IPsec VPN: Hub and Spoke Configuration

Architectures shown

The authentication method chosen for this tutorial is based on certificates.

For details on operations regarding the PKI, please refer to the tutorial “IPsec VPN - authentication by certificate”.

In the rest of this document, the central site is called “Hub” and the two satellite sites “Spoke A” and “Spoke B”. This type of architecture is of course not limited to two satellite sites.

Note that in the configuration described in this document, each remote site has only one local network.

Case no. 1: internal traffic via IPsec tunnels

Only internal traffic between the three sites (Hub, Spoke A and Spoke B) goes through the tunnels, and it always transits via the Hub: traffic from Spoke A to Spoke B is decrypted on the Hub and re-encrypted towards Spoke B. Internet traffic is handled locally at each site.

This infrastructure is sometimes preferred over the one presented in case no. 2 for economic reasons: centralizing internet access on the Hub requires a high-capacity link, which may cost much more than a set of lower-capacity internet connections, one per site.

Case no. 2: all traffic via IPsec tunnels

All traffic, including traffic destined for the Internet, goes through the tunnels to the Hub. Internet access is centralized at the Hub.

This infrastructure has the advantage of centralized management of internet access and of the associated security policy.
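The practical difference between the two cases lies entirely in the traffic selectors (the networks each tunnel carries). The fragments below are an added example, not configuration from this tutorial or from its vendor: they use strongSwan's swanctl.conf syntax, and all addresses (RFC 5737 documentation ranges), identities and file names are assumptions. They show Spoke A and the Hub for case no. 1, with the single change needed for case no. 2 noted in comments.

```ini
# Added example (not from the tutorial). Assumed topology:
#   Hub     : public 203.0.113.1,  LAN 10.0.0.0/24
#   Spoke A : public 198.51.100.1, LAN 10.1.0.0/24
#   Spoke B : public 192.0.2.1,    LAN 10.2.0.0/24
# Certificate authentication as in the tutorial; the PKI setup is out of scope here.

# ================= Spoke A : /etc/swanctl/swanctl.conf =================
connections {
    hub {
        remote_addrs = 203.0.113.1
        local {
            auth = pubkey
            certs = spokeA-cert.pem
            id = "CN=spokeA"
        }
        remote {
            auth = pubkey
            id = "CN=hub"
        }
        children {
            internal {
                local_ts = 10.1.0.0/24
                # Case no. 1: only the Hub LAN and the other spoke's LAN enter
                # the tunnel; everything else (Internet) follows the local
                # default route and is filtered locally.
                remote_ts = 10.0.0.0/24, 10.2.0.0/24
                # Case no. 2: replace the line above with
                #   remote_ts = 0.0.0.0/0
                # so that Internet-bound traffic is also sent to the Hub.
                start_action = start
            }
        }
    }
}

# ================== Hub : /etc/swanctl/swanctl.conf ====================
connections {
    spokeA {
        remote_addrs = 198.51.100.1
        local {
            auth = pubkey
            certs = hub-cert.pem
            id = "CN=hub"
        }
        remote {
            auth = pubkey
            id = "CN=spokeA"
        }
        children {
            spokeA-lan {
                # local_ts must also contain Spoke B's LAN: packets arriving
                # from Spoke B and forwarded towards Spoke A must match this
                # policy, otherwise the Hub drops or leaks them in clear.
                local_ts = 10.0.0.0/24, 10.2.0.0/24
                # Case no. 2: local_ts = 0.0.0.0/0 (and NAT on the Hub's
                # Internet interface for 10.1.0.0/24 and 10.2.0.0/24).
                remote_ts = 10.1.0.0/24
            }
        }
    }
    spokeB {
        remote_addrs = 192.0.2.1
        local {
            auth = pubkey
            certs = hub-cert.pem
            id = "CN=hub"
        }
        remote {
            auth = pubkey
            id = "CN=spokeB"
        }
        children {
            spokeB-lan {
                # Symmetrically, Spoke A's LAN is part of local_ts here.
                local_ts = 10.0.0.0/24, 10.1.0.0/24
                remote_ts = 10.2.0.0/24
            }
        }
    }
}
```

The point to check after loading the configuration (`swanctl --load-all`, then `swanctl --list-sas` and `swanctl --list-pols` on the Hub) is that each Hub child's local selectors cover the other spoke's LAN and that IP forwarding is enabled on the Hub; otherwise Hub-to-spoke traffic works but spoke-to-spoke traffic does not. In case no. 2, the Hub must additionally route and NAT the spokes' traffic towards the Internet, and the Hub's own firewall policy becomes the single policy applied to all sites, which is precisely the centralization the tutorial describes.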