Hi,

Really appreciate your help on this.

I could find Hub-and-Spoke and Full Mesh VPN Topologies on the link http://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/3-2-2/user/guide/UserGuide/vpchap.html#wp586112

Please could you let me know if there are some configuration examples available for these two types?

I would like to configure Standard IPsec VPN over the network. Also would like to know how the routing part is configured in this scenario.

Thanks.

With the ASA at your head office you cannot use DMVPN as your overlay so we typically fall back to the IPsec LAN-LAN VPN (sometimes referred to as site-site). There are many many configuration examples for this - see, for example, the ones under the heading "Site to Site VPN" here:

http://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/products-configuration-examples-list.html

Withe respect to routing, the simplest method is if the 5505 and the remote site 1900 ISR routers are the default gateway for their respective site. If so, the the access-lists on each device identify traffic destined for one of the remote sites and encapsulate it into IPsec for transmission to the peer's public IP address. At the distant end it is received, decapsulated and passed on the the remote hosts.

Hi Marvin,

Many thanks for your reply.

So if I use 1900 ISR in Head Office could I perform a configuration similar to the example mentioned in http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/7912-ios-hub-spoke2.html ?

Also can you advice whether the following is a good approach http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/41940-dmvpn.html ?

Or is there any other way I can configure a mesh topology using ISR routers alone (without using ASA)?

Thanks again.

Of the two you mentioned just now, the DMVPN is more scalable. The first example is a 7 year old document and many organizations find it much more labor intensive to keep up all of those manually configured access-lists and other configuration bits.

An even more flexible approach, although less well-documented due to its relative age, is FlexVPN. See the FlexVPN data sheet for an overview of its advantages:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/15-2mt/sec-flex-spoke.html

Here are a couple of FlexVPN configuration examples:

http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115782-flexvpn-site-to-site-00.html

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/15-2mt/sec-flex-spoke.html

Both DMVPN and FlexVPN allow you to route dynamically and establish tunnels in a mesh fashion as needed to reach all the sites, whether spoke-hub or spoke-spoke.

Hi Marvin,

Thank you for your help.

I will try FlexVPN and let you know if I face any issues. Your advises are much appreciated.

Many thanks.