5.3 VPN Fundamentals
Key Takeaways
- A VPN creates an encrypted tunnel over a public network (internet) for secure communication.
- Site-to-site VPNs connect entire networks (office to office) and are always on.
- Remote access VPNs connect individual users to the corporate network from anywhere.
- IPsec provides encryption (ESP) and authentication (AH) at Layer 3 for site-to-site VPNs.
- SSL/TLS VPNs operate at Layers 4-7 and are commonly used for remote access; the clientless variant needs no client software at all.
VPN Fundamentals
A VPN (Virtual Private Network) creates an encrypted tunnel over a public network (typically the internet), allowing secure communication as if the endpoints were on the same private network.
VPN Types
Site-to-Site VPN
| Feature | Detail |
|---|---|
| Connects | Two networks (e.g., headquarters ↔ branch office) |
| Endpoints | Routers or firewalls at each site |
| Status | Always on (permanent tunnel) |
| Protocol | IPsec (most common) |
| Users | Transparent to end users — they don't know they're using a VPN |
Remote Access VPN
| Feature | Detail |
|---|---|
| Connects | Individual user to the corporate network |
| Endpoints | User's device ↔ VPN gateway (firewall/router) |
| Status | On-demand (user initiates connection) |
| Protocol | SSL/TLS (clientless or AnyConnect) or IPsec |
| Users | Must initiate the VPN connection |
IPsec (Internet Protocol Security)
IPsec is a suite of protocols that provides security at Layer 3 (Network layer). It is the standard for site-to-site VPNs.
IPsec Protocols
| Protocol | Function | IP Protocol |
|---|---|---|
| ESP (Encapsulating Security Payload) | Encryption + authentication + integrity | IP protocol 50 |
| AH (Authentication Header) | Authentication + integrity only (no encryption) | IP protocol 51 |
| IKE (Internet Key Exchange) | Negotiates encryption keys and security associations | UDP port 500 |
ESP is used in most deployments because it provides both encryption and authentication. AH provides only authentication without encryption.
IPsec Modes
| Mode | Description | Use Case |
|---|---|---|
| Tunnel mode | Encrypts the entire original IP packet and adds a new IP header | Site-to-site VPN (default) |
| Transport mode | Encrypts only the payload; the original IP header stays in the clear | Host-to-host communication |
IPsec Phase 1 and Phase 2
| Phase | Purpose | Result |
|---|---|---|
| Phase 1 (IKE SA) | Authenticate peers, negotiate encryption parameters | Secure management tunnel |
| Phase 2 (IPsec SA) | Negotiate data encryption parameters | Encrypted data tunnel |
SSL/TLS VPN
SSL/TLS VPNs operate at Layers 4-7 and use the same TLS encryption as HTTPS (TCP port 443).
Clientless SSL VPN
- Access through a web browser — no software installation needed
- Limited to web applications, email, and file shares
- Good for contractors and BYOD devices
Full-Tunnel SSL VPN (Cisco AnyConnect)
- Requires client software (AnyConnect) on the user's device
- All traffic from the device goes through the VPN tunnel
- Provides full network access similar to being on-site
VPN Comparison
| Feature | IPsec Site-to-Site | IPsec Remote Access | SSL/TLS Remote Access |
|---|---|---|---|
| Layer | Layer 3 | Layer 3 | Layer 4-7 |
| Client needed | No (router-to-router) | Yes (IPsec client) | Optional (browser or AnyConnect) |
| Access type | Full network | Full network | Full or limited (web-based) |
| Port | UDP 500, IP 50/51 | UDP 500, IP 50/51 | TCP 443 |
| Firewall friendly | May be blocked | May be blocked | Very friendly (uses HTTPS port) |
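To make the protocol-number and port tables above concrete, here is an added Python example (not from the original guide) that labels raw IPv4 packets by the VPN protocol they carry, using only the outer headers, and models why a firewall that permits only TCP 443 passes SSL/TLS VPN traffic but drops IKE, ESP and AH. The packets, addresses and payloads are constructed sample values.

```python
import socket
import struct

# Protocol numbers and ports from the section's tables (IANA assignments).
IP_PROTO_TCP, IP_PROTO_UDP = 6, 17
IP_PROTO_ESP, IP_PROTO_AH = 50, 51
IKE_PORT, HTTPS_PORT = 500, 443


def build_ipv4(proto: int, payload: bytes,
               src: str = "203.0.113.10", dst: str = "198.51.100.20") -> bytes:
    """Constructed sample packet: minimal 20-byte IPv4 header (checksum left 0) + payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def classify(pkt: bytes) -> str:
    """Label an IPv4 packet by the VPN protocol it carries, using only outer headers."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not IPv4"
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes (IP options included)
    proto = pkt[9]
    if proto == IP_PROTO_ESP:
        return "IPsec ESP (IP protocol 50)"   # payload is encrypted; inner header is not visible
    if proto == IP_PROTO_AH:
        return "IPsec AH (IP protocol 51)"    # authenticated and integrity-checked, not encrypted
    if proto in (IP_PROTO_TCP, IP_PROTO_UDP):
        if len(pkt) < ihl + 4:
            return "truncated transport header"
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if proto == IP_PROTO_UDP and IKE_PORT in (sport, dport):
            return "IKE (UDP 500)"             # Phase 1/2 negotiation, seen before any ESP
        if proto == IP_PROTO_TCP and dport == HTTPS_PORT:
            return "TCP 443: HTTPS or SSL/TLS VPN"
    return "other"


def https_only_firewall_allows(pkt: bytes) -> bool:
    """Model a firewall that permits only outbound TCP 443: IKE, ESP and AH are all dropped."""
    return classify(pkt).startswith("TCP 443")


if __name__ == "__main__":
    samples = {
        "ESP": build_ipv4(IP_PROTO_ESP, b"\x00\x00\x00\x01\x00\x00\x00\x07"),   # SPI + sequence
        "AH": build_ipv4(IP_PROTO_AH, b"\x00" * 12),
        "IKE": build_ipv4(IP_PROTO_UDP, struct.pack("!HHHH", 500, 500, 8, 0)),
        "TLS": build_ipv4(IP_PROTO_TCP, struct.pack("!HH", 51234, HTTPS_PORT) + b"\x00" * 16),
    }
    for name, pkt in samples.items():
        print(f"{name:4} -> {classify(pkt):32} HTTPS-only firewall: {https_only_firewall_allows(pkt)}")
```

Run it as a script to see all four sample packets labelled; only the TCP 443 packet survives the HTTPS-only policy, which is the "firewall friendly" row of the comparison table in code.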
On the Exam: Know the difference between site-to-site and remote access VPNs. Understand that IPsec operates at Layer 3 with ESP (encryption + auth) and AH (auth only). SSL/TLS VPNs use TCP 443 and are more firewall-friendly.
Which IPsec protocol provides both encryption AND authentication?
What type of VPN connects two networks (e.g., headquarters to a branch office) and is always on?