VPN

Basics

PPTP, L2F, and L2TP

Microsoft-created PPTP provides tunneling plus compression and weak encryption (MPPE, built on RC4). Cisco's L2F provides tunneling plus authentication. The Layer Two Tunneling Protocol (L2TP) is the IETF standard that supersedes PPTP and L2F; because L2TP itself provides no confidentiality, it is normally run inside IPsec (L2TP/IPsec). Other vendors provide IPsec with proprietary extensions. IPsec and L2TP operate at two different layers of the protocol stack: IPsec protects IP packets, while L2TP tunnels PPP frames. In Windows 2000, Microsoft added IPsec and L2TP to its Dial-up Networking VPN client, so enterprises that want to use the built-in Windows client for secure remote access can choose between Microsoft's PPTP and IETF-standard L2TP over IPsec.

Authentication methods

Shared secrets, public keys, digital certificates, one-time passwords, and hardware tokens can be used to verify system and user identities. Of these, a shared secret is the weakest choice for anything beyond a lab: it is the same value on every peer that uses it, so one compromised endpoint exposes all of them.

Encryption

IPsec has two modes: tunnel and transport. In tunnel mode the entire original packet, header and payload, is encapsulated and protected, and a new outer IP header (typically addressed between two gateways) carries it across the network. In transport mode only the payload is protected; the original IP header stays in the clear, so an on-path observer can still see the real source and destination addresses even though the data is encrypted.

AAA servers (Authentication, Authorization and Accounting) are used for more secure access in a remote-access VPN environment. When a request to establish a session comes in from a remote (dial-up) client, the VPN gateway proxies the request to the AAA server, which checks who you are (authentication), what you are allowed to do (authorization), and what you actually do (accounting). The accounting information is especially useful for tracking client use for security auditing, billing or reporting purposes.
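The page does not say which protocol the gateway uses to proxy the request to the AAA server, so the following added example (not code from the original page) assumes RADIUS (RFC 2865), the protocol most remote-access gateways speak. It builds an Access-Request as the VPN gateway (the NAS) would, hides the User-Password with the RFC 2865 MD5 scheme keyed on the shared secret, lets a minimal server perform the authentication step, and verifies the Response Authenticator on the reply. The shared secret, user database, NAS address and packet identifiers are all constructed for the example.

```python
"""RADIUS Access-Request / Access-Accept exchange between a VPN gateway (NAS) and an AAA server.
Added example; the shared secret, user database and NAS address below are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def _attr(attr_type, value):
    """Type | Length (including these two bytes) | Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a multiple of 16, XOR each block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side of the same scheme; the previous *ciphertext* block feeds the next MD5."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, nas_ip, authenticator=None):
    """What the VPN gateway sends when a client asks to establish a session."""
    authenticator = authenticator or os.urandom(16)  # must be unpredictable and unique per request
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(data):
    """Code | Identifier | Length | Authenticator(16) | attributes, with length checks."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad RADIUS length")
    authenticator, attrs, pos = data[4:20], {}, 20
    while pos < length:
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = data[pos + 2:pos + attr_len]
        pos += attr_len
    return code, ident, authenticator, attrs


def build_response(code, request, secret):
    """Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    _, ident, req_auth, _ = parse_packet(request)
    head = struct.pack("!BBH", code, ident, 20)  # no attributes in this minimal reply
    return head + hashlib.md5(head + req_auth + secret).digest()


def verify_response(response, request, secret):
    """NAS side: accept the reply only if it was produced by a holder of the shared secret."""
    _, ident, req_auth, _ = parse_packet(request)
    _, r_ident, resp_auth, _ = parse_packet(response)
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return r_ident == ident and hmac.compare_digest(resp_auth, expected)


def aaa_server(request, secret, users):
    """The authentication step of AAA: reveal the password and compare it in constant time."""
    code, _, req_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST or USER_NAME not in attrs or USER_PASSWORD not in attrs:
        return build_response(ACCESS_REJECT, request, secret)
    password = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    expected = users.get(attrs[USER_NAME])
    ok = expected is not None and hmac.compare_digest(password, expected)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)


if __name__ == "__main__":
    secret, users = b"s3cret-shared-with-the-gateway", {b"alice": b"correct horse battery staple"}
    req = build_access_request(7, b"alice", b"correct horse battery staple", secret, "192.0.2.1")
    reply = aaa_server(req, secret, users)
    print("accepted:", parse_packet(reply)[0] == ACCESS_ACCEPT, "genuine:", verify_response(reply, req, secret))
```

Two things worth noticing from the code: the password hiding is an MD5 stream keyed on the shared secret, not real encryption, and the Access-Request itself carries no integrity check unless the Message-Authenticator attribute of RFC 2869 is added. The Response Authenticator is the only thing binding the reply to the request. On any network segment an attacker could reach, RADIUS should therefore ride inside IPsec or TLS (RadSec, RFC 6614), and the Request Authenticator must come from a cryptographic random source, as the default in build_access_request does.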

Tunneling

Most VPNs rely on tunneling to create a private network that reaches across the Internet. Essentially, tunneling is the process of placing an entire packet within another packet and sending it over a network. The protocol of the outer packet is understood by the network and by both points, called tunnel interfaces, where the packet enters and exits the network.

Tunneling requires three different protocols:

Carrier protocol: the protocol of the network the data travels over, typically IP.
Encapsulating protocol: the protocol wrapped around the original data (GRE, IPsec, L2F, PPTP or L2TP).
Passenger protocol: the original packet being carried, in most VPNs today an IP packet from the private network.

In a site-to-site VPN, GRE (Generic Routing Encapsulation) is normally the encapsulating protocol: it provides the framework for how to package the passenger protocol for transport over the carrier protocol, which is typically IP. The GRE header carries the type of packet being encapsulated and, optionally, information about the connection between the endpoints (a key and sequence numbers). GRE on its own provides no confidentiality or authentication; it is a tunnel but not a secure one, which is why GRE is usually protected by IPsec. Instead of GRE, IPsec in tunnel mode is sometimes used directly as the encapsulating protocol. IPsec works well for both remote-access and site-to-site VPNs, and must be supported at both tunnel interfaces.
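The packet-in-packet idea above, the GRE framing, and the difference between IPsec tunnel and transport mode described under Encryption are easiest to see on real bytes. The following is an added example, not code from the original page: it builds an inner IPv4 packet between two private LANs (constructed addresses), wraps it in GRE between two gateways, then wraps the same packet in ESP in transport and in tunnel mode, and shows what an on-path observer can read from each outer header. The ESP header layout (SPI, sequence number, IV, ciphertext, next-header byte, ICV) follows RFC 4303, but the cipher is a toy HMAC-SHA256 counter-mode keystream standing in for AES, and the per-packet IV derivation, key values, SPIs and gateway addresses are all assumptions made for the example.

```python
"""GRE encapsulation and ESP transport vs tunnel mode on constructed packets (added example)."""
import hashlib
import hmac
import socket
import struct

PROTO_IPV4, PROTO_GRE, PROTO_ESP = 4, 47, 50
ETHERTYPE_IPV4 = 0x0800
ICV_LEN = 16  # truncated HMAC-SHA256 tag, same size as HMAC-SHA-256-128 in real ESP


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total >> 16) + (total & 0xFFFF)
    return hdr[:10] + struct.pack("!H", ~total & 0xFFFF) + hdr[12:]


def parse_ipv4(packet):
    ihl, total_len = (packet[0] & 0x0F) * 4, struct.unpack("!H", packet[2:4])[0]
    return {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "proto": packet[9], "payload": packet[ihl:total_len]}


def on_the_wire(packet):
    """What an on-path observer reads from the cleartext outer header: (src, dst, protocol)."""
    o = parse_ipv4(packet)
    return o["src"], o["dst"], o["proto"]


def gre_encapsulate(inner, outer_src, outer_dst):
    """Passenger (inner IPv4) inside GRE (encapsulating) inside IPv4 (carrier), RFC 2784."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # C=K=S=0, version 0, protocol type of passenger
    return ipv4_header(outer_src, outer_dst, PROTO_GRE, 4 + len(inner)) + gre + inner


def gre_decapsulate(packet):
    outer = parse_ipv4(packet)
    if outer["proto"] != PROTO_GRE:
        raise ValueError("not a GRE packet")
    flags, ptype = struct.unpack("!HH", outer["payload"][:4])
    if flags & 0xB000:  # C, K or S bit set: optional checksum/key/sequence fields, not handled here
        raise ValueError("unsupported GRE options")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected passenger protocol 0x%04x" % ptype)
    return outer["payload"][4:]


def _keystream_xor(key, iv, data):
    """Toy stream cipher (HMAC-SHA256 in counter mode); a stand-in for AES in real ESP."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, iv + struct.pack("!I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def esp_seal(spi, seq, enc_key, auth_key, data, next_header):
    """SPI | seq | IV | ciphertext(data | next header) | ICV; IV derivation is an assumption."""
    iv = hashlib.sha256(auth_key + struct.pack("!II", spi, seq)).digest()[:8]
    body = struct.pack("!II", spi, seq) + iv + _keystream_xor(enc_key, iv, data + bytes([next_header]))
    return body + hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]


def esp_open(esp, enc_key, auth_key):
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]):
        raise ValueError("ESP integrity check failed")
    plain = _keystream_xor(enc_key, body[8:16], body[16:])
    return plain[:-1], plain[-1]  # data, next header


def esp_transport(inner, spi, seq, enc_key, auth_key):
    """Transport mode: the original IP header stays in the clear; only the payload is protected."""
    i = parse_ipv4(inner)
    esp = esp_seal(spi, seq, enc_key, auth_key, i["payload"], i["proto"])
    return ipv4_header(i["src"], i["dst"], PROTO_ESP, len(esp)) + esp


def esp_tunnel(inner, spi, seq, enc_key, auth_key, gw_src, gw_dst):
    """Tunnel mode: the whole original packet is protected behind a new gateway-to-gateway header."""
    esp = esp_seal(spi, seq, enc_key, auth_key, inner, PROTO_IPV4)
    return ipv4_header(gw_src, gw_dst, PROTO_ESP, len(esp)) + esp


def esp_decapsulate(packet, enc_key, auth_key):
    outer = parse_ipv4(packet)
    if outer["proto"] != PROTO_ESP:
        raise ValueError("not an ESP packet")
    data, next_header = esp_open(outer["payload"], enc_key, auth_key)
    if next_header == PROTO_IPV4:  # tunnel mode: the data is a complete inner packet
        return data
    # transport mode: restore the original protocol in the cleartext header (other fields use defaults)
    return ipv4_header(outer["src"], outer["dst"], next_header, len(data)) + data


if __name__ == "__main__":
    # Constructed sample: a UDP packet between two private LANs, carried between two gateways
    inner = ipv4_header("10.1.1.10", "10.2.2.20", 17, 12) + b"\x04\xd2\x00\x35\x00\x14\x00\x00demo"
    ek, ak = b"e" * 32, b"a" * 32
    for name, pkt in (("GRE", gre_encapsulate(inner, "198.51.100.1", "203.0.113.1")),
                      ("ESP transport", esp_transport(inner, 0x1000, 1, ek, ak)),
                      ("ESP tunnel", esp_tunnel(inner, 0x2000, 1, ek, ak, "198.51.100.1", "203.0.113.1"))):
        print(name, on_the_wire(pkt), "inner dst visible:", socket.inet_aton("10.2.2.20") in pkt)
```

Running it shows the three cases side by side: with plain GRE the observer sees the gateway addresses but the inner packet, addresses and payload included, is readable in the GRE body; with ESP transport mode the payload is hidden but the outer header still names the two LAN hosts; only ESP tunnel mode hides both, leaving the observer the gateway addresses, protocol 50 and the packet size. The ICV check in esp_open is what makes a modified packet fail rather than decrypt to garbage, which is why ESP should always be configured with an integrity algorithm (or an AEAD cipher), never encryption alone.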

IKE

The Internet Key Exchange (IKE) authenticates tunnel endpoints and negotiates security parameters for IPsec.  Together, IPsec and IKE can be used to create site-to-site VPNs, tunneling over the Internet from one enterprise LAN to another.  IPsec and IKE are also used to create remote access VPNs, letting dial-up clients tunnel encrypted, authenticated IP to security gateways, thereby gaining access to the private network behind the gateway.

SSL

Like IPsec, SSL (today TLS) provides authentication, encryption, and message integrity. However, SSL operates above the transport layer rather than at the IP layer: it secures a single application stream, most commonly HTTP, between a client and a server, whereas IPsec protects every IP packet exchanged between the two endpoints regardless of the application. An SSL VPN therefore needs no special client beyond a browser for web applications, but protecting other protocols requires either an application that speaks SSL itself or a client agent that tunnels traffic over the SSL session.

Resources