I am looking for a possible design solution to propose to a customer. He has a HQ and 10 remote offices/business partners. The remotes need to be connected to HQ and to the other remotes with VPN tunnels (IPsec 3DES). The way we want to implement this is:
1) All the remotes will have one and only one tunnel to the HQ router. If they want to talk to another remote, it has to go through the HQ router. I know the Altiga boxes support the "router on a stick" topology but am not sure how to do it.
2) Since there are business partners involved in the design, there is no control over the IP addressing on their private networks. It is possible that a remote office and a business partner might have the same private IP address range. How does one make the VPN configs on Cisco routers / Altiga immune to this?
Your 'router on a stick' method will work OK for the site-to-site config, although to get around the duplicate IP LANs you would probably have to implement a router running NAT before the traffic gets to the VPN device.
Joel is correct. As I see it, you will have to implement NAT/DHCP at each site that is using private IP space in their LAN environment.
Question for you: why are they using an internet VPN? With the star topology, it might be more cost-effective and easier to implement/manage if it were a Frame Relay environment. Depending on where the sites are, maybe even a private line environment.
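Added example, not from any of the posters in this thread: a Cisco IOS spoke configuration sketching the "NAT before the VPN device" advice from the two replies together with the single-tunnel-to-HQ requirement from the question. The interface names, the 10.0.0.0/8 address plan (HQ plus one translated /24 per site), 203.0.113.1 as the HQ peer address and the pre-shared key are all assumed placeholders.

```cisco
! Spoke router at a remote site whose real LAN (192.168.1.0/24) may overlap with
! another partner's LAN. All addresses, names and the pre-shared key are placeholders.
!
! 1. Translate the overlapping LAN to a unique /24 (10.1.1.0/24) BEFORE encryption.
!    On IOS, inside-to-outside NAT runs before the crypto map is consulted, so the
!    crypto ACL must match the translated addresses, not the real ones.
ip nat inside source static network 192.168.1.0 10.1.1.0 /24
!
interface FastEthernet0/0
 description Remote LAN (overlapping private range)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! 2. IKE phase 1 and IPsec phase 2 parameters (3DES, as requested in the thread).
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.1
crypto ipsec transform-set TS-3DES esp-3des esp-sha-hmac
 mode tunnel
!
! 3. One tunnel, to the HQ hub only. The crypto ACL covers HQ AND the translated
!    ranges of the other spokes (all carved from 10.0.0.0/8 here), so spoke-to-spoke
!    traffic is sent to HQ and hairpinned there; no direct spoke-to-spoke tunnel exists.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
!
crypto map HUB-ONLY 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-3DES
 match address VPN-TRAFFIC
!
interface Serial0/0
 description Internet uplink
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 crypto map HUB-ONLY
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! The HQ hub mirrors this with one crypto map entry per spoke, each matching that
! spoke's translated /24, so overlapping real LANs never appear in the hub's tables.
! Internet breakout for this LAN (a separate PAT rule) is not shown.
```

Because the translated prefixes are unique across all sites, the hub's routing and crypto tables stay unambiguous even when two partners use the identical RFC 1918 range internally.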