Virtual Private Networking

Definition: A VPN utilizes public telecommunications networks to conduct private data communications. Most VPN implementations use the Internet as the public infrastructure and a variety of specialized protocols to support private communications through the Internet.

A VPN follows a client/server model. VPN clients authenticate users, encrypt data, and otherwise manage sessions with VPN servers using a technique called tunneling.

VPN clients and VPN servers are typically used in these three scenarios:

    1. to support remote access to an intranet,
    2. to support connections between multiple intranets within the same organization, and
    3. to join networks between two organizations, forming an extranet.

The main benefit of a VPN is the lower cost needed to support this technology compared to alternatives like traditional leased lines or remote access servers.

VPN users typically interact with simple graphical client programs.

These applications support creating tunnels, setting configuration parameters, and connecting to and disconnecting from the VPN server. VPN solutions use several different network protocols, including PPTP, L2TP, IPsec and, for application-level proxying rather than true tunneling, SOCKS.

VPN servers can also connect directly to other VPN servers. A VPN server-to-server connection extends the intranet or extranet to span multiple networks.

Many vendors have developed VPN hardware and software products. Some of these do not interoperate due to the immaturity of some VPN standards.

How To Set up VPN Connections in Windows XP

  1. Open the Windows Control Panel.
  2. Open the Network Connections item in Control Panel. A list of existing dial-up and LAN connections will appear.
  3. Choose the 'Create a new connection' item from the left-hand side of the window. The Windows XP New Connection Wizard will appear on the screen.
  4. First click Next to begin the wizard, then choose the 'Connect to the network at my workplace' item from the list and click Next.
  5. On the Network Connection page of the wizard, choose the 'Virtual Private Network connection' option and click Next.
  6. Enter a name for the new VPN connection in the 'Company Name' field and click Next. The name chosen need not match the name of an actual business.
  7. Choose an option on the 'Public Network' screen and click Next. The default option, 'Automatically dial this initial connection' can be used if the VPN connection will always be initiated when the computer is not already connected to the Internet. Otherwise, choose the 'Do not dial the initial connection' option. This option requires that the public Internet connection be established first, before this new VPN connection will be initiated.
  8. Enter the name or IP address of the VPN remote access server to connect to, and click Next. Company network administrators will provide this information.
  9. Choose an option on the "Connection Availability" screen and click Next. The default option, 'My Use Only,' ensures that Windows will make this new connection available only to the currently logged on user. Otherwise, choose the 'Anyone's use' option.
  10. Click Finish to complete the wizard. The new VPN connection information has been saved.

How to route an incoming VPN client back to LAN?

Most of us use the MMC to administer Windows 2000 RRAS. But what happens when you need to route an incoming VPN client back out to the Internet and you're using NAT with private, non-routable addresses? Users of the company VPN used to complain about losing Internet access while connected. The usual workaround is to have the user open the advanced TCP/IP properties of the VPN connection and uncheck the box that says 'Use default gateway on remote network', so that only intranet traffic is sent through the tunnel and everything else leaves by the client's own Internet connection.

Adding the internal interface to NAT puts an end to that issue (though it makes the RRAS server the Internet gateway for every connected client, which has to be taken into consideration), and that's where the NETSHELL command can help.

If you take a look at the interfaces available under the IP Routing section of the RRAS console on a Windows 2000 server, you'll generally see the NICs listed, the loopback interface, and one called the internal interface. That internal interface is the virtual interface VPN clients are attached to, and you'll notice that you can't add it to the NAT protocol via the GUI. Time for the command line.

Open the command prompt, type NETSH to open the NETSHELL program. Now type

Done. You'll now notice that the internal interface is listed under the NAT protocol. At this point VPN clients can route to the Internet as well as to your LAN. You can configure all RRAS functions using the netsh command.
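To see why the 'Use default gateway on remote network' box decides whether a connected client keeps Internet access, here is a small model of the Windows client's route selection (longest matching prefix, then lowest metric). This is an added example, not code from the page; the two route tables, the interface names "ISP" and "VPN", the 10.0.0.0/8 intranet and the metrics are constructed for illustration and are not read from a real host.

```python
"""
Model of the Windows client route lookup behind the
"Use default gateway on remote network" option.
Added example, not from the original page; route tables are constructed.
"""
import ipaddress

# Each route: (destination network, interface name, metric). The lookup picks
# the longest matching prefix; ties are broken by the lowest metric.
def lookup(dst: str, routes):
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface, metric in routes:
        network = ipaddress.ip_network(net)
        if addr in network:
            key = (network.prefixlen, -metric)   # longer prefix, then lower metric
            if best is None or key > best[0]:
                best = (key, iface)
    return None if best is None else best[1]


# Constructed table: the client's own Internet connection plus the route the
# VPN adds for the corporate intranet (assumed to be 10.0.0.0/8).
BASE_ROUTES = [
    ("0.0.0.0/0", "ISP", 25),
    ("192.168.1.0/24", "ISP", 25),   # the client's home LAN
    ("10.0.0.0/8", "VPN", 1),        # intranet reached through the tunnel
]

# Box checked: Windows adds a second default route through the tunnel with a
# lower metric, so every destination without a more specific route goes to the
# VPN server, which must then NAT it back out or the traffic is lost.
FULL_TUNNEL = BASE_ROUTES + [("0.0.0.0/0", "VPN", 1)]

# Box unchecked ("split tunneling"): only the intranet prefix uses the tunnel.
SPLIT_TUNNEL = BASE_ROUTES


def where_does_it_go(dst: str) -> dict:
    """Interface chosen for dst under each setting."""
    return {
        "full_tunnel": lookup(dst, FULL_TUNNEL),
        "split_tunnel": lookup(dst, SPLIT_TUNNEL),
    }


if __name__ == "__main__":
    for host in ("198.51.100.7", "10.0.0.5", "192.168.1.20"):
        print(host, where_does_it_go(host))
```

An Internet host such as 198.51.100.7 goes to "VPN" under the full-tunnel table and to "ISP" under the split-tunnel one, while an intranet host like 10.0.0.5 uses the tunnel either way. That is the trade-off in the section above: adding the Internal interface to NAT on the RRAS server lets the full-tunnel choice work, whereas unchecking the box keeps Internet traffic off the corporate network but also lets the client bridge the intranet and whatever other network it sits on.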

VPN tunnelling

Virtual private network technology is based on the idea of tunneling. VPN tunneling involves establishing and maintaining a logical network connection (that may contain intermediate hops). On this connection, packets constructed in a specific VPN protocol format are encapsulated within some other base or carrier protocol, then transmitted between VPN client and server, and finally de-encapsulated on the receiving side.

For Internet-based VPNs, packets in one of several VPN protocols are encapsulated within Internet Protocol (IP) packets. VPN protocols also support authentication and encryption to keep the tunnels secure.
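The encapsulate/transmit/de-encapsulate cycle described above, as an added example that is not part of the original page: an inner IPv4 packet is wrapped in a GRE header (IP protocol 47, the carrier PPTP also builds on) inside an outer IPv4 header, then unwrapped by the receiver, which validates every field it relies on before trusting the payload. The addresses and payload are constructed; the GRE header is the minimal RFC 2784 form without checksum, key or sequence fields, so PPTP's extended GRE (version 1 with a key field) is deliberately rejected here.

```python
"""
Tunneling demo: IPv4 inside GRE inside an outer IPv4 carrier, then back.
Added example, not from the original page. Addresses and payload are made up.
"""
import struct
import ipaddress

GRE_PROTOCOL = 47        # IP protocol number of GRE
ETHERTYPE_IPV4 = 0x0800  # GRE "protocol type" for an IPv4 payload


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options) with a correct header checksum."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0x1234, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse an IPv4 header, checking version, lengths and checksum."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(packet):
        raise ValueError("malformed IPv4 header")
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap a complete inner IPv4 packet in GRE plus the outer IPv4 carrier."""
    gre_header = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)  # no flags, version 0
    return build_ipv4(tunnel_src, tunnel_dst, GRE_PROTOCOL, gre_header + inner)


def gre_decapsulate(outer_packet: bytes) -> bytes:
    """Strip carrier and GRE headers; every field the receiver relies on is checked."""
    outer = parse_ipv4(outer_packet)
    if outer["proto"] != GRE_PROTOCOL:
        raise ValueError("not a GRE packet")
    gre = outer["payload"]
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags_ver, proto_type = struct.unpack("!HH", gre[:4])
    if flags_ver != 0:   # C/K/S bits or a non-zero version (e.g. PPTP's GRE v1)
        raise ValueError("GRE optional fields or version not supported")
    if proto_type != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE payload type")
    inner = gre[4:]
    parse_ipv4(inner)    # validate the inner packet before handing it up the stack
    return inner


def demo() -> dict:
    # Constructed sample: a client on the VPN's private range sending to an
    # intranet host, carried between two public tunnel endpoints.
    inner = build_ipv4("10.8.0.2", "10.0.0.5", 17, b"hello intranet")
    carrier = gre_encapsulate(inner, "203.0.113.10", "198.51.100.1")
    recovered = gre_decapsulate(carrier)
    outer = parse_ipv4(carrier)
    return {"outer_src": outer["src"], "outer_dst": outer["dst"],
            "outer_proto": outer["proto"], "inner_matches": recovered == inner,
            "inner_dst": parse_ipv4(recovered)["dst"],
            "payload_visible_in_clear": b"hello intranet" in carrier}


if __name__ == "__main__":
    print(demo())
```

The last field of demo() is the point the next sentence of the text makes: encapsulation alone hides nothing. GRE carries the inner packet in the clear, so a VPN protocol has to add an authentication and encryption layer (MPPE for PPTP, ESP for IPsec) on top of the tunnel to make it private.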

Types of VPN Tunneling

VPN supports two types of tunneling - voluntary and compulsory. Both types of tunneling are commonly used.

In voluntary tunneling, the VPN client manages connection setup.

The client first makes a connection to the carrier network provider (an ISP in the case of Internet VPNs). Then, the VPN client application creates the tunnel to a VPN server over this live connection.

In compulsory tunneling, the carrier network provider manages VPN connection setup. When the client first makes an ordinary connection to the carrier, the carrier in turn immediately brokers a VPN connection between that client and a VPN server. From the client point of view, VPN connections are set up in just one step compared to the two-step procedure required for voluntary tunnels.

Compulsory VPN tunneling authenticates clients and associates them with specific VPN servers using logic built into the broker device. This network device is sometimes called the VPN Front End Processor (FEP), Network Access Server (NAS) or Point of Presence Server (POS). Compulsory tunneling hides the details of VPN server connectivity from the VPN clients and effectively transfers management control over the tunnels from clients to the ISP. In return, service providers must take on the additional burden of installing and maintaining FEP devices.

VPN Tunneling Protocols

Several computer network protocols have been implemented specifically for use with VPN tunnels. The three most popular VPN tunneling protocols listed below continue to compete with each other for acceptance in the industry. These protocols are generally incompatible with each other.

Point-to-Point Tunneling Protocol (PPTP)

Several corporations worked together to create the PPTP specification. People generally associate PPTP with Microsoft because nearly all flavors of Windows include built-in client support for this protocol. The initial releases of PPTP for Windows by Microsoft contained authentication and encryption (MS-CHAP and MPPE) that security researchers found too weak for serious use. Microsoft revised them, but the MS-CHAPv2 authentication PPTP still depends on is today considered broken, so PPTP should not be relied on where confidentiality matters.

Layer Two Tunneling Protocol (L2TP)

The original competitor to PPTP for VPN tunneling was L2F, a protocol implemented primarily in Cisco products. In an attempt to improve on L2F, the best features of it and PPTP were combined to create a new standard called L2TP. Like PPTP, L2TP exists at the data link layer (Layer Two) in the OSI model -- thus the origin of its name.

Internet Protocol Security (IPsec)

IPsec is actually a collection of multiple related protocols. It can be used as a complete VPN protocol solution, or simply as the authentication and encryption layer beneath L2TP (the common L2TP/IPsec combination), since L2TP itself provides no confidentiality. IPsec exists at the network layer (Layer Three) of the OSI model.

1 comment:

Unknown said...

Elated to know about this information on virtual private networking. Last month, I used one of the excellent and top VPN for Windows software packages. Really satisfied with the service, as it worked in spite of the firewall in China.