- VPNs based on Multi-Protocol Label Switching (MPLS) carve virtual switched paths out of the provider's network to carry customer traffic between edge routers. MPLS does not provide data encryption, but can be used in conjunction with IPsec when encryption is required.
- VPNs based on the Layer Two Tunneling Protocol (L2TP) relay dial-up (PPP) sessions terminated by an ISP's Network Access Server to an L2TP Gateway at the customer's network. L2TP does not provide data encryption, but is commonly used over IPsec transport mode to provide confidentiality (for example, within Windows XP/2000).
- Network-based IPsec VPN services often use a carrier-class VPN switch at the provider's point of presence (POP) to initiate and terminate VPN tunnels across the provider's backbone. The "tail circuit" between the customer's premises and the provider's POP (for example, a dedicated T1 link or a Frame Relay PVC) may or may not be encrypted.
If you require end-to-end confidentiality from your VPN service -- that is, encryption from customer premises to customer premises, without any point in the middle at which your data is cleartext -- then it's important to explicitly look for a secure VPN service that provides this. For example, most managed IPsec VPN services can deliver end-to-end encryption. But whether or not they actually do encrypt end-to-end is determined by the VPN's security policy configuration.
This question was asked at Ask the Experts on SearchNetworking.com.