2. IPsec VPN
Full Tunnel IPsec VPN
- Originally designed for inter-communication over non-secure networks (i.e., the internet)
- Each endpoint (software or hardware) consumes full GRE resources
- All traffic routed to the VPN is passed as IP traffic: applications typically do not need to be customized to work over a VPN
  - Notable exceptions: multicast traffic, NAT'd client traffic (ESP in transport mode or IPsec authentication headers)
- Operates in tunnel or transport mode
  - Tunnel mode encapsulates the full packet, including src.ip, dst.ip, etc., and rewrites this with a new header
  - Transport mode only encrypts the payload of the packet, leaving all source IP address information in cleartext
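As an added illustration (not part of the original slides), a toy Python model of the two ESP modes shows what a passive observer or a NAT box can read from the outer header in each case. The 20-byte IPv4 header builder, the SHA-256 keystream "cipher" and the addresses are constructed stand-ins, not real IPsec.

```python
"""Toy model of IPsec ESP tunnel vs transport mode (constructed illustration, not real IPsec)."""
import hashlib
import struct

ESP_PROTO = 50  # IP protocol number for ESP


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options; checksum left zero in this toy model)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src_b, dst_b)


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in for ESP's cipher: XOR with a SHA-256 keystream (symmetric, so it also decrypts).
    Real ESP uses an AEAD such as AES-GCM; this is only here to make the inner bytes unreadable."""
    blocks = len(data) // 32 + 1
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_tunnel(key: bytes, inner_packet: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel mode: the whole inner packet (its IP header included) is encrypted and
    wrapped in a new outer header carrying the gateway addresses."""
    body = toy_encrypt(key, inner_packet)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(body)) + body


def esp_transport(key: bytes, inner_packet: bytes) -> bytes:
    """Transport mode: only the payload is encrypted; the original src/dst stay on the wire.
    Because those addresses are visible, a NAT box rewrites them, and with AH (whose
    integrity check covers the header) that rewrite fails verification at the peer."""
    hdr, payload = inner_packet[:20], inner_packet[20:]
    src = ".".join(str(b) for b in hdr[12:16])
    dst = ".".join(str(b) for b in hdr[16:20])
    body = toy_encrypt(key, payload)
    return ipv4_header(src, dst, ESP_PROTO, len(body)) + body


def on_wire_view(packet: bytes) -> dict:
    """What anyone on the path reads from the outer (cleartext) IP header."""
    return {
        "src": ".".join(str(b) for b in packet[12:16]),
        "dst": ".".join(str(b) for b in packet[16:20]),
        "proto": packet[9],
    }
```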
3. SSL VPN
Full/Split Tunnel SSL VPN
- Operates at the Transport Layer of the network protocol stack, encapsulating application-specific protocols such as HTTP, FTP, SMTP
- Often requires applications to be rewritten or extended in order to make native use of it
- Luckily, most web browsers (and most applications) already include SSL libraries
- Requires no software installation or configuration for clients
- Never functions as a site-to-site tunnel
- Not resource intensive