Your drawing suggests that you are thinking about trying to do 5 separate IPSec tunnels from the remote router to the central router. I do not believe that you can do multiple separate tunnels between the same two peer routers.
I have a question about what your real requirements are. Do you really need to get the 5 VLANs to HQ (as separate VLANs) or do you need to get the traffic from the remotes to HQ?
I think it is very problematic to try to get the VLANs separately to HQ. One way to understand VLANs is that a VLAN is essentially a broadcast domain. It is problematic to try to extend a broadcast domain over an Internet connection. It is usually much better to terminate the VLAN at the edge of the cloud and to route over the Internet to establish connectivity between the remote end stations and the HQ.
What I need to do is just keep the traffic separated in any way until it gets to the HQ.
All remote sites have 5 VLANs, but VLAN 2 from site 1 is not allowed to speak with any other VLAN from any other site until it gets back to HQ. So the VLAN traffic has to be completely separate until it has reached HQ.
What I was thinking about (but did not get to work) was just using IP addresses from the different VLAN subnets with ACLs to keep the data separate on the hub router in the middle of the sketch before sending it all as 1 data stream over an IPSec tunnel.
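The following is an added example (not configuration posted by either participant) of the ACL approach described above: each VLAN subnet at a remote site is permitted to reach HQ only, and all five subnets are then carried over a single IPsec SA to the hub. The addressing is assumed for illustration: remote site N uses 10.N.<vlan>.0/24 per VLAN, HQ uses 10.0.0.0/16, and the peer and WAN addresses are documentation-range placeholders.

```cisco
! Added example, not from the thread. Assumed addressing:
!   remote site 1 VLAN 2 = 10.1.2.0/24 (other VLANs 10.1.3.0/24 .. 10.1.6.0/24)
!   other remote sites   = 10.2.0.0/16, 10.3.0.0/16, ...
!   HQ                   = 10.0.0.0/16
!   hub IPsec peer       = 203.0.113.1 (placeholder)
!
! Per-VLAN ACL applied inbound on the SVI. Order matters: HQ is permitted
! first, then every other 10.x.x.x destination (this site's other VLANs and
! all other sites' VLANs) is denied, so VLAN 2 can only talk to HQ.
ip access-list extended VLAN2-ISOLATE
 remark allow VLAN 2 hosts to reach the SVI gateway itself
 permit ip 10.1.2.0 0.0.0.255 host 10.1.2.1
 remark allow VLAN 2 to HQ only
 permit ip 10.1.2.0 0.0.0.255 10.0.0.0 0.0.255.255
 remark block VLAN 2 from every other VLAN subnet at this or any other site
 deny   ip 10.1.2.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 remark drop anything else (spoofed sources, non-10.0.0.0/8 destinations)
 deny   ip any any log
!
interface Vlan2
 ip address 10.1.2.1 255.255.255.0
 ip access-group VLAN2-ISOLATE in
!
! Repeat VLAN3-ISOLATE .. VLAN6-ISOLATE with the matching source subnet and
! gateway address, one ACL per SVI.
!
! A single crypto ACL matches all five VLAN subnets toward HQ, so one IPsec
! tunnel (one pair of SAs) carries the already-filtered traffic.
ip access-list extended HQ-TUNNEL
 permit ip 10.1.0.0 0.0.255.255 10.0.0.0 0.0.255.255
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 203.0.113.1
!
crypto ipsec transform-set HQ-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map HQ-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set HQ-TS
 match address HQ-TUNNEL
!
interface GigabitEthernet0/0
 description WAN uplink (placeholder address)
 ip address 198.51.100.2 255.255.255.252
 crypto map HQ-MAP
```

The separation here is enforced at the SVIs before anything is encrypted, which is what the thread asks for; because the hub also routes between remote sites, it needs an equivalent per-subnet deny policy on the decrypted side, otherwise site 1 VLAN 2 could still reach site 2 VLAN 3 through the hub. The `log` keywords on the deny entries give the operator a record of any cross-VLAN attempts that the policy blocked.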