VPN Solutions

Protect Your Data in Transit

Learn more about secure VPN solutions built right into your Cisco router. (PDF - 291 KB)

Protect Your Data in Transit

Keep Your Data Safe with VPN Solutions

Cisco VPN solutions protect various types of WAN designs, and help organizations safeguard their most important asset - data.

VPN solutions protect various types of WAN designs (public, private, wired, or wireless transports) and the data they carry.

Data can be divided into two categories:

  • Data in transit
  • Data at rest

As an organization’s most important asset, data needs to be secured.

By securing all types of data, organizations can achieve privacy, confidentiality, and compliance (HIPAA, PCI DSS, and SOX)*. With mutual authentication, man-in-the-middle attacks are averted, and senders and receivers can trust each other when exchanging data.

Cryptography is the science that helps us achieve these goals. It also helps to enable origin authentication, topology hiding, and strong encryption. Cryptography is available on Cisco routing platforms as VPN solutions.

IOS and IOS-XE software includes both IP Security (IPsec)- and Transport Layer Security (TLS)-based encryption technologies offered on the enterprise routing platforms:

  • Cisco Integrated Services Routers for branch offices
  • Cisco ASR 1000 Series Aggregation Services Routers for data centers and other head-end locations
  • Cisco Cloud Services Router 1000V

The VPN portfolio includes solutions such as DMVPN, GETVPN, FlexVPN, and SSLVPN:


Dynamic Multipoint VPN is dual-stacked (IPv4/IPv6). It uses multipoint Generic Routing Encapsulation (mGRE) for overlay and Internet Key Exchange version 1 or 2 (IKEv1 or IKEv2) for authentication and key exchange. DMVPN allows hub-spoke and on-demand spok- to-spoke communication.


Group Encrypted Transport VPN is a tunnel-less VPN solution that provides highly secure communication between any systems grouped together in a network.


FlexVPN is an IPsec based Remote Access encryption solution that employs IKEv2 for origin authentication and key exchange. FlexVPN uses a centralized policy management infrastructure using the RADIUS framework.


Secure Socket Layer VPN is a remote access encryption solution that uses Transport Layer Security (TLS) to protect data communication between a software client (such as AnyConnect) and the corporate network.

With the advent of the Internet of Things (IoT) the world is getting increasingly connected and accessible. It can also be more vulnerable. Companies need to authenticate and safeguard IoT devices and protect sensitive data in transit. VPNs can be used in an IoT environment to help secure sensitive data travelling through the cloud and the network.

Types of VPN Solution Designs

Cisco VPN solution connections are designed as:

  • Hub-spoke
  • Hub-spoke with spoke-to-spoke communication
  • Remote access


Hub-spoke VPN allows remote devices and locations to connect more securely. It uses a centralized hub located at the headquarters or in the data center. Hub-spoke VPN does not allow direct spoke-to-spoke communication, but does allow communication through the hub. Both DMVPN and FlexVPN can be used in this type of network design.

Hub-Spoke with Spoke-to-Spoke communication:

Hub-Spoke with Spoke-to-Spoke communication:

With this VPN design, remote devices or locations can connect to the headquarters and to each other directly. DMVPN and GETVPN can be used. These VPN solutions treat members as a group and do not support different policies on a per-spoke endpoint basis, except for the per-tunnel Quality of Service (QoS) feature.

Remote Access:

Remote Access:

Remote access VPNs provide end user software clients with highly secure access to the corporate network and resources. They help to ensure privacy and integrity of sensitive information. This is accomplished through user authentication and encryption of transmitted data between the user’s device (mobile or desktop running a VPN client such as Cisco AnyConnect) and the corporate network. Primary remote-access VPN solutions are FlexVPN and SSLVPN. Remote access VPN solutions also allow dynamic settings on a per user or remote access endpoint basis.

*Compliance Standards

HIPAA –Health Insurance Portability and Accountability Act
PCI DSS - Payment Card Industry Data Security Standard
Sarbanes-Oxley (SOX) Compliance

The table below summarizes the recommended VPN solutions for the network designs described above: