cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
9704
Views
0
Helpful
78
Replies

Spoke to Spoke routing (VIGOR to CISCO)

markyd1985
Level 1
Level 1

Hi All,

I have a problem with my config, it's a hub and spoke setup with 7 spokes. The hub network address is 192.168.6.0.

I would like the spoke sites to be able to communicate to other spokes via the hub. The spoke site are vigor routers and the hub is a cisco 1842, the routing table is present on the vigors. I'm presuming it's an ACL problem but i've spent the last 3 hrs trying to figure this one out and have got no where, can anyone assist?

Also I have nat'd ports 80, 443 which work fine from outside the local lan but do not work inside? Anyone got any suggestions?

Thanks

Mark

192.168.6.0 HUB

192.168.18.0 SPOKE

192.168.23.0 SPOKE

192.168.28.0 SPOKE

192.168.48.0 SPOKE

192.168.78.0 SPOKE

192.168.88.0 SPOKE

192.168.108.0 SPOKE

10.0.0.0 SPOKE

Current configuration : 4558 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname BURTON

!

boot-start-marker

boot-end-marker

!

enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

enable password xxxxxxxxxxxxxx

!

no aaa new-model

ip cef

!

!

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

!

ip name-server 62.xx.x.2

ip name-server 195.xxx.xxx.10

!

!

crypto pki trustpoint TP-self-signed-692553461

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-692553461

revocation-check none

rsakeypair TP-self-signed-692553461

!

!

crypto pki certificate chain TP-self-signed-692553461

certificate self-signed 01

  3082023C 308201A5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 36393235 35333436 31301E17 0D313031 31323530 39353934

  315A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F

  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3639 32353533

  34363130 819F300D 06092A86 4886F70D 01010105 0003818D 00308xxx 02818100

  BA51CDF7 D418D270 7DCE516E 1ADE6DF5 82FE4507 CD1EBE0A 4B6E4B15 9A3C20ED

  B1D19FC9 63D0B925 0A4611FF CE8D935C 264FC3FE DF8BFAC2 76EC38ED 68115F43

  20A68D85 C04A564E 8BDE86FE 127F79B4 8E123D9C 8430940C BCD5CDA4 ADAAE387

  FA1E14A6 ECF92197 0CF54E89 B33915E7 A4E01EC7 CE45DDF6 AA60D168 38C92E67

  02030100 01A36630 64300F06 03551D13 0101FF04 05300301 01FF3011 0603551D

  11040A30 08820642 5552544F 4E301F06 03551D23 04183016 8014645E 3FDE4E90

  A8773580 81EE4217 F4821238 993A301D 0603551D 0E041604 14645E3F DE4E90A8

  77358081 EE4217F4 82123899 3A300D06 092A8648 86F70D01 01040500 03818100

  914EE910 C1EFCDB3 2C3B277B 45E4149F B8A78E94 94D6558F 7A1D5B45 D057DC02

  1FCF0C28 5B29728B 9480E807 D7E7DF9E 751DD005 E108D94B 6B3FC03B 8EB1603B

  49067084 9AF1E4CA 5B906C74 4D07217A 13FD0113 B721068A 3EC6C990 54101B4B

  FC9860E4 3xxxB064 586EC91D EF7C5A8F 8BBF33C6 29BCF148 A7E2B987 F2A028F8

  quit

!

!

!

!

crypto isakmp policy 1

hash md5

authentication pre-share

group 2

lifetime 3600

!

crypto isakmp policy 5

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key xxxxxxxxxx address 77.xxx.xxx.176

crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.85

crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.9

crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.81

crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.228

crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.153

crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.10

crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.61

!

