You need to have three public IP addresses. The HQ is going to send encrypted packets to both branches, and the branches will either communicate back to HQ or even directly to each other - but this communication requires you to use at least a single IP address on each of your locations.
I assume that the HQ and branches are interconnected using a common internet access (i.e. no MPLS VPN or some other kind of pre-existing private interconnection).
While the response from my colleague Peter does represent the common solution to the question of how to configure an HQ and two spoke routers, I must take exception with his suggestion that 3 public addresses are required. Using dynamic VTI tunnels I believe that it is quite possible to implement this with 1 public IP for HQ and with private IP used at the spoke. This will introduce a requirement that the tunnel will be initiated from the spoke to HQ and HQ will not have the ability to initiate the tunnels.
Using dynamic VTI tunnels I believe that it is quite possible to implement this with 1 public IP for HQ and with private IP used at the spoke
I have actually thought of doing some kind of DMVPN with spokes dynamically registering their current public IP with the HQ routers. Nevertheless, this setup still requires 3 public IPs, even though only one of them has to be stable - the one on the HQ. Branch routers may be using dynamically assigned public IPs. Perhaps I was looking at the problem in a too definitoric way - that regardless of whether there is a static or dynamic public IP address, each site has to hide itself behind one.
In any case, Rick, thank you for pointing this out. While in the end, there will be three public IP addresses communicating to each other after the VPN is configured, only one of them has to be stable and static. The others may not even be known to the branch offices.
I was reacting to my assumption that we were talking about needing the public IP configured on the router interface. And with VTI that is not a requirement (I have a customer with a couple of sites doing VTI where the address on the remote router interface is in 10 address space). But your response helps set me straight and to realize that in the perspective of the question in the original post my response was a bit off the mark. You are quite correct that he will need to have at least one public IP provisioned for each of the locations.
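The dynamic VTI arrangement discussed in this thread, written out as an added example (not configuration posted by either participant): the HQ hub accepts tunnels from spokes whose addresses it does not know in advance, and each spoke initiates toward the single fixed HQ address. The addresses (203.0.113.1 for HQ, 172.16.255.x loopbacks), interface names, profile names and the key placeholder are all assumptions chosen for illustration, and IKEv1 with a pre-shared key is assumed.

```cisco
! ----- HQ hub: the only site that needs a fixed public address -----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto keyring SPOKE-KEYS
 ! Wildcard peer, because spoke source addresses are not known in advance.
 ! Every spoke then shares one key; certificates avoid that if a PKI exists.
 pre-shared-key address 0.0.0.0 0.0.0.0 key <PLACEHOLDER-KEY>
crypto isakmp profile DVTI-SPOKES
 keyring SPOKE-KEYS
 match identity address 0.0.0.0
 virtual-template 1
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VTI-PROF
 set transform-set TS-AES256
 set isakmp-profile DVTI-SPOKES
interface Loopback0
 ip address 172.16.255.1 255.255.255.255
interface Virtual-Template1 type tunnel
 ! Template only: a Virtual-Access interface is cloned from it
 ! each time a spoke brings up a tunnel.
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! ----- Branch spoke: WAN address may be dynamic or private behind NAT -----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PLACEHOLDER-KEY> address 203.0.113.1
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VTI-PROF
 set transform-set TS-AES256
interface Loopback0
 ip address 172.16.255.11 255.255.255.255
interface Tunnel0
 ip unnumbered Loopback0
 ! The source is whatever address the WAN interface currently holds.
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
```

Routing over the tunnels (static routes or a routing protocol) is left out here and has to be added on both sides before traffic between the sites will flow.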