Topologies for policy-based VPNs

The topology of policy-based VPNs is determined by selecting whether individual VPN gateways are central or satellite gateways in each particular policy-based VPN.

  • A central gateway establishes VPN tunnels with any other central or satellite gateway in the VPN, unless you specifically disable the tunnels.
  • A satellite gateway establishes VPN tunnels only with central gateways.
  • You can also create a VPN hub by adding a gateway so that it is listed under some other (central or satellite) gateway in the topology. Other gateways connect to the higher-level gateway, which forwards the connections to the lower-level gateway.

Tunnels are generated from each central gateway to all other gateways based on the overall topology. You can adjust the tunnels to limit which gateways and endpoints form tunnels with each other.

You can define policy-based VPN tunnels using different topologies:

Figure: Full mesh VPN topology

Full-mesh topology connects each site to every other site in the same VPN. All gateways are central gateways, which means that all gateways can establish tunnels with all other gateways in the VPN.
The full mesh topology is formed between sites that must all be able to connect to any other site.

Figure: Star VPN topology

Star topology connects sites behind satellite gateways to the sites behind central gateways. No VPN tunnels are established between the satellite gateways.
In VPNs with partner organizations or remote offices, VPN connectivity is often needed between each remote site and a main site, but not from one remote site to another. This arrangement is a star topology.
The star topology is defined with satellite gateways that connect only to the central gateway. There is no VPN between the satellite gateways. This topology reduces the number of VPN tunnels that the gateways maintain compared to full-mesh topology. Having fewer tunnels can save resources on the remote gateways.
Sometimes the star topology is preferred even if VPN connectivity is needed between the remote offices. In this case, the central gateway can be used as a hub that relays traffic from one VPN tunnel to another. Traffic can be forwarded from either a site-to-site tunnel or a mobile VPN tunnel.

Figure: Hub VPN topology

VPN hub topology routes site-to-site or mobile VPN connections to other sites through a central (hub) gateway using other site-to-site VPNs. The hub is usually a central gateway, but it can also be a satellite gateway.
The hub topology simplifies VPN client use if the clients connect to several gateways. It can also make setting up site-to-site VPNs easier, especially if the satellite gateways are third-party devices. VPN encryption and decryption are computationally intensive, so consider hardware performance before high volumes of traffic are concentrated at a hub gateway.

Because the connectivity requirements vary from location to location, the VPN configuration can be a mix of the different topologies. This illustration shows an example of a mixed topology:

Figure: Combination of different topologies

Replacing two of the central gateways from the full mesh example with satellite gateways results in a VPN where every gateway still has a tunnel with every other gateway, except that the two satellite gateways have no tunnel between each other.
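The tunnel-generation rules described on this page (central gateways tunnel to everyone, satellite gateways tunnel only to central gateways, nested gateways are reached through the gateway they are listed under, and individual tunnels can be disabled) can be worked through for the full mesh, star, hub and mixed examples. The following script is an added illustration, not code from the product or its documentation; the gateway names, the `central`/`satellite` role strings and the dictionary-based model are assumptions chosen for the example.

```python
from itertools import combinations

CENTRAL = "central"
SATELLITE = "satellite"


def compute_tunnels(gateways, disabled=frozenset()):
    """Return the set of tunnels a policy-based VPN generates.

    gateways: dict mapping gateway name -> CENTRAL or SATELLITE.
    disabled: set of frozenset({a, b}) pairs whose tunnel was explicitly disabled.
    A tunnel exists between two gateways when at least one of them is central;
    two satellite gateways never form a tunnel with each other.
    """
    tunnels = set()
    for a, b in combinations(sorted(gateways), 2):
        if gateways[a] == CENTRAL or gateways[b] == CENTRAL:
            pair = frozenset((a, b))
            if pair not in disabled:
                tunnels.add(pair)
    return tunnels


def tunnels_per_gateway(tunnels):
    """Count how many tunnels each gateway has to maintain (the per-gateway load)."""
    load = {}
    for pair in tunnels:
        for gw in pair:
            load[gw] = load.get(gw, 0) + 1
    return load


def hub_path(hubs, src, dst):
    """Return the hop list used to reach dst from src in a hub arrangement.

    hubs: dict mapping a lower-level gateway -> the higher-level gateway it is
    listed under. Traffic for a nested gateway goes to the higher-level gateway
    first, which forwards it down; a direct neighbour of the hub skips that hop.
    """
    parent = hubs.get(dst)
    if parent is None or parent == src:
        return [src, dst]
    return [src, parent, dst]


def example_topologies():
    """Tunnel counts for the topologies discussed on the page (constructed names)."""
    # Full mesh: five central gateways, every pair gets a tunnel.
    full_mesh = {f"gw{i}": CENTRAL for i in range(5)}
    # Star: one central gateway at the main site, four satellite remote offices.
    star = {"hq": CENTRAL, "remote1": SATELLITE, "remote2": SATELLITE,
            "remote3": SATELLITE, "remote4": SATELLITE}
    # Mixed: the full mesh with two central gateways turned into satellites.
    mixed = dict(full_mesh)
    mixed["gw3"] = SATELLITE
    mixed["gw4"] = SATELLITE
    return {
        "full_mesh": len(compute_tunnels(full_mesh)),
        "star": len(compute_tunnels(star)),
        "mixed": len(compute_tunnels(mixed)),
    }


if __name__ == "__main__":
    for name, count in example_topologies().items():
        print(f"{name}: {count} tunnels")
    star = {"hq": CENTRAL, "remote1": SATELLITE, "remote2": SATELLITE}
    print("star load:", tunnels_per_gateway(compute_tunnels(star)))
    # A partner gateway reaching a branch that is listed under hq goes via hq.
    print("hub path:", hub_path({"branch": "hq"}, "partner", "branch"))
```

Running the script shows why the star topology is cheaper for the remote sites: each satellite maintains a single tunnel while the central gateway carries all of them, which is also the load to keep in mind when that central gateway is used as a hub.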