PPTP, L2TP, IPSec, and SSLVPN protocols

Source: Internet
Author: User
Tags openssl library


PPTP, L2TP, IPSec, SSLVPN, and other Protocols define and distinguish between VPN (Virtual Private Network). So far, it is no longer a pure encrypted access tunnel, it integrates multiple functions such as access control, transmission management, encryption, route selection, and availability management, and plays an important role in the global information security system. Also on the network, the advantages and disadvantages of various VPN protocols are benevolent, wise, and wise. For the purpose of use, many technical staff, including access control, security, and ease of use, flexible expansion and other aspects, weigh the advantages and disadvantages, it is difficult to choose; especially in the VOIP voice environment, network security is particularly important, so now more and more network calls and voice gateways support VPN protocol. PPTP Point-to-Point Tunneling Protocol (PPTP) is a Point-to-Point Tunneling Protocol developed by PPTP forums consisting of Microsoft, 3Com, and other companies, the PPP protocol used for dialing uses encryption algorithms such as PAP or CHAP, or Microsoft's point-to-point encryption algorithm MPPE. It creates a VPN over a TCP/IP-based data network to implement secure data transmission from a remote client to a dedicated Enterprise Server. PPTP supports creating on-demand, multi-protocol, and virtual private networks through public networks (such as the Internet. PPTP allows encrypted IP communication, and then encapsulates it in the IP header sent across the company's IP network or public IP network (such as the Internet. L2TP L2TP Layer 2 tunnel protocol (L2TP) is a later version of PPTP developed by IETF Based on L2F (Cisco Layer 2 forwarding protocol. It is an industrial standard Internet tunnel protocol that provides encapsulation for a Point-to-Point Protocol (PPP) framework that spans data packets. Both PPTP and L2TP use the PPP protocol to encapsulate data, and then add additional headers for data transmission over the Internet. PPTP can only establish a single tunnel between two points.

L2TP supports multiple tunnels between two points. Users can create different tunnels for different service quality. L2TP can provide tunnel verification, while PPTP does not. However, when both L2TP or PPTP and IPSEC are used together, IPSEC can provide tunneling verification, without the need to verify that the tunneling uses L2TP on the layer-3 protocol. PPTP requires the Internet to be an IP network. L2TP only requires the tunneling media to provide packet-oriented point-to-point connections. L2TP can relay permanent virtual circuits (PVCs), X.25 virtual circuits (VCs) at IP addresses (using UDP) or use it on the ATM VCs network. The IPSec tunneling mode is the whole process of encapsulation, routing, and unencapsulation. The tunnel hides (or encapsulates) the original data packet inside the new data packet. The new data packet may have new addressing and routing information so that it can be transmitted over the network. When the tunnel is used in combination with data confidentiality, the qie listener on the network will not be able to obtain the original data packet (as well as the original source and target ). After the encapsulated data packet arrives at the destination, the encapsulation is deleted. The original data packet header is used to route the data packet to the destination. A tunnel is a logical data path that encapsulates data. It is invisible to the source and destination, but only to point-to-point connections in the network path. Both parties do not care about any vrouters, switches, proxies, or other security gateways between the start and end points of the tunnel. A VPN can be used to provide a VPN when a tunnel is used in combination with data confidentiality.
The encapsulated data packet is transmitted within the tunnel of the network. In this example, the network is Internet. A gateway can be a perimeter gateway between an external Internet and a private network. Perimeter gateways can be routers, firewalls, proxy servers, or other security gateways. In addition, two gateways can be used inside a private network to protect untrusted communication in the network. When using IPSec in tunneling mode, it only provides encapsulation for IP communication. The IPSec tunneling mode is used to interact with other routers, gateways, or terminal systems that do not support the L2TP or PPTPVPN tunneling technology on IPSec. The SSL protocol for www.2cto.com SSLVPN provides features such as data privacy, endpoint verification, and information integrity. The SSL protocol consists of many sub-protocols, two of which are handshake protocol and record protocol. The handshake protocol allows the server and client to confirm each other before the application protocol transmits the First Data byte and negotiate an encryption algorithm and password key. During data transmission, the record protocol uses the key generated by the handshake protocol to encrypt and decrypt subsequently exchanged data. SSL is independent from the application, so any application can enjoy its security without worrying about the execution details. SSL is placed between the transport layer and the application layer of the network architecture. In addition, SSL is supported by almost all Web browsers. This means that the client does not need to install additional software to support SSL connections. These two features are the key points that SSL can be applied to VPN. A typical SSLVPN application, such as OpenVPN, is a good open-source software. Our products provide PPTP and OpenVPN applications. PPTP is mainly used by users who often go out for mobile or home office work; openVPN is mainly used for non-stop on-demand VPN connections between companies in different regions, such as ERP applications in enterprises.
OpenVPN allows you to use the default private key, third-party certificate, or user name/password to authenticate a single point that participates in the establishment of a VPN. It uses a large number of OpenSSL cryptographic libraries and SSLv3/TLSv1 protocols. OpenVPN can run on Linux, xBSD, MacOSX, and Windows2000/XP. It is not a Web-based VPN software, and is not compatible with IPsec and other VPN software packages. Tunnel encryption OpenVPN uses the OpenSSL library to encrypt data and control information: it uses the OpesSSL encryption and verification function, meaning that it can use any algorithms supported by OpenSSL. It provides optional packet HMAC functions to improve connection security. In addition, OpenSSL hardware acceleration can also improve its performance.
OpenVPN provides multiple authentication methods to verify the identity of both parties involved in the connection, including pre-exclusive private key, third-party certificate, and user name/password combination. Pre-access keys are the easiest, but they can only be used to establish point-to-point VPNs. PKI-based third-party certificates provide the most comprehensive functions, but require extra effort to maintain a PKI certificate system. OpenVPN2.0 introduces a user name/password combination authentication method, which can omit the client certificate, but there is still a server certificate to be used for encryption. www.2cto.com
All communications in the network OpenVPN are based on a single IP port. By default, UDP protocol communication is recommended, and TCP is also supported. OpenVPN connections can work well in NAT environments through most proxy servers. The server can "push" some network configuration information to the client, including the IP address and route settings. OpenVPN provides two virtual network interfaces: Common Tun/Tap drivers, which allow you to establish a layer-3 IP tunnel or a virtual layer-2 Ethernet, the latter can transmit any type of L2 Ethernet data. The transmitted data can be compressed using the LZO algorithm. IANA (InternetAssignedNumbersAuthority) specifies the official port 1194 for OpenVPN. In OpenVPN2.0 and later versions, each process can manage several concurrent tunnels at the same time. OpenVPN uses the features of common network protocols (TCP and UDP) to make it an ideal alternative to protocols such as IPsec, especially when ISP (Internetserviceprovider) filters out certain VPN protocols. When selecting a protocol, pay attention to the network conditions between two encrypted tunnels. If there is a high latency or a large number of packet loss, select TCP as the underlying protocol, due to the absence of connection and retransmission mechanisms, UDP protocol is inefficient because it requires the upper-layer protocol to be retransmitted.
Security OpenVPN has many security features inherent in it: it runs in the user space and does not need to modify the kernel and network protocol stack; it runs in the chroot mode after initial completion, give up the root permission; Use mlockall to prevent the exchange of sensitive data to the disk. OpenVPN supports hardware-encrypted identifiers such as smart cards through PKCS #11.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.