
Introduction to VPNs

When you use a private WAN connection from a service provider, you trust them to treat
your data confidentially. The service provider will make sure that they separate traffic from different
customers and that nobody else is able to see your data.
What about the Internet? When you send traffic from A to B using the Internet, you have no control
at all which networks are used to get from the source to the destination. Someone in between the
traffic path might be capturing your packets and you wouldn’t know.
VPNs (Virtual Private Network) help by establishing a secure connection over an insecure network,
such as the Internet. This is a great alternative to private WAN connections since Internet access is
usually cheaper and it’s available pretty much everywhere.
VPNs provide a couple of features such as:
• Confidentiality: preventing anyone from reading your data. This is implemented with
encryption.
• Authentication: verifying that the router/firewall or remote user that is sending VPN traffic
is a legitimate device or router.
• Integrity: verifying that the VPN packet wasn’t changed somehow during transit.
• Anti-replay: preventing someone from capturing traffic and resending it, trying to appear as
a legitimate device/user.

VPN Types
There are two common VPN types that we use:
• site-to-site VPN
• client-to-site VPN (remote user)

Let me give you some examples.

Site-to-site VPN
With a site-to-site VPN, we have a network device at each site, and between these two network
devices we build a VPN tunnel. Each end of the VPN tunnel encrypts the original IP packet,
adds a VPN header and a new IP header, and then forwards the encrypted packet to the other end of the
tunnel.
Here’s an example of a VPN tunnel:
Here’s what happens in the picture above:
• H1 sends an IP packet with source 192.168.1.1 and destination 192.168.2.2.
• R1 encrypts the IP packet, adds a VPN header and creates a new IP header with its own
public IP address as the source and 2.2.2.2 as the destination.
• R1 sends the new packet to R2.
• R2 receives the packet, checks if the packet really came from R1, decrypts it and forwards it
to H2.
• H2 receives the original IP packet.

In the example above I used two routers but firewalls like the Cisco ASA firewall are often used for
VPN tunnels.
Another advantage of VPN tunnels is that they allow LANs with private IP addresses to
communicate with each other.
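The R1/R2 exchange above, worked through in code, as an added example that is not part of the original lesson and is not IPsec: a toy tunnel endpoint that encrypts the inner packet, adds a VPN header (sequence number and MAC) and a new outer IP header, and on receipt checks source, integrity and a sliding anti-replay window before decrypting. The cipher is a keystream derived from HMAC-SHA256, chosen only to keep the example in the standard library; the keys, the 1.1.1.1 address for R1, and the packet contents are constructed for the example.

```python
import hmac
import hashlib
import secrets
import struct
from typing import Optional

# Toy model of the site-to-site flow in the text. NOT IPsec/ESP: the cipher is a
# keystream from HMAC-SHA256 in counter mode, used only to make the steps
# "encrypt, add VPN header, add new IP header" concrete. All keys, addresses
# and packets are constructed for this example.

REPLAY_WINDOW = 64  # accept a sequence number at most this far behind the highest seen


def _keystream(key: bytes, seq: int, length: int) -> bytes:
    """Per-packet keystream keyed by (key, seq); seq must never repeat under a key."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">QI", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class TunnelEndpoint:
    """One end of the tunnel (R1 or R2). A real deployment would use separate
    keys per direction; this toy shares one pair for brevity."""

    def __init__(self, public_ip: str, peer_ip: str, enc_key: bytes, auth_key: bytes):
        self.public_ip, self.peer_ip = public_ip, peer_ip
        self.enc_key, self.auth_key = enc_key, auth_key
        self.tx_seq = 0         # next sequence number to send
        self.rx_highest = 0     # highest sequence number accepted so far
        self.rx_seen = set()    # accepted sequence numbers inside the window

    def encapsulate(self, inner_packet: bytes) -> dict:
        """Confidentiality: encrypt the original packet. Integrity/authentication:
        MAC over sequence number + ciphertext. Then add the new outer IP header."""
        self.tx_seq += 1
        seq = self.tx_seq
        ciphertext = _xor(inner_packet, _keystream(self.enc_key, seq, len(inner_packet)))
        mac = hmac.new(self.auth_key, struct.pack(">Q", seq) + ciphertext, hashlib.sha256).digest()
        return {"src": self.public_ip, "dst": self.peer_ip, "seq": seq,
                "payload": ciphertext, "mac": mac}

    def decapsulate(self, outer: dict) -> Optional[bytes]:
        """Check the packet is from the peer, unmodified and not a replay;
        return the inner packet or None if it is rejected."""
        if outer["src"] != self.peer_ip or outer["dst"] != self.public_ip:
            return None                                   # not our tunnel peer
        expected = hmac.new(self.auth_key, struct.pack(">Q", outer["seq"]) + outer["payload"],
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, outer["mac"]):
            return None                                   # integrity/authentication failure
        seq = outer["seq"]
        # Anti-replay: sliding window. Already-accepted or too-old sequence numbers are dropped.
        if seq <= self.rx_highest - REPLAY_WINDOW or seq in self.rx_seen:
            return None
        self.rx_seen.add(seq)
        if seq > self.rx_highest:
            self.rx_highest = seq
            self.rx_seen = {s for s in self.rx_seen if s > seq - REPLAY_WINDOW}
        return _xor(outer["payload"], _keystream(self.enc_key, seq, len(outer["payload"])))


def demo() -> dict:
    """H1 -> R1 -> R2 -> H2 from the text, plus the rejection cases; returns
    a dict of check name -> bool (all expected True)."""
    enc_key, auth_key = secrets.token_bytes(32), secrets.token_bytes(32)  # constructed, shared out of band
    r1 = TunnelEndpoint("1.1.1.1", "2.2.2.2", enc_key, auth_key)          # 1.1.1.1 assumed for R1
    r2 = TunnelEndpoint("2.2.2.2", "1.1.1.1", enc_key, auth_key)
    inner = b"IP 192.168.1.1 -> 192.168.2.2 | hello H2"                    # constructed inner packet
    outer = r1.encapsulate(inner)
    results = {
        "payload_encrypted": outer["payload"] != inner,
        "r2_recovers_inner": r2.decapsulate(outer) == inner,
        "replay_rejected": r2.decapsulate(outer) is None,
    }
    tampered = dict(outer, payload=bytes([outer["payload"][0] ^ 1]) + outer["payload"][1:])
    results["tampered_rejected"] = r2.decapsulate(tampered) is None
    forged = dict(outer, src="3.3.3.3")
    results["wrong_source_rejected"] = r2.decapsulate(forged) is None
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The MAC covers the sequence number as well as the ciphertext, so an attacker cannot take a captured packet and renumber it to slip past the replay window; that coupling of integrity and anti-replay is the reason the two features are listed together above.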

Client-to-site VPN
The client-to-site VPN is also called the remote user VPN. The user installs a VPN client on his/her
computer, laptop, smartphone or tablet. The VPN tunnel is established between the user’s device
and the remote network device. Here’s an example:

In the picture above, the user has established a VPN tunnel between their VPN client and R1. This
allows the user to access a remote server.
VPN Protocols
There are a couple of VPN protocols, the most common ones are:
• IPSec
• PPTP
• L2TP
• SSL VPN

Let me give you an overview of each protocol.

IPSec
The IP protocol itself doesn’t have any security features at all, which is why IPSec was created.
IPSec is not a protocol but it’s a framework and offers confidentiality, integrity, authentication and
anti-replay features on layer three of the OSI model.
It uses a variety of protocols and the advantage of a framework is that the protocols it uses can
change in the future. For example, currently, we can use encryption algorithms like DES, 3DES or
AES but if a new algorithm is created, IPSec might use it in the future.
You can use IPSec for:
• Creating a site-to-site VPN tunnel.
• Creating a client-to-site (remote user) VPN tunnel.
• Between two servers to authenticate and/or encrypt traffic.

PPTP
PPTP (Point to Point Tunneling Protocol) is one of the older VPN protocols, it was released around
1995. It uses a GRE tunnel for tunneling and PPP for authentication (using MS-Chap or MS-Chap
v2). Encryption is done with the MPPE protocol.
Since it’s been around for a while, PPTP is supported on many clients and operating systems. PPTP,
however, has been proven insecure so you shouldn’t use this protocol anymore if you want to
protect your data.

L2TP
L2TP (Layer Two Tunneling Protocol) is an extension of PPTP and, as the name implies, allows us
to tunnel layer two traffic over layer three connections. L2TP can be used if you need to “bridge”
two remote LANs together and you want to use a single subnet on both sites. L2TP itself does not
offer any encryption, which is why we often use it together with IPSec. When you
use L2TP and IPSec together, it’s often referred to as L2TP/IPSec.

SSL VPN
SSL (Secure Sockets Layer) is a protocol that is normally used to encrypt traffic between a web
browser and web server. When you surf the web using HTTP, everything is clear text. For secure
connections, we use HTTPS. We can use the same technology for VPNs.
Even though it’s called SSL VPN, nowadays we use TLS (Transport Layer Security) for HTTPS,
which is the successor of SSL.
One of the advantages of SSL VPN is that since it uses HTTPS, you can use it pretty much
everywhere. Most public wifi hotspots do permit HTTPS traffic while some might block other
traffic like IPSec. Another reason why SSL VPN is popular is that you don’t always have to use a
software client.
Most SSL VPN solutions offer a “portal” through the web browser that you can use to access
applications. For some advanced features, you might have to install a software client.

Conclusion
In this lesson you have learned some of the basics of VPNs:
• VPNs can be used as an alternative to private WAN connections and offer a secure
connection over an insecure medium, such as the Internet.
• VPNs offer features such as confidentiality, authentication, integrity and anti-replay.
• The two most common VPN types are site-to-site VPNs and client-to-site VPNs.
• Some common VPN protocols are:
    • IPSec: a framework that provides security on layer three of the OSI model.
    • PPTP: an old VPN protocol that uses PPP and GRE, insecure and should not be used
      anymore.
    • L2TP: a VPN protocol that tunnels layer two traffic, does not offer any encryption so
      should be used together with IPsec.
    • SSL VPN: uses SSL (HTTPS) to create a secure connection with the web browser.

Multiprotocol Label Switching

Multiprotocol Label Switching (MPLS) is a Layer-2 switching
technology. MPLS-enabled routers apply numerical labels to packets, and
can make forwarding decisions based on these labels. The MPLS
architecture is detailed in RFC 3031.

MPLS reduces CPU usage on routers by allowing routers to make
forwarding decisions solely on the attached label, as opposed to parsing the
full routing table.
Labels can be based on a variety of parameters:
• Destination IP network
• Source IP address
• QoS parameters
• VPN destination
• Outgoing interface
• Layer-2 circuit
MPLS is not restricted to IP, or any specific Layer-2 technology, and thus is
essentially protocol-independent.
Labels are applied to and removed from packets on edge Label Switch
Routers (edge LSRs). Only edge routers perform a route-table lookup on
packets. All core routers (identified simply as LSRs) in the MPLS network
forward solely based on the label.
As a packet traverses the core MPLS network, core routers will swap the
label on a hop-by-hop basis.
MPLS is completely dependent on Cisco Express Forwarding (CEF) to
determine the next hop.

Cisco Express Forwarding (CEF)

Multilayer switches contain both a switching and routing engine. A packet
must first be “routed,” allowing the switching engine to cache the IP traffic
flow. After this cache is created, subsequent packets destined for that flow
can be “switched” as opposed to “routed,” reducing latency.
This concept is often referred to as route once, switch many. Cisco refers to
this type of Multilayer switching as NetFlow switching or route cache
switching.
As is their habit, Cisco replaced NetFlow multilayer switching with a more
advanced method called Cisco Express Forwarding (CEF). CEF is
enabled by default on all Catalyst multi-layer switches (at least, those that
support CEF). CEF cannot even be disabled on the Catalyst 3550, 4500 and
6500.
CEF contains two basic components:
• Layer 3 Engine – Builds the routing table and then “routes” data
• Layer 3 Forwarding Engine – “Switches” data based on the FIB.
The Layer 3 Engine builds its routing table using either static routes, or
routes dynamically learned through a routing protocol (such as RIP or
OSPF).
The routing table is then reorganized into a more efficient table called the
Forwarding Information Base (FIB). The most specific routes are placed at
the top of the FIB. The Layer 3 Forwarding Engine utilizes the FIB to then
“switch” data in hardware, as opposed to “routing” it through the Layer 3
Engine’s routing table.
The FIB contains the following information:
• Destination networks
• Destination masks
• Next-hop addresses
• The MAC addresses of each next hop (called the Adjacency Table)
To view the CEF FIB table:
Switch# show ip cef
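The two mechanisms described above, the CEF FIB (routes ordered most specific first, next hop resolved to a MAC through the adjacency table) and MPLS label forwarding (route lookup only on the edge LSRs, label swap in the core), combined in one worked model. This is an added example, not code from the original text or from Cisco: the topology H1 - R1 (edge) - R2 (core) - R3 (edge) - H2, the prefixes, labels and MAC addresses are all constructed, and label distribution (LDP/RSVP-TE) is not modelled, so the label tables are static.

```python
import ipaddress

# Added example: a minimal CEF FIB with longest-prefix match feeding MPLS
# push/swap/pop. Topology, prefixes, labels and MACs are constructed:
#   H1 -- R1 (ingress edge LSR) -- R2 (core LSR) -- R3 (egress edge LSR) -- H2


class Fib:
    """CEF-style Forwarding Information Base: routes sorted most specific first,
    plus an adjacency table mapping each next hop to its MAC address."""

    def __init__(self, routes, adjacency):
        # routes: (prefix, next_hop, outgoing MPLS label or None)
        self.entries = sorted(
            ((ipaddress.ip_network(p), nh, lbl) for p, nh, lbl in routes),
            key=lambda e: e[0].prefixlen, reverse=True)   # most specific at the top
        self.adjacency = adjacency                         # next_hop -> MAC

    def lookup(self, dst):
        """Longest-prefix match: because the table is sorted by prefix length,
        the first entry containing dst is the most specific one."""
        addr = ipaddress.ip_address(dst)
        for prefix, next_hop, label in self.entries:
            if addr in prefix:
                return {"prefix": str(prefix), "next_hop": next_hop,
                        "mac": self.adjacency[next_hop], "label": label}
        return None


# R1 (ingress edge LSR): the only router that consults a route table on the way in.
R1_FIB = Fib(
    routes=[("10.2.0.0/16", "R2", 100),    # whole remote site reached via label 100
            ("10.2.5.0/24", "R2", 200),    # more specific subnet, its own label 200
            ("0.0.0.0/0", "ISP", None)],   # default route, plain IP forwarding
    adjacency={"R2": "00:00:00:00:00:02", "ISP": "00:00:00:00:00:99"})

# R2 (core LSR): label forwarding table only. incoming label -> (outgoing label, next hop)
R2_LFIB = {100: (300, "R3"), 200: (400, "R3")}

# R3 (egress edge LSR): pops the label, then a normal FIB lookup on the exposed IP packet.
R3_LFIB = {300: None, 400: None}           # None = pop
R3_FIB = Fib(
    routes=[("10.2.0.0/16", "H-vlan10", None), ("10.2.5.0/24", "H-vlan5", None)],
    adjacency={"H-vlan10": "00:00:00:00:10:01", "H-vlan5": "00:00:00:00:05:01"})


def forward(dst):
    """Trace one packet hop by hop; returns a list of (router, action, detail)."""
    hit = R1_FIB.lookup(dst)
    if hit is None:
        return [("R1", "drop", "no route")]
    if hit["label"] is None:
        return [("R1", "ip-forward", hit["mac"])]        # not label switched
    label = hit["label"]
    trace = [("R1", "push", label)]                       # one route lookup, label imposed
    out_label, _next_hop = R2_LFIB[label]
    trace.append(("R2", "swap", out_label))              # core: label swap, no route lookup
    if R3_LFIB[out_label] is None:
        trace.append(("R3", "pop", out_label))
    hit = R3_FIB.lookup(dst)                             # egress: second and last route lookup
    trace.append(("R3", "ip-forward", hit["mac"]))
    return trace


if __name__ == "__main__":
    for d in ("10.2.5.7", "10.2.9.1", "8.8.8.8"):
        print(d, forward(d))
```

Note that 10.2.5.7 is covered by both 10.2.0.0/16 and 10.2.5.0/24; the /24 sits higher in the FIB and wins, so the packet enters the core with label 200 rather than 100, which is exactly the "most specific routes at the top" ordering the text describes.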
