Virtual Private Networks (VPNs) and secure remote access technologies allow users and sites to communicate securely over untrusted networks such as the public internet. In modern network security architecture, remote access is no longer optional — it is a core design requirement.
A VPN creates an encrypted tunnel between two endpoints over an untrusted network, providing confidentiality, integrity, and authentication for the traffic that passes through it. It does not make the endpoints themselves trustworthy: a compromised client inside the tunnel has exactly the network reach the user was granted, which is why a remote access design pairs the VPN with strong user authentication, device posture checks and internal segmentation behind the gateway.
```mermaid
graph LR
R["Remote User"] -- "Encrypted VPN Tunnel over the public internet" --> C["Corporate Network"]
```
| Type | Description | Use Case |
|---|---|---|
| Remote Access VPN | Connects an individual user's device to the corporate network; the umbrella term for the two client variants below | Remote workers, travelling employees |
| Site-to-Site VPN | Connects two entire networks through their gateways; hosts behind the gateways need no VPN software | Branch office to headquarters, data centre to cloud VPC |
| Client-to-Site | Remote access through a software client (IPsec, OpenVPN, WireGuard) on the user's device that terminates at a VPN gateway; gives network-layer access, so it is normally paired with MFA and device posture checks | Managed laptops, BYOD, contractors |
| Clientless VPN | Remote access through a browser, typically an SSL/TLS portal that proxies specific applications; narrower access, nothing to install | Quick access to a few internal web applications, often from unmanaged devices |

| Protocol | Encryption | Performance | Security | Notes |
|---|---|---|---|---|
| IPsec (IKEv1) | AES-256; 3DES still appears in old configurations but is deprecated (64-bit block, SWEET32) | Good | Strong with modern ciphers; weak if aggressive mode with a pre-shared key is enabled, which exposes the PSK to offline cracking | Long-standing standard for site-to-site |
| IKEv2/IPsec | AES-256-GCM, AES-256-CBC | Excellent | Strong | Built-in NAT traversal and MOBIKE (RFC 4555) for fast reconnection when mobile clients change networks |
| OpenVPN | AES-256-GCM on the data channel, keyed over a TLS control channel | Good | Strong | Open source, highly configurable; audit configurations for the legacy BF-CBC cipher and for compression |
| WireGuard | ChaCha20-Poly1305 with Curve25519 key exchange | Excellent | Strong | Modern, fixed cipher suite, small codebase (the Linux kernel implementation is roughly 4,000 lines) |
| SSL/TLS VPN | AES-256 via TLS | Good | Strong | Browser-based portal or lightweight client |
| L2TP/IPsec | AES via IPsec (L2TP itself adds no encryption) | Moderate (double encapsulation) | Moderate: only as strong as the IKEv1 and PSK setup around it | Legacy; being replaced by IKEv2 |
| PPTP | MPPE (RC4) with MS-CHAPv2 authentication; both are broken | Fast | Broken | Never use; deprecated |

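The table's warnings about legacy ciphers and compression are easiest to act on against a real configuration file. The audit below is an added example, not part of the lesson and not OpenVPN project code: it parses an OpenVPN server configuration and flags the settings a reviewer would reject (64-bit block ciphers, MD5 HMAC, compression, missing TLS floor, no control-channel HMAC). The two configurations, the rule set and the function names are constructed for this illustration.

```python
import re

# Directive values a reviewer flags. BF-CBC (OpenVPN's historical default) and the
# DES variants have 64-bit blocks (SWEET32); "none" disables encryption outright.
WEAK_CIPHERS = {"none", "bf-cbc", "des-cbc", "des-ede3-cbc", "rc2-cbc", "cast5-cbc"}
AEAD_CIPHERS = {"aes-128-gcm", "aes-192-gcm", "aes-256-gcm", "chacha20-poly1305"}
WEAK_DIGESTS = {"none", "md5"}


def parse_openvpn(text):
    """Map each directive to the list of argument lists it appears with.

    Inline <tag>...</tag> blocks (embedded certificates and keys) are recorded as
    the directive with no arguments; their contents are not inspected.
    """
    directives = {}
    in_block = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue
        m = re.fullmatch(r"<(\w[\w-]*)>", line)
        if m:
            in_block = m.group(1)
            directives.setdefault(in_block, []).append([])
            continue
        parts = line.split()
        directives.setdefault(parts[0].lower(), []).append(parts[1:])
    return directives


def audit_openvpn(text):
    """Return a list of findings; an empty list means nothing to flag."""
    cfg = parse_openvpn(text)
    findings = []
    for args in cfg.get("cipher", []):
        if args and args[0].lower() in WEAK_CIPHERS:
            findings.append(f"cipher {args[0]}: weak or null cipher; use data-ciphers AES-256-GCM")
    for args in cfg.get("data-ciphers", []) + cfg.get("ncp-ciphers", []):
        for alg in (args[0].split(":") if args else []):
            if alg.lower() not in AEAD_CIPHERS:
                findings.append(f"data-ciphers lists {alg}: not an AEAD cipher; prefer AES-GCM or CHACHA20-POLY1305")
    for args in cfg.get("auth", []):
        if args and args[0].lower() in WEAK_DIGESTS:
            findings.append(f"auth {args[0]}: weak HMAC digest; use SHA256")
    compress = cfg.get("compress", [])
    if "comp-lzo" in cfg or any(a and a[0].lower() not in ("stub", "stub-v2") for a in compress):
        findings.append("comp-lzo/compress: compressing plaintext before encryption enables the VORACLE oracle attack; remove it")
    tls_min = cfg.get("tls-version-min", [])
    if not tls_min:
        findings.append("tls-version-min missing: set tls-version-min 1.2 explicitly instead of relying on the build default")
    elif any(a and float(a[0]) < 1.2 for a in tls_min):
        findings.append(f"tls-version-min {tls_min[0][0]}: allows obsolete TLS; require 1.2 or higher")
    if not any(k in cfg for k in ("tls-crypt", "tls-crypt-v2", "tls-auth")):
        findings.append("no tls-crypt/tls-auth: the TLS control channel answers anyone who can reach the port; add tls-crypt")
    return findings


# Constructed sample configurations for the demo (not from any real deployment).
LEGACY_CONF = """\
# server.conf as found on a long-lived appliance
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
cipher BF-CBC
auth MD5
comp-lzo
keepalive 10 120
"""

HARDENED_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
# ECDH only; no finite-field DH parameter file needed
dh none
data-ciphers AES-256-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-GCM
auth SHA256
tls-version-min 1.2
remote-cert-tls client
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
(key material omitted in this constructed example)
-----END OpenVPN Static key V1-----
</tls-crypt>
keepalive 10 120
"""

if __name__ == "__main__":
    for name, conf in (("legacy", LEGACY_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_openvpn(conf)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run against the two constructed files, the legacy configuration produces five findings and the hardened one none. The rules are deliberately conservative: `auth SHA1` is not flagged because HMAC-SHA1 is not broken, and the `dh` directive is not inspected at all, so extend the rule set to match your own baseline.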
IPsec operates in two modes:
| Mode | Encrypts | Use Case |
|---|---|---|
| Transport Mode | Payload only (original IP header preserved, its protocol field set to 50 for ESP) | Host-to-host communication, such as protecting one application flow between two servers |
| Tunnel Mode | Entire original packet (a new outer IP header carrying the gateways' addresses is added, so the inner addresses are not visible on the wire) | Site-to-site VPNs, gateway-to-gateway, remote access clients |

| Component | Purpose |
|---|---|
| IKE (Internet Key Exchange) | Authenticates the peers, negotiates security associations and derives their keys; IKEv2 (RFC 7296) is the current version |
| ESP (Encapsulating Security Payload) | Provides encryption plus optional integrity and origin authentication; in practice it is always configured with integrity, or with an AEAD cipher such as AES-GCM that provides both |
| AH (Authentication Header) | Provides integrity and authentication only (no encryption); it also covers the outer IP header, so it breaks through NAT and is rarely deployed |
| SA (Security Association) | Defines the parameters (algorithms, keys, lifetime) for one direction of traffic and is identified by a Security Parameter Index (SPI); a bidirectional tunnel therefore needs a pair of SAs |

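To make the two modes and the ESP framing from the tables above concrete, here is an added example that is not part of the lesson and not taken from any IPsec implementation. It builds an IPv4 packet, protects it with ESP in either mode using the NULL cipher (RFC 2410, so the layout stays readable) and HMAC-SHA-256-128 for the ICV, then unprotects and verifies it. The addresses, SA key, SPIs and HTTP payload are constructed; a real stack would additionally encrypt the payload and enforce an anti-replay window over the sequence number.

```python
import hashlib
import hmac
import socket
import struct

ESP_PROTO = 50        # IP protocol number carried in the outer header for ESP
NEXT_HDR_IPV4 = 4     # RFC 4303: Next Header 4 = an IPv4 packet follows (tunnel mode)
ICV_LEN = 16          # HMAC-SHA-256-128 (RFC 4868): 256-bit MAC truncated to 128 bits
ALIGN = 4             # with the NULL cipher ESP only needs 4-byte alignment of the trailer


def ipv4_checksum(header):
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Minimal IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet):
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"proto": proto, "ttl": ttl, "src": socket.inet_ntoa(src),
            "dst": socket.inet_ntoa(dst), "payload": packet[ihl:total_len]}


def esp_wrap(key, spi, seq, data, next_header):
    """SPI | Seq | data | padding | pad length | next header | ICV (RFC 4303 layout)."""
    pad_len = (-(len(data) + 2)) % ALIGN
    padding = bytes(range(1, pad_len + 1))          # RFC 4303 default padding 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + data + padding + bytes([pad_len, next_header])
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def esp_unwrap(key, esp):
    """Verify the ICV, then strip header and trailer. Raises ValueError on tampering."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch: packet modified in transit or wrong SA key")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    return spi, seq, next_header, body[8:len(body) - 2 - pad_len]


def protect(mode, key, spi, seq, packet, gw_src=None, gw_dst=None):
    """Apply ESP to an IPv4 packet in "transport" or "tunnel" mode."""
    inner = parse_ipv4(packet)
    if mode == "transport":
        # Original header kept (end-host addresses stay visible); only the segment goes inside ESP.
        esp = esp_wrap(key, spi, seq, inner["payload"], inner["proto"])
        return build_ipv4(inner["src"], inner["dst"], ESP_PROTO, esp, inner["ttl"])
    if mode == "tunnel":
        # Whole packet goes inside ESP; the new outer header names the two gateways, so once
        # the payload is encrypted the inner addresses are not visible on the wire.
        esp = esp_wrap(key, spi, seq, packet, NEXT_HDR_IPV4)
        return build_ipv4(gw_src, gw_dst, ESP_PROTO, esp)
    raise ValueError(f"unknown mode {mode!r}")


def unprotect(mode, key, packet):
    """Reverse protect(); returns the original IPv4 packet."""
    outer = parse_ipv4(packet)
    if outer["proto"] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    spi, seq, next_header, data = esp_unwrap(key, outer["payload"])
    if mode == "tunnel":
        return data                                  # the encapsulated original packet
    return build_ipv4(outer["src"], outer["dst"], next_header, data, outer["ttl"])


# Constructed demo values: private inner addresses, RFC 5737 documentation addresses
# for the gateways, and a fixed 256-bit SA key.
SA_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
ORIGINAL = build_ipv4("10.0.0.5", "10.0.1.7", 6, b"GET / HTTP/1.1\r\n")  # protocol 6 = TCP


def demo():
    transport = protect("transport", SA_KEY, 0x1000, 1, ORIGINAL)
    tunnel = protect("tunnel", SA_KEY, 0x2000, 1, ORIGINAL, "203.0.113.1", "198.51.100.1")
    return {
        "transport": transport,
        "tunnel": tunnel,
        "transport_outer": parse_ipv4(transport),
        "tunnel_outer": parse_ipv4(tunnel),
        "transport_roundtrip": unprotect("transport", SA_KEY, transport) == ORIGINAL,
        "tunnel_roundtrip": unprotect("tunnel", SA_KEY, tunnel) == ORIGINAL,
    }


if __name__ == "__main__":
    r = demo()
    print("transport outer header: %(src)s -> %(dst)s proto %(proto)d" % r["transport_outer"])
    print("tunnel outer header:    %(src)s -> %(dst)s proto %(proto)d" % r["tunnel_outer"])
    print("tunnel mode costs %d extra bytes" % (len(r["tunnel"]) - len(r["transport"])))
```

The round trip shows the trade-off directly: transport mode keeps the end hosts' addresses in the outer header and saves 20 bytes per packet, while tunnel mode exposes only the gateway addresses and the SPI. Flipping any byte of the ESP body makes `esp_unwrap` raise, which is the integrity property the ICV provides; with the NULL cipher there is no confidentiality at all, which is why ESP_NULL is acceptable only for testing or when the payload is already encrypted at a higher layer.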
```mermaid
sequenceDiagram
participant A as Site A
participant B as Site B
Note over A,B: Phase 1 (IKE SA); IKEv2 does this in the IKE_SA_INIT and IKE_AUTH exchanges
A->>B: Propose algorithms, send nonce and Diffie-Hellman value
B->>A: Accept proposal, send nonce and Diffie-Hellman value
A->>B: Authenticate (PSK or certificate) under the keys derived from the exchange
B->>A: Authenticate
Note over A,B: Secure management channel established
Note over A,B: Phase 2 (IPsec SA); IKEv1 Quick Mode, or in IKEv2 the first Child SA inside IKE_AUTH and later ones via CREATE_CHILD_SA
A->>B: Negotiate data encryption parameters and traffic selectors
B->>A: Negotiate data encryption parameters and traffic selectors
Note over A,B: Encrypted data tunnel active (a pair of one-way SAs, one per direction)
```
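The two phases in the diagram exist so that every data-channel key is bound to one authenticated key exchange. The following added example (not part of the lesson and not taken from any IKE implementation) replays the RFC 7296 key derivation for both sides: a Diffie-Hellman exchange in Phase 1, the IKE SA keys (SK_d, SK_a*, SK_e*, SK_p*) from the shared secret, nonces and SPIs, then Child SA keying material from SK_d in Phase 2, and finally a rekey with fresh nonces. The DH group is a toy 127-bit prime chosen only to keep the code short; SPIs and nonces are random, the PRF is HMAC-SHA-256, all keys are fixed at 32 bytes, and the rekey is shown without PFS.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for this demo ONLY (p = 2^127 - 1, a Mersenne prime).
# Real IKE uses a registered group such as RFC 3526 group 14 (2048-bit MODP) or an ECP group.
P = (1 << 127) - 1
G = 3
GROUP_BYTES = 16          # enough to hold any value below P
KEY_LEN = 32              # SHA-256 output; used for every SK_* and Child SA key here


def prf(key, data):
    """prf = HMAC-SHA-256 (PRF_HMAC_SHA2_256 in IKEv2)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key, seed, length):
    """RFC 7296 s2.13: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n); output is T1|T2|..."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


def ike_sa_keys(spi_i, spi_r, n_i, n_r, g_ir):
    """RFC 7296 s2.14: SKEYSEED = prf(Ni|Nr, g^ir); SK_* = prf+(SKEYSEED, Ni|Nr|SPIi|SPIr)."""
    skeyseed = prf(n_i + n_r, g_ir)
    names = ["SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr"]
    material = prf_plus(skeyseed, n_i + n_r + spi_i + spi_r, KEY_LEN * len(names))
    return {name: material[i * KEY_LEN:(i + 1) * KEY_LEN] for i, name in enumerate(names)}


def child_sa_keys(sk_d, n_i, n_r):
    """RFC 7296 s2.17 without PFS: KEYMAT = prf+(SK_d, Ni|Nr); initiator-to-responder
    keys are taken first, and the encryption key before the integrity key."""
    names = ["enc_i2r", "integ_i2r", "enc_r2i", "integ_r2i"]
    keymat = prf_plus(sk_d, n_i + n_r, KEY_LEN * len(names))
    return {name: keymat[i * KEY_LEN:(i + 1) * KEY_LEN] for i, name in enumerate(names)}


class Peer:
    """One IKE endpoint: picks its SPI, nonce and DH private value."""

    def __init__(self):
        self.spi = secrets.token_bytes(8)          # IKE SPIs are 64-bit
        self.nonce = secrets.token_bytes(32)       # nonces are 16..256 bytes
        self._x = secrets.randbelow(P - 2) + 1     # private exponent, never sent
        self.public = pow(G, self._x, P)           # g^x mod p, sent in IKE_SA_INIT

    def shared_secret(self, peer_public):
        return pow(peer_public, self._x, P).to_bytes(GROUP_BYTES, "big")


def run_exchange():
    """Simulate both sides of Phase 1 and Phase 2 and return what each side derived."""
    init, resp = Peer(), Peer()
    # Phase 1 / IKE_SA_INIT: each side learns only the other's SPI, nonce and public DH value.
    g_ir_i = init.shared_secret(resp.public)
    g_ir_r = resp.shared_secret(init.public)
    ike_i = ike_sa_keys(init.spi, resp.spi, init.nonce, resp.nonce, g_ir_i)
    ike_r = ike_sa_keys(init.spi, resp.spi, init.nonce, resp.nonce, g_ir_r)
    # Phase 2 / first Child SA: data keys come from SK_d, so they are bound to the
    # authenticated IKE SA without a second DH exchange.
    child_i = child_sa_keys(ike_i["SK_d"], init.nonce, resp.nonce)
    child_r = child_sa_keys(ike_r["SK_d"], init.nonce, resp.nonce)
    # Rekey / CREATE_CHILD_SA: fresh nonces give an unrelated set of data keys.
    n_i2, n_r2 = secrets.token_bytes(32), secrets.token_bytes(32)
    rekeyed = child_sa_keys(ike_i["SK_d"], n_i2, n_r2)
    return {"ike_i": ike_i, "ike_r": ike_r, "child_i": child_i, "child_r": child_r, "rekeyed": rekeyed}


if __name__ == "__main__":
    r = run_exchange()
    print("IKE SA keys agree:  ", r["ike_i"] == r["ike_r"])
    print("Child SA keys agree:", r["child_i"] == r["child_r"])
    print("Rekey changed keys: ", r["rekeyed"] != r["child_i"])
```

Two properties are worth noticing. Each direction gets its own encryption and integrity key, matching the pair of one-way SAs in the diagram, and a rekey with new nonces yields keys unrelated to the old ones even though SK_d is unchanged. Because this rekey reuses the Phase 1 DH secret, compromise of SK_d exposes every Child SA derived from it; enabling PFS adds a fresh DH value to the CREATE_CHILD_SA derivation and removes that dependency.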
```mermaid
graph TD
R["Remote User"] --> VC["VPN Client"]
VC -- "Encrypted tunnel over internet" --> VG["VPN Concentrator / Gateway"]
VG --> IFW["Internal Firewall"]
IFW --> RES["Internal Network Resources"]
```