cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4879
Views
0
Helpful
77
Replies
Highlighted
Beginner

Spoke to Spoke routing (VIGOR to CISCO)

Hi All,

I have a problem with my config, it's a hub and spoke setup with 7 spokes. The hub network address is 192.168.6.0.

I would like the spoke sites to be able to communicate to other spokes via the hub. The spoke site are vigor routers and the hub is a cisco 1842, the routing table is present on the vigors. I'm presuming it's an ACL problem but i've spent the last 3 hrs trying to figure this one out and have got no where, can anyone assist?

Also I have nat'd ports 80, 443 which work fine from outside the local lan but do not work inside? Anyone got any suggestions?

Thanks

Mark

192.168.6.0 HUB

192.168.18.0 SPOKE

192.168.23.0 SPOKE

192.168.28.0 SPOKE

192.168.48.0 SPOKE

192.168.78.0 SPOKE

192.168.88.0 SPOKE

192.168.108.0 SPOKE

10.0.0.0 SPOKE

Current configuration : 4558 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname BURTON

!

boot-start-marker

boot-end-marker

!

enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

enable password xxxxxxxxxxxxxx

!

no aaa new-model

ip cef

!

!

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

!

ip name-server 62.xx.x.2

ip name-server 195.xxx.xxx.10

!

!

crypto pki trustpoint TP-self-signed-692553461

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-692553461

revocation-check none

rsakeypair TP-self-signed-692553461

!

!

crypto pki certificate chain TP-self-signed-692553461

certificate self-signed 01

  3082023C 308201A5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 36393235 35333436 31301E17 0D313031 31323530 39353934

  315A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F

  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3639 32353533

  34363130 819F300D 06092A86 4886F70D 01010105 0003818D 00308xxx 02818100

  BA51CDF7 D418D270 7DCE516E 1ADE6DF5 82FE4507 CD1EBE0A 4B6E4B15 9A3C20ED

  B1D19FC9 63D0B925 0A4611FF CE8D935C 264FC3FE DF8BFAC2 76EC38ED 68115F43

  20A68D85 C04A564E 8BDE86FE 127F79B4 8E123D9C 8430940C BCD5CDA4 ADAAE387

  FA1E14A6 ECF92197 0CF54E89 B33915E7 A4E01EC7 CE45DDF6 AA60D168 38C92E67

  02030100 01A36630 64300F06 03551D13 0101FF04 05300301 01FF3011 0603551D

  11040A30 08820642 5552544F 4E301F06 03551D23 04183016 8014645E 3FDE4E90

  A8773580 81EE4217 F4821238 993A301D 0603551D 0E041604 14645E3F DE4E90A8

  77358081 EE4217F4 82123899 3A300D06 092A8648 86F70D01 01040500 03818100

  914EE910 C1EFCDB3 2C3B277B 45E4149F B8A78E94 94D6558F 7A1D5B45 D057DC02

  1FCF0C28 5B29728B 9480E807 D7E7DF9E 751DD005 E108D94B 6B3FC03B 8EB1603B

  49067084 9AF1E4CA 5B906C74 4D07217A 13FD0113 B721068A 3EC6C990 54101B4B

  FC9860E4 3xxxB064 586EC91D EF7C5A8F 8BBF33C6 29BCF148 A7E2B987 F2A028F8

  quit

!

!

!

!

crypto isakmp policy 1

hash md5

authentication pre-share

group 2

lifetime 3600

!

crypto isakmp policy 5

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key xxxxxxxxxx address 77.xxx.xxx.176

crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.85

crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.9

crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.81

crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.228

crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.153

crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.10

crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.61

!

