Journal of Computer Science Research | Volume 03 | Issue 01 | January 2021

Journal of Computer Science Research

https://ojs.bilpublishing.com/index.php/jcsr

ARTICLE
Secure Remote Access IPSEC Virtual Private Network to University
Network System
Gajendra Sharma*
Department of Computer Science & Engineering, Kathmandu University, Dhulikhel, Kavre

ARTICLE INFO ABSTRACT

Article history With the popularity of the Internet and improvement of information
Received: 28 December 2020 technology, digital information sharing increasingly becomes the trend.
More and More universities pay attention to the digital campus, and the
Accepted: 19 January 2021 construction of digital library has become the focus of digital campus. A set
Published Online: 31 January 2021 of manageable, authenticated and secure solutions are needed for remote
access to make the campus network be a transit point for the outside users.
Keywords: Remote Access IPSEC Virtual Private Network gives the solution of remote
IPSEC access to e-library resources, networks resources and so on very safely
through a public network. It establishes a safe and stable tunnel which
VPN encrypts the data passing through it with robust secured algorithms. It is to
Network establish a virtual private network in Internet, so that the two long-distance
Communication network users can transmit data to each other in a dedicated network
channel. Using this technology, multi-network campus can communicate
Data
securely in the unreliable public internet.
Encryption
Integrity authentication
Remote access
University
Security
Server
Client, Peer

1. Introduction departments under the universities implement a mecha-

nism that uses encryption and tunneling protocols to make
With the wide availability of public connection like the communication between the central site (university)
Internet, most universities are willing to provide their stu- and remote clients (students or staff members) secure.
dents and staff member access to centrally located servers This secure mechanism in general, is termed as Virtual
and database remotely. In more specific cases, instructors Private Network or in short VPN. A VPN is an IP based
are willing to perform and guide lab activities remotely. model that makes use of encryption algorithms and tun-
However, the use of internet increases network security neling protocols and the entire connection can be a viewed
threats and challenges. Due to these reasons, campus and as a secure pipe carrying encapsulated data over public

*Corresponding Author:
Gajendra Sharma,
Department of Computer Science & Engineering, Kathmandu University, Dhulikhel, Kavre;
Email: [email protected]

16 Distributed under creative commons license 4.0 DOI: https://doi.org/10.30564/jcsr.v3i1.2730

 Journal of Computer Science Research | Volume 03 | Issue 01 | January 2021

network like internet [1]. (2) Will this system deliver robust secured connectivity
The first and the easiest decision for every organization to remote users?
is to implement VPN for remote communication, however, (3) What type of security algorithms will this system
there are several queries that needs to be addressed before use for the encryption of entire IP Packets?
its deployment. It needs to be understood on how many
ways VPNs can be implemented and which one should be 2. Literature Review
chosen depending on the requirements. An IPSEC provides
2.1 Evolution of Private Networks
permanent and always-on VPN access requirement [2]. It
provides full access to all network devices, servers and Before the emergence and popularity, virtual private
other resources located on central site. networks have gained as a secure and cheaper medium
Internet Protocol Security provides secured commu- for sensitive information to be accessed and transmitted
nication between network-network, host-host, and net- between two or more corporate network over a public net-
work-host by authenticating and encrypting each IP pack- work such as the internet, other network technologies have
et of a communication session [3]. It uses the cryptographic been innovated and used to connect within business sites
keys to negotiate and protect communications over IP net- and across to other sites that are miles away from each
works. It supports authentication, data integrity, data con- other [5]. The analog phone lines were permanently wired
fidentiality [4]. People are still unaware of internet threats to the sites and were specially selected lines (called con-
due to lack of sufficient knowledge in this technology of ditional lines) that were specifically built for full time use
secured protocol IPSEC VPN. by companies; these lines are different from regular phone
Mainly, there are two types of IPSEC VPNs; Site-to- lines. This technology ensured full bandwidth and privacy
Site IPSEC VPN and Remote access IPSEC VPN. These but this came at a great cost, i.e. payment is expected for
two types of VPN can be utilized on the basis of require- the full bandwidth even if the line was used or not. It is a
ments. The name of Site-to-Site VPN itself indicates the Virtual Connection (VC) form of WAN packet switching
implementation of VPN between one site to another site. which logically separates data streams. With this function,
It is mostly used in those companies which have different the service provider is able to send as many point-to-point
branches situated in different location. An example of it VCs across a switch network infrastructure, depending
can be a real life implementation of banking networks be- each endpoints have a device that facilitates communica-
tween head office to its branch offices. Similarly, Remote tion in the site. The components for setting up this kind
access IPSEC Virtual Private network is another VPN of technologies involved the use of customer IP routers
type which can be used when company resources need to (customer premise equipment, or CPE) interconnected in
be accessed anywhere and anytime. a partial or full mesh of frame relay or ATM VCs to other
CPE devices, in other words less equipment are needed
1.1 Research Objective for its set up.
With the advent of the internet and its wide use in ev-
The following are the main objectives of this study:
eryday transaction, businesses have adopted the technolo-
(1) Implementing RAIVPN by creating LAB environ-
gy for transmitting and accessing data across various sites
ment in Packet Tracer or GNS3
by implementing a VPN connection, which is relatively
(2) Provide remote access to only authorized personnel
cheap, flexible and scalable, between both sites in order
to various Networking devices located within the periph-
to secure the data that are sent across the insecure internet
ery of University
from being tampered by unauthorized persons.
(3) Mitigating the overhead of sharing files and confi-
The use of public telecommunication infrastructure to
dential data using the internet from both sides by provid-
provide secure communication between members of cer-
ing remote access to remote users tain groups (like company headquarters and its branches),
1.2 Research Questions maintaining privacy by the use of tunneling protocols and
security procedures instead of dedicated physical con-
Based on literature review and the present scenario of nection, is known as Virtual Private Network or in short,
secured connection deployment in an organization to ac- VPN [1].
cess the resources remotely and securely in Nepal and the A VPN gateway which can be a router, VPN Concentra-
current requirement to enhance the system. tor or other Security Appliance is used to encapsulate and
(1) What will be the cost and benefits in the deploy- encrypt all outbound traffic over the VPN tunnel through
ment of this technology in comparison to older system? the internet to the VPN gateway at the remote target site.

