I am looking for a possible design solution to propose to a customer. He has an HQ and 10 remote offices/business partners. The remotes need to be connected to the HQ and to the other remotes with VPN tunnels (IPsec, 3DES). The way we want to implement this is:
1) All the remotes will have one and only one tunnel to the HQ router. If they want to talk to another remote, it has to go through the HQ router. I know the Altiga boxes support the "router on a stick" topology, but I am not sure how to do it.
2) Since there are business partners involved in the design, there is no control over the IP addressing on their private networks. It is possible that a remote office and a business partner have the same private IP address range. How does one make the VPN configs on Cisco routers / Altiga immune to this?
Assuming you are using 3000 series concentrators at both the HQ and the remote offices, then it is not possible to create a hub and spoke scenario. From each site you have to create a link to every other site you require.
Also, if you are using Altiga boxes, then each site requires a unique IP addressing scheme.
Thanks for the response... I had posed this question to a Cisco/Altiga guy and he said that this hub and spoke topology is supported by Altiga; I think they call it "SPLIT TUNNELING". Do you have any idea about that?
I had my fears about unique IP addressing schemes, but the scenario demands such a requirement. Do you know of any workarounds?
Split tunneling is something different. Suppose a remote user with a VPN client has connected to his corporate network and at the same time he wants to browse the Internet as well; it won't work, because all the packets are forwarded to the corporate network through the VPN tunnel. By enabling the split tunnel feature, he can remain connected to his corporate network through the tunnel and at the same time browse the Internet.
You must have a unique IP addressing scheme. Maybe the designers at Cisco/Altiga should think about it and try to implement it in their software, as this is more of a necessity when creating extranets.
Using NAT you can connect two private networks having the same addressing. But I am not aware how you can integrate NAT with VPN and get rid of unique IP addressing.
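The two design questions raised in this thread, overlapping private address ranges between spokes and spoke-to-spoke traffic being relayed through the HQ, can be modelled together. The following Python script is an added example and is not from any post in the thread nor from Cisco/Altiga: it is a pure model of "NAT before encryption", not a device configuration. Each site that collides with another gets a unique VPN-facing prefix carved from a translation pool, hosts are mapped 1:1 into that prefix, and the hub, which only ever sees the translated prefixes, can then tell the two 192.168.1.0/24 sites apart and forward between spokes. All site names, prefixes and the pool are constructed values.

```python
# Added example: per-site static NAT so overlapping private prefixes can share
# one hub-and-spoke IPsec design. Pure model, not a device configuration.
# Every site name and prefix below is constructed for illustration.
import ipaddress
from itertools import combinations

# Constructed inventory: HQ plus three spokes, two of which (a branch and a
# business partner) happen to use the same 192.168.1.0/24 internally.
SITES = {
    "hq":       ipaddress.ip_network("10.0.0.0/16"),
    "remote1":  ipaddress.ip_network("192.168.1.0/24"),
    "partnerA": ipaddress.ip_network("192.168.1.0/24"),
    "remote2":  ipaddress.ip_network("192.168.2.0/24"),
}

# Pool from which colliding sites receive a unique VPN-facing prefix (assumed
# value). It must not overlap any real prefix that is kept untranslated.
TRANSLATION_POOL = ipaddress.ip_network("172.31.0.0/16")


def find_overlaps(sites):
    """Return sorted (site_a, site_b) pairs whose real prefixes overlap."""
    return sorted(
        (a, b) for a, b in combinations(sorted(sites), 2)
        if sites[a].overlaps(sites[b])
    )


def build_nat_plan(sites, pool=TRANSLATION_POOL):
    """Map every site to the prefix the hub will see.

    Sites that overlap with any other site get a fresh subnet of the same
    size carved out of `pool`; sites that are already unique keep their real
    prefix, so no NAT is needed for them.
    """
    colliding = {s for pair in find_overlaps(sites) for s in pair}
    used = [n for s, n in sites.items() if s not in colliding]
    # Refuse a pool that would itself collide with a prefix being kept.
    if any(pool.overlaps(n) for n in used):
        raise ValueError("translation pool overlaps a site that keeps its real prefix")
    plan = {}
    for site in sorted(sites):
        real = sites[site]
        if site not in colliding:
            plan[site] = real
            continue
        # Take the next subnet of matching length that no other site uses.
        candidate = next(
            c for c in pool.subnets(new_prefix=real.prefixlen)
            if not any(c.overlaps(u) for u in used)
        )
        used.append(candidate)
        plan[site] = candidate
    return plan


def translate(site, addr, sites, plan):
    """Static 1:1 NAT: keep the host part, swap the network part."""
    real, vpn = sites[site], plan[site]
    addr = ipaddress.ip_address(addr)
    if addr not in real:
        raise ValueError(f"{addr} is not inside {site}'s prefix {real}")
    offset = int(addr) - int(real.network_address)
    return ipaddress.ip_address(int(vpn.network_address) + offset)


def locate(vpn_addr, plan):
    """Given an address as the hub sees it, return the owning site."""
    vpn_addr = ipaddress.ip_address(vpn_addr)
    owners = [s for s, n in plan.items() if vpn_addr in n]
    if len(owners) != 1:
        raise ValueError(f"{vpn_addr} matches {len(owners)} sites; plan is ambiguous")
    return owners[0]


def spoke_to_spoke_path(src_site, dst_vpn_addr, plan, hub="hq"):
    """Hub-and-spoke: each spoke has one tunnel to the hub, so spoke-to-spoke
    traffic is relayed by the hub. Returns the list of hops."""
    dst_site = locate(dst_vpn_addr, plan)
    if hub in (src_site, dst_site):
        return [src_site, dst_site]
    return [src_site, hub, dst_site]


if __name__ == "__main__":
    plan = build_nat_plan(SITES)
    print("overlaps:", find_overlaps(SITES))
    for site, vpn_prefix in plan.items():
        print(f"{site:9s} real={SITES[site]}  seen-by-hub={vpn_prefix}")
    dst = translate("partnerA", "192.168.1.10", SITES, plan)
    print("remote1 -> partnerA host:", dst, spoke_to_spoke_path("remote1", dst, plan))
```

The pool must have a shorter prefix than any colliding site, since `subnets(new_prefix=...)` can only carve smaller networks; the check on kept prefixes guards against a pool that would reintroduce the very collision it is meant to remove. Operationally this corresponds to applying the static translation on the spoke's VPN device before traffic enters the tunnel, so the HQ's crypto policy and routing only ever reference the unique translated prefixes.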