!

crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs

crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs

crypto ipsec transform-set cm-transformset-1 esp-des esp-sha-hmac

crypto ipsec transform-set this_should_work esp-des esp-sha-hmac

!

crypto map VPN-Map-1 10 ipsec-isakmp

set peer 77.xxx.xxx.176

set transform-set this_should_work

match address stores

!

crypto map VPN-Map-1 11 ipsec-isakmp

set peer 85.xxx.xxx.85

set transform-set this_should_work

match address dalby

!

crypto map VPN-Map-1 12 ipsec-isakmp

set peer 85.xxx.xxx.9

set transform-set this_should_work

match address braintree

!

crypto map VPN-Map-1 13 ipsec-isakmp

set peer 85.xxx.xxx.81

set transform-set this_should_work

match address corby

!

crypto map VPN-Map-1 14 ipsec-isakmp

set peer 85.xxx.xxx.228

set transform-set this_should_work

match address glasgow

!

crypto map VPN-Map-1 15 ipsec-isakmp

set peer 85.xxx.xxx.153

set transform-set this_should_work

match address hadleigh

!

crypto map VPN-Map-1 16 ipsec-isakmp

set peer 85.xxx.xxx.10

set transform-set this_should_work

match address northwich

!

crypto map VPN-Map-1 17 ipsec-isakmp

set peer 85.xxx.xxx.61

set transform-set this_should_work

match address wycombe

!

!

!

interface FastEthernet0/0

description $ETH-LAN$

ip address 192.168.6.40 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

interface ATM0/0/0

no ip address

no ip mroute-cache

no atm ilmi-keepalive

bundle-enable

dsl operating-mode auto

pvc 0/38

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

!

!

interface ATM0/1/0

no ip address

no ip mroute-cache

no atm ilmi-keepalive

bundle-enable

dsl operating-mode auto

pvc 0/38

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

!

!

interface Dialer0

ip address negotiated

ip nat outside

ip virtual-reassembly

encapsulation ppp

dialer pool 1

dialer-group 1

ppp reliable-link

ppp authentication chap callin

ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

ppp chap password 0 xxxxxxxx

ppp ipcp dns request

ppp link reorders

ppp multilink

ppp multilink slippage mru 16

ppp multilink fragment delay 10

ppp multilink interleave

ppp multilink multiclass

crypto map VPN-Map-1

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer0

!

ip http server

ip http secure-server

ip nat inside source list 100 interface Dialer0 overload

!

ip access-list extended corby

permit ip 192.168.6.0 0.0.0.255 192.168.18.0 0.0.0.255

ip access-list extended northwich

permit ip 192.168.6.0 0.0.0.255 192.168.23.0 0.0.0.255

ip access-list extended wycombe

permit ip 192.168.6.0 0.0.0.255 192.168.28.0 0.0.0.255

ip access-list extended hadleigh

permit ip 192.168.6.0 0.0.0.255 192.168.48.0 0.0.0.255

ip access-list extended stores

permit ip 192.168.6.0 0.0.0.255 192.168.78.0 0.0.0.255

ip access-list extended dalby

permit ip 192.168.6.0 0.0.0.255 192.168.88.0 0.0.0.255

ip access-list extended glasgow

permit ip 192.168.6.0 0.0.0.255 192.168.108.0 0.0.0.255

ip access-list extended braintree

permit ip 192.168.6.0 0.0.0.255 10.0.0.0 0.0.0.255

ip access-list extended Internet-inbound-ACL

permit udp host 77.xxx.xxx.176 any eq isakmp

permit esp host 77.xxx.xxx.176 any

permit udp host 85.xxx.xxx.85 any eq isakmp

permit esp host 85.xxx.xxx.85 any

permit udp host 85.xxx.xxx.9 any eq isakmp

permit esp host 85.xxx.xxx.9 any

permit udp host 85.xxx.xxx.81 any eq isakmp

permit esp host 85.xxx.xxx.81 any

permit udp host 85.xxx.xxx.228 any eq isakmp

permit esp host 85.xxx.xxx.228 any

permit udp host 85.xxx.xxx.153 any eq isakmp

permit esp host 85.xxx.xxx.153 any

permit udp host 85.xxx.xxx.10 any eq isakmp

permit esp host 85.xxx.xxx.10 any

permit udp host 85.xxx.xxx.61 any eq isakmp

permit esp host 85.xxx.xxx.61 any

!

