Security Architecture · SY0-701 · Task 3.2

VPN and tunneling — SY0-701

CompTIA Security+ SY0-701: master VPN and tunneling — tunnel vs. transport mode, ESP, split tunneling, and the IPsec Security Association model.

WHAT IT IS

A virtual private network (VPN) is "a restricted-use, logical computer network constructed from system resources of a relatively public, physical network (such as the Internet), often by using encryption and tunneling links across the real network." (NIST SP 800-82r3, adapted from RFC 4949)

Tunneling is the mechanism underneath: "technology enabling one network to send its data via another network's connections. Tunneling works by encapsulating a network protocol within packets carried by the second network." (CNSSI 4009-2015)

Together, a VPN wraps traffic in an encrypted tunnel so that a logically private channel is carried across a public network.


Mental model

Think of tunneling as placing a sealed, addressed envelope inside a public postal envelope. The outer envelope carries it through the postal system; the inner envelope is invisible to anyone who only sees the outer. The outer header routes the packet; the inner header reveals the real source and destination only at the endpoints.

IPsec makes this concrete. Tunnel mode "creates an additional outer IP header for each protected packet." (NIST SP 800-77 Rev. 1) The entire original IP packet — including its original header — becomes the payload, and a new outer header governs routing. This matches the sealed-envelope model.

Transport mode, by contrast, "does not create an additional IP header for each protected packet." (NIST SP 800-77 Rev. 1) The original IP header remains; only the payload (and optionally some header fields) is protected.


When to use it

The exam frequently asks candidates to choose the right mode or identify a scenario. The cleanest frame is who the endpoints are and whether the original IP header must be hidden.

| Aspect                     | Tunnel mode                                | Transport mode                                        |
|----------------------------|--------------------------------------------|-------------------------------------------------------|
| Extra IP header?           | Yes — outer header added                   | No — original header kept                             |
| What is protected?         | Entire original IP packet                  | Payload of the original packet                        |
| Typical endpoints          | Security gateway ↔ security gateway        | Host ↔ host (end-to-end)                              |
| Use case                   | Site-to-site VPN across untrusted network  | Host-to-host communication within a protected network |
| Original header visibility | Hidden inside the tunnel                   | Visible in transit                                    |

RFC 4301 states that "an SA between two security gateways is typically a tunnel mode SA." Transport mode is "typically deployed between host pairs for end-to-end protection."

Split tunneling adds another decision layer. NIST SP 800-53 Rev. 5 defines it as "the process of allowing a remote user or device to establish a non-remote connection with a system and simultaneously communicate via some other connection to a resource in an external network." When split tunneling is enabled, only some traffic goes through the VPN; the rest flows directly to the internet. When it is disabled, all traffic is forced through the VPN.
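The split-tunneling distinction is easiest to see in the client's route table. The following added Python model (not code from the page or from any VPN product) builds the routes a client would hold under each setting and classifies sample destinations; the concentrator address, physical next hop, corporate prefixes and traffic sample are all constructed values.

```python
from ipaddress import ip_address, ip_network

# Constructed sample: the concentrator's public address, the physical next hop, and the
# corporate prefixes the concentrator pushes to clients. None of these are real systems.
VPN_GATEWAY = "203.0.113.10"
PHYSICAL_GW = "192.0.2.1"
CORPORATE_PREFIXES = ["10.0.0.0/8", "172.16.0.0/12"]

def client_routes(split_tunneling):
    """Model of the route table a VPN client ends up with: (prefix, interface, metric).
    The /32 host route keeps the concentrator reachable on the physical interface in both
    cases (the encrypted tunnel packets themselves must leave that way). Split tunnel adds
    only corporate prefixes; full tunnel adds a default route via tun0 with a better metric
    than the physical default, so everything else is forced through the VPN."""
    table = [(ip_network("0.0.0.0/0"), "eth0", 100),
             (ip_network(VPN_GATEWAY + "/32"), "eth0", 0)]
    pushed = CORPORATE_PREFIXES if split_tunneling else ["0.0.0.0/0"]
    table += [(ip_network(p), "tun0", 50) for p in pushed]
    return table

def egress(table, dst):
    """Longest-prefix match, ties broken by lowest metric; returns the egress interface."""
    dst = ip_address(dst)
    best = max((r for r in table if dst in r[0]), key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]

def audit(split_tunneling, destinations):
    """Classify destinations and list those that leave the host outside the VPN,
    i.e. the simultaneous corporate + uncontrolled-network condition NIST flags."""
    table = client_routes(split_tunneling)
    decisions = {d: egress(table, d) for d in destinations}
    bypass = [d for d, iface in decisions.items() if iface == "eth0" and d != VPN_GATEWAY]
    return decisions, bypass

# Constructed traffic sample: an internal file server, a public resolver, the concentrator.
SAMPLE = ["10.20.30.40", "198.51.100.53", VPN_GATEWAY]
```

With split tunneling on, the public resolver is reported as bypassing the VPN; with it off, only the concentrator itself is reached over the physical interface.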


What carries the protection: ESP and AH

Two IPsec security protocols do the actual work inside a tunnel or transport-mode SA:

  • ESP (Encapsulating Security Payload): "The core IPsec security protocol; can provide integrity protection and (optionally) encryption protection for packet headers and data." (NIST SP 800-77 Rev. 1) RFC 4301 notes that "most security requirements can be met through the use of ESP by itself."

  • AH (Authentication Header): Provides integrity and data origin authentication but not confidentiality. RFC 4301 notes that support for AH "has been downgraded to MAY" because ESP can replicate most of those security services.

The choice matters: only ESP can provide confidentiality (encryption). AH cannot encrypt.


Security Association model

A Security Association (SA) is "a set of values that define the features and protections applied to a connection." (NIST SP 800-77 Rev. 1) Per RFC 4301, an SA is a simplex ("one-way") construct — bidirectional communication requires a pair of SAs. Each SA is identified by a Security Parameters Index (SPI).
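To make the tunnel/transport distinction, the ESP framing and the per-SA SPI concrete, here is an added Python model (not code from the page or from any IPsec implementation). It builds a minimal IPv4 packet, applies a simplified ESP framing in each mode, and shows what a transit observer can read without the SA key. The cipher is a toy HMAC-based keystream standing in for a real ESP algorithm; the addresses, key and SPI values are constructed samples.

```python
import hmac, hashlib, struct
from ipaddress import IPv4Address

ESP_PROTO, NEXT_HDR_IPV4 = 50, 4     # IP protocol "ESP follows" (RFC 4303); ESP next-header "IPv4 inside"
KEY = b"constructed-demo-sa-key"     # constructed sample key for the demo SA, not a real key

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options; checksum left zero in this model)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def parse_ipv4(pkt):
    """Return (src, dst, protocol, payload) of a minimal IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20])), pkt[9], pkt[ihl:]

def toy_keystream(key, spi, seq, n):
    """Toy PRF keystream (HMAC-SHA256 in counter mode) standing in for a real ESP cipher."""
    blocks = (hmac.new(key, struct.pack("!IIQ", spi, seq, i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def esp_protect(key, spi, seq, plaintext, next_header):
    """ESP payload: (SPI, seq) header, encrypted data + next-header trailer, 16-byte ICV."""
    body = plaintext + bytes([next_header])
    ct = bytes(a ^ b for a, b in zip(body, toy_keystream(key, spi, seq, len(body))))
    esp = struct.pack("!II", spi, seq) + ct
    return esp + hmac.new(key, esp, hashlib.sha256).digest()[:16]

def ipsec_encapsulate(mode, pkt, spi, seq, gw_src=None, gw_dst=None):
    """Apply ESP in 'tunnel' (gateway-to-gateway) or 'transport' (host-to-host) mode."""
    src, dst, proto, payload = parse_ipv4(pkt)
    if mode == "tunnel":
        # The whole original packet, header included, becomes the ESP payload;
        # a new outer header carrying the gateway addresses does the routing.
        esp = esp_protect(KEY, spi, seq, pkt, NEXT_HDR_IPV4)
        return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp
    # Transport: original header stays (protocol field now ESP); only the payload is protected.
    esp = esp_protect(KEY, spi, seq, payload, proto)
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp

def on_the_wire(pkt):
    """What a transit observer without the SA key can read: outer addresses, protocol, SPI."""
    src, dst, proto, esp = parse_ipv4(pkt)
    return {"src": src, "dst": dst, "proto": proto, "spi": struct.unpack("!I", esp[:4])[0]}

# Constructed sample: host 10.1.1.10 sends TCP (proto 6) to 10.2.2.20; gateways 203.0.113.1 / 198.51.100.1.
ORIGINAL = ipv4_header("10.1.1.10", "10.2.2.20", 6, 5) + b"GET /"
TUNNEL = ipsec_encapsulate("tunnel", ORIGINAL, 0x1001, 1, "203.0.113.1", "198.51.100.1")
TRANSPORT = ipsec_encapsulate("transport", ORIGINAL, 0x2002, 1)
```

In tunnel mode the observer sees only the gateway addresses and the SPI; in transport mode the original host addresses stay visible while the payload is protected.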


COMMON MISCONCEPTION

The exam exploits candidates' tendency to conflate tunnel mode with encryption. Tunnel mode defines how the packet is encapsulated (a new outer header is added); it does not, by itself, specify that encryption is applied. Encryption is a service provided by ESP, not by tunnel mode itself. A tunnel-mode SA using only AH would encapsulate the packet without encrypting it.

The reverse trap also appears: candidates assume transport mode provides weaker security than tunnel mode. In reality, transport mode with ESP still provides confidentiality for the payload — the distinction is about header handling and endpoint type, not about the presence or absence of encryption.

A related misconception involves split tunneling: candidates sometimes assume that enabling a VPN means all traffic is protected. Split tunneling can create a condition where a device simultaneously holds a connection to a corporate network and an uncontrolled external network — precisely the scenario NIST SP 800-53 Rev. 5 flags in its definition. Disabling split tunneling is a control choice, not a default.


How it shows up on the exam

Security+ 3.2 targets security architecture decisions. For this concept, the cognitive target is applying knowledge to select or evaluate a tunneling configuration for a described scenario rather than simply recalling a definition.

Candidates are often asked to match a scenario description to the correct mode or configuration. Signal phrases to notice:

  • "gateway-to-gateway" or "site-to-site" → points toward tunnel mode between security gateways (RFC 4301 grounding)
  • "end-to-end between hosts" → points toward transport mode
  • "all traffic forced through VPN" vs. "some traffic goes directly to internet" → the split tunneling distinction (NIST SP 800-53 Rev. 5 grounding)
  • "confidentiality" as a requirement → points toward ESP rather than AH (NIST SP 800-77 Rev. 1 grounding)

A common error is selecting transport mode for a scenario where the original IP header must be hidden from the transit network — tunnel mode exists precisely to address that need, as expressed in RFC 4301's description of the outer/inner header structure.


Sources

Every claim on this page traces to the public exam blueprint and official documentation.
