
New Member

Two Hubs, dynamic spoke, that may be in the hub.

I have a network with two hubs, linked by site-to-site IPSEC.

I am looking to use dynamic VPN to connect my spokes, tried and tested using certificates.

SA configured:

Hub to hub     192.168.1.0/24 to 192.168.2.0/24

Hub1 to spoke       192.168.1.0/24 to 10.1.1.0/24

Hub2 to spoke       192.168.2.0/24 to 10.1.1.0/24

Now here is my problem:

  • The spokes may at some point sit behind one of the hub VPN endpoints.

Is there any way to dynamically modify an SA, so that when the spoke is behind hub1 the SA changes to "192.168.1.0/24, 10.1.1.0/24 to 192.168.2.0/24"?

Hope that makes sense.

Thanks for your help.

2 REPLIES
New Member

Re: Two Hubs, dynamic spoke, that may be in the hub.

Hi,

From what I gather, when the spoke sits behind hub1, you want just one IPSEC tunnel between the two hubs with the SA being from 10.1.1.0/24 and 192.168.1.0/24 to 192.168.2.0/24. Please correct me if I am wrong. Also, I wanted to know how often you are going to encounter this kind of situation.

New Member

Re: Two Hubs, dynamic spoke, that may be in the hub.

Yes, you are correct.

Hub 1 has subnet 192.168.1.0/24

Hub 2 has subnet 192.168.2.0/24

Spoke has subnet 10.1.1.0/24

When Spoke is behind hub one the SA between HUB 1 and HUB 2 will be between

(10.1.1.0/24 and 192.168.1.0/24)  to  192.168.2.0/24

But when the spoke is back on the internet the SAs will be between

10.1.1.0/24 to 192.168.1.0/24

10.1.1.0/24 to 192.168.2.0/24

This problem could happen on a regular basis so I'm hoping for as little reconfiguration as possible.