Distributed under creative commons license 4.0 DOI: https://doi.org/10.30564/jcsr.v3i1.2730 17

 Journal of Computer Science Research | Volume 03 | Issue 01 | January 2021

Once the remote VPN gateway receives the TCP/IP traf- model. IPSEC can protect virtually all application traffic
fic, it strips the header, decrypts the packets and relays it to because protection can be implemented from Layer 4
the destined hosts in its network [6]. Before the introduc- through Layer 7. IPSEC is especially used to implement
tion of IPSEC, there were widespread problems with IP Virtual Private Networks and for remote user access. One
address spoofing and data integrity, authenticating and of the big advantages of IPSEC is that, security arrange-
guaranteeing confidentiality of information. IPSEC is ment can be handled without the requirements of much
generally considered a “means by which to ensure the hardware and software in remote user PCs.
authenticity, integrity, and confidentiality of data at the
network layer of the Open System Interconnection (OSI) (1) Confidentiality
model. In other words the IPSEC protocol was developed Confidentiality is achieved using different encryption
to ensure that users could communicate more securely over algorithms. The degree of security depends upon the
the internet [7]. length of the key of the encryption algorithm used. The
following are some encryption algorithms and key lengths
2.2 Authentication, Authorization, and Account-
that VPNs use [10].
ing (AAA)
Limitations with passwords remain the simplest form (2) Asymmetric Encryption
of authentication. Cisco devices can be limited using a It is used when private keys are used to decrypt data,
login name and password on console, vty and aux ports. while public keys are used to encrypt data. First public
However, these are considered as least secure means of keys, which are mathematically similar to the private
security. Password only logins are considered even more keys, are exchanged. These public keys are used to encrypt
vulnerable to brute-force attacks, an attack which involves data which is sent to the individual. The individual may
the entry of all possible combination of password in order then use their private key to decrypt the data. This form of
to find the correct one [6]. encryption is considered more secure [7].
2.3 Internet Protocol Security (IPSEC) (3) Security Key Exchange
IPSEC is the framework of open standards for a set of Any method in cryptography, by which cryptographic
Internet Protocols (IP) responsible for secure communi- keys are exchanged between users allowing the use of
cation. It relies on existing algorithms to implement the cryptographic algorithm, is known as Secure Key Ex-
encryption, authentication and key exchange [8]. Cisco has change method. The Diffie-Hellman (DH) algorithms is
been the leader in proposing and implementing IPSEC as one of the cryptographic algorithms used to provide public
a standard (or set of standards and technologies) for Re- key exchange method for two peers to establish a shared
mote Access VPNs [9]. secret key that only they know even if they are commu-
nicating over an insecure channel (Microsoft TechNet,
Authentication Header (AH)
n.d.). To put simply, DH is typically not used to encrypt
AH is also known as IP protocol 51 and is implemented data, but in VPN implementations, they are used to share
when confidentiality is not required or permitted. It pro- keying information securely, such as DES, 3DES, AES,
vides authentication for as much of the IP header as pos- SHA, MD5 and other symmetric keys as described above
sible, as well as for upper level protocol data. But some in this section, across an insecure public network, like the
IP header fields may change in the transit and the value internet. Figure 2.5-1 describes how DH algorithm works.
of these fields may not be predictable by the sender. Such It uses six distinct steps to share symmetric keys across an
values of the fields cannot be protected by AH. Thus, the insecure network [11].
protection provided by AH is only partial in many cases.
AH can be implemented alone or in combination with En- 2.5 Internet Security Association and Key Man-
capsulating Security Payload (ESP) [9]. agement Protocol (ISAKMP)
Internet Security Association and Key Management
2.4 The IPSEC Framework
Protocol (ISAKMP), protocol defines the procedures for
IPSEC works at the Network layer, and is responsible authenticating a communicating peer, creation and man-
for protecting and authenticating the IP packets between agement of Security Associations (SAs), key generation
participating IPSEC devices (peers). Earlier, security mea- techniques, and threats mitigations [12]. It defines proce-
sures were implemented on Layer 7 of the communication dures and packet formats to establish, negotiate, modify

