|
| ||||
 |
|
Home | Reviews | Tools | Forums | FAQs | Find Service | ISP News | Maps | About |
|
how-to block ads |
100. Introduction
200. How it works
300. Limitations500. Miscellaneous Info
900. Links to other VPN information
100. Introduction
A VPN provides a secure way to access network resources over the Internet or other public or private networks and allows you to connect to a remote network and become a node on that network. VPNs use tunneling, encryption, authentication, and access control over a public network at the same time for security. Although they often use public networks, VPNs inherit the characteristics of a private network, thus the "Virtual" Private Network. A VPN can be a better alternative to traditional dial-up connections to provide access to remote users and telecommuters. It can also take the place of the public switched telephone network or dedicated leased lines to connect LANs in different sites. VPNs can also be used to give customers, clients and consultants access to corporate resources. LinkSys has an informative VPN explanation here: What is VOIP?
 got feedback?by NickD got feedback?by jazzman916 There are basically three types of VPN:  INTRANET: this type of VPN is usually implemented for commonly structured networks that may span various physical locations. An example would be a network that exists in several buildings connected to a data center or mainframe that has secure access through private lines. These may need strong encryption and strict performance and bandwidth requirements. REMOTE ACCESS: Initiated by remote users to connect to their corporate LAN such as employees and telecommuters equipped with laptops that will connect intermittently from many different locations. EXTRANET: This type of VPN uses the Internet as its base and deals with a wider scale of users and locations to allow customers and branch offices to access corporate resources across various network types.
got feedback?by KeysCapt
Long distance charges can be reduced with a VPN because users are placing local calls to their ISPs instead of making long distance calls to the company. The number of access lines and their costs are reduced because many companies pay monthly charges for both high-speed Internet access links and frame relay, ISDN Primary Rate Interface or T1 lines to carry data. If the VPN allows data traffic over the company's Internet access lines, the number of installed lines needed is reduced. Operational costs are additionally reduced by outsourcing remote access to an ISP or other type of service provider because by giving users access to the network via a VPN, modem pools and remote access servers can be eliminated. The operational cost savings come from not having to manage those devices.
got feedback?by KeysCapt 200. How it works
As the name suggests, tunneling acts like a "pipe" which penetrates through a network to connect two points. Normally activated by remote users, tunneling encrypts data into standard TCP/IP packets and encapsulates it for safe transmission across the Internet. VPN ensures the confidentiality and integrity of information as it travels over the public internet because it requires:
The VPN connection behaves like this:
got feedback?you have not explained about the different errors on vpn issues like
1. remote host not found,
2. host not responding,
3. enter credentials like passcode.......... 2009-12-09 05:02:54 by KeysCapt got feedback?by KeysCapt got feedback?by DrTCP • Mac OS 7.6 - 9, OS X got feedback?Also on Linux. As an example, see this FAQ: http://www.dslreports.com/faq/5319 2009-01-18 16:59:25 (aefstoggaflm by KeysCapt A VPN gateway acts as one end of a "tunnel," encapsulating entire packets from the private inter-network in new IP packets before they travel across the public Internet. The new packets, carrying the private source and destination addresses, are simply directed to a second VPN gateway that protects the other end of the transmission. The receiving gateway then recognizes and disassembles the encapsulated packet before passing its contents on to the correct address on the private internetwork. A variety of different network devices and software products can act as VPN gateways, including VPN access servers, VPN routers, and computers with VPN client software installed. The private network resources on each internal network, whether single machines or entire internetworks, remain unaware of the fact that the Internet is being used as a transmission medium. A VPN gateway forms the foundation of a secure Internet-based portal to those resources, since it is designed to unconditionally reject all Internet traffic that is not tunneled IPSec.
got feedback?by KeysCapt Split tunneling is commonly configured on the connecting client to receive pushed secure route's or set statically. In this situation, only specific traffic matching a "secure" destination address is forwarded out the virtual tunnel interface. All other traffic is routed normally and un-secured through the configured default gateway. These specific routes are configured on the VPN server and can normally be seen injected into the client's route table while connected to the VPN. The advantages of split-tunneling is that it allows the connected client connectivity to both secure networks AND normal un-secured traffic while connected. The disadvantage is that the client is putting the remote connected network at risk because they are bypassing secure gateways that might normally be found on the remote network's infrastructure, making it accessible through the non-secured public network.
