WEBVTT

00:08.580 --> 00:09.660
SSL.

00:10.780 --> 00:10.910
In.

00:12.910 --> 00:13.480
Until now.

00:13.480 --> 00:18.520
Whatever you've been doing until now, that's been like three weeks already.

00:18.910 --> 00:21.610
You've only been working with which VPN?

00:21.640 --> 00:22.480
IPsec VPN.

00:23.810 --> 00:24.740
Epicyclic gear, right?

00:25.880 --> 00:28.520
If you remember IPsec VPN, what layer VPN is it?

00:28.520 --> 00:29.300
What was it?

00:34.240 --> 00:34.720
L3.

00:36.950 --> 00:38.390
Why was it an L3 VPN?

00:38.900 --> 00:39.890
Because.

00:41.910 --> 00:42.330
Exactly.

00:42.330 --> 00:47.430
You had an internal header, an internal IP address.

00:48.060 --> 00:50.880
Then on top of this, you had.

00:56.660 --> 01:00.260
So it was protecting your packet from layer three onwards.

01:01.070 --> 01:03.970
So you may have UDP here or ICMP here.

01:03.980 --> 01:05.060
It did not matter.

01:06.960 --> 01:08.710
Leipzig, it did not matter.

01:08.720 --> 01:14.750
We saw all the different varieties of IPsec VPN, but all of them were starting from layer three onwards.

01:15.890 --> 01:16.100
Right.

01:18.380 --> 01:19.430
With SSL VPN.

01:19.460 --> 01:20.780
This is the difference.

01:22.500 --> 01:25.980
SSL VPN does not work on layer three.

01:30.060 --> 01:32.340
The encryption actually happens on layer seven.

01:32.910 --> 01:35.280
The encryption happens on layer seven.

01:35.280 --> 01:44.250
So it's like when you're sending traffic from 151.3.3 to 151.20.2.

01:45.560 --> 01:46.610
Source port.

01:46.640 --> 01:47.090
X.

01:47.090 --> 01:48.110
X x.

01:48.140 --> 01:53.060
The destination port for SSL VPN is going to be TCP.

01:53.090 --> 01:53.450
What?

01:55.360 --> 01:56.680
443.

01:58.010 --> 01:59.060
Heard about it before.

02:01.370 --> 02:02.540
HTTPS.

02:03.780 --> 02:03.980
Mr..

02:04.410 --> 02:04.920
It's not.

02:05.220 --> 02:07.710
It's not actually HTTPS, it's just HTTP.

02:07.740 --> 02:09.030
This SSL makes them.

02:10.340 --> 02:12.110
Makes HTTP into HTTPS.

02:12.820 --> 02:14.530
It's actually a VPN.

02:15.400 --> 02:19.930
Whenever you're opening your Facebook page, you're opening your Gmail page, you're actually opening

02:19.930 --> 02:21.160
creating a VPN.

02:21.190 --> 02:24.130
You don't realize it, but you're actually doing it.

02:25.580 --> 02:25.970
Right.

02:25.970 --> 02:28.070
And whatever is inside here.

02:29.640 --> 02:30.540
Is encrypted.

02:33.050 --> 02:39.680
All your information, your credit card details, everything else, wherever you're entering, is here.

02:41.350 --> 02:42.700
And it is secure.

02:44.030 --> 02:45.830
Right and famous.

02:47.110 --> 02:49.320
Much more famous than IPsec VPN.

02:50.170 --> 02:54.910
One of the reasons why is because it uses this port number of.

02:57.020 --> 03:06.230
443 is very well known out there and there is very seldom a chance that any router or any other firewall

03:06.260 --> 03:09.230
out there would stop this traffic.

03:09.410 --> 03:12.990
Nowadays, it's virtually impossible because everything works on 443.

03:14.760 --> 03:16.960
If you stop this, people go to their rooms.

03:16.960 --> 03:20.650
They cannot use, what, they cannot use Facebook, Gmail, all those things.

03:20.650 --> 03:23.680
They'll complain about it and you'll have to make sure that this works.

03:23.680 --> 03:30.370
But with IPsec, what usually happens as a problem is, say for example, you go to a hotel room.

03:33.430 --> 03:35.860
You go to a hotel, right?

03:37.460 --> 03:42.410
And it's connected through a router to the Internet.

03:45.080 --> 03:47.840
Right, now this router, because it's a small hotel.

03:48.380 --> 03:51.020
This router can be a very cheap one.

03:52.660 --> 03:57.820
Right, which by default will not allow ESP packets to go through.

03:59.820 --> 04:05.490
If you go to this hotel and you try to connect up your Internet, maybe you wanted to create a connection,

04:05.520 --> 04:07.320
a VPN connection to your company.

04:08.970 --> 04:09.350
Right.

04:09.360 --> 04:11.580
When you try to do it, it doesn't go through.

04:11.610 --> 04:12.240
Why?

04:12.270 --> 04:13.890
Because the router doesn't allow it.

04:16.060 --> 04:19.300
ESP is a protocol which not a lot of people know about, right?

04:19.600 --> 04:24.610
I mean, for a layman, he wouldn't know what ESP is and what SSL is.

04:24.760 --> 04:27.960
But what he would know is Facebook has to be allowed through.

04:29.590 --> 04:29.790
Right.

04:29.800 --> 04:31.390
That's why HTTPS.

04:34.370 --> 04:35.900
Which is 443.

04:37.430 --> 04:40.340
Is quite famous because it's more common.

04:41.000 --> 04:43.640
So people prefer this over IPsec.

04:44.650 --> 04:47.040
IPsec for site-to-site connectivity and everything, no doubt.

04:47.070 --> 04:48.930
IPsec is very nice, very good.

04:49.050 --> 04:51.030
But remote access VPNs.

04:51.940 --> 04:54.190
When I say remote access, I'm talking about what?

04:54.550 --> 04:56.710
I'm talking about a server.

04:58.250 --> 05:01.430
Through the Internet and a client sitting at home.

05:01.760 --> 05:02.900
Remote Access VPN.

05:04.110 --> 05:05.550
You access your sites remotely?

05:06.890 --> 05:11.900
But for that implementation, SSL is gaining more popularity than.

05:14.720 --> 05:15.140
Even.

05:17.360 --> 05:17.630
Of it.

05:17.840 --> 05:19.670
Plus then you can do other stuff later.

05:19.670 --> 05:21.880
You can combine it with a SecurID server.

05:21.890 --> 05:28.340
You can combine it with OTP servers for OTP for RSA tokens and all those different things.

05:29.150 --> 05:29.620
Right.

05:29.630 --> 05:33.230
Let's have a look at how this actually happens, how this actually works.

05:34.220 --> 05:36.520
There's a handshake just like IPsec had.

05:36.530 --> 05:41.330
What? It had those nine packets, phase one, phase two, then all those modes.

05:41.330 --> 05:43.190
Quick mode, aggressive mode, main mode.

05:43.370 --> 05:43.820
Right.

05:43.820 --> 05:44.900
Just like that.

05:45.820 --> 05:48.460
SSL also creates a handshake.

05:49.710 --> 05:51.660
It's called an SSL handshake.

05:52.080 --> 05:53.220
An SSL handshake.

05:53.550 --> 05:54.960
So you have a server.

05:58.840 --> 06:00.040
And you have a client.

06:04.880 --> 06:09.800
You have a server and the client like they want to communicate to each other, right?

06:09.830 --> 06:10.910
The first thing.

06:10.910 --> 06:12.500
Who initiates this connection?

06:13.730 --> 06:19.190
Always the client in remote access VPN, it's always the client using a message we call it.

06:21.370 --> 06:22.060
Client.

06:23.640 --> 06:23.970
Hello.

06:25.730 --> 06:28.340
The client sends out a message saying, Client, Hello.

06:28.340 --> 06:29.840
Now what does this message have?

06:29.870 --> 06:37.070
It has all the policies that the client is going to use for encryption, for hashing, all that.

06:37.740 --> 06:41.730
Just like your IPsec had all the policies that they were going to use.

06:41.730 --> 06:44.370
Now in SSL VPN, also you have choices.

06:44.370 --> 06:46.050
Do you want to use AES-128?

06:46.080 --> 06:48.030
Do you want to use AES-256?

06:48.060 --> 06:49.530
Do you want to use 3DES?

06:51.000 --> 06:52.230
It is still symmetric.

06:53.640 --> 06:54.840
It's still symmetric.

06:55.230 --> 06:57.150
The encryption decryption is symmetric.

06:57.210 --> 06:59.910
But how do you negotiate it in the.

06:59.910 --> 07:00.210
Hello?

07:01.380 --> 07:04.470
I'm also going to say which version of SSL am I going to use?

07:04.470 --> 07:07.020
Now, there are certain versions out there.

07:07.140 --> 07:11.580
SSL version 1, 2, 3: 1.0, 2.0, 3.0.

07:11.760 --> 07:14.060
Then it was replaced, not replaced.

07:14.070 --> 07:21.990
They both work together, so sometimes you may see TLS 1.0, 1.1, 1.2; 1.3 is under.

07:22.020 --> 07:26.430
They just released the draft for it for 1.3 in this month.

07:26.460 --> 07:31.770
Beginning of this month they release the draft of 1.3, but right now 1.2 is the latest one.

07:32.910 --> 07:34.700
So that's what the client also says.

07:34.710 --> 07:36.750
It says, okay, I support version.

07:36.750 --> 07:38.670
Let's say it supports these two versions.

07:39.770 --> 07:44.090
So it says, these are the versions I support and these are the set of policies which I want.

07:44.120 --> 07:45.380
Let's say 3DES.

07:46.490 --> 07:47.040
And SHA.

07:49.670 --> 07:50.630
Sends it also along.

07:50.630 --> 07:51.230
Where?

07:51.230 --> 07:51.890
In the client.

07:51.920 --> 07:52.190
Hello.

07:54.120 --> 07:54.440
Okay.

07:54.450 --> 07:55.410
Simple packet.

07:55.560 --> 07:57.490
The server will accept the client.

07:57.510 --> 07:57.990
Hello.

08:01.840 --> 08:06.280
Choose the highest one that it supports among the ones which the client supports.

08:06.280 --> 08:10.720
So if the client supports 1.2 and 1.0, the server only has 1.0.

08:10.750 --> 08:13.570
They will go down to 1.0, both of them.

08:14.870 --> 08:19.310
Right, whichever is the highest compatible between them, they'll choose that.

08:19.310 --> 08:21.770
So the server will reply with.

08:23.410 --> 08:23.980
This version.

08:23.980 --> 08:29.260
Let's say they choose TLS 1.0, depending upon the browser and all those things.

08:29.290 --> 08:31.330
A lot of things then.

08:32.310 --> 08:34.550
He was supporting 3DES, AES and all those things.

08:34.560 --> 08:37.980
Out of that, I support 3DES and.

08:38.830 --> 08:39.100
Yeah.

08:41.350 --> 08:43.180
This packet is known as server.

08:47.590 --> 08:48.340
Server Hello.

08:50.260 --> 08:50.400
It.

08:51.740 --> 08:53.540
Then it waits again.

08:54.200 --> 08:56.240
The client doesn't send, it's not 1 to 1.

08:56.240 --> 08:57.830
So you send one and the client sends one.

08:57.950 --> 08:58.310
No.

08:59.330 --> 09:00.680
The client has sent a packet.

09:00.920 --> 09:03.350
It's the server's job to send.

09:06.550 --> 09:09.520
PKI certificate.

09:10.600 --> 09:10.960
Remember.

09:14.240 --> 09:19.250
Remember, we got your public key signed by the server.

09:19.610 --> 09:23.180
Once you have those signed keys, then you can use it for identification.

09:23.450 --> 09:30.290
We used it in IPsec VPN, but the only reason why we used this was for validation.

09:31.560 --> 09:33.270
We never use that key, right?

09:33.540 --> 09:37.170
Do you remember last time the key size that we created was 512 bits?

09:37.320 --> 09:39.440
Because I told you that we are not going to use the key.

09:39.450 --> 09:44.850
The only thing that we are going to use is the CA, who signed this key; that was more important at

09:44.850 --> 09:45.540
that time.

09:45.690 --> 09:47.490
But here the key will matter.

