For a list of commonly used VPN related terms and descriptions, please visit the Virtual Private Network Consortium's terms page.

As the VPN market evolves and expands, the differences between various classifications and architectures become somewhat blurred. Features that were historically available only through software or firewall-based solutions are now offered by hardware vendors, while stand-alone applications might offer to improve performance by supporting encrypting routers. Newer developments such as IPsec provide a standard to create custom solutions.

There are basically three types of VPN:

INTRANET: this type of VPN is usually implemented for commonly structured networks that may span various physical locations. An example would be a network that exists in several buildings connected to a data center or mainframe that has secure access through private lines. These may need strong encryption and strict performance and bandwidth requirements.

REMOTE ACCESS: Initiated by remote users to connect to their corporate LAN such as employees and telecommuters equipped with laptops that will connect intermittently from many different locations.

EXTRANET: This type of VPN uses the Internet as its base and deals with a wider scale of users and locations to allow customers and branch offices to access corporate resources across various network types.

The most common reasons to use a VPN are:

• Reduce the costs of telecommunications (especially long distance phone charges) by using the Internet to carry traffic
  
  
• Reduce telecommunications costs by minimizing the number of lines accessing a corporate site
  
  
• Save operating expenses by contracting VPN management and equipment costs to a service provider

Long distance charges can be reduced with a VPN because users are placing local calls to their ISPs instead of making long distance calls to the company.

The number of access lines and their costs are reduced because many companies pay monthly charges for both high-speed Internet access links and frame relay, ISDN Primary Rate Interface or T1 lines to carry data. If the VPN allows data traffic over the company's Internet access lines, the number of installed lines needed is reduced.

Operational costs are additionally reduced by outsourcing remote access to an ISP or other type of service provider because by giving users access to the network via a VPN, modem pools and remote access servers can be eliminated. The operational cost savings come from not having to manage those devices.

VPNs create "virtual" point-to-point connections using a technique called tunneling.

As the name suggests, tunneling acts like a "pipe" which penetrates through a network to connect two points. Normally activated by remote users, tunneling encrypts data into standard TCP/IP packets and encapsulates it for safe transmission across the Internet.

---

VPN ensures the confidentiality and integrity of information as it travels over the public internet because it requires:

Remote user identity authentication

Secure private transmission of data (no unauthorized listeners

Verification of unadulterated data transmission

---

The VPN connection behaves like this:

You connect to the Internet in the normal manner, through your ISP.

The VPN client software on your computer initiates a connection with the VPN server.

The VPN server encrypts the data on the connection so it cannot be read by others while it is in transit.

The VPN server decrypts the data and passes it on to other servers and resources.

For a more detailed explanation of how a VPN works, see this article

Check this great article for a simple illustrated explanation of Diffie-Helman Key Exchange process.

Currently, there is VPN client software available for the following platforms:

• Mac OS 7.6 - 9, OS X
• Linux
• Windows 95/98
• Windows NT 4.0, (Service Pack 3, or later
• Windows 2000 & XP
• Windows Me

VPNs use the tunneling capability of IPSec to transparently move private data across the public Internet. Tunneling treats entire packets from a private internetwork as payload data that must be transported across a public transport network.

A VPN gateway acts as one end of a "tunnel," encapsulating entire packets from the private inter-network in new IP packets before they travel across the public Internet. The new packets, carrying the private source and destination addresses, are simply directed to a second VPN gateway that protects the other end of the transmission. The receiving gateway then recognizes and disassembles the encapsulated packet before passing its contents on to the correct address on the private internetwork.

A variety of different network devices and software products can act as VPN gateways, including VPN access servers, VPN routers, and computers with VPN client software installed.

The private network resources on each internal network, whether single machines or entire internetworks, remain unaware of the fact that the Internet is being used as a transmission medium. A VPN gateway forms the foundation of a secure Internet-based portal to those resources, since it is designed to unconditionally reject all Internet traffic that is not tunneled IPSec.

By default, when most clients connect to a vpn server all traffic initiating from your computer is sent across the VPN tunnel. However, the VPN server is configured only to treat and forward traffic with specific destinations configured as secured routes, all other traffic not matching a destination "secure network" list is dropped by the VPN server.

