What Is a Site to Site VPN?

Many organizations have multiple physical sites, each with their own corporate local area network (LAN). While geographically separated, these multiple sites need a single corporate WAN to support secure cross-site communication.

A site-to-site Virtual Private Network (VPN) provides this by creating an encrypted link between VPN gateways located at each of these sites. A site-to-site VPN tunnel encrypts traffic at one end and sends it to the other site over the public Internet where it is decrypted and routed on to its destination.

Harmony Connect (SASE) VPN Trial

What Is a Site to Site VPN?

Benefits of Site-to-Site VPN

Site-to-site VPNs are in use by many organizations. The reason for this is that they provide a number of benefits to enterprises and their employees, such as:


  • Secure Connectivity: All traffic flowing over a site-to-site VPN is encrypted. This means that any business data crossing over the public Internet is encrypted, protecting it against eavesdropping and modification.
  • Simplified Network Architecture: Organizations commonly use internal IP address ranges for devices within their LANs. These addresses need to be converted to external IP addresses to be accessible from the public Internet. With site-to-site VPNs, traffic from one LAN to another remains “internal”, meaning that all sites can use internal addresses for each others’ resources.
  • Access Control: Some network resources are intended to only be accessible internally, meaning that employees at other sites should have access but not external users. Since site-to-site VPN users are “internal” users, access control rules are simpler to define because any traffic not originating from inside the network or entering via VPN tunnels can be blocked from accessing these resources.

Limitations of Site-to-Site VPN

Site-to-site VPNs are effective at providing secure connectivity between multiple business sites. However, they are not a perfect solution and have their limitations, such as:


  • Limited Scalability: A VPN provides point-to-point connectivity, meaning that a unique connection is required for each pair of connected sites. As a result, the number of VPNs required for a fully-connected network grows exponentially with the number of sites.
  • Inefficient Routing: The limited scalability and lack of built-in security of VPNs drives some organizations to implement a “hub and spoke” network architecture, where all connections pass through the headquarters site for security inspection. While this reduces the number of VPN tunnels required within an organization, it can create significant network latency and additional load on the headquarters network.
  • Fragmented Visibility: Each site-to-site VPN connection is independent from all of the others. This means that it can be difficult for an organization to maintain full, integrated visibility into its network traffic. As a result, attacks distributed across the corporate WAN may be more difficult to detect and respond to effectively.
  • Complex Configuration and Management: The independence of each site-to-site VPN tunnel makes a VPN-based corporate WAN complex to configure and manage. Each VPN tunnel must be individually set up, monitored, and managed.
  • Lack of Integrated Security: A site-to-site VPN is only designed to provide an encrypted connection between two points. The VPN performs no security inspection of content or access control, providing the VPN user with unrestricted access to the target network.

Site-to-Site VPN vs. Remote Access VPN

Implementing site-to-site connections is not the only application of a VPN. Another common application of VPN technology is providing secure network access to remote users.


In this scenario, the remote user runs a VPN client that connects it to a VPN gateway within the enterprise network (the same as one end of a site-to-site VPN tunnel). As with site-to-site VPNs, a remote access VPN provides data encryption for traffic flowing over the public Internet between the remote user and the corporate network. This has the benefits of protecting confidentiality, providing a user experience similar to being directly connected to the corporate LAN, and ensuring that all business traffic flows through the corporate network for security inspection before being permitted to continue on to its destination.

Secure Access Service Edge (SASE): A VPN Alternative

Site-to-site VPNs are a solution designed when the majority of a company’s employees and IT infrastructure were located at these physical sites. With the move to cloud computing and remote work, companies require a networking solution that is not so tied to physical sites. Secure Access Service Edge (SASE) replaces VPN endpoints with cloud-based SASE appliances. Each of these SASE nodes includes an integrated security stack and SD-WAN functionality, enabling traffic to be optimally routed between nodes. Additionally, SASE integrates software-defined perimeter (SDP) capabilities, enabling organizations to easily and effectively implement zero trust network access.


To learn more about secure remote access options, contact us. Then, request a trial license to see how Check Point solutions can help to optimize and secure your corporate WAN.

This website uses cookies for its functionality and for analytics and marketing purposes. By continuing to use this website, you agree to the use of cookies. For more information, please read our Cookies Notice.