09:48.890 --> 09:50.260
The key will matter here.

09:50.270 --> 09:51.530
The CA is the same.

09:51.800 --> 09:56.630
So what the server will do is create a section, create a set of keys.

09:57.850 --> 09:59.110
A public and a private.

10:00.130 --> 10:01.120
Get the public key.

10:01.150 --> 10:01.870
Signed by whom?

10:07.860 --> 10:08.480
By the CA.

10:08.490 --> 10:11.220
The CA will sign it with the CA's private key.

10:12.000 --> 10:14.340
It will be signed with VeriSign's private key.

10:14.790 --> 10:18.420
Then when the client is asking for a connection, the server offers him.

10:18.420 --> 10:18.720
What?

10:20.470 --> 10:21.280
The certificate.

10:22.590 --> 10:24.960
It will be valid only if.

10:27.430 --> 10:30.820
The client trusts whom? The CA server.

10:32.330 --> 10:36.710
If the client trusts VeriSign, you will get the green mark.

10:38.010 --> 10:38.850
On your browser.

10:39.600 --> 10:46.350
If the client, if your browser does not trust your server, if you got it signed from.

10:49.670 --> 10:52.070
Anywhere else let's say gopalan.com.

10:54.430 --> 10:56.200
Got it signed from gopalan.com.

10:56.800 --> 10:57.340
I don't know.

10:57.340 --> 10:57.910
It's just a name.

10:59.230 --> 11:06.220
Now in your Chrome browser, or any browser which you're using, you wouldn't have the root

11:06.220 --> 11:07.100
certificate of Gopalan.

11:07.480 --> 11:11.530
Gopalan. If you don't have the root certificate, you don't trust Gopalan.

11:11.620 --> 11:16.210
So when the server shows you the message, you get a red icon.

11:17.440 --> 11:21.670
On the top left corner which says proceed at your own risk.

11:23.290 --> 11:26.500
You want to proceed at your own risk because we don't know this server.

11:26.500 --> 11:31.390
So whatever information you might send to him, there is a possibility that he might be able to see

11:31.390 --> 11:31.660
it.

11:34.720 --> 11:39.550
Okay, so that's what the server does and you will not move further in SSL.

11:39.850 --> 11:41.590
If this is green, it's all right.

11:41.590 --> 11:42.430
You'll move further.

11:42.580 --> 11:46.090
If it's not, it will be stuck unless you say yes.

11:48.360 --> 11:49.830
Unless you proceed, it'll be stuck.

11:49.830 --> 11:50.170
Where?

11:50.190 --> 11:50.670
Here.

11:50.670 --> 11:51.600
At this stage.

11:53.730 --> 11:57.570
At the third packet where the server sends a certificate.

11:57.690 --> 12:01.530
Once he sends such a certificate, you accept it, all right.

12:01.650 --> 12:04.920
Also remember the certificate also has what? The public key.

12:05.600 --> 12:07.010
It can be 1024 bits.

12:09.410 --> 12:11.270
Inside, the public key is there.

12:11.840 --> 12:13.910
Now, once this is done.

12:16.320 --> 12:18.060
Now in general cases.

12:19.680 --> 12:24.330
Once you send the certificate, the server will send another packet which is known as server.

12:25.730 --> 12:26.420
Hello.

12:27.830 --> 12:28.060
Done.

12:31.680 --> 12:34.200
To the client basically saying, I'm done.

12:34.230 --> 12:35.910
You accepted my certificate.

12:35.940 --> 12:37.020
Well, and good.

12:37.260 --> 12:37.740
I'm fine.

12:37.740 --> 12:38.820
I've done my job.

12:39.810 --> 12:40.700
It's your job now.

12:40.710 --> 12:42.630
I mean, the ball is in your court.

12:43.790 --> 12:47.750
Now it's the client's responsibility to move the handshake further.

12:48.170 --> 12:49.580
How does the client do it?

12:50.480 --> 12:56.810
The client will send out, we call it a pre-shared, pre-master key, not pre-shared.

13:02.920 --> 13:06.340
Now they both agree on an encryption standard, right?

13:06.520 --> 13:08.950
Say, for example, they both agreed on 3DES.

13:13.100 --> 13:14.540
And they both agreed on.

13:16.300 --> 13:16.430
SHA.

13:17.080 --> 13:21.280
But they still need the key. In IPsec, who provided the key?

13:23.050 --> 13:23.470
DH.

13:25.110 --> 13:28.770
The exchange automatically provided the key. Here,

13:28.800 --> 13:33.960
The client is going to create the key, not the complete key.

13:34.530 --> 13:35.460
Half of the key.

13:37.500 --> 13:41.190
With some random numbers is going to create that part of the.

13:43.110 --> 13:44.160
And send it back.

13:44.160 --> 13:44.670
To whom?

13:46.290 --> 13:47.490
To the server.

13:48.180 --> 13:49.290
But you might ask the question.

13:49.290 --> 13:51.090
I mean, you're sending it across.

13:52.600 --> 13:53.920
You're sending it across.

13:53.950 --> 13:55.210
Isn't that dangerous?

13:55.240 --> 13:56.950
Sending it across the public environment.

13:57.730 --> 13:58.240
Encrypted.

13:58.240 --> 13:58.930
Using what?

14:02.690 --> 14:03.020
No, no.

14:03.020 --> 14:04.520
That's what they're going to use.

14:05.980 --> 14:08.650
If I even encrypt it, how will the server decrypt it?

14:08.680 --> 14:09.670
He doesn't have the key.

14:10.920 --> 14:11.970
I will encrypt you.

14:11.970 --> 14:13.140
Right when you say you encrypted.

14:13.140 --> 14:14.430
But not with that.

14:14.460 --> 14:16.140
What will I use to encrypt it?

14:17.600 --> 14:18.380
The public.

14:19.530 --> 14:20.430
The public.

14:21.300 --> 14:26.010
The 1024 bit key which you received earlier, you will use that to encrypt this pre-shared key.

14:27.850 --> 14:28.510
Pre-master.

14:29.840 --> 14:31.610
And then send it to the other side.

14:31.640 --> 14:32.750
Why is this good?

14:32.780 --> 14:36.650
Because this encryption 1024 bits is huge.

14:36.980 --> 14:39.800
And most of the times now you don't even use 1024 bits.

14:39.830 --> 14:41.060
Now you use 2048.

14:42.110 --> 14:43.640
And you remember the video, right?

14:44.480 --> 14:47.270
Billions and billions of years to crack that.

14:49.370 --> 14:50.970
The server will be sending a public.

14:52.530 --> 14:52.800
Hello?

14:53.460 --> 14:54.000
Along with.

14:54.720 --> 14:56.280
No, the server wouldn't do that.

14:56.400 --> 15:05.040
The server only sends the public key, which is signed by the CA. The certificate; in the certificate

15:05.040 --> 15:05.670
is the key.

15:06.480 --> 15:07.080
The public.

15:13.750 --> 15:16.510
Yeah, it'll be signed by the private key of VeriSign.

15:16.690 --> 15:17.690
That's a separate thing.

15:17.710 --> 15:18.880
That'll be the thumbprint.

15:19.270 --> 15:20.140
That's a separate thing.

15:20.170 --> 15:22.540
It will also have if you check.

15:22.570 --> 15:23.620
Let's open a website.

15:35.980 --> 15:36.760
Let's check here.

15:37.390 --> 15:38.190
Facebook, right?

15:39.560 --> 15:40.550
If you go to connection.

15:43.980 --> 15:45.060
We'll go to the connection.

15:48.490 --> 15:53.410
You see what it's using, and it's not using SHA, it's using Ecdc.

15:53.800 --> 15:54.580
Ecdc.

15:54.610 --> 15:58.120
This is elliptic curve and it's a new variation of it.

15:58.390 --> 16:00.670
It's using TLS 1.2.

16:00.820 --> 16:02.980
If you go to the certificate which was given to you.

16:04.790 --> 16:06.170
This is the certificate, right?

16:07.690 --> 16:10.060
Eventually in the certificate will also have.

16:11.170 --> 16:11.890
A public.

16:13.750 --> 16:16.960
Right now they're using EC, curve something.

16:17.590 --> 16:19.030
It's a new thing, I think.

16:19.270 --> 16:19.510
Yeah.

16:20.170 --> 16:24.910
So what we are going to be using is RSA 1024, 2048.

16:25.090 --> 16:26.680
You can use these.

16:26.680 --> 16:31.900
You can use the newer ones I showed you yesterday, if you remember right, the newer versions have

16:31.900 --> 16:32.860
been included in there.

16:33.130 --> 16:34.120
This is what it is.

16:34.600 --> 16:37.660
So you have the name, it should be here somewhere.

16:39.070 --> 16:39.460
Yeah.

16:39.460 --> 16:39.830
There you go.

16:39.850 --> 16:40.360
DigiCert.

16:40.540 --> 16:44.020
But you're able to see it because it has already been decrypted.

16:44.920 --> 16:46.020
How did you decrypt it?

16:46.030 --> 16:47.860
You have the public key, you use that to decrypt.

16:47.860 --> 16:49.240
That's how you can see the certificate.

16:50.660 --> 16:50.960
Right.

16:50.960 --> 16:54.050
The important part of the certificate is the public key.

16:54.410 --> 16:55.820
Earlier we never used it.

16:55.850 --> 16:57.020
Now we are going to use it.

16:58.480 --> 17:01.920
So we'll decrypt, encrypt the pre-master.

17:02.530 --> 17:03.090
Right.

17:03.130 --> 17:05.650
We'll encrypt it using this and send it to whom?

17:05.770 --> 17:07.150
To the server.

17:07.510 --> 17:12.100
The only one person in the world who can decrypt this is the one who has the private key, which is

17:12.100 --> 17:13.630
only with the server.

17:15.660 --> 17:18.030
So the server will give out the public key.

17:19.410 --> 17:20.460
We'll go back.

17:21.990 --> 17:23.790
And send this key to the other side.

17:23.790 --> 17:25.350
So when you see the server.

17:27.060 --> 17:30.180
Eventually what the server will do is.

17:35.860 --> 17:37.180
It was encrypted, right?

17:37.360 --> 17:38.950
It will use its private key to.

17:39.800 --> 17:40.340
Decrypt it.

17:46.180 --> 17:47.410
Client key exchange.

17:47.830 --> 17:48.970
I think I have a document.

18:00.580 --> 18:01.000
Server.

18:01.030 --> 18:01.340
Hello.

18:01.390 --> 18:02.140
First is client.

18:02.140 --> 18:03.460
Hello from the client.

18:03.490 --> 18:06.760
Now he's considering this side to be the client and this side to be the server.

18:06.760 --> 18:09.640
So you have SSL version, supported ciphers.

18:09.640 --> 18:12.830
And what is the specific data coming back?

18:12.850 --> 18:13.990
You just choose on what?

18:14.020 --> 18:20.200
What version of SSL I've chosen, selected cipher is, or 3DES.

18:20.290 --> 18:24.430
Then you have session specific data and server certificate sent by whom?

18:24.880 --> 18:26.920
The server sends out a certificate.

18:26.950 --> 18:32.290
Then it says that hello has been, hello is done, pre-master secret sent by.

18:32.650 --> 18:33.420
Sent by whom?

18:33.430 --> 18:35.510
The client to the server.

18:35.530 --> 18:37.240
Now there may be cases.

18:37.630 --> 18:44.500
There may be cases out there where the server also asks for a certificate from the client.

18:45.860 --> 18:47.690
For high security mode in the company.

18:47.690 --> 18:52.960
What you would usually do is you would have the server and the client both negotiate on certificates.

18:52.970 --> 18:57.980
So the server will give out a certificate, but it will also ask for a certificate from the client.

18:58.010 --> 18:59.390
That is done here.

18:59.420 --> 19:03.980
When the server is sending the hello, right when he sends out a certificate, he will also send out

19:03.980 --> 19:05.360
a certificate request.

19:06.370 --> 19:12.400
And the client after the pre master secret will also give out what its own certificate.

19:13.290 --> 19:14.040
For validation.

19:14.040 --> 19:14.520
That's it.

19:16.250 --> 19:18.230
Only to validate the client. Is

19:18.470 --> 19:20.540
Is this actually who he says it is?