!

crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs

crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs

crypto ipsec transform-set cm-transformset-1 esp-des esp-sha-hmac

crypto ipsec transform-set this_should_work esp-des esp-sha-hmac

!

crypto map VPN-Map-1 10 ipsec-isakmp

set peer 77.xxx.xxx.176

set transform-set this_should_work

match address stores

!

crypto map VPN-Map-1 11 ipsec-isakmp

set peer 85.xxx.xxx.85

set transform-set this_should_work

match address dalby

!

crypto map VPN-Map-1 12 ipsec-isakmp

set peer 85.xxx.xxx.9

set transform-set this_should_work

match address braintree

!

crypto map VPN-Map-1 13 ipsec-isakmp

set peer 85.xxx.xxx.81

set transform-set this_should_work

match address corby

!

crypto map VPN-Map-1 14 ipsec-isakmp

set peer 85.xxx.xxx.228

set transform-set this_should_work

match address glasgow

!

crypto map VPN-Map-1 15 ipsec-isakmp

set peer 85.xxx.xxx.153

set transform-set this_should_work

match address hadleigh

!

crypto map VPN-Map-1 16 ipsec-isakmp

set peer 85.xxx.xxx.10

set transform-set this_should_work

match address northwich

!

crypto map VPN-Map-1 17 ipsec-isakmp

set peer 85.xxx.xxx.61

set transform-set this_should_work

match address wycombe

!

!

!

interface FastEthernet0/0

description $ETH-LAN$

ip address 192.168.6.40 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

interface ATM0/0/0

no ip address

no ip mroute-cache

no atm ilmi-keepalive

bundle-enable

dsl operating-mode auto

pvc 0/38

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

!

!

interface ATM0/1/0

no ip address

no ip mroute-cache

no atm ilmi-keepalive

bundle-enable

dsl operating-mode auto

pvc 0/38

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

!

!

interface Dialer0

ip address negotiated

ip nat outside

ip virtual-reassembly

encapsulation ppp

dialer pool 1

dialer-group 1

ppp reliable-link

ppp authentication chap callin

ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

ppp chap password 0 xxxxxxxx

ppp ipcp dns request

ppp link reorders

ppp multilink

ppp multilink slippage mru 16

ppp multilink fragment delay 10

ppp multilink interleave

ppp multilink multiclass

crypto map VPN-Map-1

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer0

!

ip http server

ip http secure-server

ip nat inside source list 100 interface Dialer0 overload

!

ip access-list extended corby

permit ip 192.168.6.0 0.0.0.255 192.168.18.0 0.0.0.255

ip access-list extended northwich

permit ip 192.168.6.0 0.0.0.255 192.168.23.0 0.0.0.255

ip access-list extended wycombe

permit ip 192.168.6.0 0.0.0.255 192.168.28.0 0.0.0.255

ip access-list extended hadleigh

permit ip 192.168.6.0 0.0.0.255 192.168.48.0 0.0.0.255

ip access-list extended stores

permit ip 192.168.6.0 0.0.0.255 192.168.78.0 0.0.0.255

ip access-list extended dalby

permit ip 192.168.6.0 0.0.0.255 192.168.88.0 0.0.0.255

ip access-list extended glasgow

permit ip 192.168.6.0 0.0.0.255 192.168.108.0 0.0.0.255

ip access-list extended braintree

permit ip 192.168.6.0 0.0.0.255 10.0.0.0 0.0.0.255

ip access-list extended Internet-inbound-ACL

permit udp host 77.xxx.xxx.176 any eq isakmp

permit esp host 77.xxx.xxx.176 any

permit udp host 85.xxx.xxx.85 any eq isakmp

permit esp host 85.xxx.xxx.85 any

permit udp host 85.xxx.xxx.9 any eq isakmp

permit esp host 85.xxx.xxx.9 any

permit udp host 85.xxx.xxx.81 any eq isakmp

permit esp host 85.xxx.xxx.81 any

permit udp host 85.xxx.xxx.228 any eq isakmp

permit esp host 85.xxx.xxx.228 any

permit udp host 85.xxx.xxx.153 any eq isakmp

permit esp host 85.xxx.xxx.153 any

permit udp host 85.xxx.xxx.10 any eq isakmp

permit esp host 85.xxx.xxx.10 any

permit udp host 85.xxx.xxx.61 any eq isakmp

permit esp host 85.xxx.xxx.61 any

!

