Site to Site VPN
A Site-to-Site VPN (Virtual Private Network) connects whole networks at different geographical locations over the Internet, so that they behave as a single, cohesive, and secure network.
Two or more sites: It connects separate networks over the Internet, such as a headquarters and a branch office, or a client's and a vendor's networks.
Secured & Encrypted Tunnels: Data between the sites is carried in authenticated, encrypted tunnels, so it is protected from eavesdropping and tampering in transit.
Routers/Firewalls: Each site typically requires a VPN router or a VPN-enabled firewall that establishes and manages the secure connection; no client software is needed on the end hosts.
IPsec Protocol: S2S VPNs normally use the IPsec protocol suite: IKE (IKEv1 or IKEv2) authenticates the peers and negotiates keys, and ESP provides confidentiality and integrity of the tunnelled packets.
This setup allows users to access resources and data as if they were on the same local network, enhancing productivity and collaboration while ensuring security.
Where is Site-to-Site VPN used?
Site-to-Site VPNs are preferred in several scenarios, including:
Connecting Multiple Offices: Ideal for organizations with multiple branch offices or remote sites that need secure communication and resource sharing
Data Center Connectivity: Useful for securely connecting data centers located in different geographical locations
Permanent Connectivity: Suitable for environments where continuous and reliable connectivity between sites is necessary
Hub and Spoke Configuration: When a central site (hub) needs to connect to multiple remote sites (spokes) securely
Secure Remote Access: Ensures that remote sites can access the main network securely over the internet
Setting up S2S Tunnel:
Scenario: To enable project users to access client resources, the IT team needs to establish WAN connectivity to the customer network over the Internet. The client uses a FortiGate firewall on their end. Only identified project users should have VPN access to the client's network, while access should be restricted for all other employees. Additionally, these employees still require access to the company network for Active Directory, Microsoft 365, secure Internet browsing, and endpoint management, with the usual security controls and endpoint restrictions applied.
Solution:
For a network of this size, use a next-generation firewall or router with hardware IPsec support. A dedicated VPN appliance such as a Cisco ASA is a reasonable choice (the ASA 5550 is end-of-life; choose a currently supported model with the IPsec throughput the project needs). The IPsec tunnel is established between the VPN device at our end and the VPN device at the customer's end (the client's FortiGate). Place the VPN appliance's external interface at the Internet edge, in the DMZ (De-Militarized Zone) behind the perimeter firewall or as the perimeter firewall itself, so that decrypted traffic from the client is still subject to internal firewall policy before it reaches the corporate LAN.
Create a dedicated VLAN and IP segment for the new Customer ODC users. This segment is our encryption domain (the traffic selector offered to the peer), so it must not overlap the client's IP segments, and the encryption domains the client provides must not overlap ours; overlapping selectors cause routing ambiguity and failed or one-way tunnels. If there is a conflict, change the segment. As a last resort, policy NAT on the tunnel can present a non-overlapping range to the peer, but it complicates troubleshooting and logging and is not the preferred option.
Firewall rules shall allow the IKE and ESP protocols between our VPN gateway and the customer's: UDP 500 (IKE), UDP 4500 (IKE and ESP over NAT-T) and IP protocol 50 (ESP). IKE with a pre-shared key authenticates the tunnel (use IKEv2, a long random key unique to this peer, and certificates if both sides support them), and ESP encrypts and integrity-protects the traffic. Use AES (AES-GCM, or AES-CBC with SHA-256) with DH group 14 or higher; 3DES, SHA-1 and DH groups 1, 2 and 5 are deprecated and should be refused. Once the IPsec tunnel is established, data is encrypted between our VPN device and the customer's VPN device across the Internet.
Based on the number of project users and their application usage, plan bandwidth reservation for the tunnel. If a WAN optimisation or application traffic management device such as Blue Coat PacketShaper or Packeteer is available, use it; otherwise apply Quality of Service (QoS) policing or shaping to the new tunnel on the VPN gateway. In addition, define inbound and outbound access lists so that only the specific source and destination addresses that need the tunnel can use it.
Implement Access Control Lists (ACLs) between the Customer ODC VLAN and the rest of the office network to segregate it. ODC users then get only the intranet access they need (Active Directory, Microsoft 365 and endpoint management) plus secure Internet browsing, while other internal segments are denied; in the other direction, only the identified project hosts are permitted into the tunnel.
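To make the steps above concrete, here is an added example configuration for a Cisco ASA (software 9.x) that brings up the IKEv2/ESP tunnel, keeps the ODC VLAN and client encryption domains non-overlapping and NAT-exempt, polices the tunnel bandwidth, and segregates the ODC VLAN with an interface ACL. It is not part of the original article and not the author's configuration. All addresses (10.50.10.0/24 for the ODC VLAN, 192.168.100.0/24 for the client's encryption domain, peer 203.0.113.10, AD servers 10.10.5.0/24), the interface and object names, the 10 Mbit/s rate and the PSK placeholder are assumptions; the client's FortiGate must be configured with the mirror-image selectors and matching IKEv2/ESP proposals.

```cisco
! Added example (not the article's own config). Addresses, names, rate and
! PSK placeholder are assumptions chosen for illustration.

! --- ODC VLAN: the local encryption domain. It must not overlap the
! --- client's encryption domain (192.168.100.0/24 here).
interface GigabitEthernet0/2
 nameif odc
 security-level 50
 ip address 10.50.10.1 255.255.255.0

object network ODC-LAN
 subnet 10.50.10.0 255.255.255.0
object network CLIENT-LAN
 subnet 192.168.100.0 255.255.255.0
object network AD-SERVERS
 subnet 10.10.5.0 255.255.255.0
object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0

! --- Interesting traffic (crypto ACL): the pair of encryption domains.
access-list VPN-TO-CLIENT extended permit ip object ODC-LAN object CLIENT-LAN

! --- Identity NAT so real addresses are carried inside the tunnel.
nat (odc,outside) source static ODC-LAN ODC-LAN destination static CLIENT-LAN CLIENT-LAN no-proxy-arp route-lookup

! --- IKEv2 (phase 1): AES-256 / SHA-256 / DH group 14. No 3DES, SHA-1 or group 2.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

! --- ESP (phase 2) proposal, with PFS on the crypto map.
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec security-association lifetime seconds 3600

crypto map OUTSIDE-MAP 10 match address VPN-TO-CLIENT
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP 10 set pfs group14
crypto map OUTSIDE-MAP interface outside

! --- Peer authentication with a per-peer pre-shared key. Replace the
! --- placeholder with a long random string exchanged with the client out of band.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key REPLACE-WITH-LONG-RANDOM-PSK
 ikev2 local-authentication pre-shared-key REPLACE-WITH-LONG-RANDOM-PSK

! --- Decrypted traffic stays subject to interface ACLs and security levels
! --- (the default "sysopt connection permit-vpn" would bypass them). Client-
! --- initiated sessions are not needed; replies to ODC-initiated connections
! --- still pass through stateful inspection.
no sysopt connection permit-vpn

! --- ODC VLAN segregation: client encryption domain, AD servers and Internet
! --- browsing only; every other internal segment is denied.
access-list ODC-IN extended permit ip object ODC-LAN object CLIENT-LAN
access-list ODC-IN extended permit ip object ODC-LAN object AD-SERVERS
access-list ODC-IN extended deny ip object ODC-LAN object-group RFC1918
access-list ODC-IN extended permit tcp object ODC-LAN any eq www
access-list ODC-IN extended permit tcp object ODC-LAN any eq https
access-list ODC-IN extended deny ip any any
access-group ODC-IN in interface odc

! --- Bandwidth reservation on the gateway: police the tunnel to an assumed
! --- 10 Mbit/s with a 1 MB burst.
class-map CLIENT-TUNNEL
 match tunnel-group 203.0.113.10
policy-map OUTSIDE-POLICY
 class CLIENT-TUNNEL
  police output 10000000 1000000
service-policy OUTSIDE-POLICY interface outside
```

After the client brings up their side, `show crypto ikev2 sa` and `show crypto ipsec sa` confirm phase 1 and phase 2 respectively, and the ESP counters should increase when an ODC host connects to a client address. The ASA accepts IKE and ESP on its own outside interface once IKEv2 is enabled there, but if it sits behind a separate perimeter firewall that firewall must pass UDP 500, UDP 4500 and IP protocol 50 between the two public addresses.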