In this blog, I will explain how SSTP based VPN tunnel works – i.e. the data flow during VPN connection coming up and how data transfer occurs.
The flow to get VPN connection up looks like:
1) Client gets Internet connectivity and then establishes TCP connectivity to server over port 443. Let us say the IP address of client is 100.100.100.1 and server is 220.127.116.11.
2) Then on top of this TCP session, SSL negotiation takes place. Client gets the server certificate during SSL authentication phase and it validates the server certificate. If it is not valid, the connection is broken down. No client (or user) authentication happened on the server side at the SSL stage.
3) Client then sends HTTPS request on top of the encrypted SSL session to the server.
4) Client then sends SSTP control packets on top of the HTTPS session. Once SSTP state machine is up on either side, lower-link up indication is given to PPP layer on each ends.
5) PPP negotiation (on top of SSTP over HTTPS) takes place at both ends. As part of PPP authentication phase, client is authenticated to server and optionally (depending upon the authentication algorithm) server is authenticated to client.
6) Once PPP completes, it attaches as IP interface on both client and server side. Let us say the “inner IP” or the IP address given by VPN server to the client is 192.168.1.2 and the IP address of VPN interface on VPN server is 192.168.1.1
7) Now both ends are ready to send IP packets to each other.
Now let us try to understand how data path works: Lets say user does ping to VPN server IP address i.e. 192.168.1.1 in this example
1) Ping (i.e. ICMP echo request) packet will go over IP (with source IP as 192.168.1.2 and destination IP as 192.168.1.1) over PPP over SSTP.
2) SSTP sends to SSL layer which does the encryption and sends over TCP over IP (with source IP as 100.100.100.1 and destination IP as 18.104.22.168) over Internet interface.
Hope this helps for you to understand SSTP based VPN tunnel in detail and how it differs from PPTP and L2TP. The main thing to note is: PPP and above remains same on the protocol stack and SSTP adds a layer to encapsulate PPP packets over HTTPS session.
Lead Program Manager
RRAS, Windows Enterprise Networking
[This posting is provided “AS IS” with no warranties, and confers no rights.]