Assosa University
College of Engineering Electrical & Computer Engineering Department
Post-Graduate (PG) Program
Advanced-Data Communication and Networking (ECEg-6044)
Title: Advanced Network Concepts: VPN
By
Muluken Yadessa
Habtamu Demera
Abraham Gadissa
Mitiku Kelemwork
Submitted to Girma Beka (PHD)
October 2023
Assosa, Ethiopia
Abstract
This paper gives a general overview of virtual private networks (VPNs) and explores some of the main technologies that make
it possible to run VPNs over open Internet networks.
The concept of the virtual private network arose from the requirement for network security. A Virtual Private
Network (VPN) can be defined as a network in which connectivity between multiple customer sites is deployed on a
shared network while preserving the security properties of a private network. Several VPN technologies and protocol
architectures are available: MPLS VPN, IPsec VPN and SSL VPN. With the introduction of Multiprotocol Label
Switching (MPLS), which combines the benefits of Layer 2 switching and Layer 3 routing, it became possible to
construct a technology that combines the benefits of an overlay VPN with the benefits of a peer-to-peer VPN
implementation, in which routing is simple. MPLS VPN simplifies routing and makes a number of topologies easy to
implement that are otherwise difficult. Every architecture has benefits and drawbacks, and each can be implemented
on its own or in combination with the others according to the customer's security requirements and the performance
of the network.
Keywords: Remote access, Routing VPN, Site to site, P2P, QoS, MPLS, Tunneling
Table of Contents
Abstract
1. Introduction
1.1 VPN
1.2 History of VPN
1.3 Why do we use VPNs?
1.4 HOW IT WORKS
1.5 Tunnels
1.6 Types of VPN
1.6.1 Remote access VPN
1.6.2 Site-to-site VPN
2. VPN Routing and Tunneling Protocols
2.1 Tunneling Protocols
2.1.1 Point-to-Point Tunneling Protocol (PPTP)
2.1.2 Layer Two Tunneling Protocol (L2TP)
2.1.3 Internet Protocol Security (IPSec)
2.1.4 Secure Socket Tunneling Protocol (SSTP)
2.2 Routing
2.2.1 Multi-Protocol Label Switching (MPLS)
MPLS-based VPN
Peer-to-Peer VPN
3. Security Measures
3.1 Encryption
3.2 Authentication
3.3 Authorization
4. VPN Network Performance Evaluation
5. Conclusion
1. Introduction
1.1. VPN
A virtual private network (VPN) is the extension of a private network that encompasses links across shared
or public networks like the Internet. A VPN enables you to send data between two computers across a
shared or public internetwork in a manner that emulates the properties of a point-to-point private link. A VPN
server typically has two network interfaces: one connected to the private intranet and the other connected to
the public network.
A VPN is created by establishing a virtual point-to-point connection through the use of tunneling protocols
over existing networks. A VPN available from the public Internet can provide some of the benefits of a
private wide area network (WAN).
To emulate a point-to-point link, data is encapsulated, or wrapped, with a header that provides routing
information allowing it to traverse the shared or public transit internetwork to reach its endpoint. To emulate
a private link, the data being sent is encrypted for confidentiality. The portion of the connection in which
the private data is encapsulated is known as the tunnel. The portion of the connection in which the private
data is encrypted is known as the virtual private network (VPN) connection.
Figure 1: Virtual private network connection
VPN connections allow users working at home or on the road to connect in a secure fashion to a remote
corporate server using the routing infrastructure provided by a public internetwork (such as the Internet).
VPN technology also allows a corporation to connect to branch offices or to other companies over public
internetwork (such as the Internet), while maintaining secure communications. The VPN connection across
the Internet logically operates as a wide area network (WAN) link between the sites.
VPN technology is designed to address issues surrounding the current business trend toward increased
telecommuting and widely distributed global operations, where workers must be able to connect to central
resources and must be able to communicate with each other.
VPN was not the first technology for making remote connections. For years the most common way to connect
computers between multiple offices was a leased line, or a switched digital service such as ISDN (Integrated
Services Digital Network, 128 kbit/s for a basic-rate interface). These are private connections that a
telecommunications company leases to its customers, and they gave a company a way to expand its private
network beyond its immediate geographic area; together they form a single wide-area network (WAN) for the
business. Leased lines are reliable and private, although their security rests on trusting the carrier, since
the traffic on them is not encrypted. They are also expensive, with costs rising as the distance between offices
increases.
1.2. History of VPN
The technology for implementing VPNs has been in existence for some time. Their origins can be found in
the Virtual Circuit. Virtual circuits are easy to implement in highly connected networks as well as being
cost-effective. We will see that these benefits also apply to VPNs. The virtual circuit was originally
produced in the late seventies and early eighties. The basic structure of the virtual circuit is to create a
logical path from the source port to the destination port. This path may incorporate many hops between
routers for the formation of the circuit. The final, logical path or virtual circuit acts in the same way as a
direct connection between the two ports. In this way, two applications could communicate over a shared
network. Virtual circuit technology progressed with the addition of encryption equipment to router systems.
This new equipment enciphered information between the ports of the virtual circuit. This meant that
attackers would not be able to read information in transit between the communicating entities. Later, other
security technologies were added, such as token authentication. The communication lines were,
unfortunately, still open to attack, and this led to the development of secure communication over a public
network: the VPN.
1.3. Why do we use VPNs?
The major benefit of VPNs, from the customer's point of view, is that they are considerably more cost-effective.
The alternative to VPN technology is the high-speed leased line. These lines are expensive, difficult to
administer and difficult to maintain. Consider also what happens when a leased line fails: communication
between the two parties fails with it until the carrier repairs the line. With VPN technology, however, if a
node or link on the path between the routers goes down, the logical path between the parties is simply
re-routed, transparently to the user.
Using the Internet as the backbone therefore gives resilient connectivity, although the Internet is a best-effort
network and offers no guaranteed service level. The Internet provides further benefits for VPN users. Even
extremely remote locations have access to the Internet via dial-up modems, and VPNs provide secure
communication for such dial-in users. Mobile users cannot use leased lines for their communication with the
corporate site, so VPN technology is the practical solution to this problem.
1.4. HOW IT WORKS
To use the Internet as a private wide area network, organizations have to overcome two main hurdles.
First, private networks often use a variety of protocols, such as IPX, but the Internet carries only IP traffic,
so a VPN may need to provide a way to pass non-IP protocols from one network to another.
Second, data packets travelling the Internet are transported in clear text, so anyone who can observe
Internet traffic can also read the data contained in the packets. This is clearly a problem if companies want
to use the Internet to pass important, confidential business information. VPNs overcome these obstacles with
a strategy called tunnelling. Instead of packets crossing the Internet in the open, data packets are first
encrypted and integrity-protected, then encapsulated in an IP packet by the VPN and tunneled through the
Internet.
1.5. Tunnels
The central concept of a VPN is tunneling: a private virtual path created between two endpoints across the
public network. Tunnelling, or encapsulation, is the technique of packaging one network packet inside
another. The encapsulated packet is called the tunneled (inner) packet and the outer, encapsulating packet is
called the transport packet. In a VPN tunnel the entire inner packet, including its original IP header, is
protected; which layer does the protecting depends on the protocol (IPsec operates at the network layer, while
PPTP and L2TP carry layer 2 PPP frames). Like VPNs, the concept of encapsulation has been available for
many years; it has been used to bridge portions of the Internet that have disjoint capabilities or policies. The
tunnel behaves like a single virtual link (one router hop) laid over the IP network. The method of
encapsulation is simple: an outer IP header is added in front of the original header, and between the two sits
the security information specific to the tunnel (for IPsec, the ESP header). The outer header specifies the
source and destination, the "endpoints", of the tunnel, while the inner header identifies the original sender
and the recipient of the packet.
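The encapsulation described above, as an added worked example that is not part of the original paper: a minimal IPv4 header builder and parser (with the RFC 1071 header checksum) used to wrap a whole inner packet in an outer "transport" header, the way IP-in-IP (protocol 4) does it, and to unwrap it at the far tunnel endpoint. The addresses, the UDP sample datagram and the tunnel endpoints are constructed for the example; the outer header here carries no security information, so the ESP header that a real VPN would insert between the two headers is left out and only the addressing relationship (outer = tunnel endpoints, inner = original hosts) is shown.

```python
import struct
from ipaddress import IPv4Address

IPPROTO_IPIP = 4    # protocol number for "IP in IP" encapsulation (RFC 2003)
IPPROTO_UDP = 17


def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]   # fill checksum field
    return hdr + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse an IPv4 header, verifying version, header length and checksum."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl or checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header length or checksum")
    (_, _, total_len, _, _, ttl, proto, _, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if total_len > len(packet):
        raise ValueError("truncated packet")
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel entry: wrap the whole inner packet in an outer (transport) IPv4 header."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner)


def decapsulate(transport: bytes, my_tunnel_addr: str) -> bytes:
    """Tunnel exit: check the outer header is ours, strip it, return the inner packet."""
    outer = parse_ipv4(transport)
    if outer["dst"] != my_tunnel_addr:
        raise ValueError("outer packet is not addressed to this tunnel endpoint")
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("outer packet does not carry a tunneled IP packet")
    return outer["payload"]


# Constructed sample: a host on the 10.1.0.0/16 site sends a UDP datagram
# (8-byte UDP header plus "hello") to a host on the 10.2.0.0/16 site.
UDP_SAMPLE = struct.pack("!HHHH", 1234, 53, 13, 0) + b"hello"
INNER = build_ipv4("10.1.0.5", "10.2.0.9", IPPROTO_UDP, UDP_SAMPLE)
# Tunnel endpoints are documentation addresses chosen for the example.
TRANSPORT = encapsulate(INNER, "198.51.100.1", "203.0.113.7")

if __name__ == "__main__":
    outer = parse_ipv4(TRANSPORT)
    print("outer %s -> %s proto %d" % (outer["src"], outer["dst"], outer["proto"]))
    inner = parse_ipv4(decapsulate(TRANSPORT, "203.0.113.7"))
    print("inner %s -> %s proto %d" % (inner["src"], inner["dst"], inner["proto"]))
```

The transit network only ever routes on the outer header, so the private 10.x addresses never have to be routable on the Internet; the check in `decapsulate` that the outer destination is this endpoint, and that the protocol field is what the tunnel expects, is the minimum a tunnel endpoint must do before trusting the inner packet.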
1.6. Types of VPN
1.6.1 Remote access VPN
A remote access VPN connection is made by a remote access client: a single computer user who connects to a
private network from a remote location. The VPN server provides access to the resources of the network to
which it is connected. The packets sent across the VPN connection originate at the VPN client. The VPN
client authenticates itself to the VPN server and, for mutual authentication, the VPN server also authenticates
itself to the VPN client.
This arrangement is also known as dial-up networking. As the name suggests, a remote access VPN is used
when employees, for example, want to connect to the company network (LAN) from various external
locations. The protocols most commonly used for remote access VPNs are PPTP, L2TP, IPsec and SSL VPN.
1.6.2 Site-to-site VPN
A site-to-site VPN connection connects two portions of a private network or two private networks. It is used
when a company wishes to connect distant branches together. This type calls for larger-scale devices and
gateway-level encryption. Site-to-site VPNs fall into two categories, intranet VPN and extranet VPN. An
intranet VPN links sites belonging to the same organization (the branches of one company), while an
extranet VPN links the organization to external parties such as customers or suppliers. These VPN protocols
establish a network connection between two or more of an organization's offices over a shared medium such
as the Internet, to transmit network traffic securely. The protocols most commonly used for site-to-site VPNs
are GRE, MPLS VPN and IPsec; since GRE itself provides no encryption, GRE tunnels are normally protected
with IPsec.
2. VPN Routing and Tunneling Protocols
2.1. Tunneling Protocols
To guarantee compatibility and interoperability between different VPN implementations, the tunneling
protocols that support VPNs must be standardized.
A VPN can be built on three PPP-based protocols for encapsulating IP packets over a public network such as
the Internet: Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol (L2TP) and Secure
Socket Tunneling Protocol (SSTP); IPsec, described below, is the fourth option and is also what L2TP relies on
for encryption. PPTP, L2TP and SSTP all build on features that were originally designed for the Point-to-Point
Protocol (PPP). PPP was created for communication over point-to-point links such as dial-up and dedicated
circuits; it encapsulates IP (and other network-layer) packets in PPP frames and transmits them across the
link. These three protocols are mainly used with Windows servers, as they are the ones documented in the
Microsoft library.
2.1.1 Point to Point Tunneling Protocol (PPTP)
A PPTP VPN server has two interfaces, one on the Internet and one on the intranet. PPTP allows
multiprotocol data to be encapsulated in PPP frames, which are in turn carried in IP datagrams and sent
across the Internet. PPTP uses a TCP connection (port 1723) for tunnel management and Generic Routing
Encapsulation (GRE) for encapsulating the tunnelled data. The encapsulated PPP frames can be encrypted,
compressed, or both.
PPTP's encryption is considered weak. Confidentiality comes from Microsoft Point-to-Point Encryption
(MPPE), whose RC4 keys are derived from the MS-CHAP authentication exchange; because a captured
MS-CHAPv2 handshake can be broken offline, PPTP should not be relied on to protect sensitive traffic.
Figure 1: Structure of a PPTP Packet, Adapted from Microsoft Library.
2.1.2 Layer Two Tunneling Protocol (L2TP)
L2TP is included with the Windows TCP/IP stack and must be supported by both the VPN client and the VPN
server. L2TP relies on Internet Protocol security (IPsec) in transport mode for encryption; the combination is
known as L2TP/IPsec. Multiprotocol encrypted data can be sent over any medium that supports point-to-point
datagram delivery, such as IP or asynchronous transfer mode (ATM). Encapsulation of L2TP/IPsec packets
consists of two layers, L2TP and IPsec. In the first layer an L2TP header and a UDP header (port 1701) are
added to the PPP frame. In the second layer an IPsec Encapsulating Security Payload (ESP) header and trailer,
which provide confidentiality and message integrity/authentication, are added around the L2TP message, and
finally an IP header whose source and destination addresses are those of the VPN client and VPN server.
Like PPTP, L2TP relies on PPP for user authentication. It is a layer 2 tunnel and by itself provides neither
encryption nor integrity checking of the tunneled data; it relies on IPsec ESP for both. L2TP/IPsec is therefore
considered considerably more secure than PPTP.
Figure 2 Structure of an L2TP packet, Adapted from Microsoft Library.
Figure 3: Encryption of L2TP Traffic with IPsec ESP, Adapted from Microsoft Library.
2.1.3 Internet Protocol Security (IPSec)
IPsec is a Layer 3 protocol standard that supports the secure transfer of information across IP internetworks.
It is a suite of protocols that provides encryption, authentication and integrity of data, and it is considered a
very strong VPN protocol.
There are three main components in IPsec:
1. Authentication Header (AH)
2. Encapsulating Security Payload (ESP)
3. Internet Key Exchange (IKE)
In IPsec, data integrity, origin authentication and anti-replay protection are provided by the Authentication
Header (AH); AH does not encrypt, and because its integrity check covers the IP header it does not survive
NAT, so it is rarely deployed. Encapsulating Security Payload (ESP) provides confidentiality (encryption) in
addition to integrity, authentication and anti-replay protection. Internet Key Exchange (IKE) authenticates the
two peers, negotiates the algorithms and keys, and establishes and maintains the security associations (SAs)
that AH and ESP use. Both AH and ESP can run in transport mode (protecting only the payload of the original
packet) or tunnel mode (protecting the entire original packet behind a new outer IP header, as used for
site-to-site VPNs).
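The anti-replay service that AH and ESP share, as an added worked example (not code from the paper or from any IPsec implementation): the sliding window of RFC 4303 section 3.4.3, with the inbound processing order that matters for security: the cheap window check first, then the integrity check value (ICV), and only then the window update, so that a forged packet cannot advance the window. The ESP packets are constructed inline with an HMAC-SHA-256-128 ICV over the SPI, sequence number and body; encryption and the ESP trailer are deliberately left out, the body standing in for the encrypted payload, and the key and SPI are made-up values.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16   # HMAC-SHA-256-128: SHA-256 HMAC truncated to 128 bits (RFC 4868)


class AntiReplayWindow:
    """Sliding anti-replay window for one inbound SA (RFC 4303 section 3.4.3).

    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    records whether sequence number top - i has already been received.
    """

    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.size, self.top, self.bitmap = size, 0, 0

    def check(self, seq: int) -> bool:
        """Cheap pre-check, done BEFORE the ICV is verified. Does not modify state."""
        if seq == 0:                      # the first packet on an SA is number 1
            return False
        if seq > self.top:                # to the right of the window: new
            return True
        offset = self.top - seq
        if offset >= self.size:           # to the left of the window: too old
            return False
        return not (self.bitmap >> offset) & 1   # inside window: replay if bit set

    def update(self, seq: int) -> None:
        """Record `seq` as received. Only call this AFTER the ICV verified."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def esp_icv(key: bytes, spi: int, seq: int, body: bytes) -> bytes:
    """ICV over the ESP header (SPI, sequence number) and the protected body."""
    return hmac.new(key, struct.pack("!II", spi, seq) + body, hashlib.sha256).digest()[:ICV_LEN]


def build_esp(key: bytes, spi: int, seq: int, body: bytes) -> bytes:
    """ESP packet: SPI | sequence number | body | ICV. (Encryption and the ESP
    trailer are omitted; `body` stands in for the encrypted payload.)"""
    return struct.pack("!II", spi, seq) + body + esp_icv(key, spi, seq, body)


def receive_esp(window: AntiReplayWindow, key: bytes, packet: bytes) -> str:
    """Inbound order from RFC 4303: replay check, ICV check, then window update."""
    spi, seq = struct.unpack("!II", packet[:8])
    if not window.check(seq):
        return "rejected: replay or stale"
    body, icv = packet[8:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(icv, esp_icv(key, spi, seq, body)):
        return "rejected: bad ICV"       # window is NOT updated for forged packets
    window.update(seq)
    return "accepted"


def demo() -> list:
    """Constructed traffic on one SA: in-order packets, a replay, a forgery, a jump."""
    key, spi = b"constructed-sa-integrity-key", 0x1001   # made-up values
    window = AntiReplayWindow(64)
    out = []
    p1, p2, p3 = (build_esp(key, spi, n, b"payload-%d" % n) for n in (1, 2, 3))
    out += [receive_esp(window, key, p) for p in (p1, p2, p3)]                   # 3x accepted
    out.append(receive_esp(window, key, p2))                                     # replay of seq 2
    out.append(receive_esp(window, key, build_esp(b"wrong-key", spi, 4, b"forged")))     # bad ICV
    out.append(receive_esp(window, key, build_esp(key, spi, 4, b"payload-4")))   # seq 4 still usable
    out.append(receive_esp(window, key, build_esp(key, spi, 100, b"payload-100")))  # window jumps
    out.append(receive_esp(window, key, build_esp(key, spi, 30, b"payload-30")))    # 70 behind: stale
    out.append(receive_esp(window, key, build_esp(key, spi, 50, b"payload-50")))    # late but in window
    out.append(receive_esp(window, key, build_esp(key, spi, 50, b"payload-50")))    # replay
    return out


if __name__ == "__main__":
    for i, result in enumerate(demo(), 1):
        print(i, result)
```

Two details carry the security weight: the window is only moved after the ICV verifies (otherwise an attacker who can inject packets with a high sequence number could make the receiver discard the sender's genuine traffic as "stale"), and a packet that is merely out of order (seq 50 arriving after seq 100) is still accepted once, while its second copy is not.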
2.1.4 Secure Socket Tunneling Protocol (SSTP)
Some firewalls and web proxies block PPTP and L2TP/IPsec, so the Secure Socket Tunneling Protocol (SSTP)
was introduced to pass traffic through them: it tunnels PPP over HTTPS on TCP port 443. PPP frames are
encapsulated and sent over a TCP connection (port 443) that is also used for tunnel management, and the SSTP
messages are protected by the SSL/TLS channel of the HTTPS session, so the tunnel is only as strong as the
TLS configuration and the server certificate validation behind it.
PPTP, L2TP and SSTP all carry PPP frames, so the common features of PPP, such as the authentication
schemes, Internet Protocol version 4 (IPv4) and version 6 (IPv6) negotiation, and Network Access Protection
(NAP), are the same for all three tunnel types.
2.2. Routing
2.2.1 Multi-Protocol Label Switching (MPLS)
MPLS provides efficient forwarding, routing and switching of traffic flows through a network. It is a
technology for the delivery of IP services, and it offers highly scalable, advanced IP services end to end with
simpler configuration and management for both service providers and customers. MPLS belongs to the family
of packet-switching technologies and was designed to overcome the limitations of IP-based forwarding.
In a traditional IP network, each router performs an IP lookup, determines the next hop from its routing
table and forwards the packet, creating overhead at every router. MPLS, on the other hand, makes forwarding
decisions based entirely on the contents of a label, without examining the packet itself.
Instead of IP or MAC addresses, MPLS works with small labels. These labels are inserted between the layer 2
and layer 3 headers, so MPLS is often described as a "layer 2.5" protocol. Forwarding decisions are based on
these labels rather than on lookups in large IP routing tables, which reduces overhead and makes forwarding
more efficient.
The MPLS label stack is inserted between the IP header (layer 3) and the layer 2 header of the particular link
technology. Each label stack entry is 32 bits long, as shown in Figure 4. The first field is a 20-bit label value
(written in decimal; values 0 to 15 are reserved). The second field is the 3-bit Traffic Class (TC) field,
originally named EXP (experimental), used for QoS marking. The 1-bit Bottom of Stack (S) field is set to 1 on
the last entry of the stack and 0 otherwise. The last field is an 8-bit Time to Live (TTL), decremented at each
hop like the IP TTL so that looping packets are eventually discarded.
Figure 4: MPLS label format
MPLS-based VPN
A Multi-Protocol Label Switching (MPLS) VPN is a flexible method of transporting and routing several types of
network traffic over an MPLS backbone. MPLS VPNs combine MPLS with the Border Gateway Protocol (BGP):
MPLS forwards packets across the provider's backbone, and BGP (specifically multiprotocol BGP carrying the
VPN-IPv4 address family, as specified in RFC 4364) distributes the customer routes between provider edge
routers.
It is deployed by ISPs in their network cloud and has no direct linkage with the customer's internal routing.
An MPLS VPN is a VPN built on an MPLS-based core network: all the customer's sites communicate with each
other through the MPLS-enabled provider network, and the MPLS label stack forms the tunnel in this
scenario. Note that MPLS itself encrypts nothing; the separation between customers is logical, and a customer
who needs confidentiality from the provider must run IPsec on top of the MPLS VPN.
Forwarding Equivalence Class (FEC)
A forwarding equivalence class is a group of IP packets that are forwarded in the same way. Packets within
an FEC are equivalent in terms of forwarding: same destination, same path and same class of service.
When a packet enters an MPLS domain, it is assigned to a specific FEC. The FEC determines the label and the
forwarding path assigned to the packet. In the MPLS forwarding paradigm, once a packet has been assigned to
a FEC, subsequent routers perform no further header analysis; all forwarding is driven by the labels.
An MPLS virtual private network (VPN) is composed of the following equipment:
Customer Edge (CE) routers: placed on the customer site and usually owned by the enterprise customer.
Some service providers also supply the CE equipment for a small rental fee.
Provider Edge (PE) routers: the provider's edge routers to which the CE routers connect. PE routers are
always owned by the service provider.
Provider (P) routers: commonly referred to as "transit routers", these sit in the service provider's core
network and switch labels only; they hold no customer routes.
Routing information is passed from the CE router to the PE router using either static routes or a routing
protocol such as BGP. The PE router keeps a per-site forwarding table, known as a virtual routing and
forwarding table (VRF). On the PE, each VRF serves an interface or set of interfaces belonging to one VPN,
so customers with overlapping private address space can share the same PE without their routes mixing.
Each VRF is configured by the service provider and is isolated from the others. Routers within the MPLS VPN
network do not share VRF contents directly; PE routers exchange VPN routes through MP-BGP, where each
route carries a route distinguisher (RD) that keeps overlapping prefixes distinct, and a VPN label that tells the
egress PE which VRF to use when the packet arrives.
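The label format of section 2.2.1 and the VRF separation just described, in one added worked example that is not part of the original paper: an encoder and decoder for RFC 3032 label stack entries (20-bit label, TC, bottom-of-stack bit, TTL), plus a toy ingress PE that chooses the VRF from the customer-facing interface, does a longest-prefix match inside that VRF only, and pushes a two-label stack (transport label to the egress PE, then the VPN label), and a toy egress PE that uses the VPN label alone to pick the VRF. The interfaces, prefixes, PE names and label values are constructed; two customers are given the same private prefix on purpose to show why the interface-to-VRF binding, not the IP header, decides where a packet goes.

```python
import struct
from ipaddress import ip_address, ip_network


def encode_label(label: int, tc: int = 0, s: int = 0, ttl: int = 64) -> bytes:
    """Pack one 32-bit label stack entry: label(20) | TC(3) | S(1) | TTL(8) (RFC 3032)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | ((tc & 7) << 9) | ((s & 1) << 8) | (ttl & 0xFF))


def decode_stack(data: bytes):
    """Unpack label stack entries until the Bottom-of-Stack bit; return (entries, payload)."""
    entries, off = [], 0
    while True:
        if off + 4 > len(data):
            raise ValueError("label stack has no bottom-of-stack entry")
        word, = struct.unpack("!I", data[off:off + 4])
        entries.append({"label": word >> 12, "tc": (word >> 9) & 7,
                        "s": (word >> 8) & 1, "ttl": word & 0xFF})
        off += 4
        if entries[-1]["s"]:
            return entries, data[off:]


# Constructed PE configuration. Two customers use the same private prefix,
# 10.1.0.0/16, on this PE; they are kept apart because each customer-facing
# interface is bound to its own VRF, and each VRF has its own routes.
VRF_BINDINGS = {"Gi0/1": "CUST-A", "Gi0/2": "CUST-B"}

# VRF routes: prefix -> (egress PE, transport label to that PE, VPN label
# advertised by that PE for this prefix). All values are assumed for the example.
VRF_ROUTES = {
    "CUST-A": [(ip_network("10.1.0.0/16"), "PE2", 24, 16001)],
    "CUST-B": [(ip_network("10.1.0.0/16"), "PE3", 25, 16002),
               (ip_network("10.2.0.0/16"), "PE3", 25, 16003)],
}

# At the egress PE the VPN label, not the inner IP header, selects the VRF.
VPN_LABEL_TO_VRF = {16001: "CUST-A", 16002: "CUST-B", 16003: "CUST-B"}


def pe_ingress(interface: str, dst_ip: str, ip_packet: bytes, ttl: int = 64):
    """Ingress PE: pick the VRF from the interface, do a longest-prefix match in
    that VRF only, and push [transport label, VPN label] in front of the packet."""
    vrf = VRF_BINDINGS.get(interface)
    if vrf is None:
        raise LookupError("interface %s is not bound to any VRF" % interface)
    dst, best = ip_address(dst_ip), None
    for prefix, pe, transport, vpn in VRF_ROUTES[vrf]:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, pe, transport, vpn)
    if best is None:
        return None                     # no route in this VRF: the packet is dropped
    _, pe, transport, vpn = best
    stack = encode_label(transport, s=0, ttl=ttl) + encode_label(vpn, s=1, ttl=ttl)
    return pe, stack + ip_packet


def pe_egress(labeled: bytes):
    """Egress PE after penultimate-hop popping: one label left, which must be the
    VPN label; it identifies the VRF in which the inner packet is forwarded."""
    entries, payload = decode_stack(labeled)
    if len(entries) != 1:
        raise ValueError("expected exactly the VPN label at the egress PE")
    label = entries[0]["label"]
    if label not in VPN_LABEL_TO_VRF:
        raise LookupError("unknown VPN label %d" % label)
    return VPN_LABEL_TO_VRF[label], payload


if __name__ == "__main__":
    for iface in ("Gi0/1", "Gi0/2"):
        pe, pkt = pe_ingress(iface, "10.1.5.5", b"<ip packet>")
        print(iface, "->", pe, [e["label"] for e in decode_stack(pkt)[0]])
```

The same destination, 10.1.5.5, arriving on Gi0/1 leaves for PE2 with VPN label 16001, and arriving on Gi0/2 leaves for PE3 with label 16002; nothing in the customer's packet can steer it into the other customer's VRF, which is the isolation property an MPLS VPN provides (and, as noted above, it is isolation only, not confidentiality).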
Peer-to-Peer VPN
Peer-to-peer (P2P) VPN systems allow only mutually trusted peers to participate. This can be achieved by using
a central server, such as a connection hub, to authenticate clients. Tunneling is the network technique that
enables the encapsulation of one type of protocol packet within the datagram of a different protocol.
For example, Windows VPN connections can use Point-to-Point Tunneling Protocol (PPTP) packets to
encapsulate and send private network traffic, such as TCP/IP traffic, over a public network such as the
Internet.
The VPN server can be configured to use either Windows or Remote Authentication Dial-In User Service
(RADIUS) as its authentication provider. If Windows is selected, the credentials sent by users attempting VPN
connections are authenticated with the usual Windows authentication mechanisms, and the connection
attempt is authorized using the VPN client's user account properties and the local remote access policies.
3. Security Measures
Many security measures are used with VPN technology to protect the tunnel and to carry sensitive data
reliably across unsafe (public) media. Some of those mechanisms include the following:
3.1. Encryption
Encryption is used when the sender wants the data to be readable only by the intended receiver. The sender
encrypts the data with a key, and the receiver cannot decrypt it without the correct decryption key. According
to Gupta & Meta (2003), there are two main methods of encryption: the traditional (symmetric) scheme and
the public key scheme. In the traditional scheme both sender and receiver use the same shared secret key to
encrypt and decrypt the data; the Data Encryption Standard (DES) and its successor AES are examples, and
symmetric ciphers of this kind are what actually encrypt VPN traffic. The public key scheme uses two keys,
one called the public key and the other the private key. Anyone on the network can use a user's public key to
encrypt data for that user, but each public key has a corresponding private key, held only by its owner,
which is needed to decrypt the message. RSA is an example of a public key algorithm, and Pretty Good Privacy
(PGP) is a system that combines both schemes: a symmetric key encrypts the message and the public key
scheme protects that symmetric key. VPNs follow the same hybrid pattern, with public key or pre-shared key
authentication in IKE establishing the symmetric session keys.
3.2. Authentication
Authentication is the procedure that verifies the identity of the party at the other end of the connection and,
for each message, confirms its integrity and its source, so that a VPN only admits genuine users and only
accepts traffic that has not been tampered with. In its simplest form it asks for a username and password
before access to the specified data is granted; it can also be based on secret-key cryptography (shared keys)
or public-key cryptography (certificates).
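The password-based authentication that PPP provides to PPTP and L2TP tunnels, and the mutual authentication mentioned in section 1.6.1, as an added worked example that is not from the paper: both sides of the PPP Challenge Handshake Authentication Protocol (CHAP, RFC 1994), with the Challenge and Response packets built and parsed on the wire format, the response value computed as MD5(Identifier || secret || challenge), and an authenticator that issues a fresh random challenge each time and lets each challenge be answered only once, so a captured response cannot be replayed. The peer names and the shared secret are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2


def chap_packet(code: int, ident: int, value: bytes, name: bytes) -> bytes:
    """CHAP packet: Code | Identifier | Length | Value-Size | Value | Name (RFC 1994)."""
    body = struct.pack("!B", len(value)) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_chap(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or len(pkt) < 5:
        raise ValueError("bad CHAP packet length")
    vsize = pkt[4]
    return code, ident, pkt[5:5 + vsize], pkt[5 + vsize:]


def chap_hash(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Response value = MD5(Identifier || secret || challenge); the secret never crosses the wire."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Authenticator:
    """The side that issues challenges and verifies responses."""

    def __init__(self, name: bytes, secrets: dict):
        self.name, self.secrets = name, secrets   # secrets: peer name -> shared secret
        self.pending, self.next_id = {}, 0

    def challenge(self) -> bytes:
        ident, self.next_id = self.next_id, (self.next_id + 1) & 0xFF
        self.pending[ident] = os.urandom(16)      # fresh, unpredictable challenge
        return chap_packet(CHAP_CHALLENGE, ident, self.pending[ident], self.name)

    def verify(self, response: bytes) -> bool:
        code, ident, value, peer = parse_chap(response)
        if code != CHAP_RESPONSE:
            return False
        challenge = self.pending.pop(ident, None)  # each challenge answered at most once
        secret = self.secrets.get(peer)
        if challenge is None or secret is None:
            return False
        return hmac.compare_digest(value, chap_hash(ident, secret, challenge))


def respond(challenge_pkt: bytes, my_name: bytes, secret: bytes) -> bytes:
    """The peer being authenticated: answer a challenge with its own name."""
    code, ident, value, _ = parse_chap(challenge_pkt)
    if code != CHAP_CHALLENGE:
        raise ValueError("not a CHAP challenge")
    return chap_packet(CHAP_RESPONSE, ident, chap_hash(ident, secret, value), my_name)


def mutual_auth():
    """Constructed run: each side authenticates the other (CHAP in both directions),
    then a captured response is replayed and a wrong secret is tried; both fail."""
    shared = b"constructed-shared-secret"                       # made-up secret
    server = Authenticator(b"vpn-server", {b"alice": shared})
    client = Authenticator(b"alice", {b"vpn-server": shared})
    c1 = server.challenge()                                    # client -> server
    r1 = respond(c1, b"alice", shared)
    client_ok = server.verify(r1)
    c2 = client.challenge()                                    # server -> client
    server_ok = client.verify(respond(c2, b"vpn-server", shared))
    replay_ok = server.verify(r1)                              # same response again
    wrong_ok = server.verify(respond(server.challenge(), b"alice", b"guess"))
    return client_ok, server_ok, replay_ok, wrong_ok


if __name__ == "__main__":
    print("client ok, server ok, replay ok, wrong secret ok:", mutual_auth())
```

CHAP keeps the secret off the wire, but an attacker who captures one challenge/response pair can run an offline dictionary attack against a weak password, which is why the strength of the VPN password matters and why the MS-CHAPv2 variant that PPTP uses (whose DES-based response can be recovered by brute force) is the weak point noted in section 2.1.1.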
3.3. Authorization
Authorization takes place after the user has been authenticated and granted access; it is responsible for
granting or denying access to the individual resources located on the network.
4. VPN Network Performance Evaluation
Research on network performance in a VPN context has been carried out previously. The key finding was
that in most cases there was a noticeable variation in delay and network throughput: throughput at the
destination host was lower than at the traffic source, and traffic experienced proportionally higher delays.
VPNs play an important role in industry in the sense that they keep people productive: from anywhere one
can connect back to the office and use its resources. However, in terms of performance a VPN-based system
is relatively slow compared with a direct LAN connection.
The main factors affecting performance are the security services in use, the algorithms, the hardware and the
software, to name a few; the higher the security level, the higher the system overhead. Furthermore, the
parameters to be considered during network performance evaluation include bandwidth, latency (delay),
throughput and jitter.
5. Conclusion
With the help of VPN technology, businesses can connect to other businesses or branch offices via a public
network while retaining secure communications. The current business trend toward more telecommuting
and dispersed worldwide operations presents challenges, including the need for employees to connect to
centralized resources and to interact with one another; VPN technology is designed to address these concerns.
This article has given a general overview of VPNs and outlined the fundamental requirements for practical
VPN technologies, including user authentication, address management, data encryption, key management
and support for multiple protocols. It has described how these requirements are met by layer 2 and layer 3
protocols, particularly PPTP, IPsec and L2TP.