IPsec can be used in tunnel mode or transport mode, but most VPNs use IPsec in tunnel mode. IPsec in tunnel mode works just like I've described with respect to encapsulation and traversing intervening networks. But IPsec also uses security measures to protect the inner IP packet from eavesdropping, replay, insertion, or modification. For example, IPsec ESP in tunnel mode encrypts the entire inner packet (including the inner packet's IP header) so that nobody in between can see the ultimate source or destination, type of application, or data payload. IPsec ESP and AH in tunnel mode use a hashed message authentication code to detect any change to the inner IP packet. Your "normal tunnels" probably do not have this type of cryptographic protection, which means that someone could inject modified packets or intercept your data in transit. If you are sending confidential information and need to be sure that no one (including your ISP) can tamper with that information, you should use IPsec tunnels.
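The receiver-side checks that separate an authenticated tunnel from a plain one, as an added example that is not part of the original article: a simplified ESP-like frame (SPI, sequence number, inner packet, truncated HMAC) with a sliding anti-replay window. The names `protect` and `Receiver`, the 16-byte ICV and the 64-packet window are assumptions, this is not the ESP wire format, and the encryption step is omitted because the Python standard library has no block cipher.

```python
import hashlib, hmac, struct

ICV_LEN = 16   # HMAC-SHA-256 output truncated to 128 bits (assumed choice)
WINDOW = 64    # anti-replay window size in packets (assumed choice)

def protect(key, spi, seq, inner_packet):
    """Sender: SPI + sequence number + inner packet, then an ICV over all of it."""
    body = struct.pack("!II", spi, seq) + inner_packet
    return body + hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]

class Receiver:
    def __init__(self, key, spi):
        self.key, self.spi = key, spi
        self.highest = 0   # highest sequence number authenticated so far
        self.seen = 0      # bit i set => sequence (highest - i) already accepted

    def accept(self, packet):
        """Return the inner packet, or raise ValueError naming the failed check."""
        if len(packet) < 8 + ICV_LEN:
            raise ValueError("truncated")
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = struct.unpack("!II", body[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        age = self.highest - seq           # >= 0 means not newer than the window head
        if seq == 0 or (age >= 0 and (age >= WINDOW or (self.seen >> age) & 1)):
            raise ValueError("replay")     # duplicate, or too old to track
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("bad ICV")    # modified or injected packet
        # Advance the window only after the packet has authenticated.
        if age < 0:
            self.seen = ((self.seen << -age) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.seen |= 1 << age
        return body[8:]

if __name__ == "__main__":
    key = b"\x01" * 32                     # constructed demo key
    rx = Receiver(key, 0x1001)
    pkt = protect(key, 0x1001, 1, b"constructed inner IP packet")
    fresh = protect(key, 0x1001, 2, b"constructed inner IP packet")
    print(rx.accept(pkt))
    for bad in (pkt, fresh[:12] + b"X" + fresh[13:]):   # replayed, then modified
        try:
            rx.accept(bad)
        except ValueError as err:
            print("dropped:", err)
```

Because the window moves only after the HMAC verifies, a forged packet carrying a high sequence number cannot push legitimate traffic out of the window.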
Bandwidth management is independent of tunneling method. Products without bandwidth management features don't allocate any specific bandwidth to each tunnel -- all tunnels share the aggregate bandwidth of the data link, first-come, first-served. On the other hand, if your firewall or router provides bandwidth management, it may do so in a wide variety of ways. It might let you prioritize tunnels so that one tunnel gets "first dibs" on available bandwidth (i.e., packets for that tunnel get processed first). Or it might let you assign a maximum throughput to each tunnel, or possibly burstable throughputs. For example, if your link supports 100 Mbps, you might configure a 10 Mbps limit for each of your 6 tunnels. Depending on the product, the tunnels might share any unused capacity on an FCFS or priority basis, or spare capacity might go unused if 10 Mbps is treated as an absolute upper bound. Because bandwidth management features vary widely and are product-specific, you'll need to consult your firewall or router's documentation to learn about bandwidth controls (if any) applied to your tunnels.
This was first published in April 2004