Hub and Spoke VPN Network

fdedolph
Level 1

I'm designing a hub and spoke VPN network. I have a headquarters with a PIX 515 and 5 remote offices with 1720's running IPSec and IOS firewall. My question is: can Remote 1 talk to Remote 2, 3, 4, and 5 by going through its tunnel to the PIX, or does Remote 1 need to have a direct tunnel to Remote 2, 3, etc.? I realize that the PIX for the most part does not route, but can the remote networks talk to each other through the PIX? Any ideas or references to configs would be very much appreciated. Thanks in advance.

5 Replies

llinney
Level 1

You need to have direct tunnels between each site. Refer to http://www.cisco.com/warp/public/707/ios_hub-spoke.html

The easiest way to fully mesh IOS devices is to use Tunnel Endpoint Discovery (TED) - see http://www.cisco.com/warp/public/707/tedpreshare.html - as this minimises the amount of configuration needed.

I'm not sure if the PIX supports TED, so you may need to define a normal crypto map to get to the traffic behind the PIX, and then use dynamic crypto maps with the discovery keyword for all your remote sites.

He is right about the solution. The only problem with Tunnel Endpoint Discovery is that it doesn't work with NAT. You have to have a legal IP on each desktop, since TED uses the destination IP address to discover the tunnel endpoint.

Sam Munzani

CCIE # 6479

sblatter
Level 1

The PIX acting as the hub will not route traffic between spokes. All spokes will require their own tunnels configured to allow communication with a peer spoke.

bbaley
Level 3

selva_vel
Level 1

Hi,

One-to-one tunnels are required to establish the VPN between the remote routers. It's like meshed tunnels.

Thanks & Regards,

Selva
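The replies above make two planning points: a PIX hub that does not forward spoke-to-spoke traffic forces a full mesh of tunnels, and TED only works for sites whose hosts have legal (non-NAT) addresses. The following Python planner, added here as an example and not part of the thread or any Cisco tool, works both out for a constructed five-spoke topology (site names and LAN prefixes are made up); it generalises to any number of spokes.

```python
import ipaddress
from itertools import combinations

# Constructed topology (not from the thread): one PIX hub and five 1720 spokes,
# each with the LAN prefix behind it. Two sites use non-RFC1918 space so the
# TED check has something to pass.
HUB = "hq-pix"
SPOKES = {
    "remote1": "10.1.0.0/24",
    "remote2": "10.2.0.0/24",
    "remote3": "192.0.2.0/24",
    "remote4": "10.4.0.0/24",
    "remote5": "198.51.100.0/24",
}

# Address space that is normally NATed; TED's discovery probe cannot reach it.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def required_tunnels(hub, spokes, hub_routes_between_spokes):
    """Set of IPsec peerings needed so that every site can reach every other.

    If the hub forwarded traffic between spokes, N hub links would suffice.
    The thread's answer is that the PIX hub does not, so every spoke also
    needs a direct tunnel to each other spoke: N + N*(N-1)/2 peerings.
    """
    pairs = {frozenset((hub, s)) for s in spokes}
    if not hub_routes_between_spokes:
        pairs |= {frozenset(p) for p in combinations(spokes, 2)}
    return pairs


def peers_for(site, tunnels):
    """Peer addresses a given site's crypto map must list."""
    return {other for pair in tunnels if site in pair for other in pair - {site}}


def ted_eligible(spokes):
    """Spokes whose LAN is outside RFC 1918, i.e. not hidden behind NAT.

    TED probes toward the destination host's address to find the far
    endpoint, so a NATed LAN (the caveat raised in the thread) cannot use it.
    """
    return {name for name, lan in spokes.items()
            if not any(ipaddress.ip_network(lan).subnet_of(n) for n in RFC1918)}


if __name__ == "__main__":
    mesh = required_tunnels(HUB, SPOKES, hub_routes_between_spokes=False)
    print(f"{len(mesh)} tunnels; remote1 peers: {sorted(peers_for('remote1', mesh))}")
    print("TED candidates:", sorted(ted_eligible(SPOKES)))
```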