Site-to-Site vs. Remote-Access VPN – Complete Comparison

1. What Is a VPN?

A Virtual Private Network (VPN) creates an encrypted tunnel across a public or untrusted network — typically the Internet — so that data travels as securely as if it were on a private dedicated link. Three core properties define every VPN:

  • Confidentiality (Encryption): Data is encrypted so that anyone who intercepts it in transit cannot read it. Common algorithms: AES-256, AES-128, 3DES.
  • Integrity: A cryptographic hash (HMAC-SHA256, SHA-1) appended to each packet lets the receiver verify no one tampered with the data in transit.
  • Authentication: Both sides prove they are who they claim to be before the tunnel is established — using pre-shared keys, digital certificates, or user credentials.

There are two fundamentally different VPN models used in enterprise networking, with entirely different purposes, endpoints, and protocols: Site-to-Site VPN and Remote-Access VPN.

Related pages: IPsec Basics | IPsec VPN | DMVPN Overview | Applying ACLs | ACL Overview | NAT | WAN Technologies | AAA Overview | Site-to-Site IPsec VPN Lab

2. Site-to-Site VPN

A Site-to-Site VPN permanently connects two or more entire networks at different geographic locations through the Internet or a service provider WAN. The VPN tunnel is established between network devices (routers or firewalls) at each site — not between individual user devices. Once the tunnel is up, every host on either LAN can communicate with every host on the other LAN transparently; end users do not need any VPN software or credentials. 

  Site A (Riyadh HQ)              Internet             Site B (Jeddah Branch)
  [PC 192.168.1.x]                                     [PC 192.168.2.x]
        |                                                     |
  [Router/Firewall] ———— IPsec encrypted tunnel ———— [Router/Firewall]
  WAN: 203.0.113.1                                     WAN: 198.51.100.1

Typical use cases:

  • Connecting branch offices to headquarters over the Internet
  • Business-to-business (B2B) network integration with partners
  • Extending a corporate LAN across multiple data centres
  • Replacing expensive MPLS leased lines with IPsec over broadband

Common site-to-site VPN technologies:

Technology Description Best For
IPsec Most common; encrypts and authenticates IP packets at Layer 3 Standard internet-based site-to-site tunnels
GRE over IPsec GRE tunnel carries multicast and routing protocol traffic; IPsec encrypts the GRE packets Sites that need to run dynamic routing (OSPF, EIGRP) over the VPN
DMVPN Dynamic Multipoint VPN — a Cisco scalable solution where spokes can build dynamic tunnels directly to each other via a hub Large hub-and-spoke topologies with many branch offices
MPLS VPN Service-provider managed VPN; traffic travels over the SP’s MPLS network rather than the public Internet Enterprises requiring guaranteed SLAs and QoS

3. Remote-Access VPN

A Remote-Access VPN allows individual users to connect securely to the corporate network from any Internet location — home, hotel, coffee shop. Unlike site-to-site VPNs, the tunnel terminates on the user’s device (laptop, phone, tablet), not on a network device. The user must actively initiate the connection and authenticate before gaining access. 

  [Employee laptop at home]
        |
  VPN client (AnyConnect) ——— SSL/TLS or IPsec tunnel ——— [VPN Gateway / ASA]
        |                                                                  |
  Dynamic IP (hotel/home)                                    Corporate LAN 10.0.0.0/8

Typical use cases:

  • Work-from-home and hybrid remote work
  • Mobile engineers accessing internal systems from the field
  • Contractors or third-party vendors with scoped temporary access
  • BYOD (Bring Your Own Device) scenarios with per-user access policies

Remote-access VPN types:

Type How It Works Protocol Client Required?
Client-based VPN User installs VPN software on their device; software establishes a full tunnel to the corporate network SSL/TLS (TCP 443), IKEv2/IPsec Yes (e.g., Cisco AnyConnect, OpenVPN)
Clientless SSL VPN User accesses an HTTPS portal in a web browser; no installed software needed; access is typically limited to web-based applications HTTPS / SSL No — just a browser

