VPN Topologies Guide



IPsec VPN tunnels enable organisations to communicate securely between locations in a cost-effective manner. Depending on the size of the organisation and its specific requirements, there are a number of different topology options when it comes to deploying VPN devices, and we will take a look at these below.

Site-to-Site VPN Connectivity

Site-to-Site VPN, also known as Gateway-to-Gateway VPN, is a VPN tunnel between two sites. It allows two organisations, or two sites within the same organisation, to share files and other resources with each other. The tunnel is established between a VPN gateway device at each end, using the IPsec framework to protect the traffic as it crosses the internet or any other transport, such as a private leased line or an MPLS circuit. Each gateway must be configured with the peer's address, the authentication method (pre-shared key or certificate), the transform set, and the local and remote subnets the tunnel is to protect; hosts behind the gateways then reach each other without needing any VPN software of their own.

VPN Hub and Spoke Connectivity

VPN connections can also be set up in a Hub and Spoke VPN topology, also known as a Site-to-Multi-site VPN topology. In this scenario, every branch office has a tunnel to the head office and nowhere else. The head office is the hub and the branch offices are the spokes. The topology does not only carry traffic between the head office and its branches: traffic between two branches is also possible, but it travels through the head office VPN device, leaving one tunnel and entering another. The head office appliance therefore needs to be sized for the aggregate throughput and tunnel count of all branches, not just its own traffic, and spoke-to-spoke traffic pays the extra latency of the detour. This is a common and generally recommended design for branch connectivity because the hub sees and controls all inter-site traffic, so a single policy, inspection and logging point covers the whole estate. The trade-off is that the hub is a single point of failure for every branch, which is why the redundancy measures described later in this guide usually apply to it first.

Full Mesh VPN Connectivity

In this topology, every office/VPN device has a VPN tunnel to every other office/VPN device, so there is a direct connection between each pair of branch offices as well as between each branch and the head office. Branch offices communicate directly with each other without traversing the head office VPN device, and the loss of any single site does not cut off the others. The main reason to choose this topology is performance, typically when the central hub device at the head office cannot handle the combined traffic of all branches or when spoke-to-spoke latency matters. Another reason is organisational: IT staff at the branch offices may require full control of their own VPN devices and peerings. The cost is scale and administration, since a full mesh of n sites needs n(n-1)/2 tunnels, each of which must be configured and keyed on both ends, and each device must hold a security association with every other device; this is why full mesh is usually limited to a small number of sites or built with a dynamic multipoint technology rather than by hand.

Transparent VPN

VPN devices can also be deployed using a concept known as transparent mode, in which the device acts as a layer-two bridge between two network segments rather than as a layer-three routed hop. Traffic passes through it without the device owning an IP address on the path or appearing as a next hop, so existing addressing and routing stay unchanged. You would deploy a VPN device in transparent mode in situations where you are not able to deploy the solution in layer-three routed mode, most commonly because you cannot redesign the layer-three addressing scheme of your network or introduce a new routed hop between the hosts and their default gateway.

VPN Redundancy & Resilience

VPN tunnels are sometimes configured over multiple ISP connections to provide redundancy in the event of an ISP failure. The primary ISP would usually be the faster internet connection, with a slower ISP link connected as a backup. A second tunnel is defined over the backup link, and traffic switches to it only when the primary ISP link or the tunnel running over it is detected as down.

To provide further fault tolerance, VPN devices can be deployed in pairs. If one of the VPN devices suffers a hardware failure or loses connectivity to any part of the network, the second device in the pair automatically takes over all of the VPN traffic within a matter of seconds.

Using multiple ISP links together with an Active-Standby high availability pair of VPN devices keeps VPN connectivity active through any single link or device failure. With that said, this still does not provide any fault tolerance against a data-centre-wide failure, since both devices and both links sit in the same building; in that case you would need to think about a backup data centre to ensure you are covered from all angles.
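The following is an added worked example, not code from the original guide or from any VPN vendor. It models the topologies above (hub and spoke and full mesh) and the redundancy measures in this section (dual ISP links and an Active-Standby device pair) as a small graph of sites, devices, ISP links and tunnels, then enumerates which single component failures break connectivity between two branches. The site, device and link names (HQ, B1, hq-fw1, hq-isp1 and so on) are invented for the illustration. Routing is not modelled: a tunnel here is assumed to carry traffic whenever both endpoints and both links are up.

```python
"""Model VPN topologies and find single points of failure between two sites.

Added example: sites hold VPN devices and ISP links; a tunnel joins a device
at one site to a device at another over one ISP link on each side.  A site
failure (the "data centre wide failure" case) removes every device and link
at that site.  Names are hypothetical.
"""
from collections import defaultdict, deque
from itertools import combinations


class VpnNetwork:
    def __init__(self):
        self.site_devices = defaultdict(set)  # site -> VPN devices at the site
        self.site_links = defaultdict(set)    # site -> ISP links at the site
        self.tunnels = []                     # (device_a, link_a, device_b, link_b)

    def add_site(self, site, devices, links):
        self.site_devices[site].update(devices)
        self.site_links[site].update(links)

    def add_tunnel(self, dev_a, link_a, dev_b, link_b):
        self.tunnels.append((dev_a, link_a, dev_b, link_b))

    def connected(self, site_a, site_b, failed=frozenset()):
        """True if a surviving device at site_a reaches a surviving device at
        site_b over surviving tunnels; `failed` holds device, link or site names."""
        dead = set(failed)
        for site in failed:                       # a dead site kills its contents
            dead |= self.site_devices.get(site, set())
            dead |= self.site_links.get(site, set())
        adj = defaultdict(set)
        for a, la, b, lb in self.tunnels:
            if not {a, la, b, lb} & dead:         # tunnel needs both ends and both links
                adj[a].add(b)
                adj[b].add(a)
        start = self.site_devices.get(site_a, set()) - dead
        goal = self.site_devices.get(site_b, set()) - dead
        seen, queue = set(start), deque(start)
        while queue:                              # breadth-first search over devices
            dev = queue.popleft()
            if dev in goal:
                return True
            for nxt in adj[dev] - seen:
                seen.add(nxt)
                queue.append(nxt)
        return False

    def single_points_of_failure(self, site_a, site_b):
        """Every device, ISP link or whole site (other than the two endpoints)
        whose loss on its own breaks site_a <-> site_b connectivity."""
        candidates = set()
        for site in self.site_devices:
            if site not in (site_a, site_b):
                candidates.add(site)
            candidates |= self.site_devices[site] | self.site_links[site]
        return sorted(c for c in candidates
                      if not self.connected(site_a, site_b, frozenset({c})))


def hub_and_spoke(branches):
    """Basic hub and spoke: one device and one ISP link everywhere."""
    net = VpnNetwork()
    net.add_site("HQ", {"hq-fw1"}, {"hq-isp1"})
    for b in branches:
        net.add_site(b, {f"{b}-fw1"}, {f"{b}-isp1"})
        net.add_tunnel("hq-fw1", "hq-isp1", f"{b}-fw1", f"{b}-isp1")
    return net


def full_mesh(sites):
    """Full mesh: a tunnel between every pair of sites, n(n-1)/2 in total."""
    net = VpnNetwork()
    for s in sites:
        net.add_site(s, {f"{s}-fw1"}, {f"{s}-isp1"})
    for a, b in combinations(sites, 2):
        net.add_tunnel(f"{a}-fw1", f"{a}-isp1", f"{b}-fw1", f"{b}-isp1")
    return net


def resilient_hub_and_spoke(branches):
    """Hub as an Active-Standby pair with two ISPs; each branch has a backup ISP.
    The standby device is modelled as owning the same tunnels it would take over."""
    net = VpnNetwork()
    net.add_site("HQ", {"hq-fw1", "hq-fw2"}, {"hq-isp1", "hq-isp2"})
    for b in branches:
        net.add_site(b, {f"{b}-fw1"}, {f"{b}-isp1", f"{b}-isp2"})
        for hub_dev in ("hq-fw1", "hq-fw2"):
            net.add_tunnel(hub_dev, "hq-isp1", f"{b}-fw1", f"{b}-isp1")  # primary path
            net.add_tunnel(hub_dev, "hq-isp2", f"{b}-fw1", f"{b}-isp2")  # backup path
    return net


if __name__ == "__main__":
    branches = ["B1", "B2", "B3"]
    for name, net in [("hub and spoke", hub_and_spoke(branches)),
                      ("full mesh", full_mesh(["HQ"] + branches)),
                      ("resilient hub and spoke", resilient_hub_and_spoke(branches))]:
        print(f"{name}: {len(net.tunnels)} tunnels, B1<->B2 with HQ down: "
              f"{net.connected('B1', 'B2', {'HQ'})}, single points of failure: "
              f"{net.single_points_of_failure('B1', 'B2')}")
```

Running the script shows the points made in the text: in basic hub and spoke the hub device, its ISP link and the head office site itself all appear in the branch-to-branch failure list; in full mesh only the two branches' own device and link do; and after adding dual ISP links and a device pair at the hub, the only remaining single point of failure outside the branches is the head office site as a whole, which is exactly the case a backup data centre addresses.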


Further Reading

Wikipedia's guide to VPN