
Comparative Analysis of Site-to-Site Layer 2 Virtual Private Networks

Si Thu Aung, University of Computer Studies, Yangon
Thandar Thein, University of Computer Studies (Maubin)

Abstract

Nowadays, many companies have branch offices and connect those offices to the main office over the Internet using a site-to-site Virtual Private Network (VPN) connection. Most of these connections have traditionally operated at Layer 3 of the OSI network model. In recent years there has been a growing requirement to extend links at Layer 2, which allows broadcast traffic to be forwarded between sites. Depending on the inter-site connection medium, different technologies are used. This paper compares and analyses site-to-site Layer 2 VPN technologies, namely the Layer 2 Tunneling Protocol (L2TP), the Point-to-Point Tunneling Protocol (PPTP), OpenVPN, Ethernet over IP (EoIP) and MPLS/VPLS, to help choose the right VPN for an organization. This is done by means of performance measurement and packet analysis. In order to provide fair, comparable results, all technologies are tested in the same manner.

Keywords: PPTP, L2TP, OpenVPN, EoIP, VPLS, Virtual Private Network

I. INTRODUCTION

While VPNs were originally intended for individual users, demand is also growing in business. Organizations now use VPNs to secure their office networks, business PCs and Internet connections, while others use VPNs to remotely access network resources that are not geographically near them. Over the last few years VPNs have become one of the best-known and indispensable tools for every privacy-conscious consumer. Globally, the Internet handles around 71,131 GB of traffic per second, including 2,790,265 emails and 73,849 Google searches every second [1]. All of a company's communications, and its employees' searches for business-related information, contribute to those numbers. Furthermore, a breach or leak of business data transmitted over the Internet can cost millions. This raises alarms because, according to a Ponemon Institute survey [2], 67% of SMBs admitted to being attacked in 2018.

Large businesses with massive investment may be in a better position to deploy a range of IT security solutions; small businesses need to be more vigilant. The most effective way to prevent data from reaching the wrong hands is to use a VPN service that encrypts and authenticates the traffic crossing the Internet. Businesses may also find other reasons for using a VPN. To fill this gap, there are many kinds of VPN technology, such as IPSec, GRE and SSL (GRE being a plain tunnel that offers no protection of its own unless combined with IPSec). Most of them are Layer 3 VPNs, and these fulfil most business requirements. With a Layer 3 VPN, exchanging email and accessing internal servers is easy and secure. However, some LAN software cannot be used between two sites that are connected only by a Layer 3 VPN, for example printer sharing, some database protocols, CRMs and other applications developed on the assumption that they run on a single LAN. If people want to use such LAN applications, a single Ethernet segment needs to be constructed.

Imagine three remote sites, Yangon, Mandalay and MauBin, each with an Ethernet switch. Connecting Ethernet cables between them is a big challenge: laying cable between offices in different cities is both expensive and time-consuming. The Internet cannot simply take the place of that Ethernet, because even if both sites are connected to the Internet they do not form a single Ethernet segment. A Layer 2 site-to-site VPN tunnels across the Internet and establishes a VPN session between the remote sites with full capability to transmit any Ethernet frame. A Layer 2 VPN has complete protocol transparency, identical to a physical Ethernet segment: IPv4 (TCP, UDP, ICMP, ESP, GRE), IPv6, PPPoE, RIP, STP and other protocols can all be carried, so any legacy or current protocol can be used within the Layer 2 VPN session. Although provider-provisioned Layer 2 VPN solutions such as MPLS/VPLS can be purchased from ISPs, most of these services are billed monthly and the price is not cost-effective.
Besides these restrictions, a different IP subnet has to be built at each site. A site's IP subnet cannot overlap with those of the other sites, so a number of subnets have to be managed to keep them from colliding. Adopting a Layer 3 VPN for a site-to-site link therefore requires extra effort to satisfy the demands of the LAN-bound applications described above. Using a Layer 2 VPN for the site-to-site link, on the other hand, is very straightforward and reduces the effort needed to cope with several troublesome errors that can occur when Layer 3 VPNs are used. Designing and architecting networks with Layer 2 VPNs can be as simple as designing a traditional Ethernet network in hub-and-spoke topology: VPN sessions between sites take the place of physical Ethernet cables.

All kinds of server and client-to-client applications will work well, with no difference between hosts inside the same site and hosts at a distant site. This is the main reason for carrying out a performance comparison of Layer 2 VPNs. Note that bridging sites in this way also extends the broadcast domain, and with it any Layer 2 fault or attack such as a broadcast storm or ARP spoofing, across the WAN link; a practitioner should weigh that against the convenience.

In this paper, the impact of Layer 2 VPNs and a performance analysis of five different VPNs, namely PPTP, L2TP and OpenVPN (each with BCP), EoIP and MPLS/VPLS, are discussed and presented. However, this paper does not give an explicit recommendation on which technology is to be preferred. The rest of this paper is organized as follows: Section II presents related work, Section III explains the characteristics of VPNs, and Section IV describes the testbed setup. The experimental results are discussed in Section V and conclusions are drawn in Section VI.

II. RELATED WORK

Singh and Gupta [3] proposed multi-phase encryption and payload encryption, applied to the data inside the IP packet of the encapsulated tunnel packet. They discussed the traditional security measures of VPNs and a new approach to VPN security using a multi-phase encryption technique. Kotuliak, Rybár and Trúchly [4] analyzed OpenVPN and IPSec-based VPNs, comparing the technologies on parameters such as the throughput and response time of each protocol. They chose OpenVPN for its simplicity and its fast, straightforward implementation.

Chawla et al. [5] explained the architecture and protocols of IPSec and SSL VPN technologies, including their advantages and disadvantages for real applications. Qin et al. [6] studied IPSec and SSL VPNs in detail; scope of application, security, scalability and other aspects are analyzed and compared, and advantages and shortcomings are summarized. Zhang Zhipeng et al. [7] presented three common types of VPN and a comparative study of their features, performance, security and cost-efficiency.

None of the related works compares the performance of Layer 2 VPNs. In this paper, we concentrate on the performance of Layer 2 VPNs.

III. CHARACTERISTICS AND MODELS OF VPNs

A plethora of methods is used to model and characterize VPNs. The purpose of this section is to introduce and explain each of these models and characterizations.

A. Service Provider and Customer Provisioned VPNs

VPNs that are configured and managed by a service provider are service provider provisioned VPNs. VPNs that are configured and managed by the customer itself are called customer provisioned VPNs. Examples of both kinds are shown in Table 1.

TABLE 1. Service Provider and Customer Provisioned VPNs

Provider Provisioned            | Customer Provisioned
VPWS, VPLS, IPLS                | PPTP, L2TP, OpenVPN
BGP/MPLS, IPSec, GRE, IP-in-IP  | IPSec, GRE, EoIP

B. Site-to-Site and Remote Access VPNs

Whether provider or customer provisioned, VPNs fall into one of two broad categories: site-to-site or remote access. Site-to-site VPNs allow connectivity between an organization's geographically dispersed sites (such as a head office and branch offices). Fig. 1 illustrates a typical site-to-site VPN. Remote access VPNs allow mobile or home-based users to access an organization's resources remotely. Fig. 2 illustrates typical remote access VPNs.

C. Protocol Background

This section presents the protocols used in the Layer 2 VPN technologies under test.

1) PPTP: The Point-to-Point Tunneling Protocol (PPTP) is one of the oldest VPN protocols. PPTP uses TCP port 1723 for its control connection over the Internet (the tunnelled data travels in GRE, IP protocol 47). The data packets transmitted through the tunnel are
encapsulated. It is suitable for applications where speed is important, such as streaming and gaming. PPTP's own protection, MPPE encryption keyed from MS-CHAPv2 authentication (Table 6), is widely regarded as cryptographically weak, and PPTP is deprecated for new deployments.

Figure 1. Typical site-to-site VPN

Figure 2. Remote Access VPNs

2) L2TP with IPSec: L2TP stands for Layer 2 Tunneling Protocol and provides no encryption on its own; it is usually paired with IPSec (Internet Protocol Security) for authentication and encryption. Data transmitted through L2TP/IPSec is typically authenticated twice: IPSec authenticates the peer and every packet, and the PPP session inside the tunnel authenticates the user. Each data packet transmitted through the tunnel carries L2TP headers. One of the many reasons L2TP is so common is that no vulnerabilities are known in the protocol itself; its confidentiality, however, comes entirely from IPSec, as the packet analysis in Section V shows for the unencrypted variant.

3) OpenVPN: OpenVPN is often referred to as an SSL-based VPN because it uses the SSL/TLS protocol for secure communication. The control channel is encrypted and protected using SSL/TLS, while the data channel is encrypted with OpenVPN's own packet format using keys negotiated over that control channel. OpenVPN's default transport and port are UDP and port 1194.

4) PPP Bridging Control Protocol: BCP allows Ethernet frames to be bridged through a PPP link. Once established, BCP is an integral part of the PPP tunnel. The Bridging Control Protocol (BCP) is responsible for configuring, activating and disabling the bridge protocol modules at both ends of the point-to-point link. On their own, PPTP, L2TP and OpenVPN carry only Layer 3 and above; with BCP support they can work at Layer 2.

5) EoIP with IPSec: GRE (IP protocol 47) allows a tunnel to be created by encapsulating Ethernet frames in IP packets and forwarding them to another router. Ethernet over IP (EoIP) establishes such an Ethernet tunnel on top of an IP connection between two routers. All Ethernet traffic is bridged, just as if there were a physical interface. EoIP itself provides neither confidentiality nor authentication; the "EoIP with IPSec" variant wraps the tunnel packets in IPSec.

6) MPLS VPLS: Virtual Private LAN Service (VPLS) offers multipoint Ethernet-based connectivity over IP or MPLS networks. It enables geographically dispersed sites to share an Ethernet broadcast domain by linking the sites through pseudowires. It is often used for extending LAN services over a network provided by a service provider.

IV. TESTBED SETUP AND PERFORMANCE PARAMETERS

This section describes how the testbed is set up to measure performance and to analyze security.

A. Testbed Setup

There are two laptop computers and three desktop computers in this setup. The WAN Emulator [8] runs on one desktop computer. RouterOS [9] runs on the other two desktop computers, which create the tunnel between them. The two laptops run iPerf to test throughput: the iPerf client sends 100 MB of data to the iPerf server, and the output is saved to a CSV file. The testbed is shown in Fig. 3, and its hardware and software specifications are listed in Table 2.

Figure 3. Testbed setup (laptop 192.168.4.3/24 - R1 - WAN Emulator - R2 - laptop 192.168.4.2/24; router WAN addresses 12.0.0.1/24 and 34.0.0.4/24)
TABLE 2. Hardware and Software Specification

Type             | Description
Laptop x 2       | Intel(R) Core(TM) i5-7200 CPU @ 2.50GHz (4 CPUs), ~2.7GHz, 8GB memory
Desktop x 3      | Intel(R) Core(TM) i3-2100 CPU @ 3.10GHz (4 CPUs)
WANem            | Wide Area Network Emulator v3.0 Beta 2
VirtualBox [10]  | Oracle VirtualBox 6.0 hypervisor software
RouterOS         | RouterOS 6.46.1 (Stable) release

In this paper, WANem is used to emulate the WAN and to set QoS parameters such as packet loss, jitter and delay. Packet loss has a direct impact on the stability of the VPN; it occurs when the network is congested.

TABLE 3. QoS Parameters

Parameters       | Value
Bandwidth Limit  | 50 Mbps
Delay            | 20 ms, 40 ms, 60 ms
Jitter           | 2 ms
Packet Loss      | 0.1%

Delay is the time a packet takes to travel from its source to its destination. Jitter is the variation of delay across a network; it is measured in milliseconds and has a great impact on live-streaming applications such as video and VoIP. To resemble a real network, the QoS values are defined as shown in Table 3.

B. Measurement Tools

Assessing the performance of a Layer 2 VPN requires several measurement tools for generating, measuring and monitoring network traffic. The tools used in this work are Wireshark [11] and iPerf3 [12]. Wireshark is a network protocol analyzer with a rich feature set for capturing and analyzing network traffic. iPerf3 is a network testing tool for active measurement of the maximum achievable bandwidth on IP networks.

V. EXPERIMENTAL RESULTS AND DISCUSSION

Experimental results are based on the different parameters for the different VPN technologies. This section shows the performance of seven configurations of Layer 2 VPN (the five technologies, with L2TP and EoIP each tested with and without IPSec) in terms of throughput and protocol analysis.

A. Throughput

Throughput is measured in bits per second. The results show that throughput varies depending on protocol nature and encryption method. For the throughput measurement, iPerf3 is used to exchange traffic between the two laptops. For every VPN technology the same amount of traffic (100 MB) is exchanged, and each test is run three times with three different delays: 20 milliseconds (ms), 40 ms and 60 ms. The results are documented in Table 4, and Fig. 4 shows the throughput comparison.

Figure 4. Throughput comparison

TABLE 4. Throughput Comparison with Different Delays

VPN             | Delay 20 ms | Delay 40 ms | Delay 60 ms
PPTP-BCP        | 45.1 Mbps   | 31.4 Mbps   | 22.2 Mbps
L2TP-BCP        | 45.2 Mbps   | 31.4 Mbps   | 22.6 Mbps
L2TP-BCP-IPSec  | 44 Mbps     | 30.8 Mbps   | 22.7 Mbps
OpenVPN         | 9.6 Mbps    | 4.16 Mbps   | 2.6 Mbps
EoIP            | 46 Mbps     | 30.4 Mbps   | 21.2 Mbps
EoIP_IPSec      | 45.1 Mbps   | 31.8 Mbps   | 23.1 Mbps
MPLS VPLS       | 48.1 Mbps   | 29.4 Mbps   | 21.3 Mbps

TABLE 5. Throughput and Loss Comparison between Non-VPN Traffic and VPN Traffic at 20 ms delay

VPN             | Non-VPN Throughput | VPN Throughput | Throughput Loss (%)
PPTP-BCP        | 50 Mbps            | 45.1 Mbps      | 9.8%
L2TP-BCP        | 50 Mbps            | 45.2 Mbps      | 9.6%
L2TP-BCP-IPSec  | 50 Mbps            | 44 Mbps        | 12.0%
OpenVPN         | 50 Mbps            | 9.6 Mbps       | 80.8%
EoIP            | 50 Mbps            | 46 Mbps        | 8.0%
EoIP_IPSec      | 50 Mbps            | 45.1 Mbps      | 9.8%
MPLS VPLS       | 50 Mbps            | 48.1 Mbps      | 3.8%

The loss percentage in Table 5 is the drop in throughput relative to the 50 Mbps non-VPN baseline, that is (50 - VPN throughput) / 50; it is not a packet-loss rate, which the emulator held at 0.1% (Table 3) for every run.
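The reduction from iPerf runs to the figures in Tables 4 and 5 can be scripted. The following Python is an added example and is not part of the paper: it assumes each run was captured with `iperf3 -c <server> -n 100M --json` rather than the CSV output the authors used, reads the receiver-side `end.sum_received.bits_per_second` field that iperf3 emits for a TCP test, and computes the throughput loss against the 50 Mbps non-VPN baseline of Table 5. The JSON fragments are constructed to match four cells of Table 4; nothing in them was measured.

```python
"""Reduce iperf3 --json results into the throughput and loss figures of Tables 4 and 5.

Added example, not from the paper. Assumes one JSON document per
(VPN, delay) run produced by `iperf3 -c <server> -n 100M --json`; the
documents below are constructed fragments with the shape iperf3 emits.
"""
import json
from collections import defaultdict

BASELINE_MBPS = 50.0  # WANem bandwidth limit (Table 3), measured with no tunnel

# Constructed iperf3-style results keyed by (vpn, delay_ms); values match Table 4 cells.
SAMPLE_RUNS = {
    ("L2TP-BCP-IPSec", 20): '{"end": {"sum_received": {"bits_per_second": 44000000.0}}}',
    ("L2TP-BCP-IPSec", 40): '{"end": {"sum_received": {"bits_per_second": 30800000.0}}}',
    ("OpenVPN", 20): '{"end": {"sum_received": {"bits_per_second": 9600000.0}}}',
    ("OpenVPN", 40): '{"end": {"sum_received": {"bits_per_second": 4160000.0}}}',
}


def throughput_mbps(iperf_json: str) -> float:
    """Receiver-side throughput in Mbit/s from one iperf3 --json document."""
    end = json.loads(iperf_json)["end"]
    # TCP runs report sum_received; UDP runs report a single "sum" block instead.
    block = end.get("sum_received") or end["sum"]
    return block["bits_per_second"] / 1e6


def loss_percent(vpn_mbps: float, baseline_mbps: float = BASELINE_MBPS) -> float:
    """Throughput lost to the tunnel relative to the untunnelled baseline (Table 5)."""
    if baseline_mbps <= 0:
        raise ValueError("baseline must be positive")
    return round((baseline_mbps - vpn_mbps) / baseline_mbps * 100.0, 1)


def summarise(runs: dict) -> dict:
    """Return {vpn: {delay_ms: (throughput_mbps, loss_percent)}} for a set of runs."""
    table = defaultdict(dict)
    for (vpn, delay), blob in runs.items():
        mbps = throughput_mbps(blob)
        table[vpn][delay] = (round(mbps, 2), loss_percent(mbps))
    return dict(table)


if __name__ == "__main__":
    for vpn, by_delay in summarise(SAMPLE_RUNS).items():
        for delay in sorted(by_delay):
            mbps, loss = by_delay[delay]
            print(f"{vpn:16s} {delay:3d} ms  {mbps:6.2f} Mbps  throughput loss {loss:5.1f}%")
```

Pointing `summarise` at a directory of real `*.json` files instead of `SAMPLE_RUNS` reproduces Table 5 for every VPN; the baseline should come from a run of the same iperf3 command through the emulator with no tunnel configured, so that the loss figure isolates the tunnel's own cost.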
All VPN tunnels degrade performance because of the encapsulation overhead and the encryption they add. The throughput loss reflects the trade-off between network performance and security: generally, a more secure tunnel may result in poorer throughput, while a less secure tunnel may have better throughput. Table 5 shows the throughput lost when traversing each tunnel. OpenVPN stands out, losing about 80% even at 20 ms delay. Beyond TLS processing in user space, a likely contributor is that RouterOS 6.x implements OpenVPN over TCP only, so the iPerf TCP stream is carried inside a second TCP connection and both react to the emulated delay and 0.1% loss.

B. Packet Analysis

Wireshark captures and analyzes the traffic on the WAN link while the two computers ping each other inside each Layer 2 VPN tunnel.

1) PPTP with BCP: Fig. 5 shows the packet analysis for PPTP with BCP. It can be seen clearly that the two computers are pinging each other, since the PPTP tunnel under test carries no encryption.

Figure 5. PPTP with BCP

2) L2TP with BCP: When analyzing the packets transmitted through the L2TP with BCP tunnel, the protocols in use, along with the source and destination addresses, can be sniffed.

Figure 6. L2TP with BCP

3) L2TP with IPSec with BCP: When the same L2TP with BCP tunnel is encrypted with IPSec, only the encapsulated payload can be seen; the inner protocols and addresses are not visible.

4) OpenVPN: Due to its encryption, packets transmitted through OpenVPN display only the OpenVPN protocol with no other additional information.

Figure 8. OpenVPN

5) EoIP: Like the unencrypted L2TP and PPTP tunnels, EoIP also exposes the protocol and the source and destination addresses to a packet sniffer.

Figure 9. EoIP

6) EoIP with IPSec: EoIP with IPSec no longer reveals which protocols and which source and destination addresses are in use, provided it is properly encrypted by IPSec.

7) MPLS VPLS: When the packets transmitted over MPLS VPLS are examined, the protocols in use can be sniffed along with the source and destination addresses. VPLS offers no cryptographic protection; its isolation rests on the provider's MPLS core.

Figure 11. MPLS VPLS

TABLE 6. Comparison Matrix of Authentication and Encryption

VPN Type   | Encryption    | Authentication     | Can be bridged
PPTP       | MPPE128       | Username/Password  | With BCP
L2TP       | IPSec         | Username/Password  | With BCP
OpenVPN    | TLS (AES/BF)  | TLS                | With BCP
EoIP       | IPSec         | No                 | Yes
MPLS/VPLS  | No            | No                 | Pseudowires & Control Word
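What "can be sniffed" in items 1), 2), 5) and 7) versus 3), 4) and 6) comes down to whether the bridged Ethernet frame sits inside an encrypting layer. The Python below is an added example; it is not part of the paper and is not MikroTik's EoIP implementation or wire format. It constructs an ICMP echo between the Fig. 3 LAN hosts (192.168.4.3 to 192.168.4.2) crossing the router WAN link, assumed here to run from 12.0.0.1 to 34.0.0.4, once as plain GRE carrying Transparent Ethernet Bridging (protocol type 0x6558, the standards-based form of what an EoIP tunnel does) and once inside an ESP packet, and reports what a passive observer on the WAN can read from each. The ESP body is fixed filler standing in for ciphertext, which is all an observer would see of the real thing.

```python
"""What a WAN sniffer can read from an unencrypted Layer 2 tunnel versus IPsec ESP.

Added example, not from the paper and not MikroTik's EoIP wire format.
Assumptions: the unencrypted tunnel is plain GRE (RFC 2784) carrying
Transparent Ethernet Bridging, protocol type 0x6558; the protected tunnel
is ESP (IP protocol 50), where only SPI and sequence number are cleartext.
All packets are constructed by hand; addresses follow Fig. 3.
"""
import struct
from ipaddress import IPv4Address

ETH_P_TEB = 0x6558  # GRE protocol type: Transparent Ethernet Bridging
ETH_P_IP = 0x0800
IPPROTO_ICMP, IPPROTO_GRE, IPPROTO_ESP = 1, 47, 50
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP"}


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def ethernet(src_mac: bytes, dst_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame: destination MAC, source MAC, EtherType, payload."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def gre_teb(frame: bytes) -> bytes:
    """GRE header with no C/K/S flags and protocol type TEB, then the bridged frame."""
    return struct.pack("!HH", 0, ETH_P_TEB) + frame


def esp(spi: int, seq: int, opaque: bytes) -> bytes:
    """ESP: SPI and sequence number in cleartext; everything after is ciphertext."""
    return struct.pack("!II", spi, seq) + opaque


def parse_ipv4(buf: bytes):
    """Return (src, dst, protocol, payload) of an IPv4 packet."""
    ihl = (buf[0] & 0x0F) * 4
    return (str(IPv4Address(buf[12:16])), str(IPv4Address(buf[16:20])), buf[9], buf[ihl:])


def sniff(packet: bytes) -> dict:
    """Report what a passive observer learns from one outer IPv4 packet.

    For GRE/TEB the bridged frame's MACs plus the inner IP addresses and
    protocol are recovered (the fields visible in Figs. 5, 6, 9 and 11);
    for ESP only the SPI, sequence number and ciphertext length remain.
    """
    osrc, odst, oproto, body = parse_ipv4(packet)
    seen = {"outer": (osrc, odst, PROTO_NAMES.get(oproto, oproto))}
    if oproto == IPPROTO_GRE:
        flags, ptype = struct.unpack("!HH", body[:4])
        # Optional checksum (C, bit 15), key (K, bit 13) and sequence (S, bit 12)
        # fields each add 4 bytes before the encapsulated frame.
        off = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
        if ptype == ETH_P_TEB:
            frame = body[off:]
            seen["inner_eth"] = (frame[6:12].hex(":"), frame[:6].hex(":"))  # (src, dst)
            if struct.unpack("!H", frame[12:14])[0] == ETH_P_IP:
                isrc, idst, iproto, _ = parse_ipv4(frame[14:])
                seen["inner_ip"] = (isrc, idst, PROTO_NAMES.get(iproto, iproto))
    elif oproto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])
        seen["esp"] = {"spi": spi, "seq": seq, "opaque_bytes": len(body) - 8}
    return seen


def sample_packets() -> dict:
    """Constructed: ICMP echo 192.168.4.3 -> 192.168.4.2 (Fig. 3 LAN hosts) crossing
    the R1-R2 WAN link, assumed here to be 12.0.0.1 -> 34.0.0.4, bridged once over
    plain GRE/TEB and once inside ESP."""
    echo = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"ping-payload"
    inner = ipv4("192.168.4.3", "192.168.4.2", IPPROTO_ICMP, echo)
    frame = ethernet(bytes.fromhex("02000000aa03"), bytes.fromhex("02000000aa02"), ETH_P_IP, inner)
    plain = ipv4("12.0.0.1", "34.0.0.4", IPPROTO_GRE, gre_teb(frame))
    # Filler standing in for the ciphertext of `frame`: real ciphertext is just as
    # opaque to an observer, so only the length is meaningful here.
    opaque = bytes([0x5A]) * (len(frame) + 16)
    protected = ipv4("12.0.0.1", "34.0.0.4", IPPROTO_ESP, esp(0x1000ABCD, 7, opaque))
    return {"gre-teb": plain, "esp": protected}


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(name, sniff(pkt))
```

Run as a script, the GRE case yields the inner MACs, inner IP addresses and the ICMP protocol, while the ESP case yields only the router addresses, SPI and sequence number. The same `sniff` function can be fed the IP payload of each frame from a pcap reader to check a real capture; any tunnel for which `inner_ip` is populated is one whose Layer 2 payload is exposed to the transit network.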
C. VPN Selection

This section discusses the use of each VPN based on the throughput tests and the packet analysis of the previous sections. The packet analysis shows that OpenVPN, L2TP IPSec with BCP and EoIP with IPSec are good for security. The throughput results show that MPLS VPLS reaches 48.1 Mbps at 20 ms, and that EoIP with IPSec reaches 31.8 Mbps at 40 ms and 23.1 Mbps at 60 ms. Although EoIP performs well at 40 ms and 60 ms, it is not widely used in industry because it is not yet mature and is still vendor dependent. As mentioned in Section III, MPLS/VPLS is a provider-provisioned VPN that the customer cannot manage themselves. L2TP IPSec with BCP should be considered, from both the performance and the security perspective, for enterprise networks that need Layer 2 VPN connections. The pros and cons of each VPN on various aspects are given in Table 7.

TABLE 7. Pros and Cons of Different VPNs

VPN             | Security | QoS | Scalability | Cost
PPTP-BCP        | Low      | No  | Good        | Low
L2TP-BCP        | Low      | No  | Good        | Low
L2TP-BCP-IPSec  | High     | No  | Good        | Average
OpenVPN         | Higher   | No  | Good        | Average
EoIP            | Low      | Yes | Average     | High
EoIP_IPSec      | High     | Yes | Average     | High
MPLS VPLS       | Average  | Yes | Best        | Higher

VI. CONCLUSION

The main purpose of this paper is to analyze and compare site-to-site Layer 2 VPNs. The experiments yield different throughputs for the five VPN technologies. The tunnels are monitored and captured with the Wireshark network protocol analyzer to see which protocols and overheads are added to the original frame inside the Layer 2 tunnel. It is easy to see that a Layer 2 VPN carries the whole Ethernet frame, which raises the overhead compared to a Layer 3 VPN. As a result of this study, it is not easy to recommend one VPN over another, because each has advantages and disadvantages in terms of security and performance. A VPN protocol's encryption capability is of paramount importance because it determines the level of privacy and protection; however, this should not be the only reason for choosing a VPN for an organization. Organizations should therefore consider the VPN technology that best balances performance and security.

REFERENCES

[1] Internet Live Stats. Accessed: Dec 20, 2019. [Online]. Available: https://internetlivestats.com
[2] Ponemon Report. Accessed: Dec 20, 2019. [Online]. Available: https://www.keepersecurity.com/assets/pdf/Keeper-2018-Ponemon-Report.pdf
[3] K. K. V. V. Singh and H. Gupta, "A New Approach for the Security of VPN," in Proc. ICTCS 2016, doi: 10.1145/2905055.2905219.
[4] I. Kotuliak, P. Rybár and P. Trúchly, "Performance Comparison of IPSec and TLS Based VPN Technologies," ICETA 2011, Slovakia, Oct. 2011, pp. 217-221, doi: 10.1109/ICETA.2011.6112567.
[5] B. K. Chawla, O. P. Gupta and B. K. Sawhney, "A Review on IPsec and SSL VPN," International Journal of Scientific & Engineering Research, vol. 5, no. 11, Nov. 2014, pp. 21-24.
[6] H. Mao, L. Zhu and H. Qin, "A comparative research on SSL VPN and IPSec VPN," in Proc. ICTCS 2012.
[7] Z. Zhipeng et al., "VPN: a Boon or Trap? A Comparative Study of MPLS, IPSec, and SSL Virtual Private Networks," in Proc. ICCMC 2018, pp. 510-515.
[8] WANem, wide area network emulator. Accessed: Dec 20, 2019. [Online]. Available: http://wanem.sourceforge.net/
[9] RouterOS, operating system for RouterBOARD. Accessed: Dec 20, 2019. [Online]. Available: https://mikrotik.com/software
[10] VirtualBox, open-source hosted hypervisor. Accessed: Dec 20, 2019. [Online]. Available: https://www.virtualbox.org/
[11] Wireshark, packet analyzer. Accessed: Dec 20, 2019. [Online]. Available: https://www.wireshark.org/download.html
[12] iPerf, network measurement tool. Accessed: Dec 20, 2019. [Online]. Available: https://iperf.fr/
