VPN & Tunneling
Body of Knowledge
| Topic | Description | Relevance | Career Tracks |
|---|---|---|---|
| IPsec Fundamentals | Security associations, IKE phases (1/2), ESP vs AH, tunnel vs transport mode, encryption algorithms (AES-GCM), PFS. | Critical | Network Engineer, Security Engineer |
| Site-to-Site IPsec VPN | Policy-based vs route-based tunnels, crypto maps, VTI, traffic selectors, redundancy with IPsec failover, troubleshooting. | Critical | Network Engineer, Security Engineer |
| IKEv2 | Improved key exchange, EAP integration, MOBIKE for mobility, simplified negotiation, asymmetric authentication, anti-DoS cookies. | High | Network Engineer, Security Engineer |
| WireGuard | Modern VPN protocol, ChaCha20-Poly1305 encryption, minimal attack surface, UDP-based, cryptokey routing, performance advantages. | High | DevOps Engineer, SRE, Network Engineer |
| Tailscale/Headscale | WireGuard-based mesh VPN, zero-config connectivity, ACL policies, MagicDNS, exit nodes, subnet routing, SSO integration. | High | DevOps Engineer, SRE, Systems Administrator |
| DMVPN | Dynamic Multipoint VPN, NHRP, hub-and-spoke to spoke-to-spoke tunnels, OSPF/EIGRP over DMVPN, phases 1/2/3. Cisco proprietary. | Medium | Network Engineer (Cisco) |
| SD-WAN Fundamentals | Application-aware routing, transport independence, centralized orchestration, policy-based traffic steering, SaaS optimization. | High | Network Engineer, Network Architect |
| Cisco SD-WAN (Viptela) | vManage/vSmart/vBond/vEdge architecture, control and data policies, OMP routing, secure tunnels, analytics. | Medium | Network Engineer (Cisco) |
| SSL/TLS VPN | Remote access via HTTPS, clientless vs AnyConnect-style, portal-based access, split tunneling, posture assessment. | High | Network Engineer, Security Engineer |
| GRE Tunnels | Generic Routing Encapsulation, multiprotocol support, GRE over IPsec, keepalives, MTU considerations, PMTUD. | Medium | Network Engineer |
| MPLS L3VPN | Provider-edge VPN, VRF, route distinguishers, route targets, MP-BGP for VPNv4, inter-AS options. WAN connectivity. | Medium | ISP Engineer, Network Architect |
| Overlay Networking | SDN overlays, VXLAN tunneling, Geneve, network virtualization, multi-tenancy, underlay/overlay separation. | High | Cloud Network Architect, Data Center Engineer |
Personal Status
| Topic | Level | Evidence | Active Projects | Gaps |
|---|---|---|---|---|
| VPN / IPsec | Advanced | Site-to-site IPsec tunnels on VyOS; Tailscale mesh VPN across all lab nodes and mobile; WireGuard configuration; understand IKEv2 negotiation | | No DMVPN, no FlexVPN, no GETVPN — Cisco proprietary VPN technologies |
| Tailscale | Advanced | Mesh VPN connecting all lab nodes, CHLA laptop, mobile devices; ACL policy management, exit nodes, subnet routing, MagicDNS integration | | No Headscale self-hosted, no custom DERP relay deployment |