4. Architecture Comparison

Aspect Site-to-Site VPN Remote-Access VPN
What connects Network to network (LAN to LAN) Individual device to network (client to gateway)
VPN endpoints Router or firewall at each site VPN client on user device; VPN gateway/concentrator at HQ
Tunnel persistence Always-on — tunnel stays up permanently (or re-establishes automatically) On-demand — user initiates and terminates the connection
User awareness Transparent — end users have no idea a VPN exists; they just access resources normally Visible — user must launch client, authenticate, and connect before accessing resources
Number of connections Few, fixed (one per site) Many, dynamic (one per active user; can be thousands simultaneously)
IP addressing Both endpoints typically have static public IPs; NAT traversal needed if behind NAT Remote user typically has a dynamic IP; VPN gateway assigns an internal IP from a pool

5. IPsec – How Site-to-Site VPN Tunnels Are Built

IPsec is the dominant protocol for site-to-site VPNs. It establishes a secure tunnel through a two-phase negotiation process:

IKE Phase 1 – Management Tunnel (ISAKMP SA)

The two VPN peers establish a secure, authenticated channel to protect the Phase 2 negotiation. They agree on:

  • Encryption algorithm (AES, 3DES)
  • Hash/integrity algorithm (SHA-256, SHA-1, MD5)
  • Authentication method (pre-shared key or digital certificate)
  • Diffie-Hellman group for key exchange (Group 2, 5, 14, 19…)
  • ISAKMP SA lifetime

IKE Phase 2 – Data Tunnel (IPsec SA)

Using the Phase 1 channel, the peers negotiate the actual data-protection parameters (transform set) and establish the IPsec Security Association (SA) that will encrypt the user traffic. They agree on:

  • IPsec protocol: ESP (Encapsulating Security Payload — encrypts + authenticates) or AH (Authentication Header — authenticates only; rarely used)
  • Transform set encryption and hash (e.g., esp-aes esp-sha-hmac)
  • IPsec SA lifetime
  • Perfect Forward Secrecy (PFS) using a new Diffie-Hellman exchange
  IKE Phase 1:  Router A <——— ISAKMP SA (management) ———> Router B
                      Encryption + Authentication of Phase 2 negotiation

  IKE Phase 2:  Router A <——— IPsec SA (data)       ———> Router B
                      Actual user traffic is encrypted through this SA

6. Authentication and Access Control

Aspect Site-to-Site VPN Remote-Access VPN
Who authenticates Devices (routers or firewalls) authenticate each other Individual users authenticate to the VPN gateway
Pre-shared keys Both routers configured with the same key; simple but key management can be difficult at scale Not typical — user credentials are used instead
Digital certificates PKI-based; each device has a certificate signed by a CA; more scalable and secure than pre-shared keys Can be used for machine authentication; commonly used with user certificate on managed devices
Username / password Not used for tunnel establishment Primary user authentication method; typically integrated with Active Directory via RADIUS or LDAP
Multi-factor authentication (MFA) Rare — device identity is the factor Common best practice; adds a second factor (OTP, push notification, smart card) to username/password
AAA integration Sometimes used for device authentication Standard — VPN gateway queries RADIUS or TACACS+ server; enables per-user policies and accounting

7. Tunneling Protocols

Protocol Site-to-Site VPN Remote-Access VPN Notes
IPsec (IKEv1/IKEv2) Very common — primary protocol Used in client-based VPNs (IKEv2 preferred) IKEv2 is more efficient and resilient than IKEv1; supports MOBIKE for roaming users
GRE Often combined with IPsec to carry routing protocol multicast Not typical GRE adds no encryption on its own; always pair with IPsec in production
DMVPN Cisco scalable hub-and-spoke solution; spokes create on-demand spoke-to-spoke tunnels Not used Uses mGRE + NHRP + IPsec; reduces full-mesh config overhead
SSL/TLS (port 443) Rare; sometimes used for cloud-based site-to-site Very common — works through firewalls that block UDP/500 (IKE) Cisco AnyConnect defaults to SSL/TLS; failsafe when IPsec is blocked
L2TP/IPsec Not typical Built into Windows/iOS/Android natively; L2TP provides tunnelling; IPsec provides encryption Older approach; largely superseded by IKEv2 and SSL VPN
Cisco AnyConnect Not used Cisco’s premier remote-access VPN client; supports SSL/TLS and IPsec IKEv2; agent-based Requires Cisco ASA, FTD, or ISR with SSL/IKEv2 licence

