Overview of VPNs

This section explains the concepts you must understand in order to configure a VPN. It contains the following subsections:

- VPN Configurations
- Routing on a VPN
- VPN Terminology


VPN Configurations

A VPN is used to transfer sensitive company information across an untrusted network, such as the Internet, in a secure fashion by encapsulating and encrypting the data. Novell BorderManager 3.7 supports both client-to-site VPNs and site-to-site VPNs.

Client-to-site VPNs can use two types of connections:

- A dial-in PPP connection made directly to a VPN server
- A dial-in connection to an ISP, with the VPN server reached across the Internet

Site-to-site VPNs can use the following types of secure connections:

- Intranet site-to-site connections, where the encrypted tunnel runs across the company's own private network
- Internet site-to-site connections, where the encrypted tunnel runs across the Internet

Both intranet and Internet site-to-site VPNs can be deployed in one of two ways:


Routing on a VPN

By default, Novell BorderManager 3.7 has dynamic routing enabled for routing IP packets. With dynamic routing, the local private networks of VPN members are automatically known to other VPN members through the encrypted tunnel.

An alternative to dynamic routing is to configure a list of the networks that the VPN protects; this is equivalent to configuring static routes. You can specify one or more local IP network addresses or host addresses in the list. The VPN server uses the list to decide which networks may send encrypted data through the VPN tunnel, so the VPN no longer carries the extra traffic that the dynamic routing protocol generates while it learns the routes to your private networks; in practice this eliminates Routing Information Protocol (RIP) packets from the network.

Use static routes when you do not want VPN servers to exchange routing information. Also use static routes when you run site-to-site and site-to-Internet connections on the same server: with a fixed list of protected networks, only traffic for listed destinations is sent through the tunnel, so data meant for a remote private network cannot be routed to the Internet unencrypted because a route was learned or lost at the wrong moment.
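The following Python example is added here and is not part of the BorderManager documentation or product. It models the forwarding decision a VPN server makes when it works from a fixed list of protected networks rather than from dynamically learned routes. The addresses, the peer names "siteB" and "siteC", and the fail-closed rule for private destinations that no VPN member protects are assumptions made for illustration; the point they demonstrate is the one above: a packet for a private destination that appears in no member's list is dropped rather than forwarded toward the Internet in clear.

```python
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network


def nets(*cidrs: str) -> List[Net]:
    """Parse CIDR strings into network objects."""
    return [ipaddress.ip_network(c) for c in cidrs]


# Constructed sample configuration (an assumption for this example, not a
# network taken from the page): this server protects 10.1.0.0/16, and its
# VPN peers "siteB" and "siteC" protect 10.2.0.0/16 and 10.3.0.0/24.
LOCAL_PROTECTED: List[Net] = nets("10.1.0.0/16")
REMOTE_PROTECTED: Dict[str, List[Net]] = {
    "siteB": nets("10.2.0.0/16"),
    "siteC": nets("10.3.0.0/24"),
}

# RFC 1918 space. A destination in here that no VPN member protects is
# never forwarded in clear toward the public interface (fail closed).
PRIVATE_RANGES: List[Net] = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def _in_any(addr: ipaddress.IPv4Address, networks: List[Net]) -> bool:
    return any(addr in n for n in networks)


def classify(src: str, dst: str,
             local: List[Net] = LOCAL_PROTECTED,
             remote: Dict[str, List[Net]] = REMOTE_PROTECTED) -> Tuple[str, str]:
    """Return (action, reason) for a packet arriving from the private side.

    action is one of:
      tunnel - encrypt and send through the tunnel to the named peer
      local  - destination is on this site, no tunnel involved
      clear  - genuine Internet traffic, leaves unencrypted
      drop   - never forward this packet
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    if not _in_any(s, local):
        return "drop", "source address is not in a local protected network"
    for peer, networks in remote.items():
        if _in_any(d, networks):
            return "tunnel", peer
    if _in_any(d, local):
        return "local", "destination is on this site"
    if _in_any(d, PRIVATE_RANGES):
        # This is the misrouting case: without this rule the packet would
        # follow the default route to the Internet unencrypted.
        return "drop", "private destination protected by no VPN member"
    return "clear", "public destination, sent unencrypted"


def overlaps(local: List[Net] = LOCAL_PROTECTED,
             remote: Dict[str, List[Net]] = REMOTE_PROTECTED) -> List[Tuple[str, str, str]]:
    """Report protected networks claimed by two members at once, a
    configuration error that makes the tunnel decision ambiguous."""
    members = {"local": local, **remote}
    names = sorted(members)
    found = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for na in members[a]:
                for nb in members[b]:
                    if na.overlaps(nb):
                        found.append((a, b, f"{na} overlaps {nb}"))
    return found


if __name__ == "__main__":
    for src, dst in [("10.1.5.5", "10.2.7.7"), ("10.1.5.5", "10.3.1.9"),
                     ("10.1.5.5", "8.8.8.8"), ("192.168.1.1", "10.2.0.1")]:
        print(src, "->", dst, classify(src, dst))
    print("overlaps:", overlaps())
```

Run the overlap check whenever the protected-network list changes on any member: a network listed by two members means two servers both believe they own the destination, and the tunnel decision on every other member becomes order-dependent.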


VPN Terminology

This section discusses the basic VPN terminology you must understand in order to design and plan a VPN. This section explains the following VPN concepts:


Master Server

The master VPN server is the server on which all other VPN servers are added to the VPN. The master server maintains the list of slave servers that belong to the VPN, and it provides the encryption information from which the slave servers generate their encryption keys. A VPN can have only one master server.

The master server is typically placed at a central site where most of the key system administrators are located or where the corporate Information Systems (IS) organization is based.


Slave Server

Other than the master server, all servers on a VPN are slave servers. Slave servers generate their encryption keys from encryption information provided by the master server. A VPN server can be a member of only one VPN at a time.


Tunneling

Tunneling refers to encapsulating data packets inside other data packets. VPN servers encapsulate encrypted IP or IPX packets within IP packets that are used to exchange information across the Internet or local intranet. The connection that is used to exchange these IP packets is called the VPN tunnel or encrypted tunnel.


Client

A VPN client is a dial-in client that uses the Point-to-Point Protocol (PPP) to connect to a slave or master VPN server. After the dial-in connection is established, the client has access to the networks protected by any member of the VPN. The client can dial in to a server directly or can use an ISP connection through the Internet.


Encryption and Key Management

The Novell BorderManager 3.7 VPN software uses 128-bit or 40-bit encryption to keep data hidden and secure. The 40-bit encryption is used in countries where Novell is restricted from selling the 128-bit encryption; a 40-bit key offers little protection against an attacker willing to try every possible key, so use 128-bit encryption wherever you are permitted to. Novell BorderManager 3.7 uses the IPsec standard for Network-layer authentication and encryption and the SKIP standard for key management. SKIP lets you specify in the VPN configuration how many packets can pass through an encrypted tunnel before the authentication and encryption key is automatically changed.
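To make the tunneling and automatic key-change behaviour of the two sections above concrete, here is an added Python model of a tunnel endpoint pair. It is not Novell's code and does not reproduce the IPsec or SKIP wire formats: the shared secret, the four-packet rekey threshold, the outer header layout and the HMAC-based stream cipher are all assumptions for illustration. What it shows is the mechanism: each inner packet is wrapped in an outer packet whose clear header names the key epoch and sequence number, the body is authenticated and encrypted under that epoch's key, and once the configured number of packets has passed the sender moves to the next key while the receiver, counting the same way, derives the same key without any further exchange.

```python
import hashlib
import hmac
import struct

# Assumed for this example: how many packets may use one key before the
# key is changed (the value a SKIP configuration would carry).
REKEY_AFTER = 4

HDR = struct.Struct(">IIH")   # key epoch, sequence within the epoch, inner length
TAG_LEN = 16


def derive_key(master: bytes, epoch: int) -> bytes:
    """Per-epoch traffic key. Simplified model: an HMAC of the shared secret
    and the epoch number stands in for SKIP's real key computation."""
    return hmac.new(master, b"epoch" + struct.pack(">I", epoch), hashlib.sha256).digest()


def keystream(key: bytes, seq: int, length: int) -> bytes:
    """Toy stream cipher (HMAC in counter mode) so the example needs only the
    standard library. A real tunnel uses a standard block cipher; the (key,
    seq) pair is never reused because seq restarts only when the key changes."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">II", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def parse_header(outer: bytes):
    """Return (epoch, seq, inner_len) from an outer packet."""
    return HDR.unpack_from(outer)


class Sender:
    def __init__(self, master: bytes, rekey_after: int = REKEY_AFTER):
        self.master, self.rekey_after, self.sent = master, rekey_after, 0

    def encapsulate(self, inner: bytes) -> bytes:
        """Wrap one inner packet as header + ciphertext + tag. The header is
        sent in clear so the receiver can select the same epoch key."""
        epoch, seq = divmod(self.sent, self.rekey_after)   # key changes every rekey_after packets
        self.sent += 1
        key = derive_key(self.master, epoch)
        hdr = HDR.pack(epoch, seq, len(inner))
        ct = xor(inner, keystream(key, seq, len(inner)))
        tag = hmac.new(key, hdr + ct, hashlib.sha256).digest()[:TAG_LEN]
        return hdr + ct + tag


class Receiver:
    def __init__(self, master: bytes, rekey_after: int = REKEY_AFTER):
        self.master, self.rekey_after = master, rekey_after
        self.seen = set()   # (epoch, seq) pairs already accepted, for replay detection

    def decapsulate(self, outer: bytes) -> bytes:
        epoch, seq, n = parse_header(outer)
        if seq >= self.rekey_after:
            raise ValueError("sequence number beyond the rekey threshold")
        body, tag = outer[HDR.size:HDR.size + n], outer[HDR.size + n:]
        key = derive_key(self.master, epoch)
        want = hmac.new(key, outer[:HDR.size + n], hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, want):
            raise ValueError("authentication failed")
        if (epoch, seq) in self.seen:
            raise ValueError("replayed packet")
        self.seen.add((epoch, seq))
        return xor(body, keystream(key, seq, n))


def accepts(receiver: Receiver, outer: bytes) -> bool:
    """True if the receiver accepts the packet, False if it rejects it."""
    try:
        receiver.decapsulate(outer)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    secret = b"constructed shared secret"          # constructed sample input
    s, r = Sender(secret), Receiver(secret)
    for i in range(6):
        outer = s.encapsulate(b"inner packet %d" % i)
        print(parse_header(outer), r.decapsulate(outer))
```

Because the header carries the epoch in clear, the receiver never needs the sender to announce a key change; it only needs the same secret and the same threshold. That is also why a tampered header fails: the tag covers the header, so an attacker cannot steer the receiver to a different epoch key.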


Server Synchronization and Control

You can set control parameters for your VPN: whether IP, IPX, or both are encrypted; the VPN network topology; and whether a connection between two VPN servers can be initiated by only one server or by either server.

When you synchronize a VPN, the master server updates all slave servers with the most recent topology and encryption key information. You can specify the interval between updates to ensure that any changes are propagated as quickly as possible.


Filters for a VPN

When you set up VPN servers, the NIASCFG utility automatically configures packet (RIP) filters that prevent the propagation of VPN server addresses. The following filters are automatically configured for the VPN:

The VPN packet filters are automatically configured when you enter the public IP address and the VPN tunnel address. If you delete these filters from FILTCFG, you can automatically re-create them using the Update VPN Filter option in NIASCFG.