Spoke to Spoke routing (VIGOR to CISCO)

markyd1985
Level 1

Hi All,

I have a problem with my config, it's a hub and spoke setup with 7 spokes. The hub network address is 192.168.6.0.

I would like the spoke sites to be able to communicate with other spokes via the hub. The spoke sites are Vigor routers and the hub is a Cisco 1842; the routing table is present on the Vigors. I'm presuming it's an ACL problem, but I've spent the last 3 hrs trying to figure this one out and have got nowhere. Can anyone assist?

Also, I have NAT'd ports 80 and 443, which work fine from outside the local LAN but do not work from inside. Anyone got any suggestions?

Thanks

Mark

192.168.6.0 HUB
192.168.18.0 SPOKE
192.168.23.0 SPOKE
192.168.28.0 SPOKE
192.168.48.0 SPOKE
192.168.78.0 SPOKE
192.168.88.0 SPOKE
192.168.108.0 SPOKE
10.0.0.0 SPOKE

Current configuration : 4558 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BURTON
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxx
!
no aaa new-model
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip name-server 62.xx.x.2
ip name-server 195.xxx.xxx.10
!
!
crypto pki trustpoint TP-self-signed-692553461
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-692553461
revocation-check none
rsakeypair TP-self-signed-692553461
!
!
crypto pki certificate chain TP-self-signed-692553461
certificate self-signed 01
  3082023C 308201A5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 36393235 35333436 31301E17 0D313031 31323530 39353934
  315A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3639 32353533
  34363130 819F300D 06092A86 4886F70D 01010105 0003818D 00308xxx 02818100
  BA51CDF7 D418D270 7DCE516E 1ADE6DF5 82FE4507 CD1EBE0A 4B6E4B15 9A3C20ED
  B1D19FC9 63D0B925 0A4611FF CE8D935C 264FC3FE DF8BFAC2 76EC38ED 68115F43
  20A68D85 C04A564E 8BDE86FE 127F79B4 8E123D9C 8430940C BCD5CDA4 ADAAE387
  FA1E14A6 ECF92197 0CF54E89 B33915E7 A4E01EC7 CE45DDF6 AA60D168 38C92E67
  02030100 01A36630 64300F06 03551D13 0101FF04 05300301 01FF3011 0603551D
  11040A30 08820642 5552544F 4E301F06 03551D23 04183016 8014645E 3FDE4E90
  A8773580 81EE4217 F4821238 993A301D 0603551D 0E041604 14645E3F DE4E90A8
  77358081 EE4217F4 82123899 3A300D06 092A8648 86F70D01 01040500 03818100
  914EE910 C1EFCDB3 2C3B277B 45E4149F B8A78E94 94D6558F 7A1D5B45 D057DC02
  1FCF0C28 5B29728B 9480E807 D7E7DF9E 751DD005 E108D94B 6B3FC03B 8EB1603B
  49067084 9AF1E4CA 5B906C74 4D07217A 13FD0113 B721068A 3EC6C990 54101B4B
  FC9860E4 3xxxB064 586EC91D EF7C5A8F 8BBF33C6 29BCF148 A7E2B987 F2A028F8
  quit
!
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxxxxxxxxx address 77.xxx.xxx.176
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.85
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.9
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.81
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.228
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.153
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.10
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.61
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
crypto ipsec transform-set cm-transformset-1 esp-des esp-sha-hmac
crypto ipsec transform-set this_should_work esp-des esp-sha-hmac
!
crypto map VPN-Map-1 10 ipsec-isakmp
set peer 77.xxx.xxx.176
set transform-set this_should_work
match address stores
!
crypto map VPN-Map-1 11 ipsec-isakmp
set peer 85.xxx.xxx.85
set transform-set this_should_work
match address dalby
!
crypto map VPN-Map-1 12 ipsec-isakmp
set peer 85.xxx.xxx.9
set transform-set this_should_work
match address braintree
!
crypto map VPN-Map-1 13 ipsec-isakmp
set peer 85.xxx.xxx.81
set transform-set this_should_work
match address corby
!
crypto map VPN-Map-1 14 ipsec-isakmp
set peer 85.xxx.xxx.228
set transform-set this_should_work
match address glasgow
!
crypto map VPN-Map-1 15 ipsec-isakmp
set peer 85.xxx.xxx.153
set transform-set this_should_work
match address hadleigh
!
crypto map VPN-Map-1 16 ipsec-isakmp
set peer 85.xxx.xxx.10
set transform-set this_should_work
match address northwich
!
crypto map VPN-Map-1 17 ipsec-isakmp
set peer 85.xxx.xxx.61
set transform-set this_should_work
match address wycombe
!
!
!
interface FastEthernet0/0
description $ETH-LAN$
ip address 192.168.6.40 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface ATM0/1/0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp reliable-link
ppp authentication chap callin
ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ppp chap password 0 xxxxxxxx
ppp ipcp dns request
ppp link reorders
ppp multilink
ppp multilink slippage mru 16
ppp multilink fragment delay 10
ppp multilink interleave
ppp multilink multiclass
crypto map VPN-Map-1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
!
ip access-list extended corby
permit ip 192.168.6.0 0.0.0.255 192.168.18.0 0.0.0.255
ip access-list extended northwich
permit ip 192.168.6.0 0.0.0.255 192.168.23.0 0.0.0.255
ip access-list extended wycombe
permit ip 192.168.6.0 0.0.0.255 192.168.28.0 0.0.0.255
ip access-list extended hadleigh
permit ip 192.168.6.0 0.0.0.255 192.168.48.0 0.0.0.255
ip access-list extended stores
permit ip 192.168.6.0 0.0.0.255 192.168.78.0 0.0.0.255
ip access-list extended dalby
permit ip 192.168.6.0 0.0.0.255 192.168.88.0 0.0.0.255
ip access-list extended glasgow
permit ip 192.168.6.0 0.0.0.255 192.168.108.0 0.0.0.255
ip access-list extended braintree
permit ip 192.168.6.0 0.0.0.255 10.0.0.0 0.0.0.255
ip access-list extended Internet-inbound-ACL
permit udp host 77.xxx.xxx.176 any eq isakmp
permit esp host 77.xxx.xxx.176 any
permit udp host 85.xxx.xxx.85 any eq isakmp
permit esp host 85.xxx.xxx.85 any
permit udp host 85.xxx.xxx.9 any eq isakmp
permit esp host 85.xxx.xxx.9 any
permit udp host 85.xxx.xxx.81 any eq isakmp
permit esp host 85.xxx.xxx.81 any
permit udp host 85.xxx.xxx.228 any eq isakmp
permit esp host 85.xxx.xxx.228 any
permit udp host 85.xxx.xxx.153 any eq isakmp
permit esp host 85.xxx.xxx.153 any
permit udp host 85.xxx.xxx.10 any eq isakmp
permit esp host 85.xxx.xxx.10 any
permit udp host 85.xxx.xxx.61 any eq isakmp
permit esp host 85.xxx.xxx.61 any
!
access-list 100 deny   ip 192.168.6.0 0.0.0.255 192.168.78.0 0.0.0.255
access-list 100 deny   ip 192.168.6.0 0.0.0.255 192.168.88.0 0.0.0.255
access-list 100 deny   ip 192.168.6.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny   ip 192.168.6.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 100 deny   ip 192.168.6.0 0.0.0.255 192.168.48.0 0.0.0.255
access-list 100 deny   ip 192.168.6.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 100 deny   ip 192.168.6.0 0.0.0.255 192.168.28.0 0.0.0.255
access-list 100 deny   ip 192.168.6.0 0.0.0.255 192.168.108.0 0.0.0.255
access-list 100 permit ip 192.168.6.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RO
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password xxxxxxxxxxxxxxx
login
!
scheduler allocate 20000 1000
end


You have to do it on two spokes (not just one); it's a two-way communication. If one spoke has the route but the other one doesn't, then it won't work.

After you make changes, post the sh crypto ipsec sa output (do that twice, but before the second time you run that command, ping the host from Vigor 1 to Vigor 2, so that I can see if the packets are reaching the hub in the encrypt/decrypt count).

Manish

BEFORE PING

local  ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.78.0/255.255.255.0/0/0)
   current_peer 78.XX.XXX.82 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10953, #pkts encrypt: 10953, #pkts digest: 10953
    #pkts decaps: 8717, #pkts decrypt: 8717, #pkts verify: 8717
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 5, #recv errors 13
     local crypto endpt.: 78.XX.XXX.48, remote crypto endpt.: 78.XX.XXX.82
     path mtu 1500, ip mtu 1500, ip mtu idb Virtual-Access4
     current outbound spi: 0xC68C1831(3331070001)
     inbound esp sas:
      spi: 0xA823CC72(2820918386)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3013, flow_id: FPGA:13, crypto map: VPN-Map-1
        sa timing: remaining key lifetime (k/sec): (4563567/3330)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xC68C1831(3331070001)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3014, flow_id: FPGA:14, crypto map: VPN-Map-1
        sa timing: remaining key lifetime (k/sec): (4563592/3329)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:

AFTER PING

local  ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.78.0/255.255.255.0/0/0)
   current_peer 78.XX.XXX.82 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10953, #pkts encrypt: 10953, #pkts digest: 10953
    #pkts decaps: 8717, #pkts decrypt: 8717, #pkts verify: 8717
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 5, #recv errors 13
     local crypto endpt.: 78.XX.XXX.48, remote crypto endpt.: 78.XX.XXX.82
     path mtu 1500, ip mtu 1500, ip mtu idb Virtual-Access4
     current outbound spi: 0xC68C1831(3331070001)
     inbound esp sas:
      spi: 0xA823CC72(2820918386)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3013, flow_id: FPGA:13, crypto map: VPN-Map-1
        sa timing: remaining key lifetime (k/sec): (4563567/3276)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xC68C1831(3331070001)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3014, flow_id: FPGA:14, crypto map: VPN-Map-1
        sa timing: remaining key lifetime (k/sec): (4563592/3274)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
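Added example, not code from anyone in this thread: a Python script that does the before/after comparison Manish asked for, parsing two show crypto ipsec sa captures and reporting the per-SA change in encaps, decaps and error counters so a test ping can be tied to the tunnel it did (or did not) pass through on the hub. The captures are constructed from the output above, trimmed to the lines the parser needs, with peer addresses masked as in the post; the second SA and its receive-error values are made up to reproduce the symptom reported later in the thread.

```python
"""Compare two 'show crypto ipsec sa' captures taken before and after a test
ping and report per-SA counter deltas."""
import re

# Constructed captures modelled on the output posted in this thread, trimmed
# to the lines the parser needs; peer addresses masked as in the post.
BEFORE = """
   local  ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.78.0/255.255.255.0/0/0)
   current_peer 78.XX.XXX.82 port 500
    #pkts encaps: 10953, #pkts encrypt: 10953, #pkts digest: 10953
    #pkts decaps: 8717, #pkts decrypt: 8717, #pkts verify: 8717
    #send errors 5, #recv errors 13
   local  ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.108.0/255.255.255.0/0/0)
   current_peer 85.xxx.155.228 port 500
    #pkts encaps: 754, #pkts encrypt: 754, #pkts digest: 754
    #pkts decaps: 773, #pkts decrypt: 773, #pkts verify: 773
    #send errors 0, #recv errors 10
"""

# Same SAs after pinging 192.168.78.44 from 192.168.108.0: the 192.168.78.0
# SA does not move at all and the 192.168.108.0 SA only adds receive errors
# (constructed values reproducing what the thread describes).
AFTER = """
   local  ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.78.0/255.255.255.0/0/0)
   current_peer 78.XX.XXX.82 port 500
    #pkts encaps: 10953, #pkts encrypt: 10953, #pkts digest: 10953
    #pkts decaps: 8717, #pkts decrypt: 8717, #pkts verify: 8717
    #send errors 5, #recv errors 13
   local  ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.108.0/255.255.255.0/0/0)
   current_peer 85.xxx.155.228 port 500
    #pkts encaps: 754, #pkts encrypt: 754, #pkts digest: 754
    #pkts decaps: 773, #pkts decrypt: 773, #pkts verify: 773
    #send errors 0, #recv errors 15
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident.*\(([\d.]+)/([\d.]+)/\d+/\d+\)")
COUNTERS = {
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
    "send_errors": re.compile(r"#send errors (\d+)"),
    "recv_errors": re.compile(r"#recv errors (\d+)"),
}


def parse_sa(text):
    """Return {(local proxy, remote proxy): {counter: value}} for every SA block."""
    sas, current = {}, None
    for line in text.splitlines():
        if m := IDENT_RE.search(line):
            side, addr, mask = m.groups()
            if side == "local":
                current = {"local": f"{addr}/{mask}"}   # a new SA block starts here
            else:
                current["remote"] = f"{addr}/{mask}"
                sas[(current["local"], current["remote"])] = current
            continue
        for name, rx in COUNTERS.items():            # one line may carry two counters
            if m := rx.search(line):
                current[name] = int(m.group(1))
    return sas


def diff_counters(before, after):
    """Per-SA counter deltas for the SAs present in both captures."""
    b, a = parse_sa(before), parse_sa(after)
    return {key: {c: a[key][c] - b[key][c] for c in COUNTERS}
            for key in a.keys() & b.keys()}


def interpret(delta):
    """Plain-language reading of one SA's deltas after a test ping."""
    notes = []
    if delta["encaps"] == 0:
        notes.append("hub encrypted nothing into this SA")
    if delta["decaps"] == 0:
        notes.append("hub decrypted nothing from this SA (no matching traffic arrived)")
    if delta["recv_errors"] > 0:
        notes.append(f"{delta['recv_errors']} inbound packets dropped with receive errors")
    return notes or ["traffic flowed in both directions"]


if __name__ == "__main__":
    for (local, remote), delta in sorted(diff_counters(BEFORE, AFTER).items()):
        print(f"{local} <-> {remote}: {delta}")
        for note in interpret(delta):
            print("   ", note)
```

The point of diffing rather than reading one capture is that the absolute counts say nothing about the test ping; only the SA whose decaps counter moves received the spoke's traffic, and a rising recv errors counter with a flat decaps counter means packets arrived on that SA but were not accepted.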

Ummm ... Post your Cisco router config again. Also, when you made changes to the Cisco router configuration, did you remove the crypto map and reapply it? Also, I do not see the packet decapsulation counter increasing with the ping, so I am still not sure if Vigor 1 is sending the traffic destined for Vigor 2 to the hub.

Manish

Here you go. I'm also not too sure how subnet 192.168.108.0 is to send data to 192.168.78.0. I've done a traceroute from 192.168.108.0 and it goes out on the public IP of that router, not what I would expect.

traceroute to 192.168.78.44, 30 hops max
  1  85.xxx.xxx.246        40 ms
  2 Request timed out.     *
  3 Request timed out.     *
Trace complete.

    Key: C - connected, S - static, R - RIP, * - default, ~ - private

    *             0.0.0.0/         0.0.0.0 via 85.xxx.229.246, IF3
    C~      192.168.108.0/   255.255.255.0 is directly connected, IF0
    S~        192.168.6.0/   255.255.255.0 via 78.xx.240.48, IF5
    C       192.168.208.0/   255.255.255.0 is directly connected, IF0

#######################CISCO CONFIG#############################

Current configuration : 8351 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BURTON
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxx
!
no aaa new-model
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip name-server 62.121.0.2
ip name-server 195.54.225.10
!
!
crypto pki trustpoint TP-self-signed-561592686
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-561592686
revocation-check none
rsakeypair TP-self-signed-561592686
!
!
crypto pki certificate chain TP-self-signed-561592686
certificate self-signed 01
  3082023C 308201A5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 35363135 39323638 36301E17 0D313031 31333031 37353530
  325A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3536 31353932
  36383630 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  E4DBC9F8 8DE09F73 32A36E04 09799F97 29720B78 4C02543D EA4EC2F1 71A3C126
  C93BE7BD 0D76F720 A0617593 6CABD849 771E52A7 27832E26 4D8B51E8 3F18CCE0
  B809D177 8820615D 7EDB42AE EB1AC1B6 D1333F93 AF284E97 2E254CE9 905C54EE
  B52F5E66 6D653B3C F490B042 AEBF2962 3BEF40EC FFB79ECC C21FC162 B85E83D9
  02030100 01A36630 64300F06 03551D13 0101FF04 05300301 01FF3011 0603551D
  11040A30 08820642 5552544F 4E301F06 03551D23 04183016 80148AC9 92D2CAA8
  C71BB6E5 D8AF5B07 B0E876B8 3837301D 0603551D 0E041604 148AC992 D2CAA8C7
  1BB6E5D8 AF5B07B0 E876B838 37300D06 092A8648 86F70D01 01040500 03818100
  E0F88458 50C8056F 5B6AC450 BC9CC614 35563AFB 5154EC3E 4B16AD64 22896195
  0639DFB5 A5740C58 D56163BF 50E330BF BF00973C EBFA627F A00AEEE9 9AE7843C
  0038C2BD 5F3E6F4C 5D705353 EFBD8CA4 B6DC8EB5 EA3E6D6E A7C6F410 62862540
  48AD3FDD 02AFD9D9 0D5E3DFD 05DEF4C0 C85686F1 FF7EC47B 6A272889 DF3DCC0B
  quit
!
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxxxxxxx address 85.xxx.155.85
crypto isakmp key xxxxxxxxxx address 85.xxx.190.9
crypto isakmp key xxxxxxxxxx  address 85.xxx.155.81
crypto isakmp key xxxxxxxxxx  address 85.xxx.155.228
crypto isakmp key xxxxxxxxxx  address 85.xxx.222.153
crypto isakmp key xxxxxxxxxx  address 85.xxx.190.10
crypto isakmp key xxxxxxxxxx  address 85.xxx.190.61
crypto isakmp key xxxxxxxxxx address 78.xx.240.82
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
crypto ipsec transform-set cm-transformset-1 esp-des esp-sha-hmac
crypto ipsec transform-set this_should_work esp-des esp-sha-hmac
!
crypto map VPN-Map-1 10 ipsec-isakmp
set peer 78.xxx.240.82
set transform-set this_should_work
match address burtonstores
crypto map VPN-Map-1 11 ipsec-isakmp
set peer 85.xxx.155.85
set transform-set this_should_work
match address dalby
crypto map VPN-Map-1 12 ipsec-isakmp
set peer 85.xxx.190.9
set transform-set this_should_work
match address braintree
crypto map VPN-Map-1 13 ipsec-isakmp
set peer 85.xxx.155.81
set transform-set this_should_work
match address corby
crypto map VPN-Map-1 14 ipsec-isakmp
set peer 85.xxx.155.228
set transform-set this_should_work
match address glasgow
crypto map VPN-Map-1 15 ipsec-isakmp
set peer 85.xxx.222.153
set transform-set this_should_work
match address hadleigh
crypto map VPN-Map-1 16 ipsec-isakmp
set peer 85.xxx.190.10
set transform-set this_should_work
match address northwich
crypto map VPN-Map-1 17 ipsec-isakmp
set peer 85.xxx.190.61
set transform-set this_should_work
match address wycombe
!
!
!
interface FastEthernet0/0
description $ETH-LAN$
ip address 192.168.6.40 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip mroute-cache
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
no cdp enable
!
interface ATM0/0/0
no ip address
no ip mroute-cache
atm restart timer 300
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface ATM0/1/0
no ip address
no ip mroute-cache
atm restart timer 300
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp reliable-link
ppp authentication chap callin
ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxxxxxxx
ppp chap password 0 xxxxxxxxx
ppp ipcp dns request
ppp link reorders
ppp multilink
ppp multilink slippage mru 16
ppp multilink fragment delay 10
ppp multilink interleave
ppp multilink multiclass
crypto map VPN-Map-1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 192.168.6.45 1723 interface Dialer0 1723
ip nat inside source static tcp 192.168.6.65 25 78.xx.240.61 25 extendable
ip nat inside source static tcp 192.168.6.65 80 78.xx.240.61 80 extendable
ip nat inside source static tcp 192.168.6.65 443 78.xx.240.61 443 extendable
ip nat inside source static tcp 192.168.6.30 80 78.xx.240.62 80 extendable
ip nat inside source static tcp 192.168.6.30 443 78.xx.240.62 443 extendable
!
ip access-list extended Internet-inbound-ACL
permit udp host 85.xxx.155.85 any eq isakmp
permit esp host 85.xxx.155.85 any
permit udp host 85.xxx.190.9 any eq isakmp
permit esp host 85.xxx.190.9 any
permit udp host 85.xxx.155.81 any eq isakmp
permit esp host 85.xxx.155.81 any
permit udp host 85.xxx.155.228 any eq isakmp
permit esp host 85.xxx.155.228 any
permit udp host 85.xxx.222.153 any eq isakmp
permit esp host 85.xxx.222.153 any
permit udp host 85.xxx.190.10 any eq isakmp
permit esp host 85.xxx.190.10 any
permit udp host 85.xxx.190.61 any eq isakmp
permit esp host 85.xxx.190.61 any
permit udp host 78.xx.240.82 any eq isakmp
permit esp host 78.xx.240.82 any
ip access-list extended braintree
permit ip 192.168.6.0 0.0.0.255 10.0.0.0 0.0.0.255
ip access-list extended burtonstores
permit ip 192.168.108.0 0.0.0.255 192.168.78.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 192.168.78.0 0.0.0.255
ip access-list extended corby
permit ip 192.168.6.0 0.0.0.255 192.168.18.0 0.0.0.255
ip access-list extended dalby
permit ip 192.168.6.0 0.0.0.255 192.168.88.0 0.0.0.255
ip access-list extended glasgow
permit ip 192.168.6.0 0.0.0.255 192.168.108.0 0.0.0.255
permit ip 192.168.78.0 0.0.0.255 192.168.108.0 0.0.0.255
ip access-list extended hadleigh
permit ip 192.168.6.0 0.0.0.255 192.168.48.0 0.0.0.255
ip access-list extended northwich
permit ip 192.168.6.0 0.0.0.255 192.168.23.0 0.0.0.255
ip access-list extended wycombe
permit ip 192.168.6.0 0.0.0.255 192.168.28.0 0.0.0.255
!
access-list 100 deny   ip 192.168.6.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 100 deny   ip 192.168.6.0 0.0.0.255 192.168.78.0 0.0.0.255
access-list 100 deny   ip 192.168.6.0 0.0.0.255 192.168.88.0 0.0.0.255
access-list 100 deny   ip 192.168.6.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny   ip 192.168.6.0 0.0.0.255 192.168.48.0 0.0.0.255
access-list 100 deny   ip 192.168.6.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 100 deny   ip 192.168.6.0 0.0.0.255 192.168.28.0 0.0.0.255
access-list 100 deny   ip 192.168.6.0 0.0.0.255 192.168.108.0 0.0.0.255
access-list 100 permit ip 192.168.6.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RO
!
!
control-plane
!
banner motd ^CC
******************************************
* Welcome to xxxxxxxxxxxxxxxx
* Burton Router
* Unauthorized access prohibited
******************************************
^C
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
password xxxxxxxxxxxx
login
!
scheduler allocate 20000 1000
no process cpu extended
no process cpu autoprofile hog
end

Yeah, sorry, forgot to mention: I've saved the config, removed the crypto map, reloaded and re-applied.

Still no joy.

Is this output from the Vigor?

Key: C - connected, S - static, R - RIP, * - default, ~ - private

    *             0.0.0.0/         0.0.0.0 via 85.xxx.229.246, IF3
    C~      192.168.108.0/   255.255.255.0 is directly connected, IF0
    S~        192.168.6.0/   255.255.255.0 via 78.xx.240.48, IF5
    C       192.168.208.0/   255.255.255.0 is directly connected, IF0

Manish

Yes, the other site, 192.168.78.0, is similar, with no route to 108.0.

OK, then we need a route at the Vigors for all 192.168.x.x subnets to 78.xx.240.48, so that they send the packets to the hub.

Manish

Still no luck unfortunately

SITE A

    Key: C - connected, S - static, R - RIP, * - default, ~ - private

    *             0.0.0.0/         0.0.0.0 via 85.xxx.229.246, IF3
    C~      192.168.108.0/   255.255.255.0 is directly connected, IF0
    S~       192.168.78.0/   255.255.255.0 via 78.xx.240.48, IF5
    S~        192.168.6.0/   255.255.255.0 via 78.xx.240.48, IF5
    C       192.168.208.0/   255.255.255.0 is directly connected, IF0


SITE B

    Key: C - connected, S - static, R - RIP, * - default, ~ - private

    *             0.0.0.0/         0.0.0.0 via 62.xxx.9.202, IF3
    S~      192.168.108.0/   255.255.255.0 via 78.xx.240.48, IF4
    C~       192.168.78.0/   255.255.255.0 is directly connected, IF0
    C         192.168.2.0/   255.255.255.0 is directly connected, IF0
    S~        192.168.6.0/   255.255.255.0 via 78.xx.240.48, IF4
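Added example, not from either poster: a Python check for the routes Manish describes, run against the SITE A and SITE B tables above. It parses the Vigor routing-table format shown in the thread and reports, for the hub LAN and every spoke LAN listed in the first post, whether the spoke has a static route pointing at the hub's public address (78.xx.240.48, masked as in the thread) or will fall through to its default route. The hub address and subnet list are taken from the posts; the two tables are copied in as constructed input.

```python
"""Check a DrayTek Vigor routing table for the static routes a spoke needs in
order to reach the hub LAN and every other spoke LAN through the hub."""
import ipaddress
import re

# Addresses from the thread, masked as in the posts: the hub's public address
# that the spokes' static routes must point at, the hub LAN, and the spoke
# LANs listed in the first post.
HUB_PEER = "78.xx.240.48"
HUB_LAN = "192.168.6.0/24"
SPOKE_LANS = ["192.168.18.0/24", "192.168.23.0/24", "192.168.28.0/24",
              "192.168.48.0/24", "192.168.78.0/24", "192.168.88.0/24",
              "192.168.108.0/24", "10.0.0.0/24"]

# Constructed copies of the SITE A and SITE B routing tables posted above.
SITE_A = """
    Key: C - connected, S - static, R - RIP, * - default, ~ - private
    *             0.0.0.0/         0.0.0.0 via 85.xxx.229.246, IF3
    C~      192.168.108.0/   255.255.255.0 is directly connected, IF0
    S~       192.168.78.0/   255.255.255.0 via 78.xx.240.48, IF5
    S~        192.168.6.0/   255.255.255.0 via 78.xx.240.48, IF5
    C       192.168.208.0/   255.255.255.0 is directly connected, IF0
"""
SITE_B = """
    Key: C - connected, S - static, R - RIP, * - default, ~ - private
    *             0.0.0.0/         0.0.0.0 via 62.xxx.9.202, IF3
    S~      192.168.108.0/   255.255.255.0 via 78.xx.240.48, IF4
    C~       192.168.78.0/   255.255.255.0 is directly connected, IF0
    C         192.168.2.0/   255.255.255.0 is directly connected, IF0
    S~        192.168.6.0/   255.255.255.0 via 78.xx.240.48, IF4
"""

# route kind, network, mask, optional next hop, interface
ROUTE_RE = re.compile(
    r"^\s*([CSR*])~?\s+([\d.]+)/\s*([\d.]+)\s+"
    r"(?:via\s+([^,\s]+),|is directly connected,)\s*(\S+)")


def parse_routes(text):
    """Return {network: (kind, next_hop)}; next_hop is None for connected routes."""
    routes = {}
    for line in text.splitlines():
        if m := ROUTE_RE.match(line):
            kind, addr, mask, via, _iface = m.groups()
            routes[ipaddress.ip_network((addr, mask))] = (kind, via)
    return routes


def check_spoke(table_text):
    """For each remote LAN the spoke should reach via the hub, report 'ok',
    'via <other hop>' or 'missing (falls to default route)'."""
    routes = parse_routes(table_text)
    local = {net for net, (kind, _) in routes.items() if kind == "C"}
    report = {}
    for lan in [HUB_LAN] + SPOKE_LANS:
        net = ipaddress.ip_network(lan)
        if net in local:
            continue                      # the spoke's own LAN needs no route
        kind, via = routes.get(net, (None, None))
        if via == HUB_PEER:
            report[lan] = "ok"
        elif kind is None:
            report[lan] = "missing (falls to default route)"
        else:
            report[lan] = f"via {via}"
    return report


def missing_routes(table_text):
    """Sorted list of remote LANs with no route pointing at the hub."""
    return sorted(lan for lan, status in check_spoke(table_text).items()
                  if status != "ok")


if __name__ == "__main__":
    for name, table in (("SITE A", SITE_A), ("SITE B", SITE_B)):
        print(name)
        for lan, status in check_spoke(table).items():
            print(f"  {lan:18} {status}")
```

For the two tables posted, each site has a hub-pointing route only for the hub LAN and for the one other spoke being tested; the remaining six remote LANs fall to the default route and leave the spoke unencrypted on its own public interface, which is exactly what the traceroute earlier in the thread showed.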

On the output of sh crypto ipsec sa, do you now see the counters increasing for packets decrypted when you ping between the subnets?

Manish

No, no packets are decrypted on either tunnel.

I have noticed this, though: receive errors (below) on the Cisco router when I ping from 192.168.108.0 to 192.168.78.44 (router).

These recv errors go up by 5 or so each time.

local  ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.108.0/255.255.255.0/0/0)
   current_peer 85.xxx.155.228 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 754, #pkts encrypt: 754, #pkts digest: 754
    #pkts decaps: 773, #pkts decrypt: 773, #pkts verify: 773
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
   #send errors 0, #recv errors 15

I've just found this:

https://supportforums.cisco.com/thread/2041441

He mentions there's a problem between Cisco and DrayTek Vigors, and that you are only able to use standard IPsec VPN.

What do you think? I think we may have covered all areas.

Thanks

Mark

Try "no ip route-cache" on the dialer or ATM interface on the Cisco router so that it process-switches the packets rather than fast-switching them.

Also

Manish

Hi Manish

I've put no ip route-cache on both ATMs, FastEthernet0/0 and Dialer0, and still no luck.

The recv errors just keep going up by about 5 each time.

Does it look like it's not compatible?

Thanks

Mark

Mark,


1> Place the NAT exempt on the Cisco router as well for the subnets coming from one Vigor to a different Vigor.

2> Run debug crypto ipsec while you are pinging.

Manish
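Added example, not code from anyone in this thread: a Python audit of the hub configuration for the two things Mark's spoke-to-spoke question and Manish's point 1 depend on. For every pair of spokes, the hub's crypto ACL for each peer must permit the other spoke's subnet (the decrypted packet from one tunnel is otherwise never encrypted into the other), and the inside-source NAT list must not translate a spoke-to-spoke flow. The embedded config is a constructed excerpt of the hub config posted earlier (three of the eight spokes, peer addresses masked as in the post); the ACL parser handles the "any", "host" and wildcard-mask forms and evaluates first-match with the implicit deny. For this excerpt the audit shows the 192.168.78.0/192.168.108.0 pair covered in both the burtonstores and glasgow ACLs, the braintree spoke (10.0.0.0) covered in none, and access-list 100 matching no spoke-to-spoke flow, since its only permit entry is sourced from 192.168.6.0.

```python
"""Audit a Cisco IOS hub config for spoke-to-spoke coverage: crypto ACL
entries for every spoke pair, and a NAT list that leaves those flows alone."""
import ipaddress
import re
from itertools import combinations

# Constructed excerpt of the hub config posted in this thread: three of the
# eight spokes, their crypto ACLs and the NAT list.  Peer addresses are
# masked as in the post and are only used as labels here.
HUB_CONFIG = """
crypto map VPN-Map-1 10 ipsec-isakmp
 set peer 78.xxx.240.82
 match address burtonstores
crypto map VPN-Map-1 12 ipsec-isakmp
 set peer 85.xxx.190.9
 match address braintree
crypto map VPN-Map-1 14 ipsec-isakmp
 set peer 85.xxx.155.228
 match address glasgow
ip nat inside source list 100 interface Dialer0 overload
ip access-list extended braintree
 permit ip 192.168.6.0 0.0.0.255 10.0.0.0 0.0.0.255
ip access-list extended burtonstores
 permit ip 192.168.108.0 0.0.0.255 192.168.78.0 0.0.0.255
 permit ip 192.168.6.0 0.0.0.255 192.168.78.0 0.0.0.255
ip access-list extended glasgow
 permit ip 192.168.6.0 0.0.0.255 192.168.108.0 0.0.0.255
 permit ip 192.168.78.0 0.0.0.255 192.168.108.0 0.0.0.255
access-list 100 deny   ip 192.168.6.0 0.0.0.255 192.168.78.0 0.0.0.255
access-list 100 deny   ip 192.168.6.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny   ip 192.168.6.0 0.0.0.255 192.168.108.0 0.0.0.255
access-list 100 permit ip 192.168.6.0 0.0.0.255 any
"""


def _net(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD) from tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0))
    return ipaddress.ip_network((tok, tokens.pop(0)))   # wildcard-mask form


def parse_hub_config(text):
    """Return (acls, crypto_acls, nat_list): ACL name -> [(action, src, dst)],
    crypto ACL name -> peer address, and the ACL name used by the NAT rule."""
    acls, crypto_acls, nat_list = {}, {}, None
    current = peer = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := re.match(r"ip access-list extended (\S+)$", line):
            current = acls.setdefault(m.group(1), [])
        elif m := re.match(r"access-list (\d+) (permit|deny)\s+ip\s+(.+)", line):
            toks = m.group(3).split()
            acls.setdefault(m.group(1), []).append((m.group(2), _net(toks), _net(toks)))
        elif m := re.match(r"(permit|deny)\s+ip\s+(.+)", line):
            toks = m.group(2).split()
            current.append((m.group(1), _net(toks), _net(toks)))
        elif m := re.match(r"set peer (\S+)", line):
            peer = m.group(1)
        elif m := re.match(r"match address (\S+)", line):
            crypto_acls[m.group(1)] = peer
        elif m := re.match(r"ip nat inside source list (\S+)", line):
            nat_list = m.group(1)
    return acls, crypto_acls, nat_list


def _permits(acl, src, dst):
    """First-match evaluation of a src -> dst flow, implicit deny at the end."""
    for action, s, d in acl:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action == "permit"
    return False


def flow_permitted(acls, acl_name, src, dst):
    """_permits with CIDR strings, e.g. flow_permitted(acls, "100", "192.168.6.0/24", "0.0.0.0/0")."""
    return _permits(acls[acl_name], ipaddress.ip_network(src), ipaddress.ip_network(dst))


def audit(text):
    """Findings: a crypto ACL entry missing for a spoke pair, or a
    spoke-to-spoke flow that the NAT list would translate."""
    acls, crypto_acls, nat_list = parse_hub_config(text)
    # spoke subnets behind each tunnel = destinations of that crypto ACL's permits
    spokes = {n: {d for a, _, d in acls[n] if a == "permit"} for n in crypto_acls}
    findings = []
    for a_name, b_name in combinations(sorted(crypto_acls), 2):
        for a in spokes[a_name]:
            for b in spokes[b_name]:
                if not _permits(acls[a_name], b, a):     # hub -> A tunnel must carry B's traffic
                    findings.append(f"crypto ACL {a_name}: missing permit ip {b} -> {a}")
                if not _permits(acls[b_name], a, b):     # and hub -> B tunnel A's traffic
                    findings.append(f"crypto ACL {b_name}: missing permit ip {a} -> {b}")
                for src, dst in ((a, b), (b, a)):
                    if nat_list and _permits(acls[nat_list], src, dst):
                        findings.append(f"NAT list {nat_list}: translates spoke flow {src} -> {dst}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(HUB_CONFIG) or ["no gaps found"]:
        print(finding)
```

Each spoke's own crypto ACL has to mirror the hub's entries for it (source and destination swapped), which this audit cannot see; the debug crypto ipsec run in point 2 is where a proxy-identity mismatch between the two ends would show up.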