IP Tunnel

Page 1: IP Tunnel

ABSTRACT

In computer networks we sometimes need two or more disjoint nodes, which have no native routing path between them, to communicate while preserving the confidentiality and authenticity of the data sent. The technique used for this is IP tunnelling.

In an IP tunnel, datagrams are enclosed within other datagrams by encapsulation and carried to the far end of the tunnel. Encapsulation on its own hides nothing: confidentiality and authenticity are preserved only when the tunnelling protocol also encrypts and authenticates the inner packets.

Protocols used for tunnelling include PPTP, L2TP and OpenVPN.

Point-to-Point Tunneling Protocol (PPTP) is a network protocol that carries PPP frames from a remote client to a private enterprise server through a tunnel across TCP/IP-based networks. It provides the vehicle for the PPP data; authentication and encryption come from PPP itself (MS-CHAP and MPPE).

L2TP is a layer 2 tunnelling protocol that authenticates the two tunnel endpoints, client and server, when the tunnel is set up. It has no encryption of its own and uses IPsec for encryption services.

OpenVPN is an open source VPN solution backed by the company OpenVPN Technologies and has become a de facto standard in open source networking. It uses the mature SSL/TLS protocols for peer authentication, key exchange and encryption.

1 | P a g e


TABLE OF CONTENTS

CHAPTER NO.  TITLE                                               PAGE NO.

             ABSTRACT                                            1

1            C-DOT PROFILE                                       5

2            IP TUNNELING                                        6
             2.1  Principle of Tunneling                         6
             2.2  Tunnel using IPsec                             7
                  2.2.1  Authentication Header                   7
                  2.2.2  Encapsulating Security Payload          8
             2.3  IPv6 to IPv4 tunnel                            8
                  2.3.1  Topology of a 6to4 Tunnel               9
                  2.3.2  Packet Flow                             10

3            GENERIC ROUTING ENCAPSULATION                       11
             3.1  Advantages                                     11
             3.2  Process of Encapsulation and De-Encapsulation  11
             3.3  GRE Encapsulation                              12
             3.4  GRE Header

4            POINT-TO-POINT TUNNELING PROTOCOL                   14
             4.1  PPTP Configuration Steps                       15
             4.2  PAC and PNS                                    15
             4.3  Protocol Structure                             16
             4.4  Security                                       17
             4.5  Advantages                                     17
             4.6  Disadvantages                                  18

5            LAYER 2 FORWARDING PROTOCOL                         19
             5.1  Protocol Structure
             5.2  Advantages and Disadvantages

6            LAYER 2 TUNNELING PROTOCOL                          20
             6.1  L2TP Encapsulation
             6.2  L2TP Basic Components
             6.3  Tunnel Initiation
             6.4  Tunneling Models
             6.5  Packet Structure
             6.6  L2TP Packet Exchange
             6.7  L2TP/IPsec
             6.8  Advantages of L2TP

7            OpenVPN                                             27
             7.1  Features
             7.2  Architecture

8            CASE STUDY: IP TUNNEL IN LINUX                      30
             8.1  IP tunneling with the Linux IPIP
             8.2  IP tunneling with Generic Routing Encapsulation

9            CONCLUSION                                          33

10           APPENDIX                                            36

11           REFERENCES                                          38


1. C-DOT Profile


The Centre for Development of Telematics (C-DOT) is an Indian Government owned telecommunications technology development centre. It was established in 1984 with the initial mandate of designing and developing digital exchanges. C-DOT has since expanded its mandate to developing intelligent telecom software applications. It has offices in Delhi and Bangalore.

Sam Pitroda, an Indian engineer, business executive and policymaker who is advisor to the Prime Minister of India on public information infrastructure and innovations and chairman of the National Innovation Council, started C-DOT as an autonomous telecom R&D organisation. In its initial years C-DOT drove a telecom revolution in rural India that was responsible for all-round socio-economic development through connectivity. As part of its development process, C-DOT spawned equipment manufacturers and component vendors. Its research and development facilities were located at its Delhi and Bangalore campuses.

C-DOT developed telecom switching products suited to Indian conditions, first small rural automatic exchanges (RAXs) and medium-size switches (SBMs) for towns, followed by higher capacity digital switches known as main automatic exchanges (MAXs). C-DOT technology spread across the country through its licensed manufacturers.

2. IP TUNNEL


An IP tunnel [1] is an Internet Protocol channel between two networks that encapsulates IP datagrams within IP datagrams, so that datagrams destined for one IP address can be wrapped and redirected to another IP address.

IP tunnelling is used to connect two disjoint IP networks that have no native routing path between them. It can also be used to create a Virtual Private Network between private networks over the Internet.

2.1 Principle of Tunnelling:

The principle of tunnel technology is simple. The user data and their headers are packed into a new packet. Various authentication and encryption procedures can be applied to the inner packet in order to secure the data.

Figure 1: The IP tunnel

The new IP header contains the IP addresses of the two VPN parties on the Internet. When the inner packet is encrypted, this outer header is the only part of the packet that observers on the Internet can read in plain text; the user data and the IP addresses of the local networks remain concealed in the interior of the tunnel. (Without encryption, as in a plain IPIP or GRE tunnel, the inner packet is just as visible as the outer header.) In addition to security, the tunnel is thus what makes it possible to connect networks with private IP addresses via the Internet.

The most common tunnel protocols are:

1. PPTP (Point-to-Point Tunnelling Protocol)
2. L2TP (Layer 2 Tunnelling Protocol)
3. IPsec (IP Security Protocol)

PPTP and L2TP are older protocols based on PPP (Point-to-Point Protocol), the standard protocol for dial-up connections. For some time now, the encryption of PPTP has been considered insufficiently secure. L2TP can be combined with various encryption procedures, but generates greater overhead and thus reduces net throughput. [2]

In short, IP Tunnel is used to create a logical path between two disjoint networks.

Some examples of IP tunnels are;

IPsec VPN tunnels, connecting remote sites to each other securely over an untrusted network, i.e. the Internet.

GRE tunnels, connecting remote sites over another network.

IPv6 to IPv4 tunnels, sending IPv6 traffic over an IPv4 network.

IPv4 to IPv6 tunnels, sending IPv4 traffic over an IPv6 network.

2.2 Tunnel using IPSec

IPsec is a protocol suite for securing Internet Protocol communications by authenticating and encrypting each IP packet. It also includes a protocol (IKE) to establish mutual authentication between the two parties and to negotiate keys at the beginning of a session.

IPsec is newer than PPTP and L2TP. It supports modern encryption algorithms and can be merged easily into existing IP networks, since it works at the IP layer.

IPsec fulfils the demand for authenticity, confidentiality and integrity using two protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP).

2.2.1 Authentication Header

The Authentication Header provides authentication and integrity for IP packets, but no encryption. The sender computes an Integrity Check Value (a keyed hash, typically an HMAC) over the packet using a secret key known only to the sender and recipient; fields of the IP header that legitimately change in transit, such as TTL and the header checksum, are treated as zero for this computation. The recipient computes the same value and compares it with the one carried in the AH.

Figure 2: The Authentication Header

Any other change to the packet during transmission over the Internet leads to a different value, and thus to rejection of the packet. In this way the recipient can be sure that the packet originates from the denoted sender and was not changed. Because AH covers the source and destination addresses of the outer header, it does not survive NAT, which is one reason ESP is used far more often in practice.
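The keyed integrity check described above, as an added example that is not code from the report or from any IPsec implementation. It simplifies AH to an HMAC-SHA256 over the packet, with the mutable IPv4 fields zeroed and the output truncated to 96 bits as AH does; the key, addresses and payload are constructed for the demonstration and the AH header itself is left out.

```python
import hashlib
import hmac
import struct

# Added example: an AH-style integrity check (keyed hash, mutable fields zeroed).
# Not an implementation of RFC 4302; the packet bytes below are constructed.

IPV4_HDR_LEN = 20
ICV_LEN = 12  # AH truncates the HMAC output to 96 bits


def build_ipv4(src: bytes, dst: bytes, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload; checksum left at 0."""
    ver_ihl = (4 << 4) | 5
    header = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, IPV4_HDR_LEN + len(payload),
                         0x1234, 0, ttl, proto, 0, src, dst)
    return header + payload


def ah_icv(key: bytes, packet: bytes) -> bytes:
    """Compute the ICV the way AH does: a keyed hash over the whole packet, with the
    fields that legitimately change in flight (TTL, header checksum) zeroed first so
    that every hop does not invalidate the value."""
    hdr = bytearray(packet[:IPV4_HDR_LEN])
    hdr[8] = 0                # TTL
    hdr[10:12] = b"\x00\x00"  # header checksum
    mac = hmac.new(key, bytes(hdr) + packet[IPV4_HDR_LEN:], hashlib.sha256)
    return mac.digest()[:ICV_LEN]


def ah_verify(key: bytes, packet: bytes, icv: bytes) -> bool:
    """Recipient side: recompute and compare in constant time."""
    return hmac.compare_digest(ah_icv(key, packet), icv)


def demo() -> dict:
    key = b"shared-secret-known-only-to-both-ends"  # assumption: pre-shared for the demo
    pkt = build_ipv4(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", 17, b"hello tunnel")
    icv = ah_icv(key, pkt)
    # a router decrements TTL and rewrites the checksum: the ICV must still verify
    hopped = bytearray(pkt)
    hopped[8] -= 1
    hopped[10:12] = b"\xaa\xbb"
    # an attacker flips one payload byte: verification must fail
    tampered = bytearray(pkt)
    tampered[-1] ^= 0x01
    return {
        "original": ah_verify(key, pkt, icv),
        "after_hop": ah_verify(key, bytes(hopped), icv),
        "tampered": ah_verify(key, bytes(tampered), icv),
        "wrong_key": ah_verify(b"other-key", pkt, icv),
    }
```

The point of zeroing TTL and checksum is the one the figure glosses over: AH must distinguish changes every router is allowed to make from changes an attacker makes, and it does so by fixing in advance which header fields are excluded from the keyed hash.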

2.2.2 Encapsulating Security Payload

With ESP the packets are encrypted in order to prevent them from being read by outside parties. Only the recipient, who holds the same key as the sender, can decrypt the data. ESP can also authenticate the packet (the ESP header and the encrypted payload, but not the outer IP header) with an integrity check value of its own; in current practice ESP with an authenticated-encryption algorithm such as AES-GCM is the normal choice.

Figure 3: Encapsulating Security Payload

AH and ESP can be used individually or in combination. Both are independent of the cryptographic algorithms used; the security association negotiated between the peers determines how the integrity check value is generated and how the data are encrypted.

2.3 IPv6 to IPv4 tunnel

Tunnelling provides a way to use an existing IPv4 routing infrastructure to carry IPv6 traffic.

While the IPv6 infrastructure is being deployed, the existing IPv4 routing infrastructure can remain functional and be used to carry IPv6 traffic, so an IPv6 deployment must stay compatible with the IPv4 network in between.

IPv6/IPv4 (dual-stack) hosts and routers can tunnel IPv6 datagrams over regions of IPv4 routing topology by encapsulating them within IPv4 packets (IP protocol number 41).

Item              Description
Router-to-Router  IPv6/IPv4 routers interconnected by an IPv4 infrastructure can tunnel IPv6 packets between themselves.
Host-to-Router    IPv6/IPv4 hosts can tunnel IPv6 packets to an intermediary IPv6/IPv4 router that is reachable through an IPv4 infrastructure.
Host-to-Host      IPv6/IPv4 hosts that are interconnected by an IPv4 infrastructure can tunnel IPv6 packets between themselves.
Router-to-Host    IPv6/IPv4 routers can tunnel IPv6 packets to their final destination IPv6/IPv4 host.


In router-to-router or host-to-router methods, the IPv6 packet is being tunneled to a router. In host-to-host or router-to-host methods, the IPv6 packet is tunneled all the way to its final destination.

The entry node of the tunnel (the encapsulating node) creates an encapsulating IPv4 header and transmits the encapsulated packet. The exit node of the tunnel (the decapsulating node) receives the encapsulated packet, removes the IPv4 header, updates the IPv6 header, and processes the received IPv6 packet. [3]

2.3.1 Topology of a 6to4 Tunnel

The following figure shows how a 6to4 tunnel provides connectivity between 6to4 sites.

Figure 4: Tunnel Between Two 6to4 Sites

(i) The figure depicts two isolated 6to4 networks, Site A and Site B, each configured with a router that has an external connection to an IPv4 network. A 6to4 tunnel across the IPv4 network links the two 6to4 sites.

(ii) qfe0: the interface (Solaris naming in the figure) between the IPv6 site and the external IPv4 network. It carries the site's globally unique IPv4 address, from which the site's 6to4 prefix 2002:<IPv4 address>::/48 is derived.

(iii) hme0 and hme1: the interfaces between Subnets 1 and 2 and the 6to4 router.

(iv) Site B is another isolated 6to4 site. The boundary router at Site B must be configured for 6to4 support; otherwise the packets it receives from Site A are not recognised and are dropped.

2.3.2 Packet Flow through the 6to4 Tunnel


1. A host on Subnet 1 of 6to4 Site A sends a transmission with a host at 6to4 Site B as the destination. Each packet header has a 6to4 source and destination address.

2. Site A's router encapsulates each 6to4 packet within an IPv4 header. In this process, the router sets the IPv4 destination address of the encapsulating header to Site B's router address. For each IPv6 packet that flows through the tunnel interface, the packet's IPv6 destination address embeds the IPv4 destination address (bits 16 to 47 of a 2002::/16 address), so the router can determine the IPv4 destination to set in the encapsulating header without any per-site configuration. The router then uses standard IPv4 routing to forward the packet over the IPv4 network.

3. Any IPv4 routers that the packets encounter use the packets' IPv4 destination address for forwarding. This address is the globally unique IPv4 address of the interface on Router B, which also serves as the 6to4 pseudo-interface.

4. Packets from Site A arrive at Router B, which decapsulates the IPv6 packets from the IPv4 header. Since any IPv4 host can send a protocol-41 packet to Router B, the router should accept only packets whose outer IPv4 source matches the address embedded in the inner IPv6 source; 6to4 provides no authentication of the tunnel peer.

5. Router B then uses the destination address in the IPv6 packet to forward the packets to the recipient host at Site B. [4]
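The encapsulation principle of section 2.1 and the 6to4 packet flow above, as an added example that is not code from the report: it derives the 2002::/48 prefix from a site's IPv4 address, extracts the IPv4 tunnel endpoint from an inner IPv6 destination, builds the outer IPv4 header with protocol 41, and performs the decapsulation checks at Router B. All addresses are RFC 5737 documentation addresses and the payload is constructed.

```python
import ipaddress
import struct
from typing import Optional

# Added example, not code from the report: 6to4 address derivation plus the
# encapsulation/decapsulation steps of Figure 4. Addresses and payload are constructed.

IPPROTO_IPV6 = 41  # IPv6 carried directly inside IPv4 (6in4; 6to4 uses the same number)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used for the outer IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total >> 16) + (total & 0xFFFF)
    return ~total & 0xFFFF


def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """A 6to4 site owning IPv4 address W.X.Y.Z gets the prefix 2002:WWXX:YYZZ::/48."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def embedded_ipv4(ipv6: str) -> Optional[ipaddress.IPv4Address]:
    """Reverse of sixto4_prefix: the tunnel endpoint is bits 16..47 of a 2002::/16
    address. Returns None for any other address, which a 6to4 router must not encapsulate."""
    n = int(ipaddress.IPv6Address(ipv6))
    if n >> 112 != 0x2002:
        return None
    return ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF)


def build_ipv6(src: str, dst: str, payload: bytes, next_header: int = 17) -> bytes:
    """Minimal 40-byte IPv6 header in front of payload."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed) + payload


def encapsulate(inner_ipv6: bytes, outer_src: str) -> bytes:
    """Step 2 of the packet flow: Site A's router reads the IPv4 endpoint out of the
    inner IPv6 destination (header bytes 24..39) and prepends an IPv4 header, protocol 41."""
    dst4 = embedded_ipv4(str(ipaddress.IPv6Address(inner_ipv6[24:40])))
    if dst4 is None:
        raise ValueError("inner destination is not a 6to4 address")
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner_ipv6), 0,
                                0x4000, 64, IPPROTO_IPV6, 0,
                                ipaddress.IPv4Address(outer_src).packed, dst4.packed))
    hdr[10:12] = struct.pack("!H", inet_checksum(bytes(hdr)))
    return bytes(hdr) + inner_ipv6


def decapsulate(packet: bytes) -> bytes:
    """Steps 4 and 5 at Router B: accept only a well-formed IPv4 header that carries
    protocol 41, then strip it and hand the IPv6 packet to normal IPv6 forwarding."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or len(packet) < ihl + 40:
        raise ValueError("not an IPv4 packet with an IPv6 payload")
    if packet[9] != IPPROTO_IPV6:
        raise ValueError("outer protocol is not 41")
    if inet_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer header checksum")
    inner = packet[ihl:]
    if inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    return inner


def demo() -> dict:
    site_a, site_b = "192.0.2.1", "198.51.100.1"   # the two routers' global IPv4 addresses
    host_a = str(sixto4_prefix(site_a).network_address + 1)
    host_b = str(sixto4_prefix(site_b).network_address + 1)
    inner = build_ipv6(host_a, host_b, b"constructed payload")
    outer = encapsulate(inner, site_a)
    try:  # same bytes but protocol 4 (IPIP): Router B must not treat it as 6to4
        decapsulate(outer[:9] + bytes([4]) + outer[10:])
        rejected = False
    except ValueError:
        rejected = True
    return {
        "host_a": host_a,
        "outer_dst": str(ipaddress.IPv4Address(outer[16:20])),
        "outer_proto": outer[9],
        "roundtrip": decapsulate(outer) == inner,
        "ipip_rejected": rejected,
    }
```

Note that nothing in encapsulate or decapsulate authenticates the far end: any IPv4 host that can reach Router B can hand it an IPv6 packet this way, which is why 6to4 relays apply source address consistency checks and why the same IPv4 tunnel is wrapped in IPsec when the traffic matters.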

3. Generic Routing Encapsulation

Generic Routing Encapsulation (GRE) is a tunnelling protocol originally developed by Cisco Systems and later standardised in RFC 2784. It is an IP encapsulation protocol (IP protocol number 47) used to transport packets of one protocol over a network running another. Information is sent from one network to the other through a GRE tunnel.

GRE works by encapsulating a payload, that is, an inner packet that needs to be delivered to a destination network, inside an outer IP packet. GRE tunnel endpoints send payloads through GRE tunnels by routing the encapsulated packets through intervening IP networks. Other IP routers along the way do not parse the payload (the inner packet); they only parse the outer IP packet as they forward it towards the GRE tunnel endpoint. Upon reaching the tunnel endpoint, the GRE encapsulation is removed and the payload is forwarded to its ultimate destination.


GRE supports Multicasting as well as IPv6 traffic between networks.

3.1 Advantages:

Advantages of GRE tunnels include the following:

GRE tunnels encase multiple protocols over a single-protocol backbone.

GRE tunnels provide workarounds for networks with limited hops.

GRE tunnels connect discontinuous sub-networks.

GRE tunnels allow VPNs across wide area networks.

3.2 Process of Encapsulation and De-Encapsulation

Figure 5: GRE tunnelling

Encapsulation. A switch or router operating as the tunnel source encapsulates and forwards GRE packets as follows:

1. When it receives a data packet (payload) to be tunnelled, it sends the packet to the tunnel interface.
2. The tunnel interface encapsulates the data in a GRE packet.
3. The system encapsulates the GRE packet in an IP packet.
4. The IP packet is forwarded based on its destination address and the routing table.

De-encapsulation. A switch or router operating as the tunnel remote endpoint handles GRE packets as follows:

1. When the destination device receives the IP packet on the tunnel interface, it checks the destination address.
2. The IP header is removed, and the packet is submitted to the GRE protocol.
3. The GRE protocol strips off the GRE header and submits the payload packet for forwarding.

3.3 GRE Encapsulation

Figure 6: GRE Encapsulation

GRE packets are routed over the network as ordinary IP packets.
(i) The outer IP header is 20 bytes long (without options).
(ii) The GRE packet is encapsulated within the IP packet. The GRE header is variable in length; it can range from 4 to 20 bytes.
(iii) The passenger protocol, i.e. the payload, is encapsulated inside the GRE header.

3.4 GRE Header

The GRE header is variable in length, from 4 to 20 bytes, depending on which optional features have been enabled.

Figure 7: GRE HEADER

C, K and S: bit flags set to one if the Checksum, Key and Sequence Number fields are present, respectively
Ver: GRE version number (zero)
Protocol: Ethertype of the encapsulated protocol (e.g. 0x0800 for IPv4, 0x86DD for IPv6)
Checksum: checksum over the GRE header and payload (optional)
Key: tunnel key (optional); it identifies a tunnel or flow at the endpoint, but since it is sent in the clear it is not an authenticator
Sequence Number: GRE sequence number (optional)

With Generic Routing Encapsulation the network is logically private, because traffic can enter a tunnel only at one endpoint and leave only at the other. Tunnels do not provide true confidentiality (as encryption does) or authentication of the peer, but they can carry encrypted traffic, for example IPsec inside GRE. Tunnels are logical endpoints configured on the physical interfaces through which the traffic is carried. [5]
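The variable-length header of Figure 7, as an added example that is not code from the report: it builds a GRE header with any combination of the C, K and S options (RFC 2784 base header plus the RFC 2890 Key and Sequence Number fields; the RFC 1701 routing field is rejected rather than parsed), then strips it at the far endpoint with the checks the flags call for. The inner packet and key value are constructed.

```python
import struct

# Added example, not code from the report: GRE header construction and parsing.
# The payload is a constructed 20-byte IPv4 header, not captured traffic.

GRE_C = 0x8000  # Checksum (and Reserved1) present
GRE_R = 0x4000  # Routing present (RFC 1701 only; rejected here)
GRE_K = 0x2000  # Key present
GRE_S = 0x1000  # Sequence Number present
GRE_VER_MASK = 0x0007
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD


def inet_checksum(data: bytes) -> int:
    """One's-complement checksum over GRE header plus payload, zero-padded to even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total >> 16) + (total & 0xFFFF)
    return ~total & 0xFFFF


def gre_encap(payload: bytes, protocol: int, key=None, seq=None, checksum=False) -> bytes:
    """Prepend a GRE header: 4 bytes of flags/version/protocol, then only the optional
    fields whose flag is set, in the fixed order Checksum+Reserved1, Key, Sequence Number."""
    flags = (GRE_C if checksum else 0) | (GRE_K if key is not None else 0) \
        | (GRE_S if seq is not None else 0)
    hdr = struct.pack("!HH", flags, protocol)  # Ver bits are zero
    if checksum:
        hdr += struct.pack("!HH", 0, 0)        # checksum filled in below, Reserved1 = 0
    if key is not None:
        hdr += struct.pack("!I", key)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if checksum:
        hdr = hdr[:4] + struct.pack("!H", inet_checksum(hdr + payload)) + hdr[6:]
    return hdr + payload


def gre_decap(packet: bytes, expected_key=None):
    """Strip the GRE header at the tunnel endpoint; returns (protocol, payload, info).
    The Key only demultiplexes: it lets the endpoint drop packets that are not for this
    tunnel, but anyone who can read the wire can read the key, so it authenticates nothing."""
    flags, protocol = struct.unpack("!HH", packet[:4])
    if flags & GRE_VER_MASK != 0 or flags & GRE_R:
        raise ValueError("unsupported GRE version or routing header")
    info, off = {}, 4
    if flags & GRE_C:
        if inet_checksum(packet) != 0:        # covers header and payload, including the field
            raise ValueError("GRE checksum mismatch")
        info["checksum"] = struct.unpack("!H", packet[4:6])[0]
        off += 4
    if flags & GRE_K:
        info["key"] = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    if flags & GRE_S:
        info["seq"] = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    if expected_key is not None and info.get("key") != expected_key:
        raise ValueError("GRE key mismatch: packet is not for this tunnel")
    info["header_len"] = off
    return protocol, packet[off:], info


def demo() -> dict:
    inner = bytes.fromhex("45000014") + b"\x00" * 16   # constructed 20-byte IPv4 header
    plain = gre_encap(inner, ETHERTYPE_IPV4)
    full = gre_encap(inner, ETHERTYPE_IPV4, key=0x2A, seq=7, checksum=True)
    proto, payload, info = gre_decap(full, expected_key=0x2A)
    corrupted = full[:-1] + bytes([full[-1] ^ 0x01])
    try:
        gre_decap(corrupted)
        bad_checksum_caught = False
    except ValueError:
        bad_checksum_caught = True
    try:
        gre_decap(full, expected_key=0x2B)
        wrong_key_caught = False
    except ValueError:
        wrong_key_caught = True
    return {"min_header_len": len(plain) - len(inner), "full_header_len": info["header_len"],
            "protocol": proto, "seq": info["seq"], "roundtrip": payload == inner,
            "bad_checksum_caught": bad_checksum_caught, "wrong_key_caught": wrong_key_caught}
```

The header length goes from the 4-byte minimum to 16 bytes with all three options set; the extra 4 bytes the report's 20-byte figure allows are the RFC 1701 routing field, which current implementations do not use.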

4. POINT-TO-POINT TUNNELING PROTOCOL

PPTP is a tunnelling protocol developed by a vendor consortium led by Microsoft (RFC 2637) as a VPN technology. PPTP uses a control channel over TCP (port 1723) and an enhanced GRE tunnel to encapsulate PPP packets.

PPTP itself has no encryption or authentication features and relies on the Point-to-Point Protocol being tunnelled to implement the security functionality. In Microsoft Windows, PPTP connections get authentication from PPP's MS-CHAP and encryption from MPPE, so these appear to the user as native features.

PPTP is provided in Windows 95/98, NT 4.0 and Windows 2000 and does not require any additional client software. Thus, implementing a VPN with Microsoft Windows is quite easy.

MPPE (Microsoft Point-to-Point Encryption) is negotiated through the same PPP Compression Control Protocol option as Microsoft Point-to-Point Compression (MPPC) and provides confidentiality through RC4 encryption, with keys derived from the MS-CHAP authentication exchange.

Developed as an extension of the Point-to-Point Protocol (PPP), PPTP lets PPP sessions and their multiprotocol payloads be carried over the Internet; whatever security it offers comes from the PPP authentication and encryption running inside the tunnel.

4.1 PPTP Configuration Steps:

Figure 8: PPTP Configuration Steps

The following steps are needed to establish a PPTP tunnel:

1. The client dials in to the ISP and establishes a PPP session.
2. The client establishes a TCP connection (port 1723) with the tunnel server.
3. The tunnel server accepts the TCP connection.
4. The client sends a PPTP Start-Control-Connection-Request (SCCRQ) message to the tunnel server.
5. The tunnel server establishes a new PPTP tunnel and replies with a Start-Control-Connection-Reply (SCCRP) message.
6. The client initiates the session by sending an Outgoing-Call-Request (OCRQ) message to the tunnel server.
7. The tunnel server creates a virtual-access interface.
8. The tunnel server replies with an Outgoing-Call-Reply (OCRP) message.


4.2 PAC and PNS

The PPTP Network Server (PNS) is envisioned to run on a general purpose operating system, while the PPTP Access Concentrator (PAC) operates on a dial access platform. In the remote-access (voluntary) model used by Windows clients, the client machine itself plays the PAC role.

PPTP is implemented only by the PAC and the PNS. No other systems need to be aware of PPTP. Dial networks may be connected to a PAC without being aware of PPTP, and standard PPP client software continues to operate on tunnelled PPP links.

PPTP uses an extended version of GRE to carry user PPP packets. These enhancements (sequence and acknowledgement numbers in the GRE header) allow low-level congestion and flow control to be provided on the tunnels used to carry user data between PAC and PNS. This mechanism allows efficient use of the bandwidth available for the tunnels and avoids unnecessary retransmissions and buffer overruns.

4.3 Protocol Structure - PPTP: Point to Point Tunneling Protocol

Figure 9: PPTP protocol structure (Start-Control-Connection-Request; field widths in bits, 32 bits per row)

Length (16)                 | PPTP message type (16)
Magic cookie (32)
Control message type (16)   | Reserved 0 (16)
Protocol version (16)       | Reserved 1 (16)
Framing capability (32)
Bearer capability (32)
Maximum channels (16)       | Firmware revision (16)
Host name (64 octets)
Vendor string (64 octets)

Length - Total length in octets of this PPTP message, including the entire PPTP header.

PPTP message type - The message type. Possible values are: 1 Control message; 2 Management message.

Magic cookie - The magic cookie is always sent as the constant 0x1A2B3C4D. Its basic purpose is to allow the receiver to ensure that it is properly synchronised with the TCP data stream.

Control Message Type - Values (as assigned in RFC 2637) are:

Control Connection Management -
1 Start-Control-Connection-Request
2 Start-Control-Connection-Reply
3 Stop-Control-Connection-Request
4 Stop-Control-Connection-Reply
5 Echo-Request
6 Echo-Reply

Call Management -
7 Outgoing-Call-Request
8 Outgoing-Call-Reply
9 Incoming-Call-Request
10 Incoming-Call-Reply
11 Incoming-Call-Connected
12 Call-Clear-Request
13 Call-Disconnect-Notify

Error Reporting -
14 WAN-Error-Notify

PPP Session Control -
15 Set-Link-Info

Reserved 0 & 1 - Must be set to 0.

Protocol version - PPTP version number (0x0100 for version 1.0).

Framing Capabilities - Indicates the type of framing that the sender of this message can provide: 1 - asynchronous framing supported; 2 - synchronous framing supported.

Bearer Capabilities - Indicates the bearer capabilities that the sender of this message can provide: 1 - analog access supported; 2 - digital access supported.

Maximum Channels - The total number of individual PPP sessions this PAC can support.

Firmware Revision - Contains the firmware revision number of the issuing PAC, when issued by the PAC, or the version of the PNS PPTP driver if issued by the PNS.

Host Name - Contains the DNS name of the issuing PAC or PNS.

Vendor String - Contains a vendor-specific string describing the type of PAC being used, or the type of PNS software being used if the request is issued by the PNS. [6]
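The Start-Control-Connection-Request of Figure 9 built and parsed, as an added example that is not code from the report or from any PPTP implementation. It shows the receiver-side checks the magic cookie and length fields exist for, and treats the host name and vendor string as what they are on TCP port 1723: untrusted plaintext from the peer. The host name and vendor string used are constructed.

```python
import struct

# Added example, not code from the report: SCCRQ construction and parsing per RFC 2637.
# Host name and vendor string below are constructed values.

MAGIC_COOKIE = 0x1A2B3C4D
MSG_CONTROL = 1            # PPTP message type: control message
MSG_MANAGEMENT = 2
PROTOCOL_VERSION = 0x0100  # version 1.0
SCCRQ = 1
SCCRQ_LEN = 156
# Length, MsgType, Cookie, CtrlType, Reserved0, Version, Reserved1, Framing, Bearer,
# MaxChannels, Firmware, HostName, Vendor
SCCRQ_FMT = "!HHIHHHHIIHH64s64s"

CONTROL_MESSAGE_TYPES = {
    1: "Start-Control-Connection-Request", 2: "Start-Control-Connection-Reply",
    3: "Stop-Control-Connection-Request", 4: "Stop-Control-Connection-Reply",
    5: "Echo-Request", 6: "Echo-Reply", 7: "Outgoing-Call-Request", 8: "Outgoing-Call-Reply",
    9: "Incoming-Call-Request", 10: "Incoming-Call-Reply", 11: "Incoming-Call-Connected",
    12: "Call-Clear-Request", 13: "Call-Disconnect-Notify", 14: "WAN-Error-Notify",
    15: "Set-Link-Info",
}


def build_sccrq(host_name: bytes, vendor: bytes, max_channels: int = 0, firmware: int = 0,
                framing: int = 3, bearer: int = 3) -> bytes:
    """framing/bearer 3 = both async and sync framing / both analog and digital access."""
    return struct.pack(SCCRQ_FMT, SCCRQ_LEN, MSG_CONTROL, MAGIC_COOKIE, SCCRQ, 0,
                       PROTOCOL_VERSION, 0, framing, bearer, max_channels, firmware,
                       host_name[:64].ljust(64, b"\0"), vendor[:64].ljust(64, b"\0"))


def parse_control_header(data: bytes) -> dict:
    """The 12-byte prefix common to every control message. A wrong cookie means the
    TCP stream is out of sync; RFC 2637 says to close the control connection."""
    if len(data) < 12:
        raise ValueError("short read")
    length, msg_type, cookie, ctrl_type, _reserved0 = struct.unpack("!HHIHH", data[:12])
    if cookie != MAGIC_COOKIE:
        raise ValueError("bad magic cookie: control connection lost synchronisation")
    if msg_type != MSG_CONTROL:
        raise ValueError("unexpected PPTP message type %d" % msg_type)
    if length < 12 or length > len(data):
        raise ValueError("length field %d inconsistent with %d bytes" % (length, len(data)))
    return {"length": length, "control_type": ctrl_type,
            "name": CONTROL_MESSAGE_TYPES.get(ctrl_type, "unknown")}


def parse_sccrq(data: bytes) -> dict:
    hdr = parse_control_header(data)
    if hdr["control_type"] != SCCRQ or hdr["length"] != SCCRQ_LEN:
        raise ValueError("not a well-formed SCCRQ")
    f = struct.unpack(SCCRQ_FMT, data[:SCCRQ_LEN])
    version = f[5]
    return {
        "version": "%d.%d" % (version >> 8, version & 0xFF),
        "framing": f[7], "bearer": f[8], "max_channels": f[9], "firmware": f[10],
        # strings come from the peer: stop at the first NUL and never trust the encoding
        "host_name": f[11].split(b"\0", 1)[0].decode("ascii", "replace"),
        "vendor": f[12].split(b"\0", 1)[0].decode("ascii", "replace"),
    }


def demo() -> dict:
    msg = build_sccrq(b"pac.example.net", b"example-vendor", max_channels=4)
    desynced = msg[:4] + b"\x00\x00\x00\x00" + msg[8:]   # cookie overwritten
    try:
        parse_control_header(desynced)
        caught = False
    except ValueError:
        caught = True
    return {"parsed": parse_sccrq(msg), "bad_cookie_rejected": caught}
```

Everything in this exchange, including host names and later the MS-CHAP challenge/response carried in PPP, travels unencrypted on the control connection; the parser's checks protect the receiver from a malformed stream, not from an eavesdropper.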

    

4.4 SECURITY

PPTP has been found to have many security weaknesses. The MS-CHAP authentication it relies on can be attacked offline (an MS-CHAPv2 handshake reduces to a single DES key search), and because the MPPE RC4 session keys are derived from the MS-CHAP exchange, an attacker who captures the handshake can also decrypt the session. PPTP is no longer recommended by Microsoft and is considered cryptographically broken.

4.5 ADVANTAGES of PPTP

PPTP divides all the information to be transmitted into two types of messages, control messages and data messages. This makes PPTP simpler to manage and makes connections easier to control.

It requires very little bandwidth to operate, so more users can share a connection without slowing down transmission.

PPTP also supports a variety of security measures such as authentication, encryption and packet filtering, although, as noted above, the ones deployed with it are weak.

A significant advantage of PPTP for smaller companies is that it is much more affordable and requires less special hardware than other protocols, and in fact comes free with most operating systems. So it may be the least expensive option for a company that does not want to invest a large amount of money in setting up its VPN.

4.6 Disadvantages of PPTP

The first is the way in which it handles messages. It does not encrypt the control channel (TCP port 1723) for a session, so the connection can be observed and is open to attack or hijacking, as is the information being transmitted once the weak MPPE encryption is broken.

It remains one of the weakest in security of all of the current VPN protocols.

5. LAYER 2 FORWARDING PROTOCOL

L2F, or Layer 2 Forwarding, is a tunnelling protocol developed by Cisco Systems, Inc. to establish virtual private network connections over the Internet. L2F does not provide encryption or confidentiality by itself; it relies on the protocol being tunnelled to provide privacy. L2F was specifically designed to tunnel Point-to-Point Protocol (PPP) traffic. [1]

It is similar to PPTP in that L2F is a layer 2 tunnelling protocol, as its name indicates, and L2F is likewise an extension of PPP. The differences from PPTP are that, instead of wrapping the PPP packets in IP only, L2F can also use layer 2 transports such as Frame Relay and ATM to create tunnels; that L2F tunnels are initiated by the server (the ISP's access server) rather than by the client; and that L2F provides authentication between the tunnel endpoints.

5.1 Protocol Structure - L2F: Layer 2 Forwarding Protocol

Header layout (RFC 2341), 32 bits per row:

F | K | P | S | 0 0 0 0 0 0 0 0 | C | Version (3) | Protocol (8) | Sequence (8)
Multiplex ID (16)                                  | Client ID (16)
Length (16)                                        | Offset (16)
Key (32)

Version - The major version of the L2F software creating the packet.
Protocol - Specifies the protocol carried within the L2F packet.
Sequence - The sequence number, present if the S bit in the L2F header is set to 1.
Multiplex ID - Identifies a particular connection within a tunnel.
Client ID - The client ID (CLID) assists endpoints in demultiplexing tunnels.
Length - The size in octets of the entire packet, including the header, all the fields and the payload.
Offset - The number of bytes past the L2F header at which the payload data is expected to start. Present if the F bit in the L2F header is set to 1.
Key - Present if the K bit is set in the L2F header. This is part of the authentication process.
Checksum - The checksum of the packet. Present if the C bit in the L2F header is set to 1.

5.2 Advantages and Disadvantages

Advantage:

L2F provides authentication of end points.

Disadvantages:

L2F requires support in access servers and routers.  Therefore an ISP has to support it.


6 LAYER 2 TUNNELING PROTOCOL

Layer 2 Tunneling Protocol (L2TP) is a tunnelling protocol used to support Virtual Private Networks (VPNs). It does not provide any encryption or confidentiality for the packets it carries. Privacy has to come from another protocol inside which the L2TP packets are sent, in practice IPsec, so L2TP relies on that underlying protocol for its encryption services.

6.1 L2TP Encapsulation


Figure 10: L2TP Encapsulation

The entire L2TP packet, including payload and L2TP header, is sent within a User Datagram Protocol (UDP) datagram (port 1701). It is common to carry PPP sessions within an L2TP tunnel.

UDP: With UDP, hosts can send messages (datagrams) to other hosts on an IP network without any prior communication to set up a connection.

PPP: PPP is a data link protocol used for creating a connection between two nodes. It can provide connection establishment, authentication, encryption and compression.

L2TP encapsulates PPP frames to tunnel them across an IP network. The L2TP packets must themselves be encapsulated (in UDP and IP) for transmission.

Since L2TP authenticates only the tunnel setup and provides no per-packet confidentiality or integrity, it seeks the help of IPsec for confidentiality, encryption and integrity.

The combination of these two protocols is generally known as L2TP/IPsec.

Problems that may arise are:

(i) Fragmentation, because the stacked IP/UDP/L2TP/PPP headers plus IPsec reduce the usable MTU
(ii) Additional overhead, as IPsec adds its own headers

6.2 L2TP basic Components


Figure 11: L2TP Components

The two endpoints of an L2TP tunnel are called the LAC (L2TP Access Concentrator) and the LNS (L2TP Network Server). The LAC is the initiator of the tunnel while the LNS is the server, which waits for new tunnels. Once a tunnel is established, the network traffic between the peers is bidirectional. [1]

The LAC at the ISP exchanges PPP frames with the subscribers and exchanges L2TP requests and responses with the customer's LNS.

6.3 Tunnel Initiation

The LAC is responsible for initiating the tunnel, while the LNS is the server.

The LAC authenticates the user and gathers the information needed to set up the tunnel. This information is forwarded to the LNS later on in the process.

The LAC physically terminates the incoming call; it does not terminate the PPP session, though. The PPP session is terminated at the LNS.

6.4 TUNNELING MODELS


6.4.1 Voluntary tunnel

In the voluntary tunnel model, a tunnel is created by the user, typically by the use of an L2TP-enabled client. As a result, the user sends L2TP packets to the Internet Service Provider (ISP), which forwards them on to the LNS. In voluntary tunnelling the ISP does not need to support L2TP, and the L2TP tunnel initiator effectively resides on the same system as the remote client. In this model the tunnel extends across the entire PPP session, from the L2TP client to the LNS.

6.4.2 Compulsory tunnel model - incoming call

In the compulsory tunnel model-incoming call, a tunnel is created without any action from the user and without allowing the user any choice. As a result the user will send PPP packets to the ISP (LAC) which will encapsulate them in L2TP and tunnel them to the LNS. In the compulsory tunneling cases, the ISP must be L2TP capable. In this model the tunnel only extends across the segment of the PPP session between the ISP and the LNS.

6.4.3 Compulsory tunnel model - remote dial

In the compulsory tunnel model-remote dial the home gateway (LNS) initiates a tunnel to an ISP (LAC) and instructs the ISP to place a local call to the PPP answer client. This model is intended for cases where the remote PPP Answer Client has a permanent established phone number with an ISP. This model is expected to be used when a company with established presence on the Internet needs to establish a connection to a remote office that requires a dial-up link. In this model the tunnel only extends across the segment of the PPP session between the LNS and the ISP.

6.4.4 L2TP Multi-hop Connection

An L2TP Multi-hop connection is a way of redirecting L2TP traffic on behalf of client LACs and LNSs. A Multi-hop connection is established using a L2TP Multi-hop gateway (a system that links L2TP Terminator and Initiator profiles together). To establish a multi-hop connection the L2TP Multi-hop gateway will act as both a LNS to a set of LACs at the same time as acting as a LAC to a given LNS. A tunnel is established from a client LAC to the L2TP Multi-hop gateway and then another tunnel is established between the L2TP Multi-hop gateway and a target LNS. L2TP traffic from the client LAC is then redirected by the L2TP Multi-hop gateway to the target LNS and traffic from the target LNS is redirected to the client LAC.[2]

6.5 L2TP Packet Structure:

An L2TP packet consists of: [1]

Bits 0-15                  | Bits 16-31
Flags and Version Info     | Length (opt)
Tunnel ID                  | Session ID
Ns (opt)                   | Nr (opt)
Offset Size (opt)          | Offset Pad (opt) ......
Payload data

Field meanings:

Flags and version - Control flags indicating data/control packet (T bit) and the presence of the length, sequence and offset fields (L, S and O bits); the version field must be 2.
Length (optional) - Total length of the message in bytes, present only when the length flag is set.
Tunnel ID - Identifier for the control connection.
Session ID - Identifier for a session within a tunnel.
Ns (optional) - Sequence number for this data or control message, beginning at zero and incrementing by one (modulo 2^16) for each message sent. Present only when the sequence flag is set.
Nr (optional) - Sequence number of the next message expected to be received. Nr is set to the Ns of the last in-order message received plus one (modulo 2^16). In data messages, Nr is reserved and, if present (as indicated by the S bit), MUST be ignored upon receipt.
Offset Size (optional) - Specifies where the payload data is located past the L2TP header. If the offset field is present, the L2TP header ends after the last byte of the offset padding. This field exists only if the offset flag is set.
Offset Pad (optional) - Variable length, as specified by the offset size. Contents of this field are undefined.
Payload data - Variable length (maximum payload size = maximum size of the UDP datagram minus the size of the L2TP header).
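The header above, built and parsed with the flag rules RFC 2661 imposes on a receiver, as an added example that is not code from the report or from any L2TP implementation: control messages must carry L and S and must not carry O, Nr in a data message is ignored, and the optional fields shift the start of the payload. Tunnel and session identifiers and payloads are constructed.

```python
import struct

# Added example, not code from the report: L2TPv2 header construction and parsing.
# Identifiers and payloads are constructed values.

FLAG_T = 0x8000  # 1 = control message, 0 = data message
FLAG_L = 0x4000  # Length field present
FLAG_S = 0x0800  # Ns/Nr present
FLAG_O = 0x0200  # Offset Size (and pad) present
FLAG_P = 0x0100  # priority (data messages only)
VERSION = 2


def build_l2tp(payload: bytes, tunnel_id: int, session_id: int, *, control: bool = False,
               ns=None, nr=None, with_length: bool = False, offset_pad: int = 0) -> bytes:
    """Control messages MUST carry L and S and MUST NOT carry O; data messages may
    choose. Fields appear in header order only when their flag bit is set."""
    flags = VERSION
    if control:
        if ns is None or nr is None:
            raise ValueError("control messages require Ns and Nr")
        if offset_pad:
            raise ValueError("control messages must not set the O bit")
        flags |= FLAG_T
        with_length = True
    if with_length:
        flags |= FLAG_L
    if ns is not None:
        flags |= FLAG_S
    if offset_pad:
        flags |= FLAG_O
    body = b""
    if with_length:
        body += struct.pack("!H", 0)                      # placeholder, patched below
    body += struct.pack("!HH", tunnel_id, session_id)
    if ns is not None:
        body += struct.pack("!HH", ns, 0 if nr is None else nr)
    if offset_pad:
        body += struct.pack("!H", offset_pad) + b"\x00" * offset_pad
    msg = struct.pack("!H", flags) + body + payload
    if with_length:
        msg = msg[:2] + struct.pack("!H", len(msg)) + msg[4:]
    return msg


def parse_l2tp(datagram: bytes) -> dict:
    """Walk the header according to the flag bits and return fields plus payload."""
    flags = struct.unpack("!H", datagram[:2])[0]
    if flags & 0x000F != VERSION:
        raise ValueError("not L2TPv2 (version %d)" % (flags & 0xF))
    control = bool(flags & FLAG_T)
    if control and (not flags & FLAG_L or not flags & FLAG_S or flags & FLAG_O):
        raise ValueError("control message with illegal flag combination: drop")
    info, off = {"control": control}, 2
    if flags & FLAG_L:
        info["length"] = struct.unpack("!H", datagram[off:off + 2])[0]
        off += 2
        if info["length"] > len(datagram) or info["length"] < off + 4:
            raise ValueError("length field inconsistent with datagram")
    info["tunnel_id"], info["session_id"] = struct.unpack("!HH", datagram[off:off + 4])
    off += 4
    if flags & FLAG_S:
        ns, nr = struct.unpack("!HH", datagram[off:off + 4])
        off += 4
        info["ns"] = ns
        if control:
            info["nr"] = nr            # in data messages Nr is reserved and ignored
    if flags & FLAG_O:
        pad = struct.unpack("!H", datagram[off:off + 2])[0]
        off += 2 + pad
    end = info.get("length", len(datagram))
    if off > end:
        raise ValueError("header runs past the end of the message")
    info["header_len"] = off
    info["payload"] = datagram[off:end]
    return info


def demo() -> dict:
    control = build_l2tp(b"AVPs", 5, 0, control=True, ns=0, nr=0)
    data = build_l2tp(b"PPP frame", 5, 17, ns=3, nr=99, offset_pad=4)
    bare = build_l2tp(b"PPP frame", 5, 17)
    forged = struct.pack("!H", FLAG_T | VERSION) + control[2:]   # T set, L and S cleared
    try:
        parse_l2tp(forged)
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    return {"control": parse_l2tp(control), "data": parse_l2tp(data),
            "bare_header_len": parse_l2tp(bare)["header_len"],
            "forged_rejected": forged_rejected}
```

Note that the tunnel and session IDs are the only thing that ties a UDP datagram on port 1701 to a session: nothing in the header is authenticated, which is why the section that follows wraps all of this in IPsec.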


6.6 L2TP packet exchange

During tunnel initiation between server and client, several control messages are exchanged to establish the tunnel and to create a session.

Each side tells the other the tunnel ID and session ID by which it wishes to be addressed. After the tunnel and session are established, the data (PPP frames) is sent through them.

The control messages exchanged between the LAC and the LNS are listed in the figure:

Figure 12: L2TP packet exchange


6.7 L2TP/IPsec

Since L2TP lacks confidentiality, it is often implemented along with IPsec. This is referred to as L2TP/IPsec. The process of setting up an L2TP/IPsec VPN is as follows:

1. Negotiation of an IPsec security association (SA), typically through Internet Key Exchange (IKE).
2. Establishment of Encapsulating Security Payload (ESP) communication in transport mode. At this point a secure channel has been established, but no tunnelling is taking place.
3. Negotiation and establishment of the L2TP tunnel between the SA endpoints. The actual negotiation of parameters takes place over the SA's secure channel, within the IPsec encryption. [1]

Security association (SA): the set of security attributes (algorithms, keys and identifiers) agreed between two network components for the purpose of communication.

Internet Key Exchange (IKE): the protocol used to set up a security association (SA) in the IPsec protocol suite. [1]

6.8 Advantages of L2TP

L2TP has a number of advantages over PPTP in terms of providing data integrity and authentication of origin, designed to keep hackers from compromising the system. However, the increased overhead required to manage this elevated security means that it performs at a slower pace than PPTP.


7 OpenVPN

OpenVPN is an open source tool used to build site-to-site VPNs with the SSL/TLS protocol or with pre-shared keys. Its role is to securely tunnel data through a single TCP/UDP port over an unsecured network such as the Internet, and thus establish VPNs.

Figure 13: OPENVPN setup

7.1 FEATURES

EASINESS

The big strength of OpenVPN is that it is extremely easy to install and configure, which is rarely the case for tools used to create VPNs.

PORTABILITY

OpenVPN can be installed on nearly any platform including Linux, Windows 2000/XP/Vista, Mac OS X, and Solaris. Linux systems must have a 2.4 kernel or higher.

CLIENT/SERVER ARCHITECTURE

OpenVPN is based on a client/server architecture. It must be installed on both VPN nodes; one is designated as the server, the other as the client.


TUNNELLING

OpenVPN creates a TCP or UDP tunnel and then encrypts the data inside the tunnel.

SECURITY MODES

In pre-shared (static) key mode, the VPN nodes at the two ends use the same key to encrypt and decrypt the data between them. This means the key may have to be handed to someone we don't fully trust, which may lead to misuse of data. Public Key Infrastructure (PKI) is used to solve this problem. It is based on each party owning two keys: a public key known to everybody and a private key kept secret. This mechanism is used by OpenSSL, the free and open source SSL implementation integrated in OpenVPN, to authenticate the VPN peers before proceeding to data encryption.

7.2 ARCHITECTURE

Encryption

OpenVPN uses the OpenSSL library to provide encryption of both the data and control channels. It lets OpenSSL do all the encryption and authentication work, allowing OpenVPN to use all the ciphers available in the OpenSSL package.

Authentication

OpenVPN has several ways to authenticate peers to each other: pre-shared keys, certificate-based, and username/password-based authentication. A pre-shared secret key is the easiest, with certificate-based authentication being the most robust and feature-rich.

Networking

OpenVPN can run over User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) transports. It has the ability to work through most proxy servers (including HTTP) and is good at working through Network address translation (NAT) and getting out through firewalls. OpenVPN's use of common network protocols (TCP and UDP) makes it a desirable alternative to IPsec.

Extensibility

OpenVPN can be extended with third-party plug-ins or scripts which are called at defined entry points. The purpose of this is often to extend OpenVPN with more advanced logging, enhanced authentication with usernames and passwords, dynamic firewall updates, RADIUS integration and so on. The plug-ins are dynamically loadable modules, usually written in C, while the script interface can execute any scripts or binaries available to OpenVPN. The OpenVPN source code contains some examples of such plug-ins, including a PAM authentication plug-in. There also exist several third-party plug-ins to authenticate against LDAP or SQL databases such as SQLite and MySQL. [1]

8. CASE STUDY: IP Tunnel in LINUX

8.1 IP tunneling with the Linux IPIP

Linux IPIP is the simplest IP-in-IP type of tunnel. This simplest form of tunnelling is also generally available on other platforms such as Solaris and Windows. IPIP is purely a tunnelling protocol and does not involve any sort of encryption. It can only tunnel unicast packets; for sending multicast packets, we will have to use GRE.

To implement Linux IPIP, the ipip.o kernel module must be installed.

Assume that you have two private networks (10.42.1.0/24 and 10.42.2.0/24) and that both networks have direct Internet connectivity via a Linux router at each network. The "real" IP address of the first network's router is 240.101.83.2, and the "real" IP of the second router is 251.4.92.217.

First, load the kernel module on both routers:

# modprobe ipip

Next, on the first network's router (on the 10.42.1.0/24 network):

# ip tunnel add tunnel0 mode ipip remote 251.4.92.217 local 240.101.83.2 ttl 255

# ifconfig tunnel0 10.42.1.1

# route add -net 10.42.2.0/24 dev tunnel0

And on the second network's router (on the 10.42.2.0/24 network), reciprocate:

# ip tunnel add tunnel0 mode ipip remote 240.101.83.2 local 251.4.92.217 ttl 255

# ifconfig tunnel0 10.42.2.1

# route add -net 10.42.1.0/24 dev tunnel0


From the first network's router, we will be able to ping 10.42.2.1, and from the second network's router we will be able to ping 10.42.1.1. Likewise, every machine on the 10.42.1.0/24 network should be able to route to every machine on the 10.42.2.0/24 network, just as if the Internet weren't even there.

To bring the tunnel down, on both routers bring down the interface and, if you like, delete it:

# ifconfig tunnel0 down

# ip tunnel del tunnel0

With this, the tunnel established between the two nodes has been terminated.

8.2 IP tunneling with Generic Routing Encapsulation

As mentioned earlier, GRE tunnelling works the same way as IPIP, but it also supports multicast packets. It is likewise an unencrypted protocol.

In Linux, we will need the ip_gre.o module.

Just as with the IPIP tunneling hack, we'll assume that we have two private networks (10.42.1.0/24 and 10.42.2.0/24) and that these networks both have direct Internet connectivity via a Linux router at each network. The "real" IP address of the first network router is 240.101.83.2, and the "real" IP of the second router is 251.4.92.217.

We'll begin by loading the GRE kernel module on both routers:

# modprobe ip_gre

On the first network's router, set up a new tunnel device:

# ip tunnel add gre0 mode gre remote 251.4.92.217 local 240.101.83.2 ttl 255

# ip addr add 10.42.1.254 dev gre0

# ip link set gre0 up

Here gre0 is the name of the tunnel device being created.

Now, add your network routes via the new tunnel interface:


# ip route add 10.42.2.0/24 dev gre0

The first network is finished. Now for the second:

# ip tunnel add gre0 mode gre remote 240.101.83.2 local 251.4.92.217 ttl 255

# ip addr add 10.42.2.254 dev gre0

# ip link set gre0 up

# ip route add 10.42.1.0/24 dev gre0

We should now be able to pass packets between the two networks as if the Internet didn't exist. A traceroute from the first network should show just a couple of hops to any host in the second network.

To bring the tunnel down, run this on both routers:

# ip link set gre0 down

# ip tunnel del gre0
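To make the "datagrams enclosed within datagrams" of both walkthroughs (8.1 IPIP and 8.2 GRE) concrete, here is an added Python example, not code from the report, that builds and unwraps the outer IPv4 headers tunnel0 and gre0 would put on the wire for the report's two router addresses. The decapsulation side also refuses packets whose outer source and destination are not the configured remote/local pair, which is the check the kernel tunnel device performs; the inner packet and that check are constructed for the example. Note that the inner packet comes back byte-for-byte unchanged: neither mode provides any confidentiality.

```python
import struct
from ipaddress import IPv4Address

IPPROTO_IPIP, IPPROTO_GRE, ETHERTYPE_IPV4 = 4, 47, 0x0800


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header (0 when verifying an intact one)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 255) -> bytes:
    """20-byte IPv4 header without options; ttl 255 matches the 'ip tunnel add ... ttl 255' commands."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def encapsulate(inner: bytes, local: str, remote: str, mode: str) -> bytes:
    """Wrap an inner IPv4 packet the way tunnel0 (mode ipip) or gre0 (mode gre) would."""
    if mode == "ipip":
        return ipv4_header(local, remote, IPPROTO_IPIP, len(inner)) + inner
    if mode == "gre":
        gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # no C/K/S flags, version 0, inner is IPv4
        return ipv4_header(local, remote, IPPROTO_GRE, 4 + len(inner)) + gre + inner
    raise ValueError("mode must be 'ipip' or 'gre'")


def decapsulate(outer: bytes, local: str, remote: str, mode: str) -> bytes:
    """Unwrap a tunnelled packet, accepting it only if the outer checksum is intact and the outer
    source/destination equal the configured remote/local endpoints (the kernel's own check)."""
    ihl = (outer[0] & 0x0F) * 4
    if outer[0] >> 4 != 4 or ip_checksum(outer[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header")
    proto, src, dst = outer[9], IPv4Address(outer[12:16]), IPv4Address(outer[16:20])
    if (str(src), str(dst)) != (remote, local):
        raise ValueError("outer addresses do not match the tunnel endpoints")
    if proto != (IPPROTO_IPIP if mode == "ipip" else IPPROTO_GRE):
        raise ValueError("outer protocol %d does not match mode %s" % (proto, mode))
    body = outer[ihl:]
    if mode == "gre":
        flags, ptype = struct.unpack("!HH", body[:4])
        if flags & 0xB000 or ptype != ETHERTYPE_IPV4:  # C, K or S would add header words
            raise ValueError("unsupported GRE header")
        body = body[4:]
    return body


# Constructed inner packet: 10.42.1.5 -> 10.42.2.7, ICMP (proto 1) with a placeholder body.
INNER = ipv4_header("10.42.1.5", "10.42.2.7", 1, 4, ttl=64) + b"\x08\x00\x00\x00"
```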


CONCLUSION

Below is a detailed comparison between PPTP, L2TP and OpenVPN.

| PPTP | L2TP | OpenVPN |
| --- | --- | --- |
| PPTP is based upon PPP but also provides a vehicle for the data packets to move from one host to another. | L2TP is made from the good features of PPTP and L2F. It also ensures encryption of data by IPSec. | OpenVPN provides encryption between hosts by SSL/TLS. |
| It can be used in Windows and other operating systems. | Windows and MacOS have built-in support for L2TP/IPSec. The support can be extended to iPhone and Android platforms. | It works on any platform by installing the client software. |
| It is faster as it has 128-bit keys. | It is slower as compared to the others because of its large encapsulation. | It is faster than the others when configured in UDP mode. |
| It is not secure. Even Microsoft has declared it to be vulnerable and advised users to use it at their own risk. | It utilises IPSec for the encryption services. | It uses SSL/TLS and uses public keys for security. It uses public keys for less important information while using private keys for encrypted and vulnerable information. |
| It is not reliable and has compatibility issues with the GRE protocol. | It is more complicated than any other protocol, which makes it difficult to work with. | It is very stable and fast over any other type of communication channel. |


APPENDIX

VPN:

A virtual private network (VPN) extends a private network across a public network, such as the Internet. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefitting from the functionality, security and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two.

A VPN connection across the Internet is similar to a wide area network (WAN) link between the sites. From a user perspective, the extended network resources are accessed in the same way as resources available from the private network.

TCP/IP:

Transmission Control Protocol/Internet Protocol, the suite of communications protocols used to connect hosts on the Internet. TCP/IP uses several protocols, the two main ones being TCP and IP. TCP/IP is built into the UNIX operating system and is used by the Internet, making it the de facto standard for transmitting data over networks. Even network operating systems that have their own protocols, such as NetWare, also support TCP/IP.

IPv4

Internet Protocol version 4 (IPv4) is the fourth version in the development of the Internet Protocol (IP) and the first version of the protocol to be widely deployed. It is one of the core protocols of standards-based internetworking methods of the Internet, and routes most traffic in the Internet. IPv4 is a connectionless protocol for use on packet-switched networks. It operates on a best effort delivery model; in that it does not guarantee delivery, nor does it assure proper sequencing or avoidance of duplicate delivery.

IPv6

Internet Protocol version 6 (IPv6) is the latest revision of the Internet Protocol (IP), the communications protocol that provides an identification and location system for computers on networks and routes traffic across the Internet.


IPX

Short for Internetwork Packet Exchange, a networking protocol used by the Novell NetWare operating systems. Like UDP/IP, IPX is a datagram protocol used for connectionless communications.

NAS

Network-attached storage (NAS) is file-level computer data storage connected to a computer network providing data access to a heterogeneous group of clients.

AAA Server

An AAA server is a server program that handles user requests for access to computer resources and, for an enterprise, provides authentication, authorization, and accounting (AAA) services. The AAA server typically interacts with network access and gateway servers and with databases and directories containing user information. The current standard by which devices or applications communicate with an AAA server is the Remote Authentication Dial-In User Service (RADIUS).

SSL and TLS

SSL is an Internet security protocol used by Internet browsers and Web servers to transmit sensitive information. SSL has become part of an overall security protocol known as Transport Layer Security (TLS).

In your browser, you can tell when you are using a secure protocol, such as TLS, in a couple of different ways. You will notice that the "http" in the address line is replaced with "https," and you should see a small padlock in the status bar at the bottom of the browser window. When you're accessing sensitive information, such as an online bank account or a payment transfer service like PayPal or Google Checkout, chances are you'll see this type of format change and know your information will most likely pass along securely.


REFERENCES

[1] http://www.en.wikipedia.org

[2] http://www.avm.de

[3] http://www.pic.dhe.ibm.com

[4] http://www.doc.oracle.com

[5] http://www.cisco.com

[6] http://www.tools.ietf.org/html/rfc2637

[7] http://www.ivpn.net/knowledgebase/62/PPTP-vs-L2TP-vs-OpenVPN.html
