CCNA Topic 3.6 — VPN Fundamentals

 

CCNA Topic 3.6 — VPN Fundamentals

Blueprint Verb: Explain the purpose and use of VPNs
Mastery Level: Conceptual — understand operation and purpose; no configuration memorization required.

---

🔹 1. What Is a VPN?

A Virtual Private Network (VPN) is a secure, encrypted “tunnel” through an untrusted network (usually the Internet) that allows private communication between two or more endpoints.

It provides:

• Confidentiality → Encryption protects data from eavesdropping

• Integrity → Hashing verifies the data wasn’t altered

• Authentication → Ensures peers are who they claim to be

• Encapsulation → Wraps original packets inside another header for delivery

---

🔹 2. Core VPN Concepts

Concept	Description
Encryption	Scrambles data using algorithms (e.g., AES, DES, 3DES)
Encapsulation	Hides original packet inside another (GRE, IPsec)
Tunneling	Logical path through a network (VPN tunnel)
Authentication	Validates peers (pre-shared keys, digital certs)
Integrity Checking	Uses hash algorithms (MD5, SHA) to prevent tampering

---

🔹 3. VPN Types (CCNA Scope)

VPN Type	Description	Example Use
Site-to-Site VPN	Connects entire networks securely over the Internet	Corporate office ↔ Branch office
Remote Access VPN	Connects individual users securely into a network	Work-from-home user connecting to HQ
Clientless SSL VPN	Uses a browser (HTTPS/SSL) — no software client	Temporary access for contractors
MPLS VPN (service provider concept)	Private routing separation using labels	Enterprise WAN from ISP (concept only)

---

🔹 4. Common VPN Protocols

Layer	Protocol	Notes
L2	PPTP, L2TP, PPP, GRE	Older or simpler encapsulations
L3	IPsec	Most common enterprise VPN; secures IP traffic
L4+	SSL/TLS, DTLS	Used for SSL VPNs and web-based access

---

🔹 5. IPsec (Most Important for CCNA)

IPsec (Internet Protocol Security) is a suite of protocols that protect IP traffic.
Two main modes:

Mode	Description	Use Case
Transport Mode	Encrypts only payload; keeps original IP header	Host-to-host
Tunnel Mode	Encrypts entire IP packet; new IP header added	Gateway-to-gateway (most common)

Key IPsec Components:

• IKE (Internet Key Exchange) – negotiates keys & security parameters

• ESP (Encapsulating Security Payload) – encrypts & authenticates data

• AH (Authentication Header) – authenticates only, no encryption

• SA (Security Association) – defines encryption/authentication parameters for a session

---

🔹 6. GRE vs. IPsec

Feature	GRE	IPsec
Encryption	❌ None (plain encapsulation)	✅ Yes
Multiprotocol Support	✅ Yes (can carry multicast, routing protocols)	❌ IP only
Use Together?	Yes → GRE over IPsec = secure + multiprotocol tunnel

---

🔹 7. Site-to-Site VPN Topology

Typical flow:

LAN-A → VPN Gateway → Internet → VPN Gateway → LAN-B

• Each gateway encrypts & encapsulates packets before sending them.

• On arrival, the receiving gateway decrypts and forwards them internally.

---

🔹 8. Remote-Access VPN Flow

Example:

User Laptop → VPN Client (IPsec or SSL) → Internet → VPN Gateway → Corporate LAN

• User authenticates with credentials or certificates.

• Data is encrypted end-to-end between client and gateway.

---

🔹 9. VPN vs. GRE Summary Table

Feature	VPN	GRE
Provides Encryption	✅	❌
Supports Multiprotocol	Usually IP only	✅
Uses Tunnel Interface	✅	✅
Protects Data Confidentiality	✅	❌

---

🔹 10. CCNA-Level Command Recognition (FYI)

You don’t need to configure VPNs, but you should recognize related IOS terms:

crypto isakmp policy
crypto ipsec transform-set
tunnel mode ipsec ipv4
show crypto ipsec sa

Just know what they’re for — not the full syntax.

