A variety of technologies exist to enable tunneling of protocols through networks to create a VPN. Prior to the Layer 2 Tunneling Protocol (L2TP) standard established in August 1999, Cisco used Layer 2 Forwarding (L2F) as its proprietary tunneling protocol. L2TP is entirely backwards compatible with L2F; L2F is not forward compatible with L2TP. L2TP, defined in RFC 2661, is a combination of Cisco L2F and Microsoft Point-to-Point Tunneling Protocol (PPTP). Microsoft supports PPTP in its earlier versions of Windows and PPTP/L2TP in Windows NT/2000/XP. L2TP is used to create a media independent, multiprotocol Virtual Private Dial Network (VPDN). L2TP allows users to invoke corporate security policies across any VPN or VPDN link as an extension of their internal networks.
The Cisco Generic Routing Encapsulation (GRE) multiprotocol carrier encapsulates IP, CLNP, IPX, AppleTalk, DECnet Phase IV, and XNS inside IP tunnels. With GRE tunneling, a router at each site encapsulates protocol-specific packets in an IP header. This creates a virtual point-to-point link between routers across an IP cloud. By connecting multiprotocol subnetworks through a single-protocol backbone, IP tunneling allows the network to expand across that single-protocol backbone environment. GRE tunneling allows desktop protocols to take advantage of the enhanced route selection capabilities of IP.
Currently, the IP Security Protocol (IPSec) is the choice for secure corporate VPNs. However, IPSec supports IP unicast traffic only. For multiprotocol or IP multicast tunneling, another tunneling protocol must be used. Because of its PPP ties, L2TP is best suited for remote access VPNs that require multiprotocol support. GRE is best suited for site-to-site VPNs that require multiprotocol support. Also, GRE is typically used to tunnel multicast packets such as routing protocols. Neither of these tunneling protocols supports data encryption or packet integrity. GRE encapsulates all traffic, regardless of its source and destination. Remember to use GRE or L2TP when there is a need to support tunneling packets other than the IP unicast type. In these cases, IPSec can be used in combination with these protocols to provide encryption, such as L2TP/IPSec and GRE/IPSec. In summary, if only IP unicast packets are being tunneled, then the simple encapsulation provided by IPSec is sufficient and much less complicated to configure and troubleshoot.
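To make the GRE behaviour described above concrete, the following added example (not part of the original module, and not Cisco code) builds and parses a GRE-in-IPv4 packet as defined in RFC 2784/2890: an outer IPv4 header with protocol 47, a GRE header whose Protocol Type is the EtherType of the inner protocol, and the inner packet carried unchanged. The addresses and the inner IPX-style bytes are constructed sample values; the decapsulation step shows why GRE alone gives no confidentiality, since the inner packet is recovered verbatim.

```python
import struct
from ipaddress import IPv4Address

GRE_IP_PROTO = 47        # outer IPv4 protocol number for GRE (RFC 2784)
ETHERTYPE_IPV4 = 0x0800  # GRE Protocol Type values are EtherTypes
ETHERTYPE_IPX = 0x8137
GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S = 0x8000, 0x2000, 0x1000  # checksum/key/seq present
IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options

def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum over the IPv4 header (0 when a valid checksum is included)."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def gre_encapsulate(src: str, dst: str, proto_type: int, payload: bytes, key=None) -> bytes:
    """Wrap a protocol-specific packet in a GRE header plus a minimal outer IPv4 header."""
    flags = GRE_FLAG_K if key is not None else 0      # version bits (low 3) stay 0
    gre = struct.pack("!HH", flags, proto_type)
    if key is not None:
        gre += struct.pack("!I", key)                   # RFC 2890 Key field
    total_len = 20 + len(gre) + len(payload)
    fields = [0x45, 0, total_len, 0, 0x4000, 64, GRE_IP_PROTO, 0,
              IPv4Address(src).packed, IPv4Address(dst).packed]
    fields[7] = ipv4_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields) + gre + payload

def gre_decapsulate(packet: bytes):
    """Strip the outer IPv4 and GRE headers; return (proto_type, key, inner_packet)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or packet[9] != GRE_IP_PROTO:
        raise ValueError("not a GRE-in-IPv4 packet")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header checksum")
    gre = packet[ihl:]
    flags, proto_type = struct.unpack("!HH", gre[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version %d" % (flags & 7))
    off = 4
    if flags & GRE_FLAG_C:
        off += 4                                        # checksum + reserved1
    key = None
    if flags & GRE_FLAG_K:
        key = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    if flags & GRE_FLAG_S:
        off += 4                                        # sequence number
    return proto_type, key, gre[off:]

# Constructed sample: IPX-style bytes tunneled between two site routers (not real traffic).
INNER_IPX = b"\xff\xff" + b"ipx-packet-bytes-visible-in-clear"
TUNNEL = gre_encapsulate("192.0.2.1", "198.51.100.1", ETHERTYPE_IPX, INNER_IPX, key=42)
```

Running `gre_decapsulate(TUNNEL)` returns `(0x8137, 42, INNER_IPX)`, and `INNER_IPX in TUNNEL` is true: anything on the path between the two routers sees the inner packet exactly as sent unless the tunnel is wrapped in IPSec.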
Multiprotocol Label Switching (MPLS) is a VPN technology implemented by ISPs and large corporations. MPLS uses label switching and label switched paths over various link level technologies, such as Packet-over-SONET, Frame Relay, ATM, and LAN technologies including all forms of Ethernet and Token Ring. MPLS includes procedures and protocols for the distribution of labels between routers, encapsulations, and multicast considerations.
There are currently many proprietary and standard protocols used to create a VPN. It is important to understand the proper use and implementation of each type of VPN when deciding on a technology to implement. This module will provide a detailed coverage of IPSec.