IOS IPsec VPN Hub with spokes that need to talk to each other

Unanswered Question
Aug 31st, 2010

Hey All,

I need a hand with this one. I have a Cisco 1841 router acting as the 'hub' for a handful of static VPN sessions (other companies). The physical configuration is fairly straightforward.

The 1841 has a direct connection to the outside (ARIN-allocated IPv4 address space), and an inside connection to a DMZ that I reserve for just this particular type of traffic. The VPN peers are using a mixture of devices on the other side (some Cisco, some non-Cisco) that I do not manage. Being other companies, the remotes all have their own IP addressing schemes.

My configuration worked fine as-is until a new requirement came my way recently. I need to allow transport between one remote and another, so I will have to NAT both the source and destination in both directions.

Since I have no ownership/control over the remotes in terms of design or hardware, I'm not able to use IOS IPsec VTIs, because a typical remote will not agree to an SA list of permit any/any. Therefore, I'm using regular crypto maps to support this topology.

Any advice is appreciated. Thanks!

Marcin Latosiewicz Sat, 09/04/2010 - 03:45


Did you crack this one already?

I'm a little bit puzzled as to how the two remote sites will differentiate traffic to your local network and other remote networks without changing proxy ACLs. Or maybe I missed the point?


gshearer72 Sun, 09/05/2010 - 09:35

I haven't had a chance to lab this out yet, but as of now I don't think it's possible with crypto maps. I'm pretty sure I could allow spokes to talk with each other via my hub if the spokes had compatible addressing schemes.

Basically, I need site A to be able to initiate connections to site B, but site B will not know about site A's existence.

Typically, when an "extranet" connection with an outside organization is set up, what source/destination addresses will be used per application/flow is negotiated. It may not look anything like what was negotiated for other extranet connections.

So, it's the double NATing I don't know how to do in IOS. I'm able to do this by bouncing off of my next hop (an ASA with hairpin routing enabled). I'd just like to do this all in one device.


Marcin Latosiewicz Sun, 09/05/2010 - 14:12


If it's only a question of one site being able to reach another, you can try to PAT all traffic from site A going to site B to your local IP address (inside, for example).

This would require putting A->B traffic onto a loopback interface (to hit "ip nat inside"), but I think it could work; it's not tested ;-)

If we're talking about A->B and B->A communication, that will be tricky without adding new proxy IDs.
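To make the constraint discussed in the two replies above concrete, here is an added Python model of the hub-side double translation: each spoke's proxy ID only permits the hub's DMZ range, so an A->B packet fits neither SA until the hub rewrites the source (PAT to a hub DMZ address) and the destination (a hub DMZ alias mapped statically to the real site-B host), and the reply must be rewritten back from stored state. This is illustration written for this thread, not code from the poster or from Cisco IOS; the networks, the alias 10.10.10.200 for site B's 172.16.1.50 and the PAT address 10.10.10.201 are constructed assumptions (RFC 5737 / RFC 1918 ranges). The reverse path only accepts replies to existing state, which is the A->B-only case Marcin describes; a B-initiated session has no state and is dropped.

```python
"""Model of the hub-side double NAT for spoke-to-spoke IPsec traffic (added example).

Constructed addresses (RFC 5737 / RFC 1918); not the original poster's configuration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int


# Assumed address plan (constructed):
HUB_DMZ = IPv4Network("10.10.10.0/24")   # the only range either spoke agreed to talk to
SITE_A = IPv4Network("192.168.1.0/24")   # spoke A's real addressing
SITE_B = IPv4Network("172.16.1.0/24")    # spoke B's real addressing

# Each spoke's proxy ID (crypto ACL) seen from the hub: a hub->spoke packet must have
# its source in the hub DMZ and its destination inside that spoke.
PROXY_IDS: Dict[str, Tuple[IPv4Network, IPv4Network]] = {
    "A": (HUB_DMZ, SITE_A),
    "B": (HUB_DMZ, SITE_B),
}


def sa_accepts(spoke: str, pkt: Packet) -> bool:
    """Would the spoke's negotiated SA carry this hub-to-spoke packet?
    With crypto maps, a packet matching no proxy ID is never encrypted to that peer."""
    local, remote = PROXY_IDS[spoke]
    return pkt.src in local and pkt.dst in remote


class HubDoubleNat:
    """Stateful source PAT plus static destination NAT for A->B, and the reverse path.

    A reaches B's server through a hub-DMZ alias, so A never learns B's addresses;
    B sees one hub-DMZ source, so B never learns A's addresses."""

    def __init__(self, pat_addr: IPv4Address, aliases: Dict[IPv4Address, IPv4Address]):
        self.pat_addr = pat_addr                      # DMZ address A's hosts appear as
        self.alias_to_real = dict(aliases)            # DMZ alias -> real site-B host
        self.real_to_alias = {v: k for k, v in aliases.items()}
        self._pat: Dict[Tuple[IPv4Address, int], int] = {}    # (A host, port) -> PAT port
        self._pat_rev: Dict[int, Tuple[IPv4Address, int]] = {}
        self._next_port = 1024

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """Translate an A->B packet that arrived from spoke A; None means drop."""
        real_dst = self.alias_to_real.get(pkt.dst)
        if real_dst is None or pkt.src not in SITE_A:
            return None                               # unpublished alias or unknown source
        key = (pkt.src, pkt.sport)
        if key not in self._pat:                      # allocate a PAT port once per flow
            self._pat[key] = self._next_port
            self._pat_rev[self._next_port] = key
            self._next_port += 1
        return Packet(self.pat_addr, self._pat[key], real_dst, pkt.dport)

    def reverse(self, pkt: Packet) -> Optional[Packet]:
        """Translate a B->A packet that arrived from spoke B; None means drop.
        Only replies to existing PAT state pass, so B cannot initiate toward A."""
        alias = self.real_to_alias.get(pkt.src)
        state = self._pat_rev.get(pkt.dport)
        if alias is None or pkt.dst != self.pat_addr or state is None:
            return None
        a_host, a_port = state
        return Packet(alias, pkt.sport, a_host, a_port)


def demo() -> Dict[str, object]:
    """Walk one A->B connection and its reply through the hub; return each step."""
    nat = HubDoubleNat(
        pat_addr=IPv4Address("10.10.10.201"),
        aliases={IPv4Address("10.10.10.200"): IPv4Address("172.16.1.50")},
    )
    # A host at site A connects to what it believes is a hub DMZ server.
    from_a = Packet(IPv4Address("192.168.1.25"), 40000, IPv4Address("10.10.10.200"), 443)
    to_b = nat.forward(from_a)
    reply_from_b = Packet(to_b.dst, to_b.dport, to_b.src, to_b.sport)
    to_a = nat.reverse(reply_from_b)
    # B trying to open a session toward the PAT address finds no state.
    unsolicited = Packet(IPv4Address("172.16.1.50"), 5000, IPv4Address("10.10.10.201"), 2000)
    return {
        "raw_fits_B_sa": sa_accepts("B", from_a),        # False: cannot be sent as-is
        "to_b": to_b,
        "translated_fits_B_sa": sa_accepts("B", to_b),   # True
        "to_a": to_a,
        "reply_fits_A_sa": sa_accepts("A", to_a),        # True
        "unsolicited_from_B": nat.reverse(unsolicited),  # None
    }


if __name__ == "__main__":
    for step, value in demo().items():
        print(f"{step}: {value}")
```

Running the module prints the untranslated packet failing B's proxy ID, the translated packet passing it, the reply passing A's proxy ID, and the B-initiated attempt dropped for lack of state. Whether IOS can perform both rewrites on traffic that enters and leaves the same crypto-map interface (the loopback trick mentioned above) is what still needs to be confirmed in a lab; the model only shows which translations the proxy IDs force.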