Split tunneling is commonly configured on the connecting client to receive pushed secure route's or set statically. In this situation, only specific traffic matching a "secure" destination address is forwarded out the virtual tunnel interface. All other traffic is routed normally and un-secured through the configured default gateway. These specific routes are configured on the VPN server and can normally be seen injected into the client's route table while connected to the VPN.

The advantages of split-tunneling is that it allows the connected client connectivity to both secure networks AND normal un-secured traffic while connected. The disadvantage is that the client is putting the remote connected network at risk because they are bypassing secure gateways that might normally be found on the remote network's infrastructure, making it accessible through the non-secured public network.

Try this site for one answer to Linux installations.

There is software available to permit your handheld device to connect to the VPN.

One such system is here
And another one for PALM� Devices
One that works with PocketPC: Freeswan-PocketPC

A VPN will set up a "tunnel" via one or more "ports" (often via the TCP protocol). The exact ports used will vary with the type of VPN, and sometimes also with the advanced setup options for the VPN. However, the VPN "tunnel" itself is just standard IP (internet) traffic, albeit strongly encrypted traffic. As such, any firewall that is configured to block any of the "ports" needed for that VPN, will also block the VPN "tunnel" (preventing you from using the VPN).

The "flip side" of this, is that a VPN "tunnel" really does "tunnel" internet traffic for all "ports" via the VPN connection. This means that if the VPN itself isn't blocked (see above), than traffic on ports that are supposedly blocked for some reason (be that because of some firewall, or some restriction of your ISP), can still go out via the (unblocked) VPN tunnel! This can be both a useful "feature" (allowing you to do things with the VPN that you couldn't do directly via the internet), or a security weakness that is all too easy to overlook.

For example, I telecommute a couple of days a week. At my office, the company firewall blocks all attempts to access (from the internet) files on our Windows servers (for obvious security reasons). However, the VPN ports are not blocked at the firewall (so that remote users can connect to the VPN). When I setup a VPN connection to the office, it "tunnels" all traffic (for the IP numbers at our office) via the VPN. This means that when I have a VPN connection setup, I am essentially bypassing all restrictions of the office firewall! This is "a good thing", because I can pretty much do anything (including accessing files) that other machines on the office LAN can do (even when the firewall supposedly blocks that traffic from the internet). However, it also means that my home office machine better be secured "better than most", if I don't want to be "the weak link" that lets some jerk use my VPN connection to make it much easier to "hack" the machines "at the office"!

Any data packets that move across a publicly shared network like the Internet are potentially vulnerable to tampering. VPNs address that issue by employing multiple security mechanisms.

But, what is safe enough? VPNs that employ multiple security systems, like additional hardware devices, software patches and security standards, can be considered secure. In most cases, security vulnerabilities will be introduced by the users, rather than the system.

The network layout, Lan 192.168.0.0 is connected to the Zywall. Lan 192.168.1.0 is connected to the Pix with a pool of public addresses x.x.x.192 /26 between it and a 1720 router.

The Pix config.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list To-Internet permit ip 192.168.1.0 255.255.255.0 any
access-list To-Internet permit ip 192.168.2.0 255.255.255.0 any
access-list To-Internet permit icmp any any
access-list From-Internet permit tcp any host x.x.x.196 eq smtp
access-list From-Internet permit icmp any x.x.x.192 255.255.255.192 echo
access-list From-Internet permit icmp any x.x.x.192 255.255.255.192 echo-reply
access-list From-Internet permit icmp any x.x.x.192 255.255.255.192 unreachable
access-list From-Internet permit icmp any x.x.x.192 255.255.255.192 time-exceeded
access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 110 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 //iS this necessary?
access-list to-internet permit icmp any any

ip address outside x.x.x.194 255.255.255.192
ip address inside 192.168.1.25 255.255.255.0
ip audit info action alarm reset
ip audit attack action alarm reset
ip local pool NONATippool 192.168.2.1-192.168.2.254

