A light weight source-end defense architecture to protect IPsec VPN service from spoofing attack
Shunmuganathan S., , Palanichamy Y.
Published in International Information Institute Ltd.
2014
Volume: 17
Issue: 9B
Pages: 4545 - 4565
Abstract
The Internet acts as the backbone for the Virtual Private Network (VPN). Corporations connect their branch offices and their partners using the logical private network established using VPN. Sufficient network bandwidth and other resources must be reserved in order to provide uninterrupted and guaranteed VPN services through the Internet. The security features required to implement VPN are sufficiently provided by Internet Protocol Security (IPsec). The required characteristics like integrity, confidentiality and availability are provided by IPsec. However, the protection provided by the IPsec protocol extends only up to the network perimeter. The spoofed packet flooding attack directed towards the VPN cannot be prevented by the IPsec protocol on its own. VPN service can be degraded by such spoofed packets. These packets consume the bandwidth allocated to the VPN. They also affect the Quality of Service (QoS) defined in the Service Level Agreement (SLA) with the Internet Service Provider (ISP). VPN traffic can be protected from the bandwidth flooding attack through a cooperative defense mechanism at the Provider Edge (PE) and Customer Edge (CE) routers. In this paper, we recommend a lightweight cooperative defense architecture, Pass Encrypted Encapsulating Security Payload (PE-ESP), at the source end. This cooperative defense architecture enables the PE router to ascertain the legitimacy of the incoming packets in addition to performing access control decisions on the packets. We have simulated and analytically established the effectiveness of our PE-ESP architecture. © 2014 International Information Institute.
About the journal
Journal: Information (Japan)
Publisher: International Information Institute Ltd.
ISSN: 13434500
Open Access: No