Routing and Remote Access Blog

VPN articles - straight from Windows development team

How SSTP based VPN connection works


In this post, I will explain how an SSTP based VPN tunnel works, i.e. the data flow while the VPN connection comes up and how data transfer occurs once it is up.

The flow to bring the VPN connection up looks like this:

1) The client gets Internet connectivity and then establishes a TCP connection to the server on port 443. Let us say the IP address of the client is 100.100.100.1 and that of the server is 200.200.200.1.

2) On top of this TCP session, SSL negotiation takes place. The client receives the server certificate during the SSL authentication phase and validates it (the certificate chains to a trusted root, is within its validity period, and was issued for the server name the client dialed). If it is not valid, the connection is torn down. No client (or user) authentication happens on the server side at the SSL stage: at this point the server has been authenticated to the client, but the client is still an anonymous Internet host as far as the server is concerned.

3) The client then sends an HTTPS request to the server on top of the encrypted SSL session.

4) The client then sends SSTP control packets on top of the HTTPS session. Once the SSTP state machine is up on both sides, a lower-link-up indication is given to the PPP layer at each end.

5) PPP negotiation (on top of SSTP over HTTPS) takes place between the two ends. As part of the PPP authentication phase, the client is authenticated to the server and, optionally (depending on the authentication method), the server is authenticated to the client.

6) Once PPP completes, it attaches as an IP interface on both the client and the server. Let us say the "inner IP", i.e. the IP address given by the VPN server to the client, is 192.168.1.2 and the IP address of the VPN interface on the VPN server is 192.168.1.1.

7) Now both ends are ready to send IP packets to each other.
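As an added example (not code from this post or from the RRAS team), the following Python builds what the client sends in steps 3 and 4 and parses the control messages that come back. The request line, the fixed path with the SSTP GUID (the same path quoted in the author's reply in the comments below), the sentinel Content-Length and the control packet layout follow the published MS-SSTP specification; the host name, the correlation id, the nonce and the server's reply are constructed sample values. A real client would write these bytes into the TLS connection from step 2 rather than return them.

```python
"""Client side of the SSTP bring-up (steps 3 and 4), as bytes.

Added example, not RRAS code. Message layouts follow MS-SSTP; host name,
correlation id and the server reply below are constructed sample values.
"""
import struct
import uuid

# Fixed request path with the SSTP GUID (also quoted in the comments on this post).
SSTP_URI = "/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/"

SSTP_VERSION = 0x10                       # major 1, minor 0
MSG_CALL_CONNECT_REQUEST = 0x0001
MSG_CALL_CONNECT_ACK = 0x0002
ATTRIB_ENCAPSULATED_PROTOCOL_ID = 0x01
ATTRIB_CRYPTO_BINDING_REQ = 0x04
ENCAP_PROTOCOL_PPP = 0x0001


def sstp_header(control: bool, total_len: int) -> bytes:
    """4-byte SSTP header: version, C flag, 12-bit length including the header."""
    if total_len >= 0x1000:
        raise ValueError("SSTP packets are limited to 4095 bytes")
    return struct.pack("!BBH", SSTP_VERSION, 1 if control else 0, total_len)


def build_duplex_post(host, correlation_id=None) -> bytes:
    """Step 3: the HTTPS request written into the TLS session. The method, path and
    sentinel Content-Length (2**64-1: the body is the never-ending tunnel) are
    fixed by the protocol; the server accepts with 'HTTP/1.1 200 OK'."""
    if correlation_id is None:
        correlation_id = str(uuid.uuid4())
    lines = [
        f"SSTP_DUPLEX_POST {SSTP_URI} HTTP/1.1",
        f"Host: {host}",
        "Content-Length: 18446744073709551615",
        f"SSTPCORRELATIONID: {{{correlation_id.upper()}}}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def build_call_connect_request() -> bytes:
    """Step 4: the first control packet. Its one attribute says 'I will carry PPP'."""
    value = struct.pack("!H", ENCAP_PROTOCOL_PPP)
    attr = struct.pack("!BBH", 0, ATTRIB_ENCAPSULATED_PROTOCOL_ID, 4 + len(value)) + value
    body = struct.pack("!HH", MSG_CALL_CONNECT_REQUEST, 1) + attr
    return sstp_header(True, 4 + len(body)) + body


def sample_call_connect_ack(nonce: bytes) -> bytes:
    """Constructed server reply: CALL_CONNECT_ACK with a Crypto Binding Request
    (3 reserved bytes, hash bitmask, 32-byte nonce). After PPP the client answers
    with a Crypto Binding over this nonce and the server certificate hash, keyed
    from the PPP authentication, which ties the PPP session to this TLS session."""
    if len(nonce) != 32:
        raise ValueError("nonce must be 32 bytes")
    value = b"\x00\x00\x00" + bytes([0x02]) + nonce      # 0x02: SHA-256 offered
    attr = struct.pack("!BBH", 0, ATTRIB_CRYPTO_BINDING_REQ, 4 + len(value)) + value
    body = struct.pack("!HH", MSG_CALL_CONNECT_ACK, 1) + attr
    return sstp_header(True, 4 + len(body)) + body


def parse_control(pkt: bytes) -> dict:
    """Parse one SSTP control packet into its message type and attribute map,
    rejecting anything whose lengths do not add up."""
    if len(pkt) < 8:
        raise ValueError("short packet")
    version, flags, length = struct.unpack("!BBH", pkt[:4])
    if version != SSTP_VERSION:
        raise ValueError("unsupported SSTP version 0x%02x" % version)
    if not (flags & 1):
        raise ValueError("not a control packet")
    if (length & 0x0FFF) != len(pkt):
        raise ValueError("SSTP length mismatch")
    msg_type, n_attrs = struct.unpack("!HH", pkt[4:8])
    attrs, off = {}, 8
    for _ in range(n_attrs):
        if off + 4 > len(pkt):
            raise ValueError("truncated attribute")
        _, attr_id, attr_len = struct.unpack("!BBH", pkt[off:off + 4])
        attr_len &= 0x0FFF
        if attr_len < 4 or off + attr_len > len(pkt):
            raise ValueError("bad attribute length")
        attrs[attr_id] = pkt[off + 4:off + attr_len]
        off += attr_len
    if off != len(pkt):
        raise ValueError("trailing bytes after attributes")
    return {"type": msg_type, "attrs": attrs}
```

build_call_connect_request() yields the 14 bytes 10 01 00 0e 00 01 00 01 00 01 00 06 00 01: control bit set, one attribute, encapsulated protocol PPP. The length checks in parse_control are the ones a server has to make before trusting any of this framing, because at step 4 the peer is still an unauthenticated host on the Internet.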

Now let us look at how the data path works. Let's say the user pings the VPN server's IP address, i.e. 192.168.1.1 in this example:

1) The ping (i.e. ICMP echo request) packet goes over IP (with source IP 192.168.1.2 and destination IP 192.168.1.1) over PPP over SSTP.

2) SSTP hands the packet to the SSL layer, which encrypts it and sends it over TCP (port 443) over IP (with source IP 100.100.100.1 and destination IP 200.200.200.1) over the Internet interface.

I hope this helps you understand an SSTP based VPN tunnel in detail and how it differs from PPTP and L2TP. The main thing to note is that PPP and everything above it remain the same in the protocol stack; SSTP adds one layer that encapsulates the PPP packets inside an HTTPS session.
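The two steps above carried through as bytes, in an added Python example that is not part of the original post or of Windows RRAS. The inner addresses are the ones used in this post; the IPv4 and ICMP layouts are standard, and the SSTP data-packet header follows MS-SSTP. Two assumptions are made: the PPP frame is carried with just its 2-byte protocol field (address and control field compression negotiated during LCP), and the 32-byte payload is a constructed one in the pattern a Windows ping sends. ping_over_sstp() returns the plaintext that SSTP hands to the SSL layer; the TLS record and the outer 100.100.100.1 to 200.200.200.1 TCP/443 headers are added below that by the OS stack, so they are not built here. unwrap() is the server-side counterpart after SSL decryption.

```python
"""Data path of the post: ICMP echo -> IPv4 -> PPP -> SSTP data packet, and the
server-side unwrap. Added example, not RRAS code (assumptions in the lead-in)."""
import struct

SSTP_VERSION = 0x10
PPP_PROTO_IPV4 = 0x0021
IPPROTO_ICMP = 1


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum, shared by IPv4 and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def icmp_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP type 8, code 0; the checksum covers header and payload."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(hdr + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options), TTL 128, no fragmentation."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      128, proto, 0, ip_bytes(src), ip_bytes(dst))
    csum = inet_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def sstp_data_packet(ppp_frame: bytes) -> bytes:
    """Step 2: SSTP data header (version 1.0, C=0, 12-bit total length) in front
    of the PPP frame. These are the bytes handed to the SSL layer."""
    total = 4 + len(ppp_frame)
    if total >= 0x1000:
        raise ValueError("SSTP packets are limited to 4095 bytes")
    return struct.pack("!BBH", SSTP_VERSION, 0, total) + ppp_frame


# Constructed 32-byte payload, in the pattern a Windows ping sends.
PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def ping_over_sstp(inner_src="192.168.1.2", inner_dst="192.168.1.1", seq=1) -> bytes:
    """Step 1: the echo request with the post's inner addresses, wrapped in PPP
    (assumed: only the 2-byte protocol field, address/control compressed)."""
    icmp = icmp_echo_request(0x0001, seq, PING_PAYLOAD)
    ip = ipv4_packet(inner_src, inner_dst, IPPROTO_ICMP, icmp)
    ppp = struct.pack("!H", PPP_PROTO_IPV4) + ip
    return sstp_data_packet(ppp)


def unwrap(sstp_pkt: bytes) -> dict:
    """Server side after SSL decryption: peel SSTP -> PPP -> IPv4 -> ICMP,
    refusing the packet if any layer's length or checksum is wrong."""
    if len(sstp_pkt) < 4 + 2 + 20:
        raise ValueError("too short for SSTP + PPP + IPv4")
    version, flags, length = struct.unpack("!BBH", sstp_pkt[:4])
    if version != SSTP_VERSION or flags & 1:
        raise ValueError("not an SSTP 1.0 data packet")
    if (length & 0x0FFF) != len(sstp_pkt):
        raise ValueError("SSTP length mismatch")
    ppp = sstp_pkt[4:]
    proto = struct.unpack("!H", ppp[:2])[0]
    if proto != PPP_PROTO_IPV4:
        raise ValueError("unexpected PPP protocol 0x%04x" % proto)
    ip = ppp[2:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[0] >> 4 != 4 or ihl < 20 or total_len != len(ip):
        raise ValueError("bad IPv4 header")
    if inet_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 checksum")
    l4 = ip[ihl:total_len]
    if ip[9] == IPPROTO_ICMP and inet_checksum(l4) != 0:
        raise ValueError("bad ICMP checksum")
    return {
        "src": ip_str(ip[12:16]),
        "dst": ip_str(ip[16:20]),
        "proto": ip[9],
        "icmp_type": l4[0] if ip[9] == IPPROTO_ICMP else None,
        "sstp_len": length & 0x0FFF,
    }
```

For the default 32-byte ping the SSTP packet is 66 bytes (4 SSTP + 2 PPP + 20 IPv4 + 8 ICMP + 32 payload), starting 10 00 00 42 00 21. Note what the server sees at each layer: the SSTP header only tells it how long the frame is, the PPP protocol field tells it which network protocol to dispatch to, and only the inner IP header carries the 192.168.1.x addresses; the outer 100.100.100.1 and 200.200.200.1 are gone by the time SSL has decrypted the record.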

Samir Jain
Lead Program Manager
RRAS, Windows Enterprise Networking

[This posting is provided "AS IS" with no warranties, and confers no rights.]

Comments
  • In this FAQ, I will cover client specific queries of SSTP 1) How to enable SSTP based VPN connection

  • Microsoft is working on a remote access tunneling protocol for Vista and Longhorn Server that lets client

  • Haven't seen any specs yet, but it would be preferable to have the connection reference appear as any (yet another https://server.some.net/sstpservice) URI to client and it would also make sure the web server portion is general HTTP/1.1 compliant with virtualhost features etc. all functioning would be *very* convenient. The second, or is it third already, issue that pops in my mind is to make sure AAA hooks to infrastructure behind is flexible enough, a layered solution like EAP perhaps. (Just remember to include both TTLS & TLS too, only PEAP as CHAP bound is crap for anyone not having _ALL_ their passwords in AD).

  • Happy New Year to everyone! There is some exciting news being announced on the RRAS blog around a new

  • Please, please, please strongly consider submitting this to be formally standardized.  We don't need another PPTP, L2TP, or Yet Another Proprietary SSL VPN.  IPsec stinks, but at least it's a standard and there is at least a chance for interoperability.

  • Que: Haven't seen any specs yet, but it would be preferable to have the connection reference appear as any (yet another https://server.some.net/sstpservice) URI to client and it would also make sure the web server portion is general HTTP/1.1 compliant with virtualhost features etc. all functioning would be *very* convenient. The second, or is it third already, issue that pops in my mind is to make sure AAA hooks to infrastructure behind is flexible enough, a layered solution like EAP perhaps. (Just remember to include both TTLS & TLS too, only PEAP as CHAP bound is crap for anyone not having _ALL_ their passwords in AD).

    Ans: Yes, it will be HTTP/1.1 compliant. The SSTP URI will be fixed (https://server.some.net//sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/).

    Yes - the AAA infrastructure will be flexible and the same as RRAS, i.e. you can use a RADIUS server for doing AAA with the same PPP authentication algorithms (like MSCHAPv2, EAP, PEAP with different inner EAP methods, etc).


  • Hi Everyone: Our third and final planned beta is upon us and I am proud to announce that Forefront TMG
