cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2525
Views
11
Helpful
11
Replies

Types of Vpn`s`

willowklan1
Level 1
Level 1

Hello everyone,

This is a totally newbie question but here it goes...

In some places it is written the L2TP, PPTP and GRE are types of vpn tunnels, so for example you can create a L2TP dialer and (after authentication) it will form a L2TP tunnel, which you can encapsulate in a GRE tunnel

first of all, what is the need for that? since L2TP can transfer any layer 3 protocol. what do you need the GRE over it?

the other thing is, in some documents there are explanations on configuring a L2TP on the LAC and on the LNS, and of of course as a dialer at the client`s end. no GRE. so... what exactly is it? is it a tunnel? is it a dialer? is it both? what are the differences and when should I prefer one over the other? 

the whole Ipsec/isakamp/encryption/mapping phases are understood well. my whole confusion is those different tunnel/dialer types.

thanks ahead,

Willow

2 Accepted Solutions

Accepted Solutions

Dear friends,

Please allow me to join.

1) what is the difference between L2TP and GRE? they both need the ipsec and are just tunnels, while L2TP is also a dialer using PPP/PPPoe to connect to the ISP...

L2TP is used to encapsulate and tunnel entire Layer2 frames (such as Ethernet, HDLC, PPP, ATM, or Frame Relay) including their payload. GRE is used to encapsulate and tunnel Layer3 packets (such as IPv4 or IPv6). There are other significant differences between GRE and L2TP but at this point, I consider this to be the most important distinction between them. In other words, if you consider a tunnel to be a pipe, then with L2TP, you would be feeding Layer2 frames into this pipe, and with GRE, you would be feeding Layer3 packets into this pipe. The choice of either L2TP or GRE depends on the application - whether you need to tunnel entire frames as they are sent by the source, or whether you just need to tunnel original packets without their link layer encapsulation.

There is actually an exception to the rules above which may make things more confusing. You could also tunnel Layer2 frames across GRE tunnels as well. The trick is in knowing what kind of frame you have tunneled in a GRE packet. If you have a closer look at the format of the basic 4-byte GRE header, the first 2 bytes specify GRE version and flags, and the second 2 bytes have the same meaning as the EtherType field in Ethernet: They identify the payload type of the GRE packet. If there is a valid registered EtherType value for the frame you want to carry across a GRE tunnel then by all means, you can tunnel it. If there is no registered EtherType value then you're in trouble because you cannot just invent a value and put it there - the receiving endpoint may not understand the value, or it may mistake it for another protocol and process the encapsulated frame incorrectly. All common Layer3 protocols have their EtherType registered because they are intended to be carried in Ethernet frames, so with Layer3 packets, we usually don't have a problem. However, not all Layer2 protocols have their EtherTypes because tunneling frames inside other frames is not a common practice. Hence the nature of GRE as a predominantly Layer3-oriented tunneling protocol.

Just for your convenience, you can find the available list of existing EtherType values at

http://standards-oui.ieee.org/ethertype/eth.txt

Neither L2TP nor GRE need IPsec per se. Both tunelling protocols will run happily without IPsec but then, of course, they will carry all data unencrypted and unprotected. IPsec is an add-on to both these protocols to provide security for the data transmission (authentication, confidentiality, integrity, replay attack protection).

By saying that "L2TP is also a dialer using PPP/PPPoE to connect to the ISP" you probably mean the Virtual-PPP interface - am I right? Can you clarify this in more detail?

2) what is the difference beteween point-to-point protocol and point to point tunneling protocol? since they both support non-IP traffic

PPP is a Layer2 protocol and is intended to be run directly over physical network interfaces. It is not a tunneling protocol, rather, it is a data link protocol originally created to be used on serial interfaces of computers and routers. It replaced or supplemented other serial link protocols such as SLIP or HDLC. In terms of OSI model placement, PPP is on the same layer as Ethernet - both run over physical network interfaces and define how two directly connected network interfaces send messages to each other.

PPTP is a tunneling protocol that uses a modification of the GRE protocol and an additional signalling protocol to tunnel PPP frames in IP packets over a routed network. This is the confusing thing about PPTP - it uses GRE to tunnel PPP frames, and only PPP frames. You cannot carry other kinds of traffic over PPTP directly - it wasn't designed to work that way even though the GRE itself would be be capable of doing that. Instead, everything you want to carry over a PPTP tunnel has first to be put into PPP frames, and these will then get GRE-encapsulated and sent over the tunnel to the far end.