8. Encryption and Security

Security Feature Common Algorithms / Options Notes
Encryption AES-256 (recommended), AES-128, 3DES (legacy) AES-256 is NIST-recommended; avoid DES and 3DES in new deployments
Integrity (HMAC) HMAC-SHA-256 (recommended), HMAC-SHA-1, MD5 (deprecated) MD5 and SHA-1 are considered weak; use SHA-256 or higher
Key exchange Diffie-Hellman Group 14 (2048-bit) or higher; Group 19/20 (ECDH) Avoid DH Group 1 and 2 (768/1024-bit); insufficient for modern security
Perfect Forward Secrecy (PFS) New DH exchange for each IPsec SA Ensures past sessions remain secure even if long-term keys are compromised
Split tunnelling Tunnel-all vs. split-tunnel (send only corporate traffic through VPN) Split tunnelling reduces VPN gateway load but internet traffic is not protected; tunnel-all is more secure

9. Cisco IOS Site-to-Site IPsec VPN Configuration

! ===== ROUTER A (203.0.113.1) =====

! Phase 1: Define ISAKMP (IKE) policy
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! Pre-shared key for the remote peer
crypto isakmp key MyStr0ngKey! address 198.51.100.1
!
! Phase 2: Define IPsec transform set
crypto ipsec transform-set MYSET esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! ACL to define which traffic triggers the tunnel (interesting traffic)
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Crypto map ties everything together
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set MYSET
 set pfs group14
 match address 101
!
! Apply the crypto map to the WAN-facing interface
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map VPNMAP

Router B at the Jeddah office requires a mirror configuration with its own WAN IP (198.51.100.1), the same pre-shared key and policy parameters, and a matching ACL with the source/destination IPs reversed.

10. Scalability and Performance

Aspect Site-to-Site VPN Remote-Access VPN
Scaling model Scales to a fixed number of sites; each new site adds one tunnel (or fewer with DMVPN hub) Scales to hundreds or thousands of simultaneous users; limited by VPN gateway CPU, memory, and licences
Tunnel management overhead Static; typically configured once and largely self-managing Dynamic; tunnels created and torn down per user session; requires user provisioning
Performance bottleneck Router CPU (encryption) and WAN link bandwidth between sites VPN gateway CPU/ASICs and bandwidth; can become a single point of contention for all remote users
Adding capacity Add sites by configuring new tunnels; DMVPN hub simplifies spoke addition Upgrade gateway hardware, add VPN concentrators, or move to cloud-based VPN

11. Monitoring and Troubleshooting

Site-to-Site IPsec VPN

! Check Phase 1 (ISAKMP) security associations
Router# show crypto isakmp sa
! Expected output: state = QM_IDLE (healthy Phase 1)

! Check Phase 2 (IPsec) security associations
Router# show crypto ipsec sa
! Look for: pkts encaps/decaps incrementing = traffic flowing

! View crypto map configuration
Router# show crypto map

! Debug Phase 1 negotiation (use with caution in production)
Router# debug crypto isakmp
Router# undebug all          ! disable immediately after capturing output

Remote-Access VPN (Cisco ASA)

! View all active VPN sessions (SSL and IPsec)
ASA# show vpn-sessiondb

! View active IPsec sessions only
ASA# show crypto session

! View SSL VPN sessions
ASA# show vpn-sessiondb anyconnect

! Check licence utilisation (important for capacity planning)
ASA# show vpn-sessiondb summary

Common Problems and Solutions

Problem Likely Cause Resolution
Phase 1 fails to establish (no SA in show crypto isakmp sa) Mismatched ISAKMP policy (encryption, hash, DH group, or lifetime on one side) Verify both peers use identical policy parameters; check pre-shared key matches exactly
Phase 1 up but Phase 2 fails Mismatched transform-set parameters or mismatched interesting-traffic ACL Ensure both sides define the same transform-set; verify ACLs are mirror images of each other
Tunnel up but no traffic flows NAT translating traffic before it reaches the crypto ACL; routing missing Add NAT exemption (crypto ACL traffic must be excluded from NAT); verify routing to remote subnet
Remote-access user cannot connect Wrong credentials; firewall blocking TCP/UDP 443 or UDP 500/4500; licence exhausted Verify username/password; check firewall rules allow AnyConnect ports; check VPN licence count
Tunnel drops intermittently SA lifetime mismatch; ISP dropping UDP; unstable WAN link Match SA lifetimes; enable NAT traversal (UDP 4500); check WAN interface error counters

