Architectures shown
Case no. 1: internal traffic via IPsec tunnels
Only internal traffic between the three sites (Hub, Spoke A and Spoke B) goes through tunnels via the Hub. Internet traffic is managed locally on each site.
This infrastructure may sometimes be preferred over the one presented in case no. 2, in particular for economic reasons: centralized internet access on the Hub may require a lot of throughput and end up being much costlier than a set of lower-capacity internet access channels.
Case no. 2: all traffic via IPsec tunnels
All traffic goes through the Hub via tunnels. Internet access is centralized at the Hub level.
This infrastructure has the advantage of centrally managing internet access and the associated security policy.