"Hub & Spoke" Configuration

This article discusses how one can configure an IPSec WAN that allows branch offices connected to a central office to route traffic to each other.

For example: "Office A" ( and "Office B" ( are both connected to "Headquarters" (10.0.0/16) vian an IPSec tunnel. By default, Office A and Office B can pass traffic to Headquarters, but not to each other.

To Accomplish this you could create a third tunnel between Office A and Office B directly. However, support for multi-subnet IPSec configurations, added in Core 95, makes this possible without creating separate tunnels between each of the offices. While this is not a significant advantage with only one or two offices, it allows you to reduce the number of tunnels in remote offices, which does reduce management overhead and hardware requirements.

Initial Configuration

Begin with the intial configuration described below and as outlined in the main IPSec documentation. Once you have confirmed that you are able to send traffic from Office A and Office B to Headquarters and back, then proceed to the next step.

Changes to the Basic IPsec Configuration

You will make the following changes to the IPSec configurations for each office:

  1. Office A: Add Office B's subnet to the "Remote subnet" field. Separate it from Headquarter's subnet with a comma.
  2. Office B: Add Office A's subnet to the "Remote subnet" field.
  3. Headquarters: Add Office A's subnet to the "Local subnet" field in the tunnel configuration for "Office B".
  4. Headquarters: Add Office B's subnet to the "Local subnet" field in the tunnel configuration for "Office A".

This will make it so that each of the remote offices now knows to send traffic destined to the other remote office via the IPSec tunnel. However, we need to tell the central office IPFire box how to handle this traffic.

Firewall Rules to Add to Headquarters

You now need to add two rules to the firewall on the "Headquarters" machine.

  • Source:
  • Enable the "Use Network Address Translation (NAT)" check box and choose the "Source NAT" radio button.
  • In the "New source IP address" drop-down menu, choose the green address of the Headquarters machine.
  • Destination:
  • Protocol: All
    Ensure that the rule is activated, and save your settings.

Create another rule that is identical, except reverse the source and destination.

Apply the firewall rules.

Test Your Setup

If all is properly configured, you should now be able to reach devices devices on the LAN in Office B from Office A, and vice versa.

Edit Page ‐ Yes, you can edit!

Older Revisions • July 29, 2022 at 10:39 pm • Jon