all 3 comments

[–]servidge 1 point2 points  (0 children)

should be easily possible. you should search for "crypto map ipsec-isakmp dynamic"

[–]packetthriller 0 points1 point  (0 children)

Yes, easy to do. You need to include the crypto destination subnet on each side of the tunnel, client hub and remote.

Client --> Hub ---> Remote

Client needs to have the route pushed down to the client from the hub. Hub crypto policy ACL for remote tunnel needs client subnet added to it. Remote crypto policy ACL also needs client subnet added to it.

If you're running NAT on any of these, you'll need to exempt NAT for any destination you add to the crypto ACL.

[–]sg4rb0sss 0 points1 point  (0 children)

Yes 100%. You need to just be careful with your NAT exemption statements, and double check your routing, and VPN injected networks