hub-and-spoke VPN

Unanswered Question
Jul 12th, 2007

In a hub-and-spoke topology, all hubs can set up IPsec VPN tunnels to spokes. When a station from one hub wants to visit a station from another hub, do I only need to change the ACL to implement it?

For example:

hub, spokeA and spokeB start to set up a VPN tunnel when traffic matches the ACL below.

spokeA:

access-list 101 permit ip <spokeA subnet> <hub subnet>

access-list 101 permit ip <spokeA subnet> <hub subnet>

hub:

access-list 101 permit ip <hub subnet> <spokeA subnet>

access-list 101 permit ip <hub subnet> <spokeB subnet>

access-list 101 permit ip <spokeA subnet> <spokeB subnet>

access-list 101 permit ip <spokeB subnet> <spokeA subnet>

spokeB:

access-list 101 permit ip <spokeB subnet> <hub subnet>

access-list 101 permit ip <spokeB subnet> <hub subnet>


Hello,

What platform and version are you using?

Your configuration above would not work so well, as you're not defining at each spoke access to the other spoke.

Update the ACLs on the spokes to include:

Spoke A

access-list 101 permit ip

Spoke B

access-list 101 permit ip

This is very dependent on platform and version, i.e. a PIX 515 running software version 6 will not work.

Tim
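A way to check the point Tim makes before pushing config: IPsec crypto ACLs have to be mirror images on the two ends of a tunnel, so an entry for spoke-to-spoke traffic on the hub is useless unless the corresponding spoke carries the reversed entry. The script below is an added example and not code from the thread or from any Cisco tool. It parses the `access-list ... permit ip SRC DST` lines as posted above (the `<... subnet>` placeholders are kept as literal tokens; a real config would have network/wildcard pairs), applies the mirror rule (a spoke's peer is always the hub; the hub's peer for an entry is whichever spoke owns the destination subnet), and reports missing mirrors and duplicated lines. It says nothing about the platform limits Tim mentions; that has to be checked separately.

```python
"""Mirror-image check for crypto ACLs in a hub-and-spoke IPsec design.

Added example, not from the original thread. Input is a constructed sample
built from the ACLs posted in the question, with subnets left as the
question's <...> placeholders.
"""
import re
from collections import Counter

HUB_SUBNET, SPOKE_A, SPOKE_B = "<hub subnet>", "<spokeA subnet>", "<spokeB subnet>"

# Constructed sample config, copied from the question (note the duplicated
# spoke lines and the absence of any spoke-to-spoke entry on the spokes).
CONFIGS = {
    "spokeA": """
access-list 101 permit ip <spokeA subnet> <hub subnet>
access-list 101 permit ip <spokeA subnet> <hub subnet>
""",
    "hub": """
access-list 101 permit ip <hub subnet> <spokeA subnet>
access-list 101 permit ip <hub subnet> <spokeB subnet>
access-list 101 permit ip <spokeA subnet> <spokeB subnet>
access-list 101 permit ip <spokeB subnet> <spokeA subnet>
""",
    "spokeB": """
access-list 101 permit ip <spokeB subnet> <hub subnet>
access-list 101 permit ip <spokeB subnet> <hub subnet>
""",
}

# Which device sits in front of which protected subnet (assumed mapping).
OWNER = {HUB_SUBNET: "hub", SPOKE_A: "spokeA", SPOKE_B: "spokeB"}

# A subnet token is either a <...> placeholder or a single non-blank word.
_TOKEN = r"(<[^>]+>|\S+)"
ACL_RE = re.compile(r"^\s*access-list\s+\S+\s+permit\s+ip\s+" + _TOKEN + r"\s+" + _TOKEN + r"\s*$")


def parse_acl(text):
    """Return a Counter of (src, dst) pairs found in access-list lines."""
    entries = Counter()
    for line in text.splitlines():
        m = ACL_RE.match(line)
        if m:
            entries[(m.group(1), m.group(2))] += 1
    return entries


def check_mirrors(configs, owner, hub="hub"):
    """Return (missing, duplicates).

    missing:    sorted list of (device, (src, dst)) entries a peer needs but lacks.
    duplicates: sorted list of (device, (src, dst)) entries that appear more than once.

    Rule: an entry (s, d) on device X must be mirrored as (d, s) on the peer
    that terminates that tunnel. For a spoke the peer is the hub; for the hub
    the peer is the spoke that owns d. Entries whose destination the hub itself
    owns are skipped, since they describe no tunnel.
    """
    acls = {dev: parse_acl(text) for dev, text in configs.items()}
    missing, duplicates = set(), []
    for dev, entries in acls.items():
        for (src, dst), count in entries.items():
            if count > 1:
                duplicates.append((dev, (src, dst)))
            peer = hub if dev != hub else owner.get(dst)
            if peer is None or peer == dev:
                continue
            if (dst, src) not in acls.get(peer, Counter()):
                missing.add((peer, (dst, src)))
    return sorted(missing), sorted(duplicates)


if __name__ == "__main__":
    missing, duplicates = check_mirrors(CONFIGS, OWNER)
    for dev, (src, dst) in missing:
        print(f"{dev}: missing  access-list 101 permit ip {src} {dst}")
    for dev, (src, dst) in duplicates:
        print(f"{dev}: duplicate access-list 101 permit ip {src} {dst}")
```

Run against the posted ACLs it reports that spokeA lacks `permit ip <spokeA subnet> <spokeB subnet>` and spokeB lacks `permit ip <spokeB subnet> <spokeA subnet>`, which is exactly the gap the reply points at, and flags the repeated hub line on each spoke as a probable copy-and-paste slip.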
