1.1 What is PacketiX VPN?
PacketiX VPN is next-generation VPN software that offers stability,
flexibility and expandability. It is suited to networks of every scale,
from the high-bandwidth, high-load networks required by large
corporations and Internet providers to the networks of small and
medium-sized businesses, individuals and homes.
This section contains an overview of PacketiX VPN, a comparison with
older VPN protocols, and a description of its advanced functions.
1.1.1 SoftEther VPN and PacketiX VPN
SoftEther Corporation previously developed and distributed VPN
software called SoftEther 1.0. SoftEther 1.0 allowed users to construct
a simple layer 2 VPN by installing a Virtual Network Adapter and a
Virtual HUB on Windows, and was distributed as freeware.
PacketiX VPN 2.0 is the successor to SoftEther 1.0. When developing
PacketiX VPN 2.0, however, SoftEther Corporation did not reuse a single
line of the SoftEther 1.0 source code; the product was designed and
developed from scratch. PacketiX VPN 2.0 therefore carries over none of
the defects of SoftEther 1.x (CA 1.x), nor its lack of interoperability
and limited expandability.
At the beta stage the name PacketiX VPN 2.0 had not yet been decided,
and the product was tentatively called SoftEther VPN 2.0. With the
official release the name was changed to PacketiX VPN 2.0, under
PacketiX, a new brand name covering the network and security products
of SoftEther Corporation.
The name SoftEther VPN 2.0, which still appears on the Internet and in
articles in some magazines and books, and PacketiX VPN 2.0 refer to one
and the same product.

Fig. 1-1-1. Correlation of SoftEther 1.0 and PacketiX VPN 2.0
1.1.2 Structure and Operating Principle of VPN
A Virtual Private Network (VPN) is a technology that began to spread
around 1998. VPN technology allows users to construct a virtual network
that maintains security over an existing IP network such as the
Internet, and to communicate freely within that virtual network.
The following is a description of the structure common to VPNs.
Tunneling and Encapsulating
A VPN is a solution for constructing a virtual network. It relies on a
technique called "tunneling", which lets users build a virtual network
between two remote points on an existing public IP network and
communicate freely across it.
With tunneling, packets that would normally travel over a physical
medium such as a conventional network cable or optical fiber are not
transmitted directly on the physical network; instead they are
encapsulated as the data of another protocol, such as TCP/IP packets.
Encryption and an electronic signature can be added at the same time as
encapsulation.
The encapsulated data is transmitted through a session called a
"tunnel" between the start point and the end point of the VPN
communication. The receiving party extracts the original packets from
the capsules. If the data was encrypted when it was encapsulated, it
must be decrypted. If an electronic signature was added, the receiver
can check whether the contents of the packet were tampered with in
transit by verifying the integrity of the signature.
Because all data exchanged between the sending computer and the
receiving computer travels through the tunnel in encapsulated form,
unprotected data is never exposed on the network.

Fig. 1-1-2. Structure and operating principle of common VPN
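The encapsulate, encrypt, sign and verify steps described above, as an added illustration that is not part of this manual and not the PacketiX VPN protocol: a frame is wrapped as the payload of a byte stream (what a TCP tunnel carries), encrypted, and protected by an HMAC tag that the receiver checks before decrypting. The keys are fixed demo values, and the SHA-256 counter keystream is an assumption standing in for the SSL ciphers a real tunnel uses.

```python
"""Toy tunnel: encapsulate frames as authenticated, encrypted records.
Constructed for illustration only; not the PacketiX VPN record format."""
import hashlib
import hmac
import os
import struct

# Constructed demo keys. A real tunnel derives fresh keys in its handshake.
ENC_KEY = hashlib.sha256(b"demo-encryption-key").digest()
MAC_KEY = hashlib.sha256(b"demo-integrity-key").digest()

NONCE_LEN, LEN_FIELD, TAG_LEN = 12, 2, 32
HEADER_LEN = NONCE_LEN + LEN_FIELD


class TamperedRecord(Exception):
    """Raised when a record fails its integrity check or is malformed."""


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode as a stand-in stream cipher (illustration only)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">I", block)).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encapsulate(frame: bytes) -> bytes:
    """Wrap one frame as: nonce || length || ciphertext || HMAC tag.

    Encrypt-then-MAC: the tag covers header and ciphertext, so any change
    on the wire is detected before decryption is even attempted."""
    if len(frame) > 0xFFFF:
        raise ValueError("frame too large for 16-bit length field")
    nonce = os.urandom(NONCE_LEN)
    ciphertext = xor_bytes(frame, keystream(ENC_KEY, nonce, len(frame)))
    header = nonce + struct.pack(">H", len(ciphertext))
    tag = hmac.new(MAC_KEY, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def decapsulate(record: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises TamperedRecord on any modification."""
    if len(record) < HEADER_LEN + TAG_LEN:
        raise TamperedRecord("truncated record")
    nonce = record[:NONCE_LEN]
    (length,) = struct.unpack(">H", record[NONCE_LEN:HEADER_LEN])
    body_end = HEADER_LEN + length
    ciphertext = record[HEADER_LEN:body_end]
    tag = record[body_end:body_end + TAG_LEN]
    if len(ciphertext) != length or len(tag) != TAG_LEN:
        raise TamperedRecord("length field does not match record")
    expected = hmac.new(MAC_KEY, record[:body_end], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise TamperedRecord("integrity check failed")
    return xor_bytes(ciphertext, keystream(ENC_KEY, nonce, length))


def split_records(stream: bytes) -> list:
    """Walk a byte stream (what a TCP tunnel session carries) and decapsulate
    each record in turn; a truncated tail is reported as tampering."""
    frames, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < HEADER_LEN:
            raise TamperedRecord("truncated header")
        (length,) = struct.unpack(">H", stream[pos + NONCE_LEN:pos + HEADER_LEN])
        end = pos + HEADER_LEN + length + TAG_LEN
        frames.append(decapsulate(stream[pos:end]))
        pos = end
    return frames


def tamper_detected(frame: bytes, byte_index: int) -> bool:
    """Flip one bit of a record at byte_index; report whether the receiver notices."""
    record = bytearray(encapsulate(frame))
    record[byte_index] ^= 0x01
    try:
        decapsulate(bytes(record))
    except TamperedRecord:
        return True
    return False


if __name__ == "__main__":
    sample = b"constructed Ethernet frame bytes"     # constructed sample payload
    print("round trip ok:", decapsulate(encapsulate(sample)) == sample)
    print("ciphertext flip detected:", tamper_detected(sample, HEADER_LEN + 3))
```

The order matters: the receiver rejects a record whose tag does not verify without ever decrypting it, which is the integrity test the text refers to. In PacketiX VPN this role is filled by SSL rather than by a hand-rolled record format.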
Ensuring Security of Transmitted Data by Encryption
One of the advantages of using a VPN is the enhanced security provided
by encryption.
An IP network that anyone can access, such as the Internet, is always
exposed to the danger of eavesdropping and masquerading. Even when
expensive transmission services and infrastructure such as dedicated
lines or satellite links are used, the lines could be physically tapped,
the data could be viewed by communications company technicians out of
malice or curiosity, or it could be intercepted and analyzed by a
government. When sending and receiving data over such a WAN, it is
therefore recommended that the data be encrypted by some means.

Fig. 1-1-3. Danger of sending and receiving data over the Internet
A possible problem is that not all existing communication applications
and protocols support encryption. For example, the HTTP protocol has an
SSL-encrypted variant called HTTPS, and the SSH protocol has been
encrypted from the beginning. Numerous Internet-based applications,
however, either have no encryption function or, if they do, may have
problems with its implementation or its encryption strength.

Fig. 1-1-4. Encrypted packets and packets that are not encrypted
If these conventional communications protocols with insufficient
security are used as they are over a WAN such as a dedicated line or the
Internet, the data can be intercepted or altered by an attacker.
By using a VPN to automatically encrypt the communication of almost
all applications that use IP or Ethernet, security can be dramatically
enhanced.
Better Connectivity and Network Independence
Another significant advantage of using a VPN is that it enhances
connectivity and offers independence from the underlying network.
On a public IP network such as the Internet, as a rule, a computer with
any IP address can transmit an IP packet to any other computer with any
IP address. When a client computer and a server computer communicate
over the Internet, the server may therefore also receive packets from a
different computer with malicious intent. Worms that exploit security
holes in vulnerable operating systems, transmission software and server
software are circulating on the Internet today, and infection is a real
possibility. Because a computer directly connected to the Internet is
substantially unsafe, it is not recommended that computers which process
important business communications data be assigned global Internet IP
addresses and connected directly to the Internet.
However, when sending and receiving data between remote bases via a
public IP network such as the Internet, as a rule at least one side must
have a global IP address with a port open and waiting for connections;
this is inherent in the TCP/IP protocol. Thus, if a VPN is not used, IP
reachability must be ensured for the computers at both remote bases, and
the security problems mentioned above can arise.

Fig. 1-1-5. When carrying out a TCP/IP connection on the Internet, as a
rule at least one side must have a global IP address and the port must
be open to the public.
By using a VPN these problems can be solved easily and reliably. As
mentioned above, VPN communication consists of encapsulated packets
flowing through a tunnel established between the computers at the remote
bases. When the tunnel is established, the computers mutually
authenticate each other's users, and the tunnel is established only if
authentication succeeds. Once the tunnel is established it is maintained
constantly, as long as the physical network connection is not cut off;
all data flowing through the tunnel is encrypted and, if an electronic
signature is added, other computers on the Internet unrelated to the
tunnel can no longer interfere with its communications.
With this tunneling technology, multiple computers and computer
networks at remote bases can be connected using a VPN, and the resulting
secure virtual network can, in theory, be made independent of the
security problems of WAN lines such as the Internet.

Fig. 1-1-6. Prevention of eavesdropping/tampering by a malicious third party using VPN
Inexpensive Internet Connection can be Used Instead of Dedicated Line
By using the VPN structure described above, communication between
computers at any bases can be conducted via the Internet, without the
dedicated line services that used to charge high usage fees, and with
security more robust than that of a dedicated line.
In particular, because Internet services using optical fiber or ADSL
have recently become available for several thousand yen per month, such
inexpensive services can be used for the same or safer communications.
By using a VPN, a virtual communications network dedicated to the
company can be established within a public network in which any
computers can communicate freely over IP, such as the Internet, and a
safe, stable and independent network can be constructed without worrying
about the dangers of the Internet.

Fig. 1-1-7. Using an inexpensive and fast Internet connection instead of a dedicated line
1.1.3 Limitations of Old VPN Solutions
Several VPN software and hardware solutions have existed for some
time, and since 1998 VPN technology and technologies based on it have
been used at various sites. For example, the following VPN protocols are
currently incorporated into several network products:
- PPTP
- L2TP / IPSec
- vtun
- OpenVPN
- Port forwarding by SSH
- Other minor VPN standards
However, many older VPN protocols have the following limitations, and
under various circumstances their use must be restricted or is
impossible.
Difficulty Passing Network Gateway Devices
In many business networks, and in some home networks, the company
network is separated from the Internet by measures such as NAT (IP
masquerade), proxy servers and firewalls, which conserve IP addresses
and bolster security. The devices that perform this processing are
called network gateway devices. In some cases a network gateway device
is a dedicated device (appliance), and in others it is a
high-performance computer running Linux or a similar system.
However, many older VPN protocols cannot communicate through such
network gateway devices. One reason is that many VPN protocols add
headers of special protocols that are not ordinary TCP/IP when
encapsulating communication packets. For example, the VPN protocol PPTP
uses an extremely minor protocol called Generic Routing Encapsulation
(GRE). The VPN protocol L2TP furthermore requires the use of IPSec, so an
IPSec header is added to each packet.
Because the majority of conventional VPN protocols, as in these
examples, realize VPN communication with an approach unlike the ordinary
TCP/IP connection-oriented communication model, they cannot carry out
VPN communication across many network gateway devices, especially NAT
(IP masquerade) and almost all proxy servers and firewalls.
Therefore, to use the majority of conventional VPN protocols, either a
global IP address must be allotted to both the VPN client computer
initiating the connection and the destination VPN server computer, or
network gateway devices customized to process the special packets must
be installed.

Fig. 1-1-8. Many older VPN protocols have difficulty passing NAT routers, firewalls, etc.
Limitations on Protocols that can Communicate within the VPN
Many conventional VPN protocols are limited to layer 3 protocols (the
IP layer, etc.) and the upper-layer protocols above them (the TCP layer,
application layer, etc.), and communication is conducted by
encapsulating these in the tunnel. With this system, however, protocols
that do not conform to IP cannot communicate via the VPN at all.
For example, in many cases legacy protocols still used by
general-purpose equipment, such as special control protocols, IPX/SPX
and NetBEUI, cannot be used via the VPN, and it is difficult to carry
existing system communications over an Internet VPN in place of a
dedicated line.

Fig. 1-1-9. An older VPN protocol that encapsulates IP cannot send and receive packets other than IP packets
IP Routing is Necessary
Among older VPN protocols, if the VPN is realized using a type of
protocol that encapsulates layer 3 (the IP layer), basically one of the
following must be selected.
1. Install VPN client software on all computers participating in the
VPN and connect.
2. Connect the existing network of the base to the VPN and conduct IP
routing.
If the VPN is constructed by method 1, VPN client software is installed
on every computer that may connect to the VPN, and each computer
connects to the VPN server to communicate; communication is then
possible only between computers on which the VPN client software is
installed. With this method, however, the more computers that need VPN
communication, the more administration is required, and computers on
which VPN client software cannot be installed, as well as network
devices such as network appliances and digital home appliances, cannot
participate in the VPN.
If the VPN is constructed by method 2, the computers on the networks of
the bases connected to the VPN can send and receive data to and from
each other, and computers on which VPN client software cannot be
installed, network appliances and digital home appliances automatically
participate in the VPN. This method is disadvantageous, however, in that
it requires IP routing between the existing networks connected to the
VPN and the virtual network created by the VPN.
Therefore, if a remote access VPN or a base-to-base VPN is realized with
an old VPN protocol, large-scale configuration changes to the existing
networks are required, such as modifying the routing tables of the
existing IP routers.

Fig. 1-1-10. Devices that do not support routing cannot communicate via an old IP-based VPN
Dependence on a Certain Platform
For many old VPN protocols, the range of platforms supporting each
protocol is not very wide, and even where a protocol can be used across
multiple platforms, differences in the respective implementations have
caused trouble in practical use in some cases.
Some VPN protocols furthermore require hardware from certain network
device vendors, and compatibility between vendors' implementations has
declined.

Fig. 1-1-11. Communication among VPN products of different vendors cannot be carried out
High Cost, Low Performance
The prices of network devices and security software, including
network security solutions other than VPN, are generally extremely high.
Realistically, however, network security products introduced at high
cost often fail to satisfy performance and functional requirements.
With regard to function and performance in particular, the most
important goal of conventional VPNs is providing security; traversal of
networks and communications performance were not considered as
important. The reason is that when the old VPN protocols appeared,
broadband was not yet widespread, and the fastest Internet connection
available to average businesses and homes had speeds of only several
Mbps to tens of Mbps.
Today, Internet connection lines of several tens of Mbps to 100 Mbps
for ordinary homes, and gigabit-scale lines for the backbones of
broadband line businesses, are available at an extremely low price
compared to several years ago. There is not much VPN hardware or VPN
software that can use these fast physical lines efficiently, and the
products that do exist are mostly implemented on extremely expensive
dedicated network devices.
Need for a New VPN System to Compensate for the Shortcomings of Old VPN
Protocols
Old VPN protocols have the problems described above and various
others. A highly functional, reliable and highly flexible VPN system
that solves these problems and limitations is therefore necessary.
1.1.4 VPN Communication by PacketiX VPN
In addition to solving the various limitations of old VPN solutions
described above, PacketiX VPN 2.0 is VPN software with many new and
innovative functions.
Features of PacketiX VPN 2.0
With PacketiX VPN 2.0 alone, many tasks that previously could not be
accomplished without combining multiple network security products or
software, or without programming and developing original tools, can be
realized with a simple operation.
PacketiX VPN 2.0 encapsulates and tunnels communication at layer 2,
that is, at the Ethernet level. Network devices such as conventional
network adapters, switching HUBs and layer 3 switches are realized in
software, and by connecting them through tunnels using the PacketiX VPN
protocol, which is based on TCP/IP, the user can construct highly
flexible VPNs that were not possible with previous products.
The operating principle and specifications of PacketiX VPN are
explained in 「1.4 VPN Operation Principle and Communication Method」. The
methods of actually designing, constructing and applying various
networks with PacketiX VPN are explained in 「Chapter 10 Instructions and
Examples For Configuring a VPN」.

Fig. 1-1-12. Virtualizing various types of Ethernet hardware devices with PacketiX VPN
Advantages of Virtualizing Ethernet
Unlike many old VPN protocols, PacketiX VPN targets layer 2 (Ethernet)
for VPN communication. In other words, with older VPNs that targeted
layer 3, encapsulated IP packets flowed through the tunnel, whereas with
PacketiX VPN encapsulated Ethernet frames flow through the tunnel.

Fig. 1-1-13. Comparison of an old VPN protocol and PacketiX VPN when a base-to-base VPN is constructed
1.1.5 Passing NAT, Proxy Servers and Firewalls
PacketiX VPN conducts VPN communication by establishing a VPN session,
called a tunnel, between VPN Server and VPN Client or VPN Bridge.
Packets that virtually flow in the VPN session, which is an Ethernet
network, are actually encapsulated and flow through the physical IP
network. PacketiX VPN encapsulates arbitrary Ethernet frames in TCP/IP;
this is a feature absent from the majority of old VPN protocols.
With PacketiX VPN, any TCP/IP port number can be designated and used
for VPN communication. The default port numbers are 8888, 443 (the HTTPS
port) and 992. For details on designating TCP/IP port numbers, see
「3.3.6 Listener Ports」.
Because PacketiX VPN conducts all VPN communication over TCP/IP, it can
communicate through the majority of network gateway devices; a VPN can
easily be established through almost all types of NAT, proxy servers
and firewalls.
With PacketiX VPN, VPN communication can be conducted easily and safely
even in environments where NAT, proxy server or firewall settings used
to make a VPN hard to use.
Because it is no longer necessary to open a hole in the existing
firewall settings to introduce a VPN, the burden on the network
administrator is reduced, and deterioration of network security due to
firewall configuration changes is avoided.
Users with a laptop computer running VPN Client can also safely access
the company LAN via free Internet connection spots such as stations,
airports and hotels at their destination. Because many free Internet
connection spots use NAT, firewalls or transparent proxy servers,
conventional VPN protocols often cannot be used there; with PacketiX
VPN they can be used without worry.

Fig. 1-1-14. Passage through NAT, proxy servers or firewalls by PacketiX VPN
1.1.6 Stability and Security
As mentioned above, PacketiX VPN uses only the TCP/IP protocol for VPN
communication, and any Ethernet frames can be tunneled. During VPN
communication, PacketiX VPN encrypts all data using the Internet-standard
encryption protocol Secure Socket Layer (SSL). The system administrator
can choose any of the supported encryption and electronic signature
algorithms. For details see 「3.3.15 Selecting Encryption Algorithms for
use in SSL Transmission」.
With PacketiX VPN, not only is communication encrypted, but security
for user authentication and server authentication is also bolstered.
PacketiX VPN supports user authentication using the RADIUS servers used
by companies, NT domain / Active Directory, and certificate
authentication using X.509 and RSA. It also supports some smart cards
for uses that require high security. For details see 「1.5 Bolstering
Security」.
The protocol that actually flows through the physical IP network during
VPN communication, carrying VPN communication packets and security
checks such as user authentication, is called the PacketiX VPN protocol.
The PacketiX VPN protocol not only encrypts all communication contents
with SSL, but also establishes several simultaneous SSL connections
between VPN Server and VPN Client or VPN Bridge and reconnects them at
staggered intervals. It can therefore communicate stably through certain
special network devices that drop TCP/IP connections after a certain
time, and stable VPN communication is also possible over telephone lines
with a high packet loss rate, some ADSL lines, PHS, wireless LAN and so
on. For details see 「4.4.11 Advanced Communication Settings」.

Fig. 1-1-15. User authentication by the PacketiX VPN protocol
1.1.7 High-speed Communications Throughput
Many older VPN protocols focused only on providing security, and
communication throughput tends not to be high when VPN communication is
carried out.
PacketiX VPN is optimized for high performance on any line, from
low-speed lines such as ISDN and PHS to high-speed lines of 100 Mbps and
1.0 Gbps. For example, it can achieve a throughput of several hundred
Mbps on a computer with a Pentium 4 2.8 GHz processor, currently
available at a low price, even when running VPN Server.
The problems of reduced throughput and marked delay caused by
retransmission when TCP/IP is used for VPN tunnel communication,
discussed in several papers, are mitigated by the technology of
establishing multiple parallel TCP/IP connections between VPN Server and
VPN Client or VPN Bridge. For details see 「4.4.12 Number of TCP/IP
Connections for VPN Session Communications」.
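One way a single VPN session can be spread over several parallel TCP connections, covering both the reconnection behaviour in 1.1.6 and the throughput point above, as an added simulation that is not part of this manual: records carry a session sequence number, the sender stripes them round-robin over the connections, and the receiver releases frames strictly in order. When one connection stalls, data on the others still arrives but in-order delivery waits; once the stalled connection is dropped and its records re-queued on the survivors, the session resumes without loss. The Sender/Receiver classes, the round-robin policy and the re-queue rule are assumptions for illustration, not the documented PacketiX VPN protocol.

```python
"""Simulation of one VPN session striped over several parallel TCP
connections with in-order reassembly at the receiver. Constructed
illustration of the general technique; not the PacketiX VPN protocol."""
import heapq
from collections import deque


class Sender:
    """Tags each frame with a session sequence number and stripes it
    round-robin over the open connections (each a FIFO, like a TCP stream)."""

    def __init__(self, n_connections: int):
        self.queues = [deque() for _ in range(n_connections)]
        self.next_seq = 0

    def send(self, frame: bytes) -> int:
        conn = self.next_seq % len(self.queues)
        self.queues[conn].append((self.next_seq, frame))
        self.next_seq += 1
        return conn

    def connection_lost(self, conn: int) -> int:
        """Move records still waiting on a dropped connection onto the survivors.
        Returns how many records were re-queued."""
        stranded = list(self.queues[conn])
        self.queues[conn].clear()
        survivors = [i for i in range(len(self.queues)) if i != conn]
        for k, item in enumerate(stranded):
            self.queues[survivors[k % len(survivors)]].append(item)
        return len(stranded)


class Receiver:
    """Releases frames strictly in sequence order, holding early arrivals."""

    def __init__(self):
        self.expected = 0
        self.pending = []       # min-heap of (seq, frame)
        self.delivered = []

    def on_record(self, seq: int, frame: bytes) -> None:
        heapq.heappush(self.pending, (seq, frame))
        while self.pending and self.pending[0][0] == self.expected:
            _, frame = heapq.heappop(self.pending)
            self.delivered.append(frame)
            self.expected += 1


def drain(sender: Sender, receiver: Receiver, conn: int) -> int:
    """Deliver everything queued on one connection, in FIFO order."""
    count = 0
    while sender.queues[conn]:
        receiver.on_record(*sender.queues[conn].popleft())
        count += 1
    return count


def simulate_stall() -> dict:
    """Three connections; connection 1 stalls, is dropped, and its records are
    re-sent over the other two. The frames are constructed sample payloads."""
    sender, receiver = Sender(3), Receiver()
    frames = [b"frame-%d" % i for i in range(9)]
    for f in frames:
        sender.send(f)
    drain(sender, receiver, 0)          # connections 0 and 2 keep flowing
    drain(sender, receiver, 2)
    result = {"delivered_before": len(receiver.delivered),
              "held_back_before": len(receiver.pending)}
    result["requeued"] = sender.connection_lost(1)   # stalled link dropped
    drain(sender, receiver, 0)
    drain(sender, receiver, 2)
    result["final_order_ok"] = receiver.delivered == frames
    result["held_back_after"] = len(receiver.pending)
    return result


if __name__ == "__main__":
    print(simulate_stall())
```

The held-back count is the cost of in-order delivery across independent streams: it is what the reconnection interval setting in 4.4.11 trades against, since a connection that is dropped and re-opened quickly frees the stranded records sooner.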
1.1.8 Advanced Functions and Expandability
Many older VPN products realized only VPN communication itself.
Advanced functions such as logging all packets flowing inside the VPN,
packet filtering inside the VPN communication, or applying a highly
flexible security policy were extremely rare.
With PacketiX VPN, the VPN Server, VPN Client and other software are
equipped with extremely advanced functions. For example, the following
functions can easily be configured and used for restricting VPN
communication, network administration and other purposes.
- Flexible adjustment of communication parameters of the PacketiX VPN protocol
- Logging the VPN operation log or the contents of some packets
- Advanced security functions
- VPN communications monitoring
- Handling large environments by clustering
- Flexible user authentication
- Layer 3 switching function, virtual NAT and virtual DHCP server function
- Administration automation
- Others
Details of these functions are provided in other sections of this
chapter and in 「Chapter 2: PacketiX VPN 2.0 Overall Manual」, 「Chapter 3
PacketiX VPN Server 2.0 Manual」, 「Chapter 4 PacketiX VPN Client 2.0
Manual」, etc.
With PacketiX VPN, the majority of these functions are provided in
software rather than in specific hardware. The internal program
structure is carefully divided into modules, which facilitates the
addition of new functions in the future and makes the product much more
expandable than hardware-based VPN solutions.
1.1.9 Platform Independence and Interoperability
PacketiX VPN currently supports various combinations of operating
systems and CPUs, so it runs on various platforms. With a few
exceptions, PacketiX VPN works the same regardless of CPU type or
platform, whether Windows, Linux, FreeBSD, Solaris or Mac OS X.
The PacketiX VPN program code is written in highly portable C and is
programmed so as not to depend on a particular operating system.
PacketiX VPN currently supports the operating environments listed in
「Chapter 12 PacketiX VPN Software Specification」, but will support even
more operating systems and CPU hardware in the future. This also
facilitates integration into network appliances such as routers and
firewalls.
PacketiX VPN installations running in different environments can also
be reliably connected to each other via the Internet. Thus, if a VPN is
constructed using PacketiX VPN, mutual connectivity is technically
maintained even as the number of systems and devices supporting PacketiX
VPN increases.
1.1.10 Addition of Functions by Option Pack
SoftEther Corporation is constantly developing new functions for its
VPN software.
With conventional software products, to use new functions that appear
after a product has shipped, you have to purchase and upgrade to a new
version of the software, which involves cost.
With PacketiX VPN, when new functions are developed, you can use them
right away by installing the new version of the Option Pack, without
purchasing an upgrade (limited to cases where the newly developed
functions correspond to PacketiX VPN software of the same major
version). The Option Pack can be downloaded free of charge. If you have
an Option Pack license, you can install and use it at any time, thus
eliminating the need to pay additional cost each time new functions come
out, or to purchase a software license for a new major version upgrade.
For more information on the Option Pack, see #1.3.21#.