18 Distributed under creative commons license 4.0 DOI: https://doi.org/10.30564/jcsr.v3i1.2730

 Journal of Computer Science Research | Volume 03 | Issue 01 | January 2021

and delete security association. It also defines payloads 11) versus higher number of nodes (11-15), time difference
for exchanging key generation and authentication data. when delivering the packets differs considerably; but for
These formats provide a consistent framework for trans- the extra time, all users in the network can get authentica-
ferring key and authentication data which is independent tion service for all data packets in ad-hoc network. When
of the key generation technique, encryption algorithm and comparing the time difference with ESP implemented and
authentication mechanism. ISAKMP typically utilizes without ESP implemented data packets, the time differ-
Internet Key exchange (IKE) for key exchange [13]. Se- ence varies slightly. Their findings showed compared to
curity Association and Internet Key exchange are briefly AH, ESP has more timing overhead and the time difference
described in the following sub-section. between ESP implemented packets is higher than AH im-
plemented packets. However, the service provided with
2.6 Transform Sets ESP implemented packets is more than AH implemented
A combination of individual IPSEC transforms de- packets.
signed to enact a specific policy for traffic is known as Qu et al. [16] have presented the results of the sub-proj-
transform set. The peers of VPN use particular transform ect within the Secure Active VPN Environment (SAVE)
set for protecting a particular data flow during the ISAK- project conducted at Dalhousie University. The principal
MP IPSEC SA negotiation that occur in IKE process. objective of the paper is to avail the design and imple-
Transform set consists of combination of AH transform, mentation of a secure wireless LAN based on the IPSEC
an ESP transform and the IPSEC mode (either transport or VPN tunneling protocol and explore its performance to
tunnel). The IPSEC SA negotiation uses the transform set render inherently vulnerable wireless communication
that is defined in the crypto map entry to protect the data more secure, VPN technology was used in this project. An
flows that are specified by Access lists of that crypto map IPSEC-compliant VPN was constructed and the traffic
entry. The command that invokes crypto-transform con- between the wireless node and the IPSEC gateway was
figuration mode is [6]: protected in the IPSEC tunnel. PGP certification, an in-
stance of the PKI referral method, was used to provide a
Standard Access Lists strong binding between the public key and its attributes so
the receiver could verify that the sender was as claimed to
Standard Access Lists range from 1 to 99. They allow be without asking the sender. For the completeness of this
or deny traffic from specific IP addresses (i.e. based on solution, the relationship of a packet filter firewall and an
source). These are used to filter traffic based solely on lay- IPSEC gateway was deployed on the basis of FreeSiWAN
er 3 source of information [6]. and IPCHAINS on the Linux operating system with ker-
2.7 Firewall nel 2.2.x. The whole system made the wireless communi-
cation effectively secure.
A system or a group of systems that enforces an access Sun [17] deliberated the comparison analysis between
control policy between networks is known as a Firewall. IPSEC & SSL VPN from the aspects of benefits, working
A Firewall can be implemented in different ways but all layers, security, access control and deployment. Analysis
firewalls have some common properties. For example: has indicated some pros of SSL VPN in security, flexibil-
(1) A firewall must provide resistance to attacks ity, and cost reduction which have become the reasons
(2) It must be the only transit point between the net- of selection of it as the remote access way in HengShui
works i.e. all traffic must flow through the firewall University. On the other hand, the differences between ac-
(3) A firewall should enforce the access control policy cess-control, working layers and encryption from client’s
Split tunneling also has a major disadvantage if im- web browser to the web server behind the VPN server, no
plemented, the VPN will be vulnerable to attacks as it be need of VPN client software, and deployment of IPSEC
accessible over public network i.e. (Internet) through the and SSL VPN has been shown the best approach with re-
same endpoint device [14]. spect to SSL VPN.
Dhall et al. [15] have proposed a working principle Apart from positive aspects of IPSEC VPN, this paper
implementation of IPSEC in various network devices has concluded in the favor of easy working process by
(hosts and routers). Their research was focused on AH SSL VPN for remote access. It has been shown that SSL
implemented and ESP implemented data packets. When VPN has become better option for remote access while
comparing the time difference with AH implemented and IPSEC VPN has become well suited for site-to- site VPN.
without AH implemented data packet for variable number Lee et al. [18] have stated the secured connectivity to
of nodes, compared to a lower number of total nodes (3- corporate networks for IPV6 mobile users remotely and

Distributed under creative commons license 4.0 DOI: https://doi.org/10.30564/jcsr.v3i1.2730 19