access-list 100 deny   ip 192.168.6.0 0.0.0.255 192.168.78.0 0.0.0.255

access-list 100 deny   ip 192.168.6.0 0.0.0.255 192.168.88.0 0.0.0.255

access-list 100 deny   ip 192.168.6.0 0.0.0.255 10.0.0.0 0.0.0.255

access-list 100 deny   ip 192.168.6.0 0.0.0.255 192.168.18.0 0.0.0.255

access-list 100 deny   ip 192.168.6.0 0.0.0.255 192.168.48.0 0.0.0.255

access-list 100 deny   ip 192.168.6.0 0.0.0.255 192.168.23.0 0.0.0.255

access-list 100 deny   ip 192.168.6.0 0.0.0.255 192.168.28.0 0.0.0.255

access-list 100 deny   ip 192.168.6.0 0.0.0.255 192.168.108.0 0.0.0.255

access-list 100 permit ip 192.168.6.0 0.0.0.255 any

dialer-list 1 protocol ip permit

snmp-server community public RO

!

!

control-plane

!

!

line con 0

line aux 0

line vty 0 4

password xxxxxxxxxxxxxxx

login

!

scheduler allocate 20000 1000

end

78 Replies 78

Hmmm okay, im not too sure how to do that

access-list EXEMPT permit ip 192.168.108.0 255.255.255.0 any
access-list EXEMPT permit ip 192.168.78.0 255.255.255.0 any

Anything like this?

Nevermind the ACL , just paste debug crypto ipsec sa output when pinging.

Manish

Extended IP access list 100
    10 deny ip 192.168.6.0 0.0.0.255 192.168.18.0 0.0.0.255 (673 matches)
    20 deny ip 192.168.6.0 0.0.0.255 192.168.78.0 0.0.0.255 (2 matches)
    30 deny ip 192.168.6.0 0.0.0.255 192.168.88.0 0.0.0.255 (233 matches)
    40 deny ip 192.168.6.0 0.0.0.255 10.0.0.0 0.0.0.255 (661 matches)
    50 deny ip 192.168.6.0 0.0.0.255 192.168.48.0 0.0.0.255 (470 matches)
    60 deny ip 192.168.6.0 0.0.0.255 192.168.23.0 0.0.0.255 (3092 matches)
    70 deny ip 192.168.6.0 0.0.0.255 192.168.28.0 0.0.0.255 (875 matches)
    80 deny ip 192.168.6.0 0.0.0.255 192.168.108.0 0.0.0.255 (763 matches)
    90 permit ip 192.168.6.0 0.0.0.255 any (1318 matches)

Not alot came up just

BURTON#debug crypto ipsec
Crypto IPSEC debugging is on
BURTON#term monitor

*Nov 30 21:13:34.311: IPSEC(epa_des_crypt): decrypted packet failed SA identity
check
*Nov 30 21:13:35.523: IPSEC(epa_des_crypt): decrypted packet failed SA identity
check
*Nov 30 21:13:36.311: IPSEC(epa_des_crypt): decrypted packet failed SA identity
check
*Nov 30 21:13:38.315: IPSEC(epa_des_crypt): decrypted packet failed SA identity
check
*Nov 30 21:13:40.323: IPSEC(epa_des_crypt): decrypted packet failed SA identity
check

Nevermind the ACL ( It is already denying everything else ), just paste debug crypto ipsec sa output when pinging.

Manish

Ok Mark , the error you are getting is because the CRYPTO ACL on cisco is

not match on other end Vigor.

for example :-

hostname house
match address 101
access-list 101 permit ip host 11.11.11.12 host 11.11.11.11
!

hostname light
match address 100
access-list 100 permit ip host 12.12.12.12 host 14.14.14.14

This output is taken from the side_A initiating ping:

nothing

light#show crypto engine connections active

  ID Interface       IP-Address      State  Algorithm           Encrypt  Decrypt
2000 Ethernet2/1     11.11.11.11     set    DES_56_CBC                5        0
2001 Ethernet2/1     11.11.11.11     set    DES_56_CBC                0        0

This output is taken from the side_B when side_A is initiating ping:

house#
1d00h: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
1d00h: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
1d00h: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
1d00h: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
1d00h: IPSEC(epa_des_crypt): decrypted packet failed SA identity check

Check and try to Match the acl's on Vigor side with the one you have cisco side.

