Imagine your company has grown from a single office to three branch offices and a fleet of road warriors. You need to connect them all securely over the internet without leasing expensive private lines. That's where VPNs come in. The CCNA 200-301 exam (objective 5.7) expects you to understand the two fundamental VPN categories—site-to-site and remote access—including their use cases, underlying protocols, and key differences. Mastering this topic is essential for designing secure, cost-effective WAN connectivity.
Jump to a section
Think of a site-to-site VPN as a dedicated mailroom between two company buildings. Building A and Building B each have a mailroom that automatically sorts, encrypts, and sends all inter-office mail in bulk through a secure tunnel. Employees just drop letters in the internal mailbox; they don't need to know about the tunnel. The mailroom handles everything: it collects all outgoing mail, seals it in a tamper-evident bag, and ships it via a secure courier. On the other side, the receiving mailroom opens the bag and delivers each letter to the correct department. This is exactly how a site-to-site VPN works: the routers at each site automatically encrypt all traffic destined for the other site and send it over the internet. End users don't install any special software; their traffic is encrypted transparently.
Now consider a remote access VPN, which is like a personal courier service for each individual employee working from home. Each employee calls a central dispatch (the VPN gateway) and requests a secure connection. The dispatcher verifies the employee's identity (authentication) and then assigns a dedicated courier who picks up the employee's documents, seals them in a secure envelope, and delivers them to the office. The employee must actively request this service each time and may need to use a special app or client. Similarly, remote access VPNs require a VPN client on the user's device, which initiates a secure tunnel to the corporate VPN gateway. Unlike the mailroom, which handles all traffic automatically, the personal courier only handles traffic for that specific user. The key difference: site-to-site is always-on, transparent, and connects entire networks; remote access is on-demand, user-initiated, and connects individual hosts.
What Are VPNs and Why Do We Need Them?
A Virtual Private Network (VPN) creates a secure, encrypted tunnel over an untrusted network—typically the internet. Without a VPN, any data sent over the internet is visible to intermediate devices. VPNs provide three critical security services: confidentiality (encryption), integrity (ensuring data hasn't been tampered with), and authentication (verifying the identity of the communicating parties). For the CCNA, you need to understand two main deployment models: site-to-site and remote access.
Site-to-Site VPNs
A site-to-site VPN connects entire networks, such as a branch office to a corporate headquarters. It is implemented on network devices like routers or firewalls. Traffic between the two sites is encrypted and encapsulated, then sent over the internet. End users are unaware of the VPN; their devices send packets as if the remote network were directly connected.
How It Works Step by Step:
Traffic Trigger: A host in Branch A sends a packet to a host in HQ. The destination IP falls within the HQ network.
Routing Decision: The branch router has a route pointing to the HQ network via the VPN tunnel interface (e.g., a virtual tunnel interface like Tunnel0).
Encryption and Encapsulation: The branch router encrypts the original packet using IPsec (Internet Protocol Security). It then wraps the encrypted packet in a new IP header with the branch router's public IP as source and the HQ router's public IP as destination.
Transmission: The encrypted packet travels over the internet. Intermediate routers only see the outer IP header; they cannot decrypt the payload.
Decryption and Forwarding: The HQ router receives the packet, removes the outer header, decrypts the inner packet, and forwards it to the destination host.
Key Protocols: IPsec is the standard suite for site-to-site VPNs. It uses two main protocols: Authentication Header (AH) for integrity and Encapsulating Security Payload (ESP) for both encryption and integrity. In practice, ESP is almost always used. IPsec operates in two modes: Transport mode (encrypts only payload) and Tunnel mode (encrypts entire original packet). For site-to-site, Tunnel mode is used.
IKE (Internet Key Exchange): Before IPsec can encrypt traffic, the two peers must establish a secure channel and agree on encryption keys. This is done via IKE (also called ISAKMP). IKE has two phases: - Phase 1: Creates a secure management tunnel (IKE SA). Uses either Main Mode (6 messages) or Aggressive Mode (3 messages). Main mode is more secure and is the default on Cisco devices. The peers authenticate each other using pre-shared keys or digital certificates. - Phase 2: Negotiates the IPsec SA (Security Association) that will protect actual data traffic. Uses Quick Mode (3 messages). The IPsec SA includes parameters like encryption algorithm (e.g., AES-256), hash algorithm (e.g., SHA-256), and lifetime (default 3600 seconds or 4608000 kilobytes).