12. Use Cases Summary

Scenario Best VPN Type Reason
Connecting branch offices to HQ Site-to-Site Always-on, transparent to users; full LAN-to-LAN connectivity
Work-from-home employees Remote-Access Dynamic users with varying IPs; per-user authentication and policies
B2B partner network integration Site-to-Site Connects partner network segment to your network; device-to-device authentication
Third-party contractor access Remote-Access Temporary, scoped access; easily provisioned and revoked per user
BYOD mobile workforce Remote-Access (Clientless SSL) No client software needed; browser-based portal limits access to approved resources
Large retail chain (50+ branches) Site-to-Site (DMVPN) DMVPN hub-and-spoke reduces per-site config; spokes build direct tunnels as needed

13. Advantages and Disadvantages

Feature Site-to-Site VPN Remote-Access VPN
Pros Connects entire networks; always-on and transparent to users; no VPN software needed on endpoints; scalable for a fixed number of sites Enables mobile and home working; granular per-user access control; supports MFA; works on any Internet connection
Cons Not suitable for mobile users with dynamic IPs; requires static public IPs at both sites (or NAT traversal); adding new sites requires config changes at both ends Requires VPN client software (except clientless); performance varies by user Internet quality; VPN gateway can become a bottleneck; ongoing user support overhead

14. Quick Comparison Reference

Feature Site-to-Site VPN Remote-Access VPN
Who connects Router/firewall ↔ router/firewall User device ↔ VPN gateway
User experience Transparent — no user action User must launch client and log in
Tunnel persistence Always-on On-demand (per session)
Common protocols IPsec, GRE/IPsec, DMVPN, MPLS SSL/TLS, IKEv2/IPsec, Cisco AnyConnect, L2TP/IPsec
Authentication Pre-shared keys or digital certificates (device) Username/password + MFA (user); optional device certificate
Setup complexity Configured once by IT on both ends; static User provisioning, client distribution, ongoing support
Scalability Fixed sites; scales with DMVPN Thousands of dynamic users; gateway licence-limited
Key Cisco commands show crypto isakmp sa, show crypto ipsec sa show vpn-sessiondb, show crypto session

15. Key Points & CCNA Exam Tips

  • A VPN provides confidentiality (encryption), integrity (HMAC), and authentication across untrusted networks
  • Site-to-Site VPN = network-to-network; endpoints are routers or firewalls; tunnel is always-on; users are unaware; IPsec is the dominant protocol
  • Remote-Access VPN = client-to-network; endpoints are user devices and a VPN gateway; user must initiate; SSL/TLS or IKEv2/IPsec; Cisco AnyConnect is the standard client
  • IPsec negotiation has two phases: Phase 1 (ISAKMP SA — management tunnel, authenticates peers) and Phase 2 (IPsec SA — data tunnel, encrypts user traffic)
  • Common encryption: AES-256 (preferred), AES-128, 3DES (legacy). Common hash: SHA-256 (preferred), SHA-1, MD5 (avoid)
  • Authentication: Site-to-site uses pre-shared keys or certificates; remote-access uses username/password with MFA via RADIUS/TACACS+
  • GRE over IPsec is needed when routing protocols (OSPF, EIGRP) must run across the VPN tunnel — plain IPsec cannot carry multicast
  • DMVPN is Cisco’s scalable site-to-site solution for large branch deployments — uses mGRE + NHRP + IPsec
  • Split tunnelling sends only corporate traffic through the VPN; all other traffic goes directly to the Internet via the user’s local connection
  • Key verification commands: show crypto isakmp sa (Phase 1 status), show crypto ipsec sa (Phase 2 status and packet counters), show vpn-sessiondb (remote-access sessions on ASA)
  • Most common troubleshooting issue: Phase 1 or Phase 2 parameter mismatch (encryption, hash, DH group, or SA lifetime configured differently on the two peers)

Site-to-Site vs. Remote-Access VPN Quiz

1. What is the primary purpose of a VPN?

Correct answer is C. A VPN provides three core security properties: confidentiality (encrypting data so eavesdroppers cannot read it), integrity (detecting any tampering in transit using HMAC), and authentication (verifying the identity of both peers before the tunnel is established). These properties allow private network traffic to traverse the public Internet safely.