global (outside) 1 x.x.x.251
nat (inside) 0 access-list NoNAT
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) x.x.x.196 192.168.1.1 netmask 255.255.255.255 0 0
access-group From-Internet in interface outside
access-group To-Internet in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.193 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set MyCOTransf esp-3des esp-md5-hmac
crypto dynamic-map MYCOdynmap 10 set transform-set MYCOTransf
crypto map MYCOmap 10 ipsec-isakmp dynamic MYCOdynmap
crypto map MYCOmap client configuration address initiate
crypto map MYCOmap client configuration address respond
crypto map MYCOmap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp identity address
isakmp client configuration address-pool local MYCOippool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
vpngroup MYCOvpn address-pool NONATippool
vpngroup MYCOvpn dns-server 205.171.3.65
vpngroup MYCOvpn wins-server 192.168.1.1
vpngroup MYCOvpn default-domain MYCOMPANY.com
vpngroup MYCOvpn idle-time 1800
vpngroup MYCOvpn password ********
vpngroup MYCO address-pool NONATippool
vpngroup MYCO dns-server 192.168.1.1 205.171.3.65
vpngroup MYCO wins-server 192.168.1.1
vpngroup MYCO default-domain MYCO.com
vpngroup MYCO idle-time 1800
vpngroup MYCO password ********
telnet 192.168.2.0 255.255.255.0 outside
telnet 192.168.1.0 255.255.255.0 inside
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local NONATippool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username xxxx password xxxx
vpdn username yyyy password yyyyy
vpdn username zzzz password zzzzz
vpdn enable outside
terminal width 80
Cryptochecksum:
: end
[OK]
MYCOFW# exit

The Zywall config.

Menu 27.1.1 - IPSec Setup

Index #= 1 Name= Work
Active= Yes Keep Alive= Yes Nat Traversal= No
Local ID type= IP Content=
My IP Addr= 0.0.0.0
Peer ID type= IP Content= x.x.x.194
Secure Gateway Address= x.x.x.194
Protocol= 17
Local: Addr Type= SUBNET
IP Addr Start= 192.168.0.0 End/Subnet Mask= 255.255.255.0
Port Start= 0 End= N/A
Remote: Addr Type= SUBNET
IP Addr Start= 192.168.1.0 End/Subnet Mask= 255.255.255.0
Port Start= 0 End= N/A
Enable Replay Detection= Yes
Key Management= IKE

Menu 27.1.1.1 - IKE Setup

Phase 1
Negotiation Mode= Main
PSK= ********
Encryption Algorithm= 3DES
Authentication Algorithm= MD5
SA Life Time (Seconds)= 28800
Key Group= DH2

Phase 2
Active Protocol= ESP
Encryption Algorithm= 3DES
Authentication Algorithm= MD5
SA Life Time (Seconds)= 28800
Encapsulation= Tunnel
Perfect Forward Secrecy (PFS)= None

Im using an ADSL connection with Dynamic IP. Is it possible to setup a VPN server (eg WIn2000) using this type of connection?

Yes.

Dynamic DNS services such as »www.dyndns.org allow you to use a Domain Name - either your own or one they will allocate to you - in place of an IP address in your VPN setup. Set-up is simple. When a router wants to contact your router, a DNS look-up is performed and the current IP address for the remote router is provided. More on Dynamic IP and VPN here: »www.technopagan.org/dynamic/

In Win2K, go to My Network Places -> Properties -> Create a New Connection -> Accept Incoming Connections.

In the dialog box for Devices for Incoming Connections, do not select any device. Click Next and check "Allow Private Connections", and then click Next again.

In the dialog box for Allowed Users, select or add all users for whom you want to enable access. The accounts must exist on all computers that will be involved in establishing the VPN connection.

In the New Connection Wizard, File and Printer Sharing for Microsoft Networks, Internet Protocol (TCP/IP) and Client for Microsoft Networks should all be enabled. "Allow callers to access my local area network" and "Assign TCP/IP address automatically using DHCP" are checked by default. To keep the default settings, just click Next. The "Incoming Connection" icon should then appear in My Network Places -> Properties and should be ready to use.

Check this Microsoft Article regarding some tools to verify that the network path for VPN is open.

PPTP Ping referred in that article can be found here.

See Bob Cerelli's Windows Site for a step-by-step guide.

See Bob Cerelli's Windows Site for a how-to guide.

See This Link for help in setting up a Windows 2000 client to connect to a VPN.