
What is the difference between MPLS vs IPSec VPN?

What are the differences between MPLS vs IPSec VPN?

MPLS offers built-in privacy with comprehensive SLAs (Service Level Agreements) which include latency, jitter and uptime guarantees. Internet IPSec-based VPNs are quicker to deploy and offer SD WAN capability, with greater flexibility to access public cloud services via SaaS applications.

Written by Robert Sturt

Robert Sturt is Managing Director of Netify, an SD-WAN, SASE security & connectivity market network where you can login free to compare and shortlist vendors.


In the early 2000s, the IPSec-based VPN was the default service provider product offered within the telecoms marketplace. At its heart, the IPSec-based WAN enabled businesses to leverage a single public IP backbone (or the wider Internet) by encrypting data between their office sites and remote users.


The underlying platform worked well for the smallest business right up to the larger Enterprise multinational organisation. However, a new acronym arrived to disrupt the industry, a contender called MPLS (Multiprotocol Label Switching).

We've written previous articles on the evolution of MPLS and VPLS, but suffice to say that the protocol gives telcos the capability to traffic engineer their internal networks, enabling better use of their infrastructure and bandwidth (there are other benefits). For businesses, the benefits centred on some unique selling points that opened up the possibility of doing more with the WAN. Let us discuss why your organisation might select one technology over the other and why a hybrid of both services is becoming the norm.

The Internet vs Public IP


There is a clear distinction to be aware of here - not all IPSec VPN services are equal. The difference surrounds whether your organisation is provisioning WAN services across a single IP backbone or a mixture of multiple service providers. 

Fig 1 shows the potential latency impact of using multiple ISP connections.

MPLS VPN vs IPSec fig 1

The preference would always be to provision an IPSec VPN over a single backbone. When traffic traverses a single service provider, performance levels are more predictable, with assurances covering everything from traffic throughput to latency and support fix times. Conversely, traffic which traverses multiple networks is not predictable, resulting in application performance issues.

Comparing MPLS vs IPSec VPN


MPLS:

  • Private network
  • Connectionless any to any topology
  • Support for QoS (Quality of Service)
  • Granular per application service levels
  • Support for jitter, important for voice and data
  • End to end separation of traffic


IPSec VPN:

  • Leverage any Internet service connection, though a single backbone is recommended
  • Make use of all available connectivity from a home broadband circuit through to full 1Gbps Ethernet - providing a connection exists, you are good to go with fast start implementation and ease of setup
  • Access to the wide array of productised public cloud based products
  • Split tunneling allows access to both Internet and VPN across a single circuit

With the above in mind, the reasons for the explosive growth of MPLS services are clear.

1. Security

The privacy of MPLS VPN means there is no requirement to encrypt your business traffic unless added security is a requirement. Added encryption over MPLS is mostly found in financial and government institutions where maximum possible security is always of utmost importance. As a default setting, the majority of UK and global businesses find MPLS VPN security acceptable since each service provider customer's traffic is kept separate at the routing level via VRF tables.

IPSec is fundamentally designed to create secure tunnels through public Internet connectivity. There are a couple of key elements to be aware of when provisioning an Internet VPN. The first surrounds encryption. The current levels of encryption supported by algorithms such as AES mean that your data is inherently secure. IPSec can operate in VPN-only mode, which means any traffic outside of an authenticated endpoint will be dropped. The alternative is split tunnel mode, which allows companies to benefit from both secure tunnels and local Internet access. The downside? A firewall is required. Whether or not your IT team believe IPSec to be secure enough is open to opinion.
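The difference between VPN-only and split tunnel mode described above, as an added example that is not part of the original article: it classifies destinations by what happens to them in each mode and lists the ones that leave the site outside the tunnel, which is the traffic the firewall has to cover. The prefixes, addresses, mode labels and function names are constructed for illustration.

```python
import ipaddress

# Constructed policy: prefixes carried inside the IPSec tunnel (assumed values).
PROTECTED_PREFIXES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Constructed destinations seen at a branch site (documentation-range addresses).
SAMPLE_DESTINATIONS = ["10.20.1.5", "192.168.50.10", "203.0.113.25", "198.51.100.7"]


def classify(dst, mode):
    """Return 'tunnel', 'drop' or 'local-internet' for one destination address."""
    if mode not in ("vpn-only", "split-tunnel"):
        raise ValueError(f"unknown mode: {mode}")
    addr = ipaddress.ip_address(dst)
    # An address of the other IP version never matches a prefix.
    if any(addr in net for net in PROTECTED_PREFIXES):
        return "tunnel"
    # Outside the protected prefixes: VPN-only drops it, split tunnel
    # sends it straight out of the local Internet circuit.
    return "drop" if mode == "vpn-only" else "local-internet"


def audit(destinations, mode):
    """Group destinations by outcome so the unencrypted egress is visible."""
    result = {"tunnel": [], "drop": [], "local-internet": []}
    for dst in destinations:
        result[classify(dst, mode)].append(dst)
    return result


def firewall_exposure(destinations, mode):
    """Destinations that bypass the tunnel and therefore rely on the local firewall."""
    return sorted(audit(destinations, mode)["local-internet"])


if __name__ == "__main__":
    for mode in ("vpn-only", "split-tunnel"):
        print(mode, audit(SAMPLE_DESTINATIONS, mode))
```
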

2. Topology

One of the key original selling points of an MPLS WAN surrounded the any to any connectionless topology. The ability for every site to communicate with each other was a fundamental shift from legacy technologies such as Frame Relay hub and spoke deployments. On the flip side, an IPSec WAN is capable of any to any topology but at the cost of processing power. As the number of sites increases, the processor takes an additional hit where each new location requires a tunnel to every other site creating overhead. In this respect, an IPSec VPN is not as scalable when compared to an MPLS network architecture.


3. MPLS Application Priority - QoS (Quality of Service)

When MPLS hit the market, the marketing would have us believe that QoS (Quality of Service) was going to be the cure for all application performance woes. In short, QoS allows the Enterprise to protect their critical apps such as voice, video and Citrix (as an example). To help IT Managers relate the power of QoS back into business benefits, most SLAs reflect latency, jitter and throughput per QoS setting. As of writing this article, QoS is still a crucial aspect of WAN provision but is becoming less of a selling point where high-bandwidth Ethernet services avoid congestion issues. With this said, bandwidth is only part of the story, as using QoS enables us to predict and ensure performance. All organisations will have a varying experience, with some reporting Ethernet ISP bandwidth providing more than adequate performance and others stating that QoS was a miraculous network enhancing feature.

IPSec VPNs do not, as a rule, allow Quality of Service. As with everything in life, there is always an exception. This Cisco article explains how QoS is achieved within IPSec WAN deployments. However, I have personally not witnessed a public based VPN using QoS over IPSec. With this in mind, the general service provider implementation will not prioritise your applications, which means there is a level of trust required when provisioning services such as voice and video. In the majority of tier 1 ISP networks, we would be somewhat confident in the performance of delay-sensitive apps over national VPN deployments. In the Global space, it may be difficult to deploy an international IPSec VPN without using multiple provider backbones (as we mentioned at the beginning of this article), which would not be recommended unless your applications do not need to reach a certain level of performance. The Enterprise business will not trust any technology outside of private based QoS enabled VPN for their mission critical voice, video and commercial applications.

4. SLA (Service Level Agreements)

Our discussion on SLAs leads on from point 3 - QoS. A key fundamental difference between a public based VPN and private WAN surrounds the guarantees on performance and fix times. A private based MPLS network is more predictable from the perspective of service provider traffic usage. Therefore, the perception is that the core network is better engineered for current and future capacity. When combined with end to end application quality of service, the performance SLA can cover latency and jitter on a global basis. The public VPN will often provide latency service levels between global locations, but these are an average between regions rather than city areas. The fix times for both IPSec VPN and MPLS are similar in many respects, with each service provider offering flexible capability. When using multiple ISPs, the SLA will vary depending on each provider's ability.

5. Cloud based services

One of the biggest advantages of public based VPNs is access to the massive growth of productised cloud-based services. If you have recently read up on MPLS, you may have been surprised by blog posts suggesting the product's demise. In part, this is due to the growth of cloud services which are not widely available from closed off private VPN services. It is true that some MPLS service providers are offering cloud services, but these products are limited when compared to the wider Internet. The cloud is creating the resurgence of Internet and public WAN services as organisations rush to gain a competitive edge from new applications and increase in user productivity. Voice, video, collaboration, CRM, storage, backup and so forth are all available for a low monthly OPEX fee. The challenge for the Enterprise is to adopt the cloud while maintaining particular performance levels for intersite applications. As IPSec often operates in tunnel only mode (i.e. no split tunneling), the tunnel will need to terminate within a cloud provider's infrastructure. This way of working is highly prevalent and pretty much supported by most cloud services.

6. The Hybrid WAN outcome

The hybrid VPN is now a buzz topic in the industry alongside technologies such as SDN (Software Defined Networks). The hybrid capability allows businesses to procure a single circuit (or diverse circuits) into a hybrid WAN provider's network with access to MPLS, the Internet, Point to Point / Multipoint and so forth. The reasons why IPSec remains a traditional VPN method are clear, largely because of an ability to terminate connectivity over low-cost circuits including fast start solutions. The benefits of a private based MPLS capability are also clear, as we have discussed.

The hybrid solution allows organisations to take advantage of multiple connectivity types including ADSL broadband, 3G and 4G from one provider and one hardware device. While the MPLS vs VPN (IPSec) conundrum will always be a discussion point, the marketplace is moving forward allowing the best of both worlds in the form of hybrid connectivity.


Robert Sturt Last Updated: 22.10.2021