19:21.740 --> 19:23.030
Usually done in production.

19:24.220 --> 19:24.700
Okay.

19:24.700 --> 19:29.020
Then both of them will create their keys since they already have everything else.

19:29.020 --> 19:31.210
So they will create their set of keys.

19:31.370 --> 19:33.220
Then I don't think this is complete.

19:34.820 --> 19:42.000
Once they complete the keys, they have, the client will have, the client sends this, right.

19:42.020 --> 19:45.230
After that, the client will send out another packet.

19:45.230 --> 19:46.400
We call it change.

19:49.480 --> 19:50.050
Cipher.

19:52.050 --> 19:52.620
Suite.

19:54.050 --> 19:54.830
And then.

19:55.730 --> 19:56.870
Encrypted message.

19:58.810 --> 19:59.410
Client.

20:00.790 --> 20:01.050
Done.

20:02.810 --> 20:08.060
Change cipher suite means after this, whatever message I'm going to send is going to be encrypted.

20:08.940 --> 20:13.890
Because since both of them have the key, client change cipher means let's change to the cipher.

20:15.150 --> 20:16.020
After this.

20:16.050 --> 20:18.990
Let's change to the cipher suite.

20:19.140 --> 20:21.690
And then the last message that you send is encrypted.

20:22.200 --> 20:22.950
After that.

20:24.710 --> 20:28.130
Which is done basically saying handshake is done from my end.

20:28.250 --> 20:30.590
You're sending that encrypted because you have the.

20:31.040 --> 20:34.280
The server will do the exact same thing the moment he receives this.

20:34.310 --> 20:37.490
The server will send its own change cipher suite and.

20:38.900 --> 20:39.230
Seven.

20:41.020 --> 20:42.940
The change cipher suite and server.

20:44.260 --> 20:44.590
This.

20:44.590 --> 20:45.820
The server sends it back.

20:47.230 --> 20:47.670
Okay.

20:47.680 --> 20:49.330
Just a quick overview again.

20:52.870 --> 20:56.550
Now, this one right now, the one which you are using is RSA.

20:56.560 --> 20:58.090
We're using RSA, remember?

20:58.090 --> 20:59.050
We're not using.

21:00.800 --> 21:01.640
To exchange the keys.

21:01.640 --> 21:03.160
We are using RSA.

21:03.200 --> 21:06.800
How I'm sending the public key is, encrypted using the public key.

21:06.830 --> 21:07.790
Sending it back to me.

21:08.060 --> 21:11.090
There are possibilities where you can use TLS.

21:11.120 --> 21:15.380
Sorry, you can use DH, you can use elliptic curve.

21:17.480 --> 21:17.850
Right?

21:17.900 --> 21:20.420
SSL by default only supported RSA.

21:21.290 --> 21:26.220
TLS supports the use of DH and all those other different things.

21:26.240 --> 21:29.630
They're more working on TLS now rather than SSL.

21:31.510 --> 21:33.460
Do you know who created this SSL?

21:34.600 --> 21:36.550
How did it come into existence?

21:37.590 --> 21:38.650
You remember that browser?

21:38.650 --> 21:40.480
Netscape, Netscape Navigator.

21:41.440 --> 21:45.930
They are the ones who actually created SSL VPN for.

21:46.240 --> 21:50.980
They wanted to protect the Http sessions, so they created their own version of Https.

21:51.610 --> 21:54.340
Later it became common and people adopted it.

21:55.310 --> 21:57.230
It was them, the browser which no one uses.

22:03.000 --> 22:03.450
Right.

22:05.220 --> 22:10.110
What was the first packet which goes through? From which side does the first packet originate? From

22:10.110 --> 22:10.740
the client.

22:11.010 --> 22:12.090
Which is what?

22:12.330 --> 22:12.690
Client.

22:12.720 --> 22:13.070
Hello.

22:13.080 --> 22:15.870
With all the policies the server replies with his.

22:15.870 --> 22:16.350
Hello.

22:16.350 --> 22:18.240
So this is packet number one.

22:18.360 --> 22:19.380
Packet number two.

22:19.410 --> 22:20.820
Packet number three from the server.

22:20.820 --> 22:21.840
Again saying what?

22:22.230 --> 22:23.730
This is my certificate.

22:23.760 --> 22:25.140
This is my public key.

22:25.170 --> 22:26.100
Please accept it.

22:26.550 --> 22:27.470
You accept it.

22:27.480 --> 22:30.480
It might also ask for another certificate from the other side.

22:30.510 --> 22:33.090
Then the fourth packet is server.

22:33.090 --> 22:33.360
Hello.

22:33.360 --> 22:33.660
Done.

22:33.660 --> 22:34.440
I'm done with my.

22:34.440 --> 22:35.010
Hello.

22:35.040 --> 22:35.970
My job is done.

22:35.970 --> 22:39.690
Now it's your turn the client sends.

22:41.070 --> 22:44.220
Pre-master key encrypted using the public.

22:45.760 --> 22:47.020
Encrypted using the public.

22:47.140 --> 22:53.530
Then we call it client key exchange, then sends a change cipher suite and client.

22:53.560 --> 22:54.070
Hello.

22:56.370 --> 22:57.390
The server will do the same.

22:57.390 --> 23:00.840
So this is packet number five, six seven.

23:00.960 --> 23:02.340
The server will do the same.

23:04.410 --> 23:05.670
Change cipher suite, and

23:07.800 --> 23:08.340
Server.

23:08.820 --> 23:09.180
Server.

23:12.710 --> 23:13.910
Your handshake is complete.

23:16.530 --> 23:17.010
Okay.

23:18.490 --> 23:19.120
Good enough.

23:20.030 --> 23:25.370
Now, again, if this is how it happens, let's have a look at the topology that I'm going to use.

23:27.630 --> 23:28.800
This is my topology.

23:29.850 --> 23:33.540
My router R2 here is going to be the SSL VPN.

23:35.840 --> 23:36.290
Gateway.

23:40.400 --> 23:41.510
And my client.

23:41.510 --> 23:43.430
Here is the loopback of my PC.

23:44.210 --> 23:47.390
The loopback is trying to create a connection with R2.

23:48.830 --> 23:51.080
Now this connection will be.

23:51.910 --> 23:52.540
Through SSL.

23:55.580 --> 24:00.110
Before we go there, we have to understand the different implementations.

24:00.710 --> 24:01.820
Of SSL VPN.

24:01.910 --> 24:04.550
There are three main implementations of SSL VPN.

24:04.580 --> 24:05.870
Can anyone guess what?

24:09.640 --> 24:10.990
There's one called Thin Client.

24:14.130 --> 24:14.400
Sorry.

24:14.400 --> 24:15.840
The first one will be called.

24:18.100 --> 24:19.000
Clientless.

24:21.590 --> 24:22.940
Second is thin client.

24:24.830 --> 24:26.810
The third is thick.

24:30.100 --> 24:38.130
Client. Clientless is a way where you configure the VPN so that the client doesn't have to do anything.

24:38.430 --> 24:42.780
All the client would require to connect up to the VPN Gateway is a browser.

24:43.710 --> 24:46.560
If you have a browser, you can connect to the VPN.

24:47.160 --> 24:48.030
Clientless.

24:49.090 --> 24:52.150
But as you guessed, it does not support all the protocols.

24:53.270 --> 24:58.670
So it won't give you the flexibility of IPsec VPN, but it's easier on the client.

24:58.670 --> 25:02.990
You can send traffic like HTTP, FTP.

25:05.660 --> 25:06.830
CIFS.

25:07.810 --> 25:08.230
True.

25:10.680 --> 25:11.160
Who that?

25:12.560 --> 25:16.970
So the HTTP becomes HTTPS, FTP becomes SFTP.

25:18.780 --> 25:19.920
Because you're sending it through the.

25:21.580 --> 25:23.620
Your actual protocol will still be HTTP.

25:23.830 --> 25:27.370
It's just that because it will go through the tunnel, it will be protected.

25:29.410 --> 25:29.890
Okay.

25:30.130 --> 25:32.890
Doesn't support a lot of protocols.

25:34.600 --> 25:37.600
Thin client is a Java based application.

25:39.020 --> 25:44.000
Where you can extend the scope, the scope of these protocols.

25:44.120 --> 25:49.550
So earlier where you had only HTTP and HTTPS and FTP.

25:49.760 --> 25:51.500
Now you can go to Telnet.

25:54.330 --> 25:56.010
You can go to SMTP.

25:57.400 --> 26:01.930
All the protocols that require well-known port numbers, you can use them.

26:03.780 --> 26:04.640
Through a thin client.

26:06.470 --> 26:07.670
Through a thin client.

26:07.670 --> 26:10.430
So it gives you a very good amount of flexibility.

26:10.430 --> 26:11.810
It's a Java based client.

26:12.050 --> 26:13.730
A lot of vendors support it.

26:15.410 --> 26:17.240
Thin client, right?

26:17.360 --> 26:20.210
Still not as flexible as what?

26:20.810 --> 26:22.520
As your IPsec VPN.

26:22.830 --> 26:26.810
The only one thing that is as flexible as that is the thick client.

26:26.840 --> 26:33.050
Thick client gives you complete control, just like your IPsec would do, so protecting you from layer

26:33.050 --> 26:33.640
three onwards.

26:35.300 --> 26:37.190
These ones still work on layer seven.

26:39.520 --> 26:40.630
Layer 4 to 7.

26:41.050 --> 26:42.940
Your thick client works.

26:44.790 --> 26:48.720
Giving you full control over your private IPs, your public IPs and all those things.

26:49.550 --> 26:50.930
We will have a look at this.

26:50.930 --> 26:56.030
But when we're looking at the thick client, we will not look at it on your router.

26:56.060 --> 26:57.440
We will look at it at the.

27:00.820 --> 27:01.180
Why?

27:06.890 --> 27:11.810
These two are applications, just like the Easy VPN client.

27:12.110 --> 27:13.610
These two are also applications.

27:15.230 --> 27:15.350
I.

27:16.980 --> 27:19.650
So what I was saying is.

27:21.160 --> 27:21.790
Remember.

27:23.130 --> 27:25.940
This device called PIX.

27:28.300 --> 27:31.480
PIX was Cisco's first firewall.

27:32.930 --> 27:37.760
Very, very famous in the market, worked for a long time, gave a lot of benefits.

27:39.350 --> 27:41.810
It was considered to be a luxury device at that time.

27:42.530 --> 27:49.220
PIX. Right now, with time, what happened was other vendors came up with their own versions and this

27:49.220 --> 27:51.350
SSL became famous along the way.

27:51.920 --> 27:56.090
So they had other vendors having very good implementations of SSL.

27:56.090 --> 27:57.440
VPN. PIX

27:57.440 --> 27:59.810
Also tried to do it, but they failed miserably.

28:01.400 --> 28:01.550
Right.

28:01.580 --> 28:02.630
So what did they do?

28:03.170 --> 28:04.760
They bought this company called.

28:04.760 --> 28:05.120
What?

28:08.690 --> 28:09.140
VPN.

28:10.100 --> 28:10.810
Concentrator.

28:15.530 --> 28:18.150
There was a device called VPN concentrator.

28:18.170 --> 28:21.080
What it would do is it was only there for SSL VPN.

28:22.780 --> 28:29.860
The whole purpose of this device was that, so they merged it with PIX to form.

28:29.860 --> 28:30.310
What?

28:33.480 --> 28:33.870
ASA.

28:36.700 --> 28:42.820
So the SSL VPN that we are going to do on the router is think of it as obsolete.

28:43.060 --> 28:44.740
You wouldn't be using it ever.

28:45.610 --> 28:46.870
But why is it important?

28:46.870 --> 28:48.340
Because the concept is important.

28:49.970 --> 28:50.180
Right.

28:50.180 --> 28:52.790
So it does not again, it works with Java.

28:52.790 --> 28:59.090
And some of you might be knowing Cisco's Java, I mean, whichever Java version they use, it's ultimately

28:59.630 --> 29:03.110
it can eat your head right to find the perfect version of Java.

29:03.110 --> 29:04.570
Which one works, which one doesn't work.

29:04.580 --> 29:05.330
It's a headache.

29:05.630 --> 29:08.120
It took me a long time to find the perfect one for me.