Cisco IOS Configuration Example (Site-to-Site):
! Configure IKE Phase 1 policy
crypto isakmp policy 10
encryption aes 256
hash sha256
authentication pre-share
group 14
lifetime 86400
!
! Configure pre-shared key
crypto isakmp key cisco123 address 203.0.113.2
!
! Configure IPsec transform set
crypto ipsec transform-set MYSET esp-aes 256 esp-sha256-hmac
mode tunnel
!
! Configure crypto ACL (interesting traffic)
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Configure crypto map
crypto map MYMAP 10 ipsec-isakmp
set peer 203.0.113.2
set transform-set MYSET
match address 100
!
! Apply crypto map to interface
interface GigabitEthernet0/0
crypto map MYMAPVerification Commands:
show crypto isakmp sa ! Shows IKE Phase 1 SAs
show crypto ipsec sa ! Shows IPsec Phase 2 SAs, including packet encrypt/decrypt stats
show crypto map ! Displays configured crypto mapsRemote Access VPNs
Remote access VPNs allow individual users (e.g., teleworkers) to connect securely to a corporate network. The user initiates the connection using a VPN client installed on their device. The corporate network has a VPN gateway (often a router or ASA firewall) that terminates the tunnels.
How It Works Step by Step:
Client Initiation: The user launches the VPN client (e.g., Cisco AnyConnect) and enters the gateway's IP address or URL.
Authentication: The client and gateway authenticate each other. This can use a username/password, digital certificates, or multi-factor authentication.
Tunnel Establishment: The client and gateway negotiate encryption parameters and establish an IPsec or SSL/TLS tunnel. Cisco AnyConnect typically uses SSL/TLS (port 443) or IPsec IKEv2.
Address Assignment: The gateway assigns an IP address to the client from a pool (e.g., 10.3.3.0/24). This address is used for the virtual interface on the client.
Traffic Forwarding: The client sends traffic to the corporate network through the tunnel. The gateway decrypts and forwards it. Optionally, the client can be configured to send all internet traffic through the tunnel (full tunnel) or only corporate traffic (split tunnel).
Key Protocols: Two main technologies are used for remote access VPNs: - IPsec (IKEv2): More secure and faster, but requires client configuration. Used by many native VPN clients. - SSL/TLS (DTLS): Often easier to deploy because it uses port 443 (same as HTTPS), which is rarely blocked. Cisco AnyConnect primarily uses SSL/TLS with DTLS for better performance.
Cisco IOS Configuration Example (Remote Access with AnyConnect):
! Configure IP address pool
ip local pool VPNPOOL 10.3.3.1 10.3.3.100
!
! Configure AAA authentication
aaa new-model
aaa authentication login VPN_AUTH local
username admin password cisco123
!
! Configure SSL certificate (self-signed for lab)
crypto pki trustpoint LOCAL
enrollment selfsigned
subject-name CN=VPNGateway
revocation-check none
!
! Configure WebVPN (SSL VPN)
webvpn gateway GATEWAY
ip address 198.51.100.1 port 443
ssl trustpoint LOCAL
!
webvpn context CONTEXT
gateway GATEWAY
policy group POLICY
functions svc-enabled
!
! Enable AnyConnect client
webvpn install svc flash:/anyconnect-win-4.10.01075-webdeploy-k9.pkgVerification Commands:
show webvpn gateway ! Shows SSL VPN gateway status
show webvpn session ! Lists active VPN sessions
show ip local pool ! Displays address pool usageKey Differences and Exam Focus
Site-to-Site: Always-on, connects networks, transparent to users, uses IPsec Tunnel mode, configured on routers/firewalls.
Remote Access: On-demand, connects individual hosts, requires client software, can use IPsec or SSL/TLS, configured on VPN gateways.
The CCNA exam will test your ability to choose the correct VPN type for a given scenario and understand basic configuration and verification.
Identify the VPN Requirement
Read the scenario carefully. Are you connecting two entire offices (site-to-site) or allowing individual teleworkers to connect (remote access)? Look for keywords like 'branch office,' 'HQ,' 'always-on connectivity' for site-to-site; 'teleworker,' 'VPN client,' 'on-demand' for remote access. Also note if the solution must be transparent to users (site-to-site) or requires client software (remote access).
