May 6, 2001

An organization can use various techniques to interconnect its branch offices: leased lines, Asynchronous Transfer Mode (ATM), Frame Relay, or ISDN. All of these methods result in direct connectivity between locations, which can be costly both to install and to maintain. VPNs (Virtual Private Networks), on the other hand, connect private networks through a public network, in this case the Internet. An organization's offices are still connected to their local ISP through dedicated links, but they communicate with each other over the Internet. This makes VPNs a cost-effective solution. It also greatly extends geographic reach, because your location no longer matters as long as you have Internet connectivity.

VPN setups

There are various VPN software solutions on the market. A basic one consists of client and server components. Many network operating systems also have some basic VPN functionality built around the same client/server model. Two setups are possible using this model:

Remote users to LAN

This type of VPN caters to traveling users, such as salespeople or reporters, who need to access their company LAN from remote locations. The company's office is connected to a point of presence (POP) of its local ISP. Remote users connect to the company VPN by dialing into the POP of a local ISP. They also have VPN client software installed on their machines, which is used to reach the company network, and the company has a VPN server installed to provide access to these remote users.


LAN to LAN

In this type of VPN setup, a company connects its various office networks over the Internet. A second configuration is possible here: two companies that wish to work closely together can create a LAN-to-LAN VPN to share their resources. For this setup, both locations need dedicated equipment that allows them to establish a secure and reliable connection.

How VPNs work

Most VPNs rely on tunneling to create a private network over the Internet. Essentially, tunneling is the process of placing an entire packet within another packet and sending it over a network. The network and both end-points understand the protocol of the outer packet. These end-points are also called tunnel interfaces, and they are where the packet enters and exits the network. You can even place packets of protocols that the Internet does not carry, such as IPX (Internetwork Packet Exchange) and NetBEUI (NetBIOS Extended User Interface), inside an IP packet and send them over the Net. Further, these packets can be encrypted so that they make no sense to anybody who intercepts them on the way.

A tunnel end-point can be either an individual computer or a LAN behind a security gateway, which might be a router or a firewall. The first case, client-to-LAN tunnels, is the type usually set up for a mobile user who wants to connect to the corporate LAN. The client, i.e. the mobile user, has to initiate the tunnel from his end in order to communicate with the corporate LAN; for this he runs the special client software on his computer, which talks to the gateway protecting the LAN. In the second case, LAN-to-LAN tunneling, a security gateway at each end-point serves as the interface between the tunnel and the private LAN, and users on either LAN use the tunnel transparently.
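The packet-within-a-packet idea is easiest to see in bytes. The following is an added example, not code from the article: it builds a real IPv4 header around an inner IPv4 packet (IP-in-IP, protocol number 4, the encapsulation of RFC 2003) at one tunnel interface and strips it again at the other. The addresses, the UDP payload and the two "gateway" names are constructed for the demo. Note what the example makes explicit: the network routes only on the outer header, the private 10.x addresses survive inside, and without encryption the inner packet is still readable by anyone on the path, which is the gap the encryption discussed above closes.

```python
import ipaddress
import struct

# IP protocol number 4 = "IP in IP": the outer header tells the network that
# another complete IP packet follows (RFC 2003 encapsulation).
IPPROTO_IPIP = 4


def _checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a header whose checksum field is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 packet: 20-byte header without options, followed by the payload."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                 # version 4, header length 5 words
        0,                    # DSCP/ECN
        20 + len(payload),    # total length
        0,                    # identification
        0x4000,               # flags: don't fragment, fragment offset 0
        ttl,
        proto,
        0,                    # checksum, filled in below
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    header = header[:10] + struct.pack("!H", _checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse the IPv4 header and return its fields plus the payload; reject bad checksums."""
    if len(packet) < 20 or _checksum(packet[:20]) != 0:
        raise ValueError("truncated packet or bad IPv4 header checksum")
    f = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (f[0] & 0x0F) * 4
    return {
        "src": str(ipaddress.IPv4Address(f[8])),
        "dst": str(ipaddress.IPv4Address(f[9])),
        "ttl": f[5],
        "proto": f[6],
        "payload": packet[ihl:f[2]],
    }


def tunnel_encapsulate(inner_packet: bytes, local_gateway: str, remote_gateway: str) -> bytes:
    """Tunnel interface, sending side: wrap the whole inner packet in an outer IP packet
    addressed between the two gateways' public addresses."""
    return build_ipv4(local_gateway, remote_gateway, IPPROTO_IPIP, inner_packet)


def tunnel_decapsulate(outer_packet: bytes, expected_peer: str) -> bytes:
    """Tunnel interface, receiving side: check that the outer packet came from the
    tunnel peer and carries IP-in-IP, then strip the outer header."""
    outer = parse_ipv4(outer_packet)
    if outer["src"] != expected_peer or outer["proto"] != IPPROTO_IPIP:
        raise ValueError("not a packet from our tunnel peer")
    return outer["payload"]


def demo() -> dict:
    """Two private 10.x hosts exchange a packet across public gateways (all addresses constructed)."""
    inner = build_ipv4("10.1.0.5", "10.2.0.9", 17, b"hello")          # 17 = UDP; payload not decoded here
    outer = tunnel_encapsulate(inner, "198.51.100.1", "203.0.113.7")   # what the Internet actually routes
    delivered = tunnel_decapsulate(outer, "198.51.100.1")               # what the far LAN receives
    return {
        "outer": parse_ipv4(outer),
        "inner": parse_ipv4(delivered),
        "inner_visible_in_clear": inner in outer,                       # plain IP-in-IP does not encrypt
    }
```

Carrying a non-IP protocol such as IPX or NetBEUI works the same way, except that the outer header's protocol field cannot say "IP follows"; in practice a GRE header (protocol 47), whose protocol-type field names the inner protocol, is placed between the outer IP header and the inner packet.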

VPN protocols

Right now there are four different protocols used for creating VPNs over the Internet: Point-to-Point Tunneling Protocol (PPTP), Layer 2 Forwarding (L2F), Layer 2 Tunneling Protocol (L2TP), and IP Security (IPSec). PPTP, L2F, and L2TP are largely aimed at user-to-LAN VPNs, while IPSec is more aimed at a LAN-to-LAN


PPTP

This was one of the first protocols used for setting up VPNs. It has become a widely accepted solution for user-to-LAN VPNs: Microsoft included support for it in RRAS (Routing and Remote Access Server) for Windows NT Server 4, offered a PPTP client in a service pack for Windows 95, and built a PPTP client into Windows 98. The most commonly used protocol for remote access to the Internet is the Point-to-Point Protocol (PPP). PPTP builds on PPP to provide remote access that can be tunneled through the Internet to a destination site. It encapsulates PPP packets, which gives PPTP the flexibility to carry protocols other than IP, such as IPX and NetBEUI. Because of its dependence on PPP, PPTP relies on the authentication mechanisms within PPP, the Password Authentication Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP). Similarly, PPTP can use PPP to encrypt data. Microsoft has also incorporated a stronger encryption method called Microsoft Point-to-Point Encryption (MPPE) for use with


L2F

Like PPTP, L2F was designed as a protocol for tunneling traffic from users to their corporate LAN. One major difference between PPTP and L2F is that, because L2F tunneling is not dependent on IP, it can work directly over other media, such as frame relay or ATM. Like PPTP, L2F uses PPP for remote user authentication, but it also includes support for the Terminal Access Controller Access Control System (TACACS) and RADIUS (Remote Authentication Dial-In User Service). L2F also differs from PPTP in that it allows a tunnel to carry more than one connection. There are also two levels of user authentication: first by the ISP, prior to setting up the tunnel, and later at the corporate gateway when the connection is set up.


L2TP

L2TP was designed by an Internet Engineering Task Force (IETF) working group to address the shortcomings of the earlier protocols, and it aims to become an IETF-approved standard. L2TP uses PPP to provide dial-up access that can be tunneled through the Internet to a site. However, L2TP defines its own tunneling protocol, based on the work done on L2F. L2TP transport is defined for a variety of packet media, including X.25, frame relay, and ATM. To strengthen the encryption of the data it handles, L2TP uses IPSec's encryption methods. Because it uses PPP for dial-up links, L2TP includes the authentication mechanisms within PPP, namely PAP and CHAP. Like PPTP, L2TP supports PPP's use of the Extensible Authentication Protocol (EAP) for other authentication systems, such as RADIUS.


IPSec

IPSec stands for Internet Protocol Security. It is a set of authentication and encryption protocols, developed by the IETF and designed to address the lack of security in IP-based networks. IPSec encapsulates a packet by wrapping another packet around it and then encrypts the entire packet. This encrypted stream of traffic forms a secure tunnel across an otherwise insecure network. Many VPN vendors are now implementing IPSec in their solutions. IPSec is built around a number of standardized cryptographic technologies to provide confidentiality, data integrity, and authentication. For example, IPSec uses the Data Encryption Standard (DES) and other bulk encryption algorithms for encrypting data, keyed hash algorithms (HMAC built on MD5 or SHA-1) for authenticating packets, and digital certificates for validating public keys.
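How the pieces named above fit together in one packet can be shown with a small ESP-style security association. This is an added example, not the article's own material and not a real IPSec implementation: it keeps the ESP layout (SPI and sequence number in the clear, encrypted payload, truncated integrity check value at the end) and the receiver's order of operations (verify the HMAC first, then anti-replay, then decrypt). Two simplifications are assumptions of the example so that it runs on the standard library alone: the bulk cipher is HMAC-SHA256 run in counter mode as a pseudorandom keystream, standing in for DES/AES, and anti-replay is a strict "sequence number must increase" check instead of ESP's sliding window. The keys and the inner packet are constructed; in IPSec the keys would come from key management, not from a literal in the code.

```python
import hashlib
import hmac
import os
import struct

ICV_LEN = 16      # truncated HMAC tag (ESP truncates to 96 bits; 128 here, assumption of the example)
NONCE_LEN = 8     # per-packet nonce sent in the clear, like ESP's IV


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream with HMAC-SHA256 as the PRF; stands in for DES/AES."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + struct.pack("!Q", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class EspSender:
    """Outbound security association: encrypt, then authenticate (encrypt-then-MAC)."""

    def __init__(self, spi: int, enc_key: bytes, auth_key: bytes):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.seq = 0

    def protect(self, inner_packet: bytes) -> bytes:
        self.seq += 1                                      # monotonically increasing, never reused
        header = struct.pack("!II", self.spi, self.seq)    # SPI + sequence number, in the clear
        nonce = os.urandom(NONCE_LEN)                      # fresh per packet: equal plaintexts differ
        ciphertext = _xor(inner_packet, _keystream(self.enc_key, nonce, len(inner_packet)))
        icv = hmac.new(self.auth_key, header + nonce + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
        return header + nonce + ciphertext + icv


class EspReceiver:
    """Inbound security association: verify the ICV first, then anti-replay, then decrypt."""

    def __init__(self, spi: int, enc_key: bytes, auth_key: bytes):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.highest_seq = 0

    def unprotect(self, packet: bytes) -> bytes:
        if len(packet) < 8 + NONCE_LEN + ICV_LEN:
            raise ValueError("packet too short to be ESP")
        header, nonce = packet[:8], packet[8:8 + NONCE_LEN]
        ciphertext, icv = packet[8 + NONCE_LEN:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.auth_key, header + nonce + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(expected, icv):        # constant-time; reject before decrypting
            raise ValueError("ICV mismatch: packet forged or corrupted")
        spi, seq = struct.unpack("!II", header)
        if spi != self.spi:
            raise ValueError("unknown SPI")
        if seq <= self.highest_seq:                       # strict ordering; real ESP uses a sliding window
            raise ValueError("replayed or out-of-order packet")
        self.highest_seq = seq
        return _xor(ciphertext, _keystream(self.enc_key, nonce, len(ciphertext)))


def demo() -> dict:
    """One protected packet, then a replay and a tampered copy, all rejected by the receiver."""
    enc_key, auth_key = os.urandom(32), os.urandom(32)      # constructed; from IKE in real IPSec
    sender = EspSender(0x1001, enc_key, auth_key)
    receiver = EspReceiver(0x1001, enc_key, auth_key)
    inner = b"inner IP packet from 10.1.0.5 to 10.2.0.9"    # constructed stand-in for a real packet

    def rejected(pkt: bytes) -> bool:
        try:
            receiver.unprotect(pkt)
            return False
        except ValueError:
            return True

    wire = sender.protect(inner)
    result = {"decrypted_ok": receiver.unprotect(wire) == inner, "plaintext_on_wire": inner in wire}
    result["replay_rejected"] = rejected(wire)                # same sequence number again
    tampered = bytearray(sender.protect(inner))
    tampered[20] ^= 0x01                                      # flip one ciphertext bit
    result["tamper_rejected"] = rejected(bytes(tampered))
    return result
```

The order inside `unprotect` is the security-relevant part: checking the ICV before touching the ciphertext means a forged or corrupted packet never reaches the decryptor or the replay state, and `hmac.compare_digest` avoids leaking how many tag bytes matched through timing.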

IPSec is considered the best VPN solution for IP environments, as it includes strong security measures, namely encryption, authentication, and key management, in its standards set. Because IPSec is designed to handle only IP packets, PPTP and L2TP are more suitable for multi-protocol environments, such as those using NetBEUI, IPX, and AppleTalk.

Sachin Makhija
