📘 CCNA 200-301 v1.1
5.5 Describe IPsec Remote Access and Site-to-Site VPNs
🔹 What is a VPN (Virtual Private Network)?
A VPN (Virtual Private Network) is a secure tunnel that allows data to travel safely over an untrusted network, such as the Internet.
It provides confidentiality, integrity, and authentication for data moving between two devices or networks.
Without a VPN, when data travels through the Internet, it can be intercepted or altered.
A VPN solves this by encrypting the data and securing the communication between the endpoints.
🔹 Two Main Types of VPNs in the CCNA Exam
- Site-to-Site VPN
- Remote Access VPN
Let’s explain both in detail.
🏢 1. Site-to-Site VPN
🔸 Definition
A site-to-site VPN connects entire networks (sites) together over the Internet.
For example:
- One VPN connects a Head Office network to a Branch Office network securely.
Both routers (or firewalls) act as VPN gateways that handle encryption and decryption.
🔸 Key Characteristics
| Feature | Description |
|---|---|
| Connection Type | Permanent or always-on connection between sites |
| Endpoints | Routers or firewalls |
| User Interaction | None (automatic tunnel between sites) |
| Purpose | To securely connect LAN-to-LAN over the Internet |
| Protocols Used | Typically uses IPsec for encryption and security |
🔸 How It Works (Step-by-Step)
- VPN tunnel setup:
The routers at both sites negotiate a secure tunnel using IPsec. - Data encryption:
Data leaving Site A is encrypted by the router before sending it across the Internet. - Transmission:
The encrypted data travels through the Internet. - Decryption:
The receiving router at Site B decrypts the data and delivers it inside the LAN.
This way, data travels securely even though the Internet is being used.
🔸 Common Use Cases
- Connecting branch offices to main offices securely.
- Linking data centers in different cities.
- Intranets of the same organization.
💻 2. Remote Access VPN
🔸 Definition
A remote access VPN allows individual users (such as employees working from home or on travel) to securely connect to the corporate network over the Internet.
The connection is made from the user’s computer or device to a VPN gateway (router or firewall) at the company.
🔸 Key Characteristics
| Feature | Description |
|---|---|
| Connection Type | On-demand (user-initiated) |
| Endpoints | Client device ↔ VPN gateway |
| User Interaction | User must start VPN connection and authenticate |
| Purpose | Securely connect a single remote user to the internal network |
| Protocols Used | Uses IPsec or SSL/TLS depending on VPN type |
🔸 How It Works (Step-by-Step)
- User connects to the Internet.
The remote user connects from home or another location. - VPN client software runs.
The user opens a VPN client (like Cisco AnyConnect or Windows built-in VPN). - Authentication.
The user enters credentials (username/password, certificates, or multifactor authentication). - Tunnel establishment.
The client and VPN gateway negotiate a secure IPsec tunnel. - Data transmission.
All traffic between the user and company is encrypted and secured.
🔸 Common Use Cases
- Employees working remotely.
- Network administrators managing devices from outside.
- Contractors connecting temporarily to the network.
🔐 Understanding IPsec (Internet Protocol Security)
🔸 What is IPsec?
IPsec is a suite (collection) of protocols used to secure IP communication by authenticating and encrypting each IP packet.
It is the most common protocol for creating VPNs.
🔸 IPsec Core Functions
| Security Function | Description |
|---|---|
| Confidentiality | Encrypts data so only authorized parties can read it |
| Integrity | Ensures data is not changed during transit |
| Authentication | Verifies that the data comes from a trusted source |
| Anti-Replay | Prevents attackers from reusing old captured packets |
🔸 IPsec Components
- Protocols used:
- AH (Authentication Header): Provides integrity and authentication, no encryption.
- ESP (Encapsulating Security Payload): Provides encryption, integrity, and authentication — most commonly used.
- Modes of Operation:
- Transport Mode: Encrypts only the data (payload) of the IP packet.
Used between end devices. - Tunnel Mode: Encrypts the entire IP packet and adds a new IP header.
Used for VPNs between networks (like routers/firewalls).
🔹 In remote access VPNs, both modes can be used depending on the setup. - Transport Mode: Encrypts only the data (payload) of the IP packet.
🔸 IPsec Framework – The Two Phases
- Phase 1 – IKE (Internet Key Exchange) Phase 1
- Builds the first secure channel between VPN peers.
- Authenticates the peers.
- Establishes a secure method for exchanging keys.
- Creates the ISAKMP (Internet Security Association and Key Management Protocol) tunnel.
- Phase 2 – IKE Phase 2
- Uses the secure channel from Phase 1.
- Negotiates IPsec security associations (SAs).
- Defines how data will be protected (encryption & hashing methods).
- Sets up the actual IPsec tunnel for data transfer.
🔸 Encryption and Hashing in IPsec
| Function | Common Algorithms |
|---|---|
| Encryption | AES, DES, 3DES |
| Hashing (Integrity) | SHA, MD5 |
| Authentication | Pre-shared keys, digital certificates |
| Key Exchange | Diffie-Hellman (DH) algorithm |
⚙️ Comparison Summary: Site-to-Site vs Remote Access VPN
| Feature | Site-to-Site VPN | Remote Access VPN |
|---|---|---|
| Purpose | Connects entire networks | Connects individual users |
| Endpoints | Router/Firewall ↔ Router/Firewall | Client device ↔ VPN Gateway |
| Connection Type | Always-on | User-initiated |
| Scalability | Good for many sites | Good for many remote users |
| Setup Complexity | Higher (network-based) | Easier (user-based) |
| IPsec Mode | Tunnel Mode | Tunnel or Transport Mode |
🔒 Why Use IPsec VPNs?
Because they:
- Secure sensitive traffic over the Internet.
- Provide encrypted communication between branches or users.
- Reduce costs compared to private leased lines.
- Maintain confidentiality and trust across untrusted networks.
🧠 Summary for CCNA Exam
Be sure you understand:
When each VPN type is used in an IT network.
The difference between site-to-site and remote access VPNs.
The main IPsec functions: encryption, authentication, integrity, anti-replay.
IPsec modes (Transport vs Tunnel).
IKE Phases 1 & 2 purpose.
The common algorithms used in IPsec.
