A site-to-site virtual private network (VPN) is a connection between two or more networks, such as a corporate network and a branch office network. Organizations use site-to-site VPNs to leverage an internet connection for private traffic as an alternative to private MPLS circuits.
Site-to-site VPNs are frequently used by companies with multiple offices in different geographic locations that need to access the corporate network. With a site-to-site VPN, a company can securely connect its corporate network with remote offices to communicate and share resources as a single network.
How Does a Site-to-site VPN Work?
A site-to-site VPN provides access from one network to another over the internet. It works by creating a secure, encrypted tunnel between two networks located at different sites. The tunnel acts as a direct link through which data can be securely transmitted.
The gateway's routing table decides which packets enter the tunnel: traffic destined for the prefixes behind the remote site is routed to the tunnel interface, while everything else takes its ordinary path. Inside the tunnel, encryption and integrity protection mean that anyone able to capture the packets along the way still cannot read them or alter them without detection.
The process involves establishing a gateway at each network end, effectively connecting entire networks rather than individual clients to a VPN server. The VPN gateway manages data encryption and decryption as it enters and exits the tunnel.
Data travels through the public internet inside this tunnel. An observer on the path sees only the two gateway addresses and ciphertext; the internal addresses and the payload are hidden. Upon reaching the destination gateway, the data is authenticated, decrypted and forwarded onto the receiving internal network.
This secure bridge allows seamless, secure information flow between networks. Resources can be shared as though they are on the same local network.
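As an added example that is not part of the original page, the Go program below models the behaviour described in this section: the gateway's routing table decides which packets enter the tunnel, the sending gateway wraps the whole inner packet in an ESP-style datagram encrypted with AES-GCM, and the receiving gateway authenticates it, checks the sequence number against replay, decrypts it and hands the inner packet to its LAN. The addresses, the SPI, the key and the packet are constructed for illustration. Real IPsec derives keys through IKE, negotiates a separate SA (and SPI) per direction and uses a sliding anti-replay window; this model simplifies those to one shared key and strictly increasing sequence numbers.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
)

// Packet is a simplified inner IPv4 packet: source, destination and payload.
type Packet struct {
	Src, Dst netip.Addr
	Payload  []byte
}

// Gateway is one VPN endpoint: a routing table (prefix -> "direct" or a tunnel name) and one tunnel SA.
type Gateway struct {
	Routes  map[netip.Prefix]string
	SPI     uint32
	aead    cipher.AEAD
	seq     uint32 // last outbound sequence number
	highest uint32 // highest inbound sequence number accepted (anti-replay)
}

// NewGateway builds a gateway whose tunnel SA uses AES-256-GCM under a 32-byte key.
func NewGateway(key []byte, spi uint32, routes map[netip.Prefix]string) (*Gateway, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Gateway{Routes: routes, SPI: spi, aead: aead}, nil
}

// Lookup is the routing-table step: longest-prefix match yields "direct", a tunnel name, or "" (no route).
func (g *Gateway) Lookup(dst netip.Addr) string {
	via, bits := "", -1
	for prefix, next := range g.Routes {
		if prefix.Contains(dst) && prefix.Bits() > bits {
			via, bits = next, prefix.Bits()
		}
	}
	return via
}

// Encapsulate wraps an inner packet the way ESP tunnel mode does: [SPI 4][seq 4][nonce 12][AES-GCM(src|dst|payload)+tag].
// The inner addresses and payload are encrypted; SPI and seq are bound in as additional authenticated data.
func (g *Gateway) Encapsulate(p Packet) ([]byte, error) {
	g.seq++
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint32(hdr[0:4], g.SPI)
	binary.BigEndian.PutUint32(hdr[4:8], g.seq)
	nonce := make([]byte, g.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	src, dst := p.Src.As4(), p.Dst.As4()
	inner := append(append(src[:], dst[:]...), p.Payload...)
	return g.aead.Seal(append(hdr, nonce...), nonce, inner, hdr), nil
}

// Decapsulate checks SPI and sequence number, verifies the tag and decrypts; modified or replayed datagrams are dropped.
func (g *Gateway) Decapsulate(outer []byte) (Packet, error) {
	ns := g.aead.NonceSize()
	if len(outer) < 8+ns+8+g.aead.Overhead() {
		return Packet{}, errors.New("datagram too short")
	}
	hdr, nonce, ct := outer[:8], outer[8:8+ns], outer[8+ns:]
	if binary.BigEndian.Uint32(hdr[0:4]) != g.SPI {
		return Packet{}, errors.New("unknown SPI")
	}
	seq := binary.BigEndian.Uint32(hdr[4:8])
	if seq <= g.highest { // simplified anti-replay; ESP keeps a sliding window
		return Packet{}, errors.New("replayed or stale sequence number")
	}
	inner, err := g.aead.Open(nil, nonce, ct, hdr)
	if err != nil {
		return Packet{}, errors.New("authentication failed: modified datagram or wrong key")
	}
	g.highest = seq
	src, dst := *(*[4]byte)(inner[0:4]), *(*[4]byte)(inner[4:8])
	return Packet{Src: netip.AddrFrom4(src), Dst: netip.AddrFrom4(dst), Payload: inner[8:]}, nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed demo key; real SAs get their keys from IKE
	routes := map[netip.Prefix]string{netip.MustParsePrefix("10.1.0.0/16"): "direct", netip.MustParsePrefix("10.2.0.0/16"): "tunnel.1"}
	siteA, _ := NewGateway(key, 0x1001, routes)
	siteB, _ := NewGateway(key, 0x1001, nil)
	p := Packet{Src: netip.MustParseAddr("10.1.0.5"), Dst: netip.MustParseAddr("10.2.0.7"), Payload: []byte("GET /payroll")}
	outer, _ := siteA.Encapsulate(p)
	fmt.Println("route:", siteA.Lookup(p.Dst), "| payload readable on the wire:", bytes.Contains(outer, []byte("payroll")))
	in, err := siteB.Decapsulate(outer)
	fmt.Println("delivered at site B:", in.Src, "->", in.Dst, string(in.Payload), err)
	_, err = siteB.Decapsulate(outer) // the same datagram captured on the path and sent again
	fmt.Println("replay:", err)
}
```

The two checks worth noticing are the ones the prose glosses over: the sequence number and SPI travel in the clear but are covered by the authentication tag, so flipping a header byte fails just like flipping a ciphertext byte, and the replay check runs before decryption so a captured datagram cannot be injected into the LAN a second time.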
Site-to-site VPN Benefits
Enhanced Security
Site-to-site VPNs establish an encrypted, authenticated connection between networks, safeguarding data from being read or tampered with as it travels over the internet and keeping sensitive corporate information confidential.
Because the tunnel terminates on a gateway rather than on each device, every host at a site is protected without installing or managing client software. A backup or temporary location can be brought onto the corporate network in an emergency by standing up a gateway there, which supports operational continuity and reduces potential downtime.
Simplified Resource Sharing
By connecting networks, a site-to-site VPN facilitates the sharing of resources such as file servers and databases without direct internet exposure. It allows employees to work with the same tools and data regardless of their physical location, promoting efficiency and collaboration.
Cost-Effective Network Expansion
The ability to use the internet as a conduit for connecting multiple networks helps organizations reduce the need for expensive leased lines. For organizations looking to connect multiple sites without major infrastructure investments, site-to-site VPNs can be more cost-effective initially.
Agile Deployment
Site-to-site VPNs are quick to deploy: adding a site means standing up a gateway and a tunnel rather than provisioning a circuit. This flexibility helps rapidly growing companies and those that need to establish temporary sites.
Site-to-site VPN Limitations
Scalability Challenges
Site-to-site VPNs can face scalability issues because each pair of sites that must talk directly needs its own tunnel: a full mesh of n sites requires n(n-1)/2 tunnels, each with its own keys, routes and policies. This can lead to a complex web of tunnels that demands meticulous management, and as the organization grows, network performance can suffer.
Inefficient Routing
The traditional hub-and-spoke architecture of site-to-site VPNs often results in inefficient routing, where all traffic must pass through a central location. This can burden the central hub and lead to unnecessary latency, impacting overall network performance.
Complex Configuration
Setting up a site-to-site VPN involves configuring VPN gateways, crypto profiles and routes, and then maintaining them over time (key and certificate rotation, software updates, route changes). Each tunnel requires individual attention, which accumulates into considerable administrative overhead as the number of sites increases.
Limited Visibility
With independent VPN connections for each site, gaining a comprehensive view of the network traffic and detecting distributed threats can be challenging. This fragmentation can lead to potential security risks as it complicates consistent monitoring and threat management.
Restricted Cloud Integration
As businesses increasingly move services to the cloud, site-to-site VPNs may not offer the most direct or efficient path to cloud resources. This can result in suboptimal network designs that do not align with modern cloud-centric workflows.
Dependence on Static Environments
Site-to-site VPNs are less suited for dynamic or remote working scenarios where users may not consistently operate from static locations. Lack of flexibility can be a disadvantage in today's mobile work environments.
Site-to-site VPN vs. Remote Access VPN
The main difference between site-to-site and remote access VPNs is their respective network connectivity structures and intended use cases.
Site-to-site VPNs are designed to connect entire networks to each other. This type of VPN encrypts traffic at the network perimeter and allows for resources to be shared across locations, behaving as a single, unified network.
Remote access VPNs focus on individual users who need to connect to a network from a remote location. They are based on VPN clients, so they require software to be installed on each user’s device. The VPN software then establishes an encrypted connection to the network. Remote access VPNs are ideal for businesses that need to provide secure access to their network from any location.
Site-to-site VPN vs. Point-to-site VPN
Site-to-site VPNs are about connecting networks. Point-to-site VPNs focus on connecting users to a network, emphasizing flexibility and individual access rather than inter-office connectivity.
Site-to-site VPNs connect entire networks to each other, enabling multiple sites within an enterprise to share resources securely over the internet. They work for organizations with fixed locations looking to establish a continuous, secure connection between offices.
Point-to-site VPNs provide secure connections from individual devices to the network. They are suited for remote workers who need to access corporate resources from various locations.
Site-to-site VPN Protocols
Site-to-site VPNs can operate using various VPN protocols depending on network configuration and security policies.
IPsec is the protocol most site-to-site VPNs are built on. It provides encryption, integrity protection and peer authentication on its own (IKE negotiates the keys, ESP carries the protected packets), and in tunnel mode it encapsulates whole networks' traffic without any other protocol. IPsec is sometimes combined with L2TP (Layer 2 Tunneling Protocol), although that pairing is more common for remote access. GRE (Generic Routing Encapsulation) is often run inside IPsec on platforms whose IPsec tunnels are policy-based and cannot carry multicast or routing-protocol traffic directly; GRE by itself does not provide encryption.
OpenVPN is also capable of creating secure point-to-point connections in routed or bridged configurations. It runs over TLS on a single UDP or TCP port, which simplifies traversal of NAT and restrictive firewalls.
How to Set Up a Site-to-site VPN
The process of setting up a site-to-site VPN varies significantly based on the specific technologies and devices being used. Always follow guidelines tailored to the VPN provider and network configuration at hand.
This example outlines a streamlined process for setting up a site-to-site VPN using PAN-OS, in a scenario where the two sites exchange routes dynamically with OSPF over the tunnel. While these instructions provide a general framework, they may need to be adjusted to align with the network environment and the features of the VPN solution in use.
1. Configure the physical interfaces on both VPN endpoints.
Open the network interface settings, select the Ethernet interface and define it as Layer 3. Assign it to the security zone that faces the internet (typically the untrust zone, not a trusted internal zone) and set its public IP address; this is the address the peer gateway will connect to.
2. Create the tunnel interfaces.
This involves specifying a tunnel interface name, associating it with a virtual router and a security zone dedicated to VPN tunnels, and assigning an IP address that serves as the endpoint for traffic routing.
3. Define crypto profiles for IKE (phase 1) and IPsec (phase 2).
These determine how the tunnel is secured. The two peers need at least one matching combination of encryption algorithm, integrity algorithm and DH group in each profile; configuring identical profiles on both sides is the simplest way to guarantee this, and a mismatch fails the handshake. Avoid DES, 3DES, MD5 and DH groups 1, 2 and 5; prefer AES-256 with SHA-256 and DH group 14 or higher, enable PFS in the IPsec profile, and keep lifetimes short enough that keys are rotated regularly.
4. Configure OSPF on the virtual routers for dynamic routing.
Attach the appropriate interfaces to the OSPF areas, selecting the right link types and ensuring that the OSPF router IDs are correctly assigned.
5. Establish IKE gateways for both VPN peers.
Set up the local and peer IP addresses and the IKE version. For authentication, use a long, randomly generated pre-shared key unique to this peer pair, or certificate-based authentication where both gateways support it; a short or reused PSK is the weakest point of an otherwise well-configured tunnel.
6. Configure the IPSec tunnels.
Select the tunnel interfaces and define the auto key type with the corresponding IKE gateway and IPSec crypto profile.
7. Implement policy rules to permit traffic between the sites.
Specify the traffic's source and destination addresses and associate them with the appropriate security zones (the VPN zone and the internal zone). Allow only the applications and services the sites actually need rather than any-to-any.
After configuring both endpoints, verify the OSPF adjacencies and routes to ensure that the VPN peers recognize each other and have learned the routes to each other's networks. Testing connectivity is crucial. Use tunnel monitoring and the PAN-OS command line interface (for example show vpn ike-sa, show vpn ipsec-sa and show routing protocol ospf neighbor) to confirm that the phase 1 and phase 2 SAs are up and that traffic between the sites flows through the tunnel rather than out the default route.
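Step 3 is where most first-time tunnels fail, because the two gateways' crypto profiles do not overlap. The Go program below is an added example, not code from the page or from PAN-OS: it models the responder's choice of one encryption algorithm, one integrity algorithm and one DH group from the two profiles (producing the NO_PROPOSAL_CHOSEN error that IKE logs show when nothing matches) and audits a profile for algorithms a current policy should refuse. The profile names, the algorithm spellings (written in the PAN-OS style) and the sample profiles are constructed for illustration. Real IKE carries whole proposals rather than three independent lists, and which side's preference order wins differs between implementations; here the responder's order wins.

```go
package main

import (
	"fmt"
	"strings"
)

// Profile is a crypto profile as a gateway holds it: ordered lists of acceptable
// encryption algorithms, integrity (authentication) algorithms and DH groups.
type Profile struct {
	Name       string
	Encryption []string
	Integrity  []string
	DHGroups   []string
}

// Suite is the combination the two peers actually agree on.
type Suite struct {
	Encryption, Integrity, DHGroup string
}

// deprecated maps algorithm names to the reason a current policy should refuse them.
var deprecated = map[string]string{
	"des":    "56-bit key",
	"3des":   "64-bit block (Sweet32)",
	"null":   "no encryption",
	"md5":    "broken hash",
	"sha1":   "deprecated hash",
	"group1": "768-bit DH",
	"group2": "1024-bit DH (Logjam)",
	"group5": "1536-bit DH",
	"no-pfs": "no perfect forward secrecy: a leaked long-term key exposes past traffic",
}

// firstCommon returns the first entry of pref that also appears in other.
func firstCommon(pref, other []string) (string, bool) {
	for _, p := range pref {
		for _, o := range other {
			if p == o {
				return p, true
			}
		}
	}
	return "", false
}

// Negotiate models the responder's SA selection: its most preferred choice per component
// that the initiator also offered, or a NO_PROPOSAL_CHOSEN error naming the component that failed.
func Negotiate(initiator, responder Profile) (Suite, error) {
	pick := func(what string, resp, init []string) (string, error) {
		if v, ok := firstCommon(resp, init); ok {
			return v, nil
		}
		return "", fmt.Errorf("NO_PROPOSAL_CHOSEN: no common %s between %s %v and %s %v",
			what, initiator.Name, init, responder.Name, resp)
	}
	enc, err := pick("encryption", responder.Encryption, initiator.Encryption)
	if err != nil {
		return Suite{}, err
	}
	integ, err := pick("integrity", responder.Integrity, initiator.Integrity)
	if err != nil {
		return Suite{}, err
	}
	dh, err := pick("DH group", responder.DHGroups, initiator.DHGroups)
	if err != nil {
		return Suite{}, err
	}
	return Suite{Encryption: enc, Integrity: integ, DHGroup: dh}, nil
}

// Audit lists every deprecated algorithm a profile still offers. Whichever side prefers
// a weak entry can cause it to be chosen, so remove it rather than rely on ordering.
func Audit(p Profile) []string {
	var findings []string
	for _, list := range [][]string{p.Encryption, p.Integrity, p.DHGroups} {
		for _, alg := range list {
			if why, bad := deprecated[strings.ToLower(alg)]; bad {
				findings = append(findings, fmt.Sprintf("%s offers %s: %s", p.Name, alg, why))
			}
		}
	}
	return findings
}

func main() {
	// Constructed sample profiles: HQ still carries legacy entries, the branch does not.
	hq := Profile{"HQ-ike", []string{"aes-256-cbc", "aes-128-cbc"}, []string{"sha256", "sha1"}, []string{"group14", "group2"}}
	branch := Profile{"Branch-ike", []string{"aes-256-gcm", "aes-256-cbc"}, []string{"sha256"}, []string{"group19", "group14"}}
	suite, err := Negotiate(branch, hq)
	fmt.Println("agreed:", suite, err)
	for _, f := range Audit(hq) {
		fmt.Println("audit:", f)
	}
	legacy := Profile{"Legacy", []string{"3des"}, []string{"md5"}, []string{"group2"}}
	_, err = Negotiate(legacy, branch)
	fmt.Println("legacy peer:", err)
}
```

The audit output for the HQ profile is the point: the tunnel negotiates a sound suite today, yet the profile would still accept SHA-1 and DH group 2 from any peer that prefers them, so the fix is to delete those entries rather than trust the peer's ordering.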
SASE: The Modern Alternative to Site-to-site VPNs
Secure access service edge (SASE) is a modern, cloud-native architecture which delivers the networking and network security services businesses need. SASE offers multiple security capabilities including advanced threat prevention, credential theft prevention, web filtering, sandboxing, DNS security, data loss prevention (DLP) and more from one cloud-delivered platform.
SASE allows companies to connect remote offices easily. Using this model, it is easier to securely route traffic and manage access control.
Site-to-site VPN FAQs