Hello everyone,
Today I will share with you how to deal with IPSec over DSVPN when the spokes have no public IP address.
Customer request
1. Spoke 1 must be able to reach the hub and Spoke 2.
2. Both spokes must access the Internet through HQ (the hub site).
Note: the spoke routers' WAN (cellular) interfaces carry private addresses, and the firewall at the site egress drops the tunnel traffic.
Spoke 1
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/0
Spoke 2
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/0
Hub
Handling Process
Checking with the customer, we found that the firewall blocks GRE traffic (IP protocol 47), so we enable IPSec on the GRE tunnel: an IPsec profile is bound to the mGRE tunnel interface and the GRE packets are carried inside ESP. Because the spokes sit behind private addresses, IKE negotiates NAT traversal and the encrypted traffic leaves in UDP 4500, so the firewall only has to allow UDP 500 and UDP 4500 outbound.
Displaying the IP routing table on Spoke 1, we found that the next hop for Spoke 2's internal subnets was Spoke 2's tunnel address. Since neither spoke has a public IP, they cannot build a spoke-to-spoke tunnel; spoke-to-spoke traffic has to go through the hub. So we change the OSPF network type on the tunnel interfaces to p2mp, which makes the hub's tunnel address the next hop for every remote subnet.
Displaying the IP routing table on the spokes, we found that the default route to the Internet pointed out the local WAN interface rather than to the hub's tunnel address, so the route has to be modified. Before moving the default route into the tunnel, make sure a more specific route to the hub's public address still points out the cellular interface; otherwise the tunnel's own outer packets would follow the new default route back into the tunnel and the tunnel would never come up.
Solution
Create an IPsec profile and bind it to the GRE tunnel interface on the hub and on both spokes, so the GRE traffic the firewall drops is carried inside ESP.
Change the OSPF network type on the tunnel interfaces to p2mp, so the hub becomes the next hop for spoke-to-spoke routes.
Change the route to the Internet: on each spoke keep a host route to the hub's public address on Cellular0/0/0 and point the default route into the tunnel toward the hub; on the hub, NAT the spoke subnets out to the Internet.
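The three changes above as one worked configuration. This is an added example written for this post, not the customer's configuration: the commands follow the Huawei VRP syntax that the `ip route-static` lines above use, and the interface names, the hub public address 203.0.113.1, the tunnel subnet 172.16.1.0/24, the LAN subnets 10.1.1.0/24 (hub), 192.168.1.0/24 (Spoke 1) and 192.168.2.0/24 (Spoke 2), the ACL number, the profile names and the pre-shared key are all assumptions.

```text
=== Assumed addressing (example only): hub WAN 203.0.113.1, tunnel 172.16.1.0/24 ===

=== Hub ===
ipsec proposal dsvpn-prop
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
#
ike peer dsvpn-peer
 pre-shared-key cipher <replace-with-a-strong-psk>
 ike-proposal 10
#
ipsec profile dsvpn-prof
 ike-peer dsvpn-peer
 proposal dsvpn-prop
#
interface Tunnel0/0/0
 ip address 172.16.1.1 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet0/0/0
 ospf network-type p2mp
 nhrp entry multicast dynamic
 ipsec profile dsvpn-prof
#
acl number 2000
 rule 5 permit source 10.1.1.0 0.0.0.255
 rule 10 permit source 192.168.1.0 0.0.0.255
 rule 15 permit source 192.168.2.0 0.0.0.255
#
interface GigabitEthernet0/0/0
 ip address 203.0.113.1 255.255.255.0
 nat outbound 2000
#
ospf 1 router-id 172.16.1.1
 area 0.0.0.0
  network 172.16.1.0 0.0.0.255
  network 10.1.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 203.0.113.254

=== Spoke 1 (Spoke 2 is identical with 172.16.1.3 and 192.168.2.0/24) ===
(same ipsec proposal, ike proposal, ike peer and ipsec profile blocks as the hub)
#
interface Tunnel0/0/0
 ip address 172.16.1.2 255.255.255.0
 tunnel-protocol gre p2mp
 source Cellular0/0/0
 ospf network-type p2mp
 nhrp entry 172.16.1.1 203.0.113.1 register
 ipsec profile dsvpn-prof
#
ospf 1 router-id 172.16.1.2
 area 0.0.0.0
  network 172.16.1.0 0.0.0.255
  network 192.168.1.0 0.0.0.255
#
ip route-static 203.0.113.1 255.255.255.255 Cellular0/0/0
ip route-static 0.0.0.0 0.0.0.0 Tunnel0/0/0 172.16.1.1
```

The host route to 203.0.113.1 on Cellular0/0/0 is what keeps the tunnel's outer packets off the new default route. Because the spokes register behind NAT, there is no spoke-to-spoke NHRP entry and no shortcut, so all spoke traffic, Internet-bound or not, lands on the hub, whose `nat outbound` ACL must list the spoke subnets. If your VRP version does not enable NAT traversal by default, add `nat traversal` under the ike peer. Verify with `display ike sa`, `display ipsec sa`, `display nhrp peer all`, `display ospf peer` and `display ip routing-table` on a spoke: the routes to the hub LAN, the other spoke's LAN and 0.0.0.0/0 should all show 172.16.1.1 as next hop.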
That is all I want to share with you! Thank you!