 Journal of Computer Science Research | Volume 03 | Issue 01 | January 2021

securely through the means of IPSEC VPN under the con- management perspective of IPSEC and SSL VPN technol-
sideration of near future. They have proposed the efficient ogies. They have briefed the general overview of all the
communication procedure by considering two cases for layer 2 VPN technologies which have got no encryption
mobile user’s VPN access. One case is for the internal mechanism, and so, IPSEC and SSL VPN has been the
home agent that exists in VPN domain and the other is the topic of discussion in this paper. Some weakness and
case for external home agent which is away from VPN do- issues of IPSEC that has been mentioned are dynamic ad-
main. dressing,
The paper approached that the communication packets NAT/PAT, opened ports of 50(ESP), 51(AH), and
within the private network doesn’t need to be protected as 500(ISAKMP) for IPSEC needed to be allowed in com-
VPN tunnel cares for it and the communication packets parison to only 443(HTTPS) for SSL, tunnel establishment
which is not in the private network needs to be protected of N(N-1)/2 tunnels with N sites, flexible and granular
by establishing IPSEC tunnel. Finally, it has made the access control to network resources.
conclusion on efficient communication with mobile nodes SSL VPN is strong security protocol from the aspects
and VPN gateway by the use of IKEv2 initial exchange of security, mobility, and management in comparison to
and IKEv2 informational exchange. IPSEC VPN presented in this paper has made the decision
Kim et al. [19] have addressed the problem of disruptions to go ahead for SSL VPN in future.
to applications due to IPSEC tunnel re-establishment It has been revealed that IPSEC VPN even though the
during the mobility of MobileIP and so made some gener- greater solution for security has become resource intensive
al modifications in an IPsec implementation without com- and cost prohibitive such as requirement of client-side
promising its security parameters. software, public key infrastructure deployment, technical
They have experimentally shown by removing the complexity, and more infrastructure overhead when de-
dependence of identifying a Security Association on the ployed across large enterprise.
outerheader destination address so that the same security It has been indicated that even though IPSEC has got
parameters can be used even in the new network. Two new several issues in comparison to SSL VPN, it is a solution
private messages are added to ISAKMP to enable the re- to large problems as it can be deployed incrementally,
quired signaling to update new tunnel endpoint addresses. ability of dictating the requirement of current antivirus and
Routing Table of new mobile host has been updated for firewall software and to ensure the operating systems are
existing IPsec tunnels which need to be sent through a patched virtually eliminating the risk of malicious intent,
new network. and the requirements of VPN client software reducing the
Removing the dependency of tunnel destination ad- risk of security breach.
dress for locating SA without affecting the normal IPsec
operations, and adding two messages to ISAKMP to com- 3. Methodology
municate the address changes of mobile hosts, prompting
3.1 System Overview
proper updates to Security Associations Database (SAD)
have been presented to mitigate the issues of interruptions Since there is a lack of system in place which is capa-
in network applications for MobileIP. ble of providing access to the resources for students, pro-
Lakbabi et al. [20] presented the differences between fessors, and staffs from universities to its affiliated colleges
protocols strengths and weaknesses from a security and of Nepal, a system design has been proposed regarding the

Figure 1. Remote Access IPSEC VPN

20 Distributed under creative commons license 4.0 DOI: https://doi.org/10.30564/jcsr.v3i1.2730

 Journal of Computer Science Research | Volume 03 | Issue 01 | January 2021

design and implementation of remote access IPSEC VPN acting as a DHCP Server which provide IP addresses to
through the public network to access the resources secure- VLAN_B dynamically.
ly and remotely. R1 consists of 3 Fast Ethernet interfaces fa0/0, fa1/0,
This section is about the lab implementation of Remote fa2/0 in which one of its interface fa2/0 is further divid-
Access IPSEC VPN Server performed in Graphical Net- ed into two sub interfaces fa2/0.5 and fa2/0.10 which are
work Simulator (GNS3) emulator emulated along with connected as two local area networks VLAN_A for the
the internet for the universities/colleges. This system has campus servers and VLAN_B for other representatives
been designed and built in GNS3 software connected with of a campus respectively whereas other two remaining
Internet. The main scope of this research is to demonstrate interface fa0/0 and fa1/0 are connected to internet and one
the access to the enterprise resources remotely and secure- remote user respectively. In order to access the inside net-
ly. Since it is needless to have physical lab setup for the work of a campus for users, they need to cooperate with
implementation of this system, it has utilized the GNS3 VPN Server first with correct security parameters. If it
tool and Virtual Box. corresponds to the configured parameters at R1 then only
This study mainly describes about providing network authorized users and devices will get access to the private
access to Universities’ resources from outside network i.e. networks.
internet securely. All the traffic before entering to inside
network is encrypted and encapsulated first at client side. 3.2 System Specification
There after it is sent to VPN Server over the internet and
upon receipt, it decrypts the content and relays the packet Deployment of this system needs the hardware and
toward the target host inside its private network only when software on the basis of minimum requirement of enter-
the security parameters matches between VPN Server and prise networks. VPN Routers and Switches can be taken
VPN Client. The main purpose of this demonstration is to from other vendors too which is capable of supporting
provide the access to universities stuff located inside the RAIVPN. In order to make user friendly and ease of this
server to only rightful personnel remotely and securely. system installation and deployment, following network
This Network System has been designed based on Lo- devices and applications have been used for the configura-
cal Area Network (LAN) and Wide Area Network (WAN) tion of RAIVPN.
which means inside and outside network of a campus re- (1) VPN Server is a 7200 router (VXR) that runs Cisco
spectively. In this system, Figure demonstrates Router R1 IOS Software Release 7200 Software (C7200-ADVIP-
is playing a role of VPN Server which performs its job of SERVICESK9-M), Version 15.2(4)S5, RELEASE SOFT-
securing the access to inside network from undesirable WARE (fc1). Cisco Routers 800, 1700, 1800, 2800, 3600,
network traffic coming from outside network. It is also etc. are also supported by VPN Server with IOS release of

