
Question about VPN Encapsulation

Udgnim

Diamond Member
This is my basic understanding of what is involved in sending a VPN packet

[data] gets encapsulated by [IP header & footer] which gets encapsulated by [tunneling protocol] which gets encapsulated by [encryption protocol] which gets encapsulated by [IP header & footer]

Please correct me if I'm wrong on the following

the very outside [IP header & footer] is for routing from the Internet to the remote VPN server

the [encryption protocol] would be something like IPsec encrypting the tunnel

the [tunneling protocol] would be something like PPP creating the tunnel and VPN connection to an organization's internal network

the inside [IP header & footer] is what I'm pretty unsure about. Is it used for accessing internal network resources?

Thanks for the help
 
Take your original IP packet, from layer 3 on up (IP layer, layer 4 and 7, and layer 5/6 if they're there as well). But it's the entire packet.

That packet is encrypted and a new layer 3 src/dst/options/checksum IP header is added. ESP is typical: IPsec manages and negotiates the tunnel, ESP is the actual encrypted/tunneled traffic. Many times an additional layer 4 header is added with TCP or UDP to allow the packet to traverse address translation (NAT traversal).

On the other end the outer header is removed and the original packet with its src/dst layer 3 IP address is then routed as normal. Typically yes, that is routed to an inside/internal network.

These days VPNs and tunnels use SSL for encryption but the concept remains exactly the same apart from encryption method.

Now you can start to see where fragmentation becomes a problem. Take the typical IP packet of max size 1500 bytes. You try to encapsulate that entire thing and it will be bigger than the max packet size of 1500. So it will be fragmented into two encapsulated packets. The other end of the tunnel and systems sometimes have problems reassembling the original packet, and also if the do-not-fragment bit is set. Needless to say VPN fragmentation problems still exist, and the easiest way to deal with it is to set the computer's MTU to something like 1300 to make sure that even if it gets encapsulated many times, reassembling the packet won't be a problem.
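The encapsulation layering from the original question and the fragmentation arithmetic from the reply above, as an added worked example (it is not code from either poster). It models the IPsec ESP tunnel-mode case the reply describes (inner IP packet, ESP, optional UDP for NAT traversal, outer IP header) rather than the PPP/L2TP variant mentioned in the question. The header and trailer sizes are assumptions for a typical IPv4 + ESP with AES-CBC-128 and HMAC-SHA1-96 setup; other cipher suites change the overhead but not the shape of the result.

```python
"""Model of IPsec ESP tunnel-mode encapsulation overhead and IPv4 fragmentation.

All sizes below are assumed for this example (IPv4 without options, ESP with
AES-CBC-128 and HMAC-SHA1-96, UDP encapsulation for NAT traversal as in RFC 3948).
They are not values taken from the thread.
"""

IPV4_HEADER = 20   # outer IPv4 header, no options
UDP_HEADER = 8     # UDP header inserted for NAT traversal (NAT-T)
ESP_HEADER = 8     # SPI (4 bytes) + sequence number (4 bytes)
ESP_IV = 16        # AES-CBC initialisation vector
ESP_TRAILER = 2    # pad length (1 byte) + next header (1 byte)
ESP_ICV = 12       # HMAC-SHA1-96 integrity check value
ESP_BLOCK = 16     # AES block size: payload + trailer is padded to a multiple of this


def esp_padding(inner_len: int) -> int:
    """Padding bytes needed so (inner packet + ESP trailer) is a multiple of ESP_BLOCK."""
    return (-(inner_len + ESP_TRAILER)) % ESP_BLOCK


def layer_stack(inner_len: int, nat_traversal: bool = True) -> list:
    """Outer-to-inner list of (layer, bytes), mirroring the bracket notation in the question."""
    stack = [("outer IP header (routes to the VPN server)", IPV4_HEADER)]
    if nat_traversal:
        stack.append(("UDP header (NAT traversal)", UDP_HEADER))
    stack += [
        ("ESP header + IV", ESP_HEADER + ESP_IV),
        ("inner IP packet, encrypted (inner header addresses the internal network)", inner_len),
        ("ESP padding + trailer, encrypted", esp_padding(inner_len) + ESP_TRAILER),
        ("ESP integrity check value", ESP_ICV),
    ]
    return stack


def encapsulated_size(inner_len: int, nat_traversal: bool = True) -> int:
    """Bytes on the wire for one outer packet carrying an inner IP packet of inner_len bytes."""
    return sum(size for _, size in layer_stack(inner_len, nat_traversal))


def fragments_needed(inner_len: int, path_mtu: int = 1500, nat_traversal: bool = True) -> int:
    """Number of IPv4 fragments the outer packet is split into on a path with the given MTU.

    Every fragment carries its own IPv4 header and, except the last, a payload that
    is a multiple of 8 bytes (IPv4 fragment offsets are in 8-byte units).
    """
    outer = encapsulated_size(inner_len, nat_traversal)
    if outer <= path_mtu:
        return 1
    payload_per_fragment = (path_mtu - IPV4_HEADER) // 8 * 8
    payload = outer - IPV4_HEADER
    return -(-payload // payload_per_fragment)  # ceiling division


def max_inner_size(path_mtu: int = 1500, nat_traversal: bool = True) -> int:
    """Largest inner packet (i.e. host MTU) that still fits in a single outer packet."""
    best = 0
    for candidate in range(IPV4_HEADER, path_mtu + 1):
        if encapsulated_size(candidate, nat_traversal) <= path_mtu:
            best = candidate
    return best


if __name__ == "__main__":
    for inner in (1500, 1300):
        print(f"inner packet {inner} bytes:")
        for name, size in layer_stack(inner):
            print(f"  {size:5d}  {name}")
        print(f"  total {encapsulated_size(inner)} bytes -> "
              f"{fragments_needed(inner)} fragment(s) on a 1500-byte path")
    print(f"largest inner packet that avoids fragmentation: {max_inner_size()} bytes")
```

Running it shows why the reply's advice works: a full 1500-byte inner packet becomes a 1568-byte outer packet and is split in two, while a host MTU of 1300 leaves the outer packet at 1376 bytes, comfortably under 1500 even with the NAT-traversal UDP header. `max_inner_size()` gives the exact ceiling for this particular cipher suite; the round number 1300 from the reply simply leaves headroom for other combinations or a second encapsulation.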
 