2.9 Configure and verify site-to-site and remote access VPN
📘CompTIA Security+ (SY0-701)
1. What Is a Site-to-Site VPN?
A Site-to-Site VPN is a secure connection between two different networks (sites) over an untrusted network, usually the Internet.
In an IT environment:
- One site could be a head office
- Another site could be a branch office
- Both sites have Cisco routers
- The routers create a secure encrypted tunnel
- Internal devices communicate as if they are on the same private network
The end devices do not know a VPN exists.
The routers handle everything.
2. Why Site-to-Site VPN Is Used
Site-to-Site VPN is used to:
- Secure data sent over the Internet
- Connect branch offices to headquarters
- Reduce the need for expensive private WAN links
- Protect traffic using encryption, authentication, and integrity
3. Key Characteristics (Exam Important)
- VPN is always on
- Tunnel is created router to router
- No user login is required
- Uses IPsec
- Transparent to end devices
- Works at Layer 3
4. Technologies Used in Cisco Site-to-Site VPN
Cisco IOS site-to-site VPN mainly uses:
1. IPsec (Internet Protocol Security)
Provides:
- Encryption – hides data
- Integrity – ensures data is not changed
- Authentication – verifies peers
- Anti-replay protection
5. IPsec VPN Architecture
IPsec Works in Two Main Phases
6. Phase 1 – IKE (Internet Key Exchange)
Phase 1 creates a secure management tunnel.
Purpose:
- Authenticate VPN peers
- Establish a secure channel
- Agree on encryption and hashing methods
Phase 1 Protocols
- IKEv1 (older, still tested)
- IKEv2 (newer, preferred)
Phase 1 Authentication Methods
- Pre-Shared Key (PSK)
  - Same password configured on both routers
  - Easy to configure
  - Common in exams
- Digital Certificates
  - Uses PKI and CA
  - More secure
  - Less common in basic exam questions
Phase 1 Parameters (Must Match on Both Routers)
- Encryption (AES, 3DES)
- Hashing (SHA-1, SHA-256)
- Authentication method
- Diffie-Hellman group
- Lifetime
7. Phase 2 – IPsec Tunnel
Phase 2 creates the actual data tunnel.
Purpose:
- Protect user traffic
- Encrypt packets
- Define what traffic is protected
Phase 2 Uses:
- IPsec Security Associations (SA)
- Transform Sets / Proposals
8. IPsec Protocols
1. ESP (Encapsulating Security Payload) – Most Important
Provides:
- Encryption
- Integrity
- Authentication
Used in almost all Cisco VPNs.
2. AH (Authentication Header)
Provides:
- Integrity
- Authentication
Does NOT provide encryption
Rarely used
9. Tunnel Modes
Tunnel Mode (Most Common)
- Encrypts entire original IP packet
- Used for site-to-site VPN
- Recommended and tested in exam
Transport Mode
- Encrypts only payload
- Rarely used in site-to-site
10. Traffic Selection – Interesting Traffic
Routers must know which traffic to encrypt.
This is defined using:
- Crypto ACL (Access Control List)
The ACL:
- Matches source and destination networks
- Determines what traffic goes into the VPN tunnel
Only traffic that matches the crypto ACL is encrypted.
11. Site-to-Site VPN Configuration Components (Exam Critical)
A typical Cisco IOS site-to-site VPN includes:
1. ISAKMP / IKE Policy (Phase 1)
Defines:
- Encryption
- Hash
- Authentication
- DH group
- Lifetime
2. Pre-Shared Key
Configured per peer IP address
3. IPsec Transform Set (Phase 2)
Defines:
- ESP encryption
- Hashing algorithm
- Tunnel mode
4. Crypto ACL
Defines interesting traffic
5. Crypto Map
Binds everything together:
- Peer IP
- Transform set
- ACL
Applied to the outgoing interface
12. High-Level Configuration Flow (No Commands Needed for Exam)
- Configure IKE Phase 1 policy
- Configure pre-shared key
- Configure IPsec Phase 2 proposal
- Define crypto ACL
- Create crypto map
- Apply crypto map to interface
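The six-step flow above as a worked Cisco IOS configuration for the head-office router, added here as an example and not taken from the original notes. It uses the IKEv1 ISAKMP/crypto-map style the component list describes; the addresses (203.0.113.1 and 203.0.113.2 as the router WAN IPs, 10.1.0.0/16 and 10.2.0.0/16 as the two LANs), the names VPN-TRAFFIC, TS and CMAP, and the key value are constructed placeholders; the branch router mirrors it with peer and networks swapped.

```cisco
! Step 1: IKE Phase 1 (ISAKMP) policy. Every value here must match the peer.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! Step 2: pre-shared key, bound to the peer's WAN address (constructed value).
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
!
! Step 3: IPsec Phase 2 transform set: ESP for encryption + integrity, tunnel mode.
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Step 4: crypto ACL = interesting traffic, head-office LAN to branch LAN only.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Step 5: crypto map binds peer, transform set and ACL together.
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address VPN-TRAFFIC
!
! Step 6: apply the crypto map to the outgoing (WAN) interface.
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map CMAP
!
! Routing still decides where the traffic goes; the crypto map only decides
! whether it is encrypted, so the branch LAN needs a route toward the WAN.
ip route 10.2.0.0 255.255.0.0 203.0.113.2
```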
13. Static vs Dynamic Site-to-Site VPN
Static VPN
- Peer IP address is fixed
- Most common
- Easier to configure
- Preferred in enterprise networks
Dynamic VPN
- Peer IP may change
- Uses dynamic crypto maps
- Less common in site-to-site
14. Routing and VPN
VPN does not replace routing.
- Routing decides where traffic goes
- VPN decides whether traffic is encrypted
Common routing methods:
- Static routes
- OSPF / EIGRP (over VPN)
15. NAT and Site-to-Site VPN
NAT Exemption (Important Concept)
- VPN traffic must not be translated
- NAT exemption ensures:
  - Traffic keeps original IPs
  - VPN encryption works correctly
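NAT exemption on a head-office router, as an added example not from the original notes: the PAT rule used for Internet access must deny the LAN-to-LAN traffic first so that it keeps its original addresses and still matches the crypto ACL. The addresses, interface names and the ACL name NAT-ACL are constructed; it assumes a crypto map is already applied on GigabitEthernet0/0 (outside) and the LAN sits on GigabitEthernet0/1.

```cisco
! NAT exemption: the deny line must come before the permit. On Cisco IOS,
! inside-to-outside NAT runs before the crypto map check, so without it
! 10.1.x.x sources would be rewritten to 203.0.113.1, the crypto ACL would
! no longer match, and the traffic would leave the router unencrypted.
ip access-list extended NAT-ACL
 deny   ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
 permit ip 10.1.0.0 0.0.255.255 any
!
! Overload (PAT) for everything the ACL still permits, i.e. Internet traffic.
ip nat inside source list NAT-ACL interface GigabitEthernet0/0 overload
!
interface GigabitEthernet0/1
 description Head-office LAN
 ip address 10.1.0.1 255.255.0.0
 ip nat inside
!
interface GigabitEthernet0/0
 description WAN / Internet (crypto map already applied here)
 ip nat outside
```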
16. Verification and Monitoring (Exam Focus)
Common Verification Commands (Conceptual)
- Check IKE Phase 1 status
- Check IPsec Phase 2 status
- Verify Security Associations
- Verify packet counters
- Verify encrypted/decrypted packets
Common Issues Seen in Exam Questions
- Phase 1 mismatch
- Phase 2 mismatch
- Incorrect crypto ACL
- NAT applied to VPN traffic
- Crypto map not applied to interface
- Peer IP incorrect
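The conceptual verification steps and the failure list above, mapped to the Cisco IOS show commands a practitioner would run on the router; this is an added example, not from the original notes, and it assumes a crypto ACL named VPN-TRAFFIC (a constructed name).

```cisco
! Phase 1 status. State QM_IDLE means the IKE SA is up. MM_NO_STATE, or no
! entry at all, points to a Phase 1 mismatch (policy values or PSK) or a
! wrong peer IP.
show crypto isakmp sa
!
! Phase 2 status and counters. Watch #pkts encaps / #pkts decaps:
! encaps growing while decaps stays at 0 usually means the return traffic
! is not being encrypted on the other side (their crypto ACL or NAT).
! No IPsec SA with Phase 1 up points to a transform-set mismatch or
! crypto ACLs that are not mirror images of each other.
show crypto ipsec sa
!
! Confirm the crypto map holds the expected peer, ACL and transform set,
! and that an interface is listed under "Interfaces using crypto map".
show crypto map
!
! Crypto ACL hit counts: a permit line with zero matches means no traffic
! is being classified as interesting (wrong ACL, or traffic routed elsewhere).
show access-lists VPN-TRAFFIC
!
! NAT check: LAN-to-LAN entries here mean NAT exemption is missing.
show ip nat translations
!
! Live troubleshooting of a failing Phase 1 negotiation; turn off afterwards.
debug crypto isakmp
undebug all
```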
17. Security Best Practices (Know for Exam)
- Use IKEv2 instead of IKEv1
- Use AES instead of DES/3DES
- Use SHA-256 instead of MD5
- Use strong PSK
- Limit interesting traffic
- Monitor VPN logs
18. How Site-to-Site VPN Fits in Enterprise Security
In a real IT environment:
- Connects remote offices securely
- Protects internal data
- Works with firewalls, ACLs, IDS/IPS
- Often combined with:
  - Routing protocols
  - Network segmentation
  - Centralized monitoring
19. Exam Summary – Must Remember
For CCNP Security 350-701, you must understand:
✔ What site-to-site VPN is
✔ Why it is used
✔ IPsec purpose
✔ Phase 1 vs Phase 2
✔ IKEv1 vs IKEv2
✔ ESP vs AH
✔ Tunnel mode
✔ Crypto ACL concept
✔ Crypto map role
✔ Verification concepts
✔ Common failure reasons
20. One-Line Exam Definition (Very Important)
A site-to-site VPN using Cisco IOS creates a permanent, encrypted IPsec tunnel between two routers to securely connect separate networks over an untrusted network.