The fact that PPP is used inside PPTP does not imply that PPP was invented with PPTP in mind. It's actually the other way around - PPP existed long before PPTP, and creators of PPTP felt that it would be beneficial to use it because it provides for some neat features they would otherwise need to reimplement (authentication, higher protocol negotiation, automatic IP configuration to name a few). The fact that PPP is used inside PPTP does not make PPP alone a tunneling protocol; rather, PPP is just a "victim" of PPTP.

PPTP is not a data link layer protocol as it is not directly used over any kind of physical interface, quite the contrary: PPTP expects that basic IP connectivity (using any kind of of physical and data link layer) between the endpoints is already in place.

3) what about standalone PPTP (no GRE)? why do I want PPTP running inside a GRE? how do I benefit from this? also, why can`t I use PPTP with GRE and ipsec for security, or just PPTP with ipsec?  why should I use L2TP? what is it`s benefits?

PPTP consists internally of a somewhat modified GRE plus an additional control channel running over TCP that provides for the tunnel session setup and teardown. There is no such thing as a standalone PPTP without GRE: PPTP is GRE, even though not a vanilla GRE, rather an adapted version of it.

Regarding the combination of PPTP and IPsec - technically, there is nothing that would prevent you from protecting a PPTP tunnel with IPsec. It's just a unicast IP traffic and every such traffic between two fixed endpoints can be protected by IPsec. If this combination is not available on a particular device or operating system it's just because this combination was never sufficiently strongly requested by customers to be implemented by vendors.

L2TP has the advantage of being more feature-rich, more widely supported and actively developed, but it was really designed to be used in service provider environments where hundreds or thousands of individual subscribers and their traffic are tunneled between an access concentrator and a network server. These features are not used if the L2TP is terminated at a single user's PC or home router. Of course there's nothing wrong about it, it's just the L2TP is something of an overkill for such a small-scale deployment. Still, as it turned out, PPTP is considered to be simply obsolete and not developed or maintained anymore, and L2TP is universally suggested as one of the possible replacements.

4) who is the dialer in GRE+IPSEC tunnel (or GRE standalone tunnel?) what protocol is used? what layer 2 is used to establish the connection?

I am not entirely sure what you mean by the "dialer". With GRE, the encapsulation is

Tunnel IP header | GRE header | Original IP packet

This entire packet is an IP packet, and is simply routed across the network to the tunnel endpoint, being L2-decapsulated and L2-encapsulated at each router according to normal rules.

5) when you say GRE uses protocol 47 and ipsec uses protocol 50 and/or 51 (esp/ah) - how do they both come together? how does an encapsulation look with both these protocols? what is used at each layer?

Depending on whether IPsec is used in transport or tunnel mode, an IPsec-protected GRE packet looks like this:

Tunnel mode:
IPsec tunnel IP header | ESP/AH | GRE tunnel IP header | GRE header | Original IP packet

Transport mode:
GRE tunnel IP header | ESP/AH | GRE header | Original IP packet

With IPsec protection, the outer header (the leftmost shown) will always use the Protocol value of 50/51. The Protocol value of 47 is retained in the GRE tunnel IP header (tunnel mode) or is moved to the Next Header field of the ESP/AH header (transport mode).

6) does LNS actually mean "a L2TP server just insdie a router"?

LNS means L2TP Network Server, and it can - but does not need to - mean that this functionality is implemented in a network router. LNS is a software service, and it can be either done in the operating system (and perhaps partially in hardware) of a router, or it can be run on a server. There are implementations of LNS functionality for Linux-based servers, for example.

The terminology of LAC (L2TP Access Concentrator) and LNS (L2TP Network Server) is given by RFCs that specify L2TP operation. These RFCs do not mandate how or where these two elements are implemented. Any device that performs the tasks of LAC or LNS is called a LAC or a LNS, and whether it is a dedicated router or even a PC or a Raspberry Pi does not matter to L2TP.

7) if I come up with a GRE tunnel and ipsec, I still need to use L2TP as the dial-up at the client`s end, don`t I?

Certainly not - GRE tunnels create IP packets, and these IP packets will be routed to the other tunnel endpoint across an existing IP connectivity. Before you can have a GRE tunnel between two endpoints, you must first have a working IP connectivity between them (this is the same as with PPTP; after all, PPTP is based on GRE). There is no need to use L2TP here. Even if you encapsulate the GRE into IPsec, you again get an IP packet that you can just send to the other tunnel endpoint, provided there already is a workable IP connectivity.