Figure 2. Remote Access IPSEC VPN System

Distributed under creative commons license 4.0 DOI: https://doi.org/10.30564/jcsr.v3i1.2730 21

 Journal of Computer Science Research | Volume 03 | Issue 01 | January 2021

Table 1. Prerequisite Commands to Configure VPN

Feature Requirement Configuration Example

Router(config)# ip http secure-server

Router(config)# ip http authentication local

Router(config)# line vty 0 15

Secure access SSH and HTTPS
Router(config)# login local

Router(config-line)# transport input ssh

Router(config-line)# transport output ssh

Router(config)# ip http server

Router(config)# ip http authentication local

Router(config)# line vty 0 15

Non- Secure access Telnet and HTTP
Router(config)# login local

Router(config-line)# transport input telnet

Router(config-line)# transport output telnet

User privilege level 15 Router(config)# username admin privilege 15 secret 0 admin

12.2 (9) T or later. ing hardware from multiple vendors which supports in
(2) Cisco Layer 2/3 Switch for configuring LAN net- emulating the real behavior of real network and is free
works as well. It can be connected with real network too which
(3) Cisco Configuration Professional (CCP) v 2.6 means the networking devices configured on the GNS3
It is Graphical User interface based application to login can connect with Internet. The version of this tool is 1.3.11.
and configure the routers. Command Line Interface (CLI) Following
can also be used to access the routers through: are some minimum requirements to install this software
(1) Putty (for both console and telnet) in PC.
(2) Secure CRT (for both console and telnet)
(3) Hyperterminal (for console) Table 2. PC Requirements to Install GNS3
To run Cisco CP, a router configuration must meet the
Windows 7 (32/64 bit) and later, Mavericks (10.9)
requirements shown in Table 1. OS
and later, Any Linux Distro - Debian/Ubuntu
(1) Cisco VPN Client Software
(2) Web Browser, Java Runtime Environment (JRE), Processor Core 2 Duo and later release
and Flash Player
(3) Several Web browsers are supported by CCP Memory 2 GB RAM
Internet Explorer 6.0 and later versions
(4) The following JRE is supported by CCP 1 GB available space for installation and store
Storage
Java version “1.6.0_11” networking hardware’s OS
JRE Settings for Cisco CP
It is a network emulation software which is used to (5) PC System Requirements
design and build the networks without the requirement of Table lists the system requirements for a PC running
hardware. It runs the operating system (OS) of network- Cisco CP

22 Distributed under creative commons license 4.0 DOI: https://doi.org/10.30564/jcsr.v3i1.2730

 Journal of Computer Science Research | Volume 03 | Issue 01 | January 2021

Table 3. PC requirements for Cisco CP

System Component Requirement

Processor 2 GHz processor or faster

Random Access
1 GB DRAM minimum; 2 GB recommended
Memory

Hard disk available

400 MB
memory

Any of the following:

(1) Microsoft Windows 7-32 and 64 bit
(2) Microsoft Windows Vista Business Edition
Operating System
(3) Microsoft Windows Vista Ultimate Edition
(4) Microsoft Windows XP with Service Pack 3-32 bit
(5) Mac OSX 10.5.6 running Windows XP using VMWare 2.0

Screen Resolution 1024 X 768

3.3 IP Addressing Table 6. IP Address assignment to LAN and VBOX PC

In this network topology, Internet Protocol (IP) Ad- 192.168.100.11/24

WAN_A (LAN
dressing has been distributed statically and dynamically (DHCP)

to LAN and WAN networks. Table shows the IP Addresses Adapter) GW: 192.168.100.1
assigned to router, host PCs, and Internet Cloud.
10.10.10.1/24
Table 4. IP Address assignment to Router R1 IP
DISTRIBUTION_WANs WAN_B (VirtualBox_

IP DISTRIBUTION_R1
(DHCP)
LAN Interface (Inside) WAN Interface (Outside)
192.168.56.1)