Choose the Appropriate Technology
For site-to-site, IPsec is the standard. You must decide on IKE version (v1 or v2; v2 is preferred for new deployments), encryption algorithms (AES-256 recommended), and authentication method (pre-shared keys or certificates). For remote access, decide between IPsec IKEv2 (more secure, faster) and SSL/TLS (easier to deploy, often uses port 443). Cisco AnyConnect supports both but typically uses SSL with DTLS for performance.
Configure IKE Phase 1 (ISAKMP) Policy
On Cisco IOS, create an ISAKMP policy with `crypto isakmp policy <priority>`. Set encryption (e.g., `encryption aes 256`), hash (e.g., `hash sha256`), authentication (`authentication pre-share`), Diffie-Hellman group (e.g., `group 14`), and lifetime (default 86400 seconds). For pre-shared keys, use `crypto isakmp key <key> address <peer-ip>`. Verify with `show crypto isakmp policy`.
Configure IPsec Transform Set and Crypto ACL
Define a transform set with `crypto ipsec transform-set <name> <encryption> <hash>` (e.g., `esp-aes 256 esp-sha256-hmac`). Set mode to `tunnel`. Then create a crypto ACL that defines interesting traffic (traffic to be encrypted). For example, `access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255`. The ACL is used to match traffic that will trigger the VPN.
Configure and Apply a Crypto Map
Create a crypto map with `crypto map <name> <seq-num> ipsec-isakmp`. Inside, specify the peer IP (`set peer <ip>`), transform set (`set transform-set <name>`), and match the ACL (`match address <acl>`). Optionally set PFS (Perfect Forward Secrecy) with `set pfs group14`. Apply the crypto map to the outgoing interface (e.g., `interface GigabitEthernet0/0` then `crypto map MYMAP`). Verify with `show crypto map`.
Configure Remote Access VPN (SSL/TLS)
For remote access with AnyConnect, first configure an IP pool (`ip local pool <name> <start>-<end>`). Enable AAA authentication (`aaa new-model`, `aaa authentication login <name> local`, create local usernames). Create a PKI trustpoint for SSL certificate (`crypto pki trustpoint <name>`, `enrollment selfsigned`). Configure a webvpn gateway (`webvpn gateway <name>`, `ip address <int> port 443`, `ssl trustpoint <name>`). Then create a webvpn context (`webvpn context <name>`, `gateway <name>`, `policy group <name>`, `functions svc-enabled`). Install AnyConnect client package (`webvpn install svc <url>`).
Verify VPN Operation
For site-to-site, use `show crypto isakmp sa` to see IKE Phase 1 SAs (state should be MM_ACTIVE). Use `show crypto ipsec sa` to see IPsec SAs (encaps and decaps counters should increment). For remote access, use `show webvpn session` to see active sessions. Also check `show ip local pool` to see address usage. If the VPN is not working, check ACLs, routing, and firewall rules. Common issues: incorrect peer IP, mismatched transform sets, or ACL not matching traffic.
Scenario 1: Connecting a Branch Office to HQ
A retail company with 50 stores needs to connect each store's network to the central data center for inventory and payment processing. The stores have a single internet connection via a small Cisco router. The solution: site-to-site IPsec VPNs. The network engineer configures each store router with a crypto map pointing to the HQ router's public IP. The HQ router terminates all 50 tunnels. This is a hub-and-spoke topology. The engineer must ensure the HQ router has enough processing power (CPU) to handle 50 simultaneous IPsec tunnels. A common mistake is forgetting to add routes on the store routers pointing to the HQ network via the tunnel interface. Also, NAT must be configured to exclude VPN traffic; otherwise, the router might NAT the encrypted packets before sending them, breaking the tunnel. In production, the engineer would also implement QoS to prioritize voice traffic over the VPN.
