
VPN Tutorial Guide

 

 

A virtual private network (VPN) is a secure connection between two or more endpoints across a network that is not itself trusted, typically the internet. It can also be seen as an extension of a private network across that untrusted network.

 

A VPN is commonly used to provide secure connectivity between sites, so that two organisations or departments can share resources, or to give remote users access to their corporate services as if they were sitting at their desks in the office. There are two key scenarios in which you would deploy VPN technology, known as site-to-site VPN and remote access VPN.

 

Site-to-Site VPN

In a site-to-site VPN, data is encrypted from one VPN gateway to another, providing a secure link between two sites, organisations or departments over the internet. Hosts behind either gateway need no VPN software of their own; the gateways do the encryption and decryption on their behalf. This enables both sites to share resources such as documents and other types of data over the secure link. The following figure illustrates a site-to-site VPN deployment, where an organisation has two offices and would like a secure VPN link between them to share resources.

 

 

Remote Access VPN

In a remote access VPN scenario, sometimes known as mobile VPN, a secure connection is made from an individual computer to a VPN gateway device situated at the organisation's data centre. This lets a user access their e-mail, files and other resources at work from anywhere in the world, provided they have an internet connection. Two common frameworks exist for remote access VPN, IPsec and SSL (in practice its successor TLS today), and both are covered further within this article. The following figure illustrates a remote access user VPN deployment.

 

 

VPN Use Case

A site-to-site VPN is a cost effective solution which provides a secure connection that enables sharing of IT resources between multiple organisations or offices. This saves companies from renting expensive dedicated leased lines, and can save companies from investing in additional IT infrastructure services because all of the services can be accessed over a VPN connection at the head office.

Remote access VPN technology provides the ability for users to work remotely, as if they were in the office sitting at their desks. This saves companies from investing in larger offices to facilitate employees and the need for various office supplies.

In many real world scenarios, organisations grow and introduce additional working environments. For example, a company may have its head office in the US and, due to growth, open a new branch office in the UK. The US office will already have a complete IT infrastructure, including network and storage hardware and software, with services such as Active Directory and email in place. The UK branch office may consist of only a small number of users, let's say ten employees. To make this scenario cost effective, a VPN connection between the US and UK offices would be the best solution: it saves the cost of installing IT infrastructure within the UK, because employees can use the existing infrastructure in the US over the tunnel. Another option would be cloud services, which many organisations are moving towards and which would be a discussion for another article; we will stick to VPN use cases here.

Another cost saving use case, and a perfectly valid alternative to the example above, would be to allow employees based in the UK to work from remote locations such as their home offices. This can be achieved by implementing a remote access VPN solution at the corporate head office in the US. The UK based employees would only require an internet connection and configured VPN client software to connect securely to their corporate network in the US. Additionally, if only a few specific resources are needed, these can be made available through a web based VPN portal accessed over a browser, so the employees would not even require client side VPN software: they browse to a URL, log in with their credentials, and find links to corporate resources such as the intranet and their email.

VPN technology provides a superb and cost effective solution for companies with several branch offices, partners, and remote users being able to share data and connect to corporate network resources in a secure and private manner.

When data is sent through a VPN tunnel, the VPN software encapsulates every packet: it encrypts the original packet and adds an integrity check value computed with a key that only the two endpoints hold. If the traffic is captured on the internet by a potential attacker, the packets are unreadable, and if a packet is modified in transit the integrity check fails and the receiving VPN gateway discards it. IPsec's ESP additionally numbers each packet, so a captured packet that is replayed later is rejected as well.
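As an added illustration of the encapsulate, encrypt and integrity-check behaviour just described (example code written for this page, not part of the original guide or of any IPsec implementation), the following Python models an ESP-style packet: an 8-byte header of SPI and sequence number, a ciphertext produced with a constructed HMAC-based keystream standing in for AES, and a truncated HMAC-SHA-256 integrity check value. The receiver checks the anti-replay window and the ICV before decrypting, in the order RFC 4303 requires, so a flipped bit or a replayed packet is dropped. Keys, SPI and packet contents are all made up for the example.

```python
import hashlib
import hmac
import os
import struct

ICV_LEN = 16        # truncated tag, as HMAC-SHA2-256-128 uses in real ESP
REPLAY_WINDOW = 64  # the minimum anti-replay window RFC 4303 asks for


def _keystream(enc_key: bytes, spi: int, seq: int, length: int) -> bytes:
    """Stand-in for a counter-mode block cipher (constructed, not AES):
    HMAC-SHA-256 over (SPI, sequence number, block counter)."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack(">IIQ", spi, seq, block),
                        hashlib.sha256).digest()
        block += 1
    return out[:length]


def esp_protect(enc_key: bytes, auth_key: bytes, spi: int, seq: int,
                payload: bytes) -> bytes:
    """Sender side: header | encrypted payload | ICV (encrypt-then-MAC)."""
    header = struct.pack(">II", spi, seq)
    ks = _keystream(enc_key, spi, seq, len(payload))
    ct = bytes(p ^ k for p, k in zip(payload, ks))
    icv = hmac.new(auth_key, header + ct, hashlib.sha256).digest()[:ICV_LEN]
    return header + ct + icv


class EspReceiver:
    """Receiver side for one inbound SA: replay window, ICV check, decrypt."""

    def __init__(self, enc_key: bytes, auth_key: bytes, spi: int):
        self.enc_key, self.auth_key, self.spi = enc_key, auth_key, spi
        self.highest = 0   # highest sequence number accepted so far
        self.seen = 0      # bit i set => sequence number (highest - i) accepted

    def _in_window(self, seq: int) -> bool:
        if seq == 0:
            return False               # ESP sequence numbers start at 1
        if seq > self.highest:
            return True
        back = self.highest - seq
        return back < REPLAY_WINDOW and not (self.seen >> back) & 1

    def _mark(self, seq: int) -> None:
        if seq > self.highest:
            shift = seq - self.highest
            mask = (1 << REPLAY_WINDOW) - 1
            self.seen = ((self.seen << shift) & mask) if shift < REPLAY_WINDOW else 0
            self.seen |= 1
            self.highest = seq
        else:
            self.seen |= 1 << (self.highest - seq)

    def receive(self, packet: bytes):
        """Returns (plaintext or None, reason)."""
        if len(packet) < 8 + ICV_LEN:
            return None, "truncated"
        header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = struct.unpack(">II", header)
        if spi != self.spi:
            return None, "unknown SPI"
        if not self._in_window(seq):
            return None, "replayed or too old"
        expected = hmac.new(self.auth_key, header + body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return None, "integrity check failed"   # modified in transit
        self._mark(seq)                              # only after the ICV verifies
        pt = bytes(c ^ k for c, k in zip(body, _keystream(self.enc_key, spi, seq, len(body))))
        return pt, "ok"


def demo() -> dict:
    """Walk one packet through the cases a sniffing attacker can cause."""
    enc_key, auth_key, spi = os.urandom(32), os.urandom(32), 0x1000ABCD  # constructed
    rx = EspReceiver(enc_key, auth_key, spi)
    genuine = esp_protect(enc_key, auth_key, spi, 1, b"GET /intranet/ HTTP/1.1")
    tampered = bytearray(genuine)
    tampered[12] ^= 0x01                 # flip one ciphertext bit
    results = {
        "sniffed_readable": b"intranet" in genuine,
        "tampered": rx.receive(bytes(tampered))[1],
        "genuine": rx.receive(genuine)[1],
        "replayed": rx.receive(genuine)[1],
        "next": rx.receive(esp_protect(enc_key, auth_key, spi, 2, b"second"))[1],
    }
    results["decrypted"] = rx.receive(esp_protect(enc_key, auth_key, spi, 3, b"third"))[0]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The order inside receive matters: the replay lookup is done before the expensive ICV computation, but the window is only updated once the ICV has verified, otherwise an attacker could poison the window with forged sequence numbers and cause genuine packets to be dropped.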

The finer details of how VPN technologies and frameworks establish tunnels are covered below and within the rest of this website, which also has a page for each of the VPN terms used here.

 

VPN Networking Protocols

VPN tunnels are built on one of four main networking protocols, detailed below. They do not all offer the same level of security: PPTP is obsolete, L2TP on its own provides no encryption, and only IPsec and SSL/TLS are suitable for new deployments.

 

Point to Point Tunnelling Protocol (PPTP)

PPTP is a tunnelling protocol, published by Microsoft and partners as RFC 2637, that carries PPP (Point-to-Point Protocol) frames inside a GRE tunnel, with a control connection on TCP port 1723. Using PPTP, remote users can reach their corporate networks from Microsoft Windows platforms and other PPP enabled systems. Historically this was done by dialling into a local internet service provider and then establishing the tunnel across the internet.

PPTP is considered a weak protocol: its MS-CHAPv2 authentication can be broken offline from a captured handshake, and its MPPE encryption is RC4 based and keyed from that same handshake, so the tunnel contents can be recovered. Although Microsoft improved the implementation over the years, its own guidance now recommends moving to other VPN types rather than relying on PPTP. PPTP is easier to configure than IPsec, but IPsec outweighs it in every other respect, being both more secure and more robust.

 

Layer 2 Tunnelling Protocol (L2TP)

L2TP is a successor to PPTP, created by combining it with Cisco's Layer 2 Forwarding protocol (L2F), and is used by internet service providers to provide VPN services over the internet. On its own L2TP only tunnels traffic (over UDP port 1701) and provides no encryption, so it is almost always run inside IPsec, a combination known as L2TP/IPsec, where IPsec provides the encryption, authentication and integrity. IPsec is considered better than the layer 2 VPN protocols PPTP and L2TP on their own, which is why security vendors have integrated the IPsec framework into their products.

 

IPsec (IP Security)

IPsec operates at layer 3 of the OSI model and for this reason can protect any protocol that runs on top of IP. IPsec is a framework consisting of several protocols (IKE for key exchange, AH and ESP for protecting packets) into which different encryption, integrity and key agreement algorithms can be plugged. It provides flexibility and strength in depth and is the standard choice for securing VPN tunnels. Its main drawback is that it must be set up on the corporate gateway and on client side devices, and it is a complex framework to work with. IPsec is used for both site-to-site and remote user VPN connectivity.

 

Secure Socket Layer (SSL) VPN

SSL VPN provides excellent ease of use, flexibility and security for remote access users. The underlying protocol is the same one used when you shop or bank online; you will notice a protected page when you see "https" in your browser's URL bar. Strictly speaking SSL itself has been deprecated and modern products use its successor TLS, but the product category is still called SSL VPN.

When it comes to remote access VPN technology, one of the main differences between SSL VPN and IPsec is that with IPsec the remote user needs pre-configured fat client software, which must be installed and configured, and there have been known issues with such clients behind certain firewalls and on public internet services such as wireless hotspots. IPsec needs several protocols to pass: UDP port 500 for IKE, UDP port 4500 for NAT traversal, and IP protocol 50 (ESP), or 51 if AH is used. Each needs its own firewall rule, and networks that allow only web traffic will block them. With SSL VPN, downloading and installing a client is optional, and everything runs over the single TCP port 443, which almost every network permits.

An SSL VPN can be configured with a web portal offering user defined resources. The portal is a GUI accessed via a web browser and contains tools and utilities for reaching applications on the network, for example RDP and Outlook. SSL VPN can also imitate the way IPsec works, providing a full tunnel either through a lightweight client or by clicking connect directly from the web portal. Where a client is required, it can be installed with very little effort from the browser, which simplifies secure access to the corporate network.

Using SSL VPN makes simple work of provisioning thousands of end users, who can access corporate network resources with very little effort. The end user needs to know the web address of the SSL VPN portal and their login credentials, and that is pretty much it. With SSL VPN being a browser based technology, web portals can be created with links to corporate resources, another advantage in that users do not have to rely on configured client side VPN software and can connect from any device with a web browser. The flip side is that the browser becomes the trust boundary: a compromised or shared machine gets the same access as its user, so portals are normally paired with multi-factor authentication and, where possible, endpoint checks.

 

Advantages and Disadvantages to using a Site-to-Site VPN Technology

 

Advantages

VPNs eliminate the need for expensive leased lines. Historically T1 lines have been used to connect office locations together securely, and if the locations are far apart the cost of renting leased lines can be prohibitive. A VPN only requires a broadband internet connection, avoiding the hefty monthly rental on dedicated lines. VPNs also replace remote access servers and dial up connections, though these are rarely used anymore.

Through link balancing and link bonding, VPNs can use two or more internet connections: if one connection fails, VPN traffic automatically traverses the remaining connections, and once the failed connection is back online, traffic returns to the original link.

 

Disadvantages

Remember that a VPN tunnel relies on the internet, and therefore on your ISP (Internet Service Provider) being reliable, although this risk can be reduced by having two or more ISPs and using the second connection in a VPN failover scenario.

VPNs also require careful configuration and possibly some troubleshooting, and the terminology can be overwhelming for administrators not familiar with the technology.

 

 

Setting up an IPsec Site-to-Site VPN Tunnel

 

Below is a basic overview of the typical way a site-to-site VPN is configured using IPsec. IPsec is the most commonly used framework for creating VPN tunnels and is known to be solid, robust and secure.

If you are new to VPN technology and the IPsec framework, a lot of the terminology can be overwhelming at the beginning; the terminology pages on this website explain each of the terms used in the guide below.

 

Setting up a site-to-site VPN with IPsec

The information below covers what is required to set up a VPN connection on a VPN gateway device using IPsec. It is not aimed at any specific vendor and is fairly generic.

To start with, you need to decide how the two VPN peer devices will authenticate each other: either agree on a pre-shared key or install digital certificates. This is what proves each gateway's identity to the other and ensures that only authorised gateways can bring up the tunnel. Both gateways must use the same type of credential, so either both use pre-shared keys or both use digital certificates, and if you use pre-shared keys, the keys on both sides must match. A pre-shared key should be long and randomly generated, never a word or phrase, and certificates are preferable once you have more than a handful of peers, because a single secret then does not have to be shared with every site.

 

Phase 1

IPsec VPNs are configured and negotiated in two phases. In phase 1, you use main mode or aggressive mode to set up a secure and encrypted channel (the IKE SA) that protects the phase 2 negotiations. Main and aggressive mode are IKE version 1 concepts; IKEv2 has a single exchange type, but the same parameters still have to be chosen.

1) You need to specify both gateway addresses. At each end, you specify the address of the local VPN gateway and the address of the remote VPN gateway. Separately, each peer has an IKE identity, which can be an IP address, a fully qualified domain name, on some gateways an e-mail address, or, if you use digital certificates, the certificate's subject field. The identity a peer sends must match what the other side has been told to expect.

2) Main mode or aggressive mode can be selected depending on the type of VPN and how IP addresses are assigned. Main mode uses six messages and is the more secure; aggressive mode uses three and is faster. In main mode the peers exchange identities only after the Diffie-Hellman exchange, so the identities are encrypted; in aggressive mode the identities are sent in clear text, and when a pre-shared key is used the authentication hash is sent in clear as well, which lets anyone who captures the exchange attempt to guess the key offline. Main mode is the more commonly used option and is the normal choice for site-to-site tunnels. Aggressive mode is typically used only when one or both VPN gateways have dynamic IP addresses, so that the peer cannot be identified by its address, or for some remote access connections.

3) Specify whether to use NAT traversal (NAT-T). This is needed if either VPN gateway is behind a NAT device; it encapsulates ESP in UDP on port 4500 so that the NAT device can forward it. Specify whether both peers should use IKE keep-alives, also known as dead peer detection (DPD). With DPD, if the peer stops responding to keep-alive requests the gateway tears the tunnel down and, where a second interface or ISP link has been set up, fails over to it. This matters when you have multiple connections to the internet and both can carry the VPN: when the primary ISP connection fails, the backup link becomes the active link for the tunnel.

4) You now configure the VPN proposals, also called transform sets. These include the encryption algorithm, the authentication method, the hashing (integrity) algorithm and the security association lifetime. For authentication you choose either a pre-shared key or digital certificates. The hashing options commonly offered are MD5, SHA-1 and the SHA-2 family (SHA-256 and above). MD5 and SHA-1 are legacy algorithms; prefer SHA-256 wherever the peer supports it and avoid MD5.

For encryption the common algorithms are DES, 3DES and AES with 128, 192 or 256 bit keys. DES is broken and 3DES is slow and deprecated; AES is the strongest cipher of those mentioned and the one to use.

You can set a lifetime after which the Security Association (SA) expires and fresh keys are negotiated. This limits how much traffic is protected by any one set of keys and so limits the damage if a key is ever compromised. Do consider that the more options you turn on, the greater the effect on performance, and the more complicated maintenance and troubleshooting become.

You will need to specify a Diffie-Hellman group, usually 1, 2, 5, 14 or higher. The larger the group's modulus, the stronger the key agreement: group 1 (768-bit) and group 2 (1024-bit) are considered breakable by a well resourced attacker and should be avoided, group 5 (1536-bit) is marginal, and group 14 (2048-bit) or the elliptic curve groups 19 and 20 are the current recommendation.

You can optionally set up extra proposals or transform sets if needed. If you are not sure of your peer's proposal settings, you may want to configure several proposals using algorithms that are acceptable to you. It is better, though, to find out your peer's settings and create the minimum proposals required, because every extra proposal you offer is one the other side is allowed to pick.

Phase 2

In phase 2, using quick mode, you establish the IPsec Security Association (SA). Here you tell the gateway what traffic will be sent over the VPN and how to encrypt and authenticate it.

1) You will need to specify what traffic will go across the VPN, by giving an IP address, a network address or an IP address range for each side. On many gateways these are called proxy IDs or traffic selectors. This defines access to your internal network, so that remote users from home or the peer office can reach resources behind the VPN gateway. IKEv1 does not narrow selectors during negotiation, so those configured on the two peers must be mirror images of each other; a mistyped network mask is one of the most common reasons a phase 2 negotiation fails.

2) You can choose whether to use Perfect Forward Secrecy (PFS) for an extra layer of security. With PFS a fresh Diffie-Hellman exchange is performed for each phase 2 SA, so that compromising the phase 1 keys does not reveal the data keys. If you use PFS, both VPN peers must support it and agree on the Diffie-Hellman group for the new keying material; the same group guidance as for phase 1 applies.

You now specify some more parameters for securing your data within the IPsec SA (phase 2), also known as phase 2 proposals. These consist of the encryption and authentication algorithms.

3) Here you first specify the type of proposal, AH or ESP. AH provides integrity and authentication only, without encryption, and because it authenticates the IP header it cannot traverse NAT; ESP provides encryption and, optionally, authentication.

4) If you specified ESP, which the majority would choose, you then specify the authentication and encryption. For authentication and integrity you can select MD5, SHA-1 or SHA-256 and above; use SHA-256 where the peer supports it. For encryption you can select DES, 3DES or AES with 128, 192 or 256-bit keys, of which AES is the only one still recommended. Many gateways also offer AES-GCM, which provides encryption and integrity in one algorithm and is faster than AES plus a separate hash.

5) You may want to set a lifetime after which the phase 2 keys expire and are renegotiated. This ensures your encryption keys change over time, adding security at a slight cost in performance. Most organisations leave these settings at the default, but a bank or any other company dealing with highly sensitive and confidential data may want to expire keys more frequently.

Final steps

You may now need to create security policy rules to allow your VPN traffic in and out of your firewall: the IKE and ESP (or NAT-T) packets between the two gateway addresses, and the decrypted traffic between the two internal networks. This step may already have been done for you when you completed configuring your gateway; this depends on the firewall vendor's product.

Once the rules are configured, the configuration of your VPN gateway is complete and you can configure the peer VPN gateway, if you have been tasked with that too. Remember to configure the peer with matching settings: the same credentials, proposals, modes and lifetimes, with the local and remote addresses and networks swapped around, or the VPN tunnel will not form.
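The matching requirement just described is easy to get wrong, so here is a pre-flight check, written for this page as an added example rather than any vendor's tool, that takes the phase 1 and phase 2 settings of both gateways (the guide's US and UK offices, with constructed addresses, key and networks) and reports mismatches and legacy algorithms before you try to bring the tunnel up. It also mirrors how an IKEv1 responder chooses a proposal, so it shows which transform set the two configurations would actually negotiate, which serves the earlier note about offering extra proposals as well. The parameter names are the guide's own; the dictionaries are an assumed representation, not a real configuration format.

```python
import ipaddress

# Legacy algorithms still offered by many gateways; flagged, not forbidden.
LEGACY = {"des", "3des", "md5", "sha1", "group1", "group2", "group5"}

# Constructed settings for the two gateways (addresses from the documentation ranges).
PEER_US = {
    "local_gw": "203.0.113.10", "remote_gw": "198.51.100.20",
    "auth": "psk", "psk": "EXAMPLE-PSK-replace-with-32-random-bytes", "mode": "main",
    "phase1": [
        {"enc": "aes256", "hash": "sha256", "dh": "group14"},
        {"enc": "3des", "hash": "sha1", "dh": "group2"},   # fallback left in "just in case"
    ],
    "phase1_lifetime": 28800,
    "phase2": {"proto": "esp", "enc": "aes256", "auth": "sha256",
               "pfs": "group14", "lifetime": 3600},
    "local_net": "10.1.0.0/16", "remote_net": "10.2.0.0/16",
}
PEER_UK = {
    "local_gw": "198.51.100.20", "remote_gw": "203.0.113.10",
    "auth": "psk", "psk": "EXAMPLE-PSK-replace-with-32-random-bytes", "mode": "main",
    "phase1": [{"enc": "aes256", "hash": "sha256", "dh": "group14"}],
    "phase1_lifetime": 28800,
    "phase2": {"proto": "esp", "enc": "aes256", "auth": "sha256",
               "pfs": "group14", "lifetime": 3600},
    "local_net": "10.2.0.0/16", "remote_net": "10.1.0.0/24",   # typo: /24 instead of /16
}


def legacy_in(proposal: dict) -> list:
    """Names of legacy algorithms used anywhere in a proposal."""
    return sorted(v for v in proposal.values() if v in LEGACY)


def negotiate_phase1(initiator: dict, responder: dict):
    """IKEv1 responder behaviour: accept the first initiator proposal it is also configured with."""
    for proposal in initiator["phase1"]:
        if proposal in responder["phase1"]:
            return proposal
    return None


def audit(a: dict, b: dict) -> list:
    """Return (level, message) findings; an empty list means the two sides mirror each other."""
    findings = []
    err = lambda m: findings.append(("ERROR", m))
    warn = lambda m: findings.append(("WARN", m))

    if a["remote_gw"] != b["local_gw"] or b["remote_gw"] != a["local_gw"]:
        err("gateway addresses are not mirrored between the peers")
    if a["auth"] != b["auth"]:
        err("authentication types differ; both sides must use PSK or both certificates")
    elif a["auth"] == "psk" and a["psk"] != b["psk"]:
        err("pre-shared keys do not match")
    if a["mode"] != b["mode"]:
        err("phase 1 exchange modes differ")
    elif a["mode"] == "aggressive" and a["auth"] == "psk":
        warn("aggressive mode with a PSK sends the identity and PSK hash in clear; offline guessing is possible")

    chosen = negotiate_phase1(a, b)
    if chosen is None:
        err("no phase 1 proposal in common")
    elif legacy_in(chosen):
        warn(f"the proposal that would be negotiated uses legacy algorithms: {legacy_in(chosen)}")
    for name, peer in (("A", a), ("B", b)):
        for proposal in peer["phase1"]:
            if legacy_in(proposal) and proposal != chosen:
                warn(f"peer {name} offers an unused legacy fallback {proposal}; remove it so it can never be selected")

    p2a, p2b = a["phase2"], b["phase2"]
    for key in ("proto", "enc", "auth", "pfs"):
        if p2a[key] != p2b[key]:
            err(f"phase 2 {key} differs: {p2a[key]} vs {p2b[key]}")
    if p2a["proto"] == "ah":
        warn("AH gives integrity only and does not work through NAT")
    if legacy_in(p2a) or legacy_in(p2b):
        warn(f"phase 2 uses legacy algorithms: {sorted(set(legacy_in(p2a) + legacy_in(p2b)))}")
    if a["phase1_lifetime"] != b["phase1_lifetime"] or p2a["lifetime"] != p2b["lifetime"]:
        warn("SA lifetimes differ; set them equal rather than relying on the peers to settle on the shorter one")

    # IKEv1 does not narrow traffic selectors, so they must be exact mirror images.
    a_local, a_remote = ipaddress.ip_network(a["local_net"]), ipaddress.ip_network(a["remote_net"])
    b_local, b_remote = ipaddress.ip_network(b["local_net"]), ipaddress.ip_network(b["remote_net"])
    if a_local != b_remote or a_remote != b_local:
        err(f"traffic selectors are not mirrored: A {a_local}<->{a_remote}, B {b_local}<->{b_remote}")
    return findings


if __name__ == "__main__":
    for level, message in audit(PEER_US, PEER_UK):
        print(f"{level}: {message}")
```

Run against the sample, the check reports the UK side's /24 selector typo as an error and the US side's 3DES fallback as a warning; the tunnel would negotiate the strong proposal as things stand, but only because the UK gateway happens not to list the weak one, which is exactly the kind of dependency on the other side's configuration that the guide advises against.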

Final words

The above article is not specific to any VPN gateway, so you may find differences in the order of settings or slight discrepancies in the terminology used, but nothing more than that. Whatever firewall you use for VPN connectivity, for example Palo Alto, Fortinet, Cisco and so on, they all support IPsec, which is an internationally standardised framework defined in IETF RFCs with a standard set of parameters, so you will find the above instructions very much like how you would set up your own firewall VPN gateway. The only differences lie within the web based GUI and possibly some slight naming alterations.

In a nutshell, with all VPN gateways using IPsec you would have to configure your VPN gateway addresses, phase 1 settings, phase 2 settings, create VPN firewall policies (some firewalls automatically create VPN policies for you) and save the configuration, in which ever vendor product you work with.

Further Reading

Wikipedia's guide to VPN
