H1-----SG1=====R1=====INTERNET=====Rn=====SG2-----H2
Where:
H1 and H2 do not necessarily know about the internet and vice versa.
H1/SG1=====R1=====INTERNET=====Rn=====SG2-----H2
H1/SG1 knows about the internet, but H2 does not necessarily know about it, and vice versa. This could be used for accessing servers behind a firewall from a laptop user on the road.
H1/SG1=====R1=====INTERNET=====Rn=====SG2/H2
H1/SG1 and H2/SG2 do know about the internet. This could be a server-to-server connection or simply host-to-host.
H1-----SG1=====R1=====.....=====Rn=====SG2-----INTERNET
This allows a routable IP subnet to appear behind an SG to which that subnet could not previously be routed. This could be used to make branch offices of an organisation that are physically distant appear logically next door. It could also be used to loan some routable IP addresses to another site, or to conceal the true net-location of machines belonging to certain IP addresses.
H1-----SG1=====R1=====INTERNET======Rn=====SG2------H2
H1 and/or H2 have non-routable (RFC 1918) addresses which are masqueraded by SG1 and/or SG2, respectively. This prevents incoming internet access and allows outgoing internet access, while still providing Classical VPN functionality.