Tunneling Protocols

Most VPNs use the concept of tunneling to create a private network that extends across the Internet. Conceptually, it’s as if a secure tunnel has been built between two end devices (routers, firewall, or VPN device). Data can be directed into one end of the tunnel and it travels securely to the other end. These end devices, or tunnel interfaces, are typically the perimeter router firewalls for the LANs being connected.

Technically, no tunnel exists and the process doesn’t resemble a tunnel, but the term “tunneling” somewhat describes the end result of traffic being able to pass through a non-secure environment without concerns about eavesdropping, data hijacking, or data manipulation. Tunneling is a process of encapsulating an entire data packet as the payload within a second packet, which is understood by the network and both end points. Depending on the protocols used, the new payload—the original packet—can be encrypted. Figure 9-5 is a common graphical representation of Layer 3 tunneling technology.

Figure 9-5: Layer 3 VPN tunneling representation

The tunneling process requires three different protocols:

  • Carrier protocol: The network protocol used to transport the final encapsulation

  • Encapsulating protocol: The protocol used to provide the new packet around the original data packet. Examples: IPSec, GRE, L2F, L2TP, PPTP

  • Passenger protocol: The original data packet that’s been encapsulated. Examples: IP, IPX, NetBEUI

Through tunneling techniques, you can pass non-IP packets or private IP addressed packets through a public IP network. You can even route NetBEUI, the famous non-routable protocol, once it has been encapsulated for tunneling through a VPN. The new data frame, or packet, is a legitimate packet with proper addressing to travel through the network. Hidden safely within the payload portion of this new frame is the original packet, which needs the assistance and/or protection.

L2F, L2TP, and PPTP are all Layer 2 tunneling protocols that support Access VPN solutions by tunneling PPP.

Layer Two Forwarding (L2F) Protocol

L2F is a tunneling protocol developed by Cisco Systems, which is similar to PPTP developed by Microsoft. Both protocols enable organizations to set up VPNs that use the Internet backbone for transporting traffic. L2F is supported by other vendors, such as Shiva and Nortel.

Recently, Microsoft and Cisco agreed to merge their respective protocols into a single, standard protocol called Layer Two Tunneling Protocol (L2TP), an IETF and industry-standard Layer 2 tunneling solution. Microsoft supports L2TP in Windows 2000/XP client software for client-initiated VPN tunnels.

Layer 2 Tunneling Protocol (L2TP)

L2TP is an emerging IETF standard and one of the key building blocks for VPNs in the dial access space. L2TP combines the best features of Cisco’s Layer 2 Forwarding (L2F) and Microsoft’s Point-to-Point Tunneling Protocol (PPTP), enabling mobile workforces to connect to their corporate intranets or extranets wherever and whenever they require.

L2TP is a standard way to build Access VPNs that simulate private networks using a shared infrastructure, such as the Internet. These Access VPNs offer access for mobile users, telecommuters, and small offices through dial, ISDN, xDSL, and cable.

Benefits of L2TP include per-user authentication, dynamic address allocation from an address pool or from a DHCP server, plus RADIUS and AAA support.

Generic Routing Encapsulation (GRE)

GRE is an early Layer 3 tunneling technology that has existed for years. Cisco has supported this tunneling technology since Cisco IOS software version 9.21. IPSec is the new IETF standard for Layer 3 encryption and encrypted tunnels supported by the Cisco IOS software since version 11.3(3)T.
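The carrier/encapsulating/passenger layering described above, shown as an added worked example (not code from the book or from Cisco): a Python script that wraps a constructed inner IPv4 packet in a plain 4-byte GRE header (RFC 2784, IP protocol 47) and an outer IPv4 header, then decapsulates it and checks the outer header before trusting it. Addresses are constructed from the documentation ranges; GRE options (checksum, key, sequence) are not handled.

```python
import struct

GRE_PROTO = 47            # IP protocol number in the outer (carrier) IPv4 header
ETHERTYPE_IPV4 = 0x0800   # GRE "protocol type" value announcing an IPv4 passenger

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def gre_encapsulate(inner_packet: bytes, carrier_src: str, carrier_dst: str) -> bytes:
    """Carrier (outer IPv4) + encapsulating (GRE) header around the passenger packet."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)   # flags/version = 0, protocol type = IPv4
    outer = ipv4_header(carrier_src, carrier_dst, GRE_PROTO, len(gre) + len(inner_packet))
    return outer + gre + inner_packet

def gre_decapsulate(outer_packet: bytes) -> bytes:
    """Validate the outer IPv4 and GRE headers, then return the passenger packet."""
    ihl = (outer_packet[0] & 0x0F) * 4
    outer_hdr = outer_packet[:ihl]
    if ipv4_checksum(outer_hdr) != 0:
        raise ValueError("outer IPv4 header checksum mismatch")
    if outer_hdr[9] != GRE_PROTO:
        raise ValueError("outer packet does not carry GRE")
    flags, ptype = struct.unpack("!HH", outer_packet[ihl:ihl + 4])
    if flags != 0 or ptype != ETHERTYPE_IPV4:  # C/K/S bits would add optional fields we do not parse
        raise ValueError("unsupported GRE header")
    total_len = struct.unpack("!H", outer_hdr[2:4])[0]
    return outer_packet[ihl + 4:total_len]

# Constructed sample: a private-addressed passenger packet crossing a public carrier network.
INNER_PACKET = ipv4_header("10.1.1.10", "10.2.2.20", 17, 8) + b"payload!"
OUTER_PACKET = gre_encapsulate(INNER_PACKET, "198.51.100.1", "203.0.113.1")

if __name__ == "__main__":
    print(f"outer {len(OUTER_PACKET)} bytes, inner recovered: {gre_decapsulate(OUTER_PACKET) == INNER_PACKET}")
```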




Part III: Virtual Private Networks (VPNs)