Scenario 2: Teleworkers Using AnyConnect
A consulting firm has 200 employees who work remotely. They need secure access to internal applications and file servers. The firm deploys a Cisco ASA (or IOS router) as a VPN gateway with AnyConnect. Employees install the AnyConnect client on their laptops. The gateway authenticates users via RADIUS (e.g., Microsoft NPS) and assigns IP addresses from a pool. Split tunneling is configured: only traffic destined for the corporate network goes through the VPN; internet traffic goes directly to the internet. This reduces gateway load and improves user experience. The engineer must ensure the gateway's SSL certificate is from a trusted CA to avoid client warnings. A common issue is users forgetting to connect the VPN before accessing internal resources. Also, if the gateway runs out of IP addresses in the pool, new connections will fail. Monitoring with show webvpn session helps track usage.
Scenario 3: DMVPN for Dynamic Branches
For large-scale site-to-site with many branches that have dynamic public IPs (e.g., cable modems), DMVPN (Dynamic Multipoint VPN) is used. It combines IPsec, mGRE, and NHRP to allow branches to dynamically establish tunnels directly to each other (spoke-to-spoke) without manual configuration. This is beyond CCNA but shows how site-to-site scales. In the exam, you might see DMVPN as a concept. The key takeaway: site-to-site can be static (traditional) or dynamic (DMVPN).
What the CCNA 200-301 Tests:
Objective 5.7 asks you to "compare site-to-site and remote access VPNs." This means you must be able to:
Identify the correct VPN type for a given scenario (e.g., connecting two offices vs. a teleworker).
Understand the basic configuration steps for each (especially IPsec site-to-site).
Know the key protocols: IPsec (ESP, AH, IKE), SSL/TLS.
Recognize verification commands and their output.
Understand the differences in deployment, transparency, and client requirements.
Common Wrong Answers and Why:
"Remote access VPNs use IPsec only." Wrong. Remote access can use IPsec or SSL/TLS. SSL/TLS is actually more common for client-based VPNs because it bypasses most firewalls. The right answer: remote access VPNs can use either IPsec (IKEv2) or SSL/TLS.
"Site-to-site VPNs require client software on each PC." Wrong. Site-to-site VPNs are transparent; users don't install anything. The router handles encryption. This confusion arises because remote access VPNs do require clients.
"IKE Phase 2 is used for authentication." Wrong. IKE Phase 1 handles authentication and creates the secure management tunnel. Phase 2 negotiates the IPsec SA for data. Candidates often mix up the phases.
"IPsec Tunnel mode encrypts only the payload." Wrong. Tunnel mode encrypts the entire original IP packet, including headers. Transport mode encrypts only the payload. For site-to-site, Tunnel mode is used.
Specific Values and Commands to Know:
Default IKE lifetime: 86400 seconds (1 day)
Default IPsec SA lifetime: 3600 seconds (1 hour) or 4608000 kilobytes
Common transform set: esp-aes 256 esp-sha256-hmac
Verification commands: show crypto isakmp sa, show crypto ipsec sa, show crypto map
For remote access: show webvpn session
Elimination Strategy:
When a question asks "Which VPN type?" look for clues: if the scenario mentions "branch office" or "site," it's site-to-site. If it mentions "teleworker" or "remote user," it's remote access. If the question asks about "transparency," site-to-site is transparent; remote access requires client software. If the question asks about "always-on," site-to-site is always-on; remote access is on-demand.
Site-to-site VPNs connect entire networks transparently; remote access VPNs connect individual hosts using a client.
IPsec is the primary protocol for site-to-site VPNs; it uses IKE (UDP 500) for key exchange and ESP (IP protocol 50) for encryption.
IKE has two phases: Phase 1 (ISAKMP SA, 6 messages in Main Mode) and Phase 2 (IPsec SA, 3 messages in Quick Mode).
Default IKE lifetime is 86400 seconds; default IPsec SA lifetime is 3600 seconds or 4608000 KB.
Common verification commands: 'show crypto isakmp sa', 'show crypto ipsec sa', 'show crypto map'.
Remote access VPNs can use SSL/TLS (port 443) or IPsec IKEv2; Cisco AnyConnect typically uses SSL with DTLS.
Crypto ACLs define interesting traffic that triggers IPsec encryption; they must match the source and destination networks.
These come up on the exam all the time. Here's how to tell them apart.
Site-to-Site VPN
Connects entire networks (e.g., branch to HQ)
Always-on, transparent to users
No client software needed on hosts
Uses IPsec (usually Tunnel mode)
Configured on routers/firewalls
Remote Access VPN
Connects individual hosts (e.g., teleworkers)
On-demand, user-initiated
Requires VPN client software on each device
Can use IPsec or SSL/TLS
Configured on VPN gateways (ASA, router)
Mistake
Remote access VPNs only use IPsec.
