We have an L - L IPSEC tunnel between our head office and a hosting company; all works well, solid as a rock. However, we now have a requirement for one of our branch offices to also run a tunnel to the hosting company, but for reasons of cost and control it has been decided that the branch office will route via the head office...
We also have a running IPSEC tunnel between the head and branch office, so all we need to get the whole thing running is to get the branch office to route to the hosting company via the head office and we're done.
Would this be considered as a full mesh but with one of the links removed (branch to hosting), or a hybrid of some sort? BTW both head office and branch run Cisco ASA5550 and 5515 respectively and we have full control over these devices; the hosting company I'm not so sure but may be an ASA..
Any advice or links to documentation would be greatly appreciated...
Glad to hear it's working now.
Well, I am not sure how you have set up the NAT configuration for the traffic between Branch and Hosting.
It would sound according to the above that you are actually adding the actual Branch network to the Head Office to Hosting L2L VPN? If this is true then you would require a NAT configuration on the Head Office that is between "outside" and "outside". In other words, a NAT0 configuration for the "outside" interface. (My original suggestion was to do Dynamic PAT for Branch if you wanted to avoid changes to configuration on the Hosting Site.)
That would probably be something I would check first.
If that is fine then I would check the VPN counters.
Do this for both of the L2L VPN connections:
show crypto ipsec sa peer
This should show you if the L2L VPN has negotiated for the Branch and Hosting networks on both L2L VPN connections. This would also tell you if packets are flowing in both directions.
If the problem is outside of your network then at the Head Office you would probably see only decapsulated/decrypted packets for the Head Office - Branch Office L2L VPN and only encapsulated/encrypted packets for the Head Office - Hosting Site L2L VPN.
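
The counter check described in the reply above, as an added example that is not part of the original thread: it parses `show crypto ipsec sa` output captured on the Head Office ASA and compares the SA facing the Branch with the SA facing the Hosting site. The sample output, networks, peer addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample in the layout of ASA "show crypto ipsec sa" output on the
# Head Office ASA. Networks and peers are made-up documentation addresses.
SAMPLE = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 192.0.2.1
      local ident (addr/mask/prot/port): (10.30.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.0.0/255.255.255.0/0/0)
      current_peer: 198.51.100.20
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 412, #pkts decrypt: 412, #pkts verify: 412
    Crypto map tag: outside_map, seq num: 20, local addr: 192.0.2.1
      local ident (addr/mask/prot/port): (10.20.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.30.0.0/255.255.255.0/0/0)
      current_peer: 203.0.113.30
      #pkts encaps: 412, #pkts encrypt: 412, #pkts digest: 412
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
FIELD = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+/[\d.]+)/"
                   r"|current_peer: ([\d.]+)|#pkts (encaps|decaps): (\d+)")

def parse_sas(text):
    """Return one dict per SA: local, remote, peer, encaps, decaps."""
    sas = []
    for line in text.splitlines():
        if "Crypto map tag:" in line:          # each SA block starts here
            sas.append({"encaps": 0, "decaps": 0})
        m = FIELD.search(line)
        if m and sas:
            if m.group(1): sas[-1][m.group(1)] = m.group(2)
            elif m.group(3): sas[-1]["peer"] = m.group(3)
            else: sas[-1][m.group(4)] = int(m.group(5))
    return sas

def flow(sa):
    enc, dec = sa["encaps"] > 0, sa["decaps"] > 0
    return {(True, True): "both directions", (False, True): "decaps only",
            (True, False): "encaps only", (False, False): "no traffic"}[enc, dec]

def diagnose(text, branch_net, hosting_net):
    """Compare the Branch-facing and Hosting-facing SAs for the hairpinned flow."""
    sas = {(s.get("local"), s.get("remote")): s for s in parse_sas(text)}
    to_branch = sas.get((hosting_net, branch_net))    # Head Office <-> Branch tunnel
    to_hosting = sas.get((branch_net, hosting_net))   # Head Office <-> Hosting tunnel
    if not (to_branch and to_hosting):
        return "not negotiated for Branch/Hosting networks on both tunnels"
    result = (flow(to_branch), flow(to_hosting))
    if result == ("decaps only", "encaps only"):      # the one-way pattern from the reply
        return "forwarded by Head Office, no replies from " + to_hosting["peer"]
    return "branch tunnel: %s; hosting tunnel: %s" % result
```

Calling `diagnose(SAMPLE, "10.20.0.0/255.255.255.0", "10.30.0.0/255.255.255.0")` on the constructed sample reports the one-way pattern: traffic arrives from the Branch and leaves toward the Hosting peer, with nothing coming back.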