VPN Setup Tutorial Guide
A VPN (Virtual private network) is a secure connection between two or more endpoints. It can also be seen as an extension to a private network.
Site to Site VPN
In a site to site VPN data is encrypted from one VPN gateway to the other, providing a secure link between two sites over the internet. This would enable both sites to share resources such as documents and other types of data over the VPN link.
Remote Access VPN
In a remote access VPN scenario which is also known as mobile VPN a secure connection would be made from an individual computer to a VPN gateway. This would enable a user to access their e-mail, files and other resources at work from where ever they may be, providing they have an internet connection. There are two common forms of technology that exists in remote access VPN known as IPSec and SSL that are covered further below.
Why have a VPN
A VPN saves organisations \ companies from renting expensive dedicated leased lines, VPN's give the ability for users to work from home and saves cost on resources such as e-mail servers, file servers, etc, as all these can be accessed on the VPN connection at the central site.
A real world example would be if a company was split into two sites (When referring to sites we mean offices), the main site in the US and a smaller site in the UK. The US site has already a full network and storage infrastructure in place which consisted of active directory, an exchange server, file server and so on. The UK site only consisted of a small number of users, let’s say 10 employees. To make this particular scenario cost effective a VPN connection from site to site would be the best solution. Providing a VPN tunnel from the UK site to the US site would save costs from having to install another network infrastructure, exchange server, active directory server and so on. As the US site would already have administrators maintaining servers and the infrastructure and can now maintain the VPN connection as well as other resources would prove another area where savings would be made.
Another cost saving scenario to the above example would be to close the UK site down where employees based in UK could work from home. A remote access VPN scenario would be suited if the 10 users were not based anywhere in particular, and there was no UK based office. In this case they would just require an internet connection and a configured VPN client software enabling them to securely connect to their corporate network in the US. If they were using SSL VPN then they would not even require a configured client side software, they would just require the URL address to connect to the VPN portal.
So VPN’s provide a superb and cost effective solution for companies with several branch offices, partners, and remote users to share data and connect to their corporate network in a secure and private manner.With normal internet traffic, packets can be sniffed and read by anyone. However sending data via a VPN tunnel encapsulates all data packets providing high level of security. If packets which were sent securely over the internet were sniffed, they would be unreadable and if modified this would also be detected by the VPN gateway.
VPN Networking Protocols
VPN tunnels use one of four main networking protocols, which provide the sufficient level of security as shown below;
PPTP (Point to Point tunneling protocol)
PPTP is a protocol or technology that supports the use of VPN’s. Using PPTP, remote users can access their corporate networks securely using the Microsoft Windows Platforms and other PPP (Point to Point tunneling Protocols) enabled systems. This is achieved with remote users dialing into their local internet security providers to connect securely to their networks via the internet.
PPTP has its issues and is considered as a weak security protocol according to many experts, although Microsoft continues to improve the use of PPTP and claims issues within PPTP have now been corrected. Although PPTP is easier to use and configure than IPSec, IPSec outweighs PPTP in other areas such as being more secure and a robust protocol.
L2TP (Layer 2 Tunneling Protocol)
L2TP is an extension of the PPTP (Point to point tunneling protocol), used by internet service providers to provide VPN services over the internet. L2TP combines the functionality of PPTP and L2F (Layer 2 forwarding protocol) with some additional functions using some of the IPSec functionality. Also L2TP can be used in conjunction with IPSec to provide encryption, authentication and integrity. IPSec is the way forward and is considered better than the layer 2 VPN’s such as PPTP and L2TP.
IPSec (IP Security)
IPSec operates on layer 3 and so can protect any protocol that runs on top of IP. IPSec is a framework consisting of various protocols and algorithms which can be added to and developed. IPSec provides flexibility and strength in depth, and is an almost perfect solution for securing VPN’s. The only drawback is IPSec requires setting up on the corporate network and on the client end and is a complex framework to work with. IPSec is used for both site to site and remote user connectivity.
SSL VPN (Secure Socket Layer)
SSL VPN provides excellent security for remote access users as well as ease of use. SSL is already heavily used such as when you shop online, accessing your bank account online, you will notice an SSL protected page when you see the “https” in your browser URL bar as opposed to “http”.
The difference in using SSL VPN to IPSec is with IPSec a remote user would require client software which would need installing, configuring and sometimes troubleshooting. However with SSL there is no client software if a user was using the SSL portal. The portal is a GUI interface that is accessed via a web browser and contains tools and utilities in order to access applications on the network such as RDP and Outlook. SSL can also imitate the way IPSec works via a lightweight software. If a user required client SSL software, it can be installed with very little effort via a browser which simplifies the process in securely accessing to the corporate network.
Using SSL VPN would mean thousands of end user’s would be able to access the corporate network without the support of an administrator and possible hours of configuring and trouble shooting, unlike IPSec. The end user would just need to know the address of the SSL VPN portal. Another advantage is they can do this from any computer as they do not have to rely on a configured client side software.
Advantages and Disadvantages using a VPN
VPN’s eliminate the need for expensive leased lines. Historically T1 lines have been used connecting office locations together in a secure manner. If the office locations are further away, the cost of renting these least lines can be unbearable. A VPN though, only requires you to have a broadband internet connection, and so avoiding paying a hefty sum of monthly rental on dedicated leased lines. VPN’s are also a replacement for remote access server’s and dial up network connections although rarely used anymore.