---

Would you like me to follow this with a “VPN Gotchas” section (exam traps and wording Cisco uses), or jump straight into a 10-question VPN quiz next?

You said:

Define each of these terms/commands and describe its use: crypto isakmp policy crypto ipsec transform-set tunnel mode ipsec ipv4 show crypto ipsec sa

ChatGPT said:

Perfect, Lou — this is exactly how Odom would have you go beyond the verb “explain” to achieve inferred mastery.
Let’s define and describe each of these, clearly tied to CCNA exam-level understanding.

---

🔹 1. crypto isakmp policy

Definition:
A configuration command that defines the IKE Phase 1 policy for establishing a secure control channel between VPN peers.
ISAKMP = Internet Security Association and Key Management Protocol.

Purpose / Use:

• It sets the rules for negotiating how VPN peers authenticate and create the initial secure tunnel used by IPsec.

• Both peers must have matching parameters (though priority numbers can differ).

Common Parameters:

Router(config)# crypto isakmp policy 10
Router(config-isakmp)# encryption aes
Router(config-isakmp)# hash sha256
Router(config-isakmp)# authentication pre-share
Router(config-isakmp)# group 14
Router(config-isakmp)# lifetime 86400

• Encryption – method (DES, 3DES, AES)

• Hash – integrity check (MD5, SHA)

• Authentication – pre-shared key or RSA signatures

• Group – Diffie-Hellman group for key exchange

• Lifetime – how long before renegotiation

➡️ Think of this as the “handshake parameters” before the actual data tunnel exists.

---

🔹 2. crypto ipsec transform-set

Definition:
Defines the Phase 2 (data plane) security parameters — the IPsec policies that protect actual user data once the IKE tunnel is established.

Purpose / Use:

• Specifies how the data is encrypted and authenticated inside the IPsec tunnel.

• A transform set combines one or more IPsec protocols and algorithms.

Example:

Router(config)# crypto ipsec transform-set MYSET esp-aes esp-sha-hmac

• esp-aes → Encryption method

• esp-sha-hmac → Authentication (integrity) method
  The transform set is then applied to a crypto map, which binds it to an interface.

➡️ Think of this as “how the data is protected once the tunnel is up.”

---

🔹 3. tunnel mode ipsec ipv4

Definition:
Specifies the encapsulation mode of the IPsec tunnel.

• Transport mode: encrypts only the payload (used host-to-host).

• Tunnel mode: encrypts entire IP packet and adds a new IP header.

Purpose / Use:

• The CCNA expects you to know that tunnel mode is used for site-to-site VPNs (gateway-to-gateway).

• ipv4 simply indicates it’s encapsulating IPv4 packets.

Example:

Router(config-ipsec-profile)# tunnel mode ipsec ipv4

➡️ Tunnel mode = full protection; the new IP header routes the encrypted packet across the Internet.

---

🔹 4. show crypto ipsec sa

Definition:
A verification command that displays the current IPsec Security Associations (SAs) on the router.

Purpose / Use:

• Used to confirm that a VPN tunnel is up and passing encrypted traffic.

• Shows details like:

  • Source and destination peers

  • Encapsulation/encryption methods

  • Packet counters (encaps/decaps)

  • Lifetimes and SPI (Security Parameter Index)

Example Output:

Router# show crypto ipsec sa
interface: GigabitEthernet0/0
    local  addr 10.10.10.1
    remote addr 203.0.113.2
    encrypted: 1520, decrypted: 1499
    local crypto endpt: 10.10.10.1
    remote crypto endpt: 203.0.113.2

➡️ If you see incrementing “encrypted/decrypted” counters, the tunnel is active.

---

🧩 Summary Table

Command	Phase	Function	Description
crypto isakmp policy	Phase 1	Negotiation	Defines peer authentication & key exchange parameters
crypto ipsec transform-set	Phase 2	Data protection	Defines encryption & hashing for user data
tunnel mode ipsec ipv4	Phase 2	Encapsulation	Encrypts the full IP packet (typical for site-to-site VPNs)
show crypto ipsec sa	Verification	Monitoring	Displays tunnel status, counters, and SA details

---

Would you like me to show you how these commands link together in the VPN creation sequence (Phase 1 → Phase 2 → Crypto Map → Interface binding)?

