Problem with accessing between networks

pwolsza_wolfik1
Level 1

I have few networks which are connected together through VPN tunnels.

All static routes to networks 192.168.3.0 and 192.68.9.0 are configured on router 4.

From the network 179 I can ping everything but from the network 3 and 9 I can only ping 179.

Where should I look for the problem?

In the VPN ACLs or in the routes in the 179 network?

I can add that a tracert from network 3 looking for network 9 goes over the internet.

[Attached image: Przechwytywanie.JPG]

6 Replies

Hi,

Networks 3 and 9 have a route to reach the networks across the VPN?

Are the networks 3 and 9 included in the interesting traffic for those VPNs?

Federico.

The routes are on routers 179.

What do you mean network 3 and 9 are included?

In 3 network VPN Source 192.168.3.0/24, destination 192.168.179.0/24

In 9 network VPN Source 192.168.9.0/24, destination 192.168.179.0/24

Correct me if I'm wrong...

There's communication between network 179 and networks 3 and 9 (this works fine).

The problem is that networks 3 and 9 won't talk to remote VPN networks through R4?

This VPN is established from R4 to another remote device?

If so, besides having the route on R4 to reach networks 3 and 9, networks 3 and 9 should be part of the traffic to be encrypted when going through the tunnel.

Federico.

There is communication only between 179 and 3, and between 179 and 9.

There is no communication between 3 and 9 through 179.

The routing and the gateway for R0 and R2 are configured on R4:

ip route 192.168.3.0 255.255.255.0 192.168.179.12

ip route 192.168.9.0 255.255.255.0 192.168.179.14

R4 has a VPN configured, but to another network (2, which is not on the drawing).

So, for network 3 to reach network 9, should the source for the VPN be 192.168.0.0/16 and the destination 192.168.179.0/24?

I see now... but since the communication between 3 and 9 should be via VPN, the VPN tunnel should communicate both networks (should include both networks in the interesting traffic).

Question:

Are these IPsec L2L tunnels between the Cisco routers?

Do you have the source and destination networks defined under those tunnels?

Federico.

This is the config of R3:

Building configuration...

Current configuration : 6100 bytes

!

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname CISCO

!

boot-start-marker

boot-end-marker

!

logging message-counter syslog

logging buffered 51200

logging console critical

!

no aaa new-model

clock timezone PCTime 1

clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00

dot11 syslog

no ip source-route

!

ip dhcp pool ccp-pool1

   import all

   network 192.168.9.0 255.255.255.0

   dns-server 194.204.152.34 8.8.8.8

   default-router 192.168.9.1

!

!

ip cef

no ip bootp server

ip domain name yourdomain.com

ip name-server 194.204.152.34

ip name-server 8.8.8.8

!

!

!

!

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key test address 10.10.10.214

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to10.10.10.214

set peer 10.10.10.214

set security-association idle-time 300

set transform-set ESP-3DES-SHA

match address 100

!

archive

log config

  hidekeys

!

!

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

!

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$

ip address 20.20.20.234 255.255.255.240

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto map SDM_CMAP_1

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$

ip address 192.168.9.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 20.20.20.225

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source route-map ISP1 interface FastEthernet4 overload

!

ip sla enable reaction-alerts

logging trap debugging

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 192.168.9.0 0.0.0.255

access-list 100 remark CCP_ACL Category=4

access-list 100 remark IPSec Rule

access-list 100 permit ip 192.168.9.0 0.0.0.255 192.168.179.0 0.0.0.255

access-list 101 remark CCP_ACL Category=2

access-list 101 remark IPSec Rule

access-list 101 deny   ip 192.168.9.0 0.0.0.255 192.168.179.0 0.0.0.255

access-list 101 permit ip 192.168.9.0 0.0.0.255 any

no cdp run

!

!

!

route-map ISP1 permit 10

match ip address 101

match interface FastEthernet4

set ip next-hop 20.20.20.225

!

!

control-plane

!

banner exec ^C

% Password expiration warning.

-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device

and it provides the default username "cisco" for  one-time use. If you have

already used the username "cisco" to login to the router and your IOS image

supports the "one-time" user option, then this username has already expired.

You will not be able to login to the router with this username after you exit

this session.

It is strongly suggested that you create a new username with a privilege level

of 15 using the following command.

username privilege 15 secret 0

Replace and with the username and password you

want to use.

-----------------------------------------------------------------------

^C

banner login ^CAuthorized access only!

Disconnect IMMEDIATELY if you are not an authorized user!^C

!

line con 0

login local

no modem enable

transport output telnet

line aux 0

login local

transport output telnet

line vty 0 4

session-timeout 30

exec-timeout 0 0

privilege level 15

login local

transport input telnet ssh

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

end
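Federico's point about the interesting traffic, applied to the ACLs in the posted R3 config. This is an added example, not code from the thread or from Cisco: a small Python model of how IOS handles a packet leaving FastEthernet4 (inside-to-outside NAT via route-map ISP1 / ACL 101 runs before the crypto map / ACL 100), which shows why 192.168.9.0/24 to 192.168.3.0/24 is NATted and sent to the default route instead of into the tunnel. The "fixed" ACLs are an assumption: they add 192.168.3.0/24 as interesting traffic and exempt it from NAT, and the hub (R4) and the other spoke would need the mirrored entries, which the thread does not show.

```python
import ipaddress

WAN_ADDR = "20.20.20.234"  # FastEthernet4 address from the posted config

# ACLs copied from the posted R3 config; wildcard 0.0.0.255 written as /24.
CRYPTO_ACL_POSTED = [("permit", "192.168.9.0/24", "192.168.179.0/24")]
NAT_ACL_POSTED = [("deny", "192.168.9.0/24", "192.168.179.0/24"),
                  ("permit", "192.168.9.0/24", "0.0.0.0/0")]

# Assumed fix (not from the thread): 192.168.3.0/24 becomes interesting
# traffic and is exempted from NAT. R4's crypto ACL for this peer would need
# the mirror of these entries (see mirror_for_peer below).
CRYPTO_ACL_FIXED = CRYPTO_ACL_POSTED + [("permit", "192.168.9.0/24", "192.168.3.0/24")]
NAT_ACL_FIXED = [("deny", "192.168.9.0/24", "192.168.179.0/24"),
                 ("deny", "192.168.9.0/24", "192.168.3.0/24"),
                 ("permit", "192.168.9.0/24", "0.0.0.0/0")]


def acl_action(acl, src, dst):
    """First-match evaluation of an IOS numbered ACL, implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "deny"


def egress_path(crypto_acl, nat_acl, src, dst):
    """Order IOS applies on the outside interface for inside-to-outside
    traffic: NAT first, then the crypto map. A packet that was translated
    is checked against the crypto ACL with its new source and so never
    matches a LAN-to-LAN entry; it leaves in clear text via the default route."""
    if acl_action(nat_acl, src, dst) == "permit":
        src = WAN_ADDR
    if acl_action(crypto_acl, src, dst) == "permit":
        return "ipsec"
    return "internet (natted)" if src == WAN_ADDR else "unroutable (private src, no tunnel)"


def mirror_for_peer(crypto_acl):
    """Crypto ACL the remote peer (R4) needs for this tunnel: same entries
    with source and destination swapped, otherwise the SA proposal is rejected."""
    return [(action, dst_net, src_net) for action, src_net, dst_net in crypto_acl]


if __name__ == "__main__":
    for label, c, n in (("posted", CRYPTO_ACL_POSTED, NAT_ACL_POSTED),
                        ("fixed", CRYPTO_ACL_FIXED, NAT_ACL_FIXED)):
        print(label, "9->179:", egress_path(c, n, "192.168.9.10", "192.168.179.5"))
        print(label, "9->3:  ", egress_path(c, n, "192.168.9.10", "192.168.3.10"))
    print("R4 side of the fixed tunnel:", mirror_for_peer(CRYPTO_ACL_FIXED))
```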