USD ($)
United States Dollar
India Rupee

What is VPN and How It Works & Its Types

Created by Kumar Pal in Articles 15 Jun 2024
«CCIE Security Lab Exam Preparation Guide

Every other individual is hungry of knowledge for one or the other topic but if you are hungry to get knowledge on VPN, you are at the right platform. Today we will e discussing about VPN (virtual private network) and its type in brief do that you can get some information what VPN is with an example. You all might be working from home these days, this is one of the best example to understand VPN.


A virtual private network (VPN) is an encrypted connection that is completely isolated from the rest of the Internet. For instance, many videos are saved on Youtube and it is somewhere stored in data centre either it is in US, Australia, Japan or India. You can view that video from your home. Every webpage either it’s Google or any link has been assigned a particular IP address. Moreover, this process has advantages and disadvantages too.

Moving on the advantages, the first advantage is that you can use internet very easily through this IP Address and you can access any information sitting at your home. It provides organizations, people, and businesses to use network resources easily. If you are doing work from home it is also using VPN network as it allow you to work with wireless internet which is isolated from the rest of the world.

Now sharing the disadvantages, the main disadvantage is that they track our IP addresses and know which IP address you use frequently or even your government might be keeping an eye on your work. Secondly, if you are using open network from somewhere, your data can be hacked in some cases. In most of the cases VPNs are free now.

Types of VPN network

Now coming on to types of Virtual Private Network (VPN), there are basically two types of networks:

1) Remote Access VPN

Remote Access VPN allow a user to connect to a private network. Similarly, VPN access all its services and resources remotely. Due to the internet the connection between the user and the private network occurs and the connection is secure and private. Remote Access VPN is useful for home users and business users both to bypass regional restrictions on the internet and access blocked website.

For example, an employee of a company or some organization goes out of station uses VPN to connect to the company or to send or access some files or data.

2) Site to Site VPN

A Site-to-Site VPN is also called as Router-to-Router VPN and is commonly used in the corporates. Enterprises, with branch offices in different locations, use Site-to-site virtual private network to connect the network of one office location to the network at another office location.

It is further divided into two types i.e., Intranet based VPN or extranet based VPN.

What is VPN tunnel?

A VPN tunnel is a encrypted link between your device and the internet or between two private networks connected on internet. A VPN tunnel created using some tunneling protocols:

●  PPTP (point-to-point Tunneling Protocol)

●  L2TP (Layer 2 Tunneling Protocol)

●  SSL (Secure Sockets Layer)

●  TLS (Transport Layer Security)

●  IPsec (Internet Protocol Security)

●  OpenVPN

Now let's understand each one of these one by one.

PPTP (Point-to-Point Tunneling Protocol) is a VPN protocol which is developed by Microsoft. It is supported across various operating systems and devices. PPTP allows secure transmission of data over an IP network by encapsulating data packets within IP packets.

banner image

Key Components of PPTP:

Control Connection: PPTP establishes a control connection between the client and the server. This connection is responsible for managing the setup, maintenance, and termination of the VPN tunnel.

Data Tunnel: PPTP creates a data tunnel for transmitting user data. The data tunnel encapsulates the user's data packets within PPTP packets, which are then encapsulated within IP packets for transmission over the network.

GRE (Generic Routing Encapsulation): PPTP uses GRE to encapsulate the data packets. GRE provides a mechanism for encapsulating various network layer protocols, allowing them to be transmitted over an IP network.

Encryption: PPTP supports encryption to ensure the confidentiality of data transmitted over the VPN tunnel. It uses Microsoft Point-to-Point Encryption (MPPE), which provides encryption for the data packets.

PPTP Operation:

Connection Establishment: The PPTP client initiates a connection to the PPTP server. This involves establishing a TCP connection (typically on port 1723) for the control connection.

Authentication: Client and server are authenticated using either CHAP (Challenge Handshake Authentication Protocol) or MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) protocols.  That means only authorized users can establish the VPN connections.

Tunnel Setup: After successful authentication, the client and server negotiate the parameters for the VPN tunnel, including encryption settings. This is done through the control connection.