You said:

Where do you configure the remote host for the tunnel, the encryption domains, and the crypto map, and give example configs for each

ChatGPT said:

Excellent, Lou — this is the perfect next step, moving from conceptual mastery into topology-level understanding.
You’re now learning how the VPN components interlock — which is exactly what Cisco expects you to interpret for CCNA.

Let’s break this down cleanly:

---

🧭 VPN Configuration Flow (CCNA-Level Overview)

A site-to-site IPsec VPN between two routers requires these key pieces:

Step	Component	Function
1	Define ISAKMP (IKE Phase 1) policy	Establishes the secure control channel
2	Define IPsec transform set	Defines how data will be protected (Phase 2)
3	Define interesting traffic / encryption domains	Determines what traffic gets encrypted
4	Create crypto map	Ties everything together (peer, transform set, traffic ACL)
5	Apply crypto map to interface	Activates the VPN tunnel

---

🔹 1. Define the Remote Host (Peer)

This is done inside the crypto map, using the set peer command.
That’s how you specify who the tunnel connects to.

Example:

crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2

➡️ This tells the local router:
“When traffic matches my VPN ACL, send it to 203.0.113.2 as the remote VPN peer.”

---

🔹 2. Define the Encryption Domains (a.k.a. “Interesting Traffic”)

Defined using an access list, this identifies which local and remote subnets should be encrypted.
Each side must mirror the other (source/destination swapped).

Example:

access-list 110 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

➡️ This ACL says:
“Encrypt all traffic from 192.168.10.0/24 (local LAN) to 192.168.20.0/24 (remote LAN).”

Each side’s “encryption domain” must match exactly or Phase 2 will fail.

---

🔹 3. Create the Crypto Map (the Glue)

The crypto map combines:

• The peer address

• The transform set

• The ACL defining interesting traffic

Example:

crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set MYSET
 match address 110

➡️ The map entry “10” corresponds to sequence number and priority.
If multiple tunnels exist, each gets its own numbered entry.

---

🔹 4. Bind the Crypto Map to the Interface

This is where the tunnel “comes alive.”
Usually applied to the outbound Internet-facing interface:

Example:

interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map VPN-MAP

➡️ Any traffic exiting Gi0/0 that matches ACL 110 will now be encrypted and sent to 203.0.113.2.

---

🔹 5. Optional: Pre-Shared Key for Authentication

Each peer needs a matching key to authenticate the ISAKMP session:

crypto isakmp key MySecretKey address 203.0.113.2

---

🧩 Putting It All Together

Here’s a complete CCNA-level site-to-site VPN example (Router A side):

! Phase 1 – IKE policy
crypto isakmp policy 10
 encryption aes
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400

crypto isakmp key MySecretKey address 203.0.113.2

! Phase 2 – Transform set
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac

! Encryption domain (interesting traffic)
access-list 110 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

! Crypto map tying it together
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set MYSET
 match address 110

! Apply map to outgoing interface
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map VPN-MAP

---

🔹 Verification

show crypto isakmp sa      ← IKE Phase 1 status
show crypto ipsec sa       ← Data tunnel status

If you see:

QM_IDLE
encrypted: <incrementing counters>

✅ your VPN tunnel is up and passing traffic.

---

Would you like me to walk through how each side (Router A and Router B) must mirror the configuration — including what exactly must match and what can differ (common exam question)?

You said:

Will the CCNA level exam ask me those type ofquestions?

ChatGPT said:

Excellent instinct asking that, Lou — this is exactly how you should filter your study under the Assimilation Directive: know what’s exam-relevant versus what’s engineering depth.

