Egress:
1. IKE from Branch IP to Main Office IP -> Permit
2. ESP from Branch IP to Main Office IP -> Permit
3. IKE from Branch IP to First Branch IP -> Permit
4. ESP from Branch IP to First Branch IP -> Permit
5. ICMP from local tunnel endpoint to any IP address -> Permit
Note: This allows the PMTUD application to work.
6. All allowed services from any local subnet to any IP address -> Permit
Note: This traffic is tunnelled using VPN.
7. Default -> Deny
3. Configure the VPN Hub (Main Office) as follows:
● Static routing: Branch subnets -> Internet interface.
● The VPN policy portion for the branch is configured as a mirror image of the branch, as follows:
Traffic from any IP address to branch local subnets -> encrypt, using tunnel mode IPSec. The remote peer is the VPN Spoke (Branch Internet address).
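The following is an added worked example, not part of the original manual: a first-match evaluator for the spoke's egress rules listed above (rules 1 to 7), together with the hub's mirrored VPN-policy selector and a check that the two sides agree. All addresses, the branch subnets and the contents of "all allowed services" are assumptions chosen for illustration; IKE is matched as UDP port 500 and ESP as IP protocol 50, which is all the rule list covers.

```python
"""Spoke egress rules and hub mirror policy as a first-match evaluator.

Constructed example; the addresses, subnets and service set below are
assumptions, not values from the manual.
"""
import ipaddress
from dataclasses import dataclass

# Assumed addressing (hypothetical).
BRANCH_IP = ipaddress.ip_address("203.0.113.10")        # this spoke's Internet address (tunnel endpoint)
MAIN_OFFICE_IP = ipaddress.ip_address("198.51.100.1")   # VPN Hub Internet address
FIRST_BRANCH_IP = ipaddress.ip_address("203.0.113.50")  # the other spoke's Internet address
LOCAL_SUBNETS = [ipaddress.ip_network("10.20.0.0/24")]  # this spoke's local subnet(s)
# Assumed meaning of "all allowed services": (protocol, destination port).
ALLOWED_SERVICES = {("tcp", 80), ("tcp", 443), ("udp", 53)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "udp", "tcp", "esp" or "icmp"
    dport: int = 0  # destination port for tcp/udp; 0 when not applicable


def _ip(s: str):
    return ipaddress.ip_address(s)


def is_ike(p: Packet) -> bool:
    # IKE runs over UDP port 500 (UDP 4500 is only used with NAT traversal,
    # which the rule list above does not mention, so it is not permitted here).
    return p.proto == "udp" and p.dport == 500


def is_esp(p: Packet) -> bool:
    return p.proto == "esp"  # IP protocol 50


def endpoint_to(p: Packet, peer) -> bool:
    # Rules 1-4 pin both ends: our tunnel endpoint talking to one named peer.
    return _ip(p.src) == BRANCH_IP and _ip(p.dst) == peer


def from_local_subnet(p: Packet) -> bool:
    return any(_ip(p.src) in net for net in LOCAL_SUBNETS)


# Ordered rule table: (name, match predicate, action). Evaluated top-down.
EGRESS_RULES = [
    ("1 IKE to Main Office", lambda p: is_ike(p) and endpoint_to(p, MAIN_OFFICE_IP), "permit"),
    ("2 ESP to Main Office", lambda p: is_esp(p) and endpoint_to(p, MAIN_OFFICE_IP), "permit"),
    ("3 IKE to First Branch", lambda p: is_ike(p) and endpoint_to(p, FIRST_BRANCH_IP), "permit"),
    ("4 ESP to First Branch", lambda p: is_esp(p) and endpoint_to(p, FIRST_BRANCH_IP), "permit"),
    # Rule 5: the tunnel endpoint must be able to send/receive ICMP for PMTUD.
    ("5 ICMP from tunnel endpoint (PMTUD)", lambda p: p.proto == "icmp" and _ip(p.src) == BRANCH_IP, "permit"),
    # Rule 6: inner traffic from local subnets; it is then tunnelled and leaves as ESP (rules 2/4).
    ("6 allowed services from local subnets",
     lambda p: from_local_subnet(p) and (p.proto, p.dport) in ALLOWED_SERVICES, "permit"),
]


def egress_decision(p: Packet):
    """First-match evaluation; anything unmatched falls through to rule 7 (default deny)."""
    for name, match, action in EGRESS_RULES:
        if match(p):
            return action, name
    return "deny", "7 Default"


# Hub side, mirror of the spoke: branch local subnet -> VPN Spoke Internet address (assumed).
HUB_VPN_POLICY = {
    ipaddress.ip_network("10.20.0.0/24"): BRANCH_IP,
    ipaddress.ip_network("10.30.0.0/24"): FIRST_BRANCH_IP,  # assumed subnet of the first branch
}


def hub_policy(dst: str):
    """Any source -> a branch local subnet is encrypted (tunnel mode) to that branch's spoke."""
    d = _ip(dst)
    for net, peer in HUB_VPN_POLICY.items():
        if d in net:
            return "encrypt tunnel-mode IPSec", str(peer)
    return "clear", None


def mirror_consistent() -> bool:
    """Every local subnet of this spoke must be sent by the hub to this spoke's endpoint."""
    return all(HUB_VPN_POLICY.get(net) == BRANCH_IP for net in LOCAL_SUBNETS)


if __name__ == "__main__":
    samples = [  # constructed packets
        Packet("203.0.113.10", "198.51.100.1", "udp", 500),  # IKE to hub
        Packet("203.0.113.10", "203.0.113.50", "esp"),       # ESP to first branch
        Packet("203.0.113.10", "192.0.2.7", "icmp"),         # PMTUD from endpoint
        Packet("10.20.0.5", "192.0.2.7", "tcp", 443),        # inner host, allowed service
        Packet("10.20.0.5", "192.0.2.7", "tcp", 23),         # inner host, not allowed
        Packet("203.0.113.10", "192.0.2.7", "udp", 500),     # IKE to an unlisted peer
    ]
    for pk in samples:
        print(pk, "->", egress_decision(pk))
    print("hub mirror consistent:", mirror_consistent())
```

The last sample shows why rules 1 to 4 name both ends: an IKE attempt from the tunnel endpoint to any peer other than the hub or the first branch reaches rule 7 and is denied, so a compromised or misconfigured spoke cannot negotiate tunnels to arbitrary hosts. If the deployment sits behind NAT, IKE on UDP 4500 would need its own rule; the list above does not include one.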
Typical installations
Issue 1.1 June 2005
399