LikeMind and DrayTek were pioneers in bringing low-cost, easy-to-use hardware-based VPN
products to the SME market. These products enable you to carry confidential
company data securely site-to-site using your standard Internet connection,
saving you the cost of dedicated leased lines or dial-up access. VPN has made the idea
of true teleworking cheap and simple. In this short guide, we explain what VPN
is and what it can do for you.
A company might have one office, or it might have many. It might have office-based
staff or teleworkers - workers who do company business from home or in the
field. In a single office, Local Area Networking, perhaps using regular
Ethernet, can connect all of your computers to each other and to any local
servers. For remote offices or users, you need some other connection medium.
Dial-up connectivity

Traditionally, you might connect remote workers or offices to each other
using dial-up modems. A server and modem at the receiving site would answer the
call, you would exchange whatever data you needed and then disconnect. This had
call costs and line rental costs, tied up phone lines and was limited in speed. It
was, however, considered to be reasonably secure, as the data was carried end-to-end
across closed networks or private paths. This dial-up access was either analogue
or digital (ISDN). If higher speeds or permanent connectivity were required, you
could rent a 'leased line' - a dedicated point-to-point always-on connection - but
that was very costly. Leased lines are still used as standard for high-reliability
connectivity, for example between ISPs or for corporate mission-critical
applications where broadband is not considered reliable or secure enough.
Using the Internet

With the introduction of the Internet, there is a common public network over
which any computer or other connected device can communicate with any other.
Every Internet termination point has its own unique (at any one time) IP
address. Therefore, in a simple scenario, a PC can talk to any other PC directly
across the Internet. If you are using broadband (non-dialup) then your
connection can be always on, so there are no ongoing call charges and you're not
tying up your regular voice line. This is illustrated in the above diagram: the
teleworker can send data directly to the HQ over the Internet, but, being a
public network, and specifically a network in which your data will pass through
many other locations en route, the connection is insecure - anyone en route can
capture and read or use that data. This is clearly unacceptable for a business, and
in fact for much domestic usage too. It also means that your computers must be
directly accessible on the Internet, with a public IP address, which makes you
vulnerable to hacking. This arrangement is therefore highly undesirable.
Creating a VPN
A VPN provides the security of a private network, with the convenience and
low cost of a public network, hence it's a "Virtual" Private Network.
Firstly, before you set about creating a VPN, both sides of your connection
are isolated from the Internet, normally in a private IP address range. In that
way, your PCs cannot be reached from the outside world, providing protection from
hackers. A firewall is then put on the Internet connection, providing security
from the outside world (and normally also providing NAT and Internet browsing
capability for the LAN users). Let us assume that the firewall in this case is a
DrayTek Vigor firewall - one at the branch office and one at the
headquarters.
The main concept in creating a VPN is that of 'tunnelling'. A VPN tunnel
consists of encrypted packets of data sent between the two Vigors (the VPN
'endpoints'). These packets of data contain a payload of private data,
which is decrypted and unpacked at the other end of the tunnel and delivered to
the destination, behind the remote firewall. The outside world, i.e. anyone
spying on your data as it passes across the Internet, sees only the outside
of the tunnel - the encrypted data, but not the actual data within - and that
payload can be encrypted with 3DES or the stronger AES. If high security is
less important, and you just want to join two networks for convenience, you can
use simpler tunnelling protocols such as PPTP.
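The tunnelling idea just described, as an added example that is not DrayTek's or LikeMind's code: a toy Go model of one direction of a site-to-site tunnel. It assumes a 32-byte key that both ends already share (in a real Vigor deployment IKE derives the keys from the pre-shared key or certificate), a made-up SPI value of 0x1001 naming the tunnel, and a constructed text string standing in for the inner IP packet. Each tunnel packet carries a cleartext outer header (SPI and sequence number) followed by the inner packet sealed with AES-256-GCM, so an observer on the path sees the outside of the tunnel but not the data inside; the receiving end rejects tampered packets, packets sent under a different key, and replayed copies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Outer header sent in clear in front of every tunnel packet:
// 4-byte SPI (identifies the tunnel and its key) + 8-byte sequence number.
// Everything after it is the AES-GCM ciphertext of the inner packet plus tag.
const hdrLen = 12
const windowSize = 64 // replay window in packets, in the style of ESP

// Endpoint is one direction of one tunnel: the sender and the receiver each
// hold an Endpoint built from the same key and SPI.
type Endpoint struct {
	spi     uint32
	aead    cipher.AEAD
	sendSeq uint64 // last sequence number sent
	highest uint64 // highest sequence number accepted so far
	window  uint64 // bit i set <=> packet (highest - i) already accepted
}

// NewEndpoint builds an endpoint from a 32-byte key agreed out of band
// (assumption for this example; a real device gets it from IKE).
func NewEndpoint(key []byte, spi uint32) (*Endpoint, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Endpoint{spi: spi, aead: aead}, nil
}

// nonce derives the 12-byte GCM nonce from SPI and sequence number, so it is
// unique per packet under one key as long as the sequence number never wraps.
func (e *Endpoint) nonce(seq uint64) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint32(n[:4], e.spi)
	binary.BigEndian.PutUint64(n[4:], seq)
	return n
}

// Encapsulate wraps an inner packet: header in clear, payload sealed, and the
// header bound into the authentication tag as additional data.
func (e *Endpoint) Encapsulate(inner []byte) []byte {
	e.sendSeq++
	hdr := make([]byte, hdrLen)
	binary.BigEndian.PutUint32(hdr[:4], e.spi)
	binary.BigEndian.PutUint64(hdr[4:], e.sendSeq)
	ct := e.aead.Seal(nil, e.nonce(e.sendSeq), inner, hdr)
	return append(hdr, ct...)
}

// Decapsulate checks the outer header, rejects replays, and returns the inner
// packet only if the authentication tag verifies.
func (e *Endpoint) Decapsulate(pkt []byte) ([]byte, error) {
	if len(pkt) < hdrLen+e.aead.Overhead() {
		return nil, errors.New("packet too short")
	}
	hdr := pkt[:hdrLen]
	if binary.BigEndian.Uint32(hdr[:4]) != e.spi {
		return nil, errors.New("unknown SPI")
	}
	seq := binary.BigEndian.Uint64(hdr[4:])
	if !e.replayOK(seq) {
		return nil, fmt.Errorf("seq %d rejected by replay window", seq)
	}
	inner, err := e.aead.Open(nil, e.nonce(seq), pkt[hdrLen:], hdr)
	if err != nil {
		return nil, errors.New("authentication failed: tampered packet or wrong key")
	}
	e.markSeen(seq) // only after the tag verified, so forged headers cannot poison the window
	return inner, nil
}

// replayOK reports whether seq is new: not already seen and not older than the window.
func (e *Endpoint) replayOK(seq uint64) bool {
	if seq == 0 {
		return false // sequence numbers start at 1
	}
	if seq > e.highest {
		return true
	}
	diff := e.highest - seq
	return diff < windowSize && e.window&(1<<diff) == 0
}

// markSeen records an authenticated packet in the sliding window.
func (e *Endpoint) markSeen(seq uint64) {
	if seq > e.highest {
		if shift := seq - e.highest; shift >= windowSize {
			e.window = 0
		} else {
			e.window <<= shift
		}
		e.highest = seq
		e.window |= 1
		return
	}
	e.window |= 1 << (e.highest - seq)
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	branch, _ := NewEndpoint(key, 0x1001)
	hq, _ := NewEndpoint(key, 0x1001)
	// Constructed stand-in for the inner packet; a real tunnel carries the whole IP datagram.
	inner := []byte("src=192.168.1.10 dst=192.168.2.20 data=payroll.xls")
	pkt := branch.Encapsulate(inner)
	fmt.Printf("visible on the Internet: header %x, then %d opaque bytes\n", pkt[:hdrLen], len(pkt)-hdrLen)
	got, err := hq.Decapsulate(pkt)
	fmt.Printf("HQ recovered: %q (err=%v)\n", got, err)
	_, err = hq.Decapsulate(pkt)
	fmt.Println("replayed copy:", err)
}
```

Two design points carry over to real tunnels: the outer header is fed to GCM as additional data, so an attacker who edits the SPI or sequence number in transit fails the tag check; and the replay window is only updated after that check passes, so unauthenticated junk cannot push the window forward and lock out legitimate packets.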
In the diagram above, you can see the branch office and the Headquarters.
Each has a private network behind the Vigor Firewall, and the Vigor is then
creating a VPN endpoint at each end. Through that green VPN tunnel, your private
data can flow. The teleworker doesn't have a Vigor router - he could, of course,
but in this example he would be using a software VPN client and firewall, such
as that built into Windows XP.
Summary - The Advantages of VPNs
- Link Remote offices or teleworkers using the public Internet
- Keep your company confidential data behind your firewall
- High-Security encryption (3DES, AES etc.)
- Use ADSL, Cable Modem, ISDN or dial-up links to the Internet at either end
- Save huge sums of money on leased lines or direct dial-up access
- Scalable - Support for multiple simultaneous tunnels
- Flexible - Remote offices can be set up quickly, or deployed temporarily
- Remote users can 'dial-in' over VPN from anywhere in the world, for
example from airport lounges with Internet access or hotel rooms.
VPN Topology Examples

VPN between Branch Offices
The diagram above shows VPN tunnels between two offices in more detail, with
respect to their individual IP address ranges (subnets), and also a single
teleworker. In both examples, all PCs shown have access to all PCs at all ends
of the link. The teleworker may only have one VPN tunnel if he needs access to
only one of the offices.
Using the VPN
Now that you have your remote networks or users connected to each
other through an encrypted tunnel, what can you do with it? The tunnel
carries any TCP/IP data from one device to another. This can be remote
control data (widely used by teleworkers to operate their office PC from
home) or access to remote resources such as shared drives or printers.
On the right you can see an example of a remote PC being accessed.
Remember that your VPN is being carried over a broadband (or slower
Internet) link, which is considerably slower than your local Ethernet
connection, so transfer (opening) of larger files will take proportionally
longer.
Note: VPN users don't actually have to use broadband - they can use
any type of Internet connectivity, including dial-up.

A Vigor router with VPN support can operate multiple VPN tunnels
simultaneously - for example, if you have five offices, you can have five VPN
tunnels so that you can communicate with all of them. The Vigor will display the
current VPN status:

Summary of DrayTek VPN Features
Vigor routers with VPN capability provide a wide array of standard protocol
support, providing flexible configuration options to suit your own preferences
and good cross-compatibility with other vendors' products.
- No 'per user' licencing for VPN users
- Compatible with standard O/S VPN software clients
- Supports multiple tunnels simultaneously
- Multiple VPN Protocol support
- Dial-in or dial-out, LAN-to-LAN or Teleworker-to-LAN
- Protocol support for PPTP, L2TP, IPSec
- Authentication : MD-5 & SHA-1, PAP and CHAP
- Encryption : MPPE, DES/3DES & AES
- PFS (Perfect Forward Secrecy) - Adds additional key protection
- Pre-shared/IKE keying and PKI (X.509) certificate support
- IKE Phase 1 Aggressive/Main Modes & Phase 2 selectable lifetimes
- RADIUS support for dial-in teleworker profiles
- Tunnels selectable as dial-on-demand or always-on and direction selectable
- Compatible with other leading 3rd party vendor VPN devices
- IP Filtering within VPN Tunnels - allow/block specific LAN IP Addresses
- Facilities/Support depends on Vigor model; please check model
specification
3rd Party Vendor Compatibility
The Vigor routers have also been tested with VPN devices from other
manufacturers. This includes Cisco™ Pix, Nokia™, Sonicwall™, Checkpoint™,
ZyWall™ and Watchguard™ products. Please note that DrayTek can only offer
technical support for their own products and may not be familiar with your own
particular 3rd party product, but some setup guides are available on the web
site.
VPN Product Information
LikeMind implements its VPN solution on the Vigor3300 product line. For details, please visit the Vigor3300 link.