Understand Remote Access VPN Options

Learn about IPSec VPN and SSL VPN options and the pros and cons of each.

IPSec VPN

IPSec VPN is a layer 3 protocol that communicates over IP protocol 50, Encapsulating Security Payload (ESP). It might also require UDP port 500 for Internet Key Exchange (IKE) to manage encryption keys, and UDP port 4500 for IPSec NAT-Traversal (NAT-T). Sometimes, if the UDP ports are blocked, VPN devices try to use TCP port 500 and TCP port 4500.

Because so many Phase 1 and Phase 2 settings must match on both ends, it can be difficult to get two different vendors to establish a stable and scalable tunnel. Also, some vendors might support only route-based or policy-based tunnels. The best practice is to use the same vendor on both ends of the IPSec tunnel.

IPSec VPN has the following pros and cons.

Pros:
  • Quick to deploy
  • Built-in encryption and authentication
  • Site-to-site tunnels can stay up as long as interesting traffic flows across the links
  • Security algorithms are refreshed over time
  • Can establish connectivity over existing internet connections
  • IKEv2 enables better support for NAT-T and public cloud connectivity use cases
Cons:
  • Interoperability issues make it challenging to get stable connectivity
  • Requires dedicated hardware, software clients, or both to enable connectivity
  • Because the entire payload is encrypted, Path MTU Discovery should be enabled to ensure that packets are not being fragmented
  • Complexity of the protocol can make troubleshooting difficult
  • Access lists or route filtering is required to restrict network access

SSL VPN

SSL VPNs operate at OSI layer 4, the application layer. As a result, clients and servers can connect to each other more easily. TCP port 443 is open on many web servers across the internet, and most network-based firewalls permit TCP port 80 (HTTP) and TCP port 443 (HTTPS/SSL) to enable web-based traffic.

SSL VPN has the following pros and cons.

Pros:
  • No client software required
  • SSL/TLS is standardized between most vendors and applications
  • Supported by most web browsers
  • Server-side certificates can be centrally managed
  • Can build tunnels to specific applications rather than the entire network
Cons:
  • Optional user authentication (versus built-in with IPSec)
  • Can access only web-based applications unless you enable Java/ActiveX controls
  • Can be processor-intensive, which leads to poor performance under high loads
  • Often permit VPN split tunneling features, which attackers can exploit, especially when combined with weak web browser security settings
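The protocol and port facts from both sections (ESP as IP protocol 50, IKE on UDP 500, NAT-T on UDP 4500, the TCP 500/4500 fallback, and TCP 443 for SSL/TLS VPNs) are enough to sort flow records into VPN components and to spot an IPSec peer that negotiated IKE but never passed data. The following is an added example, not code from the original page; the flow records are constructed, and the record format (src,dst,ip_proto,dst_port,bytes) is an assumption.

```python
from collections import Counter

# Constructed sample flow records (not real traffic): "src,dst,ip_proto,dst_port,bytes".
SAMPLE_FLOWS = """\
198.51.100.10,203.0.113.5,50,0,48210
198.51.100.10,203.0.113.5,17,500,1412
198.51.100.10,203.0.113.5,17,4500,39120
198.51.100.22,203.0.113.5,6,4500,820
198.51.100.31,203.0.113.5,17,500,900
192.0.2.7,203.0.113.9,6,443,91000
192.0.2.7,203.0.113.9,6,80,2200
"""
IPSEC_PORTS = {500: "IKE", 4500: "IPSec NAT-T"}  # UDP normally; TCP as a fallback

def classify_flow(proto: int, dst_port: int) -> str:
    """Map one flow's IP protocol and destination port to a VPN component name."""
    if proto == 50:
        return "IPSec ESP"
    if proto == 17 and dst_port in IPSEC_PORTS:
        return IPSEC_PORTS[dst_port]
    if proto == 6 and dst_port in IPSEC_PORTS:
        # Some devices fall back to TCP 500/4500 when the UDP ports are blocked.
        return IPSEC_PORTS[dst_port] + " over TCP (UDP fallback)"
    if proto == 6 and dst_port == 443:
        return "SSL/TLS VPN or HTTPS"
    return "other"

def parse_flows(text: str):
    """Yield (src, dst, proto, dst_port, bytes) from the CSV-style records."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            src, dst, proto, port, nbytes = line.split(",")
            yield src, dst, int(proto), int(port), int(nbytes)

def summarize(text: str) -> dict:
    """Count flows per VPN component so an operator sees which pieces are present."""
    return dict(Counter(classify_flow(p, d) for _, _, p, d, _ in parse_flows(text)))

def peers_missing_data_plane(text: str) -> set:
    """Peer pairs that exchanged IKE but carried no ESP or NAT-T: the tunnel
    negotiated but passed no data, or a filter is dropping protocol 50 / port 4500."""
    ike, data = set(), set()
    for src, dst, proto, port, _ in parse_flows(text):
        kind = classify_flow(proto, port)
        if kind.startswith("IKE"):
            ike.add((src, dst))
        elif "ESP" in kind or "NAT-T" in kind:
            data.add((src, dst))
    return ike - data
```

Running summarize() and peers_missing_data_plane() over real flow exports gives a quick check of which IPSec components a firewall actually lets through before digging into Phase 1 and Phase 2 settings.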