Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

IPSec Site to Site VPN tunnels intercommunication

I was looking for solution for below problem:

We have HeadOffice and 2 Branches. 2 branches are connected to Head office with IPSec Site-To-Site VPN.

In that we have Branch 1 as a Windows AZure Site-To-Site VPN whereas Branch 2 is connected with Cisco RV042 VPN router's IPSec Site-To-Site VPN, and Head office have Cisco ASA 5510 Firewall.

Now my problem is that, both branches can be communicate by Head Office, but both branches neither communicate with each other directly nor via Head office, i.e. Interbranch communication is not establishing.

Here the limitation of Microsoft Windows Azure is that, it can create only 1 Site-to-Site Tunnel on single Virtual NIC. So I cannot create full mash topology of Site-to site VPN.

So my question is, can both branches communicate each other via head office, if yes than how it can possible? And in future can I extend number of Interbranch communication as number of branches increases?

Note: We cannot add any ACLs on both branches, and other configuration other than what site-to-site VPN creates. So we have to do any type of changes only at Head office level on ASA 5510 Firewall.

For reference I am attaching topology of present scenario.


My suggestion is to run DMVPN

My suggestion is to run DMVPN which uses GRE on your network. But as the ASA can't terminate GRE on itself, you will need to get another router and put it behind the ASA. DMVPN will be terminated on that router. 

To answer your question, with DMVPN you can run routing protocols (OSPF for example, as you have Windows device). This means that your sites can talk to each other via the headquarter/hub if you want it. Or they can talk to each other directly, but they will still need to get the information about the other site from the hub for the initial connection. 

DMVPN is scalable and makes your life easier as an admin. The modification to the configuration is not much for each branch that is needed to be added. 

Here are couple links that explained DMVPN: link1, link2.


New Member

Thanks Rudy for your reply

Thanks Rudy for your reply.

But as we know DMVPN is cisco proprietary, and we have cisco products only on branch 2 and on Head Office. Whereas on Branch 1 i.e. Windows Azure site, they have their IPSec Site-To-Site VPN technology.

So, as we know Windows Azure is cloud service by Microsoft and we cannot put any device at Branch 1.

So I think we cannot implement DMVPN for this multi-vendor IPSec Site-To-Site VPN scenario.

Judging from your response I

Judging from your response I guess you don't want to replace that Windows Azure service with Cisco? :) If that's the case I don't know any the solution for you. But this is interesting, I am interested if anyone has a solution for this multi-vendor scenario.

New Member

I search many forums over

I search many forums over internet, I think Cisco ASA have feature of Hairpining, which is able to route 2 VPN encrypted traffic via ASA’s Outside interface. It’s like U turn of traffic.

If you have any Idea about ASA VPN Hairpining, than let me know how I can implement on my Cisco ASA

And Sorry for scenario, There is little correction in topology which I posted earlier:

ISP ---> Branch-2 Network is