
The LAN Modem and Virtual Private Networks

Last Update: 8 June '99

Overview: Using the LAN Modem to create a VPN

VPN Network Diagram

Why use a Virtual Private Network?

Imagine a company that has its head office in the USA and a branch office in Europe. Without a VPN, every time anyone in Europe needs to access files on a server in the USA, a connection must be established to the USA. In the past, companies have relied on permanent connections (leased lines) or dial-up connections between Europe and the USA. These solutions are very expensive and difficult to manage.

With the growth of the Internet, companies can now use the Internet as the backbone for their data. By connecting the head office server to the Internet, anyone can dial a local Internet Point-of-Presence (POP) to reach the server, which reduces the cost of long-distance connections.

Using the Internet as a company data backbone is a great idea, except that the Internet only routes IP (Internet Protocol), and anyone can read confidential company information very easily. The solution is to create a Virtual Private Network (VPN). A VPN (or tunnel, as it is sometimes called) provides a secure, encrypted tunnel between the workstation and the tunnel terminator, and it allows multi-protocol traffic (for example, IPX or AppleTalk) to pass between the two endpoints.


What protocols are used by VPN software?

The earliest VPN software uses the Point-to-Point Tunneling Protocol (PPTP). A more secure and improved tunneling protocol called Layer 2 Tunneling Protocol (L2TP) has been defined, and is currently being implemented by a large number of network companies. Some VPN software companies (like CheckPoint, Fortress Technologies, Network Telesystems and many more) use a variation of these protocols, or have implemented proprietary VPN protocols. It is important that both ends of the tunnel use the same tunneling protocol.

3Com has a number of products capable of supporting VPNs, such as the NETBuilder and PathBuilder.

PPTP uses GRE (Generic Routing Encapsulation) to transport data and TCP port 1723 for the control connection. Most other VPN software, but not IPSec, uses UDP (User Datagram Protocol) for transport. The LAN Modem cannot terminate tunnels, but it can pass VPN data between VPN clients and servers: it supports GRE (used by PPTP) and UDP (used by L2TP and other VPN software). IPSec is only supported if Network Address Translation (NAT) is not used.

VPN Protocols diagram


What software can I use to create a VPN?

To create a VPN, you need server software and client software. The server software runs on the server attached to the Internet and can normally terminate multiple tunnels. Client software normally runs on workstations and is used to initiate a single tunnel. Some routers have VPN software built in and can initiate or terminate a tunnel without any additional software. The LAN Modem cannot act as a tunnel endpoint; tunnels must be initiated by workstations on the LAN.

There are many companies offering VPN software. Microsoft offers PPTP-based VPN software; clients use Dial Up Networking 1.3 and the server uses PPTP server software. 3Com's Enterprise OS platforms (the NETBuilder family and the PathBuilder S5xx series) can both terminate these PPTP tunnels.


Why is IPSec different?

When Network Address Translation (NAT) is enabled, IPSec will not work. When the LAN Modem connects to an Internet Service Provider, it dynamically receives a single IP address from the ISP. It then translates the multiple local IP addresses to this single IP address. This is easy for outbound packets; all local IP addresses map to a single external IP address. When the LAN Modem receives an inbound packet, it has to route the packet to the correct workstation. To do this, it keeps track of the port numbers used for outbound packets, and uses the same port numbers to ensure that inbound packets go to the correct workstation.

IPSec, unfortunately, hides the port number from the LAN Modem: ESP encrypts the transport header, so the port is not visible, and AH, although it leaves the port readable, computes its integrity check over the IP header, so a translated source address fails verification at the receiver. To route the packet correctly, the LAN Modem would need to decrypt or re-authenticate the packet, which is not possible because it does not hold the keys. IPSec therefore does not work through NAT with either ESP or AH encapsulation.
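To make the NAT argument concrete, here is an added Python model (not 3Com's code or the LAN Modem's firmware) of the port-tracking translation table described above: UDP replies are mapped back to the right workstation, an ESP reply has no readable port to look up, and an AH integrity value computed over the addresses no longer matches after translation. The ISP, workstation and VPN server addresses, the collision handling and the hash used as a stand-in for the AH integrity value are assumptions.

```python
# Added example (not 3Com's code): toy model of the LAN Modem NAT described above.
import hashlib
from dataclasses import dataclass, field
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP = 6, 17, 50     # IANA protocol numbers

@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: "int | None" = None    # None: port not readable by the router (ESP)
    dport: "int | None" = None
    payload: bytes = b""

@dataclass
class LanModemNat:
    external_ip: str                            # the single ISP-assigned address
    table: dict = field(default_factory=dict)   # (proto, ext_port) -> (lan_ip, lan_port)

    def outbound(self, pkt):
        if pkt.sport is None:
            raise ValueError("no readable port: cannot create a NAT entry")
        ext_port = pkt.sport                    # text: "uses the same port numbers"
        # Assumption beyond the text: if another host holds that port, take the next free one.
        while self.table.get((pkt.proto, ext_port), (pkt.src,))[0] != pkt.src:
            ext_port += 1
        self.table[(pkt.proto, ext_port)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.external_ip, pkt.dst, ext_port, pkt.dport, pkt.payload)

    def inbound(self, pkt):
        if pkt.dport is None:                   # ESP: the port is inside the encrypted payload
            return None
        entry = self.table.get((pkt.proto, pkt.dport))
        if entry is None:                       # unsolicited inbound packet: drop it
            return None
        return Packet(pkt.proto, pkt.src, entry[0], pkt.sport, entry[1], pkt.payload)

def ah_icv(pkt):
    """Stand-in for the AH integrity value: it covers the IP addresses and the payload."""
    return hashlib.sha256(f"{pkt.src}|{pkt.dst}|".encode() + pkt.payload).digest()

def demo():
    nat = LanModemNat("198.51.100.7")                     # constructed ISP-assigned address
    ws, vpn = "192.168.1.10", "203.0.113.5"               # constructed workstation and VPN server
    out = nat.outbound(Packet(IPPROTO_UDP, ws, vpn, 1701, 1701, b"L2TP"))  # L2TP runs over UDP 1701
    back = nat.inbound(Packet(IPPROTO_UDP, vpn, nat.external_ip, 1701, out.sport, b"reply"))
    esp = nat.inbound(Packet(IPPROTO_ESP, vpn, nat.external_ip, payload=b"ciphertext"))
    ah = Packet(IPPROTO_UDP, ws, vpn, 500, 500, b"AH")    # AH leaves the UDP header readable...
    ah_ok = ah_icv(nat.outbound(ah)) == ah_icv(ah)       # ...but the rewritten address breaks the ICV
    return back.dst if back else None, esp, ah_ok        # ("192.168.1.10", None, False)
```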

To make IPSec work, NAT needs to be disabled. To do this, you'll need a range of addresses (a subnet) for your local LAN. The router the LAN Modem dials into should be configured to route all traffic destined for this subnet to the LAN Modem. To disable NAT on the LAN Modem, go to the LAN Modem's main configuration screen. Click on Service Providers and select the Service Provider you wish to connect to. Scroll down the page, until you see Use Network Address Translation (NAT)?. Set this to No, then click Submit at the bottom of the page.


Things to consider when creating a VPN ...

If you are thinking about creating a VPN, there are a few things you should consider:

  1. Most VPN protocols (PPTP included) have a "heartbeat". This is an exchange of packets between the ends of the tunnel to verify that the VPN tunnel still exists. This packet exchange happens every few seconds, and resets the LAN Modem's inactivity timer. This, in turn, means that the LAN Modem won't terminate the call, possibly resulting in a large phone bill.
  2. If the phone line to the Internet Service Provider (ISP) does go down (for whatever reason) and is re-established, the chances are very good that the LAN Modem will be assigned a different IP address by the ISP's router. Most VPN software treats this change of IP address as a security violation, and will require re-authentication.
  3. Microsoft does offer 128-bit encryption for PPTP. You can download this software from their web site. There may be export restrictions on this software.
  4. When running a VPN, there is a great deal of additional overhead and inefficiencies created by the VPN protocol itself, and the transport layers that carry it. As a general rule, you can only expect around half of the connect bandwidth to be available when using a VPN.


How do I create a VPN using Microsoft software?

Microsoft currently provides PPTP support for both Windows '95/'98 and Windows NT. Your NT server must be directly accessible from the Internet.

If your network administrator has already configured your VPN server, skip ahead to Configuring the PPTP clients below to configure the LAN Modem and your workstation.

To create a VPN using Microsoft software, follow these steps:

Configuring the Microsoft PPTP server

Your NT server needs to be directly accessible from the Internet; it will be the tunnel terminator for VPN sessions. To install the PPTP server on your NT server, follow these steps:

  1. Before starting, make sure you have Service Pack 4 loaded on your NT server. You can get this software update from Microsoft's web site.
  2. From the Start Menu on your NT server open the Control Panel. Double-click the Network icon.
  3. Click the Protocols tab, then click on the Add... button.
  4. Select Point to Point Tunneling Protocol and click OK.
  5. Type the path to the location of the setup files in the text box, and click Continue.
  6. Select the number of virtual private networks to establish from the Number of Virtual Private Networks drop-down list box, and click OK.
  7. NOTE: PPTP requires that Remote Access Service (RAS) be configured during the installation of the protocol. Click OK.
  8. (Optional) Change the settings of the installed RAS devices:
    1. Select a modem from those listed in the Port box.
    2. To change the port usage settings, click Configure, select the desired port settings, and click OK.
    3. To change the network protocol settings, click Network..., select the desired protocols, and click OK.
  9. Click Continue.
  10. Click Close.
  11. Click Yes to restart the computer and enable the new settings.

Configuring the PPTP clients

  1. Download PPTP client software for your Windows '95/'98 or NT workstations. This software forms part of Dial-Up Networking (DUN) 1.3, and is a free download. Install the software on each workstation that needs VPN connectivity.
  2. The LAN Modem does not need any special configuration for VPN to work. It will transparently pass the VPN packets to the PPTP server. Configure your LAN Modem to connect to the Internet as you normally would. Refer to the LAN Modem's Getting Started Guide for instructions on how to do this. It is best to verify your connection to the Internet before trying to establish a VPN. Try to ping the PPTP server configured to be your tunnel terminator. Make sure your ISP doesn't block GRE traffic.
  3. Run Dial-Up Networking 1.3 on your workstation. Select Make a New Connection. Enter the name of the computer you are connecting to. Select Microsoft VPN Adapter from the pull-down list. Click on the Next button.

    Make New Connection dialog box

  4. Enter the name or IP address of your PPTP server. Click on the Next button.

    Make New Connection dialog box - IP address

  5. Click on the Finish button to create the Dial-Up Networking VPN entry.
  6. From the Dial Up Networking window, double click on the newly created entry.

    DUN window

  7. Enter the user name and password configured for you on the PPTP server. Click on the Connect button.

    DUN Connect

  8. Dial-Up Networking will initiate the VPN tunnel by sending a packet to the LAN Modem. The LAN Modem will make a call to your Internet Service Provider (ISP), and forward the packet to your PPTP server using the Internet. Once Dial-Up Networking and your PPTP server have negotiated a tunnel between them, you are free to pass data to the remote LAN, as if you were connected to that LAN.

Each workstation that wants to connect to the VPN must run Dial-Up Networking 1.3. Each workstation will create its own tunnel, even though they will all share the same physical connection to the ISP.

For more information on PPTP, take a look at article Q162847 (Troubleshooting PPTP Connectivity Issues in Windows NT 4.0) on Microsoft's web site.

Copyright © 2000 3Com Corporation. All rights reserved.