Manish

Also Check this Important Information about Vigor holding ipsec sa.

https://supportforums.cisco.com/thread/257320?decorator=print&displayFullThread=true

Manish

So the vigors can only keep one IPSEC SA between two hosts. That explains the message "decrypted packet failed SA identity check".

It does say

"After some other testing I changed Local LANs to 172.27.241.96/27  (spoke) and 0.0.0.0/0 (hub) and statically routed necessary traffic to  IPSEC tunnel on Vigor and it started to work."


Any ideas what this means?

Thanks

Mark

I think what he is trying to say is to create the crypto ACL on both ends to be something like :-

Vigor 1 :-

local lan = 192.168.78.0/24

remote lan = 0/0 ( any ) and then statically route 192.168.x.x to vpn tunnel and rest to default gateway.

on cisco =

crypto acl should be something like :-

access-list crypto_1 permit any 192.168.78.0 0.0.0.255

you can try this out but I am not sure how it will work out. Even though it solves the problem of SA Identity Check.

Manish

Right, we have progress. That works, but...


The client pc on 192.168.108.0 cannot access the internet any longer?

    Key: C - connected, S - static, R - RIP, * - default, ~ - private

    *             0.0.0.0/         0.0.0.0 via 85.xxx.xxx.246, IF3
    C~      192.168.108.0/   255.255.255.0 is directly connected, IF0
    S~       192.168.78.0/   255.255.255.0 via 78.xx.xxx.48, IF5
    S        78.25.240.48/ 255.255.255.255 via 85.xx.xxx.246, IF3
    S~        192.168.6.0/   255.255.255.0 via 78.xx.xxx.48, IF5
    C       192.168.208.0/   255.255.255.0 is directly connected, IF0

Yup I feared that it will stop your internet access as it will start sending all traffic to the hub. try replacing 0/0 on the routers with 192.168.0.0/16 ( 192.168.0.0 0.0.255.255 ) . This will do it i think & hope .

Manish

Hi Manish

Well what can I say, amazing!

That worked great, can ping the remote site and access the internet. Tomorrow i'll change the other spokes to the same configuration and hopefully it will all work fingers crossed.

I would like to say thanks as well, without your expertise I would have been well and truly in the dark.

Thanks you very much.

Mark

Happy to help Mark, also please mark this thread answered , it will be helpful for others trying to figure out VIGOR routers

Manish

Hi Manish


One of our subnet's is 10.0.0.0 and it looks like these vigors can only handle ona sa.

When i try and ping from 10.0.0.0 Spoke A to 192.168.78.0 to Spoke B it drops the sa and creates one between these two hosts but then the hub cannot talk to 192.168.78.0.


I think we may have to change this subnet to begin with 192.168.x.x

Do you think 10.0.0.0 is the problem?

Thanks

Mark

Hello Mark,

umm , we missed 10.x.x.x network , anyways here are few options that we can you use ( starting from the easiest -- from Network point of view   ) :-

1> Change the 10.x.x.x subnet to 192.168.x.x Network ( I know system guys would hate this ) .

2> change our network on all Vigors to 0.0.0.0/0 and place 253 static routes on each of the vigor router like :-

1.0.0.0/8

2.0.0.0/8

3.0.0.0/8 all pointing to the default gateway of the vigor for Internet traffic. just do not include 10.0.0.0/8 & 192.168.0.0/16 in that static routing table.

3> do a destination based NAT on the 10.x.x.x vigor that nat the source ip from 10.0.0.0/24 to something in 192.168.x.x network when the destination is 192.168.x.x ( don't know how it will be done on the vigor --or if its even possible on vigor ).

I hope that someone else can input as well if I missed any option.

Manish