A virtual private network (VPN) is a type of private network constructed by using public network infrastructure to connect geographically separate nodes. An example of a VPN uses virtual connections, or tunnels, routed through the Internet between a company's private central network and a remote site, or to a remote employee on the road or working from home.
In a VPN, one or more concentrators provide remote clients with a plurality of points of access to the central server. A concentrator is a type of multiplexor that combines multiple channels onto a single transmission medium in such a way that all the individual channels can be simultaneously active. In the VPN, the concentrators are at the threshold of the central site receiving requests for connections from, typically, many VPN clients. Each concentrator has a unique IP address by which VPN clients address the concentrator within the VPN. Typically, a VPN client has the IP address of only one concentrator. This means that each client accesses the central site through the one concentrator that particular client “knows.”
VPNs are constructed to operate over a public network typically through a combination of data encapsulation, data encryption and user authentication. A variety of mechanisms are used to provide access control and data integrity in a VPN. VPNs commonly combine asymmetric (public-key) cryptography, used to authenticate the peers and to establish session keys, with symmetric-key encryption, used to protect the bulk of the traffic. A protocol commonly used in VPNs is IPsec (Internet Protocol Security), a set of protocols developed by the Internet Engineering Task Force that protects data packets at the Internet Protocol (IP) network layer; its Encapsulating Security Payload (ESP) provides confidentiality and integrity for each packet. IPsec supports two modes of operation: transport mode and tunnel mode. Transport mode protects only the data portion, that is, the payload, of each packet and leaves the original IP header in the clear, so an observer on the public network still sees the true source and destination addresses. Tunnel mode encapsulates the entire original packet, header and payload, inside a new packet addressed between the two VPN endpoints; the original addresses are therefore hidden, which is why tunnel mode is used between a remote site or client and the central site. On the receiving side, an IPsec-compliant device verifies the integrity of each packet, decrypts it, and forwards the recovered inner packet into the central network. In IPsec, the sending and receiving devices share secret session keys rather than a public key. These keys are negotiated with the Internet Key Exchange (IKE) protocol, which is built on the Internet Security Association and Key Management Protocol/Oakley (ISAKMP/Oakley); IKE uses a Diffie-Hellman exchange to derive the shared secret and can authenticate the peers using digital certificates (or a pre-shared key).
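The following worked example, added here and not part of the original text, makes the transport-mode versus tunnel-mode distinction concrete. It builds a plain IPv4 packet, wraps it in an ESP packet laid out as in RFC 4303 (SPI and sequence number, encrypted payload with padding, pad-length and next-header trailer, then a truncated HMAC-SHA256 integrity check value), and shows what an observer on the public network can still read in each mode. The cipher is a stand-in: an HMAC-SHA256 counter keystream keyed with a constructed 32-byte key, used in place of the AES-based ESP transforms a real implementation negotiates through IKE, and a single key is used for both encryption and integrity where IPsec would derive separate keys. Addresses, SPI values and the sample payload are constructed.

```python
"""Transport-mode vs tunnel-mode ESP encapsulation (added illustration, not IPsec code).

The keystream below is an HMAC-SHA256 counter construction standing in for the
negotiated ESP cipher; real IPsec peers derive separate encryption and integrity
keys from the IKE exchange and use e.g. AES-GCM. Addresses and keys are constructed.
"""
import hashlib
import hmac
import socket
import struct

ESP = 50   # IP protocol number that tells the receiver an ESP payload follows
IPIP = 4   # ESP next-header value: the decrypted payload is a whole IPv4 packet (tunnel mode)
TCP = 6


def ipv4_checksum(hdr: bytes) -> int:
    """Standard one's-complement checksum over a 20-byte option-less IPv4 header."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 packet: fixed 20-byte header (id 0, ttl 64, no options) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl != 0x45 or ipv4_checksum(pkt[:20]) != 0:
        raise ValueError("bad IPv4 header")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "payload": pkt[20:total_len]}


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Placeholder cipher: HMAC-SHA256(key, nonce || counter) blocks. The nonce is the
    ESP header (SPI || seq), so it never repeats within one SA; reusing a sequence number
    under the same key would reuse keystream, which is why IPsec rekeys before seq wraps."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack("!I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def esp_encapsulate(spi: int, seq: int, key: bytes, inner: bytes, next_header: int) -> bytes:
    """ESP header | encrypted(inner | padding | pad_len | next_header) | 128-bit ICV."""
    pad_len = (-(len(inner) + 2)) % 4            # RFC 4303: trailer aligned to 4 bytes
    plain = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    hdr = struct.pack("!II", spi, seq)
    ct = bytes(a ^ b for a, b in zip(plain, keystream(key, hdr, len(plain))))
    icv = hmac.new(key, hdr + ct, hashlib.sha256).digest()[:16]   # HMAC-SHA256-128 style ICV
    return hdr + ct + icv


def esp_decapsulate(key: bytes, esp: bytes):
    """Verify the ICV first, then decrypt; returns (next_header, inner bytes)."""
    hdr, ct, icv = esp[:8], esp[8:-16], esp[-16:]
    expected = hmac.new(key, hdr + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP integrity check failed")
    plain = bytes(a ^ b for a, b in zip(ct, keystream(key, hdr, len(ct))))
    pad_len, next_header = plain[-2], plain[-1]
    return next_header, plain[:len(plain) - 2 - pad_len]


def transport_mode(pkt: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Keep the original IP header (protocol rewritten to ESP); protect only the payload."""
    ip = parse_ipv4(pkt)
    return build_ipv4(ip["src"], ip["dst"], ESP, esp_encapsulate(spi, seq, key, ip["payload"], ip["proto"]))


def tunnel_mode(pkt: bytes, gw_src: str, gw_dst: str, spi: int, seq: int, key: bytes) -> bytes:
    """Encrypt the whole original packet and prepend a new header between the VPN endpoints."""
    return build_ipv4(gw_src, gw_dst, ESP, esp_encapsulate(spi, seq, key, pkt, IPIP))


def receive(pkt: bytes, key: bytes) -> bytes:
    """Receiving IPsec device: authenticate, decrypt and recover the original packet."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != ESP:
        raise ValueError("not an ESP packet")
    nh, inner = esp_decapsulate(key, ip["payload"])
    if nh == IPIP:
        return inner                                        # tunnel mode: inner is a full packet
    return build_ipv4(ip["src"], ip["dst"], nh, inner)     # transport mode: restore the header


def on_the_wire(pkt: bytes):
    """What an observer on the public network sees without the key: the outer addresses."""
    ip = parse_ipv4(pkt)
    return ip["src"], ip["dst"], ip["proto"]


# Constructed sample: a client behind one site talking to a server at the central site.
KEY = b"\x11" * 32                                   # constructed; real keys come from IKE
ORIGINAL = build_ipv4("10.1.2.3", "10.9.8.7", TCP, b"GET /payroll HTTP/1.1\r\n")
TRANSPORT = transport_mode(ORIGINAL, spi=0x1000, seq=1, key=KEY)
TUNNEL = tunnel_mode(ORIGINAL, "198.51.100.5", "203.0.113.9", spi=0x1001, seq=1, key=KEY)

if __name__ == "__main__":
    print("transport mode, visible:", on_the_wire(TRANSPORT))   # inner 10.x addresses exposed
    print("tunnel mode, visible:   ", on_the_wire(TUNNEL))      # only the gateway addresses
    print("round trip ok:", receive(TRANSPORT, KEY) == ORIGINAL == receive(TUNNEL, KEY))
```

Running it shows the practical difference the text describes: in transport mode the 10.1.2.3 and 10.9.8.7 addresses ride in the clear, while in tunnel mode only the two gateway addresses are visible and the payload, inner header and true endpoints are all inside the ciphertext. Flipping any byte of either packet makes `receive` raise before decryption, which is the integrity property ESP adds on top of encryption.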