User Manual - Configuration Guide (Volume 3)
Versatile Routing Platform Chapter 1
VPN Overview
1-3
VPN maintenance is delegated to the ISP (users are allowed to manage and control services to some extent), and VPN functions are mainly performed on equipment at the network side. This practice reduces the users' investment, increases the flexibility and scalability of services and brings new income to the operators.
II. According to the layer at which the tunnel operates
1) Layer 2 tunneling protocol
A layer 2 tunneling protocol starts from the NAS (Network Access Server) and ends on the equipment at the user side. All PPP frames are encapsulated in the tunnel. Current layer 2 tunneling protocols mainly include the Point-to-Point Tunneling Protocol (PPTP) (supported by Microsoft, Ascend and 3COM, and also in Windows NT 4.0 and above), the Layer 2 Forwarding Protocol (L2F) (supported by Cisco and Nortel), and the Layer 2 Tunneling Protocol (L2TP) (drafted by the IETF with support from Microsoft; it integrates the advantages of the above two protocols and has thus been accepted by the industry as a standard RFC). L2TP can be used not only for dial-up VPN services but also for leased-line VPN services.
2) Layer 3 tunneling protocol
A layer 3 tunneling protocol starts from and ends in the ISP. The PPP session ends in the NAS and only layer 3 packets are carried in the tunnel. Current layer 3 tunneling protocols mainly include the General Route Encapsulation Protocol (GRE) and IPSec. GRE and IPSec are mainly used for leased-line VPN services.
Compared with layer 2 tunnels, layer 3 tunnels are more secure, scalable and reliable. In terms of security, because a layer 2 tunnel usually ends on the equipment at the user side, it poses great challenges to the security and firewall technology of the user's network. A layer 3 tunnel, however, usually ends on the ISP gateway and does not impose any threat to the security of the user's network.
In terms of scalability, all PPP frames are encapsulated in the layer 2 IP tunnel, so transmission efficiency may be degraded. Moreover, the PPP session runs through the entire tunnel and ends on nodes or servers of the user's network, so the gateway at the user side must store a great deal of PPP session status and information, which adds to the system load and affects scalability considerably. In addition, because the LCP and NCP negotiations of PPP are very time-sensitive, the inefficiency of the IP tunnel can cause a series of problems such as PPP session timeout. Because a layer 3 tunnel ends in the ISP gateway and the PPP session ends in the NAS, the gateway at the user side does not need to manage and maintain the status of each PPP session, thus minimizing the system load.
Generally, layer 2 and layer 3 tunneling protocols are used independently; however, a reasonable combination of protocols from the two layers provides better security for users (e.g. using L2TP together with IPSec).
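To make the encapsulation difference concrete, here is an added example (not part of the manual) in Python that builds and strips the two header stacks: IP/UDP/L2TP/PPP for the layer 2 case and IP/GRE for the layer 3 case, and reports the per-packet overhead each adds. The header sizes are the minimal ones assumed here (L2TPv2 data header without optional fields, PPP reduced to its 2-byte protocol field, basic 4-byte GRE header); the addresses are placeholders and the outer checksum is not computed.

```python
import struct

# Header sizes in bytes. L2TP/PPP values are the minimal case assumed here:
# an L2TPv2 data message with no optional fields and a PPP frame reduced to
# its 2-byte protocol field; GRE is the basic 4-byte header.
IPV4_HDR, UDP_HDR, L2TP_HDR, PPP_PROTO, GRE_HDR = 20, 8, 6, 2, 4
IPPROTO_UDP, IPPROTO_GRE, L2TP_PORT = 17, 47, 1701
PPP_IP, GRE_IP = 0x0021, 0x0800   # inner payload is IPv4 in both cases


def ipv4_header(proto: int, payload_len: int) -> bytes:
    """Constructed outer IPv4 header (placeholder addresses, checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR + payload_len, 0, 0,
                       64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))


def l2tp_encap(inner_ip: bytes, tunnel_id: int, session_id: int) -> bytes:
    """Layer 2 tunnel: the whole PPP frame rides in IP/UDP/L2TP, carrying PPP state."""
    ppp = struct.pack("!H", PPP_IP) + inner_ip
    l2tp = struct.pack("!HHH", 0x0002, tunnel_id, session_id) + ppp  # version 2, no options
    udp = struct.pack("!HHHH", L2TP_PORT, L2TP_PORT, UDP_HDR + len(l2tp), 0) + l2tp
    return ipv4_header(IPPROTO_UDP, len(udp)) + udp


def gre_encap(inner_ip: bytes) -> bytes:
    """Layer 3 tunnel: the IP packet is wrapped directly in IP/GRE."""
    gre = struct.pack("!HH", 0x0000, GRE_IP) + inner_ip  # no C/K/S options, version 0
    return ipv4_header(IPPROTO_GRE, len(gre)) + gre


def decap(packet: bytes, kind: str) -> bytes:
    """Strip the tunnel headers, checking each layer's protocol field, and return the inner IP packet."""
    outer_proto = packet[9]  # IPv4 protocol byte
    if kind == "l2tp":
        if outer_proto != IPPROTO_UDP:
            raise ValueError("layer 2 tunnel expects UDP outer protocol")
        dst_port, = struct.unpack_from("!H", packet, IPV4_HDR + 2)
        ppp_proto, = struct.unpack_from("!H", packet, IPV4_HDR + UDP_HDR + L2TP_HDR)
        if dst_port != L2TP_PORT or ppp_proto != PPP_IP:
            raise ValueError("not an L2TP-carried PPP/IP frame")
        return packet[IPV4_HDR + UDP_HDR + L2TP_HDR + PPP_PROTO:]
    if outer_proto != IPPROTO_GRE:
        raise ValueError("layer 3 tunnel expects GRE outer protocol")
    proto_type, = struct.unpack_from("!H", packet, IPV4_HDR + 2)
    if proto_type != GRE_IP:
        raise ValueError("GRE payload is not IPv4")
    return packet[IPV4_HDR + GRE_HDR:]


def tunnel_overhead(kind: str) -> int:
    """Bytes added per packet: the efficiency cost the text attributes to layer 2 tunnels."""
    return (IPV4_HDR + UDP_HDR + L2TP_HDR + PPP_PROTO) if kind == "l2tp" else IPV4_HDR + GRE_HDR
```

For a 60-byte inner packet the layer 2 stack adds 36 bytes and the layer 3 stack 24, and the layer 2 receiver must additionally track the tunnel and session IDs before it can reach the IP packet.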
III. According to service purpose
1) Intranet VPN
In an Intranet VPN, the various sites of an enterprise are interconnected through the public network; it is an extension of, or an alternative to, traditional leased-line networks or other enterprise networks.
2) Access VPN
Access VPN has two structures: client-initiated VPN connection and NAS-initiated VPN connection.
3) Extranet VPN