IOS IPsec VPN Hub with spokes that need to talk to each other
I need a hand with this one. I have a Cisco 1841 router acting as the 'hub' for a handful of static VPN sessions (other companies). The physical configuration is fairly straightforward.
The 1841 has a direct connection to the outside (ARIN-allocated IPv4 address space), and an inside connection to a DMZ that I reserve for just this particular type of traffic. The VPN peers are using a mixture of devices on the other side (some Cisco, some non-Cisco) that I do not manage. Being other companies, the remotes all have their own IP addressing schemes.
My configuration works fine as-is, but a new requirement came my way recently. I need to allow transport between one remote and another, so I will have to NAT both the source and destination in both directions.
Since I have no ownership/control over the remotes in terms of design or hardware, I'm not able to use IOS IPsec VTIs, because a typical remote will not agree to an SA list of permit any/any. Therefore, I'm using regular crypto maps to support this topology.
Re: IOS IPsec VPN Hub with spokes that need to talk to each other
I haven't had a chance to lab this out yet, but as of now I don't think it's possible with crypto maps. I'm pretty sure I can allow spokes to talk with each other via my hub, if the spokes had compatible addressing schemes.
Basically, I need site A to be able to initiate connections to site B, but site B will not know about site A's existence.
Typically, when an "extranet" connection with an outside organization is set up, what source/destination addresses will be used per application/flow is negotiated. It may not look anything like what was negotiated for other extranet connections.
So, it's the double NATing I don't know how to do in IOS. I'm able to do this by bouncing off of my next hop (an ASA with hairpin routing enabled); I'd just like to do this all in one device.
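As an added illustration (not configuration from the thread, and not Cisco code), here is a small Python model of the double translation the hub must apply in both directions, using placeholder address ranges. It also checks that every rewritten packet still falls inside the proxy identities negotiated with the egress spoke, which is what keeps each remote from ever seeing the other side's real addressing; whether IOS can express the same thing with crypto maps on one box is the open question of the thread.

```python
# Model of hub-side double NAT for spoke-to-spoke traffic.
# All networks below are constructed placeholders, not from the thread.
from ipaddress import ip_address, ip_network

# Real ranges of each spoke and the alias range the *other* spoke was given
# for it during extranet negotiation (hypothetical values).
A_REAL, A_ALIAS = ip_network("10.1.0.0/24"), ip_network("198.51.100.0/24")
B_REAL, B_ALIAS = ip_network("10.2.0.0/24"), ip_network("192.0.2.0/24")

# Crypto ACL ("interesting traffic") as each spoke negotiated it:
# (its own local range, the remote range it knows about).
SPOKE_POLICY = {
    "A": (A_REAL, B_ALIAS),   # A never sees B_REAL
    "B": (B_REAL, A_ALIAS),   # B never sees A_REAL
}

def _translate(addr, from_net, to_net):
    """Map addr to the same host offset inside to_net (static 1:1 NAT)."""
    offset = int(addr) - int(from_net.network_address)
    return ip_address(int(to_net.network_address) + offset)

def hub_forward(ingress, src, dst):
    """Rewrite a packet arriving from spoke `ingress`.

    Returns (egress_spoke, new_src, new_dst) as strings, or None when the
    packet does not match a translation or the egress tunnel's policy."""
    src, dst = ip_address(src), ip_address(dst)
    if ingress == "A" and src in A_REAL and dst in B_ALIAS:
        egress = "B"
        new_src = _translate(src, A_REAL, A_ALIAS)   # A appears as its alias
        new_dst = _translate(dst, B_ALIAS, B_REAL)   # B reached at its real IP
    elif ingress == "B" and src in B_REAL and dst in A_ALIAS:
        egress = "A"
        new_src = _translate(src, B_REAL, B_ALIAS)
        new_dst = _translate(dst, A_ALIAS, A_REAL)
    else:
        return None  # e.g. a spoke addressing the other spoke's real range
    local, remote = SPOKE_POLICY[egress]
    # Post-NAT packet must sit inside what the egress peer agreed to encrypt;
    # anything else would be dropped by that peer's SA or leak real addresses.
    if new_dst in local and new_src in remote:
        return egress, str(new_src), str(new_dst)
    return None
```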