Troubleshooting Q&A - April 21, 2005
Is That a VPN or Is It Just Passing Through?
Is there a difference between a VPN and VPN Passthrough device? Turns out it's a big difference. Plus, what's the best protocol for VPNs? IPSec or PPTP?
By Ron Pacchiano
Q. I've wanted to set up VPN access to my home network for some time now. So this past weekend I went to Best Buy to pick up a new router. While reading through the router specifications, I noticed that some of the routers were labeled "VPN" while others were called "VPN Passthrough." At first I thought that this was just another way of describing the VPN feature, but then I noticed that all of the routers with the VPN nomenclature were more expensive than the ones that said VPN Passthrough. This leads me to believe that there is a technological difference between these two products, but I don't know what that is.
I always thought VPN was just an acronym for Virtual Private Network and never thought there were different flavors of it. Could you please explain the difference between VPN and VPN Passthrough to me, if there even is one? By the way, since we're on the subject of VPNs anyway, I was wondering which protocol you would suggest I use to establish my VPN connection: PPTP or IPsec? Thanks for your help!
A. This is an excellent question, because it confuses a lot of folks who don't know much about the inner workings of VPNs. VPN Passthrough is a feature you typically come across only on home (or small office) Internet gateway devices, which are much less expensive to build than a router with a full VPN feature set.
A router with built-in VPN support generally means that the router itself terminates the VPN: it carries its own implementation of IPsec, Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol (L2TP) or Secure Sockets Layer (SSL) VPN technologies. Since the router runs these protocols itself, it doesn't need to rely on a network server or workstation to establish the VPN connection. Thanks to the router's VPN capabilities, your entire workgroup can communicate with a remote network through a single site-to-site tunnel, without VPN client software installed on every individual PC.
On the other hand, a router that supports VPN Passthrough simply means that it can forward ("pass through") packets that originate from VPN clients behind it. An example would be your laptop or home office PC connecting to the VPN server at your corporate office. Features like VPN Passthrough are needed because most routers perform Network Address Translation (NAT), and NAT normally tells the connections of different inside PCs apart by their TCP or UDP port numbers. IPsec's ESP and AH (IP protocols 50 and 51) and PPTP's GRE (IP protocol 47) carry no port numbers at all, so the router has nothing to rewrite and nothing to match replies against. A passthrough implementation handles these packets specially: it keeps a table of the active VPN tunnels (which inside PC is talking to which remote gateway, and which SPI or GRE call ID belongs to it) and forwards inbound ESP or GRE accordingly. Two caveats are worth knowing. Many such devices support only one IPsec client per remote gateway, because an inbound ESP packet carries an SPI the router has never seen and it must guess which inside PC it belongs to. And if both ends support NAT Traversal (NAT-T, which wraps ESP in UDP on port 4500), the problem disappears, since ordinary port-based NAT can then handle the tunnel.
In regards to which protocol you should run, I would suggest you use IPsec. IPsec (short for IP Security) is a set of IP extensions developed by the Internet Engineering Task Force (IETF) to create encrypted tunnels (VPNs) that work with the existing IP standard (IPv4) as well as its successor, IPv6.
IPsec can protect any protocol that runs on top of IP (for instance TCP, UDP and ICMP) and allows the information exchanged between remote sites to be encrypted and verified. IPsec accomplishes this using cryptographic security services that provide authentication, integrity, access control and confidentiality through two protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP). AH authenticates the packet, including the outer IP header, but does not encrypt it; ESP encrypts the payload and authenticates only the ESP portion of the packet, which is why ESP is the protocol used in practice for VPNs and the one that can survive a NAT in the path.
Through the use of these protocols, you can create encrypted tunnels (VPNs) between sites, or simply protect traffic between two computers (transport mode). This flexibility is one of the reasons IPsec is the more versatile network security solution. Lastly, IPsec is a Layer 3 technology, whereas PPTP tunnels Layer 2 PPP frames: every PPTP packet carries a GRE header and a PPP header on top of the IP header, framing overhead that IPsec does not need. Because IPsec sits at the IP layer, it can also serve as the encryption layer beneath L2TP (the combination known as L2TP/IPsec). L2TP tunnels PPP frames much as PPTP does and merges the best features of Microsoft's PPTP and L2F from Cisco Systems.
By contrast, PPTP is a tunneling protocol defined by the PPTP Forum that encapsulates PPP packets within Internet Protocol (IP) packets so they can be forwarded over any IP network, including the Internet itself. PPTP carries traffic from one private network to another, and users can easily dial into their corporate network via the Internet with it. It's been around for quite some time and is compatible with just about everything. However, by today's standards it is somewhat outdated, and there are well-documented weaknesses in its MS-CHAP authentication and its MPPE (RC4-based) encryption. For that reason, most people these days implement IPsec for all of their VPN needs.
The only real advantage of going with PPTP over IPsec that I can see is that PPTP suffers from fewer interoperability problems than IPsec, particularly on older hardware from different vendors that shipped before the standards settled. Also, IPsec protects only IP traffic, whereas PPTP tunnels PPP frames and so can carry TCP/IP, NetBEUI, IPX and SPX alike, although for most networks today this limitation isn't really a problem.
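To make the passthrough explanation above concrete, here is an added example (written for this page, not code from the column or from any router vendor) of a toy NAT table that classifies constructed IPv4 packets and shows which header field it can use to send replies back to the right inside PC: the port for TCP/UDP, the SPI for ESP/AH, the call ID for PPTP's enhanced GRE. The addresses, SPIs, the 16-byte dummy ciphertext and the "one client per peer" guessing rule are all assumptions made for the demo.

```python
"""Toy NAPT showing why a NAT router needs "VPN passthrough": TCP/UDP flows can be
demultiplexed by port, but ESP/AH (IP protocols 50/51) and PPTP's GRE (protocol 47)
carry no ports, so the router must track tunnels by SPI or call ID instead.
Constructed example; not code from the column or from any vendor."""
import socket
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP, IPPROTO_AH = 6, 17, 47, 50, 51
PPTP_GRE_PROTO = 0x880B          # enhanced GRE protocol type carrying PPP (RFC 2637)


@dataclass(frozen=True)
class Flow:
    proto: int
    src: str
    dst: str
    kind: str                    # "port", "spi", "call_id" or "none"
    sport: Optional[int] = None  # TCP/UDP only
    dport: Optional[int] = None
    key: Optional[int] = None    # ESP/AH SPI or PPTP GRE call ID


def ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header + payload (no checksum; constructed test input only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                       0, socket.inet_aton(src), socket.inet_aton(dst)) + payload


def udp(sport: int, dport: int, data: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def esp(spi: int, seq: int) -> bytes:
    return struct.pack("!II", spi, seq) + b"\x00" * 16      # SPI, seq, dummy ciphertext


def pptp_gre(call_id: int, seq: int) -> bytes:
    # flags 0x3001: Key and Sequence present, version 1 (enhanced GRE); then
    # protocol type, payload length, call ID (the Key field), sequence number
    return struct.pack("!HHHHI", 0x3001, PPTP_GRE_PROTO, 0, call_id, seq)


def classify(pkt: bytes) -> Flow:
    """Pull out the field a NAT could use to tell this packet's flow or tunnel apart."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    body = pkt[ihl:]
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        sport, dport = struct.unpack("!HH", body[:4])
        return Flow(proto, src, dst, "port", sport, dport)
    if proto == IPPROTO_ESP:                       # SPI is the first 32 bits of ESP
        return Flow(proto, src, dst, "spi", key=struct.unpack("!I", body[:4])[0])
    if proto == IPPROTO_AH:                        # SPI follows next-hdr, len, reserved
        return Flow(proto, src, dst, "spi", key=struct.unpack("!I", body[4:8])[0])
    if proto == IPPROTO_GRE:
        flags, ptype = struct.unpack("!HH", body[:4])
        if (flags & 0x0007) == 1 and ptype == PPTP_GRE_PROTO and flags & 0x2000:
            return Flow(proto, src, dst, "call_id", key=struct.unpack("!H", body[6:8])[0])
    return Flow(proto, src, dst, "none")


class PassthroughNAT:
    """outbound() learns mappings; inbound() returns the inside host a packet belongs to."""

    def __init__(self) -> None:
        self.ports = {}          # (proto, peer, public_port) -> (inside_ip, inside_port)
        self.next_port = 40000
        self.tunnel_hosts = {}   # (proto, peer) -> inside hosts with an outbound tunnel
        self.tunnel_keys = {}    # (proto, peer, inbound SPI / call ID) -> inside_ip

    def outbound(self, pkt: bytes) -> Tuple[str, Optional[int]]:
        f = classify(pkt)
        if f.kind == "port":                       # ordinary NAPT: allocate a public port
            pub, self.next_port = self.next_port, self.next_port + 1
            self.ports[(f.proto, f.dst, pub)] = (f.src, f.sport)
            return ("port", pub)
        if f.kind in ("spi", "call_id"):           # nothing to rewrite; remember who talks to whom
            self.tunnel_hosts.setdefault((f.proto, f.dst), set()).add(f.src)
            return (f.kind, f.key)
        return ("none", None)

    def inbound(self, pkt: bytes) -> Optional[str]:
        f = classify(pkt)
        if f.kind == "port":
            entry = self.ports.get((f.proto, f.src, f.dport))
            return entry[0] if entry else None
        if f.kind in ("spi", "call_id"):
            if (f.proto, f.src, f.key) in self.tunnel_keys:
                return self.tunnel_keys[(f.proto, f.src, f.key)]
            # The inbound SPI / call ID was chosen by the inside host and never appears in
            # its outbound data packets, so the NAT has to guess: bind an unknown key to
            # the only inside host with a tunnel to this peer. Two inside hosts talking to
            # the same peer make this ambiguous (assumed rule: refuse rather than guess).
            hosts = self.tunnel_hosts.get((f.proto, f.src), set())
            if len(hosts) == 1:
                (host,) = hosts
                self.tunnel_keys[(f.proto, f.src, f.key)] = host
                return host
        return None


def demo() -> dict:
    """Constructed traffic: IKE over UDP, then one and two IPsec clients to the same peer."""
    nat, peer, public = PassthroughNAT(), "203.0.113.10", "198.51.100.1"
    nat.outbound(ipv4(IPPROTO_UDP, "192.168.1.20", peer, udp(500, 500)))      # IKE
    nat.outbound(ipv4(IPPROTO_ESP, "192.168.1.20", peer, esp(0x1001, 1)))     # first ESP
    ike_reply = nat.inbound(ipv4(IPPROTO_UDP, peer, public, udp(500, 40000)))
    esp_reply = nat.inbound(ipv4(IPPROTO_ESP, peer, public, esp(0x2002, 1)))
    nat.outbound(ipv4(IPPROTO_ESP, "192.168.1.21", peer, esp(0x1003, 1)))     # second client
    esp_second = nat.inbound(ipv4(IPPROTO_ESP, peer, public, esp(0x2004, 1)))
    esp_known = nat.inbound(ipv4(IPPROTO_ESP, peer, public, esp(0x2002, 2)))
    return {"ike_reply": ike_reply, "esp_reply": esp_reply,
            "esp_second": esp_second, "esp_known": esp_known}
```

Running demo() shows the IKE reply and the first inbound ESP packet landing on 192.168.1.20, while the unknown SPI that arrives after a second inside PC opens a tunnel to the same gateway cannot be delivered at all; that second result is exactly the limitation cheap passthrough devices document as "one IPsec session per remote gateway", and NAT-T (ESP in UDP 4500) avoids it by giving the NAT a port to work with again.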
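The AH/ESP description above has a practical consequence for anyone sitting behind a NAT router, passthrough or not: AH's integrity check covers the outer IP addresses, so a NAT that rewrites the source address breaks every AH packet, whereas ESP's check covers only the ESP portion and survives the rewrite. The following added example (written for this page, not the column's code, and not a full RFC 4302/4303 implementation: no SA state, no anti-replay, no encryption of the payload, simplified header layout, HMAC-SHA256 truncated to 16 bytes and a constructed key) demonstrates that difference.

```python
"""AH versus ESP behind a NAT: AH's ICV covers the immutable IP header fields
(including the addresses), ESP's ICV covers only the ESP header and payload.
Constructed toy; not the column's code and not a complete IPsec implementation."""
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"    # assumed SA authentication key, demo only
ICV_LEN = 16                     # truncated ICV length, as IPsec HMAC variants use
IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51


def ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header + payload (checksum left zero; constructed input)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                       0, socket.inet_aton(src), socket.inet_aton(dst)) + payload


def immutable_ip_fields(pkt: bytes) -> bytes:
    """What AH authenticates in the IP header: mutable fields (TOS, flags/fragment
    offset, TTL, checksum) are zeroed before hashing; addresses are NOT zeroed."""
    hdr = bytearray(pkt[:20])
    hdr[1] = 0
    hdr[6:8] = b"\x00\x00"
    hdr[8] = 0
    hdr[10:12] = b"\x00\x00"
    return bytes(hdr)


def _mac(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def ah_encapsulate(src: str, dst: str, inner: bytes) -> bytes:
    """AH: next header UDP, payload len 5 (28-byte AH in 32-bit words minus 2),
    reserved, SPI, sequence; ICV = HMAC(immutable IP fields || AH with zero ICV || inner)."""
    ah_hdr = struct.pack("!BBHII", IPPROTO_UDP, 5, 0, 0x1001, 1)
    draft = ipv4(IPPROTO_AH, src, dst, ah_hdr + b"\x00" * ICV_LEN + inner)
    icv = _mac(immutable_ip_fields(draft) + ah_hdr + b"\x00" * ICV_LEN + inner)
    return ipv4(IPPROTO_AH, src, dst, ah_hdr + icv + inner)


def ah_verify(pkt: bytes) -> bool:
    body = pkt[20:]
    ah_hdr, icv, inner = body[:12], body[12:12 + ICV_LEN], body[12 + ICV_LEN:]
    expected = _mac(immutable_ip_fields(pkt) + ah_hdr + b"\x00" * ICV_LEN + inner)
    return hmac.compare_digest(icv, expected)


def esp_encapsulate(src: str, dst: str, inner: bytes) -> bytes:
    """ESP: SPI, sequence, payload (left unencrypted in this toy), trailing ICV.
    The outer IP header is deliberately outside the authenticated data."""
    esp_hdr = struct.pack("!II", 0x2002, 1)
    return ipv4(IPPROTO_ESP, src, dst, esp_hdr + inner + _mac(esp_hdr + inner))


def esp_verify(pkt: bytes) -> bool:
    body = pkt[20:]
    data, icv = body[:-ICV_LEN], body[-ICV_LEN:]
    return hmac.compare_digest(icv, _mac(data))


def nat_rewrite_source(pkt: bytes, new_src: str) -> bytes:
    """What a NAT gateway does to an outbound packet: replace the source address.
    (The IP checksum is not recomputed here; AH treats it as mutable anyway.)"""
    return pkt[:12] + socket.inet_aton(new_src) + pkt[16:]


def demo() -> dict:
    """Send one AH and one ESP packet from an inside PC directly, then through a NAT."""
    inner = b"constructed inner datagram"
    ah = ah_encapsulate("192.168.1.20", "203.0.113.10", inner)
    es = esp_encapsulate("192.168.1.20", "203.0.113.10", inner)
    return {
        "ah_direct": ah_verify(ah),
        "ah_after_nat": ah_verify(nat_rewrite_source(ah, "198.51.100.1")),
        "esp_direct": esp_verify(es),
        "esp_after_nat": esp_verify(nat_rewrite_source(es, "198.51.100.1")),
    }
```

The receiving gateway accepts both packets when they arrive unmodified, rejects the AH packet once a NAT has rewritten its source address, and still accepts the ESP packet. No passthrough feature can fix the AH case, which is why home-router "IPsec passthrough" really means ESP passthrough, and why NAT-T only ever encapsulates ESP.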
Use our feedback form to submit your questions on home or SOHO networking issues. We cannot guarantee to answer every question we get, but we’ll consider them all.