Data Transmission: With the VPN tunnel established, the client can now send data securely over the connection. When client sends data, it first encapsulates the data in PPTP packets followed by another encapsulation of IP packets and then transmitted over the network. The server receives the packets, decapsulates them, and forwards the original data to the appropriate destination.

Tunnel Termination: The control connections are closed as soon as VPN session is completed by either by client or server. 

Advantages of PPTP:

Widely Supported: It is supported on different platforms like most operating systems and other devices. That's why it is easier to implement across platforms.

Easy to Configure: PPTP is relatively simple to configure, requiring minimal configuration settings on client and server devices.

Good Performance: PPTP has low overhead and provides good performance for most applications.

Disadvantages of PPTP:

Security Concerns: PPTP is not that secure as compared to IPsec and OpenVPN.

Limited Encryption Options: PPTP supports the Microsoft Point-to-Point Encryption (MPPE) protocol with a maximum 128 bits of key size.

NAT Traversal Issues: PPTP can encounter difficulties when used in conjunction with network address translation (NAT), potentially leading to connection issues in certain network environments.

Overall, while PPTP is widely supported and easy to configure, its security vulnerabilities and limited encryption options have led to its declining usage in favor of more secure protocols such as IPsec and OpenVPN.

L2TP (Layer 2 Tunneling Protocol) operates at the data link layer of the OSI model and provides a secure tunnel for transmitting data over an IP network. L2TP provides better security and flexibility by combining the best features of PPTP and L2F.

banner image

Key Components of L2TP:

Control Connection: L2TP establishes a control connection between the client and the server. The control connection is responsible for managing the setup, maintenance, and termination of the VPN tunnel.

Data Tunnel: L2TP creates a data tunnel for transmitting user data. The data tunnel encapsulates the user's data packets within L2TP packets, which are then encapsulated within IP packets for transmission over the network.

L2TP Tunnel: It has two components.

L2TP Access Concentrator (LAC)

L2TP Network Server (LNS). 

The LAC resides on the client's side, while the LNS is located on the server's side. These components work together to establish and maintain the VPN connection.

PPP (Point-to-Point Protocol): L2TP uses PPP for authentication, encryption, and encapsulation. PPP provides a reliable and secure method for transmitting data over the VPN connection.

L2TPv3: L2TPv3 is an extension of L2TP transports non-IP protocols over an IP network. This allows L2TP to be used for various types of traffic, not just IP-based data.

L2TP Operation:

Connection Establishment: The L2TP client initiates a connection to the L2TP server. This involves establishing a control connection using the UDP protocol (typically on port 1701).

Authentication and Tunnel Setup: PPP protocol like PAP and CHAT are used to authenticate between client and server. After successful authentication, the L2TP tunnel is established, and the session is initiated.

PPP Session: Within the L2TP tunnel, PPP sessions are created. These sessions provide the framework for transmitting data securely between the client and server. PPP negotiates various parameters such as authentication methods, encryption settings, and IP addresses.

Data Transmission: With the L2TP tunnel and PPP session established, the client can now send data securely over the connection.  When client sends data, it is encapsulated in L2TP, and it again encapsulated in IP packets an then transmitted over the network. The server receives the packets, decapsulates them, and forwards the original data to the appropriate destination.

Tunnel Termination: When the VPN session is complete or terminated by either the client or the server, the control connection is closed, and the L2TP tunnel and associated PPP sessions are dismantled.

Advantages of L2TP:

Enhanced Security: L2TP provides enhanced security compared to PPTP by using the more secure PPP protocol for authentication and encryption.

Wide Platform Support: It is supported on multiple operating systems and other devices. 

Support for Non-IP Protocols: L2TPv3 extends the functionality of L2TP and can transport of non-IP protocols.

Disadvantages of L2TP:

Potential Performance

Overhead: L2TP adds an additional layer of encapsulation, which can introduce some overhead and potentially impact performance compared to other VPN protocols.

Limited Encryption Options: L2TP itself does not provide encryption. It relies on the PPP protocol for encryption, which offers limited encryption options compared to other protocols like IPsec and OpenVPN.

