Between two sites, what is the primary purpose of setting up IPsec VPNs?

Multiple Choice

Between two sites, what is the primary purpose of setting up IPsec VPNs?

Explanation:
IPsec VPNs secure traffic by encrypting and authenticating IP packets as they travel between sites, operating at the network layer. This means the protection covers all IP traffic across the VPN tunnel, not just data from a single application. In site-to-site deployments, the VPN encapsulates whole IP packets (often in tunnel mode), providing confidentiality and integrity for the payload and, if desired, authentication and anti-replay protection. Because it works at layer 3, IPsec protects multiple protocols and services running between networks, which is exactly what you want when linking two sites over an untrusted network.

Securing only application-layer data would rely on protocols like TLS, which protects specific applications rather than the entire IP stream. Replacing TLS for all web traffic isn’t the goal of IPsec, since TLS is designed for end-to-end application security. Monitoring traffic without encryption contradicts the purpose of a VPN, which is to protect data in transit through encryption.
