1.6 VPN Communication Details
This section briefly describes the basic concepts involved in VPN
communication using PacketiX VPN, and points out the important things
to know when constructing a VPN with PacketiX VPN.
1.6.1 VPN Sessions
With PacketiX VPN, VPN communication starts when the VPN connection
source computer connects to the VPN Server by VPN. This unit of VPN
communication is referred to as a "VPN session".
In 「1.4.2 Virtual HUB」 it was explained that, in addition to emulating a
conventional Ethernet switching hub, PacketiX VPN can accept a connection
from a VPN connection source just as a conventional switching hub accepts
a cable at one of its physical ports.
Physical network adapters and switching hubs are connected to each
other by network cable. In the case of PacketiX VPN, when a Virtual
Network Adapter or a Virtual HUB on another computer is connected to a
Virtual HUB, the communication contents are tunneled and flow through
the physical network as the TCP/IP-based PacketiX VPN protocol.
Consequently each PacketiX VPN protocol connection plays the same role
for the Virtual HUB that a network cable plays for a physical Ethernet
switch, and can be regarded as one unit of Ethernet connection.
With PacketiX VPN, whenever VPN Client connects by VPN to VPN Server,
or Virtual HUBs connect to each other by cascade connection, a
transmission path for VPN communication is established and
encapsulated Ethernet frames are transmitted over it; in every such
case a VPN session is established between the VPN connection source
and VPN Server. In addition, virtual hosts or DHCP servers that are
connected to a Virtual HUB by software, although they do not
physically exist, internally generate VPN sessions of their own.
For more information on VPN sessions, see the rest of this chapter
and 「3.4.5 Session Management」, etc.

Fig. 1-6-1 List of VPN session types from perspective of Virtual HUB
As will be explained in the following sections, the following seven
types of session exist for PacketiX VPN 2.0. Apart from some special
handling, Virtual HUB processes all of them by the same mechanism.
Type              | Session name                   | Generator
Ordinary session  | Client mode session            | Conventional VPN connection from VPN Client
                  | Bridge/router mode session     | Conventional VPN connection from VPN Client; cascade connection from VPN Server; cascade connection from VPN Bridge
                  | Monitoring mode session        | Conventional VPN connection from VPN Client
Special session   | Local bridge session           | Local bridge function in VPN Server
                  | Cascade connection session     | Cascade connection function in VPN Server
                  | SecureNAT session              | SecureNAT function in VPN Server / VPN Bridge
                  | Virtual layer 3 switch session | Virtual layer 3 switch function in VPN Server
1.6.2 Accepting Connection by VPN Server
PacketiX VPN Server is the only software that can accept a VPN
connection session from PacketiX VPN Client, PacketiX VPN Server or
PacketiX VPN Bridge running on another computer.
PacketiX VPN Server waits for connections with multiple TCP/IP ports
open as port numbers for accepting VPN connections from VPN connection
source computers. The VPN Server administrator can freely define or
modify the list of port numbers used for this purpose.
TCP/IP port numbers open to stand by for VPN connection from other
computers are called "listener ports". The following three TCP/IP ports
are allocated as listener ports by default.
- Port No. 8888 (This port number is used exclusively by PacketiX
VPN; the number 8888 is used so it is easy to remember.)
- Port No. 443 (This port number is the same port number as that
of HTTPS protocol. It is convenient to make relay equipment
recognize TCP/IP connection as HTTPS protocol for VPN session.)
- Port No. 992 (This port number is the same port number as that
of TELNETS protocol, which is hardly used anymore. It is convenient
to make relay equipment recognize TCP/IP connection as TELNETS
protocol for VPN session.)
Because multiple TCP/IP ports are open, a computer that attempts to
connect to the VPN Server can connect to whichever port number is
easiest to reach in its network environment, taking proxy servers and
restrictions such as firewalls into account. No matter which TCP/IP
port is used, the functions and performance are the same once the VPN
session is established; PacketiX VPN Server treats every TCP/IP
listener port equally.
For more information on listener ports, see 「3.3.6 Listener Ports」.

Fig. 1-6-2 TCP/IP listener ports of VPN Server
1.6.3 Connecting to Virtual HUB
As was described in 「1.4.2 Virtual HUB」, PacketiX VPN Server can operate multiple
Virtual HUBs within a single server process.
Computers that attempt to connect by VPN to VPN Server specify one of
the Virtual HUBs operating in VPN Server and connect to it.
When attempting to connect to a Virtual HUB, user authentication as
explained in 「1.5.1 Abundant User Authentication Options」 has to be carried out. User information is
managed separately for each Virtual HUB and has to be set in advance by
the PacketiX VPN Server or Virtual HUB administrator. User authentication
is carried out against the security account database that exists for
each Virtual HUB; if the VPN Server judges the VPN connection to be
legitimate, it accepts the VPN connection to the Virtual HUB, a new VPN
session is established and VPN communication starts.
Until connection to the Virtual HUB is completed, there is no VPN data
communication (sending and receiving of Ethernet frames) between the
VPN connection source computer and VPN Server; VPN data communication
is carried out only after user authentication has been completed. The
processing performed by the PacketiX VPN protocol before user
authentication completes is called negotiation. Once negotiation is
complete, the session is established, and the state in which VPN
communication can be used is referred to as "established".

Fig. 1-6-3 VPN protocol sequence and status transition at
time of connection to Virtual HUB and session establishment
1.6.4 TCP/IP Communication of Session Data
With the PacketiX VPN protocol, the packets that flow through the
actual physical network for communication between PacketiX VPN Server
and the VPN connection source computer (the VPN session) are generated
by the sender as encapsulated TCP/IP packets, and the TCP/IP packets
received by the reception side are de-capsulated. All TCP/IP
communication is encrypted by Secure Socket Layer (SSL), and an
electronic signature can be added.
Communication between PacketiX VPN Server and the VPN connection
source computer can be carried out over a single TCP/IP connection per
VPN session. If the user so desires, however, multiple TCP/IP
connections can be established and the communication data distributed
among them; delay can then be managed, the transmission sequence is
adjusted automatically, the network line is used more efficiently, and
throughput and response are improved. The data transmission direction
(full duplex or half duplex) and the lifetime before disconnection can
also be set for each TCP/IP connection. For details see 「2.1.3 Communication Efficiency and Stability」 and 「4.4.11 Advanced Communication Settings」.
All data transmitted by the PacketiX VPN protocol is encrypted by SSL
and can also be compressed by a data compression algorithm. On
low-speed lines such as modems, ISDN or PHS, data compression may in
theory work effectively when transmitting large quantities of data.
Compression can be used simultaneously with encryption. For more
information on data compression, see 「2.1.3 Communication Efficiency and Stability」 and
「4.4.16 Data Compression Option」.

Fig. 1-6-4 Virtual Ethernet frame transmission in VPN session
1.6.5 Association with MAC Address
Virtual HUB manages multiple VPN sessions from VPN client connection
sources, receives the virtual Ethernet frames that those sessions send
to the Virtual HUB, identifies the destination MAC address and sends
them out to the appropriate other VPN sessions. This processing is the
equivalent of the layer 2 Ethernet frame switching (packet exchange)
carried out by a physical switching hub.
Just like a physical switching hub, Virtual HUB automatically
conducts MAC address learning and associates the learned MAC addresses
with VPN sessions. When Ethernet frames that need to be processed
arrive, the destination MAC address of the Ethernet frame can be read
and switched to a suitable matching VPN session. This virtual Ethernet
frame switching processing is the most important function of Virtual HUB
and is the most substantial part of VPN communications by PacketiX VPN.
The MAC address table managed by Virtual HUB is updated automatically
so that it reflects the actual network status as closely as possible.
The Virtual HUB administrator can display the MAC address table and can
freely delete entries.
The mechanism and timing by which Virtual HUB learns new MAC
addresses and updates the MAC address table database are the same as
those of a physical Ethernet switching hub.

Fig. 1-6-5 VPN session and MAC address association by Virtual HUB
1.6.6 Session from other VPN Server / VPN Client / VPN Bridge
PacketiX VPN Server accepts connections from software compatible with
the PacketiX VPN protocol running on other computers (it may also run
on the same computer and connect via localhost). There are three types
of such software: PacketiX VPN Server, PacketiX VPN Client and PacketiX
VPN Bridge (new software or dedicated hardware that supports PacketiX
VPN may be developed and offered by SoftEther Corporation or third
parties in the future).

Fig. 1-6-6 Session from other VPN Server / VPN Client / VPN Bridge
All VPN connections from these three types of software
are conducted by PacketiX VPN protocol; the communication contents and
nature are the same regardless of the type of software and purpose of
communication.
Connection from PacketiX VPN Client
A connection from PacketiX VPN Client is generally a connection from a
Virtual Network Adapter attempting to connect to a Virtual HUB. In other
words, if VPN Client is installed on the client computers of end users
who use VPN communication and VPN Server is registered as the connection
destination in VPN Client, the Virtual Network Adapter of that computer
connects to a Virtual HUB operating on VPN Server and can carry out the
same communication as, for example, a network adapter connected to a
physical switching hub by network cable.
As a special usage method, a layer 2 bridge connection between the
Virtual Network Adapter of the VPN Client computer and an existing
physical network adapter in that computer is possible. The bridge
function of the operating system is used for this. With SoftEther 1.0,
bridging between a Virtual HUB and a physical network adapter was often
accomplished by this method. With PacketiX VPN 2.0, however, bridging
can be accomplished more easily and faster by the local bridge function
of VPN Server or VPN Bridge, so this method is no longer used frequently.
Connection from PacketiX VPN Bridge
PacketiX VPN Bridge operating at a remote site can be connected to
PacketiX VPN Server by cascade connection. By connecting the two Virtual
HUBs on the VPN Server side and the VPN Bridge side to the existing
physical LANs of both sites, the two sites are joined by VPN. This
method is often used for site-to-site VPN connection.
For more information on PacketiX VPN Bridge, see 「Chapter 5 PacketiX VPN Bridge 2.0 Manual」.
Connection from PacketiX VPN Server
Because PacketiX VPN Bridge is software limited to a subset of the
functions of PacketiX VPN Server, the connection method described above
for PacketiX VPN Bridge works the same for a cascade connection from
one PacketiX VPN Server to another and can be used as such.
1.6.7 VPN Session Connection Modes
As was explained in 「1.6.6 Session from other VPN Server / VPN Client / VPN Bridge」, a VPN connection to VPN Server from
VPN Client / VPN Server / VPN Bridge, etc., operating on another
computer is established and managed as a VPN session of a Virtual HUB.
VPN Server basically treats every VPN session of the PacketiX VPN
protocol the same way; it is not concerned with the type of VPN
software at the connection source of the VPN session or the type of
network at the session's destination.
To facilitate administration of a VPN network built with PacketiX VPN
Server, however, it is useful to distinguish the connection type of the
connection source computer of a VPN session according to the objective
of that session. PacketiX VPN therefore adopts the concept of a
connection mode for ordinary VPN sessions and defines two connection
modes: client mode and bridge/router mode.
1.6.8 Client Mode Session
The client mode is primarily applied to VPN sessions connected from
VPN Client to VPN Server. The conventional way of using VPN Client is
as a VPN client for remote access VPN: VPN Client is installed on client
computers at a remote location, a Virtual HUB is created, and the
clients connect to that Virtual HUB on VPN Server.
With a VPN session established by connection from a conventional VPN
Client, only one Ethernet device with a MAC address should be connected
to the VPN on the VPN Client side. In other words, the Virtual Network
Adapter device driver used by VPN Client for the connection is simply
connected to the Virtual HUB, and the MAC address allotted to that
Virtual Network Adapter is supposed to be the only network adapter that
exists on the client side of the VPN session concerned.
However, users of computers on which VPN Client is installed can
bridge the Virtual Network Adapter to a separate physical network
adapter on the client computer using a function of the operating
system, and can connect it to another IP network using the IP routing
function of the operating system. If users of VPN Client do this
arbitrarily, they may unintentionally alter the network topology on the
VPN administrator's side and could destroy the uniformity and
manageability of the VPN network as a whole.
Thus in a client mode session (i.e., a VPN session connected from VPN
Client), layer 2 bridging or layer 3 routing on the client side of the
VPN session is forbidden as a rule. This makes it impossible for users
of VPN Client connected to PacketiX VPN Server to connect the Virtual
Network Adapter on the client computer to another network. In other
words, alteration of the network topology and connection of computers
to the VPN that the administrator did not intend can be prevented.
By selecting the bridge/router mode as the connection mode for
advanced communication setting of VPN Client connection settings, client
mode session limitations are canceled and bridge and routing on the VPN
Client side become possible. For details see 「4.4.17 Selecting the Connection Mode」.
If the "deny bridge and router operation" security policy is enabled
in the settings of a user registered in a Virtual HUB of PacketiX VPN
Server, that user cannot connect to VPN Server in bridge/router mode
(the VPN connection fails with an error). For more information on
security policies, see 「3.5.9 Security Policies」.

Fig. 1-6-7 Client mode session and bridge/router mode session
1.6.9 Bridge/Router Mode Session
If a VPN session is connected in bridge/router mode, the limitation
that denies layer 2 bridging and layer 3 routing on the VPN connection
source side in client mode sessions is lifted, and as a rule any kind
of communication can be carried out.
This connection mode is selected automatically when a Virtual HUB of
PacketiX VPN Server or PacketiX VPN Bridge is connected to a separate
Virtual HUB by cascade connection.
A setting on the VPN Client side is required to connect from PacketiX
VPN Client to a Virtual HUB in bridge/router mode. For details see
「4.4.17 Selecting the Connection Mode」.
For a Virtual HUB created for use with general VPN connections, the
administrator should set a security policy so that users cannot connect
to it in bridge/router mode. For more information on security policies,
see 「3.5.9 Security Policies」.
1.6.10 Monitoring Mode Session
The monitoring mode is a connection mode that can be selected when
VPN Client connects to Virtual HUB of VPN Server.
A VPN session connected in monitoring mode receives all Ethernet
frames flowing through the Virtual HUB it is connected to, exactly as
they are. This mode can be used to intercept the Ethernet packets
flowing through a Virtual HUB, capture them with packet capture
software, and inspect all packets with tools such as an IDS or IDP. A
session connected to a Virtual HUB in monitoring mode can receive all
Ethernet frames flowing through the Virtual HUB, but it cannot transmit
Ethernet frames to the Virtual HUB in the opposite direction.
Using this mode gives you the equivalent of the port monitoring and
port mirroring functions that common layer 2 intelligent switching hubs
are equipped with.

Fig. 1-6-8 Monitoring mode session
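The following is an added example (not PacketiX/SoftEther code) that models how a Virtual HUB associates learned MAC addresses with VPN sessions and switches frames between them (1.6.5), how a client mode session is held to a single source MAC (1.6.8), and how a monitoring mode session receives every frame but may not transmit (1.6.10). The session mode labels, the MAC aging time and the exact drop behaviour for a second source MAC in client mode are assumptions for illustration.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Frame:
    src: str                  # source MAC address
    dst: str                  # destination MAC address (BROADCAST floods the hub)
    payload: bytes = b""

@dataclass
class Session:
    name: str
    mode: str                 # "client", "bridge_router" or "monitor" (assumed labels)
    received: list = field(default_factory=list)

class VirtualHub:
    """Simplified model of Virtual HUB frame switching (added example, not PacketiX code)."""

    def __init__(self, mac_age_secs=600):   # aging time is an assumption
        self.sessions = {}
        self.mac_table = {}   # MAC -> (session name, last-seen time)
        self.mac_age_secs = mac_age_secs

    def attach(self, session):
        self.sessions[session.name] = session

    def _expire(self, now):
        # Drop MAC entries not refreshed within the aging time, as a physical switch does.
        stale = [m for m, (_, seen) in self.mac_table.items()
                 if now - seen > self.mac_age_secs]
        for mac in stale:
            del self.mac_table[mac]

    def receive(self, sender, frame, now):
        """Switch one frame arriving from `sender`; return the names of sessions it reached."""
        self._expire(now)
        if sender.mode == "monitor":          # monitoring sessions only listen (1.6.10)
            return []
        if sender.mode == "client":           # one adapter, hence one MAC, per client session (1.6.8)
            own = [m for m, (s, _) in self.mac_table.items() if s == sender.name]
            if own and frame.src not in own:  # a second source MAC implies bridging/routing
                return []
        self.mac_table[frame.src] = (sender.name, now)   # learn or refresh the source MAC
        known = self.mac_table.get(frame.dst)
        if frame.dst == BROADCAST or known is None:
            # Unknown or broadcast destination: flood to every other ordinary session.
            targets = [s for s in self.sessions.values() if s is not sender and s.mode != "monitor"]
        elif known[0] == sender.name:
            targets = []                      # destination is behind the sender: do not echo
        else:
            targets = [self.sessions[known[0]]]   # unicast to the session that owns the MAC
        # Monitoring sessions get a copy of every frame, like port mirroring.
        targets += [s for s in self.sessions.values() if s.mode == "monitor"]
        for s in targets:
            s.received.append(frame)
        return [s.name for s in targets]
```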
1.6.11 Local Bridge Session
A local bridge session is established when a local bridge connection
is created between a Virtual HUB of PacketiX VPN Server and a physical
network adapter. Unlike a conventional VPN session established by a VPN
connection from VPN Client / VPN Server / VPN Bridge over a network by
the PacketiX VPN protocol, the actual communication source of a local
bridge session is a separate module on the computer on which VPN Server
is operating, and it is therefore classified as a special session.
For more information on these functions, see 「3.6 Local Bridges」.
1.6.12 Cascade Connection Session
A cascade connection session is a special session generated within the
Virtual HUB of the VPN Server or VPN Bridge that initiates a cascade
connection, when a Virtual HUB of PacketiX VPN Server or PacketiX VPN
Bridge operating on a separate computer is connected by cascade
connection to a Virtual HUB of PacketiX VPN Server.
In other words, in the case of using cascade connection, a
bridge/router mode session, which is the normal session, is generated by
the Virtual HUB of the side being connected to, and a cascade connection
session, which is a special session, is created by the Virtual HUB which
initiated the cascade connection.
For more information on cascade connection sessions, see 「3.4.11 Cascade Connection Functions」.
1.6.13 SecureNAT Session
A SecureNAT session is a special session automatically created
internally if the SecureNAT function, which is one of the Virtual HUB
functions of PacketiX VPN Server or PacketiX VPN Bridge, is enabled. For
more information on SecureNAT function, see 「3.7 Virtual NAT & Virtual DHCP Servers」.
1.6.14 Virtual Layer 3 Switch Session
A virtual layer 3 switch session is a special session automatically
created internally for connection between virtual layer 3 switch and
Virtual HUB if virtual layer 3 switch function, which is a function of
PacketiX VPN Server, is used. For more information on virtual layer 3
switch function, see 「3.8 Virtual Layer 3 Switches」.