
hub and spoke vpn

weisse1
Level 1

I have two spoke sites with 3002 hardware clients and a hub site with a 3005. Is it possible to configure the hub site to allow each spoke to reach each other's internal network via the vpn tunnels? The spokes are running in network extension mode.

4 Replies

gfullage
Cisco Employee

If you're not doing split tunnelling then the two sites should be able to talk to each other without you doing anything. Make sure you're running 3.6(7)F or earlier than 3.6 to get around a couple of bugs with this (CSCea41973 in particular).

If you're doing split tunnelling, then you need to include the network from behind one spoke in the list that will be sent to the other spoke, and vice versa. This will ensure that traffic for the other spoke will be encrypted and sent to the hub.

I am doing split tunneling. I currently have both sites in the same group. I guess I need to create two separate groups to pass the network information for each site down to the spokes?

Yeah. Theoretically you could add both remote subnets into the current network list and pass that list down to both sites. If data is destined for the same site it should never hit the 3002 anyway, so it shouldn't matter if that network is in the network list. Probably cleaner to have two separate groups, but then it'll get messy if you add more and more 3002's (you'd need to create another group plus add that remote network to each of the other network lists, yuk!)
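
The split-tunnel behaviour gfullage describes above, as an added example that is not part of the original thread or Cisco's code: a small Python model of the 3002's forwarding decision (local LAN stays local, a match in the hub-pushed network list is encrypted to the hub, everything else goes in the clear). The hub and spoke subnets and the two network lists are constructed sample values, not the poster's configuration.

```python
"""Model of split-tunnel decisions at a Cisco VPN 3002 hardware client.

Added example for this thread, not Cisco code or the original poster's
configuration. Subnets and the hub-pushed network lists are constructed
sample values. The 3002 is reduced to three outcomes: a destination inside
the spoke's own LAN stays local, a destination matching a network-list
entry is encrypted to the hub 3005, anything else leaves unencrypted.
"""
from ipaddress import ip_address, ip_network


def tunnel_decision(src_lan, network_list, dst):
    """Return 'local', 'tunnel' or 'clear' for one destination address."""
    addr = ip_address(dst)
    if addr in ip_network(src_lan):
        return "local"      # never reaches the 3002's outside interface
    if any(addr in ip_network(n) for n in network_list):
        return "tunnel"     # split-tunnel match: encrypted to the hub
    return "clear"          # no match: sent unencrypted to the Internet


def spoke_to_spoke_ok(spokes, network_list):
    """List spoke pairs whose traffic would bypass the tunnel (empty = OK)."""
    problems = []
    for name, lan in spokes.items():
        for other, other_lan in spokes.items():
            if other == name:
                continue
            probe = str(ip_network(other_lan)[1])   # first host in remote LAN
            if tunnel_decision(lan, network_list, probe) != "tunnel":
                problems.append(f"{name} -> {other} ({probe}) would go in the clear")
    return problems


HUB_LAN = "10.0.0.0/24"                                        # constructed
SPOKES = {"spokeA": "10.1.0.0/24", "spokeB": "10.2.0.0/24"}    # constructed

# Single group as originally configured: only the hub LAN is pushed down.
ORIGINAL_LIST = [HUB_LAN]
# One shared list carrying the hub LAN plus both spoke LANs.
SHARED_LIST = [HUB_LAN, *SPOKES.values()]

if __name__ == "__main__":
    for label, nl in (("original", ORIGINAL_LIST), ("shared", SHARED_LIST)):
        print(label, spoke_to_spoke_ok(SPOKES, nl) or "all spoke-to-spoke traffic tunnelled")
    # A spoke's own LAN in the shared list is harmless: that traffic stays local.
    print(tunnel_decision(SPOKES["spokeA"], SHARED_LIST, "10.1.0.50"))
```

The same check works for any number of spokes: as more 3002s are added to a shared list, `spoke_to_spoke_ok` reports exactly which pairs would still leave the tunnel.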

I think I'll just add the networks to the list and let it go at that. Thanks for your help,

regards,

Christian