Having many branch offices over the globe requires many leased lines, and so does not scale well. Each office would require a leased line to all other offices. VPN’s connecting via the Internet is a far more scalable solution, as opposed leased lines.
Through the use of link balancing and link bonding VPN's can use two or more internet connections, so if one connection at your company had a problem all VPN traffic can be sent over the remaining connections, and will automatically use the original connection when it is back up again.
You have to remember though, having a VPN means having to rely on the Internet, and having to rely that your ISP (Internet Service Provider) is reliable, although this problem can be reduced by having two or more ISP’s and using the 2nd in a VPN failover scenario.Also VPN’s require careful configuration, possibly some troubleshooting and the terminology can be overwhelming for administrators not familiar with the technology.
Setting up VPN with IPSec
Below is a basic overview in the typical way a site to site VPN is configured using IPSec. IPSec is chosen as the example because it’s the most commonly used technology and is known to be a solid, robust and secure VPN technology.
You may be new to all the VPN terminology, so clicking on the links in this VPN article will give you a good understanding on meanings within the below guide.
Basics in setting up a site to site VPN with IPSec
Below covers what is required to set up a VPN connection on a VPN gateway with IPSec. It is not really aimed at a specific vendor and is fairly general.
First you would decide how your going to authenticate both VPN peers to each other. Either select a Pre-shared key or install a digital certificate. This is used for authentication and to ensure the VPN gateways are authorised. This would prove their identities to each other. Both gateways must use the same type of credentials, so either both use pre-shared keys or both use digital certificates. Also if you are using pre-shared keys, then both keys would have to match.
1) You will need to specify both gateway addresses. So you would specify the address of the local VPN gateway and you would also specify the address of the remote VPN gateway. You can either specify an IP address or a domain name. On some VPN gateways you could also specify an e-mail address, or if you use a digital certificate you could specify the certificates subject field.
2) Main mode or aggressive mode can be selected depending on which one you would want to use. Main mode is more secure, but slower than aggressive mode. In Main mode peers exchange identities with encryption, and Aggressive mode, although faster exchanges identities without encryption. Main mode is the more commonly used. Aggressive mode is typically for when one or both of the VPN gateway's have a dynamic IP address.
3) Specify whether to use Nat-Traversal. This is selected if your VPN gateway is behind a NAT device. Also specify whether you want both peers to use IKE keep-alive. This ensures that if a VPN gateway’s interface is not responding it will failover to the second interface. This is true when your ISP goes down and your secondary interface is a backup ISP.4 You would now decide on your transform set. This includes the type of encryption, authentication and how long your security association will last. For your authentication you can either use Sha1 or MD5. Sha1 is the stronger authentication algorithm.
You can specify a limit before your SA expires, which will add more security to your VPN if your keys have been hacked. Although this will also have a slight affect on performance as well.
You will need to specify a Diffie-Hellman key group, usually 1, 2, 5 or 14 in which 14 is the most secure group.
You can optionally set up extra transform sets if needed. If you’re not sure on your peers transform settings, then you may want to set up more transform sets. Although it is recommended to know your peers settings and create the minimum transform set’s required as it is more secure this way.
1) You will need to specify what traffic will go across the VPN. So you would be specifying an IP address, Network address, or IP address range. This is access to your internal network, so either remote users from home, or the peer office can have access to resources behind the VPN gateway.
2) You can choose whether to use PFS (Perfect forward secrecy), for optional and an extra layer of security. If you will be using PFS, remember that both VPN peers must support and use PFS. You can select which Diffie-Hellman group to use for new keying material. The higher the group you select, the stronger the key.
You would now need to specify some more parameters in securing your data within the IPSec SA (Phase 2), also known as phase 2 proposals. The parameters are made up of encryption and authentication algorithms.
4) If you have specified ESP, which the majority would choose, then you would specify your authentication and encryption. For authentication and integrity you can select SHA1 or MD5, where SHA1 is the strongest algorithm. For encryption you can select DES, 3DES or AES 128, 192, or 256-bit key strength. AES 256 is the strongest encryption protocol.
5) You may want to specify a value for when your key would expire. This would ensure your encryption keys would change over a period of time, adding more security, as well as having a slight affect on performance. The majority leave these settings as the default. However if your a bank or any other company dealing with confidential data then you may want to force keys to expire, and have them re-created.
You may now need to create policies or rules to allow your VPN traffic in and out of your firewall. This may have already been done for you when you had completed configuring your gateway, and you may have had the option to either enable or disable your VPN gateway to automatically doing this for you, all depending on the product functionality.
You can now save all changes to your VPN gateway.
You are done in configuring your VPN gateway, and you can now configure the peer VPN gateway. Remember to configure your peer VPN gateway with the exact same settings as you configured your local gateway or else the VPN tunnel will not form successfully.
The above article is not specific to any VPN gateway so you may find differences in order of settings or slight difference in terminology used, but nothing more than that. Whatever firewall you may use for VPN connectivity such as Watchguard, Fortinet, SonicWALL, Cisco and so on they all support IPSec which is a standardised internationally known framework with a standard set of parameters and settings and so you will find the above instructions to be very like how you would set up your firewall VPN gateway. The only differences you would see would lie within the GUI, and possibly some slight naming alterations.
In a nutshell, with all VPN gateways using IPSec you would have to configure your VPN gateway addresses, phase 1 settings, phase 2 settings, create VPN firewall policies (some firewalls automatically create VPN policies for you) and save the configuration in which ever vendor product you work with.
Wikipedia's guide to VPN
Our new sister site is now up and running providing a central IT security resource site.