Lesson 3: Supporting Virtual Private Networks

A virtual private network (VPN) is defined as the logical channel that allows the sending of data between two computers across an internetwork in a manner that mimics the properties of a dedicated private network. In this lesson, you will learn about VPNs in a routed environment and with the Internet.


After this lesson, you will be able to

  • Describe the function of a VPN
  • Describe a VPN in a routed environment
  • Describe a VPN server with the Internet

Estimated lesson time: 20 minutes


Implementing a VPN

A VPN allows you to send data between two computers across an internetwork in a manner that mimics the properties of a dedicated private network (see Figure 12.11). For example, VPNs allow users working at home or on the road to connect securely to a remote corporate server using the routing infrastructure provided by a public internetwork such as the Internet. From the user's perspective, the VPN is a point-to-point connection between the user's computer and a corporate server. The nature of the intermediate internetwork (hereafter referred to as the transit internetwork) is irrelevant because it appears as if the data is being sent over a dedicated private link.

Figure 12.11 Virtual private network diagram

VPN technology also allows a corporation to connect with its branch offices or with other companies over a public internetwork (such as the Internet) while maintaining secure communications. The VPN connection across the Internet logically operates as a dedicated wide area network (WAN) link.

In both of these cases, the secure connection across the transit internetwork appears to the user as a virtual network interface providing private network communication over a public internetwork, hence the term virtual private network.

Figure 12.12 A VPN tunnel

Tunneling Basics

Tunneling, also known as encapsulation, is a method of using an internetwork infrastructure to transfer a payload (see Figure 12.12). The payload may be the frames (or packets) of another protocol. Instead of sending the frame as produced by the originating node, the frame is encapsulated with an additional header. The additional header provides routing information so that the encapsulated payload can traverse the intermediate internetwork. The encapsulated packets are then routed between tunnel endpoints over the transit internetwork. Once the encapsulated frames reach their destination on the transit internetwork, the frame is de-encapsulated and forwarded to its final destination.

This entire process (the encapsulation and transmission of packets) is known as tunneling. The logical path through which the encapsulated packets travel through the transit internetwork is called a tunnel.

Types of Tunneling

Tunneling can be achieved in one of the following ways:

  • Point-to-Point Tunneling Protocol (PPTP). PPTP encapsulates Point-to-Point Protocol (PPP) frames, so it can carry IP, Internetwork Packet Exchange (IPX), or NetBIOS Enhanced User Interface (NetBEUI) traffic. The PPP payload is encrypted with Microsoft Point-to-Point Encryption (MPPE) and then wrapped in a Generic Routing Encapsulation (GRE) header inside an IP header for transmission across a corporate IP internetwork or a public internetwork such as the Internet. Because the MPPE keys are derived from the user's password during MS-CHAP authentication, a PPTP tunnel is only as strong as that password-based authentication.
  • Layer Two Tunneling Protocol (L2TP). L2TP also encapsulates PPP frames, so it too can carry IP, IPX, or NetBEUI traffic, and it can be sent over any medium that supports point-to-point datagram delivery, such as IP, frame relay, or Asynchronous Transfer Mode (ATM). L2TP by itself provides tunneling only, not encryption; on Windows 2000 it is combined with IPSec (L2TP/IPSec), which encrypts and integrity-protects the L2TP packets using Encapsulating Security Payload (ESP).
  • IP Security (IPSec) Tunnel mode. IPSec Tunnel mode encrypts an entire IP datagram with ESP and encapsulates it in a new IP header addressed to the tunnel endpoints, so that it can be sent across a corporate IP internetwork or a public internetwork such as the Internet.
  • IP-in-IP tunneling. IP-in-IP tunneling encapsulates an existing IP datagram with an additional IP header. This allows a packet to traverse a network with differing capabilities or policies. A popular use of IP-in-IP tunneling is forwarding multicast traffic through portions of the Internet that do not support multicast routing. Note that IP-in-IP provides no encryption or authentication by itself; it solves a reachability problem, not a confidentiality one.
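
The encapsulation described under Tunneling Basics, and the IP-in-IP entry above, worked through in Python as an added example (this is not code from the training kit or from Windows 2000). It builds an inner IPv4 datagram, wraps it in an outer header addressed to two hypothetical tunnel endpoints (198.51.100.1 and 203.0.113.1, documentation addresses chosen for the example), and then does what the far endpoint does: validates the outer header, strips it, and validates the inner datagram. The functions and sample traffic are the example's own. The endpoint-address check on the outer header is only a sanity check; as the IP-in-IP entry says, nothing here authenticates or encrypts, which is why the VPN protocols above add IPSec or MPPE on top.

```python
"""IP-in-IP encapsulation (IP protocol 4) worked through on constructed packets.
No sockets are used: datagrams are built, wrapped, unwrapped and checked in memory."""
import ipaddress
import struct

IPPROTO_IPIP = 4    # IANA "IP in IP" (RFC 2003)
IPPROTO_UDP = 17
HEADER_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; a result of 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Assemble an IPv4 datagram with a correct header checksum."""
    header = struct.pack(HEADER_FMT, 0x45, 0, 20 + len(payload), 0x1234, 0x4000, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse one IPv4 datagram, rejecting anything malformed instead of trusting its fields."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(HEADER_FMT, packet[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("bad version or header length")
    if total_len != len(packet):
        raise ValueError("total length field %d disagrees with %d bytes received" % (total_len, len(packet)))
    if checksum(packet[:ihl]) != 0:
        raise ValueError("header checksum mismatch")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:]}


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel entry point: the whole inner datagram becomes the payload of an outer datagram
    addressed to the far tunnel endpoint.  Transit routers forward on the outer header only
    and never look at the private addresses inside."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner)


def decapsulate(outer_packet: bytes, expected_peer: str, local_endpoint: str) -> dict:
    """Tunnel exit point: check the outer header, strip it, check the inner header.
    The endpoint-address test is a sanity check only.  Without IPSec (AH/ESP), any host
    that can route to us could forge the outer header and inject traffic into the LAN."""
    outer = parse_ipv4(outer_packet)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("outer protocol %d is not IP-in-IP" % outer["proto"])
    if outer["src"] != expected_peer or outer["dst"] != local_endpoint:
        raise ValueError("outer header %s -> %s is not our tunnel" % (outer["src"], outer["dst"]))
    return parse_ipv4(outer["payload"])


def demo() -> dict:
    """Constructed traffic: a host behind router 1 (10.1.0.0/16) sends UDP to a host behind
    router 2 (10.2.0.0/16); the routers' public addresses are documentation addresses."""
    inner = build_ipv4("10.1.0.25", "10.2.0.40", IPPROTO_UDP, b"hello from the private LAN")
    outer = encapsulate(inner, "198.51.100.1", "203.0.113.1")
    recovered = decapsulate(outer, expected_peer="198.51.100.1", local_endpoint="203.0.113.1")
    # The same inner datagram arriving in an outer header from some other Internet host is refused.
    forged = encapsulate(inner, "192.0.2.99", "203.0.113.1")
    try:
        decapsulate(forged, expected_peer="198.51.100.1", local_endpoint="203.0.113.1")
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    return {"inner_len": len(inner), "outer_len": len(outer),
            "recovered": recovered, "forged_rejected": forged_rejected}


if __name__ == "__main__":
    result = demo()
    print("outer %d bytes carries inner %d bytes" % (result["outer_len"], result["inner_len"]))
    print("inner %(src)s -> %(dst)s proto %(proto)d: %(payload)r" % result["recovered"])
    print("forged outer header rejected:", result["forged_rejected"])
```

Run it directly and it prints the sizes and the recovered private addresses. The outer header costs 20 bytes per packet, which is the tunnel overhead the transit internetwork sees; the private 10.x addresses never appear in the outer header, but they are also not hidden, since an IP-in-IP payload travels in clear text.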

Integrating VPN in a Routed Environment

In some corporate internetworks (see Figure 12.13), the data of a department (such as the Human Resources department) is so sensitive that the department's LAN is physically disconnected from the rest of the corporate internetwork. Although this protects the department's data, it creates information accessibility problems for those users not physically connected to the separate LAN.

Figure 12.13 Corporate internetwork

VPNs allow the department's LAN to be physically connected to the corporate internetwork but separated from it by a VPN server. Note that the VPN server does not forward packets between the corporate internetwork and the department LAN the way an ordinary router would; the only path onto the department LAN is through a VPN connection that the server has authenticated. Users on the corporate internetwork who have the appropriate credentials (granted under the company's need-to-know policy) can establish a VPN with the VPN server and gain access to the protected resources of the department, and all communication across the VPN can be encrypted for data confidentiality. For users without the proper credentials, the department LAN is effectively hidden from view, provided the VPN server's corporate-side interface accepts only VPN traffic (the same filtering rule that applies to an Internet-facing VPN server).

Integrating VPN Servers with the Internet

VPNs allow a user to connect securely to a corporate server through a local ISP instead of making a toll (or toll-free) call to the corporate office. Over the connection to the local ISP, a VPN is created between the dial-up user and the corporate VPN server across the Internet (see Figure 12.14).

Figure 12.14 Remote Access over the Internet

To connect a network over the Internet (see Figure 12.15), you have two options:

  • Branch office using dedicated lines. Rather than using conventional methods such as frame relay, both the branch office and the corporate hub routers are connected to the Internet using a local dedicated circuit and local ISP. Utilizing the local ISP connections, a VPN is created between the branch office router and corporate hub router across the Internet.
  • Branch office using a dial-up line. Rather than having a router at the branch office make a long-distance call (or toll-free call) to a corporate or outsourced NAS, the router at the branch office calls its local ISP. From the connection to the local ISP, a VPN is created between the branch office router and the corporate hub router across the Internet.

Figure 12.15 VPN over the Internet

NOTE

In both cases, the users are not charged based on the distance between the offices because only local physical links are being used.

For VPN connections to be reliably available, the corporate hub router acting as a VPN server must be connected to a local ISP using a dedicated line. The VPN server must be listening 24 hours a day for incoming VPN traffic. Although this is possible with a dial-up connection, it is less reliable because dynamically assigned IP addresses are commonly used and the connection may not be persistent.

Practice: Creating VPN Interfaces

In this practice, you will create VPN interfaces on each router.

Exercise 1: Creating a Router Interface

  1. From the Routing and Remote Access Manager, right-click Routing Interfaces and choose New Demand-Dial Interface, and then click Next.
  2. Name the interface the name of the remote router you will be connecting to.
  3. On the Connection Type page, select Connect Using Virtual Private Network (VPN), and then click Next.
  4. On the VPN Type page, select L2TP, and then click Next. On Windows 2000, L2TP relies on IPSec for encryption, and IPSec authenticates the two routers with computer certificates by default; each router therefore needs a machine certificate installed before the L2TP tunnel can be established.
  5. Enter the IP address of the router you will be connecting to, and then click Next.
  6. On the Protocols And Security page, check Route IP Packet On This Interface, and Add A User Account So A Remote Router Can Dial In, and then click Next.

    The Dial-In Credentials dialog box appears. This is the user name the remote router will be dialing in with. The name is grayed because it is the name of the interface you are creating.

  7. Click Next.
  8. Enter the local router name in the Dial-Out Credentials dialog box. This is the user name this router will use when connecting to the remote router. This user name must match the name of a demand-dial interface on the remote router. Leave Domain and Password blank for this practice, and then click Next. (In production, set a strong password on this account: it is what authorizes the remote router to bring up the tunnel and route traffic into your network.)
  9. Click Finish.
  10. Repeat steps 1 to 9 on the other router.

    NOTE

    When creating a router-to-router tunnel over a public network, set packet filters on the external router interfaces so that only the tunneled traffic is allowed in and out. For L2TP/IPSec that is IKE (UDP port 500) plus IPSec ESP (IP protocol 50) and AH (IP protocol 51); for PPTP it is TCP port 1723 plus GRE (IP protocol 47). Everything else arriving on the public interface, including any attempt to reach the router's own services directly, should be dropped.

    Once the router interfaces are created for both routers, you need to exchange the routes using Auto Static Update.

  11. From the Routing and Remote Access Manager, go to IP Routing, General.
  12. Right-click the demand-dial interface and choose Update Routes.
  13. Repeat steps 11 and 12 on the other router.
  14. To view the routes received during the Auto Static Update, from the Routing and Remote Access Manager, go to IP Routing, Static Routes.

    The routes should appear in the dialog box.

  15. To test the tunnel, from Router 1, ping the IP address of Router 2.

    The demand-dial tunnel should be initiated and the ping should succeed.
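
The note in Exercise 1 says to filter the external router interfaces so that only the tunneled traffic passes. As an added example (not part of the training kit, and not the Routing and Remote Access filter syntax), the following Python models that default-deny filter for the two tunnel types this lesson covers and runs constructed sample packets through it. The hub and branch addresses are documentation addresses chosen for the example, and the rule and packet types are the example's own.

```python
"""Inbound allow-list for the external interface of a router-to-router VPN endpoint,
modelling the note "allow only the tunneled traffic".  Constructed example: rules and
packets are built inline; nothing is applied to a real interface.  Well-known numbers
used below: IKE is UDP/500, ESP is IP protocol 50, AH is 51, L2TP is UDP/1701,
PPTP control is TCP/1723 and the PPTP data channel is GRE, IP protocol 47."""
from dataclasses import dataclass
from typing import List, Optional

IPPROTO_TCP, IPPROTO_UDP = 6, 17
IPPROTO_GRE, IPPROTO_ESP, IPPROTO_AH = 47, 50, 51


@dataclass(frozen=True)
class Rule:
    proto: int
    dport: Optional[int] = None  # None: the protocol has no port (ESP, AH, GRE)
    peer: Optional[str] = None   # None: accept from any source address


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    dport: Optional[int] = None


def l2tp_ipsec_rules(peer: Optional[str]) -> List[Rule]:
    """L2TP/IPSec: IKE to negotiate the security association, then ESP (or AH) carrying
    the L2TP tunnel.  Plain UDP/1701 is deliberately not listed: L2TP that is not inside
    IPSec would cross the Internet unencrypted."""
    return [Rule(IPPROTO_UDP, 500, peer), Rule(IPPROTO_ESP, None, peer), Rule(IPPROTO_AH, None, peer)]


def pptp_rules(peer: Optional[str]) -> List[Rule]:
    """PPTP: the TCP/1723 control connection plus the GRE data channel."""
    return [Rule(IPPROTO_TCP, 1723, peer), Rule(IPPROTO_GRE, None, peer)]


def permitted(pkt: Packet, rules: List[Rule]) -> bool:
    """Default deny: the packet passes only if some rule matches its protocol,
    destination port and (when the rule pins one) source address."""
    for rule in rules:
        if rule.proto != pkt.proto:
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        if rule.peer is not None and rule.peer != pkt.src:
            continue
        return True
    return False


def demo() -> dict:
    """Corporate hub router at 203.0.113.1 and branch router at 198.51.100.1 (both hypothetical).
    For a router-to-router tunnel the peer address is known, so the rules pin it."""
    hub, branch, stranger = "203.0.113.1", "198.51.100.1", "192.0.2.7"
    l2tp = l2tp_ipsec_rules(peer=branch)
    pptp = pptp_rules(peer=branch)
    samples = {
        "ike_from_branch": (Packet(IPPROTO_UDP, branch, hub, 500), l2tp),
        "esp_from_branch": (Packet(IPPROTO_ESP, branch, hub), l2tp),
        "raw_l2tp_from_branch": (Packet(IPPROTO_UDP, branch, hub, 1701), l2tp),
        "ike_from_stranger": (Packet(IPPROTO_UDP, stranger, hub, 500), l2tp),
        "smb_from_stranger": (Packet(IPPROTO_TCP, stranger, hub, 445), l2tp),
        "pptp_control_from_branch": (Packet(IPPROTO_TCP, branch, hub, 1723), pptp),
        "gre_from_branch": (Packet(IPPROTO_GRE, branch, hub), pptp),
        "gre_from_stranger": (Packet(IPPROTO_GRE, stranger, hub), pptp),
    }
    return {name: permitted(pkt, rules) for name, (pkt, rules) in samples.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print("%-26s %s" % (name, "ALLOW" if allowed else "DROP"))
```

Pinning the peer address works for the branch-office cases in Figure 12.15, where both routers sit on dedicated circuits with fixed addresses. For the remote-access case in Figure 12.14 the dial-up clients arrive from dynamically assigned ISP addresses, so the rules must be built with `peer=None` and the work of rejecting strangers falls to IKE certificate authentication and PPP user authentication rather than to the address filter.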

Lesson Summary

A VPN is created when you send data between two computers across an internetwork in a manner that mimics the properties of a dedicated private network. In this lesson, you learned about VPNs in a routed environment and with the Internet.



MCSE Training Kit(c) Microsoft Windows 2000 Accelerated 2000
Year: 2004
Pages: 244