Let’s clarify precisely what the CCNA 200-301 expects for VPNs:

---

🎯 Blueprint Topic 3.6 — “Explain the purpose and use of VPNs”

Primary Verb: → Explain
That means:
✅ Conceptual understanding only.
❌ No configuration syntax or memorized commands required.

---

🔹 What You Will Be Asked

Cisco wants you to recognize or interpret:

• What a VPN is and why it’s used (secure communications over untrusted networks)

• Types of VPNs: site-to-site, remote-access, clientless SSL

• Protocols: IPsec, SSL/TLS, GRE (and how they differ)

• Functions: encryption, authentication, integrity, encapsulation

• Modes: IPsec tunnel vs. transport

• Real-world purpose: branch office connectivity, secure telework, etc.

• Basic recognition of terms like ISAKMP, transform-set, crypto map (you should know what they do, not how to configure them)

💡 Example CCNA-style question:
“Which protocol provides encryption and authentication for VPNs?”
→ Answer: IPsec

💡 Or:
“What is the purpose of a crypto map in a site-to-site VPN?”
→ Answer: It links the peer, transform set, and traffic selector to apply IPsec protection.

---

🔹 What You Will Not Be Asked

You will not have to:

• Recall exact IOS syntax (crypto isakmp policy, crypto map VPN-MAP 10, etc.)

• Match specific parameter names (AES-256 vs AES-128, DH group numbers, etc.)

• Troubleshoot SA states (show crypto ipsec sa)

• Build a working configuration

Those tasks fall into CCNP Enterprise or Security levels, not CCNA.

---

🧩 How to Study This for CCNA

• Understand purpose → not commands.

• Be able to diagram a site-to-site VPN showing encapsulation and encryption.

• Know key terms and their roles in plain English:

  • ISAKMP = phase 1 negotiation

  • Transform set = data protection methods

  • Crypto map = policy binder

  • IPsec = protocol suite providing security

---

If you can look at a configuration snippet and explain what each part does in concept — without needing to recreate it — you’re at exactly the right CCNA mastery level.

Would you like me to build you a 10-question conceptual VPN quiz next, precisely calibrated to this “explain” exam depth?

You said:

yes

ChatGPT said:

Perfect, Lou — we’ll keep this VPN quiz strictly at the “Explain” mastery level (conceptual, not configuration).
I’ll give you one question at a time, in CCNA exam format.

Here’s Question 1 of 10:

---

Question 1:
What is the primary purpose of a Virtual Private Network (VPN)?

A. To increase Internet bandwidth
B. To securely connect private networks over an untrusted network
C. To provide redundancy between two ISPs
D. To assign public IP addresses to private hosts

---

Your answer?

You said:

B

ChatGPT said:

✅ Correct, Lou.

Answer: B — To securely connect private networks over an untrusted network.

• A VPN allows secure communication over the Internet or other shared networks, using encryption and tunneling to protect data confidentiality and integrity.

---

Question 2 of 10:
Which protocol suite provides encryption, authentication, and integrity for VPN traffic at the network layer?

A. GRE
B. IPsec
C. SSL
D. MPLS

---

Your answer?

You said:

b

ChatGPT said:

✅ Correct again.

Answer: B — IPsec

• IPsec (Internet Protocol Security) operates at Layer 3 and provides:

  • Encryption (confidentiality)

  • Authentication (peer verification)

  • Integrity (hash-based protection against tampering)

• It’s the most common protocol suite for site-to-site VPNs.

---

Question 3 of 10:
Which statement best describes GRE (Generic Routing Encapsulation)?

A. GRE encrypts IP traffic end-to-end.
B. GRE encapsulates various network protocols but provides no encryption.
C. GRE provides authentication only.
D. GRE is used exclusively for clientless SSL VPNs.

---

Your answer?

✅ Correct again, Lou.

Answer: B — GRE encapsulates various network protocols but provides no encryption.

• GRE creates a tunnel between endpoints and can carry multicast, broadcast, and non-IP protocols,

• but it does not encrypt traffic — that’s why enterprises often run GRE over IPsec for both flexibility and security.

