IPsec - WebBased - Client - (L2F, PPTP, L2TP, GRE, IPsec, VLL, VPLS, PWE3, BGP MPLS)
This article is a work in progress; if you've stumbled in this direction, it's best not to believe anything here!!!
Gentlemen, this is a VPN...
VPNs take many forms and use many protocols.
In their essence, regardless of what they are or how they work, they all have one purpose: to overlay traffic through the use of another protocol.
Let's get clear about what the word overlay means. To understand it, we need to define what an underlay network is.
When you think of what an underlay network is, it's easy to think that L1 networking is the underlay.
It's the physical infrastructure responsible for carrying a connection, right?
These physical connections can be wireless in your home (though by the time it's up and running, an underlay is not just L1).
Go back to your books and figure out what RA, TA, DA and SA are, or if you're in 5G, 6G and beyond you may also need a reminder.
Ethernet networks also operate at layer 2. (In many cases, the L2 network is what needs to be extended.)
So when we consider the underlay properly, we consider the physical infrastructure available for data packets to traverse as the underlay.
(So yes, your Wi-Fi and cellular connections can be considered underlay.)
What VPNs DON'T do for IP based networks:
A VPN will NOT protect your identity.
Most VPNs will NOT protect your network from timing-based attacks.
VPNs will not hide the fact that you have traffic going between either endpoint from your service provider, or from other providers responsible for the underlay used by the VPN. (In other words, a VPN will not truly protect you from revealing your originating IP address.)
Not all VPNs encrypt traffic, and if they do, are they doing it properly?
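As an added example (not from the original article), here is a minimal GRE-over-IPv4 encapsulation in Python that shows what "overlay" and "underlay" mean in practice and why the provider carrying the underlay still sees traffic flowing between the two tunnel endpoints. GRE is chosen because it is one of the L3 CPE-based VPNs listed at the end of the article; the tunnel endpoint addresses and inner hosts are constructed sample values.

```python
import ipaddress
import struct
GRE_PROTO = 47           # IPv4 protocol number for GRE
ETHERTYPE_IPV4 = 0x0800  # GRE protocol-type value for an IPv4 payload

def ipv4_checksum(header: bytes) -> int:
    # RFC 1071 one's-complement sum; yields 0 when run over a valid header
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    # plain 20-byte IPv4 header (DF set, TTL 64, no options) in front of payload
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                         64, proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:] + payload

def gre_encapsulate(tunnel_src: str, tunnel_dst: str, inner: bytes) -> bytes:
    # overlay: RFC 2784 GRE header (no C bit, version 0) plus an outer IPv4 header
    # addressed between the two tunnel endpoints, wrapped around the inner packet
    gre_header = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)
    return ipv4_packet(tunnel_src, tunnel_dst, GRE_PROTO, gre_header + inner)

def underlay_view(packet: bytes) -> dict:
    # what a provider carrying the underlay sees without looking past the outer
    # header: the tunnel endpoints and the fact that GRE flows between them
    return {"src": str(ipaddress.IPv4Address(packet[12:16])),
            "dst": str(ipaddress.IPv4Address(packet[16:20])),
            "proto": packet[9],
            "checksum_ok": ipv4_checksum(packet[:20]) == 0}

def gre_decapsulate(packet: bytes) -> bytes:
    # strip outer IPv4 + GRE headers; GRE has no encryption, so anyone on the
    # underlay can do the same (the "not all VPNs encrypt" point above)
    if packet[9] != GRE_PROTO:
        raise ValueError("not a GRE packet")
    ihl = (packet[0] & 0x0F) * 4
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % ptype)
    return packet[ihl + 4 + (4 if flags & 0x8000 else 0):]  # C bit adds 4 bytes

# constructed sample: office host -> home-office host (the article's subnets),
# carried between two hypothetical tunnel endpoints on documentation addresses
INNER = ipv4_packet("10.10.10.5", "10.10.11.7", 6, b"constructed TCP payload")
TUNNELLED = gre_encapsulate("198.51.100.1", "203.0.113.9", INNER)
```

Running `underlay_view(TUNNELLED)` returns only the two tunnel endpoints and protocol 47, while `gre_decapsulate(TUNNELLED)` hands back the inner 10.10.10.5 to 10.10.11.7 packet unchanged, which is exactly what an unencrypted overlay exposes to whoever carries the underlay.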
What VPNs do for IP based networks: ( In other words... what are they good for? )
A VPN will allow traffic to flow from one VPN endpoint to another VPN endpoint, once it's set up properly.
A Remote Access VPN will allow access to a private network. (I.e. you have a VPN server with internet access and access to an internal network.)
A Remote Access VPN may have policies to tunnel all traffic to the VPN endpoint and allow that traffic to assume the VPN server's IP address.
A Site to Site VPN without Relay may allow you to route directly between dissimilar networks so they can join each other.
(i.e. your office at 10.10.10.0/24 and your home office at 10.10.11.0/24)
A Site to Site VPN with Relay may allow two similar subnets to join each other at a distance.
(This only works if both VPN endpoints support L2 Proxy ARP Mobility and Aware Broadcast Relay, PIM, and the IPs used in the joined subnet don't overlap.)
(i.e. you want to use 50 devices as if you were directly connected to the datacenter, but you are in a secondary office and both networks use 10.10.10.0/24)
A small warning here: some vendors simply call this IP Mobility, and the features / capabilities may vary or have limitations, or they may be describing something entirely different with an entirely different architecture. It's really better to change your subnet.
Anycast Assistance.
Let's presume you have a /24 you've advertised to T1 providers in Seattle, Sacramento, Los Angeles, Denver, Dallas, Atlanta,
Site - to - Site VPNs:
Remote Access VPNs:
CPE-based VPN (L2): L2F, PPTP, L2TP
CPE-based VPN (L3): GRE, IPsec
Network-based VPN, MPLS (L2): VLL, VPLS, PWE3
Network-based VPN, MPLS (L3): BGP-MPLS.