VPN - Virtual Private Networking

 

Introduction.  Think of all the packets routing across the Internet.  You might think you could send your packets to just about anyplace and not worry about someone else tapping into the flow.  Reality is much different.  Particularly, when you think about competitive business environments you realize that tapping into other firms' data/information flows could be very informative.

We have talked a fair amount about internal network security at a fairly general level.  Now we need to talk some more about security associated with transmitting packets of information across the Internet.  VPN - Virtual Private Networking gets its name from the idea that certain things should be done to increase the likelihood that information gets only to where it should, exactly as it was sent.  It is intended to help VPN users think/feel that they have a private network tunneled within the Internet.

A virtual network gives its user the sense of a direct connection to another location.  The privacy component of VPN is based on encryption of the data as it travels across a wider network.  Putting these together creates the VPN.  VPN can be configured to work through dial up connections or router to router connections on the Internet.

Tunneling.  In order to develop security in VPNs, a tunnel is created which is essentially a logical point to point connection that supports authentication and encryption of data from one endpoint of the tunnel to the other.

Tunneling hides the original packet inside a new packet called the encapsulation packet.  To ensure the packet can still reach its intended destination, the address of a tunneling endpoint is included in the containing packet header.  This containing packet header is called the encapsulation header.  Since the original destination is still contained within the encapsulation, when the encapsulation reaches the tunneling endpoint it can be opened back up to reveal the original destination address.
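The encapsulation step described above, as an added example that is not part of the original page.  It assumes plain IPv4-in-IPv4 encapsulation (IP protocol number 4) as the simplest wrapper; the addresses and payload are constructed sample values.  Note that the encapsulation header alone leaves the original packet readable inside the outer payload, which is why the tunnel is paired with encryption.

```python
import socket
import struct

IPPROTO_IPIP = 4   # IANA protocol number for IPv4-in-IPv4 encapsulation
IPPROTO_UDP = 17

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 when run over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(packet: bytes) -> dict:
    """Validate an IPv4 header and return addresses, protocol and payload."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(packet):
        raise ValueError("bad header or total length")
    if checksum(packet[:ihl]) != 0:
        raise ValueError("header checksum mismatch")
    return {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "proto": packet[9], "payload": packet[ihl:total_len]}

def encapsulate(inner: bytes, local_gw: str, remote_gw: str) -> bytes:
    """Wrap the whole original packet in a header addressed to the tunnel endpoint."""
    return ipv4_packet(local_gw, remote_gw, IPPROTO_IPIP, inner)

def decapsulate(outer: bytes, my_addr: str) -> bytes:
    """At the tunnel endpoint, strip the encapsulation header to recover the original."""
    hdr = parse_ipv4(outer)
    if hdr["dst"] != my_addr or hdr["proto"] != IPPROTO_IPIP:
        raise ValueError("not a tunnel packet for this endpoint")
    parse_ipv4(hdr["payload"])  # the inner packet must itself be well-formed
    return hdr["payload"]

# Constructed sample: private-address hosts behind two documentation-range gateways.
INNER = ipv4_packet("10.1.0.5", "10.2.0.9", IPPROTO_UDP, b"payroll-record")
OUTER = encapsulate(INNER, "192.0.2.1", "198.51.100.1")
```

Routers between the gateways see only the outer addresses 192.0.2.1 and 198.51.100.1; the original destination 10.2.0.9 reappears only after `decapsulate` runs at the endpoint.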

Tunnels can be established at different layers of the OSI model.

Layer 2 Tunneling.  Most VPN configurations make use of tunneling protocols that operate at Layer 2, the Data Link Layer.  These protocols provide a virtual link from one point to another.  The PPTP - Point to Point Tunneling Protocol works at this level.  The L2F - Layer 2 Forwarding protocol also operates at this level.  L2F can operate over ATM and Frame Relay because it is not dependent on IP.  Unlike PPTP, L2F can support more than one connection.

Cisco developed L2F, which is supported by the IOS - Internetworking Operating Systems used by Cisco products.  In addition, Nortel and Shiva products support L2F.

L2TP - Layer 2 Tunneling Protocol combines elements of PPTP and L2F.  All of these protocols will be discussed in more detail in the next web page.

Layer 3 Tunneling.  Tunnels can also be developed at Layer 3, the Network Layer.  Thus they can be used for IP based virtual connections.  These connections work by sending packets within IETF specified protocol wrappers.  These wrappers likely make use of the following.

  • IPSec - IP Security
  • IKE - Internet Key Exchange
  • Authentication/Encryption Methods
    • MD5 - Message Digest 5
    • DES - Data Encryption Standard
    • SHA - Secure Hash Algorithm

IPSec can be used in conjunction with L2TP.  L2TP establishes the tunnel and IPSec does the encrypting.  In that arrangement IPSec is said to be operating in transport mode.  IPSec can also provide the tunnel itself when operating in tunnel mode.  IPSec Layer 3 tunneling can be used in situations where L2TP is not appropriate.

IPSec can provide encapsulation only for IP packets.  L2TP can provide encapsulation for IPX and other protocol packets across an IP network.  Since some gateways don't support one or the other of L2TP or PPTP, IPSec can be used to provide the tunnel from gateway to gateway.

Operating System Support.  Pretty much all modern operating systems provide support for VPN.  This enables VPN connections to servers as easily as those for dialup connections. 

Windows products after Windows 95 can function as VPN clients using built in components.  Windows 9x and Windows NT support PPTP.  Windows 2000 supports both PPTP and L2TP.

Linux supports the use of IPSec and PPTP.  You can also create a pseudo tunnel by running PPP - Point to Point Protocol through SSH - Secure Shell.  SSH makes use of the RSA public key technology to authenticate and secure the connection.

Why Use VPN?  The first thing we want to do is discuss some different scenarios where VPN might well be useful.  The following outline about some different VPN scenarios should help.

  • Provide Remote Access to Mobile or Home Based Employees
    • VPN client must be able to make use of the same protocols as the VPN server
      • tunneling
      • network
      • transport
      • encryption
    • After VPN components are installed the connection is established using the approach in the diagram.

 

 

  1. The remote access user dials a local ISP and logs in.
  2. After the Internet connection is established the client connects to the remote access server that needs to be configured to accept VPN connections.  This establishes the tunnel.
  3. The user obtains access on the private network.
  • Virtual Private Extranets
    • portion of the organization's LAN available to external users
      • might have technical support
      • shared business documents
      • preferred pricing
      • et cetera
    • access is usually gained through a web browser
    • a web server is set up in the VPN configured subnet
    • some standards for easing development exist
      • HTML - Hypertext Markup Language
      • XML - Extensible Markup Language
      • cXML - commerce XML
      • OBI - Open Buying on the Internet
  • VPN Connections between Branch Offices
    • usually connect pairs of offices in router to router connections
    • these connections are also called gateway to gateway
    • the VPN router does the IP forwarding
    • the LANs at each end have routed connections to the Internet
      • dialup
      • persistent
    • the VPN can be configured so that one router acts as the client and the other acts as the server
      • one way connection
      • good for permanent connections
    • the VPN can also be configured so that either router can initiate the connection
      • two way connection
      • must have persistent connections
      • must be both LAN and WAN routers

The following table contains some advantages and disadvantages for using VPN in place of dialup networking.

 

VPN

| Advantages of VPN | Disadvantages of VPN |
| --- | --- |
| improves security for connection | both ends must have an Internet connection in order to work |
| can connect through local ISP when traveling | performance is slower than dialup |
| reduce number of incoming telephone lines for remote access | |
| some ISPs offer VPN connections | |