CHAPTER 5
Site-to-Site VPNs
The IP Security (IPsec) virtual private network (VPN) is an essential tool for providing a secure network for business communication. This chapter addresses the different protocols and algorithms that IPsec uses and the different security services that IPsec provides. This chapter also introduces the different VPN technologies and examines the various Cisco products available and the best practices that you should use with them.
VPN Overview Historically, a VPN was an IP tunnel. Therefore, a generic routing encapsulation (GRE) tunnel is technically a VPN, even though GRE does not encrypt. Point-to-Point Tunnel Protocol (PPTP) is another good example of a VPN. With PPTP, a client makes a Point-toPoint Protocol (PPP) dial-up connection to an Internet service provider (ISP). Once connected to the ISP, the client sends IP packets, which carries PPP frames. This second connection is established from the client to the PPTP server at his corporate head office, as an example. Encapsulating Versus Decapsulating Versus Tunneling Encapsulation takes place when a data unit is passed to the next layer down on the OSI reference model. When a packet travels from a lower layer to an upper layer, we call this process decapsulation. When a data unit travels sideways in the OSI model, we call that tunneling. PPTP is a tunneling protocol because it is the action of a PPP frame being carried inside of an IP packet, which is in turn encapsulated in a new frame.
Today, the use of a VPN implies the use of encryption. With a VPN, the information from a private network is transported over a public network, such as the Internet, to form a virtual network instead of using a dedicated Layer 2 connection, as shown in Figure 5-1. To remain private, the traffic is encrypted to keep the data confidential. For the purposes of this chapter, a VPN is defined as an encrypted connection between private networks over a public network, usually the Internet.