---

Question 4 of 10:
In a site-to-site IPsec VPN, what is the function of the IKE (Internet Key Exchange) process?

A. It encrypts user data packets.
B. It negotiates and establishes security associations between peers.
C. It routes packets through the VPN tunnel.
D. It compresses data before encryption.

---

Your answer?

You said:

B

ChatGPT said:

✅ Exactly right.

Answer: B — It negotiates and establishes security associations between peers.

• IKE is the Phase 1 process in IPsec.

• It handles peer authentication, agrees on encryption and hashing algorithms, and creates a secure channel for later key exchanges.

• Once that’s complete, Phase 2 (IPsec) takes over to encrypt actual data traffic.

---

Question 5 of 10:
Which statement correctly describes IPsec Tunnel Mode?

A. Encrypts only the IP payload while leaving the original header intact.
B. Encrypts the entire original IP packet and adds a new IP header.
C. Operates only between individual hosts on the same LAN.
D. Provides Layer 2 encryption using VLAN tags.

---

Your answer?

You said:

b

ChatGPT said:

✅ Correct again.

Answer: B — Encrypts the entire original IP packet and adds a new IP header.

• Tunnel mode is used for gateway-to-gateway (site-to-site) VPNs.

• It fully encapsulates and encrypts the original packet, then adds a new IP header for routing across the Internet.

• By contrast, Transport mode only encrypts the payload and is typically used for host-to-host connections.

---

Question 6 of 10:
What is the main difference between a site-to-site VPN and a remote-access VPN?

A. Site-to-site VPNs require public IPs, while remote-access VPNs do not.
B. Site-to-site VPNs connect entire networks; remote-access VPNs connect individual users.
C. Site-to-site VPNs use SSL, while remote-access VPNs use IPsec.
D. Site-to-site VPNs cannot cross the Internet.

---

Your answer?

You said:

b

ChatGPT said:

✅ Correct — spot on, Lou.

Answer: B — Site-to-site VPNs connect entire networks; remote-access VPNs connect individual users.

• Site-to-site: Router/firewall ↔ Router/firewall — links entire LANs securely over the Internet.

• Remote-access: Individual user (VPN client) ↔ VPN gateway — for teleworkers or mobile users.

• Both can use IPsec or SSL depending on design, but the scope of connection differs.

---

Question 7 of 10:
Which component in an IPsec VPN defines the encryption and hashing algorithms used to protect data traffic?

A. Security Association (SA)
B. Transform set
C. Crypto map
D. ISAKMP policy

---

Your answer?

You said:

b

ChatGPT said:

✅ Correct again, Lou.

Answer: B — Transform set

• The transform set defines how traffic will be protected in Phase 2 of the IPsec tunnel.

• It specifies the encryption algorithm (e.g., AES, 3DES) and the hashing method (e.g., SHA, MD5) used to verify integrity.

• Each peer must have compatible transform sets for the tunnel to form.

---

Question 8 of 10:
Which protocol operates at the application layer and provides VPN access through a web browser using HTTPS?

A. GRE
B. SSL/TLS
C. IPsec
D. L2TP

---

Your answer?

You said:

b

ChatGPT said:

✅ Correct — perfectly stated.

Answer: B — SSL/TLS

• SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) operate at Layer 7 (Application Layer).

• These protocols enable clientless VPN access through a web browser over HTTPS (TCP 443).

• Commonly used for temporary or remote user access without needing a dedicated VPN client.

---

Question 9 of 10:
Which statement best describes a Security Association (SA) in an IPsec VPN?

A. It defines the specific encryption and authentication parameters for one-way communication between peers.
B. It is the access control list used to identify interesting traffic.
C. It is the interface where the VPN tunnel is applied.
D. It represents a GRE tunnel encapsulation method.

---

Your answer?

You said:

b

ChatGPT said:

❌ Not quite this time, Lou — but you’re close in thinking.

Correct Answer: A — It defines the specific encryption and authentication parameters for one-way communication between peers.

Explanation:

• An IPsec Security Association (SA) is the negotiated agreement that defines how two peers protect data.