Feel welcome to ask further!

Best regards,
Peter

View solution in original post

Hi Willow,

I apologize for answering late - I hope you are still tuned in to this thread.

it seems the only place on this planet where you need an PPTP/L2TP connection to your ISP is in Israel and Ukraine. this is when you are on a cable infrastructure, and only for low speeds (30mps or less). 

why is that so?

To be honest, I am at a loss. The only reason I can think of is that the cable service provider does not provide plain internet connectivity within its network itself, just provides an IP connectivity from customers to some device (let's call it access gateway) that can terminate tunnels and forward them to internet. So the net result would be that although the service provider can be IP-based and interconnect its customers using IP, this IP connectivity within the service provider's network is local to the service provider only. There is no direct access to internet from this network. Only those customers who got an extra account at the access gateway can get internet connectivity.

Oh, and by the way, I was wrong regarding PPTP tunnels being unencrypted. Microsoft has its own encryption in PPP that is compounded with compression - perhaps you've heard about MPPC (Microsoft Point-to-Point Compression) and MPPE (Microsoft Point-to-Point Encryption). This compression and encryption is negotiated in PPP similarly to packet payload compression. So in fact, PPTP tunnels are - or can be - encrypted if MPPC+MPPE is being used, and this is encryption on PPP level. Perhaps that's the reason why IPsec is not used along with PPTP+MPPE because it would be superfluous.

Would this make any sense?

Best regards,
Peter

View solution in original post

11 Replies 11

Philip D'Ath
VIP Alumni
VIP Alumni

PPTP is an old user to site VPN technology and should not be used any more.  Note that PPTP uses GRE and a control channel under the hood.

L2TP is a layer 2 tuneling protocol.  For user to site VPNs it is often combined with IPSec, so you run L2TP over IPSec.

I have never seen L2TP and GRE used together in a single environment.

In the service provider world, PPPoE/PPPoA (aka customer connections) may be terminated on local DSLAM's.  Perhaps not ever their own.  Each customer connection can then be delivered back to their network core via L2TP.  So the core sees an inbound L2TP dialler session for each of their customers.

rewrote the questions and uploaded them again

willowklan1
Level 1
Level 1

I`ll try to the questions in a more tidy manner...

1) what is the difference between L2TP and GRE? they both need the ipsec and are just tunnels, while L2TP is also a dialer using PPP/PPPoe to connect to the ISP...

2) what is the difference beteween point-to-point protocol and point to point tunneling protocol? since they both support non-IP traffic

3) what about standalone PPTP (no GRE)? why do I want PPTP running inside a GRE? how do I benefit from this? also, why can`t I use PPTP with GRE and ipsec for security, or just PPTP with ipsec?  why should I use L2TP? what is it`s benefits?

4) who is the dialer in GRE+IPSEC tunnel (or GRE standalone tunnel?) what protocol is used? what layer 2 is used to establish the connection?

5) when you say GRE uses protocol 47 and ipsec uses protocol 50 and/or 51 (esp/ah) - how do they both come together? how does an encapsulation look with both these protocols? what is used at each layer?

6) does LNS actually mean "a L2TP server just insdie a router"?

7) if I come up with a GRE tunnel and ipsec, I still need to use L2TP as the dial-up at the client`s end, don`t I? what goes on at the client`s side, for establishing the layer 2 connectivity? 

I know I shouldn`t use PPTP in 2016, but still would like to know about it. 

thanks,

Willow

Dear friends,

Please allow me to join.

1) what is the difference between L2TP and GRE? they both need the ipsec and are just tunnels, while L2TP is also a dialer using PPP/PPPoe to connect to the ISP...

L2TP is used to encapsulate and tunnel entire Layer2 frames (such as Ethernet, HDLC, PPP, ATM, or Frame Relay) including their payload. GRE is used to encapsulate and tunnel Layer3 packets (such as IPv4 or IPv6). There are other significant differences between GRE and L2TP but at this point, I consider this to be the most important distinction between them. In other words, if you consider a tunnel to be a pipe, then with L2TP, you would be feeding Layer2 frames into this pipe, and with GRE, you would be feeding Layer3 packets into this pipe. The choice of either L2TP or GRE depends on the application - whether you need to tunnel entire frames as they are sent by the source, or whether you just need to tunnel original packets without their link layer encapsulation.

