
Introduction to Virtual Private Networking (VPN)

Access your office's network, anytime, anywhere and remotely


By: Zac Mutrux, September 24, 2008

Editor's Note: This article was originally published in April 2003, and was updated by Kevin Lo, a technology analyst at TechSoup Global.

You may have heard the term "VPN." Maybe you've even asked about it in the TechSoup Forums, like many of our readers. But do you really know what the technology can do for you and your organization?

Virtual Private Networking, or VPN, is a technology that lets people access their office's computer network over the Internet while at home or traveling. Accessing a network in this way is referred to as remote access. (For comparison, another common form of remote access is dialing in to the office network over a telephone line.) But VPN is useful for more than just remote access. It can also be used to link two separate offices over a distance. This is sometimes called a "persistent VPN tunnel" or "site-to-site VPN".

VPN for Remote Access


So why would you want to use VPN for remote access? Let's say you want users to be able to work from home. Or maybe someone needs to retrieve a file while traveling. Without VPN, in order to make resources on the office network available to users, the network administrator would have to weaken the security of your network by opening holes in your firewall -- which isn't usually a good idea. Or the remote user would have to dial in over a phone line, sometimes incurring long-distance charges. With VPN, the integrity of your office network remains intact, but you can allow remote users to act as part of the office network. After connecting over VPN, remote users can access files, print to printers, and generally do anything with their computers that they would be able to do in the office.

Still, using VPN is not the same as being in the office. Most office networks are pretty fast. Most Internet connections are not. Even the fastest DSL and cable connections are around one-tenth the speed of your average office LAN. This means that accessing resources on the LAN will be much slower over VPN. Speed also depends on the "upstream" or upload speed of your office's network connection. Rather than working on files directly over the VPN connection, it is often more time-efficient to copy them to your computer over the VPN connection and copy them back to the file server when you are done working with them.

How It Works
In a small office network, VPN is most frequently implemented through a router. Just about every small office that shares an Internet connection among more than one computer already has a router of some kind, but most of them don't include VPN. For example, small office/home office (SOHO) routers by Linksys, Netgear, or D-Link are popular choices, offering DHCP, NAT, and basic security features in a single device, but they don't always include VPN support.

Once the VPN router is in place, individual computers can be set up to connect to it from outside the network. Depending on the router and the computers involved, you might need to install software on the computers that will use VPN. Sometimes computers have the ability to connect built in. Either way, once the hardware and software have been set up, the remote user can initiate a VPN connection.

How a VPN session is initiated depends on how the computer is connected to the Internet. Usually it works something like this: the user double-clicks on a shortcut and the VPN connection window appears. The user enters a username and password and hits "connect." If the computer has an always-on connection like DSL or cable, the VPN connection is immediately established. If the computer dials in to an ISP in order to access the Internet, that connection is established first and then the VPN connection is established on top of it. Once users are connected to the office network over VPN, they can access files and other resources. When users are done working, they simply disconnect the VPN connection.

VPN As a Persistent Tunnel


VPN technology can also be used to link two separate networks over the Internet so they operate as a single network. This is useful for organizations that have two physical sites. Rather than set up VPN connections on every person's computer, the connection between the two sites can be handled by routers, one at each location. Once configured, the routers maintain a constant tunnel between them that links the two sites. In this scenario, users don't have to do anything to initiate the VPN session because it is always on.

Security and Encryption


There are two main kinds of VPN: Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP). Both can link a remote computer to a network, but only L2TP offers strong security. If you must transmit sensitive information, do not use PPTP.

Remember that when you set up VPN, you're offering a way into your office network. To minimize the risk of unauthorized parties poking around your network, choose and enforce a strong password policy. If you allow home users to connect to the office network via VPN, you have to consider viruses or other security threats that could come from the user's home. One way to address this risk is to give home users a computer that is owned and maintained by the organization, so that it is certified as up-to-date and virus-free.

Implementing VPN
Before you implement VPN, evaluate the benefits to your organization and weigh them against the costs of equipment, installation time, and staff training. Maybe you're considering VPN because your executive director wants to be able to access files on the server while traveling. Maybe VPN would be a good solution. Or perhaps it would work just as well for your executive director to call the office and ask the receptionist to e-mail the file. Given the plethora of online collaboration tools and web-based technologies available now, VPN may not be the only method to access documents off site. However, VPN remains the established industry standard: scalable and secure. Before deciding on any of these technologies, weigh the risks and rewards first.

Once you have decided to implement VPN, determine whether you need help or not. If someone on your staff understands TCP/IP networking well and can set up the new router, you might be set. If not, consider finding a trusted consultant to help set it up.

In order to use VPN, your Internet connection should have a static IP address. Most types of Internet connections -- dial-up, DSL, and cable -- provide you with a numerical address on the Internet that changes from time to time. This is called a dynamic IP address. In order to provide VPN access to remote users it is preferable to have an address that doesn't change, a static IP. Alternately, you can use a dynamic DNS (DDNS) service that maps a domain name to a dynamic IP. There are free services that map a fixed domain name to an account, which your router can update as it obtains different IP addresses. Consult your router or firewall documentation to see whether DDNS is supported.

To obtain a static IP address for your Internet connection, talk to your Internet service provider. It may require an additional monthly fee of a few dollars. If you have a friendly ISP, sometimes you can talk it into just giving you a static IP. Occasionally, an ISP will try to sell you a much more expensive DSL service, possibly bundled with equipment, when you ask about a static IP. The company might call it a "business class" of service. If the upgrade is too expensive and your router supports DDNS, test the VPN functionality in a pilot phase first, and only then decide whether to pay for the upgrade.

Additional Resources

TechSoup Networks Forum
How Virtual Private Networks Work, from HowStuffWorks
Use Virtual Private Networks for Secure Internet Data Transfer, from Microsoft
Virtual Private Networks for Windows Server 2003, from Microsoft
Download the VPN Utility for Mac OS X

First of all, you need to study the concepts of IPsec, VPN types, and cryptography well before you read this document. It just shows you how to type the right commands on both router sides using Packet Tracer 5.3. We will have the following topology:

Note that you will set a static route between the two routers, whereas in real life both would be connected through ISPs. For router 1 we will type the following commands:

Router(config)#crypto isakmp enable                 <=== enable IPsec (ISAKMP)
Router(config)#crypto isakmp policy 1               <=== create a new policy with priority number 1
Router(config-isakmp)#authentication pre-share      <=== use the pre-shared-key authentication method (if you use certificates, use rsa-sig instead of pre-share)
Router(config-isakmp)#encryption aes                <=== use the symmetric cipher AES
Router(config-isakmp)#hash sha                      <=== use the SHA hash algorithm for data integrity
Router(config-isakmp)#group 2                       <=== use Diffie-Hellman group 2
Router(config-isakmp)#exit
Router(config)#crypto isakmp key 0 address 11.0.0.1 0.0.0.0    <=== 0 is the key that will be used with the next site, whose IP address is 11.0.0.1; note that in Packet Tracer you use 0.0.0.0 instead of the subnet mask
Router(config)#crypto ipsec transform-set yasser esp-aes esp-sha-hmac    <=== create a transform set called yasser; ESP is the protocol that will be used (you can use AH on an internal VPN)
Router(config)#crypto ipsec security-association lifetime seconds 86400    <=== keys expire after 86400 seconds
Router(config)#ip access-list extended ramzy        <=== ACL called ramzy that defines which traffic will use the VPN tunnel
Router(config-ext-nacl)#permit ip 12.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
Router(config-ext-nacl)#exit
Router(config)#crypto map auda 100 ipsec-isakmp     <=== create a crypto map called auda with sequence number 100
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
Router(config-crypto-map)#match address ramzy       <=== link the ACL above to this crypto map
Router(config-crypto-map)#set peer 11.0.0.1         <=== link the next site's IP address to this crypto map
Router(config-crypto-map)#set pfs group2            <=== link DH group 2 to this crypto map
Router(config-crypto-map)#set transform-set yasser  <=== link the transform set above to this crypto map
Router(config-crypto-map)#ex
Router(config)#int fa 0/1                           <=== apply crypto map auda to the interface facing the link to the next site
Router(config-if)#crypto map auda
*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Router(config-if)#do wr
Building configuration...
[OK]
Router(config-if)#^Z
Router#

For router 0 we will type the following commands:

Router(config)#crypto isakmp enable
Router(config)#crypto isakmp policy 1
Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#encryption aes
Router(config-isakmp)#group 2
Router(config-isakmp)#hash sha
Router(config-isakmp)#exit
Router(config)#crypto isakmp key 0 address 11.0.0.2 0.0.0.0
Router(config)#crypto ipsec transform-set yasser esp-aes esp-sha-hmac
Router(config)#crypto ipsec security-association lifetime seconds 86400
Router(config)#ip access-list extended ramzy
Router(config-ext-nacl)#permit ip 10.0.0.0 0.255.255.255 12.0.0.0 0.255.255.255
Router(config-ext-nacl)#exit
Router(config)#crypto map auda 100 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
Router(config-crypto-map)#match address ramzy
Router(config-crypto-map)#set peer 11.0.0.2
Router(config-crypto-map)#set pfs group2
Router(config-crypto-map)#set transform-set yasser
Router(config-crypto-map)#exit
Router(config)#interface fastEthernet 0/1
Router(config-if)#crypto map auda
*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Router(config-if)#exit
Router(config)#do wr
Building configuration...
[OK]
Router(config)#

Now let's go to router 0 and run some show commands:

Router#show crypto isakmp policy

Global IKE policy
Protection suite of priority 1
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Router#

Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
11.0.0.1        11.0.0.2        QM_IDLE           1062    0 ACTIVE

IPv6 Crypto ISAKMP SA
Router#

Router#show crypto map
Crypto Map auda 100 ipsec-isakmp
        Peer = 11.0.0.1
        Extended IP access list ramzy
            access-list ramzy permit ip 12.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
        Current peer: 11.0.0.1
        Security association lifetime: 4608000 kilobytes/86400 seconds
        PFS (Y/N): Y
        Transform sets={
                yasser,
        }
        Interfaces using crypto map auda:
                FastEthernet0/1
Router#

Router#sh crypto ipsec transform-set
Transform set yasser: { esp-aes esp-sha-hmac  }
   will negotiate = { Tunnel,  },
Router#

Now let's make PC0 ping PC1 and look at the IPsec security associations:

Router#show crypto ipsec sa

interface: FastEthernet0/1
    Crypto map tag: auda, local addr 11.0.0.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (12.0.0.0/255.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
   current_peer 11.0.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 6, #pkts encrypt: 6, #pkts digest: 0
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 11.0.0.2, remote crypto endpt.:11.0.0.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0x12D96D50(316239184)

     inbound esp sas:
      spi: 0x590D14F4(1494029556)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: FPGA:1, crypto map: auda
        sa timing: remaining key lifetime (k/sec): (4525504/86170)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x12D96D50(316239184)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2005, flow_id: FPGA:1, crypto map: auda
        sa timing: remaining key lifetime (k/sec): (4525504/86170)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
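An added defender-side check, my own code rather than anything from this walkthrough: it parses the two routers' crypto commands (constructed here from the commands above, with the prompts stripped), flags weak phase-1 choices and a pre-shared key that is short or whose 0.0.0.0 mask does not pin it to one peer, and confirms that the two "interesting traffic" ACLs mirror each other, a frequent reason a tunnel never comes up. The parser follows the page's reading that the token after `key` is the key string.

```python
import re
# Constructed sample input: router 1's commands from this walkthrough with the
# Router(config)# prompts stripped (per the page, the token after "key" is the PSK).
ROUTER1 = """crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
crypto isakmp key 0 address 11.0.0.1 0.0.0.0
ip access-list extended ramzy
 permit ip 12.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
crypto map auda 100 ipsec-isakmp
 set peer 11.0.0.1
"""
# Router 0 is the mirror image: peer 11.0.0.2 and the ACL written from 10/8 to 12/8.
ROUTER0 = ROUTER1.replace("11.0.0.1", "11.0.0.2").replace(
    "12.0.0.0 0.255.255.255 10.0.0.0", "10.0.0.0 0.255.255.255 12.0.0.0")
# Phase-1 choices worth flagging: DES/3DES, MD5 and the 768/1024/1536-bit MODP groups.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}

def parse(cfg):
    """Extract the isakmp policy, the PSK binding and the crypto ACL entries."""
    c = {"policy": {}, "acl": [], "key": None, "key_addr": None, "key_mask": None}
    for line in cfg.splitlines():
        s = line.strip()
        if m := re.fullmatch(r"(authentication|encryption|hash|group) (\S+)", s):
            c["policy"][m[1]] = m[2]
        elif m := re.fullmatch(r"crypto isakmp key (\S+) address (\S+) (\S+)", s):
            c["key"], c["key_addr"], c["key_mask"] = m.groups()
        elif m := re.fullmatch(r"permit ip (\S+) (\S+) (\S+) (\S+)", s):
            c["acl"].append(m.groups())
    return c

def audit(cfg):
    """Findings for one router: weak phase-1 settings, a short PSK, a PSK not pinned to one peer."""
    c, findings = parse(cfg), []
    for name, bad in WEAK.items():
        if c["policy"].get(name) in bad:
            findings.append(f"weak {name}: {c['policy'][name]}")
    if c["key"] is not None and len(c["key"]) < 16:
        findings.append(f"pre-shared key is only {len(c['key'])} character(s) long")
    if c["key_mask"] == "0.0.0.0":
        findings.append("PSK mask 0.0.0.0 does not restrict the key to one peer")
    return findings

def mirrored(cfg_a, cfg_b):
    """True when each interesting-traffic entry on one side has its reversed twin on the other."""
    a, b = parse(cfg_a)["acl"], parse(cfg_b)["acl"]
    return len(a) == len(b) and all((d, dm, s, sm) in b for s, sm, d, dm in a)
```

Run `audit()` against each side's running config and `mirrored()` across both before bringing the tunnel up; the same checks apply to a real IOS config once the prompts are stripped.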
