Posted 2024-02-24 (author not given)
VPN Technology
Introduction
VPN stands for "Virtual Private Network". As the name suggests, a VPN can be thought of as a virtual version of an enterprise's leased line. A virtual private network is defined as a temporary, secure connection established over a public network (usually the Internet): a secure, stable tunnel through the untrusted public network. Data carried through this tunnel is encrypted, so the Internet can be used safely. A virtual private network is an extension of the enterprise intranet. It lets remote users, branch offices, business partners and suppliers establish trusted, secure connections to the company's internal network and guarantees that data is transmitted securely. A VPN can give the growing population of mobile users secure access from anywhere on the Internet; it can serve as a virtual leased line for secure communication between company sites; and it can serve as a cost-effective, secure extranet that connects business partners and customers.
Function
Functions a VPN can provide: firewall functions, authentication, encryption and tunnelling.
Using special encrypting communication protocols, a VPN establishes a dedicated communication path between two or more intranets that are located in different places and connected to the Internet. It behaves like a leased line, but no fibre or other physical circuit has to be laid. It is like applying to the telecom operator for a leased line without paying for the cabling and without having to buy routers or other hardware. VPN support was originally one of the important capabilities of routers; switches, firewall appliances and software such as Windows 2000 also support VPN functions. In one sentence: the core of VPN is building a virtual private network on top of a public network.
Characteristics
1. Security
Although a VPN can be implemented with many technologies and in many ways, every VPN must guarantee the privacy and security of the data it transports over the public network platform. Because a VPN is built directly on the public network, it is simple, convenient and flexible to implement, but its security problems are correspondingly more prominent. An enterprise must make sure that the data carried over its VPN cannot be eavesdropped on or tampered with by an attacker, and must prevent unauthorized users from accessing network resources or private information.
2. Quality of service guarantees (QoS)
A VPN should provide different levels of quality-of-service guarantees for enterprise data; different users and applications differ greatly in the service quality they require. On the network-optimization side, another important requirement when building a VPN is to make full and effective use of limited wide-area network resources and give important data reliable bandwidth. The unpredictability of WAN traffic keeps bandwidth utilization low: at traffic peaks it causes congestion, so data with strict real-time requirements cannot be sent in time, while at traffic troughs large amounts of bandwidth sit idle. Through traffic prediction and traffic-control policies, QoS manages bandwidth by priority class, so that the various kinds of data are sent in a sensible order and congestion is prevented.
3. Scalability and flexibility
A VPN must be able to carry any type of traffic across the intranet and extranet, make it easy to add new nodes, support several kinds of transmission media, and meet the demands that new applications such as simultaneous voice, image and data transmission place on transmission quality and bandwidth growth.
4. Manageability
From both the user's and the operator's perspective, a VPN should be easy to manage and maintain. The goals of VPN management are reduced network risk, high scalability, economy and high reliability. In practice, VPN management mainly covers security management, device management, configuration management, access-control-list management and QoS management.
Network protocols
Commonly used VPN protocols include:
IPsec: IPsec (IP Security) is the standard for protecting communication over the IP protocol; it mainly encrypts and authenticates IP packets. IPsec is a protocol suite (a set of inter-related protocols) made up of (1) protocols that protect packet flows and (2) the key-exchange protocol used to set up those protected flows. The former is further divided into two parts: the Encapsulating Security Payload (ESP), which encrypts the packet flow, and the less frequently used Authentication Header (AH), which authenticates the packet flow and guarantees message integrity but provides no confidentiality. To date, IKE is the only key-exchange protocol that has been standardized for IPsec.
PPTP: Point-to-Point Tunneling Protocol. A protocol for building IP VPN tunnels over the Internet; its main content is a way of establishing multi-protocol secure virtual private networks over the Internet. (Practitioner's note: PPTP's MS-CHAPv2 authentication and MPPE encryption are considered broken, so it should not be chosen for new deployments.)
L2F: Layer 2 Forwarding protocol.
L2TP: Layer 2 Tunneling Protocol.
GRE: a layer-3 tunnelling protocol for VPNs. (GRE by itself provides neither encryption nor authentication; it is normally combined with IPsec.)
OpenVPN: OpenVPN uses the OpenSSL library to encrypt data and control information. Because it relies on OpenSSL's encryption and authentication functions, it can use any algorithm OpenSSL supports. It offers an optional packet HMAC feature (the tls-auth and tls-crypt options) to improve connection security, and OpenSSL's hardware acceleration can also improve its performance.
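The difference between AH and ESP described above is easiest to see on a packet. The following is an added example written for this page, not code from the article or from any IPsec or OpenVPN implementation: it builds an AH-style packet (header plus an HMAC integrity check value, payload left in clear) and an ESP-style packet (SPI, sequence number, IV, encrypted payload and trailer, then the ICV), verifies both, and shows that a single flipped bit or a wrong key is rejected before anything is decrypted. The keyed HMAC over every packet is also the idea behind OpenVPN's optional packet HMAC (tls-auth). Assumptions: a 128-bit truncated HMAC-SHA-256 as the integrity algorithm, and, because Python's standard library has no AES, a stand-in counter-mode keystream derived from HMAC-SHA-256 in place of the AES modes real ESP uses; field layouts follow the AH and ESP formats but are simplified (no extended sequence numbers, no anti-replay window). The inner packet is constructed sample data.

```python
import hmac
import hashlib
import secrets
import struct

ICV_LEN = 16  # HMAC-SHA-256-128: 32-byte MAC truncated to 16 bytes (RFC 4868)


def icv(auth_key: bytes, data: bytes) -> bytes:
    """Integrity check value: truncated HMAC-SHA-256 over the covered bytes."""
    return hmac.new(auth_key, data, hashlib.sha256).digest()[:ICV_LEN]


def keystream_xor(enc_key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption, NOT what real ESP uses): an HMAC-SHA-256
    counter-mode keystream XORed into the data. XOR is its own inverse, so the
    same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(enc_key, iv + struct.pack(">I", i // 32), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


# AH: next_hdr(1) | payload_len(1) | reserved(2) | SPI(4) | seq(4) | ICV(16) | payload
AH_FIXED = 12


def ah_protect(auth_key, spi, seq, next_header, payload):
    payload_len = (AH_FIXED + ICV_LEN) // 4 - 2  # AH length in 32-bit words minus 2
    header = struct.pack(">BBHII", next_header, payload_len, 0, spi, seq)
    # The ICV is computed with its own field set to zero, then filled in.
    mac = icv(auth_key, header + bytes(ICV_LEN) + payload)
    return header + mac + payload


def ah_verify(auth_key, packet):
    header = packet[:AH_FIXED]
    mac = packet[AH_FIXED:AH_FIXED + ICV_LEN]
    payload = packet[AH_FIXED + ICV_LEN:]
    if not hmac.compare_digest(mac, icv(auth_key, header + bytes(ICV_LEN) + payload)):
        raise ValueError("AH: ICV mismatch, packet modified or wrong key")
    _, _, _, spi, seq = struct.unpack(">BBHII", header)
    return spi, seq, payload


# ESP: SPI(4) | seq(4) | IV(8) | enc(payload | padding | pad_len(1) | next_hdr(1)) | ICV(16)
def esp_protect(enc_key, auth_key, spi, seq, next_header, payload):
    pad_len = (-(len(payload) + 2)) % 4           # align the trailer to 4 bytes
    trailer = bytes(pad_len) + bytes([pad_len, next_header])
    iv = secrets.token_bytes(8)
    body = struct.pack(">II", spi, seq) + iv + keystream_xor(enc_key, iv, payload + trailer)
    return body + icv(auth_key, body)              # ICV covers SPI, seq, IV and ciphertext


def esp_unprotect(enc_key, auth_key, packet):
    body, mac = packet[:-ICV_LEN], packet[-ICV_LEN:]
    # Verify first: a forged or damaged packet is dropped before decryption.
    if not hmac.compare_digest(mac, icv(auth_key, body)):
        raise ValueError("ESP: ICV mismatch, dropped before decryption")
    spi, seq = struct.unpack(">II", body[:8])
    plain = keystream_xor(enc_key, body[8:16], body[16:])
    pad_len, next_header = plain[-2], plain[-1]
    return spi, seq, next_header, plain[:len(plain) - 2 - pad_len]


def rejects(fn, *args):
    """True if fn raises ValueError, i.e. the receiver refused the packet."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True


def demo():
    auth_key, enc_key = secrets.token_bytes(32), secrets.token_bytes(32)
    payload = b"GET /erp/report HTTP/1.1"             # constructed inner packet
    ah = ah_protect(auth_key, spi=0x1001, seq=1, next_header=6, payload=payload)
    esp = esp_protect(enc_key, auth_key, spi=0x1002, seq=1, next_header=6, payload=payload)
    flipped_ah, flipped_esp = bytearray(ah), bytearray(esp)
    flipped_ah[-1] ^= 0x01                               # tamper with the AH payload
    flipped_esp[20] ^= 0x01                              # tamper with the ESP ciphertext
    return {
        "ah_payload_readable": payload in ah,            # AH: integrity only
        "esp_payload_readable": payload in esp,          # ESP: confidentiality as well
        "ah_verifies": ah_verify(auth_key, ah)[2] == payload,
        "esp_decrypts": esp_unprotect(enc_key, auth_key, esp)[3] == payload,
        "ah_tamper_rejected": rejects(ah_verify, auth_key, bytes(flipped_ah)),
        "esp_tamper_rejected": rejects(esp_unprotect, enc_key, auth_key, bytes(flipped_esp)),
        "wrong_key_rejected": rejects(esp_unprotect, enc_key, secrets.token_bytes(32), esp),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the point of the section: the AH packet still contains the request in clear text, the ESP packet does not, and both protocols refuse a modified packet. Verifying the ICV before decrypting (encrypt-then-MAC, as ESP does) is what keeps an attacker from feeding chosen ciphertext to the decryptor.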
Demand
A VPN lets remote users, branch offices, business partners and suppliers establish trusted, secure connections to the company's internal network and guarantees secure data transmission. By moving traffic onto a low-cost public network, an enterprise VPN solution greatly reduces what users spend on metropolitan-area and remote network connections. At the same time it simplifies network design and management and speeds up the connection of new users and sites. In addition, a VPN protects the existing network investment. As the user's business grows, the enterprise VPN solution lets users concentrate on their business rather than on the network. A VPN can give the growing population of mobile users secure global Internet access; it can serve as a virtual leased line for secure communication between company sites; and it can serve as a cost-effective, secure extranet connecting business partners and customers.
Many organizations currently face this challenge: branch offices, distributors, partners, customers and travelling staff need to reach company resources over the public network at any time, including internal documents, office automation (OA), ERP, CRM and project-management systems. Many companies now use IPsec VPNs to secure the connections between headquarters, branch offices and mobile staff.
Solution
For different user requirements there are three kinds of VPN solution: the remote-access VPN (Access VPN), the enterprise intranet VPN (Intranet VPN) and the enterprise extended VPN (Extranet VPN). They correspond respectively to the traditional remote-access network, the enterprise's internal intranet, and the extranet formed by the enterprise network together with the networks of its partners.
For many IPsec VPN users, the high cost and complex structure of IPsec VPN solutions are a headache. The facts are these: deploying and operating hardware or software clients requires a great deal of evaluation, deployment, training, upgrading and support, which is a heavy economic and technical burden on users, and integrating the remote-access solution with expensive internal applications is a serious challenge for any IT professional. Because of these limitations, many enterprises regard IPsec VPN as a costly, complex, even unworkable solution. To stay competitive and eliminate information islands inside the enterprise, many companies need to pass information between the different organizations and individuals related to the business, so they need a solution that is easy to implement, does not change the existing network structure and has low operating costs.
---- Conceptually, an IP-VPN is an operator's (service provider's) solution for supporting enterprise users' applications. A general approach can also cover the case where a VPN supported by one operator involves other operators' networks (the "carrier's carrier" case).
---- In an IP-VPN, the CE (customer edge) router is the customer's edge router that connects a customer site to the service provider's network, and the PE (provider edge) router is the service provider's edge router that connects to the customer's CE router. A site is a set of networks or subnets that form part of a customer network and attach to the VPN through one or more PE/CE links. A VPN is a set of sites that share the same routing information; a site can belong to several different VPNs at the same time.
---- When a service provider network supports multiple VPNs, a site can belong to several of them at once. Depending on policy, a site that belongs to several VPNs may or may not provide forwarding between two of those VPNs. When a site belongs to several VPNs at the same time, its address space must be unique across all of those VPNs. MPLS provides a flexible and scalable technical basis for implementing IP-VPNs; the service provider can decide how its network supports IP-VPN according to its internal network and the specific needs of its customers. There are therefore several ways of supporting IP-VPN in an MPLS/ATM network; this article introduces two of them.
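The rule stated above, that a site belonging to several VPNs must have an address space unique across all of them, and the reason it is not needed for sites in a single VPN, can be shown with a small model of a PE router. The following is an added example written for this page, not code from the article or from any router vendor: the PE keeps one routing table per VPN (the per-VPN table is usually called a VRF; that naming is an assumption here), lookups are confined to the table of the VPN a packet arrived in, and a site attached to several VPNs is only accepted if its prefixes overlap nothing in any of those VPNs. Site names and prefixes are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Site:
    name: str
    prefixes: list          # address space announced to the PE over the PE/CE link
    vpns: set               # the VPNs this site belongs to


@dataclass
class PERouter:
    # One routing table per VPN (the per-VPN table a PE keeps, usually called a VRF).
    tables: dict = field(default_factory=dict)

    def attach(self, site: Site) -> None:
        """Install a site's prefixes in the table of every VPN it belongs to.

        The overlap check runs over every VPN the site is in before anything is
        installed, so a site in several VPNs is accepted only if its address
        space is unique across all of them."""
        nets = [ipaddress.ip_network(p) for p in site.prefixes]
        for vpn in sorted(site.vpns):
            for net in nets:
                for existing, owner in self.tables.get(vpn, {}).items():
                    if owner != site.name and net.overlaps(existing):
                        raise ValueError(
                            f"{vpn}: {net} from {site.name} overlaps {existing} from {owner}")
        for vpn in site.vpns:
            table = self.tables.setdefault(vpn, {})
            for net in nets:
                table[net] = site.name

    def lookup(self, vpn: str, address: str):
        """Longest-prefix match confined to the table of the VPN the packet came
        from, so identical customer prefixes in different VPNs never collide."""
        addr = ipaddress.ip_address(address)
        matches = [n for n in self.tables.get(vpn, {}) if addr in n]
        if not matches:
            return None
        return self.tables[vpn][max(matches, key=lambda n: n.prefixlen)]


def demo():
    pe = PERouter()
    # Constructed sample data: two unrelated customers that both use 10.1.0.0/16.
    pe.attach(Site("cust_a_hq", ["10.1.0.0/16"], {"VPN_A"}))
    pe.attach(Site("cust_b_hq", ["10.1.0.0/16"], {"VPN_B"}))
    result = {
        "same_addr_in_vpn_a": pe.lookup("VPN_A", "10.1.20.7"),
        "same_addr_in_vpn_b": pe.lookup("VPN_B", "10.1.20.7"),
    }
    # A shared site (say a hosted ERP) that both customers must reach cannot reuse
    # 10.1.0.0/16: the address would be ambiguous in both VPNs.
    try:
        pe.attach(Site("shared_dc", ["10.1.0.0/16"], {"VPN_A", "VPN_B"}))
        result["shared_overlap_rejected"] = False
    except ValueError:
        result["shared_overlap_rejected"] = True
    # With an address space that is unique across both VPNs the shared site is accepted.
    pe.attach(Site("shared_dc", ["172.16.0.0/16"], {"VPN_A", "VPN_B"}))
    result["shared_from_vpn_a"] = pe.lookup("VPN_A", "172.16.5.5")
    result["shared_from_vpn_b"] = pe.lookup("VPN_B", "172.16.5.5")
    result["shared_from_other_vpn"] = pe.lookup("VPN_C", "172.16.5.5")   # not a member
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two customers in separate VPNs can both use 10.1.0.0/16 because each VPN has its own table; the shared site is the one that has to avoid both of them. A site in VPN_C gets no route to the shared site at all, which is the isolation property the operator is selling: reachability follows VPN membership, not the address plan.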
Publisher: admin. Please credit the source when reposting: http://www.yc00.com/news/1708727242a1582452.html