Community Member

Multi Site-to-Site VPN

Hey guys;

I have just switched over from using SonicWALL routers, to Cisco RV130W.

I have multiple sites connected via VPN.

Site 1 is the main site

Site 2, 3 and 4 all connect to site 1 via the VPN.

Currently all sites can communicate with Site 1.

However, I need site 2, for instance, to be able to communicate with site 3/4.

Currently each site can only communicate with Site 1.

How do I allow this?

14 REPLIES
Community Member

From my limited understanding of VPNs, I'm trying to set up a hub and spoke site-to-site VPN.

As mentioned previously, each spoke can move traffic back to the hub.

I understand that the spokes, however, can communicate via the hub.

Any help on this with the RV130W?

Hi scud.89@gmail.com,

There are two ways to achieve this:

1) Mesh VPN tunnels: In this way, you need to configure VPN tunnels from one site to all other sites.

2) Hub and spoke: In this way, you need to allow traffic from one site to all other sites to travel through the tunnel to the hub, and the hub will then forward the traffic to the other sites. All traffic will flow through the hub.

Let me know which type you want to achieve.

SD-WAN Specialist
Spooster IT Services
Community Member

Thanks for your reply. I'm happy with the hub and spoke solution.

As mentioned, I can get each spoke to pass traffic back to the hub. However, I cannot get the traffic between spokes.

Can you post the running configuration of the hub and let me know the LAN subnets of all the sites you want communication between.

SD-WAN Specialist
Spooster IT Services
Community Member

Four sites. Using the site-to-site menu on the RV130W.

Site A - 192.168.1.0 / 255.255.255.0

Site B - 192.168.2.0 / 255.255.255.0

Site C - 192.168.3.0 / 255.255.255.0

Site D - 192.168.4.0 / 255.255.255.0

Sites B, C and D are all connected directly to site A.

You need to make changes in the crypto ACL / interested traffic like the following.

Let's say the tunnel is between Site A and Site B.

At site B you need to define the interested traffic as:

Source is - 192.168.2.0 / 255.255.255.0

Destination is - 192.168.1.0 / 255.255.255.0, 192.168.3.0 / 255.255.255.0, 192.168.4.0 / 255.255.255.0

At site A for tunnel with B, 

Source is - 192.168.1.0 / 255.255.255.0, 192.168.3.0 / 255.255.255.0, 192.168.4.0 / 255.255.255.0

Destination is - 192.168.2.0 / 255.255.255.0

=====================

Tunnel between Site A and site C

At site C you need to define the interested traffic as:

Source is - 192.168.3.0 / 255.255.255.0


Destination is - 192.168.1.0 / 255.255.255.0, 192.168.2.0 / 255.255.255.0, 192.168.4.0 / 255.255.255.0

At site A for tunnel with C,

Source is - 192.168.1.0 / 255.255.255.0, 192.168.2.0 / 255.255.255.0, 192.168.4.0 / 255.255.255.0

Destination is - 192.168.3.0 / 255.255.255.0

=====================

Tunnel between Site A and site D

At site D you need to define the interested traffic as:

Source is - 192.168.4.0 / 255.255.255.0


Destination is - 192.168.1.0 / 255.255.255.0, 192.168.2.0 / 255.255.255.0, 192.168.3.0 / 255.255.255.0

At site A for tunnel with D,

Source is - 192.168.1.0 / 255.255.255.0, 192.168.2.0 / 255.255.255.0, 192.168.3.0 / 255.255.255.0

Destination is - 192.168.4.0 / 255.255.255.0

SD-WAN Specialist
Spooster IT Services
Community Member

I may have asked already. Sorry if this is redundant.

Can you tell me how you got B and C to communicate with A? I don't need B and C to communicate, only to communicate back to A, where the server is located.

Thanks

Community Member

I do not mind if traffic is required to travel via hub.

Any ideas on how I can set this up to allow spokes to communicate via hub?

Cisco Employee

Hi,

I think the answer that you are looking for is DMVPN, or Dynamic Multipoint VPN. In this setup, the remote sites will not need to pass traffic to the hub. In your case, Sites 2, 3 and 4 will be able to communicate with the hub and the spoke sites.

see link below

http://searchenterprisewan.techtarget.com/definition/Dynamic-multipoint-VPN-DMVPN

Community Member

Re: Multi Site-to-Site VPN

There are two types of site-to-site VPN, one being policy-based and the other being route-based. If you are talking policy-based, you'll need to configure access lists that would allow one site to talk to another, but they would all have to filter through the hub, unless you set up s2s between each site.

If this is a routed tunnel, you have two options: use VTI or set up DMVPN using multipoint GRE. Then all you have to do is route between the sites, using OSPF or BGP, etc. The beauty of DMVPN is that you can create dynamic s2s tunnels using the NHRP shortcut technique.

 

There are many ways to do this; please let me know if you need help with decision or configuration.

 

-Shawn

fencepencil, a Boise SEO company

Community Member

Re: Multi Site-to-Site VPN

Do you have a document on how to set up multiple sites? My situation is one store where the server resides and two warehouses; the first warehouse was easy to VPN back to the store; the second warehouse doesn't want to connect.

Or do you have some steps I can follow?

Notes: I copied the config from the warehouse 1 router to the warehouse 2 router; I changed the static, gateway, name, and local IP address range; that should have been all there was to do. I don't think I set up the main store router correctly to work with the 2nd warehouse.

 

thanks,

darryl

 

Community Member

Re: Multi Site-to-Site VPN

Darryl,

 

I've attached an image with a simple topology, using 10.0.0.0/24 for the tunnel network and "public addresses" of 1.1.1.1, 2.2.2.2, and 3.3.3.3. The 1.1.1.1 represents the hub and the other two represent sites, R2 and R3. 

 

Let's say your server and both warehouses reside behind router 2 (2.2.2.2). This router will have connected routes to each subnet. I imagine one warehouse is using one VLAN and the other warehouse is on another, with the server on either VLAN or its own. In any case, R2 should be able to reach all three resources. 

 

Now, for the hub or router 3 to be able to reach those subnets/VLANs, you will need to set up routing over the tunnel. Depending on what your needs are, you can probably get away with using OSPF over the tunnel. You'll have to use a broadcast network type, and an area connected to area 0 for the tunnel network (in my examples, it's area 1). You will need to make sure you are advertising all VLANs into OSPF for this to work.

 

You could also use iBGP, or simple static routes, but routing is what is controlling all the traffic. NHRP is what is really creating the dynamic tunnels here, and will end up updating the next hop, depending on where the destination is.

 

Example Hub Config:

! Hub (1.1.1.1): spokes register here over NHRP; "ip nhrp redirect" lets the hub
! tell spokes to build direct spoke-to-spoke tunnels (DMVPN phase 3).
interface Tunnel 0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp redirect
 ip ospf network broadcast
 ip ospf priority 255
 ip ospf 1 area 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1234
 ! optional per the original; without it the mGRE tunnel carries traffic unencrypted
 tunnel protection ipsec profile PROFILE

Example R2:

! Spoke (2.2.2.2): the NHS is addressed by the hub's tunnel IP (10.0.0.1), which the
! map line binds to the hub's public address 1.1.1.1; the multicast map is what lets
! OSPF hellos reach the hub over the mGRE tunnel.
interface Tunnel 0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco123
 ip nhrp map 10.0.0.1 1.1.1.1
 ip nhrp map multicast 1.1.1.1
 ip nhrp nhs 10.0.0.1
 ip nhrp network-id 1
 ip nhrp shortcut
 ip ospf network broadcast
 ip ospf priority 0
 ip ospf 1 area 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1234
 tunnel protection ipsec profile PROFILE

Example R3:

! Spoke (3.3.3.3): identical to R2 apart from its own tunnel address.
interface Tunnel 0
 ip address 10.0.0.3 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco123
 ip nhrp map 10.0.0.1 1.1.1.1
 ip nhrp map multicast 1.1.1.1
 ip nhrp nhs 10.0.0.1
 ip nhrp network-id 1
 ip nhrp shortcut
 ip ospf network broadcast
 ip ospf priority 0
 ip ospf 1 area 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1234
 tunnel protection ipsec profile PROFILE

Example OSPF config (where the server and warehouse subnets are)

! Replace each placeholder with the VLAN's network and its wildcard (inverse) mask;
! every VLAN that must be reachable across the tunnel has to be advertised here.
router ospf 1
 network <server-vlan-network> <wildcard-mask> area 1
 network <warehouse-1-vlan-network> <wildcard-mask> area 1
 network <warehouse-2-vlan-network> <wildcard-mask> area 1

 

Hope this helps :)

Shawn

fencepencil

Community Member

Re: Multi Site-to-Site VPN

Excellent. And I actually understood most of that.

 

But using the Cisco RV130W menu system and not the Cisco OS, do you have any screenshots of how this would be done? I did Cisco routers from the IOS years ago, but couldn't do that today.

 

Thanks for the information and the diagram.

 

Darryl

Community Member

Re: Multi Site-to-Site VPN

Hi Darryl,

 

It appears that device will only support policy-based IPsec, meaning you will have to configure tunnels between the hub and each spoke and between each spoke and every other spoke. Depending on how many sites you have, this could get up to 6 or so tunnels, or more...

I found a good video explaining this process, because it's more than I could ever type - https://supportforums.cisco.com/t5/small-business-support-videos/rv130w-to-rv325-router-site-to-site-ipsec-vpn-configuration/ba-p/3104490

If you have more than one subnet behind a site/spoke, you will just need to add the additional subnets to the hub side's "remote policy" and the spoke site's "local policy", if that makes sense. Usually site-to-site tunnels are just connecting two LANs, but in your case it's connecting 1 LAN to 3 LANs. A small adjustment to the local and remote policy, and you should be good to go.

Hope this helps.

 

Shawn 

fencepencil
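The interested-traffic mirroring described earlier for hub-and-spoke transit, and the per-pair local/remote policies in the full-mesh answer above, as an added Python example that is not from this thread: it builds both policy sets from the thread's four subnets, checks that the two ends of every tunnel mirror each other (a mismatch is the usual reason phase 2 never comes up), and checks whether a spoke-to-spoke packet is selected on both legs. Function names are my own.

```python
from ipaddress import ip_address, ip_network

# Subnets from the thread; site A is the hub.
SITES = {"A": ip_network("192.168.1.0/24"), "B": ip_network("192.168.2.0/24"),
         "C": ip_network("192.168.3.0/24"), "D": ip_network("192.168.4.0/24")}

def hub_only_policies(sites, hub):
    # The thread's starting point: each spoke tunnel carries only spoke LAN <-> hub LAN.
    return {(hub, s): {s: {"local": [sites[s]], "remote": [sites[hub]]},
                       hub: {"local": [sites[hub]], "remote": [sites[s]]}}
            for s in sites if s != hub}

def hub_spoke_policies(sites, hub):
    # Spoke side: local = own LAN, remote = every other site's LAN; hub side mirrors it.
    policies = {}
    for s in sites:
        if s == hub:
            continue
        others = sorted(n for name, n in sites.items() if name != s)
        policies[(hub, s)] = {s: {"local": [sites[s]], "remote": others},
                              hub: {"local": others, "remote": [sites[s]]}}
    return policies

def mesh_policies(sites):
    # Full mesh (the RV130W answer): one tunnel per pair, each end local = own, remote = peer.
    names = sorted(sites)
    return {(a, b): {a: {"local": [sites[a]], "remote": [sites[b]]},
                     b: {"local": [sites[b]], "remote": [sites[a]]}}
            for i, a in enumerate(names) for b in names[i + 1:]}

def mirrored(policy):
    # IKE phase 2 negotiates only if one end's local/remote is the other's remote/local.
    (_, p), (_, q) = policy.items()
    return set(p["local"]) == set(q["remote"]) and set(p["remote"]) == set(q["local"])

def selects(end, src, dst):
    # Does this tunnel end's policy cover a packet src -> dst (addresses as strings)?
    src, dst = ip_address(src), ip_address(dst)
    return any(src in n for n in end["local"]) and any(dst in n for n in end["remote"])

def spoke_to_spoke_ok(policies, hub, src_site, dst_site, src, dst):
    # Transit via hub: selected by the source spoke's policy on its own tunnel, and
    # again by the hub's policy on the destination spoke's tunnel.
    return (selects(policies[(hub, src_site)][src_site], src, dst)
            and selects(policies[(hub, dst_site)][hub], src, dst))
```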
