11-29-2010 01:42 PM
Hi All,
I have a problem with my config, it's a hub and spoke setup with 7 spokes. The hub network address is 192.168.6.0.
I would like the spoke sites to be able to communicate with other spokes via the hub. The spoke sites are Vigor routers and the hub is a Cisco 1842; the routing table is present on the Vigors. I'm presuming it's an ACL problem, but I've spent the last 3 hrs trying to figure this one out and have got nowhere. Can anyone assist?
Also I have NAT'd ports 80 and 443, which work fine from outside the local LAN but do not work inside. Anyone got any suggestions?
Thanks
Mark
192.168.6.0 HUB
192.168.18.0 SPOKE
192.168.23.0 SPOKE
192.168.28.0 SPOKE
192.168.48.0 SPOKE
192.168.78.0 SPOKE
192.168.88.0 SPOKE
192.168.108.0 SPOKE
10.0.0.0 SPOKE
Current configuration : 4558 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BURTON
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxx
!
no aaa new-model
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip name-server 62.xx.x.2
ip name-server 195.xxx.xxx.10
!
!
crypto pki trustpoint TP-self-signed-692553461
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-692553461
revocation-check none
rsakeypair TP-self-signed-692553461
!
!
crypto pki certificate chain TP-self-signed-692553461
certificate self-signed 01
3082023C 308201A5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 36393235 35333436 31301E17 0D313031 31323530 39353934
315A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3639 32353533
34363130 819F300D 06092A86 4886F70D 01010105 0003818D 00308xxx 02818100
BA51CDF7 D418D270 7DCE516E 1ADE6DF5 82FE4507 CD1EBE0A 4B6E4B15 9A3C20ED
B1D19FC9 63D0B925 0A4611FF CE8D935C 264FC3FE DF8BFAC2 76EC38ED 68115F43
20A68D85 C04A564E 8BDE86FE 127F79B4 8E123D9C 8430940C BCD5CDA4 ADAAE387
FA1E14A6 ECF92197 0CF54E89 B33915E7 A4E01EC7 CE45DDF6 AA60D168 38C92E67
02030100 01A36630 64300F06 03551D13 0101FF04 05300301 01FF3011 0603551D
11040A30 08820642 5552544F 4E301F06 03551D23 04183016 8014645E 3FDE4E90
A8773580 81EE4217 F4821238 993A301D 0603551D 0E041604 14645E3F DE4E90A8
77358081 EE4217F4 82123899 3A300D06 092A8648 86F70D01 01040500 03818100
914EE910 C1EFCDB3 2C3B277B 45E4149F B8A78E94 94D6558F 7A1D5B45 D057DC02
1FCF0C28 5B29728B 9480E807 D7E7DF9E 751DD005 E108D94B 6B3FC03B 8EB1603B
49067084 9AF1E4CA 5B906C74 4D07217A 13FD0113 B721068A 3EC6C990 54101B4B
FC9860E4 3xxxB064 586EC91D EF7C5A8F 8BBF33C6 29BCF148 A7E2B987 F2A028F8
quit
!
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxxxxxxxxx address 77.xxx.xxx.176
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.85
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.9
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.81
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.228
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.153
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.10
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.61
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
crypto ipsec transform-set cm-transformset-1 esp-des esp-sha-hmac
crypto ipsec transform-set this_should_work esp-des esp-sha-hmac
!
crypto map VPN-Map-1 10 ipsec-isakmp
set peer 77.xxx.xxx.176
set transform-set this_should_work
match address stores
!
crypto map VPN-Map-1 11 ipsec-isakmp
set peer 85.xxx.xxx.85
set transform-set this_should_work
match address dalby
!
crypto map VPN-Map-1 12 ipsec-isakmp
set peer 85.xxx.xxx.9
set transform-set this_should_work
match address braintree
!
crypto map VPN-Map-1 13 ipsec-isakmp
set peer 85.xxx.xxx.81
set transform-set this_should_work
match address corby
!
crypto map VPN-Map-1 14 ipsec-isakmp
set peer 85.xxx.xxx.228
set transform-set this_should_work
match address glasgow
!
crypto map VPN-Map-1 15 ipsec-isakmp
set peer 85.xxx.xxx.153
set transform-set this_should_work
match address hadleigh
!
crypto map VPN-Map-1 16 ipsec-isakmp
set peer 85.xxx.xxx.10
set transform-set this_should_work
match address northwich
!
crypto map VPN-Map-1 17 ipsec-isakmp
set peer 85.xxx.xxx.61
set transform-set this_should_work
match address wycombe
!
!
!
interface FastEthernet0/0
description $ETH-LAN$
ip address 192.168.6.40 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface ATM0/1/0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp reliable-link
ppp authentication chap callin
ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ppp chap password 0 xxxxxxxx
ppp ipcp dns request
ppp link reorders
ppp multilink
ppp multilink slippage mru 16
ppp multilink fragment delay 10
ppp multilink interleave
ppp multilink multiclass
crypto map VPN-Map-1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
!
ip access-list extended corby
permit ip 192.168.6.0 0.0.0.255 192.168.18.0 0.0.0.255
ip access-list extended northwich
permit ip 192.168.6.0 0.0.0.255 192.168.23.0 0.0.0.255
ip access-list extended wycombe
permit ip 192.168.6.0 0.0.0.255 192.168.28.0 0.0.0.255
ip access-list extended hadleigh
permit ip 192.168.6.0 0.0.0.255 192.168.48.0 0.0.0.255
ip access-list extended stores
permit ip 192.168.6.0 0.0.0.255 192.168.78.0 0.0.0.255
ip access-list extended dalby
permit ip 192.168.6.0 0.0.0.255 192.168.88.0 0.0.0.255
ip access-list extended glasgow
permit ip 192.168.6.0 0.0.0.255 192.168.108.0 0.0.0.255
ip access-list extended braintree
permit ip 192.168.6.0 0.0.0.255 10.0.0.0 0.0.0.255
ip access-list extended Internet-inbound-ACL
permit udp host 77.xxx.xxx.176 any eq isakmp
permit esp host 77.xxx.xxx.176 any
permit udp host 85.xxx.xxx.85 any eq isakmp
permit esp host 85.xxx.xxx.85 any
permit udp host 85.xxx.xxx.9 any eq isakmp
permit esp host 85.xxx.xxx.9 any
permit udp host 85.xxx.xxx.81 any eq isakmp
permit esp host 85.xxx.xxx.81 any
permit udp host 85.xxx.xxx.228 any eq isakmp
permit esp host 85.xxx.xxx.228 any
permit udp host 85.xxx.xxx.153 any eq isakmp
permit esp host 85.xxx.xxx.153 any
permit udp host 85.xxx.xxx.10 any eq isakmp
permit esp host 85.xxx.xxx.10 any
permit udp host 85.xxx.xxx.61 any eq isakmp
permit esp host 85.xxx.xxx.61 any
!
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.78.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.88.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.48.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.28.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.108.0 0.0.0.255
access-list 100 permit ip 192.168.6.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RO
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password xxxxxxxxxxxxxxx
login
!
scheduler allocate 20000 1000
end
11-30-2010 01:11 PM
Hmmm okay, I'm not too sure how to do that.
access-list EXEMPT permit ip 192.168.108.0 255.255.255.0 any
access-list EXEMPT permit ip 192.168.78.0 255.255.255.0 any
Anything like this?
11-30-2010 01:13 PM
Never mind the ACL, just paste the debug crypto ipsec sa output when pinging.
Manish
11-30-2010 01:16 PM
Extended IP access list 100
10 deny ip 192.168.6.0 0.0.0.255 192.168.18.0 0.0.0.255 (673 matches)
20 deny ip 192.168.6.0 0.0.0.255 192.168.78.0 0.0.0.255 (2 matches)
30 deny ip 192.168.6.0 0.0.0.255 192.168.88.0 0.0.0.255 (233 matches)
40 deny ip 192.168.6.0 0.0.0.255 10.0.0.0 0.0.0.255 (661 matches)
50 deny ip 192.168.6.0 0.0.0.255 192.168.48.0 0.0.0.255 (470 matches)
60 deny ip 192.168.6.0 0.0.0.255 192.168.23.0 0.0.0.255 (3092 matches)
70 deny ip 192.168.6.0 0.0.0.255 192.168.28.0 0.0.0.255 (875 matches)
80 deny ip 192.168.6.0 0.0.0.255 192.168.108.0 0.0.0.255 (763 matches)
90 permit ip 192.168.6.0 0.0.0.255 any (1318 matches)
11-30-2010 01:23 PM
Not a lot came up, just:
BURTON#debug crypto ipsec
Crypto IPSEC debugging is on
BURTON#term monitor
*Nov 30 21:13:34.311: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
*Nov 30 21:13:35.523: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
*Nov 30 21:13:36.311: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
*Nov 30 21:13:38.315: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
*Nov 30 21:13:40.323: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
11-30-2010 01:23 PM
Never mind the ACL (it is already denying everything else), just paste the debug crypto ipsec sa output when pinging.
Manish
11-30-2010 01:26 PM
Ok Mark, the error you are getting is because the crypto ACL on the Cisco does not match the one on the other end (the Vigor).
For example:
hostname house
match address 101
access-list 101 permit ip host 11.11.11.12 host 11.11.11.11
!
hostname light
match address 100
access-list 100 permit ip host 12.12.12.12 host 14.14.14.14
This output is taken from the side_A initiating ping:
nothing
light#show crypto engine connections active
ID Interface IP-Address State Algorithm Encrypt Decrypt
2000 Ethernet2/1 11.11.11.11 set DES_56_CBC 5 0
2001 Ethernet2/1 11.11.11.11 set DES_56_CBC 0 0
This output is taken from the side_B when side_A is initiating ping:
house#
1d00h: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
1d00h: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
1d00h: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
1d00h: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
1d00h: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Check and try to match the ACLs on the Vigor side with the ones you have on the Cisco side.
Manish
11-30-2010 01:30 PM
Also check this important information about the Vigor holding IPsec SAs.
https://supportforums.cisco.com/thread/257320?decorator=print&displayFullThread=true
Manish
11-30-2010 02:06 PM
So the Vigors can only keep one IPsec SA between two hosts. That explains the message "decrypted packet failed SA identity check".
It does say
"After some other testing I changed Local LANs to 172.27.241.96/27 (spoke) and 0.0.0.0/0 (hub) and statically routed necessary traffic to IPSEC tunnel on Vigor and it started to work."
Any ideas what this means?
Thanks
Mark
11-30-2010 02:22 PM
I think what he is trying to say is to create the crypto ACL on both ends to be something like:
Vigor 1:
local lan = 192.168.78.0/24
remote lan = 0/0 (any), and then statically route 192.168.x.x to the VPN tunnel and the rest to the default gateway.
On the Cisco, the crypto ACL should be something like:
access-list crypto_1 permit any 192.168.78.0 0.0.0.255
You can try this out, but I am not sure how it will work out, even though it solves the problem of the SA identity check.
Manish
11-30-2010 02:56 PM
Right, we have progress. That works, but...
The client PC on 192.168.108.0 cannot access the internet any longer?
Key: C - connected, S - static, R - RIP, * - default, ~ - private
* 0.0.0.0/ 0.0.0.0 via 85.xxx.xxx.246, IF3
C~ 192.168.108.0/ 255.255.255.0 is directly connected, IF0
S~ 192.168.78.0/ 255.255.255.0 via 78.xx.xxx.48, IF5
S 78.25.240.48/ 255.255.255.255 via 85.xx.xxx.246, IF3
S~ 192.168.6.0/ 255.255.255.0 via 78.xx.xxx.48, IF5
C 192.168.208.0/ 255.255.255.0 is directly connected, IF0
11-30-2010 03:00 PM
Yup, I feared that it would stop your internet access, as it will start sending all traffic to the hub. Try replacing 0/0 on the routers with 192.168.0.0/16 (192.168.0.0 0.0.255.255). This will do it, I think and hope.
Manish
11-30-2010 03:10 PM
Hi Manish
Well, what can I say, amazing!
That worked great; I can ping the remote site and access the internet. Tomorrow I'll change the other spokes to the same configuration and hopefully it will all work, fingers crossed.
I would like to say thanks as well; without your expertise I would have been well and truly in the dark.
Thank you very much.
Mark
11-30-2010 03:12 PM
Happy to help Mark. Also, please mark this thread answered; it will be helpful for others trying to figure out Vigor routers.
Manish
12-01-2010 03:36 AM
Hi Manish
One of our subnets is 10.0.0.0, and it looks like these Vigors can only handle one SA.
When I try to ping from 10.0.0.0 (Spoke A) to 192.168.78.0 (Spoke B), it drops the SA and creates one between these two hosts, but then the hub cannot talk to 192.168.78.0.
I think we may have to change this subnet to begin with 192.168.x.x.
Do you think 10.0.0.0 is the problem?
Thanks
Mark
12-01-2010 08:56 AM
Hello Mark,
Umm, we missed the 10.x.x.x network. Anyway, here are a few options we can use (starting from the easiest, from a network point of view):
1> Change the 10.x.x.x subnet to a 192.168.x.x network (I know the system guys would hate this).
2> Change the remote network on all Vigors to 0.0.0.0/0 and place 253 static routes on each of the Vigor routers, like:
1.0.0.0/8
2.0.0.0/8
3.0.0.0/8, all pointing to the default gateway of the Vigor for internet traffic. Just do not include 10.0.0.0/8 and 192.168.0.0/16 in that static routing table.
3> Do a destination-based NAT on the 10.x.x.x Vigor that translates the source IP from 10.0.0.0/24 to something in the 192.168.x.x network when the destination is 192.168.x.x (I don't know how it would be done on the Vigor, or if it's even possible on a Vigor).
I hope that someone else can give input as well if I missed any option.
Manish
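The three problems worked through in this thread (spoke-to-spoke traffic not matching the hub's per-spoke crypto ACLs, the resulting "decrypted packet failed SA identity check" on the receiving side, and the 10.0.0.0/24 spoke falling outside the 192.168.0.0/16 fix) all come down to which source/destination pair an ACL or SA proxy identity covers. The Python model below is an added example, not code from the thread or from Cisco; it reproduces IOS first-match ACL evaluation with an implicit deny, the NAT exemption from access-list 100, the hub's crypto-map selection, and the receiver's proxy-identity check, using the hub and spoke networks listed in the original post. The "before" crypto ACLs are the ones in the posted config; the "after" set assumes Manish's 192.168.0.0/16 wording applied to every spoke. The Vigor side is not modelled.

```python
"""Model of the hub router's outbound path and the receiver's SA identity check.
Added example for the thread above; it is not the router's configuration or any
vendor code. Spoke networks come from the original post; the 'after' ACLs
assume the 192.168.0.0/16 fix applied to every spoke."""
from ipaddress import ip_address, ip_network

HUB = "192.168.6.0/24"
SPOKES = ["192.168.18.0/24", "192.168.23.0/24", "192.168.28.0/24", "192.168.48.0/24",
          "192.168.78.0/24", "192.168.88.0/24", "192.168.108.0/24", "10.0.0.0/24"]


def match_acl(acl, src, dst):
    """First-match evaluation of (action, source_net, dest_net) entries.
    Nothing matching means the IOS implicit deny at the end of every ACL."""
    src, dst = ip_address(src), ip_address(dst)
    for action, s, d in acl:
        if src in ip_network(s) and dst in ip_network(d):
            return action
    return "deny"


# access-list 100 as posted: hub LAN -> spoke is exempt from NAT, everything
# else from the hub LAN is translated to the Dialer0 address.
NAT_ACL = [("deny", HUB, s) for s in SPOKES] + [("permit", HUB, "0.0.0.0/0")]

# 'before': the posted per-spoke crypto ACLs (hub LAN <-> that spoke only).
CRYPTO_BEFORE = {s: [("permit", HUB, s)] for s in SPOKES}
# 'after': Manish's suggestion, 192.168.0.0/16 <-> that spoke (assumed for all spokes).
CRYPTO_AFTER = {s: [("permit", "192.168.0.0/16", s)] for s in SPOKES}


def outbound(src, dst, crypto_acls):
    """What the hub does with a packet about to leave Dialer0.
    Inside-to-outside NAT is decided before the crypto map is consulted, so a
    permit in list 100 means the packet is translated and leaves in the clear.
    Returns 'nat-clear', 'ipsec:<spoke>' or 'clear' (no NAT, no crypto match:
    forwarded unencrypted along the default route)."""
    if match_acl(NAT_ACL, src, dst) == "permit":
        return "nat-clear"
    for spoke, acl in crypto_acls.items():
        if match_acl(acl, src, dst) == "permit":
            return f"ipsec:{spoke}"
    return "clear"


def sa_identity_check(sa_local, sa_remote, src, dst):
    """Receiver-side check behind 'decrypted packet failed SA identity check':
    the inner packet must sit inside the SA's proxy identities (its crypto ACL),
    i.e. source in the remote network and destination in the local network."""
    return ip_address(src) in ip_network(sa_remote) and ip_address(dst) in ip_network(sa_local)


if __name__ == "__main__":
    # Constructed packets: hub to a spoke, hub to the internet (TEST-NET-3 address),
    # spoke-to-spoke via the hub, and the 10.0.0.0/24 spoke to another spoke.
    cases = [("192.168.6.10", "192.168.78.5"), ("192.168.6.10", "203.0.113.10"),
             ("192.168.108.5", "192.168.78.5"), ("10.0.0.5", "192.168.78.5")]
    for src, dst in cases:
        print(f"{src:>14} -> {dst:<15} before={outbound(src, dst, CRYPTO_BEFORE):<22}"
              f" after={outbound(src, dst, CRYPTO_AFTER)}")
    # Hub receiving spoke-to-spoke traffic over the glasgow SA, before and after the fix.
    print("identity check /24:", sa_identity_check(HUB, "192.168.108.0/24", "192.168.108.5", "192.168.78.5"))
    print("identity check /16:", sa_identity_check("192.168.0.0/16", "192.168.108.0/24", "192.168.108.5", "192.168.78.5"))
```

Running it shows the spoke-to-spoke packet leaving the hub in the clear under the posted ACLs and being encrypted towards the 192.168.78.0/24 spoke once the ACL is widened, while the 10.0.0.5 source still matches nothing, which is why the last post lists renumbering or extra routes as the remaining options.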