VPN Classification

Uploaded by kevinjumaochieng

A Virtual Private Network (VPN) is a connection that provides secure private communication over an insecure network such as the public Internet. Typically, a VPN provides connections between fixed network devices. The term "private" means that traffic inside the VPN is isolated from other users of the shared network (and, for most VPN types, encrypted), that resources are shared only among an authorized group of users, and that access is controlled by different levels of access control. The term "virtual" indicates that the VPN looks like a private network from the user's perspective and consists of an independently administered virtual topology, although the underlying network is shared by everyone using it. Furthermore, a VPN is cheap, as it normally uses the public network instead of costly leased-line services.

Originally, the VPN was associated with Frame Relay networks. Companies used dedicated lines and Layer 2 services such as Frame Relay to interconnect their nodes with links that they owned. Frame Relay networks are considered secure, as customer traffic is sent through a predetermined path (a Permanent Virtual Circuit) and is therefore isolated from other customers' traffic, although it is not encrypted. However, with the rapid development of IP networks, VPNs began to migrate from conventional Layer 2 Frame Relay to Layer 3 IP-based networks.

The primary advantages of IP VPNs over Frame Relay VPNs are:

• Reduced network cost (service providers charge more for a Frame Relay Permanent Virtual Circuit).

• Easy to provide network connectivity to geographically dispersed offices and remote users.

• Convergence of other services such as voice and video, which reduces cost.

VPN Classification

VPNs can be classified in a variety of ways.

By topology:

Peer-to-Peer VPN

A Peer-to-Peer VPN sets up a secure tunnel between two computers via public networks. An IP address is assigned to each end of the tunnel so that the two computers can communicate with each other as if they were connected by a physical Ethernet cable. The limitation of a Peer-to-Peer VPN is that the tunnel is shared by only two computers. This solution is not widely used because of that limitation. The topology of a Peer-to-Peer VPN is shown as follows.

Figure 1: Peer-to-Peer VPN

Client-to-Server VPN

A Client-to-Server VPN sets up a secure tunnel between a VPN client and a specific network via public networks. The VPN client can connect to all the computers inside that network. However, unlike a Peer-to-Peer VPN, a Client-to-Server VPN only encrypts the traffic between the VPN client and the VPN server; the traffic between the VPN server and the other computers in the network is not protected. Although it does not protect the full path between end users (there is no protection within the company network), the Client-to-Server VPN is widely used in today's networks because people working outside the office usually want to connect to the company network, not to a single computer.

Figure 2: Client-to-Server VPN
Site-to-Site VPN

A Site-to-Site VPN sets up a secure tunnel between two networks via the public Internet, where the tunnel endpoints are a VPN concentrator and a VPN server. These VPNs only encrypt the traffic between the VPN concentrator and the VPN server; any traffic outside the tunnel endpoints is not protected. Site-to-Site VPNs are widely used between a company's main office and its remote offices.

Figure 3: Site-to-Site VPN

A VPN concentrator is a type of networking device that provides secure creation of VPN connections and delivery of messages between VPN nodes. It is a type of router, built specifically for creating and managing VPN communication infrastructures.

A VPN server is a type of server that enables hosting and delivery of VPN services. It is a combination of VPN hardware and software technologies that provides VPN clients with connectivity to a secure and/or private network, or rather, the VPN.

2.2 By protocol

The choice of a VPN protocol depends on the type of traffic to be sent via the tunnel. VPN protocols can be classified according to the OSI layer of the packets they encapsulate (and, where the protocol encrypts, protect). There are currently three kinds of VPN:

2.2.1 Layer 2 VPN

A Layer 2 VPN encapsulates packets at OSI Layer 2, the Data Link Layer. The main Layer 2 VPN protocols are Layer 2 MPLS VPN, OpenVPN (in its Layer 2 "tap" mode), PPTP and L2TP.

As the need to link different Layer 2 services to one another for expanded service offerings grows, Layer 2 Multiprotocol Label Switching (MPLS) VPN services are increasingly in demand.

Implementing a Layer 2 VPN on a router is similar to implementing a VPN using a Layer 2 technology such as Asynchronous Transfer Mode (ATM) or Frame Relay. However, for a Layer 2 VPN on a router, traffic is forwarded to the router in a Layer 2 format. It is carried by MPLS over the service provider's network, and then converted back to Layer 2 format at the receiving site. Different Layer 2 formats can be configured at the sending and receiving sites. The security and privacy of an MPLS Layer 2 VPN are equal to those of an ATM or Frame Relay VPN: traffic is separated from other customers' traffic, but nothing is encrypted.

In the topology referred to here (the figure is not reproduced), R1 and R4 represent the CE routers at the two different sites of a single customer. R2 and R3 represent the provider backbone routers which provide the Layer 2 connectivity to the customer's CE routers.

On a Layer 2 VPN, routing occurs on the customer's routers, typically on the customer edge (CE) router. The CE router connected to a service provider on a Layer 2 VPN must select the appropriate circuit on which to send traffic. The provider edge (PE) router receiving the traffic sends it across the service provider's network to the PE router connected to the receiving site. The PE routers do not need to store or process the customer's routes; they only need to be configured to send data to the appropriate tunnel.

Implementing a Layer 2 MPLS VPN includes the following benefits:

• Service providers do not have to invest in separate Layer 2 equipment to provide Layer 2 VPN service. A Layer 2 MPLS VPN allows a provider to offer Layer 2 VPN service over an existing IP and MPLS backbone.

• The PE router can be configured to run any Layer 3 protocol in addition to the Layer 2 protocols.

• Customers who prefer to maintain control over most of the administration of their own networks might want Layer 2 VPN connections with their service provider instead of a Layer 3 VPN.

• Because the Layer 2 VPNs described here use BGP as the signaling protocol, they have a simpler design and require less overhead than traditional VPNs over Layer 2 circuits. BGP signaling also enables autodiscovery of Layer 2 VPN peers. Such Layer 2 VPNs are similar to BGP/MPLS Layer 3 VPNs and VPLS in many respects; all three types of service employ BGP for signaling. (Point-to-point Layer 2 circuits can also be signaled with LDP; that variant is not covered here.)

2.2.2 Layer 3 VPN

A Layer 3 VPN encapsulates packets at OSI Layer 3, the Network Layer. The main Layer 3 VPN protocols are Layer 3 MPLS VPN, IPsec and OpenVPN (in its Layer 3 "tun" mode).

2.2.3 Layer 4 VPN

Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) are Layer 4 VPN protocols that encrypt segments of network connections at OSI Layer 4 (the transport layer). A prominent use of TLS is securing web traffic carried by HTTP to form HTTPS. Although TLS is widely used, on its own it protects only the payload of a single transport connection; it does not encapsulate IP packets or Layer 2 frames, so it cannot tunnel arbitrary traffic without an additional encapsulation layer (which is what TLS-based VPN products add on top of it). This greatly limits its applications as a general-purpose VPN.

2.3 Layer 2 MPLS VPN

Multiprotocol Label Switching (MPLS) is a mechanism used in high-performance networks to carry data from one network node to the next. In an MPLS network, labels are added to each data packet and packets are switched according to these labels. MPLS is scalable, as MPLS labels can be added to various network protocols. A Layer 2 MPLS VPN is a type of Virtual Private Network (VPN) that uses MPLS labels to transport OSI Layer 2 packets. It is commonly used when customers want to communicate between remote offices through the Internet Service Provider (ISP) network; the Layer 2 VPN itself gives those sites no access to the public Internet. The edge routers on the service provider side are called Provider Edge (PE) routers and the edge routers on the customer side are called Customer Edge (CE) routers. The topology of a Layer 2 MPLS VPN network is shown in Figure 4.

Layer 2 MPLS VPN networks are quite fast. All kinds of traffic, i.e. Frame Relay (FR), Asynchronous Transfer Mode (ATM) and Ethernet traffic, can be sent through the network. The Provider Edge (PE) routers are not responsible for routing; they only forward packets according to Layer 2 information and MPLS labels. Traffic crossing the provider's network is separated from other customers' traffic by the label switching, so other customers cannot normally access these packets. Security is nevertheless a big issue for Layer 2 MPLS VPN. If several customers share a Layer 2 medium on the ISP network, there is often no control over which packets are transferred to that device, so packets from other customers can be easily captured. The chance of using exclusive network devices on the ISP network is very limited because of the high cost. One solution is to use a port-based Ethernet connection between two physical data ports provided across an MPLS network. This means that the Layer 2 packets are encapsulated in 802.1Q Ethernet frames and sent to the destination. Another big security issue is that Layer 2 MPLS VPN packets are not encrypted in the ISP network: the separation is a forwarding-table property, not a cryptographic one, so a misconfiguration or a compromised provider device exposes the traffic. Layer 2 MPLS VPN has not been chosen to add mobility support because of these security issues.
NB

Origin of MPLS

In the middle of the 1990s, IP technology developed rapidly due to its simplicity and low costs, and the volume of data transmitted across the Internet increased greatly. Because of hardware limitations at the time, IP routers relied on software to look up routes using the longest-match rule. Software could not achieve high forwarding performance, and therefore IP technology was not the most efficient choice; its forwarding performance had become a bottleneck of network development.

To adapt to network development, Asynchronous Transfer Mode (ATM) technology emerged. In comparison with IP technology, ATM was much more efficient at forwarding: it switched fixed-length cells using short labels (VPI/VCI) and maintained a label table much smaller than a routing table. However, ATM was a complex protocol with high deployment costs, which hindered its widespread adoption and growth.

Combining the advantages of both IP and ATM was seen as the optimal solution. To achieve this, Multiprotocol Label Switching (MPLS) technology was introduced.

MPLS was designed to increase forwarding rates. Unlike IP forwarding, MPLS analyzes packet headers only at the edges of a network, not at each hop. Therefore, the packet processing time is shortened.

Multi-Protocol Label Switching (MPLS) converts a routed network into something closer to a switched network. Instead of forwarding packets on a hop-by-hop basis, paths are established for particular source-destination pairs. These predetermined paths are called label-switched paths (LSPs). The routers that make up a label-switched network are called label-switching routers (LSRs).

Label basics

As packets are forwarded in a label-switching framework, MPLS routers encapsulate the packets with special headers called labels. A label basically tells the router which label-switched path (LSP) the packet belongs to.
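To make the label mechanics concrete, here is an added example (written for this edit, not code from the original document or from any vendor). It packs and parses RFC 3032 label stack entries and walks one packet through a constructed three-router LSP with push, swap and pop. The router names, label values and label tables are assumptions made for illustration.

```python
import struct

# RFC 3032 label stack entry (32 bits): Label 20 | TC 3 | S 1 | TTL 8.
LABEL_MAX = (1 << 20) - 1


def encode_label_entry(label, tc=0, bottom=False, ttl=64):
    """Pack one label stack entry in network byte order."""
    if not 0 <= label <= LABEL_MAX:
        raise ValueError("label must fit in 20 bits")
    if not (0 <= tc < 8 and 0 <= ttl < 256):
        raise ValueError("tc is 3 bits, ttl is 8 bits")
    word = (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl
    return struct.pack("!I", word)


def decode_label_stack(data):
    """Return (entries, payload). Reads entries until the one with S=1."""
    entries, offset = [], 0
    while True:
        if len(data) - offset < 4:
            raise ValueError("truncated label stack")
        (word,) = struct.unpack_from("!I", data, offset)
        offset += 4
        entry = {
            "label": word >> 12,
            "tc": (word >> 9) & 0x7,
            "bottom": bool((word >> 8) & 1),
            "ttl": word & 0xFF,
        }
        entries.append(entry)
        if entry["bottom"]:
            return entries, data[offset:]


# Constructed label tables for a three-router LSP: PE1 -> P1 -> PE2.
# Key None means "unlabeled packet arriving on the customer-facing port".
# Value: (action, outgoing label, next hop).
LSR_TABLES = {
    "PE1": {None: ("push", 100, "P1")},   # ingress: classify once, push label
    "P1":  {100: ("swap", 200, "PE2")},   # core: label swap only
    "PE2": {200: ("pop", None, "CE-B")},  # egress: pop, hand frame to CE
}


def forward_along_lsp(ingress, payload, max_hops=8):
    """Walk a packet through LSR_TABLES. Returns (trace, last hop, payload).

    After ingress only the top label is inspected; the payload (an Ethernet
    frame in a Layer 2 VPN) is carried opaquely and arrives unchanged.
    """
    trace, router, packet, labeled = [], ingress, payload, False
    for _ in range(max_hops):
        if labeled:
            top = decode_label_stack(packet)[0][0]
            key, ttl = top["label"], top["ttl"] - 1   # LSRs decrement TTL
            if ttl <= 0:
                raise RuntimeError(f"TTL expired at {router}")
        else:
            top, key, ttl = None, None, 64
        action, out_label, next_hop = LSR_TABLES[router][key]
        trace.append((router, action, key, out_label))
        if action == "push":
            packet = encode_label_entry(out_label, bottom=True, ttl=ttl) + packet
            labeled = True
        elif action == "swap":
            new_top = encode_label_entry(out_label, top["tc"], top["bottom"], ttl)
            packet = new_top + packet[4:]
        elif action == "pop":
            packet = packet[4:]
            if top["bottom"]:
                return trace, next_hop, packet  # unlabeled again at the egress
        else:
            raise ValueError(f"unknown action {action}")
        router = next_hop
    raise RuntimeError("path too long or looping")


if __name__ == "__main__":
    frame = bytes.fromhex("001122334455" "66778899aabb" "0800") + b"..."
    trace, hop, out = forward_along_lsp("PE1", frame)
    for step in trace:
        print(step)
    print(hop, out == frame)
```

Note that once the ingress PE has classified the packet, nothing on the path reads the payload; that is the same property that makes the Layer 2 MPLS VPN of section 2.3 a separation mechanism rather than a confidentiality one.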

3. OpenVPN

OpenVPN is an open source Layer 2 or Layer 3 tunneling protocol. It works by encapsulating Layer 2 frames or Layer 3 packets inside UDP (User Datagram Protocol) or TCP packets and sending them to the destination. It uses OpenSSL for cryptography and implements SSL (Secure Sockets Layer) and TLS (Transport Layer Security, the standardized successor of SSL) for its control channel. It supports pre-shared keys, certificate-based authentication and username/password authentication. It is capable of establishing direct links between computers across network address translators (NATs) and firewalls. It is easy to configure but, at the time this was written, it had not been widely used. The packet structure of OpenVPN is shown in Figure 5.

Figure 5: Packet Structure of OpenVPN

The author's main concern with OpenVPN is the security of its TLS key exchange as configured. Completely anonymous (unauthenticated) TLS sessions are vulnerable to man-in-the-middle attacks, and a static RSA key exchange provides no forward secrecy, so compromise of the server's private key exposes every session negotiated with it. On that basis the author does not recommend OpenVPN when security is a concern. OpenVPN by itself is also not useful for mobile business scenarios, as it has no native ability to cope with mobile clients.
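As an added example (not part of the original document and not OpenVPN project code), the following checker parses an OpenVPN client configuration and flags the conditions behind the concerns above: anonymous TLS cipher suites, no check that the peer presented a server certificate, an unauthenticated control channel, and a disabled data-channel cipher or HMAC. The directive names are real OpenVPN 2.x options; the two sample configurations, the hostname vpn.example.test and the rule set itself are constructed for illustration.

```python
import re

# Constructed sample: a client config with the weak settings discussed above.
WEAK_CLIENT_CONF = """\
client
dev tun
proto udp
# the hostname below is constructed for this example
remote vpn.example.test 1194
ca ca.crt
tls-cipher ADH-AES256-SHA
cipher none
auth none
"""

# Constructed sample: the same client hardened.
HARDENED_CLIENT_CONF = """\
client
dev tun
proto udp
remote vpn.example.test 1194
ca ca.crt
cert client.crt
key client.key
tls-crypt ta.key
remote-cert-tls server
verify-x509-name vpn.example.test name
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
"""

# OpenSSL cipher-list tokens for anonymous (unauthenticated) key exchange.
ANON_SUITE = re.compile(r"\b(?:ADH|AECDH|aNULL)\b", re.IGNORECASE)


def parse_openvpn_conf(text):
    """Map directive -> list of argument lists. Inline <tag>...</tag> blocks
    (an embedded <ca>, for instance) are recorded by tag name with no args."""
    directives, inside = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inside:                       # skip the body of an inline block
            if line == f"</{inside}>":
                inside = None
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            inside = m.group(1)
            directives.setdefault(inside, []).append([])
            continue
        if not line or line[0] in "#;":  # comment or blank line
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def check_openvpn_client(text):
    """Return findings for a client config; an empty list means none."""
    d = parse_openvpn_conf(text)
    findings = []
    if "client" in d or "tls-client" in d:
        if "remote-cert-tls" not in d and "ns-cert-type" not in d:
            findings.append("remote-cert-tls server missing: any certificate issued by "
                            "the same CA, including another client's, can impersonate the server")
        if "verify-x509-name" not in d and "tls-verify" not in d:
            findings.append("verify-x509-name missing: server identity is not pinned")
    if not any(k in d for k in ("tls-auth", "tls-crypt", "tls-crypt-v2")):
        findings.append("tls-auth/tls-crypt missing: control channel is unauthenticated "
                        "until the TLS handshake completes")
    for args in d.get("tls-cipher", []):
        if ANON_SUITE.search(" ".join(args)):
            findings.append("tls-cipher permits anonymous suites: no peer authentication, "
                            "so an active attacker can sit in the middle")
    for name, what in (("cipher", "encryption"), ("auth", "integrity protection")):
        if any(args and args[0].lower() == "none" for args in d.get(name, [])):
            findings.append(f"{name} none: data channel has no {what}")
    versions = d.get("tls-version-min", [])
    if not versions or not versions[0]:
        findings.append("tls-version-min not set: minimum TLS version left to the build default")
    elif float(versions[0][0]) < 1.2:
        findings.append(f"tls-version-min {versions[0][0]}: allows deprecated TLS versions")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CLIENT_CONF), ("hardened", HARDENED_CLIENT_CONF)):
        print(label, check_openvpn_client(conf) or "no findings")
```

The first two checks are the ones most often missed in practice: without `remote-cert-tls server` a client accepts any certificate from the shared CA, so one compromised client certificate is enough to impersonate the server to every other client.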

Point-to-Point Tunneling Protocol (PPTP)

PPTP [1] is a Layer 2 tunneling protocol which works by sending a regular PPP session to a peer using the Generic Routing Encapsulation (GRE) protocol. A second session is used to initiate and manage the GRE session. This session is a simple TCP connection from the PPTP client to port 1723 on the PPTP server. PPTP can also carry IPX packets. The main disadvantage of PPTP is its security. PPTP itself does not specify any authentication or encryption algorithms; the only algorithms used are those inside the PPP sessions [16]. Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) and Microsoft Point-to-Point Encryption (MPPE) [15] are used for PPP authentication and encryption. MS-CHAP is known to be a weak algorithm, easily cracked by software such as L0phtCrack (MS-CHAPv2 was later shown to reduce to a single 56-bit DES key search, so it is breakable regardless of password strength). MPPE is also weak because an attacker can easily spoof the packets that resynchronize keys [13]. Also, there are many unauthenticated control packets that are readily spoofed [1]. PPTP is widely used in Microsoft Windows, and some parts of it are patent-encumbered. It has no native ability to cope with mobile clients.
Layer 2 Tunneling Protocol (L2TP)

L2TP is an open standard Layer 2 tunneling protocol (RFC 2661). It was originally used to encapsulate PPP (Point-to-Point Protocol) frames into UDP packets and send those UDP packets over existing networks. The two endpoints of an L2TP tunnel are the LAC (L2TP Access Concentrator) and the LNS (L2TP Network Server). The LAC receives PPP packets from users, encapsulates the PPP packets into UDP packets and then sends these to the LNS. The LNS decapsulates the UDP packets and sends the PPP packets to the destination computers. IP packets can also be tunnelled through L2TP, and the process of tunnelling IP packets is similar to that of tunnelling PPP packets. L2TP provides no encryption and no strong authentication by itself, so it is commonly combined with IPsec to secure the tunnel. The topology of an L2TP tunnel is shown in Figure 6.

Figure 6: L2TP Topology

A problem with L2TP/IPsec tunnelling is that, without the IPsec NAT traversal extensions (NAT-T, which wraps ESP in UDP), it does not work through NAT. However, IPv6 (the next generation network) has an almost unlimited number of addresses, which makes NAT unnecessary. L2TP by itself is not useful for mobile business scenarios, as there is no native ability to cope with mobile clients.
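The following is an added example (mine, not from the original document): a parser for the L2TPv2 header and AVPs of RFC 2661, exercised with two constructed datagrams, an SCCRQ that opens a tunnel and a data message carrying a PPP frame. It makes the "no strong authentication by itself" point visible: every field is plain, nothing is authenticated, and anyone who can send to UDP 1701 can forge either kind of message. The helper names and sample values are assumptions.

```python
import struct

L2TP_PORT = 1701   # UDP port, RFC 2661
FLAG_T, FLAG_L, FLAG_S, FLAG_O, FLAG_P = 0x8000, 0x4000, 0x0800, 0x0200, 0x0100

# Message Type AVP values for control messages (RFC 2661 section 3.2).
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
                 7: "OCRQ", 8: "OCRP", 9: "OCCN", 10: "ICRQ", 11: "ICRP",
                 12: "ICCN", 14: "CDN", 15: "WEN", 16: "SLI"}


def parse_l2tp(datagram):
    """Parse an L2TPv2 header into a dict of the fields present.

    Nothing here authenticates the sender: tunnel and session IDs are 16-bit
    values the peers pick and there is no MAC, which is why IPsec is layered
    underneath in practice.
    """
    off = 0

    def need(n):
        if len(datagram) - off < n:
            raise ValueError("truncated L2TP header")

    need(2)
    (flags,) = struct.unpack_from("!H", datagram, off)
    off += 2
    if (flags & 0x000F) != 2:
        raise ValueError(f"unsupported L2TP version {flags & 0x000F}")
    control = bool(flags & FLAG_T)
    hdr = {"control": control, "priority": bool(flags & FLAG_P)}
    if flags & FLAG_L:
        need(2)
        (hdr["length"],) = struct.unpack_from("!H", datagram, off)
        off += 2
        if hdr["length"] > len(datagram):
            raise ValueError("Length field exceeds the datagram")
    elif control:
        raise ValueError("control messages must carry the Length field")
    need(4)
    hdr["tunnel_id"], hdr["session_id"] = struct.unpack_from("!HH", datagram, off)
    off += 4
    if flags & FLAG_S:
        need(4)
        hdr["ns"], hdr["nr"] = struct.unpack_from("!HH", datagram, off)
        off += 4
    elif control:
        raise ValueError("control messages must carry Ns/Nr")
    if flags & FLAG_O:
        if control:
            raise ValueError("control messages must not set the O bit")
        need(2)
        (pad,) = struct.unpack_from("!H", datagram, off)
        off += 2
        need(pad)
        off += pad
    end = hdr.get("length", len(datagram))
    if end < off:
        raise ValueError("Length field shorter than the header")
    hdr["payload"] = datagram[off:end]
    return hdr


def parse_avps(payload):
    """Split a control payload into AVPs: M bit, H bit, 10-bit length, vendor, type."""
    avps, off = [], 0
    while off < len(payload):
        if len(payload) - off < 6:
            raise ValueError("truncated AVP")
        bits, vendor, attr = struct.unpack_from("!HHH", payload, off)
        length = bits & 0x03FF
        if length < 6 or off + length > len(payload):
            raise ValueError("bad AVP length")
        avps.append({"mandatory": bool(bits & 0x8000), "hidden": bool(bits & 0x4000),
                     "vendor": vendor, "type": attr, "value": payload[off + 6:off + length]})
        off += length
    return avps


def describe(datagram):
    """One-line summary suitable for a log line or a detection rule."""
    hdr = parse_l2tp(datagram)
    ids = f"tunnel={hdr['tunnel_id']} session={hdr['session_id']}"
    if not hdr["control"]:
        return f"data {ids} payload={len(hdr['payload'])}B"
    avps = parse_avps(hdr["payload"])
    mtype = next((struct.unpack("!H", a["value"])[0] for a in avps
                  if a["vendor"] == 0 and a["type"] == 0 and len(a["value"]) == 2), None)
    name = "ZLB" if not avps else MESSAGE_TYPES.get(mtype, f"type{mtype}")
    return f"control {name} {ids} ns={hdr['ns']} nr={hdr['nr']}"


def _avp(attr, value, mandatory=True):
    return struct.pack("!HHH", (0x8000 if mandatory else 0) | (6 + len(value)), 0, attr) + value


def _control(tunnel, session, ns, nr, avps):
    body = b"".join(avps)
    return struct.pack("!HHHHHH", FLAG_T | FLAG_L | FLAG_S | 2, 12 + len(body),
                       tunnel, session, ns, nr) + body


# Constructed samples: the SCCRQ that opens a tunnel (Message Type 1,
# Protocol Version 1.0) and a data message carrying a PPP-framed IPv4 packet.
SAMPLE_SCCRQ = _control(0, 0, 0, 0, [_avp(0, b"\x00\x01"), _avp(2, b"\x01\x00")])
SAMPLE_DATA = struct.pack("!HHH", 2, 5, 7) + b"\xff\x03\x00\x21" + bytes(20)
```

Because the data header is six bytes of guessable identifiers, injecting into an unprotected L2TP session only requires knowing (or brute-forcing) the tunnel and session IDs; the ESP layer of L2TP/IPsec is what supplies the missing origin authentication.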

Layer 3 MPLS (Multiprotocol Label Switching) VPN

Similar to Layer 2 MPLS VPN, Layer 3 MPLS VPN, also known as L3VPN, is a type of VPN that uses MPLS labels to transport OSI Layer 3 packets. It is commonly used when customers want to communicate between remote offices through the Internet Service Provider (ISP) network. Customers can still access the public Internet through an L3VPN via an Internet Customer Edge router, though strict security policies should be applied to that router. The topology of a Layer 3 MPLS VPN network is shown in Figure 7.

Figure 7: Layer 3 MPLS Network

Layer 3 packets are separated by the Layer 3 MPLS VPN because other customers cannot access these packets. Unlike Layer 2 MPLS VPN, the Provider Edge (PE) routers in a Layer 3 MPLS VPN are responsible for routing and forward packets according to IP addresses (in a per-customer routing table) and MPLS labels. Security is also a big drawback of Layer 3 MPLS VPN. The VPN does not provide any confidentiality or integrity services. This means that a service provider can easily sniff VPN data, and there is no guarantee that packets are not corrupted or changed in transit. Customers can only trust the service provider, or give up this VPN solution. Layer 3 MPLS VPN has not been chosen to add mobility support because of these security issues.
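As an added example (not from the original document or any vendor), the following models the per-customer routing table, or VRF, that a PE router keeps in a Layer 3 MPLS VPN. Two constructed customers, Acme and Globex, both number their sites from 10.1.0.0/16; the route distinguisher keeps their routes apart when exported over MP-BGP, and the attachment interface selects the table on lookup. Customer names, interface names, route distinguishers, PE names and VPN labels are all assumptions for illustration.

```python
import ipaddress


class Vrf:
    """One customer's routing table on a PE. Routes are keyed (RD, prefix)
    when exported, so identical prefixes from two customers stay distinct."""

    def __init__(self, name, rd):
        self.name, self.rd = name, rd
        self.routes = []   # (network, egress PE, VPN label advertised by that PE)

    def add(self, prefix, egress_pe, vpn_label):
        self.routes.append((ipaddress.ip_network(prefix), egress_pe, vpn_label))

    def lookup(self, dst):
        """Longest-prefix match within this VRF only."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, pe, label in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, pe, label)
        return best

    def export(self):
        """VPN-IPv4 NLRI the PE would advertise over MP-BGP: 'RD:prefix'."""
        return [f"{self.rd}:{net}" for net, _, _ in self.routes]


class ProviderEdge:
    def __init__(self):
        self.vrfs = {}
        self.by_interface = {}

    def attach(self, interface, vrf):
        self.vrfs[vrf.name] = vrf
        self.by_interface[interface] = vrf

    def forward(self, interface, dst, payload=b""):
        """Forward a packet arriving on a customer attachment circuit.

        Returns the forwarding decision, or None if the VRF has no route;
        a miss never falls through into another customer's table. The
        payload is returned untouched: no encryption, no integrity check.
        """
        vrf = self.by_interface[interface]
        hit = vrf.lookup(dst)
        if hit is None:
            return None
        net, pe, label = hit
        return {"vrf": vrf.name, "route": f"{vrf.rd}:{net}", "egress_pe": pe,
                "vpn_label": label, "payload": payload}


def build_demo_pe():
    """Constructed topology: two customers both numbered from 10.1.0.0/16."""
    acme = Vrf("Acme", "65000:1")
    acme.add("10.1.0.0/16", "PE2", 3001)
    acme.add("10.1.2.0/24", "PE4", 3003)   # a more specific branch-site route
    globex = Vrf("Globex", "65000:2")
    globex.add("10.1.0.0/16", "PE3", 3002)
    pe = ProviderEdge()
    pe.attach("ge-0/0/1", acme)
    pe.attach("ge-0/0/2", globex)
    return pe


if __name__ == "__main__":
    pe = build_demo_pe()
    print(pe.forward("ge-0/0/1", "10.1.2.3"))
    print(pe.forward("ge-0/0/2", "10.1.2.3"))
    print(pe.forward("ge-0/0/2", "192.168.1.1"))
```

The same destination address yields two different egress PEs and labels depending only on which interface the packet arrived on; that is the whole of the "protection" the section describes, which is why a provider-side capture or a wrongly bound interface exposes customer data directly.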

Internet Protocol Security (IPsec)

IPsec is a suite of protocols for securing IP communications at the OSI Network Layer. It encapsulates IP packets in IPsec packets (ESP for confidentiality and integrity, AH for integrity only) and sends them to the other end of the tunnel. It supports peer authentication, data integrity, replay protection and data confidentiality (encryption). IPsec can be used to protect IP packets (OSI Layer 3 packets) between a pair of hosts (Peer-to-Peer VPN), between a security gateway and a host (Client-to-Server VPN), or between a pair of security gateways (Site-to-Site VPN). Compared to the other VPN protocols examined, IPsec offers very strong security. It is very popular and is integrated into the next generation network (IPv6). IPsec is a complex system which includes encapsulation, encryption, authentication, and key exchange and management (IKE). IPsec by itself is not useful for mobile business scenarios, as there is no native ability to cope with mobile clients. An IPsec extension, MOBIKE, adds mobility support to IPsec and is discussed in RFC 4555. However, that solution has some limitations.
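The following is an added example (not from the original document and not a real IPsec implementation): the ESP anti-replay sliding window of RFC 4303 section 3.4.3, combined with an ICV check modelled as HMAC-SHA-256 truncated to 128 b its (RFC 4868). The window is consulted before the MAC is computed and advanced only after the MAC verifies, which is what makes a forged packet with a high sequence number harmless. The payload is treated as already-encrypted opaque bytes (no AES here); the SPI, the key and the sequence of events are constructed, and 32-bit (non-extended) sequence numbers are assumed.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16   # HMAC-SHA-256-128 (RFC 4868): 256-bit tag truncated to 128 bits


class ReplayWindow:
    """RFC 4303 3.4.3 sliding window over 32-bit ESP sequence numbers.
    Bit i of the bitmap set means (top - i) has already been accepted."""

    def __init__(self, size=64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32")
        self.size, self.top, self.bitmap = size, 0, 0

    def check(self, seq):
        """Classify seq without changing state."""
        if seq == 0:
            return "reject: sequence number 0 is never sent"
        if seq > self.top:
            return "accept"
        if self.top - seq >= self.size:
            return "reject: older than the replay window"
        if (self.bitmap >> (self.top - seq)) & 1:
            return "reject: replayed"
        return "accept"

    def update(self, seq):
        """Record seq as received; call only after the ICV verified."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def build_esp(spi, seq, opaque_ciphertext, auth_key):
    """SPI | Seq | (already encrypted) payload | ICV, per the ESP packet layout."""
    body = struct.pack("!II", spi, seq) + opaque_ciphertext
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def inbound_esp(packet, auth_key, window):
    """Receiver-side order of checks: replay window first (cheap, and it drops
    duplicates before any MAC work), then the ICV, then the window advances."""
    if len(packet) < 8 + ICV_LEN:
        return "reject: truncated"
    spi, seq = struct.unpack_from("!II", packet)
    verdict = window.check(seq)
    if verdict != "accept":
        return verdict
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return "reject: bad ICV"
    window.update(seq)
    return "accept"


def run_demo():
    """Constructed event sequence against one SA; returns the verdicts."""
    key = b"constructed-demo-auth-key"   # assumption: real keys come from IKE
    window = ReplayWindow(64)

    def send(seq, sender_key=key):
        return inbound_esp(build_esp(0x1000, seq, b"opaque-ciphertext", sender_key), key, window)

    return [
        send(1), send(2), send(3),
        send(2),                 # replay of an accepted packet
        send(70),                # large forward jump slides the window
        send(10),                # late but still inside the 64-entry window
        send(5),                 # 70 - 5 = 65 >= 64: too old
        send(71, b"wrong-key"),  # forged: bad ICV, window must not advance
        send(71),                # the genuine 71 is therefore still accepted
        send(71),                # ...and its replay is not
    ]


if __name__ == "__main__":
    for i, verdict in enumerate(run_demo(), 1):
        print(i, verdict)
```

The order of operations matters: if the window were advanced on the forged packet before its ICV was checked, an attacker who can only inject unauthenticated packets could still cause the legitimate packet 71 to be dropped as a replay.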
Choosing a VPN to add mobility support

The VPN protocols examined do not have a native ability to cope with mobile clients. Adding mobility support to an existing VPN protocol is one way to solve the problem. The final solution should have a wide range of applications, good security, a small handoff time and simplicity of use. A VPN that transfers Layer 2 packets will be chosen, as it has a wider range of applications and can transfer almost all kinds of Internet packets: IP packets, non-IP packets (such as IPX packets) and Layer 2 packets (such as PPP packets [16]). A brief comparison among the different Layer 2 VPNs is given below.

• Layer 2 MPLS VPN has big security issues. It assumes that the ISP network can be trusted, and none of the packets within the ISP network are encrypted.

• OpenVPN is not widely used and, in the author's assessment, is relatively weak in security.

• PPTP is weak in security and is patent-encumbered. It is difficult to modify PPTP.

• L2TP provides Layer 2 tunnelling functions and, together with IPsec, provides good security. Although L2TP/IPsec tunnels do not support NAT (absent NAT traversal), IPv6 (the next generation network) has an almost unlimited number of addresses, which makes NAT unnecessary. The L2TP/IPsec tunnel has been chosen to add mobility support because it has a good range of applications (transferring Layer 2 packets) and is strong in security (using IPsec).
5. Conclusion

A Virtual Private Network (VPN) is a connection which provides secure private communication over an insecure network. VPNs can be classified by topology or by protocol, and the VPNs examined do not have native mobility support. L2TP is an open standard Layer 2 tunnelling protocol which does not provide strong authentication by itself and is commonly combined with IPsec to secure the tunnel. L2TP/IPsec is the most suitable choice for adding mobility support, as the other VPN protocols have problems with security or other issues.
