Re: VPN hub and spoke with communication between spokes

andyirving · ‎11-27-2003

I know the limitations of PIX in doing this, I would rather not use a router to do this. Does anyone know if the VPN Concentrator would work in this setup. ie VPN remote sites connect into a centralised hub VPN Concentrator. Remote sites can then communicate with each other. I am looking at deploying IP Telephony over VPNs but need end stations to communicate with each other as well as the main site.

andyirving · ‎11-27-2003

Good old CCO found the answer it can be done using what is known as Reverse Route Injection (RRI) on the VPN Concentrator. Right better get it running then.

dlac455 · ‎12-05-2003

Be Careful!

I spent many hours debugging this. We do what you are trying to implement. The problem is the VPN concentrator will NOT communicate between spokes. However, it will spit the packets out the inside interface. Using a router behind the concentrator as the default next hop address, I turned off ICMP redirects on the router interface. This allows the packets to come out of the 3030 to the router, turn around and be sent back to the 3030. Kluge? yes! Now that TAC support has moved to Mexico, I can't even get the TAC guy to understand the problem. I gave up. A Cisco SE in Houston gave me this workaround and his sympathy. Good Luck!