2.1 VPN Communication Protocol


    Version from 02:24, 3 Mar 2013

    This revision modified by yagi (Ban)

    The protocol that SoftEther VPN uses for VPN communications is version 3 of the global security standard Secure Socket Layer (SSL). SoftEther VPN also includes several technical innovations that increase the speed and enhance the security of VPN communications.

    This section describes the SoftEther VPN protocol in detail. For more information on the SoftEther VPN protocol, see 1.6 VPN Communication Details.

    2.1.1 Communication Speed

    SoftEther VPN is a VPN system in which VPN Client, VPN Server and VPN Bridge communicate by exchanging virtual Ethernet frames. Built on TCP/IP, the SoftEther VPN protocol encapsulates, encrypts and transmits those virtual Ethernet frames over a physical IP network.

    A protocol built on conventional TCP/IP has the drawback that its communication efficiency is not very high: because TCP itself performs retransmission control and flow control, in some cases it can use only part of the bandwidth that is actually available.

    When developing the SoftEther VPN protocol, the SoftEther VPN Project carefully controlled and optimized the TCP/IP connections established for VPN communication so that communication is as efficient as possible. As a result, on a network with sufficient bandwidth, SoftEther VPN achieves speed and delay so close to those of the physical network that the user cannot tell whether communication goes through the VPN or flows directly over the physical network.

     

    2.1.2 Flexibility

    The SoftEther VPN protocol is based on TCP/IP, and all data flows over TCP/IP connections. A VPN built with SoftEther VPN can therefore pass through any network devices and servers that support TCP/IP.

    A VPN can now be easily constructed through proxy servers, NAT or firewalls, which was difficult for older VPN protocols such as PPTP or L2TP/IPSec.

    For the method of conducting stable VPN communications through a proxy server or other firewall, see 4.4 Making Connection to VPN Server.

    2.1.3 Communication Efficiency and Stability

    Communication efficiency (throughput and response time) and stability can be enhanced on the following kinds of networks if the user sets the advanced communication parameters of the SoftEther VPN protocol properly.

    • Networks with a large delay despite wide bandwidth.
    • Networks where proxy servers, NAT or firewalls on the VPN communication route introduce delay.
    • Networks where bandwidth control equipment (QoS equipment) on the VPN communication route deliberately limits the maximum speed of each individual TCP/IP connection.
    • Networks where proxy servers, NAT or firewalls on the VPN communication route apply special processing to TCP/IP traffic: for example, an expiration time is set for each TCP/IP connection and the connection is cut when it is exceeded, or the count and transmission interval of HTTPS packets are strictly recorded and a TCP/IP connection that violates the default standards of the HTTP protocol is cut or specially processed.

    A computer that is the source of VPN communication establishes multiple TCP/IP connections simultaneously for a single VPN session with the SoftEther VPN Server. By distributing the communication data over these connections in parallel, the SoftEther VPN protocol can send and receive VPN data at high speed with low delay.

    2-1-1.png

    Communication of VPN session by multiple TCP/IP connections.

    A computer that initiates a VPN connection can specify the following parameters.

    Reconnection Setting when VPN Connection Fails or Becomes Disconnected during Communications

    If the VPN connection to the SoftEther VPN Server is temporarily cut off because of a network problem, or the destination VPN Server stops temporarily, the system attempts to reconnect to the VPN Server until it succeeds. You can specify the maximum number of reconnection attempts and the interval between attempts (the interval cannot be set to less than 5 seconds).

    The default settings are a reconnection interval of 15 seconds and an unlimited number of reconnection attempts. With these settings the connection is maintained constantly as long as the network is functioning and the destination VPN Server is running.

    For cascade connections to a SoftEther VPN Server, the connection-maintenance function keeps the reconnection interval fixed at 10 seconds and the number of reconnection attempts fixed at unlimited. The user cannot change these settings.

    VPN session type, reconnection interval, number of reconnection attempts that can be set and the default settings are as follows:

    Session type                                                 | Reconnection interval              | Number of reconnection attempts
    Ordinary VPN sessions initiated by VPN Client                | Min. 5 seconds (default 15 seconds) | 0 to unlimited (default unlimited)
    Cascade connection VPN sessions by VPN Server / VPN Bridge   | 10 seconds (fixed)                 | Unlimited (fixed)

    Number of TCP/IP Connections Used for VPN Communication

    Multiple TCP/IP connections can be established for a VPN session with the SoftEther VPN Server, and using these parallel TCP/IP connections for data transmission enhances throughput and shortens delay. If some of the established TCP/IP connections are disconnected, or cannot communicate for a certain amount of time, new TCP/IP connections are created up to the specified number to make up the shortfall, so that the VPN session keeps communicating over the specified number of TCP/IP connections as far as possible.

    2-1-2.png

    Automatic reconnection processing if disconnected while using multiple TCP/IP connections.

    The user can specify from 1 to 32 TCP/IP connections.

    • The default setting when creating new connection settings in SoftEther VPN Client is 1.
    • The default setting when creating new cascade connections in SoftEther VPN Server / SoftEther VPN Bridge is 8.

    Simply increasing the number of TCP/IP connections does not by itself enhance VPN throughput. If the bandwidth of the route to the VPN Server on the IP network is large, increasing the number of connections often does enhance throughput or stabilize communication. Conversely, on low-speed lines such as ISDN or PHS, where the bandwidth is only several tens or hundreds of kbps, the bandwidth is consumed by the Keep-Alive messages and control data of the individual TCP/IP connections, so fewer connections often improve stability and enhance communication speed.

    The optimal number of TCP/IP connections also varies with the amount of data and the type of communication protocol used within the VPN session. After actually constructing the VPN, we recommend that you choose the proper setting while using the communication throughput measurement tool. For details on the communication throughput measurement tool, see 4.8 Measuring Effective Throughput.

    Establishment Interval for TCP/IP Connections

    When VPN communication uses 2 or more TCP/IP connections, you can specify how many seconds must pass after the immediately preceding TCP/IP connection is established before the next one (from the second connection onward) is established. The default setting is 1 second; it can be set to 1 second or longer.

    Under ordinary circumstances 1 second suffices. However, if a large number of TCP/IP connections (such as 32) are established in quick succession, a firewall or IDS on the IP network may mistake them for a DoS attack and cut the TCP/IP connections, so that the VPN connection is not established correctly. Increasing the establishment interval avoids this misdetection.

    2-1-3.png

    Establishment interval for TCP/IP connections.

    Life of TCP/IP Connections

    When VPN communication uses 2 or more TCP/IP connections, each TCP/IP connection can be disconnected once the specified number of seconds has elapsed since it was established between the connection-source computer and the VPN Server, and a new TCP/IP connection is then established to make up the shortfall. By default, this function is not used.

    This function is used to stabilize VPN communication by the SoftEther VPN protocol over an unstable network, for example one where network gateway devices on the IP route such as firewalls, IDS or proxy servers cut a TCP/IP connection that stays open for a long time or mistake it for a DoS attack, or where the server-side setting for each TCP/IP connection is set to a long time.

    Using in Half Duplex Mode

    The half duplex mode is a function whereby, when VPN communication uses 2 or more TCP/IP connections between the VPN connection source and the SoftEther VPN Server, approximately half of those TCP/IP connections are dedicated to sending and the other half to receiving. When this function is enabled, data flowing through each TCP/IP connection established as part of the SoftEther VPN protocol travels in only one direction: either from the VPN Server to the client (download) or from the client to the VPN Server (upload). Taken together, the TCP/IP connections still allow simultaneous communication in both directions (full duplex), but each individual TCP/IP connection carries data in one direction only, which is why it is called half duplex mode.

    This function is used to stabilize VPN communication by the SoftEther VPN protocol over an unstable network where network security devices on the physical IP network, such as firewalls, IDS or proxy servers that inspect TCP/IP packets for bidirectional SSL data flow, mistake legitimate SoftEther VPN communication for an attack or malicious backdoor communication and issue a warning or forcibly disconnect it.

    Half duplex mode involves some additional software processing for control, and because this consumes CPU time, communication efficiency is slightly lower. The drop in throughput and the effect on the user are extremely small, however, so under ordinary circumstances this is not a problem.

    2-1-4.png

    VPN session communications in half duplex mode.
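The connection-management parameters described above (reconnection interval and attempt limit, number of TCP/IP connections, establishment interval, connection lifetime and half duplex mode), as an added example that is not SoftEther's own code: a Python simulation of the policy driven by a virtual clock instead of real sockets. The class and field names are assumptions chosen for the illustration.

```python
"""Added example (not SoftEther's own code): a simulated scheduler for the
multi-connection parameters of 2.1.3, run against a virtual clock instead of sockets."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MIN_RECONNECT_INTERVAL = 5   # seconds; the manual's lower bound
MAX_TCP_CONNECTIONS = 32     # 1 to 32 connections per VPN session
MIN_ESTABLISH_INTERVAL = 1   # seconds between consecutive TCP/IP connections


@dataclass
class SessionParams:
    max_connections: int = 1                      # VPN Client default 1, cascade default 8
    establish_interval: int = 1                   # seconds, 1 or longer
    connection_lifetime: Optional[int] = None     # seconds; None = function not used
    half_duplex: bool = False
    reconnect_interval: int = 15                  # seconds, 5 or longer
    max_reconnect_attempts: Optional[int] = None  # None = unlimited

    def validate(self) -> List[str]:
        """Return the violated limits (empty list when the settings are valid)."""
        errors = []
        if not 1 <= self.max_connections <= MAX_TCP_CONNECTIONS:
            errors.append("max_connections must be 1..32")
        if self.establish_interval < MIN_ESTABLISH_INTERVAL:
            errors.append("establish_interval must be >= 1 s")
        if self.reconnect_interval < MIN_RECONNECT_INTERVAL:
            errors.append("reconnect_interval must be >= 5 s")
        return errors


class ConnectionPool:
    """Keeps one VPN session at its configured number of TCP/IP connections. Each
    connection is (opened_at, direction); direction is "both", or "c2s"/"s2c" in half duplex."""

    def __init__(self, params: SessionParams, cascade: bool = False):
        if cascade:  # cascade sessions: interval fixed at 10 s, attempts unlimited
            params.reconnect_interval = 10
            params.max_reconnect_attempts = None
        errors = params.validate()
        if errors:
            raise ValueError("; ".join(errors))
        self.p = params
        self.conns: List[Tuple[int, str]] = []
        self.last_open: Optional[int] = None
        self.opened_total = 0

    def _direction(self) -> str:
        if not self.p.half_duplex:
            return "both"
        # Half duplex: assign roughly half of the connections to each direction
        ups = sum(d == "c2s" for _, d in self.conns)
        downs = sum(d == "s2c" for _, d in self.conns)
        return "c2s" if ups <= downs else "s2c"

    def tick(self, now: int) -> int:
        """Advance to virtual time `now`; returns 1 if a connection was opened."""
        if self.p.connection_lifetime is not None:  # "life of TCP/IP connections"
            self.conns = [c for c in self.conns if now - c[0] < self.p.connection_lifetime]
        if len(self.conns) >= self.p.max_connections:
            return 0
        # The first connection opens at once; later ones honour establish_interval
        if self.last_open is not None and now - self.last_open < self.p.establish_interval:
            return 0
        self.conns.append((now, self._direction()))
        self.last_open = now
        self.opened_total += 1
        return 1

    def drop(self, index: int) -> None:  # simulate a gateway cutting one connection
        del self.conns[index]


class Reconnector:
    """Session-level retry policy for when the whole VPN connection is lost."""

    def __init__(self, params: SessionParams):
        self.p, self.attempts, self.next_at = params, 0, None

    def on_disconnect(self, now: int) -> None:
        self.attempts, self.next_at = 0, now + self.p.reconnect_interval

    def should_retry(self, now: int) -> bool:
        if self.next_at is None or now < self.next_at:
            return False  # not due yet (or never disconnected)
        limit = self.p.max_reconnect_attempts
        if limit is not None and self.attempts >= limit:
            return False  # attempt budget exhausted
        self.attempts += 1
        self.next_at = now + self.p.reconnect_interval
        return True
```

Calling `tick()` once per virtual second reproduces the behaviour in figures 2-1-2 and 2-1-3: a dropped connection is replaced at the next tick that satisfies the establishment interval, and an expired one is replaced the same way.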

    Disabling Encryption Option

    By default, the SoftEther VPN protocol encrypts all communication content with SSL and adds an electronic signature, but in the following cases encryption and the electronic signature can be disabled.

    • The physical IP network used for VPN communication is limited to a physically secure LAN, and it is physically difficult for a malicious third party to eavesdrop on or tamper with packets on the line.
    • Communication takes place over a dedicated frame relay service from a communications provider, or over a highly reliable network such as wide-area Ethernet on which eavesdropping by other users is difficult, and the service provided by the communications provider is sufficiently trustworthy.
    • The SoftEther VPN protocol is combined with other software (an SSH port forwarding tool, etc.) and encryption is carried out at a lower layer.
    • The VPN connection source software and the SoftEther VPN Server run on the same computer (connection to localhost). This configuration arises, for example, when a cascade connection is made between Virtual Hubs of the same VPN Server.

    When encryption and the electronic signature are not applied, only an encapsulation header is added to the virtual Ethernet frames sent over the physical IP network, and the SoftEther VPN protocol provides no encryption or signature protection. The CPU time that would have been spent on encryption and signature calculation can then be used for encapsulating and transmitting virtual Ethernet frames, which enhances communication throughput.

    Even when encryption is disabled, important processing such as user authentication is still encrypted by SSL.

    Using Data Compression

    The SoftEther VPN protocol can compress all Ethernet frames it sends and receives before transmitting them. The deflate algorithm developed by Jean-loup Gailly and Mark Adler is used as the compression algorithm, with the compression parameter set for the fastest processing speed.

    Using data compression for VPN communication can reduce the communication volume by up to 80% (depending on the protocol in use). Compression raises the CPU load on both client and server, however, and depending on the performance of the hardware involved, when the line speed exceeds about 10 Mbps, not compressing the data in many cases gives better communication speed.

    2.1.4 Encrypted Communication Security

    The SoftEther VPN protocol realizes encryption and electronic signatures using SSL. The following cipher suites are implemented for encryption and electronic signature.

    • RC4-MD5
    • RC4-SHA
    • AES128-SHA
    • AES256-SHA
    • DES-CBC-SHA
    • DES-CBC3-SHA

    The algorithm used for encryption is specified by the SoftEther VPN Server administrator (it cannot be chosen by users of the connection-source computers). Any of the cipher suites listed above can be selected; RC4-MD5 is selected by default.

    RC4-MD5 is the fastest algorithm that offers a certain degree of security, and there is no need to select another algorithm without a special reason. In a service environment where regulations permit only a particular algorithm such as AES, or where the administrator is strict about encryption, you can use a more secure encryption algorithm such as AES.
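An added example (not SoftEther's own code) for checking, from the administrator's side, which of the cipher suites listed above the local Python/OpenSSL build can still enable, and what remains when the selection is restricted to the AES entries; the function names are assumptions for the illustration.

```python
"""Added example (not SoftEther's own code): probe which of the cipher suites
listed in 2.1.4 the local Python/OpenSSL build can still enable."""
import ssl
from typing import Dict, List

# The six suites named in the manual, in OpenSSL cipher-string notation
MANUAL_SUITES = ["RC4-MD5", "RC4-SHA", "AES128-SHA", "AES256-SHA",
                 "DES-CBC-SHA", "DES-CBC3-SHA"]
AES_SUITES = [s for s in MANUAL_SUITES if s.startswith("AES")]


def enabled_names(ctx: ssl.SSLContext) -> List[str]:
    """Cipher names the context would actually offer."""
    return [c["name"] for c in ctx.get_ciphers()]


def probe_suites(names: List[str]) -> Dict[str, bool]:
    """Map each suite name to whether this OpenSSL build can enable it at all.
    A suite that is missing here (commonly the case for RC4 and single DES on
    current builds) cannot be negotiated whatever the VPN Server administrator selects."""
    result: Dict[str, bool] = {}
    for name in names:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        try:
            ctx.set_ciphers(name)  # raises SSLError when no cipher matches
            result[name] = name in enabled_names(ctx)
        except ssl.SSLError:
            result[name] = False
    return result


def aes_only_suites() -> List[str]:
    """Suites left when the cipher string is restricted to the AES entries of the
    manual's list (the choice the manual suggests for stricter environments)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(":".join(AES_SUITES))
    except ssl.SSLError:
        return []
    return [s for s in enabled_names(ctx) if s in AES_SUITES]


if __name__ == "__main__":
    for suite, ok in probe_suites(MANUAL_SUITES).items():
        print(f"{suite:14s} {'available' if ok else 'not available'}")
    print("AES-only selection:", aes_only_suites())
```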

     

    2.1.5 Support for VoIP / QoS

    The SoftEther VPN protocol supports QoS for VPN communication and gives bandwidth priority to high-priority packets such as VoIP packets during transmission processing. For details, see 1.9 VoIP / QoS Support Function.

    Version as of 18:51, 3 Mar 2013

    This revision modified by genya (Ban)
