Vendor-neutral pattern
Site-to-site IPsec VPN between headquarters and a branch office
Two private LANs, one untrusted internet in between, and a pair of gateways that make the whole thing behave like a single routed network.
One tunnel, two whole sites
A site-to-site VPN joins two entire networks rather than a single roaming user. In this pattern a company runs a private LAN at headquarters (10.1.0.0/16) and a second private LAN at a branch office (10.2.0.0/16), and it needs the two to reach each other as if they shared a cabinet, even though the only path between them is the public internet.
The work is done by a VPN gateway at each site, usually the edge firewall or router. The gateways hold the tunnel configuration, the keys, and the encryption policy; the end devices behind them run no VPN software at all. A branch workstation simply routes toward a headquarters IP, its default gateway recognizes that the destination belongs to the far LAN, and the tunnel is applied transparently. Because the tunnel is always on and gateway-to-gateway, users never log in to it and never notice it.
How IPsec builds the tunnel
IPsec is a suite, not a single protocol. Its two data-protecting members are Authentication Header (AH), IP protocol 51, which provides integrity and origin authentication but no confidentiality, and Encapsulating Security Payload (ESP), IP protocol 50, which provides confidentiality plus integrity and authentication. Because a site-to-site link crossing the internet must keep the payload secret, this design uses ESP.
Before any data is protected, the peers must agree on keys and parameters using Internet Key Exchange (IKE), which runs over UDP port 500, moving to UDP 4500 when NAT traversal is needed. IKE happens in two stages: phase 1 authenticates the two gateways to each other (with a pre-shared key or certificates) and builds a secure management channel, and phase 2 negotiates the actual IPsec security associations that encrypt user traffic. The gateways run ESP in tunnel mode, which wraps the entire original IP packet inside a new packet addressed from one gateway's public IP (203.0.113.10) to the other's (198.51.100.20). Transport mode, which protects only the payload and leaves the original header exposed, is meant for host-to-host protection and is not used for gateway-to-gateway links.
Interesting traffic, and where site-to-site ends
Each gateway carries a policy that defines interesting traffic: the source and destination ranges that must be encrypted. Here the policy matches 10.1.0.0/16 to and from 10.2.0.0/16, so a packet from a branch client to the HQ file server is encrypted, while that same client browsing the public internet is routed normally in the clear. Getting this match wrong on either peer is a classic cause of a tunnel that builds but passes no traffic.
This is the seam the exam tests between the two remote-access styles. Site-to-site VPN is always-on and gateway-to-gateway, joining whole subnets with no per-user client. Client-to-site VPN (remote access) is the opposite: an individual user runs a VPN client to reach the corporate network, and its own sub-choice is split tunnel (only corporate subnets go through the tunnel) versus full tunnel (all of the user's traffic does). When a scenario connects two fixed offices with no software on the endpoints, it is describing site-to-site; when it connects a single traveling laptop, it is describing client-to-site.
Sources
Practice what you just read