A virtual private network (VPN) allows users to connect securely over a public network (the Internet) to a remote private network by tunneling traffic inside encrypted packets. A VPN connection is a low-cost way of connecting remote sites through a public network. VPNs are logical networks that physically span the Internet.
With a VPN connection, private packets are first encrypted and then encapsulated within a public packet addressed to the remote VPN server. This outer routing information allows the encrypted payload of private data to “tunnel through” the public network to reach its endpoint. Upon receiving the encapsulated data through the VPN tunnel, the VPN server removes the public header and decrypts the private payload. An important feature of a VPN connection is that the public physical network through which the private data is sent becomes transparent to the two endpoints of the communication, even though many hops separate the two computers. Each appears to the other to be only one hop away through the VPN connection.
Note that the VPN server, as the remote end of the connection, must use a registered public IP address, and the private network should use the private IP address scheme.
You can run a “tracert” command from each computer, and it will show that the two computers are separated by only one hop.
From computer A:

C:\> tracert computerB
Tracing route to computerB [198.200.200.13]
Over a maximum 30 hops:
1 460ms 460ms 580ms computerB [198.200.200.13]
Trace complete

From computer B:

C:\> tracert computerA
Tracing route to computerA [198.200.100.5]
Over a maximum 30 hops:
1 460ms 460ms 580ms computerA [198.200.100.5]
Trace complete

Remote Access VPN
A remote access VPN connection allows a telecommuting user to connect to the corporate network. In Windows Server 2003, the administrator should first define:
- A remote access policy granting access to the VPN connection.
- A Windows group for users allowed to use the VPN.
- The user profile, edited to allow remote access.
At the client PC or laptop running Windows, the telecommuter uses the New Connection Wizard to connect to the remote VPN server. The client first connects to the Internet (whether via dial-in or a broadband connection) and then creates a VPN connection to the remote VPN server.
If a VPN hardware appliance is used, the client installation CD that comes with it can be used to install the RAS client. Of course, this is done after the VPN/firewall infrastructure has been completed, with the supplied public IP address used for the remote VPN server.
Extranet / Router to Router VPN
In an extranet VPN connection, two remote offices are connected to each other by means of VPN servers running Routing and Remote Access. Each server can initiate and answer VPN connections. VPN connectivity depends on the authorization of these demand-dial interfaces, not on the authorization of individual users. For each demand-dial VPN interface, you must configure a set of “dial-out” credentials including a user name, password, and domain; by default, the user name corresponds to the name of the demand-dial interface itself. The user name must also match the name of the demand-dial interface configured on the answering VPN server.
VPN Protocols
In Windows Server 2003, two standard tunneling protocols are available:
- PPTP (Point-to-Point Tunneling Protocol)
- L2TP/IPSec (Layer 2 Tunneling Protocol / IP Security)
PPTP
- Security through encrypted packets, but less secure than L2TP/IPSec
- Does not provide data integrity (proof that data was not modified in transit)
- Does not provide data origin authentication (proof that data was sent by an authorized user)
- Based on extensions to the Point-to-Point Protocol (PPP)
- Supports encryption through Microsoft Point-to-Point Encryption (MPPE)
- Uses user names and passwords for authentication
- Good choice for basic VPN capability
- Built into all modern Microsoft client OSs
- Does not require a public-key infrastructure (PKI)
L2TP/IPSec
For L2TP/IPSec connections, the L2TP protocol provides the VPN tunneling, and the Encapsulating Security Payload (ESP) protocol (itself a feature of IPSec) provides the data encryption.
- L2TP/IPSec is an industry-standard tunneling protocol, first supported in Windows 2000
- Encryption is provided by IPSec
- The recommended setup requires a PKI to issue certificates, but a pre-shared key can be used instead
- Benefits:
- Data confidentiality
- Integrity
- Authentication
- Windows 2000, XP, Server 2003 and Vista have a built-in L2TP/IPSec client; a Microsoft L2TP/IPSec VPN client is also available for download
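The tunneling described at the top of the article and the integrity gap between PPTP and L2TP/IPSec listed above, shown as an added example (not code from the article or from Windows): a private packet is encrypted and wrapped in a public packet addressed to the VPN server, and a one-bit change on the public network is silently accepted by the encryption-only (PPTP/MPPE-like) tunnel but rejected by the tunnel that also carries an ESP-like integrity check. The addresses, the simplified packet layout and the HMAC-based counter-mode cipher are constructed stand-ins, not the real MPPE or ESP formats.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

PRIV_A, PRIV_B = "10.0.1.5", "10.0.2.13"             # constructed private addresses
PUB_CLIENT, PUB_VPN = "198.51.100.7", "203.0.113.9"  # constructed public addresses

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for the MPPE/ESP ciphers."""
    out = b""
    for ctr in range(0, n, 32):
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
    return out[:n]

def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))

def _addr(ip: str) -> bytes:
    return ipaddress.IPv4Address(ip).packed

def inner_packet(src: str, dst: str, payload: bytes) -> bytes:
    """Private packet: 4-byte src, 4-byte dst, payload (simplified header)."""
    return _addr(src) + _addr(dst) + payload

def encapsulate(inner, enc_key, auth_key=None, nonce=None):
    """Encrypt the private packet and wrap it in a public packet to the VPN server.
    auth_key=None: PPTP/MPPE-like (encryption only); with auth_key an ESP-like
    integrity check value (ICV) over the whole tunnel packet is appended."""
    nonce = nonce or os.urandom(8)
    ct = _xor(inner, _keystream(enc_key, nonce, len(inner)))
    body = _addr(PUB_CLIENT) + _addr(PUB_VPN) + nonce + ct  # public header first
    if auth_key is not None:
        body += hmac.new(auth_key, body, hashlib.sha256).digest()
    return body

def decapsulate(packet, enc_key, auth_key=None):
    """VPN server side: verify the ICV (if any), strip the public header, decrypt.
    Returns the private packet, or None when a modification is detected."""
    if auth_key is not None:
        body, icv = packet[:-32], packet[-32:]
        if not hmac.compare_digest(hmac.new(auth_key, body, hashlib.sha256).digest(), icv):
            return None
        packet = body
    nonce, ct = packet[8:16], packet[16:]
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))

def tamper(packet: bytes, index: int) -> bytes:
    """Flip one bit of the tunnel packet while it crosses the public network."""
    return packet[:index] + bytes([packet[index] ^ 0x01]) + packet[index + 1:]
```

Without the ICV the receiver hands a corrupted private packet (here, a changed source address) to the private network; with it, the packet is dropped.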
Computer Certificates and L2TP/IPSec
For most L2TP-based VPN connections, computer authentication is performed by means of a certificate infrastructure. To implement this type of VPN successfully, you must install computer certificates issued by the same certificate authority (CA) on each VPN client and on the VPN server.
A preshared key is a string of plaintext shared by both ends and used to encrypt and decrypt the IPSec communication. Preshared keys are not considered a secure means of authentication and are therefore recommended only for test or temporary deployments.
VPN Appliance
There are many VPN appliances on the market today that are very easy to install, such as the NETGEAR ProSafe SSL VPN Concentrator 25 (SSL312). This is a VPN concentrator that can support up to 25 concurrent tunnels for a small or medium-sized organization.
The NETGEAR ProSafe VPN Firewall FVX538, with dual 10/100 WAN ports, allows you to build redundant WAN connections. It also includes eight 10/100 Mbps auto-sensing ports and one Gigabit LAN port.
For a SOHO solution you can consider an economical firewall VPN appliance such as the D-Link DIR-330 NetDefend 802.11G Wireless VPN Firewall with 4-Port 10/100 Mbps Switch. The DIR-330 can support and manage up to 25 VPN tunnels.
Almost all wireless routers today support VPN pass-through for PPTP and/or L2TP, for example the Linksys WRT610N or the newer Linksys E-Series, and the D-Link DIR-655 wireless router. In addition, these wireless routers provide at least dual firewall features (NAT and SPI) to reduce network security threats, alongside the latest WPA/WPA2 wireless security standards.
I’d like to add Hosted VPN services to your excellent list. Hosted VPN services provide an excellent remote access solution for smaller businesses that may not have the expertise to configure and maintain a VPN.
Thanks very much, this information has helped me a lot to set up my wireless VPN network connection.