I have a hub and spoke configuration with a number of site-to-site IPsec VPNs from 857's terminating on an 1811 at the hub. Also in the mix is a client-to-site (EZVPN) which also terminates at the hub.
I need to ensure all traffic destined for the internet goes out through the hub 1811. I've looked at trying to use a form of hairpinning so that "interesting traffic" from remote sites gets NATted at the hub router to the internet.
I have seen a number of configurations (in these forums) where internet-directed traffic from EZVPN clients is forced via a hairpin out via the hub router. I am trying to emulate that feature with the site-to-site IPSec VPNs - where internet directed traffic from spokes must go through the hub router, and not be permitted to go directly to the internet from the spoke routers.
Attached are configs for the hub router and one of the spoke routers, and a pdf diagram.
I can get traffic to the internet (in my test lab) from the lookback connector (188.8.131.52) by extended command pings, I have connectivity from the spoke1 lan to the hub lan (pings again); but not from the spoke1 lan to the internet via the hub router.
Thanks in advance for any help