
IPASJ International Journal of Information Technology (IIJIT)

Web Site: http://www.ipasj.org/IIJIT/IIJIT.htm


Email: editoriijit@ipasj.org
ISSN 2321-5976

A Publisher for Research Motivation ........

Volume 2, Issue 11, November 2014

AN OVERVIEW OF REMOTE ACCESS VPNS: ARCHITECTURE AND EFFICIENT INSTALLATION
DR. P. RAJAMOHAN
SENIOR LECTURER, SCHOOL OF INFORMATION TECHNOLOGY, SEGi UNIVERSITY, TAMAN SAINS
SELANGOR, KOTA DAMANSARA, PJU 5, 47810 PJ, SELANGOR DARUL EHSAN, MALAYSIA.

ABSTRACT
A Virtual Private Network (VPN) is a private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures. This paper presents an analysis of Remote Access Virtual Private Network architectures and of their efficient installation. IP-based Virtual Private Networking (IP-VPN) is a secure alternative to traditional dial-in remote access: in IP-VPNs, all connections to corporate intranets are calls to a local ISP, carried by the Internet to a corporate VPN gateway.

Keywords:- VPN - Virtual Private Networks, RA-VPN - Remote Access Virtual Private Networks, ISP - Internet Service Provider, RRAS - Routing and Remote Access Service, RADIUS - Remote Authentication Dial-In User Service.

1. INTRODUCTION
A Virtual Private Network (VPN) is a public network being used for private communication. The VPN connection is an authenticated and encrypted communications channel, or tunnel, across this public network, such as the Internet. Because the network is considered insecure, encryption and authentication are used to protect data while in transit. VPN service is application-independent: client operation is transparent to the user, and all information exchanged between the two hosts (World Wide Web, File Transfer Protocol, e-mail, etc.) is transmitted across the encrypted channel. A VPN is a private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures. A virtual private network can be contrasted with a system of owned or leased lines that can only be used by one company. The main purpose of a VPN is to give the company the same capabilities as private leased lines at much lower cost by using the shared public infrastructure [1].
1.1 Routing
A router is a device that manages the flow of data between network segments, or subnets. A router directs incoming and outgoing packets based on the state of its own network interfaces and a list of possible sources and destinations for network traffic. By projecting network traffic and routing needs from the number and types of hardware devices and applications used in the environment, we can decide whether to use a dedicated hardware router, a software-based router, or a combination of both. Generally, dedicated hardware routers handle heavier routing demands best, and less expensive software-based routers handle lighter routing loads. A software-based routing solution, such as RRAS in Windows, can be ideal on a small, segmented network with relatively light traffic between subnets. Enterprise network environments that have a large number of network segments and a wide range of performance requirements might need a variety of hardware-based routers to perform different roles throughout the network [1].
1.2 Remote access
By configuring RRAS to act as a remote access server, we can connect remote users and remote networks to the organization's network. Remote users can work as if their computers were directly connected to the network. All services typically available to a directly connected user, including file and printer sharing, Web server access, and messaging, are enabled by means of the remote access connection.
An RRAS server provides two different types of remote access connectivity:
Virtual Private Networking. A virtual private network (VPN) is a secured, point-to-point connection across a public network, such as the Internet. A VPN client uses special TCP/IP-based protocols called tunneling protocols to make a connection to a virtual port on a remote VPN server. The VPN server accepts the connection, authenticates the connecting user and computer, and then transfers data between the VPN client and the corporate network.


Dial-Up Networking. In dial-up networking, a remote access client makes a dial-up telephone connection to a physical port on a remote access server by using the service of a telecommunications provider, such as analog telephone or ISDN. Dial-up networking over an analog phone line or ISDN is a direct physical connection between the dial-up networking client and the dial-up networking server.
Remote access is best defined as providing access to fixed-site resources for users who are not at a fixed workstation on that same site's Local Area Network (LAN). The largest remote access user community is mobile or telecommuting users, such as a sales force or field engineering team. Figure - 1 illustrates a traditional remote access network using the Public Switched Telephone Network (PSTN) or the Integrated Services Digital Network (ISDN).

Figure - 1. Traditional Remote Access (PSTN/ISDN Transport)


Traditional remote access connectivity is achieved with users dialing into a dedicated PSTN/ISDN modem pool, maintained either by a corporate Information Systems/Information Technology staff or by the network service provider. A secure alternative to traditional remote access is IP-based Virtual Private Networking (IP-VPN). In IP-VPNs, all connections to corporate intranets are calls to a local ISP, carried by the Internet to a corporate VPN gateway [1]-[3].
1.3 VPN Connection
VPN can be broadly classified into two types of connections. They are: Remote access VPN and Site-to-site VPN.

Figure - 1: Classification of VPN connection


1.3.1 Remote Access VPN
A Remote Access VPN connection enables a user working at home or on the road to access a server on a private network by using the infrastructure provided by a public network, such as the Internet. From the user's perspective, the VPN is a point-to-point connection between the client computer and the organization's server. The infrastructure of the shared or public network is irrelevant because it appears logically as if the data is sent over a dedicated private link.
1.3.2 Site-to-Site VPN
A Site-to-Site VPN connection (sometimes called a router-to-router VPN connection) enables an organization to have routed connections between separate offices or with other organizations over a public network while helping to maintain secure communications. When networks are connected over the Internet, as shown in Figure - 2, a VPN-enabled router forwards packets to another VPN-enabled router across a VPN connection. To the routers, the VPN connection appears logically as a dedicated, data-link layer link. In a Site-to-Site VPN connection the calling router authenticates itself to the answering router, and, for mutual authentication, the answering router authenticates itself to the calling router. In a Site-to-Site VPN connection, the packets sent from either router across the VPN connection typically do not originate at the routers. Site-to-site VPNs can be further classified into two types: Intranet-based VPN and Extranet-based VPN [2].


Figure - 2: VPN connecting two remote sites across the Internet


Intranet-Based VPN: If a company has one or more remote locations that it wishes to join in a single private network, it can create an Intranet VPN to connect LAN to LAN.
Extranet-Based VPN: When a company has a close relationship with another company, it can build an Extranet VPN that connects LAN to LAN and allows the various companies to work in a shared environment. A Remote access VPN is also called a virtual private dial-up network (VPDN). The Remote access VPN establishes the User-to-LAN connection, so an authenticated user can log on to the VPN tunnel from anywhere using a laptop [2][3].

2. AUTHENTICATION
Authentication is the first major component of a VPN. Authentication is the process of identifying the entity (user, router, or network device) requiring access. This authentication is often done by means of a cryptographic function, such as a challenge/response algorithm. The following sections discuss these authentication methods [3]:
Point-to-Point Tunneling Protocol with Password Authentication Protocol/Challenge Handshake Authentication Protocol (PPTP-PAP/CHAP)
Digital certificates
RADIUS servers
2.1 PPTP-PAP/CHAP
Password Authentication Protocol (PAP) is the most insecure authentication method available today because both the username and password are sent across the link in clear text. Anyone monitoring the connection could collect and use the information to gain access to the network. The Challenge Handshake Authentication Protocol (CHAP) works as follows:
1. The client establishes a connection with the server and the server sends a random challenge (together with an identifier) back to the client.
2. The client hashes the identifier, its shared secret and the challenge together (MD5 in RFC 1994) and sends the resulting response back to the server for verification.
3. The server looks up the client's secret in its database and computes the same hash over the challenge it issued.
4. If the two values are the same, authentication succeeds.
The secret itself never crosses the link and, because each challenge is fresh, a captured response cannot be replayed. CHAP does not, however, eliminate dictionary attacks: an eavesdropper who records one challenge/response pair can test candidate passwords offline until the hash matches, and the server must hold each secret in recoverable (not hashed) form. CHAP also supports (user-transparent) periodic re-challenging of the client during the session, which limits how long a hijacked link remains usable [2][3].
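The exchange above, as an added example that is not part of the original paper: a minimal RFC 1994 MD5-CHAP client and server in Python, with a check that a replayed response is refused and a demonstration of the offline dictionary attack against a captured exchange. The user name, secret and word list are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed demo user database (server side). CHAP requires the server to hold
# the secret in recoverable form, which is one of its weaknesses.
USER_DB = {"alice": b"correct horse battery staple"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 MD5-CHAP: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Issues one fresh random challenge per attempt and verifies the response."""

    def __init__(self, user_db):
        self.user_db = user_db
        self.identifier = 0
        self.outstanding = {}          # identifier -> challenge still awaiting a response

    def challenge(self):
        self.identifier = (self.identifier + 1) & 0xFF
        chal = os.urandom(16)
        self.outstanding[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        chal = self.outstanding.pop(identifier, None)   # a challenge is usable exactly once
        secret = self.user_db.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)


def chap_exchange(server: ChapServer, name: str, client_secret: bytes):
    """One full client/server exchange; returns what an eavesdropper sees plus the outcome."""
    ident, chal = server.challenge()
    resp = chap_response(ident, client_secret, chal)   # computed on the client
    return ident, chal, resp, server.verify(ident, name, resp)


def offline_dictionary_attack(identifier, challenge, response, wordlist):
    """An eavesdropper who captured one exchange tests candidate secrets offline;
    nothing in CHAP stops this, only the strength of the secret does."""
    for word in wordlist:
        if chap_response(identifier, word, challenge) == response:
            return word
    return None
```

The server pops the challenge when it is answered, so a replayed response fails even though it was once valid; the dictionary attack succeeds against any weak secret because the whole computation is public except the secret.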
2.2 Digital Certificates
Digital certificates include information about the owner of the certificate; therefore, when users visit a (secured) web site, their web browsers check the information in the certificate to see whether it matches the site named in the URL. A digital certificate could be likened to a security driver's license. Certificates are issued by Certificate Authorities (CAs). The contents of a digital certificate include the certificate holder's identity, the certificate's serial number, a fixed, unchangeable validity period (the start and expiration dates), a copy of the certificate holder's public key for encryption and/or signature verification, the holder's organization name, city and state, and the issuing CA's signature over all of these fields, which is what lets the relying party detect any alteration.
2.3 RADIUS Servers
Remote Authentication Dial-In User Service (RADIUS) is a distributed system securing network remote access and network resources against unauthorized access. RADIUS authentication includes two components:
Authentication server - Installed at the customer's site; holds all user authentication and network access information.
Client - The RADIUS client is the network access device (dial-up server, VPN server, wireless access point or firewall). It sends an Access-Request carrying the user's credentials to the RADIUS server and acts on the Access-Accept or Access-Reject sent back. Client and server share a secret that authenticates the server's replies and hides the user's password in transit.
RADIUS is not limited to dial-up service; many firewall vendors support RADIUS authentication [2][3].
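As an added example (not from the original paper), the RFC 2865 Access-Request/Access-Accept exchange between a RADIUS client and server in Python, including the MD5-based hiding of the User-Password attribute and the Response Authenticator that lets the client reject a reply forged without the shared secret. The shared secret, user database and NAS address are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), chaining from the Request Authenticator."""
    padded = password + b"\x00" * ((-len(password)) % 16)
    padded = padded or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Each attribute is Type(1) Length(1, counting these two bytes) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(ident, username, password, secret, nas_ip=bytes([10, 0, 0, 1])):
    """RADIUS client (the VPN server) side. nas_ip is a constructed example address."""
    request_auth = os.urandom(16)
    attrs = encode_attrs([
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)),
        (ATTR_NAS_IP_ADDRESS, nas_ip),
    ])
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code | ID | Length | RequestAuth | Attributes | Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def radius_server(request: bytes, secret: bytes, user_db: dict) -> bytes:
    """Server side: recover the password, check it, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = decode_attrs(request[20:length])
    name = attrs.get(ATTR_USER_NAME, b"")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    stored = user_db.get(name)
    ok = code == ACCESS_REQUEST and stored is not None and hmac.compare_digest(stored, password)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply_code, ident, request_auth, b"", secret)
    return build_packet(reply_code, ident, auth, b"")


def verify_reply(request: bytes, reply: bytes, secret: bytes) -> str:
    """Client side: 'accept' / 'reject' only if the Response Authenticator proves the
    reply was produced with our shared secret and matches our request; else 'forged'."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, request[4:20], reply[20:length], secret)
    if ident != request[1] or not hmac.compare_digest(expected, reply[4:20]):
        return "forged"
    return "accept" if code == ACCESS_ACCEPT else "reject"
```

The password hiding is reversible by anyone holding the shared secret, so RADIUS traffic between the VPN server and the RADIUS server should itself run over a trusted or encrypted network segment.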


3. ARCHITECTURE: VPN TUNNELING PROTOCOLS

Tunneling enables the encapsulation of a packet of one protocol within the datagram of a different protocol. For example, a VPN uses Point-to-Point Tunneling Protocol (PPTP) to encapsulate IP packets over a public network, such as the Internet. A VPN solution can be configured based on PPTP, Layer Two Tunneling Protocol (L2TP), Secure Socket Tunneling Protocol (SSTP), or Internet Protocol security (IPsec) using Internet Key Exchange version 2 (IKEv2). PPTP, L2TP, and SSTP depend heavily on the features originally specified for the Point-to-Point Protocol (PPP). PPP was designed to send data across dial-up or dedicated point-to-point connections. For IP, PPP encapsulates IP packets within PPP frames and then transmits the encapsulated PPP packets across a point-to-point link. PPP was originally defined as the protocol to use between a dial-up client and a network access server [2][3].
3.1 PPTP
PPTP allows multiprotocol traffic to be encrypted and then encapsulated in an IP header to be sent across an IP network or a public IP network, such as the Internet. PPTP can be used for remote access and site-to-site VPN connections. When using the Internet as the public network for VPN, the PPTP server is a PPTP-enabled VPN server with one interface on the Internet and a second interface on the intranet [1][3].
3.1.1 Encapsulation
PPTP encapsulates PPP frames in IP datagrams for transmission over the network. PPTP uses a TCP connection (port 1723) for tunnel management and a modified version of Generic Routing Encapsulation (GRE, IP protocol 47) to encapsulate PPP frames as tunneled data. The payloads of the encapsulated PPP frames can be encrypted, compressed, or both. Any firewall or NAT device on the path must therefore pass both TCP 1723 and GRE, not just TCP.
3.1.2 Structure of a PPTP packet containing an IP datagram

Figure - 3: PPTP - IP Datagram
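The enhanced GRE header of RFC 2637 that PPTP puts in front of each PPP frame, as an added Python example that is not from the original paper: a builder and a parser covering the key field (payload length and call ID) and the optional sequence and acknowledgement numbers. Call IDs, sequence numbers and the PPP frame are constructed values. Everything the parser returns (call ID, sequence numbers, the outer PPP protocol field, which is 0x00FD when MPPE is in use) is readable by any observer on the path; only the PPP payload behind that field is encrypted.

```python
import struct

GRE_PROTO_PPP = 0x880B        # protocol type PPTP uses for PPP payloads (RFC 2637)
PPP_PROTO_IPV4 = 0x0021
PPP_PROTO_MPPE = 0x00FD       # compressed/encrypted datagram: the real protocol is inside


def build_pptp_gre(call_id: int, ppp_frame: bytes, seq=None, ack=None) -> bytes:
    """Enhanced GRE header: flags/version, protocol type, key = payload length + call ID,
    then optional sequence and acknowledgement numbers, then the PPP frame."""
    flags0 = 0x20                       # K: key field present (always set for PPTP)
    flags1 = 0x01                       # version 1 = enhanced GRE
    if seq is not None:
        flags0 |= 0x10                  # S: sequence number present
    if ack is not None:
        flags1 |= 0x80                  # A: acknowledgement number present
    hdr = struct.pack("!BBHHH", flags0, flags1, GRE_PROTO_PPP, len(ppp_frame), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + ppp_frame


def is_pptp_gre(packet: bytes) -> bool:
    if len(packet) < 8:
        return False
    flags0, flags1, proto = struct.unpack("!BBH", packet[:4])
    return proto == GRE_PROTO_PPP and (flags1 & 0x07) == 1 and bool(flags0 & 0x20)


def parse_pptp_gre(packet: bytes) -> dict:
    """Returns the fields any observer on the path can read: none of them is encrypted."""
    if not is_pptp_gre(packet):
        raise ValueError("not a PPTP enhanced GRE packet")
    flags0, flags1, _, payload_len, call_id = struct.unpack("!BBHHH", packet[:8])
    off, seq, ack = 8, None, None
    if flags0 & 0x10:
        seq, = struct.unpack("!I", packet[off:off + 4])
        off += 4
    if flags1 & 0x80:
        ack, = struct.unpack("!I", packet[off:off + 4])
        off += 4
    payload = packet[off:off + payload_len]
    if len(payload) != payload_len:
        raise ValueError("truncated PPP payload")
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": payload}


def ppp_protocol(frame: bytes) -> int:
    """PPP protocol field; PPTP may carry the frame with or without the 0xFF 0x03
    address/control bytes, so skip them when present."""
    if frame[:2] == b"\xff\x03":
        frame = frame[2:]
    return struct.unpack("!H", frame[:2])[0]


def build_ppp(protocol: int, payload: bytes) -> bytes:
    """Constructed PPP frame with address/control bytes and a protocol field."""
    return b"\xff\x03" + struct.pack("!H", protocol) + payload
```

A packet filter that only understands TCP and UDP cannot inspect or NAT this header; that is why PPTP needs explicit GRE handling on firewalls, while L2TP/IPsec and SSTP ride on UDP or TCP.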


3.1.3 Encryption
The PPP frame is encrypted with Microsoft Point-to-Point Encryption (MPPE) by using encryption keys generated from the Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) or Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication process. VPN clients must use the MS-CHAP v2 or EAP-TLS authentication protocols in order for the payloads of PPP frames to be encrypted. PPTP takes advantage of the underlying PPP encryption and encapsulates an already encrypted PPP frame. Only the 128-bit RC4 encryption algorithm is supported; 40- and 56-bit RC4 support was removed starting with Windows Vista and Windows Server 2008, but can be re-enabled by changing a registry key [2][9]. Two practical caveats: MPPE is a stream cipher with no integrity check, so an attacker can flip bits in the encrypted payload undetected (see 3.4), and the MS-CHAP v2 handshake that produces the MPPE keys can be broken by an exhaustive search of a single 56-bit DES key, so PPTP with MS-CHAP v2 should not be relied on for confidentiality; EAP-TLS, or a different tunnel type, is the safer choice.
3.2 L2TP/IPsec
L2TP/IPsec allows multiprotocol traffic to be encrypted and then sent over any medium that supports point-to-point datagram delivery, such as IP or Asynchronous Transfer Mode (ATM). L2TP is a combination of PPTP and Layer 2 Forwarding (L2F), a technology developed by Cisco Systems, Inc. L2TP represents the best features of PPTP and L2F. Unlike PPTP, the Microsoft implementation of L2TP does not use MPPE to encrypt PPP datagrams. L2TP uses IPsec in Transport Mode for encryption services. The combination of L2TP and IPsec is known as L2TP/IPsec. Both L2TP and IPsec must be supported by both the VPN client and the VPN server. Client support for L2TP is built in to the Windows remote access clients, and VPN server support for L2TP is built in to the Windows Server operating system. L2TP/IPsec is installed with the TCP/IP protocol [1][3].
3.2.1 Encapsulation
Encapsulation for L2TP/IPsec packets consists of two layers:
3.2.1.1 First Layer: L2TP encapsulation
A PPP frame (carrying an IP datagram) is wrapped with an L2TP header and a UDP header (UDP port 1701). The following figure shows the structure of an L2TP packet containing an IP datagram.

3.2.1.2 Structure of an L2TP packet containing an IP datagram

Figure - 4: L2TP - IP Datagram


3.2.1.3 Second Layer: IPsec encapsulation


The resulting L2TP message is then wrapped with an IPsec Encapsulating Security Payload (ESP) header and trailer, an IPsec authentication trailer (the integrity check value) that provides message integrity and data origin authentication, and a final IP header. The source and destination addresses in this IP header are those of the VPN client and VPN server. The following illustration shows L2TP and IPsec encapsulation for a PPP datagram [2][9][10].
3.2.2 Encryption of L2TP traffic with IPsec ESP

Figure - 5: L2TP Traffic with IPSec ESP


3.2.2.1 Encryption
The L2TP message is encrypted with one of the following algorithms, using encryption keys generated by the IKE negotiation process: Advanced Encryption Standard (AES) 256, AES 192, AES 128, or 3DES. Data Encryption Standard (DES) encryption with Message Digest 5 (MD5) integrity checking has been removed, but can be added (not recommended) by changing a registry key [3].
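The two encapsulation layers of 3.2.1 and the integrity protection of 3.2.2, as an added Python example that is not from the original paper: a PPP frame is wrapped in an RFC 2661 L2TP data header and a UDP header for port 1701, then in an RFC 4303 ESP header, trailer and integrity check value (ICV), and the receiver verifies the ICV, enforces increasing sequence numbers and unwinds the layers. Because the Python standard library has no AES, the ESP layer here uses NULL encryption (RFC 2410) with an HMAC-SHA256-128 ICV; the Windows deployment the text describes additionally encrypts payload and trailer with AES-CBC or 3DES. Tunnel and session IDs, SPI, keys and the PPP frame are constructed values.

```python
import hashlib
import hmac
import struct

L2TP_PORT = 1701
PROTO_UDP = 17


def build_l2tp_data(tunnel_id: int, session_id: int, ppp_frame: bytes, ns=None, nr=None) -> bytes:
    """RFC 2661 data message: T=0, L=1 (length present), S=1 when Ns/Nr carried, Ver=2."""
    flags = 0x4000 | 0x0002
    body = struct.pack("!HH", tunnel_id, session_id)
    if ns is not None:
        flags |= 0x0800
        body += struct.pack("!HH", ns, nr)
    length = 4 + len(body) + len(ppp_frame)          # flags(2) + length(2) + body + payload
    return struct.pack("!HH", flags, length) + body + ppp_frame


def parse_l2tp_data(msg: bytes):
    flags, = struct.unpack("!H", msg[:2])
    if flags & 0x8000 or (flags & 0x000F) != 2:      # T bit set = control message
        raise ValueError("not an L2TPv2 data message")
    off, length = 2, len(msg)
    if flags & 0x4000:
        length, = struct.unpack("!H", msg[off:off + 2])
        off += 2
    tunnel_id, session_id = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    ns = nr = None
    if flags & 0x0800:
        ns, nr = struct.unpack("!HH", msg[off:off + 4])
        off += 4
    if flags & 0x0200:                               # O bit: offset size + padding
        offset_size, = struct.unpack("!H", msg[off:off + 2])
        off += 2 + offset_size
    return tunnel_id, session_id, ns, nr, msg[off:length]


def udp_wrap(payload: bytes, sport=L2TP_PORT, dport=L2TP_PORT) -> bytes:
    # Checksum left at zero (allowed for IPv4); the ESP ICV covers the datagram anyway.
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def esp_encapsulate(spi: int, seq: int, inner: bytes, key: bytes, next_header=PROTO_UDP) -> bytes:
    """RFC 4303 ESP: SPI | Seq | payload | padding | pad length | next header | ICV.
    NULL encryption (RFC 2410) with HMAC-SHA256-128 ICV; a real L2TP/IPsec stack
    encrypts payload + trailer (AES-CBC or 3DES here) before computing the ICV."""
    pad_len = (-(len(inner) + 2)) % 4                # payload + trailer aligned to 4 bytes
    padding = bytes(range(1, pad_len + 1))           # default pad pattern 1, 2, 3, ...
    protected = struct.pack("!II", spi, seq) + inner + padding + bytes([pad_len, next_header])
    return protected + hmac.new(key, protected, hashlib.sha256).digest()[:16]


class EspReceiver:
    """Checks the ICV first, then the SPI, then anti-replay, then strips the trailer."""

    def __init__(self, spi: int, key: bytes):
        self.spi, self.key, self.last_seq = spi, key, 0

    def decapsulate(self, packet: bytes):
        protected, icv = packet[:-16], packet[-16:]
        if not hmac.compare_digest(hmac.new(self.key, protected, hashlib.sha256).digest()[:16], icv):
            raise ValueError("ESP ICV mismatch: packet modified or wrong key")
        spi, seq = struct.unpack("!II", protected[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        if seq <= self.last_seq:
            raise ValueError("replayed or out-of-order sequence number")
        self.last_seq = seq
        pad_len, next_header = protected[-2], protected[-1]
        return next_header, protected[8:len(protected) - 2 - pad_len]


def esp_status(receiver: EspReceiver, packet: bytes) -> str:
    try:
        receiver.decapsulate(packet)
        return "ok"
    except ValueError as err:
        return str(err)


def l2tp_ipsec_roundtrip(ppp_frame: bytes, key: bytes, tamper=False):
    """PPP -> L2TP -> UDP/1701 -> ESP on the sender, unwound on the receiver.
    Returns the recovered PPP frame, or the rejection reason as a string."""
    l2tp = build_l2tp_data(tunnel_id=5, session_id=9, ppp_frame=ppp_frame, ns=1, nr=0)
    esp = esp_encapsulate(spi=0x1000, seq=1, inner=udp_wrap(l2tp), key=key)
    if tamper:                                       # flip one bit in the L2TP tunnel ID
        esp = esp[:20] + bytes([esp[20] ^ 0x01]) + esp[21:]
    receiver = EspReceiver(0x1000, key)
    try:
        next_header, datagram = receiver.decapsulate(esp)
    except ValueError as err:
        return str(err)
    assert next_header == PROTO_UDP and datagram[2:4] == struct.pack("!H", L2TP_PORT)
    return parse_l2tp_data(datagram[8:])[4]
```

The order of checks on the receiver matters: the ICV is verified before anything in the packet is trusted, so a forged or modified packet never reaches the L2TP or PPP parsers, and the sequence check stops a captured packet from being replayed later.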
3.3 SSTP
Secure Socket Tunneling Protocol (SSTP) is a tunneling protocol that uses the HTTPS protocol over TCP port 443 to pass traffic through firewalls and Web proxies that might block PPTP and L2TP/IPsec traffic. SSTP provides a mechanism to encapsulate PPP traffic over the SSL/TLS channel of the HTTPS protocol. The use of PPP allows support for strong authentication methods, such as EAP-TLS. SSL/TLS provides transport-level security with key negotiation, encryption, and integrity checking. When a client tries to establish an SSTP-based VPN connection, SSTP first establishes a bidirectional HTTPS layer with the SSTP server; the client relies on validating the server's certificate to know it is talking to the genuine server rather than an impostor. Over this HTTPS layer, the protocol packets flow as the data payload [3][9][10].
3.3.1 Encapsulation
SSTP encapsulates PPP frames in IP datagrams for transmission over the network. SSTP uses a single TCP connection (over port 443) for tunnel management as well as for the PPP data frames.
3.3.2 Encryption
The SSTP message is encrypted with the SSL/TLS channel of the HTTPS protocol.
3.3.3 IKEv2
IKEv2 is a tunneling protocol that uses IPsec Tunnel Mode. The IKEv2 negotiation runs over UDP port 500 (UDP port 4500 when NAT traversal is in use) and the tunneled data is carried in ESP. An IKEv2 VPN provides resilience to the VPN client when the client moves from one wireless hotspot to another or when it switches from a wireless to a wired connection. The use of IKEv2 and IPsec allows support for strong authentication and encryption methods.
3.3.4 Encapsulation
IKEv2 encapsulates datagrams by using IPsec ESP or AH headers for transmission over the network.
3.3.5 Encryption
The message is encrypted with one of the following algorithms, using encryption keys generated by the IKEv2 negotiation process: Advanced Encryption Standard (AES) 256, AES 192, AES 128, or 3DES.
3.4 Choosing Between Tunneling Protocols for Remote Access VPNs
When choosing between PPTP, L2TP/IPsec, SSTP, and IKEv2 remote access VPN solutions, consider the following:
PPTP can be used with a variety of Microsoft clients, including Microsoft Windows 2000 and later versions of
Windows. Unlike L2TP/IPsec and IKEv2, PPTP does not require the use of a public key infrastructure (PKI). By
using encryption, PPTP-based VPN connections provide data confidentiality (captured packets cannot be
interpreted without the encryption key). PPTP-based VPN connections, however, do not provide data integrity
(proof that the data was not modified in transit) or data origin authentication (proof that the data was sent by the
authorized user).
L2TP can be used with client computers running Windows 2000 and later versions of Windows. L2TP supports
either computer certificates or a preshared key as the authentication method for IPsec. Computer certificate
authentication, the recommended authentication method, requires a PKI to issue computer certificates to the VPN
server computer and all VPN client computers. By using IPsec, L2TP/IPsec VPN connections provide data


confidentiality, data integrity, and data authentication. Unlike PPTP and SSTP, L2TP/IPsec enables machine
authentication at the IPsec layer and user level authentication at the PPP layer.
SSTP can only be used with client computers running Windows Vista Service Pack 1 (SP1), Windows Server 2008, and later versions of Windows. By using SSL/TLS, SSTP VPN connections provide data confidentiality, data integrity, and data authentication.
IKEv2 is supported on computers running Windows 7 and Windows Server 2008 R2 and later. By using IPsec, IKEv2 VPN connections provide data confidentiality, data integrity, and data authentication. IKEv2 supports the latest IPsec encryption algorithms. Because of its support for mobility (MOBIKE), it is much more resilient to changing network connectivity, making it a good choice for mobile users who move between access points and even switch between wired and wireless connections [4].
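Why the comparison above lists PPTP as lacking data integrity, as an added Python example that is not from the original paper: MPPE's RC4 is a stream cipher, so an attacker who knows or guesses the plaintext at some offset (here the destination address in the IP header) can rewrite it by XORing the ciphertext, without the key and without the receiver noticing; the same packet under an ESP-style construction with an HMAC integrity check value is rejected. The RC4 routine is a plain textbook implementation, the keys and the IP header are constructed values, and HMAC-SHA256 is the MAC chosen for the example.

```python
import hashlib
import hmac


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (the cipher behind MPPE); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def mppe_style_protect(key: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only, as in PPTP/MPPE: the ciphertext carries no integrity tag."""
    return rc4(key, plaintext)


def mppe_style_open(key: bytes, ciphertext: bytes) -> bytes:
    return rc4(key, ciphertext)


def esp_style_protect(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Same cipher plus an HMAC-SHA256 tag over the ciphertext (encrypt-then-MAC,
    the order ESP uses); RC4 is kept deliberately so that only the tag differs."""
    ciphertext = rc4(enc_key, plaintext)
    return ciphertext + hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def esp_style_open(enc_key: bytes, mac_key: bytes, packet: bytes):
    ciphertext, tag = packet[:-32], packet[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, ciphertext, hashlib.sha256).digest(), tag):
        return None                     # reject before touching the cipher
    return rc4(enc_key, ciphertext)


def rewrite_without_key(ciphertext: bytes, offset: int, known_old: bytes, new: bytes) -> bytes:
    """Attacker knows (or guesses) the plaintext bytes at `offset`, e.g. the destination
    address at offset 16 of an IPv4 header, and XORs old ^ new into the ciphertext.
    Under a stream cipher that changes exactly those plaintext bytes; no key is needed.
    (A real attacker would patch the IPv4 header checksum at offset 10 the same way.)"""
    patched = bytearray(ciphertext)
    for k, (old, nw) in enumerate(zip(known_old, new)):
        patched[offset + k] ^= old ^ nw
    return bytes(patched)


# Constructed IPv4 header: src 10.0.0.1, dst 10.0.0.5 (checksum left at zero for brevity)
DEMO_IP_HEADER = bytes.fromhex("4500001400010000400600000a0000010a000005")
OLD_DST = bytes([10, 0, 0, 5])
NEW_DST = bytes([203, 0, 113, 7])      # TEST-NET-3, standing in for an attacker's host


def redirect_pptp_packet(key: bytes) -> bytes:
    """Destination the receiver sees after the attacker rewrote the MPPE ciphertext."""
    ciphertext = mppe_style_protect(key, DEMO_IP_HEADER)
    evil = rewrite_without_key(ciphertext, 16, OLD_DST, NEW_DST)
    return mppe_style_open(key, evil)[16:20]


def redirect_esp_packet(enc_key: bytes, mac_key: bytes):
    """Same rewrite against the MAC-protected packet: the receiver rejects it (None)."""
    packet = esp_style_protect(enc_key, mac_key, DEMO_IP_HEADER)
    evil = rewrite_without_key(packet, 16, OLD_DST, NEW_DST)
    return esp_style_open(enc_key, mac_key, evil)
```

The point generalises beyond RC4: any cipher mode without an integrity check (CBC included, with a different bit-flipping pattern) leaves the receiver unable to tell a modified packet from a genuine one, which is why ESP's ICV, and not just its encryption, is what gives L2TP/IPsec and IKEv2 their data integrity and data authentication properties.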

4. VPN ARCHITECTURE
Several VPN network architectures are deployed by enterprise organizations for VPN services. The following Remote Access VPN network architectures are discussed in the following sections [2]-[5]:
Firewall-based
Black-box-based
Router-based
Remote-access-based
4.1 Firewall-Based VPNs
With firewall-based VPNs, it is considered a safe presumption that a firewall will be used and placed at the network perimeter, as illustrated in Figure - 6.

Figure - 6: Firewall-Based VPN


This presumption leads to a natural extension that this device also can support the VPN connections, providing a central point of management of both the firewall and network access security policies. A drawback to this combined firewall/VPN-access method is performance: the same device now terminates tunnels and performs encryption on top of packet filtering.
4.2 Black-Box-Based VPNs
In the black-box scenario, a vendor offers just that, a black box: a device loaded with encryption software to create a VPN tunnel. Black-box VPN vendors should support all three tunneling protocols, PPTP, L2TP, and IPsec. The black-box VPN sits behind or beside the firewall, as illustrated in Figure - 7.

Figure - 7: Black-Box-Based VPN


The firewall provides security to the organization, not the data, whereas the VPN device provides security to the data, but not the organization. If the firewall is in front of the VPN device, a rule-based policy on that firewall will need to be implemented that passes only the tunnel traffic to the VPN device: TCP port 1723 and GRE (IP protocol 47) for PPTP, UDP ports 500 and 4500 plus ESP (IP protocol 50) for L2TP/IPsec and IKEv2, and TCP port 443 for SSTP.
4.3 Router-Based VPNs
Router-based VPNs are for an organization that has a large capital investment in routers and an experienced IT staff. Many router vendors support router-based VPN configurations. There are two ways to implement router-based VPN:
Software is added to the router to allow an encryption process to occur.
An external card from a third-party vendor is inserted into the router chassis. This method is designed to off-load the encryption process from the router CPU to the additional card.


Figure - 8: Router-Based VPN


Some vendors build hot swapping (replacing hardware) and redundancy (backup solutions) into their router-based VPN products. Performance can be an issue with router-based VPNs because of the addition of an encryption process to the routing process; a heavier burden is placed on the router CPU, especially if the router is handling a large number of routes or implementing an intensive routing algorithm. Figure - 8 illustrates a router-based VPN, where packets are encrypted from source to destination. The drawback to a router-based VPN is security. Routers are considered to be poor at providing network security compared to a firewall. It is possible that an attacker will spoof traffic past the router, in turn fooling the firewall because the firewall will interpret these packets as originating from the other side of the VPN tunnel. This spoofing allows the attacker to gain access to services that are not visible from other locations on the Internet [4]-[7]. The countermeasure is to filter on the router as well: accept packets carrying the remote site's internal source addresses only when they actually arrived decrypted through the tunnel, and drop packets on the Internet interface that claim an internal source address.
4.4 Internet-Based VPN Connections
Using an Internet-based VPN connection, an organization can avoid long-distance charges while taking advantage of the global availability of the Internet.
4.4.1 Remote Access VPN Connections over the Internet
A remote access VPN connection over the Internet enables a remote access client to initiate a dial-up connection to a local ISP instead of connecting to a corporate or outsourced network access server (NAS). By using the established physical connection to the local ISP, the remote access client initiates a VPN connection across the Internet to the organization's VPN server. When the VPN connection is created, the remote access client can access the resources of the private intranet [5]-[7].
4.4.2 VPN Connecting a Remote Client to a Private Intranet

Figure - 9: Remote Access Over the Internet.

4.4.3 Site-to-Site VPN Connections Over the Internet


When networks are connected over the Internet, as shown in the following figure, a router forwards packets to another
router across a VPN connection. To the routers, the VPN connection operates as a data-link layer link.

4.4.4 VPN Connecting Two Remote Sites Across the Internet

Figure - 10: Connecting Two Remote Sites Across the Internet.


4.5 Intranet-Based VPN Connections


The intranet-based VPN connection takes advantage of IP connectivity in an organization's Local Area Network (LAN).
4.5.1 Remote Access VPN Connections over an Intranet
In some organization intranets, the data of a department, such as human resources, is so sensitive that the network
segment of the department is physically disconnected from the rest of the intranet. While this protects the data of the
human resources department, it creates information accessibility problems for authorized users not physically connected
to the separate network segment. VPN connections help provide the required security to enable the network segment of
the human resources department to be physically connected to the intranet. In this configuration, a VPN server can be
used to separate the network segments. The VPN server does not provide a direct routed connection between the
corporate intranet and the separate network segment. Users on the corporate intranet with appropriate permissions can
establish a remote access VPN connection with the VPN server and gain access to the protected resources. Additionally,
all communication across the VPN connection is encrypted for data confidentiality. The following figure shows remote
access over an intranet[5]-[10].
4.5.2 VPN Connection Allowing Remote Access to a Secured Network over an Intranet

Figure - 11: VPN Connection Allowing Remote Access to a Secured Network over an Intranet
4.5.3 Site-to-Site VPN Connections over an Intranet
Two networks can be connected over an intranet using a site-to-site VPN connection. This type of VPN connection
might be necessary, for example, for two departments in separate locations, whose data is highly sensitive, to
communicate with each other. For instance, the finance department might need to communicate with the human
resources department to exchange payroll information. The finance department and the human resources department
are connected to the common intranet with computers that can act as VPN clients or VPN servers. When the VPN
connection is established, users on computers on either network can exchange sensitive data across the corporate
intranet. The following figure shows two networks connected over an intranet[5]-[10].
4.5.4 VPN Connecting Two Networks over an Intranet

Figure - 12: VPN Connecting Two Networks Over the Intranet.

5. EFFICIENT INSTALLATION OF REMOTE ACCESS VPNS


Before a VPN can be established, certain requirements must be met. These include the following:
Each network site must be set up with a VPN-capable device (router, firewall, or some other dedicated VPN device) on the network edge.
Each site must know the IP addressing scheme (host, network, and network mask) in use by the other side of the intended connection.
Both sites must agree on the authentication method and, if required, exchange digital certificates.
Both sites must also agree on the encryption method and exchange the keys required.
VPNs are used to replace both dial-in modem pools and dedicated wide area network (WAN) links. A VPN solution for
remote dial-in users can reduce support costs because there are no phone lines or 800-number charges. A VPN solution
offers advantages over a dedicated WAN environment when sites are geographically diverse or mobile, saving the cost


of dedicated facilities and hardware. A VPN is made up of three technologies that, when used together, form the secure connection: authentication, tunneling, and encryption. We need to do the following before configuring an RRAS server as a remote access VPN server [5]-[9].
Determine which network interface connects to the Internet and which network interface connects to your private
network. During configuration, you will be asked to choose which network interface connects to the Internet. If you
specify the incorrect interface, your remote access VPN server will not operate correctly.
Determine whether remote clients will receive IP addresses from a DHCP server on your private network or
directly from the remote access VPN server that you are configuring. If you have a DHCP server on your private
network, the remote access VPN server can lease 10 addresses at a time from the DHCP server and assign those
addresses to remote clients. If you do not have a DHCP server on your private network, the remote access VPN
server can assign IP addresses to remote clients from a predefined pool of addresses. You must determine that
range based on your network infrastructure.
If you are using DHCP, determine whether VPN clients are able to send DHCP messages to the DHCP server on
your private network. If a DHCP server is on the same subnet as your remote access VPN server, DHCP messages
from VPN clients will be able to reach the DHCP server after the VPN connection is established. If a DHCP server
is on a different subnet from your remote access VPN server, make sure that the router between subnets can relay
DHCP messages between clients and the server.
Determine whether you want connection requests from VPN clients to be authenticated by a Remote Authentication Dial-In User Service (RADIUS) server or by the remote access VPN server that you are configuring. Adding a RADIUS server is useful if you plan to install multiple remote access VPN servers, wireless access points, or other RADIUS clients on your private network (see the Network Policy Server documentation).
Verify that all users have user accounts that are configured for dial-up access. Before users can connect to the
network, they must have user accounts on the remote access VPN server or in Active Directory Domain Services
(ADDS). Each user account on a stand-alone server or a domain controller contains properties that determine
whether that user can connect. On a stand-alone server, you can set these properties by right-clicking the user
account in Local Users and Groups and clicking Properties. On a domain controller, you can set these properties by
right-clicking the user account in the Active Directory Users and Computers console and clicking Properties.

6. CONCLUSION
Remote access solutions are deployed by enterprise organizations to provide access to fixed-site resources to remote users who are not at a fixed workstation on the site's LAN. A virtual private network (VPN) is a public network being used for this private and secure communication between the remote (telecommuting or mobile) user and the organization's LAN. The VPN connection is authenticated and encrypted across the public network, which is most often the Internet.

REFERENCES
[1] Dave Kosiur, Building and Managing Virtual Private Networks, Wiley & Sons, ISBN 0471295264, pp. 35-110.
[2] John Mains, VPNs: A Beginner's Guide, McGraw-Hill, ISBN 0072191813, pp. 28-72.
[3] S. S. Riaz Ahamed and P. Rajamohan, Comprehensive Performance Analysis and Special Issues of Virtual Private Network Strategies in Computer Communication: A Novel Study, International Journal of Engineering Science and Technology (IJEST), ISSN 0975-5462, Vol. 3, No. 7, July 2011, pp. 640-648.
[4] Wei Luo, Carlos Pignataro, Dmitry Bokotey and Anthony Chan, Layer 2 VPN Architectures, Cisco Press, 2005, pp. 73-122.
[5] Cisco Press, Network Sales and Services Handbook (Cisco Press Networking Technology), Chapter 16, Remote Access VPNs, p. 138.
[6] Alwin Thomas and George Kelley, Cost-Effective VPN-Based Remote Network Connectivity Over the Internet, 2003.
[7] F. J. Ronald (Ed.), CCSP Cisco Secure VPN, 2003, Types of VPN, pp. 24-26.
[8] F. J. Ronald (Ed.), CCSP Cisco Secure VPN, 2003, VPN over IPsec, pp. 36-39.
[9] F. J. Ronald (Ed.), CCSP Cisco Secure VPN, 2003, Explanation of the IPsec Protocols, pp. 39-45.
[10] B. Gleeson et al., A Framework for IP Based Virtual Private Networks, RFC 2764, February 2000.


AUTHOR
DR. P. RAJAMOHAN received his Bachelor of Science degree in Physics and later obtained a Post Graduate Diploma in Computer Applications (PGDCA), a Master's degree in Computer Applications (MCA) and a PhD in Computer Science. His primary research interests are Virtual Private Network implementation for efficient data communication, wireless networks and sensor communications. He is a member of the Institution of Engineers (India), a Cisco Certified Network Associate, and a member of the International Association of Engineers (IAENG). He has over 20 years of experience in both academia and the IT industry. He is currently working as a Senior Lecturer in the School of Information Technology, SEGi University, Malaysia.
