
CCNA IPsec VPN: Site-to-Site vs Remote Access VPN Explained

VPNs (Virtual Private Networks) create encrypted tunnels over untrusted networks like the internet. The CCNA 200-301 exam tests site-to-site VPN and remote access VPN concepts, IPsec fundamentals (AH vs ESP, IKE), and GRE tunneling. This guide covers the conceptual and practical differences between VPN types, what IPsec provides, and how these appear on the exam.


Site-to-site VPN

A site-to-site VPN connects two or more networks over the internet, creating a permanent tunnel between them. The VPN endpoints — routers or firewalls at each site — negotiate the VPN, encrypt traffic, and decrypt it on the other end. End devices at each site have no awareness that a VPN is in use; they communicate as if directly connected.

Site-to-site VPNs replace or supplement dedicated WAN links (MPLS, leased lines). A company with headquarters and a branch office uses a site-to-site VPN so branch employees can access HQ resources securely over internet connectivity — which is cheaper than a dedicated private WAN link.

Configuration requires matching parameters at both ends: the same encryption algorithm, hashing algorithm, authentication method, and Diffie-Hellman group. Mismatched parameters are the most common reason VPN tunnels don't establish.

Remote access VPN

A remote access VPN connects individual users to the corporate network from anywhere — home, hotel, coffee shop. The user runs a VPN client (Cisco AnyConnect, OpenVPN) that creates a tunnel to the VPN concentrator at the corporate edge.

Remote access VPNs use either IPsec or SSL/TLS. SSL VPNs (like Cisco AnyConnect with SSL mode) work over HTTPS (TCP 443), which is rarely blocked by firewalls. IPsec remote access VPNs use IKE (UDP 500) and ESP (IP protocol 50), which some firewalls block.

Split tunneling controls whether all traffic from the client goes through the VPN or only corporate-destined traffic. With split tunneling enabled, a remote user's internet traffic goes directly to the internet while only traffic destined for corporate subnets traverses the VPN. This reduces VPN gateway load but removes corporate security policy inspection for internet traffic.
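The following Cisco ASA group-policy fragments are an added example written for this article (they are not the author's configuration and not taken from Cisco documentation) showing the two split-tunnel settings described above side by side. The policy names RA-SPLIT and RA-FULL, the ACL name SPLIT-ACL and the subnets 10.1.0.0/16 and 10.2.0.0/16 are constructed for the example; the surrounding AnyConnect setup (tunnel-group, webvpn, client image) is assumed to already exist.

```cisco
! Constructed example: which destinations count as "corporate" for split tunneling.
! Standard ACL entries name the internal subnets that must be reached through the VPN.
access-list SPLIT-ACL standard permit 10.1.0.0 255.255.0.0
access-list SPLIT-ACL standard permit 10.2.0.0 255.255.0.0
!
! Variant 1: split tunneling. Only SPLIT-ACL destinations enter the tunnel; the user's
! internet traffic leaves the device directly and is never seen by corporate controls.
! Less load on the concentrator, less visibility for the security team.
group-policy RA-SPLIT internal
group-policy RA-SPLIT attributes
 vpn-tunnel-protocol ssl-client ikev2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-ACL
!
! Variant 2: full tunneling. Every packet, including internet browsing, crosses the VPN
! and is inspected at the corporate edge. More gateway load, full policy enforcement.
group-policy RA-FULL internal
group-policy RA-FULL attributes
 vpn-tunnel-protocol ssl-client ikev2
 split-tunnel-policy tunnelall
```

Whichever policy a tunnel-group references decides the client's routing table at connect time: with RA-SPLIT the client installs routes only for 10.1.0.0/16 and 10.2.0.0/16 via the tunnel, with RA-FULL its default route points into the tunnel. Choosing split tunneling is therefore a conscious trade of inspection coverage for gateway capacity, not a hardening step.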

IPsec components: AH, ESP, and IKE

IPsec is a framework of protocols for securing IP communications. Its two core protocols are AH (Authentication Header, IP protocol 51), which provides data integrity and authentication but no encryption, and ESP (Encapsulating Security Payload, IP protocol 50), which provides data integrity, authentication, AND encryption. In practice, ESP is almost always used because AH doesn't encrypt — AH by itself offers no confidentiality.

IKE (Internet Key Exchange) negotiates the parameters and keys used by AH/ESP. IKE operates in two phases: Phase 1 establishes a secure management channel (ISAKMP SA) used to protect Phase 2 negotiations. Phase 2 negotiates the actual IPsec tunnel parameters (IPsec SA). IKEv2 (the modern version) is more efficient, more secure, and supports MOBIKE for mobile clients.

Transport mode vs Tunnel mode: Transport mode protects only the payload and keeps the original IP header visible; it is typically used for host-to-host protection. Tunnel mode encapsulates the entire original IP packet (header + payload) and adds a new outer IP header — this is what site-to-site VPNs use. The original packet, including its source and destination addresses, is hidden inside the tunnel.

GRE tunnels

GRE (Generic Routing Encapsulation, IP protocol 47) is not a VPN protocol — it doesn't encrypt. GRE creates logical point-to-point tunnels that can carry any Layer 3 protocol (IPv4, IPv6, and multicast such as OSPF hellos) between two routers. GRE tunnels allow routing protocols to run over the internet between sites that are separated by NAT or by different underlying network types.

GRE is often combined with IPsec: GRE provides the tunnel that allows routing protocol packets (which IPsec alone cannot carry) to flow between sites, and IPsec provides encryption. This combination is called GRE over IPsec — IPsec encrypts the GRE-encapsulated packets.

For CCNA, understand that GRE by itself provides no security but solves the multicast/routing protocol problem. IPsec by itself doesn't support multicast. GRE + IPsec provides both tunneling flexibility and encryption.
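The configuration below is an added example written for this article (not the author's configuration and not copied from Cisco documentation). It ties together three points made above: the site-to-site parameters that must match on both peers, the transform-set mode (tunnel vs transport), and GRE over IPsec so that OSPF can form an adjacency between the sites. It uses Cisco IOS IKEv1 syntax with an IPsec profile on the tunnel interface rather than a crypto map. All values are constructed: public addresses in 203.0.113.0/24, 10.1.0.0/16 at HQ, 10.2.0.0/16 at the branch, 172.16.0.0/30 for the tunnel, and the names TS and IPSEC-PROF; the pre-shared key is a placeholder to be replaced.

```cisco
! ===== HQ router (constructed example: public IP 203.0.113.1, LAN 10.1.0.0/16) =====
!
! IKE Phase 1 (ISAKMP SA). Every value here must match the peer's policy; a mismatch in
! encryption, hash, authentication method or DH group means Phase 1 never completes.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! Pre-shared key bound to this specific peer (placeholder value, replace before use).
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
!
! IKE Phase 2 (IPsec SA). ESP supplies encryption plus integrity. "mode tunnel" wraps the
! whole original packet in a new IP header; "mode transport" would protect only the
! payload. Both peers must agree on the mode as well as on the algorithms.
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! IPsec profile that will be attached to the GRE tunnel interface.
crypto ipsec profile IPSEC-PROF
 set transform-set TS
!
! GRE tunnel (IP protocol 47) carries OSPF multicast between the sites;
! "tunnel protection" makes IPsec encrypt every GRE packet leaving this interface.
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode gre ip
 tunnel protection ipsec profile IPSEC-PROF
!
interface GigabitEthernet0/0
 description Internet
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet0/1
 description HQ LAN
 ip address 10.1.0.1 255.255.0.0
!
! OSPF runs over the tunnel; without GRE, IPsec alone could not carry its multicast hellos.
router ospf 1
 network 10.1.0.0 0.0.255.255 area 0
 network 172.16.0.0 0.0.0.3 area 0
!
! ===== BRANCH router: mirror image. Only addresses differ; crypto parameters are identical =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.1
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile IPSEC-PROF
 set transform-set TS
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode gre ip
 tunnel protection ipsec profile IPSEC-PROF
interface GigabitEthernet0/0
 description Internet
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 description Branch LAN
 ip address 10.2.0.1 255.255.0.0
router ospf 1
 network 10.2.0.0 0.0.255.255 area 0
 network 172.16.0.0 0.0.0.3 area 0
```

Once both sides are in place, `show crypto isakmp sa` should list the peer in state QM_IDLE (Phase 1 complete); `show crypto ipsec sa` shows the IPsec SA with the #pkts encaps and #pkts decaps counters rising as OSPF hellos cross the tunnel; and `show ip ospf neighbor` should show the adjacency on Tunnel0. A Phase 1 mismatch (different hash, DH group or pre-shared key) typically appears as an ISAKMP SA stuck in MM_NO_STATE that is created and deleted repeatedly, which is the "parameters must match" point from the site-to-site section in practice. `tunnel mode gre ip` is the default on IOS and is kept only for readability. If a NAT device sits between the peers, IKE detects it and switches to NAT traversal, carrying ESP inside UDP 4500, so firewalls in the path need to permit UDP 500, UDP 4500 and IP protocol 50.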

VPN type comparison

| Aspect | Site-to-Site VPN | Remote Access VPN |
|---|---|---|
| Endpoints | Routers/firewalls at each site | VPN client on end-user device + VPN concentrator |
| Permanence | Always-on tunnel | On-demand (user initiates) |
| User awareness | Transparent to users | User installs and connects VPN client |
| Use case | Branch office to HQ | Remote workers, travelers |
| Protocols | IPsec (IKE + ESP) | IPsec or SSL/TLS (AnyConnect) |
| Split tunneling | Not typically applicable | Common option — only corporate traffic via VPN |

Key exam facts — CCNA

  • Site-to-site: router-to-router, permanent tunnel, transparent to users
  • Remote access: client-to-concentrator, on-demand, user runs VPN client
  • ESP (IP 50): encryption + integrity. AH (IP 51): integrity only, no encryption
  • IKE Phase 1: ISAKMP SA (management channel). Phase 2: IPsec SA (data tunnel)
  • GRE: no encryption, encapsulates any Layer 3 protocol, supports multicast
  • GRE + IPsec: routing protocols (via GRE) + encryption (via IPsec)

Common exam traps

Trap: "GRE is a secure tunneling protocol"

GRE provides no encryption or authentication. It simply encapsulates packets in another IP packet. GRE must be combined with IPsec to provide security.

Trap: "AH is preferred over ESP because it provides both authentication and encryption"

AH provides authentication and integrity but NO encryption. ESP provides authentication, integrity, AND encryption. ESP is almost always preferred; AH alone is rarely used.

Trap: "Split tunneling makes remote access VPN more secure"

Split tunneling is a performance optimization that reduces VPN load, but it reduces security — internet traffic bypasses corporate security controls. Full tunneling sends all traffic through the VPN for inspection.

Practice questions — IPsec VPN

These questions are representative of what you will see on CCNA exams. The correct answer and explanation are shown immediately below each question.

Q1. Which IPsec protocol provides both encryption and authentication for VPN traffic?

A. AH (Authentication Header)
B. ESP (Encapsulating Security Payload)
C. GRE (Generic Routing Encapsulation)
D. IKE (Internet Key Exchange)

Correct answer: B

Explanation: ESP (Encapsulating Security Payload, IP protocol 50) provides both encryption (confidentiality) and authentication (integrity). AH provides only authentication, not encryption. GRE is not an IPsec protocol and provides no security. IKE negotiates keys but doesn't protect data traffic.

Q2. A company wants branch office employees to access HQ resources over the internet without any VPN client software. Which solution is appropriate?

A. Remote access VPN with AnyConnect
B. Site-to-site IPsec VPN between branch and HQ routers
C. GRE tunnel without IPsec
D. Split tunneling

Correct answer: B

Explanation: A site-to-site VPN between branch and HQ routers creates a permanent encrypted tunnel. Branch users connect normally without VPN client software — they're unaware of the VPN. The tunnel is terminated at the branch router, not on user devices.

Q3. Which protocol is used by IPsec to negotiate security parameters and exchange keys before establishing a VPN tunnel?

A. GRE
B. ESP
C. AH
D. IKE

Correct answer: D

Explanation: IKE (Internet Key Exchange) negotiates IPsec parameters in two phases: Phase 1 establishes a secure management channel, and Phase 2 negotiates the actual IPsec SA (security association) for data tunnel parameters.

Q4. A GRE tunnel is configured between two routers to carry OSPF traffic. No additional configuration is added. Which statement is true?

A. GRE encrypts the OSPF packets automatically
B. GRE traffic is unencrypted — IPsec must be added for security
C. OSPF cannot run over a GRE tunnel
D. GRE provides authentication but not encryption

Correct answer: B

Explanation: GRE provides encapsulation only — no encryption, no authentication. OSPF (and other routing protocols, including multicast) can run over GRE, but the traffic is unprotected. IPsec must be layered on top of GRE to provide encryption.

Q5. A remote user has split tunneling enabled on their VPN. Which traffic uses the VPN tunnel?

A. All traffic from the user's device
B. Only traffic destined for internet sites
C. Only traffic destined for corporate network subnets
D. No traffic — split tunneling disables the VPN

Correct answer: C

Explanation: With split tunneling enabled, only traffic destined for defined corporate subnets is sent through the VPN tunnel. All other traffic (internet browsing, streaming) goes directly to the internet, bypassing the VPN and reducing VPN gateway load.

Frequently asked questions — IPsec VPN

What is the difference between site-to-site and remote access VPN?

Site-to-site VPN connects two networks (branch to HQ) using router/firewall endpoints — users don't install VPN clients and are unaware of the tunnel. Remote access VPN connects individual users from anywhere to the corporate network — each user runs a VPN client that creates a tunnel to the corporate VPN concentrator on demand.

What is the difference between AH and ESP in IPsec?

AH (Authentication Header, IP 51) provides data integrity and authentication but no encryption — traffic is readable. ESP (Encapsulating Security Payload, IP 50) provides integrity, authentication, AND encryption. ESP is used in almost all VPN implementations because confidentiality requires encryption.

Why combine GRE with IPsec?

IPsec alone cannot carry multicast traffic or routing protocol hellos (OSPF, EIGRP use multicast). GRE creates a point-to-point tunnel that can carry any traffic including multicast. IPsec encrypts the GRE packets. The combination gives you routing protocol support (GRE) plus encryption (IPsec).

What is IKE Phase 1 vs Phase 2?

IKE Phase 1 establishes a secure, authenticated management channel (ISAKMP SA); the peers authenticate each other with pre-shared keys or with certificates (asymmetric cryptography). Phase 2 uses this secure channel to negotiate the actual IPsec tunnel parameters (algorithms, keys for data encryption). Phase 2 is faster because Phase 1 already provided a secure channel.

Is SSL VPN better than IPsec VPN?

They serve different needs. SSL VPN (like Cisco AnyConnect in SSL mode) uses HTTPS (TCP 443), which passes through almost any firewall — ideal for remote users on restrictive networks. IPsec VPN uses UDP 500 and IP protocol 50, which may be blocked. IPsec typically offers better performance. Most enterprises support both: IPsec for corporate devices, SSL for unmanaged devices.
