Cisco Support Community

New Member

hub and spoke vpn

I have two spoke sites with 3002 hardware clients and a hub site with a 3005. Is it possible to configure the hub site to allow each spoke to reach each other's internal network via the VPN tunnels? The spokes are running in network extension mode.

4 REPLIES
Cisco Employee

Re: hub and spoke vpn

If you're not doing split tunnelling then the two sites should be able to talk to each other without you doing anything. Make sure you're running 3.6(7)F or earlier than 3.6 to get around a couple of bugs with this (CSCea41973 in particular).

If you're doing split tunnelling, then you need to include the network from behind one spoke in the list that will be sent to the other spoke, and vice versa. This will ensure that traffic for the other spoke will be encrypted and sent to the hub.

New Member

Re: hub and spoke vpn

I am doing split tunneling. I currently have both sites in the same group. I guess I need to create two separate groups to pass the network information for each site down to the spokes?

Cisco Employee

Re: hub and spoke vpn

Yeah. Theoretically you could add both remote subnets into the current network list and pass that list down to both sites. If data is destined for the same site it should never hit the 3002 anyway, so it shouldn't matter if that network is in the network list. Probably cleaner to have two separate groups, but then it'll get messy if you add more and more 3002s (you'd need to create another group plus add that remote network to each of the other network lists, yuk!).
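
The trade-off between one shared network list and one list per group, modelled as an added example (it is not from any poster in this thread and is not concentrator configuration). The subnets are constructed sample values and all function names are hypothetical; the model assumes only that a split-tunnelling spoke encrypts traffic whose destination is in the list pushed to it.

```python
import ipaddress

# Constructed sample addressing; the thread gives no subnets.
HUB = ipaddress.ip_network("10.0.0.0/24")
SPOKES = {
    "spoke-a": ipaddress.ip_network("10.1.0.0/24"),
    "spoke-b": ipaddress.ip_network("10.2.0.0/24"),
}

def hub_only_lists(hub, spokes):
    """Starting point: the pushed list contains only the hub network."""
    return {name: [hub] for name in spokes}

def shared_list(hub, spokes):
    """Single group: one list holding the hub and every spoke subnet."""
    return {name: [hub, *spokes.values()] for name in spokes}

def per_group_lists(hub, spokes):
    """One group per spoke: the hub plus every *other* spoke subnet."""
    return {name: [hub] + [n for other, n in spokes.items() if other != name]
            for name in spokes}

def is_tunneled(dst, network_list):
    """Split tunnelling: only destinations in the pushed list go to the hub encrypted."""
    return any(ipaddress.ip_address(dst) in net for net in network_list)

def unreachable_pairs(lists, spokes):
    """Spoke pairs whose traffic would bypass the tunnel instead of reaching the hub."""
    missing = []
    for src in spokes:
        for dst, net in spokes.items():
            probe = net.network_address + 1  # first host in the remote subnet
            if src != dst and not is_tunneled(probe, lists[src]):
                missing.append((src, dst))
    return missing

def list_entries(lists):
    """Entries to maintain across all distinct lists (shows how each option scales)."""
    return sum(len(v) for v in {tuple(v) for v in lists.values()})

if __name__ == "__main__":
    for label, build in [("hub only", hub_only_lists), ("shared", shared_list),
                         ("per group", per_group_lists)]:
        lists = build(HUB, SPOKES)
        print(label, unreachable_pairs(lists, SPOKES), list_entries(lists))
```

With N spokes the shared list needs N+1 entries in total, while per-group lists need N lists of N entries each, which is the growth the reply above calls messy.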

New Member

Re: hub and spoke vpn

I think I'll just add the networks to the list and let it go at that. Thanks for your help,

regards,

Christian
