VPNs (Virtual Private Networks) are commonly requested by all types of companies. Some may not be able to afford an MPLS network, which can prove cost prohibitive. It may also be that the applications a particular company uses simply don't require any specific QoS (Quality of Service), or that the required latencies don't need to be extremely low. On some occasions they may be looking to back up their primary MPLS network through IPsec, which transmits over the public Internet while keeping the data safe and secure, a key demand for all businesses. In all these situations it may be worthwhile to implement a VPN.
As a VNO, we are constantly requested to provide Internet access in hundreds of countries around the globe. Most of these international connection requests are meant to be used with an IPsec (Internet Protocol Security) router sitting behind the access, with the idea of creating a VPN between two or more international delegations. The VPN concept is therefore extremely important to comprehend.
What is a VPN?
The first thing we need to do is understand the general concept of a VPN. Even though different types of Virtual Private Networks exist, with IPsec VPNs being the focus of this article, they all share some parts in common.
A Virtual Private Network is a technique used to protect data transfers over public access mediums such as the Internet. When a VPN tunnel is created, it basically acts as a pipe enclosing the traffic flow, preventing any data leakage. To do so, a set of protocols is used to encapsulate and encrypt data packets when they are sent from one network node to another, which then removes the encapsulation and decrypts the packets. The packets are encapsulated by adding new unencrypted headers and trailers. Since the destination and source addresses in the original packet get encrypted, the intermediary devices read the new outer headers instead of the original packet to understand how to forward it.
What does a VPN offer?
A VPN offers several types of data protection, including confidentiality, integrity, data origin authentication, replay protection and access control.
There are three main categories of VPNs:
-Site-to-Site tunnels (also known as LAN-to-LAN tunnels), which are accomplished at layer 2 and/or layer 3 depending on which protocol or protocol suite is used.
-Software client based, accomplished at layer 4 with SSL (Secure Sockets Layer) or as layer 3 tunnels with IP Security (IPsec). This is commonly called Remote VPN and provides end-to-end protection for the traffic, while Site-to-Site tunnels are set up at network edge devices to protect packets only while they traverse the medium between them.
-Web-VPNs: commonly seen as a subcategory of remote VPN technology, where a client visits a web page residing on a network device to authenticate with SSL.
What is an IPsec VPN?
IPsec is a modular platform of a collection of open protocols responsible for different tasks concerning VPN tunneling. It has become the most common network layer security control.
Several basic IPsec concepts:
Internet Key Exchange (IKE):
To start sending traffic through a tunnel, the nodes have to negotiate how the packets should be encapsulated and encrypted. IKE does this with the use of two protocols:
-ISAKMP: Internet Security Association and Key Management Protocol.
-SKEME: Secure Key Exchange Mechanism.
Authentication Header (AH):
AH protects data in transit to its intended destination: it inserts a header, preceding the payload of the packet, that contains an Integrity Check Value (ICV). AH does not provide any encryption as ESP (seen below) does, so AH alone is not a good alternative when confidentiality is critical.
Encapsulation Security Payload (ESP):
ESP provides encryption of data packets by surrounding the payload with a header and a trailer field. ESP can also optionally provide authentication in the same way as AH does, with the difference that the authentication covers the ESP header and payload and not the full IP packet.
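To make the encapsulation described above concrete, here is an added example (not code from this article or any vendor) that builds and unwraps a miniature ESP tunnel-mode packet: the ESP header (SPI, sequence number) and a simplified outer header stay in the clear, the whole inner IP packet including its addresses is encrypted, an HMAC-based ICV covers the ESP header and ciphertext, and a sequence-number check rejects replays. The keys, addresses and inner packet are constructed sample values; the HMAC-SHA256 counter-mode keystream is an assumed stand-in for the AES transform a real IPsec SA would negotiate via IKE.

```python
import hashlib
import hmac
import struct

def _keystream(k_enc, spi, seq, n):
    # Counter mode with HMAC-SHA256 as the PRF: an assumed stand-in for the
    # AES transform a real ESP security association would use.
    blocks = (hmac.new(k_enc, struct.pack("!IIQ", spi, seq, c), hashlib.sha256).digest()
              for c in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _icv(k_auth, data):
    # HMAC-SHA2-256-128 style ICV: HMAC-SHA256 truncated to 16 bytes.
    return hmac.new(k_auth, data, hashlib.sha256).digest()[:16]

def esp_encapsulate(inner_pkt, spi, seq, k_enc, k_auth, outer_src, outer_dst):
    esp_hdr = struct.pack("!II", spi, seq)          # SPI + sequence number, sent in the clear
    pad_len = (-(len(inner_pkt) + 2)) % 4           # pad so payload + trailer is 4-byte aligned
    trailer = bytes(pad_len) + bytes([pad_len, 4])  # padding, pad length, next header (IPv4)
    plain = inner_pkt + trailer
    body = bytes(p ^ k for p, k in zip(plain, _keystream(k_enc, spi, seq, len(plain))))
    icv = _icv(k_auth, esp_hdr + body)              # covers ESP header + ciphertext, not outer IP
    # Simplified outer "IP header": only new src/dst, readable by intermediary routers.
    return outer_src + outer_dst + esp_hdr + body + icv

def esp_decapsulate(pkt, k_enc, k_auth, seen):
    esp_hdr, body, icv = pkt[8:16], pkt[16:-16], pkt[-16:]
    if not hmac.compare_digest(icv, _icv(k_auth, esp_hdr + body)):
        return None                                 # integrity failure: drop the packet
    spi, seq = struct.unpack("!II", esp_hdr)
    if seq in seen:
        return None                                 # replayed sequence number: drop
    seen.add(seq)                                   # a set stands in for the anti-replay window
    plain = bytes(c ^ k for c, k in zip(body, _keystream(k_enc, spi, seq, len(body))))
    return plain[:-(plain[-2] + 2)]                 # strip padding, pad length and next header

# Constructed sample: inner IPv4 packet 10.0.0.1 -> 10.0.1.7 carrying "hello" over UDP.
PAYLOAD = b"hello"
INNER = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(PAYLOAD), 0, 0, 64, 17, 0,
                    bytes([10, 0, 0, 1]), bytes([10, 0, 1, 7])) + PAYLOAD
K_ENC, K_AUTH = b"\x01" * 32, b"\x02" * 32         # assumed keys; IKE would derive these

def demo():
    seen = set()
    wire = esp_encapsulate(INNER, 0x1000, 1, K_ENC, K_AUTH, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 5]))
    first = esp_decapsulate(wire, K_ENC, K_AUTH, seen)      # valid packet: inner packet recovered
    replay = esp_decapsulate(wire, K_ENC, K_AUTH, seen)     # same sequence number again: dropped
    bad = wire[:20] + bytes([wire[20] ^ 1]) + wire[21:]     # flip one ciphertext byte: ICV fails
    tampered = esp_decapsulate(bad, K_ENC, K_AUTH, set())
    return first, replay, tampered, INNER[12:20] not in wire
```

The last value returned by demo() confirms that the inner source and destination addresses never appear on the wire, which is exactly why the outer header is needed for forwarding.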
What we can offer:
Internet service providers (ISPs) depend on one another to provide global network services. Autonomous ISPs establish contracts with others that suit their own local objective of maximizing profit. However, we understand that the profit-seeking nature of ISPs leads to selfish behaviour that can result in inefficiencies and disputes in the network. In this environment, if more than one international delegation needs to be connected, it may be a good idea to turn to a VNO (Virtual Network Operator). A VNO can offer homogeneous IPsec equipment worldwide, contracting all international sites at a local level and operating as a single one-stop shop that includes not only the hardware, configuration and installation but also the most suitable Internet access, from best-effort business ADSL or SDSL (Asymmetric or Symmetric Digital Subscriber Line) lines up to fully dedicated leased lines.
We usually deal with a minimum range of 4 IP addresses, so that the modem-router owned by the local ISP takes one assigned IP and the IPsec router connected behind it takes the other free fixed IP. This way we have the chance of monitoring both CPEs (Customer Premises Equipment) remotely.
There are four different situations we have encountered when it comes to delivery options for an IPsec router on a particular international access:
1- We provide, configure and install onsite the IPsec router connected behind the DSL/DIA (Dedicated Internet Access) modem-router. The routers are managed by us and all configuration changes need to be requested.
2- We provide, configure and install onsite the IPsec router. Remote management is then handed to the customer so that the IPsec CPE is remotely accessible. Configuration changes may be done remotely by the customer with no prior notification.
3- Remote access to the IPsec router is provided by connecting it onsite. The IPsec configuration is done remotely by the customer, who gets full management of the router.
4- The IPsec router is provided, configured and delivered to each location by the customer; once onsite, a technician of ours acts as a remote hands engineer, plugging the equipment in behind the DSL/DIA modem-router.
Thanks to a global network of Cisco Partners and hundreds of ISP and carrier partnerships, it is possible to avoid customs delays and shipping costs.