There is actually an exception to the rules above which may make things more confusing. You could also tunnel Layer2 frames across GRE tunnels as well. The trick is in knowing what kind of frame you have tunneled in a GRE packet. If you have a closer look at the format of the basic 4-byte GRE header, the first 2 bytes specify GRE version and flags, and the second 2 bytes have the same meaning as the EtherType field in Ethernet: They identify the payload type of the GRE packet. If there is a valid registered EtherType value for the frame you want to carry across a GRE tunnel then by all means, you can tunnel it. If there is no registered EtherType value then you're in trouble because you cannot just invent a value and put it there - the receiving endpoint may not understand the value, or it may mistake it for another protocol and process the encapsulated frame incorrectly. All common Layer3 protocols have their EtherType registered because they are intended to be carried in Ethernet frames, so with Layer3 packets, we usually don't have a problem. However, not all Layer2 protocols have their EtherTypes because tunneling frames inside other frames is not a common practice. Hence the nature of GRE as a predominantly Layer3-oriented tunneling protocol.

Just for your convenience, you can find the available list of existing EtherType values at

http://standards-oui.ieee.org/ethertype/eth.txt

Neither L2TP nor GRE need IPsec per se. Both tunelling protocols will run happily without IPsec but then, of course, they will carry all data unencrypted and unprotected. IPsec is an add-on to both these protocols to provide security for the data transmission (authentication, confidentiality, integrity, replay attack protection).

By saying that "L2TP is also a dialer using PPP/PPPoE to connect to the ISP" you probably mean the Virtual-PPP interface - am I right? Can you clarify this in more detail?

2) what is the difference beteween point-to-point protocol and point to point tunneling protocol? since they both support non-IP traffic

PPP is a Layer2 protocol and is intended to be run directly over physical network interfaces. It is not a tunneling protocol, rather, it is a data link protocol originally created to be used on serial interfaces of computers and routers. It replaced or supplemented other serial link protocols such as SLIP or HDLC. In terms of OSI model placement, PPP is on the same layer as Ethernet - both run over physical network interfaces and define how two directly connected network interfaces send messages to each other.

PPTP is a tunneling protocol that uses a modification of the GRE protocol and an additional signalling protocol to tunnel PPP frames in IP packets over a routed network. This is the confusing thing about PPTP - it uses GRE to tunnel PPP frames, and only PPP frames. You cannot carry other kinds of traffic over PPTP directly - it wasn't designed to work that way even though the GRE itself would be be capable of doing that. Instead, everything you want to carry over a PPTP tunnel has first to be put into PPP frames, and these will then get GRE-encapsulated and sent over the tunnel to the far end.

The fact that PPP is used inside PPTP does not imply that PPP was invented with PPTP in mind. It's actually the other way around - PPP existed long before PPTP, and creators of PPTP felt that it would be beneficial to use it because it provides for some neat features they would otherwise need to reimplement (authentication, higher protocol negotiation, automatic IP configuration to name a few). The fact that PPP is used inside PPTP does not make PPP alone a tunneling protocol; rather, PPP is just a "victim" of PPTP.

PPTP is not a data link layer protocol as it is not directly used over any kind of physical interface, quite the contrary: PPTP expects that basic IP connectivity (using any kind of of physical and data link layer) between the endpoints is already in place.

3) what about standalone PPTP (no GRE)? why do I want PPTP running inside a GRE? how do I benefit from this? also, why can`t I use PPTP with GRE and ipsec for security, or just PPTP with ipsec?  why should I use L2TP? what is it`s benefits?

PPTP consists internally of a somewhat modified GRE plus an additional control channel running over TCP that provides for the tunnel session setup and teardown. There is no such thing as a standalone PPTP without GRE: PPTP is GRE, even though not a vanilla GRE, rather an adapted version of it.

Regarding the combination of PPTP and IPsec - technically, there is nothing that would prevent you from protecting a PPTP tunnel with IPsec. It's just a unicast IP traffic and every such traffic between two fixed endpoints can be protected by IPsec. If this combination is not available on a particular device or operating system it's just because this combination was never sufficiently strongly requested by customers to be implemented by vendors.

L2TP has the advantage of being more feature-rich, more widely supported and actively developed, but it was really designed to be used in service provider environments where hundreds or thousands of individual subscribers and their traffic are tunneled between an access concentrator and a network server. These features are not used if the L2TP is terminated at a single user's PC or home router. Of course there's nothing wrong about it, it's just the L2TP is something of an overkill for such a small-scale deployment. Still, as it turned out, PPTP is considered to be simply obsolete and not developed or maintained anymore, and L2TP is universally suggested as one of the possible replacements.

