Showing results for 
Show  only  | Search instead for 
Did you mean: 
New Contributor

Spoke to Spoke Communication - IPsec VPNs

Hello all... I'm trying to make something work and need a little help.  Ultimately if I can get a working solution for our office and 3 satellite locations... I plan to deploy the same setup to a customer that has 8 different sites.  Figured I'd rather break our inter-site connectivity first in the event something goes south rather than break a customer's site and cause a lot of trouble for my company. I consider myself to have pretty good working understanding of AOS (have my ATSP/IN) but I know there are users out there with a stronger knowledge than I... and I'll be honest... I haven't much experience in trying to accomplish what I'm trying to do outside what was encompassed in the ATSP/IN course, but I am up for the learning adventure.

Here is a little background...  About a week or 2 ago I was searching for a solution on the support forums here and came across a write-up for DMVPN from Oct '15.  I figured I'd give it a whirl and well... the document references how to setup spoke sites (NHCs) but not the hub (NHS).  For our setup, we have 3 satellite locations, hub and spoke, all with an IPsec VPN back to the main site.

1 site uses a NV-4430 running vR12.3.1.E ----- let's call this "Site 1"

1 site uses a NV-3140 running vR13.1.0.HA.E ----- let's call this "Site 2"

1 site uses a NV-4305 running v17.06.02.00.E (old...I know)  ----- let's call this"Site 3"

The main site is a NV-4430 running vR12.3.1.E  ----- let's call this"Site 4"

For the sake of figuring out a solution, I'm only trying to setup spoke-to-spoke communication between Site 1 and 2 for now.  The end goal, once a solution is confirmed, would be for the individual sites to be able to talk directly to the other sites, whether it is facilitated by the main site (hub... Site 4) by use of static routes or not.

I would like to have each site with only a single VPN tunnel back to main site rather than creating a full mesh topology if at all possible. For my company's size, it's not too bad... but for a larger deployment I don't see it scaling very well even though these routers can handle quite a few VPNs. I've read you cannot do any protocols aside from GRE over IPsec due to lack of multi-casting so is there a way I can make the VPN's do what I need them to do?  Or can I in fact use routing protocols to make this happen?  The only problem I foresee with using routing protocols and/or static routes is that Sites 1 and 3 operate on a DHCP address from the ISP, and both run as a NAT behind a Comcast gateway. Sites 2 and 4, however, have static blocks from the ISP. My boss and I have tried something like this before, but haven't had much luck so we tabled it for the time being until recently.

If I need to clarify anything in particular, let me know.  What I'm trying to do seems to make sense right now, but by time some of you read it... it might not.

Any help would be much appreciated!!

Labels (3)
0 Kudos