[SOLVED] IPSEC VPN and Internet Access (hub n spokes)

Forum|Forum|5 years ago
September 18, 2020
1 reply
14133 views

Hello,

We have an Hub n spoke architecture.

Each spoke (3) can ping networks each other (NAT disabled). When NAT enabled on spoke zone to spoke zone, spokes can't ping each other.

At this time, Internet access on spoke sites pass throught their Internet connection (WAN interface on each spokes)

We want to pass Internet access throught HUB to manage all Internet Policies from the HUB.

Is it possible?

Thanks.

Regards.

Waaalex.

Best answer by boneyard

yes, that is possible.

some things to consider.

you need to set your default route to the VPN. but dont forget the put a static route to the VPN IP of the hub to the ISP gateway else you loose your connection.

your phase2 will have to contain the 0.0.0.0/0 as destination as you will have to encrypt all addresses.

boneyardAnswer

Valued Contributor

yes, that is possible.

some things to consider.

you need to set your default route to the VPN. but dont forget the put a static route to the VPN IP of the hub to the ISP gateway else you loose your connection.

your phase2 will have to contain the 0.0.0.0/0 as destination as you will have to encrypt all addresses.

waaalexAuthor

New Member

Thank you.

I will test this solution on 10/09/2020.

I will mark as answer at this time.

ede_pfau

SuperUser

Refering to your original post, to which address do you NAT then? Did you assign IP addresses to both ends of the VPN? might be that this address range is not "known" on the hub, or the phase2 selectors or the policies do not allow them across.

For your central internet setup, NAT is only employed on the hub in the outbound policy. No NAT on any spoke.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded