How SSTP based VPN connection works
In this blog post, I will explain how an SSTP-based VPN tunnel works, i.e. the data flow while the VPN connection comes up and how data transfer occurs once it is up.
The flow to bring the VPN connection up looks like this:
1) The client gets Internet connectivity and then establishes a TCP connection to the server on port 443. Let us say the IP address of the client is 100.100.100.1 and that of the server is 200.200.200.1.
2) Then, on top of this TCP session, the SSL negotiation takes place. The client receives the server certificate during the SSL authentication phase and validates it. If the certificate is not valid, the connection is torn down. No client (or user) authentication happens on the server side at the SSL stage.
3) The client then sends an HTTPS request over the encrypted SSL session to the server.
4) The client then sends SSTP control packets on top of the HTTPS session. Once the SSTP state machine is up on both sides, a lower-link-up indication is given to the PPP layer on each end.
5) PPP negotiation (on top of SSTP over HTTPS) takes place between the two ends. As part of the PPP authentication phase, the client is authenticated to the server and, optionally (depending on the authentication protocol), the server is authenticated to the client.
6) Once PPP completes, it attaches as an IP interface on both the client and the server side. Let us say the "inner IP", i.e. the IP address given by the VPN server to the client, is 192.168.1.2 and the IP address of the VPN interface on the VPN server is 192.168.1.1.
7) Now both ends are ready to send IP packets to each other.
Now let us try to understand how the data path works. Let's say the user pings the VPN server's IP address, i.e. 192.168.1.1 in this example:
1) The ping (i.e. ICMP echo request) packet goes over IP (with source IP 192.168.1.2 and destination IP 192.168.1.1) over PPP over SSTP.
2) SSTP hands it to the SSL layer, which encrypts it and sends it over TCP over IP (with source IP 100.100.100.1 and destination IP 200.200.200.1) out the Internet interface.
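To make the layering in the two steps above concrete, here is an added example (not code from the original post or from the Windows RRAS implementation) that builds the ping packet layer by layer on the client side and then peels it apart the way the server side would after SSL decryption. It uses the addresses from the post as constructed sample values. The SSTP data packet header layout (version byte 0x10, a C bit that is 0 for data packets, and a 12-bit length that includes the 4-byte header) follows the MS-SSTP specification; the assumption that the PPP frame carried inside SSTP starts directly with the 2-byte protocol field (0x0021 for IPv4), without HDLC address/control bytes, is mine. The outer TLS/TCP/IP layer from 100.100.100.1 to 200.200.200.1:443 is described in comments but not built, since it needs a live SSL session.

```python
import struct
from ipaddress import IPv4Address

# Addresses from the post's example (constructed sample values, not real hosts).
INNER_SRC = "192.168.1.2"    # "inner IP" the VPN server assigned to the client
INNER_DST = "192.168.1.1"    # VPN interface on the VPN server
OUTER_SRC = "100.100.100.1"  # client's Internet-facing address
OUTER_DST = "200.200.200.1"  # VPN server's public address, reached on TCP port 443

PPP_PROTO_IPV4 = 0x0021      # PPP protocol number for IPv4 datagrams
IP_PROTO_ICMP = 1
SSTP_VERSION = 0x10          # MS-SSTP version 1.0
SSTP_HDR_LEN = 4


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by both IPv4 and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo request (type 8, code 0) with the checksum filled in."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return struct.pack("!BBHHH", 8, 0, checksum(hdr + payload), ident, seq) + payload


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options), TTL 64, header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def ppp_encapsulate(proto: int, payload: bytes) -> bytes:
    """PPP frame as carried inside SSTP: 2-byte protocol field, then the datagram.
    Assumption: no HDLC address/control bytes (0xFF 0x03) precede the protocol field."""
    return struct.pack("!H", proto) + payload


def sstp_data_packet(ppp_frame: bytes) -> bytes:
    """MS-SSTP data packet header: Version (1 byte, 0x10), Reserved (7 bits) + C bit
    (0 = data packet carrying PPP), LengthPacket (2 bytes: 4 reserved bits followed
    by a 12-bit total length that includes this 4-byte header)."""
    total = SSTP_HDR_LEN + len(ppp_frame)
    if total >= 1 << 12:
        raise ValueError("PPP frame too large for a single SSTP data packet")
    return struct.pack("!BBH", SSTP_VERSION, 0x00, total) + ppp_frame


def build_ping_over_sstp(payload: bytes = b"abcdefgh") -> dict:
    """Client side: ICMP -> IP (192.168.1.2 -> 192.168.1.1) -> PPP -> SSTP.
    The returned 'sstp' bytes are what the SSL layer encrypts and hands to TCP,
    which carries them from 100.100.100.1 to 200.200.200.1:443 over the Internet
    interface (that outer TLS/TCP/IP layer is not built here)."""
    icmp = build_icmp_echo(ident=0x1234, seq=1, payload=payload)
    ip = build_ipv4(INNER_SRC, INNER_DST, IP_PROTO_ICMP, icmp)
    ppp = ppp_encapsulate(PPP_PROTO_IPV4, ip)
    sstp = sstp_data_packet(ppp)
    return {"icmp": icmp, "ip": ip, "ppp": ppp, "sstp": sstp}


def decapsulate_sstp(pkt: bytes) -> dict:
    """Server side after SSL decryption: peel SSTP, then PPP, then read the inner
    IPv4 header. Every length and checksum is checked before it is trusted, and a
    ValueError is raised on malformed input rather than passing it up the stack."""
    if len(pkt) < SSTP_HDR_LEN:
        raise ValueError("truncated SSTP header")
    version, flags, length_field = struct.unpack("!BBH", pkt[:SSTP_HDR_LEN])
    if version != SSTP_VERSION:
        raise ValueError("unexpected SSTP version 0x%02x" % version)
    if flags & 0x01:
        raise ValueError("control packet, not a data packet")
    length = length_field & 0x0FFF
    if length != len(pkt):
        raise ValueError("SSTP length field %d != %d bytes received" % (length, len(pkt)))
    ppp = pkt[SSTP_HDR_LEN:]
    if len(ppp) < 2 + 20:
        raise ValueError("PPP payload too short for an IPv4 header")
    (ppp_proto,) = struct.unpack("!H", ppp[:2])
    if ppp_proto != PPP_PROTO_IPV4:
        raise ValueError("PPP protocol 0x%04x is not IPv4" % ppp_proto)
    ip = ppp[2:]
    ihl = (ip[0] & 0x0F) * 4
    if len(ip) <= ihl or checksum(ip[:ihl]) != 0:
        raise ValueError("bad inner IPv4 header")
    return {
        "src": str(IPv4Address(ip[12:16])),
        "dst": str(IPv4Address(ip[16:20])),
        "proto": ip[9],
        "icmp_type": ip[ihl],
        "sstp_len": length,
    }


if __name__ == "__main__":
    layers = build_ping_over_sstp()
    for name in ("icmp", "ip", "ppp", "sstp"):
        print("%-5s %3d bytes  %s" % (name, len(layers[name]), layers[name][:8].hex()))
    print(decapsulate_sstp(layers["sstp"]))
```

Running it shows each layer growing by exactly its header (8-byte ICMP header, 20-byte IP header, 2-byte PPP protocol field, 4-byte SSTP header), and the decapsulation recovering the inner 192.168.1.2 -> 192.168.1.1 addresses, which the outer TCP/IP layer never sees.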
I hope this helps you understand the SSTP-based VPN tunnel in detail and how it differs from PPTP and L2TP. The main thing to note is: PPP and everything above it remain the same in the protocol stack; SSTP adds a layer that encapsulates the PPP packets over an HTTPS session.
Samir Jain
Lead Program Manager
RRAS, Windows Enterprise Networking
[This posting is provided "AS IS" with no warranties, and confers no rights.]
Comments
Anonymous
January 01, 2003
Hi Everyone: Our third and final planned beta is upon us and I am proud to announce that Forefront TMG
Anonymous
January 01, 2003
Microsoft is working on a remote access tunneling protocol for Vista and Longhorn Server that lets client
Anonymous
January 01, 2003
In this FAQ, I will cover client specific queries of SSTP 1) How to enable SSTP based VPN connection
Anonymous
January 01, 2003
The comment has been removed
Anonymous
January 01, 2003
Happy New Year to everyone! There is some exciting news being announced on the RRAS blog around a new
Anonymous
January 01, 2003
The comment has been removed
Anonymous
January 20, 2007
The comment has been removed
Anonymous
January 24, 2007
Please, please, please strongly consider submitting this to be formally standardized. We don't need another PPTP, L2TP, or Yet Another Proprietary SSL VPN. IPsec stinks, but at least it's a standard and there is at least a chance for interoperability.