NAT. Then you click plus, and from here you have to say srcnat, so that's the chain, the srcnat, for anything which is going outside from my outside interface, which is ether2. Look at the picture: the outside interface of router one is ether2, that's the WAN interface. Then the action is masquerade. That's it; that's what you need to do first for the NAT. And now we need to do the IP route, so we can go here and say IP and then we can go here to Routes. So to go to anywhere, go to the gateway, which is the gateway in this case for router one. If you go back here to the picture, router one's gateway is the next hop, which is the IP on the ISP router, which is 192.168.12.2. So that's the next hop address. So we do here that the gateway is 192.168.12.2, and I will say okay; it's reachable. Now this is done on router one; we go to router three. Now again on router three we go to IP > Firewall, we go to NAT, and we say srcnat, which is going out from the out interface of router three; it is ether3, that's right, and the action is masquerade, and I will say OK. And then we have to do the route, so IP and then Routes: to go to anywhere, go to the gateway, the next hop, in this case it's 192.168.23.2; please look at the picture, so that's the ether3 interface IP address of the ISP router.
And then I would say OK. So that's what you need to do, and now both routers, if you are really connected to the internet, both routers will be able to connect to the internet. Point number three is done: we made the NAT and a default route on router one. Point number four is done: we made the same on router three; actually, it should say router three here and not router two, we don't have a router two here. And then finally, we have to check if router one can reach the outside interface of router three, and vice versa.

So if we go back to the picture, I will clear here a little bit so we can see what we need to do now. So we have finished the configuration. What is important for us is that router one can reach this IP address of router three, because it wants to do the IPsec tunnel to the router and it needs to reach the WAN interface of router three. And also router three needs to reach the IP of router one which is here. So we have to be sure now that the routers can see the interfaces of each other. If you are, again, working on a real scenario, you should have public IPs on both of the routers, and of course you are connected to the internet, so they should be able to see each other. So let's check now. In my case, after I have finished the configuration, router one can see the IP of router three, which is 192.168.23.3. Okay, let's check. We go to router one, and from here we go to Terminal. We ping 192.168.23.3, enter, and here we go: router one can see the interface of router three, the WAN interface. You can see it after we made the NAT and we made the routes; you can see it. But if we ping 3.3.3.3, which is the server, then it's net unreachable. Why? Because that's a network inside, and of course it cannot reach it. Then what we need to do, we have to make the IPsec tunnel.
And after we finish the IPsec tunnel, we will see that this router, but also the computer which is behind router one, is able to reach that IP address. Okay, now, if you want, we can go to router three, and from router three I can go here and ping. Now the WAN interface of router one is 192.168.12.1, and here we go: also router three can see router one's WAN interface, because again it wants to form the IPsec tunnel with that interface. And the last thing that I would like to do, maybe we can go from the PC which is behind router one, which should be connected to the internet. So this PC is connected to router one, router one is connected to the ISP router, which is connected to the internet. So why don't we try from this PC to ping the WAN interface of router three, because it's connected to the internet. So we say ping 192.168.23.3, and here we go, you can see it has a reply. So that means that the configuration that I have done is working fine and the PC can reach the WAN interface of router three. That means the NAT and the IP addresses and everything that I have done is working the way it should. Point number five is done.

And with this point I have just finished the pre-configuration of the IPsec tunnel. I have prepared the lab to be able now, in the upcoming lecture, to do the lab of configuring the IPsec. OK, so as you can see, I showed you from scratch what you need to do if you want to repeat this lab at home and you don't have, of course, public IP addresses. So that is how you can do it. Again, I'm here using GNS3 with the CHR image. So if you want, I can show you that; you can see that this is what I have now. So this is GNS3, and it is with the CHR image. Let me put it again here and make it small. So this is just the configuration I have: this is my PC, this is router one, this is the ISP, this is router three.
So all that's happening now is happening on one PC. Okay, so you can also do the same if you want and use GNS3 in order to make this lab, and then of course be sure that you are using the latest CHR image, which you can download for free from the internet. So that is what I wanted to explain in this first lab. And now it's very exciting, because the next lab is gonna be how to configure the site-to-site IPsec. I hope that this lecture was informative for you, and I will see you in the upcoming lecture.

23. 22 Configuring site to site IPSEC tunnel using IKEv1 and IKEv2 Part1:

Hi there, this is Maher Haddad here again. We have reached now the lecture which is gonna be a lab to implement all that we have studied in this course. So this lab is going to be the site-to-site IPsec tunnel, and all that we have studied during this course, you will see that everything will be applied in this lab. As you can see here, we have 12 points to do. But before I start doing those points, let's go back to the lab scenario and I will explain what we have to do. So in the previous lecture I have made the lab and I have showed you how to make the pre-configuration of the IPsec tunnel. So we have configured router one and router three; they are able to see each other via the ISP router, but also the PC which is over here can also see router three's outside interface. So I have implemented the NAT and the routing and put the IP addresses, and everything is working fine. So now what we need to continue with is to do the configuration of the IPsec tunnel. So at the end, what we need is to make here a tunnel between router one and router three via the ISP router, via the internet, and in this tunnel, then this PC which is sitting behind router one is able to go via this tunnel and send its traffic to be able to reach this server, and vice versa; also this server is able to reach the PC.
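The pre-configuration that the previous lecture built click by click in WinBox, and that is recapped just above, written as RouterOS terminal commands. This is an added example and not part of the course: the interface names ether1, ether2, ether3 and bridge1, the comments, and the explicit 0.0.0.0/0 destination on the default route follow the lab diagram as described in the lecture; the ISP router is a plain RouterOS box standing in for the internet, and in a real deployment the two WAN interfaces carry public addresses instead of the 192.168.x.x lab ranges.

```routeros
# ---- Router 1 (branch side, IPsec peer 1) ----
/ip address
add address=192.168.2.1/24 interface=ether1 comment="LAN"
add address=192.168.12.1/24 interface=ether2 comment="WAN"
# point 3: masquerade everything leaving the WAN interface, then a default route to the ISP
/ip firewall nat
add chain=srcnat out-interface=ether2 action=masquerade comment="internet access for LAN"
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.12.2 comment="default route via ISP"

# ---- ISP router (stands in for the internet between the two peers) ----
/ip address
add address=192.168.12.2/24 interface=ether2 comment="to router1"
add address=192.168.23.2/24 interface=ether3 comment="to router3"

# ---- Router 3 (headquarters side, IPsec peer 2) ----
# the bridge simulates the server LAN, as in the lecture
/interface bridge
add name=bridge1 comment="server"
/ip address
add address=192.168.23.3/24 interface=ether3 comment="WAN"
add address=3.3.3.3/24 interface=bridge1 comment="server"
# point 4: same NAT and default route, mirrored
/ip firewall nat
add chain=srcnat out-interface=ether3 action=masquerade comment="internet access for LAN"
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.23.2 comment="default route via ISP"

# ---- point 5: reachability checks, run from a terminal on each router ----
# on router1: the peer's WAN answers, the peer's LAN does not until the tunnel exists
/ping 192.168.23.3 count=4
/ping 3.3.3.3 count=4
# on router3: the other peer's WAN answers
/ping 192.168.12.1 count=4
# and confirm what the routing table and NAT chain actually contain
/ip route print where dst-address=0.0.0.0/0
/ip firewall nat print
```

The two `/ping` lines reproduce what the lecture shows: replies for 192.168.23.3 and "net unreachable" for 3.3.3.3, because the ISP router has no route for the 3.3.3.0/24 network; that is exactly the gap the IPsec policy closes in the next lecture.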
So if you want now, what we can do, we can go to the command prompt here, and we have checked already that the PC is able to reach the outside interface of router three; we have made a ping in the previous lecture. So now if I ping from my machine to 3.3.3.3, which is the IP of the server which is behind router three, you can see it's saying to me destination net unreachable. Okay, so after we complete the IPsec tunnel, we will be able from this PC to reach 3.3.3.3. Okay, so let's go back now to the points and start with them.

Point number one: on router one, go to IP > IPsec, then Profiles, and choose SHA1, AES-128, Diffie-Hellman group modp1024, lifetime one day, and click OK. So what we are doing now, this is what we call phase one of IPsec. Remember when I was talking about phase one? You have to make the encryption and the integrity, which in this case is encryption AES, integrity SHA1, the Diffie-Hellman, and also put the lifetime. So that's something we have to do on phase one; this is part of the configuration of phase one. Okay, so let me put the picture here so you can follow what I'm doing. So we go to router one; that is router one, and we go to IP > IPsec. First, what I have done: we also have here Policies, we have a default one, and we have Proposals, a default one. Just make them disabled. I don't want any default settings on the IPsec, so I'm doing the configuration from scratch, from zero. I have also done the same on router three. So now I said go to Profiles, and on Profiles I will create a new profile. And this profile, let's give it a name, profile1. So here, what is the hashing algorithm you want to use? You have MD5, SHA1, SHA256, SHA512; you already know all about those. So I said to use SHA1. And the encryption, what do you want to use: DES, 3DES, AES, Camellia, Blowfish.
So I said here that you have to use AES-128. So this is again what we are doing for phase one of the IPsec. So remember, we have phase one, phase two, and before that we have the trigger to make the tunnel work; that's something I'm gonna do in a moment. So what I'm configuring now is phase one. Now, for Diffie-Hellman you have here the Diffie-Hellman group levels. So I said, OK, choose modp1024. Lifetime: how long phase one will stay until it will refresh again; that means the keying will happen again, that's the Diffie-Hellman. So that's something I have said there to put as one day. So we leave the lifetime at one day. You can also make it lifebytes if you want, but I said to make it one day as a lifetime. Okay, so that is the configuration. The same configuration that you do here should be the same on the other router, router three. So again, if you select AES-128, that should be the same that you have to select on router three when you create the profile. If you put SHA1 here, don't put for example SHA256 there; it's not gonna work. You have to put SHA1 on the other router. Okay? And now I will say OK. So I have already created the profile. You see, it's not very difficult, the IPsec configuration, but because you already know all the theory, you understand what we are doing now, and you see that it's very easy. If you don't know the theory, you will see that it's very complicated to make the configuration of the IPsec. Point number one is done.

Point number two: now we have to go to Peers and put the address of 192.168.23.3, the profile to be profile1 that we have created, and the exchange mode should be main, and click OK. So now if we go back to the picture here, the peer for router one: so that is router one, and its peer, the one which is going to be the IPsec one, is 192.168.23.3.
Okay, so we have to say to router one that this is the peer that you are going to make the IPsec tunnel with. So go back to router one; we go this time to Peers and we click plus. So here we can name it whatever you want; I will keep it peer1. The address of the peer is 192.168.23.3. All right. Now the port: normally it uses port 500, but you don't have to put it; you just keep it as it is, blank. The local address is something you can put also; you don't have to put it. But here what is important is the profile. You have to select that for this peer, the IKE phase one that is gonna work with this peer is the one that I have created, which is profile1. Okay, remember, that's the IKE phase one that it needs to speak to this peer. And the exchange mode: remember, here we said that for IKE phase one we can use main, we can use aggressive, we can use IKE version two. I'm gonna do all of them, but now let's check the main one. So we are going to use the main one, which is the more secure one. So we choose main. From the other side you have to put the same too; you have to put main, okay? And then I will say OK. So now we have the peer here showing, and its exchange mode, which is main, and with the profile, which is the profile1 that we have created. Point number two is done.

Point number three: go to Identities, select peer as peer1 with pre-shared key, and the secret key is 12345678, and click OK. So now what we are going to do is to make the authentication. So we have to say how to authenticate with the other router. Remember, we have authentication in the features of IPsec. In order to authenticate the other IPsec router, you have to use the pre-shared key, and the key which you put is 12345678. Of course, you can put a more complex one, but as it is a lab, I'm just choosing this simple one. So we go to router one again and we go to Identities. We click plus; now, who is the peer?
So my peer for router one is the one that I have created, which is router three. What authentication method are we using? So here you can choose pre-shared key; you can also use the certificate. But because we're using now IKE version one, we can use any of those. But I will use the pre-shared key. So the secret is 12345678. Remember, this needs to be the same when you put it on router three, because they need to authenticate each other; they should have the same key, okay, the same secret. And then that's what you need to do on this side. And then I will say OK. All right. Now if we look at the active peers here, you can see that this router now, router one, because we have put all the things that are needed for phase one to work, is sending here, saying it is the initiator. So it's sending to the remote address, which is router three, to be able to form the IPsec tunnel. So it is the initiator; it's the one which is starting the IPsec tunnel. Okay, but of course this is not gonna work, because we didn't finish the configuration on this router, and also we didn't do any configuration on router three. Point number three is done.

Point number four: we have to go to Proposals and create a new one with SHA1, AES-128, lifetime one day, and the PFS group is none. So this is the configuration of phase number two. Okay, so remember, when we finish phase one we have to do also phase number two, and that's how IPsec works. So if we go to router one, we go to Proposals, and I create a new proposal. Here the authentication algorithm is SHA1; that's fine, that's what we want. The encryption algorithm is AES-128; that's okay. The lifetime: we should put it for one day, so we make it here 24 hours, that's one day. PFS group: remember, this is if you want Diffie-Hellman to work on phase two also. But again, as I told you in the explanation, you can also use Diffie-Hellman on phase two.
That is for the symmetric and asymmetric keys to be exchanged. But this will take more resources on your CPU, and it's not necessary that you do it. That's why they said to put the PFS group as none. That means do not use Diffie-Hellman on phase 2. And then I say apply and OK. So again, remember, this proposal should be the same when you create it on router three. And then OK. So phase 1 is done and phase 2 is almost done too. We still have to say what we want to use, ESP or AH. That's the IPsec protocol that we want to use between the two routers. So we still have one step to do, and then we are done with the IPsec configuration on the first router. Point number four is done. Point number five: now we need to create the new policy by checking Tunnel, with the source address 192.168.20.0/24, destination 3.3.3.0/24, action encrypt, IPsec protocol ESP, and the proposal, which is proposal1 that we have created. So we go to router one again. Now we go to Policies and we create a new policy. All right, so here on this policy I'm saying that I want to make IPsec with the peer, which is peer1, which is router three. So here they are asking you how you want to do it: do you want to do tunnel, or do you want to do transport? OK, remember the difference between tunnel mode and transport mode. So if you check Tunnel, that means you are doing tunnel mode. If you keep it unchecked, then you are doing transport mode. So I'm going to say I want to do tunnel mode. That means it will encrypt everything from layer 3 and above. Now the source address: that means, for the IPsec that you are doing, from which source address to which destination address.
If we go here to the picture: for the IPsec that we are doing in this case from router one, the source address is going to be this one, 192.168.20.0, while the destination address is this one, which is 3.3.3.0/24. Okay, so that's what connects the two networks, because remember, router one can be the router in a branch office and router three the router in the headquarters, and we want this PC, which is in the branch office, to be able to reach the server, which is in the headquarters. So this is where you have to put the settings, the IP addresses of the internal LAN of each of the sides. Okay, so we go to router one and we continue here. The source address on router one is 192.168.20.0/24 and the destination address is 3.3.3.0/24. So that's the General tab here. We say here that we want to make the policy with IPsec with peer1, tunnel, source is the internal address, destination is 3.3.3.0/24. Action: what do you want to do with this? Do you want to encrypt, discard, or none? Of course, in my case I want to encrypt. Okay. So the level: unique, use, or require. I'll say require, to encrypt everything. Now the IPsec protocol: do you want to use AH or ESP? Remember the difference: ESP does the same as AH but in addition does the encryption. So I'm going to say I want to use ESP in this case, and the proposal is the proposal that I have already created, which is proposal1, which we have created in the previous point. Okay, and then I say apply. So now we can check the status. You see, it says "no phase 2", because we didn't finish yet the configuration on the other side. So those are all the things that we need to configure on the IPsec peer on router one; the same we have to do on the other side.
So now you can see that it is saying here "no phase 2". And if we go to Active Peers, you can see that this is the initiator, and it is trying to make IPsec with this peer. All right. Point number five is done. Now point number six: do the same five steps on the other side. So the same that we have done on router one we have to repeat on router three. Let's do that. We go to router three. I go to IP > IPsec. From here we have to start. First we create the profile. In the profile we click plus, we name it profile1, that's fine. We used SHA1, so SHA1. We used AES-128; we keep it. We used modp1024, so we keep that one. We made the lifetime one day. So it is what we have done on the other side; we do the same. After we do that, we create the peer. On the peer you name it peer1, and we say here that in this case the peer of router three is now router one, which is 192.168.1.1. Okay. Now the profile is profile1 that I have just created, and the exchange mode we keep as main, because on the other side we also made it main. And then I say OK. Now the identity: here I click plus, and for the identity we have to use the pre-shared key again, the peer is peer1, and the secret we said is 12345678. And then I say OK. Now if I look at Active Peers, you can see that this time it is working. You can see it's established, because the other side also has the same configuration. So the peer is established. That means that phase 1 is working. Okay, but we didn't finish yet phase 2, because phase 2 is needed for IPsec to work. But you can see now with the uptime that it's working here. If we go to router one and we go to Active Peers, it is also established. But look here: if we go to Policies it's still saying "no phase 2", because we didn't finish the configuration of phase 2. Let's continue for router three. We go to router three again.
Now we need to configure the proposal. I click plus, we name it proposal1, SHA1, that's fine. We use AES-128 CBC; that's also what we have chosen there. The lifetime here we put 24 hours, so one day. The PFS group we leave as none, and then I say apply. That's fine. And at the end we make the policy. So we create the policy here: with peer1, we check Tunnel, and in this case the source address is vice versa. So in this case I have to say 3.3.3.0/24, and the destination address is 192.168.20.0/24. Let's look at the picture, so you see those addresses. And then the action is encrypt, require, ESP, and the proposal is proposal1, and then I say apply. And now you can see that phase 2 is showing that it is established. Okay. And if you want, I can make it big here and you can see that phase 2 is established. That means the IPsec tunnel is working. And if we go to router one, we go to IP > IPsec, you can see in Policies that it is also established. So this is the configuration that you need to do in order to establish the IPsec tunnel between the two peers. Point number six is done. So as the IPsec tunnel is formed between the two routers, point number seven: they are saying, can you ping from your PC to 3.3.3.3? Let's try. So we go here to the PC and we open the command prompt, and I ping 3.3.3.3. So this PC is sitting behind router one, which is forming a tunnel with router three, and I'm pinging 3.3.3.3, and as you can see it's still saying Destination net unreachable. So, why not? Why are you not able to ping 3.3.3.3? Remember, when I was doing the configuration here on the IPsec, when we were working on the peers, I said that the exchange mode is main.
So remember, main and aggressive are from IKE version 1. Again, main and aggressive are from IKE version 1, and based on what we explained about the difference between version 1 and version 2: IKE version 1 does not bypass the NAT, and that's something I can show you here. When I was doing the comparison here, I said somewhere here that version 1 doesn't have a built-in NAT traversal. So version 1 does not have NAT traversal, while IKE version 2 has built-in support for NAT traversal. So the problem is that the IPsec tunnel is formed, but the packet cannot pass from one side to the other inside the tunnel because it cannot bypass the NAT, and that's the main issue that we have now. So again, if you go to the picture, what's happening now is that the tunnel is formed between the two routers. So there is no problem with the tunnel; the IPsec is formed. But when the PC here is trying to send the packet to go to the server, the router here has a NAT, and as we are using main mode, which is IKE version 1, this packet cannot traverse the NAT. So we need to do something to allow this packet to traverse the NAT, go into the tunnel, and then be able to reach this server. So that is why you are not able now to reach the server. So let's see how we can fix this problem. Point number seven is done. Point number eight: do the configuration needed to bypass the NAT on router one and on router three. So I will stop the lecture here, because we are already past 20 minutes. The last points I will continue in the upcoming lecture, to show you how we can bypass the NAT, but I'm also going to do more things in the upcoming lecture. So that is what I wanted to show in this lab. Please do not leave; let's continue the lab. It's good that you stay and you watch the upcoming lab, because they are connected to each other. All right, so I hope this lecture was informative for you, and I will see you in the next lecture.
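The six configuration points above (profile, peer, identity, proposal and policy on router one, then the mirror on router three), written as RouterOS CLI commands instead of WinBox clicks. This is an added example, not a configuration export from the course; it uses the lab's values as heard in the lecture (router three WAN 192.168.3.3 with LAN 3.3.3.0/24, router one LAN 192.168.20.0/24, pre-shared key 12345678). The WAN address of router one, 192.168.1.1, is an assumption read from the transcript, and the command layout assumes RouterOS 6.45 or later, where profile, peer and identity are separate objects as in the lecture's WinBox menus.

```routeros
# Router one (branch office). Lab values from the lecture; 192.168.1.1 for router
# one's own WAN address is an assumption, the rest is as stated in the course.
# Phase 1: profile (SHA1, AES-128, modp1024, 1 day) and the peer that uses it.
/ip ipsec profile add name=profile1 hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d
/ip ipsec peer add name=peer1 address=192.168.3.3/32 exchange-mode=main profile=profile1
# Phase 1 authentication: pre-shared key, must match on both routers.
/ip ipsec identity add peer=peer1 auth-method=pre-shared-key secret="12345678"
# Phase 2: proposal (SHA1, AES-128-CBC, 1 day, no PFS) and the tunnel-mode policy
# that selects branch LAN -> headquarters LAN traffic for ESP encryption.
/ip ipsec proposal add name=proposal1 auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=1d pfs-group=none
/ip ipsec policy add peer=peer1 tunnel=yes src-address=192.168.20.0/24 dst-address=3.3.3.0/24 action=encrypt level=require ipsec-protocols=esp proposal=proposal1

# Router three (headquarters): identical, with the peer address and the
# policy's source/destination swapped, exactly as in point number six.
/ip ipsec profile add name=profile1 hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d
/ip ipsec peer add name=peer1 address=192.168.1.1/32 exchange-mode=main profile=profile1
/ip ipsec identity add peer=peer1 auth-method=pre-shared-key secret="12345678"
/ip ipsec proposal add name=proposal1 auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=1d pfs-group=none
/ip ipsec policy add peer=peer1 tunnel=yes src-address=3.3.3.0/24 dst-address=192.168.20.0/24 action=encrypt level=require ipsec-protocols=esp proposal=proposal1

# Checks on either router: phase 1 appears as "established" under active-peers
# once both sides are configured; the policy's ph2-state turns to "established"
# and installed-sa lists the ESP security associations for phase 2.
/ip ipsec active-peers print
/ip ipsec policy print
/ip ipsec installed-sa print
```

The three `print` commands are the CLI view of what the lecture checks in the Active Peers and Policies tabs: until router three has its own profile, peer and identity, router one only shows itself as initiator, and until both proposals and policies exist the policy still reports "no phase 2". The algorithm choices are the lab's; on a production link the same `hash-algorithm`, `dh-group`, `enc-algorithms` and `pfs-group` parameters are where you would select stronger values, and whatever is chosen has to be identical on both routers or phase 1 or phase 2 will simply not come up.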
24. 23 Configuring site to site IPSEC tunnel using IKEv1 and IKEv2 Part2:

Hi there, it's Maher Haddad here again. In the last lecture I showed you, in point number seven, why the PC cannot ping 3.3.3.3: because we are using the main exchange mode, which is on IKE version 1, and version 1 doesn't have the capability to do NAT traversal. So we need to do a configuration on the router to allow the packet to make NAT traversal, to be able to go via the IPsec to the other side and come back. So point number eight: do the configuration needed to bypass the NAT on router one and router three. So we go to router one. All you need to do here is the following. You go to IP > Firewall, you go to NAT. So we already have the NAT that we configured in the first lab, when we were doing the pre-configuration of the IPsec. Now we have to create a new rule, and again I say the chain is srcnat. So anything on router one coming from 192.168.20.0/24, which is its LAN, okay, going to the destination 3.3.3.0/24, which is the LAN of router three. So anything coming from this network going to that network, which is what we wanted to allow on the IPsec: in this case the action is to accept. That's what you need to do in this case. And then you take it and you put it above the masquerade, okay? That's what you need to do on router one: anything coming from the LAN of router one going to the LAN of router three is accepted in srcnat. Now we go to router three, and again on router three we do the same. But this time we have to say, we go here to Firewall, NAT, you have to say srcnat also, anything coming from 3.3.3.0/24, okay, because in this case the source is the LAN of router three, going to 192.168.20.0/24. Then the action is to accept as well. Again, we check. That's all.
OK, and then I say OK. And then we take it and we move it up, okay, we put it above the masquerade. That's what you need to do to be able to allow the packet going via the IPsec to pass through the router and traverse the NAT. Okay. Point number eight is done. Point number nine: is the ping working now from your PC to 3.3.3.3? Let's have a look. It was not working a moment ago; let's check now again. If we add -t to keep it running, and here we go: you can see now that I'm able, after I made the bypass of the NAT, I'm able now from my PC to reach the server. Actually there is no server; there is a bridge interface on router three, but it is something you have to consider like a network connected to router three. That means now that it is working; that is IPsec. I did this. That is really IPsec, what we have learned; we have applied it now and it is working. Okay, point number nine is done. Point number ten: change the exchange mode from main to aggressive on router one. Is the IPsec still working? So if you go back to the picture, now we have the exchange mode on router one as main and on router three as main. So they are saying, okay, now take this main out and put aggressive in its place. So we have aggressive from one side and main from the other side. We have to see if it's going to work. So let's give it a try. We go to router one. So the ping is still ongoing now. We go to router one, and from router one I have to close the NAT window, and then I go to IP > IPsec, and from here I go to Peers and I change the exchange mode to aggressive. Then I say apply. Okay, so it changed; it is aggressive. Let's have a look now at the ping. What's happening? Directly the ping has stopped. Why? Because we have one side aggressive, router one, and the other side is main. That's again on IKE phase number one.
And if we have a look here at the active peers, you can see that IKE phase 1 now, because the peer is not showing anymore, has no session uptime. So in this case it's not working. Point number ten is done. Point number eleven: change the exchange mode to aggressive on router three. Is it working now? So we can still see that it's not working, so we go to router three. We go now to IP, we go to IPsec, we go to Peers and we change this one from main and we put aggressive. So we have router one in aggressive mode and router three in aggressive mode, and we say OK. Let's have a look now at the ping, whether it's going to come back. And here we go; you can see, because both are now in aggressive mode, it is working. All right, so when you want to apply one of the exchange modes, whether main or aggressive, it should be the same on both sides. Point number eleven is done, and the last point that we have in this lab is to change the exchange mode to IKE2 on both routers and check if the ping is working. So again, we are now going to use IKE2, which is IKE version 2 actually. Okay? And we have to see if the ping is still working. So at this moment both routers are on aggressive mode. Okay, so you can see, if you go back to the ping, with my ping -t you can see that the ping is working. Now I will stop the ping. I will go to router one, and on router one I will change the exchange mode to IKE2. So we have one side IKE2 and the other side aggressive, and I will ping. It's not working, you can see, at this moment, because it's two different exchange modes, so it's not going to work. So we go to router three now, and on router three I will change it also to IKE2. So both sides are IKE2. Check here, and the active peer shows up. Now if we go and try to ping again, here we go. You see, making the configuration of version 2 is not very difficult.
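Points eight to twelve of this lab as RouterOS CLI commands: the srcnat accept rules that are placed above the masquerade on both routers, and the exchange-mode changes that the lecture makes on one router at a time. This is an added example, not a configuration export from the course; the addresses are the lab's (192.168.20.0/24 behind router one, 3.3.3.0/24 behind router three) and the peer name peer1 is the one used throughout the lecture.

```routeros
# Router one: traffic from the branch LAN to the headquarters LAN must not be
# masqueraded, otherwise its source address no longer matches the IPsec policy.
# place-before=0 inserts the rule at the top of srcnat, above the existing masquerade
# (the lecture does this by dragging the rule up in WinBox).
/ip firewall nat add chain=srcnat src-address=192.168.20.0/24 dst-address=3.3.3.0/24 action=accept place-before=0

# Router three: the mirror rule for the return direction.
/ip firewall nat add chain=srcnat src-address=3.3.3.0/24 dst-address=192.168.20.0/24 action=accept place-before=0

# Confirm the order: the accept rule has to be listed before the masquerade rule.
/ip firewall nat print

# Points ten to twelve: the exchange mode is a property of the peer. The lecture
# changes router one first (ping stops) and then router three (ping returns),
# so run the same command on both routers; the two values must match.
/ip ipsec peer set [find name=peer1] exchange-mode=aggressive
/ip ipsec peer set [find name=peer1] exchange-mode=ike2

# Check: the peer reappears in active-peers only when both ends use the same mode.
/ip ipsec active-peers print
```

The ordering matters because RouterOS evaluates srcnat top down and stops at the first matching terminating rule: with the accept rule first, LAN-to-LAN packets keep their private source address and are encrypted by the policy; with the masquerade first, they leave with the WAN address and the policy never sees them. A later RouterOS addition that avoids depending on rule order is the `ipsec-policy=out,none` matcher on the masquerade rule itself, which skips masquerading for any packet an IPsec policy will encrypt.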
So that's what you need to do. Point number twelve is done. And with this point I have showed you how you can configure a site-to-site IPsec tunnel using everything that we have studied in this course. So you can see, we have studied a lot of theory, but it was needed to show you how easily you can configure IPsec when you know the theory of this protocol. So I hope that this lecture was informative for you, and till next time.

25. 24 Introduction to IPSEC IKEv2 Remote Access:

Hi there, it's Maher Haddad here again. After we have learned how to configure the IPsec VPN tunnel for site-to-site, it's time now to speak about the remote access IPsec VPN tunnel. So what does it mean, remote access? Let's say that in your company you have some people that want to work from home. So if they want to get connected to your network, they need to connect to the VPN, and you can use the IPsec VPN for this reason. So in this case you have to configure your MikroTik router, which is in your headquarters office, to accept the connection coming from PCs. That means that the users who are at home are connected to the Internet; they use Windows, for example, and on Windows they can use the built-in software, which is the Windows built-in client for IKE version 2, and with that they can connect with IPsec to the headquarters office, and they can get into the network. So in the upcoming lecture I'm going to show you how you can configure that, and I'm going to show you how you can do it using certificates. So we are going to make the MikroTik router a certificate authority to provide certificates, and one of the certificates will go to the server and the other one will go to the client. Then I will show you how you can configure the IPsec on the headquarters router in order to accept the VPN IPsec tunneling coming from remote access. So that is what I'm going to show you in the upcoming lecture.
If you're ready, let's go to the next lecture.

26. 25 Creating Certificates for remote access IPSEC:

Hi there, it's Maher Haddad here again. In this lecture I'm going to start working on how to configure the remote access users to be able to connect to the VPN IPsec router, which is in the headquarters. That means that users who are working from home want to connect to the network of their company. They want to connect to the VPN using IPsec. So that's what the lab is about. So, as you can see here, we have five points to do. But before I start doing the points, let me just show you what we need to do in this lab. So we are still on the same lab scenario. We have router one over here, and in this case we have to think that everything from router one and inside is, for example, home; somebody working from home. And here is the headquarters, or the office. And both routers are connected to their ISPs; that means they have Internet connectivity. So as the routers are connected to the ISPs, in this case this PC is connected to the Internet. So before, we were doing IPsec between two routers. But now what we need to do is that this router, I'm not going to configure IPsec on it. So the router which is at home, we are not going to configure any IPsec on it. What we need to do is to use this PC here, where we have to use the Windows built-in application, which is the IKE version 2 client. And with this application I'm going to connect directly from here to the router via IPsec. So that means, as the PC is connected to the Internet, then why don't we do the remote access connectivity using IPsec to the headquarters router, which is router three; so again, using IPsec. So that means that I'm going to leave the configuration as it was before. I'm going to show you what I have deleted from the configuration of the previous lab, so in case you want to do the same lab for testing, you can do it yourself as well.
So let me directly show you what I have changed in the configuration, and then we will start doing the lab. So if we go to router one first, what has changed here is that on IP > Firewall, on the NAT, remember, when we were working on the site-to-site for the main and aggressive mode we put here a srcnat rule, and we said accept to go from this source to this destination. That's something I have removed. I left the masquerade here, and of course the IP route is still there. So if we go to IP > Routes, that's also still there, the default route. And I have also removed all the IPsec configuration that we have done when we were doing the site-to-site. That's router one; you can see that it's blank. So that's all we have in the router: the IP addresses, the connected routes, the NAT, and the IP route. If we go to router three, I have done the same on router three. If you go to IP > Firewall, I have removed here the NAT rule that was srcnat from this IP to that IP accepted. I have removed it because, remember, on version 2 there is NAT traversal. And then what I have also done here is that I have removed all the configuration on IPsec, so there is no policy, no proposal, no peers, identity, profile; everything is now blank. And I have left of course the default route and the IP. So what is important now for us is that from the PC I can ping 192.168.3.3, which is the IP of the headquarters WAN interface. So from my PC, which is inside router one, I ping 192.168.3.3 and I press enter. Then I can see that I'm able to ping it. That means that now I can connect from my PC to IPsec after I make the configuration. So that's what I have done. Now, what we need to do in this lab, because I didn't yet explain what we need to do for this particular lab.
If you go back here to the picture, what I'm going to do is on router three, I'm going to make it a certificate authority. So I have to create three certificates: the certificate authority to sign the certificates, one certificate for the server, and one for the client. The one for the client I will put on this PC. So again, what are the certificates? Certificates are for authentication. So when this router wants to connect to router three, to be authenticated it is using these certificates. OK, so I'm going to move this certificate here, or copy it, or export it and put it on the PC here, and for the IPsec on this headquarters router, router three, I'm going to use the server certificate. Okay. So in this lab I just want to create the certificates to show you how you can create them on the MikroTik router. You can do it, and it is for free, so you don't need to buy certificates. You can do it on the MikroTik router: you create these three certificates, the CA, the server and the client. You put the client on the PC, and the server you will be using when you want to configure the IPsec on router three. That's what I'm going to show you in the upcoming lecture. So in this lab I'm only going to show you how you can create the certificates in order to use them in the upcoming lab, when we configure the IPsec remote access. Point number one: go to router three and create the certificate authority certificate and make it signed and trusted. So first we need to make the certificate. All the work is going to be now on router three. So let me put the picture, and let's do it. So we go to router three. This is router three. So first we have to create this certificate authority, because with this certificate I can sign all the other certificates, which are the server and the client.
So from here I have to go to System > Certificates, and then I will create the first certificate. Let's call it CA. You can put here the information; I don't need to do that. I just put here the common name, and the subject alt name I set to IP, and we put the server IP, which is 192.168.3.3. And then this certificate is going to be used for CRL sign. That's very important: CRL sign needs to be checked. And then what I need to do here is to say apply. So this has been created. Now we need to sign it, so I click on Sign. And here, because it's going to be the certificate authority, you have to put here the CA CRL host. That means the host where the certificate is being created. So it is 192.168.3.3; that's router three again. And I say start. At the progress here you can see it is done. So this certificate is done now, and that's how you can create the certificate authority. It's already trusted, and you can see here it has the flags KLAT. That means now the certificate authority is created and it is trusted. And you can see here it is valid for 365 days. Point number one is done. Point number two: now we need to create one certificate for the server, because it's going to be used on router three as the IPsec server, and then we have to create one for the client. Let's do first the server: create the server certificate, make it signed and trusted. Let's do that. We go again to router three, and from here I will create another certificate. I will name it server. We put common name server. Here we have to put the IP, which is 192.168.3.3, and in the key usage for this certificate I will take out everything.
I just have to leave TLS server, because it's going to be a server certificate, and then I say apply. It has been created. We make it signed; it's going to be signed by the certificate authority that we have just created, which is CA. And then I say start. Progress is done. So this is done, and at the end we make it trusted here, and then I say OK. Now this server certificate has been created. Point number two is done. Point number three: we have to create a client certificate and make it signed and trusted. So the server certificate is going to be for the MikroTik router, which is going to be the server IPsec VPN router, and the client certificate is going to be installed and imported on my PC, which is inside router one. So let's do that. We go to router three, and from router three I will create a new certificate and we name it client, the common name also client, and here the subject alt name is the IP address of router three. And here of course you can change, if you want, the days and the key size, but I will leave everything as it is. I will uncheck everything, and I will just leave TLS client; you can see it over here. All right, and I say apply. Before, to sign it and to make it trusted you had to do it on the command line. That means when we had the older version of RouterOS, that's how it worked; we had to do it on the command line. Now it's very fast: we can just say here Sign, we make it signed by the CA, and then we make it trusted from here, check, and that's it. So we have created now these three certificates that are needed to be able to configure the IPsec remote access. Point number three is done. Point number four: export the client certificate and put it in a folder. So the client certificate is going to be installed on the PC, so we need to export it from the MikroTik router to be able to put it on the PC. So how to do that? Also, export was not possible before unless we used the command line. Now it is possible using WinBox. So we go to router three.
And from here we go to client; that's what we need to export. And here you have Export. Remember, when you want to export, always use PKCS12, because when you use that one it will export the CA and it will also export the client, because it needs to export both of them. Okay. And that's for Windows, that you can use PKCS12. That's the type, and you have to put the export passphrase, the password. I will make it simple; I will put 123456789. Remember this passphrase, because when you want to import it to the Microsoft Windows PC, then you also need to put the same passphrase. So from 1 to 9, and then I say Export. So once I say Export, in this case this will show up here in Files. You can see it's there; I have just created it and it's there. So what you can do now, you can just create a folder. I have already created a folder on my PC; I named it certificates, so you can see certificates here. It doesn't have anything inside of it, this folder. So what you can do, you can just drag and drop it and put it in this folder. And here we go; you can see the certificate now is there. And now I have to import it to my PC, because when we want to connect from the PC to the IPsec server, it's going to use this certificate as authentication. Point number four is done. So we have exported the client certificate and put it in a folder. Now we have to go to Windows, to the PC itself, and we have to go to Run and write this command, certmgr.msc, and import the certificate (client) to the PC. So I'll go to Run here and I will write certmgr.msc, or we just have to click on Start and then write certmgr.msc and then click Enter. Then you have this; you get this one, which is the manager of the certificates. Okay, so what you need to do now is to go to Trusted; if you make it a bit bigger here, you go to Trusted Root Certification Authorities and then you click on Certificates.
And then from here you have to right click, and then All Tasks, Import. So what do you want to import? I say continue, I want to import, and here we are inside the Desktop and the certificates folder. Okay, I want to import the certificate that I have created, which has this extension, .p12. So you have to go now here to .p12, and then it shows this one. So I just double click on it, and it is there; it is now in the import. Then I say Next. The password: this is the passphrase from 1 to 9 that we have put. So we put it now, 123456789, and then I say Next. And now, where do you want to put it? You can place it here, or you can say automatically select the certificate store based on the type of certificate. So let Windows put it in the place that it wants. I will check this one and then I say Next. And here we go; you can see now it is going to import. And then I say Finish, and the import was successful. So now the client certificate has been imported successfully to my PC. Point number five is done. And with this point I have showed you how you can create certificates on the MikroTik router and how to make them signed and trusted, and then how you can export the client certificate and import it to your PC. Because at the end, what we want is for the PC to connect to the IPsec server, which is router three in this case; it needs to get authenticated, and the authentication in this case is going to be using the certificates. So that is what I wanted to show you in this lab. In the upcoming lab we will start configuring the IPsec, and then I'm going to do the remote access. So my PC connects to the MikroTik router three, and we will see in this case, once my PC connects to the MikroTik router three via IPsec, if it is able to reach the server, which is 3.3.3.3, as you can see in the picture. So that is what I wanted to show you in this lab.
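Points one to four of this lab (CA, server and client certificates, signing, trusting and the PKCS12 export) as RouterOS CLI commands, the way they had to be done before WinBox gained the Sign and Export buttons the lecture uses. This is an added example, not the course's own commands; it uses the lab's values (router three at 192.168.3.3, export passphrase 123456789). The CA keeps the CRL sign usage the lecture insists on together with the key-cert-sign usage a signing CA needs, which WinBox leaves checked by default.

```routeros
# All on router three (192.168.3.3), the headquarters router that becomes the CA.
# Point one: the CA certificate. key-cert-sign lets it sign the other two,
# crl-sign is the usage the lecture requires to be checked.
/certificate add name=ca common-name=ca subject-alt-name=IP:192.168.3.3 key-usage=key-cert-sign,crl-sign
# Self-sign it; ca-crl-host is the host that publishes the CRL, router three itself.
/certificate sign ca name=ca ca-crl-host=192.168.3.3

# Point two: the server certificate, usage limited to TLS server, signed by the CA.
/certificate add name=server common-name=server subject-alt-name=IP:192.168.3.3 key-usage=tls-server
/certificate sign server name=server ca=ca
/certificate set server trusted=yes

# Point three: the client certificate, usage limited to TLS client, signed by the CA.
/certificate add name=client common-name=client subject-alt-name=IP:192.168.3.3 key-usage=tls-client
/certificate sign client name=client ca=ca
/certificate set client trusted=yes

# Point four: export the client as PKCS12 (bundles the client key, its certificate
# and the CA), protected by the lab's passphrase. The file appears under Files.
/certificate export-certificate client type=pkcs12 export-passphrase=123456789

# Check the flags column: K (private key), A (authority) and T (trusted) on the CA,
# I (issued by a local CA) and T on server and client.
/certificate print
```

Signing runs asynchronously on the router, which is the progress indicator the lecture waits for; `/certificate print` after it finishes shows the same flags the lecture reads in WinBox. The passphrase protects the private key inside the .p12 while it is copied to the PC, so a production export would use a passphrase that is not a digit sequence and would delete the exported file from the router's Files once it has been copied.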
I hope it was informative for you, and I'll see you in the next lecture.

27. 26 Configuring IPSEC IKEv2 remote access:

Hi there, it's Maher Haddad here again. In this lecture I'm going to show you how you can now configure the IPsec remote access VPN tunneling. That means from the PC to connect to the headquarters router, in order to be able to reach the network which is inside the headquarters office. As you can see, we have ten points to do, but before I start doing the points, let me show you what we need to do in this lab. So we are still on the same scenario, as you can see. We have already created the certificates and we have imported the client certificate to the PC. Now I need to configure the IPsec IKE version 2 on router three. Why IKE version 2? Because Windows supports IKE version 2. So I have to configure that on router three, and after I finish the configuration I need to go to my PC here and create the connection, to be able to connect to router three via IKE version 2 IPsec. We are going to make a test, and then this PC has to go via the Internet to the router and make the connection. If the VPN connectivity is good, then in this case the IPsec tunnel is open between my PC and router three, and then this PC is able to reach the server, which is sitting inside router three. So that is the idea of this lab. That is what we call remote access, because you are doing the VPN connectivity between a PC and the router. In the previous lab I showed you how to do the site-to-site, which is between two routers, but in this lab it's going to be between the PC, which is connected to the Internet, and router three, which is connected to the Internet, to form the IPsec VPN tunnel. So that is what I'm going to do in this lab. Let's go now to the points and start doing them. Point number one: go to router three and create a pool of IP addresses.
We got four until street the street. That's three, Doctor. So I could hear the picture. So what we need to do now if we go back here toe the graph. So I need to create a pool. Why? We need to create the pool. Because once the PC which is going to connect to the round of three V I p sec, it needs to get the night p on the I P Shack from the IBC crowd out of here. That's on this. After I created pool, I'll say, Okay, anyone connected to me as remote access Give him an I p from three. Those three, the three, not four until I will make it the 10. OK, because that's a love. You can make it bigger. So that means if the I p second activity is good between my PC and the router, this PC at that is gonna get a night off street the street. That's three. Not that. Most likely because Michael, it takes the highest number. And this case is going to be that then. So why it's street, the street, the street. That's something because remember the server here street the street, that three dots something. OK, so to be on the same something so this PC is able to reached with sugar and big, So let's do that we goto the Router Street that is artistry. And from here I have to go toe I pee on, I will go to pull greater pool. We name it, for example. High version two on I will show here three the street of ST us. In this case, they said the three until Freedom's real street We should before but here and until, like dash readers three. Let's read all of them. Okay, So because Streeto cedar, Cedar Street is for the server, then we take from four until that. And then that's it. That's the pool that I need to Great part number one is done. Now we need to start working on the I P SEC configuration on Water Street. We have two great I p sec on I pay check and more conflict with a pool that you have created. So we have to say to the router Street that in case someone connect to you, give him an I p from the pool that we have created. So how to do that? That's something I'm gonna show you. 
Now we go here on Router 3 again, and from here we go to IP, we go to IPsec, and we go to Mode Config, OK, and we create a new one. We keep the name cfg1, and we check Responder. OK, so that means that once someone connects to me as remote access, then respond and give him an IP from the pool that I have created, which is ikev2. And here you can put, for example, the DNS: you can say give it the DNS of the system, or you can put a static DNS. In my case, I will just say system DNS, and that's it. So this configuration that I have created, the mode config, is to provide the IP from the pool to anyone who connects to me as remote access to the router, which is Router 3. Point number two is done. Point number three: we have to create a profile with the default settings. So we go to Router 3, and again we are doing the same steps that we have done on the site-to-site for IKE Phase 1 and for Phase 2. OK, so first we have to create the profile. We have a default one; I'll create another one, and we can name it profile1. I would leave everything as it is, the default settings. OK, so 3DES, I say yes, that's fine. I will leave everything, and remember here that NAT Traversal should be checked, because on IKEv2 it's possible to have NAT traversal. On this profile, which is named profile1, let's add here ikev2, just to know that this is what I'm doing for this configuration; it's just the name, and I will say OK. Point number three is done. Point number four: create a peer with the profile1 ikev2 that I have created, exchange mode IKE2, and select passive. So we go now to Router 3, and now we have to create the peer. But in this case, who is the peer? Because we don't have site-to-site, where we know that the other peer is that address. We have a PC, and we don't know what the peer address is there.
Then in this case, we don't know what that IP is. So what we can do here, we can just click and say name peer1. Address: we don't put anything in the address. You can put your local address, because you know your own IP, but it's not necessary; we keep it as it is. The most important is the profile: the profile that I have just created, which is profile1 ikev2, that I need to put, and the exchange mode, remember, we put it to IKE2 because we are going to use IKE version 2. And here you have to select Passive, and then you say OK. In this case, I have created the peer because we need to create the peer to be able to do the identity for the upcoming point. Point number four is done. Point number five: create the identity, and this time it's going to be with digital signature as the authentication method, because we're using certificates in this case. And we have to select the certificate for the server and for the remote. Then we have to put the right mode configuration and the port-strict generate policy. So let's do that. We go to Identity, we create a new identity, and we say for this identity the peer is peer1. That's what we have created here. OK, so the peer is peer1. The authentication: remember, we are going to use certificates, so we put digital signature. Now we say OK, what is the certificate of this router? In this case, we have to say for this router, because it's going to be the IPsec router, the IPsec peer router, and so we say the server certificate. The remote certificate, that means the one which is connected to me; we can keep it none, but I will put it here as client. OK. Now the policy template group, we leave it default. The ID, we make it auto. And here, the most important, the mode configuration: that's what we have created here, remember, the cfg1. So here I have to select the cfg1, and the generate policy here,
we say port strict, and that's it. OK, so that's what you need to do for the identity. Point number five is done. Point number six: we have to create the new proposal with the default settings. So now we're doing the IKE Phase 2. So we go here and we go to Proposal. We create a new proposal; I will leave everything the same, I just name it here ikev2. So I will leave everything the same: 3DES, of course, my Microsoft Windows, as I understand, supports 3DES, and it's for testing, so that's no problem. We leave this 3DES in this case, and SHA1 here as the algorithm for authentication, and the PFS is none. And then I will say OK. Point number six is done. Point number seven: the last thing we need to do is to create the policy. So we go to Router 3, on Policy I click plus. Here I would say OK, I want to make a template. The source address and destination address we leave blank. I click on the Template, which is the default, so the group default, that's the one which is over here. So I will make a check like that, and here action is encrypt, we use ESP, the proposal is the ikev2 proposal that I have created, and then I will say OK. So you can see the configuration is not very difficult; it's almost the same as we have done for the site-to-site. The only difference is that you have to use the mode config here, because it needs to give an IP from the pool that we have created. And that's it. That's what we need to configure for the remote access on the IPsec headquarter router. Point number seven is done. Now we have finished with the headquarter router, or Router 3. Now we need to make the configuration on the PC. We have to go to the PC and write VPN in the search to create a new VPN connection using IKE version 2. So we just select the Start button and you can write VPN.
And so once you write VPN, you get this window. OK, so I'm using again Windows 10. If you are using an older version of Windows or using a Mac, for example, that's different here, but of course there is a place where you can create the VPN on your PC. So here, Add a VPN connection. Before I create the VPN connection, let's check again that we can ping the IP of Router 3, because that's the IP that I need to connect to. That's the IP of Router 3, the one on the interface. From here I have to say VPN provider: I will say Windows (built-in). Connection name: let's call it IKEv2. The server: in this case, it's the IP of Router 3. The VPN type: I'm going to use IKEv2; you can see it's selected there. Now the sign-in info, the authentication here, you have to select Certificate, and you say Save. OK, so this has been created here. Point number eight is done. Point number nine: now let your PC look to the local certificates when using the IKEv2 connection. So we have created the IKEv2 connection, but the PC doesn't look to the local certificate to do the authentication. To do that, we have to tell the PC to look to the certificate. So how to do that? We have to go here to Open Network & Internet settings. OK, in Network & Internet settings we go to Network and Sharing Center. From here we go to Change adapter settings, and this one is the one that I have created, IKEv2. We right-click on it and we go to Properties. Once we go to Properties, we have here the Security tab. On the Security tab, that is the type of VPN, IKEv2, and here we have to say Use machine certificates, OK, because before it was using EAP, the Extensible Authentication Protocol, but we have to select here to use the machine certificate. And then I would say OK. So that's all you need to do on your PC.
Point number nine is done, and the last point is to connect to the IKEv2 connection and check if it's working. Let's do that. So we are here, and then we click on it and then we say Connect, and here we go. You can see it's directly connected; there is no problem. So it is connected now. Let's try now to ping 3.3.3.3. We make here ping 3.3.3.3, Enter, and here we go. We are now able to ping the server 3.3.3.3. What I want to do now is to add -t so that the ping is ongoing. OK, I'll make it smaller. So the ping is here, it's working. If I disconnect, let's see: now it's "Destination host unreachable". If I connect again, the ping is back. So that means that my IPsec is working the way that we want, and it is remote access. So you can see it's not a big deal to configure IKEv2 remote access. And remember, we didn't do anything here. If we go to Router 3, IP, Firewall, NAT: actually, we didn't do anything here on the IP firewall or on the NAT. The only NAT that we have is the masquerade; we didn't do any NAT bypass. OK, and if you want, what we can do also, we can do the traceroute: traceroute to 3.3.3.3, and here we go. We can look now on the traceroute how many hops it takes to reach 3.3.3.3. So we can have a look now, and that's it, it's one hop. And if you want, we can also do here ipconfig to see what IP it has received. And we look here, that's it: you can see on the PPP adapter IKEv2 it has received 3.3.3.10, and that's from the pool that we have created. Point number ten is done. And with this part, I have shown you how you can configure the IPsec remote access, so you can see it's not a big issue. Of course, a lot of people say it's not working, it's hard to configure, but you can see it:
if you know the right steps, it works, and it works perfectly without any problems. So that is what I wanted to show you in this lab. I hope it was informative for you, and until next time.
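The router-side part of this lab (points one to seven) written as a RouterOS CLI script, added here as an example and not taken from the course, which does everything in WinBox. The object names (ikev2-pool, cfg1, profile1-ikev2, peer1, proposal1) and the certificate names server and client are assumptions; the pool range and the 3DES/SHA1/no-PFS proposal follow the lecture, and the commented AES/SHA256 line is an added hardening option.

```routeros
# Added example: CLI equivalent of points 1-7 of the lecture (WinBox in the video).
# Object names are assumptions; certificates "server" and "client" are assumed
# to exist on the router from the previous lab.

# 1. Address pool for remote-access clients (3.3.3.3 is the server, so start at .4)
/ip pool add name=ikev2-pool ranges=3.3.3.4-3.3.3.10

# 2. Mode config: act as responder and hand out an address from the pool plus the router's DNS
/ip ipsec mode-config add name=cfg1 responder=yes address-pool=ikev2-pool system-dns=yes

# 3. Phase 1 profile with default settings; NAT traversal stays enabled for clients behind NAT
/ip ipsec profile add name=profile1-ikev2 nat-traversal=yes

# 4. Peer with no address (the client's address is unknown), IKEv2 exchange, passive (responder only)
/ip ipsec peer add name=peer1 profile=profile1-ikev2 exchange-mode=ike2 passive=yes

# 5. Identity: certificate authentication, our server certificate, the client certificate expected
#    from the remote side, the mode config from step 2, and port-strict policy generation from
#    the default template group
/ip ipsec identity add peer=peer1 auth-method=digital-signature certificate=server \
    remote-certificate=client my-id=auto policy-template-group=default \
    mode-config=cfg1 generate-policy=port-strict

# 6. Phase 2 proposal as used in the lecture (3DES, SHA1, no PFS). The commented line is an
#    added, stronger alternative a practitioner would prefer when the client supports it.
/ip ipsec proposal add name=proposal1 enc-algorithms=3des auth-algorithms=sha1 pfs-group=none
# /ip ipsec proposal add name=proposal1 enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=none

# 7. Policy template in the default group; policies generated for each client use proposal1 with ESP
/ip ipsec policy add template=yes group=default action=encrypt ipsec-protocols=esp \
    proposal=proposal1 src-address=0.0.0.0/0 dst-address=0.0.0.0/0

# Verification after the PC connects (point ten): the active peer and the generated policy
/ip ipsec active-peers print
/ip ipsec policy print
```

The last two commands are where to look if the client connects but cannot ping 3.3.3.3: a missing generated policy usually means the identity's mode config or policy template group does not match what the client negotiated.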