Virtual Private Networking
Applies To: Windows Server 2008 R2
A virtual private network (VPN) is a point-to-point connection across a private or public network, such as the Internet. A VPN client uses special TCP/IP-based protocols called tunneling protocols that establish a secure channel between two computers through which they can send data. From the perspective of the two participating computers, there is a dedicated point-to-point link between them, though in reality the data is routed through the Internet as would be any other packet. In a typical VPN deployment, a client initiates a virtual point-to-point connection to a remote access server over the Internet. The remote access server answers the call, authenticates the caller, and transfers data between the VPN client and the organization’s private network.
To emulate a point-to-point link, data is encapsulated, or wrapped, with a header. The header provides routing information that enables the data to traverse the shared or public network to reach its endpoint. To emulate a private link, the data being sent is encrypted for confidentiality. For more information about the tunneling protocols supported in this version of Windows, see VPN Tunneling Protocols.
For installation requirements, see Requirements for Installing RRAS as a VPN Server.
There are two types of VPN connections:
Remote access VPN
A remote access VPN connection enables a user working at home or on the road to access a server on a private network by using the infrastructure provided by a public network, such as the Internet. From the user’s perspective, the VPN is a point-to-point connection between the client computer and the organization’s server. The infrastructure of the shared or public network is irrelevant because it appears logically as if the data is sent over a dedicated private link.
A site-to-site VPN connection (sometimes called a router-to-router VPN connection) enables an organization to have routed connections between separate offices or with other organizations over a public network while helping to maintain secure communications. When networks are connected over the Internet, as shown in the following figure, a VPN-enabled router forwards packets to another VPN-enabled router across a VPN connection. To the routers, the VPN connection appears logically as a dedicated, data-link layer link.
A site-to-site VPN connection connects two private networks. The VPN server provides a routed connection to the network to which the VPN server is attached. The calling router authenticates itself to the answering router, and, for mutual authentication, the answering router authenticates itself to the calling router. In a site-to site VPN connection, the packets sent from either router across the VPN connection typically do not originate at the routers.
VPN connecting two remote sites across the Internet
Properties of VPN connections
Encapsulation. Private data is encapsulated with a header that contains routing information that allows the data to traverse the transit network. For examples of encapsulation, see VPN Tunneling Protocols (https://go.microsoft.com/fwlink/?linkid=140602).
Authentication. Authentication for VPN connections takes three different forms:
User-level authentication by using Point-to-Point Protocol (PPP) authentication. To establish the VPN connection, the VPN server authenticates the VPN client that is attempting the connection by using a PPP user-level authentication method and verifies that the VPN client has the appropriate authorization. If mutual authentication is used, the VPN client also authenticates the VPN server, which provides protection against computers that are masquerading as VPN servers.
Computer-level authentication by using Internet Key Exchange (IKE). To establish an Internet Protocol security (IPsec) security association (SA), the VPN client and the VPN server use the IKE protocol to exchange either computer certificates or a preshared key. In either case, the VPN client and server authenticate each other at the computer level. Computer certificate authentication is is a much stronger authentication method and is therefore highly recommended. Computer-level authentication is used by Layer Two Tunneling Protocol (L2TP)/IPsec or IKE version 2 connections.
Data origin authentication and data integrity. To verify that the data sent on the VPN connection originated at the other end of the connection and was not modified in transit, the data contains a cryptographic checksum based on an encryption key known only to the sender and the receiver. Data origin authentication and data integrity are available for L2TP/IPsec and IKE version 2 connections.
Data encryption. To ensure confidentiality of the data as it traverses the shared or public transit network, the data is encrypted by the sender and decrypted by the receiver. The encryption and decryption processes depend on both the sender and the receiver using a common encryption key.
Intercepted packets sent along the VPN connection in the transit network are unintelligible to anyone who does not have the common encryption key. The length of the encryption key is an important security parameter. You can use computational techniques to determine the encryption key. However, such techniques require more computing power and computational time as the encryption keys get larger. Therefore, it is important to use the largest possible key size to ensure data confidentiality.