4) who is the dialer in GRE+IPSEC tunnel (or GRE standalone tunnel?) what protocol is used? what layer 2 is used to establish the connection?

I am not entirely sure what you mean by the "dialer". With GRE, the encapsulation is

Tunnel IP header | GRE header | Original IP packet

This entire packet is an IP packet, and is simply routed across the network to the tunnel endpoint, being L2-decapsulated and L2-encapsulated at each router according to normal rules.

5) when you say GRE uses protocol 47 and ipsec uses protocol 50 and/or 51 (esp/ah) - how do they both come together? how does an encapsulation look with both these protocols? what is used at each layer?

Depending on whether IPsec is used in transport or tunnel mode, an IPsec-protected GRE packet looks like this:

Tunnel mode:
IPsec tunnel IP header | ESP/AH | GRE tunnel IP header | GRE header | Original IP packet

Transport mode:
GRE tunnel IP header | ESP/AH | GRE header | Original IP packet

With IPsec protection, the outer header (the leftmost shown) will always use the Protocol value of 50/51. The Protocol value of 47 is retained in the GRE tunnel IP header (tunnel mode) or is moved to the Next Header field of the ESP/AH header (transport mode).

6) does LNS actually mean "a L2TP server just insdie a router"?

LNS means L2TP Network Server, and it can - but does not need to - mean that this functionality is implemented in a network router. LNS is a software service, and it can be either done in the operating system (and perhaps partially in hardware) of a router, or it can be run on a server. There are implementations of LNS functionality for Linux-based servers, for example.

The terminology of LAC (L2TP Access Concentrator) and LNS (L2TP Network Server) is given by RFCs that specify L2TP operation. These RFCs do not mandate how or where these two elements are implemented. Any device that performs the tasks of LAC or LNS is called a LAC or a LNS, and whether it is a dedicated router or even a PC or a Raspberry Pi does not matter to L2TP.

7) if I come up with a GRE tunnel and ipsec, I still need to use L2TP as the dial-up at the client`s end, don`t I?

Certainly not - GRE tunnels create IP packets, and these IP packets will be routed to the other tunnel endpoint across an existing IP connectivity. Before you can have a GRE tunnel between two endpoints, you must first have a working IP connectivity between them (this is the same as with PPTP; after all, PPTP is based on GRE). There is no need to use L2TP here. Even if you encapsulate the GRE into IPsec, you again get an IP packet that you can just send to the other tunnel endpoint, provided there already is a workable IP connectivity.

Feel welcome to ask further!

Best regards,
Peter

willowklan1
Level 1
Level 1

Hello Peter,

Thanks alot for joining in with a comprehensive and detailed replay, as usual. 

I`m afraid I did not explain myself well on the dialer issues (questions 1,4 and 7) so I`ll try to be more clear this time:

when you try to set a VPN tunnel to the ISP you can do it in 3 ways (at least where I live): if it`s through the phone provider (i.e. copper-lines going to DSLAM and then to an NGN all-IP network) you will need to set up a PPPoe dialer, and once you needed a PPTP dialer. I`m talking about the client/windows dialer here. 

if your provider is the cable company (mpls) you can either dial up with PPTP or L2TP, both found on ms-windows of course, or you can use a direct link to their mpls network, which in this case requires no client dial-up software (always connected).

what I get from this is that a layer 2 PPP is required for authentication, that is what enables the ISP to know who is trying to connect and to bill them accordingly. 

all of my dial question are referring to a client trying to establish a VPN tunnel to the ISP and hopefully to a remote access device. 

so an L2TP dialer would form a L2TP tunnel, but what will PPTP form? an regular unsecured GRE tunnel? if so, how is it considered a VPN?

you said it is not common to see a PPTP tunnel with IPsec covering it, so when a client dials through a PPTP client-software -  is IPsec only added at the ISP or already at the client`s end? since PPTP is end-to-end but unsecured AND is considered a VPN - where is it added?

I think I got a little confused by the client-side, trying to establish a VPN to the ISP, and the provider-side which is what you learn when you practice this stuff: creating a GRE, IPsec encapsulation, transport/tunnel etc. in no place do you learn about PPTP dial-up (obsolete) and configuring an LNS and LAC devices is way beyond my scope, so I focus on the client-end - for now. can you explain a bit about those dialer from the client prespective?

again, thanks alot...

