Using Virtual Private Networks (VPNs) for Internet Connectivity

Virtual private networks (VPNs) enable users to connect to a remote private network through the Internet. With a VPN, data is first encrypted and encapsulated before it is sent to the remote VPN server. When the VPN server receives the data, it decrypts the packet so that it can be interpreted. VPNs are usually implemented to provide connectivity between two or more private networks or LANs, and to enable remote access users to connect to and access the network. Many companies supply their own VPN connections via the Internet. Through their ISPs, remote users running VPN client software are assured private access in a publicly shared environment. VPNs are implemented over extensive shared infrastructures using analog, ISDN, DSL, cable and dial-up technology, as well as mobile IP. Email, database and office applications use these secure remote VPN connections.

A VPN gateway, also called a VPN router, is a connection point that joins two LANs across a nonsecure network such as the Internet. A VPN gateway connects to either a single VPN gateway or to multiple VPN gateways to extend the LAN.

Tunneling is the term used to describe a method of using an internetwork infrastructure to transfer a payload; in VPN terminology it refers to the encapsulation and transmission of VPN data, or packets. The tunnel is the logical path or connection that encapsulated packets travel along across the transit internetwork. The tunneling protocol encapsulates the original frame, and the encapsulated data is encrypted so that its content cannot be interpreted in transit.

With Internet-based VPNs, the remote client connects to the Internet and then utilizes VPN client software to establish a connection with the VPN server. All communications between the client and VPN server are encrypted and encapsulated into packets before being transmitted over the public Internet.

Windows Server 2003 includes a VPN component in its Routing and Remote Access service (RRAS) that enables you to configure a Windows Server 2003 computer as a VPN server. You can use the VPN server to enable clients to remotely access the network. Because remote clients typically already have Internet connectivity, you can set up the VPN server to accept Internet connections from these clients.

In addition to configuring an Internet-based VPN, you can also configure router-to-router VPNs to connect two physically separated LANs. Router-to-router VPNs are also typically called demand-dial connections, because the connection is only established when traffic needs to pass between the LANs. For a router-to-router VPN configuration to work, an Internet connection is needed for each separated LAN. Traffic is then encapsulated over the Internet to create the virtual connection between the two LAN locations.

Demand-dial connections are ideal for small remote sites that only require intermittent VPN connectivity. Here, you can configure a demand-dial VPN with one-way initiation or with two-way initiation:

  • One-way initiation: the client of one VPN server initiates the connection, and the other VPN server is configured to accept the connection.
  • Two-way initiation: clients of both VPN servers can initiate the connection, and each VPN server is configured to accept the connection.

An alternative to using demand-dial connections is to use a persistent connection to the Internet. Dedicated leased lines are classed as persistent connections: they are permanent and remain open all the time. A VPN server set up to use a persistent Internet connection can make the connection available to VPN clients.

A VPN tunneling protocol is required to create a VPN. The tunneling protocol provides the tunnel through which private data is sent as encrypted data over the Internet. The VPN tunneling protocols used to encapsulate data and manage VPN tunnels are:

  • Point-to-Point Tunneling Protocol (PPTP): PPTP, an extension of the Point-to-Point Protocol (PPP), encapsulates PPP frames in IP datagrams to transmit data over an IP internetwork. Windows Server 2003 includes PPTP version 2. PPTP uses a TCP connection to create and manage the tunnel, and a modified version of Generic Routing Encapsulation (GRE) to carry the tunneled data by encapsulating PPP frames. The encapsulated tunnel data can be encrypted and/or compressed. However, PPTP encryption can only be used when the authentication protocol is EAP-TLS or MS-CHAP, because PPTP encrypts VPN data with Microsoft Point-to-Point Encryption (MPPE), and MPPE needs the encryption keys generated by EAP-TLS or MS-CHAP. The Windows Server 2003 implementation of PPTP supports both 40-bit and 128-bit encryption.
  • Layer Two Tunneling Protocol (L2TP): L2TP encapsulates PPP frames and sends the encapsulated data over IP, frame relay, ATM and X.25 networks. With L2TP, the PPP and layer two end-points can exist on different devices. L2TP can also operate as a tunneling protocol over the Internet. L2TP uses UDP packets and a number of L2TP messages for tunnel maintenance; UDP is also used to send L2TP-encapsulated PPP frames as tunneled data. L2TP itself does not encrypt the PPP payload; when L2TP is used with IPSec, the highest level of security is assured, covering data confidentiality and integrity, data authentication, and replay protection. IPSec protects the data packets and therefore provides security on non-secure networks such as the Internet.
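As an added example (not code from the original article), the following Python parser distinguishes the two tunnel types described above in captured IPv4 packets: PPTP's TCP 1723 control connection and its enhanced-GRE data channel, reporting whether the PPP payload inside is MPPE-encrypted or cleartext, versus L2TP over UDP 1701, which, when it is visible in the clear, is not being protected by IPSec. Header layouts follow RFC 2637 (PPTP) and RFC 2661 (L2TP); all packet samples are constructed inline.

```python
import struct
GRE_PROTO_PPP = 0x880B   # PPP carried in PPTP's enhanced GRE (RFC 2637)
PPP_COMPRESSED = 0x00FD  # PPP "compressed datagram" protocol, used by MPPE

def ipv4(proto: int, payload: bytes) -> bytes:  # constructed minimal IPv4 header
    return bytes([0x45, 0, 0, 0, 0, 1, 0, 0, 64, proto, 0, 0,
                  10, 0, 0, 1, 10, 0, 0, 2]) + payload

def pptp_gre(call_id: int, ppp: bytes) -> bytes:  # enhanced GRE: K, S, A bits, ver 1
    return struct.pack("!BBHHHII", 0x30, 0x81, GRE_PROTO_PPP, len(ppp),
                       call_id, 7, 6) + ppp

def parse_pptp_gre(gre: bytes) -> str:
    flags, ver, proto, plen, call_id = struct.unpack("!BBHHH", gre[:8])
    if ver & 0x07 != 1 or proto != GRE_PROTO_PPP:
        return "GRE, but not PPTP enhanced GRE"
    off = 8 + (4 if flags & 0x10 else 0) + (4 if ver & 0x80 else 0)  # seq, ack
    ppp = gre[off:off + plen]
    if ppp[:2] == b"\xff\x03":  # optional PPP address/control bytes
        ppp = ppp[2:]
    ppp_proto = ppp[0] if ppp[0] & 1 else struct.unpack("!H", ppp[:2])[0]
    if ppp_proto == PPP_COMPRESSED:
        return f"PPTP data, call {call_id}: MPPE-encrypted PPP"
    return f"PPTP data, call {call_id}: cleartext PPP protocol 0x{ppp_proto:04x}"

def parse_l2tp(l2tp: bytes) -> str:
    fv = struct.unpack("!H", l2tp[:2])[0]
    if fv & 0x000F != 2:
        return "UDP 1701, but not L2TPv2"
    off = 2 + (2 if fv & 0x4000 else 0)  # skip Length field when L bit is set
    tunnel_id, session_id = struct.unpack("!HH", l2tp[off:off + 4])
    kind = "control message" if fv & 0x8000 else "data (PPP) without IPSec"
    return f"L2TP {kind}, tunnel {tunnel_id} session {session_id}"

def classify_ipv4(pkt: bytes) -> str:
    proto, payload = pkt[9], pkt[(pkt[0] & 0x0F) * 4:]
    if proto == 47:
        return parse_pptp_gre(payload)
    if proto in (6, 17):
        sport, dport = struct.unpack("!HH", payload[:4])
        if proto == 6 and 1723 in (sport, dport):
            return "PPTP control connection (TCP 1723)"
        if proto == 17 and 1701 in (sport, dport):
            return parse_l2tp(payload[8:])
    return "not a VPN tunnel protocol"

# Constructed samples: cleartext IP in PPP, MPPE-encrypted PPP, L2TP control.
PPTP_CLEARTEXT = ipv4(47, pptp_gre(5, b"\x00\x21\x45" + b"\x00" * 19))
PPTP_MPPE = ipv4(47, pptp_gre(5, b"\xff\x03\x00\xfd\x10\x00" + b"\xab" * 16))
L2TP_CONTROL = ipv4(17, struct.pack("!HHHHHHHHHH", 40000, 1701, 20, 0, 0xC802, 12, 17, 0, 0, 0))
```

A PPTP data packet reported as cleartext means MPPE was not negotiated, which is what happens when the authentication protocol is not EAP-TLS or MS-CHAP.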

Remote access policies can be used to secure demand-dial connections. You can use a remote access policy to control whether or not a user is allowed to connect to the VPN server. Remote access policies contain conditions, which you specify through the Routing and Remote Access management console, that determine which users are allowed to connect to the remote access server. Remote access policies can also be used to specify which authentication protocol clients must use, specify which encryption methods clients must use, and restrict access based on user and group membership and time of day.