got feedback?by bky got feedback?by KeysCapt One such system is here And another one for PALM© Devices One that works with PocketPC: Freeswan-PocketPC got feedback?by KeysCapt The "flip side" of this, is that a VPN "tunnel" really does "tunnel" internet traffic for all "ports" via the VPN connection. This means that if the VPN itself isn't blocked (see above), than traffic on ports that are supposedly blocked for some reason (be that because of some firewall, or some restriction of your ISP), can still go out via the (unblocked) VPN tunnel! This can be both a useful "feature" (allowing you to do things with the VPN that you couldn't do directly via the internet), or a security weakness that is all too easy to overlook. For example, I telecommute a couple of days a week. At my office, the company firewall blocks all attempts to access (from the internet) files on our Windows servers (for obvious security reasons). However, the VPN ports are not blocked at the firewall (so that remote users can connect to the VPN). When I setup a VPN connection to the office, it "tunnels" all traffic (for the IP numbers at our office) via the VPN. This means that when I have a VPN connection setup, I am essentially bypassing all restrictions of the office firewall! This is "a good thing", because I can pretty much do anything (including accessing files) that other machines on the office LAN can do (even when the firewall supposedly blocks that traffic from the internet). However, it also means that my home office machine better be secured "better than most", if I don't want to be "the weak link" that lets some jerk use my VPN connection to make it much easier to "hack" the machines "at the office"!
got feedback?by DracoFelis But, what is safe enough? VPNs that employ multiple security systems, like additional hardware devices, software patches and security standards, can be considered secure. In most cases, security vulnerabilities will be introduced by the users, rather than the system. got feedback?by KeysCapt 500. Miscellaneous Info
The Pix config. nameif ethernet0 outside security0 nameif ethernet1 inside security100 access-list To-Internet permit ip 192.168.1.0 255.255.255.0 any access-list To-Internet permit ip 192.168.2.0 255.255.255.0 any access-list To-Internet permit icmp any any access-list From-Internet permit tcp any host x.x.x.196 eq smtp access-list From-Internet permit icmp any x.x.x.192 255.255.255.192 echo access-list From-Internet permit icmp any x.x.x.192 255.255.255.192 echo-reply access-list From-Internet permit icmp any x.x.x.192 255.255.255.192 unreachable access-list From-Internet permit icmp any x.x.x.192 255.255.255.192 time-exceeded access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0 access-list 110 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 //iS this necessary? access-list to-internet permit icmp any any ip address outside x.x.x.194 255.255.255.192 ip address inside 192.168.1.25 255.255.255.0 ip audit info action alarm reset ip audit attack action alarm reset ip local pool NONATippool 192.168.2.1-192.168.2.254 global (outside) 1 x.x.x.251 nat (inside) 0 access-list NoNAT nat (inside) 1 192.168.1.0 255.255.255.0 0 0 static (inside,outside) x.x.x.196 192.168.1.1 netmask 255.255.255.255 0 0 access-group From-Internet in interface outside access-group To-Internet in interface inside route outside 0.0.0.0 0.0.0.0 x.x.x.193 1 timeout xlate 1:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute sysopt connection permit-ipsec sysopt connection permit-pptp no sysopt route dnat crypto ipsec transform-set MyCOTransf esp-3des esp-md5-hmac crypto dynamic-map MYCOdynmap 10 set transform-set MYCOTransf crypto map MYCOmap 10 ipsec-isakmp dynamic MYCOdynmap crypto map MYCOmap client configuration address initiate crypto map MYCOmap client configuration address respond crypto map MYCOmap interface outside isakmp