02-01-2015 03:45 AM
Hello,
please help me figure it out.
In Hub - Site A there is a Draytek 3900 (10.1.0.0/16); it has IPsec VPNs to:
- VPN Site B - 192.168.2.0/24 (Cisco 1841)
- VPN Site C - 192.168.5.0/24 (Cisco 1841)
Now I have connection from A to B and A to C without problem, but I want site B to be able to reach C through A.
Because not all devices are Draytek, I couldn't use the "more subnet" setting in the IPsec profile,
so I have created additional IPsec profiles for every subnet:
Hub A has IPsec profiles:
(10.1.0.0 - 192.168.2.0)
(10.1.0.0 - 192.168.5.0)
(192.168.5.0 - 192.168.2.0)
(192.168.2.0 - 192.168.5.0)
Site B has profiles:
(192.168.2.0 - 10.1.0.0)
(192.168.2.0 - 192.168.5.0)
Site C has:
(192.168.5.0 - 10.1.0.0)
(192.168.5.0 - 192.168.2.0)
All IPsec profiles are UP, on Cisco too, but I still can't reach C from B and vice versa.
Could anyone help me?
02-02-2015 03:30 AM
Hello, Wojciech Zuk.
Can you show output of the command "show crypto ipsec sa" from each Cisco device after sending some traffic from C to B (or from B to C)?
02-02-2015 04:40 AM
Hi Zuk,
Normally it should work with all Cisco devices or all Draytek devices.
Not really sure about compatibility in a different-vendor environment.
Try to debug ISAKMP on the Draytek router, as well as on the Cisco devices, while sending traffic from B to C.
HTH
02-02-2015 04:47 AM
Problem Solved!
On the Cisco routers I didn't exclude these new networks from NAT,
so they weren't encrypted but forwarded through the default route to the internet.
Thanks to all.
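The check behind that fix, as an added example that is not part of the original thread: it evaluates a Cisco-style extended NAT ACL with first-match semantics and lists the IPsec selectors that would be translated instead of encrypted. The ACL name and entries are constructed for Site B and assume NAT is driven by an extended ACL; the thread does not show the real configuration.

```python
import ipaddress

# Constructed Site B NAT ACLs (assumed layout; not taken from the thread).
NAT_ACL_BEFORE = """
ip access-list extended NAT
 deny ip 192.168.2.0 0.0.0.255 10.1.0.0 0.0.255.255
 permit ip 192.168.2.0 0.0.0.255 any
"""
NAT_ACL_AFTER = """
ip access-list extended NAT
 deny ip 192.168.2.0 0.0.0.255 10.1.0.0 0.0.255.255
 deny ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
"""
# Site B IPsec profiles as listed in the first post.
SITE_B_SELECTORS = [("192.168.2.0/24", "10.1.0.0/16"),
                    ("192.168.2.0/24", "192.168.5.0/24")]

def parse_acl(text):
    """Parse 'permit|deny ip <net> <wildcard>|any <net> <wildcard>|any' lines."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
            continue  # skips the ACL header and anything this sketch does not model
        rest, nets = tok[2:], []
        while rest:
            if rest[0] == "any":
                nets.append(ipaddress.ip_network("0.0.0.0/0"))
                rest = rest[1:]
            else:
                # A wildcard mask is the bitwise inverse of the netmask.
                wild = int(ipaddress.IPv4Address(rest[1]))
                mask = ipaddress.IPv4Address(wild ^ 0xFFFFFFFF)
                nets.append(ipaddress.ip_network(f"{rest[0]}/{mask}"))
                rest = rest[2:]
        entries.append((tok[0], nets[0], nets[1]))
    return entries

def natted_selectors(nat_acl, selectors):
    """Return selectors whose first matching NAT ACL entry is a permit."""
    hits = []
    for src, dst in selectors:
        s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        for action, a_src, a_dst in nat_acl:
            if s.subnet_of(a_src) and d.subnet_of(a_dst):  # full coverage only
                if action == "permit":
                    hits.append((src, dst))
                break  # first match wins; no match means implicit deny
    return hits
```

With the constructed "before" ACL, only the 192.168.2.0/24 to 192.168.5.0/24 selector is reported, matching the symptom of B-to-C traffic leaving via the default route while the tunnel shows UP.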
02-02-2015 05:49 AM