1.

1 VPN TOPOLOGIES

A Virtual Private Network (VPN) provides the same network

connectivity for remote users over a public infrastructure as they
would have over a private network. VPN services for network
connectivity include authentication, dataintegrity, and
confidentiality.

There are two basic VPN types: -

• LAN-to-LAN VPNs – There are two common types of LAN-to-

LAN VPNs, also known as site-to-site VPNs:

o Intranet VPNs connect corporate headquarters, remote

offices, and branch offices over a public infrastructure.
o Extranet VPNs link customers, suppliers, partners, or
communities of interest to a corporate Intranet over a
public infrastructure.

• Remote Access VPNs – Which securely connect

remote users, such as mobile users and telecommuters, to
the enterprise
1.1.1 Site-to-Site or LAN-to-LAN VPNs
Site-to-site VPNs can be used to connect corporate sites.
Site-to-site VPN is an extension of a classic WAN network. Site-to-site
VPNs can be built using routers, Security Appliances, or VPN
concentrators .
 1.1.2 Remote Access VPNs

A Remote Access VPN secures connections for remote users,

such as mobile users or telecommuters, to corporate LANs over shared
service provider networks. There two types of Remote Access VPNs:

• Client-initiated – Remote users use a VPN client or web

browser to establish a secure tunnel across a public network to
the enterprise.
• NAS-initiated – Remote users dial in to an ISP Network Access
Server (NAS). The NAS establishes a secure tunnel to the
enterprise private network that might support multiple remote
user-initiated sessions

Remote Access VPNs can support the needs of telecommuters,

mobile users, consumer-to-business extranets, and so on. A Remote
Access VPN can be terminated on head-end devices, such as
routers, PIX Security Appliances, or VPN Concentrators. Remote
access clients can include routers, VPN hardware clients, or VPN
software clients
 1.2 VPN TECHNOLOGIES

1.2.1 VPN Implementation at Different IOS Layers

This figure below,shows the implementation of protection at different

Layers of IOS. With implementation of encryption on one layer, this layer
and all layers above it are automatically protected. Network layer
protection offers one of the most flexible solutions. It is media
independent as well as application independent.

Some standardization has been successful at Layer 4 of the OSI

model with protocols such as Secure Socket Layer (SSL) providing
privacy, authenticity, and integrity to TCP-based applications. SSL is
used heavily in modern e-commerce sites. However, SSL fails to
address the issues of flexibility, ease of implementation, and
application independence. One of the latest technologies available,
Transport Layer Security (TLS), can be used to address many of the
limitations of SSL.

.
 Protection at lower levels of the OSI stack, especially the Data Link
layer, was also used in communication systems of the past. This
provided protocol independent protection on specific untrusted links.
However, Data Link layer protection is expensive to deploy on a large
scale because there is a need to protect every single link separately.
Data Link layer protection allows for man-in-the-middle attacks on
intermediate stations, or routers, and is usually proprietary.

Layer 3 is currently the most popular level to apply cryptographic

protection tonetwork traffic.

1.2.2 Tunneling Protocols and Tunnel Interfaces

The table shows avariety of technologies exist to enable
tunneling of protocols through networks to create a VPN .
 Prior to the Layer 2 Tunneling Protocol (L2TP) standard established in
August 1999, Cisco used Layer 2 Forwarding (L2F) as its proprietary
tunneling protocol. L2TP is entirely backwards compatible with L2F.
L2F is not forward compatible with L2TP. L2TP, defined in RFC 2661, is
a combination of Cisco L2F and Microsoft Point-to-Point Tunneling
Protocol (PPTP). Microsoft supports PPTP in its earlier versions of
Windows and PPTP/L2TP in Windows NT/2000/XP. L2TP is used to
create a media independent, multiprotocol Virtual Private Dial
Network (VPDN). L2TP allows users to invoke corporate security
policies across any VPN or VPDN link as an extension of their internal
networks
The Cisco Generic Routing Encapsulation (GRE) multiprotocol
carrier encapsulates IP, CLNP, IPX, AppleTalk, DECnet Phase IV, and
XNS inside IP tunnels.

With GRE tunneling, a router at each site encapsulates protocol-

specific packets in an IP header .
GRE encapsulation process:-
 This creates a virtual point-to-point link between routers across an IP
cloud. By connecting multiprotocol sub networks in a single-protocol
backbone environment, IP tunneling allows network expansion across
a single-protocol backbone environment. GRE tunneling allows
desktop protocols to take advantage of the enhanced route selection
capabilities of IP.

The IP Security Protocol (IPSec) is the choice for secure corporate

VPNs. However, IPSec supports IP unicast traffic only. For multiprotocol
or IP multicast tunneling, another tunneling protocol must be used.
Because of its PPP ties, L2TP is best suited for remote access VPNs that
require multiprotocol support.

GRE (Generic Routing Encapsulation) is best suited for site-to-site

VPNs that require multiprotocol support. Also, GRE is typically used to
tunnel multicast packets such as routing protocols. Neither of these
tunneling protocols supports data encryption or packet integrity. GRE
encapsulates all traffic, regardless of its source and destination.
Remember to use GRE or L2TP when there is a need to support
tunneling packets other than the IP unicast type. In these cases, IPSec
can be used in combination with these protocols to provide encryption,
such as L2TP/IPSec and GRE/IPSec. In summary, if only IP unicast
packets are being tunneled, then a simple encapsulation provided by
IPSec is sufficient and much less complicated to configure and
troubleshoot.

Multiprotocol Label Switching (MPLS) is a VPN technology. It is

implemented by ISPs and large corporations. MPLS uses label switching
and label switched paths over various link level technologies. Some
examples are Packet-over-SONET, Frame Relay, ATM, and LAN
technologies such as all forms of Ethernet and Token Ring. This
includes procedures and protocols for the distribution of labels
between routers, encapsulations, and multicast considerations.

Aflow chat showing the selection of VPN Technologies:-

Tunnel Interfaces - Tunnel interfaces provide a point-to-point

connection between two routers through a virtual software interface.
They also appear as one direct link between routers hiding the
underlying infrastructure that are connected via a large network, such
as the Internet.
 Tunnel interface configuration proves:-

• Unnumbered Layer 3 addresses are supported but not allowed

for by IPSec.
• Access-lists can be applied to the tunnel interface.
• QoS supports traffic requiring consistent service such as voice
over IP.
• Committed Access Rate (CAR), Weighted Fair-Queue (WFQ), and
Weighted Random Early Detection (WRED) are not supported on
tunnel interfaces at this time

Tunnel Interface acts as appoint-to-point connection.