Basically, a VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together. Instead of using a dedicated, real-world connection such as a leased line, a VPN uses "virtual" connections routed through the Internet from the company's private network to the remote site or employee. In this article, you will gain a fundamental understanding of VPNs and learn about basic VPN components, technologies, tunneling and security.

What Makes a VPN?

A well-designed VPN can greatly benefit a company. For example, it can:
  • Extend geographic connectivity
  • Improve security
  • Reduce operational costs versus traditional WAN
  • Reduce transit time and transportation costs for remote users
  • Improve productivity
  • Simplify network topology
  • Provide global networking opportunities
  • Provide telecommuter support
  • Provide broadband networking compatibility
  • Provide faster ROI (return on investment) than traditional WAN

What features are needed in a well-designed VPN? It should incorporate:

  • Security
  • Reliability
  • Scalability
  • Network management
  • Policy management

There are three types of VPN. In the next couple of sections, we'll describe them in detail.

Remote-Access VPN

There are two common types of VPN. Remote-access, also called a virtual private dial-up network (VPDN), is a user-to-LAN connection used by a company that has employees who need to connect to the private network from various remote locations. Typically, a corporation that wishes to set up a large remote-access VPN will outsource to an enterprise service provider (ESP). The ESP sets up a network access server (NAS) and provides the remote users with desktop client software for their computers. The telecommuters can then dial a toll-free number to reach the NAS and use their VPN client software to access the corporate network.

A good example of a company that needs a remote-access VPN would be a large firm with hundreds of sales people in the field. Remote-access VPNs permit secure, encrypted connections between a company's private network and remote users through a third-party service provider.

Image courtesy: Cisco Inc.

Site-to-Site VPN

Through the use of dedicated equipment and large-scale encryption, a company can connect multiple fixed sites over a public network such as the Internet. Site-to-site VPNs can be one of two types:

  • Intranet-based - If a company has one or more remote locations that it wishes to join in a single private network, it can create an intranet VPN to connect LAN to LAN.
  • Extranet-based - When a company has a close relationship with another company (for example, a partner, supplier or customer), it can build an extranet VPN that connects LAN to LAN and allows all of the various companies to work in a shared environment.

Image courtesy: Cisco Inc.

VPN Security: Firewalls

A well-designed VPN uses several methods for keeping your connection and data secure:

  • Firewalls
  • Encryption
  • IPSec
  • AAA Server

In the following sections, we'll discuss each of these security methods. We'll start with the firewall.

A firewall provides a strong barrier between your private network and the Internet. You can configure a firewall to restrict which ports are open, what types of packets are passed through and which protocols are allowed through. Some VPN products, such as Cisco's 1700 routers, can be upgraded to include firewall capabilities by running the appropriate Cisco IOS image on them. You should already have a good firewall in place before you implement a VPN, but a firewall can also be used to terminate the VPN sessions.

VPN Security: Encryption

Encryption is the process of taking all the data that one computer is sending to another and encoding it into a form that only the other computer will be able to decode. Most computer encryption systems belong in one of two categories:

  • Symmetric-key encryption
  • Public-key encryption

In symmetric-key encryption, each computer has a secret key (code) that it can use to encrypt a packet of information before it is sent over the network to another computer. Symmetric-key encryption requires that you know which computers will be talking to each other so you can install the key on each one. Symmetric-key encryption is essentially the same as a secret code that each of the two computers must know in order to decode the information. The code provides the key to decoding the message. Think of it like this: you create a coded message to send to a friend in which each letter is substituted with the letter that is two down from it in the alphabet. So "A" becomes "C" and "B" becomes "D". You have already told a trusted friend that the code is "Shift by 2". Your friend gets the message and decodes it. Anyone else who sees the message will see only nonsense.
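The "Shift by 2" code described above, written out in Python as an added example (not code from the original article). The encrypt and decrypt functions share one secret key, which is the essence of symmetric encryption; the last function lists every candidate plaintext to show the caveat a practitioner cares about: with only 26 possible keys, the secrecy rests entirely on the size of the key space, which is why practical ciphers use keys of 128 bits or more.

```python
import string

ALPHABET = string.ascii_uppercase


def shift_encrypt(plaintext: str, key: int) -> str:
    """Replace each letter with the one `key` places further along the alphabet (wrapping at Z)."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)


def shift_decrypt(ciphertext: str, key: int) -> str:
    """The receiver applies the same shared secret in reverse: shift back by `key`."""
    return shift_encrypt(ciphertext, -key)


def every_possible_decryption(ciphertext: str) -> dict:
    """All 26 candidate plaintexts; with so few keys, the secret cannot stay hidden for long."""
    return {k: shift_decrypt(ciphertext, k) for k in range(26)}


if __name__ == "__main__":
    secret_key = 2                                     # agreed in advance with the trusted friend
    msg = shift_encrypt("MEET AT NOON", secret_key)    # constructed sample message
    print(msg, "->", shift_decrypt(msg, secret_key))
    print(every_possible_decryption(msg)[secret_key])
```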

Public-key encryption uses a combination of a private key and a public key. The private key is known only to your computer, while the public key is given by your computer to any computer that wants to communicate securely with it. To decode an encrypted message, a computer must use the public key, provided by the originating computer, and its own private key. A very popular public-key encryption utility is called Pretty Good Privacy (PGP), which allows you to encrypt almost anything. You can find out more about PGP at the PGP site.

VPN Security: IPSec

Internet Protocol Security (IPSec) provides enhanced security features such as better encryption algorithms and more comprehensive authentication.

IPSec has two encryption modes: tunnel and transport. Tunnel mode encrypts both the header and the payload of each packet, while transport mode encrypts only the payload. Only systems that are IPSec compliant can take advantage of this protocol. Also, all devices must use a common key, and the firewalls of each network must have very similar security policies set up. IPSec can encrypt data between various devices, such as:

  • Router to router
  • Firewall to router
  • PC to router
  • PC to server

VPN Security: AAA Servers

AAA (authentication, authorization and accounting) servers are used for more secure access in a remote-access VPN environment. When a request to establish a session comes in from a dial-up client, the request is proxied to the AAA server. AAA then checks the following:

  • Who you are (authentication)
  • What you are allowed to do (authorization)
  • What you actually do (accounting)

The accounting information is especially useful for tracking client use for security auditing, billing or reporting purposes.

VPN Technologies

Depending on the type of VPN (remote-access or site-to-site), you will need to put in place certain components to build your VPN. These might include:

  • Desktop software client for each remote user
  • Dedicated hardware such as a VPN concentrator or secure PIX firewall
  • Dedicated VPN server for dial-up services
  • NAS (network access server) used by service provider for remote-user VPN access
  • VPN network and policy-management center

Because there is no widely accepted standard for implementing a VPN, many companies have developed turn-key solutions on their own. In the next few sections, we'll discuss some of the solutions offered by Cisco, one of the most prevalent networking technology companies.

VPN Concentrator

Incorporating the most advanced encryption and authentication techniques available, Cisco VPN concentrators are built specifically for creating a remote-access VPN. They provide high availability, high performance and scalability and include components, called scalable encryption processing (SEP) modules, that enable users to easily increase capacity and throughput. The concentrators are offered in models suitable for everything from small businesses with up to 100 remote-access users to large organizations with up to 10,000 simultaneous remote users.

VPN-Optimized Router

Cisco's VPN-optimized routers provide scalability, routing, security and QoS (quality of service). Based on the Cisco IOS (Internetwork Operating System) software, there is a router suitable for every situation, from small-office/home-office (SOHO) access through central-site VPN aggregation to large-scale enterprise needs.

Cisco Secure PIX Firewall

An amazing piece of technology, the PIX (private Internet exchange) firewall combines dynamic network address translation, a proxy server, packet filtering, firewall and VPN capabilities in a single piece of hardware.

Instead of using Cisco IOS, this device has a highly streamlined OS that trades the ability to handle a variety of protocols for extreme robustness and performance by focusing on IP.

Tunneling

Most VPNs rely on tunneling to create a private network that reaches across the Internet. Essentially, tunneling is the process of placing an entire packet within another packet and sending it over a network. The protocol of the outer packet is understood by the network and by both points, called tunnel interfaces, where the packet enters and exits the network.

Tunneling requires three different protocols:

  • Carrier protocol - The protocol used by the network that the information is traveling over
  • Encapsulating protocol - The protocol (GRE, IPSec, L2F, PPTP, L2TP) that is wrapped around the original data
  • Passenger protocol - The original data (IPX, NetBEUI, IP) being carried

Tunneling has amazing implications for VPNs. For example, you can place a packet that uses a protocol not supported on the Internet (such as NetBEUI) inside an IP packet and send it safely over the Internet. Or you could put a packet that uses a private (non-routable) IP address inside a packet that uses a globally unique IP address to extend a private network over the Internet.


Tunneling: Site-to-Site

In a site-to-site VPN, GRE (generic routing encapsulation) is normally the encapsulating protocol that provides the framework for how to package the passenger protocol for transport over the carrier protocol, which is typically IP-based. This includes information on what type of packet you are encapsulating and information about the connection between the client and server. Instead of GRE, IPSec in tunnel mode is sometimes used as the encapsulating protocol. IPSec works well on both remote-access and site-to-site VPNs, but it must be supported at both tunnel interfaces to be used.
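As an added example (not code from the original article, nor Cisco's), the carrier/encapsulating/passenger layering and the GRE packaging described above in Python: an IPv4 passenger packet with private addresses is wrapped behind a 4-byte RFC 2784 GRE header inside an IPv4 carrier packet, and the tunnel exit validates the outer headers before unwrapping it. The addresses and payload are constructed sample values; the carrier addresses come from the documentation ranges and stand in for globally unique ones.

```python
import ipaddress
import struct

GRE_PROTO = 47           # IP protocol number for GRE, the encapsulating protocol
ETHERTYPE_IPV4 = 0x0800  # GRE protocol-type value announcing an IPv4 passenger


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 1071); 0 means the header verifies."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 packet: 20-byte header without options, then the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def addresses(packet: bytes) -> tuple:
    """(source, destination) of an IPv4 packet as dotted strings."""
    return str(ipaddress.IPv4Address(packet[12:16])), str(ipaddress.IPv4Address(packet[16:20]))


def gre_encapsulate(outer_src: str, outer_dst: str, passenger: bytes) -> bytes:
    """Carrier IPv4 header + 4-byte RFC 2784 GRE header + the passenger packet, untouched."""
    gre_hdr = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # checksum/key/sequence bits all clear
    return ipv4_packet(outer_src, outer_dst, GRE_PROTO, gre_hdr + passenger)


def gre_decapsulate(carrier: bytes) -> bytes:
    """Checks a tunnel exit should make before handing the passenger to the private LAN."""
    ihl = (carrier[0] & 0x0F) * 4
    if ipv4_checksum(carrier[:ihl]) != 0:
        raise ValueError("outer IPv4 header checksum mismatch")
    if carrier[9] != GRE_PROTO:
        raise ValueError("outer packet does not carry GRE")
    flags_ver, ptype = struct.unpack("!HH", carrier[ihl:ihl + 4])
    if flags_ver & 0x0007:   # version must be 0 for RFC 2784 GRE
        raise ValueError("unsupported GRE version")
    if flags_ver & 0xB000:   # C, K or S bit set means optional fields this parser skips
        raise ValueError("optional GRE fields not supported here")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("passenger protocol is not IPv4")
    return carrier[ihl + 4:]


if __name__ == "__main__":
    inner = ipv4_packet("10.1.1.10", "10.2.2.20", 17, b"constructed site-to-site payload")
    carrier = gre_encapsulate("198.51.100.1", "203.0.113.1", inner)  # constructed carrier addresses
    print("outer", addresses(carrier), "-> inner", addresses(gre_decapsulate(carrier)))
```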

Tunneling: Remote-Access

In a remote-access VPN, tunneling normally takes place using PPP. Part of the TCP/IP stack, PPP is the carrier for other IP protocols when communicating over the network between the host computer and a remote system.

Each of the protocols listed below was built on the basic structure of PPP and is used by remote-access VPNs.

  • L2F (Layer 2 Forwarding) - Developed by Cisco, L2F will use any authentication scheme supported by PPP.
  • PPTP (Point-to-Point Tunneling Protocol) - PPTP was created by the PPTP Forum, a consortium which includes US Robotics, Microsoft, 3COM, Ascend and ECI Telematics. PPTP supports 40-bit and 128-bit encryption and will use any authentication scheme supported by PPP.
  • L2TP (Layer 2 Tunneling Protocol) - L2TP is the product of a partnership between the members of the PPTP Forum, Cisco and the IETF (Internet Engineering Task Force). Combining features of both PPTP and L2F, L2TP also fully supports IPSec.

L2TP can be used as a tunneling protocol for site-to-site VPNs as well as remote-access VPNs. In fact, L2TP can create a tunnel between:

  • Client and router
  • NAS and router
  • Router and router
