VPNs

veena_kompal · ‎02-06-2008

Hi,

Whats the difference between the site-to-site and the internet VPN. I do know that the internet vpn is for remote access and the site-to-site is to connect the branch office to the main office. But I would want to know the exact differece in configuring these 2 vpns.

Thanks

husycisco · ‎02-06-2008

Hi Veena

There is no such term called "Internet VPN". There are two types.

1)Remote Access VPN (RA)

In this scenario, clients connect to VPN endpoint individually via VPN Client software

2)Site-To-Site VPN (L2L)

In this scenario, two VPN endpoints establish a tunnel between them. In most cases, endpoints have static IPs

The main difference in configuration side between these two, RA VPN clients are not static like a remote site. All clients are individual and dynamic, they have changing IPs. Thats why you should define dynami crypto map entries for RA VPN. Following is an example crypto entry for RA VPN

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 set pfs

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map

In L2L VPN, you should specify the remote peer IP, the traffic which should flow through tunnel (match address acl). Another thing in L2L VPN to keep in mind is, tunnel-group name and the remote peer IP address must be the same. If you have a remote peer IP of 69.23.231.54, then you should define tunnel-group 69.23.231.54 type ipsec-l2l

And here is an example config for L2L VPN

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 200 match address outside_200_cryptomap

crypto map outside_map 200 set peer x.x.x.x

crypto map outside_map 200 set transform-set ESP-3DES-SHA

Regards