A site-to-site IPsec VPN connection allows two or more remote private networks to be “merged” into a single network as shown in the following figure.

With RA VPN, the Vyatta router acts as a VPN server to a remote user with a client PC. A typical use for this capability is a traveling employee accessing the corporate network over the Internet. In this scenario, the remote employee's computer appears as another host on the corporate private subnet and is able to access all resources within that subnet. This scenario is shown in the following figure.

The Vyatta router RA VPN implementation supports the built-in Windows VPN client: Layer 2 Tunneling Protocol (L2TP)/IPsec VPN.

The Windows L2TP/IPsec client supports two IPsec authentication mechanisms:

• Pre-shared key (PSK), where the two IPsec peers can use a PSK to authenticate each other based on the assumption that only the other peer knows the key.
• X.509 certificates, which are based on public key cryptography—specifically, digital signatures.

The Vyatta router supports both pre-shared key and X.509 certificate authentication for L2TP/IPsec client; consequently, the Vyatta router supports two different RA VPN deployments:

• L2TP/IPsec authenticated with pre-shared key
• L2TP/IPsec authenticated with X.509 certificates