2. Which devices act as endpoints in a Site-to-Site VPN?

Correct answer is A. In a Site-to-Site VPN, the tunnel is established between a router or firewall at each site — not between user devices. This makes the VPN completely transparent to end users: they simply use network resources normally without any VPN software or login required. The network devices handle all encryption and tunnel management on behalf of all hosts on their respective LANs.

3. What is a typical use case for a Remote-Access VPN?

Correct answer is B. Remote-Access VPNs are designed for individual users who need to connect their device (laptop, phone, tablet) to the corporate network from any Internet location. The user must initiate the connection by launching VPN client software (such as Cisco AnyConnect) and authenticating. This is ideal for remote workers, travelling employees, and vendors requiring temporary access.

4. Which tunneling protocol suite is most commonly used for Site-to-Site VPNs?

Correct answer is D. IPsec is the dominant protocol suite for site-to-site VPNs. It uses IKE (Internet Key Exchange) for peer authentication and key negotiation (Phase 1), then ESP (Encapsulating Security Payload) for encrypting and authenticating the actual data (Phase 2). IKEv2 is the modern recommended version. SSL/TLS is common for remote-access; PPTP is obsolete; L2TP needs IPsec to provide encryption.

5. What is the key authentication difference between Site-to-Site and Remote-Access VPNs?

Correct answer is A. The authentication model reflects who is connecting. Site-to-Site VPNs authenticate the devices themselves — each router or firewall proves its identity using a pre-shared key or a PKI digital certificate. Remote-Access VPNs authenticate the individual user — typically via username/password checked against Active Directory through RADIUS, often combined with a second factor (OTP, push notification) for MFA.

6. Which is Cisco’s proprietary remote-access VPN client that supports both SSL and IPsec?

Correct answer is C. Cisco AnyConnect is Cisco’s enterprise remote-access VPN client. It supports both SSL/TLS (TCP port 443) and IKEv2/IPsec, automatically selecting or falling back between protocols depending on what the network allows. It integrates with Cisco ASA and FTD gateways and supports advanced features like posture assessment (checking endpoint security health before granting access), MFA, and split tunnelling policies.

7. What is a major scalability difference between Site-to-Site and Remote-Access VPNs?

Correct answer is B. Site-to-Site VPNs are ideal for a fixed, relatively small number of locations; each new site requires a new tunnel to be configured (unless using DMVPN, which reduces this overhead). Remote-Access VPNs are designed for a large, dynamic population of users — the VPN gateway handles thousands of simultaneous sessions, limited by hardware capacity and licence count. Remote users have dynamic IPs; the gateway assigns each session an internal IP from a pool.

8. Which command verifies IPsec Phase 1 (ISAKMP) security association status on Cisco IOS?

Correct answer is D. show crypto isakmp sa displays the current Phase 1 (ISAKMP/IKE) Security Associations. A healthy Phase 1 SA shows state QM_IDLE. If Phase 1 has not established, the output will be empty or show an error state. To check Phase 2 (IPsec SA) and see packet counters (encaps/decaps), use show crypto ipsec sa. show vpn-sessiondb is the remote-access session command on Cisco ASA.

9. Which encryption algorithms are commonly used to secure VPN traffic?

Correct answer is A. AES (Advanced Encryption Standard) is the NIST-recommended symmetric encryption algorithm for VPNs. AES-256 provides the highest security; AES-128 is acceptable for most use cases. 3DES (Triple DES) is a legacy algorithm still supported for backward compatibility but should not be used in new deployments. DES is obsolete and broken. SHA-1/MD5 are hashing algorithms used for integrity (HMAC), not encryption. HTTP and FTP are application protocols, not encryption algorithms.

10. What is a key advantage of Site-to-Site VPN over Remote-Access VPN?

Correct answer is C. The defining advantage of a Site-to-Site VPN is that it is always-on and completely transparent to end users. Once configured by IT on the routers/firewalls at both sites, the tunnel maintains itself automatically — users simply access resources as if both networks were local with no login required. This is ideal for branch-to-HQ connectivity where all employees need seamless access all day. Remote-Access VPNs require users to actively initiate and authenticate each session.

← Back to Home