Peer-to-Peer VPN
A Peer-to-Peer VPN (also called Site-to-Site VPN) allows two or more geographically separated locations to be securely connected over the Internet as if they were a single private network — for example branch offices and the headquarters.
Typical use cases
- Site networking: Two offices or branches share a common network for file shares, printers and internal applications.
- Remote access to servers: Access to a file server or database at the other location.
- Centralised backups: Data from a branch is backed up to the main site via the VPN tunnel.
- VoIP between sites: Internal telephony between two offices without costs via the public network.
Set up VPN
In the router portal under Network → Peer-to-Peer VPN:
- Activate and save the Peer-to-Peer VPN function
- Add a new VPN site
- Enter and add the VPN connection data of the remote site
Encryption
Centro Business to Centro Business
When a VPN is set up between two Centro Business routers, the encryption selection is made automatically. No manual configuration is required.
Centro Business to any VPN remote site
If the remote site does not use a Centro Business, the encryption must be configured manually. The following profiles are available (PFS is always recommended):
| Parameter | Swisscom-IKEv2-PFS | Swisscom-IKEv2 |
|---|---|---|
| IKE Exchange Mode | Main | Main |
| Phase 1 Encr. Algs | AES-CBC-256, AES-CBC | AES-CBC-256, AES-CBC |
| Phase 1 Integrity Algs | HMAC-SHA2-256-128, HMAC-SHA1-160 | HMAC-SHA2-256-128, HMAC-SHA1-160 |
| Phase 1 DH Transforms | Curve25519, MODP-8192, ECP-384, MODP-2048 | Curve25519, MODP-8192, ECP-384, MODP-2048 |
| Phase 1 SA Lifetime (s) | 86400 | 86400 |
| Phase 2 Encr. Algs | AES-CBC-256, AES-CBC | AES-CBC-256, AES-CBC |
| Phase 2 Integrity Algs | HMAC-SHA2-256-128, HMAC-SHA1-160 | HMAC-SHA2-256-128, HMAC-SHA1-160 |
| Phase 2 SA Lifetime (s) | 86400 | 86400 |
| PFS | Curve25519, MODP-8192, ECP-384, MODP-2048 | Disabled |
Performance optimisation (NAT-T)
For VPN connections established via a separate router or firewall behind the Centro Business, activating NAT-T (NAT Traversal) is recommended.
Technical advantages:
- Increased throughput: The transmission speed of the VPN tunnel increases.
- Hardware acceleration: NAT-T encapsulates IPsec packets in UDP packets. This allows the Centro Business to accelerate packets via hardware.
Prerequisite: NAT-T must also be activated on the remote site for the connection to be established successfully and for the performance benefits to take effect.
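As an added example that is not part of the Centro Business guide: a strongSwan swanctl.conf for a remote gateway that is not a Centro Business, implementing the Swisscom-IKEv2-PFS profile from the table above and forcing UDP encapsulation as the NAT-T section recommends. Public addresses, identities, LAN subnets and the pre-shared key are placeholders; pre-shared-key authentication is an assumption (the guide does not state the authentication method); the 86400 lifetimes are read as seconds (24 h); and "AES-CBC" without a key length is taken to mean AES-128.

```conf
# /etc/swanctl/swanctl.conf on the remote (non-Centro Business) gateway.
# Added example; values marked "placeholder" are not from the guide.
connections {
    to-centro-business {
        version = 2                       # IKEv1 is not supported by the Centro Business
        local_addrs  = 203.0.113.10       # placeholder: this site's public IP
        remote_addrs = 198.51.100.20      # placeholder: Centro Business public IP
        encap = yes                       # force UDP encapsulation (NAT-T) as recommended

        # Phase 1 (IKE SA), Swisscom-IKEv2-PFS profile:
        # AES-CBC-256 / AES-CBC, HMAC-SHA2-256-128 / HMAC-SHA1-160,
        # DH: Curve25519, MODP-8192, ECP-384, MODP-2048
        proposals = aes256-aes128-sha256-sha1-x25519-modp8192-ecp384-modp2048
        rekey_time = 24h                  # Phase 1 SA lifetime 86400 (assumed seconds)

        local {
            auth = psk                    # assumption: pre-shared key authentication
            id = vpn.branch.example       # placeholder identity
        }
        remote {
            auth = psk
            id = vpn.hq.example           # placeholder identity of the Centro Business
        }

        children {
            site-to-site {
                local_ts  = 192.168.10.0/24   # placeholder: LAN at this site
                remote_ts = 192.168.20.0/24   # placeholder: LAN behind the Centro Business
                # Phase 2 (CHILD SA): same ciphers and integrity algorithms.
                # The DH groups at the end enable PFS; omit them for the
                # Swisscom-IKEv2 profile (PFS disabled).
                esp_proposals = aes256-aes128-sha256-sha1-x25519-modp8192-ecp384-modp2048
                rekey_time = 24h              # Phase 2 SA lifetime 86400 (assumed seconds)
                start_action = start          # bring the tunnel up when the config is loaded
            }
        }
    }
}

secrets {
    ike-centro {
        id-1 = vpn.branch.example
        id-2 = vpn.hq.example
        secret = "REPLACE-WITH-PRE-SHARED-KEY"   # placeholder
    }
}
```

Load it with `swanctl --load-all` and check the negotiated algorithms with `swanctl --list-sas`; the selected proposal should show one of the listed ciphers, sha256 or sha1, and a DH group in the CHILD SA line when PFS is active. NAT detection itself needs no setting in strongSwan; `encap = yes` only forces the UDP encapsulation so the Centro Business can use its hardware acceleration even when no NAT is detected. Listing aes256 before aes128 and sha256 before sha1 expresses the preference order while still matching every algorithm in the profile.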
Limitations
- Not available with BNS/EC-S contract
- IKEv1 is not supported (only IKEv2)
FAQ - Peer-to-Peer VPN
What should be considered when connecting networks via VPN?
- If a security vulnerability exists at one of the VPN sites, the tunnel gives an attacker who compromises that site a path into the infrastructure at the other sites, so the potential damage increases.
- If the remote site does not use a Centro Business router, configuring the VPN requires technical expertise.
What is PFS?
PFS stands for "Perfect Forward Secrecy". Each session key is derived from a fresh Diffie-Hellman exchange (the DH groups listed in the PFS row of the profile table), so even if the long-term keys of a communication channel are compromised later, recorded past sessions cannot be decrypted. PFS is always recommended.
Why is IKEv1 no longer supported?
IKEv2 offers significant improvements over IKEv1: a simplified protocol structure, support for modern cryptographic algorithms, MOBIKE support for mobile devices and fixes for known IKEv1 weaknesses. For security reasons, only IKEv2 is supported.