1. PPTP/L2TP + Windows built-in software - simple to configure, CAN use Internet while using VPN router
2. IPSec (EZVPN) + Cisco VPN Client software - relatively simple to set up, VPN traffic via VPN router, Internet traffic via local router (by enabling Split Tunnelling)
3. Web SSL VPN + NO software needed - complicated to set up, flexible, can send ALL traffic to VPN router (or offload Internet traffic via local router), can bypass firewalls because it uses HTTPS; this is the future.
Web SSL VPN delivers the following three modes of SSL VPN access:
• Clientless - Clientless mode provides secure access to private web resources and will provide access to web content. This mode is useful for accessing most content that you would expect to access in a web browser such as Internet access, web-based intranet, webmail etc.
• Thin Client (port-forwarding Java applet) - Thin client mode extends the capability of the cryptographic functions of the web browser to enable remote access to TCP-based applications such as Post Office Protocol version 3 (POP3), Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP), Telnet and Secure Shell (SSH).
• Tunnel Mode (AnyConnect Secure Mobility Client) - Full tunnel client mode offers extensive application support through its dynamically downloaded Cisco AnyConnect VPN Client (next-generation SSL VPN Client) for SSL VPN. Full tunnel client mode delivers a lightweight, centrally configured and easy-to-support SSL VPN tunneling client that provides network layer access to virtually any application.
The advantage of SSL VPN comes from its accessibility from almost any Internet-connected system without needing to install additional desktop software.
Port reference
- IP Protocol ID 50: For both inbound and outbound filters. Should be set to allow Encapsulating Security Protocol (ESP) traffic to be forwarded.
- IP Protocol ID 51: For both inbound and outbound filters. Should be set to allow Authentication Header (AH) traffic to be forwarded.
- UDP Port 500: For both inbound and outbound filters. Should be set to allow ISAKMP traffic to be forwarded.
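One way to audit filters against this port reference, as an added example that is not part of the original notes: the script reads a simplified Cisco IOS-style extended ACL, applies first-match evaluation with the implicit deny at the end, and reports which of the three flows would not be forwarded. It assumes entries of the form `permit|deny <proto> any any [eq <port>]` only; the ACL text, ACL name and function names are constructed for illustration.

```python
import re

# Flows the port reference requires: name -> (IP protocol number, UDP port or None)
REQUIRED = {"ESP (IP protocol 50)": (50, None),
            "AH (IP protocol 51)": (51, None),
            "ISAKMP (UDP 500)": (17, 500)}
PROTO = {"ip": None, "esp": 50, "ahp": 51, "udp": 17, "tcp": 6}  # None = any protocol
PORT = {"isakmp": 500}
ENTRY = re.compile(r"(?:\d+\s+)?(permit|deny)\s+(\S+)\s+any\s+any(?:\s+eq\s+(\S+))?$")

def parse_acl(text):
    """Parse 'permit|deny <proto> any any [eq <port>]' entries, keeping their order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not re.match(r"(\d+\s+)?(permit|deny)\b", line):
            continue  # ACL header, remark or blank line
        m = ENTRY.match(line)
        if not m or not (m.group(2) in PROTO or m.group(2).isdigit()):
            raise ValueError("entry outside the supported subset: " + raw.strip())
        action, proto, port = m.groups()
        proto_n = PROTO[proto] if proto in PROTO else int(proto)
        port_n = None if port is None else PORT.get(port) or int(port)
        entries.append((action, proto_n, port_n))
    return entries

def verdict(entries, proto, port):
    """First matching entry decides; an IOS ACL ends with an implicit deny."""
    for action, e_proto, e_port in entries:
        if e_proto in (None, proto) and e_port in (None, port):
            return action
    return "deny"

def missing_ipsec_flows(acl_text):
    """Names of the required flows this filter would not forward."""
    entries = parse_acl(acl_text)
    return [name for name, (proto, port) in REQUIRED.items()
            if verdict(entries, proto, port) != "permit"]

def audit(filters):
    """Check every filter, e.g. {'inbound': ..., 'outbound': ...}."""
    return {name: missing_ipsec_flows(text) for name, text in filters.items()}

# Constructed sample filters (not taken from any real device)
SAMPLE_INCOMPLETE = ("ip access-list extended OUTSIDE-IN\n permit udp any any eq isakmp\n"
                     " permit esp any any\n deny ip any any\n")
SAMPLE_COMPLETE = ("ip access-list extended OUTSIDE-IN\n permit esp any any\n"
                   " permit ahp any any\n permit udp any any eq 500\n deny ip any any\n")
```

Entries that use host or network addresses raise `ValueError` rather than being skipped, so an unsupported line cannot silently change the verdict.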