How VPN works
A VPN is quite akin to a simple client/server architecture. The server is responsible for storing and sharing encrypted data, providing a gateway for intra-organization communication, and authorizing the clients connected to the network. VPN clients, just like clients in an isolated LAN, send requests to the server to retrieve shared information, establish connections with other clients on the VPN, and process the secured information using the provided applications.
What makes VPN end-to-end communication different from a simple LAN environment is tunneling. You can think of it as a tunnel through the internet cloud through which the data requests and responses travel.
The tunnel is actually just a concept that helps us better understand VPN network dynamics. When you initiate communication or send data over a VPN, the tunneling protocol(s) used by the VPN (such as PPTP, L2TP or IPsec) wrap the data packets inside another packet and encrypt the package that is to be sent through the tunnel. At the receiver’s end, the tunneling device/protocol decrypts the package and then strips off the outer packet to read the original message, revealing the source of the packet and the other information that was hidden in transit.
Compulsory And Voluntary Tunneling
Tunneling is classified by the party that initiates the connection. On that basis there are primarily two types of tunneling: compulsory tunneling and voluntary tunneling. Compulsory tunneling is initiated by the Network Access Server without requiring the user’s input. Moreover, VPN clients don’t have access to information on the VPN server, since they are neither responsible for nor in control of connection initiation. The compulsory tunnel acts as an intermediary between the VPN server and the clients, and is responsible for authenticating the client and setting it up with the VPN server.
Voluntary tunneling is initiated, controlled and managed by the user. Unlike compulsory tunneling, which is managed from the carrier network, it requires the user to establish a connection with the local ISP and then run the VPN client application. You may have used one of the numerous VPN client programs that create secured tunnels to a specific VPN server. When the VPN client software attempts to initiate a connection, it targets a specific or user-defined VPN server. Voluntary tunneling requires nothing more than installing an additional tunneling protocol on the user’s system, so that the system can act as one end-point of the tunnel.
Developed by the IETF, IPsec is mainly responsible for securing Internet Protocol (IP) communication between the end points of a VPN tunnel. The data packets that pass through IPsec are encrypted with AES, DES or 3DES. Moreover, it provides both compression and authentication at the network level. The IPsec VPN technique uses tunnel mode instead of transport mode. Before sending data, it encapsulates the IP packet in a new IPsec packet, ensuring the confidentiality of the original packet. It adds an additional IP header, along with an ESP (Encapsulating Security Payload) header, to apply the security policy and encrypt the original data packet. Apart from ESP, it uses AH (Authentication Header) as a sub-protocol to apply an additional security layer to the original data packet; this prevents third-party interference and IP spoofing.
IP security (IPsec) is often used to secure Internet communications and can operate in two modes. Transport mode encrypts only the payload of the data packet, while tunnel mode encrypts the entire data packet. This protocol can also be used in tandem with other protocols to increase their combined level of security.
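As an added example (not part of the original article, nor taken from any IPsec implementation), the tunnel-mode ESP encapsulation described above in Go with the standard library’s AES-GCM: the whole inner IP packet becomes the ESP payload behind an SPI/sequence header, followed by a trailer whose next-header value 4 (IP-in-IP) marks tunnel mode, and the receiver verifies the integrity check value before stripping the outer framing. The espSA type and its methods are this example’s own; the SPI, key, salt, IV and inner packet are constructed values, and the outer IP header that would carry the ESP packet is omitted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

type espSA struct { // constructed stand-in for one IPsec Security Association (AES-GCM, RFC 4106)
	spi, seq uint32
	salt     []byte // 4-byte salt from the SA; GCM nonce = salt || per-packet 8-byte IV
	aead     cipher.AEAD
}
func newSA(spi uint32, key, salt []byte) (*espSA, error) {
	blk, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	g, err := cipher.NewGCM(blk)
	return &espSA{spi: spi, salt: salt, aead: g}, err
}
// encapsulate wraps a complete inner IP packet in tunnel-mode ESP (RFC 4303):
// SPI || Seq || IV || Enc(inner || padding || padLen || nextHdr=4) || ICV.
func (sa *espSA) encapsulate(inner, iv []byte) []byte {
	sa.seq++ // anti-replay sequence number; authenticated as AAD together with the SPI
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint32(hdr[0:], sa.spi)
	binary.BigEndian.PutUint32(hdr[4:], sa.seq)
	padLen := (4 - (len(inner)+2)%4) % 4 // align payload + trailer to 4 bytes
	pt := append([]byte{}, inner...)
	for i := 1; i <= padLen; i++ { pt = append(pt, byte(i)) } // default padding bytes 1,2,3,...
	pt = append(pt, byte(padLen), 4) // trailer: pad length, then next header 4 = IP-in-IP (tunnel mode)
	nonce := append(append([]byte{}, sa.salt...), iv...)
	return sa.aead.Seal(append(hdr, iv...), nonce, pt, hdr) // GCM tag doubles as the ESP ICV
}
// decapsulate checks the ICV, decrypts, and strips the trailer to recover the inner IP packet.
func (sa *espSA) decapsulate(pkt []byte) ([]byte, error) {
	if len(pkt) < 18+sa.aead.Overhead() || binary.BigEndian.Uint32(pkt) != sa.spi { return nil, fmt.Errorf("short packet or unknown SPI") }
	nonce := append(append([]byte{}, sa.salt...), pkt[8:16]...)
	pt, err := sa.aead.Open(nil, nonce, pkt[16:], pkt[:8])
	if err != nil { return nil, fmt.Errorf("ICV check failed: tampered packet or wrong key") }
	padLen, next := int(pt[len(pt)-2]), pt[len(pt)-1]
	if next != 4 || len(pt) < padLen+2 { return nil, fmt.Errorf("not an IP-in-IP tunnel payload") }
	return pt[:len(pt)-2-padLen], nil
}
func main() {
	sa, _ := newSA(0x1000, []byte("0123456789abcdef"), []byte{1, 2, 3, 4}) // constructed key and salt
	pkt := sa.encapsulate([]byte("inner IPv4 packet (constructed)"), []byte{0, 0, 0, 0, 0, 0, 0, 1})
	inner, err := sa.decapsulate(pkt)
	fmt.Printf("%d-byte ESP packet -> %q %v\n", len(pkt), inner, err)
}
```

A real SA would also hold a replay window and reject sequence numbers it has already seen; here the sequence number is only bound into the ICV so it cannot be altered in transit.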