29:08.120 --> 29:10.250
And trust me, this one is a high chance.

29:10.250 --> 29:11.240
It won't work on you.

29:12.740 --> 29:13.040
Right.

29:13.040 --> 29:15.560
So that's what it has.

29:15.920 --> 29:18.430
Sometimes it works, sometimes it doesn't work.

29:18.440 --> 29:20.680
And the thick client has issues.

29:21.390 --> 29:22.830
With IOS VPN.

29:23.820 --> 29:27.690
We'll be doing this on the ASA, which will be tomorrow.

29:27.930 --> 29:29.880
Today we'll do it on the IOS.

29:29.910 --> 29:34.920
Now, for those of you who have not done ASA, you don't have to worry about it because it will just

29:34.920 --> 29:36.000
be another device.

29:36.240 --> 29:38.550
We will not be configuring any ASA features.

29:38.550 --> 29:40.730
We will not be configuring any firewall features.

29:40.740 --> 29:46.950
We will just be configuring features for the SSL VPN, just like you would do on the device IOS.

29:46.980 --> 29:50.120
You would do the same on these same configs.

29:50.130 --> 29:50.460
Nothing.

29:50.460 --> 29:50.940
Nothing.

29:50.940 --> 29:51.570
Nothing new.

29:53.160 --> 29:53.360
Okay.

29:53.520 --> 29:54.720
We'll have a look at that.

29:55.960 --> 29:56.560
So.

30:03.310 --> 30:05.020
See now when they negotiate, right.

30:05.050 --> 30:06.460
They had the pre master key.

30:06.670 --> 30:09.040
Now they know which kind of algorithm they're using.

30:09.310 --> 30:11.230
So now they have the key already.

30:11.650 --> 30:13.150
Both of the sides have the key.

30:14.050 --> 30:15.850
When they have the key now the packet comes in.

30:15.880 --> 30:19.600
They will encrypt using this key, using the mechanism which you've already chosen.

30:19.930 --> 30:23.650
You've chosen AES-128 encryption from here.

30:23.680 --> 30:27.520
The other side goes and decrypts this one symmetric.

30:28.180 --> 30:29.500
The only the exchange.

30:29.500 --> 30:30.850
You cannot have asymmetrical.

30:31.030 --> 30:32.380
There will be too much.

30:33.440 --> 30:36.560
Check out your sister since you're using asymmetrical and such.

30:36.590 --> 30:37.910
How slow do they become?

30:39.220 --> 30:41.350
I cannot do it here.

30:41.350 --> 30:42.510
So it's you.

30:42.550 --> 30:43.980
Most of the times it's always symmetric.

30:46.650 --> 30:50.550
Clientless is what we are going to talk about now.

30:51.810 --> 30:56.280
Before we do that, let's configure it because we know how the handshake takes place, right?

30:56.760 --> 30:58.290
We now have the handshake takes place.

30:58.290 --> 31:00.900
So we'll have a look at it and we'll see how it works.

31:00.900 --> 31:02.850
Then we'll know how the tunnel is created.

31:04.580 --> 31:06.050
To configure clientless.

31:09.020 --> 31:10.370
You'll go to R2.

31:10.400 --> 31:13.880
Right now, the first thing again is to make sure connectivity is up.

31:13.880 --> 31:14.510
So.

31:16.450 --> 31:17.740
This is my setup.

31:17.920 --> 31:21.220
These are going to be the internal servers that I want to access from home.

31:22.490 --> 31:29.330
Like for HTTP access, let's say, because, as I said, through clientless only two protocols

31:29.330 --> 31:29.750
can go.

31:29.780 --> 31:35.900
Most of the times you don't usually use what are those two protocols, HTTP or FTP?

31:40.870 --> 31:41.680
Whereas what used.

31:47.520 --> 31:48.690
That's what you're using.

31:53.800 --> 31:56.140
In the enterprise network, you don't use clientless.

31:56.250 --> 31:58.750
You usually use the thick client in Enterprise.

32:00.680 --> 32:06.510
But if you have to deploy something like, if you have an HTTP server, you want to deploy it as an HTTPS

32:06.560 --> 32:08.390
server, this is what you would do.

32:08.810 --> 32:09.490
This is a remote.

32:11.510 --> 32:12.080
Chemotaxis.

32:14.250 --> 32:15.720
This is an HTTP server, right?

32:15.750 --> 32:17.850
I want to deploy it as HTTPS.

32:18.630 --> 32:21.930
The job given to you is this: HTTP deployed as HTTPS.

32:21.960 --> 32:22.830
How will you do it?

32:23.040 --> 32:23.940
This is how.

32:26.370 --> 32:31.560
You want to deploy this HTTP server on the public internet as an HTTPS server?

32:32.450 --> 32:33.590
It's actually HTTP.

32:33.620 --> 32:35.150
It's always going to be HTTP.

32:35.750 --> 32:37.580
Eventually it's going to be HTTP.

32:37.940 --> 32:40.160
Behind this router is going to be HTTP.

32:40.190 --> 32:44.240
But for the public Internet, it's going to be acting as what, HTTPS?

32:44.270 --> 32:47.750
Because they're going to create a tunnel from their end until R2.

32:49.690 --> 32:50.260
You'll see.

32:50.380 --> 32:50.930
You'll see.

32:50.950 --> 32:51.520
Give it time.

32:54.480 --> 32:59.190
I'll go back to the loopback and give it the address so that I can communicate.

33:01.960 --> 33:04.330
151 dot 30 dot.

33:05.390 --> 33:05.690
Three.

33:07.370 --> 33:09.280
Next up will not choose the next.

33:11.970 --> 33:13.710
What I'll also do is.

33:20.200 --> 33:24.430
I'll add a route to 151.23.2.

33:27.430 --> 33:28.780
251.30.

33:46.170 --> 33:46.680
Kidnapping.

33:46.710 --> 33:47.040
30.

33:51.160 --> 33:52.810
I don't think I've configured this part.

33:55.190 --> 33:56.270
Should I be with?

34:22.530 --> 34:23.730
This should be 30.3.

34:25.800 --> 34:27.690
Loopback should be 30.25.

34:37.410 --> 34:37.800
That out.

34:41.110 --> 34:42.040
Be happy that.

35:14.400 --> 35:16.860
Should be able to ping 151.22.

35:18.130 --> 35:18.210
Was.

35:18.270 --> 35:19.630
151.22.

35:19.660 --> 35:21.160
My SSL VPN Gateway.

35:23.410 --> 35:23.920
I'm pinging.

35:25.580 --> 35:25.940
I do.

35:25.940 --> 35:26.510
From where?

35:26.630 --> 35:27.590
From the back.

35:27.620 --> 35:28.250
First thing.

35:28.490 --> 35:29.270
Main condition.

35:29.270 --> 35:29.990
Connectivity.

35:30.740 --> 35:32.030
Once I have that.

35:33.900 --> 35:37.950
What I want to do next is to configure the gateway, which is R2.

35:39.060 --> 35:40.320
How do you configure it?

35:42.000 --> 35:42.870
We'll go to R2.

35:46.480 --> 35:47.290
I'll call it.

35:54.100 --> 35:54.640
SSL.

35:59.680 --> 36:00.040
Gateway.

36:06.120 --> 36:06.570
Okay.

36:08.110 --> 36:09.790
Now, the way you do it is.

36:12.560 --> 36:13.220
Web VPN.

36:15.580 --> 36:17.800
Gateway and you name it.

36:21.130 --> 36:23.800
To create a VPN gateway and you name it.

36:23.830 --> 36:24.250
Now name it.

36:24.250 --> 36:24.910
Anything you want.

36:24.940 --> 36:28.300
Now, this name has no significance to anything at all, anywhere.

36:28.660 --> 36:31.690
So you can call it anything, right?

36:31.870 --> 36:33.640
You can call it Rob.

36:38.320 --> 36:39.160
What does it do?

36:39.790 --> 36:42.370
Generate 1024 bit keys.

36:42.760 --> 36:43.330
Why?

36:43.360 --> 36:44.620
Because it requires it.

36:44.770 --> 36:46.150
The public set of keys.

36:46.180 --> 36:49.120
Now you can get them verified, right?

36:49.150 --> 36:49.900
How?

36:50.020 --> 36:51.970
You have a way to get them verified.

36:55.980 --> 36:58.620
Using SSL so you can say SSL trust point.

36:58.890 --> 37:04.380
If you have a server, point to the server; it will go and get itself signed by default.

37:04.380 --> 37:05.250
I will leave it as it is.

37:05.250 --> 37:10.740
So it will be self-signed, its own signature on the certificate, right?

37:12.050 --> 37:14.050
What else do I need to configure?

37:14.060 --> 37:15.620
The most important part is the IP.

37:16.970 --> 37:21.890
Either you can use based on the interface or you can specify the address of the gateway.

37:22.160 --> 37:25.190
The address of the gateway for me is going to be the public address.

37:26.370 --> 37:29.300
And the port number that I'm going to be using is the default port.

37:29.310 --> 37:30.570
What is the default port?

37:32.280 --> 37:33.180
440.

37:38.730 --> 37:39.120
Okay.

37:39.570 --> 37:42.870
So what you're basically saying is.

37:45.030 --> 37:46.260
The VPN Gateway.

37:47.310 --> 37:48.420
Name it anything.

37:49.140 --> 37:53.490
IP address is 151.23.2 and the port is.

37:54.510 --> 37:55.290
The default one.

37:55.290 --> 37:55.560
Which you.

37:57.330 --> 37:59.970
What you also do here is the important part.

38:01.620 --> 38:02.680
Call it in service.

38:02.700 --> 38:05.610
In service is just like no shutdown.

38:07.020 --> 38:07.920
Remember no shutdown.

38:08.370 --> 38:10.320
We used it a lot of times.

38:10.560 --> 38:10.950
Right.

38:10.950 --> 38:16.110
You configure something in the end, you specify a server if you remember, configured it in the Env

38:16.110 --> 38:16.440
service.

38:16.470 --> 38:16.710
What?

38:16.740 --> 38:17.070
No.

38:17.220 --> 38:18.420
No shutdown here.

38:18.450 --> 38:21.060
No shutdown is called in service: enable the gateway.

38:21.510 --> 38:23.610
The moment you do that, the gateway is enabled.

38:24.330 --> 38:27.210
You can also specify the encryption mechanism which you want to.

38:27.920 --> 38:30.880
Now here it gives you a set; you cannot choose

38:30.890 --> 38:33.410
encryption separately and hashing separately.

38:33.410 --> 38:39.050
You choose a set: AES-SHA, or RC4-MD5, or 3DES-SHA.

38:40.370 --> 38:40.670
Right.

38:40.670 --> 38:41.480
It's a combo.

38:43.460 --> 38:43.910
Will come.

38:44.660 --> 38:45.140
Right.

38:45.140 --> 38:49.910
But the only difference is here, you don't have the new ones available.

38:50.540 --> 38:53.180
That entirely depends on what IOS you're using.

38:54.590 --> 38:56.750
Get a new IOS, you'll have more options here.

38:58.960 --> 38:59.320
Under.

39:00.540 --> 39:01.770
Right now.

39:01.770 --> 39:03.120
Let's leave it at default.

39:04.990 --> 39:06.640
It is done.

39:06.820 --> 39:07.840
You would also require.

39:07.840 --> 39:08.080
What?

39:10.320 --> 39:14.480
Because when people log in, they'll be logging in using a username and password, right?

39:14.490 --> 39:16.920
Facebook page, you have a username and password.

39:17.550 --> 39:18.870
Everybody does it like that.

39:19.350 --> 39:21.350
So you need to create that username and password.

39:21.360 --> 39:26.970
The only difference here is when you do that, you need to add a domain name.

39:29.070 --> 39:36.210
On a router for every different domain, you'll have a different SSL VPN page for admins.

39:36.210 --> 39:40.470
There will be a separate page for sales, there will be a separate page for marketing, there will be

39:40.470 --> 39:43.650
a separate page and the users will also be different.

39:43.860 --> 39:48.000
So marketing users will be somewhere else, sales users will be somewhere else and so on and so forth.

39:50.590 --> 39:52.210
You will have to configure that.

