B. UDP is a connectionless protocol.

How VPNs Work

Now that you understand the basics of tunneling, let’s discuss the details of VPNs. A VPN link can be established over any other network communication connection. This could be a typical LAN cable connection, a wireless LAN connection, a remote access dial-up connection, a WAN link, or even a client using an Internet connection for access to an office LAN. A VPN link acts just like a typical direct LAN cable connection; the only possible difference would be speed based on the intermediary network and on the connection types between the client system and the server system. Over a VPN link, a client can perform the exact same activities and access the same resources they could if they were directly connected via a LAN cable.

VPNs can be used to connect two individual systems or two entire networks. The only difference is that the transmitted data is protected only while it is within the VPN tunnel. Remote access servers or firewalls on the network’s border act as the start points and endpoints for VPNs. Thus, traffic is unprotected within the source LAN, protected between the border VPN servers, and then unprotected again once it reaches the destination LAN.

VPN links through the Internet for connecting to distant networks are often inexpensive alternatives to direct links or leased lines. The cost of two high-speed Internet links to local ISPs to support a VPN is often significantly less than the cost of any other connection means available.

Implementing VPNs

VPNs can be implemented using software or hardware solutions. In either case, there are four common VPN protocols: PPTP, L2F, L2TP, and IPSec. PPTP, L2F, and L2TP operate at the Data Link layer (layer 2) of the OSI model. PPTP and IPSec are limited for use on IP networks, whereas L2F and L2TP can be used to encapsulate any LAN protocol.

Point-to-Point Tunneling Protocol (PPTP) is an encapsulation protocol developed from the dial-up protocol Point-to-Point Protocol (PPP).
PPTP creates a point-to-point tunnel between two systems and encapsulates PPP packets. PPTP offers protection for authentication traffic through the same authentication protocols supported by PPP; namely, Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), Challenge Handshake Authentication Protocol (CHAP), Password Authentication Protocol (PAP), Extensible Authentication Protocol (EAP), and Shiva Password Authentication Protocol (SPAP). The initial tunnel negotiation process used by PPTP is not encrypted. Thus, the session establishment packets that include the IP address of the sender and receiver—and can include usernames and hashed passwords—could be intercepted by a third party.

Cisco developed its own VPN protocol called Layer 2 Forwarding (L2F), which is a mutual authentication tunneling mechanism. However, L2F does not offer encryption. L2F was not widely deployed and was soon replaced by L2TP.

Layer 2 Tunneling Protocol (L2TP) was derived by combining elements from both PPTP and L2F. L2TP creates a point-to-point tunnel between communication endpoints. It lacks a built-in encryption scheme, but it typically relies upon IPSec as its security mechanism. L2TP also supports TACACS+ and RADIUS, whereas PPTP does not.

The most commonly used VPN protocol is now IPSec. IP Security (IPSec) is both a stand-alone VPN protocol and the security mechanism for L2TP, and it can only be used for IP traffic.
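
The unencrypted PPTP tunnel negotiation described above, as an added example that is not part of the original text: a Python parser for the first PPTP control message (Start-Control-Connection-Request), using the field layout from RFC 2637. The sample message, host name, and vendor string are constructed for illustration, and only this one message type is covered.

```python
import struct

MAGIC_COOKIE = 0x1A2B3C4D        # fixed value carried in every PPTP control message
CONTROL_MESSAGE = 1              # PPTP Message Type: control
SCCRQ = 1                        # Control Message Type: Start-Control-Connection-Request
_FMT = "!HHIHHHHIIHH64s64s"      # RFC 2637 section 2.1 layout, network byte order
_SIZE = struct.calcsize(_FMT)    # 156 bytes


def build_sample_sccrq(host, vendor):
    """Build a constructed sample request (not a real capture)."""
    return struct.pack(_FMT, _SIZE, CONTROL_MESSAGE, MAGIC_COOKIE, SCCRQ, 0,
                       0x0100, 0, 1, 1, 0, 0, host.encode(), vendor.encode())


def _text(field):
    """Decode a NUL-padded fixed-width string field."""
    return field.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_sccrq(data):
    """Return the fields any on-path observer can read from the request."""
    if len(data) < _SIZE:
        raise ValueError("truncated PPTP control message")
    (length, msg_type, cookie, ctrl_type, _r0, version, _r1, framing,
     bearer, channels, firmware, host, vendor) = struct.unpack_from(_FMT, data)
    if cookie != MAGIC_COOKIE:
        raise ValueError("bad magic cookie: not a PPTP control message")
    if msg_type != CONTROL_MESSAGE or ctrl_type != SCCRQ or length != _SIZE:
        raise ValueError("not a Start-Control-Connection-Request")
    return {
        "protocol_version": f"{version >> 8}.{version & 0xFF}",
        "framing_capabilities": framing,
        "bearer_capabilities": bearer,
        "max_channels": channels,
        "firmware_revision": firmware,
        "host_name": _text(host),
        "vendor_string": _text(vendor),
    }


if __name__ == "__main__":
    sample = build_sample_sccrq("branch-laptop-07", "ExampleVendor PPTP")
    for name, value in parse_sccrq(sample).items():
        print(f"{name}: {value}")   # every field is readable without any key
```
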