8.3
provides authentication features.
Authentication Header
Host-to-host communications within a LAN. VPN communications through the Internet, either by itself or in conjunction with the L2TP VPN protocol. Any traffic supported by the IP protocol including Web, e-mail, Telnet, file transfer, and SNMP traffic as well as countless others.
IPSec
provides authentication and encryption, and can be used in conjunction with L2TP or by itself as a VPN solution.
IPSec
uses either digital certificates or pre-shared keys.
IPSec
negotiates the connection. As two end points are securing an IPSec network, they have to negotiate what is called a Security Association (SA). An inbound and outbound SA is necessary for each connection with a remote endpoint.
Internet Key Exchange
Is not supported by older operating systems.
L2TP
Supports multiple protocols (not just IP).
L2TP
Uses IPSec for encryption.
L2TP
Uses TCP port 1701 and UDP port 500.
L2TP
is an open standard for secure multi-protocol routing.
L2TP
Encapsulates other LAN protocols and carries the data securely over an IP network.
PPTP
Is supported by most operating systems and servers.
PPTP
Supports TCP/IP only.
PPTP
Uses Microsoft's MPPE for data encryption.
PPTP
Uses TCP port 1723.
PPTP
Uses standard authentication protocols, such as Challenge Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP).
PPTP
was one of the first VPN protocols. Developed by Microsoft
PPTP
use the unencrypted packet headers to deliver the packet to the destination device.
Routers
Authenticates the server to the client using public key cryptography and digital certificates.
SSL
Encrypts the entire communication session.
SSL
The SSL protocol has long been used to secure traffic generated by other IP protocols such as HTTP, FTP, and e-mail. SSL can also be used as a VPN solution, typically in a remote access scenario.
SSL
Uses port 443, a port that is often already opened in most firewalls.
SSL
are devices that can encrypt and decrypt packets.
Tunnel endpoints
can be used over a local area network, across a WAN connection, over the Internet, and even between a client and a server over a dial-up connection through the Internet.
VPN
is a network that uses encryption to allow IP traffic to travel securely over the TCP/IP network.
VPN
is used primarily to support secured communications over an untrusted network.
VPN
work by using a tunneling protocol that encrypts packet contents and wraps them in an unencrypted packet.
VPN
routers on the edge of each site establish a VPN with the router at the other location. Data from hosts within the site are encrypted before being sent to the other site. With this configuration, individual hosts are unaware of the VPN.
site-to-site VPN
IKE uses the following functions:Internet Security Association Key Management Protocol (ISAKMP) establishes a framework for the negotiation. The Diffie-Hellman key exchange generates symmetric keys used for the encryption of the negotiation of the SA.
...
If you use only AH, data is not encrypted.
...
Implementations that use SSL for VPN tunneling include Microsoft's SSTP and Cisco's SSL VPN.
...
Intermediate routers along the path cannot (and do not) read the encrypted packet contents.
...
Use AH to enable authentication with IPSec. AH provides a message integrity check with the Hashed Keyed Message Authentication Code (HMAC). With HMAC, a symmetric key is embedded into a message before the message is hashed. When the message is received, the recipient's symmetric key is added back into the message before hashing the message. If the hash values match, message integrity is proven. AH uses SHA-1 (Secure Hashing Algorithm 1) or MD5 (Message Digest v5) for integrity validation.
...
Use ESP to encrypt data.
...
You should be aware that ports must be opened in firewalls to allow VPN protocols. For this reason, using SSL for the VPN often works through firewalls when other solutions do not. In addition, some NAT solutions do not work well with VPN connections.
...
hen you create a VPN, you establish a security association between the two tunnel endpoints. These endpoints create a secure, virtual communication channel. Only the destination tunnel endpoint can unwrap packets and decrypt the packet contents.
...
provides data encryption.
Encapsulating Security Payload
two hosts establish a secure channel and communicate directly. With this configuration, both devices must be capable of creating the VPN connection.
host-to-host VPN
a server on the edge of a network (called a VPN concentrator) is configured to accept VPN connections from individual hosts in a client-to-site configuration. Hosts that are allowed to connect using the VPN connection are granted access to resources on the VPN server or the private network.
remote access VPN