A conventional virtual private network (VPN) client simply cannot survive motion. The tunnel breaks, application sessions disconnect or time out, and the user must restart the business communication from scratch. Mobile VPN solutions are designed to adapt to these changes, because mobile VPN tunnels are not tied to physical IP addresses. Instead, each tunnel is bound to a logical IP address. In this section of the VPN tutorial, learn more about mobile VPN solutions and their benefits or skip to other sections in the VPN tutorial using the table of contents below.
Table of contents
- VPN tutorial: Understand the basics of IPsec and SSL VPNs
- VPN types: Protocols and network topologies of IPsec VPNs
- The benefits and different types of SSL VPNs
- Mobile VPN solutions and benefits
- Which VPN should your business network implement?
An introduction to mobile VPNs
Point-to-Point Tunneling Protocol (PPTP), IPsec and SSL VPNs identify the device at the far end of the tunnel by IP address. This works well for users who tunnel from stationary devices: a home PC over residential broadband, a laptop over a hotel LAN, or even a PDA at a Wi-Fi hot spot. But put that device in motion, and physical connectivity, point of network attachment and IP address are all likely to change. A conventional VPN client simply cannot survive such changes. The tunnel breaks, application sessions disconnect or time out, and the user must restart the business communication from scratch.
Mobile VPN solutions from such vendors as Columbitech, Ecutel, IBM, ipUnplugged, Motorola, NetMotion, Nokia, Padcom and Radio IP are designed to adapt transparently to these changes. In a mobile VPN, a VPN server still sits at the edge of your company network, enabling secure tunneled access by authenticated, authorized VPN clients. Mobile VPN tunnels are not tied to physical IP addresses, however. Instead, each tunnel is bound to a logical IP address. That logical IP address sticks to the mobile device no matter where it may roam. For example, a mobile VPN client can accomplish the following:
- Roam from one wireless AP to another at a public Wi-Fi hot spot.
- Leave Wi-Fi coverage and start using a 3G connection (e.g., EV-DO).
- Leave 3G coverage and start using a slower 2G connection (e.g., 1xRTT).
- Return to the office and start using a docked Ethernet LAN connection.
In this example, the mobile VPN client uses four or five different physical IP addresses while retaining one logical IP address. Applications running on the mobile device and inside the corporate network communicate through that one logical IP address, remaining blissfully unaware of the user's motion and associated physical/network transitions.
Readers with large wireless LANs may already be familiar with access point (AP) roaming issues. In fact, many WLAN switches use fast handoff and subnet roaming to reduce latency and avoid re-authentication by Wi-Fi clients inside a private WLAN. Unfortunately, those solutions can't help mobile users who need to roam between entirely separate networks that are owned and operated by third parties.
Further still, subnet roaming is just one of many difficult challenges that face mobile users. Many mobile VPNs take steps to smooth over additional hurdles:
- A roaming Wi-Fi client may lose connectivity for tens to hundreds of milliseconds during an AP-to-AP handoff. But a mobile user can easily lose connectivity for minutes, hours or even days while passing through a no-coverage zone.
- Wi-Fi clients roaming within a given ESSID encounter consistent security throughout the WLAN. But a mobile user roaming from a public Wi-Fi hot spot to a carrier 3G network to a secure enterprise WLAN will be required to complete three separate network logins -- and repeated application logins as well.
- Wi-Fi clients can use the 802.11 power-save option to doze briefly and save battery without losing their AP associations. But a PDA or smartphone that sleeps to save battery when not in use has no standard mechanism to keep application sessions alive until full power is resumed.
- Wi-Fi clients automatically choose the best AP, based on observable metrics such as signal strength and error rate. But a mobile device with more than one type of network connection may also need to consider such factors as cost, security and corporate preferences.
- Wi-Fi standards enable dynamic rate shifting; administrators can establish minimum acceptable rates. By comparison, mobile devices tend to encounter a much broader range of network characteristics that can be difficult to predict, let alone control.
Today's mobile VPN products tackle all of these challenges to some degree. In particular, mobile VPNs deliver network and application persistence. When a mobile VPN client roams subnets, swaps adapters, falls asleep, or enters a coverage gap, the VPN server stands in for the client. That server maintains the client's network state to avoid domain and application re-authentication. It may respond to API calls to prevent application blocking or to hold messages sent to the client. When reachability returns, mobile users can simply resume working exactly where they left off -- subject to the interaction constraints imposed by each application.
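As an added illustration (not code from this article or from any vendor it names), the Python model below shows the mechanism behind the roaming sequence listed earlier and the persistence described in the last paragraph: the server keys tunnel state by logical IP, accepts a change of physical address only when the update is authenticated with the tunnel's session key and carries a fresh sequence number, and holds traffic for a client that is asleep or out of coverage until it reappears. The logical IP, session key and physical addresses are constructed values, and the session key is assumed to have been agreed at login.

```python
import hmac
import hashlib
from collections import deque

class MobileVpnServer:
    """Toy model of a mobile VPN server: tunnel state is keyed by logical IP."""
    def __init__(self):
        self.tunnels = {}  # logical_ip -> {"key", "endpoint", "seq", "held"}
    def open_tunnel(self, logical_ip, key, endpoint):
        # Called after login; the shared session key is an assumption of this model.
        self.tunnels[logical_ip] = {"key": key, "endpoint": endpoint, "seq": 0, "held": deque()}
    @staticmethod
    def roam_tag(key, logical_ip, endpoint, seq):
        # Client MACs (logical IP, new physical endpoint, sequence) so the server never
        # rebinds a tunnel on the say-so of an unauthenticated packet from a new address.
        return hmac.new(key, f"{logical_ip}|{endpoint}|{seq}".encode(), hashlib.sha256).digest()
    def roam(self, logical_ip, endpoint, seq, tag):
        # Rebind to a new physical address and flush held traffic there.
        # Returns None for a forged or replayed update, leaving the tunnel untouched.
        t = self.tunnels.get(logical_ip)
        if t is None or seq <= t["seq"]:
            return None
        if not hmac.compare_digest(self.roam_tag(t["key"], logical_ip, endpoint, seq), tag):
            return None
        t["endpoint"], t["seq"] = endpoint, seq
        flushed = [(endpoint, p) for p in t["held"]]
        t["held"].clear()
        return flushed
    def mark_unreachable(self, logical_ip):
        self.tunnels[logical_ip]["endpoint"] = None  # sleep or coverage gap: keep state
    def send_to_client(self, logical_ip, payload):
        # Forward now if reachable; otherwise hold the message until the client returns.
        t = self.tunnels[logical_ip]
        if t["endpoint"] is None:
            t["held"].append(payload)
            return None
        return (t["endpoint"], payload)

def walk_through(logical_ip="10.200.0.7", key=b"constructed-session-key"):
    # Constructed scenario: hot-spot AP roam, then 3G, then 2G, a coverage gap, then Ethernet.
    hops = ["192.0.2.10", "192.0.2.11", "198.51.100.5", "198.51.100.9", "203.0.113.2"]
    srv = MobileVpnServer()
    srv.open_tunnel(logical_ip, key, hops[0])
    for seq, ep in enumerate(hops[1:4], start=1):
        srv.roam(logical_ip, ep, seq, srv.roam_tag(key, logical_ip, ep, seq))
    srv.mark_unreachable(logical_ip)
    queued = srv.send_to_client(logical_ip, b"msg sent during coverage gap")
    flushed = srv.roam(logical_ip, hops[4], 4, srv.roam_tag(key, logical_ip, hops[4], 4))
    return srv.tunnels[logical_ip]["endpoint"], queued, flushed
```

Applications on both sides keep talking to 10.200.0.7 throughout; only the server's endpoint entry changes, and a roam message that is replayed or not keyed to the session leaves the tunnel where it was.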
This was excerpted from Mobile VPN: Closing the gap, by Lisa Phifer.