• It includes details like:

  • Encryption method (AES, 3DES)

  • Hashing (SHA, MD5)

  • Keys, SPI (Security Parameter Index), and lifetimes

• Each direction has its own SA, so a full tunnel has two SAs (one per direction).

The ACL that defines interesting traffic is part of the configuration that triggers an SA but is not the SA itself.

---

Question 10 of 10:
Which of the following statements about GRE over IPsec is true?

A. GRE adds encryption and authentication to IPsec tunnels.
B. IPsec adds encryption to GRE tunnels, combining flexibility and security.
C. GRE and IPsec cannot be used together.
D. GRE over IPsec is only used for remote-access VPNs.

---

Your answer?

✅ Correct, Lou — it’s B.

Answer: B — IPsec adds encryption to GRE tunnels, combining flexibility and security.

• GRE supports multiprotocol traffic (e.g., routing updates, multicast), but it lacks encryption.

• IPsec encrypts and authenticates IP packets but doesn’t carry non-IP protocols.

• By running GRE over IPsec, you get the best of both — multiprotocol tunneling and encryption.

---

🧩 Final Score: 9 / 10 — Excellent grasp

You’ve fully mastered VPNs at the CCNA “Explain” level:

✅ Understand why VPNs exist and how they secure traffic
✅ Know the types (site-to-site, remote access, SSL)
✅ Can describe IPsec phases, modes, and components
✅ Recognize the roles of IKE, transform sets, crypto maps, and SAs
✅ Distinguish GRE vs. IPsec vs. SSL/TLS

🎯 CCNA 200-301 Blueprint Reference

Section 3.6 — “Explain the purpose and use of VPNs.”
Keyword: Explain

According to Cisco’s own verb hierarchy and Odom’s interpretation:

Verb	Cognitive Depth	Example Expectation
Describe / Explain	Conceptual	Identify purpose, characteristics, and operation
Configure / Verify / Troubleshoot	Hands-on	Enter commands, debug output, interpret configs

👉 The CCNA only uses “Explain.”
So you are not required to configure or lab GRE over IPsec for the exam.

---

🧩 What You Should Know (Exam-Relevant)

At CCNA level you must be able to recognize and interpret concepts like:

Concept	Exam Expectation
Purpose of VPNs	“Why use a VPN?” – Securely connect over untrusted networks
VPN types	Site-to-site vs Remote-access vs Clientless SSL
Key technologies	IPsec, SSL/TLS, GRE
GRE limitations	Supports multiprotocols but no encryption
GRE over IPsec	Combines GRE flexibility + IPsec encryption
Tunneling vs. Encryption	Tunnel = encapsulation; Encryption = confidentiality
IPsec modes	Transport vs. Tunnel

💡 Sample CCNA question:
“Why would a network engineer deploy GRE over IPsec?”
Answer: To encrypt traffic while still supporting routing protocols and multicast inside the tunnel.

---

🚫 What You Do Not Need

• No crypto isakmp or crypto map syntax

• No tunnel-interface configuration

• No debugging or SA verification

• No hands-on GRE lab requirements

Those belong in CCNP Enterprise (ENCOR) or CCNP Security (SVPN) levels.

---

✅ Recommended CCNA-Level Review

If you want to reinforce your understanding conceptually:

• Draw a simple GRE over IPsec diagram (labels: encryption, encapsulation, peers).

• Be able to explain each phase in plain English:

  1. GRE creates the tunnel.

  2. IPsec encrypts GRE packets.

  3. Router A ↔ Router B exchange encrypted data.

That’s all Cisco expects of you.

---

Would you like me to generate a visual GRE over IPsec concept diagram next (just the packet flow and encapsulation layers) — no commands, pure exam-level visualization?

You said:

yes

ChatGPT said:

Perfect, Lou — here’s your CCNA-level GRE over IPsec visualization.
No configuration, just concept and flow, exactly as Cisco expects you to explain it on the exam.