Overall, L2TP is a widely supported VPN protocol that offers improved security compared to PPTP. While it may have some performance overhead and limited encryption options, its compatibility with various platforms and support for non-IP protocols make it a viable choice for many VPN deployments.

SSL (Secure Sockets Layer). It was created to enhance the security of network communication over the internet. SSL ensures privacy, accuracy, and trustworthiness of data. TLS is an improved SSL form of TLS but still SSL is commonly used.

banner image

Key Features of SSL:

Encryption: SSL uses encryption algorithms to secure data in transit. Encrypted data is transmitted between client and server which is highly secured using SSL.

Authentication: SSL provides mechanisms for mutual authentication between the client and the server. In order to ensure that client always connect to the intended server, both the parties verify the identities of each other.

Data Integrity: SSL employs cryptographic algorithms to verify the integrity of transmitted data. That means nobody has modified the data in the transit.

Trust and Certificates: Digital certificate provided by trusted CAs are used in the SSL to ensure trust between two parties. Certificates are public keys which are used for encryption and authentication.

Secure Handshake: The client and server perform a secure handshake process to establish connection between them. During the handshake, the client and server negotiate encryption algorithms, exchange certificates, and verify each other's identities.

SSL Operation:

Client Hello: The SSL handshake begins with the client sending a Client Hello message to the server. This message includes the SSL version supported by the client, a random number, and a list of supported cipher suites.

Server Hello: Upon receiving the Client Hello, the server responds with a Server Hello message. This message contains the SSL version chosen by the server, another random number, and the chosen cipher suite from the client's list.

Certificate Exchange: The server sends its digital certificate to the client, which contains the server's public key. The client verifies the authenticity of the certificate using trusted certificate authorities.

Client Key Exchange: The client generates a pre-master secret and encrypts it using the server's public key from the certificate. The client sends this encrypted pre-master secret to the server.

Session Key Generation: Both the client and the server independently derive the session key from the pre-master secret and other random values exchanged during the handshake. This session key is used for encrypting and decrypting data transmitted during the SSL session.

Session Established: With the session key generated, the client and server complete the handshake process. They exchange messages to confirm that the SSL connection has been successfully established.

Secure Data Exchange: The client and server exchange data securely. SSL encrypts the data using the session key to ensure confidentiality and integrity.

Advantages of SSL:

Data Security: SSL provides encryption, confidentiality and integrity of the transmitted data.

Authentication and Trust: SSL provides trust between client and server by verifying the identities the two parties.

Widely Supported: SSL is widely supported by web browsers, servers, and various network applications, making it accessible for secure communication.

Disadvantages of SSL:

Performance Overhead: The encryption and decryption processes of SSL introduce some performance overhead, which may impact the speed of data transmission.

Vulnerabilities: The new versions of SSL are released in order to ensure the improvements in the older versions which may have some security vulnerabilities. The best case is to use TLS latest version.

Overall, SSL offers encryption, authentication, and data integrity hence securing communications over the internet. 

TLS and SSL are protocol which ensures secure communication over a network. TLS has replaced SSL as the industry standard. Below are the differences between TLS and SSL:

Development and Versions:

SSL: SSL was developed by Netscape in the 1990s and slowly improved to SSL 3.0.

TLS: TLS 1.0 was based on SSL 3.0, first TLS was intended to upgrade SSL. 


SSL: SSL was later depreciated due to several vulnerabilities. These vulnerabilities included POODLE (Padding Oracle On Downgraded Legacy Encryption) and BEAST (Browser Exploit Against SSL/TLS).

TLS: TLS has undergone significant improvements in security over its various versions. 

Handshake Process:

SSL: The handshake process in SSL involves a series of steps, including the exchange of supported cipher suites, negotiation of encryption algorithms, and verification of the server's certificate. SSL handshake messages are sent in plain text.

TLS: The TLS handshake process is similar to SSL but with additional features and improvements. One significant change is that the handshake messages are encrypted, providing better security against eavesdropping and tampering.

Cipher Suite Support:

SSL: SSL supports a limited set of cipher suites compared to TLS. 

TLS: TLS supports cipher suites which are more secure encryption algorithms. TLS cipher suites are designed to provide better security and meet modern cryptographic standards.