Willow


Hi Peter,

Another thing, I was reading your replay and assumed the packet-structure examples you gave (question 5) refers to "GRE over IPsec". if so, how come in the "transport mode" the outer header is a GRE header? isn`t the routing done with an IPsec IP header in "GRE over IPsec" (as you showed in tunnel mode)?

on the same note, can you please draw the structure of an "IPsec over Gre" packet same way you did to "GRE over IPsec", i.e. tunnel/transport modes?

also, what is the point of using an AH-IPsec, if AH does not encrypt? what is the purpose of this tunnel? how is it different from a plain regular GRE tunnel? when should I use a tunnel that only authenticates? 

so many question... hope you`ll find the time for them :)

thanks,

Willow

Hi Willow,

Okay, let's start ;)

First, though, let me ask you a question. You wrote:

when you try to set a VPN tunnel to the ISP you can do it in 3 ways

Why would you want to set up a VPN tunnel to the ISP? What kind of traffic would be tunneled across it? I am asking because usually, you want an ISP to provide you with basic (or native) internet (IP) connectivity. The VPN types we're discussing (PPTP, L2TP, GRE, IPsec) are add-ons to the basic connectivity, and you cannot have these VPN types without the basic connectivity. So if your ISP gives you this basic connectivity, there's no specific need to do additional tunneling unless you have some special need for that - and I am asking what that special need is supposed to be.

if it`s through the phone provider (i.e. copper-lines going to DSLAM and then to an NGN all-IP network) you will need to set up a PPPoe dialer

Customarily, we do not consider PPPoE to be a VPN. Of course it shares traits of a VPN as it involves tunneling PPP frames in Ethernet frames, but because the Ethernet part of this tunneling is outside the client's reach (with DSL routers, the Ethernet network isn't there anymore as they already have the DSL interface integrated), it merely becomes a mandatory - almost a legacy - part of all the overhead. So from the common client's point of view, there is no VPN to PPPoE because there is no "native connectivity" over the underlying Ethernet infrastructure - the Ethernet isn't anywhere in direct client's reach.

and once you needed a PPTP dialer.

This surprises me. PPTP assumes that the basic connectivity is already in place. PPTP cannot provide basic IP connectivity itself - on the contrary, it relies on it. So if you have a basic connectivity, what would you need PPTP toward your ISP for?

if your provider is the cable company (mpls) you can either dial up with PPTP or L2TP

Same as before. It is possible that I am not familiar with the way your providers offer internet connectivity, but of one thing I am certain: Both PPTP and L2TP need a working IP connectivity between your client software and the remote access server beforehand. Would that connectivity not suffice for accessing the internet?

what I get from this is that a layer 2 PPP is required for authentication, that is what enables the ISP to know who is trying to connect and to bill them accordingly. 

Basically, yes. Providers have been accustomed to PPP since the times of old analog dialups and ISDNs, and when broadband technologies came in, PPP was just adapted to be used over them. This allowed providers to largely keep all the access, authentication and billing infrastructure unchanged - and compatible with different ways of client accessing the provider's network.

so an L2TP dialer would form a L2TP tunnel, but what will PPTP form? an regular unsecured GRE tunnel? if so, how is it considered a VPN?

L2TP will form an L2TP tunnel carrying either PPP or Ethernet frames (these are the most common frame types carried over L2TP). PPTP will form a GRE tunnel carrying PPP frames. Both L2TP and PPTP are unsecured tunnels and they would need IPsec for their protection.

A VPN does not necessarily include encryption. That is an added quality but not a prerequisite. VPN is a generic name for a network that, from your viewpoint, operates as a dedicated network just for you and no one else, while in reality, it runs over a shared infrastructure. Even an Ethernet VLAN is a form of VPN. There are several categories of VPNs but from the security standpoint, there are two major categories: Secure VPNs and Trusted VPNs. Secure VPNs are all those technologies that employ encryption mechanisms (IPsec, SSL, ...). Trusted VPNs are those technologies where, by the nature of how the VPNs operate, your data cannot leak out, and you trust your provider of this technology that he won't misconfigure things or sniff your data illegally (MPLS VPNs, Frame Relay PVCs, ...).

you said it is not common to see a PPTP tunnel with IPsec covering it, so when a client dials through a PPTP client-software -  is IPsec only added at the ISP or already at the client`s end? since PPTP is end-to-end but unsecured AND is considered a VPN - where is it added?

