A virtual private network (VPN) is defined as the logical channel that allows the sending of data between two computers across an internetwork in a manner that mimics the properties of a dedicated private network. In this lesson, you will learn about VPNs in a routed environment and with the Internet.
After this lesson, you will be able to
Estimated lesson time: 20 minutes
A VPN allows you to send data between two computers across an internetwork in a manner that mimics the properties of a dedicated private network (see Figure 12.11). For example, VPNs allow users working at home or on the road to connect securely to a remote corporate server using the routing infrastructure provided by a public internetwork such as the Internet. From the user's perspective, the VPN is a point-to-point connection between the user's computer and a corporate server. The nature of the intermediate internetwork (hereafter referred to as the transit internetwork) is irrelevant because it appears as if the data is being sent over a dedicated private link.
Figure 12.11 Virtual private network diagram
VPN technology also allows a corporation to connect with its branch offices or with other companies over a public internetwork (such as the Internet) while maintaining secure communications. The VPN connection across the Internet logically operates as a dedicated wide area network (WAN) link.
In both of these cases, the secure connection across the transit internetwork appears to the user as a virtual network interface providing private network communication over a public internetwork, hence the term virtual private network.
Figure 12.12 A VPN tunnel
Tunneling, also known as encapsulation, is a method of using an internetwork infrastructure to transfer a payload (see Figure 12.12). The payload may be the frames (or packets) of another protocol. Instead of sending the frame as produced by the originating node, the frame is encapsulated with an additional header. The additional header provides routing information so that the encapsulated payload can traverse the intermediate internetwork. The encapsulated packets are then routed between tunnel endpoints over the transit internetwork. Once the encapsulated frames reach their destination on the transit internetwork, the frame is de-encapsulated and forwarded to its final destination.
This entire process (the encapsulation and transmission of packets) is known as tunneling. The logical path through which the encapsulated packets travel through the transit internetwork is called a tunnel.
Tunneling can be achieved in one of the following ways:
In some corporate internetworks (see Figure 12.13), the data of a department (such as the Human Resources department) is so sensitive that the department's LAN is physically disconnected from the rest of the corporate internetwork. Although this protects the department's data, it creates information accessibility problems for those users not physically connected to the separate LAN.
Figure 12.13 Corporate internetwork
VPNs allow the department's LAN to be physically connected to the corporate internetwork but separated by a VPN server. Note that the VPN server does not act as a router between the corporate internetwork and the department LAN. Users on the corporate internetwork having the appropriate credentials (based on a need-to-know policy within the company) can establish a VPN with the VPN server and gain access to the protected resources of the department. Additionally, all communication across the VPN can be encrypted for data confidentiality. For those users not having proper credentials, the department LAN is essentially hidden from view.
A VPN allows users to connect securely to a corporate server through their ISP instead of making toll (or toll-free) calls to the corporate office. Using the connection to the local ISP, a VPN is created between the dial-up user and the corporate VPN server across the Internet (see Figure 12.14).
Figure 12.14 Remote Access over the Internet
To connect a network over the Internet (see Figure 12.15), you have two options:
Figure 12.15 VPN over the Internet
NOTE
In both cases, the users are not charged based on the distance between the offices because only local physical links are being used.
For VPN connections to be reliably available, the corporate hub router acting as a VPN server must be connected to a local ISP using a dedicated line. The VPN server must be listening 24 hours a day for incoming VPN traffic. Although this is possible with a dial-up connection, it is less reliable because dynamically assigned IP addresses are commonly used and the connection may not be persistent.
In this practice, you will create VPN interfaces on each router.
The Dial-In Credentials dialog box appears. This is the user name the remote router will be dialing in with. The name is grayed because it is the name of the interface you are creating.
NOTE
When creating a router-to-router tunnel over a public network, filters should be set on the external router interfaces to allow only the tunneled traffic.
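As an added example (not the lesson's own code, and not how the Windows routing service implements its tunnels), the following Python models the encapsulation and de-encapsulation steps described earlier in this lesson using IP-in-IP (RFC 2003, IP protocol 4), together with the kind of external-interface filter this note recommends: only tunnel-protocol packets between the two tunnel endpoints are passed. The endpoint addresses and packets are constructed for the example.

```python
# Added example, not from the lesson: IP-in-IP tunneling (RFC 2003, protocol 4)
# plus the external-interface filter the note recommends. Addresses constructed.
import socket
import struct

TUNNEL_PROTO = 4  # IP-in-IP

def ipv4_checksum(header: bytes) -> int:
    # One's-complement sum of 16-bit words; a valid header sums to 0.
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    # Minimal 20-byte header (no options, TTL 64) followed by the payload.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload

def parse_ipv4(packet: bytes):
    # Returns (src, dst, proto, payload); rejects malformed or corrupt headers.
    ihl = (packet[0] & 0x0F) * 4 if packet else 0
    if ihl < 20 or packet[0] >> 4 != 4 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return (socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]),
            packet[9], packet[ihl:])

def encapsulate(inner: bytes, local: str, peer: str) -> bytes:
    # Tunnel entry: the private packet becomes the payload of an outer packet
    # addressed to the other endpoint across the transit internetwork.
    return build_ipv4(local, peer, TUNNEL_PROTO, inner)

def decapsulate(outer: bytes) -> bytes:
    # Tunnel exit: strip the outer header and return the inner packet unchanged.
    _, _, proto, inner = parse_ipv4(outer)
    if proto != TUNNEL_PROTO:
        raise ValueError("not tunnel traffic")
    return inner

def external_filter_allows(packet: bytes, local: str, peer: str) -> bool:
    # Internet-facing filter: pass only tunnel-protocol packets between the two
    # tunnel endpoints; anything else (or anything corrupt) is dropped.
    try:
        src, dst, proto, _ = parse_ipv4(packet)
    except ValueError:
        return False
    return proto == TUNNEL_PROTO and {src, dst} == {local, peer}
```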
Once the router interfaces are created for both routers, you need to exchange the routes using Auto Static Update.
The routes should appear in the dialog box.
The demand-dial tunnel should be initiated and the ping should succeed.
A VPN is created when you send data between two computers across an internetwork in a manner that mimics the properties of a dedicated private network. In this lesson, you learned about VPNs in a routed environment and with the Internet.