From Layer 2 to Layer 3 and the Role of IPSec

A VPN (Virtual Private Network) allows private traffic to flow securely over shared or public networks by creating a virtualized communication path. VPNs come in many forms, and not all of them imply encryption. At its core, a VPN is about separation, not necessarily security, though many VPN technologies include robust encryption as a bonus.

Layer 3 VPNs

L3 VPNs operate at the network layer and are commonly used for site-to-site and remote access deployments. Common L3 VPN technologies include:

  • IPSec (for site-to-site and remote access)
  • SSL VPNs (often used for remote access)
  • IP VPNs, VRFs, GRE, PPTP, and others

These technologies enable the creation of isolated IP routing domains across a shared infrastructure and are frequently used by both enterprises and ISPs.

Layer 2 VPNs

L2 VPNs, on the other hand, operate at the data link layer. Technologies include:

  • VPLS (with XConnect or pseudowire)
  • VLANs (as the simplest form of L2 VPN)
  • MPLS, VXLAN, and PVLAN

These VPNs allow networks to extend Ethernet domains over WANs. MPLS is exceptionally versatile, as it can support both Layer 2 (via VPLS) and Layer 3 (via L3 VPN) functionality depending on the implementation.

Again, it’s worth noting: VPN ≠ encryption. For example, IP VPNs often provide isolation without encryption. Some VPN types do support encryption, integrity checking, and origin authentication, but these features aren’t inherent to all VPNs. IPSec is one of the few VPN protocols that is inherently security-focused at Layer 3, providing strong encryption together with integrity and authentication services.

The State of VPNs Before IPSec

Before IPSec became a standard, establishing an encrypted VPN between two private networks over a public network required both sides to manually coordinate key information, such as subnet details, encryption algorithms, and a shared symmetric key. This approach had critical flaws:

  • Security: Keys had to be manually exchanged out of band with no secure mechanism for delivery.
  • Integrity: There was no way to verify the true identity of the remote endpoint, which left connections vulnerable to impersonation attacks.

This lack of trust and automation severely limited the scalability of early VPN deployments.

IPSec Security Services

Enter IPSec, which addresses these issues head-on with a suite of built-in security services:

  • Access Control: Dictates what traffic is allowed, blocked, or inspected.
  • Anti-Replay Services: Prevents attackers from capturing and resending traffic by using sequence numbers.
  • Confidentiality: Encrypts data into an unreadable ciphertext using secure algorithms.
  • Connectionless Integrity: Verifies that data hasn’t been modified in transit using HMAC and integrity check values (ICV).
  • Data Origin Authentication: Confirms the true identity of the sender, ensuring that the traffic isn’t spoofed.
  • Traffic Flow Confidentiality (TFC): Obscures identifying details such as source and destination IPs, message length, or frequency, which is especially useful in tunnel mode where inner headers are encrypted.
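
Two of the services above, connectionless integrity and anti-replay, as an added Python example that is not part of the original article: an ESP-style receiver that verifies an HMAC integrity check value and keeps an RFC 4303-style sliding replay window, checking the sequence number before the ICV and updating the window only after the ICV verifies. The key, SPI, sequence numbers and payloads are constructed sample values, and encryption is deliberately not modelled.

```python
import hmac
import hashlib

# Added example (not from the original page): ESP-style receiver modelling
# connectionless integrity (HMAC ICV) and anti-replay (RFC 4303 sliding window).

class ReplayWindow:
    """Sliding receive window over ESP sequence numbers (default 64 wide)."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set means sequence number (top - i) was seen

    def check(self, seq):
        """True if seq is new: to the right of the window, or inside it and unseen."""
        if seq > self.top:
            return True
        if self.top - seq >= self.size:
            return False  # to the left of the window: too old, drop
        return ((self.bitmap >> (self.top - seq)) & 1) == 0

    def update(self, seq):
        """Advance or mark the window; call only after the ICV verified."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

def icv(key, spi, seq, payload):
    """HMAC-SHA-256 over SPI, sequence number and payload, truncated to 128 bits."""
    data = spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:16]

def build_packet(key, spi, seq, payload):
    """Sender side: attach the ICV to the (SPI, seq, payload) tuple."""
    return spi, seq, payload, icv(key, spi, seq, payload)

def receive(window, key, spi, seq, payload, tag):
    """Receiver order from RFC 4303: replay check, ICV check, then window update."""
    if not window.check(seq):
        return "drop: replay or outside window"
    if not hmac.compare_digest(icv(key, spi, seq, payload), tag):
        return "drop: bad ICV"  # window untouched, so the genuine packet can still arrive
    window.update(seq)
    return "accept"
```

Because a forged packet never advances the window, an attacker cannot use bad-ICV packets to push the window past sequence numbers that are still legitimately in flight.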

IPSec not only provides secure site-to-site connectivity but also supports remote access, VRF-aware VPNs, and complex deployments like L2L (LAN-to-LAN) VPNs. It’s a cornerstone of modern secure networking and remains one of the most widely deployed VPN technologies today.