Nowhere. PPTP is an unsecured VPN. It was commonly used to access internal company networks by a home teleworker or a travelling employee, but it was not encrypted. That does not prevent it from being classified as a VPN - it's just not a secure VPN. That's one of the reasons it is now completely replaced by different technologies.

If you think that having an unencrypted VPN is something unimaginable, think again :) Telnet, POP3, IMAP, HTTP, FTP, SNMPv1/v2... - all these protocols and more are unencrypted and carry all information, including passwords and sensitive data, unprotected. IP protocols were originally designed with a belief that the network user (or an administrator) is not malicious :)

I think I got a little confused by the client-side, trying to establish a VPN to the ISP

Well, to simplify it, out of all technologies you have been asking about, you're only using PPPoE for accessing the ISP and gaining access to internet. You do not ordinarily use PPTP or L2TP to access the internet; instead, you use PPTP or L2TP to access some private network across the existing internet connection. You are usually not creating a VPN to your ISP; you are creating a VPN across your ISP to some other location that is accessible through your ISP.

I was reading your replay and assumed the packet-structure examples you gave (question 5) refers to "GRE over IPsec". if so, how come in the "transport mode" the outer header is a GRE header? isn`t the routing done with an IPsec IP header in "GRE over IPsec" (as you showed in tunnel mode)?

That is because the IPsec transport mode maintains the original IP header along with all original addressing and stuff. The only thing that is changed is the Protocol field that obviously needs to be rewritten to indicate the presence of the AH/ESP. IPsec transport mode implicitly assumes that a direct connectivity already exists between the communicating stations that want to protect their communication by IPsec, so there is no reason to add another IP header with some other addresses.

In other words, if the end hosts whose traffic is being IPsec-protected are also the IPsec tunnel endpoints then they can use IPsec transport mode. Otherwise, if the traffic between two end hosts is IPsec-encrypted and decrypted by other devices on the path (such as home routers), IPsec will need to run in tunnel mode.

on the same note, can you please draw the structure of an "IPsec over Gre" packet same way you did to "GRE over IPsec", i.e. tunnel/transport modes?

This order of encapsulation is used extremely rarely, mostly because there is no reason to add a GRE encapsulation onto an IPsec-protected packet that is itself fully capable of being routed across the network. I can draw the structure of such packets but it's more of an academic exercise, as you won't be seeing such packets out in the wild.

IPsec over GRE, Tunnel mode:
GRE tunnel IP header | GRE header | IPsec tunnel IP header | ESP/AH | Original IP packet

IPsec over GRE, Transport mode:
GRE tunnel IP header | GRE header | Original IP header | ESP/AH | Original IP packet's payload

also, what is the point of using an AH-IPsec, if AH does not encrypt? what is the purpose of this tunnel? how is it different from a plain regular GRE tunnel? when should I use a tunnel that only authenticates?

Originally, perhaps in the good Unix way of having a tool do just one thing but do it perfectly, IPsec had split the problem of comprehensive data transmission security into different protocols, each taking care of just a selected aspect of security. To provide for confidentiality, IPsec used ESP. To provide for integrity and anti-replay, IPsec used AH. If you wanted to implement just a part of these security aspects, you used only the corresponding protocol. If you wanted all of it, you used both ESP and AH at the same time.

The authentication and anti-replay in AH make sure that the protected packets are received exactly as they have been sent - that is, no one has modified their contents, no one has spoofed these packets in the name of the original sender, and no one has captured these packets and re-sent them repeatedly to cause some action to be repeated. In other words, AH protects the integrity and un-repeatibility of these packets including their outer headers.

Obviously, just as you are asking, the added value of AH protection alone was rather small. With AH, there was a guarantee that the packets have not been modified, spoofed or repeated while in transit, but their contents were still unprotected and readable by anyone having access to the transmission path. In addition, while the AH protection also covered the outer packet's header contents which could be perceived a good thing, this made AH immediately incompatible with NAT boxes that by definition modify the outer header's address fields.

So as time passed, ESP was extended with the ability to not only provide for confidentiality but also for data integrity and anti-replay, and AH became obsolete. Nowadays, Cisco ASA firewalls do not even support AH (I am not sure if they ever supported it). Simply put, AH was a design choice that once appeared to be sensible but turned out otherwise.

