Solved: spoke to spoke VPN without GRE

tato386 · ‎12-10-2009

Our current VPN is IPSec based with several SOHO sites connecting to corporate via IPSec tunnels. The routers at these sites do not have GRE capable routers. However we would still like to try to have connectivity between spoke sites using the corporate site as a routing hub.

The only thing that I have tried is to use bigger subnets on the ACLs defining the interesting traffic but this did not work. I also tried messing around with statics with no luck.

Is this going to be possible?

Thanks,
Diego

Laurent Aubert · ‎12-11-2009

Hi Diego,

The spoke should have a route to join the other spokes ( I assume the hub already have all the routes to join all the spokes). Then as you said, the crypto ACL on spokes and hub router should match the spoke-to-spoke traffic.

In this case it should work but the hub will decrypt and encrypt again the packet so be careful with the impact on the performance.

HTH

Laurent.

View solution in original post

Laurent Aubert · ‎12-11-2009

Hi Diego,

The spoke should have a route to join the other spokes ( I assume the hub already have all the routes to join all the spokes). Then as you said, the crypto ACL on spokes and hub router should match the spoke-to-spoke traffic.

In this case it should work but the hub will decrypt and encrypt again the packet so be careful with the impact on the performance.

HTH

Laurent.

tato386 · ‎12-14-2009

I don't think it's a routing issue because there is only one route at each site and it is the def gateway. However, reading your message and going over the config gave me an idea. I am using dynamic IPSec at the hub end. I will try to create individual ACL crypto maps for each site to see what happens and will let you know.

Thanks,

Diego

tato386 · ‎12-14-2009

Got my setup working using specific ACL for each subnet-subnet connection instead of the dynamic ACLs. Kinda complicates the ACL stuff but it works!

Thanks,

Diego