39:52.690 --> 39:56.020
So I'm saying Shai, but at which domain? Admin.

39:56.890 --> 39:58.780
And password anything system.

40:00.250 --> 40:01.570
I'll create another one.

40:03.460 --> 40:03.710
Right.

40:04.090 --> 40:07.990
I'll call this Rob at the rate of.

40:09.730 --> 40:11.350
Sales password.

40:11.820 --> 40:12.660
Cisco.

40:13.610 --> 40:20.050
So two users, Shai and Rob; these are two different users in two different groups.

40:22.970 --> 40:23.150
Correct.

40:23.930 --> 40:25.160
I also need to do it.

40:25.760 --> 40:26.690
Can you guess what?

40:32.030 --> 40:32.990
AAA new-model.

40:33.170 --> 40:35.420
AAA authentication login.

40:37.260 --> 40:37.860
Call the list.

40:37.860 --> 40:38.550
Anything.

40:39.510 --> 40:40.170
Any name.

40:41.010 --> 40:45.690
Let's say Paris pointed to the local database.

40:46.050 --> 40:48.510
I'm using these names so that you know that these are.

40:48.990 --> 40:51.030
You can use anything at this point.

40:51.970 --> 40:53.980
Usually you would use company standards, right?

40:53.980 --> 40:55.210
So you would follow those standards.

40:55.210 --> 41:00.430
Right now it's just so that, you know, why do I need to point this to the local database?

41:00.430 --> 41:03.490
Because my username and password is stored on the local database.

41:03.490 --> 41:08.470
If it was a AAA server, which most of the times it will be, you'd be pointing it to a AAA

41:08.470 --> 41:08.830
server.

41:09.220 --> 41:13.210
So saying that this username came in, check it against the LDAP group.

41:13.240 --> 41:14.930
If he's there, allow him to get.

41:16.280 --> 41:18.980
That's how you would have it; Facebook will not have everything.

41:18.980 --> 41:22.610
All the 202 billion users stored in one one PC.

41:23.270 --> 41:24.830
It'll be somewhere huge.

41:27.970 --> 41:28.750
Username password.

41:28.750 --> 41:29.470
You won't do it here.

41:29.470 --> 41:30.480
You'll do it on the LDAP.

41:32.050 --> 41:32.610
On the AAA.

41:37.640 --> 41:38.110
This.

41:38.120 --> 41:39.110
Which this part.

41:39.290 --> 41:40.160
Which exchange.

41:40.990 --> 41:41.240
Thinking.

41:42.220 --> 41:43.180
That's after.

41:43.510 --> 41:45.760
That's after the handshake has taken place.

41:46.180 --> 41:48.540
Handshake will take place the moment you open.

41:48.550 --> 41:49.720
Open any page.

41:49.720 --> 41:49.930
Right.

41:49.960 --> 41:51.010
Handshake is done already.

41:52.240 --> 41:55.180
Once you get the display page, that means the handshake is done.

41:55.810 --> 42:00.700
Then you enter the username and password, which is already encrypted because the handshake is.

42:07.360 --> 42:10.480
Save the dates before you register.

42:11.620 --> 42:13.990
Once you register, you're registering to the LDAP server.

42:14.620 --> 42:15.580
So your entries.

42:15.980 --> 42:16.540
Yes.

42:17.020 --> 42:18.940
You do that, right?

42:18.940 --> 42:19.420
Sign up.

42:19.420 --> 42:20.500
What does sign up mean?

42:20.920 --> 42:24.790
You're signing up to the LDAP database, so you're putting your information, which is going to that

42:24.790 --> 42:25.480
database.

42:26.740 --> 42:29.740
And then later you access it, you automate it.

42:29.760 --> 42:31.840
Also obviously automatic.

42:32.950 --> 42:35.350
You enter it here, it goes straight away to your database.

42:35.350 --> 42:37.930
So later when you come, you just access your account.

42:40.260 --> 42:40.500
Right.

42:41.280 --> 42:44.760
So AAA authentication login.

42:44.940 --> 42:46.700
That's what I need for now.

42:46.710 --> 42:47.220
Right now.

42:47.220 --> 42:47.760
That's fine.

42:48.250 --> 42:50.740
And what I'll also do is web VPN.

42:51.220 --> 42:53.690
Now, first of all, you specified all of this.

42:53.710 --> 42:54.730
Let's do this.

42:57.750 --> 42:58.290
I did this.

42:58.290 --> 42:59.640
I said in service.

43:01.790 --> 43:02.480
Then I also did.

43:02.480 --> 43:02.900
What?

43:04.410 --> 43:05.290
Username.

43:05.310 --> 43:05.880
I said.

43:08.140 --> 43:08.800
I didn't use it.

43:08.800 --> 43:11.800
I kept it as a default password.

43:13.070 --> 43:14.360
Analysis that username.

43:16.760 --> 43:18.860
Rob@sales.

43:21.100 --> 43:21.410
Password.

43:21.550 --> 43:21.900
Cisco.

43:23.440 --> 43:24.130
I said AAA.

43:26.100 --> 43:26.970
Authentication.

43:27.480 --> 43:28.140
Login.

43:29.180 --> 43:29.570
Paris.

43:30.590 --> 43:31.190
When you put that.

43:34.130 --> 43:36.200
Now you have to create those pages.

43:38.510 --> 43:40.520
The pages you create now.

43:40.790 --> 43:41.930
What pages?

43:43.770 --> 43:44.820
It's called context.

43:45.510 --> 43:46.260
For each.

43:46.290 --> 43:47.490
For each domain.

43:47.490 --> 43:48.300
A different one.

43:49.110 --> 43:50.460
And you'll name it something.

43:50.460 --> 43:52.980
Now, this also, the name does not matter.

43:53.460 --> 43:56.880
I'll call this admin context.

44:00.440 --> 44:02.360
Call this admin context.

44:02.390 --> 44:07.340
Now here you have a lot of features which you can work around with many different things.

44:09.130 --> 44:09.600
Right.

44:09.610 --> 44:13.030
You can have port forwarding, you can have a policy.

44:14.720 --> 44:14.980
Right.

44:14.990 --> 44:17.510
You can have a login message logging.

44:21.060 --> 44:23.520
Many different things which you can configure if you want.

44:25.110 --> 44:30.780
Right. What we are going to be working with is, we'll have, let's say, not the title.

44:33.780 --> 44:34.860
There's a function somewhere.

44:43.580 --> 44:44.920
Policy group.

44:44.930 --> 44:46.610
You're going to create a group policy.

44:46.880 --> 44:50.360
I'll call this group or I'll just call it admin.

44:53.210 --> 44:53.810
Policy.

44:55.480 --> 44:56.560
Here you have function this.

44:59.820 --> 45:00.560
Let me explain this.

45:00.570 --> 45:01.770
This is a little complicated.

45:01.830 --> 45:06.090
So when you do it here, Web VPN, Gateway.

45:06.630 --> 45:09.450
Sorry, Gateway context.

45:09.450 --> 45:10.410
I'll call this anything.

45:10.410 --> 45:11.340
The name doesn't matter.

45:11.340 --> 45:13.620
Again, I'm stressing this enough.

45:13.620 --> 45:15.660
The name here has no significance.

45:17.130 --> 45:17.700
Under here.

45:17.700 --> 45:18.790
You have two things.

45:18.810 --> 45:20.190
You have a policy.

45:22.350 --> 45:23.090
Of group.

45:23.100 --> 45:24.730
We call it anything admin.

45:26.140 --> 45:26.540
Policy.

45:26.830 --> 45:31.000
Whatever changes you make in the policy are made to the policy only.

45:32.050 --> 45:33.490
Are applied only to the policy.

45:34.010 --> 45:36.460
They're not applied to the web context.

45:37.960 --> 45:42.490
To apply to the VPN context, you will later say default.

45:43.770 --> 45:44.310
Group.

45:46.320 --> 45:50.520
Policy and you will call that policy for this case.

45:50.520 --> 45:51.900
What is the name of that policy?

45:53.650 --> 45:54.200
Admin.

45:57.360 --> 45:57.510
I.

45:59.310 --> 46:04.110
The changes that you'll be making are under the policy, although it does come under the

46:04.110 --> 46:05.700
same subheading.

46:06.620 --> 46:09.320
Which is you're still working under the context.

46:09.320 --> 46:10.930
That is the weird part about it.

46:10.940 --> 46:13.040
So you'll have to cut that edge off.

46:13.070 --> 46:14.930
You'll have to remember that this is weird.

46:15.620 --> 46:20.660
You'll be configuring it where in this and the policy will be called under the same VPN.

46:23.400 --> 46:23.780
Okay.

46:23.790 --> 46:25.290
What are those policies?

46:25.440 --> 46:30.120
Functions to the users who come through admin who comes through.

46:30.120 --> 46:33.180
I want to give him the functions of file browse.

46:33.210 --> 46:36.100
Now let's have a look at the functions that you have available to you.

46:36.120 --> 46:37.080
You have file access.

46:37.080 --> 46:43.270
He can access files, he can browse files, he can enter files, leave SVC.

46:43.350 --> 46:45.240
SVC is the virtual client, the thick client.

46:45.450 --> 46:48.600
So I'll say he can only browse.

46:48.630 --> 46:49.550
That's all he can do.

46:52.010 --> 46:54.050
The guy who comes in can only browse.

46:54.050 --> 46:54.830
I'll exit.

46:54.860 --> 46:55.910
Go back where?

47:05.530 --> 47:06.400
I'll exit.

47:08.630 --> 47:09.680
And go back.

47:11.040 --> 47:12.510
To the default group policy.

47:12.900 --> 47:15.300
So I'm still under the same VPN context.

47:16.200 --> 47:22.050
I'm still working under the same within context, but here I'll say default group policy is what admin.

47:25.010 --> 47:26.240
I'm specifying why.

47:26.600 --> 47:29.210
Because tomorrow what you could do is you could create two policies.

47:31.040 --> 47:34.040
One here and the other one maybe for disaster management.

47:34.750 --> 47:39.520
So if you immediately wanted to shift, you would only have to change one command: default group

47:39.550 --> 47:41.320
policy is the other policy.

47:41.320 --> 47:42.940
So it would just shift to the other one.

47:45.840 --> 47:46.170
Okay.

47:48.150 --> 47:48.600
Done.

47:52.490 --> 47:54.330
You already have that?

47:54.350 --> 47:56.360
Yes, I already have a web page.

47:56.360 --> 48:03.470
I'm only letting the web page know that the admin guy, whoever is the admin, what functions is he

48:03.470 --> 48:03.860
allowed?

48:06.610 --> 48:10.560
You can change the... I'll show you first the actual web page that you get.

48:10.570 --> 48:12.130
Then you can make changes to that.

48:13.430 --> 48:14.120
You can change that.

48:15.430 --> 48:16.210
Any questions?

48:18.310 --> 48:18.940
Until now.

48:19.360 --> 48:21.380
So you choose the default group policy.

48:21.400 --> 48:23.080
There are still other things that you do.

48:23.710 --> 48:25.090
AAA authentication.

48:26.500 --> 48:27.160
List.

48:27.190 --> 48:28.660
What is the name of the list?

48:30.770 --> 48:31.160
Paris.

48:33.760 --> 48:38.680
Or what you're saying is whoever enters the username and password that should be checked against Paris.

48:38.710 --> 48:40.180
Paris is what, local.

48:40.180 --> 48:42.580
So basically you're saying inside.

48:42.670 --> 48:43.750
Inside what?

48:45.140 --> 48:51.260
Inside the gateway: AAA authentication login.

48:51.290 --> 48:52.160
No, not login.

48:52.430 --> 48:55.880
Authentication list is, as you will also say.

48:55.910 --> 48:58.730
AAA authentication domain.

49:02.610 --> 49:04.770
What domain users are allowed here.

49:06.380 --> 49:09.320
Based on what you have chosen here, which ones do you want to be allowed here?

49:10.580 --> 49:11.870
Admin or sales?

49:12.260 --> 49:14.290
For this case should be admin.

49:14.300 --> 49:15.470
So you'll say admin.

49:15.500 --> 49:17.570
Now this is where the symbol is important.

49:18.790 --> 49:21.700
The symbol differentiates the username and admin.