Best regards,
Peter

Hi Peter,

Completely understood, after this excellent explanation (as usual...) can`t thank you enough.

I would only like to ask about what you said - that there is no need for additional tunneling after the IP is set between the customer and the ISP. my question is: why not? can`t the provider offer you a safe VPN (encrypted) tunnel to his end point, as a default service, so you can be sure that at least the connectivity between you and him is secure? how the ISP runs it`s traffic afterwards is beyond your reach, but a safe VPN ipsec tunnel to the ISP seems logical, isn`t it? 

and if it is not so, why our cable provider offers two methods of connectivity: one directly to his mpls infrastructure which is "always connected" (no dial-up and dialers needed) and one is using L2TP and has to be activated each time you want to connect to the internet (i.e. - a dialer). if there is no need for a VPN tunnel to this provider (as you said, because there is already an IP connectivity) - then why does he offer this "dial-up" scheme? 

Peter, I would like to take this opportunity and say that I really appreciate the time and effort you put in those elaborated answers, you have helped me alot at my studies and there is nothing I can say that will emphasize this enough. bless you.

Willow

willowklan1
Level 1
Level 1

Hi Peter,

Well, I did some searching around and it seems the only place on this planet where you need an PPTP/L2TP connection to your ISP is in Israel and Ukraine. this is when you are on a cable infrastructure, and only for low speeds (30mps or less). 

why is that so? what exactly is going on with that sort of connection? is it a vpn tunnel from me to the isp? does that mean that EVERYTHING i do online is encrypted? seems pretty odd. I read somewhere that this method is provided when the ISP uses "a local network" in something that is called "a dual access". have you ever heard of this method? can you explain what it is and why is it used? (high speed connect directly to the mpls cable infrastructure).

why do you need a vpn client software (a dialer like l2tp) to reach your isp? why would an isp use such a method? what good does it do?

here are some quotes i read online, maybe they would help me explain myself....

--------------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------------

btw, these questions are regarding to our conversation from before:

Thanks,
Willow

Hi Willow,

I apologize for answering late - I hope you are still tuned in to this thread.

it seems the only place on this planet where you need an PPTP/L2TP connection to your ISP is in Israel and Ukraine. this is when you are on a cable infrastructure, and only for low speeds (30mps or less). 

why is that so?

To be honest, I am at a loss. The only reason I can think of is that the cable service provider does not provide plain internet connectivity within its network itself, just provides an IP connectivity from customers to some device (let's call it access gateway) that can terminate tunnels and forward them to internet. So the net result would be that although the service provider can be IP-based and interconnect its customers using IP, this IP connectivity within the service provider's network is local to the service provider only. There is no direct access to internet from this network. Only those customers who got an extra account at the access gateway can get internet connectivity.

Oh, and by the way, I was wrong regarding PPTP tunnels being unencrypted. Microsoft has its own encryption in PPP that is compounded with compression - perhaps you've heard about MPPC (Microsoft Point-to-Point Compression) and MPPE (Microsoft Point-to-Point Encryption). This compression and encryption is negotiated in PPP similarly to packet payload compression. So in fact, PPTP tunnels are - or can be - encrypted if MPPC+MPPE is being used, and this is encryption on PPP level. Perhaps that's the reason why IPsec is not used along with PPTP+MPPE because it would be superfluous.

Would this make any sense?

Best regards,
Peter

Hi Peter,

You are very much correct. when using this vpn method, the provider supply you with a 172.20 IP address, which is the provider`s local-inner network, and according to your destination request forward you to the internet or leaves you inside his local network if you just need access to local servers (like local forums or news etc.)

Peter, I want to know another thing: why can`t one use a vpn with a proxy together? aside the issue that it does not add no your safety (you are only safe as your weakest link in the chain) I would really want to understand the reason behind this. why can`t I connect to a remote VPN server and create a safe tunnel between us, and than, after this is done, connect from that VPN server to a proxy? 

say you are using some service like "cyber-ghost" to connect to a vpn, and than you try to use "hola" to connect to a proxy - you will not be able to do it. if you try to configure a proxy address by yourself it won`t work as well. everyone says something different about this issue, so your opinion would be very appreciated as a tie-breaker :)

on another note, I am happy to tell you I passed my ccna with almost the highest score possible - no dumps in the process, just pure knowledge - and a-lot of it is thanks to you! getting prepared to my ccnp these days... thank you very much for all your help along this journey! 

Willow