How To: IPSec VPN - Hub and Spoke Configuration; Architectures Shown; Case No. 1: Internal Traffic via IPSec Tunnels; Case No. 2: All Traffic via IPSec Tunnels - Stormshield SN series Configuration Manual


HOW TO: IPSec VPN - Hub and Spoke Configuration

Architectures shown

The authentication method chosen for this tutorial is based on certificates.
For details on operations regarding the PKI, please refer to the tutorial "IPSec VPN - authentication
by certificate".
Further on in this document, the central site will be named "Hub", and both satellite sites will be
represented by "Spoke A" and "Spoke B". Needless to say, this type of architecture is not
restricted to just two satellite sites.
Case no. 1: internal traffic via IPSec tunnels
Only internal traffic between the three sites (Hub, Spoke A and Spoke B) goes through tunnels via
the Hub. Internet traffic is managed locally on each site.
This infrastructure may sometimes be preferred over the one presented in case no. 2, in particular for
economic reasons: centralized internet access on the Hub may require a lot of throughput and
end up being much costlier than a set of lower-capacity internet access channels.

Case no. 2: all traffic via IPSec tunnels

All traffic goes through the Hub via tunnels. Internet access is centralized at the Hub
level.
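
The two cases differ in which destinations each Spoke sends into its tunnel to the Hub. The following added example (not taken from the Stormshield manual; the subnets and function names are constructed for illustration) models that choice as IPSec traffic selectors and traces the path a packet takes in each case.

```python
import ipaddress

# Constructed addressing plan (assumption, not from the manual).
SITES = {
    "Hub": ipaddress.ip_network("192.168.0.0/24"),
    "Spoke A": ipaddress.ip_network("192.168.1.0/24"),
    "Spoke B": ipaddress.ip_network("192.168.2.0/24"),
}
ANY = ipaddress.ip_network("0.0.0.0/0")


def spoke_selectors(spoke, case):
    """Return the (local, remote) networks a Spoke protects in its tunnel to the Hub."""
    local = SITES[spoke]
    if case == 2:
        # Case no. 2: everything leaving the Spoke is sent to the Hub.
        return [(local, ANY)]
    # Case no. 1: only the other sites' internal networks are tunnelled.
    return [(local, net) for name, net in SITES.items() if name != spoke]


def path(src_site, dst_ip, case):
    """List the hops a packet from src_site takes to reach dst_ip."""
    dst = ipaddress.ip_address(dst_ip)
    if dst in SITES[src_site]:
        return [src_site]  # same LAN, never reaches a tunnel
    dst_site = next((n for n, net in SITES.items() if dst in net), "Internet")
    if src_site == "Hub":
        return ["Hub", dst_site]  # direct tunnel to a Spoke, or the Hub's own access
    tunnelled = any(dst in remote for _, remote in spoke_selectors(src_site, case))
    if not tunnelled:
        return [src_site, "Internet"]  # local internet access (case no. 1)
    hops = [src_site, "Hub"]
    if dst_site != "Hub":
        hops.append(dst_site)  # the Hub relays to the other Spoke or to the internet
    return hops


if __name__ == "__main__":
    for case in (1, 2):
        for dst in ("192.168.2.10", "192.168.0.7", "203.0.113.5"):
            print(f"case {case}: Spoke A -> {dst}: {' -> '.join(path('Spoke A', dst, case))}")
```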
SNS - USER CONFIGURATION MANUAL V.3
sns-en-user_configuration_manual-v3 - Copyright © Stormshield 2016
