Thanks for the reply.

I've added these in but still cannot access? Do i need to add the local network address in also?

Also do i need to add ip route 172.16.2.0 255.255.255.0 FastEthernet0/0

I tried teh above also and still couldn't get it to work, any ideas?

Thanks

access-list 130 permit ip 192.168.18.0 0.0.0.255 192.168.88.0 0.0.0.255
access-list 130 permit ip 192.168.23.0 0.0.0.255 192.168.88.0 0.0.0.255
access-list 130 permit ip 192.168.28.0 0.0.0.255 192.168.88.0 0.0.0.255
access-list 130 permit ip 192.168.48.0 0.0.0.255 192.168.88.0 0.0.0.255
access-list 130 permit ip 192.168.78.0 0.0.0.255 192.168.88.0 0.0.0.255
access-list 130 permit ip 192.168.108.0 0.0.0.255 192.168.88.0 0.0.0.255
access-list 130 permit ip 10.0.0.0 0.0.0.255 192.168.88.0 0.0.0.255

Try this configuration part on spokes 77.xxx.xxx.176 & 85.xxx.xxx.85 for communication via HUB

On Spoke 77.xxx.xxx.176 :-

Make 192.168.88.0 0.0.0.255 Part of interesting traffic

Deny it on dynamic PAT as well.

on spoke 85.xxx.xxx.85 :-

Make 192.168.78.0 0.0.0.255 Part of interesting traffic

Deny it on dynamic PAT as well.

On the Hub :-

ip access-list extended stores
permit ip 192.168.88.0 0.0.0.255 192.168.78.0 0.0.0.255

ip access-list extended dalby

permit ip 192.168.78.0 0.0.0.255 192.168.88.0 0.0.0.255

!--- It is important to remove and re-apply the crypto
!--- map to this interface if it is used for the termination of other
!--- spoke VPN tunnels.

Don't worry about pointing routes that were specific to the cisco documentation example. The whole purpose of that documentation was to set up tunnel

using more if  hairpin design.

Manish

Okay i've added the ACL's in to the relevant areas, but it's still not working. The spoke routers are not cisco's there vigor 2600/2800, all that is configured on these is a static route for the other spoke LAN's which go via the hub.

Any more ideas what could be stopping the traffic?

ip access-list extended dalby
permit ip 192.168.6.0 0.0.0.255 192.168.88.0 0.0.0.255
permit ip 192.168.78.0 0.0.0.255 192.168.88.0 0.0.0.255
ip access-list extended stores
permit ip 192.168.88.0 0.0.0.255 192.168.78.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 192.168.78.0 0.0.0.255

Is your hub to spoke working fine ? can you post some config from that Vigor  ( have no idea about Vigor but still helpful ) ?

Manish

Yeah hub and spoke is working fine, it's difficult to give you a copy of the config because it's just a simple GUI.

But it's one of these http://www.draytek.com/user/SupportAppnotesDetail.php?ID=180

Thanks

Try changing the remote network address and mask in the TCP/IP setting on the spokes to 192.168.0.0/16. do this on both the spokes as well as the commands that I sent you earlier on the cisco.

It appears the the spoke is only qualifiing HUB network traffic for ipsec as that what you have in the remote network setting ( I assume ).

let me know if i am thinking wrong.

Manish

The remote subnet area of the vigor router have a more button where I added all the other spoke network addresses in, 192.168.78.0/24 is included in the vigor on subnet 182.168.88.0.

It was working previously with the vigor as spokes, in the last few days I have replaced the hub router with the cisco (previously this was a vigor also). So thats why im presuming thats where the problem is.

Thanks

I've just done show ip route and none of my spoke network addresses appear?

I can communicate with them from the hub though.

Also I have PPTP passthrough on this hub which connects to our internal VPN server for external clients, when they connect in they are able to access all of the spokes, i'm not sure if this is relevent or not.

show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

C    192.168.6.0/24 is directly connected, FastEthernet0/0
     78.0.0.0/32 is subnetted, 1 subnets
C       78.XX.XXX.48 is directly connected, Dialer0
     62.0.0.0/32 is subnetted, 1 subnets
C       62.XXX.XX.194 is directly connected, Dialer0
S*   0.0.0.0/0 is directly connected, Dialer0

I am also getting this when i turn ipsec debugging on, could this be dropping the packets to the other spokes?

IPSEC(epa_des_crypt): decrypted packet failed SA identity
check

Hey Mark,

Could you share the outputs of "show cry isa sa" and "show cry ips sa" from the router?