access-list 100 deny   ip 192.168.6.0 0.0.0.255 192.168.78.0 0.0.0.255

access-list 100 deny   ip 192.168.6.0 0.0.0.255 192.168.88.0 0.0.0.255

access-list 100 deny   ip 192.168.6.0 0.0.0.255 10.0.0.0 0.0.0.255

access-list 100 deny   ip 192.168.6.0 0.0.0.255 192.168.18.0 0.0.0.255

access-list 100 deny   ip 192.168.6.0 0.0.0.255 192.168.48.0 0.0.0.255

access-list 100 deny   ip 192.168.6.0 0.0.0.255 192.168.23.0 0.0.0.255

access-list 100 deny   ip 192.168.6.0 0.0.0.255 192.168.28.0 0.0.0.255

access-list 100 deny   ip 192.168.6.0 0.0.0.255 192.168.108.0 0.0.0.255

access-list 100 permit ip 192.168.6.0 0.0.0.255 any

dialer-list 1 protocol ip permit

snmp-server community public RO

!

!

control-plane

!

!

line con 0

line aux 0

line vty 0 4

password xxxxxxxxxxxxxxx

login

!

scheduler allocate 20000 1000

end

4 ACCEPTED SOLUTIONS

Accepted Solutions
Highlighted

Also Check this Important Information about Vigor holding ipsec sa.

https://supportforums.cisco.com/thread/257320?decorator=print&displayFullThread=true

Manish

View solution in original post

Highlighted

I think what he is trying to say is to create the crypto ACL on both ends to be something like :-

Vigor 1 :-

local lan = 192.168.78.0/24

remote lan = 0/0 ( any ) and then statically route 192.168.x.x to vpn tunnel and rest to default gateway.

on cisco =

crypto acl should be something like :-

access-list crypto_1 permit any 192.168.78.0 0.0.0.255

you can try this out but I am not sure how it will work out. Even though it solves the problem of SA Identity Check.

Manish

View solution in original post

Highlighted

Yup I feared that it will stop your internet access as it will start sending all traffic to the hub. try replacing 0/0 on the routers with 192.168.0.0/16 ( 192.168.0.0 0.0.255.255 ) . This will do it i think & hope .

Manish

View solution in original post

Highlighted

ok , you will need to make changes on both HUB and Spoke ( since non of them is Vigor anymore ) :-

Hub :-

from

ip access-list extended dalby

permit ip any 192.168.88.0 0.0.0.255

to

ip access-list extended dalby

permit ip 192.168.0.0 0.0.255.255 192.168.88.0 0.0.0.255

permit ip 10.0.0.0 0.0.0.255 192.168.88.0 0.0.0.255

Spoke :-

from :

ip access-list extended dalby
permit ip 192.168.88.0 0.0.0.255 any

to :

ip access-list extended dalby
permit ip 192.168.88.0 0.0.0.255 192.168.0.0 0.0.255.255

permit ip 192.168.88.0 0.0.0.255 10.0.0.0 0.0.0.255

Reapply the crypto map

Manish

View solution in original post

77 REPLIES 77
Highlighted
Frequent Contributor

Hi Mark,

If your Hub to Spoke communication is working fine and all you need is spoke to spoke via Hub, then please follow this Link :-

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093dc8.shtml

Manish

Highlighted

Thanks for the reply.

I've added these in but still cannot access? Do i need to add the local network address in also?

Also do i need to add ip route 172.16.2.0 255.255.255.0 FastEthernet0/0

I tried teh above also and still couldn't get it to work, any ideas?

Thanks

access-list 130 permit ip 192.168.18.0 0.0.0.255 192.168.88.0 0.0.0.255
access-list 130 permit ip 192.168.23.0 0.0.0.255 192.168.88.0 0.0.0.255
access-list 130 permit ip 192.168.28.0 0.0.0.255 192.168.88.0 0.0.0.255
access-list 130 permit ip 192.168.48.0 0.0.0.255 192.168.88.0 0.0.0.255
access-list 130 permit ip 192.168.78.0 0.0.0.255 192.168.88.0 0.0.0.255
access-list 130 permit ip 192.168.108.0 0.0.0.255 192.168.88.0 0.0.0.255
access-list 130 permit ip 10.0.0.0 0.0.0.255 192.168.88.0 0.0.0.255

Highlighted

Try this configuration part on spokes 77.xxx.xxx.176 & 85.xxx.xxx.85 for communication via HUB

On Spoke 77.xxx.xxx.176 :-

Make 192.168.88.0 0.0.0.255 Part of interesting traffic

Deny it on dynamic PAT as well.

on spoke 85.xxx.xxx.85 :-

Make 192.168.78.0 0.0.0.255 Part of interesting traffic

Deny it on dynamic PAT as well.

