Monday, March 12, 2012

how to IPSec tunnel endpoints are the VPN client

In an end-to-end VPN, the IPSec tunnel endpoints are the VPN client and the enterprise VPN gateway. This means, as shown in Figure 2, that the inner IP header, the transmission control protocol (TCP) header, and the application payload are not visible at the IPSS. The IPSS is simply a router that routes packets based on the destination IP address on the outer IP header. Thus, the IPSS cannot provide any value-added services to client sessions.

In a network-based VPN, there are two IPSec tunnels, one from the VPN client to the IPSS and another from the IPSS to the enterprise VPN gateway. When a packet is received at the IPSS, the IPSS decrypts the inner IP header, the TCP header, and the application payload. These data are now available in the clear at the IPSS, as shown in Figure 3. The packet is then encrypted and put in an IPSec tunnel to the VPN gateway. The aggregation of traffic on IPSec tunnels from multiple clients onto one IPSec tunnel to the VPN gateway is itself a value-added service provided by the IPSS. In addition, by using information contained in the headers and the payload, the IPSS can provide other value-added services to the client session; these are described in the next section. The overhead incurred in providing these services is the cost of the decryption and encryption of packets at the IPSS.
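The difference in what the IPSS can see in each model, as an added sketch that is not part of the original post. It assumes a toy SHA-256 keystream as a stand-in for ESP encryption (not real IPSec cryptography), a simplified inner packet, and constructed addresses, keys and function names.

```python
import hashlib, socket, struct

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Toy stand-in for ESP encryption/decryption: XOR with a SHA-256 counter keystream.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + struct.pack(">I", i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def inner_packet(src, dst, sport, dport, payload: bytes) -> bytes:
    # Minimal inner IPv4 header (checksum left 0), TCP ports only, then the payload.
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 24 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack(">HH", sport, dport) + payload

def tunnel(outer_src, outer_dst, key, inner: bytes) -> dict:
    # The outer header stays in the clear; the whole inner packet is encrypted.
    return {"outer_src": outer_src, "outer_dst": outer_dst, "esp": keystream_xor(key, inner)}

def parse_inner(inner: bytes) -> dict:
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    sport, dport = struct.unpack(">HH", inner[20:24])
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "payload": inner[24:]}

def ipss_end_to_end(pkt: dict) -> dict:
    # The IPSS holds no tunnel key: it routes on the outer destination and sees nothing else.
    return {"route_to": pkt["outer_dst"], "visible": None}

def ipss_network_based(pkt, client_key, gw_key, ipss_addr, gw_addr):
    # The IPSS terminates tunnel 1, reads the inner packet in the clear,
    # then re-encrypts it into the shared tunnel 2 toward the VPN gateway.
    inner = keystream_xor(client_key, pkt["esp"])
    return parse_inner(inner), tunnel(ipss_addr, gw_addr, gw_key, inner)

if __name__ == "__main__":
    ck, gk = b"constructed-client-key", b"constructed-gateway-key"  # sample keys
    inner = inner_packet("10.0.0.5", "10.1.0.20", 40000, 443, b"GET /")
    print(ipss_end_to_end(tunnel("198.51.100.7", "203.0.113.1", ck, inner)))
    seen, out = ipss_network_based(tunnel("198.51.100.7", "192.0.2.1", ck, inner),
                                   ck, gk, "192.0.2.1", "203.0.113.1")
    print(seen, out["outer_src"], "->", out["outer_dst"])
```

In the network-based case every client's traffic leaves the IPSS with the same outer source and destination, which is the aggregation onto one tunnel, and each packet costs one decryption and one encryption at the IPSS.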