Correct
Remote access VPNs can use either IPsec (IKEv2) or SSL/TLS. SSL/TLS is often preferred because it uses port 443, which is rarely blocked by firewalls.
Many candidates think of IPsec as the only VPN protocol because it's heavily covered in CCNA materials.
Mistake
Site-to-site VPNs require a VPN client on each user's device.
Correct
Site-to-site VPNs are transparent; the router or firewall handles encryption. Users send traffic normally without any client software.
Candidates confuse site-to-site with remote access, where a client is indeed required.
Mistake
IKE Phase 2 creates the management tunnel.
Correct
IKE Phase 1 creates the management tunnel (ISAKMP SA). Phase 2 creates the IPsec SA for data traffic.
The phases are often reversed in memory because Phase 2 sounds like it should come after Phase 1, but Phase 1 is the initial setup.
Mistake
IPsec Tunnel mode encrypts only the payload of the original packet.
Correct
IPsec Tunnel mode encrypts the entire original IP packet, including headers, and then adds a new IP header. Transport mode encrypts only the payload.
The word 'tunnel' might suggest that only the inner part is encrypted, but actually the whole original packet is encapsulated.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
IKEv1 is the original version with two phases (Main/Aggressive Mode and Quick Mode). It uses UDP port 500. IKEv2 is a more efficient and secure replacement; it uses a single exchange (2 messages) to create both the IKE SA and the first IPsec SA. IKEv2 also supports EAP authentication and is more resistant to DoS attacks. For CCNA, you should know that IKEv2 is preferred for new deployments but IKEv1 is still widely used. Both are used for IPsec VPNs.
Technically yes, but it's uncommon. SSL/TLS VPNs are typically used for remote access because they are client-based. For site-to-site, IPsec is the standard because it is more efficient for network-to-network traffic and does not require a web browser. However, some vendors offer SSL-based site-to-site VPNs. On the CCNA exam, assume site-to-site uses IPsec and remote access uses either IPsec or SSL.
A crypto ACL (access control list) defines which traffic should be encrypted by the IPsec VPN. It is used in the crypto map. For example, 'access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255' tells the router to encrypt any IP traffic from 10.1.1.0/24 to 10.2.2.0/24. If the ACL does not match the traffic, the VPN will not encrypt it, and the traffic will be sent in clear text. A common mistake is forgetting to create the ACL or having it incorrectly ordered.
Use 'show crypto isakmp sa' to check that the IKE Phase 1 SA is in MM_ACTIVE state. Then use 'show crypto ipsec sa' to see the IPsec SAs; look for 'encaps' and 'decaps' counters that are incrementing. You can also ping across the tunnel and check the counters. If the tunnel is up but packets are not being encrypted, check the crypto ACL and routing.
Split tunneling allows a remote access VPN client to send only corporate-bound traffic through the VPN tunnel, while all other internet traffic goes directly to the internet. This reduces load on the VPN gateway and improves user performance. The alternative is full tunneling, where all traffic goes through the VPN. Split tunneling is configured on the VPN gateway and can be a security concern because the client is directly exposed to the internet. The CCNA exam may ask about the trade-offs.
Diffie-Hellman (DH) is used to securely establish a shared secret key between two IPsec peers over an insecure channel. In IKE Phase 1, the peers exchange DH public values and compute a shared key. This key is then used to derive encryption and authentication keys for the IKE SA. DH groups (e.g., group 14) determine the strength of the key exchange. Higher group numbers provide stronger security but require more CPU. The CCNA exam expects you to know that DH is used for key exchange.
Yes, but it's not recommended for security reasons. In Cisco IOS, you can configure a global pre-shared key with 'crypto isakmp key <key> address 0.0.0.0' to match any peer. However, this is insecure because if one peer is compromised, all tunnels are compromised. Best practice is to use unique pre-shared keys per peer or use digital certificates. The CCNA exam may test the concept of pre-shared key configuration.
You've just covered Site-to-Site vs Remote Access VPN — now see how well it sticks with free CCNA 200-301 practice questions. Full explanations included, no account needed.
Done with this chapter?