A VPN (Virtual Private Network) is no longer a simple encrypted access tunnel: it integrates functions such as access control, transmission management, encryption, route selection and availability management, and plays an important role in the overall information security system. Opinions about the advantages and disadvantages of the various VPN protocols differ widely. Many technical staff weigh the protocols against access control, security, ease of use, flexible expansion and other aspects and find it difficult to choose. In VoIP voice environments in particular, network security matters a great deal, so more and more network phones and voice gateways support VPN protocols.
I. PPTP
The Point-to-Point Tunneling Protocol (PPTP) was developed by the PPTP Forum, made up of companies such as Microsoft and 3Com. The PPP dial-up protocol it carries uses PAP or CHAP together with Microsoft's Point-to-Point Encryption (MPPE). It creates a VPN over a TCP/IP-based data network to provide secure data transmission from a remote client to a private enterprise server. PPTP supports creating on-demand, multi-protocol virtual private networks across public networks (such as the Internet). PPTP allows encrypted IP traffic to be encapsulated with an IP header.
II. L2TP
The Layer 2 Tunneling Protocol (L2TP) is a successor to PPTP developed by the IETF based on L2F (Cisco's Layer 2 Forwarding protocol). It is an industry-standard Internet tunneling protocol that encapsulates Point-to-Point Protocol (PPP) frames for transport across packet networks. Both PPTP and L2TP use PPP to encapsulate data and then add additional headers for transmission over the Internet. PPTP can only establish a single tunnel between two points, whereas L2TP supports multiple tunnels between two points, so users can create different tunnels for different qualities of service. L2TP can provide tunnel authentication, while PPTP cannot. However, when L2TP or PPTP is used together with IPSec, IPSec provides the tunnel authentication, so L2TP's own tunnel authentication is not needed.
PPTP requires the transit network to be an IP network. L2TP only requires the tunneling medium to provide packet-oriented point-to-point connectivity: L2TP can be used over IP (using UDP), Frame Relay permanent virtual circuits (PVCs), X.25 virtual circuits (VCs) or ATM VCs.
III. IPSec
IPSec tunnel mode covers the whole process of encapsulation, routing and decapsulation. The tunnel hides (encapsulates) the original packet inside a new packet. The new packet may carry new addressing and routing information so that it can be transmitted across the network. When tunneling is combined with data confidentiality, anyone eavesdropping on the network cannot obtain the original packet (nor its original source and destination). After the encapsulated packet arrives at its destination, the encapsulation is removed and the original packet header is used to route the packet to its final destination.
A tunnel is a logical data path through which encapsulated data travels. To the source and destination it is transparent and appears only as a point-to-point connection in the network path; neither party cares about the routers, switches, proxies or other security gateways between the two ends of the tunnel. When a tunnel is combined with data confidentiality, it can be used to provide a VPN.
The encapsulated packets travel within the tunnel across the network; in this example the network is the Internet. A gateway can be the perimeter gateway between the external Internet and a private network. Perimeter gateways can be routers, firewalls, proxy servers or other security gateways. Two gateways can also be used inside a private network to protect communication over an untrusted segment of the network.
When IPSec is used in tunnel mode, it provides encapsulation only for IP traffic. IPSec tunnel mode is used to interoperate with other routers, gateways or end systems that do not support L2TP-over-IPSec or PPTP VPN tunneling.
IV. SSL VPN
The SSL protocol provides data privacy, endpoint authentication and message integrity. SSL consists of several sub-protocols, two of which are the handshake protocol and the record protocol. The handshake protocol lets the server and client authenticate each other and negotiate an encryption algorithm and cryptographic keys before the application protocol transmits its first byte of data. During data transmission, the record protocol uses the keys produced by the handshake to encrypt and decrypt the data being exchanged.
SSL is independent of the application, so any application can benefit from its security without worrying about implementation details. SSL sits between the transport layer and the application layer of the network architecture. In addition, SSL is supported by almost all web browsers, which means the client does not need to install additional software to support SSL connections. These two features are the key reasons SSL can be applied to VPNs.
A typical SSL VPN application is OpenVPN, a good piece of open-source software. PPTP is mainly used by mobile users and home-office workers; OpenVPN is mainly used for continuous, on-demand VPN connections between company sites in different regions, for example for enterprise ERP applications.
V. Features and advantages of OpenVPN
OpenVPN lets you use a pre-shared private key, third-party certificates or a user name/password to authenticate each endpoint participating in establishing the VPN. It makes extensive use of the OpenSSL cryptographic library and the SSLv3/TLSv1 protocols. OpenVPN runs on Linux, *BSD, Mac OS X and Windows 2000/XP. It is not a web-based VPN and is not compatible with IPSec or other VPN software packages.
Tunnel Encryption
OpenVPN uses the OpenSSL library to encrypt both data and control information: because it relies on OpenSSL's encryption and authentication functions, it can use any algorithm OpenSSL supports. It provides an optional packet HMAC feature to improve connection security, and OpenSSL hardware acceleration can also improve its performance.
OpenVPN provides several authentication methods to confirm the identity of both parties to a connection: pre-shared keys, third-party certificates, and user name/password combinations. Pre-shared keys are the simplest, but they can only be used to establish point-to-point VPNs. PKI-based third-party certificates provide the most complete functionality, but require extra effort to maintain a PKI certificate system. OpenVPN 2.0 introduced user name/password authentication, which can omit the client certificate, although a server certificate is still needed for encryption.
All OpenVPN communication runs over a single IP port. UDP is recommended and is the default, but TCP is also supported. OpenVPN connections work well in NAT environments and through most proxy servers. The server can "push" network configuration information to the client, including IP addresses and route settings. OpenVPN offers two kinds of virtual network interface through the common TUN/TAP drivers, which allow it to establish either a layer-3 IP tunnel or a virtual layer-2 Ethernet; the latter can transmit any type of layer-2 Ethernet data. The transmitted data can be compressed with the LZO algorithm. The official port assigned to OpenVPN by IANA (Internet Assigned Numbers Authority) is 1194. In OpenVPN 2.0 and later, a single process can manage several concurrent tunnels at the same time.
By using the common network protocols (TCP and UDP), OpenVPN becomes an ideal alternative to protocols such as IPSec, especially when the ISP (Internet Service Provider) filters certain VPN protocols. When selecting a protocol, pay attention to the network conditions between the two tunnel endpoints. If there is high latency or heavy packet loss, select TCP as the underlying protocol: UDP has no connection or retransmission mechanism, so it becomes inefficient because retransmission is left to the upper-layer protocol.
OpenVPN has many inherent security features: it runs in user space and does not need to modify the kernel or the network protocol stack. After initialization it can run in a chroot jail and drop root privileges, and it uses mlockall to prevent sensitive data from being swapped to disk.
OpenVPN supports hardware cryptographic tokens such as smart cards through PKCS #11.
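The tunnel-hardening points above (packet HMAC, pushed routes, dropping root, chroot, mlockall) map directly onto OpenVPN server directives. As an added example that is not from the original article or the OpenVPN project, the script below shows a minimal server config beside a hardened one and audits a config text for the missing directives; the directive names are real OpenVPN options, while the certificate paths, chroot directory and pushed route are constructed placeholders.

```python
"""Audit an OpenVPN server config for the hardening features the article lists.
Added example, not from the original article; directive names are real OpenVPN
options, while the two config texts are constructed samples, not a deployment."""
import shlex

HARDENING = {  # directive -> finding reported when it is absent
    "tls-auth": "no HMAC packet authentication (tls-auth) on the control channel",
    "user": "process keeps root: add 'user nobody' to drop privileges after startup",
    "chroot": "no chroot jail after initialization",
    "mlock": "key material may be swapped to disk: add 'mlock' (uses mlockall)",
}

def parse_config(text):
    """Return {directive: [args, ...]} for OpenVPN's line-oriented config syntax."""
    directives = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = shlex.split(line)                 # keeps push "route ..." as one arg
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives

def audit(text):
    """Return a list of findings; an empty list means every hardening directive is set."""
    cfg = parse_config(text)
    findings = [msg for d, msg in HARDENING.items() if d not in cfg]
    proto = cfg.get("proto", [["udp"]])[0][0]     # OpenVPN defaults to UDP
    if proto.startswith("tcp"):
        findings.append("proto tcp: use only on lossy or high-latency links, else udp")
    return findings

# Constructed minimal server config; certificate and DH file names are placeholders.
MINIMAL_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
"""

# Same server plus the article's HMAC, pushed route, privilege drop, chroot and mlock.
HARDENED_CONF = MINIMAL_CONF + """\
tls-auth ta.key 0
push "route 192.168.10.0 255.255.255.0"
user nobody
chroot /var/empty/openvpn
mlock
"""
```

Running `audit(MINIMAL_CONF)` lists the four missing hardening directives, while `audit(HARDENED_CONF)` returns an empty list.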
Source: http://qiaodahai.com/personal/article/2010/pptp-l2tp-ipsec-ssl-vpn-openvpn.htm