Two Hubs, dynamic spoke, that may be in the hub.

martinbuffleo · ‎10-15-2010

I have a network with two hubs. Linked by site to site IPSEC

I am looking to use dynamic VPN to connect my spokes tried and test using Certificates.

SA configured:

Hub to hub 192.168.1.0 /24 to 192.168.2.0/24

Hub1 to spoke 192.168.1.0/24 to 10.1.1.0/24

Hub2 to spoke 192.168.2.0/24 to 10.1.1.0/24

Now here is my problem:

The spokes may at some point sit behind one of the hub VPN endpoints.

Is there any way to dynamicly modify an SA, so that when the spoke is behind hub1 the SA changes to "192.168.1.0 /24, 10.1.1.0/24 to 192.168.2.0/24"

Hope that make sense?

Thanks for your help.

nseshan · ‎10-18-2010

Hi,

From what I gather, when the spoke sits behind hub1, you want just one IPSEC tunnel between the two hubs with the SA being from 10.1.1.0/24 and 192.168.1.0/24 to 192.168.2.0/24. Please correct me if i am wrong. Also i wanted to know as to how often you are going to encounter this kind of situation.

martinbuffleo · ‎10-20-2010

Yes you are correct

Hub 1 has subnet 192.168.1.0/24

Hub 2 has subnet 192.168.2.0/24

Spoke has subnet 10.1.1.0/24

When Spoke is behind hub one the SA between HUB 1 and HUB 2 will be between

(10.1.1.0/24 and 192.168.1.0/24) to 192.168.2.0/24

But when the spoke is back on the internet the SAs will be between

10.1.1.0/24 to 192.168.1.0/24

10.1.1.0/24 to 192.168.2.0/24

This problem could happen on a regular basis so I'm hoping for as little reconfiguration as possible.