Virtual private networking with IPSec
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Virtual private networking with IPSec
Tunneling is the entire process of encapsulation, routing, and decapsulation. Tunneling wraps, or encapsulates, the original packet inside a new packet. This new packet might have new addressing and routing information, which enables it to travel through a network. When tunneling is combined with data confidentiality, the original packet data (as well as the original source and destination) is not revealed to those listening to traffic on the network. After the encapsulated packets reach their destination, the encapsulation is removed, and the original packet header is used to route the packet to its final destination.
The tunnel itself is the logical data path through which the encapsulated packets travel. To the original source and destination peer, the tunnel is usually transparent and appears as just another point-to-point connection in the network path. The peers are unaware of any routers, switches, proxy servers, or other security gateways between the tunnel’s beginning point and the tunnel’s end point. When tunneling is combined with data confidentiality, it can be used to provide a virtual private network (VPN).
The encapsulated packets travel through the network inside the tunnel. In this example, the network is the Internet. The gateway might be an edge gateway that stands between the outside Internet and the private network. The edge gateway can be a router, firewall, proxy server, or other security gateway. Also, two gateways can be used inside the private network to protect traffic across untrusted parts of the network.
Tunnel types that use IPSec
In Windows XP and the Windows Server 2003 family, two types of tunneling are provided that use IPSec:
The combination of the Layer Two Tunneling Protocol (L2TP) and IPSec (L2TP/IPSec)
L2TP is used to tunnel the data across a shared or public network such as the Internet, and IPSec Encapsulating Security Payload (ESP) is used to encrypt the data. L2TP/IPSec can be used to tunnel IP or Internetwork Packet Exchange (IPX) traffic.
IPSec in tunnel mode
When IPSec is used in tunnel mode, IPSec itself provides encapsulation for IP traffic only. The primary reason for using IPSec tunnel mode is interoperability with other routers, gateways, or end-systems that do not support L2TP/IPSec or PPTP VPN tunneling. IPSec tunnel mode is supported only in gateway-to-gateway tunneling scenarios and for certain server-to-server or server-to-gateway configurations as an advanced feature. IPSec tunnel mode is not supported for remote access VPN scenarios. L2TP/IPSec or PPTP should be used for remote access VPN connections.
For information about IPSec tunnel mode and configuring IPSec tunnels, see Tunnel mode.
How L2TP and IPSec work
L2TP and IPSec are combined to provide both tunneling and security for IP, IPX, and other protocol packets across any IP network. IPSec can also perform tunneling without L2TP, but it is only recommended for interoperability, when one of the gateways does not support L2TP or PPTP.
L2TP encapsulates original packets first inside a PPP frame (performing compression when possible) and then inside a UDP message using port 1701. Because the UDP message is an IP payload, L2TP uses IPSec transport mode to secure the tunnel. This design supports RFC 3193 ("Securing L2TP Using IPSec"), and it is compatible with Windows XP and Windows 2000. The IPSec Internet Key Exchange (IKE) protocol negotiates security for the L2TP tunnel using certificate-based or preshared key authentication. If IPSec main mode and quick mode security associations are successfully established, L2TP negotiates the tunnel, including compression and user authentication options, and performs PPP-based user authentication.
The original packet, shown here as the PPP payload, includes the original and ultimate source and destination addresses used on the private network. The outer IP header, shown as IP header, contains the source and destination addresses of the VPN client and server on the public network. The L2TP header includes L2TP tunnel control information. The PPP header identifies the protocol of the original packet (for example, IP or IPX).
Note
- The IPX/SPX protocol is not available on Windows XP 64-bit Edition (Itanium) and the 64-bit versions of the Windows Server 2003 family.
Common L2TP/IPSec scenarios
Two common scenarios for L2TP/IPSec are securing communications between remote access clients and the corporate network across the Internet and securing communications between branch offices.
Remote access clients with L2TP/IPSec
A common requirement is securing communications between remote access clients and the corporate network across the Internet. Such a client might be a sales consultant who spends most of the time traveling, or an employee working from a home office.
In this figure, the remote gateway is a server that provides edge security for the corporate intranet. The remote client represents a roaming user who requires regular access to network resources and information. An ISP is used as an example to demonstrate the path of communication when the client uses an ISP to access the Internet. L2TP is combined with IPSec to provide a simple, efficient way to build the tunnel and protect the data across the Internet.
For more information about configuring L2TP-based client remote access VPN connections, see Setting Up Remote Access VPNs, Make a virtual private network (VPN) connection, and Virtual Private Network (VPN) Connections.
Connecting branch offices with L2TP/IPSec
A large corporation often has multiple sites that require communication--for example, a corporate office in New York and a sales office in Washington. In this case, L2TP is combined with IPSec to provide the VPN connection and protect the data between the sites.
In this figure, the router running the Windows Server 2003 family provides edge security. The routers might have a leased line, dial-up, or other type of Internet connection. The IPSec SA and L2TP tunnel runs between the routers only and provides protected communication through the Internet.
For more information about configuring L2TP-based router-to-router VPN connections, see Deploying Router-to-Router VPNs.