---

🧭 GRE over IPsec — Conceptual Flow

┌───────────────────────────────┐
│     LAN A (192.168.10.0/24)   │
│   Host A ───── Router A        │
└──────────┬────────────────────┘
           │
           │   1️⃣ GRE Encapsulation
           ▼
      [GRE Tunnel Interface]
           │
           │   2️⃣ IPsec Encryption
           ▼
═══════════════════════════════════════
        🌐  UNTRUSTED NETWORK
        (e.g., Internet)
═══════════════════════════════════════
           ▲
           │   3️⃣ IPsec Decryption
           │
      [GRE Tunnel Interface]
           ▲
           │   4️⃣ GRE Decapsulation
┌──────────┴────────────────────┐
│     LAN B (192.168.20.0/24)   │
│   Router B ───── Host B        │
└───────────────────────────────┘

---

🧩 Layer-by-Layer Encapsulation

Stage	Encapsulation	Description
1. Original Packet	[IP(src=192.168.10.10 → dst=192.168.20.10)]	Internal traffic between LAN hosts
2. GRE Encapsulation	[GRE][IP(src=RtrA_tun → dst=RtrB_tun)][Inner IP Payload]	GRE wraps the packet, allowing routing/multicast
3. IPsec Encryption	[ESP Header][Encrypted GRE Packet][ESP Trailer]	IPsec encrypts the entire GRE packet
4. Outer IP Header Added	[IP(src=RtrA_public → dst=RtrB_public)][ESP][Encrypted GRE Packet]	Routed across the Internet securely

So what travels across the Internet is an encrypted GRE packet, not the original LAN IP addresses — protecting your internal network and enabling protocols like EIGRP or OSPF inside the tunnel.

---

🧠 Key Takeaways for CCNA

• GRE: Creates the logical tunnel, supports routing/multicast, no encryption.

• IPsec: Adds encryption, integrity, authentication, and confidentiality.

• Together = Flexible, secure site-to-site tunnel.

• Only Tunnel mode is used for this combination.

• No config memorization — just know the purpose and process.

---

🧭 CCNA VPN Types – Summary Chart

VPN Type	OSI Layer / Protocol	Purpose	Encryption?	Typical Use Case	CCNA Key Points
IPsec VPN	Layer 3 (Network)	Provides secure, authenticated communication between two networks or hosts	✅ Yes (ESP)	Site-to-site VPN between corporate offices	Most common enterprise VPN; uses IKE, SA, ESP, and tunnel mode.
SSL / TLS VPN	Layer 7 (Application)	Provides secure browser-based or client-based access for remote users	✅ Yes	Remote-access VPN via HTTPS	Runs over TCP 443; “clientless” option needs only a web browser.
GRE (Generic Routing Encapsulation)	Layer 3 (Encapsulation)	Encapsulates any Layer 3 protocol (IPv4, IPv6, multicast) into IP	❌ No	Tunnel to carry routing protocols or multicast	No encryption; often paired with IPsec → GRE over IPsec.
GRE over IPsec	Layer 3 + Security	Combines GRE flexibility with IPsec security	✅ Yes	Secure site-to-site tunnel supporting dynamic routing	GRE handles multiprotocol; IPsec adds confidentiality & integrity.
MPLS VPN	Between L2 & L3 (Service-Provider Core)	Creates private WAN using label switching (not encryption)	⚠️ No (private by design)	Enterprise WAN via ISP (e.g., carrier-managed VPN)	Conceptual only for CCNA — know it’s provider-managed, not customer-configured.
Remote-Access IPsec VPN	Layer 3	Individual user connects to network via IPsec client	✅ Yes	Work-from-home or mobile users	Uses software client; authenticates via pre-shared key or cert.

---

🧩 Key Exam Takeaways

• VPN = secure tunnel over an untrusted network.

• IPsec = encryption + authentication + integrity.

• SSL/TLS = application-layer encryption (browser-based).

• GRE = tunneling without encryption.

• GRE over IPsec = GRE’s flexibility + IPsec’s security.

• MPLS VPN = carrier-provided separation (no encryption).