49:21.730 --> 49:23.500
You can use any symbol here.

49:24.070 --> 49:29.620
You could use a pound, a hash, anything, but you would have to use the same thing here also.

49:31.200 --> 49:31.500
Yeah.

49:36.350 --> 49:38.390
It's only people on that domain.

49:38.390 --> 49:39.680
So if Shah is here.

49:44.200 --> 49:44.530
No, no.

49:44.950 --> 49:45.400
Here.

49:45.400 --> 49:46.270
You're saying Paris.

49:46.270 --> 49:51.400
When you say Paris, you're saying that all the username and passwords are stored there on the local

49:51.400 --> 49:51.880
database.

49:55.140 --> 50:00.270
Yes, but you're also saying that the domain is limited, whatever is local, but his domain should

50:00.270 --> 50:02.280
be admin, so both things should match.

50:02.400 --> 50:03.120
So both.

50:05.090 --> 50:05.750
No, not both.

50:06.280 --> 50:07.250
Both has to match.

50:07.340 --> 50:08.720
It has to be local.

50:08.900 --> 50:12.620
Basically, when you're saying local is where to check, local is not you're not saying that these are

50:12.620 --> 50:13.300
the users.

50:13.310 --> 50:16.400
You're saying where to check, what to check is the domain.

50:18.860 --> 50:21.740
You check it in the local database the domain should be at.

50:23.350 --> 50:30.100
Okay, so we'll say AAA authentication domain should be at the rate (@).

50:31.880 --> 50:33.500
The differentiator between the two.

50:34.400 --> 50:36.260
You also have to link this.

50:36.410 --> 50:41.120
So if you, again, have a look at this, you have not linked it to the gateway.

50:42.500 --> 50:44.930
This is a context, but you have not linked it.

50:44.930 --> 50:46.940
To which gateway are you talking about?

50:48.020 --> 50:49.670
I have to link it to the gateway, so.

50:51.070 --> 50:51.580
Gateway.

50:51.910 --> 50:53.170
What was the name of the gateway?

50:53.810 --> 50:56.980
Rob And you have to specify the domain.

50:56.980 --> 50:58.330
Now, this domain is important.

50:58.360 --> 50:59.320
This domain.

51:00.520 --> 51:01.990
Earlier I said admin, right?

51:02.740 --> 51:04.390
I will only call it AD.

51:06.160 --> 51:08.530
Just so that you know where we actually use this.

51:10.600 --> 51:10.820
Just.

51:12.520 --> 51:14.340
Configure the gateway Rob.

51:14.350 --> 51:15.820
I think it was capital.

51:17.120 --> 51:18.410
AD is just a name.

51:19.760 --> 51:20.240
Listening.

51:20.700 --> 51:22.850
No significance of AD.

51:23.010 --> 51:25.220
I'll show you how where you use it.

51:25.520 --> 51:26.510
I'll call it AD.

51:26.600 --> 51:27.740
You cannot use AD.

51:32.450 --> 51:32.810
Okay.

51:33.470 --> 51:37.010
And finally, you have to bring up the context.

51:39.490 --> 51:40.360
So in service.

51:43.910 --> 51:47.210
Then you have Gateway is Rob.

51:48.190 --> 51:48.760
Domain.

51:51.460 --> 51:55.210
Is AD#. Finally, in service.

51:55.240 --> 51:56.140
Bring it up.

51:56.590 --> 51:57.520
No shutdown.

51:59.140 --> 52:00.580
That's it, your context is up.

52:02.180 --> 52:05.240
Your VPN is up when you do these things.

52:05.270 --> 52:06.710
Let's have a look at this again.

52:09.310 --> 52:14.890
The first thing that you would do is create that gateway, give it an IP address and bring it up.

52:16.180 --> 52:17.800
Create a username and password.

52:18.160 --> 52:21.610
Create an authentication list which points to that username and password.

52:22.770 --> 52:24.270
If this is step one.

52:28.360 --> 52:29.650
This would be step two.

52:32.030 --> 52:38.420
Step three would be creating the VPN context, one page for admins, one page for sales and stuff like

52:38.420 --> 52:38.790
that.

52:38.810 --> 52:42.830
So for admin you have two things which you have to be careful about.

52:42.830 --> 52:45.080
You have to create a policy, then call the policy.

52:45.530 --> 52:51.050
You create the policy where you say that he's only allowed to browse the files you call the policy,

52:51.860 --> 52:57.880
then point to the local database, point to the local domain, point to the gateway.

52:57.890 --> 52:58.490
You're done.

53:00.370 --> 53:02.580
If you really look at it, it's just very simple.

53:02.590 --> 53:03.460
Create the policy.

53:03.460 --> 53:08.650
Call the policy, point to all three domains, point to the local database, point to the domain and

53:08.650 --> 53:09.520
point to the gateway.

53:09.520 --> 53:11.980
You're done, and bring it up.

53:14.160 --> 53:16.380
Okay, let's capture packets.

53:20.160 --> 53:21.840
And establish the connection.

53:40.360 --> 53:41.680
How do you do that?

53:41.890 --> 53:43.600
It's already trying to do it.

53:46.700 --> 53:48.140
Did I have anything running here?

53:48.800 --> 53:50.510
How do you open HTTPS?

53:50.540 --> 53:51.800
HTTPS.

53:53.130 --> 53:54.030
150.

53:57.220 --> 54:00.760
151 dot 20 dot https.

54:04.780 --> 54:07.960
Opens the best browser to open this would be.

54:11.200 --> 54:12.490
You could just proceed anyway.

54:12.490 --> 54:13.300
Anyways.

54:14.170 --> 54:15.450
HTTPS.

54:17.630 --> 54:21.860
151 dot 20 dot if I just do this.

54:23.230 --> 54:24.370
What does he ask me?

54:25.000 --> 54:28.690
There's a problem with the website's security certificate.

54:30.160 --> 54:35.140
Would you like more information about it, or do you want to continue?

54:35.890 --> 54:37.660
I want to continue.

54:39.050 --> 54:41.090
So if you see, it will not open the page.

54:41.330 --> 54:42.050
Why?

54:46.200 --> 54:47.040
Not the client side.

54:47.670 --> 54:49.380
The handshake will be complete.

54:52.010 --> 54:53.300
Well, that is actually running.

54:53.300 --> 54:55.970
I'll just show you the handshake before we go any further.

54:56.180 --> 54:57.590
Check out the handshake.

55:00.090 --> 55:00.350
Client.

55:00.390 --> 55:00.810
Hello.

55:02.590 --> 55:04.350
I think you should be able to open it also.

55:08.710 --> 55:12.520
Client Hello is the supported methods that it can use.

55:12.910 --> 55:13.820
Cipher suites.

55:13.870 --> 55:19.780
12 suites that it can support the client right now can support all these 12 based on the browser.

55:19.780 --> 55:20.260
Right.

55:20.980 --> 55:22.450
It can support ECDSA.

55:22.590 --> 55:26.620
Imagine you can support all these different suites.

55:26.800 --> 55:30.980
All the guy has to do is choose, but the version that it can support is one dot.

55:33.220 --> 55:34.450
Cannot support 1.2.

55:35.270 --> 55:35.710
Correct.

55:36.540 --> 55:37.750
Sends it to the server.

55:37.770 --> 55:40.770
The server accepts, so the packet is smaller.

55:40.770 --> 55:42.960
133 is compared to 185.

55:42.990 --> 55:44.430
The server will accept.

55:46.170 --> 55:46.920
Maybe not.

55:46.920 --> 55:47.250
Okay.

55:47.250 --> 55:50.610
He has RSA with AES and SHA.

55:51.030 --> 55:53.160
They've already agreed upon that.

55:53.280 --> 55:55.100
Then you have server is done.

55:55.110 --> 55:56.550
Then certificate sent by whom?

55:57.570 --> 56:00.810
The server sends the certificate to the client. Listen,

56:00.810 --> 56:01.980
This is the certificate.

56:02.250 --> 56:03.600
Do you accept it or not?

56:04.350 --> 56:05.850
Self-signed certificate.

56:10.050 --> 56:10.770
I was signed.

56:11.640 --> 56:11.900
Remember?

56:12.060 --> 56:13.920
Then send the certificate.

56:13.920 --> 56:14.460
Done.

56:15.030 --> 56:16.830
Server says Server

56:16.830 --> 56:17.070
Hello.

56:17.070 --> 56:18.000
Is done.

56:18.000 --> 56:18.660
So server.

56:18.660 --> 56:19.260
Hello.

56:19.710 --> 56:19.920
Done.

56:20.370 --> 56:21.360
Then what?

56:21.450 --> 56:22.980
Client key exchange.

56:23.400 --> 56:24.870
The master key is sent.

56:26.730 --> 56:29.580
Plus, if you see that this will be sent as payload.

56:51.260 --> 56:55.310
So you have Client Key Exchange, Change Cipher Spec and client.

56:55.340 --> 56:55.580
Hello.

56:57.980 --> 56:58.250
Not.

56:58.250 --> 56:58.450
Hello.

56:58.460 --> 57:00.440
Client to client handshake.

57:00.440 --> 57:00.640
Done.

57:01.130 --> 57:02.810
Encrypted text.

57:04.290 --> 57:05.810
Change Cipher Spec means what?

57:05.820 --> 57:08.490
After this, whatever I'm going to send is going to be encrypted.

57:08.490 --> 57:10.980
And this is the pre master key being sent.

57:11.220 --> 57:12.270
RSA encrypted.

57:12.270 --> 57:13.230
Pre master key.

57:16.050 --> 57:17.070
RSA encrypted.

57:18.720 --> 57:19.050
Okay.

57:20.400 --> 57:21.540
This goes to the server.

57:21.570 --> 57:23.490
The server replies with server.

57:23.490 --> 57:23.730
Hello.

57:23.730 --> 57:24.090
Done.

57:24.910 --> 57:25.440
Sorry.

57:25.980 --> 57:26.550
Go down here.

57:27.360 --> 57:29.040
It got broken down here I think.

57:29.220 --> 57:29.910
Was it?

57:31.410 --> 57:32.830
Yeah, it got broken down here.

57:32.850 --> 57:33.480
They exchanged some.

57:37.450 --> 57:39.430
Eventually the server will also say.

57:41.120 --> 57:43.370
This is from the server: Change Cipher Spec.

57:44.750 --> 57:47.450
Encrypted handshake and your full.

57:47.660 --> 57:48.920
Everything is done after that.

57:48.920 --> 57:50.060
Everything would be what?

57:50.090 --> 57:50.990
Encrypted.

57:51.080 --> 57:54.260
It was broken down because I could not open the page.

57:54.260 --> 58:00.110
Why I couldn't open the page is because, as I told you, we are doing it based on contexts.

58:01.270 --> 58:03.040
Admin has a different context.

58:03.070 --> 58:05.040
Sales has a different context.

58:05.050 --> 58:09.430
Right now, when I chose my context, I created it only for whom I.

58:10.510 --> 58:13.030
And this was important.

58:13.900 --> 58:18.730
Here what I'm saying is the gateway is going to be robbed, but the domain name is going to be a D sharp.

58:20.190 --> 58:25.830
So when you open this, you will open it as 20.2, but with AD.

58:27.430 --> 58:28.470
With the slash for AD.

58:32.500 --> 58:34.000
That is where this is important.

58:34.000 --> 58:40.840
Everything else, all the other names that you've used are useless except for this which links you to

58:40.840 --> 58:41.650
the domain.

58:42.010 --> 58:43.960
And AD right here.

58:43.960 --> 58:44.860
Which opens what?

58:46.510 --> 58:47.320
Opens the gateway.

58:47.830 --> 58:50.370
Now, most of the time you wouldn't have a weird name like this.

58:50.380 --> 58:52.210
You would usually have admin here.

58:53.510 --> 58:54.980
So when they open, they will open.

58:54.980 --> 59:00.920
What admin will say Gateway drop domain is.

59:10.680 --> 59:14.220
You have the domain as admin because it's easier for you to read also.

59:14.220 --> 59:15.150
So you'll say.

59:16.920 --> 59:17.040
The.

59:18.390 --> 59:21.720
15.11.1.2 slash admin.

59:24.030 --> 59:25.290
Hey, Ken.

