Local area networks (LANs) are an organization's internal networks: the connections between the machines that belong to that organization. These networks are increasingly connected to the Internet through interconnection equipment. Companies very often need to communicate over the Internet with subsidiaries, customers, or staff who may be geographically distant.
However, data transmitted over the Internet is much more exposed than data travelling over an organization's internal network, because the path it takes is not defined in advance and it must cross a public infrastructure belonging to different entities. It is therefore entirely possible that, somewhere along the path, someone eavesdrops on the traffic or even hijacks it. Information that is sensitive for an organization or business should not be sent under such conditions.
The first solution to this need for secure communications is to link the remote networks with dedicated lines. However, since most businesses are not able to link two remote local area networks with a dedicated line, it is sometimes necessary to use the Internet as the transmission medium.
A good compromise is to use the Internet as the transmission medium together with a tunneling protocol, which means that the data is encapsulated and encrypted before being sent. The term Virtual Private Network (VPN for short) refers to the network artificially created in this way.
This network is said to be virtual because it links two "physical" networks (local area networks) using an unreliable connection (the Internet), and private because only computers which belong to a local area network on one end of the VPN or the other can "see" the data.
The VPN system, then, can provide a secure connection at a lower cost, as all that is needed is the hardware on either end. On the other hand, it cannot ensure a quality of service comparable to a leased line, as the physical network is public and therefore not guaranteed.
The word "tunnel" symbolizes the fact that, between the moment the data enters the VPN and the moment it leaves, it is encrypted and therefore incomprehensible to anyone not located at either end of the VPN, as if the data were travelling through a tunnel. In a two-machine VPN, the VPN client is the component that encrypts and decrypts the data on the user's end, and the VPN server (more often called the remote access server) is the component that decrypts the data on the organization's end.
That way, whenever a user needs to access the virtual private network, the request is transmitted unencrypted to the gateway system, which connects to the remote network using the public network's infrastructure as an intermediary and then transmits the request in encrypted form. The remote computer provides the data to the VPN server on its network, which sends the reply back encrypted. When the user's VPN client receives the data, it decrypts it and finally delivers it to the user.
The main tunneling protocols are:
Thus, with this kind of connection, remote machines on two local area networks are connected with a point-to-point connection (including an authentication/encryption system), and the packet is sent within an IP datagram.
This way, the local area network's data (as well as the addresses of the machines found in the message's header) is encapsulated within a PPP message, which is itself encapsulated within an IP message.
L2TP is a standard tunneling protocol (standardized in an RFC) which is very similar to PPTP. L2TP encapsulates PPP frames, which are themselves encapsulating other protocols (such as IP, IPX or NetBIOS).
IPSec is a protocol defined by the IETF that secures data transfers at the network layer. It is in fact a set of security extensions to the IP protocol that ensure the privacy, integrity, and authentication of the data sent.
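The following Go program is an added example, not code from the original article and not an implementation of any real tunneling protocol. It illustrates two points made above: the encapsulation idea (a LAN packet carrying private addresses is wrapped inside an outer packet addressed between the two gateways, as in the PPP-in-IP and L2TP descriptions) and the three IPSec goals (privacy, integrity and authentication), here obtained with AES-GCM, where the outer header is bound in as associated data so it cannot be altered in transit undetected. The packet layout, the `Tunnel` type, the shared `DemoKey`, and the public and private addresses (203.0.113.10, 198.51.100.20, 10.0.1.25, 10.0.2.7) are all constructed for the illustration; the real IPSec wire format and its key exchange are different.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"net"
)

// Packet layout used in this illustration (NOT the real IPsec ESP wire format,
// just the same idea reduced to its parts):
//   outerSrc(4) | outerDst(4) | seq(4)   outer header, sent in the clear
//   nonce(12)                            fresh per packet
//   AES-GCM ciphertext || 16-byte tag    covers the inner packet; the outer
//                                        header is bound in as associated data
const (
	outerHdrLen = 12
	nonceLen    = 12
)

// DemoKey is a constructed 32-byte key shared by both gateways (AES-256-GCM).
// A real VPN negotiates it (IPsec uses IKE for this); it is never hard-coded.
var DemoKey = []byte("0123456789abcdef0123456789abcdef")

// Tunnel is one end of the point-to-point tunnel between two gateways.
type Tunnel struct {
	aead     cipher.AEAD
	localGW  net.IP // this gateway's public address
	remoteGW net.IP // the peer gateway's public address
	sendSeq  uint32 // last sequence number sent
	recvSeq  uint32 // highest sequence number accepted (simple replay guard)
}

func NewTunnel(key []byte, localGW, remoteGW net.IP) (*Tunnel, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Tunnel{aead: aead, localGW: localGW.To4(), remoteGW: remoteGW.To4()}, nil
}

// BuildInnerPacket models the LAN packet: innerSrc(4) | innerDst(4) | payload.
// These private addresses are exactly what the tunnel hides from the public path.
func BuildInnerPacket(src, dst net.IP, payload []byte) []byte {
	pkt := append([]byte{}, src.To4()...)
	pkt = append(pkt, dst.To4()...)
	return append(pkt, payload...)
}

// Encapsulate wraps an inner LAN packet for transit across the public network:
// privacy (encrypted payload) plus integrity and authentication (GCM tag over
// payload and outer header under the shared key).
func (t *Tunnel) Encapsulate(inner []byte) ([]byte, error) {
	t.sendSeq++
	hdr := make([]byte, outerHdrLen)
	copy(hdr[0:4], t.localGW)
	copy(hdr[4:8], t.remoteGW)
	binary.BigEndian.PutUint32(hdr[8:12], t.sendSeq)
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 0, outerHdrLen+nonceLen+len(inner)+t.aead.Overhead())
	out = append(append(out, hdr...), nonce...)
	return t.aead.Seal(out, nonce, inner, hdr), nil // appends ciphertext || tag
}

// Decapsulate is the receiving gateway's side: check the outer addresses,
// reject replayed sequence numbers, then authenticate and decrypt.
func (t *Tunnel) Decapsulate(wire []byte) ([]byte, error) {
	if len(wire) < outerHdrLen+nonceLen+t.aead.Overhead() {
		return nil, errors.New("packet too short")
	}
	hdr := wire[:outerHdrLen]
	if !net.IP(hdr[0:4]).Equal(t.remoteGW) || !net.IP(hdr[4:8]).Equal(t.localGW) {
		return nil, errors.New("outer addresses do not match this tunnel")
	}
	seq := binary.BigEndian.Uint32(hdr[8:12])
	if seq <= t.recvSeq {
		return nil, errors.New("replayed or reordered sequence number")
	}
	nonce := wire[outerHdrLen : outerHdrLen+nonceLen]
	inner, err := t.aead.Open(nil, nonce, wire[outerHdrLen+nonceLen:], hdr)
	if err != nil {
		return nil, errors.New("authentication failed: packet modified or wrong key")
	}
	t.recvSeq = seq // advance only after the packet authenticated
	return inner, nil
}
```

To use it, create two `Tunnel` values with mirrored gateway addresses (one per end), pass a `BuildInnerPacket` result through `Encapsulate` on one end and `Decapsulate` on the other. On the wire only the two gateway addresses and the sequence number are readable, which is the "private" property described above; a flipped byte anywhere in the ciphertext or the outer header, a replayed packet, or a packet delivered to the wrong end is rejected rather than decrypted.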
IPSec is based around three modules: