5.3 VPN Fundamentals
Key Takeaways
- A VPN builds an encrypted tunnel across an untrusted network, giving private-network security over the public internet.
- Site-to-site VPNs join whole networks via routers/firewalls and stay always-on; remote-access VPNs connect individual users on demand.
- IPsec works at Layer 3: ESP (IP protocol 50) gives encryption plus authentication; AH (IP protocol 51) gives authentication only.
- IKE (UDP 500) runs Phase 1 to build the management tunnel and Phase 2 to build the data tunnel; tunnel mode is the site-to-site default.
- SSL/TLS VPNs use TCP 443, are firewall-friendly, and support clientless (browser) or full-tunnel (Cisco Secure Client/AnyConnect) remote access.
What a VPN Solves
A VPN (Virtual Private Network) creates an encrypted tunnel across an untrusted network — almost always the public internet — so two endpoints communicate as if they were on the same private LAN. It delivers confidentiality (encryption), integrity (hashing), and authentication (proving each peer is genuine) over a link you do not control.
Site-to-Site vs. Remote-Access
| Attribute | Site-to-site VPN | Remote-access VPN |
|---|---|---|
| Connects | Two whole networks (HQ ↔ branch) | One user device to the network |
| Endpoints | Routers or firewalls at each site | User device ↔ VPN gateway |
| State | Always-on, permanent tunnel | On-demand, user initiates |
| Typical protocol | IPsec | SSL/TLS or IPsec |
| User awareness | Transparent — users don't know | User must launch a client |
Scenario clue: "a branch office automatically reaches HQ resources with no user action" = site-to-site. "A travelling salesperson opens a client to reach the intranet" = remote-access.
IPsec — Security at Layer 3
IPsec (Internet Protocol Security) is a suite, not a single protocol, and it secures traffic at the Network layer (Layer 3). It is the default for site-to-site tunnels.
| Protocol | Service provided | Identifier |
|---|---|---|
| ESP (Encapsulating Security Payload) | Encryption + authentication + integrity | IP protocol 50 |
| AH (Authentication Header) | Authentication + integrity only (no encryption) | IP protocol 51 |
| IKE (Internet Key Exchange) | Negotiates keys and security associations | UDP port 500 (4500 for NAT-T) |
ESP is used in virtually all real deployments because confidentiality requires encryption; AH alone leaves data readable. A favorite trap question: only ESP provides encryption — AH does not.
Tunnel Mode vs. Transport Mode
| Mode | What gets encrypted | Use case |
|---|---|---|
| Tunnel | The entire original IP packet, then a new IP header is added | Site-to-site VPN (default) |
| Transport | Only the payload; original IP header stays | Host-to-host within a trusted core |
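The two tables above (ESP vs. AH, and tunnel vs. transport mode) answer the same practical question: which bytes does each protocol and mode hide from someone watching the wire, and which stay readable? The following toy model is an added example, not code from the page or from any IPsec stack. Its byte layouts, the SHA-256 counter-mode "cipher", and the keys are all constructed for illustration (real ESP uses AES, and a real SA gets its keys from IKE Phase 2); the RFC 4302/4303 wire formats are more involved. It lets you confirm that ESP in tunnel mode hides both payload and inner addresses, ESP in transport mode hides the payload but not the original header, and AH hides nothing while still detecting tampering.

```python
"""Toy model of what AH and ESP protect, in tunnel and transport mode (constructed demo)."""
import hashlib
import hmac
import struct

ENC_KEY = b"demo-esp-encryption-key-32-bytes"   # constructed demo key (would come from IKE Phase 2)
AUTH_KEY = b"demo-ipsec-integrity-key"          # constructed demo key
ICV_LEN = 12                                    # truncated HMAC, like the HMAC-SHA-xx-96 variants


def ip_header(src: str, dst: str) -> bytes:
    """Simplified IP header: 4-byte source address, 4-byte destination address."""
    return bytes(int(o) for o in src.split(".")) + bytes(int(o) for o in dst.split("."))


def ip_packet(src: str, dst: str, payload: bytes) -> bytes:
    return ip_header(src, dst) + payload


def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Constructed stream cipher: XOR data with SHA-256(key || iv || counter) blocks.
    Symmetric, so the same call decrypts. Real ESP uses AES (CBC or GCM)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + iv + struct.pack("!I", i // 32)).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def icv(data: bytes) -> bytes:
    """Integrity Check Value: truncated HMAC-SHA-256 over the protected bytes."""
    return hmac.new(AUTH_KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def esp_encapsulate(packet: bytes, spi: int, seq: int, mode: str,
                    gw_src: str = "203.0.113.1", gw_dst: str = "198.51.100.1") -> bytes:
    """ESP (IP protocol 50): encrypt, then authenticate the ESP header + ciphertext.
    tunnel:    the entire original packet is encrypted and a new outer header is added.
    transport: only the payload is encrypted; the original header stays in the clear."""
    if mode == "tunnel":
        outer, plaintext = ip_header(gw_src, gw_dst), packet
    elif mode == "transport":
        outer, plaintext = packet[:8], packet[8:]
    else:
        raise ValueError(f"unknown mode {mode!r}")
    esp_header = struct.pack("!II", spi, seq)            # SPI + sequence number
    body = esp_header + keystream_xor(ENC_KEY, esp_header, plaintext)
    return outer + body + icv(body)


def esp_decapsulate(wire: bytes, mode: str) -> bytes:
    """Verify the ICV, decrypt, and rebuild the original packet. Raises on tampering."""
    outer, body, tag = wire[:8], wire[8:-ICV_LEN], wire[-ICV_LEN:]
    if not hmac.compare_digest(tag, icv(body)):
        raise ValueError("ESP integrity check failed")
    esp_header, ciphertext = body[:8], body[8:]
    plaintext = keystream_xor(ENC_KEY, esp_header, ciphertext)
    return plaintext if mode == "tunnel" else outer + plaintext


def ah_encapsulate(packet: bytes, spi: int, seq: int) -> bytes:
    """AH (IP protocol 51), transport mode: authenticate header + payload, encrypt nothing."""
    header, payload = packet[:8], packet[8:]
    ah = struct.pack("!II", spi, seq)
    return header + ah + icv(header + ah + payload) + payload


def ah_verify(wire: bytes) -> bool:
    """Recompute the ICV over header + AH fields + payload and compare in constant time."""
    header, ah, tag = wire[:8], wire[8:16], wire[16:16 + ICV_LEN]
    payload = wire[16 + ICV_LEN:]
    return hmac.compare_digest(tag, icv(header + ah + payload))


def visible(wire: bytes, needle: bytes) -> bool:
    """Would an eavesdropper see these bytes in the clear on the wire?"""
    return needle in wire


if __name__ == "__main__":
    original = ip_packet("10.1.1.5", "10.2.2.7", b"GET /payroll HTTP/1.1")   # constructed
    for mode in ("tunnel", "transport"):
        wire = esp_encapsulate(original, 0x1000, 1, mode)
        print(f"ESP {mode:9s}: payload visible={visible(wire, b'payroll')}, "
              f"inner header visible={visible(wire, original[:8])}")
    ah_wire = ah_encapsulate(original, 0x2000, 1)
    print(f"AH transport : payload visible={visible(ah_wire, b'payroll')}, "
          f"verifies={ah_verify(ah_wire)}")
```

Running it prints that only ESP tunnel mode hides the inner 10.x addresses, that ESP transport mode leaves the original header readable, and that AH leaves the payload readable but fails verification as soon as one payload byte is changed. That last behaviour is the whole value of AH, and the first is why site-to-site tunnels default to tunnel mode: the branch and HQ subnet addressing is not exposed to the internet path.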
IKE Phase 1 and Phase 2
| Phase | Goal | Result |
|---|---|---|
| Phase 1 (IKE/ISAKMP SA) | Authenticate the peers, agree on encryption for management | A secure management tunnel |
| Phase 2 (IPsec SA) | Negotiate the keys that protect user data | The encrypted data tunnel |
Think of Phase 1 as building the secure room and Phase 2 as agreeing how to encrypt the actual conversation inside it.
SSL/TLS VPNs
An SSL/TLS VPN operates higher in the stack (Layers 4-7) and rides the same TCP port 443 as HTTPS, which makes it far more firewall- and NAT-friendly than IPsec (whose UDP 500 / protocol 50 traffic is often blocked).
- Clientless SSL VPN — reached through a web browser, no install needed; limited to web apps, email, and file shares. Ideal for contractors and bring-your-own-device (BYOD) users.
- Full-tunnel SSL VPN — uses a client (Cisco Secure Client, formerly AnyConnect); all device traffic enters the tunnel, giving on-site-equivalent access.
Side-by-Side Comparison
| Feature | IPsec site-to-site | IPsec remote-access | SSL/TLS remote-access |
|---|---|---|---|
| Layer | 3 | 3 | 4-7 |
| Client needed | No (router-to-router) | Yes (IPsec client) | Optional (browser or Secure Client) |
| Access scope | Full network | Full network | Full or web-limited |
| Ports | UDP 500/4500, IP 50/51 | UDP 500/4500, IP 50/51 | TCP 443 |
| Firewall traversal | Often blocked | Often blocked | Very friendly (HTTPS) |
Split Tunnel vs. Full Tunnel
For remote-access VPNs, the exam distinguishes two traffic models. With a full tunnel, all of the client's traffic — including web browsing — is forced through the corporate gateway, giving central inspection at the cost of bandwidth. With a split tunnel, only traffic destined for corporate subnets enters the tunnel while general internet traffic goes directly out the local connection, saving bandwidth but reducing visibility and control. Choose full tunnel when policy demands inspecting everything; choose split tunnel when only internal resources need protection.
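The bandwidth-versus-visibility trade-off above can be made concrete by modelling the routing decision a remote-access client makes for each destination. The script below is an added example, not code from the page or from any vendor's VPN client; the corporate subnets and the sample flows are constructed values. Under a full-tunnel policy the client installs a default route toward the VPN adapter, so every flow reaches the gateway; under a split-tunnel policy only the pushed corporate prefixes do, and the gateway never sees the rest.

```python
"""Full-tunnel vs split-tunnel: which flows the corporate gateway carries and can inspect."""
import ipaddress

# Constructed: the internal prefixes the gateway pushes to the client in split-tunnel mode.
CORPORATE_SUBNETS = ["10.0.0.0/8", "172.16.0.0/12"]


def tunnel_routes(policy: str, corporate_subnets=CORPORATE_SUBNETS):
    """Routes the client installs toward the VPN adapter.
    full  -> a default route, so every packet enters the tunnel.
    split -> only the corporate prefixes; everything else keeps its local ISP route."""
    if policy == "full":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if policy == "split":
        return [ipaddress.ip_network(s) for s in corporate_subnets]
    raise ValueError(f"unknown policy {policy!r}")


def next_hop(dst: str, policy: str, corporate_subnets=CORPORATE_SUBNETS) -> str:
    """'vpn' if the destination matches a tunnel route, otherwise 'local' (direct ISP path)."""
    addr = ipaddress.ip_address(dst)
    routes = tunnel_routes(policy, corporate_subnets)
    return "vpn" if any(addr in net for net in routes) else "local"


def summarize(flows, policy: str) -> dict:
    """flows: list of (destination_ip, bytes). Returns the gateway's bandwidth load and
    how many of the session's flows it gets to inspect under the given policy."""
    via_vpn = [(dst, size) for dst, size in flows if next_hop(dst, policy) == "vpn"]
    return {
        "policy": policy,
        "flows_inspected": len(via_vpn),
        "flows_total": len(flows),
        "bytes_through_gateway": sum(size for _, size in via_vpn),
        "bytes_total": sum(size for _, size in flows),
    }


# Constructed sample session: two internal destinations, two public ones (documentation ranges).
SAMPLE_FLOWS = [
    ("10.20.30.40", 5_000),      # intranet web server
    ("172.20.1.9", 2_000),       # internal file share
    ("198.51.100.10", 50_000),   # public website
    ("203.0.113.53", 100),       # public DNS resolver
]

if __name__ == "__main__":
    for policy in ("full", "split"):
        print(summarize(SAMPLE_FLOWS, policy))
```

With the sample flows, split tunnelling sends 7,000 of 57,100 bytes through the gateway and lets it inspect 2 of 4 flows; full tunnelling sends all 57,100 bytes and inspects all 4. That is the exam's trade-off in numbers: split saves the 50 KB of public web traffic but the gateway (and whatever inspection sits behind it) never sees those two flows.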
The Cryptographic Building Blocks
IPsec is configured from a menu of algorithms, and CCNA expects you to recognize the categories:
| Function | Examples | Notes |
|---|---|---|
| Symmetric encryption | AES (128/256), 3DES (legacy) | Fast; same key both ways; protects confidentiality |
| Hashing/integrity | SHA-256, SHA-1 (legacy), MD5 (avoid) | Detects tampering |
| Key exchange | Diffie-Hellman (DH groups 14+) | Safely derives a shared secret over an open link |
| Authentication | Pre-shared key (PSK) or digital certificates | Proves each peer is genuine |
Diffie-Hellman is the elegant part: it lets two peers compute the same shared secret across the public internet without ever transmitting that secret, which is how IKE Phase 1 bootstraps the encrypted tunnel. AES with a SHA-2 hash and a strong DH group is the modern recommendation; 3DES, SHA-1, and MD5 are legacy choices a question may flag as weak.
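To see the Diffie-Hellman property in action, here is an added example (not code from the page or from any IKE implementation) that walks through the exchange as IKE Phase 1 uses it and then expands the result into directional keys the way a Phase 2 negotiation would. The group is a constructed toy (p = 2^127 - 1 with generator 3), not DH group 14 or any other IKE group, and derive_keys() is an HMAC-SHA-256 sketch rather than IKEv2's actual prf+ schedule. What it demonstrates is exactly the claim above: each peer computes the same secret from its own private value and the other side's public value, and the secret itself never crosses the wire.

```python
"""Diffie-Hellman as IKE Phase 1 uses it, followed by a Phase-2-style key derivation."""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # constructed toy modulus; production uses DH group 14+ (2048-bit MODP)
G = 3            # constructed toy generator


class Peer:
    """One IKE endpoint. The private exponent never leaves this object."""

    def __init__(self, name: str):
        self.name = name
        self._private = secrets.randbelow(P - 2) + 1   # 1 <= x <= P-2, kept secret
        self.public = pow(G, self._private, P)          # g^x mod p, the only value sent

    def shared_secret(self, other_public: int) -> int:
        """(g^y)^x mod p, which equals the (g^x)^y mod p computed by the other side."""
        return pow(other_public, self._private, P)


def derive_keys(shared: int, nonce_i: bytes, nonce_r: bytes) -> dict:
    """Phase-2-style expansion: mix the DH secret with both peers' nonces into four
    directional ESP keys (encryption and integrity, initiator->responder and back)."""
    skeyseed = hmac.new(nonce_i + nonce_r, shared.to_bytes(16, "big"), hashlib.sha256).digest()
    return {
        label: hmac.new(skeyseed, label.encode(), hashlib.sha256).digest()
        for label in ("enc_i2r", "enc_r2i", "auth_i2r", "auth_r2i")
    }


def run_exchange() -> dict:
    """Simulate HQ and a branch negotiating, and record exactly what crossed the wire."""
    hq, branch = Peer("HQ"), Peer("Branch")
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    on_the_wire = {"hq_public": hq.public, "branch_public": branch.public,
                   "nonce_i": nonce_i, "nonce_r": nonce_r}
    hq_secret = hq.shared_secret(branch.public)
    branch_secret = branch.shared_secret(hq.public)
    return {
        "hq_secret": hq_secret,
        "branch_secret": branch_secret,
        "hq_keys": derive_keys(hq_secret, nonce_i, nonce_r),
        "branch_keys": derive_keys(branch_secret, nonce_i, nonce_r),
        "wire": on_the_wire,
    }


if __name__ == "__main__":
    result = run_exchange()
    print("secrets match:", result["hq_secret"] == result["branch_secret"])
    print("derived keys match:", result["hq_keys"] == result["branch_keys"])
    print("secret was transmitted:", result["hq_secret"] in result["wire"].values())
```

Note what DH does not provide: it tells HQ that it shares a secret with whoever sent `branch_public`, not that the sender is the branch router. That identity check is the separate authentication row in the table above (pre-shared key or certificates), which is why IKE Phase 1 performs both steps before any data tunnel is built.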
On the Exam: Lock in three facts — IPsec = Layer 3 with ESP (encrypt+auth) and AH (auth only); IKE rides UDP 500; SSL/TLS VPN rides TCP 443 and is the firewall-friendly choice. Distinguish always-on site-to-site from user-initiated remote-access by the scenario wording.
A company needs a permanent, always-on encrypted connection between its headquarters router and a branch-office router so internal subnets reach each other transparently. Which solution fits?
Which IPsec component provides BOTH encryption and authentication and is used in nearly all production tunnels?
Why are SSL/TLS remote-access VPNs often easier to deploy through corporate firewalls than IPsec VPNs?