Virtual Private Networks Tutorial

Virtual private network technology is based on the idea of tunneling. VPN tunneling involves establishing and maintaining a logical network connection (that may contain intermediate hops). On this connection, packets constructed in a specific VPN protocol format are encapsulated within some other base or carrier protocol, then transmitted between VPN client and server, and finally de-encapsulated on the receiving side.

For Internet-based VPNs, packets in one of several VPN protocols are encapsulated within Internet Protocol (IP) packets. VPN protocols also support authentication and encryption to keep the tunnels secure.

In voluntary tunneling, the VPN client manages connection setup. The client first makes a connection to the carrier network provider (an ISP in the case of Internet VPNs). Then, the VPN client application creates the tunnel to a VPN server over this live connection.

In compulsory tunneling, the carrier network provider manages VPN connection setup. When the client first makes an ordinary connection to the carrier, the carrier in turn immediately brokers a VPN connection between that client and a VPN server. From the client point of view, VPN connections are set up in just one step compared to the two-step procedure required for voluntary tunnels.

Compulsory VPN tunneling authenticates clients and associates them with specific VPN servers using logic built into the broker device. This network device is sometimes called the VPN Front End Processor (FEP), Network Access Server (NAS) or Point of Presence Server (POS). Compulsory tunneling hides the details of VPN server connectivity from the VPN clients and effectively transfers management control over the tunnels from clients to the ISP. In return, service providers must take on the additional burden of installing and maintaining FEP devices.

VPN Tunneling Protocols

Several computer network protocols have been implemented specifically for use with VPN tunnels. The three most popular VPN tunneling protocols listed below continue to compete with each other for acceptance in the industry. These protocols are generally incompatible with each other.

Configuring PIX Firewall 1 with VPN Tunneling

Follow these steps to configure PIX Firewall 1:

Step 1 Define a host name:

hostname NewYork

Step 2 Configure an ISAKMP policy:

isakmp enable outside

isakmp policy 9 authentication pre-share

isakmp policy 9 encrypt des

Step 3 Configure a pre-shared key and associate with the peer:

crypto isakmp key cisco1234 address 209.165.200.229

Step 4 Configure the supported IPSec transforms:

crypto ipsec transform-set strong esp-des esp-sha-hmac

Step 5 Create an access list:

access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0

This access list defines traffic from network 192.168.12.0 to 10.0.0.0. Both of these networks use unregistered addresses.

Note Steps 5 and 6 are not required if you want to enable NAT for all traffic.

Step 6 Exclude traffic between the intranets from NAT:

nat 0 access-list 90

This excludes traffic matching access list 90 from NAT. The nat 0 command is always processed before any other nat commands.

Step 7 Enable NAT for all other traffic:

nat (inside) 1 0 0

Step 8 Assign a pool of global addresses for NAT and PAT:

global (outside) 1 209.165.202.129-209.165.202.159

global (outside) 1 209.165.202.160

The pool of registered addresses are only used for connections to the public Internet.

Step 9 Define a crypto map:

crypto map toSanJose 20 ipsec-isakmp

crypto map toSanJose 20 match address 90

crypto map toSanJose 20 set transform-set strong

crypto map toSanJose 20 set peer 209.165.200.229

Step 10 Apply the crypto map to the outside interface:

crypto map toSanJose interface outside

Step 11 Specify that IPSec traffic be implicitly trusted (permitted):

sysopt connection permit-ipsec