Definition of an IPSec tunnel

The purpose of a Virtual Private Network is to allow the secure transmission of traffic over a non-secure network. To accomplish this, the firewall feature uses a standard called IPSec (IP Security Architecture).

Unlike many application-layer security protocols (such as SOCKS, SSH or S-HTTP), IPSec is implemented on the network layer, within the IP protocol stack. This means that all IP-based network traffic may be transmitted securely, without any application software needing to be aware of the process.

An IPSec tunnel is a bidirectional, secure logical connection between two systems. IPSec tunnels are the means by which Virtual Private Networks are established. Traffic transmitted through an IPSec tunnel is cryptographically protected by IPSec, which provides the necessary security while the traffic crosses an untrusted network.

There are three general scenarios in which IPSec tunnels are used:

The basic principles of configuring and establishing IPSec tunnels are the same in all three scenarios.

Note that it is also possible to combine these scenarios by nesting tunnels inside other tunnels; in effect, establishing one VPN inside another.
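To make the definition above concrete, here is a small model of what a tunnel does to a packet, and of what nesting one tunnel inside another looks like. This is an added illustration written for this page, not code from the firewall product or from the IPSec standard: it uses a dictionary as a stand-in for an IP packet, a pre-shared key per tunnel (assumed here; real IPSec negotiates keys and uses the AH/ESP packet formats), and an HMAC-SHA256 integrity check in place of the real IPSec headers. The host and gateway names are constructed sample values.

```python
import hashlib
import hmac
import json

# A simplified "IP packet": source, destination, protocol and payload.
# This is a stand-in for illustration only, not a real IP header layout.
def make_packet(src, dst, proto, payload):
    return {"src": src, "dst": dst, "proto": proto, "payload": payload}

def _encode(pkt):
    return json.dumps(pkt, sort_keys=True).encode()

def _decode(raw):
    return json.loads(raw.decode())

class Tunnel:
    """A bidirectional tunnel between two endpoints sharing a key (assumption:
    pre-shared key; real IPSec derives keys by negotiation).  In tunnel mode the
    whole original packet becomes the payload of a new outer packet whose
    addresses are the tunnel endpoints, so the application never sees it."""

    def __init__(self, end_a, end_b, key):
        self.ends = (end_a, end_b)
        self.key = key

    def _tag(self, src, dst, inner):
        # Integrity tag over the outer addresses and the encapsulated packet,
        # playing the role of the IPSec authentication data.
        msg = src.encode() + b"|" + dst.encode() + b"|" + inner
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def encapsulate(self, inner_pkt, sender):
        if sender not in self.ends:
            raise ValueError("sender is not an endpoint of this tunnel")
        receiver = self.ends[1] if sender == self.ends[0] else self.ends[0]
        inner = _encode(inner_pkt)
        body = {"inner": inner.hex(), "tag": self._tag(sender, receiver, inner)}
        return make_packet(sender, receiver, "TUNNEL", body)

    def decapsulate(self, outer_pkt, receiver):
        # Reject anything that is not tunnel traffic addressed to this endpoint.
        if (outer_pkt["proto"] != "TUNNEL" or outer_pkt["dst"] != receiver
                or outer_pkt["src"] not in self.ends):
            raise ValueError("not a tunnel packet for this endpoint")
        inner = bytes.fromhex(outer_pkt["payload"]["inner"])
        expected = self._tag(outer_pkt["src"], outer_pkt["dst"], inner)
        # Constant-time comparison; a modified packet is dropped here.
        if not hmac.compare_digest(expected, outer_pkt["payload"]["tag"]):
            raise ValueError("integrity check failed")
        return _decode(inner)

# Constructed sample topology: host_a sits behind gw_a, host_b behind gw_b.
HOST_TUNNEL = Tunnel("host_a", "host_b", b"host-to-host-key")   # inner VPN
GW_TUNNEL = Tunnel("gw_a", "gw_b", b"gateway-to-gateway-key")    # outer VPN

def nested_roundtrip():
    """Send an application packet through a host tunnel nested inside a
    gateway tunnel, then unwrap it in the reverse order at the far side."""
    original = make_packet("host_a", "host_b", "TCP", "GET /index.html")
    hop1 = HOST_TUNNEL.encapsulate(original, "host_a")   # host_a -> host_b
    hop2 = GW_TUNNEL.encapsulate(hop1, "gw_a")           # gw_a -> gw_b wraps it again
    at_gw_b = GW_TUNNEL.decapsulate(hop2, "gw_b")        # outer tunnel peeled first
    at_host_b = HOST_TUNNEL.decapsulate(at_gw_b, "host_b")
    return at_host_b

def tamper_is_detected():
    """Flip one byte of the encapsulated packet in transit and confirm the
    receiving endpoint refuses it instead of delivering altered data."""
    original = make_packet("host_a", "host_b", "TCP", "GET /index.html")
    wrapped = GW_TUNNEL.encapsulate(original, "gw_a")
    hex_inner = wrapped["payload"]["inner"]
    flipped = ("1" if hex_inner[0] == "0" else "0") + hex_inner[1:]
    wrapped["payload"]["inner"] = flipped
    try:
        GW_TUNNEL.decapsulate(wrapped, "gw_b")
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(nested_roundtrip())
    print("tampering rejected:", tamper_is_detected())
```

The two points to take from the model are that the application packet is carried unchanged inside the tunnel packet (the application software is unaware of the tunnel), and that a nested tunnel is simply a tunnel packet that is itself the protected payload of another tunnel, so the layers are removed in the reverse order from that in which they were added.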
