
Mobile VPN: Closing the gap

PDA VPN clients have been around for nearly as long as PDAs themselves. From the simple PPTP client found in early Windows HPCs to standard IPsec clients embedded in today's Symbian and Windows Mobile smartphones, solutions abound for tunneling from mobile devices to corporate VPNs. But finding a mobile VPN that can meet your network and device requirements takes research. Here, Lisa Phifer offers some help.

PDA VPN clients have been around for nearly as long as PDAs themselves. From the simple PPTP client found in early Windows HPCs to standard IPsec clients embedded in today's Symbian and Windows Mobile smartphones, solutions abound for tunneling from mobile devices to corporate VPNs. These VPN clients may sound like a convenient way to secure mobile communication, and for many stationary users, they are. But there's a big difference between connecting a VPN user and keeping that user happy while he moves from one location to another. Eliminating that expectation gap requires a different kind of solution: a mobile VPN.

Mobility changes the rules

PPTP, IPsec and SSL VPNs identify the device at the far end of the tunnel by IP address. This works well for users who tunnel from stationary devices: a home PC over residential broadband, a laptop over a hotel LAN, or even a PDA at a Wi-Fi hot spot. But put that device in motion, and physical connectivity, point of network attachment, and IP address are all likely to change. A conventional VPN client simply cannot survive such changes. The tunnel breaks, application sessions disconnect or time out, and the user must restart the business communication from scratch.

Mobile VPN solutions from such vendors as Columbitech, Ecutel, IBM, ipUnplugged, Motorola, NetMotion, Nokia, Padcom and Radio IP are designed to adapt transparently to these changes. In a mobile VPN, a VPN server still sits at the edge of your company network, enabling secure tunneled access by authenticated, authorized VPN clients. Mobile VPN tunnels are not tied to physical IP addresses, however. Instead, each tunnel is bound to a logical IP address. That logical IP address sticks to the mobile device no matter where it may roam. For example, a mobile VPN client can:

  • Roam from one wireless AP to another at a public Wi-Fi hot spot.
  • Leave Wi-Fi coverage and start using a 3G connection (e.g., EV-DO).
  • Leave 3G coverage and start using a slower 2G connection (e.g., 1xRTT).
  • Return to the office and start using a docked Ethernet LAN connection.

In this example, the mobile VPN client uses four or five different physical IP addresses while retaining one logical IP address. Applications running on the mobile device and inside the corporate network communicate through that one logical IP address, remaining blissfully unaware of the user's motion and associated physical/network transitions.

Persistence is key

Readers with large wireless LANs may already be familiar with AP roaming issues. In fact, many WLAN switches use fast handoff and subnet roaming to reduce latency and avoid re-authentication by Wi-Fi clients inside a private WLAN. Unfortunately, those solutions can't help mobile users who need to roam between entirely separate networks that are owned and operated by third parties.

Furthermore, subnet roaming is just one of many difficult challenges that face mobile users. Many mobile VPNs take steps to smooth over additional hurdles:

  • A roaming Wi-Fi client may lose connectivity for tens to hundreds of milliseconds during an AP-to-AP handoff. But a mobile user can easily lose connectivity for minutes, hours or even days while passing through a no-coverage zone.

  • Wi-Fi clients roaming within a given ESSID encounter consistent security throughout the WLAN. But a mobile user roaming from a public Wi-Fi hot spot to a carrier 3G network to a secure enterprise WLAN will be required to complete three separate network logins -- and repeated application logins as well.

  • Wi-Fi clients can use the 802.11 power-save option to doze briefly and save battery without losing their AP associations. But a PDA or smartphone that "falls asleep" to save battery when not in use has no standard mechanism to keep application sessions alive until full power is resumed.

  • Wi-Fi clients automatically choose the best AP, based on observable metrics such as signal strength and error rate. But a mobile device with more than one type of network connection may also need to consider such factors as cost, security and corporate preferences.

  • Wi-Fi standards enable dynamic rate shifting; administrators can establish minimum acceptable rates. By comparison, mobile devices tend to encounter a much broader range of network characteristics that can be difficult to predict, let alone control.

Today's mobile VPN products tackle all of these challenges to some degree. In particular, mobile VPNs deliver network and application persistence. When a mobile VPN client roams subnets, swaps adapters, falls asleep, or enters a coverage gap, the VPN server stands in for the client. That server maintains the client's network state to avoid domain and application re-authentication. It may respond to API calls to prevent application blocking or to hold messages sent to the client. When reachability returns, mobile users can simply resume working exactly where they left off -- subject to the interaction constraints imposed by each application.
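To make the two ideas above concrete (a tunnel bound to a logical IP rather than a physical one, and a server that holds state and messages while the client is unreachable), here is a small simulation added for this article. It is illustrative code, not any vendor's protocol, and every address, user name and message in it is constructed. It also assumes something the article does not spell out: when the server accepts packets for a logical IP from any physical address, each packet must carry an authentication tag under the tunnel's key, otherwise a third party could claim the tunnel simply by knowing the logical address.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Tunnel:
    """Server-side state for one authenticated client."""
    user: str
    logical_ip: str                 # what applications see; never changes
    physical_ip: Optional[str]      # current point of attachment; None = coverage gap
    key: bytes                      # per-tunnel secret established at login (assumed)
    queued: List[str] = field(default_factory=list)   # traffic held while unreachable


def tag(key: bytes, logical_ip: str, payload: str) -> str:
    """HMAC proving the sender holds the tunnel key (assumed tunnel-header field)."""
    return hmac.new(key, f"{logical_ip}|{payload}".encode(), hashlib.sha256).hexdigest()


class ConventionalVPN:
    """Tunnel identified by the client's physical IP, as PPTP/IPsec/SSL VPNs do."""
    def __init__(self) -> None:
        self.by_physical: Dict[str, Tunnel] = {}

    def connect(self, user: str, physical_ip: str) -> Tunnel:
        t = Tunnel(user, f"10.8.0.{len(self.by_physical) + 2}", physical_ip, os.urandom(16))
        self.by_physical[physical_ip] = t
        return t

    def receive(self, src_ip: str, payload: str) -> str:
        # A packet from a new source address matches no tunnel: the session is gone.
        t = self.by_physical.get(src_ip)
        return "dropped" if t is None else f"{t.logical_ip}:{payload}"


class MobileVPN:
    """Tunnel identified by logical IP; the physical IP may change on every packet."""
    def __init__(self) -> None:
        self.by_logical: Dict[str, Tunnel] = {}

    def connect(self, user: str, physical_ip: str) -> Tunnel:
        t = Tunnel(user, f"10.9.0.{len(self.by_logical) + 2}", physical_ip, os.urandom(16))
        self.by_logical[t.logical_ip] = t
        return t

    def receive(self, src_ip: str, logical_ip: str, payload: str, mac: str) -> str:
        t = self.by_logical.get(logical_ip)
        # Accept the new point of attachment only if the packet authenticates.
        if t is None or not hmac.compare_digest(mac, tag(t.key, logical_ip, payload)):
            return "dropped"
        t.physical_ip = src_ip
        return f"{t.logical_ip}:{payload}"

    def lose_coverage(self, logical_ip: str) -> None:
        self.by_logical[logical_ip].physical_ip = None

    def send_to_client(self, logical_ip: str, msg: str) -> str:
        t = self.by_logical[logical_ip]
        if t.physical_ip is None:          # server stands in for the absent client
            t.queued.append(msg)
            return "queued"
        return f"sent:{t.physical_ip}"

    def flush(self, logical_ip: str) -> List[str]:
        t = self.by_logical[logical_ip]
        held, t.queued = t.queued, []
        return held


def roaming_demo() -> dict:
    # Constructed physical addresses for the hops in the article: hot spot AP 1,
    # hot spot AP 2, 3G, 2G, docked office LAN.
    hops = ["192.0.2.10", "192.0.2.77", "198.51.100.5", "203.0.113.40", "10.1.1.9"]

    conv = ConventionalVPN()
    conv.connect("alice", hops[0])
    conventional = [conv.receive(ip, "hello") for ip in hops]

    mob = MobileVPN()
    mt = mob.connect("alice", hops[0])
    mobile = [mob.receive(ip, mt.logical_ip, "hello", tag(mt.key, mt.logical_ip, "hello"))
              for ip in hops]
    # A packet naming the right logical IP but carrying a tag under the wrong key.
    bad_tag = mob.receive("192.0.2.99", mt.logical_ip, "hello", tag(b"wrong", mt.logical_ip, "hello"))

    # Coverage gap: the server holds traffic, then delivers it when the client reappears.
    mob.lose_coverage(mt.logical_ip)
    held = mob.send_to_client(mt.logical_ip, "dispatch order")
    mob.receive(hops[2], mt.logical_ip, "back", tag(mt.key, mt.logical_ip, "back"))
    flushed = mob.flush(mt.logical_ip)
    return {"conventional": conventional, "mobile": mobile,
            "bad_tag": bad_tag, "held": held, "flushed": flushed}
```

Run `roaming_demo()`: the conventional tunnel delivers only the first packet and drops the rest, while the mobile tunnel delivers all five from the same logical address, rejects the badly tagged packet, and returns the message that was held during the coverage gap.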

Networks and devices

Mobile VPN products operate over many kinds of networks, from satellite links and GSM to Wi-Fi and 3G. Some mobile VPNs are network-agnostic, sending exactly the same messages over any data link. Others are network-aware, adjusting messages to optimize performance over high-latency or low-bandwidth links. Some mobile VPNs simply use the connection with the highest data rate. Others let you control link selection and/or automate network authentication with configurable policies.
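The difference between "use the fastest connection" and policy-driven link selection (cost, security and corporate preference, as raised earlier on this page) is easy to show in code. The following is an added example for this article, not a product's policy engine; the link attributes, policy keys and adapter names are all constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Link:
    name: str            # adapter name (constructed)
    kind: str            # "ethernet" | "wifi" | "3g" | "2g"
    kbps: int            # observed data rate
    cost_per_mb: float   # carrier charge; 0 for corporate or free links
    secured: bool        # link-layer security present vs. open hot spot


# Constructed corporate policy (keys are this example's, not a product's).
POLICY = {
    "preference": ["ethernet", "wifi", "3g", "2g"],  # corporate order of preference
    "max_cost_per_mb": 0.05,                          # refuse expensive roaming links
    "allow_open_wifi": True,                          # tunnel protects traffic, but policy may still say no
    "min_kbps": 64,                                   # below this, the link is not worth using
}


def eligible(link: Link, policy: dict) -> bool:
    """Apply the hard constraints: minimum rate, cost ceiling, open Wi-Fi rule."""
    if link.kbps < policy["min_kbps"]:
        return False
    if link.cost_per_mb > policy["max_cost_per_mb"]:
        return False
    if link.kind == "wifi" and not link.secured and not policy["allow_open_wifi"]:
        return False
    return True


def fastest_link(links: List[Link]) -> Optional[Link]:
    """The naive rule: highest data rate wins, whatever it costs or exposes."""
    return max(links, key=lambda l: l.kbps) if links else None


def policy_link(links: List[Link], policy: dict) -> Optional[Link]:
    """Filter by policy, then rank by corporate preference, then cost, then rate."""
    ok = [l for l in links if eligible(l, policy)]
    if not ok:
        return None   # no acceptable link: better to wait than violate policy
    rank = {kind: i for i, kind in enumerate(policy["preference"])}
    return min(ok, key=lambda l: (rank.get(l.kind, len(rank)), l.cost_per_mb, -l.kbps))


def selection_demo() -> dict:
    # Constructed view from a hotel: open hot spot, carrier 3G, carrier 2G fallback.
    hotel = [
        Link("wlan0", "wifi", 20000, 0.0, secured=False),
        Link("wwan0", "3g", 1500, 0.02, secured=True),
        Link("wwan1", "2g", 100, 0.02, secured=True),
    ]
    strict = dict(POLICY, allow_open_wifi=False)
    abroad = dict(POLICY, max_cost_per_mb=0.01)   # roaming tariff now exceeds the ceiling
    return {
        "fastest": fastest_link(hotel).name,
        "policy_default": policy_link(hotel, POLICY).name,
        "policy_no_open_wifi": policy_link(strict and hotel, strict).name,
        "policy_abroad": policy_link([l for l in hotel if l.kind != "wifi"], abroad),
    }
```

With the default policy both rules pick the open hot spot; forbidding open Wi-Fi moves the client to 3G even though it is slower, and when every remaining carrier link breaches the cost ceiling the policy selector returns `None` rather than silently picking the fastest link.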

Mobile VPN clients have been developed for many devices and operating systems, from Windows XP/2000 laptops and tablets to smartphones and wireless point-of-sale terminals. Be careful: Platform support varies widely and often depends on nitty-gritty details such as OS version, hardware model, and wireless adapter. Some mobile VPN clients can even be purchased with an SDK for porting to additional platforms.

Look before you leap

Finding a mobile VPN that can meet your network and device requirements is just the first step. Selecting the right mobile VPN for your workforce will involve evaluating many requirements -- including the VPN's ability to implement and enforce your company's security policy.

What often matters the most, though, is usability and reliability -- will adopting a mobile VPN really make your workforce more productive? More competitive? More responsive? To answer those questions, I highly recommend taking a mobile VPN out for a test drive. In next month's tip, I will discuss mobile VPN usage examples and share my own recent "road trip" experience.

ABOUT THE AUTHOR: Lisa Phifer is vice president of Core Competence Inc., a consulting firm specializing in network security and management technology. Phifer has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for nearly 20 years. She teaches about wireless LANs and virtual private networking at industry conferences and has written extensively about network infrastructure and security technologies for numerous publications. She is also a site expert to and