enable outside isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode isakmp identity address isakmp client configuration address-pool local MYCOippool outside isakmp policy 10 authentication pre-share isakmp policy 10 encryption 3des isakmp policy 10 hash md5 isakmp policy 10 group 2 isakmp policy 10 lifetime 28800 vpngroup MYCOvpn address-pool NONATippool vpngroup MYCOvpn dns-server 205.171.3.65 vpngroup MYCOvpn wins-server 192.168.1.1 vpngroup MYCOvpn default-domain MYCOMPANY.com vpngroup MYCOvpn idle-time 1800 vpngroup MYCOvpn password ******** vpngroup MYCO address-pool NONATippool vpngroup MYCO dns-server 192.168.1.1 205.171.3.65 vpngroup MYCO wins-server 192.168.1.1 vpngroup MYCO default-domain MYCO.com vpngroup MYCO idle-time 1800 vpngroup MYCO password ******** telnet 192.168.2.0 255.255.255.0 outside telnet 192.168.1.0 255.255.255.0 inside vpdn group 1 accept dialin pptp vpdn group 1 ppp authentication pap vpdn group 1 ppp authentication chap vpdn group 1 ppp authentication mschap vpdn group 1 client configuration address local NONATippool vpdn group 1 pptp echo 60 vpdn group 1 client authentication local vpdn username xxxx password xxxx vpdn username yyyy password yyyyy vpdn username zzzz password zzzzz vpdn enable outside terminal width 80 Cryptochecksum: : end [OK] MYCOFW# exit The Zywall config. Menu 27.1.1 - IPSec Setup Index #= 1 Name= Work Active= Yes Keep Alive= Yes Nat Traversal= No Local ID type= IP Content= My IP Addr= 0.0.0.0 Peer ID type= IP Content= x.x.x.194 Secure Gateway Address= x.x.x.194 Protocol= 17 Local: Addr Type= SUBNET IP Addr Start= 192.168.0.0 End/Subnet Mask= 255.255.255.0 Port Start= 0 End= N/A Remote: Addr Type= SUBNET IP Addr Start= 192.168.1.0 End/Subnet Mask= 255.255.255.0 Port Start= 0 End= N/A Enable Replay Detection= Yes Key Management= IKE Menu 27.1.1.1 - IKE Setup Phase 1 Negotiation Mode= Main PSK= ******** Encryption Algorithm= 3DES Authentication Algorithm= MD5 SA Life Time (Seconds)= 28800 Key Group= DH2 Phase 2 Active Protocol= ESP Encryption Algorithm= 3DES Authentication Algorithm= MD5 SA Life Time (Seconds)= 28800 Encapsulation= Tunnel Perfect Forward Secrecy (PFS)= None
got feedback?by TerryMiller Yes. Dynamic DNS services such as »www.dyndns.org allow you to use a Domain Name - either your own or one they will allocate to you - in place of an IP address in your VPN setup. Set-up is simple. When a router wants to contact your router, a DNS look-up is performed and the current IP address for the remote router is provided. More on Dynamic IP and VPN here: »www.technopagan.org/dynamic/ In Win2K, go to My Network Places -> Properties -> Create a New Connection -> Accept Incoming Connections. In the dialog box for Devices for Incoming Connections, do not select any device. Click Next and check "Allow Private Connections", and then click Next again. In the dialog box for Allowed Users, select or add all users for whom you want to enable access. The accounts must exist on all computers that will be involved in establishing the VPN connection. In the New Connection Wizard, File and Printer Sharing for Microsoft Networks, Internet Protocol (TCP/IP) and Client for Microsoft Networks should all be enabled. "Allow callers to access my local area network" and "Assign TCP/IP address automatically using DHCP" are checked by default. To keep the default settings, just click Next. The "Incoming Connection" icon should then appear in My Network Places -> Properties and should be ready to use.
got feedback?by KeysCapt PPTP Ping referred in that article can be found here. got feedback?by DrTCP 900. Links to other VPN information
got feedback?by KeysCapt got feedback?by KeysCapt got feedback?by KeysCapt | |||||||||||||||
| Saturday, 11-Feb 23:44:22 | Terms of Use & Privacy | feedback | contact | Hosting by nac.net - DSL,Hosting & Co-lo over 12.5 years online! © 1999-2012 dslreports.com. |
