Full Mash VPN Network

krishan.saran
Level 1

Hi Team

We have 4 remote locations. All of these locations are connected to Head Office via site-to-site VPN tunnels; I have one tunnel to each location from head office:

HQ 10.10.1.0/24  (Cisco 851)

Site 1 10.10.2.0/24  (Cisco 861)

Site 2 10.10.4.0/24 (Cisco 861)

Site 3 192.168.10.0/24 (Linksys RV4102)

Site 4 192.168.1.0/24 (Some Linksys)

We are using these VPN tunnels for IP phones at remote locations. Everything works fine except when somebody wants to make a call from one remote location to another remote location, e.g. Site 1 calls Site 2: there is no audio. To overcome this problem we need a fully meshed network; each location should be able to access every other, or in other words I should be able to ping the LAN IP of Site 1 from Site 2. To get this working I need to create a VPN tunnel from each location to each location, which means 4 tunnels in each router. Alternatively we could have DMVPN, but due to the mix of equipment we can't use DMVPN, because only the Cisco 851 supports DMVPN (not even the Cisco 861 does).

So my question to all the experts is: is there any way I can do something at HQ so that it routes traffic from one remote site to another site, i.e. works as a hub, so that I don't have to create 4 VPN tunnels in each router? Because of the Cisco 851 and Cisco 861 limits I can have only 5 VPN tunnels; if I create 4 VPN tunnels in each router I will run out very soon.

I am attaching the edited running config of the HQ router. Sorry, I edited it for security reasons.

2 Replies

raga.fusionet
Level 4

Krishan,

You can enable communication between the spokes by modifying the interesting traffic (crypto ACLs).

I will give you an example with Spokes 1 and 2.

Your Hub's ACL for Spoke 1 should have:

permit 10.10.1.0 to 10.10.2.0  (you probably have this already)

and

permit 10.10.4.0 to 10.10.2.0

And the ACL For Spoke 2:

permit 10.10.1.0 to 10.10.4.0  (you probably have this already)

and

permit 10.10.2.0 to 10.10.4.0

Now Spoke 1's ACL should have:

permit 10.10.2.0 to 10.10.1.0

and

permit 10.10.2.0 to 10.10.4.0

Spoke 2's ACL should have:

permit 10.10.4.0 to 10.10.1.0

and

permit 10.10.4.0 to 10.10.2.0

Just think of it as if the other spokes' networks were other networks residing at the HQ. Also make sure that if you are doing NAT you add all the necessary "denys" to the NAT ACLs.

Here is a config example of what you are trying to accomplish, in case you need some clarification:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093dc8.shtml

Since you have several spokes I would advise you to do them in pairs so that you don't get mixed up with the configs. It might get a little messy if you try to do them all at once.

I hope this helps.

Raga
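As an added example (not part of the thread and not Raga's or Cisco's code), the script below generates the mirrored crypto ACLs the reply describes for all four spokes from the original post, checks that the hub side and spoke side of each tunnel agree on the interesting traffic, and emits the NAT-exemption denies the reply mentions. The site names and networks are taken from the question; the ACL syntax is standard IOS extended-ACL form with wildcard masks.

```python
from ipaddress import ip_network

# Networks constructed from the original post.
HUB = ("HQ", ip_network("10.10.1.0/24"))
SPOKES = [
    ("Site 1", ip_network("10.10.2.0/24")),
    ("Site 2", ip_network("10.10.4.0/24")),
    ("Site 3", ip_network("192.168.10.0/24")),
    ("Site 4", ip_network("192.168.1.0/24")),
]

def wildcard(net):
    # IOS ACLs take a wildcard mask, i.e. the inverted netmask.
    return str(net.hostmask)

def ace(src, dst):
    return (f"permit ip {src.network_address} {wildcard(src)} "
            f"{dst.network_address} {wildcard(dst)}")

def hub_acl_for(spoke):
    """Hub-side crypto ACL for the tunnel to `spoke`: the hub LAN and every
    other spoke LAN as source, this spoke's LAN as destination."""
    name, net = spoke
    sources = [HUB[1]] + [n for s, n in SPOKES if s != name]
    return [ace(src, net) for src in sources]

def spoke_acl(spoke):
    """Spoke-side crypto ACL: this spoke's LAN as source, the hub LAN and
    every other spoke LAN as destination (mirror of the hub's ACL)."""
    name, net = spoke
    dests = [HUB[1]] + [n for s, n in SPOKES if s != name]
    return [ace(net, dst) for dst in dests]

def mirrors(hub_acl, spoke_acl_lines):
    """True when each hub entry is exactly mirrored by a spoke entry; a
    mismatch here is the usual reason a spoke-to-spoke flow has no SA."""
    def flip(line):
        p = line.split()
        return " ".join(["permit", "ip", p[4], p[5], p[2], p[3]])
    return sorted(flip(l) for l in hub_acl) == sorted(spoke_acl_lines)

def nat_exempt_denies(local, remotes):
    """Deny lines for the top of the NAT ACL so tunnel traffic is not translated."""
    return [f"deny ip {local.network_address} {wildcard(local)} "
            f"{r.network_address} {wildcard(r)}" for r in remotes]

if __name__ == "__main__":
    for spoke in SPOKES:
        print(f"! hub crypto ACL for {spoke[0]}")
        print("\n".join(hub_acl_for(spoke)))
```

Running the script prints one hub-side ACL per spoke; each spoke router gets the mirrored list from `spoke_acl`, and the hub's NAT ACL gets `nat_exempt_denies(HUB[1], [n for _, n in SPOKES])` on top.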

It makes sense to me. I will give it a try and get back to you. Thanks.