2.1 VPN Communications Protocol
The protocol used by PacketiX VPN for VPN communications is based on version 3 of the global security standard Secure Socket Layer (SSL). On top of it, PacketiX VPN adds several technical innovations to increase the speed and enhance the security of VPN communications.
This section describes the PacketiX VPN protocol in detail. For more information on the PacketiX VPN protocol, see 「1.6 VPN Communication Details」.
2.1.1 Communication Speed
PacketiX VPN is a VPN system in which VPN Client, VPN Server and VPN Bridge exchange virtual Ethernet frames with one another. The PacketiX VPN protocol runs over TCP/IP and is responsible for encapsulating the virtual Ethernet frames, encrypting them, and transmitting them across the physical IP network.
A protocol carried over conventional TCP/IP has the drawback that its communication efficiency is not very high. Because TCP itself performs retransmission control and flow control, in some cases a single TCP/IP connection can use only part of the bandwidth that is actually available.
When developing the PacketiX VPN protocol, SoftEther Corporation carefully controlled and optimized the TCP/IP connections established to carry VPN communication, making them as efficient as possible. As a result, when PacketiX VPN is used on a network with sufficient bandwidth, it achieves throughput and latency good enough that users cannot tell whether their traffic is flowing through the VPN or directly over the physical network.
2.1.2 Flexibility
The PacketiX VPN protocol is based on TCP/IP, and all of its data flows over TCP/IP connections. A VPN built with PacketiX VPN can therefore pass through any network device or server that supports TCP/IP.
This makes it easy to build a VPN through proxy servers, NAT devices and firewalls, which have traditionally been difficult for VPN protocols such as the older PPTP or L2TP/IPsec.
For how to establish stable VPN communications through a proxy server or other firewall, see 「4.4.11 Advanced Communication Settings」.
2.1.3 Communication Efficiency and Stability
Communication efficiency (throughput and response time) and stability can be improved on the following kinds of network if the user sets the advanced communication parameters of the PacketiX VPN protocol appropriately.
- Networks with long delay despite wide bandwidth.
- Networks where proxy servers, NAT devices or firewalls on the VPN communication route add delay.
- Networks where bandwidth control equipment (QoS equipment) on the VPN communication route intentionally limits the maximum speed of each individual TCP/IP connection.
- Networks where proxy servers, NAT devices or firewalls on the VPN communication route apply special processing to TCP/IP traffic: for example, gateway devices or servers that set an expiration time on each TCP/IP connection and disconnect it when that time is exceeded, or that strictly track the packet count and transmission interval of HTTPS traffic and disconnect the TCP/IP connection or take other special action when the traffic deviates from what is normal for the HTTP protocol.
A VPN connection source computer establishes multiple TCP/IP connections simultaneously with the PacketiX VPN Server for a single VPN session and distributes the communication data across those connections in parallel. This allows the PacketiX VPN protocol to send and receive VPN data at high speed with low delay.

Fig. 2-1-1 Communication of VPN session by multiple TCP/IP connections
A computer initiating a VPN connection can specify the following parameters.
Reconnection Setting when VPN Connection Fails or Becomes Disconnected during Communications
If the VPN connection to the PacketiX VPN Server is temporarily lost because of a network problem, or because the destination VPN Server stops temporarily, the system attempts to reconnect to the VPN Server until it succeeds. You can specify the maximum number of reconnection attempts and the interval between attempts (the interval cannot be set to less than 5 seconds).
The defaults are a reconnection interval of 15 seconds and an unlimited number of reconnection attempts. With these settings the connection is maintained continuously as long as the network is functioning and the destination VPN Server is running.
| For cascade connections initiated by VPN Server / VPN Bridge toward a PacketiX VPN Server, the function that maintains the connection uses a fixed reconnection interval of 10 seconds and a fixed unlimited number of reconnection attempts. The user cannot change these settings. |
The VPN session types, the reconnection interval and number of reconnection attempts that can be set, and the defaults are as follows:
| Session type | Reconnection interval | No. of reconnection attempts |
| Ordinary VPN sessions initiated by VPN Client | Min. 5 seconds (default is 15 seconds) | 0 - unlimited (default is unlimited) |
| Cascade connection VPN sessions initiated by VPN Server / VPN Bridge | 10 seconds (fixed) | Unlimited (fixed) |
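The reconnection policy above, written out as an added example that is not part of the PacketiX VPN manual or code: a retry loop driven by an injected connect function and clock, enforcing the 5-second floor on the interval and the 0..unlimited attempt count. The ReconnectPolicy class, the flaky-link stand-in and the hard_limit safety stop are this example's own constructs; a real client with an unlimited policy simply loops forever.

```python
"""Reconnection policy simulation (added example, not PacketiX VPN code).

Models the two policies described in the manual: an interval of at least
5 seconds (default 15) with 0..unlimited attempts (default unlimited) for
VPN Client sessions, and a fixed 10 s / unlimited policy for cascade
connections. The connect function and the clock are injected so the loop
can be exercised offline.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

UNLIMITED = None        # the manual's "unlimited" attempt count
MIN_INTERVAL_SEC = 5    # the manual's floor for the reconnection interval


@dataclass(frozen=True)
class ReconnectPolicy:
    interval_sec: int
    max_attempts: Optional[int]  # None means unlimited

    def __post_init__(self) -> None:
        if self.interval_sec < MIN_INTERVAL_SEC:
            raise ValueError("reconnection interval cannot be below 5 seconds")
        if self.max_attempts is not None and self.max_attempts < 0:
            raise ValueError("attempt count cannot be negative")


# Defaults from the manual.
CLIENT_DEFAULT = ReconnectPolicy(interval_sec=15, max_attempts=UNLIMITED)
CASCADE_FIXED = ReconnectPolicy(interval_sec=10, max_attempts=UNLIMITED)


def reconnect_until_success(
    policy: ReconnectPolicy,
    try_connect: Callable[[], bool],
    sleep: Callable[[int], None],
    hard_limit: int = 10_000,
) -> Tuple[bool, int]:
    """Retry try_connect() according to policy.

    Returns (connected, attempts_made), counting only the reconnection
    attempts after the initial loss. hard_limit is a safety stop for the
    unlimited case in this offline simulation (an assumption of the
    example); a real client would keep trying.
    """
    attempts = 0
    while True:
        if policy.max_attempts is not None and attempts >= policy.max_attempts:
            return False, attempts          # 0 attempts: give up immediately
        if attempts >= hard_limit:
            return False, attempts
        sleep(policy.interval_sec)          # wait the configured interval
        attempts += 1
        if try_connect():
            return True, attempts


def make_flaky_link(failures_before_success: int) -> Callable[[], bool]:
    """Constructed stand-in for the network: fails N times, then succeeds."""
    state = {"left": failures_before_success}

    def try_connect() -> bool:
        if state["left"] > 0:
            state["left"] -= 1
            return False
        return True

    return try_connect


def simulate(policy: ReconnectPolicy, outage_attempts: int) -> Tuple[bool, int, int]:
    """Run the loop against a link that is down for outage_attempts tries.

    Returns (connected, attempts_made, simulated_seconds_waited).
    """
    waited: List[int] = []
    ok, n = reconnect_until_success(policy, make_flaky_link(outage_attempts), waited.append)
    return ok, n, sum(waited)


if __name__ == "__main__":
    print(simulate(CLIENT_DEFAULT, outage_attempts=3))         # (True, 4, 60)
    print(simulate(ReconnectPolicy(5, 2), outage_attempts=3))  # (False, 2, 10)
    print(simulate(ReconnectPolicy(5, 0), outage_attempts=1))  # (False, 0, 0)
```

With the default policy a three-attempt outage costs four tries and 60 simulated seconds; a two-attempt limit gives up after 10 seconds; an attempt count of 0 never reconnects at all.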
Number of TCP/IP Connections Used for VPN Communication
Multiple TCP/IP connections can be established within a single VPN session with the PacketiX VPN Server. Data is transmitted over these connections in parallel, which increases throughput and shortens delay. If some of the established TCP/IP connections are disconnected, or cannot communicate for a certain period of time, the missing connections are replaced by creating new TCP/IP connections and adding them to the VPN session, up to the specified number, so that the session keeps the specified number of TCP/IP connections as far as possible.

Fig. 2-1-2 Automatic reconnection processing if disconnected while using multiple TCP/IP connections
The user can specify from 1 to 32 TCP/IP connections.
- The default when creating a new connection setting in PacketiX VPN Client is 1.
- The default when creating a new cascade connection in PacketiX VPN Server / PacketiX VPN Bridge is 8.
| Simply increasing the number of TCP/IP connections does not always improve VPN throughput. When the bandwidth of the route to the VPN Server on the IP network is large, increasing the number of connections usually improves throughput or stabilizes communication. Conversely, on low-speed lines such as ISDN or PHS, where the bandwidth is only several tens or hundreds of kbps, the bandwidth is consumed by the Keep-Alive messages and control data of the individual TCP/IP connections, so fewer connections usually improve stability and communication speed.
The optimal number of TCP/IP connections also varies with the amount of data and the type of communication protocol used within the VPN session. After building the VPN, we recommend choosing the setting while measuring with the communication throughput measurement tool. For details on the tool, see 「4.8 Measuring Effective Throughput」. |
Establishment Interval for TCP/IP Connections
When VPN communication uses 2 or more TCP/IP connections, you can specify how many seconds must pass after the preceding TCP/IP connection is established before the next one (from the second connection onward) is established. The default is 1 second, and the value can be set to 1 second or longer.
Under ordinary circumstances 1 second is sufficient. However, if a large number of TCP/IP connections (such as 32) are established in quick succession, a firewall or IDS on the IP network may mistake the burst for a DoS attack or similar and drop the TCP/IP connections. If the VPN connection fails to establish correctly for this reason, increasing the connection interval can avoid the false detection.

Fig. 2-1-3 Establishment interval for TCP/IP connections
Life of TCP/IP Connections
When VPN communication uses 2 or more TCP/IP connections, you can specify a lifetime in seconds for each TCP/IP connection between the connection source computer and the VPN Server. When a connection has been established for that many seconds it is disconnected, and a new TCP/IP connection is established to make up the shortfall. By default this function is not used.
This function stabilizes PacketiX VPN protocol communication on unstable networks, for example where gateway devices on the IP network route such as firewalls, IDS or proxy servers disconnect TCP/IP connections that stay open for a long time, or treat them as a DoS attack or similar. Rotating the connections before that happens keeps the session alive.
Using in Half Duplex Mode
Half duplex mode is a function that applies when VPN communication uses 2 or more TCP/IP connections: of the TCP/IP connections between the VPN connection source and the PacketiX VPN Server, approximately half are dedicated to the sending direction and the other half to the receiving direction. When this function is enabled, the direction of the data flowing over each TCP/IP connection established as part of the PacketiX VPN protocol is limited to either VPN Server to client (download) or client to VPN Server (upload). Taken together, the TCP/IP connections still allow simultaneous communication in both directions (full duplex), but because each individual TCP/IP connection carries data in one direction only, this is referred to as half duplex mode.
This function stabilizes PacketiX VPN protocol communication on networks where network security devices on the physical IP network, such as firewalls, IDS or proxy servers that inspect TCP/IP packets, mistake legitimate PacketiX VPN traffic with bidirectional SSL data flow for an attack or malicious backdoor communication and issue a warning or forcibly disconnect it.
Half duplex mode involves some additional software control processing and therefore consumes CPU time, which slightly reduces communication efficiency. The drop in throughput and the effect on the user are extremely small, so under ordinary circumstances this is not a problem.

Fig. 2-1-4 VPN session communications in half duplex mode
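The four multi-connection parameters above (connection count from 2.1.3, establishment interval, connection lifetime and half duplex mode) interact, and the easiest way to see how is a small simulation. The following is an added example, not PacketiX VPN or SoftEther code: a SessionPool keeps a target number of connections (1..32), waits the establishment interval before opening each further one, retires connections past their lifetime and opens replacements, and in half duplex mode assigns each connection one direction. The SessionPool and Conn classes, the integer clock in seconds and the scenario numbers are this example's own assumptions.

```python
"""Session pool simulation for the multi-connection parameters described
above (added example, not PacketiX VPN code). Connections are constructed
stand-ins for TCP sockets and time is a plain integer in seconds.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_CONNECTIONS = 32  # the manual's upper limit

@dataclass
class Conn:
    conn_id: int
    established_at: int
    direction: str  # "both", "upload" or "download"
    alive: bool = True

@dataclass
class SessionPool:
    target_count: int
    establish_interval_sec: int = 1       # manual default: 1 s, minimum 1 s
    lifetime_sec: Optional[int] = None    # None: lifetime function not used
    half_duplex: bool = False
    conns: List[Conn] = field(default_factory=list)
    next_id: int = 0
    last_established_at: Optional[int] = None

    def __post_init__(self) -> None:
        if not 1 <= self.target_count <= MAX_CONNECTIONS:
            raise ValueError("connection count must be between 1 and 32")
        if self.establish_interval_sec < 1:
            raise ValueError("establishment interval must be at least 1 second")

    def live(self) -> List[Conn]:
        return [c for c in self.conns if c.alive]

    def _choose_direction(self) -> str:
        """Half duplex: keep uploads and downloads balanced; the first
        connection is an upload so a one-connection pool can still send."""
        if not self.half_duplex:
            return "both"
        ups = sum(c.direction == "upload" for c in self.live())
        downs = sum(c.direction == "download" for c in self.live())
        return "upload" if ups <= downs else "download"

    def tick(self, now: int) -> List[str]:
        """Advance to time `now`: retire connections past their lifetime,
        then open at most one replacement if the interval has elapsed."""
        log: List[str] = []
        if self.lifetime_sec is not None:
            for c in self.live():
                if now - c.established_at >= self.lifetime_sec:
                    c.alive = False
                    log.append(f"expire {c.conn_id}")
        if len(self.live()) < self.target_count:
            due = (self.last_established_at is None
                   or now - self.last_established_at >= self.establish_interval_sec)
            if due:
                c = Conn(self.next_id, now, self._choose_direction())
                self.next_id += 1
                self.conns.append(c)
                self.last_established_at = now
                log.append(f"establish {c.conn_id} {c.direction}")
        return log

    def drop(self, conn_id: int) -> None:
        """Simulate the network cutting one connection."""
        for c in self.conns:
            if c.conn_id == conn_id:
                c.alive = False

    def direction_counts(self) -> Dict[str, int]:
        return {d: sum(c.direction == d for c in self.live())
                for d in ("both", "upload", "download")}

def run_scenario() -> Dict[str, object]:
    """8 half duplex connections, 2 s establishment interval, 30 s lifetime:
    ramp up, lose one connection, then run long enough for rotation."""
    pool = SessionPool(target_count=8, establish_interval_sec=2,
                       lifetime_sec=30, half_duplex=True)
    for t in range(0, 16):                 # 8th connection comes up at t=14
        pool.tick(t)
    after_ramp = len(pool.live())
    pool.drop(3)
    pool.tick(16)                          # interval elapsed: one replacement
    after_drop = len(pool.live())
    for t in range(17, 40):                # lifetimes expire from t=30 on
        pool.tick(t)
    return {
        "after_ramp": after_ramp,
        "after_drop": after_drop,
        "final_live": len(pool.live()),
        "directions": pool.direction_counts(),
        "total_ever_established": pool.next_id,
    }

if __name__ == "__main__":
    print(run_scenario())
```

Note the ramp-up cost the manual warns about: with a 2 s interval the eighth connection only comes up 14 s after the first, and a 32-connection pool would take 31 intervals. Rotation keeps the live count at the target while the number of connections ever opened keeps growing, which is exactly what a gateway counting connections per client sees.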
Disabling Encryption Option
By default the PacketiX VPN protocol encrypts all communication contents with SSL and adds an electronic signature, but encryption and the electronic signature can be waived in the following cases.
- The physical IP network carrying the VPN communication is limited to a physically secure LAN, so that it is physically difficult for a malicious third party to eavesdrop on or tamper with packets on the line.
- The communication runs over a dedicated frame relay service from a communications provider, or over a highly reliable network such as wide-area Ethernet where eavesdropping by other users is difficult, and the provider's service is sufficiently trustworthy.
- The PacketiX VPN protocol is combined with other software (an SSH port forwarding tool, etc.) that performs encryption at a lower layer.
- The VPN connection source software and the PacketiX VPN Server run on the same computer (the connection is to localhost). This configuration arises, for example, when a cascade connection is made between Virtual HUBs of the same VPN Server.
When encryption and the electronic signature are not used, only an encapsulation header is added to the virtual Ethernet frames flowing over the physical IP network, and the PacketiX VPN protocol provides no encryption or signature protection for them. In this mode anyone able to observe the IP route can read and modify the tunneled frames, which is why the option is limited to the cases above. The CPU time that would have been spent on encryption and signature computation is instead available for encapsulating and transmitting virtual Ethernet frames, which raises communication throughput.
Even when encryption is disabled, important processing such as user authentication is still encrypted by SSL.
Using Data Compression
The PacketiX VPN protocol can compress all Ethernet frames sent and received internally before transmitting them. The data compression algorithm used is deflate, developed by Jean-loup Gailly and Mark Adler. The compression parameter is set so that processing runs at the fastest speed.
Using data compression for VPN communication can reduce the communication volume by up to about 80% (depending on the protocol carried). Compression increases the CPU load on both client and server, however, and depending on the hardware performance, when the line speed exceeds roughly 10 Mbps, not compressing data often gives better communication speed.
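Why the saving "depends on the protocol used" is easy to see with deflate at its fastest setting. The following is an added example, not PacketiX VPN code: it compresses two constructed frames with zlib level 1 (the fastest deflate setting), keeps the original frame whenever deflate would not shrink it, and reports the saving. The frame layout, the flag byte convention and the sample payloads are this example's own assumptions, not the PacketiX wire format.

```python
"""Deflate at the fastest setting for per-frame compression (added
example, not PacketiX VPN code). Plain text compresses well; data that
is already compressed or encrypted does not, so the sender keeps the
uncompressed frame in that case. Sample frames are constructed.
"""
import os
import zlib
from typing import Dict, Tuple

FASTEST = 1  # zlib level 1 is deflate's fastest setting


def compress_frame(frame: bytes) -> Tuple[bool, bytes]:
    """Return (compressed?, payload). Keep the original frame whenever
    deflate does not make it smaller, so incompressible traffic never
    grows on the wire and costs the receiver no decompression."""
    packed = zlib.compress(frame, FASTEST)
    if len(packed) < len(frame):
        return True, packed
    return False, frame


def decompress_frame(flag: bool, payload: bytes) -> bytes:
    return zlib.decompress(payload) if flag else payload


def savings_percent(frame: bytes) -> float:
    """Percentage of bytes saved on the wire for one frame."""
    _, payload = compress_frame(frame)
    return round(100.0 * (len(frame) - len(payload)) / len(frame), 1)


# Constructed sample "Ethernet frames": 14-byte header followed by payload.
HEADER = bytes.fromhex("001122334455" "66778899aabb" "0800")
TEXT_FRAME = HEADER + (b"GET /index.html HTTP/1.1\r\nHost: example\r\n" * 20)
RANDOM_FRAME = HEADER + os.urandom(1400)  # stands in for encrypted traffic


def demo() -> Dict[str, Dict[str, object]]:
    results: Dict[str, Dict[str, object]] = {}
    for name, frame in (("text", TEXT_FRAME), ("random", RANDOM_FRAME)):
        flag, payload = compress_frame(frame)
        assert decompress_frame(flag, payload) == frame  # round trip
        results[name] = {"compressed": flag, "saved_pct": savings_percent(frame)}
    return results


if __name__ == "__main__":
    print(demo())
```

The text frame shrinks by well over 80%, while the random frame comes back unchanged because deflate output for it is larger than the input. That is the case to expect for traffic that is already encrypted or compressed above the VPN, where enabling compression only spends CPU.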
2.1.4 Encrypted Communication Security
In the PacketiX VPN protocol, encryption and the electronic signature are realized with SSL. The following encryption and electronic signature algorithms (SSL cipher suites) are implemented.
- RC4-MD5
- RC4-SHA
- AES128-SHA
- AES256-SHA
- DES-CBC-SHA
- DES-CBC3-SHA
The algorithm used for encryption is specified by the PacketiX VPN Server administrator (it cannot be chosen by users of connection source computers). Any of the algorithms above can be selected; RC4-MD5 is selected by default.
RC4-MD5 is the fastest of these algorithms and offers a certain degree of security, so the manual sees no need to select another algorithm without a special reason. In an environment where regulations or a strict security administrator permit only a specific algorithm such as AES, you can select a stronger encryption algorithm such as AES. Note that since this was written RC4 has been prohibited for use in TLS (RFC 7465) and single DES is considered too weak for protecting traffic, so where the peers support it the AES suites are the ones to prefer.
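Because the suite is chosen on the server side, the practical check is to see what a VPN Server actually negotiates. The following is an added example, not PacketiX VPN or SoftEther code: classify_suite() grades the six suites listed above by the weakest primitive each relies on, recommended_order() gives the preference order an administrator would configure, and probe() performs a real SSL handshake and reports the negotiated protocol and suite. The host name, port 443 and the use of Python's ssl module with a relaxed OpenSSL security level are assumptions of this example.

```python
"""Grading the PacketiX VPN cipher suites and probing a server's choice
(added example, not PacketiX VPN code). classify_suite() and
recommended_order() are pure functions; probe() needs network access.
"""
import socket
import ssl
from typing import Dict, List, Tuple

# Suites from the manual as OpenSSL names: (cipher, key bits, MAC hash).
SUITES: Dict[str, Tuple[str, int, str]] = {
    "RC4-MD5": ("RC4", 128, "MD5"),
    "RC4-SHA": ("RC4", 128, "SHA1"),
    "AES128-SHA": ("AES", 128, "SHA1"),
    "AES256-SHA": ("AES", 256, "SHA1"),
    "DES-CBC-SHA": ("DES", 56, "SHA1"),
    "DES-CBC3-SHA": ("3DES", 112, "SHA1"),  # 112-bit effective strength
}

# Primitives current guidance treats as broken or too weak for new use:
# RC4 (prohibited for TLS by RFC 7465), single DES (56-bit key), MD5 MACs.
WEAK = {"RC4", "DES", "MD5"}
RANK = {"acceptable": 0, "legacy": 1, "weak": 2}


def classify_suite(name: str) -> str:
    """'weak' for a broken primitive, 'legacy' for 3DES (64-bit block),
    'acceptable' for the AES suites, 'unknown' for names not listed."""
    if name not in SUITES:
        return "unknown"
    cipher, _bits, mac = SUITES[name]
    if cipher in WEAK or mac in WEAK:
        return "weak"
    if cipher == "3DES":
        return "legacy"
    return "acceptable"


def recommended_order() -> List[str]:
    """Preference order: best grade first, larger key first within a grade."""
    return sorted(SUITES, key=lambda n: (RANK[classify_suite(n)], -SUITES[n][1]))


def probe(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[str, str]:
    """Handshake with the server and return (protocol, cipher suite name).
    Certificate verification is disabled because the goal is to observe
    what the server offers, not to trust it; the OpenSSL security level is
    lowered (assumption: OpenSSL >= 1.1.0 syntax) so legacy suites an old
    server still uses can be seen rather than rejected by the client."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("ALL:@SECLEVEL=0")
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _proto, _bits = tls.cipher()
            return tls.version(), name


if __name__ == "__main__":
    for suite in recommended_order():
        print(f"{suite:14s} {classify_suite(suite)}")
    try:
        proto, suite = probe("vpn.example.com")  # assumed host name
        print(f"negotiated {proto} {suite}: {classify_suite(suite)}")
    except OSError as exc:
        print(f"probe skipped: {exc}")
```

If the probe reports RC4-MD5, the server is still on the manual's default and the administrator should move it to AES256-SHA or AES128-SHA; a suite the grader does not know (for example a TLS 1.2 or 1.3 AEAD suite on a newer build) is reported as unknown rather than guessed at.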
2.1.5 Support for VoIP / QoS
The PacketiX VPN protocol supports QoS for VPN communication and gives bandwidth priority to high-priority packets such as VoIP packets during transmission processing. For details see 「1.9.4 Types of Packets Priority Controlled by VoIP / QoS Support Function」.