59:25.320 --> 59:26.480
Sales Log in here.

59:26.490 --> 59:26.870
Rob.

59:29.460 --> 59:29.790
Can I?

59:31.200 --> 59:33.120
Although it is on the local database, it cannot.

59:33.150 --> 59:34.020
Who can log in?

59:35.190 --> 59:35.490
Shall.

59:41.450 --> 59:43.580
This is your SSL VPN gateway.

59:44.180 --> 59:46.250
This right here, the one which is loading.

59:52.390 --> 59:52.750
I it.

59:54.630 --> 1:00:00.120
Says that you've already gotten past where the gateway now the traffic that you're sending.

1:00:02.670 --> 1:00:05.280
Whatever traffic that you're sending now, application data.

1:00:09.200 --> 1:00:10.910
Uh, is going through.

1:00:10.940 --> 1:00:11.450
Right?

1:00:14.140 --> 1:00:16.270
But check out where is it getting assembled.

1:00:18.200 --> 1:00:21.230
There are 2 to 3.25 is your IP header.

1:00:21.530 --> 1:00:23.060
Then you have your port number.

1:00:23.090 --> 1:00:23.890
This is the reply.

1:00:23.900 --> 1:00:26.450
So the source port is 443.

1:00:26.480 --> 1:00:27.530
The server is replying.

1:00:29.640 --> 1:00:30.720
Not encrypted here.

1:00:30.720 --> 1:00:33.120
Also from layer four onwards.

1:00:33.150 --> 1:00:34.350
Encryption begins.

1:00:35.490 --> 1:00:40.500
So your actual traffic, if you have a look at this, going back to where we started from.

1:00:40.740 --> 1:00:52.500
Your actual traffic will look like this, going from 151.3.25 going to 151.2.2.

1:00:56.270 --> 1:00:57.260
Source port.

1:00:58.600 --> 1:01:00.460
XXX, destination.

1:01:01.640 --> 1:01:02.570
443.

1:01:04.480 --> 1:01:05.200
Then.

1:01:07.100 --> 1:01:11.090
This will be your SSL and your encryption will be.

1:01:14.330 --> 1:01:14.540
Right.

1:01:15.720 --> 1:01:18.760
So your package is going up all the way up here from the.

1:01:20.420 --> 1:01:22.850
From your PC will look like this.

1:01:23.600 --> 1:01:28.670
So people will know you're talking to Https, but they will not be able to go in here because they wouldn't

1:01:28.670 --> 1:01:31.910
have the key to open this encryption.

1:01:33.560 --> 1:01:34.010
Okay.

1:01:34.010 --> 1:01:37.040
The question is, how do I access the servers?

1:01:38.500 --> 1:01:40.720
You're telling me I can encrypt, but how do I access?

1:01:40.900 --> 1:01:43.960
My main job is to access 10.11.11.1.

1:01:44.140 --> 1:01:47.290
My other job is to access 10.11.11.4.

1:01:47.290 --> 1:01:49.150
Where do I put that request?

1:01:49.570 --> 1:01:50.980
That request?

1:01:52.390 --> 1:01:53.130
Ghosn.

1:01:55.570 --> 1:01:55.810
Here.

1:01:56.930 --> 1:02:01.460
So inside here, when the router will open it, the router will open it.

1:02:01.460 --> 1:02:01.600
Right.

1:02:01.610 --> 1:02:03.650
Because it is meant for the router R2.

1:02:04.310 --> 1:02:06.440
When the router opens all of this information.

1:02:09.350 --> 1:02:16.530
When he sees the whole thing inside the Http part, he will see a message like this.

1:02:16.550 --> 1:02:17.840
I want to go to.

1:02:20.150 --> 1:02:20.690
Ten.

1:02:20.690 --> 1:02:21.470
11.

1:02:21.470 --> 1:02:22.400
11.1.

1:02:23.380 --> 1:02:24.280
You will see this.

1:02:26.760 --> 1:02:27.840
That router will see this.

1:02:31.320 --> 1:02:34.980
It's a lone message without a source, without anything.

1:02:35.220 --> 1:02:38.430
It doesn't have anything but what the router will do.

1:02:38.430 --> 1:02:42.360
The kind router will forward this packet, not actually forward it.

1:02:42.390 --> 1:02:43.020
It will do.

1:02:43.050 --> 1:02:44.190
We call it a proxy.

1:02:45.780 --> 1:02:47.280
We call it a proxy.

1:02:47.520 --> 1:02:53.160
It will go to R1 on behalf of C1.

1:02:56.120 --> 1:02:57.200
On behalf of him.

1:02:57.230 --> 1:02:58.730
C1 will not be going.

1:02:59.030 --> 1:03:00.440
R1 R2 will be going.

1:03:00.470 --> 1:03:02.270
Using which source IP address?

1:03:03.170 --> 1:03:04.400
R2's IP address.

1:03:06.310 --> 1:03:07.480
It'll be creating a connection.

1:03:07.480 --> 1:03:08.050
With whom?

1:03:09.280 --> 1:03:11.500
Whatever reply he gets from there.

1:03:12.940 --> 1:03:14.470
It's going to send it straight up.

1:03:14.470 --> 1:03:15.310
Who to whom?

1:03:16.160 --> 1:03:16.550
Back to.

1:03:19.140 --> 1:03:21.630
It is going to act as a proxy in the middle.

1:03:24.930 --> 1:03:30.090
If you remember when I configured it, if you were careful, I did not configure any default gateway

1:03:30.090 --> 1:03:31.140
on R1 and R4.

1:03:32.750 --> 1:03:34.160
Because I wouldn't need it.

1:03:34.760 --> 1:03:35.750
R1 and R4.

1:03:35.780 --> 1:03:39.080
The only one they are communicating with is R2.

1:03:39.110 --> 1:03:41.000
They're not going to be communicating with C1.

1:03:43.990 --> 1:03:46.120
Any questions in your heads right now?

1:03:49.620 --> 1:03:50.940
How do they keep track?

1:03:52.120 --> 1:03:52.900
You have to.

1:03:54.360 --> 1:03:55.090
Pieces.

1:03:55.110 --> 1:03:58.410
How does R2 keep track of port numbers?

1:03:59.590 --> 1:04:01.420
Based on the port numbers, it would keep track of.

1:04:01.420 --> 1:04:03.880
This connection belongs to this PC.

1:04:04.030 --> 1:04:05.700
The other connection belongs to this PC.

1:04:05.710 --> 1:04:10.900
So you'll see that even though I've not configured anything in my web VPN Gateway, you have this URL

1:04:10.930 --> 1:04:14.110
bar. From this URL bar,

1:04:14.140 --> 1:04:16.660
I could say I want to go to 10.11.11.1.

1:04:25.300 --> 1:04:25.990
What do I see?

1:04:26.800 --> 1:04:28.140
Https.

1:04:28.180 --> 1:04:28.990
To whom?

1:04:31.950 --> 1:04:34.140
If the certificate was signed, this would be green.

1:04:36.300 --> 1:04:37.230
Ktbs two.

1:04:47.730 --> 1:04:48.720
I don't have a route here.

1:04:50.550 --> 1:04:51.210
Debug.

1:04:52.230 --> 1:04:52.620
IP.

1:04:53.780 --> 1:04:54.620
TCP packet.

1:04:56.060 --> 1:04:56.270
Right.

1:05:00.090 --> 1:05:01.560
So I'll go here and I'll click.

1:05:04.440 --> 1:05:05.610
Check out the source.

1:05:06.720 --> 1:05:07.200
Ten, 11.

1:05:07.200 --> 1:05:08.220
11.2 and ten.

1:05:08.220 --> 1:05:08.430
11.

1:05:08.430 --> 1:05:09.420
11.1.

1:05:09.450 --> 1:05:10.590
Who's accessing me?

1:05:14.340 --> 1:05:16.650
1313529.

1:05:24.930 --> 1:05:26.640
Hoping where... This is the one.

1:05:30.280 --> 1:05:30.880
Yeah, it is.

1:05:43.340 --> 1:05:44.570
Let's send some more data.

1:05:59.290 --> 1:06:00.190
All of this data, right?

1:06:01.420 --> 1:06:04.410
For all there's too many packets.

1:06:04.420 --> 1:06:05.800
49601.

1:06:07.520 --> 1:06:10.580
49601, 49601, 49601.

1:06:12.990 --> 1:06:15.040
From 35 is 49601.

1:06:17.160 --> 1:06:17.880
So we should see.

1:06:19.630 --> 1:06:20.260
591.

1:06:21.800 --> 1:06:24.410
It's taking, but it will keep track of the other one.

1:06:26.100 --> 1:06:27.440
It changed from.

1:06:28.320 --> 1:06:28.500
Yes.

1:06:28.560 --> 1:06:29.730
From Yes.

1:06:31.730 --> 1:06:33.980
What you're saying is from here to here, right?

1:06:34.490 --> 1:06:37.630
What you're saying is, will it use the same port number from here to here?

1:06:38.210 --> 1:06:39.500
Will it forward the port number?

1:06:43.230 --> 1:06:43.650
He's not.

1:06:44.660 --> 1:06:46.160
That is using a different one.

1:06:46.910 --> 1:06:49.010
So he's but he's keeping track of them.

1:06:50.000 --> 1:06:51.800
So he's using a different port number.

1:06:51.800 --> 1:06:56.150
Source port used by this guy is different than the source port, basically saying that this is a completely

1:06:56.150 --> 1:06:59.840
different connection between R2 and R1.

1:06:59.850 --> 1:07:02.480
Then whatever reply that he gets, he forwards it back.

1:07:02.480 --> 1:07:02.960
To whom?

1:07:04.460 --> 1:07:06.380
So if you have a look at the packet.

1:07:14.240 --> 1:07:15.320
Have a look at the pocket.

1:07:18.160 --> 1:07:27.820
I said, this is the packet going from 151.33.25, destination 151.23.2.

1:07:27.850 --> 1:07:28.390
Right.

1:07:28.960 --> 1:07:30.160
You're not actually going there.

1:07:30.160 --> 1:07:31.100
You're going somewhere else.

1:07:31.120 --> 1:07:34.120
XXX, 443.

1:07:34.150 --> 1:07:36.280
Your actual request is Http.

1:07:38.770 --> 1:07:39.070
Ten.

1:07:39.190 --> 1:07:39.910
11.

1:07:39.910 --> 1:07:40.780
11 point.

1:07:42.650 --> 1:07:43.340
Protected.

1:07:47.140 --> 1:07:52.060
Your packet goes across, reaches 20.2, is opened.

1:07:54.610 --> 1:07:55.990
Is open, 443.

1:07:57.510 --> 1:08:00.720
And the SSL checks where you actually want to go.

1:08:00.750 --> 1:08:02.190
Goes on your behalf.

1:08:02.220 --> 1:08:04.170
Whatever reply that he gets.

1:08:05.650 --> 1:08:07.210
That reply is written here.

1:08:08.690 --> 1:08:09.290
And then again.

1:08:10.670 --> 1:08:13.890
And then again the packet is sent back to you.

1:08:13.910 --> 1:08:15.440
Source port of 443.

1:08:15.470 --> 1:08:17.480
Destination Port of what you came in with.

1:08:17.990 --> 1:08:18.950
So here it was.

1:08:18.950 --> 1:08:20.690
49661 or something like that.

1:08:23.240 --> 1:08:25.880
How will you remember him by? 496612.

1:08:25.910 --> 1:08:29.090
What port number is going out and then coming back?

1:08:29.090 --> 1:08:29.990
He'll bind it back.

1:08:32.400 --> 1:08:38.220
Goes back to home, going from 20.2 to 30.25.

1:08:38.220 --> 1:08:39.690
So your information is here.

1:08:39.720 --> 1:08:41.490
The only problem is you're limited.

1:08:43.550 --> 1:08:46.020
The only one problem is that you're limited.

1:08:46.040 --> 1:08:47.600
You cannot do a lot of things.

1:08:47.600 --> 1:08:49.280
You can only do Http and FTP.

1:08:49.310 --> 1:08:52.700
Why? Http bar has been provided to you, if you see right here.

1:08:53.660 --> 1:08:55.640
Http bar has been provided to you.

