VPN Overview and Setup
To review, IPSec provides authentication and encryption of data streams over IP networks to prevent unauthorized parties from accessing and reading private data. In terms of the OSI model, IPSec works at the same layer as IP addressing, which is Layer 3, the network layer, to encrypt and encapsulate data streams so they can be securely transmitted to the intended party.
Surfing to a web site whose URL starts with https uses a different security protocol, SSL (Secure Sockets Layer; its standardized successor is TLS). Besides encrypting the session, SSL lets the browser validate the identity of the server. A web server using SSL identifies itself by sending the browser a certificate, and the browser accepts it only if the certificate chains to a certificate authority in the browser's trust store and the name in the certificate matches the host in the URL. If that check fails, for example because the certificate is self-signed or was issued by a CA the browser does not know, an error such as the one in Figure 2, below, is presented, warning that the web site may not be secure.
Figure 2: Certificate error message
SSL does not replace TCP; it runs on top of TCP, above the transport layer (Layer 4), so an SSL web site still uses an ordinary TCP connection, by convention on port 443 rather than the port 80 used for plain HTTP. An SSL VPN uses the same technology as an SSL web site but takes it one step further: the HTTPS session to the router becomes a tunnel that gives a remote client access to the network behind it.
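What the browser does when it decides whether to show that warning can be reproduced with Go's standard x509 verifier. The program below is an added example and is not code from the original article or from Linksys. It builds, in memory, a self-signed certificate of the kind a router typically ships with, a private CA and a CA-issued certificate, all for the assumed host name vpn.example.com, and verifies them under four trust settings: nothing trusted (the Figure 2 situation), the router's own certificate imported as trusted, the private CA trusted, and the CA trusted but the server reached under a different name (the assumed address 192.0.2.10), which is what happens when the name in the certificate and the URL you browse to do not agree.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for name, valid for one day. With parent == nil
// it is self-signed, which is the usual state of a router's built-in HTTPS
// certificate; otherwise it is signed by parent using parentKey.
// Keys and certificates exist only in memory; nothing touches disk or network.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)), // keep it positive
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// A server certificate must name the host it is reached by; the verifier
		// compares the URL's host against these names, not against the CommonName.
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// outcome maps the verifier's error to the result a browser user would see.
func outcome(err error) string {
	var unknownCA x509.UnknownAuthorityError
	var badName x509.HostnameError
	switch {
	case err == nil:
		return "accepted"
	case errors.As(err, &unknownCA):
		return "unknown authority" // the kind of warning shown in Figure 2
	case errors.As(err, &badName):
		return "hostname mismatch"
	default:
		return "rejected: " + err.Error()
	}
}

// check verifies leaf the way a browser does: the chain must end at a
// certificate in roots, and the leaf must be valid for host.
func check(leaf *x509.Certificate, roots *x509.CertPool, host string) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return outcome(err)
}

// Scenarios builds a self-signed router certificate and a CA-issued one for the
// assumed name vpn.example.com and verifies them under four trust settings.
func Scenarios() (map[string]string, error) {
	selfSigned, _, err := issue("vpn.example.com", false, nil, nil)
	if err != nil {
		return nil, err
	}
	ca, caKey, err := issue("Home Lab Private CA", true, nil, nil)
	if err != nil {
		return nil, err
	}
	issued, _, err := issue("vpn.example.com", false, ca, caKey)
	if err != nil {
		return nil, err
	}
	nothingTrusted := x509.NewCertPool()
	routerTrusted := x509.NewCertPool()
	routerTrusted.AddCert(selfSigned) // what "install this certificate" in a browser does
	caTrusted := x509.NewCertPool()
	caTrusted.AddCert(ca)
	return map[string]string{
		"self-signed, nothing trusted":      check(selfSigned, nothingTrusted, "vpn.example.com"),
		"self-signed, router cert imported": check(selfSigned, routerTrusted, "vpn.example.com"),
		"CA-issued, CA trusted":             check(issued, caTrusted, "vpn.example.com"),
		"CA-issued, CA trusted, wrong name": check(issued, caTrusted, "192.0.2.10"), // assumed IP
	}, nil
}

func main() {
	results, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for name, result := range results {
		fmt.Printf("%-36s -> %s\n", name, result)
	}
}
```

Running it with `go run` prints the four outcomes. The point for an SSL VPN is that a warning like Figure 2 means the client cannot tell the router from an impostor sitting in the path; the remedy is to import the router's certificate (or the CA that issued it) into the client's trust store rather than to click through, and to connect using the name the certificate was issued for.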
The differences between an IPSec VPN client and an SSL VPN client become clear at setup. Configuring an IPSec VPN client involves installing a client application and choosing the correct options for key exchange, encryption and shared keys, as well as various tunnel-initiation and keep-alive options, on both the client PCs and the router.
Configuring an SSL VPN client involves creating a valid user ID and password on the router, making sure a few options in the remote PC's browser are enabled, and allowing the installation of a small applet on the remote PC at the first login. No separate client application needs to be installed or configured on the remote user PCs. The applet is the client, though, and because it creates a virtual network adapter on the PC, the user has to approve its installation when the browser prompts for it.
From my own experience, installation and configuration of IPSec VPN client applications can be a hassle. Not all IPSec VPN clients support Vista, and there are usually multiple and sometimes confusing options to configure. The PC's firewall also must be made aware of the application, and the task of adding another application and rebooting is a pain and uses up more disk space.
An SSL VPN is largely OS and platform agnostic, and requires no installation CD or large application download. This means that SSL VPN connectivity can be extended to XP, Vista, Mac OS and Linux PCs, using common browsers such as Internet Explorer (IE), Netscape, Safari or Firefox. For IE, an ActiveX control provides the Virtual Passage VPN interface; the other browsers use a Java applet, so they need a Java runtime installed.
Setting up an SSL VPN connection on my Vista laptop using IE was easy following Linksys' directions in the manual. First, I added a username and password to the SSL VPN – User Management submenu on the RVL200. Second, I made sure SSL, scripting, and automatic cookie handling were enabled in the IE-Internet Options-Advanced menus of my laptop. I also added the URL of my Dynamic DNS address to the trusted sites list within IE on my laptop. A static WAN IP could also be added to the trusted sites list.
I then fired up my browser to my Dynamic DNS URL (https://mydomain.com), logged in with the username and password, clicked OK to allow the installation of the Virtual Passage ActiveX applet, and I was connected! A small icon in my system tray indicated the connection was up, and clicking on it provided the status of the connection shown in Figure 3.
Figure 3: Virtual Passage status and icon
As shown in Figure 3, the Virtual Passage connection has issued an IP address of 192.168.3.201 to my laptop and shows I am connected. Working remotely, I was able to access all elements of my LAN with IP addresses in the 192.168.3.0 /24 subnet. For example, the LAN IP of my printer is 192.168.3.112, which I was able to access over this SSL VPN. Indeed, I could access all my LAN devices, including a NAS, the web utilities of a VOIP ATA and Smart Switch, as well as Remote Desktop to a Windows PC and SSH to a Linux PC.
To validate operation with another browser, I installed Firefox on my Vista laptop and repeated the above steps. Functionality and simplicity were the same. I didn't even customize any options in Firefox; it simply worked.
Disconnecting from the VPN was just as easy. For IE 7, the browser window to the RVL (shown in Figure 1) needs to stay open to keep the VPN connection up. Closing this window tears down the connection, and the Virtual Passage icon disappears.
For Firefox (Figure 3a), I didn't have to keep the browser window open. I was able to close the Firefox SSL VPN window and verify the VPN connection was up through a simple ping. Disconnecting the VPN connection established through Firefox was accomplished by right-clicking on the Virtual Passage icon and selecting Disconnect.