An access VPN has two basic components:
L2TP Network Server (LNS): A device such as a Cisco router located in the customer premises. Remote dial users access the home LAN as if they were dialed into the home gateway directly, although their physical dialup is via the ISP network access server. Home gateway is the Cisco term for LNS.
An LNS operates on any platform capable of PPP termination. LNS handles the server side of the L2TP protocol. Because L2TP relies only on the single media over which L2TP tunnels arrive, LNS may have only a single LAN or WAN interface, yet still be able to terminate calls arriving at any LAC’s full range of PPP interfaces (async, synchronous ISDN, V.120, and so on). LNS is the initiator of outgoing calls and the receiver of incoming calls. LNS is also known as HGW in L2F terminology.
L2TP Access Concentrator (LAC): A device such as a Cisco access server attached to the switched network fabric (for example, PSTN or ISDN) or colocated with a PPP end system capable of handling the L2TP protocol. An LAC needs to only implement the media over which L2TP is to operate to pass traffic to one or more local network servers (LNSs). It may tunnel any protocol carried within PPP. LAC is the initiator of incoming calls and the receiver of outgoing calls. LAC is also known as NAS in L2F.
Client-Initiated Access VPN
There are two types of Access VPNs. Essentially they are dedicated or dial.
With a dedicated or client-initiated Access VPNs, users establish an encrypted IP tunnel from their clients across a service provider’s shared network to their corporate network.
With a client-initiated architecture, businesses manage the client software tasked with initiating the tunnel. Client-initiated VPNs ensure end-to-end security from the client to the host. This is ideal for banking applications and other sensitive business transactions over the Internet.
With client-initiated VPN Access, the end user has IPSec client software installed at the remote site, which can terminate into a firewall for termination into the corporate network. IPSec and IKE and certificate authority are used to generate the encryption, authentication, and certificate keys to be used to ensure totally secure VPN solutions.
An advantage of a client-initiated model is that the “last mile” service provider access network used for dialing to the point of presence (POP) is secured. An additional consideration in the client-initiated model is whether to utilize operating system embedded security software or a more secure supplemental security software package. While supplemental security software installed on the client offers more robust security, a drawback to this approach is that it entails installing and maintaining tunneling/encryption software on each client accessing the remote access VPN, potentially making it more difficult to scale.
NAS-Initiated Access VPN
In a NAS-initiated scenario, client software issues are eliminated. A remote user dials into a service provider’s POP using a PPP/SLIP connection, is authenticated by the service provider, and, in turn, initiates a secure, encrypted tunnel to the corporate network from the POP using L2TP or L2F.
With a NAS-initiated architecture, all VPN intelligence resides in the service provider network—there is no end-user client software for the corporation to maintain, thus eliminating client management burdens associated with remote access. The drawback, however, is lack of security on the local access dial network connecting the client to the service provider network. In a remote access VPN implementation, these security/management trade-offs must be balanced.
Pros: NAS-initiated Access VPNs require no specialized client software, allowing greater flexibility for companies to choose the access software that best fits their requirements. NAS solutions use robust tunneling protocols such as Cisco L2F or L2TP.
IPSec provides encryption only, in contrast with the client-initiated model where IPSec enables both tunneling and encryption. Premium service examples include reserved modem ports, guarantees of modem availability, and priority data transport.
The NAS can simultaneously be used for Internet as well as VPN access.
All traffic to a given destination travels over a single tunnel from a NAS, making larger deployments more scalable and manageable.
Con: NAS-initiated Access VPN connections are restricted to POPs that can support VPNs.