Fa 2/0.5 Fa 2/0.10 Fa 0/0 Fa 1/0

GW: 10.0.2.1
192.168.1.254 192.168.2.254 192.168.100.254 10.10.10.254
/24 /24 /24 /24 Dynamic NAT with overload for single public IP ad-
dress has been implemented on the VPN router in order
to minimize the cost by utilizing only single public IP ad-
Table 5. IP Address assignment to host PCs
dress Internet connection to the LAN hosts. The following
table shows the NAT configuration done in VPN Server
PC 1 192.168.1.5/24
R1.
LAN_A The following table illustrates the IP address transla-
PC 2 192.168.1.10/24
(SW 1) tions after a host 192.168.2.1 reaches www.google.com.
IP DISTRIBUTION_ If we observe the Internet Control Message Pro-
PC 3 192.168.1.15/24
LANs tocol (ICMP) from the table above, the inside global
address of the host that just issue a ping command, is
PC 4 DHCP
LAN_B 192.168.100.254. This is the IP address to which the out-
(SW 2)
PC 5 DHCP
side network is addressing the particular inside host, even
though its exact IP address is the inside local 192.168.2.1.

Distributed under creative commons license 4.0 DOI: https://doi.org/10.30564/jcsr.v3i1.2730 23

 Journal of Computer Science Research | Volume 03 | Issue 01 | January 2021

Table 7. Output of NAT Translations

SERVER#show ip nat translations

Pro Inside global Inside local Outside local Outside global

udp 192.168.100.254:4501 192.168.2.1:14503 192.168.100.1:53 192.168.100.1:53

icmp 192.168.100.254:1024 192.168.2.1:17169 202.166.193.159:17169 202.166.193.159:1024

icmp 192.168.100.254:1025 192.168.2.1:17425 202.166.193.159:17425 202.166.193.159:1025

icmp 192.168.100.254:1026 192.168.2.1:17937 202.166.193.159:17937 202.166.193.159:1026

icmp 192.168.100.254:1027 192.168.2.1:18193 202.166.193.159:18193 202.166.193.159:1027

icmp 192.168.100.254:1028 192.168.2.1:18449 202.166.193.159:18449 202.166.193.159:1028

All the hosts are in this way provided access to the internet
using one public IP address 192.168.100.254.

3.4 System Verification

This section presents the verification of different prop-
erties of IPSEC VPN Server for the proposed system. It
has been further divided into two sub categories to verify
the secured network connectivity established from the
clients to the VPN server through VPN tunnel. The ver-
ification of this system has been done from two sides of
this system which are server and client side. The demon-
stration of this system verification has been presented
after one of the client has been able to connect to the VPN
Server and sending and receiving the network packets
through VPN Tunnel successfully.

3.5 VPN Server Figure 4. VPN Tunnel Connectivity between VPN Server
and Remote Client
In the above figure, the responsibility of VPN server is
playing by Cisco router named asVPN server. It is con-
3.5.1 IPSEC User Authentication, Accounting, and
nected to one switch which has been distributed to two
Authorization (AAA)
LANs. One is at the network of 192.168.1.0/24 whereas
other is at 192.168.2.0/24. Since the servers of enterprises Before going to look after IPSEC VPN establishment,
have to be secured, they have been separated from other
it needs to define authentication credentials for the remote
networks. It is connected to the Internet through Fa0/0
users who are associated with the company. It has defined
interface. All the PCs in inside networks has access to the
two users who are Ram as a student and John as a profes-
Internet even servers too. The main scope of this section
is to show the secured connection established by remote sor who has been associated with two group student and
users through VPN tunnel. professor respectively. Below table depicts the authentica-
Following figure represents the VPN connection be- tion credentials configured for remote user Ram and John
tween VPN server and Remote client. on VPN server.

