Hub and spoke VPN to access other branches via Head Office
Posted by Gabriel Yu on 02 April 2008 11:30 PM
Lets say you have a Head Office with LAN IP Addresses 192.168.0.x, and three branch offices with LAN IP Addresses:|
* Site 1 Network: 192.168.1.x
* Site 2 Network: 192.168.2.x
* Site 3 Network: 192.168.3.x
You want to use IPSec VPN tunnels to connect all of the branch offices back to the Head Office, and use the Head Office as a hub for all of the offices (aka "hub and spoke" network methodology).
For the VPN definitions in the Head Office router, in each LAN-to-LAN VPN profile, under section 4. TCP/IP Network Settings, please set the "Remote Network Mask" value to 255.255.255.0.
In each of the branch routers, "Remote Network IP" of 192.168.0.1 and "Remote Network Mask" of 255.255.255.0 tells the router that only the 192.168.0.x addressess are located through the VPN. This results in each branch being able to access Head Office servers, but not the other branches; and Head Office can access all branch machines.Â
However, you can use the "netmask" to indicate the scope of the network at the end of the VPN link.
In each of the branch routers, leave the "Remote Network IP" as 192.168.0.1 but change the "Remote Network Mask" to 255.255.0.0 to tell the Vigor to send packets for any 192.168.*.* address through the VPN.Â Now each branch can contact every other branch via the VPN to Head Office.