Cheers,

Prapanch

Hi Prapanch,

Thanks for your reply, here's show cry isa sa

78.25.240.48    85.xxx.xxx.228  QM_IDLE             76    0 ACTIVE
78.25.240.48    85.xxx.xxx.81   QM_IDLE             79    0 ACTIVE
78.25.240.48    85.xxx.xxx.9    QM_IDLE             77    0 ACTIVE
78.25.240.48    85.xxx.xxx.10   QM_IDLE             78    0 ACTIVE
78.25.240.48    78.xx.xxx.82    QM_IDLE             80    0 ACTIVE
78.25.240.48    85.xxx.xxx.153  QM_IDLE             81    0 ACTIVE
78.25.240.48    85.xxx.xxx.85   QM_IDLE             82    0 ACTIVE

show cry ips sa (just one of the ipsec tunnels)

BURTON#show cry ips sa

interface: Dialer0
    Crypto map tag: VPN-Map-1, local addr 78.xx.xxx.48

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.48.0/255.255.255.0/0/0)
   current_peer 85.xxx.xxx.153 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 57873, #pkts encrypt: 57873, #pkts digest: 57873
    #pkts decaps: 61881, #pkts decrypt: 61881, #pkts verify: 61881
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 2131

     local crypto endpt.: 78.xx.xxx.48, remote crypto endpt.: 85.xxx.xxx.153
     path mtu 1500, ip mtu 1500, ip mtu idb Virtual-Access4
     current outbound spi: 0xFCF8F1F7(4244173303)

     inbound esp sas:
      spi: 0x187893F5(410555381)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3007, flow_id: FPGA:7, crypto map: VPN-Map-1
        sa timing: remaining key lifetime (k/sec): (4468917/1553)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xFCF8F1F7(4244173303)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3008, flow_id: FPGA:8, crypto map: VPN-Map-1
        sa timing: remaining key lifetime (k/sec): (4468318/1548)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Mark,

as you mentioned :-

"The remote subnet area of the vigor router have a more button where I added all the other spoke network addresses in, 192.168.78.0/24 is included in the vigor on subnet 182.168.88.0."

on each of the Vigor , you need to point all internal subnets to the HUB not to any other Vigor, as you are trying to do routing between the Vigors to use HUB as next hop. so that this exmaple :-

vigor1  has subnet 192.168.20.0/24

HUB has 192.168.21.0/24

Vigor 2 has 192.168.22.0/24

so if you want the Traffic to from vigor1 to Vigor2 should use HUB as its transit then :-

1> On Vigor 1 , you will define interesting as 192.168.20.0/24 -- > 192.168.21.0/24

                                                                                         --> 192.168.22.0/22   but the remote endpoint will only be HUB.

2> on the Hub , you will define interesting traffic as 192.168.21.0/24 --> 192.168.20.0/24

                                                                           192.168.22.0/24 --> 192.168.20.0/24   for Vigor 1

          and     192.168.21.0/24  --> 192.168.22.0/24

                     192.168.20.0/24 -- > 192.168.22.0/24  for Vigor 2

3> On Vigor 2 , you will define interesting traffic as 192.168.22.0/24 --> 192.168.21.0/24 & 192.168.20.0/24 to remote end point as HUB only.

This will send traffic from Vigor 1 destined for Vigor 2 to the HUB and then the Hub will forward it to the Vigor 2 & vice versa.

Since your hub to spoke is working fine , then there isn't any issue with ipsec configuration , It just need proper interesting Traffic on site to encrypt and send it on its way.

Manish

I here what your saying, i've removed all references to the other subnets on one of the spokes...

SPOKE 192.168.78.0 ROUTING TABLE

    Key: C - connected, S - static, R - RIP, * - default, ~ - private

    *             0.0.0.0/         0.0.0.0 via 62.xxx.x.204, IF3
    C~       192.168.78.0/   255.255.255.0 is directly connected, IF0
    C         192.168.2.0/   255.255.255.0 is directly connected, IF0
    S~        192.168.6.0/   255.255.255.0 via 78.xx.xxx.48, IF4

It doesn't work, on the client PC in subnet 192.168.78.0 i try and ping 192.168.108.44 (router) and it times out.

Here is the hub ACL, the hub subnet is 192.168.6.0 and above shows that it's connected via static route. From 192.168.78.0 I can communicate with 192.168.6.0 but not with 192.168.108.0.

ip access-list extended burtonstores
permit ip 192.168.108.0 0.0.0.255 192.168.78.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 192.168.78.0 0.0.0.255

ip access-list extended glasgow
permit ip 192.168.6.0 0.0.0.255 192.168.108.0 0.0.0.255
permit ip 192.168.78.0 0.0.0.255 192.168.108.0 0.0.0.255