Virtual Private Networks
Chapter Overview
Virtual Private Networks are foundational to enterprise security — enabling secure communication across untrusted public networks for remote workforces, branch offices, and partner connections. VPNs create encrypted tunnels that protect data from eavesdropping, tampering, and unauthorised access, effectively building a private road within the public highway.
The relevance of VPNs has only grown with the rise of remote work, distributed branches, and cloud-first strategies. Mastering VPN concepts equips you to design and implement resilient security architectures that keep businesses running safely and efficiently — and is a core requirement for the SCOR 350-701 exam.
Core Concepts
VPN Fundamentals: Confidentiality, Integrity, and Authentication
At its core, a VPN creates a secure encrypted tunnel over an unsecured network, providing three critical security services:
- Confidentiality — data is encrypted so only authorised parties can read it.
- Integrity — hashing algorithms verify the data has not been altered in transit.
- Authentication — confirms the identity of communicating parties, preventing impersonation.
💡 Real-world Example: A pharmaceutical company sends sensitive research data from its European lab to its US headquarters over the public internet. A VPN keeps the data encrypted, detects any tampering in transit, and verifies that both endpoints are legitimate — preventing industrial espionage or data corruption.
Site-to-Site VPNs
Site-to-site VPNs connect entire networks at different geographical locations, making them appear as a single contiguous private network. These VPNs are established between network infrastructure devices — routers or firewalls — at each site. Traffic is automatically routed through the secure tunnel without requiring individual user action.
💡 Real-world Example: A retail chain with a main corporate office and multiple branch stores uses a site-to-site VPN. Each branch’s point-of-sale systems connect securely to the central data centre over an IPsec tunnel, allowing seamless and secure transaction processing and data synchronisation across all locations.
Remote-Access VPNs
Remote-access VPNs allow individual users to securely connect to the organisation’s private network from remote locations. They require client software on the user’s device (such as Cisco Secure Client) that establishes a secure tunnel to a VPN headend device — enabling remote users to access internal resources as if physically present in the office.
💡 Real-world Example: During a global pandemic, a company enables its entire workforce to work from home. Each employee installs Cisco Secure Client on their laptop, which establishes an SSL or IPsec tunnel to the corporate firewall — granting secure access to internal file servers, applications, and collaboration tools.
IPsec Protocol Suite
IPsec provides cryptographic security at the IP layer and operates in two modes:
- Tunnel mode — encrypts the entire original IP packet and encapsulates it in a new IP packet. Used for site-to-site VPNs between gateways.
- Transport mode — encrypts only the payload of the original IP packet. Used for end-to-end host security.
IPsec relies on IKE (Internet Key Exchange) for key management, and uses ESP (Encapsulating Security Payload) for confidentiality and integrity, or AH (Authentication Header) for integrity and authentication only.
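The two ESP modes above, and the confidentiality, integrity and authentication services listed under VPN Fundamentals, as an added example that is not from the chapter: a standard-library Python script that builds the tunnel-mode and transport-mode packet layouts, shows which fields an on-path observer can still read in each mode, and performs the receiver's ICV and anti-replay checks before decrypting. Only the packet layout is faithful to ESP; the cipher is a constructed HMAC-SHA256 keystream standing in for AES-GCM, the ICV is a truncated HMAC, the keys, addresses and payload are constructed, and no IKE negotiation takes place.

```python
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass

PROTO_ESP = 50   # IP protocol number carried in the outer header for ESP
NH_IPIP = 4      # ESP next-header value meaning "an IPv4 packet follows" (tunnel mode)
ICV_LEN = 16     # truncated HMAC length used by this toy (constructed choice)


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options, header checksum left as 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def parse_ipv4_header(pkt):
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]), "proto": f[6]}


def _keystream(key, spi, seq, n):
    """CONSTRUCTED stand-in for AES-GCM: HMAC-SHA256 driven in counter mode.
    Real ESP uses the cipher negotiated by IKE; this exists only so the demo runs on stdlib."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


@dataclass
class SecurityAssociation:
    spi: int
    enc_key: bytes
    auth_key: bytes
    seq_out: int = 0      # last sequence number sent on this SA
    seq_in_max: int = 0   # highest sequence number accepted (minimal anti-replay check)


def new_sa():
    """Constructed fixed keys. In practice IKE derives them and each SA/direction gets its own."""
    return SecurityAssociation(spi=0x1001, enc_key=b"k" * 32, auth_key=b"a" * 32)


def esp_encapsulate(sa, inner, next_header):
    """ESP header || encrypt(inner || trailer) || ICV. The ICV covers header and ciphertext."""
    sa.seq_out += 1
    esp_hdr = struct.pack("!II", sa.spi, sa.seq_out)
    plaintext = inner + bytes([0, next_header])          # trailer: pad length (0), next header
    ks = _keystream(sa.enc_key, sa.spi, sa.seq_out, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, ks))
    icv = hmac.new(sa.auth_key, esp_hdr + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return esp_hdr + ciphertext + icv


def esp_decapsulate(sa, esp):
    """Check the ICV before touching the ciphertext, reject replays, then decrypt."""
    esp_hdr, ciphertext, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, esp_hdr + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch: modified in transit or wrong SA key")
    spi, seq = struct.unpack("!II", esp_hdr)        # SA lookup by SPI is outside this toy
    if seq <= sa.seq_in_max:
        raise ValueError(f"sequence {seq} already seen: replay rejected")
    sa.seq_in_max = seq
    ks = _keystream(sa.enc_key, spi, seq, len(ciphertext))
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, ks))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    return plaintext[:len(plaintext) - 2 - pad_len], next_header


def tunnel_mode(sa, orig_pkt, gw_src, gw_dst):
    """Gateway to gateway: the whole original packet, header included, is the ESP payload."""
    esp = esp_encapsulate(sa, orig_pkt, NH_IPIP)
    return ipv4_header(gw_src, gw_dst, PROTO_ESP, len(esp)) + esp


def transport_mode(sa, orig_pkt):
    """Host to host: only the payload is protected; the original IP addresses stay visible."""
    ip = parse_ipv4_header(orig_pkt)
    esp = esp_encapsulate(sa, orig_pkt[20:], ip["proto"])
    return ipv4_header(ip["src"], ip["dst"], PROTO_ESP, len(esp)) + esp


def decapsulate(sa, pkt):
    """Reverse either mode; returns (original_packet, next_header)."""
    inner, nh = esp_decapsulate(sa, pkt[20:])
    if nh == NH_IPIP:                                # tunnel mode: inner is a full packet
        return inner, nh
    outer = parse_ipv4_header(pkt)                   # transport mode: restore the header
    return ipv4_header(outer["src"], outer["dst"], nh, len(inner)) + inner, nh


def on_path_view(pkt):
    """Everything an observer on the untrusted network can read without the SA keys."""
    ip = parse_ipv4_header(pkt)
    spi, seq = struct.unpack("!II", pkt[20:28])
    return {**ip, "spi": spi, "seq": seq}


# Constructed sample: a UDP datagram (protocol 17) between two internal hosts.
INNER_PKT = ipv4_header("10.1.1.10", "10.2.2.20", 17, 12) + b"hello-branch"

if __name__ == "__main__":
    tun = tunnel_mode(new_sa(), INNER_PKT, "203.0.113.1", "198.51.100.1")
    tra = transport_mode(new_sa(), INNER_PKT)
    print("tunnel   ", on_path_view(tun))    # only the gateway addresses are visible
    print("transport", on_path_view(tra))    # the internal host addresses are visible
```

Running it prints the on-path view of each mode: in tunnel mode the observer sees only the gateway addresses, protocol 50, the SPI and a sequence number, while in transport mode the internal host addresses remain in the clear. The receiver verifies the ICV before decrypting (a modified packet or wrong key is rejected without ever being decrypted) and refuses a sequence number it has already accepted, which is the anti-replay behaviour ESP provides on top of confidentiality and integrity.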
💡 Real-world Example: Two partner companies exchange confidential design specifications. They establish an IPsec site-to-site tunnel between their firewalls — ensuring all data is encrypted and authenticated at the network layer, providing robust end-to-end security regardless of the underlying transport.
SSL/TLS VPNs
SSL/TLS VPNs provide secure remote access using the SSL/TLS protocol and are available in two forms:
- Clientless — browser-based access to web applications without installing persistent software. Suitable for unmanaged or temporary devices.
- Client-based — deploys a lightweight client (Cisco Secure Client) for full network layer access to all internal IP resources.
💡 Real-world Example: A consultant needing occasional access to a client’s CRM system while travelling uses a clientless SSL VPN — opening a browser, navigating to the VPN portal, authenticating, and accessing the web-based application without installing any software.
DMVPN (Dynamic Multipoint VPN)
DMVPN simplifies IPsec VPN deployment in hub-and-spoke topologies. It uses mGRE (multipoint GRE) tunnels and NHRP (Next Hop Resolution Protocol) to allow spoke sites to dynamically build direct tunnels to each other — eliminating the need to route all spoke-to-spoke traffic through the hub and significantly reducing latency in large deployments.
💡 Real-world Example: A logistics company with a central warehouse (hub) and hundreds of delivery depots (spokes) uses DMVPN. When a delivery needs to be rerouted between depots, those spokes communicate directly over a dynamically built tunnel rather than routing all traffic back through the central warehouse — improving efficiency and reducing WAN costs.
GET VPN (Group Encrypted Transport VPN)
GET VPN provides any-to-any secure connectivity within a closed group of routers without requiring explicit tunnels between every pair. It uses a group key to encrypt traffic between all group members while preserving the original IP headers — making it ideal for multicast traffic and routing protocol preservation across a private WAN.
💡 Real-world Example: A utility company secures SCADA traffic between substations using GET VPN. All substation routers belong to the same VPN group and encrypt traffic without the overhead of maintaining individual IPsec tunnels between every pair — providing mesh-like security efficiently across a managed WAN.
VPNs in Cisco SD-WAN
Cisco SD-WAN integrates IPsec VPN as a core component of its secure overlay network. Edge devices (vEdge or cEdge routers) automatically establish encrypted IPsec tunnels to other edge devices and data centres, forming a fully meshed or hub-and-spoke topology managed centrally by vManage — providing encrypted transport across all WAN links.
💡 Real-world Example: A global manufacturing company deploys Cisco SD-WAN across all factories and offices. The SD-WAN solution automatically builds and manages IPsec tunnels between all sites, ensuring sensitive manufacturing data is encrypted in transit over both public and private WAN links — all orchestrated from a single management plane.

Real World Analogy
🚇 Think of a VPN like a private tunnel under a busy public road. Anyone driving on the road above (the internet) can see the traffic on the surface, but your vehicle (data) travels through the tunnel, invisible and protected from outside view. Site-to-site VPNs are like permanent tunnels connecting two cities. Remote-access VPNs are like a portable tunnel entrance each employee carries — connecting them to the city whenever they need access, from wherever they are.
Chapter Recap
This chapter explored VPN fundamentals — confidentiality, integrity, and authentication — and the two primary deployment models: site-to-site for fixed network connections and remote-access for individual users. IPsec with IKEv1/v2 and SSL/TLS VPNs form the protocol foundation. Cisco’s advanced solutions — DMVPN for scalable hub-and-spoke, FlexVPN for unified IKEv2-based deployments, and GET VPN for any-to-any encrypted connectivity — address complex enterprise requirements. VPNs are also integral to Cisco SD-WAN’s secure overlay architecture, managed centrally through vManage.
Key Exam Points
- IPsec operates at Layer 3; SSL/TLS VPNs operate at Layer 4/7.
- IPsec components: IKE (key exchange), ESP (confidentiality + integrity), AH (integrity + auth, no encryption).
- Recommended IPsec parameters: AES-256 encryption, SHA-384/512 hashing, DH Groups 19/20/21 for PFS.
- Site-to-site VPNs connect router/firewall to router/firewall; remote-access connects client to headend.
- GRE and L2TP are tunnelling protocols only — they provide no security without IPsec.
- DMVPN uses mGRE and NHRP for dynamic spoke-to-spoke tunnel formation.
- GET VPN uses a group key; preserves original IP headers; designed for closed private WAN groups.
- IKEv2 is the modern preferred standard — more efficient, better NAT traversal, built-in DPD, mobility support.
- ASA/Secure Firewall remote-access VPN elements: tunnel-groups, group-policies, address pools, auth server integration.
- Cisco SD-WAN uses IPsec overlays managed by vManage across vEdge/cEdge devices.
Common Mistakes to Avoid
⚠️ GRE and L2TP are not secure by themselves — Both are tunnelling protocols without encryption, integrity, or authentication. They must be combined with IPsec to provide security.
⚠️ Don’t use weak DH groups — DH Groups 1 and 2 are cryptographically weak and should never be used in production. Always use Groups 19, 20, or 21 for modern deployments.
⚠️ Clientless SSL VPN ≠ full network access — Clientless mode provides access only to web-based applications through the browser. Full network layer access requires client-based SSL or IPsec VPN.
⚠️ IKEv1 and IKEv2 are not the same — IKEv2 offers significant improvements: simpler negotiation, better NAT traversal, built-in Dead Peer Detection, and mobility support. Always prefer IKEv2 for new deployments.
⚠️ Split-tunnelling vs full-tunnelling has security implications — Split-tunnelling routes only corporate traffic over the VPN; internet traffic goes direct. If the user’s local network is compromised, this can expose the session. Full-tunnelling routes all traffic through the VPN for comprehensive protection but increases headend load.
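An added example, not from the chapter, that turns the recommended IPsec parameters from Key Exam Points and the weak-DH-group warning above into a configuration check: it reads Cisco IOS-style `crypto ikev2 proposal` stanzas, reports every encryption, integrity or DH-group entry outside the recommended set, and flags any `crypto isakmp policy` (IKEv1) stanza. The sample configuration is constructed, and the parser assumes the sub-commands of a proposal follow its header line until the next top-level `crypto` line; adjust that assumption to your own configuration layout.

```python
import re

# Values the chapter recommends (Key Exam Points) and the DH groups it forbids.
STRONG_ENCRYPTION = {"aes-cbc-256", "aes-gcm-256"}
STRONG_INTEGRITY = {"sha384", "sha512"}
STRONG_DH_GROUPS = {"19", "20", "21"}
WEAK_DH_GROUPS = {"1", "2"}


def parse_ikev2_proposals(config):
    """Collect the encryption/integrity/group lists of each 'crypto ikev2 proposal' stanza.
    Assumes IOS-style layout: sub-commands follow the header until the next top-level
    'crypto ...' line (a constructed assumption about the input)."""
    proposals, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"crypto ikev2 proposal (\S+)$", line)
        if header:
            current = proposals.setdefault(header.group(1),
                                           {"encryption": [], "integrity": [], "group": []})
            continue
        if line.startswith("crypto "):   # some other stanza: we have left the proposal
            current = None
            continue
        parts = line.split()
        if current is not None and parts and parts[0] in current:
            current[parts[0]].extend(parts[1:])
    return proposals


def audit_proposal(name, prop):
    """Every algorithm offered in a proposal is negotiable, so a single weak entry is
    enough for a peer to settle on it. Report each entry outside the recommended set."""
    findings = []
    for alg in prop["encryption"]:
        if alg not in STRONG_ENCRYPTION:
            findings.append(f"{name}: encryption '{alg}' offered; use AES-256")
    for alg in prop["integrity"]:
        if alg not in STRONG_INTEGRITY:
            findings.append(f"{name}: integrity '{alg}' offered; use SHA-384/512")
    for group in prop["group"]:
        if group in WEAK_DH_GROUPS:
            findings.append(f"{name}: DH group {group} is weak and must not be used")
        elif group not in STRONG_DH_GROUPS:
            findings.append(f"{name}: DH group {group} offered; use 19/20/21")
    if not prop["group"]:
        findings.append(f"{name}: no DH group configured")
    return findings


def audit_config(config):
    """Run the checks over a whole configuration, and flag IKEv1 policies because the
    chapter says to prefer IKEv2 for new deployments."""
    findings = []
    if re.search(r"^\s*crypto isakmp policy", config, re.MULTILINE):
        findings.append("IKEv1 'crypto isakmp policy' present; prefer IKEv2 for new deployments")
    for name, prop in parse_ikev2_proposals(config).items():
        findings.extend(audit_proposal(name, prop))
    return findings


# Constructed sample configuration (not taken from any real device).
SAMPLE_CONFIG = """
crypto ikev2 proposal STRONG-PROP
 encryption aes-cbc-256
 integrity sha384 sha512
 group 19 20 21
crypto ikev2 proposal LEGACY-PROP
 encryption aes-cbc-128 3des
 integrity sha1
 group 2 14
crypto isakmp policy 10
 encr aes 256
 hash sha
 group 2
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("WARN", finding)
```

On the sample configuration STRONG-PROP passes cleanly, while LEGACY-PROP produces one finding per weak entry (AES-128, 3DES, SHA-1, the forbidden group 2 and the non-recommended group 14) and the IKEv1 policy is flagged separately. The per-entry reporting matters because removing only the single worst algorithm still leaves the proposal negotiable down to the next weakest one.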