24 Distributed under creative commons license 4.0 DOI: https://doi.org/10.30564/jcsr.v3i1.2730

 Journal of Computer Science Research | Volume 03 | Issue 01 | January 2021

Table 8. Username and Password Configuration in CLI deploying secured network system to the existing network
mode infrastructure of the Universities/Colleges and Enterprises.
This system has been realized in GNS3 emulator for the
EZVPN_SERVER#sh run | s username instance with three servers in one private network and
username ram@student privilege 15 secret others in another private network for professors, students,
5 $1$aHpU$lcOW3C6ITBIYDEmhsaJhg/ and IT admins. It is built with additional security to the
username john@professor privilege 15 secret 5 existing trends of network system in Institutional Organi-
$1$pfMe$nOk54rtQq35iGDk5j4rJt1 zation. The developed system is analogous to the current
network system of Universities. Considering GNS3 sys-
To hide the password, the password set for users has tem as the network system of Universities, the edge router
been encrypted. is the VPN server which is directly connected to the Inter-
net and two remote users, professor and student are con-
3.5.2 Peer Establishment Verification nected to the same Internet. It means that, with no VPN
It is to show that remote user has established VPN con- connection, any user whether the users from within the
nectivity by negotiating the security associations with University or outside only has access to visit the website
VPN server. The two figures mentioned below illustrates of University. Access to the file server and email server
that the remote peer 10.10.10.1 has successfully connected is restricted to anyone, except the IT admin for the pur-
to VPN server through VPN tunnel and the two commands pose of security. For remote users to access the file server
verify the currently established VPN tunnel from a remote through the Internet, they must have VPN user credentials
peer. which should be matched with VPN server to establish
VPN tunnel. Following results have been carried out after
Show crypto isakmp sa the establishment of IPSEC tunnel successfully:
(1) Remote User “Professor” has access to the file serv-
It shows the current Internet Security Association Key
er only and at the same time they have been provided ac-
Management Protocol (ISAKMP) Security Associations
cess to the Internet as well. All the traffic except the Inter-
(SAs) built between peers. In this figure, the output simply
net that is destined for file server will be traversed through
tells that an IPSEC tunnel has been successfully created
the VPN tunnel.
between 192.168.100.254 as the source tunnel point and
(2) Remote User “Student” doesn’t have access to the
destination 10.10.10.1 as tunnel end point. The state QM_
Internet and other servers except to the file server during
IDLE states that the tunnel is up and the IKE SA key ex-
the data traffic flow via VPN tunnel because of various se-
change is successful and is now actively ready to transfer
curity risks in order to secure the system from Trojans and
the data through the tunnel.
other viruses.
4. Discussion (3) The Network throughput is slightly lower for tun-
neled traffic in comparison to non-tunneled traffic due to
In this section, the discussions has been carried out in the overheads of encryption but not much variations was
the analysis of secure remote access IPSEC VPN during faced in the speed of data flow.
the implementation of it in GNS3 emulator. It also argues (4) Three virtual PCs have been deliberated as real serv-
on the problems and limitations in the designed system. ers for the system and access verification has been realized
This network system has been designed in one laptop through ICMP reachability, which performed successfully
machine where an emulator GNS3, CCP has been in- after the VPN connection.
stalled. This system has been designed based on the real (5) Finally, it has been concluded that user professor
time network in enterprises analogy. Here, the enterprise who has access to the Internet, and student that doesn’t
networks has been designed in GNS3 which works with have Internet connection during the VPN connection are
LAN adapter connected to the Internet through the laptop able to connect to the VPN server and File server remote-
machine. Two remote users have been assigned to connect ly and securely successfully which is the main goal of this
to the VPN server one from virtual PC where it has its research work.
operating system in Virtual Box and other is from another
laptop which is connected to the same Internet. 4.2 Contributions
The main scope of this system development is to con-
4.1 Summary of Results/Findings
tribute the secured remote access operations to enterprise
A secured system has been developed on the basis of network system from anywhere/anytime for only the

Distributed under creative commons license 4.0 DOI: https://doi.org/10.30564/jcsr.v3i1.2730 25

 Journal of Computer Science Research | Volume 03 | Issue 01 | January 2021

associated members of that organizations. Following con- ments and so on very securely from their home. It miti-
tributions have been deliberated on the deployment of this gates the risk factors of sharing confidential information
secured system: between professors and students publically. It solves the
(1) Everyone can access the organizational network technical problem of knowledge sharing and resource
devices and server remotely and securely from anywhere/ sharing, and really plays the library role in the sharing and
anytime depending on whom the authority has been pro- popularity of knowledge and resources in the whole soci-
vided in comparison to the current unsecured network ety.
system of Universities and Colleges Cisco Systems have provided customers with easy
(2) It is extremely strong in security for which no one to use software tools that assist system administrators.
has to hesitate in deploying this system Firewalls and VPN server configuration using Cisco CCP
(3) System Administrators can manage the internal sys- tool is smooth and simple. Most essentially, remote client
tem from anywhere/anytime configurations and setup is not much technical, so it can
(4) Professors can assign the class activities, upload the be easily configured by general user once the required au-
assignments, evaluate the performance of students from thentication information is provided.
home Internet
(5) Students who will be unable to show their presence References
in the class due to the personal problems can study, re- [1] Kajal, R., Saini, D., Grewal, K. Virtual Private Net-
motely access to the assignments and lab activities of that work. International Journal of Advanced Research in
day from anywhere/anytime securely Computer Science and Software Engineering. 2012,
(6) It offers no such vulnerabilities and risk factors 2(10), Retrieved from:
from the outside attacks like man-in-the-middle attack, http://www.ijarcsse.com/docs/papers/10_Oc-
DoS attack if configured properly with correct security tober2012/Volume_2_issue_10_October2012/
attributes V2I900209.pdf
[2] Sastry, A. IPSec VPN vs. SSL VPN: Comparing re-
4.3 Limitations
spective VPN security risks. 2011. Retrieved from
(1) It is required to have Cisco IOS software release TechTarget:
12.3 (11) T or later http://searchsecurity.techtarget.com/tip/IPSec-VPN-
(2) It needs VPN client software at remote users PC to vs-SSL-VPN-Comparing-respective-VPN-security-
authenticate and pass the security attributes to them risks
(3) Cisco Easy VPN IPSEC server works only for [3] Clayton, N., Pandya, H. M. VPN Over IPSEC. In
Cisco IOS Router, ASA, and PIX. It doesn’t work for the FreeBSD Handbook, 2016: 742. Retrieved from:
devices from other vendors https://www.freebsd.org/doc/handbook/ipsec.html
(4) The issues with IPSEC VPN are implementation [4] Kang, B., Balitanas, M. O. Vulnerabilities of VPN
issues, packet overhead, and processing overhead using IPSec and Defensive Measures. International
(5) The encryption and decryption services on the hun- Journal of Advanced Science and Technology, 2009,
dreds of megabytes of data flowing through the equip- 8: 9-18.
ment requires quite a bit of processing power and which [5] Ssycxz. Overview of VPN - Evolution of Private
leads to higher processing loads Networks, 2016. Retrieved from:
http://ssycxz.kinja.com/overview-of-vpn-evolution-
(6) It is time consuming for the system administrators
of-private-networks-1763248734
to configure individual and group access rules
[6] Cisco Systems. CCNA Security Course Booklet Ver-
(7) If it is lightly configured, meaning if no valid certifi-
sion 1.0. Indianapolis: Cisco Press, 2009.
cates are used, then it poses a huge security risk
[7] Powell, J. M. The Impact of Virtual Private Network
5. Conclusion and Future Work (VPN) on Acompany’s Network, 2010. Retrieved
from:
Remote Access IPSEC VPN allows remote users in http://digitalcommons.usu.edu/cgi/viewcontent.
different locations to establish secure connections with cgi?article=1056&context=honors
universities network. These users can access the secure [8] Singh, Y., Chaba, Y., Rani, P. Integrating - VPN and
resources on that network as if they were directly plugged IDS - An approach to Networks Security. Internation-
into the network’s servers. In the University, students can al Journal of Computer Science and Security, 2007,
easily access the e-library resources, class notes, assign- 1(3): 1-13. Retrieved from:

