For Gold, Peace, and Freedom


The Concept of Virtual Private Network

December 26th, 2009

virtual-private-network.jpgA local area network (LAN) is a network within an organization that links between computers belonging to that entity. These networks are increasingly connected to the Internet through interconnection equipment. It often happens that companies feel the need to communicate with subsidiaries, customers, or staff who are geographically remote via the Internet. However, the data transmitted over the Internet is generally more vulnerable than when running on an internal network within an organization because the path is not defined in advance, which means that data using a such an infrastructure can be detected by different public operators. It is not impossible that somewhere along the journey, the network is listened to by an indiscreet user or even hijacked. Therefore it is not recommended to transmit any sensitive information to the organization or company under such conditions.

The first solution to address this need for secure communications was to connect remote networks with dedicated lines. But most companies cannot afford to connect two remote networks through a dedicated line, so it is sometimes necessary to use the Internet as a medium of transmission. A good compromise is to use the Internet for transmission using a protocol of “tunneling”. This is called Virtual Private Network (VPN) to designate a separate network that is artificially created. The network is said to be ‘virtual’ because it connects two ‘physical’ networks (LANs) by an untrusted link (Internet) and private computers because only local networks on both sides of the VPN can “see” the data. The VPN allows for a secure connection at a lower cost, if not the implementation of terminal equipment. In return it does not ensure quality of service comparable to a leased line as the physical network is public and therefore not guaranteed.

More about VPN

A virtual private network is usually based on a protocol called ‘tunneling protocol’, which allows data from one end of the VPN to another to be secured by encryption algorithms and cryptography. The term ‘tunnel’ is used to symbolize the fact that the entry and exit of VPN data is encrypted and therefore incomprehensible to anyone between the two ends of the VPN, as if they had gone into a tunnel.

The tunneling protocols

The main tunneling protocols are:

  1. PPTP (Point-to-Point Tunneling Protocol) is a level 2 protocol developed by Microsoft, 3om, Ascend, U.S. Robotics, and ECI Telematics.
  2. L2F (Layer Two Forwarding) is a level 2 protocol developed by Cisco, Northern Telecom, and Shiva. It is now almost obsolete.
  3. L2TP (Layer Two Tunneling Protocol) is the culmination of the work of the IETF (RFC 2661) to converge the features of PPTP and L2F. It is thus a level 2 protocol based on PPP.
  4. IPSec is a level 3 protocol from the work of the IETF and is designed to carry data for IP networks.


The principle of PPTP (Point to Point Tunneling Protocol) is to create frames under the PPP and to encapsulate in an IP datagram. Thus, in this connection, the remote machines on both networks are connected via a point-to-point connection (including a system of encryption and authentication), and the package passed in an IP datagram. In this way, local area network data (as well as the addresses of these machines in the header of the message) is encapsulated in a PPP message, which is itself a message encapsulated in IP.


L2TP is a standard protocol for tunneling (in a standard RFC) that is very close to the idea of PPTP. Thus L2TP encapsulates PPP frames, encapsulating them in other protocols (such as IP, IPX, or NetBIOS).

The IPSec

IPSec is a protocol defined by IETF to secure trade at the network layer. This is actually a protocol improvement in security in IP protocol to ensure the confidentiality, integrity, and authentication of trade. The IPSec protocol is based on three modules:

  1. IP Authentication Header (AH) on the integrity, authentication, and protection against replay package to encapsulate
  2. Encapsulating Security Payload (ESP) defining encryption packages. ESP provides confidentiality, integrity, authentication, and protection against replay.
  3. Security Association (SA) defining the exchange of keys and security settings. The SA can gather all information on the treatment of IP packets (AH protocols and/or ESP tunnel mode or transportation, algorithms used by security protocols, and the keys used). The exchange of keys is done either manually or with the IKE exchange protocol (most often), which allows both parties to agree on SA.

This article on virtual private networks was originally acquired under a private label rights (PLR) license from the DigitalPoint forums and has been modified somewhat to correct grammatical errors and improve readability.

Post Your Comments, Opinions, or Suggestions Here:


Email (optional)

Website (optional)