Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
957
Views
5
Helpful
6
Replies

Hub and spoke VPN

dave.cook
Level 1
Level 1

‎10-15-2003 08:10 AM - edited ‎02-21-2020 12:49 PM

Hi,

I' trying to create a hub and spoke VPN so two remote sites can have a ipsec tunnel to the central office.

Is it possable to create this situation using a pix 501 at each site?

As I have one of my remote sites that can connect to the central site and one that cant. I am not getting any debug information to help me fix the failing tunnel. Where as the other tunnel is giving me information all the time.

I have put another pix at the failing remote site but that has not helped.

TIA

Dave

Labels:
0 Helpful
6 Replies 6

p.mcgowan
Level 3
Level 3

‎10-16-2003 07:12 AM

Dave,

a 501 at each site should be fine.

Can the failing remote site normaly ping the central site?

are the configurations of both remote sites the same?

is the central site configured to accept a vpn from failing site?

0 Helpful

dave.cook
Level 1
Level 1
In response to p.mcgowan

‎10-20-2003 01:36 AM

Hi,

Yes both sites are the same. I have followed a sample config on the cisco web site, under the sample config section for the PIX firewall. This is a new VPN infrastructure, so they never had a link to ping across.

I have configued the central site to accept conections from both remote sites. Would it help if I post the configs

Many thanks for your reply

Dave

0 Helpful

jmia
Level 7
Level 7
In response to dave.cook

‎10-20-2003 03:59 AM

Dave -

Please do post your config but remember to exclude real IPs and passwords or if you want e-mail direct to me: jmia@ohgroup.co.uk

Thanks - Jay

0 Helpful

pkapoor
Level 3
Level 3

‎10-20-2003 12:55 PM

If you are talking about having a PIX as the hub and have communication between the spokes via the hub, forget it. Will not work with PIX as hub. You can do this with a router or a concentrator as the hub....PIXs do not have a problem as spokes.

If you are talking about hub-and-spoke with no communication between the spokes via the hub, then that should work with a PIX as the hub.

Hope this helps.

Paras

0 Helpful

x-guo
Level 1
Level 1
In response to pkapoor

‎10-21-2003 07:12 AM

Thanks, I just want to ask such questions. Because I used pix as hub and let spokes communicate through pix. of course, I failed, they just can communicate with hub lan.

Now I know we should use router or concentrator, do we need special configs in order to let spokes communicate through router or concentrator? eg some special maps. or we just config each spoke to hub, once they can communicate with hub, then they can communicate with each other through hub?

A example is prefered. thanks again.

0 Helpful

pkapoor
Level 3
Level 3
In response to x-guo

‎10-21-2003 09:04 AM

Configuring IPSec Router-to-Router Hub and Spoke with Communication Between the Spokes

http://www.cisco.com/warp/public/707/ios_hub_spoke2.html

If you want to use concentrators, then the setup is similar to building site-to-sites from the hub to the spokes. The difference is, in the tunnel with spoke 1, have the local/remote proxy identities include the network behind spoke 2 and in the tunnel with spoke 2 include network behind spoke 1 as local/remote identity.

Then you need to add routes to each of the spoke to direct them to the hub for the remote sites, if required.

Paras

Customers Also Viewed These Support Documents