By definition, per RFC 2828, a VPN is "a restricted-use, logical (i.e., artificial or simulated) computer network that is constructed from the system resources of a relatively public, physical (i.e., real) network (such as the Internet), often by using encryption (located at hosts or gateways), and often by tunneling links of the virtual network across the real network."
Stated more simply, a VPN can be defined as
Virtual: Logical networks, independent of physical architecture.
Private: Independent of IP addressing and routing schemes (noncryptographic approaches); providing confidentiality, message integrity, authentication, and privacy (cryptographic approaches).
Network: Interconnected computers, devices, and resources grouped to share information.
A VPN carries private traffic over a public or shared infrastructure (such as the Internet). The most common and effective VPN technology is applied at the network layer of the OSI model to encrypt traffic flow among specific users, applications, or IP subnet pairs. VPN at the network layer is transparent to intermediate network devices and independent of network topology.
VPN designs can be constructed in a variety of scenarios. The most common deployment scenarios are
Internet VPN: The most common application that protects private communications over the shared (insecure) public access Internet.
Intranet VPN: Protection for private communications within an enterprise or organization that may or may not involve traffic traversing a WAN.
Extranet VPN: Protection for private communications between two or more separate entities that may involve data traversing the Internet or some other WAN medium.
In all cases, the VPN consists of two endpoints that may be represented by routers, firewalls, or individual client workstations or servers.
VPNs employ cryptographic and noncryptographic approaches to create secure communication over insecure channels.
Cryptographic VPN technologies include
IP Security (IPsec)
Generic Routing Encapsulation (GRE): (Protected by IPsec)
Point-to-Point Tunneling Protocol (PPTP): (Protected by MPPE: Microsoft Point-to-Point Encryption Protocol, see RFC 3078)
Noncryptographic VPN technologies include
Multiprotocol Label Switching (MPLS VPN): (Protected by L2VPN and L3VPN)
Generic Routing Encapsulation (GRE) or IP-in-IP Tunneling
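To make the cryptographic/noncryptographic distinction concrete, the following Python example (added here, not code from the book or from Cisco) builds an IPv4 packet, wraps it in a plain GRE tunnel (RFC 2784 base header), and parses the result back from the raw bytes. The tunnel endpoints and inner hosts are constructed sample addresses; the point is that a GRE or IP-in-IP tunnel on its own gives logical separation but leaves the inner addresses and payload readable to anyone on the path, which is why the book lists GRE under cryptographic VPNs only when it is protected by IPsec.

```python
import socket
import struct

# Constructed demo values (not from the book): RFC 5737 documentation prefixes
# for the tunnel endpoints, RFC 1918 addresses for the private inner hosts.
GRE_PROTO = 47            # IP protocol number carried in the outer header
ETHERTYPE_IPV4 = 0x0800   # GRE "Protocol Type" for an IPv4 payload (RFC 2784)

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options; checksum left as zero for the demo)."""
    ver_ihl = (4 << 4) | 5                      # version 4, IHL = 5 words
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def gre_encapsulate(inner_packet, outer_src, outer_dst):
    """Wrap an IPv4 packet in a GRE tunnel: outer IP header + 4-byte GRE header + inner packet."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # C=0, reserved=0, version=0; type=IPv4
    outer = ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre) + len(inner_packet))
    return outer + gre + inner_packet

def parse_gre(packet):
    """Read outer/inner addresses and inner payload straight from the wire bytes.
    No key is needed: a plain GRE tunnel gives logical separation, not confidentiality."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("outer header is not GRE")
    outer_src, outer_dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    _flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE payload type 0x%04x" % ptype)
    inner = packet[ihl + 4:]
    inner_ihl = (inner[0] & 0x0F) * 4
    inner_src, inner_dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    return outer_src, outer_dst, inner_src, inner_dst, inner[inner_ihl:]

def demo():
    """Build one tunneled packet and show what an on-path observer sees without any key."""
    data = b"secret report"
    inner = ipv4_header("10.1.1.10", "10.2.2.20", 17, len(data)) + data   # 17 = UDP
    pkt = gre_encapsulate(inner, "203.0.113.1", "198.51.100.2")
    return parse_gre(pkt), data in pkt

if __name__ == "__main__":
    (osrc, odst, isrc, idst, payload), visible = demo()
    print("outer %s -> %s, inner %s -> %s, payload %r, readable=%s"
          % (osrc, odst, isrc, idst, payload, visible))
```

With IPsec ESP in tunnel mode, the same inner packet would sit inside an encrypted ESP payload, so `parse_gre`-style inspection of the outer bytes would yield neither the inner addresses nor the payload.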
The next chapter will cover details of IPsec VPNs with a focus on Cisco VPN solutions that use cryptographic approaches. This chapter builds the foundation of cryptographic algorithms and protocols, which is required before moving on to the IPsec VPN solutions in the next chapter.