New Member

spoke to spoke VPN without GRE

Our current VPN is IPSec based with several SOHO sites connecting to corporate via IPSec tunnels.  The routers at these sites are not GRE-capable.  However, we would still like to try to have connectivity between spoke sites using the corporate site as a routing hub.

The only thing that I have tried is to use bigger subnets on the ACLs defining the interesting traffic but this did not work.  I also tried messing around with statics with no luck.

Is this going to be possible?

Thanks,
Diego

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: spoke to spoke VPN without GRE

Hi Diego,

The spoke should have a route to join the other spokes (I assume the hub already has all the routes to join all the spokes). Then, as you said, the crypto ACL on the spoke and hub routers should match the spoke-to-spoke traffic.

In this case it should work, but the hub will decrypt and re-encrypt the packet, so be careful about the impact on performance.

HTH

Laurent.

3 REPLIES
New Member

Re: spoke to spoke VPN without GRE

I don't think it's a routing issue because there is only one route at each site and it is the default gateway.  However, reading your message and going over the config gave me an idea.  I am using dynamic IPSec at the hub end.  I will try to create individual ACL crypto maps for each site to see what happens and will let you know.

Thanks,

Diego

New Member

Re: spoke to spoke VPN without GRE

Got my setup working using specific ACLs for each subnet-to-subnet connection instead of the dynamic ACLs.  Kinda complicates the ACL stuff, but it works!

Thanks,

Diego
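The configuration below is an added example, not Diego's or Laurent's config, showing the pattern the thread converges on: the hub carries one static crypto map entry per spoke, each spoke's crypto ACL lists the other spokes' LANs as well as corporate, and the hub's per-spoke ACLs are the mirror image, so a packet decrypted from spoke A is routed back out the same interface and re-encrypted into spoke B's SA. All addresses, names (VPN, TS, CRYPTO-TO-SPOKE-A) and the PSK placeholders are constructed. The reason static entries are used instead of a dynamic crypto map on the hub is that a dynamic crypto map can only respond to IKE, never initiate it; that is a known property of IOS crypto maps rather than something the thread states explicitly.

```cisco
! Added example, not from the thread. Constructed addressing:
!   corporate LAN 10.0.0.0/24, hub WAN 203.0.113.10 (ISP next hop 203.0.113.1)
!   spoke A LAN 10.1.0.0/24, WAN 198.51.100.2
!   spoke B LAN 10.2.0.0/24, WAN 198.51.100.3
!
! ===== Hub =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PSK-A-PLACEHOLDER address 198.51.100.2
crypto isakmp key PSK-B-PLACEHOLDER address 198.51.100.3
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACL toward spoke A: corporate -> A, plus spoke B -> A so that
! traffic the hub has just decrypted from B is re-encrypted toward A.
ip access-list extended CRYPTO-TO-SPOKE-A
 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
ip access-list extended CRYPTO-TO-SPOKE-B
 permit ip 10.0.0.0 0.0.0.255 10.2.0.0 0.0.0.255
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
!
! One static entry per spoke: unlike a dynamic crypto map, the hub can
! initiate these SAs itself when spoke-to-spoke traffic arrives.
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS
 match address CRYPTO-TO-SPOKE-A
crypto map VPN 20 ipsec-isakmp
 set peer 198.51.100.3
 set transform-set TS
 match address CRYPTO-TO-SPOKE-B
!
! Routes for the spoke LANs point out the crypto-map interface, so a
! decrypted A -> B packet is routed back out and hits entry 20.
ip route 10.1.0.0 255.255.255.0 203.0.113.1
ip route 10.2.0.0 255.255.255.0 203.0.113.1
interface GigabitEthernet0/0
 ip address 203.0.113.10 255.255.255.0
 crypto map VPN
!
! ===== Spoke A (spoke B is the mirror image with 10.2.0.0/24) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PSK-A-PLACEHOLDER address 203.0.113.10
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
! Mirror of CRYPTO-TO-SPOKE-A on the hub: A -> corporate and A -> spoke B.
ip access-list extended CRYPTO-TO-HUB
 permit ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS
 match address CRYPTO-TO-HUB
! A default route is enough on the spoke: spoke-to-spoke traffic leaves
! via the outside interface, where the crypto map matches it.
ip route 0.0.0.0 0.0.0.0 198.51.100.1
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.0
 crypto map VPN
```

Two points worth checking when adapting this: every spoke-to-spoke pair needs a matching ACE on both spokes and in both of the hub's per-spoke ACLs (a one-sided entry produces an SA that never matches the return traffic), and if the hub or spokes also do NAT on the outside interface, the spoke-to-spoke subnets must be excluded from NAT just like the spoke-to-corporate traffic already is. As Laurent notes, every spoke-to-spoke packet is decrypted and encrypted twice on the hub, so size the hub's crypto throughput accordingly.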
