jsablan
asked on
What is a VPN Encryption Domain?
Hello,
I'm fairly new to VPNs and was wondering if anyone could shine a light on the meaning of an "encryption domain". All is making sense in regards to tunneling and termination, but the materials I've read thus far fail to elaborate on a term often seen in examples of brief setup parameters. Are there any links you would recommend to better understand VPNs? Thank you graciously! Please advise!
-JS
Let's assume IP and Internet transmission:

LAN1 ==> Firewall/VPN-router ====> Internet ====> Firewall/VPN-router ==> LAN2
         (encryption here)         (transmission)  (decryption here)
Now an IP packet from LAN1 is encrypted in the Firewall or VPN router. This packet then becomes the payload of a new IP packet. This is routed over the Internet (or other transmission network). The payload, but generally also the IP header, is encrypted. One technique is IPsec tunneling. Encryption protocols like 3DES or AES are used (AES is much better, but 3DES is more commonly used). You need to distribute the keys to both sites. You need to configure the tunnel endpoint (this is for the VPN-router, where to send the encrypted traffic). All IP traffic can be routed over IPsec tunnels. But because packets are transmitted as the payload of other packets (this is called encapsulation), you add some extra overhead. Another header is added. Also the MTU (maximum transmission unit) reduces, because now you have a payload + header + another header. Also remember that when you use protocols that generate small packets, like VoIP, the extra overhead more or less doubles the packet size, so your VoIP now needs twice the BW. All major router and FW vendors support this.
Another concept is ISDN VPN techniques. Here generally only the B-channel is encrypted. So you can dial anywhere (unless the ISDN crypto uses a list of allowed numbers). The signalling is untouched (it can be filtered and/or proxied), but the B-channel is encrypted. There are various commercial ISDN cryptos on the market.
Hope this helps. Marc
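An added worked example (not part of the original thread, and not any vendor's code) that puts numbers on the two points above. It uses the common meaning of "encryption domain": the set of local and remote networks whose traffic is sent through the tunnel, so a packet is only encapsulated when its source lies in one gateway's domain and its destination in the peer's. The two /16 networks, the 1500-byte link MTU, and the 60-byte VoIP packet (20-byte codec frame + RTP + UDP + IPv4) are constructed sample values; the ESP tunnel-mode header, IV, trailer and HMAC-SHA1-96 ICV sizes are the standard IPsec ones, and the script assumes IPv4 without options.

```python
import ipaddress

# Constructed encryption domains: networks behind each VPN router.
LAN1_DOMAIN = [ipaddress.ip_network("10.1.0.0/16")]
LAN2_DOMAIN = [ipaddress.ip_network("10.2.0.0/16")]

# Fixed header sizes in bytes (IPv4 without options).
IP_HDR = 20
UDP_HDR = 8
RTP_HDR = 12
ESP_HDR = 8            # SPI (4) + sequence number (4)
ESP_TRAILER = 2        # pad length (1) + next header (1)
ICV_HMAC_SHA1_96 = 12  # truncated HMAC appended by ESP

# (IV length, cipher block size) in bytes for the two ciphers the post mentions.
CIPHERS = {
    "3des-cbc": (8, 8),
    "aes-cbc": (16, 16),
}


def in_domain(addr, domain):
    """True if addr falls inside any network of the given encryption domain."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in domain)


def needs_tunnel(src, dst):
    """A LAN1 packet is encrypted only when it is destined for LAN2's domain;
    anything else (e.g. plain Internet traffic) leaves the router unencrypted."""
    return in_domain(src, LAN1_DOMAIN) and in_domain(dst, LAN2_DOMAIN)


def esp_tunnel_size(inner_packet_len, cipher="aes-cbc", icv_len=ICV_HMAC_SHA1_96):
    """Bytes on the wire for an IPv4 ESP tunnel-mode packet that encapsulates
    a complete inner IP packet of inner_packet_len bytes."""
    iv_len, block = CIPHERS[cipher]
    # ESP encrypts the whole inner packet plus the 2-byte trailer and pads the
    # result up to the cipher block size; then the outer IP header, ESP header,
    # IV and ICV are added around it.
    to_pad = inner_packet_len + ESP_TRAILER
    padding = (-to_pad) % block
    return IP_HDR + ESP_HDR + iv_len + to_pad + padding + icv_len


def bandwidth_ratio(inner_packet_len, cipher="aes-cbc"):
    """How many times larger the packet becomes after encapsulation."""
    return esp_tunnel_size(inner_packet_len, cipher) / inner_packet_len


def effective_mtu(link_mtu=1500, cipher="aes-cbc"):
    """Largest inner packet that still fits in link_mtu after encapsulation,
    i.e. the MTU the hosts behind the VPN router effectively see."""
    size = link_mtu
    while esp_tunnel_size(size, cipher) > link_mtu:
        size -= 1
    return size


if __name__ == "__main__":
    voip_packet = IP_HDR + UDP_HDR + RTP_HDR + 20  # 60-byte constructed VoIP packet
    print("10.1.5.5 -> 10.2.9.9 tunnelled:", needs_tunnel("10.1.5.5", "10.2.9.9"))
    print("10.1.5.5 -> 8.8.8.8  tunnelled:", needs_tunnel("10.1.5.5", "8.8.8.8"))
    for cipher in CIPHERS:
        print(f"{cipher}: VoIP {voip_packet} B -> {esp_tunnel_size(voip_packet, cipher)} B "
              f"(x{bandwidth_ratio(voip_packet, cipher):.2f}), "
              f"effective MTU {effective_mtu(1500, cipher)}")
```

With AES-CBC the 60-byte VoIP packet grows to exactly 120 bytes on the wire, which is the doubling the post describes, while a full-size packet is limited to 1438 bytes before it no longer fits a 1500-byte link; the 1500 - 1438 gap is what you have to account for when clamping MSS or lowering the MTU on hosts inside the encryption domain.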