Skip to content

afshyna/networking-projects

Repository files navigation

Networking Projects

Welcome to the "Networking Projects" repository dedicated to advanced networking projects !

This repertory is a collection of network architectures & solutions, that showcase comprehensive network setups, including VPN setup with site-to-site and remote-access architectures with automatic failover solutions.

Portfolio of personal projets:

  • Network engineering
  • Cybersecurity
  • Routing & switching
  • Security architecture

This project is about the design and deployment of an IPsec VPN tunnel to interconnect two distant LANs over the public Internet, located behind NAT, in a secure way.

Technical Configuration & Architecture:

  • VPN Type: IPsec Tunnel Mode (LAN-to-LAN)
  • Key Exchange Protocol: Internet Key Exchange Version 2 (IKEv2) via strongSwan
  • Encryption & Integrity: Advanced cryptographic suite using AES256-GCM
  • Authentication Scheme: Initial Pre-Shared Key (PSK) phase, migrated to a robust Public Key Infrastructure (PKI) with X.509 digital certificates (using PKI CA)
  • NAT Management: NAT-Traversal (NAT-T) implementation to handle encapsulation over UDP ports 500/4500 through local routers
  • Packet Filtering & Security: Advanced Stateful firewalling using Linux Netfilter (UFW)

This project is about the simulation of an LAN-to-LAN IPsec VPN tunnel between two Cisco routers, using traditional IOS mechanisms,crypto map, transform set, and ACL‑based traffic selection, within a simulated GNS3 environment.

It demonstrates how legacy Cisco routers implement secure LAN-to-LAN connectivity over an untrusted network such as the public Internet.

Technical Configuration & Architecture:

  • VPN Type: IPsec Tunnel Mode / Policy-Based IPsec (LAN-to-LAN)
  • Key Exchange Protocol: IKEv1 (ISAKMP), the traditional negotiation model
  • IPsec Phases:
  • Phase 1 (ISAKMP/IKE SA): Authentication, DH key exchange, protection of the control channel
  • Phase 2 (IPsec/ESP SA): Creation of the encrypted data tunnel
  • Encryption & Integrity: AES‑256 for confidentiality, SHA‑256 for integrity, DH Group 14 for key exchange
  • Authentication Scheme: Pre‑Shared Key (PSK) between both Cisco routers
  • Security Policy: Implementation of "Interesting Traffic" via Extended Access Control Lists (ACLs)
  • Verification & Troubleshooting: analysis of Security Associations (SA) and SPIs using Cisco IOS diagnostic commands

This micro-project focuses on the design and deployment of a resilient VPN infrastructure combining OpenVPN site-to-site connectivity and WireGuard remote-access VPN services.

The architecture simulates a realistic enterprise environment with multiple branch offices, a primary server site, a disaster recovery site, nomad users, Internet exposure through NAT/PAT, and automated failover mechanisms.

It demonstrates how secure VPN services can be deployed, monitored, and maintained in production-like conditions while ensuring business continuity during outages.

Technical Configuration & Architecture:

  • VPN Technologies: OpenVPN (SSL/TLS) for Site-to-Site connectivity and WireGuard for Remote-Access VPN
  • Architecture Type: Multi-site VPN infrastructure with Primary Site (Paris-Montrouge) and Disaster Recovery Site (Aubervilliers)
  • Remote Offices: Tokyo and New York branch networks connected through routed VPN tunnels
  • Site-to-site: OpenVPN & WireGuard VPN for LAN-to-LAN communication between server's LAN and client's LAN.
  • Remote Access: WireGuard VPN access for nomad users (laptops and smartphones)
  • Authentication Scheme: X.509 certificates and TLS authentication for OpenVPN, public/private key cryptography for WireGuard
  • Routing Design: Static routing, CCD files, iroute directives, route propagation and inter-LAN communication
  • High Availability: Automatic failover between primary and backup VPN servers using multiple remote endpoints, keepalive mechanisms and dynamic route switching
  • NAT & Internet Exposure: NAT/PAT, port forwarding and MASQUERADE rules for VPN connectivity behind residential routers
  • Firewall & Security: Linux iptables filtering, forwarding policies
  • Network Services Validation: ICMP, HTTP and traceroute testing across VPN tunnels
  • Troubleshooting & Analysis: Packet-level analysis using Wireshark and tcpdump, routing-table verification, failover testing and incident simulation
  • Automation: Bash scripting, system-timers monitoring and dynamic route replacement for network resilience

Packages

 
 
 

Contributors

Languages