Question : VPN - how does it work

Experts,

I understand what a VPN is and have been trialling RRAS and doing some reading. Internally I have set up an RRAS server and can connect to it just fine with an XP machine's inbuilt VPN connection.

I also understand that at my office I would have to enable port mapping on a router to point to my VPN server - 1723 for PPTP.

The concept I do struggle with, however, is: if I am sitting at home with a normal DSL connection through a standard ISP, how do I authenticate with my VPN connection to my RRAS server, which sits behind a firewall in a private IP managed network, or, scrapping the private IP managed side of things, a standard network that sits behind a router with a different ISP on the other side of my country!

For example, my home network in New South Wales sits quite contentedly with a 192.168.X.X IP scheme which is doled out by DHCP on my router. Now my imaginary office in Western Aus sits on a standard network that also sits on a 192.168.X.X IP scheme that is once again doled out by my standard ADSL router.

How does this work? I know it does, but I would like to understand how it is done. How do site-to-site full-time VPN tunnels configured through RRAS stay up so that DCs can replicate? This is a mystery to me! I just want to know how in the world my home laptop knows where to go with the millions of ADSL routers out there doling out 192.168.X.X IP schemes for home LANs! I know it pulls on the WAN address but I still don't understand it!

Thanks for your expertise!
I don't need links on how to set them up as I have plenty of them and have handed them out to people with questions in the past - I get how to set them up to a point. What I want to know is how this works!!

If this is too much of a broad question let me know and I'll narrow it down if I can.

Answer : VPN - how does it work

Jay_Jay70, to add a little to the above, I think the confusion may be with the fact that there are different types of VPNs, ignoring the fact that there are also different types of authentication and/or encryption as mentioned above.
1) You can of course make use of RRAS, where Windows becomes the VPN server. If so, the client initiates an outgoing connection (no port forwarding required) to your public IP. Depending on the chosen encryption/encapsulation method, PPTP, L2TP, and/or IPSec, it will use a standard set of ports. When it reaches your router by using its public IP, it would simply be dropped unless you have set up rules on your router as to what to do with those packets. In the case of a standard Windows PPTP, you would create a rule (port forwarding) that all traffic on port 1723 gets forwarded to the VPN server. The VPN server then deals with it, sends a reply to the client and communication begins. At the client end, as with any outgoing request, HTTP or otherwise, the "door" is kept open and traffic redirected to the originating source using NAT (Network Address Translation). Two things to remember with setting these up: the subnet at either end of a VPN tunnel needs to be different, and you need to allow the encapsulation protocol you are using to pass through the router. Make sure the router supports VPN pass-through; not all do.
2) You can also ignore all of the above, except requiring the subnets to be different, and use a client-to-hardware or hardware-to-hardware VPN. You mentioned you have a CheckPoint VPN/firewall. Forget RRAS altogether!!! CheckPoint uses IPSec, where the basic RRAS VPN uses PPTP. IPSec is far more secure. You can set up L2TP with IPSec using RRAS, but I'm sure you have far better things to do with your time. It's not fun. Next, if you use the CheckPoint VPN, or any hardware VPN, you don't need to open any ports, another big security advantage. The CheckPoint VPN will effectively act as a simple router once connected, allowing all traffic from one subnet to another. (Depending on how the client is configured, it may only allow the client on the remote end.) In this case, the router is configured to accept VPN connections, with rules such as: only allow from one IP. When the client or other router connects to the public IP of the router, it has internal rules that say: any traffic of type 'x', IPSec in this case, is allowed to pass to the local subnet under the specified conditions, is un-encrypted and passed through, and is seen by the local subnet as a local IP due to NAT.

With either VPN your connection is seamless: you use local IPs, and all routing from your subnet to the other is controlled by the VPN, and as you mentioned that address may be changed/routed numerous times while en route. Keep in mind this is the true security risk of a VPN. If it is branch-to-branch, you have effectively put all remote computers in the middle of your corporate office. Unless rules are set up, browsing the remote LAN is as easy as any local network. If on the remote network you have someone working at home, and little Johnny is downloading viruses and hacking every IP he can see, you can be at risk. The CheckPoint unit will allow you to tighten that down considerably, far more than RRAS.

In my opinion, always go the hardware route, unless you want to use ISA, but that is another topic.
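The two mechanisms the answer leans on, the home router keeping the "door" open for a connection a LAN host started, and the office router's explicit port-forward rule for 1723, can be shown with a small simulation. The following Python is an added example, not code from the original thread, RRAS or CheckPoint: it is a toy NAT router model (no real packets are sent), the addresses 203.0.113.10 and 198.51.100.20 are constructed documentation addresses standing in for the two ISP-assigned public IPs, and it also includes the subnet-overlap check behind the "subnets must be different" rule.

```python
import ipaddress
from dataclasses import dataclass

PPTP_PORT = 1723  # PPTP control channel, the port the answer says to forward to the RRAS server


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class NatRouter:
    """Toy model of a home/office ADSL router doing source NAT plus optional port forwarding.
    Constructed for illustration only; it is not any vendor's implementation."""

    def __init__(self, lan, public_ip, port_forwards=None):
        self.lan = ipaddress.ip_network(lan)
        self.public_ip = public_ip
        self.port_forwards = dict(port_forwards or {})  # public port -> internal host
        self.nat_table = {}                              # public port -> (private ip, private port)
        self._next_port = 40000                          # next free public port to hand out

    def outbound(self, pkt):
        """A LAN host sends toward the Internet: rewrite the private source to the public IP."""
        if ipaddress.ip_address(pkt.src_ip) not in self.lan:
            raise ValueError(f"{pkt.src_ip} is not on {self.lan}")
        # A reply leaving a port-forwarded server keeps the forwarded port unchanged.
        if self.port_forwards.get(pkt.src_port) == pkt.src_ip:
            return Packet(self.public_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.payload)
        # Otherwise allocate a public port and remember who owns it: this is the "door kept open".
        pub_port = self._next_port
        self._next_port += 1
        self.nat_table[pub_port] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt):
        """A packet arrives on the public side. Returns the translated packet, or None if dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        if pkt.dst_port in self.nat_table:      # reply to a connection a LAN host opened earlier
            priv_ip, priv_port = self.nat_table[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.payload)
        if pkt.dst_port in self.port_forwards:  # unsolicited, but an explicit forwarding rule exists
            target = self.port_forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, target, pkt.dst_port, pkt.payload)
        return None                             # no matching rule: silently dropped


def subnets_overlap(lan_a, lan_b):
    """True when the two LANs share addresses, which makes tunnel routing ambiguous."""
    return ipaddress.ip_network(lan_a).overlaps(ipaddress.ip_network(lan_b))


def pptp_round_trip(home, office, laptop_ip, laptop_port=50000):
    """Walk one PPTP control packet from the laptop to the RRAS server and the reply back.
    Returns a list of (stage, 'src_ip:port', 'dst_ip:port') so every translation is visible."""
    def view(stage, p):
        return (stage, f"{p.src_ip}:{p.src_port}", f"{p.dst_ip}:{p.dst_port}")

    hops = []
    req = Packet(laptop_ip, laptop_port, office.public_ip, PPTP_PORT, "Start-Control-Connection-Request")
    hops.append(view("laptop -> home router", req))
    on_wire = home.outbound(req)                 # private source replaced by home public IP
    hops.append(view("home router -> internet", on_wire))
    at_server = office.inbound(on_wire)          # office router consults its port-forward rules
    if at_server is None:
        hops.append(("office router", "DROPPED", "no rule for port %d" % PPTP_PORT))
        return hops
    hops.append(view("office router -> RRAS server", at_server))
    # The server answers by swapping source and destination of what it received.
    reply = Packet(at_server.dst_ip, at_server.dst_port, at_server.src_ip, at_server.src_port, "Reply")
    wire_reply = office.outbound(reply)          # source restored to office public IP:1723
    hops.append(view("office router -> internet", wire_reply))
    at_laptop = home.inbound(wire_reply)         # home router finds the open "door" in its NAT table
    hops.append(view("home router -> laptop", at_laptop))
    return hops


if __name__ == "__main__":
    home = NatRouter("192.168.1.0/24", "203.0.113.10")
    office = NatRouter("192.168.50.0/24", "198.51.100.20", {PPTP_PORT: "192.168.50.5"})
    for hop in pptp_round_trip(home, office, "192.168.1.20"):
        print(hop)
    print("subnets overlap:", subnets_overlap("192.168.1.0/24", "192.168.50.0/24"))
```

Running it with the office router's forwarding rule removed ends the trace at "DROPPED", which is the "simply be dropped unless you have set up rules" case from the answer; running it with both LANs on 192.168.1.0/24 makes `subnets_overlap` return True, which is why the two ends of a tunnel need different subnets.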