Hub & Multi-Spoke VPN - allow communication between spokes?



  • I currently have a hub and spoke IPsec VPN set up, with communication working only from each spoke to the hub, not the other spokes. I would like to have the spokes communicate with each other without destroying the current configuration and moving to a mesh (tinc), but I'd be open to some feedback on the benefits of tinc over my current configuration, so maybe in the future I will migrate to that.

    I have read that adding another phase 2 to the spoke I wish to communicate with, then repeating that on the other spoke, will accomplish this, but I have been unsuccessful getting that to work. Do I need to add another phase 2 to each spoke in the hub as well? I have 7 spokes and it seems like to get them to communicate will be a lot of phase 2 entries…

    Here is my current VPN:

    Hub
    10.0.1.0/24

    Spokes
    10.0.2-8.0/24

    Let me know if what I want to accomplish with what I have set up is feasible.



  • Since you cannot create static routes over IPsec, you need to add Phase2 entries linking the remote and local subnets, on every spoke.

    Yes, there will be a lot. If you want full connectivity you will need 8 Phase2's on each spoke.

    Best regards!
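
An added illustration, not written by any poster in this thread: a Python sketch that enumerates the Phase 2 (local, remote) selector pairs for the addressing in the question and checks which packets a given set of selectors would carry. It assumes spoke-to-spoke traffic transits the hub over the existing tunnels, so each hub-side tunnel carries the spoke's selectors with local and remote swapped; the function names are hypothetical.

```python
import ipaddress

# Constructed from the addressing in the question:
# hub LAN 10.0.1.0/24, spoke LANs 10.0.2.0/24 through 10.0.8.0/24.
HUB = ipaddress.ip_network("10.0.1.0/24")
SPOKES = [ipaddress.ip_network(f"10.0.{n}.0/24") for n in range(2, 9)]


def spoke_phase2(spoke, spoke_to_spoke=True):
    """(local, remote) selector pairs on one spoke's tunnel to the hub."""
    remotes = [HUB]
    if spoke_to_spoke:
        remotes += [s for s in SPOKES if s != spoke]
    return [(spoke, remote) for remote in remotes]


def hub_phase2(spoke, spoke_to_spoke=True):
    """Mirror-image pairs on the hub's tunnel to that spoke.

    Assumption: spoke-to-spoke traffic transits the hub, so the hub end
    must carry the same selectors with local and remote swapped.
    """
    return [(remote, local) for local, remote in spoke_phase2(spoke, spoke_to_spoke)]


def selected(pairs, src, dst):
    """True if a packet src -> dst matches one of the (local, remote) pairs."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in local and dst in remote for local, remote in pairs)


def total_entries():
    """Phase 2 entries across all spokes plus the hub's per-spoke tunnels."""
    return sum(len(spoke_phase2(s)) + len(hub_phase2(s)) for s in SPOKES)


if __name__ == "__main__":
    first = SPOKES[0]
    for local, remote in spoke_phase2(first):
        print(f"spoke {first}: local {local} -> remote {remote}")
    for local, remote in hub_phase2(first):
        print(f"hub tunnel to {first}: local {local} -> remote {remote}")
    print("total Phase 2 entries:", total_entries())
```

Calling `selected` with `spoke_to_spoke=False` selectors shows why the hub-only configuration never carries traffic addressed to another spoke's LAN: no selector matches it, so it is not sent into the tunnel.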


  • LAYER 8 Netgate

    OpenVPN makes it easier.



  • @Derelict:

    OpenVPN makes it easier.

    Do you have an example of this setup or some kind of a guide? I've been trying to get my OpenVPN set up this way but cannot get more than 1 site to connect to the server successfully.


  • Rebel Alliance Developer Netgate

