IPSec VPN Design

Apr 28th, 2007


Attached is my network topology. I want to encrypt the traffic that comes from sites A, B, and C to the main router and vice versa.

I think we have two options:

1- Make the main router the IPSec termination for the site A, B, and C routers.

2- Make the Site A router the IPSec termination for sites B and C, and the main router the IPSec termination for site A.

Which one is preferred and why?

Thanks in advance

Abd Alqader

Jon Marshall Sat, 04/28/2007 - 12:47


There are a number of things to take into account here.

1) Does router A do any NAT/PAT on packets going through it? If it does, it may be easier to terminate the VPNs from B and C on A and then start a new VPN to the main router.

2) Processing power of the routers. If you use A as a termination point, then it needs to handle VPN traffic not just for users at Site A but also for sites B & C.

3) Complexity of configuration. I think if you create separate VPNs from each site to the main site, your configuration will be easier.

4) Redundancy. At the moment Router A is a single point of failure, in that if it goes down B & C also lose connectivity. If you were at some future date to have secondary links from B & C, it would make sense to have separate VPNs rather than aggregate via A.

All things being equal, I would look to create individual VPNs from each site, but this is a recommendation based on what you have supplied. There may be more factors for you to consider.



a.hajhamad Sat, 04/28/2007 - 22:34

Thanks Jon.

I don't have any NAT/PAT at router A.

In my case, I will encrypt the traffic that comes from one IP address from all the remote sites, and as I understood from you, I should make the head-end (IPSec termination) the main router.
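Jon's recommended design (option 1, an individual tunnel from each site to the main router), narrowed to the single host per site that a.hajhamad describes, as an added Cisco IOS example that is not part of this thread. The WAN addresses, host addresses, pre-shared key names and interface names are placeholders, and it assumes an IOS image that supports AES-256 and DH group 14.

```cisco
! --- Hub (main router): one IPsec peer entry per remote site ---
! Phase 1 (ISAKMP) policy shared by all three tunnels
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! A separate pre-shared key per peer, so one site's key does not cover the others
crypto isakmp key SITE-A-PSK-PLACEHOLDER address 203.0.113.1
crypto isakmp key SITE-B-PSK-PLACEHOLDER address 203.0.113.2
crypto isakmp key SITE-C-PSK-PLACEHOLDER address 203.0.113.3
! Phase 2 (IPsec) transform set
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha-hmac
 mode tunnel
! Crypto ACLs: only the one host at each site talking to the hub host is encrypted
access-list 101 permit ip host 10.0.0.10 host 10.1.0.10
access-list 102 permit ip host 10.0.0.10 host 10.2.0.10
access-list 103 permit ip host 10.0.0.10 host 10.3.0.10
! One crypto map entry per site: same map name, different sequence numbers
crypto map SITES 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AES256
 match address 101
crypto map SITES 20 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256
 match address 102
crypto map SITES 30 ipsec-isakmp
 set peer 203.0.113.3
 set transform-set TS-AES256
 match address 103
interface Serial0/0
 crypto map SITES
! --- Spoke (Site B router): a single entry pointing at the hub ---
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key SITE-B-PSK-PLACEHOLDER address 198.51.100.1
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha-hmac
! Mirror image of hub ACL 102: local host to hub host
access-list 101 permit ip host 10.2.0.10 host 10.0.0.10
crypto map TO-HUB 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES256
 match address 101
interface Serial0/0
 crypto map TO-HUB
```

Because the hub holds a separate entry and key for each site, the security associations for B and C are independent of A's, which is the redundancy point Jon raises; the packets from B and C still transit Router A unencrypted-by-A but already protected end to end.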

