Поделиться через


How SSTP based VPN connection works

In this blog, I will explain how SSTP based VPN tunnel works - i.e. the data flow during VPN connection coming up and how data transfer occurs.

The flow to get VPN connection up looks like:

1) Client gets Internet connectivity and then establishes TCP connectivity to server over port 443. Let us say the IP address of client is 100.100.100.1 and server is 200.200.200.1.

2) Then on top of this TCP session, SSL negotiation takes place. Client gets the server certificate during SSL authentication phase and it validates the server certificate. If it is not valid, the connection is broken down. No client (or user) authentication happened on the server side at the SSL stage.

3) Client then sends HTTPS request on top of the encrypted SSL session to the server.

4) Client then sends SSTP control packets on top of the HTTPS session. Once SSTP state machine is up on either side, lower-link up indication is given to PPP layer on each ends.

5) PPP negotiation (on top of SSTP over HTTPS) takes place at both ends. As part of PPP authentication phase, client is authenticated to server and optionally (depending upon the authentication algorithm) server is authenticated to client. 

6) Once PPP completes, it attaches as IP interface on both client and server side. Let us say the "inner IP" or the IP address given by VPN server to the client is 192.168.1.2 and the IP address of VPN interface on VPN server is 192.168.1.1

7) Now both ends are ready to send IP packets to each other.

Now let us try to understand how data path works: Lets say user does ping to VPN server IP address i.e. 192.168.1.1 in this example

1) Ping (i.e. ICMP echo request) packet will go over IP (with source IP as 192.168.1.2 and destination IP as 192.168.1.1) over PPP over SSTP.

2) SSTP sends to SSL layer which does the encryption and sends over TCP over IP (with source IP as 100.100.100.1 and destination IP as 200.200.200.1) over Internet interface.

Hope this helps for you to understand SSTP based VPN tunnel in detail and how it differs from PPTP and L2TP. The main thing to note is: PPP and above remains same on the protocol stack and SSTP adds a layer to encapsulate PPP packets over HTTPS session.

Samir Jain
Lead Program Manager
RRAS, Windows Enterprise Networking

[This posting is provided "AS IS" with no warranties, and confers no rights.]

Comments

  • Anonymous
    January 01, 2003
    Hi Everyone: Our third and final planned beta is upon us and I am proud to announce that Forefront TMG

  • Anonymous
    January 01, 2003
    Microsoft is working on a remote access tunneling protocol for Vista and Longhorn Server that lets client

  • Anonymous
    January 01, 2003
    In this FAQ, I will cover client specific queries of SSTP 1) How to enable SSTP based VPN connection

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    Happy New Year to everyone! There is some exciting news being announced on the RRAS blog around a new

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 20, 2007
    The comment has been removed

  • Anonymous
    January 24, 2007
    Please, please, please strongly consider submitting this to be formally standardized.  We don't need another PPTP, L2TP, or Yet Another Proprietary SSL VPN.  IPsec stinks, but at least it's a standard and there is at least a chance for interoperability.