VPN Scenarios

IPSec supports three basic VPN scenarios.

To connect remote offices over the Internet to a central office (top), a company places a VPN gateway at each office and establishes a secure VPN tunnel between the gateways. Traffic is secured only while it moves through the tunnel.

In a remote-user scenario (middle), individual roaming or home users connect to a company’s network over the Internet (middle) through a VPN gateway, using VPN client software on their machines.

In the untrusted private network scenario (bottom), an organization needs to connect workstations or servers over a network that is insecure, such as an 802.11b wireless LAN or a wired LAN in a physically insecure environment like a university campus. Each individual computer establishes a VPN tunnel with each resource (e.g., a file server) it needs to use.

IPSec’s role in all these scenarios is to secure the gateway-to-gateway, computer-to-gateway, or computer-to-computer connection in the VPN tunnel, providing authentication of devices, ensuring integrity of transmitted data, and (optionally) encrypting data for confidentiality. An additional protocol, called the Layer 2 Tunneling Protocol (L2TP), provides user authentication for remote user and some remote office situations.