Topologies for policy-based VPNs
The topology of a policy-based VPN is determined by whether each VPN gateway is a central gateway or a satellite gateway in that particular VPN.
- A central gateway establishes VPN tunnels with any other central or satellite gateway in the VPN, unless you specifically disable the tunnels.
- A satellite gateway establishes VPN tunnels only with central gateways.
- You can also create a VPN hub by listing a gateway under some other (central or satellite) gateway in the topology. Other gateways then connect to the higher-level gateway, which forwards the connections to the lower-level gateway.
Tunnels are generated from each central gateway to all other gateways based on the overall topology. You can adjust the tunnels to limit which gateways and endpoints form tunnels with each other.
You can define policy-based VPN tunnels using different topologies:
- Full-mesh topology connects each site to every other site in the same VPN. All gateways are central gateways, which means that all gateways can establish tunnels with all other gateways in the VPN. With n gateways this produces n(n-1)/2 tunnels, so the tunnel adjustments become important as the VPN grows.
- Star topology connects sites behind satellite gateways to the sites behind central gateways. No VPN tunnels are established between the satellite gateways.
- VPN hub topology routes site-to-site or mobile VPN connections to sites behind other gateways through a central (hub) gateway, using the hub's own site-to-site VPNs. The hub is usually a central gateway, but it can also be a satellite gateway.
Because the connectivity requirements vary from location to location, the VPN configuration can be a mix of the different topologies. This illustration shows an example of a mixed topology:
- Replacing two of the central gateways from the full-mesh example with satellite gateways results in a VPN where all gateways except those two still have a tunnel with each other: each satellite tunnels to every central gateway, but the two satellites do not tunnel to each other.
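The rules above (central tunnels to everyone, satellite tunnels only to centrals, a nested gateway is reached through its hub, and individual tunnels can be disabled) are easy to get wrong by hand once a VPN has more than a handful of gateways. The following Python script is an added example, not vendor or product code, that computes the tunnel set a topology generates and the gateway chain a connection traverses, and applies it to the full-mesh, star, hub and mixed examples from this page. The gateway names and the nesting of gateway E under A are constructed for the example, and the assumption that a nested gateway holds exactly one tunnel, to the hub it is listed under, is the author's reading of the hub description rather than something the page states explicitly.

```python
"""Compute which tunnels a policy-based VPN topology generates and how a
connection between two sites is routed. Added example; not vendor code.

Rules modelled (from the topology description):
  * a central gateway tunnels to every other top-level gateway unless that
    tunnel is explicitly disabled;
  * a satellite gateway tunnels only to central gateways;
  * a gateway listed under another gateway (a VPN hub) tunnels only to that
    hub (assumption); everyone else reaches it through the hub, which forwards.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Optional, Set

Tunnel = FrozenSet[str]  # an unordered pair of gateway names


@dataclass(frozen=True)
class Gateway:
    name: str
    central: bool              # True = central gateway, False = satellite gateway
    hub: Optional[str] = None  # name of the higher-level gateway it is listed under


def tunnels(gateways: Iterable[Gateway],
            disabled: Iterable[Tunnel] = ()) -> Set[Tunnel]:
    """Return the set of gateway pairs that get a tunnel."""
    gws = list(gateways)
    off = set(disabled)
    result: Set[Tunnel] = set()
    # Top-level gateways: a tunnel exists when at least one endpoint is central.
    top = [g for g in gws if g.hub is None]
    for a, b in combinations(top, 2):
        if a.central or b.central:
            pair = frozenset((a.name, b.name))
            if pair not in off:
                result.add(pair)
    # Nested gateways: one tunnel each, to the hub they are listed under.
    for g in gws:
        if g.hub is not None:
            pair = frozenset((g.name, g.hub))
            if pair not in off:
                result.add(pair)
    return result


def _ancestors(by_name: Dict[str, Gateway], name: str) -> List[str]:
    """name, its hub, its hub's hub, ... ending at a top-level gateway."""
    chain = [name]
    while by_name[chain[-1]].hub is not None:
        chain.append(by_name[chain[-1]].hub)
    return chain


def path(gateways: Iterable[Gateway], src: str, dst: str,
         disabled: Iterable[Tunnel] = ()) -> Optional[List[str]]:
    """Gateways a connection from src to dst traverses, or None if no route.

    Nested gateways are reached by climbing to the hub and down again; two
    top-level gateways need a direct tunnel between them.
    """
    gws = list(gateways)
    by_name = {g.name: g for g in gws}
    links = tunnels(gws, disabled)
    up, down = _ancestors(by_name, src), _ancestors(by_name, dst)
    # Shared hub (or one endpoint nested under the other): turn around at the
    # lowest common ancestor instead of going all the way to the top level.
    for i, node in enumerate(up):
        if node in down:
            route = up[:i + 1] + list(reversed(down[:down.index(node)]))
            break
    else:
        route = up + list(reversed(down))
    # Every hop on the route must be a tunnel that actually exists.
    for a, b in zip(route, route[1:]):
        if frozenset((a, b)) not in links:
            return None
    return route


# Constructed example topologies (gateway names are made up).
FULL_MESH = [Gateway(n, central=True) for n in "ABCD"]
# Same four gateways with C and D turned into satellites: the mixed example.
MIXED = [Gateway("A", True), Gateway("B", True),
         Gateway("C", False), Gateway("D", False)]
STAR = [Gateway("HQ", True)] + [Gateway(f"S{i}", False) for i in range(1, 4)]
# Hub: E is listed under A, so other gateways reach E through A.
HUB = MIXED + [Gateway("E", central=False, hub="A")]

if __name__ == "__main__":
    for label, topo in [("full mesh", FULL_MESH), ("mixed", MIXED),
                        ("star", STAR), ("hub", HUB)]:
        print(label, sorted(sorted(t) for t in tunnels(topo)))
    print(path(HUB, "D", "E"))                                 # D -> A -> E
    print(path(MIXED, "C", "D"))                               # None: two satellites
    print(path(MIXED, "A", "B", disabled=[frozenset("AB")]))   # None: tunnel disabled
```

Running the script shows the mixed example with five of the original six tunnels (only C-D is missing), the star with one tunnel per satellite, and the hub example reaching E only via A; disabling the A-E tunnel or the D-A tunnel makes `path(HUB, "D", "E")` return `None`, which is the check to run before removing a tunnel that a hub route silently depends on.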