PacketiX VPN 2.0
Advantages over older VPN Solutions
| VPN Product Type | PacketiX™ (Layer 2 VPN) | PPTP | IPsec-VPN | SSL-VPN |
|---|---|---|---|---|
| **Tunneling** | | | | |
| Tunneling Protocol | SSLv3 (TCP), https compatible | PPP over GRE | ISAKMP / ESP | SSLv3 (TCP), https compatible |
| Hindered by | nothing | NAT / Firewall / Proxy | NAT / Firewall / Proxy | nothing |
| Connectivity | Yes | No | No | Yes |
| **Data transfer** | | | | |
| Encapsulated Layer | L2 / L3 | L3 | L3 | L5 |
| Data Transfer Protocols | Ethernet (IPv4, IPv6), AppleTalk, NetBIOS, IPX/SPX etc. | TCP, UDP | TCP, UDP | HTTP etc. (application specific) |
| Usable with any application | Yes | Yes | Yes | No |
| **Network** | | | | |
| Connect whole LANs | Possible | Possible | Possible | - |
| Network segments | Identical or Separate | Separate | Separate | n/a |
| Flexibility | High | Low | Low | None |
Virtual Ethernet with PacketiX VPN
Unlike many older VPN protocols, PacketiX VPN provides full layer 2 (Ethernet) emulation for VPN data transfer. In other words, with older layer 3 VPN solutions, encapsulated IP packets flow through the tunnel; with PacketiX VPN, Ethernet frames flow through it instead.
Limitations of old VPN protocols
Since VPNs came into wider use around 1998, several VPN protocols have become popular, among them:
- PPTP (GRE)
- L2TP / IPSec
- vtun
- OpenVPN
- Port forwarding over SSH
However, older VPN solutions have the limitations outlined below, which make them difficult to use under various circumstances.
Difficulty passing through network gateway devices
Internet access from company LANs and small home networks is usually managed by a gateway device, be it a small hardware router or a Linux server, which serves as firewall, proxy server and router with IP masquerading (NAT). While such a gateway provides necessary functions for the management and security of the network, it can be a barrier for older VPN solutions.
Since previous VPN protocols do not send standard TCP/IP packets, they are often stopped by firewalls and routers which do not know how to handle special protocols like GRE or IPSec. If the IP address is not properly masqueraded by the router, VPN client and server are unable to establish a connection.
Thus, older VPNs require either customized devices or special firewall and router settings, which take time to set up, may not be possible in every configuration and lower network security. If the router cannot handle the special protocol employed by the VPN, or the VPN protocol cannot handle masqueraded IP addresses, a global IP address is necessary for both client and server.
In all of these cases, PacketiX VPN is able to establish a connection out of the box and without any reconfigurations, special hardware or global IPs. This saves money and reduces administration effort.
Network protocols other than TCP/IP can't be transferred
Conventional VPN protocols can only emulate a network up to OSI layer 3, the network layer (IP), unlike PacketiX VPN, which takes the technology one step further by emulating Layer 2, the data link layer (Ethernet).
Thus, previously a dedicated line was necessary to transfer legacy network protocols such as IPX/SPX and NetBEUI, which are still required by some devices, over a VPN. PacketiX VPN makes it possible to transfer them over the Internet with a software VPN solution.
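The difference between the two encapsulation layers, as an added example that is not PacketiX code: it classifies constructed Ethernet frames and shows which ones a layer 3 tunnel can carry compared with a layer 2 tunnel. The 2-byte length-prefix framing and all function names are assumptions made for illustration, not the product's wire format.

```python
import struct

# IEEE EtherType values for protocols named in the comparison table.
ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP",
              0x8137: "IPX", 0x809B: "AppleTalk"}

def make_frame(dst, src, ethertype, payload):
    """Build a constructed Ethernet II frame (no FCS)."""
    return dst + src + struct.pack("!H", ethertype) + payload

def protocol_of(frame):
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype <= 1500:  # 802.3 length field: LLC traffic such as NetBEUI
        return "802.2 LLC"
    return ETHERTYPES.get(ethertype, hex(ethertype))

def l3_tunnel_payload(frame):
    """Layer 3 VPN: only the IP packet is tunnelled; non-IP frames are lost."""
    return frame[14:] if protocol_of(frame) in ("IPv4", "IPv6") else None

def l2_tunnel_payload(frame):
    """Layer 2 VPN: the whole frame, MAC header included, is tunnelled."""
    return frame

def to_stream(payloads):
    """Assumed framing: 2-byte length prefix per payload on one byte stream."""
    return b"".join(struct.pack("!H", len(p)) + p for p in payloads)

def from_stream(stream):
    out, i = [], 0
    while i < len(stream):
        if i + 2 > len(stream):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack("!H", stream[i:i + 2])
        if i + 2 + n > len(stream):
            raise ValueError("truncated payload")
        out.append(stream[i + 2:i + 2 + n])
        i += 2 + n
    return out

# Constructed sample traffic from a PC to a printer on the same LAN.
PC, PRINTER = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
FRAMES = [make_frame(PRINTER, PC, 0x0800, b"\x45" + b"\x00" * 19),
          make_frame(b"\xff" * 6, PC, 0x0806, b"\x00" * 28),
          make_frame(PRINTER, PC, 0x8137, b"\xff\xff" + b"\x00" * 28),
          make_frame(PRINTER, PC, 0x809B, b"\x00" * 13)]

def compare(frames):
    """Return (protocol, carried by L3 tunnel, intact through L2 tunnel)."""
    l2 = from_stream(to_stream([l2_tunnel_payload(f) for f in frames]))
    return [(protocol_of(f), l3_tunnel_payload(f) is not None, l2[i] == f)
            for i, f in enumerate(frames)]
```

Because a layer 2 tunnel also carries ARP and broadcast frames, both sites behave as one Ethernet segment, which is what the "Identical or Separate" entry in the table refers to.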
Problems with IP routing
To connect all computers and devices of a network to a VPN, one solution is to install a VPN client on all PCs and devices. This, however, puts traffic on the VPN that could be handled by the local network, and it increases administration work. As a VPN client can't be installed on devices such as network printers, projectors or WLAN routers, these can't be accessed from the VPN at all.
The solution is a gateway between the local network and the VPN, which translates the packets from the protocol used by the local network (usually TCP/IP) to the VPN protocol and routes them to their destination. In older VPN protocols, large-scale setting modifications, such as rewriting the routing tables, are necessary when a gateway to a VPN is established. And devices which are not capable of handling routing tables still cannot be accessed from the VPN.
With PacketiX VPN, packets from the local network are encapsulated and transferred as they are, so the routing process is invisible to all PCs and devices and there is no need to rewrite routing tables. All devices that can be accessed from the local network can be accessed from the VPN.
Platform Dependence
For older VPN solutions the range of supported platforms was often too narrow, which poses a problem for company-wide solutions in integrated environments. Even if several platforms were supported, implementations could differ and unnecessarily complicate system administration. In the worst case, only devices of certain vendors were supported because of differences in the hardware implementations.

[Figure: Differences in hardware implementation or protocol between vendors cause the connection to fail]
PacketiX VPN is an all-software solution that does not require special hardware. The code for PacketiX VPN 2.0 was rewritten with maximum portability in mind, and the software runs with an identical implementation on a wide range of platforms such as Windows 2000, XP and Vista, Mac OS, Red Hat and several other Linux distributions, FreeBSD and Solaris.
Low performance despite high costs
The price of network security devices and software that meet professional demands is generally extremely high.
However, high-cost network security products too often do not satisfy performance requirements. For what was considered a high connection speed a few years ago, somewhere between 1 Mbps and 10 Mbps, older VPN hardware and software can deliver the necessary throughput. For the broadband connections available today, up to 1 Gbps, these older systems can become a network bottleneck.
PacketiX VPN 2.0 has been designed and tested to handle connection speeds in the Gigabyte range without increasing network delay in a noticeable manner (less than 1 msec).



