
IPSec VPN Design


Attached is my network topology. I want to encrypt the traffic that comes from sites A, B, and C to the main router and vice versa.

I think we have two options:

1- Make the main router the IPSec termination for the site A, B, and C routers.

2- Make the Site A router the IPSec termination for sites B and C, and the main router the IPSec termination for site A.

Which one is preferred and why?

Thanks in advance

Abd Alqader

Hall of Fame Super Blue

Re: IPSec VPN Design


There are a number of things to take into account here.

1) Does router A do any NAT/PAT on packets going through it? If it does, it may be easier to terminate the VPNs from B and C on A and then start a new VPN to the main router.

2) Processing power of routers. If you use A as a termination point, then it needs to terminate VPNs not just for users at Site A but also for sites B & C.

3) Complexity of configuration. I think if you create separate VPNs for each site to the main site, your configuration will be easier.

4) Redundancy. At the moment Router A is a single point of failure, in that if it goes down, B & C also lose connectivity. If you were at some future date to have secondary links from B & C, it would make sense to have separate VPNs rather than aggregate via A.

All things being equal, I would look to create individual VPNs from each site, but this is a recommendation based on what you have supplied. There may be more factors for you to consider.
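To make the recommended design (option 1, one independent tunnel per site terminating on the main router) concrete, here is an added hub-side IOS configuration sketch. It is not from the original thread or either poster; the IKEv1 crypto-map style, interface name, ACL and crypto-map names, peer addresses (203.0.113.x), LAN prefixes (10.x.0.0/24) and the pre-shared keys are all placeholders chosen for illustration.

```cisco
! Main (hub) router: three independent IKEv1/IPsec tunnels, one per site.
! Added example, not from the thread; every address, name and key is a placeholder.
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
! A distinct pre-shared key per spoke, so one leaked key does not expose the others.
crypto isakmp key <SITE-A-PSK> address 203.0.113.1
crypto isakmp key <SITE-B-PSK> address 203.0.113.2
crypto isakmp key <SITE-C-PSK> address 203.0.113.3
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! "Interesting traffic": hub LAN (10.0.0.0/24) to each site's LAN, one ACL per site
! so each tunnel only carries the subnet pair it is meant to protect.
ip access-list extended VPN-TO-A
 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
ip access-list extended VPN-TO-B
 permit ip 10.0.0.0 0.0.0.255 10.2.0.0 0.0.0.255
ip access-list extended VPN-TO-C
 permit ip 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255
!
! One crypto-map entry per site; each stands on its own, so losing or
! re-addressing one spoke never touches the other two entries.
crypto map HUB 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address VPN-TO-A
crypto map HUB 20 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address VPN-TO-B
crypto map HUB 30 ipsec-isakmp
 set peer 203.0.113.3
 set transform-set TS
 match address VPN-TO-C
!
interface GigabitEthernet0/0
 description WAN uplink (placeholder interface and address)
 ip address 198.51.100.1 255.255.255.252
 crypto map HUB
```

Each spoke mirrors its own entry: the same ISAKMP policy and transform set, its own key, a single crypto-map entry whose `set peer` is 198.51.100.1 and whose ACL is the reverse of the hub's (site LAN to 10.0.0.0/24), applied to the spoke's WAN interface. Two points from the answer above show up directly in this layout: the per-site ACL and crypto-map entries are what keeps the configuration simple to audit (point 3), and because each tunnel is keyed and matched independently, a future secondary link at B or C only needs its own entry rather than a redesign (point 4). Point 1 still applies: the IKE/ESP packets from B and C transit Router A, so if A applies PAT to them, the hub and spokes must negotiate NAT traversal (UDP/4500) for those two tunnels; verify this with the NAT behaviour of A before settling on the design.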


