As organizations grow, they establish branches in different parts of the world to optimize their operations and outdo their competitors. As a result, they end up running a separate private network at each of their offices.
The biggest challenge is linking these networks so that the offices can communicate smoothly and securely, because a private network cannot on its own span a large geographical area. The offices therefore connect their local area networks (LANs) over a wide area network (WAN) or the internet to remove the geographical constraint, and a site-to-site VPN is what makes this possible.
As we all know, organizations implement VPNs so that data crossing an insecure path (a WAN or the internet) is protected from interception and tampering. This is achieved by creating a secure tunnel: the data travels through it encrypted, so it stays confidential and its integrity is preserved.
So what is a site-to-site VPN? In simple terms, it is a VPN connection between two distant locations, and specifically a secure connection: data exchanged over a site-to-site VPN is encrypted so that it cannot be read or altered in transit. It is also a very economical venture, especially for businesses such as banks. All a branch needs is to connect its computers to the internet, and they can access the headquarters intranet.
Where a branch has limited resources of its own, employees can also reach resources at other branches. A site-to-site VPN also eliminates the need for VPN client software on each device, as a remote access VPN requires; all that is needed is dedicated equipment at each site that serves every device behind it. For this reason, we can say a site-to-site VPN is economical.
How site-to-site VPN works
To understand how a site-to-site VPN works, consider two offices (A and B) located in different towns. An employee in office A needs to access a database stored on a server in office B. Each office has a VPN gateway, and the two gateways (the VPN peers) are connected via the internet.
VPN peer A initiates a connection request to VPN peer B. If the security configuration and policy permit, peer A authenticates peer B and then uses IPsec to establish a secure tunnel. The employee can now access the database in office B as if they were physically present there. The firewall strictly monitors the data flowing through the tunnel.
Types of site-to-site VPNs
Site-to-site VPNs are classified as either intranet-based or extranet-based. An intranet-based VPN is used when an organization has more than one branch office and wants them to form a single private network; it does this by establishing the intranet connection over a WAN. An extranet-based VPN lets a company extend its LAN to another company it trusts (for example a supplier), so the two can share resources without either getting into the other's separate intranet.
How to set up a site-to-site VPN
Before starting, make sure you have configured all the Ethernet interfaces, zones, and virtual routers. Then create the tunnel interfaces in a separate zone so that tunneled traffic can be governed by its own policies. For traffic to enter the tunnel, set up static routes that point to the tunnel interface.
To complete the site-to-site VPN tunnel, define the IKE gateways that enable communication between the hosts on each side of the tunnel. This is also where you define the security protocols and configure all the parameters needed to establish the IPsec connection. Finally, specify how the firewall monitors the tunnel by defining the security policies that inspect and filter its traffic. The connection is then ready.
If the two VPN peers (A and B) both use static routes, the tunnel interfaces do not need IP addresses: the firewall simply uses the tunnel interface itself as the next hop when it routes traffic between the peers. You can still assign a static IP address to the tunnel interfaces if you want to monitor tunnel traffic.
If the two VPN peers (A and B) need to share resources and both use dynamic routing, they use the Open Shortest Path First (OSPF) protocol to route the traffic dynamically. In that case you must assign a static tunnel IP address to each peer, which serves as the next hop for traffic routed between A and B.
Static and OSPF routing
This is the more complex way to exchange data: one peer uses static routing while the other uses dynamic routing. Both tunnel interfaces must be configured with a static IP address, and the firewall between the two peers must have a redistribution profile configured so that routes can be exchanged.
The redistribution profile is essential here because the virtual router has to redistribute and filter routing information between the different sources (static routes, host routes, and connected routes) and the routing protocol. Without it, no routing information would be exchanged between the peers, since each protocol operates independently and does not share routing information with the others, even when they run on the same virtual router.
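The steps above are described in firewall terms (zones, virtual routers, IKE gateways, redistribution profiles); the same route-based design on a Cisco IOS router, as an added example that is not from the original article, looks like this for site A. All addresses (RFC 5737 documentation ranges for the WAN side), prefixes, interface and object names are constructed, and IOS 15.x IKEv2 with a virtual tunnel interface is assumed.

```cisco
! Site A router, as a constructed example (Cisco IOS 15.x IKEv2 + VTI syntax assumed)
! Site A WAN 203.0.113.1, Site B WAN 198.51.100.2 (RFC 5737 documentation ranges)
! Site A LAN 192.168.1.0/24, Site B LAN 192.168.2.0/24
interface GigabitEthernet0/0
 description WAN uplink
 ip address 203.0.113.1 255.255.255.0
!
! --- IKE gateway: how peer A authenticates peer B and negotiates keys ---
crypto ikev2 proposal IKE-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy IKE-POL
 proposal IKE-PROP
crypto ikev2 keyring IKE-KEYS
 peer SITE-B
  address 198.51.100.2
  pre-shared-key REPLACE-WITH-LONG-RANDOM-SECRET
crypto ikev2 profile IKE-PROF
 match identity remote address 198.51.100.2 255.255.255.255
 identity local address 203.0.113.1
 authentication remote pre-share
 authentication local pre-share
 keyring local IKE-KEYS
!
! --- IPsec parameters that protect the tunneled traffic ---
crypto ipsec transform-set ESP-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile IPSEC-PROF
 set transform-set ESP-AES256-SHA256
 set ikev2-profile IKE-PROF
!
! --- Tunnel interface; the static /30 address is the next hop used by OSPF ---
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF
!
! --- Dynamic routing: OSPF advertises the LAN through the tunnel ---
router ospf 1
 network 10.255.0.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
 ! Mixed case: redistribute this router's static routes into OSPF so the far peer learns them
 redistribute static subnets
!
! Static-only alternative (both peers static): point the remote LAN route at the tunnel
! ip route 192.168.2.0 255.255.255.0 Tunnel0
```

Site B mirrors this configuration with the WAN and LAN addresses swapped and 10.255.0.2 on its Tunnel0.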
Cisco routers are the most common on the market, and a site-to-site connection can be established between two peers connected with Cisco routers using the IPsec protocol. In this case, both routers have a static IP address. The first thing to configure is ISAKMP, which negotiates the key-exchange messages. Then configure IPsec for data protection and authentication across the tunnel.
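The two-step ISAKMP-then-IPsec configuration just described, as an added example that is not from the original article, for site A using the classic IOS crypto-map (policy-based) approach. The peer and LAN addresses, key placeholder and object names are constructed.

```cisco
! Site A router, as a constructed example (classic IOS ISAKMP/crypto-map syntax assumed)
! Site A WAN 203.0.113.1, Site B WAN 198.51.100.2 (RFC 5737 documentation ranges)
! Site A LAN 192.168.1.0/24, Site B LAN 192.168.2.0/24
!
! --- Step 1: ISAKMP (IKE phase 1) policy for negotiating the tunnel ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
! Pre-shared key bound to the peer's static address
crypto isakmp key REPLACE-WITH-LONG-RANDOM-SECRET address 198.51.100.2
!
! --- Step 2: IPsec (phase 2) protection for data crossing the tunnel ---
crypto ipsec transform-set ESP-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Only LAN-to-LAN traffic matches this ACL and is encrypted; anything else
! leaving the WAN interface goes out in the clear.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map SITE-B-MAP 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set ESP-AES256-SHA256
 set pfs group14
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 description WAN uplink
 ip address 203.0.113.1 255.255.255.0
 crypto map SITE-B-MAP
!
! Site B mirrors this with the addresses and the ACL direction swapped.
! Verification once both sides are configured:
!   show crypto isakmp sa   -> peer in state QM_IDLE (phase 1 established)
!   show crypto ipsec sa    -> #pkts encaps/decaps increasing (phase 2 active)
```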
Benefits of site-to-site VPN
Implementing a site-to-site VPN is one of the most cost-effective ways for an organization to communicate with its distant branches quickly and efficiently. All branches can be monitored from the central office without anyone needing to travel, and computers on the LANs do not need a VPN client pre-installed (which is costly to purchase and monitor) in order to communicate.
With the rise of security concerns, every organization needs its data protected as it travels over the internet. A site-to-site VPN ensures the data is encrypted and that access to it requires some form of authentication, and the firewall that terminates the secure tunnel also filters threats arriving from the internet. As a result, you get a secure, reliable data exchange mechanism.