Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

IOS IPsec VPN Hub with spokes that need to talk to each other

Hey All,

  I need a hand with this one. I have a cisco 1841 router acting as the 'hub' for a handful of static VPN sessions (other companies). The physical configuration is fairly straight forward.

  1841 has a direct connection to the outside (ARIN-allocated IPv4 address space), and an inside connection to a DMZ that I reserve for just this particular type of traffic.  The VPN peers are using a mixture of devices on the other side (some cisco, some non-cisco) that I do not manage. Being other companies, the remotes all have their own IP addressing schemes.

  My configuration works fine as-is, until a new requirement came my way recently. I need to allow transport between one remote and another, so I will have to NAT both the source and destination in both directions.

  Since I have no ownership/control over the remotes in terms of design or hardware, I'm not able to use IOS IPsec VTI's, because typical remote will not agree to an SA list of permit any/any. Therefor, I'm using regular crypto maps to support this topology.

  Any advice is appreciated. Thanks!

Everyone's tags (5)
Cisco Employee

Re: IOS IPsec VPN Hub with spokes that need to talk to each othe


Did you crack this one already?

I'm a littble bit puzzled as to how the two remote sites will differentiate traffic to your local network and other remote networks without changing proxy ACLs. Or maybe I missed the point?


New Member

Re: IOS IPsec VPN Hub with spokes that need to talk to each othe

I haven't had a chance to lab this out yet, but as of now I don't think it's possible with crypto maps. I'm pretty sure I can allow spokes to talk with each other via my hub, if the spokes had compatible addressing schemes.

Basically, I need site A to be able to initiate connections to site B, but site B will not know about Site A's existance.

Typically, an "extranet" connection with an outside organization is setup, what source/destination addresses will be used per application / flow is negotiated. It may not look anything like what was negotiated for other extranet connections.

So, it's the double nat'ing I don't know how to do in IOS. I'm able to do this by bouncing off of my next hop. (an ASA with hairpin routing enable) I'd just like to do this all in one device.


Cisco Employee

Re: IOS IPsec VPN Hub with spokes that need to talk to each othe


If it's only a question of one site being able to reach another, you can try to PAT all traffic from site going to site B to you local IP address (inside for example).

This would require puting A->B traffic to a loopback interface (to hit "ip nat inside") but I think it could work, it's not tested ;-)

If we're talking about A-B and B-A communication - that will be tricky without adding new proxy ids.


СоздатьДля создания публикации, пожалуйста в систему