What Is a Site-to-Site VPN?


A site-to-site virtual private network (VPN) is a connection between two or more networks, such as a corporate network and a branch office network. Organizations use site-to-site VPNs to leverage an internet connection for private traffic as an alternative to private MPLS circuits.

Site-to-site VPNs are frequently used by companies with multiple offices in different geographic locations that need to access the corporate network. With a site-to-site VPN, a company can securely connect its corporate network with remote offices to communicate and share resources as a single network.

How Does a Site-to-site VPN Work?

Site-to-site VPN connecting a main office with three branch offices securely via the internet.

A site-to-site VPN provides access from one network to another over the internet. It works by creating a secure, encrypted tunnel between two networks located at different sites. The tunnel acts as a direct link through which data can be securely transmitted.

The VPN uses routing tables to direct data packets along the correct path within the tunnel. Site-to-site tunnels rely on encryption protocols to ensure data cannot be intercepted or read by unauthorized parties.

The process involves establishing a gateway at each network end, effectively connecting entire networks rather than individual clients to a VPN server. The VPN gateway manages data encryption and decryption as it enters and exits the tunnel.

Data travels through the public internet within this tunnel. Encryption makes the data opaque to outsiders, appearing as unintelligible gibberish. Upon reaching the destination gateway, data is decrypted and transmitted to the receiving internal network.

This secure bridge allows seamless, secure information flow between networks. Resources can be shared as though they are on the same local network.
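The routing decision described above, as an added example that is not part of the original article: a gateway at site A consults its routing table with a longest-prefix match, so traffic for the remote site's subnet leaves through the tunnel interface and is encrypted, while everything else takes the internet-facing interface. The example also covers the failure mode the article does not spell out: if the tunnel goes down and its route disappears, a plain longest-prefix match would send site B's traffic out the default route in the clear, so the table carries a lower-preference discard route for the remote prefix as a backstop. The interface names (ethernet1/1, ethernet1/2, tunnel.1), the pseudo-interface name "discard", the addresses and the metric values are all constructed for this example.

```python
"""Route a packet at a site-to-site VPN gateway: longest-prefix match picks
the egress interface, so traffic for the remote site enters the tunnel and
everything else takes the internet-facing interface."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str      # egress interface; "discard" (constructed name) drops the packet
    metric: int = 10    # lower wins among routes with the same prefix length


# Constructed routing table for the gateway at site A (10.1.0.0/16), whose
# tunnel.1 leads to site B (10.2.0.0/16). Interface names are made up for
# this example; the addresses are private/documentation ranges.
SITE_A_ROUTES = [
    Route(ipaddress.ip_network("10.1.0.0/16"), "ethernet1/2"),           # inside LAN
    Route(ipaddress.ip_network("10.2.0.0/16"), "tunnel.1"),              # remote site via VPN
    Route(ipaddress.ip_network("10.2.0.0/16"), "discard", metric=250),   # backstop if tunnel is down
    Route(ipaddress.ip_network("0.0.0.0/0"), "ethernet1/1"),             # default route: internet
]


def lookup(routes, dst, up_interfaces):
    """Longest-prefix match, breaking ties by lowest metric, over routes whose
    interface is currently up (discard routes are always usable).
    Returns the egress interface name, or None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    usable = [
        r for r in routes
        if addr in r.prefix and (r.interface == "discard" or r.interface in up_interfaces)
    ]
    if not usable:
        return None
    best = max(usable, key=lambda r: (r.prefix.prefixlen, -r.metric))
    return best.interface


def forward(routes, dst, up_interfaces):
    """Decide what the gateway does with a packet for dst: the interface it
    leaves on and whether it is encrypted (only tunnel interfaces are)."""
    egress = lookup(routes, dst, up_interfaces)
    if egress is None or egress == "discard":
        return {"action": "drop", "egress": None, "encrypted": False}
    return {"action": "forward", "egress": egress, "encrypted": egress.startswith("tunnel.")}


if __name__ == "__main__":
    all_up = {"ethernet1/1", "ethernet1/2", "tunnel.1"}
    tunnel_down = {"ethernet1/1", "ethernet1/2"}
    for dst in ("10.2.5.7", "198.51.100.9", "10.1.3.3"):
        print(dst, "tunnel up:  ", forward(SITE_A_ROUTES, dst, all_up))
        print(dst, "tunnel down:", forward(SITE_A_ROUTES, dst, tunnel_down))
```

Without the discard route, the tunnel-down case for 10.2.5.7 would match only the default route and the packet would leave ethernet1/1 unencrypted; with it, the packet is dropped until the tunnel (and its more preferred route) returns.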


Site-to-site VPN Benefits

Enhanced Security

Site-to-site VPNs establish a secure connection between networks using encryption, safeguarding data from unauthorized access as it travels over the internet. Encryption ensures sensitive corporate information remains confidential.

Site-to-site VPNs allow organizations to provide employees working remotely with access to the corporate network from alternate locations, like public networks. This supports operational continuity and reduces potential downtime in an emergency.

Simplified Resource Sharing

By connecting networks, a site-to-site VPN facilitates the sharing of resources such as file servers and databases without direct internet exposure. It allows employees to work with the same tools and data regardless of their physical location, promoting efficiency and collaboration.

Cost-Effective Network Expansion

The ability to use the internet as a conduit for connecting multiple networks helps organizations reduce the need for expensive leased lines. For organizations looking to connect multiple sites without major infrastructure investments, site-to-site VPNs can be more cost-effective initially.

Agile Deployment

Site-to-site VPNs can offer agile deployment capabilities initially. Businesses can easily add new sites to the network. The flexibility is helpful for rapidly growing companies or those needing to establish temporary sites.

Site-to-site VPN Limitations

Site-to-site VPN benefits (security, resource sharing, cost, agility) and limitations (scaling, routing, complexity, visibility, cloud, static environments).

Scalability Challenges

Site-to-site VPNs can face scalability issues as each new site requires its own dedicated VPN connection. This can lead to a complex web of tunnels that demand meticulous management. As the organization grows, site-to-site VPNs may result in network performance inefficiencies.

Inefficient Routing

The traditional hub-and-spoke architecture of site-to-site VPNs often results in inefficient routing, where all traffic must pass through a central location. This can burden the central hub and lead to unnecessary latency, impacting overall network performance.

Complex Configuration

Setting up a site-to-site VPN involves initial configuration and ongoing management of VPN gateways and routes. Each tunnel requires individual attention, which can accumulate into a considerable administrative overhead as the number of sites increases.

Limited Visibility

With independent VPN connections for each site, gaining a comprehensive view of the network traffic and detecting distributed threats can be challenging. This fragmentation can lead to potential security risks as it complicates consistent monitoring and threat management.

Restricted Cloud Integration

As businesses increasingly move services to the cloud, site-to-site VPNs may not offer the most direct or efficient path to cloud resources. This can result in suboptimal network designs that do not align with modern cloud-centric workflows.

Dependence on Static Environments

Site-to-site VPNs are less suited for dynamic or remote working scenarios where users may not consistently operate from static locations. Lack of flexibility can be a disadvantage in today's mobile work environments.

Site-to-site VPN vs. Remote Access VPN

The main difference between site-to-site and remote access VPNs is their respective network connectivity structures and intended use cases.

Site-to-site VPNs are designed to connect entire networks to each other. This type of VPN encrypts traffic at the network perimeter and allows for resources to be shared across locations, behaving as a single, unified network.

Remote access VPNs focus on individual users who need to connect to a network from a remote location. They are based on VPN clients, so they require software to be installed on each user’s device. The VPN software then establishes an encrypted connection to the network. Remote access VPNs are ideal for businesses that need to provide secure access to their network from any location.

Site-to-site VPN vs. Point-to-site VPN

Site-to-site VPNs are about connecting networks. Point-to-site VPNs focus on connecting users to a network, emphasizing flexibility and individual access rather than inter-office connectivity.

Site-to-site VPNs connect entire networks to each other, enabling multiple sites within an enterprise to share resources securely over the internet. They work for organizations with fixed locations looking to establish a continuous, secure connection between offices.

Point-to-site VPNs provide secure connections from individual devices to the network. They are suited for remote workers who need to access corporate resources from various locations.

Site-to-site VPN Protocols

Site-to-site VPNs can operate using various VPN protocols depending on network configuration and security policies.

IPsec is often used in tandem with other protocols such as L2TP (Layer 2 Tunneling Protocol) to provide encrypted, secure communication between networks. GRE (Generic Routing Encapsulation) is sometimes used with IPsec for creating tunnels, although GRE by itself does not provide encryption.

OpenVPN is also capable of creating secure point-to-point connections in routed or bridged configurations.

How to Set Up a Site-to-site VPN

A site-to-site VPN with static routing, showing two VPN Peers, A and B, connected via IPsec tunnels with designated IP addresses and zones.

The process of setting up a site-to-site VPN varies significantly based on the specific technologies and devices being used. Always follow guidelines tailored to the VPN provider and network configuration at hand.

This example outlines a streamlined process for setting up a site-to-site VPN using PAN-OS, focusing on a scenario with static routing. While these instructions provide a general framework, they may need to be adjusted to the specifics of the network environment and the features of the VPN solution.

1. Configure the physical interfaces on both VPN endpoints.

This is done by accessing the network interface settings, selecting Ethernet, and defining the interface as Layer 3. Assign it to an appropriate security zone, typically outside your trust network, and set an IP address.

2. Create the tunnel interfaces.

This involves specifying a tunnel interface name, associating it with a virtual router and a security zone dedicated to VPN tunnels, and assigning an IP address that serves as the endpoint for traffic routing.

3. Define crypto profiles for IKE (for phase 1) and IPSec (for phase 2).

This is necessary to secure the VPN connection. Ensure that both VPN peers have identical crypto profiles for a successful handshake.

4. Configure OSPF on the virtual routers for dynamic routing.

Attach the appropriate interfaces to the OSPF areas, selecting the right link types and ensuring that the OSPF router IDs are correctly assigned.

5. Establish IKE gateways for both VPN peers.

Set up local and peer IP addresses. Apply the pre-shared keys for authentication.

6. Configure the IPSec tunnels.

Select the tunnel interfaces and define the auto key type with the corresponding IKE gateway and IPSec crypto profile.

7. Implement policy rules to permit traffic between the sites.

Specify the traffic's source and destination IP addresses and associate them with the appropriate security zones.

After configuring both endpoints, verify the OSPF adjacencies and routes to ensure that the VPN peers recognize each other and establish the necessary routes for traffic. Testing connectivity is crucial. Utilize tunnel monitoring and the PAN-OS command line interface to check the status and ensure traffic flows securely between the sites.
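Step 3 above requires both peers to carry identical IKE (phase 1) and IPSec (phase 2) crypto profiles, and a mismatch is the most common reason a tunnel never comes up during the verification described here. The following is an added example, not code from the article or from PAN-OS: a small pre-commit check that diffs the two peers' profiles field by field and also flags deprecated algorithms and ESP configured with a non-AEAD cipher but no integrity algorithm. The profile field names (encryption, hash, authentication, dh_group, lifetime_hours), their values, and both peer configurations are constructed for this example and only loosely modelled on the settings the procedure mentions.

```python
"""Compare the IKE (phase 1) and IPSec (phase 2) crypto profiles of two
site-to-site VPN peers, reporting mismatches and weak settings."""

# Phase-1 and phase-2 settings for peer A. Field names are constructed for
# this example (loosely modelled on PAN-OS crypto profile settings).
PEER_A = {
    "ike": {"encryption": "aes-256-cbc", "hash": "sha256",
            "dh_group": "group14", "lifetime_hours": 8},
    "ipsec": {"encryption": "aes-256-gcm", "authentication": "none",
              "dh_group": "group14", "lifetime_hours": 1},
}

# Peer B configured identically: the successful-handshake case.
PEER_B_OK = {phase: dict(settings) for phase, settings in PEER_A.items()}

# Constructed peer B whose phase-1 hash and phase-2 DH group differ from A,
# and whose phase-2 profile uses a CBC cipher with no integrity algorithm.
PEER_B_MISMATCH = {
    "ike": {"encryption": "aes-256-cbc", "hash": "sha1",
            "dh_group": "group14", "lifetime_hours": 8},
    "ipsec": {"encryption": "aes-256-cbc", "authentication": "none",
              "dh_group": "group2", "lifetime_hours": 1},
}

# Algorithms widely treated as deprecated for new IPsec deployments.
DEPRECATED = {
    "encryption": {"des", "3des", "null"},
    "hash": {"md5", "sha1"},
    "authentication": {"md5", "sha1"},
    "dh_group": {"group1", "group2", "group5"},
}


def compare_profiles(peer_a, peer_b):
    """Return one 'phase.field: a != b' finding per setting that differs,
    in sorted order; a field present on only one peer counts as a mismatch."""
    findings = []
    for phase in sorted(set(peer_a) | set(peer_b)):
        fields_a = peer_a.get(phase, {})
        fields_b = peer_b.get(phase, {})
        for field in sorted(set(fields_a) | set(fields_b)):
            va, vb = fields_a.get(field), fields_b.get(field)
            if va != vb:
                findings.append(f"{phase}.{field}: {va} != {vb}")
    return findings


def weak_settings(peer):
    """Return findings for deprecated algorithms, plus one for ESP that has
    no integrity algorithm while using a cipher that is not AEAD (GCM)."""
    findings = []
    for phase, fields in sorted(peer.items()):
        for field, value in sorted(fields.items()):
            if value in DEPRECATED.get(field, set()):
                findings.append(f"{phase}.{field}: {value} is deprecated")
    esp = peer.get("ipsec", {})
    if esp.get("authentication") == "none" and "gcm" not in esp.get("encryption", ""):
        findings.append("ipsec.authentication: none is only acceptable with an AEAD cipher such as AES-GCM")
    return findings


def check_peers(peer_a, peer_b):
    """Run both checks the way a pre-commit review of the two configs would."""
    return {
        "mismatches": compare_profiles(peer_a, peer_b),
        "weak_a": weak_settings(peer_a),
        "weak_b": weak_settings(peer_b),
    }


if __name__ == "__main__":
    for label, peer_b in (("identical", PEER_B_OK), ("mismatched", PEER_B_MISMATCH)):
        print(f"== peer B {label} ==")
        for key, items in check_peers(PEER_A, peer_b).items():
            print(f"{key}: {items or 'ok'}")
```

Run the check against the exported settings of both gateways before committing; an empty mismatch list is the precondition for the IKE handshake in step 5, and the weak-settings list is what to fix before the tunnel is trusted with production traffic.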

SASE: The Modern Alternative to Site-to-site VPNs

SASE model showing SaaS, clouds, data center, layered with FWaaS, CASB, ZTNA, SWG, and SD-WAN for various endpoints.

Secure access service edge (SASE) is a modern, cloud-native architecture which delivers the networking and network security services businesses need. SASE offers multiple security capabilities including advanced threat prevention, credential theft prevention, web filtering, sandboxing, DNS security, data loss prevention (DLP) and more from one cloud-delivered platform.

SASE allows companies to connect remote offices easily. Using this model, it is easier to securely route traffic and manage access control.

Site-to-site VPN FAQs

The purpose of a site-to-site VPN is to securely connect networks at different locations, enabling them to communicate and share resources over the internet as if within a single network.

A site-to-site VPN setup entails configuring network interfaces, establishing secure tunnels, and implementing encryption protocols. Specific steps vary based on the solution and network configuration.

Point-to-site VPN allows individual devices to connect to a network remotely, while site-to-site connects entire networks to each other.

The difference between site-to-site and remote access VPNs is their purposes. Remote access VPNs connect individual users to a network. Site-to-site VPNs connect two networks.

A site-to-site VPN is a type of setup that connects two networks. A tunnel is a secure passage through which the encrypted VPN traffic travels.

Disadvantages of a site-to-site VPN include setup complexity, limited scalability, and potential inefficiency in bandwidth usage.

The two types of VPNs with site-to-site configurations are intranet-based (for connecting remote locations within the same organization) and extranet-based (for connecting with external partners).

To know if a site-to-site VPN is up, check the VPN device's dashboard for tunnel status indicators or use command line tools to verify connectivity and traffic flow.

Site-to-site VPN speed depends on the underlying internet connection, encryption overhead, and hardware capabilities. It can be fast but is subject to these factors.

For site-to-site VPN, AES (Advanced Encryption Standard) is commonly recommended because of its strong security and efficiency.

A site-to-site VPN connection is not encrypted by default. It requires configuration with security protocols such as IPsec to secure the data.