
1 | P a g e

ABSTRACT

In computer networks, we sometimes need to communicate between two or more
disjoint nodes that don't have a native routing path between each other, while
maintaining the confidentiality and authenticity of the data sent. For this, the
technique of IP tunneling is used.
In an IP tunnel, datagrams are enclosed within datagrams by encapsulation and
then tunnelled to the destination host by encrypting the data packets, thus
maintaining authenticity.
Several protocols used for tunnelling are PPTP, L2TP and OpenVPN.
Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the
secure transfer of data from a remote client to a private enterprise server by
creating a PPP tunnel across TCP/IP-based data networks. It provides a vehicle
for the transfer of data by PPP.
L2TP is a layer 2 tunneling protocol which provides data authentication at both
ends, i.e. client and server, to keep attacks by hackers at bay. It uses IPSec
for encryption services.
OpenVPN is an advanced open source VPN solution backed by the company
'OpenVPN Technologies' and is now the de-facto standard in the open
source networking space. It uses the mature SSL/TLS encryption protocols.


TABLE OF CONTENTS
CHAPTER NO.   TITLE                                              PAGE NO.

              ABSTRACT                                           1

1             C-DOT PROFILE                                      5
2             IP TUNNELING                                       6
2.1           Principle of Tunneling                             6
2.2           Tunnel using IPSec                                 7
2.2.1         Authentication Header                              7
2.2.2         Encapsulated Security Payload                      8
2.3           IPv6 to IPv4 Tunnel                                8
2.3.1         Topology of a 6to4 Tunnel                          9
2.3.2         Packet Flow                                        10
3             GENERIC ROUTING ENCAPSULATION                      11
3.1           Advantages                                         11
3.2           Process of Encapsulation and De-Encapsulation      11
3.3           GRE Encapsulation                                  12
3.4           GRE Header
4             POINT-TO-POINT TUNNELING PROTOCOL                  14
4.1           PPTP Configuration Steps                           15
4.2           PAC and PNS                                        15
4.3           Protocol Structure                                 16
4.4           Security                                           17
4.5           Advantages                                         17
4.6           Disadvantages                                      18
5             LAYER 2 FORWARDING PROTOCOL                        19
5.1           Protocol Structure
5.2           Advantages and Disadvantages
6             LAYER 2 TUNNELING PROTOCOL                         20
6.1           L2TP Encapsulation
6.2           L2TP Basic Components
6.3           Tunnel Initiation
6.4           Tunneling Models
6.5           Packet Structure
6.6           L2TP Packet Exchange
6.7           L2TP/IPSec
6.8           Advantages of L2TP
7             OpenVPN                                            27
7.1           Features
7.2           Architecture
8             CASE STUDY: IP Tunnel in LINUX                     30
8.1           IP tunneling with the Linux IPIP
8.2           IP tunneling with Generic Routing Encapsulation
9             CONCLUSION                                         33
10            APPENDIX                                           36
11            REFERENCES                                         38

1. C-DOT Profile



The Centre for Development of Telematics (C-DOT) is an Indian Government-owned
telecommunications technology development centre. It was established in 1984 with an
initial mandate of designing and developing digital exchanges. C-DOT has since expanded
its scope to developing intelligent computer software applications. It has offices in
Delhi and Bangalore.
Sam Pitroda, an Indian engineer, business executive and policymaker who is advisor to the
Prime Minister of India on public information infrastructure and innovations and the
chairman of the National Innovation Council, started the Centre for Development of
Telematics (C-DOT), an autonomous telecom R&D organization. In its initial years, C-DOT
brought about a telecom revolution in rural India that was responsible for all-round
socio-economic development through global connectivity. As part of its development
process, C-DOT spawned equipment manufacturers and component vendors. Research and
development facilities were located at its Delhi and Bangalore campuses.
C-DOT developed telecom switching products suited to Indian conditions, which appeared in
the form of small rural automatic exchanges (RAXs) and medium-size switches known as SBMs
for towns. This was followed by higher-capacity digital switches known as main automatic
exchanges (MAXs). C-DOT technology spread across the country through its licensed
manufacturers.


2. IP TUNNEL

IP Tunnel [1] is an Internet Protocol channel between any two networks which encapsulates IP
datagrams within IP datagrams, allowing datagrams destined for one IP address to be
wrapped and redirected to another IP address.
The technique of IP tunnelling is used to connect two dislocated IP networks that don't
have a native routing path between each other. IP tunnelling can be used to create a Virtual
Private Network between private networks using the Internet.
2.1 Principle of Tunnelling:
The principle of tunnel technology is simple. The user data and their headers are packed into
a new packet. Various authentication and encryption procedures can be applied in order to
secure the data.



Figure 1: The IP tunnel


The new IP header contains the IP addresses of the two VPN parties in the Internet. It is the
only part of the packet external users can see in the Internet in plain text. The user data and
the IP addresses of the local networks remain concealed in the interior of the tunnel. In
addition to security, the tunnel is thus what makes it possible to connect networks with
private IP addresses via the Internet.
The most common tunnel protocols are:
1. PPTP (Point-to-Point Tunnelling Protocol),
2. L2TP (Layer-2 Tunnelling Protocol),
3. IP Security Protocol (IPsec).

PPTP and L2TP are older protocols based on PPP (Point-to-Point Protocol), the
standard protocol for dial-up connections. For some time now, the encryption of PPTP
has been considered insufficiently secure. L2TP can be combined with various
encryption procedures, but generates greater overhead and thus reduces net
throughput. [2]
In short, an IP tunnel is used to create a logical path between two disjoint networks.
Some examples of IP tunnels are:
IPSec VPN tunnels, connecting remote sites to each other securely over an untrusted
network, i.e. the Internet.
GRE tunnels, connecting remote sites over another network.
IPv6 to IPv4 tunnels, sending IPv6 traffic over an IPv4 network.
IPv4 to IPv6 tunnels, sending IPv4 traffic over an IPv6 network.

2.2 Tunnel using IPSec
IPSec is a protocol suite used for securing the Internet Protocol communications by
authenticating and encapsulating each packet of communication. It also has protocols to
establish mutual authentication between agents involved at the beginning of the session.
IPSec is the latest tunnel protocol. It has advanced encryption procedures and can be merged
easily into existing IP networks.
IPSec fulfils the demand for authenticity, confidentiality and integrity using two data security
methods: Authentication Header (AH) and Encapsulated Security Payload (ESP).
2.2.1 Authentication Header

Authentication Header provides for the authentication of IP packets. The sender generates a
checksum from the original packet and a secret key known only to the sender and recipient.
The recipient also generates a checksum and compares the two values.


Figure 2: The Authentication Header

Any change to the packet during the course of transmission over the Internet would lead to a
different result, and thus to rejection of the packet. In this way the recipient can make sure that
the packet originates from the denoted sender and was not changed.
2.2.2 Encapsulated Security Payload

With ESP the packets are encrypted in order to prevent them from falling into the hands of
outside parties. Only the recipient, who has the same key as the sender at his disposal, can
decrypt the data. At the same time the packet is authenticated via ESP.


Figure 3: Encapsulated Security Payload

AH and ESP can be used individually or in combination in order to provide for maximum
security.
Both methods are independent of the cryptographic techniques used, which define how the
checksum is generated and how the data are encrypted.
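The AH check described above, as an added worked example that is not part of this report: a keyed checksum (HMAC-SHA-256, truncated to 128 bits) is computed by the sender over the packet and verified by the recipient. It follows AH's rule of excluding the header fields that legitimately change in transit (TOS, flags/fragment offset, TTL, header checksum), so a router decrementing TTL does not break verification, while a modified payload or a rewritten address does. The packet bytes, key and addresses are constructed for the example; a real AH implementation also covers the AH header itself and uses whatever algorithm the security association negotiated.

```python
import hmac
import hashlib
import struct

# (offset, length) of the IPv4 header fields that change legitimately in transit and
# are therefore zeroed before the integrity check, as AH does for its "mutable" fields:
# TOS, flags/fragment offset, TTL and header checksum.
MUTABLE_FIELDS = [(1, 1), (6, 2), (8, 1), (10, 2)]
ICV_LEN = 16   # HMAC output truncated to 128 bits, as HMAC-SHA-256-128 does


def build_ipv4_header(ttl, proto, src, dst, total_len):
    """Minimal 20-byte IPv4 header in RFC 791 field order; header checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0,
                       ttl, proto, 0, src, dst)


def sample_packet():
    """Constructed sample packet: IPv4 header plus a short payload."""
    payload = b"constructed payload from site A"
    src, dst = bytes([10, 0, 1, 5]), bytes([10, 0, 2, 9])
    return build_ipv4_header(64, 17, src, dst, 20 + len(payload)) + payload


def zero_mutable_fields(packet):
    hdr = bytearray(packet[:20])
    for off, ln in MUTABLE_FIELDS:
        hdr[off:off + ln] = b"\x00" * ln
    return bytes(hdr) + packet[20:]


def compute_icv(key, packet):
    """Sender: keyed checksum over the immutable header fields and the payload."""
    return hmac.new(key, zero_mutable_fields(packet), hashlib.sha256).digest()[:ICV_LEN]


def verify_icv(key, packet, icv):
    """Recipient: recompute with the shared key and compare in constant time."""
    return hmac.compare_digest(compute_icv(key, packet), icv)


def demo(key=b"constructed-shared-secret"):
    pkt = sample_packet()
    icv = compute_icv(key, pkt)
    hop = bytearray(pkt)
    hop[8] -= 1                                  # a router decremented TTL: still valid
    tampered = bytearray(pkt)
    tampered[-1] ^= 0x01                         # one payload bit flipped: rejected
    natted = bytearray(pkt)
    natted[16:20] = bytes([203, 0, 113, 7])      # destination rewritten in transit: rejected
    return {
        "original": verify_icv(key, pkt, icv),
        "after_ttl_decrement": verify_icv(key, bytes(hop), icv),
        "payload_tampered": verify_icv(key, bytes(tampered), icv),
        "address_rewritten": verify_icv(key, bytes(natted), icv),
    }


if __name__ == "__main__":
    print(demo())
```

The last case is also why AH does not survive network address translation: a translator rewrites an address that the checksum deliberately covers, and the recipient cannot tell that from tampering.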

2.3 IPv6 to IPv4 tunnel

Tunneling provides a way to use an existing IPv4 routing infrastructure to carry IPv6 traffic.
For this, IPv6 must be compatible with the existing IPv4 components, so compatibility with
IPv4 must be maintained while sending IPv6 packets. While the IPv6 infrastructure is being
deployed, the existing IPv4 routing infrastructure can remain functional and can be used to
carry IPv6 traffic.

IPv6/IPv4 hosts and routers can tunnel IPv6 datagrams over regions of IPv4 routing
topology by encapsulating them within IPv4 packets.

Item: Description
Router-to-Router: IPv6/IPv4 routers interconnected by an IPv4 infrastructure can tunnel
IPv6 packets between themselves.
Host-to-Router: IPv6/IPv4 hosts can tunnel IPv6 packets to an intermediary IPv6/IPv4
router that is reachable through an IPv4 infrastructure.
Host-to-Host: IPv6/IPv4 hosts that are interconnected by an IPv4 infrastructure can tunnel
IPv6 packets between themselves.
Router-to-Host: IPv6/IPv4 routers can tunnel IPv6 packets to their final destination
IPv6/IPv4 host.

In router-to-router or host-to-router methods, the IPv6 packet is being tunneled to a router. In
host-to-host or router-to-host methods, the IPv6 packet is tunneled all the way to its final
destination.
The entry node of the tunnel (the encapsulating node) creates an encapsulating IPv4 header
and transmits the encapsulated packet. The exit node of the tunnel (the decapsulating node)
receives the encapsulated packet, removes the IPv4 header, updates the IPv6 header, and
processes the received IPv6 packet. [3]
2.3.1 Topology of a 6to4 Tunnel

The following figure shows how a 6to4 tunnel provides this connectivity between 6to4 sites.

Figure 4: Tunnel Between Two 6to4 Sites

(i) The figure depicts two isolated 6to4 networks, Site A and Site B, each site
configured with a router that has an external connection to an IPv4 network. A 6to4
tunnel across the IPv4 network provides a connection to link the 6to4 sites.
(ii) qfe0: a globally unique address for the interface between the IPv6 site and the
external connection to the IPv4 network.
(iii) hme0 and hme1: addresses of the interfaces between subnets 1 and 2 and the 6to4
router.
(iv) Site B is another isolated 6to4 site. A boundary router on Site B must be
configured for 6to4 support. Otherwise, packets that the router receives from Site
A are not recognized and are then dropped.
2.3.2 Packet Flow through the 6to4 Tunnel

1. A host on Subnet 1 of 6to4 Site A sends a transmission, with a host at 6to4 Site B as the
destination. Each packet header has a 6to4 source and destination address.
2. Site A's router encapsulates each 6to4 packet within an IPv4 header. In this process, the
router sets the IPv4 destination address of the encapsulating header to Site B's router
address. For each IPv6 packet that flows through the tunnel interface, the packet's IPv6
destination address also contains the IPv4 destination address. Thus, the router is able to
determine the IPv4 destination address that is set on the encapsulating header. Then, the
router uses standard IPv4 routing procedures to forward the packet over the IPv4
network.
3. Any IPv4 routers that the packets encounter use the packets' IPv4 destination address for
forwarding. This address is the globally unique IPv4 address of the interface on Router B,
which also serves as the 6to4 pseudo-interface.
4. Packets from Site A arrive at Router B, which decapsulates the IPv6 packets from the
IPv4 header.
5. Router B then uses the destination address in the IPv6 packet to forward the packets to
the recipient host at Site B. [4]
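The address derivation in step 2 (the IPv4 destination is embedded in the 6to4 IPv6 destination) and the encapsulation and decapsulation of steps 2 and 4, as an added Python example that is not part of this report. Site A's router is assumed to have the IPv4 address 192.0.2.1 and Site B's 198.51.100.2 (documentation addresses chosen for the example), and the IPv6 packet is constructed inline. The decapsulating side also checks that the outer IPv4 source matches the address embedded in a 6to4 inner source, a consistency check added here in the spirit of RFC 3964's security considerations.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41   # protocol number for IPv6 carried inside IPv4


def sixtofour_prefix(v4):
    """The 2002:WWXX:YYZZ::/48 prefix a site derives from its router's IPv4 address W.X.Y.Z."""
    a, b, c, d = ipaddress.IPv4Address(v4).packed
    return ipaddress.IPv6Network("2002:%02x%02x:%02x%02x::/48" % (a, b, c, d))


def tunnel_endpoint(v6_addr):
    """IPv4 address embedded in a 6to4 address (bits 16-47), or None if it is not 6to4."""
    raw = ipaddress.IPv6Address(v6_addr).packed
    if raw[:2] != b"\x20\x02":
        return None
    return ipaddress.IPv4Address(raw[2:6])


def ipv4_checksum(header):
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(ipv6_packet, router_v4):
    """Site A's router: the outer IPv4 destination is taken from the inner IPv6 destination."""
    v4_dst = tunnel_endpoint(ipv6_packet[24:40])
    if v4_dst is None:
        raise ValueError("inner destination is not a 6to4 address; no tunnel endpoint to derive")
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6_packet), 0, 0x4000, 64,
                      IPPROTO_IPV6, 0, ipaddress.IPv4Address(router_v4).packed, v4_dst.packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + ipv6_packet


def decapsulate(ipv4_packet):
    """Router B: strip the IPv4 header after checking it really carries 6to4 traffic."""
    ihl = (ipv4_packet[0] & 0x0F) * 4
    if ipv4_packet[9] != IPPROTO_IPV6:
        raise ValueError("outer protocol is not 41")
    if ipv4_checksum(ipv4_packet[:ihl]) != 0:
        raise ValueError("bad outer header checksum")
    inner = ipv4_packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("payload is not an IPv6 packet")
    # Added consistency check (in the spirit of RFC 3964): a 6to4 inner source must embed
    # the outer IPv4 source; otherwise the packet's origin is being misrepresented.
    embedded = tunnel_endpoint(inner[8:24])
    if embedded is not None and embedded != ipaddress.IPv4Address(ipv4_packet[12:16]):
        raise ValueError("outer IPv4 source does not match the 6to4 inner source")
    return inner


def sample_ipv6_packet():
    """Constructed IPv6 packet: host at Site A (router 192.0.2.1) to host at Site B (router 198.51.100.2)."""
    src = ipaddress.IPv6Address("2002:c000:0201::1")
    dst = ipaddress.IPv6Address("2002:c633:6402::7")
    payload = b"constructed payload"
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), 59, 64,
                       src.packed, dst.packed) + payload


def demo():
    inner = sample_ipv6_packet()
    outer = encapsulate(inner, "192.0.2.1")
    return {
        "outer_protocol": outer[9],
        "outer_dst": str(ipaddress.IPv4Address(outer[16:20])),
        "site_b_prefix": str(sixtofour_prefix("198.51.100.2")),
        "roundtrip_ok": decapsulate(outer) == inner,
    }


if __name__ == "__main__":
    print(demo())
```

Note that every IPv4 router in between sees only protocol 41 and the two router addresses; the IPv6 addresses and payload travel unchanged and unencrypted inside, which is why 6to4 is a connectivity mechanism and not a security one.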

3. Generic Routing Encapsulation
Generic Routing Encapsulation (GRE) is a tunnelling protocol developed by Cisco
Systems. It is an IP encapsulation protocol that is used to transport packets over a
network. Information is sent from one network to the other through a GRE tunnel.
GRE works by encapsulating a payload -- that is, an inner packet that needs to be delivered to
a destination network -- inside an outer IP packet. GRE tunnel endpoints send payloads
through GRE tunnels by routing encapsulated packets through intervening IP networks. Other
IP routers along the way do not parse the payload (the inner packet); they only parse the outer
IP packet as they forward it towards the GRE tunnel endpoint. Upon reaching the tunnel
endpoint, GRE encapsulation is removed and the payload is forwarded along to its ultimate
destination.
GRE supports multicast as well as IPv6 traffic between networks.
3.1 Advantages:
Advantages of GRE tunnels include the following:
GRE tunnels encase multiple protocols over a single-protocol backbone.
GRE tunnels provide workarounds for networks with limited hops.
GRE tunnels connect discontinuous sub-networks.
GRE tunnels allow VPNs across wide area networks.

3.2 Process of Encapsulation and De-Encapsulation


Figure 5: GRE tunnelling


Encapsulation: A switch operating as a tunnel source router encapsulates and forwards
GRE packets as follows:
1. When a switch receives a data packet (payload) to be tunneled, it sends the packet to
the tunnel interface.
2. The tunnel interface encapsulates the data in a GRE packet.
3. The system encapsulates the GRE packet in an IP packet.
4. The IP packet is forwarded based on its destination address and routing table.
De-encapsulation: A switch operating as a tunnel remote router handles GRE packets as
follows:
1. When the destination switch receives the IP packet from the tunnel interface, the
switch checks the destination address.
2. The IP header is removed, and the packet is submitted to the GRE protocol.
3. The GRE protocol strips off the GRE header and submits the payload packet for
forwarding.

3.3 GRE Encapsulation

Figure 6: GRE Encapsulation

GRE packets are routed over the network as ordinary IP packets.
(i) The IP header is around 20 bytes long.
(ii) The GRE packet is encapsulated within the IP packet. The GRE header is variable in
length; it can vary from 4 to 20 bytes.
(iii) The passenger protocol or the payload is encapsulated inside the GRE
header.
3.4 GRE Header
The GRE header is variable in length, from 4 to 20 bytes, depending on which optional
features have been enabled.

Figure 7: GRE Header
C, K, and S: Bit flags which are set to one if the checksum, key, and sequence number
fields are present, respectively.
Ver: GRE version number (zero)
Protocol: Ethertype of the encapsulated protocol
Checksum: Packet checksum (optional)
Key: Tunnel key (optional)
Sequence Number: GRE sequence number (optional)



So, with Generic Routing Encapsulation, the network is private because traffic can enter a
tunnel only at one endpoint and can leave only at the other endpoint. Tunnels do not provide
true confidentiality (as encryption does) but can carry encrypted traffic. Tunnels are logical
endpoints configured on the physical interfaces through which traffic is carried. [5]
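A parser and builder for the header fields listed above, as an added Python example that is not part of this report. It handles the C, K and S optional fields of RFC 2784/2890 (a header of 4 to 16 bytes; the routing field that RFC 1701 adds to reach 20 bytes is rejected as unsupported), verifies the optional checksum over header and payload, and on the receiving side accepts only the key configured for the tunnel. The inner IPv4 header and the key value are constructed for the example.

```python
import struct

GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000   # checksum / key / sequence number present
GRE_VER_MASK = 0x0007
GRE_RESERVED = 0xFFFF & ~(GRE_C | GRE_K | GRE_S | GRE_VER_MASK)   # must be zero on receive
ETHERTYPE_IPV4 = 0x0800


def ones_complement(data):
    """16-bit ones-complement sum as used by the GRE (and IP) checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(protocol, payload, key=None, seq=None, checksum=False):
    """Encapsulate a payload; the header grows from 4 bytes as C, K and S are enabled."""
    flags, opt = 0, b""
    if checksum:
        flags |= GRE_C
        opt += struct.pack("!HH", 0, 0)          # checksum placeholder + Reserved1
    if key is not None:
        flags |= GRE_K
        opt += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_S
        opt += struct.pack("!I", seq)
    hdr = struct.pack("!HH", flags, protocol) + opt
    if checksum:                                 # covers the whole GRE header and payload
        hdr = hdr[:4] + struct.pack("!H", ones_complement(hdr + payload)) + hdr[6:]
    return hdr + payload


def parse_gre(packet, expected_key=None):
    """Decapsulate at the tunnel endpoint, dropping what a defensive receiver should drop."""
    if len(packet) < 4:
        raise ValueError("short GRE header")
    flags, protocol = struct.unpack("!HH", packet[:4])
    if flags & GRE_VER_MASK != 0:
        raise ValueError("GRE version %d not supported" % (flags & GRE_VER_MASK))
    if flags & GRE_RESERVED:
        raise ValueError("reserved flag bits set (RFC 1701 routing extension unsupported)")
    hdr_len = 4 + (4 if flags & GRE_C else 0) + (4 if flags & GRE_K else 0) + (4 if flags & GRE_S else 0)
    if len(packet) < hdr_len:
        raise ValueError("truncated GRE optional fields")
    info = {"protocol": protocol, "checksum": None, "key": None, "seq": None, "header_len": hdr_len}
    off = 4
    if flags & GRE_C:
        info["checksum"] = struct.unpack("!H", packet[off:off + 2])[0]
        off += 4
        if ones_complement(packet) != 0:         # sum over everything incl. the field gives 0
            raise ValueError("GRE checksum mismatch")
    if flags & GRE_K:
        info["key"] = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
        if expected_key is not None and info["key"] != expected_key:
            raise ValueError("key does not identify this tunnel")
    if flags & GRE_S:
        info["seq"] = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    info["payload"] = packet[off:]
    return info


def demo():
    # Constructed inner IPv4 header (10.0.0.1 -> 10.0.0.2, ICMP) as the passenger protocol.
    inner = bytes.fromhex("45000014000040004001000a0a0000010a000002")
    pkt = build_gre(ETHERTYPE_IPV4, inner, key=0x1234, seq=7, checksum=True)
    parsed = parse_gre(pkt, expected_key=0x1234)
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])
    try:
        parse_gre(tampered, expected_key=0x1234)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    try:
        parse_gre(pkt, expected_key=0x9999)
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    return {"header_len": parsed["header_len"], "protocol": parsed["protocol"],
            "key": parsed["key"], "seq": parsed["seq"], "payload_ok": parsed["payload"] == inner,
            "tamper_detected": tamper_detected, "wrong_key_rejected": wrong_key_rejected}


if __name__ == "__main__":
    print(demo())
```

The checksum only detects accidental corruption and the key only distinguishes tunnels; neither authenticates the sender, which is the point of the closing paragraph above: GRE needs IPsec or another encrypting protocol inside it for confidentiality and integrity.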

4. POINT-TO-POINT TUNNELING PROTOCOL
PPTP is a tunneling and encryption protocol developed by Microsoft as a VPN
technology. PPTP uses a control channel over TCP and a GRE tunnel to
encapsulate PPP packets.
PPTP itself does not have encryption or authentication features and relies on the
Point-to-Point Protocol being tunneled to implement security functionality. However, in
Microsoft Windows, PPTP uses authentication and encryption as a native feature.
PPTP is provided in Windows 95/98, NT 4.0 and Windows 2000 and does not require any
additional client software. Thus, implementing a VPN with Microsoft Windows is quite easy.
MPPE (Microsoft Point-to-Point Encryption) is a sub-feature of Microsoft Point-to-Point
Compression (MPPC) that provides confidentiality through encryption.
Developed as an extension of the Point-to-Point Protocol (PPP), PPTP adds a new level of
enhanced security and multiprotocol communications over the Internet.


4.1 PPTP Configuration Steps:



Figure 8: PPTP Configuration Steps


The following steps are needed to establish a PPTP tunnel:
1. The client dials in to the ISP and establishes a PPP session.
2. The client establishes a TCP connection with the tunnel server.
3. The tunnel server accepts the TCP connection.
4. The client sends a PPTP Start Control Connection Request (SCCRQ) message to the
tunnel server.
5. The tunnel server establishes a new PPTP tunnel and replies with a Start Control
Connection Reply (SCCRP) message.
6. The client initiates the session by sending an Outgoing Call Request (OCRQ) message
to the tunnel server.
7. The tunnel server creates a virtual-access interface.
8. The tunnel server replies with an Outgoing Call Reply (OCRP) message.


4.2 PAC and PNS

The PPTP Network Server (PNS) is envisioned to run on a general purpose operating system
while the client, referred to as a PPTP Access Concentrator (PAC) operates on a dial access
platform.
PPTP is implemented only by the PAC and PNS. No other systems need to be aware of
PPTP. Dial networks may be connected to a PAC without being aware of PPTP. Standard
PPP client software should continue to operate on tunneled PPP links.
PPTP uses an extended version of GRE to carry user PPP packets. These enhancements allow
for low-level congestion and flow control to be provided on the tunnels used to carry user
data between PAC and PNS. This mechanism allows for efficient use of the bandwidth
available for the tunnels and avoids unnecessary retransmissions and buffer overruns.

4.3 Protocol Structure - PPTP: Point to Point Tunneling Protocol


Bits 0-15                    Bits 16-31
Length                       PPTP message type
Magic cookie (32 bits)
Control message type         Reserved 0
Protocol version             Reserved 1
Framing capability (32 bits)
Bearer capability (32 bits)
Maximum channels             Firmware revision
Host name (64 octets)
Vendor string (64 octets)
Figure 9: PPTP protocol structure

Length - Total length in octets of this PPTP message, including the entire PPTP header.
PPTP message type - The message type. Possible values are: 1 = Control message;
2 = Management message.
Magic cookie - The magic cookie is always sent as the constant 0x1A2B3C4D. Its
basic purpose is to allow the receiver to ensure that it is properly synchronized with
the TCP data stream.
Control Message Type - Values may be:
Control Connection Management
1 Start-Control-Connection-Request
5 Start-Control-Connection-Reply
6 Stop-Control-Connection-Request
7 Stop-Control-Connection-Reply
8 Echo-Request
9 Echo-Reply
Call Management
10 Outgoing-Call-Request
11 Outgoing-Call-Reply
12 Incoming-Call-Request
13 Incoming-Call-Reply
14 Incoming-Call-Connected
15 Call-Clear-Request
16 Call-Disconnect-Notify
Error Reporting
14 WAN-Error-Notify
PPP Session Control
15 Set-Link-Info
Reserved 0 & 1 - Must be set to 0.
Protocol version - PPTP version number.
Framing Capabilities - Indicates the type of framing that the sender of this message
can provide: 1 - Asynchronous framing supported; 2 - Synchronous framing supported.
Bearer Capabilities - Indicates the bearer capabilities that the sender of this message
can provide: 1 - Analog access supported; 2 - Digital access supported.
Maximum Channels - The total number of individual PPP sessions this PAC can support.
Firmware Revision - Contains the firmware revision number of the issuing PAC, when
issued by the PAC, or the version of the PNS PPTP driver if issued by the PNS.
Host Name - Contains the DNS name of the issuing PAC or PNS.
Vendor Name - Contains a vendor-specific string describing the type of PAC being
used, or the type of PNS software being used if this request is issued by the PNS. [6]
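The structure above as bytes, and the role of the magic cookie on the TCP control connection, as an added Python example that is not part of this report: a Start-Control-Connection-Request is packed and parsed with the field order and sizes shown (156 octets in total), and a receiver frames successive messages out of a byte stream using Length, checking the cookie on each one so that a stream that has slipped out of alignment is detected instead of mis-parsed. Host names, the vendor string and the stray bytes are constructed for the example; of the control message types listed above only the SCCRQ value (1) is used.

```python
import struct

MAGIC_COOKIE = 0x1A2B3C4D
MSG_CONTROL, MSG_MANAGEMENT = 1, 2
CTRL_SCCRQ = 1                       # Start-Control-Connection-Request
PROTOCOL_VERSION = 0x0100            # PPTP 1.0
# Length, message type, magic cookie, control type, Reserved0, protocol version, Reserved1,
# framing capabilities, bearer capabilities, maximum channels, firmware revision, host name, vendor
SCCRQ_FMT = "!HHIHHHHIIHH64s64s"
SCCRQ_LEN = struct.calcsize(SCCRQ_FMT)      # 156 octets
PREFIX_FMT = "!HHIH"                        # the first four fields, common to every control message
PREFIX_LEN = struct.calcsize(PREFIX_FMT)    # 10 octets


def build_sccrq(host_name, vendor, max_channels=8, firmware=1, framing=3, bearer=3):
    """Constructed SCCRQ as a PAC would send it once the TCP connection is up."""
    return struct.pack(SCCRQ_FMT, SCCRQ_LEN, MSG_CONTROL, MAGIC_COOKIE, CTRL_SCCRQ, 0,
                       PROTOCOL_VERSION, 0, framing, bearer, max_channels, firmware,
                       host_name.encode("ascii")[:64], vendor.encode("ascii")[:64])


def parse_sccrq(msg):
    f = struct.unpack(SCCRQ_FMT, msg[:SCCRQ_LEN])
    if f[4] != 0 or f[6] != 0:
        raise ValueError("Reserved0 and Reserved1 must be zero")
    return {"protocol_version": f[5], "framing": f[7], "bearer": f[8],
            "max_channels": f[9], "firmware": f[10],
            "host_name": f[11].rstrip(b"\x00").decode("ascii"),
            "vendor": f[12].rstrip(b"\x00").decode("ascii")}


def read_control_messages(stream):
    """Frame messages out of the TCP byte stream by Length, checking the magic cookie on
    each one. Returns (messages, error); error is None while the stream is in sync. A
    receiver that sees a wrong cookie has lost framing and should close the control
    connection rather than guess where the next message starts."""
    messages, off = [], 0
    while off + PREFIX_LEN <= len(stream):
        length, msg_type, cookie, ctrl_type = struct.unpack(PREFIX_FMT, stream[off:off + PREFIX_LEN])
        if cookie != MAGIC_COOKIE:
            return messages, "desynchronized at offset %d" % off
        if msg_type not in (MSG_CONTROL, MSG_MANAGEMENT) or length < PREFIX_LEN:
            return messages, "invalid header at offset %d" % off
        if off + length > len(stream):
            break                                   # partial message: wait for more bytes
        body = stream[off:off + length]
        fields = parse_sccrq(body) if ctrl_type == CTRL_SCCRQ and length == SCCRQ_LEN else None
        messages.append({"length": length, "msg_type": msg_type,
                         "ctrl_type": ctrl_type, "fields": fields})
        off += length
    return messages, None


def demo():
    m1 = build_sccrq("pac1.example", "Constructed Vendor")
    m2 = build_sccrq("pac2.example", "Constructed Vendor", max_channels=16)
    clean, err_clean = read_control_messages(m1 + m2)
    # Four stray bytes between the messages shift every later field; the cookie check catches it.
    corrupt, err_corrupt = read_control_messages(m1 + b"\x00\x00\x00\x00" + m2)
    return {"clean_count": len(clean), "clean_error": err_clean,
            "first_host": clean[0]["fields"]["host_name"],
            "second_max_channels": clean[1]["fields"]["max_channels"],
            "corrupt_count": len(corrupt), "corrupt_error": err_corrupt}


if __name__ == "__main__":
    print(demo())
```

The cookie is a framing aid only: it is a public constant, so it gives no assurance about who sent the message. That is consistent with section 4.4 below, where the protocol's security rests on what PPP negotiates inside the tunnel.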

4.4 SECURITY

It was found that PPTP is vulnerable and has many security loopholes. PPTP is now no
longer recommended by Microsoft and is considered cryptographically broken.

4.5 ADVANTAGES of PPTP

PPTP works by dividing all the information to be transmitted into two types of messages:
control messages and data messages. This makes PPTP simpler to manage and control
connections.
It requires very little bandwidth to operate, so more users can take advantage of a
connection without slowing down transmission.
PPTP also supports a variety of different security measures such as authentication,
encryption and packet filtering.
A significant advantage of PPTP for smaller companies is that it is much more affordable
and requires less special hardware than other protocols, and in fact comes free with most
operating systems. So it may be the least expensive option for a company that doesn't
want to invest a large amount of money in setting up its VPN.

4.6 Disadvantages of PPTP

The first is the way in which it handles messages. It doesn't encrypt the control message
traffic for a transmission session.
This means that the connection is vulnerable to attack or hijacking, as is the information
being transmitted.
It remains one of the weakest in security of all of the current VPN protocols.

5. LAYER 2 FORWARDING PROTOCOL

L2F, or Layer 2 Forwarding, is a tunneling protocol developed by Cisco Systems, Inc. to
establish virtual private network connections over the Internet. L2F does not
provide encryption or confidentiality by itself; it relies on the protocol being tunneled to
provide privacy. L2F was specifically designed to tunnel Point-to-Point Protocol (PPP)
traffic. [1]
It is similar to PPTP in that L2F is a layer 2 tunnelling protocol, as is denoted by its
name. L2F is also an extension of PPP. The difference between it and PPTP is that, as
opposed to wrapping the PPP packets in IP, L2F uses layer 2 protocols such as Frame Relay
and ATM to create tunnels, and L2F is server initiated. Another difference is that L2F
provides authentication between tunnel endpoints.

5.1 Protocol Structure - L2F: Layer 2 Forwarding Protocol


Bits 0-12: F K P S 0 0 0 0 0 0 0 0 C   Bits 13-15: Version   Bits 16-23: Protocol   Bits 24-31: Sequence
Multiplex ID (16 bits)                 Client ID (16 bits)
Length (16 bits)                       Offset (16 bits)
Key (32 bits)
Version - The major version of the L2F software creating the packet.
Protocol - The protocol field specifies the protocol carried within the L2F packet.
Sequence - The sequence number is present if the S bit in the L2F header is set to 1.
Multiplex ID - The packet multiplex ID identifies a particular connection within a
tunnel.
Client ID - The client ID (CLID) assists endpoints in demultiplexing tunnels.
Length - The length is the size in octets of the entire packet, including the header, all
the fields and the payload.
Offset - This field specifies the number of bytes past the L2F header at which the
payload data is expected to start. This field is present if the F bit in the L2F header is
set to 1.
Key - The key field is present if the K bit is set in the L2F header. This is part of the
authentication process.
Checksum - The checksum of the packet. The checksum field is present if the C bit in
the L2F header is set to 1.


5.2 Advantages and Disadvantages
Advantage:
L2F provides authentication of end points.
Disadvantages:
L2F requires support in access servers and routers. Therefore an ISP has to support it.

6 LAYER 2 TUNNELING PROTOCOL

Layer 2 Tunneling Protocol (L2TP) is a tunnelling protocol used to support Virtual
Private Networks (VPNs). It does not provide any encryption or confidentiality to the
packets sent. The packets it tunnels get the required encryption from another protocol;
thus, it relies on that protocol for the encryption services that provide privacy.

6.1 L2TP Encapsulation


Figure 10: L2TP Encapsulation

The entire L2TP packet, including payload and L2TP header, is sent within a User Datagram
Protocol (UDP) datagram. It is common to carry PPP sessions within an L2TP tunnel.
UDP: With UDP, hosts can send messages or datagrams to other hosts on an IP network
without any prior communication, thus establishing a special communication channel.
PPP: PPP is a data link protocol used for creating a connection between two nodes. It can
provide connection, authentication, encryption and compression.
L2TP encapsulates PPP frames to tunnel them across an IP network. The L2TP
packets must be encapsulated as well for transmission.
Since L2TP does not provide any authentication and confidentiality, it seeks the help of
IPSec for confidentiality, encryption and integrity.
The combination of these two protocols is generally known as L2TP/IPsec.
Problems that may arise are:
(i) Fragmentation issues
(ii) Additional overhead, as IPSec adds its own header

6.2 L2TP Basic Components


Figure 11: L2TP Components

The two endpoints of an L2TP tunnel are called the LAC (L2TP Access Concentrator) and
the LNS (L2TP Network Server). The LAC is the initiator of the tunnel while the LNS is the
server, which waits for new tunnels. Once a tunnel is established, the network traffic between
the peers is bidirectional. [1]
The LAC at the ISP exchanges PPP messages with the subscribers and communicates via L2TP
requests and responses with the customer's LNS.
6.3 Tunnel Initiation
The LAC is responsible for initiating the tunnel while the LNS is the server.
The LAC authenticates a user and gets the information needed to set up the tunnel. This
information is forwarded to the LNS later in the process.
The LAC physically terminates the incoming call; it does not terminate the PPP
session, though. The PPP session is terminated at the LNS.

6.4 TUNNELING MODELS
6.4.1 Voluntary tunnel
In the voluntary tunnel model, a tunnel is created by the user, typically by the use of an
L2TP-enabled client. As a result, the user will send L2TP packets to the Internet Service
Provider (ISP), which will forward them on to the LNS. In voluntary tunneling the ISP does not
need to support L2TP, and the L2TP tunnel initiator effectively resides on the same system as
the remote client. In this model the tunnel extends across the entire PPP session from the
L2TP client to the LNS.
6.4.2 Compulsory tunnel model - incoming call
In the compulsory tunnel model-incoming call, a tunnel is created without any action from
the user and without allowing the user any choice. As a result the user will send PPP packets
to the ISP (LAC) which will encapsulate them in L2TP and tunnel them to the LNS. In the
compulsory tunneling cases, the ISP must be L2TP capable. In this model the tunnel only
extends across the segment of the PPP session between the ISP and the LNS.
6.4.3 Compulsory tunnel model - remote dial
In the compulsory tunnel model-remote dial the home gateway (LNS) initiates a tunnel to an
ISP (LAC) and instructs the ISP to place a local call to the PPP answer client. This model is
intended for cases where the remote PPP Answer Client has a permanent established phone
number with an ISP. This model is expected to be used when a company with established
presence on the Internet needs to establish a connection to a remote office that requires a dial-
up link. In this model the tunnel only extends across the segment of the PPP session between
the LNS and the ISP.
6.4.4 L2TP Multi-hop Connection
An L2TP Multi-hop connection is a way of redirecting L2TP traffic on behalf of client LACs
and LNSs. A Multi-hop connection is established using an L2TP Multi-hop gateway (a system
that links L2TP Terminator and Initiator profiles together). To establish a multi-hop
connection, the L2TP Multi-hop gateway acts as an LNS to a set of LACs at the same
time as acting as a LAC to a given LNS. A tunnel is established from a client LAC to the
L2TP Multi-hop gateway and then another tunnel is established between the L2TP Multi-hop
gateway and a target LNS. L2TP traffic from the client LAC is then redirected by the L2TP
Multi-hop gateway to the target LNS, and traffic from the target LNS is redirected to the
client LAC. [2]


6.5 L2TP Packet Structure:
An L2TP packet consists of: [1]

Bits 0-15                    Bits 16-31
Flags and Version Info       Length (opt)
Tunnel ID                    Session ID
Ns (opt)                     Nr (opt)
Offset Size (opt)            Offset Pad (opt) ......
Payload data

Field meanings:
Flags and version: control flags indicating data/control packet and presence of length,
sequence, and offset fields.
Length (optional): total length of the message in bytes, present only when the length flag
is set.
Tunnel ID: indicates the identifier for the control connection.
Session ID: indicates the identifier for a session within a tunnel.
Ns (optional): sequence number for this data or control message, beginning at zero and
incrementing by one (modulo 2^16) for each message sent. Present only when the sequence
flag is set.
Nr (optional): sequence number for the expected message to be received. Nr is set to the Ns
of the last in-order message received plus one (modulo 2^16). In data messages, Nr is
reserved and, if present (as indicated by the S bit), MUST be ignored upon receipt.
Offset Size (optional): specifies where payload data is located past the L2TP header. If
the offset field is present, the L2TP header ends after the last byte of the offset
padding. This field exists if the offset flag is set.
Offset Pad (optional): variable length, as specified by the offset size. Contents of this
field are undefined.
Payload data: variable length (max payload size = max size of UDP packet - size of L2TP
header).
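The header layout and the modulo-2^16 sequence rules above, as an added Python example that is not part of this report: an L2TPv2 header is built and parsed with the optional Length, Ns/Nr and Offset fields, Length is used to bound the message so trailing padding is dropped, and a receiver-side tracker advances its expected Ns with wraparound from 65535 to 0 while rejecting a retransmitted duplicate. Tunnel and session IDs and the payloads are constructed for the example; the AVP encoding of control messages is not shown.

```python
import struct

FLAG_T, FLAG_L, FLAG_S, FLAG_O = 0x8000, 0x4000, 0x0800, 0x0200   # type / length / sequence / offset
VER_MASK = 0x000F
L2TP_VERSION = 2


def _u16(pkt, off):
    """Read a big-endian 16-bit field, refusing to run past the end of the packet."""
    if off + 2 > len(pkt):
        raise ValueError("truncated L2TP header")
    return struct.unpack("!H", pkt[off:off + 2])[0]


def build_l2tp(tunnel_id, session_id, payload, control=False, ns=None, nr=None, offset_size=None):
    """L2TPv2 header; control messages must carry Length and Ns/Nr (T, L and S set)."""
    flags = L2TP_VERSION
    if control:
        if ns is None or nr is None:
            raise ValueError("control messages require Ns and Nr")
        flags |= FLAG_T | FLAG_L
    if ns is not None:
        flags |= FLAG_S
    if offset_size is not None:
        flags |= FLAG_O
    tail = struct.pack("!HH", tunnel_id, session_id)
    if flags & FLAG_S:
        tail += struct.pack("!HH", ns, 0 if nr is None else nr)
    if flags & FLAG_O:
        tail += struct.pack("!H", offset_size) + b"\x00" * offset_size
    if flags & FLAG_L:
        return struct.pack("!HH", flags, 4 + len(tail) + len(payload)) + tail + payload
    return struct.pack("!H", flags) + tail + payload


def parse_l2tp(pkt):
    """Parse the header; when Length is present it bounds the message, so UDP padding is dropped."""
    flags = _u16(pkt, 0)
    if flags & VER_MASK != L2TP_VERSION:
        raise ValueError("not an L2TPv2 packet")
    is_control = bool(flags & FLAG_T)
    if is_control and not (flags & FLAG_L and flags & FLAG_S):
        raise ValueError("control message without L and S bits")
    off, length = 2, None
    if flags & FLAG_L:
        length = _u16(pkt, off)
        off += 2
        if length > len(pkt):
            raise ValueError("Length exceeds datagram")
        pkt = pkt[:length]
    tunnel_id, session_id = _u16(pkt, off), _u16(pkt, off + 2)
    off += 4
    ns = nr = None
    if flags & FLAG_S:
        ns, nr = _u16(pkt, off), _u16(pkt, off + 2)
        off += 4
    if flags & FLAG_O:
        off += 2 + _u16(pkt, off)   # the header ends after the last byte of offset padding
    if off > len(pkt):
        raise ValueError("truncated L2TP header")
    return {"control": is_control, "length": length, "tunnel_id": tunnel_id,
            "session_id": session_id, "ns": ns, "nr": nr, "payload": pkt[off:]}


class ControlReceiver:
    """Tracks the Ns expected next on a control connection; arithmetic is modulo 2^16."""

    def __init__(self, expected=0):
        self.expected = expected

    def accept(self, ns):
        """True only for the in-order message; a duplicate (retransmission) or an
        out-of-order Ns is rejected and does not advance the expected value."""
        if ns != self.expected:
            return False
        self.expected = (ns + 1) & 0xFFFF
        return True

    def next_nr(self):
        """Nr to send next: last in-order Ns received plus one, modulo 2^16."""
        return self.expected


def demo():
    ctrl = build_l2tp(7, 0, b"constructed AVPs", control=True, ns=65535, nr=3)
    data = build_l2tp(7, 42, b"\xff\x03\x00\x21constructed PPP frame")
    c = parse_l2tp(ctrl + b"\x00\x00")     # two padding bytes after the message are ignored
    d = parse_l2tp(data)
    rx = ControlReceiver(expected=65535)
    first, replay = rx.accept(c["ns"]), rx.accept(c["ns"])
    return {"control_length": c["length"], "control_ns": c["ns"], "control_nr": c["nr"],
            "control_payload": c["payload"], "data_has_seq": d["ns"] is not None,
            "data_payload_ok": d["payload"] == b"\xff\x03\x00\x21constructed PPP frame",
            "first_accepted": first, "replay_accepted": replay, "next_nr_after_wrap": rx.next_nr()}


if __name__ == "__main__":
    print(demo())
```

Sequence numbers here give the control channel reliable, ordered delivery; they are not a security feature, since anyone who can observe the tunnel can predict them, which is one more reason the section that follows pairs L2TP with IPsec.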


6.6 L2TP packet exchange
During tunnel initiation between the server and the client, several packets are sent
between them to establish the tunnel and create a session.
One requests from the other a particular tunnel and session ID through these packets. After
creating the tunnel and establishing the session, the data is sent with PPP.
The list of messages exchanged between the LAC and the LNS is given below:


Figure 12: L2TP packet exchange


6.7 L2TP/IPSec

Since L2TP lacks confidentiality, it is often implemented along with IPsec. This is referred to
as L2TP/IPsec. The process of setting up an L2TP/IPsec VPN is as follows:

security association (SA), typically through Internet Key Exchange (IKE).
Encapsulating Security Payload (ESP) communication in transport mode. At this point, a
secure channel has been established, but no tunneling is taking place.
negotiation of parameters takes place over the SA's secure channel, within the IPsec
encryption. [1]

Security association: establishment of security attributes between two network
components for the purpose of communication.

Internet Key Exchange (IKE): the protocol used to set up a security association (SA) in
the IPsec protocol suite. [1]

6.8 Advantage of L2TP

L2TP has a number of advantages over PPTP in terms of providing data integrity and
authentication of origin, designed to keep hackers from compromising the system. However,
the increased overhead required to manage this elevated security means that it performs at
a slower pace than PPTP.

7 OpenVPN

OpenVPN is an open source tool used to build site-to-site VPNs with the SSL/TLS protocol
or with pre-shared keys. Its role is to securely tunnel data through a single TCP/UDP
port over an unsecured network such as the Internet and thus establish VPNs.



Figure 13: OPENVPN setup
7.1 FEATURES
EASINESS

A big strength of OpenVPN is that it is extremely easy to install and configure, which is
rarely the case for tools used to create VPNs.

PORTABILITY

OpenVPN can be installed on nearly any platform including Linux, Windows
2000/XP/Vista, Mac OS X, and Solaris.
The Linux systems must have a 2.4 kernel or higher.
CLIENT/SERVER ARCHITECTURE

OpenVPN is based on client/server architecture. It must be installed on both VPN nodes,
one is designated as server the other one as client.

TUNNELLING

OpenVPN creates a TCP or UDP tunnel and then encrypts the data inside the tunnel.
SECURITY MODES

With a pre-shared key, the VPN nodes at the two ends use the same key to encrypt/decrypt
the data between them. Due to this, we may have to give the key to someone whom we don't
trust. This may lead to misuse of data.
The Public Key Infrastructure (PKI) is used to solve this problem. It is based on the fact
that each party owns two keys, a public key known by everybody and a private key kept
secret. This process is used by OpenSSL, the free and open source SSL implementation
integrated in OpenVPN, to authenticate the VPN peers before proceeding to the data
encryption.

7.2 ARCHITECTURE

Encryption
OpenVPN uses the OpenSSL library to provide encryption of both the data and control
channels. It lets OpenSSL do all the encryption and authentication work, allowing OpenVPN
to use all the ciphers available in the OpenSSL package.
Authentication
OpenVPN has several ways to authenticate peers to each other. OpenVPN offers pre-shared
key, certificate-based, and username/password-based authentication. A pre-shared secret
key is the easiest, with certificate-based being the most robust and feature-rich.
Networking
OpenVPN can run over User Datagram Protocol (UDP) or Transmission Control
Protocol (TCP) transports. It has the ability to work through most proxy
servers (including HTTP) and is good at working through Network Address Translation (NAT)
and getting out through firewalls. OpenVPN's use of common network protocols (TCP and
UDP) makes it a desirable alternative to IPsec.
Extensibility
OpenVPN can be extended with third-party plug-ins or scripts which can be called at defined
entry points. The purpose of this is often to extend OpenVPN with more advanced logging,
enhanced authentication with usernames and passwords, dynamic firewall
updates, RADIUS integration and so on. The plug-ins are dynamically loadable modules,
usually written in C, while the script interface can execute any scripts or binaries available to
OpenVPN. In the OpenVPN source code there are some examples of such plug-ins, including
a PAM authentication plug-in. There also exist several third-party plug-ins to authenticate
against LDAP or SQL databases such as SQLite and MySQL. [1]


8. CASE STUDY: IP Tunnel in LINUX

8.1 IP tunneling with the Linux IPIP
Linux IPIP is the simplest IP-in-IP type of tunnel. This simplest form of tunnelling is
generally available on other platforms as well, such as Solaris and Windows. IPIP is simply a
tunnelling protocol and does not involve any sort of encryption, so whatever is carried in the
tunnel crosses the Internet in clear text. It can only tunnel unicast packets; for sending
multicast packets, we will have to use GRE.
For implementing Linux IPIP, the ipip.o kernel module must be installed.

Assume that you have two private networks (10.42.1.0/24 and 10.42.2.0/24) and that these
networks both have direct Internet connectivity via a Linux router at each network. The
"real" IP address of the first network router is 240.101.83.2, and the "real" IP of the second
router is 251.4.92.217.
First, load the kernel module on both routers:
# modprobe ipip

Next, on the first network's router (on the 10.42.1.0/24 network):
# ip tunnel add tunnel0 mode ipip remote 251.4.92.217 local 240.101.83.2 ttl 255
# ifconfig tunnel0 10.42.1.1
# route add -net 10.42.2.0/24 dev tunnel0

And on the second network's router (on the 10.42.2.0/24), reciprocate:
# ip tunnel add tunnel0 mode ipip remote 240.101.83.2 local 251.4.92.217 ttl 255
# ifconfig tunnel0 10.42.2.1
# route add -net 10.42.1.0/24 dev tunnel0


From the first network's router we will be able to ping 10.42.2.1, and from the second network
router we will be able to ping 10.42.1.1. Likewise, every machine on the 10.42.1.0/24
network should be able to route to every machine on the 10.42.2.0/24 network, just as if the
Internet weren't even there.

To bring the tunnel down, on both routers bring down the interface and delete it:
# ifconfig tunnel0 down
# ip tunnel del tunnel0
With this, the tunnel established between the two nodes has been terminated.

8.2 IP tunneling with Generic Routing Encapsulation

As mentioned earlier, GRE routing works the same way as IPIP, but it can also carry multicast
packets. Like IPIP, it is an unencrypted protocol.
In Linux, we will need the ip_gre.o module.
Just as with the IPIP tunnel, we'll assume that we have two private networks
(10.42.1.0/24 and 10.42.2.0/24) and that these networks both have direct Internet connectivity
via a Linux router at each network. The "real" IP address of the first network router is
240.101.83.2, and the "real" IP of the second router is 251.4.92.217.
We'll begin by loading the GRE kernel module on both routers:
# modprobe ip_gre

On the first network's router, set up a new tunnel device:
# ip tunnel add gre0 mode gre remote 251.4.92.217 local 240.101.83.2 ttl 255
# ip addr add 10.42.1.254 dev gre0
# ip link set gre0 up

gre0 is the name of the tunnel device created.
Now, add your network routes via the new tunnel interface:
# ip route add 10.42.2.0/24 dev gre0


The first network is finished. Now for the second:
# ip tunnel add gre0 mode gre remote 240.101.83.2 local 251.4.92.217 ttl 255
# ip addr add 10.42.2.254 dev gre0
# ip link set gre0 up
# ip route add 10.42.1.0/24 dev gre0


We should now be able to pass packets between the two networks as if the Internet
didn't exist. A traceroute from the first network should show just a couple of hops to any host
in the second network.
To bring the tunnel down, run this on both routers:
# ip link set gre0 down
# ip tunnel del gre0
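What the ipip and ip_gre modules of sections 8.1 and 8.2 actually put on the wire, as an added example that is not part of this report and does not touch the kernel or the network: it builds the outer IPv4 header with protocol 4 (IP-in-IP) or 47 (GRE), wraps a constructed inner datagram addressed between the two private networks inside it, and decapsulates it again the way the far router would. The payload string and the choice of ICMP (protocol 1) for the inner packet are constructed for the example; the router and network addresses are the ones used in the case study. Because neither mode encrypts, the inner addresses and payload are readable at every hop, which the checks at the end make visible.

```python
"""IP-in-IP (ipip) and GRE encapsulation on the wire. Added example; pure Python, offline."""
import socket  # only inet_aton/inet_ntoa are used; nothing is sent
import struct

IPPROTO_IPIP = 4          # outer "protocol" field for IP-in-IP (Linux mode ipip)
IPPROTO_GRE = 47          # outer "protocol" field for GRE (Linux mode gre)
ETHERTYPE_IPV4 = 0x0800   # GRE protocol-type field announcing an IPv4 payload

# Constructed sample payload; anything here is visible to every hop on the path.
SAMPLE_PAYLOAD = b"constructed payload: not encrypted by ipip or gre"


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header; 0 when a stored checksum is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 255) -> bytes:
    """Minimal 20-byte IPv4 header without options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + payload_len,   # version 4 / IHL 5, DSCP, total length
                      0, 0x4000,                   # identification, DF flag + fragment offset
                      ttl, proto, 0,               # TTL, protocol, checksum placeholder
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def build_inner(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """The private-network datagram that the tunnel carries (ttl 64, as a host would send)."""
    return ipv4_header(src, dst, proto, len(payload), ttl=64) + payload


def ipip_encapsulate(inner: bytes, outer_src: str, outer_dst: str) -> bytes:
    """mode ipip: the inner datagram follows the outer header directly (20 bytes overhead)."""
    return ipv4_header(outer_src, outer_dst, IPPROTO_IPIP, len(inner)) + inner


def gre_encapsulate(inner: bytes, outer_src: str, outer_dst: str) -> bytes:
    """mode gre: a 4-byte GRE header (no C/K/S options) sits between them (24 bytes overhead)."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)   # flags/version = 0, protocol type
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre) + len(inner)) + gre + inner


def decapsulate(packet: bytes) -> dict:
    """Strip the outer (and GRE) header and return what any router on the path can read."""
    ihl = (packet[0] & 0x0F) * 4
    outer = packet[:ihl]
    if ipv4_checksum(outer) != 0:
        raise ValueError("bad outer IPv4 header checksum")
    proto = outer[9]
    rest = packet[ihl:]
    if proto == IPPROTO_IPIP:
        mode, inner = "ipip", rest
    elif proto == IPPROTO_GRE:
        flags, ptype = struct.unpack("!HH", rest[:4])
        if flags & 0xB000:   # C, K or S bit set: optional fields this example never produces
            raise ValueError("GRE optional fields not handled")
        if ptype != ETHERTYPE_IPV4:
            raise ValueError("unexpected GRE protocol type 0x%04x" % ptype)
        mode, inner = "gre", rest[4:]
    else:
        raise ValueError("not an ipip/gre tunnel packet (protocol %d)" % proto)
    inner_ihl = (inner[0] & 0x0F) * 4
    return {
        "mode": mode,
        "outer": (socket.inet_ntoa(outer[12:16]), socket.inet_ntoa(outer[16:20])),
        "inner": (socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])),
        "inner_proto": inner[9],
        "payload": inner[inner_ihl:],
    }


def is_tunnel_packet(packet: bytes) -> bool:
    """True when the packet decapsulates cleanly; False for corrupt or non-tunnel packets."""
    try:
        decapsulate(packet)
        return True
    except (ValueError, IndexError, struct.error):
        return False


def demo() -> dict:
    """Encapsulate one constructed ICMP datagram both ways and decapsulate each result."""
    inner = build_inner("10.42.1.1", "10.42.2.1", 1, SAMPLE_PAYLOAD)   # 1 = ICMP
    on_wire = {
        "ipip": ipip_encapsulate(inner, "240.101.83.2", "251.4.92.217"),
        "gre": gre_encapsulate(inner, "240.101.83.2", "251.4.92.217"),
    }
    return {name: decapsulate(pkt) for name, pkt in on_wire.items()}


if __name__ == "__main__":
    for name, seen in demo().items():
        print(name, seen["outer"], "->", seen["inner"], seen["payload"])
```

The outer addresses are what the Internet routes on, the inner ones only become meaningful once the far router strips the encapsulation; neither header nor payload is protected in either mode, which is why the report's IPsec and OpenVPN sections exist.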


CONCLUSION
Below is a detailed comparison between PPTP, L2TP and OpenVPN.

Basis
  PPTP:    PPTP is based upon PPP but also provides a vehicle for the data packets to move
           from one host to another.
  L2TP:    L2TP is made from the good features of PPTP and L2F. It also ensures encryption
           of data by IPSec.
  OpenVPN: OpenVPN provides encryption between hosts by SSL/TLS.

Platform support
  PPTP:    It can be used in Windows and other operating systems.
  L2TP:    Windows and MacOS have a built-in system for L2TP/IPSec. The support can be
           extended to iPhone and Android platforms.
  OpenVPN: It works on any platform by installing the client software.

Speed
  PPTP:    It is faster as it has 128 bit keys.
  L2TP:    It is slower as compared to the others because of large encapsulation.
  OpenVPN: It is faster than the others when configured in UDP mode.

Security
  PPTP:    It is not secured. Even Microsoft has declared it to be vulnerable and told users
           to use it at their own risk.
  L2TP:    It utilises IPSec for the encryption services.
  OpenVPN: It uses SSL/TLS and public keys for security. It uses public keys for less
           important information and private keys for encrypted and vulnerable information.

Reliability
  PPTP:    It is not reliable and has compatibility issues with the GRE protocol.
  L2TP:    It is more complicated than any other protocol, which makes it difficult to work
           with.
  OpenVPN: It is very stable and fast over any type of communication channel.


APPENDIX
VPN:

A virtual private network (VPN) extends a private network across a public network,
such as the Internet. It enables a computer to send and receive data across shared or
public networks as if it were directly connected to the private network, while
benefitting from the functionality, security and management policies of the private
network. This is done by establishing a virtual point-to-point connection through the
use of dedicated connections, encryption, or a combination of the two.
A VPN connection across the Internet is similar to a wide area network (WAN) link
between the sites. From a user perspective, the extended network resources are
accessed in the same way as resources available from the private network.
TCP/IP:
Transmission Control Protocol/Internet Protocol, the suite of communications protocols used
to connect hosts on the Internet. TCP/IP uses several protocols, the two main ones
being TCP and IP. TCP/IP is built into the UNIX operating system and is used by the
Internet, making it the de facto standard for transmitting data over networks. Even network
operating systems that have their own protocols, such as NetWare, also support TCP/IP.
IPv4
Internet Protocol version 4 (IPv4) is the fourth version in the development of the Internet
Protocol (IP) and the first version of the protocol to be widely deployed. It is one of the core
protocols of standards-based internetworking methods of the Internet, and routes most traffic
in the Internet. IPv4 is a connectionless protocol for use on packet-switched networks. It
operates on a best effort delivery model; in that it does not guarantee delivery, nor does it
assure proper sequencing or avoidance of duplicate delivery.
IPv6
Internet Protocol version 6 (IPv6) is the latest revision of the Internet Protocol (IP),
the communications protocol that provides an identification and location system for
computers on networks and routes traffic across the Internet.

IPX
Short for Internetwork Packet Exchange, a networking protocol used by the Novell
NetWare operating systems. Like UDP/IP, IPX is a datagram protocol used
for connectionless communications.

NAS
Network-attached storage (NAS) is file-level computer data storage connected to a computer
network providing data access to a heterogeneous group of clients.
AAA Server
An AAA server is a server program that handles user requests for access to computer
resources and, for an enterprise, provides authentication, authorization, and accounting
(AAA) services. The AAA server typically interacts with network access and gateway servers
and with databases and directories containing user information. The current standard by
which devices or applications communicate with an AAA server is the Remote
Authentication Dial-In User Service (RADIUS).

SSL and TLS

SSL is an Internet security protocol used by Internet browsers and Web servers to transmit
sensitive information. SSL has become part of an overall security protocol known
as Transport Layer Security (TLS).
In your browser, you can tell when you are using a secure protocol, such as TLS, in a couple
of different ways. You will notice that the "http" in the address line is replaced with "https,"
and you should see a small padlock in the status bar at the bottom of the browser window.
When you're accessing sensitive information, such as an online bank account or a payment
transfer service like PayPal or Google Checkout, chances are you'll see this type of format
change and know your information will most likely pass along securely.


REFERENCES
[1] http://www.en.wikipedia.org
[2] http://www.avm.de
[3] http://www.pic.dhe.ibm.com
[4] http://www.doc.oracle.com
[5] http://www.cisco.com
[6] http://www.tools.ietf.org/html/rfc2637
[7] http://www.ivpn.net/knowledgebase/62/PPTP-vs-L2TP-vs-OpenVPN.html