26 Distributed under creative commons license 4.0 DOI: https://doi.org/10.30564/jcsr.v3i1.2730

 Journal of Computer Science Research | Volume 03 | Issue 01 | January 2021

http://www.cscjournals.org/ tocol. 2012 Second International Conference on Ad-

[9] Rouse, M. IPsec (Internet Protocol Security), 2010. vanced Computing & Communication Technologies,
Retrieved from TechTarget: 2012: 176-181.
http://searchmidmarketsecurity.techtarget.com/defi- Rohtak: IEEE. DOI: 10.1109/ACCT.2012.64
nition/IPsec [16] Qu, W., Srinivas, S. IPSec-based secure wireless vir-
[10] Rehman, M. H. Design and Implementation of Mo-
tual private network. MILCOM 2002. Proceedings,
bility for Virtual Private Network Users. Global Jour-
2002, 2, 1107-1112.
nal of Computer Science and Technology Network,
DOI: 10.1109/MILCOM.2002.1179632
Web & Security, 2013, 13(9): 34-39. Retrieved from:
https://globaljournals.org [17] Sun, S. H. The Advantages and the Implementation
[11] Deal, R. Key Exchange. Retrieved from The Com- of SSL VPN. 2011 IEEE 2nd International Confer-
plete Cisco VPN Configuration Guide, 2005: ence on Software Engineering and Service Science.
h t t p : / / w w w. f e n g n e t . c o m / b o o k / v p n c o n f / Beijing: IEEE, 2011: 548- 551.
ch02lev1sec4.html DOI: 10.1109/ICSESS.2011.5982375
[12] VelMurugan. What is ISAKMP, 2008. Retrieved [18] Lee, H., Nah, J., Jung, K. The Remote Access to IP-
from: sec-VPN Gateway over. The 7th International Con-
http://discuss.itacumens.com/index. ference on Advanced Communication Technology,
php?topic=32692.0 2005: 567- 569. Taejeon: IEEE.
[13] Maughan, D. Internet Security Association and Key
DOI: 10.1109/ICACT.2005.245934
Management Protocol (ISAKMP), 1998. Retrieved
[19] Kim, B.-J., Srinivasan, S. Simple Mobility Support
from:
for IPsec Tunnel Mode. 2003, 3: 1999-2003.
https://tools.ietf.org/html/rfc2408
[14] Oliver, P. G. Making Sense of Split Tunneling. Re- DOI: 10.1109/VETECF.2003.1285375
trieved from Infosec ISLAND, 2013: [20] Lakbabi, A., Orhanou, G., Hajji, S. E. VPN IPSEC
http://www.infosecisland.com/blogview/22859-Mak- & SSL Technology. 2012 Next Generation Networks
ing-Sense-of-Split- Tunneling-.html and Services NGNS. Agdal: IEEE, 2012: 202-208 .
[15] Dhall, Batra, Rani, a. Implementation of ipsec pro- DOI: 10.1109/NGNS.2012.6656108

Distributed under creative commons license 4.0 DOI: https://doi.org/10.30564/jcsr.v3i1.2730 27