VPN 3000 spoke to spoke communication

Unanswered Question
Jun 24th, 2009

We'll be upgrading to an ASA soon, but I have an immediate issue I need assistance with.

We have multiple spoke sites with only DHCP addresses establishing a VPN to our VPN 3000 box (using the default group). The site-to-site VPNs work fine. However, no sites can communicate with one another.

Does anyone know how to configure spoke-to-spoke communications in this scenario? Both spokes in question encapsulate the packets and send them to the VPN 3000. But the VPN 3000 is not passing the data to the other spoke site.

I know that I could get a static IP at one site and then do a direct VPN between the 2, but don't want to do that if I don't have to.

ldardon Tue, 06/30/2009 - 12:51

This illustrates how to create a LAN-to-LAN VPN tunnel between central and remote VPN 3000 Concentrators. Concurrent to the LAN-to-LAN VPN, the central concentrator also accepts remote access VPN connections. Communication is then enabled between the remote access VPN Client and the local LAN, behind the remote concentrator, through the central concentrator. The communication between spokes is enabled through the use of Reverse Route Injection (RRI), a feature introduced in version 3.5 of the VPN 3000 Concentrator code:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a0080094a86.shtml
