Applications for IP tunneling

Jun 1, 2008 12:00 PM, By Kevin McNamara, CNE

A VPN can be used to create a secure connection between remote and static locations.

The problem: You need to provide full network access to your crew working at a remote location. Not just the kind of access that allows e-mail or grabbing some files from the server, but direct access to the automation, news systems, remote audio feed and call screening. Sure, most of these can be provided through more traditional routes, but wouldn't it be easier to just give the remote users a secure direct connection to the station network? The answer to this is IP tunneling. A connection established through the IP tunnel is similar to plugging a PC into the network connection at the station. Pretty nice, huh? IP tunnels can operate through any type of wired or wireless network. The document that specifies how IP tunneling works is called RFC2003.

The most common application for IP tunneling is the virtual private network (VPN), which many engineers use regularly to access the company networks when not in the office. Also, if you need to get around a company firewall or feel the need to do some anonymous Web surfing, this is your answer.

The best part of this is that IP tunneling can be implemented for virtually no cost with the many freeware programs that can be downloaded off the Net. In fact, most operating systems already have the necessary software included.

Virtual private networks

The VPN provides a private and secure connection between a remote user and a network over a public network. VPNs can be created through a standard Internet connection or, in some cases, a private WAN. A VPN is designed to work exclusively over IP; however, it will transport other protocols such as NetBEUI and IPX. In reality, the concept behind the VPN has been around for several years, known as IP tunneling. The principle behind IP tunneling is fairly simple: Data is encapsulated within IP packets and can be secured using data encryption and authentication methods.

Originally, the VPN was based on either Point-to-Point Tunneling Protocol (PPTP) developed by Microsoft for PC-to-LAN connections or Layer 2 Forwarding protocol (L2F) developed by Cisco to support LAN-to-LAN communications. Currently, the features of both protocols are combined into a standard known as Layer 2 Tunneling Protocol (L2TP). L2TP supports multiple simultaneous tunnel connections. Other VPN protocols include IP Security (IPSec), a technology developed for firewalls and designed to support the secure transmission of only IP packets; and SOCKS5, which provides a higher level of control, but requires special software running on an independent server and at the client PC location.

IP tunneling

There are essentially three protocols that can deliver IP tunneling.

L2TP was created from the best of two previous specifications: Microsoft's Point-to-Point Protocol (PPP) and Cisco's Layer 2 Forwarding (L2F) protocol. It has a deceptive name since it mimics a network (2) layer, but actually works at the Session (5) Layer. It works by encapsulating the full L2TP packet and header information and transporting it over User Datagram Protocol (UDP) as opposed to the Transport Control Protocol (TCP). It is one of the more common protocols due to the popularity of Cisco products found in most corporate networks. Chances are if you have VPN access, you're using the Cisco VPN client software to gain access.

You might recall that one of the major differences between UDP and TCP is that UDP is considered an unreliable protocol, which means the packets are broadcast without confirmation that they were received at the other end. TCP is considered reliable because receipt of the packets is confirmed, or the source resends until the transfer completes successfully.

Security is also an issue with L2TP, so it is typically combined with IPSec to achieve adequate encryption; this is also known as L2TP/IPSec.

In order to execute an L2TP session, two endpoints must be established: the L2TP Access Concentrator (LAC) and the L2TP Network Server (LNS).

L2TP defines four tunneling modes:

  • Voluntary: Initiated by the user
  • Compulsory tunnel (incoming call): Typically used for most corporate remote VPN connections
  • Compulsory tunnel (remote dial): Initiated from the server
  • L2TP multi-hop connection: Used for routing L2TP connections between multiple LNS and clients

PPTP has been essentially replaced by L2TP and IPSec, but is worthy of mention because PPTP clients are found in all current versions of Microsoft operating systems.

PPTP works by encapsulating the PPP packet with the Generic Routing Encapsulation (GRE) protocol. Security can be provided through Microsoft's Point-to-Point Encryption (MPPE) for VPN applications.

IPSec consists of protocols that define a method to secure IP packets through encryption and decryption. IPSec operates at the network layer (2) in one of two modes: transport and tunneling.

In transport mode only the data portion of the stream is encoded; the routing and control information is left intact. This mode is preferred for host-to-host connections.

In tunneling mode, the entire data packet is encapsulated. This is used for creating a VPN to connect networks or client computers to a network.

IPSec also provides an integrity check, which ensures that no data packets are added, removed or modified. Public encryption keys are used to validate security information.
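The encapsulation described in this section can be seen directly in packet headers. The following is an added example, not part of the original article: it wraps a packet in an outer IP header as RFC 2003 specifies, then identifies which of the tunnel types named above a packet carries, which is how a firewall or monitor recognises tunnel traffic. The IP protocol numbers and ports are the IANA assignments (they are not stated in the article), and the addresses and sample packets are constructed.

```python
import socket
import struct

# IANA IP protocol numbers and well-known ports for the tunnels named above.
IP_PROTO = {4: "IP-in-IP (RFC 2003)", 47: "GRE (PPTP data)", 50: "IPSec ESP", 51: "IPSec AH"}
UDP_PORTS = {1701: "L2TP", 500: "IPSec IKE", 4500: "IPSec NAT-T"}
TCP_PORTS = {1723: "PPTP control"}


def checksum(header: bytes) -> int:
    """Internet checksum (RFC 1071) over an even-length header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Prepend a minimal 20-byte IPv4 header (no options) to payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def udp(sport: int, dport: int, data: bytes = b"") -> bytes:
    """Minimal UDP header; checksum 0 means 'not computed' in IPv4."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def classify(packet: bytes) -> dict:
    """Return outer addresses and the tunnel protocol carried, if recognised."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    ihl, proto = (packet[0] & 0x0F) * 4, packet[9]
    info = {"src": socket.inet_ntoa(packet[12:16]),
            "dst": socket.inet_ntoa(packet[16:20]), "tunnel": IP_PROTO.get(proto)}
    if proto in (6, 17) and len(packet) >= ihl + 4:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        ports = TCP_PORTS if proto == 6 else UDP_PORTS
        info["tunnel"] = ports.get(dport) or ports.get(sport)
    if proto == 4:  # RFC 2003: the payload is a complete inner IP packet
        info["inner"] = classify(packet[ihl:])
    return info


# Constructed samples: a station-LAN packet wrapped for transit, and L2TP.
INNER = ipv4("10.0.0.5", "10.0.1.9", 17, udp(5004, 5004, b"audio"))
IPIP = ipv4("192.0.2.10", "198.51.100.20", 4, INNER)
L2TP = ipv4("192.0.2.10", "198.51.100.20", 17, udp(1701, 1701))
```

With plain IP-in-IP the inner addresses remain readable to anyone on the path; with IPSec ESP the payload is encrypted, so the outer header is all a monitor sees and the classifier cannot tell transport mode from tunneling mode.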

Implementing IP tunnels

Setting up an IP tunnel is a fairly easy and inexpensive task with the myriad of free software found on the Web, but you may already have the proper software included with your operating system. Current Microsoft, Apple and Linux versions should include (or have available for download) the necessary modules that will permit the creation of an IP tunnel. A simple search on the Web will provide a wealth of information that will allow you to load and configure the host and client side of the tunnel. In my search I found a very informative Web page from that describes it well.

On the network server end, the host software could be loaded on your server, but I would recommend dedicating a separate network-connected PC to act as the access point for the IP tunneling processing. This will also make it easier to set security levels for users accessing the network. This is an ideal application for an older machine running Linux.

If you have to bypass a company firewall, freeware programs such as IP Tunnel v1.0 from Feneris Solutions make the job easy and intuitive.

I think you can see the possibilities. IP tunneling goes beyond traditional office applications. It will permit a wide range of applications, including expanded remote capabilities and setting up emergency back-up solutions any place you need to create a reliable, secure connection.



McNamara is president of Applied Wireless, Cape Coral, FL.