1:08:56.580 --> 1:08:59.280
So you just enter your information here and just print.

1:09:00.000 --> 1:09:05.040
And FTP is also there, but it's not here; we'll have to do it separately.

1:09:05.070 --> 1:09:06.810
You can basically do it using FTP.

1:09:08.270 --> 1:09:09.080
And enter the command.

1:09:09.080 --> 1:09:09.710
151.

1:09:09.890 --> 1:09:12.770
If you had an FTP server, you could go to an FTP server.

1:09:14.280 --> 1:09:19.350
Today you have one more thing which is not much used: network file extension.

1:09:19.480 --> 1:09:21.060
Remember I said file browse.

1:09:21.450 --> 1:09:23.730
It requires an MS server to run.

1:09:24.510 --> 1:09:26.820
So you would have to configure a different server.

1:09:26.820 --> 1:09:29.610
And there because when you browse, you browse on that server.

1:09:31.170 --> 1:09:38.400
So because I only gave him... I gave the user what capabilities? To only do what? Browsing. So he

1:09:38.400 --> 1:09:43.110
wouldn't be able to access, he wouldn't be able to enter the files or do any changes, make any changes.

1:09:43.110 --> 1:09:45.840
He would only be able to browse the files.

1:09:48.790 --> 1:09:48.990
On.

1:09:52.070 --> 1:09:52.580
On here?

1:09:52.580 --> 1:09:53.000
Nothing.

1:09:53.000 --> 1:09:54.470
You will need an nvme server.

1:09:55.280 --> 1:09:56.810
You'll be guided just like right now.

1:09:56.810 --> 1:09:58.310
I'm guided to an Http server.

1:09:58.310 --> 1:09:59.090
Right there.

1:09:59.090 --> 1:10:00.770
He would be guided to an nvme server.

1:10:03.380 --> 1:10:03.860
Right.

1:10:05.670 --> 1:10:07.200
Your SSL VPN gateway.

1:10:09.150 --> 1:10:10.800
Okay, we can play around with this.

1:10:10.800 --> 1:10:12.590
You can also go to the other guy if you want to.

1:10:12.610 --> 1:10:15.810
Http 10.11.11.4.

1:10:16.110 --> 1:10:16.740
The other guy.

1:10:21.060 --> 1:10:24.030
You may not... "Unable to connect to the server at 10.11.11.4."

1:10:24.060 --> 1:10:24.960
Let's check why?

1:10:27.130 --> 1:10:29.920
Show ip interface brief. Show run section

1:10:29.950 --> 1:10:30.460
Http.

1:10:32.840 --> 1:10:34.130
Because I have not enabled.

1:10:35.240 --> 1:10:36.050
IP http.

1:10:36.230 --> 1:10:38.930
So once you enable it.

1:10:44.320 --> 1:10:46.360
10.11.11.4 should be able to open the.

1:10:49.260 --> 1:10:51.630
This is the clientless.

1:10:53.430 --> 1:10:54.470
Clientless.

1:10:54.480 --> 1:10:56.160
You're not configuring anything.

1:10:57.360 --> 1:10:58.260
On the client side.

1:10:58.260 --> 1:10:59.150
This is the client, right?

1:10:59.160 --> 1:11:00.250
What am I doing on the client?

1:11:00.270 --> 1:11:02.760
Just logging in and doing what I want to do.

1:11:04.300 --> 1:11:05.260
I have access.

1:11:06.970 --> 1:11:08.590
You could also make changes to it.

1:11:09.850 --> 1:11:11.380
You could add a banner.

1:11:12.160 --> 1:11:18.970
Now, the cosmetics and the changes are up to you, but what you could also do is delete this.

1:11:19.270 --> 1:11:20.560
I could go to R2.

1:11:22.000 --> 1:11:23.110
Or the gateway.

1:11:24.040 --> 1:11:29.080
I could go to the web VPN context, then go to my policy.

1:11:31.240 --> 1:11:33.990
I have a banner. I can say, Welcome.

1:11:35.970 --> 1:11:36.660
To the world.

1:11:40.260 --> 1:11:41.460
Where did I do this?

1:11:41.490 --> 1:11:43.830
Under the policy, the policy is already called.

1:11:46.000 --> 1:11:46.570
Isn't it?

1:11:48.230 --> 1:11:49.940
I just went into the policy.

1:11:49.940 --> 1:11:51.050
I said banner.

1:11:57.960 --> 1:11:59.730
And then I went down here.

1:12:00.600 --> 1:12:02.940
What I'll do is I'll log out.

1:12:05.710 --> 1:12:06.760
I log back in again?

1:12:13.820 --> 1:12:14.720
Welcome to the.

1:12:16.250 --> 1:12:16.850
Banner pop.

1:12:19.840 --> 1:12:25.240
So all the changes now you make on the gateway, on the context will be reflected to you as the gateway.

1:12:25.870 --> 1:12:32.130
You can change pictures, you can add login photos, you can change colors, text color, URL, file,

1:12:32.140 --> 1:12:32.740
a lot of things.

1:12:32.740 --> 1:12:35.620
We'll see that we'll do certain things here and there.

1:12:37.020 --> 1:12:37.740
Clientless.

1:12:38.550 --> 1:12:39.620
Do you see the problem with clientless?

1:12:39.750 --> 1:12:41.580
You can only access the Http and.

1:12:42.270 --> 1:12:46.170
The other things are still around out there, but you can't access them.

1:12:47.660 --> 1:12:49.700
We'll be using thin client for that.

1:12:51.120 --> 1:12:52.260
What do I mean by that?

1:12:52.290 --> 1:12:56.490
Say, for example, I wanted to access R1 for Http, sorry, Telnet services.

1:12:56.490 --> 1:12:57.620
I cannot do that right now.

1:12:57.630 --> 1:12:58.770
I don't have the capability.

1:12:58.770 --> 1:12:59.880
How do I do this?

1:12:59.910 --> 1:13:02.130
The only access I have is to this page.

1:13:03.330 --> 1:13:04.860
How do I tell it from this page?

1:13:04.860 --> 1:13:05.580
I cannot.

1:13:07.550 --> 1:13:11.090
If I wanted to use Smtp R1 for Smtp services, I can.

1:13:12.290 --> 1:13:14.210
I can only use certain services.

1:13:19.360 --> 1:13:20.990
Good thing you don't have all this.

1:13:21.830 --> 1:13:22.580
We don't have all this.

1:13:25.210 --> 1:13:26.890
How you're actually.

1:13:27.340 --> 1:13:28.270
What are you accessing?

1:13:28.600 --> 1:13:30.580
When you open it, you're accessing Http.

1:13:32.250 --> 1:13:34.410
You're actually accessing Http now.

1:13:34.440 --> 1:13:39.390
If it was not encrypted, all your photos, pictures and everything that were going up and down would

1:13:39.390 --> 1:13:40.020
be open.

1:13:40.960 --> 1:13:41.640
Clear text.

1:13:42.610 --> 1:13:47.250
Now, when you're uploading a photo, you're uploading a profile picture or you're sending a message,

1:13:47.260 --> 1:13:49.600
it's encrypted all the way across.

1:13:50.860 --> 1:13:52.000
From you to the other side.

1:13:53.340 --> 1:13:54.430
But whether an English.

1:13:56.780 --> 1:13:57.230
Here.

1:13:58.200 --> 1:14:00.450
The Facebook page that you get for login is this.

1:14:02.430 --> 1:14:03.670
The one which you get right there.

1:14:03.690 --> 1:14:07.890
Username and password that's that's hard to hard to displaying his page.

1:14:08.190 --> 1:14:12.870
Once you log in, you enter, you already entered, then you're here.

1:14:17.490 --> 1:14:17.700
Hey.

1:14:19.930 --> 1:14:21.370
You're actually accessing.

1:14:21.580 --> 1:14:25.180
If you remember, I think 3 or 4 years ago, Facebook was Http.

1:14:26.960 --> 1:14:28.490
They had nothing to do with this.

1:14:29.000 --> 1:14:33.650
Then there was, I remember, there was a message which they sent to everybody that we're moving our

1:14:33.650 --> 1:14:35.660
servers to Https.

1:14:35.660 --> 1:14:38.100
So you will get that's with Http.

1:14:38.120 --> 1:14:40.010
Now I remember that happening.

1:14:41.930 --> 1:14:42.420
Then people.

1:14:44.280 --> 1:14:45.510
A lot of websites still are.

1:14:46.590 --> 1:14:47.170
Still are.

1:14:49.890 --> 1:14:52.200
Must have because it's quite easy to do that now.

1:14:52.740 --> 1:14:54.060
You just have to get a connection.

1:14:55.140 --> 1:14:56.430
You just have to get yourself paid.

1:14:56.430 --> 1:14:56.820
That's it.

1:14:58.950 --> 1:15:03.540
These pages are too... I think it might even say somewhere.

1:15:03.550 --> 1:15:04.520
What is it using?

1:15:04.720 --> 1:15:05.170
It doesn't.

1:15:08.080 --> 1:15:08.560
It doesn't.

1:15:10.600 --> 1:15:11.300
Depends.

1:15:12.160 --> 1:15:12.790
Depends.

1:15:13.240 --> 1:15:14.740
Certificates are usually expensive.

1:15:14.740 --> 1:15:18.370
I've never actually purchased it myself, but it should be expensive.

1:15:19.610 --> 1:15:23.900
You get an Https because if it wasn't, then everybody, everybody would be doing it.

1:15:25.310 --> 1:15:29.120
Hey, so you have to go through a protocol or something like that to get it.

1:15:33.810 --> 1:15:34.790
Host a web page.

1:15:34.800 --> 1:15:36.720
It can only host this web page.

1:15:40.610 --> 1:15:41.240
Ready to go.

1:15:44.810 --> 1:15:46.060
Can only host this web page.

1:15:47.730 --> 1:15:48.090
That's it.

1:15:49.120 --> 1:15:50.170
Then you said.

1:15:53.570 --> 1:15:55.810
That you can customize it.

1:15:57.100 --> 1:15:57.810
Can I make this?

1:15:57.930 --> 1:15:59.130
Yes, you can.

1:15:59.430 --> 1:16:01.030
You can change the logo here.

1:16:01.050 --> 1:16:02.490
You can change the font here.

1:16:03.510 --> 1:16:04.520
Yes, Yes.

1:16:04.530 --> 1:16:04.890
Yes.

1:16:04.890 --> 1:16:06.330
Yes, definitely.

1:16:06.720 --> 1:16:07.470
You can just upload.

1:16:07.470 --> 1:16:09.680
Usually what you have is... Now, this is Cisco.

1:16:09.730 --> 1:16:11.940
As I told you, I was not that famous.

1:16:12.120 --> 1:16:16.950
There are a lot of other vendors out there which give you a customizable, completely customizable page,

1:16:16.950 --> 1:16:22.170
so you can upload your own set of pages, you can upload your code for the page, so you can have your

1:16:22.170 --> 1:16:24.900
full document for the whole page.

1:16:25.050 --> 1:16:27.390
It will look exactly like what you want it to.

1:16:27.390 --> 1:16:29.640
You can have logo wherever you want it to be.

1:16:29.640 --> 1:16:30.930
Complete customization.

1:16:32.600 --> 1:16:34.040
So here again, you can do it here.

1:16:34.040 --> 1:16:37.730
Also, if you want, you can remove all of this, but it's a little difficult because you'll be doing it

1:16:37.730 --> 1:16:38.560
from CLI.

1:16:40.140 --> 1:16:44.050
There you saw most of the time you'll use Juniper.

1:16:44.100 --> 1:16:47.820
Also, Juniper is also known for its SSL VPN, even Check Point.

1:16:49.230 --> 1:16:52.410
Also also also uses the same right, G1.

1:16:53.570 --> 1:16:54.560
Most of the times.

1:16:54.560 --> 1:16:58.010
But this gives you a good concept of how the whole process works.

1:16:58.040 --> 1:17:00.130
Once you get the process, then you configure it.

1:17:00.140 --> 1:17:01.280
It's quite easy.

1:17:01.670 --> 1:17:03.800
There is just a click here and a click there.

1:17:03.800 --> 1:17:04.280
You're done.

1:17:06.100 --> 1:17:07.630
Okay, let's take a break.
