VPNOverview

In today's digital age, where our lives are intertwined with the virtual world, ensuring our online privacy and security has become more crucial than ever. One powerful tool that has gained immense popularity is a Virtual Private Network, commonly known as a VPN. In this blog post, we will delve into the world of VPNs, understanding what they are, how they work, and why they are essential.

A VPN is a technology that establishes a secure and encrypted connection between your device and the internet. It acts as a tunnel, routing your internet traffic through an encrypted server, providing you with a new IP address and effectively hiding your online identity. This layer of encryption ensures that your online activities remain private and protected from prying eyes.

Enhanced Online Security: By encrypting your internet connection, a VPN shields your personal information from hackers, cybercriminals, and other malicious entities. It prevents unauthorized access to your sensitive data, such as passwords, credit card details, and browsing history, while using public Wi-Fi networks or even at home.

Anonymity and Privacy: One of the primary advantages of a VPN is the ability to maintain anonymity online. With a VPN, your real IP address is masked, making it difficult for websites and online services to track your online activities. This ensures your privacy and allows you to browse the internet without leaving a digital footprint.

Bypassing Geo-restrictions: Another remarkable feature of VPNs is the ability to bypass geo-restrictions. By connecting to a server in a different country, you can access content that is otherwise restricted or blocked in your region. Whether it's streaming platforms, social media, or accessing websites in censored countries, a VPN opens up a world of possibilities.

Server Network and Locations: When selecting a VPN, consider the size and diversity of its server network. The more server locations available, the better chances of finding a server close to your physical location. This ensures faster connection speeds and a smoother browsing experience.

Strong Encryption and Protocols: Ensure that the VPN provider uses robust encryption protocols like OpenVPN, IKEv2, or WireGuard. These protocols offer high levels of security and can safeguard your data effectively. Additionally, check for features like a kill switch that automatically disconnects your internet if the VPN connection drops, preventing any potential data leaks.

User-Friendly Interface: A user-friendly and intuitive interface is essential for a smooth VPN experience. Look for VPN providers that offer easy-to-use apps for various devices and operating systems. A well-designed interface makes it effortless to connect to a VPN server and customize settings according to your preferences.

In conclusion, a VPN is an indispensable tool for anyone concerned about their online privacy and security. Not only does it encrypt your internet connection and protect your sensitive data, but it also offers the freedom to browse the internet without limitations. By choosing the right VPN provider and understanding its features, you can enjoy a safe and private online experience like never before.

Highlights: VPNOverview

The Role of VPNs

A virtual private network (VPN) is a secure way to connect to a remote computer or network over the internet, allowing users to access otherwise unavailable resources. It is a private network that uses encryption technology to protect data traveling between two points, such as computers or a computer and a server. Companies commonly use VPNs to secure remote access to their internal networks and are also popular among individuals for protecting their privacy on the internet.

A VPN creates an encrypted tunnel between the user’s computer and the remote network. All data that passes through this tunnel is secured and encrypted, making it much more difficult for hackers to intercept. This also allows users to access websites and services that their local government or ISP may block. VPNs can also spoof a user’s location, allowing them to access geo-restricted content.

When setting up a VPN, users have several options. They can use a dedicated VPN service or configure their own VPN using open-source software. The type of VPN protocol used can also vary depending on the security requirements and desired performance.

Diagram: GRE without IPsec

VPN network. Layer 2 and Layer 3 technologies

Virtual Private Networks ( VPNs ) are popular among businesses and individuals who access the Internet regularly and are provided by various suppliers. They are available as Layer 2 and Layer 3 technologies. They act as extensions, expanding private networks over public networks. Groups of different users share public networks; if privacy is required, encryption must be deployed to secure endpoint communication. The Internet is the most prevalent and widely known “public” network. In its simplest form, a VPN connects two endpoints to form a logical connection.

VPNs provide a couple of features such as:

  • Confidentiality: preventing anyone from reading your data. This is implemented with encryption.
  • Authentication: verifying that the router/firewall or remote user sending VPN traffic is a legitimate device or user.
  • Integrity: verifying that the VPN packet wasn’t changed somehow during transit.
  • Anti-replay: preventing someone from capturing traffic and resending it, trying to appear as a legitimate device/user.
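To make these four properties concrete, here is an added Python example (not code from the original post) that models a simplified ESP-style packet: a sequence number, a payload encrypted under a per-SA key, and an HMAC integrity check value, with the receiver verifying integrity first and then enforcing a sliding anti-replay window the way IPsec ESP does. The keys, the 64-entry window and the HMAC-SHA256 counter-mode keystream are constructed for illustration; a real ESP SA takes its keys from IKE and uses a negotiated cipher such as AES.

```python
import hashlib
import hmac
import struct

# Constructed demo keys; a real IPsec SA receives these from the IKE negotiation.
ENC_KEY = b"\x01" * 32
AUTH_KEY = b"\x02" * 32
WINDOW_SIZE = 64          # size of the anti-replay window (RFC 4303 minimum is 32)


def keystream(key: bytes, seq: int, length: int) -> bytes:
    """Illustrative keystream: HMAC-SHA256 in counter mode, bound to the sequence
    number. It stands in for the AES counter-mode cipher a real ESP SA would use."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack("!IQ", seq, counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect(seq: int, plaintext: bytes) -> bytes:
    """Sender side: seq | ciphertext | 16-byte ICV (confidentiality + integrity)."""
    header = struct.pack("!I", seq)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(ENC_KEY, seq, len(plaintext))))
    icv = hmac.new(AUTH_KEY, header + ct, hashlib.sha256).digest()[:16]
    return header + ct + icv


class Receiver:
    """Receiver side: integrity check, then sliding-window anti-replay, then decrypt."""

    def __init__(self):
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) already seen

    def receive(self, packet: bytes):
        header, ct, icv = packet[:4], packet[4:-16], packet[-16:]
        expected = hmac.new(AUTH_KEY, header + ct, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(icv, expected):
            return None, "integrity failure"        # packet changed in transit
        seq = struct.unpack("!I", header)[0]
        if seq > self.highest:
            # Slide the window forward and mark the new highest as seen.
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW_SIZE) - 1)
            self.highest = seq
        else:
            offset = self.highest - seq
            if offset >= WINDOW_SIZE:
                return None, "too old"               # fell off the left edge of the window
            if self.bitmap & (1 << offset):
                return None, "replay"                # captured and resent packet
            self.bitmap |= 1 << offset               # late but genuine: accept once
        pt = bytes(c ^ k for c, k in zip(ct, keystream(ENC_KEY, seq, len(ct))))
        return pt, "ok"


if __name__ == "__main__":
    rx = Receiver()
    first = protect(1, b"hello")
    print(rx.receive(first))      # accepted
    print(rx.receive(first))      # replayed copy is rejected
```

The integrity check runs before the replay check so that a forged sequence number cannot disturb the window state; only packets that already carry a valid ICV can advance it.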

Diagram: GRE with IPsec

VPN Types

There are two common VPN types that we use:

Site-to-site VPN

With the site-to-site VPN, we have a network device at each site. Between these two network devices, we build a VPN tunnel. Each end of the VPN tunnel encrypts the original IP packet, adds a VPN header and a new IP header, and then forwards the encrypted packet to the other end.

Client-to-site VPN

The client-to-site VPN is also called the remote user VPN. The user installs a VPN client on his/her computer, laptop, smartphone, or tablet. The VPN tunnel is established between the user’s device and the remote network device.

IPSec: VPN Protocols

IPSEC, short for Internet Protocol Security, is a protocol for secure Internet communication. VPN, or Virtual Private Network, extends a private network across a public network, enabling users to send and receive data as if their devices were directly connected to the private network. IPSEC VPN combines the power of both these technologies to create a secure and private connection over the internet.

IPSec was created because IP itself lacks security features. At layer three of the OSI model, IPSec provides confidentiality, integrity, authentication, and anti-replay features, but it isn’t a single protocol; it is a framework.

Frameworks use a variety of protocols, and the advantage is that these can be changed in the future. IPSec can use encryption algorithms such as DES, 3DES, or AES, and if a new encryption algorithm is developed, IPSec can adopt it.

IPSec can be used for a variety of purposes:

  • Setting up a VPN tunnel from one site to another.
  • Tunneling a client-to-site VPN (remote user).
  • Authenticating and encrypting traffic between two servers.

Diagram: Site to Site VPN

PPTP

Developed by Microsoft, PPTP is a widely used VPN protocol that creates an encrypted tunnel between your device and the Internet. It operates at the data link layer of the OSI model and is supported by most operating systems, including Windows, macOS, Linux, Android, and iOS. Its simplicity and compatibility make it an attractive choice for many users.

An older VPN protocol, PPTP (Point to Point Tunneling Protocol), was released around 1995. A GRE tunnel is used for tunneling, and PPP is used for authentication (MS-CHAP or MS-CHAP v2). MPPE is used for encryption.

As PPTP has been around for a while, many clients and operating systems support it. PPTP, however, has been proven to be insecure, so you shouldn’t use it anymore.

L2TP VPN

L2TP VPN is a protocol for creating a tunnel between two endpoints over an existing network infrastructure. It operates at the data link layer of the OSI model and combines the best features of the L2F (Layer 2 Forwarding) and PPTP (Point-to-Point Tunneling Protocol) technologies. L2TP itself only encapsulates data packets; confidentiality and integrity during transmission come from pairing it with IPSec.

In L2TP (Layer Two Tunneling Protocol), layer two traffic is tunneled over layer three connections, as the name suggests. Using L2TP, you can connect two remote LANs using a single subnet on both sites if you need to “bridge” them together. Because L2TP does not offer encryption, we often use it with IPSec. L2TP/IPSec is the combination of L2TP and IPSec.

SSL VPN

SSL VPN is a technology that allows users to establish a secure encrypted connection to a private network over the internet. Unlike traditional VPNs, which often require dedicated software or hardware, SSL VPN leverages the widely used web browser for connectivity. This makes it highly convenient and accessible for users across different devices and platforms. HTTPS (HTTP over SSL/TLS) encrypts traffic between a web browser and a web server: plain HTTP lets you browse the web in clear text, while HTTPS is used for secure connections. The same technology can be used for VPNs as well.

Since SSL VPN uses HTTPS, you can use it pretty much anywhere. Most public WiFi hotspots allow HTTPS traffic, while they may block other traffic, such as IPSec. SSL VPN is also popular because you don’t have to use client software. Most SSL VPN solutions can access applications through a web browser portal. However, some advanced features may require a software client.

VPN Technologies: Layer 2 and Layer 3 VPN

A VPN is a logical connection between two endpoints over a public network. Based on this logical connection model, VPN technologies can be classified as Layer 2 or Layer 3 VPNs. The concept of establishing connectivity between sites over a Layer 2 or Layer 3 VPN is the same: a “delivery header” is added before the payload to get it to the destination site. The delivery header is placed at Layer 2 in Layer 2 VPNs and at Layer 3 in Layer 3 VPNs. GRE, L2TP, MPLS, and IPSec are examples of Layer 3 VPNs; ATM and Frame Relay are examples of Layer 2 VPNs.

Example site to site VPN: GRE as the tunneling protocol

The Generic Routing Encapsulation (GRE) protocol plays a crucial role in overlay virtual networks. GRE encapsulates packets from one network protocol within packets of another, allowing them to traverse different network infrastructures. This encapsulation enables the creation of virtual tunnels, which can securely transmit data across disparate networks. GRE provides a versatile solution for overlay virtual networks by allowing the encapsulation of various protocols, including IPv4, IPv6, and even non-IP protocols.
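As an added example (not code from the original post), the following Python builds and strips the GRE delivery header described above around a constructed inner IPv4 packet, so the encapsulation, the outer IP protocol number 47, and the absence of any encryption are visible byte by byte. The addresses, the zeroed checksums and the inner packet are constructed for illustration; the decapsulation side also skips the optional checksum, key and sequence fields of RFC 2784/2890 when their flag bits are set.

```python
import struct

IP_PROTO_GRE = 47
GRE_PROTO_IPV4 = 0x0800
GRE_PROTO_IPV6 = 0x86DD


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; the checksum is left zero for this illustration."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ip_bytes(src), ip_bytes(dst))


def gre_encapsulate(outer_src: str, outer_dst: str, inner_packet: bytes,
                    proto: int = GRE_PROTO_IPV4) -> bytes:
    """Prepend the delivery header: outer IPv4 (protocol 47) + 4-byte GRE header.
    GRE does not encrypt; the passenger packet rides in clear text unless IPsec is added."""
    gre = struct.pack("!HH", 0, proto)          # flags/version = 0, protocol type
    outer = ipv4_header(outer_src, outer_dst, IP_PROTO_GRE, 4 + len(inner_packet))
    return outer + gre + inner_packet


def gre_decapsulate(packet: bytes):
    """Strip the outer IPv4 and GRE headers; return (protocol type, inner packet)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IP_PROTO_GRE:
        raise ValueError("outer packet is not GRE")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x0007:                          # version bits must be 0 for GRE
        raise ValueError("unsupported GRE version")
    offset = ihl + 4
    if flags & 0x8000:                          # C bit: checksum + reserved1
        offset += 4
    if flags & 0x2000:                          # K bit: key
        offset += 4
    if flags & 0x1000:                          # S bit: sequence number
        offset += 4
    return proto, packet[offset:]


def build_demo():
    """Constructed inner IPv4/ICMP packet wrapped in a GRE tunnel between two sites."""
    icmp_echo = b"\x08\x00\x00\x00\x00\x01\x00\x01"
    inner = ipv4_header("10.1.1.1", "10.2.2.2", 1, len(icmp_echo)) + icmp_echo
    outer = gre_encapsulate("203.0.113.1", "198.51.100.1", inner)
    return inner, outer


if __name__ == "__main__":
    inner, outer = build_demo()
    print("outer length", len(outer), "inner visible in clear:", inner in outer)
    print(gre_decapsulate(outer))
```

Because the passenger packet appears unchanged inside the outer packet, anyone on the transit path can read it; this is the gap that "GRE with IPsec" closes by encrypting the GRE packet as ESP payload.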

Diagram: GRE configuration

Before you proceed, you may find the following posts helpful:

  1. IPsec Fault Tolerance
  2. SSL Security
  3. Dead Peer Detection
  4. SDP VPN
  5. Generic Routing Encapsulation


Key VPNOverview Discussion Points:


  • Introduction to VPNs and what is involved.

  • Highlighting the details of Layer 2 and Layer 3 VPNs.

  • Critical points on IPsec and how it works.

  • Technical details on the encryption stages and the different IKE modes.

  • Technical details on NAT-T and IPsec.

Lab guide with DMVPN. A layer 3 VPN over the WAN.

DMVPN can be used as an overlay with IPsec or GRE. It builds VPN tunnels between the DMVPN hub and the spokes, creating a DMVPN network. Depending on the DMVPN phase, we will have different VPN characteristics and routing techniques. DMVPN started with Phase 1, the traditional hub-and-spoke model, and has progressed to DMVPN Phase 3, which is more widely used today and offers on-demand spoke-to-spoke tunnels.

The screenshot from the lab guide below shows R11 as the hub and R31 as the spoke. We are operating with DMVPN Phase 3. We know this because a “Traffic Indication” message is sent from R11 to the spokes. A “Traffic Indication” is core to DMVPN Phase 3 and is used when there has been spoke-to-spoke traffic.

The hub tells the spoke that there is a more optimal path and to go directly to the other spoke instead of via the hub. Another key VPN configuration value for DMVPN Phase 3 is the command tunnel mode gre multipoint on the spokes. Both spokes and hubs use multipoint GRE instead of point-to-point GRE.

Diagram: DMVPN Phase 3 configuration

Back to basics with VPNOverview

Concepts of VPN

A VPN allows users to expand a private network across an untrusted network. The term “Virtual” emphasizes that a logical private connection virtually extends the private network. A VPN can be secure or insecure; we can use IPsec to secure it. When IPsec VPNs are used, traffic is protected to ensure that an observer cannot view the plaintext data.

Almost every operating system ships with an IPsec VPN client, and numerous hardware devices provide various IPsec VPN gateway functionality. As a result, IPsec VPNs are a popular choice now for secure connectivity over the Internet or for delivering secure communications over untrusted networks.


Concepts of IPSec

IPsec (Internet Protocol Security) is a network security protocol that encrypts IP packets. It protects data communications between two or more computers by providing authentication and encryption. It is one of the world’s most widely used security protocols, as it is the de facto standard for protecting data in transit across the Internet. It also secures private networks, such as those used by corporations and government agencies.

IPsec works by authenticating and encrypting each IP packet of a communication session. It uses two main protocols to provide this security: Authentication Header (AH) and Encapsulating Security Payload (ESP). AH provides authentication and data integrity, while ESP also includes encryption. The two protocols can be used together or separately to provide the desired level of security.

IPsec can secure various communication protocols, including TCP, UDP, and ICMP. It is also used to protect mobile devices, such as smartphones, which require secure communication between them and the network they are attached to. IPsec also provides an additional layer of security through access control: only authenticated peers can access the protected data. This is especially important when protecting sensitive information and corporate data.

Diagram: IPsec VPN. Source: Wikimedia.

Concepts of IKEv1 vs IKEV2

IKEv1 and IKEv2 are two major versions of the Internet Key Exchange (IKE) protocol; both are used to create secure Virtual Private Networks (VPNs). IKEv1 was the original version, developed in 1998, and IKEv2 was released in 2005.

Both versions of IKE use the same cryptographic algorithms and protocols, but IKEv2 is the more secure version due to its additional features. For example, IKEv2 is capable of automatic re-keying, which IKEv1 does not support, and the IKEv2 protocol is implemented in a more structured and modular way than IKEv1. Additionally, IKEv2 has more advanced authentication methods, such as EAP and XAUTH, and supports the authentication of multiple peers.

IKEv2 is also more efficient than IKEv1, as it is designed to reduce the amount of data sent over the network. This helps to increase the speed of the VPN connection. Finally, IKEv2 is more resilient in the face of network issues and disruptions, as it supports the ability to reconnect automatically.

It is important to note that IKEv1 and IKEv2 have advantages and drawbacks. For example, IKEv1 is more straightforward to deploy and configure but is less secure than IKEv2. On the other hand, IKEv2 is more secure but may require more effort to set up.

When deciding between IKEv1 and IKEv2, the network’s security requirements and the VPN connection’s desired performance must be considered.

Layer 3 and Layer 2 VPNs

Firstly, let’s start with the basics of Layer 2 and Layer 3 VPNs. Layer 2 virtual private network: Frame Relay or ATM Permanent Virtual Circuits ( PVC ) utilize someone else’s public transport to build private tunnels with virtual circuits ( VC ). A Virtual Private LAN Service ( VPLS ) network creates tunnels over the Multi-Protocol Label Switched ( MPLS ) core. Ethernet VLAN or QinQ is also an example of a Layer 2 VPN.

Layer 3 virtual private network: Generic Routing Encapsulation ( GRE ) tunnels and MPLS tunnels between service providers and customers are examples of a Layer 3 VPN. Internet Protocol Security ( IPsec ) tunnels, the focus of this post, are also an example of a Layer 3 VPN. The critical advantage of Layer 3 IPsec VPNs is their independence from the access method: you can establish a VPN as long as you have IPv4 or IPv6 connectivity between the two endpoints. VPNs do not require encryption, but encryption can take place if needed.

What is Internet Protocol Security ( IPsec )?

IPsec is a protocol suite that provides security services for IP packets at the network layer. It creates point-to-point security associations between tunnel endpoints and authenticates and encrypts packets. It is a broad term that encompasses the features illustrated below:

Diagram: VPN overview

VPNoverview and encryption

In the next stage of this overview, we will discuss encryption. VPNs encrypt packets with symmetric ciphers, e.g., DES, 3DES, and AES. Ciphers rely on key exchange: with a symmetric cipher, the key used to encrypt on one side is the same key used to decrypt on the other side. The same key is used at both endpoints.

Symmetric encryption contrasts with asymmetric encryption ( public key algorithms ), which utilizes separate public and private keys – one for encryption and another for decryption. The encryption key is known as the public key and is made public. The private key is kept secret and used for decryption.

Encryption takes plain text and makes it incomprehensible to unauthorized recipients. A matching key is required to decode the “incomprehensible” text into readable form. Decryption is the reverse of encryption. It changes the encrypted data back to plain text form. Encryption takes effect AFTER Network Address Translation ( NAT ) and Routing.

IPsec and ISAKMP

The Cisco ASA uses ISAKMP negotiations and IPsec security features to establish and maintain tunnels for LAN-to-LAN and client-to-LAN VPNs. Tunnels are dynamically negotiated with the control plane protocols IKEv1/IKEv2 over UDP port 500. ISAKMP is a protocol that allows two VPN endpoints to agree on and build IPsec security associations. The ASA supports both ISAKMP version 1 and ISAKMP version 2. IKEv1 supports connections from legacy Cisco VPN clients, and IKEv2 supports the AnyConnect VPN client.

There are two main phases for tunnel establishment. The first phase objective is to establish and create a tunnel. The second Phase governs traffic within the tunnel. ISAKMP security associations govern tunnel establishment, and IPsec security associations govern traffic within the tunnel.

Key elements agreed upon in Phase 1 before endpoints proceed to Phase 2:

Phase 1
  • Establishes a preliminary tunnel used to protect later ISAKMP negotiation messages.
  • Securely negotiates the encryption parameters for Phase 2.
  • Results in an ISAKMP SA.

Phase 2
  • Creates the secure tunnel used to protect endpoint data.
  • The IPsec SA is used to transport protected traffic.
  • Tunnel mode, AH** and ESP are negotiated.
  • Results in an IPsec SA.

**AH only supports authentication and is therefore rarely used for VPN. AH can be used in IPv6 OSPFv3 for neighbor authentication.

KEY POINT: Phase 1 is bidirectional, whereas Phase 2 creates two unidirectional security associations, one per direction. Phase 2 ESP and AH cannot be inspected by default ASA policies, which may become problematic for stateful firewalls. Phase 1 uses IKE over UDP (port 500), which is inspected by default.
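The following Python example is added here and is not part of the original post. It walks through the core of Phase 1 with pre-shared-key authentication, a Diffie-Hellman exchange plus nonces, and derives the three ISAKMP SA keys that protect the later negotiation messages, following the SKEYID structure of RFC 2409 in simplified form: HMAC-SHA256 is fixed as the prf instead of being negotiated, a toy 127-bit prime stands in for a real MODP group, and cookies and nonces are generated locally. Running the same derivation on both sides shows why a pre-shared-key mismatch leaves the peers with different keys and Phase 1 fails.

```python
import hashlib
import hmac
import os

# Toy Diffie-Hellman group, constructed for illustration only. A real ISAKMP SA
# negotiates an RFC 3526 MODP group; a 127-bit prime offers no real security.
P = 2**127 - 1
G = 2


def dh_keypair():
    """Private exponent x and public value g^x mod p."""
    x = int.from_bytes(os.urandom(16), "big") % (P - 2) + 2
    return x, pow(G, x, P)


def prf(key: bytes, data: bytes) -> bytes:
    # RFC 2409 negotiates the prf; HMAC-SHA256 is fixed here to keep the example short.
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_isakmp_keys(psk: bytes, ni: bytes, nr: bytes, gxy: int,
                       cky_i: bytes, cky_r: bytes):
    """Simplified RFC 2409 derivation of the ISAKMP SA keys for pre-shared-key auth."""
    skeyid = prf(psk, ni + nr)                                      # SKEYID = prf(psk, Ni | Nr)
    g = gxy.to_bytes(16, "big")                                     # g^xy as bytes (toy group < 2^128)
    skeyid_d = prf(skeyid, g + cky_i + cky_r + b"\x00")             # seeds the Phase 2 (IPsec SA) keys
    skeyid_a = prf(skeyid, skeyid_d + g + cky_i + cky_r + b"\x01")  # authenticates later ISAKMP messages
    skeyid_e = prf(skeyid, skeyid_a + g + cky_i + cky_r + b"\x02")  # encrypts later ISAKMP messages
    return skeyid_d, skeyid_a, skeyid_e


def phase1_exchange(psk_initiator: bytes, psk_responder: bytes):
    """Run both peers and return (initiator_keys, responder_keys).

    Only cookies, nonces and DH public values cross the wire; the private exponents
    and the pre-shared key never do, which is what makes the derived keys private."""
    cky_i, cky_r = os.urandom(8), os.urandom(8)     # ISAKMP header cookies
    ni, nr = os.urandom(16), os.urandom(16)          # nonces, one per side
    xi, gi = dh_keypair()                            # initiator keypair (g^xi sent)
    xr, gr = dh_keypair()                            # responder keypair (g^xr sent)
    gxy_i = pow(gr, xi, P)                           # initiator computes (g^xr)^xi
    gxy_r = pow(gi, xr, P)                           # responder computes (g^xi)^xr
    assert gxy_i == gxy_r                            # Diffie-Hellman agreement on g^xy
    init_keys = derive_isakmp_keys(psk_initiator, ni, nr, gxy_i, cky_i, cky_r)
    resp_keys = derive_isakmp_keys(psk_responder, ni, nr, gxy_r, cky_i, cky_r)
    return init_keys, resp_keys


def phase1_succeeds(psk_initiator: bytes, psk_responder: bytes) -> bool:
    """Phase 1 only completes when both sides hold identical SKEYID_d/_a/_e."""
    init_keys, resp_keys = phase1_exchange(psk_initiator, psk_responder)
    return all(hmac.compare_digest(a, b) for a, b in zip(init_keys, resp_keys))


if __name__ == "__main__":
    print("matching PSK:", phase1_succeeds(b"s3cret", b"s3cret"))     # True
    print("mismatched PSK:", phase1_succeeds(b"s3cret", b"wrong"))    # False
```

SKEYID_a and SKEYID_e are exactly the "preliminary tunnel" of the table above: once both sides hold them, every later ISAKMP message, including the Phase 2 (quick mode) negotiation, is authenticated and encrypted with them.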

IKEv1 vs IKEv2

The main difference between IKEv1 and IKEv2 is the handling of authentication methods. With IKEv1, both endpoints must use the same authentication method; the configuration must be symmetric.

IKEv2 is more flexible and does not need symmetric authentication types—it is possible to have certificates at one end and pre-shared keys at the other end.

The IKE initiator sends all of its policies through a proposal. It’s up to the remote end to respond, check its own policies, and agree if the received policies are acceptable. Policies are matched sequentially: the first match is used, with an implicit deny at the bottom. IKEv2 allows multiple encryption algorithms and asymmetric authentication types for a single policy.

Two IKE modes: Main and aggressive mode

IKE has two modes of operation: Main Mode and Aggressive Mode.

Main Mode uses more ( 6 ) messages than Aggressive Mode and takes longer to process. It’s slower but protects the identities of the communicating peers.

Aggressive Mode uses fewer ( 3 ) messages, so it is quicker but less secure. Aggressive Mode reveals the endpoint identity, such as an IP address or Fully Qualified Domain Name ( FQDN ), because it does not wait for the secure tunnel before exchanging identities; this allows more flexible authentication.

NAT-T and IPsec

IPsec uses ESP to encrypt data. It does this by encapsulating the entire inner TCP/UDP datagram within the ESP header. Like TCP and UDP, ESP is an IP protocol, but unlike TCP and UDP, it carries no port information. The lack of ports prevents ESP from passing through NAT / PAT devices. NAT-T auto-detects transit NAT / PAT devices and encapsulates IPsec traffic in UDP datagrams using port 4500. By encapsulating ESP in UDP, the traffic now has port numbers, enabling it to pass through PAT/NAT gateways.

ISAKMP does not have the same problem, as its control plane already works on UDP. As with any data encryption, it is always important to compare what is on the market to keep your data safe.
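An added Python example (not code from the original post) that makes the port problem visible: it constructs plain ESP (IP protocol 50), IKE on UDP 500, and ESP wrapped in UDP 4500 as NAT-T does, classifies each packet, and runs it through a toy PAT gateway that can only build a translation entry when the packet carries a port to rewrite. It also shows how the receiver tells IKE from ESP on port 4500 using the four-byte zero "non-ESP marker" of RFC 3948. Addresses are from documentation ranges, checksums are left zero, and the ESP payload bytes are constructed.

```python
import struct

IP_PROTO_UDP, IP_PROTO_ESP = 17, 50
IKE_PORT, NAT_T_PORT = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefixes IKE carried on UDP 4500; an ESP SPI is never zero


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """20-byte IPv4 header (checksum zeroed for this illustration) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ip_bytes(src), ip_bytes(dst))
    return hdr + payload


def udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def esp(spi: int, seq: int, body: bytes) -> bytes:
    """ESP header: SPI and sequence number, followed by the (constructed) encrypted body."""
    return struct.pack("!II", spi, seq) + body


def classify(packet: bytes):
    """Return (description, (sport, dport)) or (description, None) when there are no ports."""
    ihl = (packet[0] & 0x0F) * 4
    proto, body = packet[9], packet[ihl:]
    if proto == IP_PROTO_ESP:
        return "ESP (IP protocol 50, no ports)", None
    if proto == IP_PROTO_UDP:
        sport, dport = struct.unpack("!HH", body[:4])
        payload = body[8:]
        if IKE_PORT in (sport, dport):
            return "IKE/ISAKMP on UDP 500", (sport, dport)
        if NAT_T_PORT in (sport, dport):
            if payload[:4] == NON_ESP_MARKER:
                return "IKE on UDP 4500 (non-ESP marker)", (sport, dport)
            return "ESP-in-UDP (NAT-T, UDP 4500)", (sport, dport)
        return "other UDP", (sport, dport)
    return "IP protocol %d" % proto, None


def source_of(packet: bytes):
    """(source IP as text, source port or None); used to inspect translation results."""
    src = ".".join(str(b) for b in packet[12:16])
    _, ports = classify(packet)
    return src, (ports[0] if ports else None)


class PatGateway:
    """Toy port address translation: one public IP, table keyed by (private src IP, sport)."""

    def __init__(self, public_ip: str):
        self.public_ip = ip_bytes(public_ip)
        self.table = {}
        self.next_port = 40000

    def outbound(self, packet: bytes):
        """Rewrite source IP and port; return None when the packet has no port to rewrite."""
        _, ports = classify(packet)
        if ports is None:
            return None                     # plain ESP: nothing for PAT to multiplex on
        ihl = (packet[0] & 0x0F) * 4
        key = (packet[12:16], ports[0])
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        pub_port = self.table[key]
        return (packet[:12] + self.public_ip + packet[16:ihl]
                + struct.pack("!H", pub_port) + packet[ihl + 2:])


if __name__ == "__main__":
    gw = PatGateway("203.0.113.1")
    plain = ipv4("192.168.1.10", "198.51.100.5", IP_PROTO_ESP, esp(0x1234, 1, b"\xaa" * 16))
    natt = ipv4("192.168.1.10", "198.51.100.5", IP_PROTO_UDP,
                udp(4500, 4500, esp(0x1234, 1, b"\xaa" * 16)))
    print(classify(plain), gw.outbound(plain))          # ESP: no ports, not translatable
    print(classify(natt), source_of(gw.outbound(natt)))  # NAT-T: translated
```

The same ESP header and body pass in both cases; the only difference is the UDP header NAT-T inserts, which gives the PAT gateway a port to rewrite and track. A firewall that allows UDP 500 and 4500 outbound is therefore enough for remote IPsec clients behind PAT, whereas plain ESP needs the gateway to special-case protocol 50.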

Summary: VPNOverview

In the digital age, where our lives are increasingly intertwined with the internet, safeguarding our online privacy has become more crucial than ever. One powerful tool that has gained significant popularity in recent years is the Virtual Private Network (VPN). In this blog post, we explored the world of VPNs, their benefits, and how they work to protect our online privacy.

Section 1: What is a VPN?

A VPN, or Virtual Private Network, is a technology that creates a secure and encrypted connection between your device and the internet. It acts as a tunnel, routing your internet traffic through remote servers, effectively hiding your IP address, and encrypting your data. This provides a layer of privacy and security, making it difficult for anyone to track your online activities.

Section 2: Benefits of Using a VPN

2.1 Enhancing Online Privacy:

One of the primary reasons people use VPNs is to enhance their online privacy. By masking their IP addresses and encrypting their data, VPNs prevent third parties, such as hackers or government agencies, from monitoring their online activities. This is particularly important when using public Wi-Fi networks, where their data is more vulnerable to interception.

2.2 Accessing Geo-Restricted Content:

Another significant advantage of VPNs is the ability to bypass geo-restrictions. With a VPN, you can connect to servers in different countries, effectively changing your virtual location. This allows you to access region-restricted content, such as streaming services, websites, or social media platforms that may otherwise be unavailable in your region.

Section 3: How VPNs Work

3.1 Encryption and Tunnelling:

When you connect to a VPN, your internet traffic is encrypted before it leaves your device. This encryption ensures that even if someone intercepts your data, it is unintelligible without the encryption key. Additionally, the tunneling aspect of VPNs ensures that your data is securely transmitted across the internet, protecting it from prying eyes.

3.2 VPN Protocols:

VPNs use different protocols to establish secure connections. Some popular protocols include OpenVPN, IKEv2, and L2TP/IPsec. Each protocol has its strengths and weaknesses, such as security level, speed, or compatibility with different devices. Choosing a VPN provider that supports reliable and secure protocols is essential.

Conclusion:

In conclusion, VPNs have become vital tools in safeguarding our online privacy. By encrypting our data, masking our IP addresses, and accessing geo-restricted content, VPNs provide a robust layer of security and privacy in the digital realm. Whether you’re concerned about protecting sensitive information or want to enjoy a more open and unrestricted internet experience, using a VPN is a smart choice.