LAN-to-LAN VPN


The LAN-to-LAN VPN is tied to the IPSec standard: where the remote dial-up user VPN uses protocols such as PPTP, L2F, and L2TP, IPSec concentrates on LAN-to-LAN. In a typical LAN-to-LAN design, not all traffic is encrypted. Two types of communication are possible:

  • Web server access: When a user connects to the web server on another network, the HTTP traffic is unencrypted. There is no requirement for the VPN device to encrypt this traffic.

  • VPN server access: When a user connects to the VPN server on another network, the VPN device recognizes that it is a VPN request and encrypts the packets.
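The split described above can be modeled as a first-match check of each flow against the VPN device's protect policy. The following is an added example, not code from the book; the policy format, the addresses, and the use of address matching to stand in for "recognizes that it is a VPN request" are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Selector:
    """One line of the VPN device's protect policy (hypothetical format)."""
    src: str              # source network in CIDR notation
    dst: str              # destination network in CIDR notation
    dport: Optional[int]  # destination port; None means any port

    def matches(self, src_ip, dst_ip, dport):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == dport))

# Constructed policy: only traffic from the local LAN (10.1.0.0/16) to the
# remote VPN server (192.0.2.10) is protected.
POLICY = [Selector("10.1.0.0/16", "192.0.2.10/32", None)]

def disposition(src_ip, dst_ip, dport, policy=POLICY):
    """Return 'encrypt' if any selector matches the flow, otherwise 'clear'."""
    for sel in policy:
        if sel.matches(src_ip, dst_ip, dport):
            return "encrypt"
    return "clear"

def cleartext_flows(flows, policy=POLICY):
    """Audit helper: list the flows that would leave the site unencrypted."""
    return [f for f in flows if disposition(*f, policy=policy) == "clear"]

# Constructed sample flows: (source, destination, destination port)
FLOWS = [
    ("10.1.5.20", "192.0.2.80", 80),    # HTTP to the remote web server
    ("10.1.5.20", "192.0.2.10", 445),   # session to the remote VPN server
    ("172.16.9.4", "192.0.2.10", 445),  # source outside the protected LAN
]

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, "->", disposition(*flow))
```

The third flow shows the case worth auditing: traffic to the VPN server from a source the policy does not cover is forwarded in the clear, just like the web traffic.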

The Data Encryption Standard (DES), which supports 56-bit encryption, can also be used for LAN-to-LAN encryption. Symmetric-key systems are simpler and faster; however, their main drawback is that the two parties must somehow exchange the encryption key in a secure way. Public-key encryption avoids this problem because the public key can be distributed in a non-secure way, and the private key is never transmitted.

NOTE

DES is the most popular symmetric-key system and cannot be used for export.

DES and Triple-DES (3DES, 168-bit encryption) can both be used to support cryptographic requirements between routers for intranet communication, as long as both cryptographic endpoints are in the United States.

NOTE

LAN-to-LAN VPN configurations are also used in a dial backup scenario, where a site's dedicated WAN access has failed and the WAN router initiates a VPN dial session to reestablish communication until the dedicated connection is restored.



Network Sales and Services Handbook (Cisco Press Networking Technology)
ISBN: 1587050900
EAN: 2147483647
Year: 2005
Pages: 269
