
How do I choose between SD-WAN, DMVPN and IPsec tunnels?

Software-defined WAN, DMVPN and IPsec tunnels each have a place among enterprises. Our network expert compares each one and explains where they can be most beneficial.

While software-defined WAN is currently the hot technology in the IT networking field, not everyone can take advantage of it. IPsec tunnels and dynamic multipoint virtual private networks, or DMVPNs, still have a place in the enterprise in 2018 and will continue to be viable options for years to come.

That said, IT leaders should figure out which remote connectivity options are optimal for each individual use case. Let's look at SD-WAN vs. DMVPN vs. IPsec tunnels and go over the pros and cons of each.



SD-WAN

SD-WAN is touted as a cost-saving technology for connecting to remote sites that require ultra-reliable connectivity for low-latency and business-critical applications. SD-WAN requires two or more methods of connectivity between locations. This connectivity commonly consists of MPLS, internet broadband or both. The goal is to stretch the use of lower-cost connectivity, while meeting the same latency and throughput requirements.

So, if you have remote sites that require low-latency connectivity, yet can benefit from WAN connectivity cost savings, SD-WAN might be a good fit. Keep in mind, however, that SD-WAN often requires specialized hardware, software and licensing to operate.


DMVPN

DMVPN can be thought of as an evolution of the standard IPsec tunnel. While IPsec VPN tunnels are hardcoded and essentially nailed-up between two locations, DMVPN builds tunnels between locations as needed. DMVPN tunnels are designed as a mesh network, as opposed to hub and spoke. That means DMVPN can take a direct route from one remote site to another when transporting data, as opposed to being forced to route traffic through a hub location first.

This type of WAN design is ideal when you want to build transport efficiencies between remote locations, yet don't truly need the low-latency advancements found in SD-WAN. Note, however, that DMVPN uses dynamic routing protocols as its routing mechanism. Dynamic routing protocols can create serious security and reliability risks when they are not managed properly. As a result, it's not advisable to build DMVPN tunnels to networks you don't fully manage.
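One way to contain that routing risk is to accept from each spoke only the prefixes assigned to it. The sketch below is an added example, not part of the original article or any vendor's implementation; the spoke names, address blocks and the /28 limit are assumptions, and the advertisements are constructed sample data.

```python
import ipaddress

# Assumption: blocks each spoke may originate (hypothetical sites).
ALLOWED = {
    "spoke-a": ["10.10.0.0/16"],
    "spoke-b": ["10.20.0.0/16"],
}
MAX_PREFIXLEN = 28  # assumption: anything more specific is rejected


def check_advertisement(spoke, prefix, allowed=ALLOWED, max_len=MAX_PREFIXLEN):
    """Return (accepted, reason) for one route advertised by a spoke."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False, "malformed prefix"
    if spoke not in allowed:
        return False, "unknown spoke"
    if net.prefixlen == 0:
        # A default route from a spoke would attract all traffic to it.
        return False, "default route"
    if net.prefixlen > max_len:
        return False, "too specific"
    for entry in allowed[spoke]:
        parent = ipaddress.ip_network(entry)
        if net.version == parent.version and net.subnet_of(parent):
            return True, "within assigned block"
    return False, "outside assigned block"


def audit(advertisements):
    """Return (spoke, prefix, reason) for every rejected advertisement."""
    rejected = []
    for spoke, prefix in advertisements:
        ok, reason = check_advertisement(spoke, prefix)
        if not ok:
            rejected.append((spoke, prefix, reason))
    return rejected


# Constructed sample advertisements, not captured from a real network.
SAMPLE = [
    ("spoke-a", "10.10.5.0/24"),    # legitimate
    ("spoke-a", "0.0.0.0/0"),       # default route
    ("spoke-b", "10.10.5.0/25"),    # more-specific of spoke-a's block
    ("spoke-b", "10.20.1.128/30"),  # longer than the /28 limit
    ("spoke-c", "192.168.1.0/24"),  # peer with no assigned block
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

On real equipment the same policy is expressed as inbound route filters on the hub; the Python here only models the accept/reject decision.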

IPsec tunnels

IPsec VPN tunnels used to dominate remote site connectivity. Because network managers could build tunnels across low-cost broadband internet links, IPsec tunnels were incredibly cheap compared to private WAN connectivity options like MPLS. They're also easy to set up, and nearly everyone can acquire the capability to build an IPsec tunnel, since even low-cost firewalls and routers support it.

Technologies like DMVPN and SD-WAN are taking over remote site connectivity because they provide more efficient paths and lower latency between locations -- as long as you control both sides of the WAN. If you need to connect your network to untrusted or temporary locations, however, IPsec tunnels are still the way to go. This includes connectivity from your corporate network to third-party vendors and infrastructure-as-a-service and platform-as-a-service cloud providers, for example. IPsec tunnels are universal, and you can build one to virtually anywhere. The same cannot be said for DMVPN or SD-WAN.

This was last published in March 2018


Join the conversation



Which WAN design does your enterprise use, and why?
Andrew, SDWAN does not require two internet connections, and while it usually includes on-prem hardware, this isn't any different than other CPE required for connecting to the internet. Also, with SDWAN I can create tunnels to any third party: Amazon, Azure, Cisco ASA devices, and way easier than IPSEC mesh network management with legacy routers. Many vendors provide other routing protocols in their equipment, so the traditional routers for SMBs are being replaced by SDWAN hardware. Which is why I feel Cisco just released SDWAN capabilities in its IOS for ASR/ISR platform.