SSL: Due to security concerns and the deprecation of older SSL versions, many modern systems and applications have dropped support for SSL or have limited support for specific SSL versions.

TLS: TLS is widely supported by modern systems and applications. Most web browsers, servers, and network devices prefer TLS over SSL due to its enhanced security and better compatibility with current security standards.

IPsec (Internet Protocol Security) is a protocol suite used to secure IP communication by providing confidentiality, integrity, and authenticity at the IP packet level. It is mainly used to establish secure connections over public networks such as internet. IPsec operates at the network layer of the OSI model and can be implemented in both transport mode and tunnel mode.

banner image

Components of IPsec:

Authentication Header (AH): AH provides data integrity, authentication, and protection against replay attacks. It adds an integrity check value (ICV) to the IP packet, ensuring that the data has not been tampered with during transmission. AH does not provide confidentiality, as it does not encrypt the packet contents.

Encapsulating Security Payload (ESP): ESP provides confidentiality, data integrity, and authentication. It encrypts the IP packet's payload, ensuring that the data remains confidential. ESP also adds an ICV to protect against tampering and includes authentication mechanisms to verify the packet's origin.

Security Associations (SA): An SA is a unidirectional relationship between two IPsec peers, defining the parameters for secure communication. Each SA includes security protocol (AH or ESP), cryptographic algorithms, encryption keys, and other parameters needed for secure communication.

Key Management: IPsec relies on key management protocols to establish and maintain encryption keys used for securing the communication. Key management protocols, such as Internet Key Exchange (IKE), enable peers to negotiate and exchange encryption keys securely.

IPsec Modes:

Transport Mode: In transport mode, IPsec secures only the IP packet's payload, leaving the IP header unchanged. It provides secure communications between end-to-end hosts. Transport mode does not protect the IP header, which means that some information, such as source and destination IP addresses, remains visible to potential eavesdroppers.

Tunnel Mode: In this mode entire IP packet including IP head is encapsulated in new IP packet. The original IP packet becomes the payload of the new IP packet, which is encrypted and authenticated. Tunnel mode is commonly used for VPNs, where the original IP addresses are hidden, and the secure communication is established between gateways or endpoint-to-gateway scenarios.

IPsec Operation:

Security Association (SA) Negotiation: IPsec peers negotiate the parameters for secure communication, including the security protocol (AH or ESP), cryptographic algorithms, keys, and other security-related information. This negotiation is typically done using key management protocols such as IKE.

Key Exchange: Peers exchange encryption keys securely through key management protocols. The keys are used to encrypt and decrypt the IPsec packets.

Secure Communication: Once the SAs and encryption keys are established, IPsec encrypts and/or authenticates the IP packets according to the defined security parameters. The IPsec implementation adds the necessary headers (AH and/or ESP) to the IP packet, encapsulating the payload and protecting it during transmission.

Packet Processing: At the receiving end, the IPsec implementation verifies the integrity and authenticity of the received packets. It decrypts the encrypted payload and performs additional checks to ensure the packet's integrity and protect against replay attacks.

Advantages of IPsec:

Strong Security: IPsec provides encryption, authentication, and integrity of data transmitted over IP networks.

Wide Industry Support: IPsec is widely supported by various operating systems, routers, and network devices, making it a popular choice for secure communication.

Compatibility: IPsec can be used with existing IP-based applications and does not require modifications to the applications themselves. It operates at the network layer, making it transparent to higher-layer protocols.

Disadvantages of IPsec:

Complex Configuration: IPsec can have complex configuration requirements, particularly when deploying large-scale VPNs or complex network architectures. Setting up IPsec tunnels and managing security associations can be challenging.

Potential Performance Impact: The encryption and decryption processes of IPsec can introduce some performance overhead, which may impact the speed of data transmission, particularly on lower-end devices.

Despite these considerations, IPsec remains a widely adopted and robust protocol suite for securing IP communication, particularly in enterprise networks and VPN deployments.

OpenVPN provides a private and secure connection over the internet. It is an open-source protocol. OpenVPN is is compatible with different operating systems and devices. It achieves its security by using special techniques, like secret codes and secure communication methods, to establish safe connections between your device and the network you're connecting to.

