VPN - how does it work


I understand what VPN is and have been trialling with RRAS and doing some reading, internally i have set up a RRAS server and can connect to it just fine with an xp machines inbuilt VPN connection.

I also understand that at my office i would have to enable port mapping on a router to point to my VPN server - 1723 for PPTP

The concept i do struggle with however is, If i am sitting at home with a normal DSL connection through a standard ISP, how do i authenticate with my VPN connection, to my RRAS server which sites behind a firewall in a private IP managed network, or scrapping the private IP managed side of things, a standard network that sits behind a router with a different ISP on the other side of my country!

for example my home network in New South Wales sits quite contentedly with a 192.168.X.X IP scheme which is doled about by DHCP on my router. Now my imaginary office in Western Aus sits on a standard network that also sits on a 192.168.X.X IP scheme that is once again doled about by my standard ADSL router.

how does this work - i know it does but i would like to understand how it is done. How do Site to Site full time VPN tunnels configured through RRAS stay up sot hat DC's can replicate! this is a mystery to me! just want to know how in the world my home laptop knows where to go with the millions of ADSL routers out there dolling out 192.168.X.X Ip schemes for home LANS! i know it pulls on the WAN address but i still dont understand it!

Thanks for your expertise!
i dont need links on how to set them up as i have plenty of them and have handed them out to people with questions in the past - i get how to set them up to a point. what i want to know is How this works!!

if this is to much of a broad question let me know and ill narrow it down if i can
LVL 48
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

The VPN server at your office would have a few ports passed from your firewall at the office to the VPN server.  This would allow external clients world-wide to request a vpn connection on your public interface and the request would be passed through your firewall to the VPN server.  The server would then authenticate you, and if allowed, would pass your requests for DHCP through to it's internal network (or assign you one as configured).

From then on, the VPN server acts as an internal router, passing traffic from your computer (at home or wherever) onto the internal network.  The firewall just forwards the packets to the VPN server and the VPN server figures it out from there.

When you talk about authentication, I will take a stab at what I think you are asking, but you may need to clarify your question for me.  You can confiure your server to accept a number of different authentication types to ensure that clients accessing your remote network are trusted individuals.  The most common means of authentication is a simple domain username/password combination that is encrypted using a technology such as MS-CHAP or something like that.  Nowadays, we use a technology called PEAP (protected extensible authentication protocol) to authenticate you to your VPN server.  You could also use something like a certificate to prove your identity, but that would require you maintaining your own private key infrastructure (PKI) and ensuring certificates are always up-to-date and revoked when necessary.  The benefit to these technologies is that they can be jointly used with other technologies needing authenticaiton (like a corporate wirless LAN), whcih means you may be able to kill two birds with one stone when implementing something like this.

Please let me know if this helps answer your question or if you are looking for something different.
Virtual Private Network - Network scheme in which portions of a network are connected via Internet, but information sent across the Internet is encrypted. The result is a "virtual network" which is also part of a larger network entity. This allows users to privately share private information over a public infrastructure.

Jay_Jay70Author Commented:
Thanks both for your comments

however, as i mentioned i know what a VPN itself is, i know how to set it up and have played with it quite a bit. I have a Big setup currently using Checkpoint VPN which sits down in melbourne - im just trying to understand RRAS

i know what needs to be done to allow the connection from the remote side to be passed through the router etc I also wook heavily with Active Directory and know all about the aunthentication and secuity side of things

say i have RRAS installed on a LAN with the address for example. I have enabled port forwarding on my router to say allow passthrough to All good all makes sense.

now from home im sitting on a address on my laptop with a standard DSL connection. I run my wizard to create VPN connection.....

from here i am confused. Do io need to know my WAN IP of my router at the remote side? is that what i would enter here   eg. my routers internal LAN IP would be Is it the WAN side that i enter in to my wizard???? what happens in a scenario where a company has just a standard DSL connection and dont have a static IP on the WAN side? ie, sometimes my home connection drops out and when i reestablish a connection i get a different WAN IP

i just need to know how from my laptop, the connections knows WHERE to look.

Increase Security & Decrease Risk with NSPM Tools

Analyst firm, Enterprise Management Associates (EMA) reveals significant benefits to enterprises when using Network Security Policy Management (NSPM) solutions, while organizations without, experienced issues including non standard security policies and failed cloud migrations

normally we do need a static ip at the VPN server side, if you use a DSL which the ISP can't give you static IP, from time to time the connection will disconnected as you mentioned.

unless use a domain name so everytime you connect is a pointer which will point back to your router.
Rob WilliamsCommented:
Jay_Jay70, to add a little to the above,  I think the confusion may be with the fact that there are different types of VPN's, ignoring the fact that there are also different types of authentication and or encryption as mentioned above.
1)You can of course make use of RRAS, where Windows becomes the VPN server. If so the client initiates an out going connection (no port forwarding required) to your public IP. Depending on the chosen encryption/encapsulation method, PPTP, L2TP, and/or IPSec, it will use a standard set of ports. When it reaches your router by using it's public IP, it would simply be dropped unless you have set up rules on your router as to what to do with those packets. In the case of a standard Windows PPTP, you would create a rule (port forwarding) that all traffic on port 1723 gets forwarded to the VPN server. The VPN server then deals with it, sends a reply to the client and communications begins. At the client end, as with any outgoing request, http or otherwise, the "door" is kept open and traffic redirected to the originating source using NAT (Network Address Translation. Two things to remember with setting these up. The subnet at either end of a VPN tunnel needs to be different and you need to allow the encapsulation protocol you are using, to pass-through the router. Make sure the router supports VPN pass-though, not all do.
2)You can also ignore all of the above, except requiring the subnets to be different, and use a client to hardware or hardware to hardware VPN. You mentioned you have a CheckPoint VPN/firewall. Forget RRAS altogether!!! CheckPoint uses IPSec, where the basic RRAS VPN uses PPTP. IPSec is far more secure. You can set up L2TP with IPSec using RRAS but I'm sure you have far better things to do with your time. It's not fun. Next, if you use the CheckPoint VPN, or any hardware VPN, you don't need to open any ports, another big security advantage. The Checkpoint VPN will effectively act as a simple router once connected, allowing all traffic from one subnet to another. (Depending on how the client is configured, it may only allow the client on the remote end.) In this case, the router is configured to accept VPN connections, with rules such as; only allow from one IP. When the client or other router connects to the public IP of the router, it has internal rules that say; any traffic of type 'x', IPSec in this case, is allowed to pass to the local subnet, under the specified conditions, is un-encrypted and passed through and seen by the local subnet as a local IP due to NAT.

