11-29-2010 01:42 PM
Hi All,
I have a problem with my config; it's a hub-and-spoke setup with 7 spokes. The hub network address is 192.168.6.0.
I would like the spoke sites to be able to communicate with other spokes via the hub. The spoke sites are Vigor routers and the hub is a Cisco 1842; the routing table is present on the Vigors. I'm presuming it's an ACL problem, but I've spent the last 3 hrs trying to figure this one out and have got nowhere. Can anyone assist?
Also I have NAT'd ports 80 and 443, which work fine from outside the local LAN but do not work inside. Anyone got any suggestions?
Thanks
Mark
192.168.6.0 HUB
192.168.18.0 SPOKE
192.168.23.0 SPOKE
192.168.28.0 SPOKE
192.168.48.0 SPOKE
192.168.78.0 SPOKE
192.168.88.0 SPOKE
192.168.108.0 SPOKE
10.0.0.0 SPOKE
Current configuration : 4558 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BURTON
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxx
!
no aaa new-model
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip name-server 62.xx.x.2
ip name-server 195.xxx.xxx.10
!
!
crypto pki trustpoint TP-self-signed-692553461
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-692553461
revocation-check none
rsakeypair TP-self-signed-692553461
!
!
crypto pki certificate chain TP-self-signed-692553461
certificate self-signed 01
quit
!
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxxxxxxxxx address 77.xxx.xxx.176
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.85
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.9
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.81
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.228
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.153
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.10
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.61
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
crypto ipsec transform-set cm-transformset-1 esp-des esp-sha-hmac
crypto ipsec transform-set this_should_work esp-des esp-sha-hmac
!
crypto map VPN-Map-1 10 ipsec-isakmp
set peer 77.xxx.xxx.176
set transform-set this_should_work
match address stores
!
crypto map VPN-Map-1 11 ipsec-isakmp
set peer 85.xxx.xxx.85
set transform-set this_should_work
match address dalby
!
crypto map VPN-Map-1 12 ipsec-isakmp
set peer 85.xxx.xxx.9
set transform-set this_should_work
match address braintree
!
crypto map VPN-Map-1 13 ipsec-isakmp
set peer 85.xxx.xxx.81
set transform-set this_should_work
match address corby
!
crypto map VPN-Map-1 14 ipsec-isakmp
set peer 85.xxx.xxx.228
set transform-set this_should_work
match address glasgow
!
crypto map VPN-Map-1 15 ipsec-isakmp
set peer 85.xxx.xxx.153
set transform-set this_should_work
match address hadleigh
!
crypto map VPN-Map-1 16 ipsec-isakmp
set peer 85.xxx.xxx.10
set transform-set this_should_work
match address northwich
!
crypto map VPN-Map-1 17 ipsec-isakmp
set peer 85.xxx.xxx.61
set transform-set this_should_work
match address wycombe
!
!
!
interface FastEthernet0/0
description $ETH-LAN$
ip address 192.168.6.40 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface ATM0/1/0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp reliable-link
ppp authentication chap callin
ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ppp chap password 0 xxxxxxxx
ppp ipcp dns request
ppp link reorders
ppp multilink
ppp multilink slippage mru 16
ppp multilink fragment delay 10
ppp multilink interleave
ppp multilink multiclass
crypto map VPN-Map-1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
!
ip access-list extended corby
permit ip 192.168.6.0 0.0.0.255 192.168.18.0 0.0.0.255
ip access-list extended northwich
permit ip 192.168.6.0 0.0.0.255 192.168.23.0 0.0.0.255
ip access-list extended wycombe
permit ip 192.168.6.0 0.0.0.255 192.168.28.0 0.0.0.255
ip access-list extended hadleigh
permit ip 192.168.6.0 0.0.0.255 192.168.48.0 0.0.0.255
ip access-list extended stores
permit ip 192.168.6.0 0.0.0.255 192.168.78.0 0.0.0.255
ip access-list extended dalby
permit ip 192.168.6.0 0.0.0.255 192.168.88.0 0.0.0.255
ip access-list extended glasgow
permit ip 192.168.6.0 0.0.0.255 192.168.108.0 0.0.0.255
ip access-list extended braintree
permit ip 192.168.6.0 0.0.0.255 10.0.0.0 0.0.0.255
ip access-list extended Internet-inbound-ACL
permit udp host 77.xxx.xxx.176 any eq isakmp
permit esp host 77.xxx.xxx.176 any
permit udp host 85.xxx.xxx.85 any eq isakmp
permit esp host 85.xxx.xxx.85 any
permit udp host 85.xxx.xxx.9 any eq isakmp
permit esp host 85.xxx.xxx.9 any
permit udp host 85.xxx.xxx.81 any eq isakmp
permit esp host 85.xxx.xxx.81 any
permit udp host 85.xxx.xxx.228 any eq isakmp
permit esp host 85.xxx.xxx.228 any
permit udp host 85.xxx.xxx.153 any eq isakmp
permit esp host 85.xxx.xxx.153 any
permit udp host 85.xxx.xxx.10 any eq isakmp
permit esp host 85.xxx.xxx.10 any
permit udp host 85.xxx.xxx.61 any eq isakmp
permit esp host 85.xxx.xxx.61 any
!
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.78.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.88.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.48.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.28.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.108.0 0.0.0.255
access-list 100 permit ip 192.168.6.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RO
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password xxxxxxxxxxxxxxx
login
!
scheduler allocate 20000 1000
end
01-18-2011 08:12 AM
Hi Manish,
I was wondering if you can help me please.
I've just replaced one of the vigor routers with a cisco 1841 as a spoke to the main hub.
I'm getting this though...
*Jan 18 14:58:46.147: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 78.xx.xxx.48
This is my spoke config...
#############################################################################
Current configuration : 6571 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname DALBY
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$iFwB$xxxxxxxxxxxxxxxx.
enable password xxxxxxxxxx
!
no aaa new-model
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip name-server 62.121.0.2
ip name-server 195.54.225.10
!
!
crypto pki trustpoint TP-self-signed-692553461
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-692553461
revocation-check none
rsakeypair TP-self-signed-692553461
!
!
crypto pki certificate chain TP-self-signed-692553461
certificate self-signed 01
quit
!
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key Dalby%19 address 78.xx.xxx.48
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
crypto ipsec transform-set cm-transformset-1 esp-des esp-sha-hmac
crypto ipsec transform-set this_should_work esp-des esp-sha-hmac
crypto ipsec transform-set cm-transformset-2 esp-des esp-md5-hmac
!
crypto map VPN-Map-1 11 ipsec-isakmp
set peer 78.xx.xxx.48
set transform-set this_should_work
set pfs group2
match address burton
!
!
!
interface FastEthernet0/0
description $ETH-LAN$
ip address 192.168.88.40 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
no cdp enable
!
interface ATM0/0/0
no ip address
no ip route-cache cef
no ip route-cache
no ip mroute-cache
atm restart timer 300
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface ATM0/1/0
no ip address
no ip route-cache cef
no ip route-cache
no ip mroute-cache
atm restart timer 300
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip route-cache cef
no ip route-cache
dialer pool 1
dialer-group 1
ppp reliable-link
ppp authentication chap callin
ppp chap hostname xxxxxxxxxxxxxxxxxxxxxx
ppp chap password 0 xxxxxxxxxx
ppp ipcp dns request
ppp link reorders
ppp multilink
ppp multilink slippage mru 16
ppp multilink fragment delay 10
ppp multilink interleave
ppp multilink multiclass
crypto map VPN-Map-1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 192.168.88.30 25 78.xx.xxx.245 25 extendable
ip nat inside source static tcp 192.168.88.30 80 78.xx.xxx.245 80 extendable
ip nat inside source static tcp 192.168.88.30 443 78.xx.xxx.245 443 extendable
ip nat inside source static tcp 192.168.88.45 443 78.xx.xxx.246 443 extendable
!
ip access-list extended Internet-inbound-ACL
permit udp host 78.xx.xx.48 any eq isakmp
permit esp host 78.xx.xx.48 any
permit udp host 78.xx.xx.188 any eq isakmp
permit esp host 78.xx.xx.188 any
ip access-list extended braintree
permit ip any 10.0.0.0 0.0.0.255
ip access-list extended burton
permit ip any 192.168.6.0 0.0.0.255
ip access-list extended burtonstores
permit ip any 192.168.78.0 0.0.0.255
ip access-list extended corby
permit ip any 192.168.18.0 0.0.0.255
ip access-list extended dalby
permit ip any 192.168.88.0 0.0.0.255
ip access-list extended glasgow
permit ip any 192.168.108.0 0.0.0.255
ip access-list extended hadleigh
permit ip any 192.168.48.0 0.0.0.255
ip access-list extended northwich
permit ip any 192.168.23.0 0.0.0.255
ip access-list extended wycombe
permit ip any 192.168.28.0 0.0.0.255
!
access-list 100 deny ip 192.168.88.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 100 deny ip 192.168.88.0 0.0.0.255 192.168.78.0 0.0.0.255
access-list 100 deny ip 192.168.88.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 100 deny ip 192.168.88.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny ip 192.168.88.0 0.0.0.255 192.168.48.0 0.0.0.255
access-list 100 deny ip 192.168.88.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 100 deny ip 192.168.88.0 0.0.0.255 192.168.28.0 0.0.0.255
access-list 100 deny ip 192.168.88.0 0.0.0.255 192.168.108.0 0.0.0.255
access-list 100 permit ip 192.168.88.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RO
!
!
control-plane
!
banner motd ^CCC
******************************************
* Welcome to xxxxxxxxxxxxxxxxx
* Dalby Router
* Unauthorized access prohibited
******************************************
^C
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
password xxxxxxxxxx%18
login
!
scheduler allocate 20000 1000
no process cpu extended
no process cpu autoprofile hog
end
My hub config.....
####################################################################
Current configuration : 8449 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BURTON
!
boot-start-marker
boot-end-marker
!
enable secret 5 $xxxxxxxxxxxxxxxxxxxxxxxx.
enable password xxxxxxxxxx
!
no aaa new-model
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip name-server 62.121.0.2
ip name-server 195.54.225.10
!
!
crypto pki trustpoint TP-self-signed-561592686
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-561592686
revocation-check none
rsakeypair TP-self-signed-561592686
!
!
crypto pki certificate chain TP-self-signed-561592686
certificate self-signed 01
quit
!
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key Braxxxe%20 address 85.xxx.xxx.9
crypto isakmp key Nordddd%24x address 85.xx.xxx.10
crypto isakmp key Burxxxst%18 address 78.xx.xxx.82
crypto isakmp key Corxxxx%21 address 78.xx.xxx.179
crypto isakmp key Glaxsxxx%22 address 78.xx.xxx.181
crypto isakmp key Haxxxxh%23 address 78.xx.xxx.180
crypto isakmp key Wyxxxe%25 address 78.xx.xxx.178
crypto isakmp key Daxxxx%19 address 78.xx.xxx.188
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
crypto ipsec transform-set cm-transformset-1 esp-des esp-sha-hmac
crypto ipsec transform-set this_should_work esp-des esp-sha-hmac
crypto ipsec transform-set cm-transformset-2 esp-des esp-md5-hmac
!
crypto map VPN-Map-1 10 ipsec-isakmp
set peer 78.xx.xxx.82
set transform-set cm-transformset-2
match address burtonstores
crypto map VPN-Map-1 11 ipsec-isakmp
set peer 78.xx.xxx.188
set transform-set this_should_work
set pfs group2
match address dalby
crypto map VPN-Map-1 12 ipsec-isakmp
set peer 85.xxx.xxx.9
set transform-set this_should_work
match address braintree
crypto map VPN-Map-1 13 ipsec-isakmp
set peer 78.xx.xxx.179
set transform-set this_should_work
match address corby
crypto map VPN-Map-1 14 ipsec-isakmp
set peer 78.xx.xxx.181
set transform-set cm-transformset-2
match address glasgow
crypto map VPN-Map-1 15 ipsec-isakmp
set peer 78.xx.xxx.180
set transform-set this_should_work
match address hadleigh
crypto map VPN-Map-1 16 ipsec-isakmp
set peer 85.xxx.xxx.10
set transform-set this_should_work
match address northwich
crypto map VPN-Map-1 17 ipsec-isakmp
set peer 78.xx.xxx.178
set transform-set this_should_work
match address wycombe
!
!
!
interface FastEthernet0/0
description $ETH-LAN$
ip address 192.168.6.40 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
no cdp enable
!
interface ATM0/0/0
no ip address
no ip route-cache cef
no ip route-cache
no ip mroute-cache
atm restart timer 300
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface ATM0/1/0
no ip address
no ip route-cache cef
no ip route-cache
no ip mroute-cache
atm restart timer 300
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip route-cache cef
no ip route-cache
dialer pool 1
dialer-group 1
ppp reliable-link
ppp authentication chap callin
ppp chap hostname xxxxxxxxxxxxxxxx
ppp chap password 0 xxxxxxxxxxxxxx
ppp ipcp dns request
ppp link reorders
ppp multilink
ppp multilink slippage mru 16
ppp multilink fragment delay 10
ppp multilink interleave
ppp multilink multiclass
crypto map VPN-Map-1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 192.168.6.45 1723 interface Dialer0 1723
ip nat inside source static tcp 192.168.6.65 25 78.xx.xxx.48 25 extendable
ip nat inside source static tcp 192.168.6.65 80 78.xx.xxx.48 80 extendable
ip nat inside source static tcp 192.168.6.65 443 78.xx.xxx.48 443 extendable
ip nat inside source static tcp 192.168.6.30 80 78.xx.xxx.62 80 extendable
ip nat inside source static tcp 192.168.6.30 443 78.xx.xxx.62 443 extendable
!
ip access-list extended Internet-inbound-ACL
permit udp host 85.xxx.xxx.85 any eq isakmp
permit esp host 85.xxx.xxx.85 any
permit udp host 85.xxx.xxx.9 any eq isakmp
permit esp host 85.xxx.xxx.9 any
permit udp host 85.xxx.xxx.10 any eq isakmp
permit esp host 85.xxx.xxx.10 any
permit udp host 78.xx.xxx.82 any eq isakmp
permit esp host 78.xx.xxx.82 any
permit udp host 78.xx.xxx.178 any eq isakmp
permit esp host 78.xx.xxx.178 any
permit udp host 78.xx.xxx.179 any eq isakmp
permit esp host 78.xx.xxx.179 any
permit udp host 78.xx.xxx.180 any eq isakmp
permit esp host 78.xx.xxx.180 any
permit udp host 78.xx.xxx.181 any eq isakmp
permit esp host 78.xx.xxx.181 any
permit udp host 78.xx.xxx.188 any eq isakmp
permit esp host 78.xx.xxx.188 any
ip access-list extended braintree
permit ip any 10.0.0.0 0.0.0.255
ip access-list extended burtonstores
permit ip any 192.168.78.0 0.0.0.255
ip access-list extended corby
permit ip any 192.168.18.0 0.0.0.255
ip access-list extended dalby
permit ip any 192.168.88.0 0.0.0.255
ip access-list extended glasgow
permit ip any 192.168.108.0 0.0.0.255
ip access-list extended hadleigh
permit ip any 192.168.48.0 0.0.0.255
ip access-list extended northwich
permit ip any 192.168.23.0 0.0.0.255
ip access-list extended wycombe
permit ip any 192.168.28.0 0.0.0.255
!
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.78.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.88.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.48.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.28.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.108.0 0.0.0.255
access-list 100 permit ip 192.168.6.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RO
snmp-server community private RW
!
!
control-plane
!
banner motd ^CC
******************************************
* Welcome to xxxxxxxxxxxx
* Burton Router
* Unauthorized access prohibited
******************************************
^C
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
password xxxxxxxxxxxxx%18
login
!
scheduler allocate 20000 1000
no process cpu extended
no process cpu autoprofile hog
end
###############################################
This is shown on the spoke:
DALBY#show crypto isakmp sa
dst src state conn-id slot status
78.xx.xxx.48 78.xx.xxx.188 QM_IDLE 69 0 ACTIVE
78.xx.xxx.48 78.xx.xxx.188 MM_NO_STATE 68 0 ACTIVE (deleted)
It looks like it's failing on phase 2 (this is on the spoke):
*Jan 18 15:27:38.431: map_db_find_best did not find matching map
*Jan 18 15:27:38.431: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 78.xx.xxx.188
*Jan 18 15:27:38.431: ISAKMP:(0:72:SW:1): IPSec policy invalidated proposal
*Jan 18 15:27:38.431: ISAKMP:(0:72:SW:1): phase 2 SA policy not acceptable! (local 78.xx.xxx.188 remote 78.xx.xxx.48)
If you could help I would be extremely grateful.
01-18-2011 10:38 AM
Mark,
The error "*Jan 18 14:58:46.147: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 78.xx.xxx.48"
is generally due to a phase policy mismatch. I haven't had a chance to check the complete config, but you should recheck the following on both hub and spoke.
Verify that the phase 1 policy is on both peers, and ensure that all the attributes match.
Encryption: DES or 3DES
Hash: MD5 or SHA
Diffie-Hellman Group: 1 or 2
Authentication: {rsa-sig | rsa-encr | pre-share}
01-18-2011 12:23 PM
Hi Manish,
Thanks for the reply, got it sorted now; I had my ACLs the wrong way round on the spoke.
Bad
ip access-list extended dalby
permit ip any 192.168.88.0 0.0.0.255
Good
ip access-list extended dalby
permit ip 192.168.88.0 0.0.0.255 any
01-18-2011 02:01 PM
I've applied the above ACL to the hub and the VPN is now up and working, but local clients at the site cannot access the internet.
Do you have any ideas what could be wrong?
Thanks
Mark
01-18-2011 02:06 PM
Mark,
On what router did you make the ACL changes that you mentioned?
Thanks
Manish
01-18-2011 02:08 PM
Manish,
The changes were made on the spoke router
Thanks
Mark
01-18-2011 02:21 PM
Hi Mark,
It is kinda confusing right now, as you mentioned "applied changes to Hub" and now you are saying the spoke.
Please attach the config of both Cisco devices and I will review it again. I know it's a minor change that you would require, but since it's a live environment I don't want to mess up things, since I know you have various Vigors connecting to the hub Cisco already.
Manish
01-18-2011 02:32 PM
Oh sorry, it was meant to say Spoke! I think the 10 hours trying to sort this out is getting the better of me!
I've kinda broken the spoke at the moment and can't access it now, so I'm going to have to wait until tomorrow to get you the full config, but below under "Spoke ACLs" should be the only part I've changed. I made the ACL change on the spoke, removed the crypto and the internet was working; as soon as I apply it to the dialer the VPN works but no internet.
Hub ACLs
ip access-list extended braintree
permit ip any 10.0.0.0 0.0.0.255
ip access-list extended burtonstores
permit ip any 192.168.78.0 0.0.0.255
ip access-list extended corby
permit ip any 192.168.18.0 0.0.0.255
ip access-list extended dalby
permit ip any 192.168.88.0 0.0.0.255
ip access-list extended glasgow
permit ip any 192.168.108.0 0.0.0.255
ip access-list extended hadleigh
permit ip any 192.168.48.0 0.0.0.255
ip access-list extended northwich
permit ip any 192.168.23.0 0.0.0.255
ip access-list extended wycombe
permit ip any 192.168.28.0 0.0.0.255
!
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.78.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.88.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.48.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.28.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.108.0 0.0.0.255
access-list 100 permit ip 192.168.6.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RO
Spoke ACLs
ip access-list extended Internet-inbound-ACL
permit udp host 78.xx.xx.48 any eq isakmp
permit esp host 78.xx.xx.48 any
ip access-list extended dalby
permit ip 192.168.88.0 0.0.0.255 any
!
access-list 100 deny ip 192.168.88.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 100 deny ip 192.168.88.0 0.0.0.255 192.168.78.0 0.0.0.255
access-list 100 deny ip 192.168.88.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 100 deny ip 192.168.88.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny ip 192.168.88.0 0.0.0.255 192.168.48.0 0.0.0.255
access-list 100 deny ip 192.168.88.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 100 deny ip 192.168.88.0 0.0.0.255 192.168.28.0 0.0.0.255
access-list 100 deny ip 192.168.88.0 0.0.0.255 192.168.108.0 0.0.0.255
access-list 100 permit ip 192.168.88.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RO
01-18-2011 02:45 PM
OK, you will need to make changes on both HUB and Spoke (since none of them is Vigor anymore) :-
Hub :-
from
ip access-list extended dalby
permit ip any 192.168.88.0 0.0.0.255
to
ip access-list extended dalby
permit ip 192.168.0.0 0.0.255.255 192.168.88.0 0.0.0.255
permit ip 10.0.0.0 0.0.0.255 192.168.88.0 0.0.0.255
Spoke :-
from :
ip access-list extended dalby
permit ip 192.168.88.0 0.0.0.255 any
to :
ip access-list extended dalby
permit ip 192.168.88.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.88.0 0.0.0.255 10.0.0.0 0.0.0.255
Reapply the crypto map
Manish
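To show why the narrowed ACLs above fix both symptoms in this thread, here is a small lint script (an added example, not code from the thread or from Cisco) that parses pasted IOS crypto ACL lines and flags `any` entries and entries whose mirror image is missing on the peer; the function names and the three sample ACL pairs are this example's own, the ACL text itself is copied from the posts above.

```python
"""Lint a hub/spoke pair of IOS crypto ACLs for the two faults in this thread.

Added example; not code from the thread, from Cisco, or from any product.
It parses 'permit ip ...' lines as pasted (network + wildcard, 'host', 'any')
and reports:
  ANY       - an entry with 'any' on either side. 'any' as the remote side
              makes every LAN packet, Internet traffic included, a candidate
              for the tunnel; the thread's "VPN up but no Internet" went away
              once the ACL was narrowed to the real prefixes.
  NO_MIRROR - an entry whose mirror image (src/dst swapped) is missing on the
              peer, so IKE quick mode rejects the proxy identities
              ("phase 2 SA policy not acceptable").
"""
import ipaddress


def wildcard_to_prefixlen(wildcard):
    """Convert an IOS wildcard mask (e.g. 0.0.0.255) to a prefix length (24)."""
    netmask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    prefixlen = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return prefixlen


def _take_network(tokens):
    """Consume one address spec from the token list; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    net = ipaddress.ip_network(f"{addr}/{wildcard_to_prefixlen(wildcard)}",
                               strict=False)
    return net, tokens[2:]


def parse_crypto_acl(text):
    """Return [(src_net, dst_net), ...] for every 'permit ip' line in text."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:2] != ["permit", "ip"]:
            continue  # skips the 'ip access-list extended' header and '!'
        src, rest = _take_network(tokens[2:])
        dst, _ = _take_network(rest)
        entries.append((src, dst))
    return entries


def lint_pair(hub_text, spoke_text):
    """Return a list of (code, message) findings for a hub/spoke ACL pair."""
    hub = parse_crypto_acl(hub_text)
    spoke = parse_crypto_acl(spoke_text)
    findings = []
    for side, entries in (("hub", hub), ("spoke", spoke)):
        for src, dst in entries:
            if src.prefixlen == 0 or dst.prefixlen == 0:
                findings.append(("ANY", f"{side}: {src} -> {dst} uses 'any'; "
                                 "narrow it to the real LAN prefixes"))
    for side, mine, peer in (("hub", hub, spoke), ("spoke", spoke, hub)):
        peer_mirrored = {(dst, src) for src, dst in peer}
        for src, dst in mine:
            if (src, dst) not in peer_mirrored:
                findings.append(("NO_MIRROR", f"{side}: {src} -> {dst} has no "
                                 f"mirror {dst} -> {src} on the peer"))
    return findings


def codes(findings):
    """Sorted finding codes, convenient for comparing scenarios."""
    return sorted(code for code, _ in findings)


# Sample ACLs copied from the thread: the spoke as first posted (same
# direction as the hub), the interim 'permit ... any' version, and the
# narrowed pair from the reply.
HUB_ANY = "ip access-list extended dalby\n permit ip any 192.168.88.0 0.0.0.255\n"
SPOKE_ORIGINAL = HUB_ANY
SPOKE_INTERIM = "ip access-list extended dalby\n permit ip 192.168.88.0 0.0.0.255 any\n"
HUB_FIXED = ("ip access-list extended dalby\n"
             " permit ip 192.168.0.0 0.0.255.255 192.168.88.0 0.0.0.255\n"
             " permit ip 10.0.0.0 0.0.0.255 192.168.88.0 0.0.0.255\n")
SPOKE_FIXED = ("ip access-list extended dalby\n"
               " permit ip 192.168.88.0 0.0.0.255 192.168.0.0 0.0.255.255\n"
               " permit ip 192.168.88.0 0.0.0.255 10.0.0.0 0.0.0.255\n")

if __name__ == "__main__":
    for label, hub, spoke in (("original", HUB_ANY, SPOKE_ORIGINAL),
                              ("interim", HUB_ANY, SPOKE_INTERIM),
                              ("fixed", HUB_FIXED, SPOKE_FIXED)):
        print(f"== {label} ==")
        for code, message in lint_pair(hub, spoke) or [("OK", "no findings")]:
            print(f"  {code}: {message}")
```

The "original" pair reproduces the quick-mode failure (no mirror), the "interim" pair is the state where the tunnel came up but the Internet stopped, and the "fixed" pair is clean.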
01-18-2011 03:05 PM
Okay thanks for your help again on this.
I'll give this a try tomorrow. Will this make the internet work?
Thanks
Mark
01-18-2011 03:08 PM
It should; otherwise we can always fix it.
Manish
01-19-2011 02:25 AM
Thanks Manish, worked great.
I haven't got the hang of these ACLs yet!
Mark
01-19-2011 04:06 AM
Manish, I'm trying to make sure my SMTP traffic goes out on one of the usable IPs; I've found a guide to modify some ACLs but it doesn't seem to work.
Our SMTP is receiving on 78.xx.xxx.245 and sending out on 78.xx.xxx.188; I'd like to send the traffic out on 78.xx.xxx.245.
I've seen a few suggestions but they all seem very complicated and refer to PIX.
Any ideas?
Thanks
Mark
01-19-2011 09:03 AM
Hi Mark,
The reason that traffic is leaving out of a different interface IP address is because your NAT for the SMTP server is port redirection; to avoid this I think replace the following :-
ip nat inside source static tcp 192.168.88.30 25 78.xx.xxx.245 25 extendable
ip nat inside source static tcp 192.168.88.30 80 78.xx.xxx.245 80 extendable
ip nat inside source static tcp 192.168.88.30 443 78.xx.xxx.245 443 extendable
with :-
ip nat inside source static 192.168.88.30 78.xx.xxx.245
This will do one-to-one static NAT for that server. The problem now is that this opens all the ports for that server, but you can always place an access list on the outside interface (in the inbound direction) to limit access to that public IP according to what your organization feels comfortable with.
Manish
01-19-2011 11:21 AM
Manish, would this work then?
ip access-list extended Internet-inbound-ACL
permit tcp any any eq smtp
permit tcp any any eq www
permit tcp any any eq 443