Properties of VPN Connections

  • Article

VPN connections that use PPTP and L2TP over IPSec have the following properties:

  • Encapsulation

  • Authentication

  • Data encryption

  • Address and name server assignment

Encapsulation

VPN technology provides a way of encapsulating private data with a header that allows the data to traverse the transit internetwork.

Authentication

Authentication for VPN connections takes two forms:

  • User authentication
    For the VPN connection to be established, the VPN server authenticates the VPN client attempting the connection and verifies that the VPN client has the appropriate permissions. If mutual authentication is being used, the VPN client also authenticates the VPN server, providing protection against masquerading VPN servers.

  • Data authentication and integrity
    To verify that the data being sent on the VPN connection originated at the other end of the connection and was not modified in transit, the data can contain a cryptographic checksum based on an encryption key known only to the sender and the receiver.

Data Encryption

To ensure confidentiality of the data as it traverses the shared or public transit internetwork, it is encrypted by the sender and decrypted by the receiver. The encryption and decryption processes depend on both the sender and the receiver having knowledge of a common encryption key.

Intercepted packets sent along the VPN connection in the transit internetwork are unintelligible to anyone who does not have the common encryption key. The length of the encryption key is an important security parameter. Computational techniques can be used to determine the encryption key. Such techniques require more computing power and computational time as the encryption key gets larger. Therefore, it is important to use the largest possible key size.

In addition, the more information that is encrypted with the same key, the easier it is to decipher the encrypted data. With some encryption technologies, you are given the option to configure how often the encryption keys are changed during a connection.

For more information about how encryption keys are managed for the VPN technologies in Windows 2000, see "VPN Security" later in this chapter.

Address and Name Server Allocation

When a VPN server is configured, it creates a virtual interface that represents the interface on which all VPN connections are made. When a VPN client establishes a VPN connection, a virtual interface is created on the VPN client that represents the interface connected to the VPN server. The virtual interface on VPN client is connected to the virtual interface on the VPN server creating the point-to-point VPN connection.

The virtual interfaces of the VPN client and the VPN server must be assigned IP addresses. The assignment of these addresses is done by the VPN server. By default, the VPN server obtains IP addresses for itself and VPN clients using the Dynamic Host Configuration Protocol (DHCP). You can also configure a static pool of IP addresses defined by an IP network ID and a subnet mask.

Name server assignment, the assignment of domain name system (DNS) and Windows Internet Name Service (WINS) servers, also occurs during the VPN connection establishment process. The VPN client obtains the IP addresses of the DNS and WINS servers from the VPN server for the intranet to which the VPN server is attached.