Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

vpn encryption

Hello, Would you please advise the difference between an encrypted tunnel between two cisco routers ( crypto map namex 1 ipsec-isakmp; ....) and a vpn site to site between two cisco firewalls? And which one u would prefer and why :) ! BR,
  • VPN
Everyone's tags (1)
New Member

Your question is a little

Your question is a little vague?

Do you mean what's the different mehods of setup? of how do the tunnels differ? The tunnles DO NOT differ if they use the same VPN policy at both ends.

But to setup an IPEC tunnel on both platforms see the following links;

Cisco Router - Configure Site to Site IPSEC VPN

Cisco ASA 5500 Site to Site VPN (From CLI)



New Member

there are different kind of

there are different kind of VPN methods in that If you are using IPSEC vpn the both are same , means router and firewall.


but router has some different method of doing the VPN like DMVPN and GRE over IPSEC and GET VPN.

so it depends what kind of VPN are you going to Use.


but the encryption wise all are same.



Hall of Fame Super Silver

It seems to me that the

It seems to me that the original question was fairly straightforward and asked for comparison of IPSec tunnel configured between routers and between firewalls. I believe that the question was asking about implementing equivalent technologies on each platform and for that question I agree with previous answers that the results come out about the same. Given a choice I would prefer to do the site to site IPSec VPN on the router. I feel that the tools to manage and to troubleshoot the VPN are somewhat better on the router than on the firewall.


If we consider a slightly different version of the question and ask about implementing site to site VPN on routers and on firewalls without specifying the equivalent technology on each then I believe that we get a significantly different answer. The firewall has one way of implementing the site to site tunnel while the router gives us quite a few options. On the router we can do the traditional IPSec encryption (with no tunnel interface) and we can also do the GRE tunnel with IPSec encryption (using crypto map etc). We can also implement VTI for site to site VPN with the tunnel protection profile and also have options for GET VPN, and DMVPN. With these other technologies we also have the ability to run a routing protocol over the site to site VPN and the firewall does not give us this option. So in the more general form of the question I would prefer to do site to site VPN on the router because it gives so many more options to choose.





New Member

Thank you all guys for ur

Thank you all guys for ur answers, i think to what i am looking for both are ok but i am looking for preference. As the tunnel is between 2 companies i would prefer it between two firewalls especially i am not looking for other options like gre or others... Thus What option would you take assuming that a router and a firewall are already present on both sides for different reasons.. Maybe the firewall as a peer can help for better mgt like nat0, or building a kind of vpn peer profile for my company, or maybe benefit from the state-full fail-over we can implement on redundant firewalls. Maybe it is better to reformulate my question to ask is there a kind of standard for establishing vpn site to site between companies? :) Br,
This widget could not be displayed.