Hub-and-Spoke VPN Configuration Overview

For the hub router to be able to distinguish between packets going to and coming from the spoke routers, you must configure it with two routing instances.

The following instructions describe how to configure both the hub and the spokes in a hub-and-spoke VPN:

Configure Phase 1 of the IPsec tunnel:
1. Configure proposals. In Phase 1 proposal configuration, set the authentication method and authentication and encryption algorithms that will be used to open a secure channel between participants.
  Note: When configuring a Phase 1 proposal for the dynamic VPN feature, note that you must set the authentication method to preshared keys.
2. Configure policies. During policy configuration, you must set the mode in which the Phase 1 channel will be negotiated, specify the type of key exchange to be used, and reference the Phase 1 proposal.
3. Configure the gateway. When creating the gateway, you must reference the Phase 1 policies.
Configure Phase 2 of the IPsec tunnel:
1. Configure proposals. In Phase 2 proposal configuration, you must create proposals for the two spokes, specify a security protocol, and select authentication and encryption algorithms for the traffic that will flow through the tunnel.
2. Configure policies. In Phase 2 IPsec policy configuration, you must create policies and reference the Phase 2 proposals.
3. Configure the AutoKey IKE. In Phase 2 AutoKey IKE configuration, you must create a VPN tunnel name, specify a gateway, and reference a Phase 2 policy. For route mode, you must bind the tunnel to an interface.
Configure a security policy.
Configure routing options.
Enable Next Hop Tunnel Binding (nhtb).

Hub-and-Spoke VPN Configuration Overview

Related Topics