Re: Site to Site VPN and LAN Routing

From: Haroon <itguy.pro_at_gmail.com>
Date: Sat, 27 Jun 2009 13:13:00 -0400

Alexei,

You are right, the 192.168.1.1 is the hub and other sites connect to it. We
plan on redoing this and moving the site-to-sites on a concentrator but for
now just trying to get the 192.168.66.x network to reach the remote sites
through 192.168.1.1.

Thanks,

Haroon

On Sat, Jun 27, 2009 at 8:37 AM, Alexei Monastyrnyi <alexeim73_at_gmail.com> wrote:

> Haroon,
> just checking if I understand you right. Bottom line of your topology is
> hub and spoke IPSec tunnels with 192.168.1.1 being a hub. Is that right?
>
> You have this:
>
> crypto map svisakmp 1 ipsec-isakmp
> set peer 71.1.1.8
> set peer 208.1.1.209
> set peer 70.2.2.78
>
> To my knowledge, multiple peers under the same crypto map number will not
> achieve any hub and spoke connectivity. This is for redundancy. You'd better
> revisit a design of the whole thing.
>
>
> http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_s2.html#wp1046908
>
> Or I am maybe missing something trying to post at 11 pm. :-)
>
> Cheers,
> A.
>
> Haroon wrote:
>
>> Hello Experts,
>>
>> We've made some changes recently to the network and are trying to resolve a
>> couple of issues with a subnet which isn't part of the site-to-site VPN
>> being able to reach the remote sites.
>>
>> Here is the diagram:
>> http://www.ccie.pro/LAN-Routing-gs.jpg
>>
>> Servers on the 192.168.1.x subnet can reach other sites just fine, no
>> issues. However, the users on the 192.168.66.x network are unable to reach
>> the remote subnets even though access to 192.168.1.x from 66.x subnet is
>> working just fine. Now, I've tried editing the existing access list
>> associated with the crypto policy by adding the 66.x subnet in it on both
>> sides but it hasn't worked. What am I missing?
>>
>> The config on 192.168.1.1 router:
>>
>> crypto isakmp policy 1
>> authentication pre-share
>> lifetime 28800
>> crypto isakmp key thepsk address 71.1.1.8
>> crypto isakmp key thepsk address 208.1.1.209
>> crypto isakmp key thepsk address 70.2.2.78
>> !
>> !
>> crypto ipsec transform-set svipsec esp-des esp-md5-hmac
>> crypto ipsec df-bit clear
>> !
>> crypto map svisakmp 1 ipsec-isakmp
>> set peer 71.1.1.8
>> set peer 208.1.1.209
>> set peer 70.2.2.78
>> set transform-set svipsec
>> match address 186
>>
>> interface Loopback0
>> ip address 12.10.10.1 255.255.255.255
>> no ip redirects
>> no ip unreachables
>> no ip proxy-arp
>> ip route-cache flow
>> crypto map svisakmp
>>
>> access-list 186 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
>> access-list 186 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
>> access-list 186 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
>> access-list 186 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
>> access-list 186 permit ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255
>> access-list 186 permit ip 192.168.2.0 0.0.0.255 192.168.66.0 0.0.0.255
>> access-list 186 permit ip 192.168.66.0 0.0.0.255 192.168.2.0 0.0.0.255
>> access-list 186 permit ip 192.168.2.0 0.0.0.255 172.16.20.0 0.0.0.255
>> access-list 186 permit ip 172.16.20.0 0.0.0.255 192.168.2.0 0.0.0.255
>> access-list 186 deny ip 192.168.1.0 0.0.0.255 any
>> access-list 186 deny ip 192.168.2.0 0.0.0.255 any
>> access-list 186 deny ip 192.168.5.0 0.0.0.255 any
>> access-list 186 deny ip 192.168.7.0 0.0.0.255 any
>> access-list 186 deny ip 192.168.66.0 0.0.0.255 any
>> access-list 186 deny ip 172.16.20.0 0.0.0.255 any
>>
>>
>> *Config from one of the remote routers*:
>>
>> crypto isakmp policy 1
>> authentication pre-share
>> lifetime 28800
>> crypto isakmp key thetwotowers address 12.10.10.1
>> !
>> !
>> crypto ipsec transform-set svipsec esp-des esp-md5-hmac
>> !
>> crypto map svisakmp 1 ipsec-isakmp
>> set peer 12.10.10.1
>> set transform-set svipsec
>> match address 185
>> !
>> !
>> !
>> !
>> interface Ethernet0
>> ip address 71.1.1.8 255.255.255.248
>> ip nat outside
>> ip route-cache flow
>> full-duplex
>> no cdp enable
>> crypto map svisakmp
>>
>> access-list 185 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
>> access-list 185 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
>> access-list 185 permit ip 192.168.66.0 0.0.0.255 192.168.2.0 0.0.0.255
>> access-list 185 permit ip 192.168.2.0 0.0.0.255 192.168.66.0 0.0.0.255
>> access-list 185 deny ip 192.168.2.0 0.0.0.255 any
>> access-list 185 deny ip 192.168.1.0 0.0.0.255 any
>> access-list 185 deny ip 192.168.66.0 0.0.0.255 any
>>
>>
>> Any help would be greatly appreciated.
>>
>> Thanks,
>>
>> Haroon
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html

Received on Sat Jun 27 2009 - 13:13:00 ART

This archive was generated by hypermail 2.2.0 : Wed Jul 01 2009 - 20:02:37 ART
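One way to check a hub/spoke pair of configs for the problem Alexei points at, as an added example that is not from the thread: it counts the peers under each crypto map sequence number and lists the hub's crypto ACL flows that the spoke's ACL does not mirror. The config text is copied from the posts above (permit lines only); Python 3.8+ is assumed.

```python
import re
from ipaddress import IPv4Network

# Constructed sample copied from the thread: the hub's crypto map entry and the
# permit lines of ACL 186 (its trailing deny lines select no traffic), plus ACL 185.
HUB = """
crypto map svisakmp 1 ipsec-isakmp
 set peer 71.1.1.8
 set peer 208.1.1.209
 set peer 70.2.2.78
 match address 186
access-list 186 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 186 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 186 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 186 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 186 permit ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 186 permit ip 192.168.2.0 0.0.0.255 192.168.66.0 0.0.0.255
access-list 186 permit ip 192.168.66.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 186 permit ip 192.168.2.0 0.0.0.255 172.16.20.0 0.0.0.255
access-list 186 permit ip 172.16.20.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
SPOKE = """
access-list 185 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 185 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 185 permit ip 192.168.66.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 185 permit ip 192.168.2.0 0.0.0.255 192.168.66.0 0.0.0.255
"""
ACL = re.compile(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)")

def permits(config, acl):
    """(src, dst) flows a crypto ACL selects; IOS wildcards parse as hostmasks."""
    return {(str(IPv4Network(f"{s}/{sw}")), str(IPv4Network(f"{d}/{dw}")))
            for n, s, sw, d, dw in ACL.findall(config) if n == acl}

def peers_per_entry(config):
    """Count 'set peer' lines under each crypto map sequence; more than one
    peer in a single entry is failover between peers, not one tunnel per peer."""
    counts, seq = {}, None
    for line in config.splitlines():
        if m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
            seq = f"{m[1]} {m[2]}"
            counts[seq] = 0
        elif seq and line.strip().startswith("set peer"):
            counts[seq] += 1
    return counts

def unmirrored(hub_config, hub_acl, spoke_config, spoke_acl):
    """Hub flows the spoke does not mirror (src/dst swapped): proposed to this
    spoke, they have no matching proxy identity and phase 2 fails."""
    mirror = {(d, s) for s, d in permits(spoke_config, spoke_acl)}
    return sorted(permits(hub_config, hub_acl) - mirror)
```

For the configs above, `peers_per_entry(HUB)` reports three peers under `svisakmp 1`, and `unmirrored(HUB, "186", SPOKE, "185")` lists the 192.168.5.0, 192.168.7.0 and 172.16.20.0 flows, which belong to the other spokes but sit in the same crypto ACL offered to 71.1.1.8.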