Lessons & Learnings

from real life experiences and examples


Moving on to the next part of routing concepts. This is one of my personal favorites. I have literally lived my life configuring and executing this particular concept, which is very interesting and unique in its own way. This chapter is all about this topic - VPN.

Introduction To Virtual Private Networks (VPN):

A virtual private network or VPN extends a private network across a public network, such as the Internet. It enables a computer or network-enabled device to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security and management policies of the private network.
That definition is a bit of a mouthful, isn't it? Let me explain it with an example.

Say you are working from home, where you have your regular broadband Internet connection. Now let's say you want to connect to a file share server that is located inside your office's internal network and is not reachable from the Internet, because it holds various confidential files. How do you get access to it while sitting at home?


The solution is a VPN connection from your machine to your office, so that your machine virtually behaves as if it were inside the office's private network.
Another very important aspect of a VPN is that the connection is always encrypted, so that anyone watching regular traffic on the Internet is not able to sniff your private data.
VPNs are therefore the standard way of building encrypted, secure connections between your private networks over the Internet.

Types of VPN:

Depending on the configuration and setup, VPNs are of two types:

  • Client to Site VPN
  • Site to Site VPN

Client to Site VPN:

A client to site VPN, as the name suggests, follows a server and client model. In this setup a VPN server is configured for a particular site, and authenticated clients are allowed to access the internal network once a successful client to server connection is established.
The clients are usually remote users who are working away from their home office network.


This is how it works:

  • The user has VPN client software installed on their machine.
  • They try to connect to the VPN server from the client.
  • The client asks for credentials.
  • The user provides their VPN credentials.
  • The credentials are validated by the VPN server, and the server provides a client certificate which gets installed on the client machine.
  • The client session is then established with the VPN server. Thus the user gets connected to their registered VPN network.

Various encryption algorithms are used to establish a VPN connection. The most common type used in client to site VPNs is SSL. There are also other types such as IPsec, whose use cases are mostly seen in site to site VPNs.

Site to Site VPN:

A site to site VPN is established between two trusted sites. The reason I have emphasized the word trusted is that both sides need to exchange certain configuration that has to be trusted, since this kind of VPN gives full network access between both sites. The tunnel built between the two sites is, as already said, always encrypted, since it runs over the Internet, which is comparatively not so secure.

Here are the key configuration parameters that have to be configured on both peers. This VPN connectivity is established in two phases:

Phase I:

In this step both sites match three major configuration items that validate that both are authorized to establish an encrypted VPN tunnel over the Internet. These three factors are:
1. Peer IP address of both sides: This is usually the WAN IP of the router or firewall at each end. Each end should have the peer IP of the other end in its configuration. It's like telling your gateway/router who its counterpart is on the other end of the VPN tunnel. In other words, site A should point at the firewall IP of site B and vice versa.
2. Pre-shared key: This is a unique key which is exchanged between both sides in Phase I to authenticate each other. This key is statically configured on both sides and should be exactly the same. It's like a secret code that both peers share.
3. Encryption type: This is the encryption algorithm defined on both sides. Both peers must match their encryption types for Phase I to complete. Various algorithms are used here, such as 3DES, MD5, etc.

Phase II:

This phase deals with the actual data passing through the tunnel. It decides which data is supposed to flow in which direction and whether it should be encrypted or not.
One of the ways it determines the direction of data flow is via certain rules. On Cisco devices these are done via access-lists. These are basically policies that define the source and destination of the data exchanged with the other end.
Like Phase I, Phase II also needs the VPN peer IP and VPN tunnel type to be configured at both sites.
Once Phase II is complete, the data actually starts flowing over the tunnel.
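The three Phase I items and the Phase II access-lists only work when they agree across both peers: each side's peer IP must be the other side's WAN IP, the pre-shared key and policy must be identical, and site B's access-list must be the mirror image of site A's. As an added example (not code from the original page), the Python below parses constructed IOS-style fragments for two peers and reports any mismatch; the addresses, key and config lines are sample values.

```python
import re
from ipaddress import IPv4Network
# Constructed IOS-style fragments for the two peers (sample values, not from the page).
SITE_A = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
crypto isakmp key S3cret-psk address 203.0.113.2
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
"""
SITE_B = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
crypto isakmp key S3cret-psk address 198.51.100.1
access-list 101 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
"""

def parse_site(config):
    """Pull the Phase I and Phase II parameters out of an IOS-style fragment."""
    p = {"encr": None, "hash": None, "psk": None, "peer": None, "acl": set()}
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"encr (.+)$", line):
            p["encr"] = m.group(1)
        elif m := re.match(r"hash (\S+)$", line):
            p["hash"] = m.group(1)
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)$", line):
            p["psk"], p["peer"] = m.group(1), m.group(2)
        elif m := re.match(r"access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            # IOS wildcard masks are host masks, which IPv4Network accepts directly.
            src = IPv4Network(f"{m.group(1)}/{m.group(2)}")
            dst = IPv4Network(f"{m.group(3)}/{m.group(4)}")
            p["acl"].add((str(src), str(dst)))
    return p

def check_pair(cfg_a, wan_a, cfg_b, wan_b):
    # Returns a list of Phase I / Phase II mismatches; an empty list means the peers agree.
    a, b = parse_site(cfg_a), parse_site(cfg_b)
    problems = []
    if a["peer"] != wan_b or b["peer"] != wan_a:
        problems.append("phase1: peer IP on one side is not the other side's WAN IP")
    if a["psk"] != b["psk"]:
        problems.append("phase1: pre-shared keys differ")
    if (a["encr"], a["hash"]) != (b["encr"], b["hash"]):
        problems.append("phase1: encryption/hash policy differs")
    # Phase II: site B's interesting traffic must be the mirror image of site A's.
    if {(dst, src) for src, dst in b["acl"]} != a["acl"]:
        problems.append("phase2: access-lists are not mirror images")
    return problems
```

Running `check_pair(SITE_A, "198.51.100.1", SITE_B, "203.0.113.2")` on the matching fragments returns an empty list; changing the key or narrowing one side's access-list produces the corresponding phase1/phase2 message.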

Now let us do some simple exercises on VPNs. For that you will have to proceed to the next chapter.