On the Hub :-

ip access-list extended stores
permit ip 192.168.88.0 0.0.0.255 192.168.78.0 0.0.0.255

ip access-list extended dalby

permit ip 192.168.78.0 0.0.0.255 192.168.88.0 0.0.0.255

!--- It is important to remove and re-apply the crypto
!--- map to this interface if it is used for the termination of other
!--- spoke VPN tunnels.

Don't worry about pointing routes that were specific to the cisco documentation example. The whole purpose of that documentation was to set up tunnel

using more if  hairpin design.

Manish

Highlighted

Okay i've added the ACL's in to the relevant areas, but it's still not working. The spoke routers are not cisco's there vigor 2600/2800, all that is configured on these is a static route for the other spoke LAN's which go via the hub.

Any more ideas what could be stopping the traffic?

ip access-list extended dalby
permit ip 192.168.6.0 0.0.0.255 192.168.88.0 0.0.0.255
permit ip 192.168.78.0 0.0.0.255 192.168.88.0 0.0.0.255
ip access-list extended stores
permit ip 192.168.88.0 0.0.0.255 192.168.78.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 192.168.78.0 0.0.0.255

Highlighted

Is your hub to spoke working fine ? can you post some config from that Vigor  ( have no idea about Vigor but still helpful ) ?

Manish

Highlighted

Yeah hub and spoke is working fine, it's difficult to give you a copy of the config because it's just a simple GUI.

But it's one of these http://www.draytek.com/user/SupportAppnotesDetail.php?ID=180

Thanks

Highlighted

Try changing the remote network address and mask in the TCP/IP setting on the spokes to 192.168.0.0/16. do this on both the spokes as well as the commands that I sent you earlier on the cisco.

It appears the the spoke is only qualifiing HUB network traffic for ipsec as that what you have in the remote network setting ( I assume ).

let me know if i am thinking wrong.

Manish

Highlighted

The remote subnet area of the vigor router have a more button where I added all the other spoke network addresses in, 192.168.78.0/24 is included in the vigor on subnet 182.168.88.0.

It was working previously with the vigor as spokes, in the last few days I have replaced the hub router with the cisco (previously this was a vigor also). So thats why im presuming thats where the problem is.

Thanks

Highlighted

I've just done show ip route and none of my spoke network addresses appear?

I can communicate with them from the hub though.

Also I have PPTP passthrough on this hub which connects to our internal VPN server for external clients, when they connect in they are able to access all of the spokes, i'm not sure if this is relevent or not.

show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

C    192.168.6.0/24 is directly connected, FastEthernet0/0
     78.0.0.0/32 is subnetted, 1 subnets
C       78.XX.XXX.48 is directly connected, Dialer0
     62.0.0.0/32 is subnetted, 1 subnets
C       62.XXX.XX.194 is directly connected, Dialer0
S*   0.0.0.0/0 is directly connected, Dialer0

Highlighted

I am also getting this when i turn ipsec debugging on, could this be dropping the packets to the other spokes?

IPSEC(epa_des_crypt): decrypted packet failed SA identity
check

Highlighted

Hey Mark,

Could you share the outputs of "show cry isa sa" and "show cry ips sa" from the router?

Cheers,

Prapanch

Highlighted

Hi Prapanch,

Thanks for your reply, here's show cry isa sa

78.25.240.48    85.xxx.xxx.228  QM_IDLE             76    0 ACTIVE
78.25.240.48    85.xxx.xxx.81   QM_IDLE             79    0 ACTIVE
78.25.240.48    85.xxx.xxx.9    QM_IDLE             77    0 ACTIVE
78.25.240.48    85.xxx.xxx.10   QM_IDLE             78    0 ACTIVE
78.25.240.48    78.xx.xxx.82    QM_IDLE             80    0 ACTIVE
78.25.240.48    85.xxx.xxx.153  QM_IDLE             81    0 ACTIVE
78.25.240.48    85.xxx.xxx.85   QM_IDLE             82    0 ACTIVE


show cry ips sa (just one of the ipsec tunnels)

