So you're ready to try out an IP VPN. Here's how to make the planning and implementation a little smoother.
Organizations implement IP virtual private networks (VPNs) for three main reasons:
Reduce the costs of remote access and dedicated site-to-site communications.
Improve performance for distributed access.
Create consistent security policies across heterogeneous enterprise environments (see "Streaming Connections").
Whichever of these reasons drives an enterprise to deploy a VPN, certain minimum requirements must be met. Solutions must provide predictable performance, flexibility and scalability.
A VPN provides connectivity between sites across a shared infrastructure in a secure manner with the same policies as a private network. VPNs employ two strategies to provide that level of control: Use of encryption and encapsulation to set up secure, end-to-end connections over public networks (known as the Overlay Model); and use of tagging technologies to isolate client traffic over networks belonging to a single service provider (known as the Peer Model). The former strategy offers high levels of assurance to the client, but suffers from scalability issues. The latter strategy scales well using classical internetworking techniques, but requires high levels of trust in the service provider.
This article will discuss the best practices for implementing VPN solutions in order to migrate from private leased-line and dial solutions to high-speed shared broadband solutions. It will also present the issues surrounding service provider-based VPN solutions.
VPN Protocol Evolution
IP Security (IPSec) is a framework of open standards that provides data confidentiality, data integrity and authentication between participating peers (i.e., client to client, client to gateway, gateway to gateway). It is seeing enormous adoption by VPN vendors and large implementations by enterprises. A few of the key developments for IPSec include:
ISAKMP Configuration Method: One of the key issues in a remote access VPN deployment is the configuration of VPN client software with required information such as an IP address. An attempt to deal with this issue has come via the Internet Security Association and Key Management Protocol (ISAKMP) Configuration Method, specified as an Internet draft (www.ietf.org/internet-drafts/draft-dukes-ike-mode-cfg-00.txt).
Many VPN product vendors have implemented the ISAKMP Configuration Method to provide the capability to dynamically configure VPN clients as part of the client connection process. Rather than having to individually configure each user's machine after...