Key Features of OpenVPN:

Security: OpenVPN uses encryption algorithms to ensure confidentiality and integrity of data.

Flexibility: Network configurations such as site-to-site, client-to-site and point-to-point are supp. 

Cross-Platform Compatibility: OpenVPN is compatible across all devices to establish secure connections. 

Scalability: OpenVPN can scale from small-scale and large-scale deployments. It can handle a significant number of concurrent connections, making it suitable for enterprise-level VPN solutions.

Client Authentication: OpenVPN pre-shared keys, username/password combinations, certificates, and two-factor authentication for client authentication. This allows for flexible and strong authentication mechanisms.

Network Address Translation (NAT) Traversal: OpenVPN includes NAT traversal capabilities, enabling secure communication between hosts behind NAT devices or firewalls.

OpenVPN Operation:

Connection Establishment: OpenVPN uses a combination of SSL/TLS protocols for the initial connection establishment. The client and server negotiate encryption algorithms, exchange certificates, and perform mutual authentication.

Session Key Exchange: OpenVPN negotiates a session key that is used for encrypting and decrypting data after initial connections are established. The session key is periodically rekeyed to maintain security.

Data Encryption: OpenVPN encrypts the data payload of IP packets using symmetric-key encryption. The data is encapsulated in SSL/TLS  before transmitted over the network.

Data Integrity and Authentication: OpenVPN ensures data integrity and authentication by adding a message authentication code (MAC) to each packet. The MAC is computed using a hash function and shared keys.

Compression: OpenVPN includes an optional data compression feature that can reduce bandwidth usage by compressing the data before encryption. Compression can improve performance in scenarios where data transfer is a bottleneck.

Routing and Configuration: OpenVPN can configure routing tables to direct traffic through the VPN tunnel. It can also manage network configurations, such as IP address assignment and DNS (Domain Name System) settings, to ensure seamless connectivity.

Advantages of OpenVPN:

Security: OpenVPN provides robust encryption and authentication which ensures secure and private communication over public networks.

Flexibility: OpenVPN supports various network configurations and can operate over different protocols, making it adaptable to diverse network environments.

Cross-Platform Compatibility: OpenVPN is compatible with major operating systems and other devices.

Open-Source and Audited: OpenVPN's open-source nature allows for continuous community review and security audits, contributing to its reliability and trustworthiness.

Disadvantages of OpenVPN:

Configuration Complexity: Setting up OpenVPN and configuration and troubleshooting may be difficult and complex as compared to other VPN solutions.

Performance Overhead: OpenVPN may introduce some performance overhead due to encryption and encapsulation processes, which can affect data transfer speeds, especially on lower-end devices.

Despite these considerations, OpenVPN is a VPN protocol which offers a high security and flexibility for establishing secure connections over public networks.

IPSec over GRE on Cisco IOS Routers»
Kumar Pal

Kumar Pal is a Senior Network Solution Architect and an expert on Riverbed WAN optimization and Routing and Switching technologies. He has been working in IT networking industry since 2010. Kumar Pal has done CCNA, CCNP Enterprise, CCIE Enterprise, F5, LTM, F5 DNS, Riverbed certification courses that makes him most versatile professional in ...

More... | Author`s Bog | Book a Meeting

Related Articles

#Explore latest news and articles

Configuring IPSec VPN in Checkpoint 15 Jun 2024

Configuring IPSec VPN in Checkpoint

Step-by-step guide for Checkpoint IPSec VPN configuration. Learn how to set up IPSec VPN in Checkpoint Firewall. Secure your network now!
How is CCNP Security Advancing Career? 13 Jun 2024

How is CCNP Security Advancing Career?

Discover how CCNP Security certification paves the way for career advancement. Learn the ways CCNP Security can boost your professional journey.
Cisco ASA and Firewall Best Practices 16 Jun 2024

Cisco ASA and Firewall Best Practices

Explore best practices for securing your network via Cisco ASA. Learn essential tips and configurations to enhance your network's defense against cyber threats.

Comments (0)


Share this post with others

Contact learning advisor

Captcha image