Cisco Support Community

Hub-Spoke IPSEC

Dear All,

I have a central firewall (PIX 535) in HQ peering via IPSEC tunnels with 3 other branches; all branches use a Cisco 1700 with the IOS feature set. Currently there is an IPSEC tunnel between each branch and the HQ FW. I need to configure the central FW to do routing between all branches, so if branch x needs to communicate with branch y it should establish its IPSEC with HQ, then the HQ uses the incoming traffic to initiate an IPSEC tunnel with y (if idle) and then routes the traffic between both branches.

Mainly i need to do Hub-Spoke IPSEC tunnels due to lack of hardware in the remote branches routers.

Is that allowed? If yes, kindly advise.


Best Regards,

Mounir Mohamed


Re: Hub-Spoke IPSEC

Use PIX Software ver 7 on the 535 and allow the traffic that comes in through an interface to go out through the same interface.
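As an added illustration of that answer (not the poster's configuration), the hub-side pieces on a PIX running 7.x: the intra-interface permit plus crypto ACLs that also cover spoke-to-spoke prefixes, so hairpinned packets re-enter the correct tunnel. Addresses, ACL and map names and the transform set are constructed placeholders; ISAKMP policy, pre-shared keys and NAT exemption are assumed already in place and not shown.

```cisco
! Hub PIX 535, PIX 7.x. All addresses below are constructed placeholders.
! Let traffic that arrived on the outside interface leave via outside again
! (the spoke-to-spoke hairpin the answer refers to).
same-security-traffic permit intra-interface

! Hub LAN 10.0.0.0/24; spoke X LAN 10.1.0.0/24 (peer 198.51.100.1);
! spoke Y LAN 10.2.0.0/24 (peer 198.51.100.2).
! The crypto ACL for each spoke must match not only hub-to-spoke traffic
! but also traffic sourced from the other spoke, otherwise the hairpinned
! packets fall outside the SA and are sent in the clear or dropped.
access-list HUB_TO_X extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list HUB_TO_X extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list HUB_TO_Y extended permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list HUB_TO_Y extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0

crypto ipsec transform-set TS esp-3des esp-sha-hmac

! One crypto map entry per spoke; the first matching entry initiates the
! tunnel to that spoke when interesting traffic (including hairpinned
! spoke-to-spoke traffic) arrives and no SA is up yet.
crypto map VPN 10 match address HUB_TO_X
crypto map VPN 10 set peer 198.51.100.1
crypto map VPN 10 set transform-set TS
crypto map VPN 20 match address HUB_TO_Y
crypto map VPN 20 set peer 198.51.100.2
crypto map VPN 20 set transform-set TS
crypto map VPN interface outside
```

Each spoke's IOS crypto ACL must mirror this: spoke X has to list 10.2.0.0/24 (spoke Y's LAN) as a destination through the HQ peer, not just the hub LAN, or X will never send Y-bound traffic into its tunnel.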

Re: Hub-Spoke IPSEC



I found the URL yesterday, thanks :)

Re: Hub-Spoke IPSEC

Hi Munir,

Just to add a short note to your environment, if you are presently using IPSec Direct Encapsulation (traditional IPSec Tunnels), you may encounter issues with respect to Multicasting Applications like Routing Protocols.

If not deployed already, you should consider migration from IPSec Direct Encap to Point to Point GRE over IPSec Tunnels.

Alternatively, you may consider implementing a DMVPN, which can take care of all these issues.

You may like to refer to the following link for additional information:


Kind Regards,

Wilson Samuel
