Case no.2: configuring the satellite sites Spoke A and Spoke B
In a Hub and Spoke configuration, a satellite site only knows one IPsec peer: the Firewall of the Hub site.
Spoke A site
Following the method described in the paragraph Creating the Site_Spoke_A and Site_Spoke_B peers in Case no. 1, create the peer Site_FW_Hub using the following values:
- remote gateway: Firewall of the Hub (object Pub_FW_Hub),
- certificate: the certificate of the Spoke A Firewall.
Spoke B site
Following the method described in the paragraph Creating the Site_Spoke_A and Site_Spoke_B peers in Case no. 1, create the peer Site_FW_Hub using the following values:
- remote gateway: Firewall of the Hub (object Pub_FW_Hub),
- certificate: the certificate of the Spoke B Firewall.
Spoke A site
Follow the method described in the paragraph Creating tunnels in Case no. 1 to define the following VPN tunnel:
Spoke B site
Follow the method described in the paragraph Creating tunnels in Case no. 1 to define the following VPN tunnel:
In this tutorial, traffic between private networks is voluntarily not specified (destination port: ANY). To optimize performance (save bandwidth and machine resources), it is important to refine the filtering on satellite sites (authorized protocols, ports, etc) in order to prevent unnecessary packets from going through the tunnels. This filtering policy will also be on the Hub site.
Spoke A site
Define the filtering rules needed for exchanges between Spoke A and Spoke B, Spoke A and the Hub as well as local traffic to the Internet (centralized on the Hub):
Spoke B site
Define the filtering rules needed for exchanges between Spoke B and Spoke A, Spoke B and the Hub as well as local traffic to the Internet (centralized on the Hub):