cerf
Vendor-neutral pattern

Vendor-neutral pattern

Site-to-site IPsec VPN between headquarters and a branch office

Two private LANs, one untrusted internet in between, and a pair of gateways that make the whole thing behave like a single routed network.

One tunnel, two whole sites

A site-to-site VPN joins two entire networks rather than a single roaming user. In this pattern a company runs a private LAN at headquarters (10.1.0.0/16) and a second private LAN at a branch office (10.2.0.0/16), and it needs the two to reach each other as if they shared a cabinet, even though the only path between them is the public internet.

The work is done by a VPN gateway at each site, usually the edge firewall or router. The gateways hold the tunnel configuration, the keys, and the encryption policy; the end devices behind them run no VPN software at all. A branch workstation simply routes toward a headquarters IP, its default gateway recognizes that the destination belongs to the far LAN, and the tunnel is applied transparently. Because the tunnel is always on and gateway-to-gateway, users never log in to it and never notice it.

Two whole sites joined by one always-on tunnel
Two whole sites joined by one always-on tunnelHeadquarters 10.1.0.0/16Branch office 10.2.0.0/16HQ LANHQ edgeBranch edgeBranch LANLANLANLANroute to 10.2.0.0/16public IPpublic IProute to 10.1.0.0/16LANLANalways-on IPsec tunnel (10.1/16 <-> 10.2/16)HQ clients10.1.10.0/24HQ file server10.1.20.15HQ app server10.1.20.30HQ core routerdefault gw 10.1.0.1HQ VPN gateway203.0.113.10Public internetuntrusted transitBranch VPNgateway198.51.100.20Branch routerdefault gw 10.2.0.1Branch clients10.2.10.0/24Branchworkstation10.2.10.55
Trace
Two entire private LANs joined by an always-on, gateway-to-gateway tunnel. A branch workstation routes toward an HQ IP with no VPN software installed; its default gateway hands the packet to the branch VPN gateway, which carries it across the public internet to HQ, so the two sites behave like one routed network.

How IPsec builds the tunnel

IPsec is a suite, not a single protocol. Its two data-protecting members are Authentication Header (AH), IP protocol 51, which provides integrity and origin authentication but no confidentiality, and Encapsulating Security Payload (ESP), IP protocol 50, which provides confidentiality plus integrity and authentication. Because a site-to-site link crossing the internet must keep the payload secret, this design uses ESP.

Before any data is protected, the peers must agree on keys and parameters using Internet Key Exchange (IKE), which runs over UDP port 500, moving to UDP 4500 when NAT traversal is needed. IKE happens in two stages: phase 1 authenticates the two gateways to each other (with a pre-shared key or certificates) and builds a secure management channel, and phase 2 negotiates the actual IPsec security associations that encrypt user traffic. The gateways run ESP in tunnel mode, which wraps the entire original IP packet inside a new packet addressed from one gateway's public IP (203.0.113.10) to the other's (198.51.100.20). Transport mode, which protects only the payload and leaves the original header exposed, is meant for host-to-host protection and is not used for gateway-to-gateway links.

How IPsec builds the tunnel: IKE phases and ESP encapsulation
How IPsec builds the tunnel: IKE phases and ESP encapsulationBranch office 10.2.0.0/16Headquarters 10.1.0.0/16IKE control plane (UDP 500 / 4500)IPsec data plane (ESP, IP proto 50)LAN, default routepublic IPpublic IPUDP 4500 (NAT-T)LAN1. initiate IKE2. after peer auth3. install IPsec SAsencapsulated to 203.0.113.10ESP tunnel mode (encrypted)Branch client10.2.10.55Branch gateway(initiator)198.51.100.20HQ gateway(responder)203.0.113.10HQ server10.1.20.15Public internetuntrusted transitNAT deviceIKE phase 1UDP 500IKE phase 2over the phase-1 ch…ESP tunnel modeIP protocol 50
Trace
Before user data flows, the branch gateway (initiator) runs IKE with the HQ gateway (responder): phase 1 authenticates the peers over UDP 500 and builds a management channel, phase 2 negotiates the IPsec security associations. ESP then wraps each original packet in tunnel mode inside a new header between the two public IPs, shifting to UDP 4500 when a NAT device sits in the path.

Interesting traffic, and where site-to-site ends

Each gateway carries a policy that defines interesting traffic: the source and destination ranges that must be encrypted. Here the policy matches 10.1.0.0/16 to and from 10.2.0.0/16, so a packet from a branch client to the HQ file server is encrypted, while that same client browsing the public internet is routed normally in the clear. Getting this match wrong on either peer is a classic cause of a tunnel that builds but passes no traffic.

This is the seam the exam tests between the two remote-access styles. Site-to-site VPN is always-on and gateway-to-gateway, joining whole subnets with no per-user client. Client-to-site VPN (remote access) is the opposite: an individual user runs a VPN client to reach the corporate network, and its own sub-choice is split tunnel (only corporate subnets go through the tunnel) versus full tunnel (all of the user's traffic does). When a scenario connects two fixed offices with no software on the endpoints, it is describing site-to-site; when it connects a single traveling laptop, it is describing client-to-site.

Interesting traffic, and the client-to-site contrast
Interesting traffic, and the client-to-site contrastBranch office 10.2.0.0/16Client-to-site (the contrast)Headquarters 10.1.0.0/16default routeper-packet lookuppublic IPpublic IPclear web trafficmatched 10.1/16 <-> 10.2/16: ESP tunnelLANLANpublic IPclient-to-site VPN (per-user client)Branch client10.2.10.55Branch VPNgateway198.51.100.20Interesting-trafficpolicyPublic internetuntrusted transitHQ VPN gateway203.0.113.10HQ file server10.1.20.15HQ clients10.1.10.0/24Public website203.0.113.200Travelinglaptop
Trace
The branch gateway checks every packet against its interesting-traffic policy. Traffic matching 10.1.0.0/16 to and from 10.2.0.0/16 is encrypted into the ESP tunnel to HQ; the same client browsing a public website does not match and is routed in the clear. A single traveling laptop running a VPN client is the client-to-site contrast the section draws.

Sources

Practice what you just read

6 questions from this architecture

Loading…