BURTON#show cry ips sa

interface: Dialer0
    Crypto map tag: VPN-Map-1, local addr 78.xx.xxx.48

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.48.0/255.255.255.0/0/0)
   current_peer 85.xxx.xxx.153 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 57873, #pkts encrypt: 57873, #pkts digest: 57873
    #pkts decaps: 61881, #pkts decrypt: 61881, #pkts verify: 61881
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 2131

     local crypto endpt.: 78.xx.xxx.48, remote crypto endpt.: 85.xxx.xxx.153
     path mtu 1500, ip mtu 1500, ip mtu idb Virtual-Access4
     current outbound spi: 0xFCF8F1F7(4244173303)

     inbound esp sas:
      spi: 0x187893F5(410555381)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3007, flow_id: FPGA:7, crypto map: VPN-Map-1
        sa timing: remaining key lifetime (k/sec): (4468917/1553)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xFCF8F1F7(4244173303)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3008, flow_id: FPGA:8, crypto map: VPN-Map-1
        sa timing: remaining key lifetime (k/sec): (4468318/1548)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Highlighted

Mark,

as you mentioned :-

"The remote subnet area of the vigor router have a more button where I added all the other spoke network addresses in, 192.168.78.0/24 is included in the vigor on subnet 182.168.88.0."

on each of the Vigor , you need to point all internal subnets to the HUB not to any other Vigor, as you are trying to do routing between the Vigors to use HUB as next hop. so that this exmaple :-

vigor1  has subnet 192.168.20.0/24

HUB has 192.168.21.0/24

Vigor 2 has 192.168.22.0/24

so if you want the Traffic to from vigor1 to Vigor2 should use HUB as its transit then :-

1> On Vigor 1 , you will define interesting as 192.168.20.0/24 -- > 192.168.21.0/24

                                                                                         --> 192.168.22.0/22   but the remote endpoint will only be HUB.

2> on the Hub , you will define interesting traffic as 192.168.21.0/24 --> 192.168.20.0/24

                                                                           192.168.22.0/24 --> 192.168.20.0/24   for Vigor 1

          and     192.168.21.0/24  --> 192.168.22.0/24

                     192.168.20.0/24 -- > 192.168.22.0/24  for Vigor 2

3> On Vigor 2 , you will define interesting traffic as 192.168.22.0/24 --> 192.168.21.0/24 & 192.168.20.0/24 to remote end point as HUB only.

This will send traffic from Vigor 1 destined for Vigor 2 to the HUB and then the Hub will forward it to the Vigor 2 & vice versa.

Since your hub to spoke is working fine , then there isn't any issue with ipsec configuration , It just need proper interesting Traffic on site to encrypt and send it on its way.

Manish

Highlighted

I here what your saying, i've removed all references to the other subnets on one of the spokes...

SPOKE 192.168.78.0 ROUTING TABLE

    Key: C - connected, S - static, R - RIP, * - default, ~ - private

    *             0.0.0.0/         0.0.0.0 via 62.xxx.x.204, IF3
    C~       192.168.78.0/   255.255.255.0 is directly connected, IF0
    C         192.168.2.0/   255.255.255.0 is directly connected, IF0
    S~        192.168.6.0/   255.255.255.0 via 78.xx.xxx.48, IF4

It doesn't work, on the client PC in subnet 192.168.78.0 i try and ping 192.168.108.44 (router) and it times out.


Here is the hub ACL, the hub subnet is 192.168.6.0 and above shows that it's connected via static route. From 192.168.78.0 I can communicate with 192.168.6.0 but not with 192.168.108.0.

ip access-list extended burtonstores
permit ip 192.168.108.0 0.0.0.255 192.168.78.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 192.168.78.0 0.0.0.255

ip access-list extended glasgow
permit ip 192.168.6.0 0.0.0.255 192.168.108.0 0.0.0.255
permit ip 192.168.78.0 0.0.0.255 192.168.108.0 0.0.0.255