Understanding Virtual Private Networks
Access VPN Basic Components
An access VPN has two basic components:
L2TP Network Server (LNS): A device
such as a Cisco router located in the customer premises. Remote dial users access
the home LAN as if they were dialed into the home gateway directly, although their
physical dialup is via the ISP network access server. Home gateway is the Cisco
term for LNS.
An LNS operates on any platform capable of PPP termination. The LNS handles the server
side of the L2TP protocol. Because L2TP relies only on the single medium over which
L2TP tunnels arrive, an LNS may have only a single LAN or WAN interface, yet still
terminate calls arriving on any LAC's full range of PPP interfaces
(async, synchronous ISDN, V.120, and so on). The LNS is the initiator of outgoing
calls and the receiver of incoming calls. LNS is also known as HGW in L2F terminology.
L2TP Access Concentrator (LAC): A device such as a Cisco access
server attached to the switched network fabric (for example, PSTN or ISDN) or
colocated with a PPP end system capable of handling the L2TP protocol. An LAC
needs only to implement the media over which L2TP is to operate in order to pass traffic
to one or more L2TP network servers (LNSs). It may tunnel any protocol carried
within PPP. The LAC is the initiator of incoming calls and the receiver of outgoing
calls. LAC is also known as NAS in L2F.
Client-Initiated Access VPN
There are two types of Access VPN: client-initiated (dedicated) and NAS-initiated (dial).
With a dedicated or client-initiated Access VPN, users establish
an encrypted IP tunnel from their clients across a service
provider's shared network to their corporate network.
With a client-initiated architecture, businesses manage the
client software tasked with initiating the tunnel. Client-initiated
VPNs secure the traffic end to end, from the client to the tunnel
endpoint at the corporate network, across every network in between.
This makes them suitable for banking applications and other sensitive
business transactions over the Internet.
With client-initiated VPN access, the end user has IPSec client
software installed at the remote site, and the tunnel typically
terminates on a firewall or VPN gateway at the edge of the corporate network.
IPSec provides the encryption and authentication of the tunneled traffic,
IKE negotiates the security associations and session keys, and a
certificate authority issues the certificates used to authenticate the peers.
An advantage of the client-initiated model
is that the "last mile" service provider access
network used for dialing to the point of presence (POP) is
also protected, because encryption begins at the client. An additional
consideration in the client-initiated model is whether to use security
software embedded in the operating system or a supplemental security software package.
While supplemental security software installed on the client
offers more robust security, a drawback to this approach is
that it entails installing and maintaining tunneling/encryption
software on each client accessing the remote access VPN, potentially
making it more difficult to scale.
NAS-Initiated Access VPN
In a NAS-initiated scenario, client software
issues are eliminated. A remote user dials into a service
provider's POP using a PPP/SLIP connection and is authenticated
by the service provider, which in turn initiates a tunnel to the
corporate network from the POP using L2TP or L2F. Note that neither
L2TP nor L2F encrypts the tunneled traffic: the tunnel endpoints can
authenticate each other with a shared secret, but confidentiality across
the provider backbone requires that the tunnel be protected with IPSec.
With a NAS-initiated architecture, all VPN intelligence
resides in the service provider network; there is no end-user
client software for the corporation to maintain, which eliminates the
client management burden associated with remote access. The
drawback, however, is the lack of security on the local access
dial network connecting the client to the service provider
network: the PPP session travels in the clear between the user and the POP,
and the corporation must trust the provider's authentication of the user.
In a remote access VPN implementation, these security and management
trade-offs must be balanced.
NAS-initiated Access VPNs require no specialized client software, allowing
greater flexibility for companies to choose the access software
that best fits their requirements. NAS solutions use
tunneling protocols such as Cisco L2F or L2TP; in this model
IPSec, where used, provides encryption only, in contrast with the client-initiated
model where IPSec provides both tunneling and encryption. Premium
service examples include reserved modem ports, guarantees
of modem availability, and priority data transport.
The NAS can simultaneously be used for Internet as well as
All traffic to a given destination travels over a single tunnel
from a NAS, making larger deployments more scalable and manageable.
Con: NAS-initiated Access VPN connections
are restricted to POPs that can support VPNs.
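The LAC and LNS roles defined at the top of this page, and the NAS-initiated tunnel setup just described, can be seen concretely in the L2TP control-connection exchange from RFC 2661. The following is an added example written for this page, not Cisco code and not taken from any product: it builds the LAC's SCCRQ, has the LNS parse it and answer the optional CHAP-like tunnel-authentication challenge in its SCCRP, and has the LAC verify that response. Hostnames, tunnel IDs, challenges and the shared secret are constructed values, and the message-type codes, AVP attribute numbers and the response formula (MD5 over message type, secret, challenge) are taken from RFC 2661 as assumptions of this example. Notice what the exchange does and does not give you: the two endpoints prove knowledge of a shared secret, but nothing here encrypts the PPP payload that will later ride inside the tunnel.

```python
"""Added example (not from the Cisco page): L2TP (RFC 2661) control-connection
setup between a LAC and an LNS, with the optional CHAP-like tunnel
authentication. All names, IDs, challenges and secrets are constructed."""
import hashlib
import hmac
import os
import struct

# Message type codes and AVP attribute numbers from RFC 2661 (assumed here).
SCCRQ, SCCRP, SCCCN = 1, 2, 3
AVP_MESSAGE_TYPE, AVP_PROTOCOL_VERSION, AVP_FRAMING_CAP = 0, 2, 3
AVP_HOST_NAME, AVP_ASSIGNED_TUNNEL_ID = 7, 9
AVP_CHALLENGE, AVP_CHALLENGE_RESPONSE = 11, 13
CONTROL_FLAGS = 0xC802  # T=1, L=1, S=1, version 2: an L2TPv2 control header

def encode_avp(attr, value, mandatory=True):
    """AVP = 16-bit M/H flags + 10-bit length, vendor ID 0, attribute, value."""
    length = 6 + len(value)
    if length > 0x3FF:
        raise ValueError("AVP too long")
    return struct.pack("!HHH", (0x8000 if mandatory else 0) | length, 0, attr) + value

def build_control_message(msg_type, avps, tunnel_id=0, ns=0, nr=0):
    """12-byte control header, then the Message Type AVP, then the other AVPs."""
    body = encode_avp(AVP_MESSAGE_TYPE, struct.pack("!H", msg_type)) + b"".join(avps)
    return struct.pack("!HHHHHH", CONTROL_FLAGS, 12 + len(body), tunnel_id, 0, ns, nr) + body

def parse_control_message(data):
    """Return (header fields, {attribute: value}); raise ValueError on bad input."""
    if len(data) < 12:
        raise ValueError("short header")
    flags, length, tid, sid, ns, nr = struct.unpack("!HHHHHH", data[:12])
    if flags & 0xF00F != 0xC002:
        raise ValueError("not an L2TPv2 control message")
    if length != len(data):
        raise ValueError("length field does not match datagram")
    avps, off = {}, 12
    while off < length:
        if off + 6 > length:
            raise ValueError("truncated AVP header")
        flags_len, vendor, attr = struct.unpack("!HHH", data[off:off + 6])
        alen = flags_len & 0x03FF
        if alen < 6 or off + alen > length:
            raise ValueError("bad AVP length")  # bounds check before slicing
        if flags_len & 0x4000:
            raise ValueError("hidden (H bit) AVPs are not handled in this example")
        if vendor == 0:
            avps[attr] = data[off + 6:off + alen]
        elif flags_len & 0x8000:
            raise ValueError("unknown mandatory vendor AVP")  # M bit set: must reject
        off += alen
    return {"tunnel_id": tid, "session_id": sid, "ns": ns, "nr": nr}, avps

def is_well_formed(data):
    try:
        parse_control_message(data)
        return True
    except ValueError:
        return False

def challenge_response(msg_type, secret, challenge):
    """CHAP-style proof: MD5(ID || secret || challenge), where ID is the type of
    the message carrying the response (2 for SCCRP, 3 for SCCCN)."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()

def common_avps(hostname, tunnel_id, challenge):
    return [
        encode_avp(AVP_PROTOCOL_VERSION, b"\x01\x00"),        # L2TP version 1, rev 0
        encode_avp(AVP_HOST_NAME, hostname),
        encode_avp(AVP_FRAMING_CAP, struct.pack("!I", 0x3)),  # sync + async framing
        encode_avp(AVP_ASSIGNED_TUNNEL_ID, struct.pack("!H", tunnel_id)),
        encode_avp(AVP_CHALLENGE, challenge),
    ]

def lac_sccrq(hostname, tunnel_id, challenge):
    """LAC -> LNS: Start-Control-Connection-Request opening the tunnel."""
    return build_control_message(SCCRQ, common_avps(hostname, tunnel_id, challenge))

def lns_handle_sccrq(data, secret, hostname, tunnel_id, challenge):
    """LNS side: validate the SCCRQ, answer its challenge, issue our own."""
    _, avps = parse_control_message(data)
    if avps.get(AVP_MESSAGE_TYPE) != struct.pack("!H", SCCRQ):
        raise ValueError("expected SCCRQ")
    peer_tid = struct.unpack("!H", avps[AVP_ASSIGNED_TUNNEL_ID])[0]
    resp = challenge_response(SCCRP, secret, avps[AVP_CHALLENGE])
    return build_control_message(
        SCCRP, common_avps(hostname, tunnel_id, challenge)
        + [encode_avp(AVP_CHALLENGE_RESPONSE, resp)], tunnel_id=peer_tid, nr=1)

def lac_verify_sccrp(data, secret, sent_challenge):
    """LAC side: did the LNS prove knowledge of the shared tunnel secret?"""
    _, avps = parse_control_message(data)
    expected = challenge_response(SCCRP, secret, sent_challenge)
    return hmac.compare_digest(avps.get(AVP_CHALLENGE_RESPONSE, b""), expected)

if __name__ == "__main__":
    secret, lac_chal = b"tunnel-secret", os.urandom(16)
    sccrq = lac_sccrq(b"lac1.isp.example", 7, lac_chal)
    sccrp = lns_handle_sccrq(sccrq, secret, b"lns1.corp.example", 42, os.urandom(16))
    print("LNS authenticated to LAC:", lac_verify_sccrp(sccrp, secret, lac_chal))
```

The parser rejects a mandatory AVP it does not understand but skips an unknown optional one, which is what RFC 2661 requires and what keeps a LAC from silently accepting a tunnel it cannot handle. The full exchange would continue with the LAC's SCCCN carrying its own response to the LNS challenge, computed with message type 3 instead of 2.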