Q

What are the differences between a site-to-site VPN and a VPN client connecting to a VPN server?

What are the differences between a site-to-site VPN and a VPN client connecting to a VPN server? What protocols

are used for these?

Site-to-site VPNs connect entire networks to each other -- for example, connecting a branch office network to a company headquarters network. In a site-to-site VPN, hosts do not have VPN client software; they send and receive normal TCP/IP traffic through a VPN gateway. The VPN gateway is responsible for encapsulating and encrypting outbound traffic, sending it through a VPN tunnel over the Internet, to a peer VPN gateway at the target site. Upon receipt, the peer VPN gateway strips the headers, decrypts the content, and relays the packet towards the target host inside its private network.

Remote access VPNs connect individual hosts to private networks -- for example, travelers and teleworkers who need to access their company's network securely over the Internet. In a remote access VPN, every host must have VPN client software (more on this in a minute). Whenever the host tries to send any traffic, the VPN client software encapsulates and encrypts that traffic before sending it over the Internet to the VPN gateway at the edge of the target network. Upon receipt, that VPN gateway behaves as described above for site-to-site VPNs. If the target host inside the private network returns a response, the VPN gateway performs the reverse process to send an encrypted response back to the VPN client over the Internet.

The most common secure tunneling protocol used in site-to-site VPNs is the IPsec Encapsulating Security Payload (ESP), an extension to the standard IP protocol used by the Internet and most corporate networks today. Most routers and firewalls now support IPsec and so can be used as a VPN gateway for the private network behind them. Another site-to-site VPN protocol is Multi-Protocol Label Switching (MPLS), although MPLS does not provide encryption.

Remote access VPN protocols are more varied. The Point to Point Tunneling Protocol (PPTP) has been included in every Windows operating system since Windows 95. The Layer 2 Tunneling Protocol (L2TP) over IPsec is present in Windows 2000 and XP and is more secure than PPTP. Many VPN gateways use IPsec alone (without L2TP) to deliver remote access VPN services. All of these approaches require VPN client software on every host, and a VPN gateway that supports the same protocol and options/extensions for remote access.

Over the past few years, many vendors have released secure remote access products that use SSL and ordinary web browsers as an alternative to IPsec/L2TP/PPTP VPNs. These "SSL VPNs" are often referred to as "clientless," but it is more accurate to say that they use web browsers as VPN clients, usually in combination with dynamically-downloaded software (Java applet, ActiveX control, or temporary Win32 program that is removed when the session ends). Also, unlike PPTP, L2TP, and IPsec VPNs, which connect remote hosts to an entire private network, SSL VPNs tend to connect users to specific applications protected by the SSL VPN gateway.

To learn more about VPN protocols and topologies, watch my New directions in VPN searchSecurity webcast, or read this InfoSec Magazine article on SSL VPNs.

This was first published in January 2005

Dig deeper on IP Networking

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchSDN

SearchEnterpriseWAN

SearchUnifiedCommunications

SearchMobileComputing

SearchDataCenter

SearchITChannel

Close