With either VPN your connection is seamless, you use local IP's and all routing from your subnet to the other is controlled by the VPN, and as you mentioned that address may be changed/routed numerous times while on route. Keep in mind this is the true security risk of a VPN. if it is branch-to-branch, you have effectively put all remote computers in the middle of your corporate office. Unless rules are set up browsing the remote LAN is as easy as any local network. If on the remote network you have someone working at home, and little Johnny is downloading Viruses and hacking every IP he can see, you can be at risk. The CheckPoint unit will allow you to tighten that down considerably, far more than RRAS.

In my opinion, always go the hardware route, unless you want to use ISA, but that is another topic.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Jay_Jay70Author Commented:
Thanks Robwill,

pretty much nailed what i needed to know.... i am guessing the key part that have been missing is the fact that that i do need to know the WAN IP of the router that i am trying to get too... pretty basic huh!

>>>>The subnet at either end of a VPN tunnel needs to be different

now im slightly confused in regards to the subnet side of things     say home LAN has 192.168.1.X/24     with an external IP of 203.208.X.X /24     and office has internal LAN of 192.168.1.X/24     with an external IP of 202.204.X.X/23  
is this a no go? why so?

i set up my RRAS server, its all very pretty and seems to be happily humming along and configured. If i go home run my  VPN wizard, put in the WAN IP of the remote router (202.204.X.1) it humms along, finds my router on the other side of the state, forwards the packet on to the RRAS server, Authenticates and wallah i have a connection yes?? i will now have an IP that matched my remote office subnet, thus giving me access toall my remote resources

i would agree with you on the checkpoint side of things, its been flawaless so far, i just wasnt around at the time that it was set up so didnt get to see how it was all done and managed! This RRAS setup is just more for my understanding on how business can use inbuilt VPN features! I've read articles but it doesnt quite explain the nitty gritties like you have above.

Thankyou for answering! hopefully you can clarify the above for me

Rob WilliamsCommented:
>>"need to know the WAN IP of the router that i am trying to get too"
Or set up a DDNS service, using Dynamic or Static. I have all my sites set up with custA.homedns.com or similar.

""home LAN has 192.168.1.X/24     with an external IP of 203.208.X.X /24     and office has internal LAN of 192.168.1.X/24     "
Won't work. Think of it a simple connection, LAN and WAN sides of a router. When you want to connect to a device from home. How does the router know whether to connect to the Local Or the Remote network, when both are the same subnet. Routers and VPN's route packets from one subnet to another. To avoid this problem, I always choose something non standard for the business network because you know one of these days some airport or other location will choose the default. Common ones, to avoid, are 192.168.0.x, 192.168.2.x, 192.168.100.x, 10.0.0.x   I usually choose the 3 digits from the customers address, where possible, for the 3rd octet. That way I might remember if I have to. For example 192.168.223.x

You mention using RRAS. RRAS creates a Virtual Adapter for the remote client. That adapter will be assigned an IP in the same subnet as the office network. For whatever reason that usually works. I stress USUALLY. Best bet is to keep the remote and office networks different.

RRAS works great, but I would go with Checkpoint if you can. Very good to have knowledge of RRAS, as you often need to create temporary access somewhere. If you are ever stuck Hamachi is another good alternative. It doesn't require any ports to be forwarded on the router. http://www.hamachi.cc  However, CheckPoint is much better. I have a colleague who swears by CheckPoint. It is as simple as a user name and password to set up, but has the granularity of Cisco if you need to set up filtering. Recently had to set up a Safenet client for him (Netgear, Watchguard and Sonicwall use SafeNet) said he would never consider it again, as it was a pain to set up.

Have a bottle of wine waiting for me. B' happy to respond to furtherrrr questions tomorrow, butthe efffectss are starting to tace over allllready.  <G>

ps- Isn't it Saturday already there? Go to the beach, enjoy your self !!!!!

Jay_Jay70Author Commented:

thankyou for clarifying for me, i think i understand more the WAN side of things a little bit more now and the subnets make sense, good to know for sure as i had no idea previously, i think the key point that was missing silly enough was the need to know those WAN side IP's. from there it is all farly logical :)

i will be sticking with checkpoint at work as it has been great for us so far, RRAS was just another aspect of networking that i was wanting to understand :)

thankyou to everyone who posted and thanks to Rob expecially for nailing any questions i had

---==== too cold to be at the beach yesterday and today is not better, im off to go and warm myself up with a nice friendly drink of Mr Daniels! hope your head survived your wine adventure. Thanks mate ======-----

Rob WilliamsCommented:
Thanks Jay_Jay70. Say hi to Jack D. <G>
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.