Haroon,
just checking if I understand you right. The bottom line of your topology is
hub-and-spoke IPSec tunnels with 192.168.1.1 being the hub. Is that right?
You have this:
crypto map svisakmp 1 ipsec-isakmp
set peer 71.1.1.8
set peer 208.1.1.209
set peer 70.2.2.78
To my knowledge, multiple peers under the same crypto map number will
not achieve any hub-and-spoke connectivity. This is for redundancy.
You'd better revisit the design of the whole thing.
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_s2.html#wp1046908
Or maybe I am missing something, trying to post at 11 pm. :-)
Cheers,
A.
Haroon wrote:
> Hello Experts,
>
> We've made some changes recently to the network and are trying to resolve a
> couple of issues with a subnet which isn't part of the site-to-site VPN being
> able to reach the remote sites.
>
> Here is the diagram:
> http://www.ccie.pro/LAN-Routing-gs.jpg
>
> Servers on the 192.168.1.x subnet can reach other sites just fine, no
> issues. However, the users on the 192.168.66.x network are unable to reach
> the remote subnets, even though access to 192.168.1.x from the 66.x subnet is
> working just fine. Now, I've tried editing the existing access list
> associated with the crypto policy by adding the 66.x subnet to it on both
> sides, but it hasn't worked. What am I missing?
>
> The config on 192.168.1.1 router:
>
> crypto isakmp policy 1
> authentication pre-share
> lifetime 28800
> crypto isakmp key thepsk address 71.1.1.8
> crypto isakmp key thepsk address 208.1.1.209
> crypto isakmp key thepsk address 70.2.2.78
> !
> !
> crypto ipsec transform-set svipsec esp-des esp-md5-hmac
> crypto ipsec df-bit clear
> !
> crypto map svisakmp 1 ipsec-isakmp
> set peer 71.1.1.8
> set peer 208.1.1.209
> set peer 70.2.2.78
> set transform-set svipsec
> match address 186
>
> interface Loopback0
> ip address 12.10.10.1 255.255.255.255
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> ip route-cache flow
> crypto map svisakmp
>
> access-list 186 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
> access-list 186 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
> access-list 186 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
> access-list 186 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
> access-list 186 permit ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255
> access-list 186 permit ip 192.168.2.0 0.0.0.255 192.168.66.0 0.0.0.255
> access-list 186 permit ip 192.168.66.0 0.0.0.255 192.168.2.0 0.0.0.255
> access-list 186 permit ip 192.168.2.0 0.0.0.255 172.16.20.0 0.0.0.255
> access-list 186 permit ip 172.16.20.0 0.0.0.255 192.168.2.0 0.0.0.255
> access-list 186 deny ip 192.168.1.0 0.0.0.255 any
> access-list 186 deny ip 192.168.2.0 0.0.0.255 any
> access-list 186 deny ip 192.168.5.0 0.0.0.255 any
> access-list 186 deny ip 192.168.7.0 0.0.0.255 any
> access-list 186 deny ip 192.168.66.0 0.0.0.255 any
> access-list 186 deny ip 172.16.20.0 0.0.0.255 any
>
>
> *Config from one of the remote routers*:
>
> crypto isakmp policy 1
> authentication pre-share
> lifetime 28800
> crypto isakmp key thetwotowers address 12.10.10.1
> !
> !
> crypto ipsec transform-set svipsec esp-des esp-md5-hmac
> !
> crypto map svisakmp 1 ipsec-isakmp
> set peer 12.10.10.1
> set transform-set svipsec
> match address 185
> !
> !
> !
> !
> interface Ethernet0
> ip address 71.1.1.8 255.255.255.248
> ip nat outside
> ip route-cache flow
> full-duplex
> no cdp enable
> crypto map svisakmp
>
> access-list 185 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
> access-list 185 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
> access-list 185 permit ip 192.168.66.0 0.0.0.255 192.168.2.0 0.0.0.255
> access-list 185 permit ip 192.168.2.0 0.0.0.255 192.168.66.0 0.0.0.255
> access-list 185 deny ip 192.168.2.0 0.0.0.255 any
> access-list 185 deny ip 192.168.1.0 0.0.0.255 any
> access-list 185 deny ip 192.168.66.0 0.0.0.255 any
>
>
> Any help would be greatly appreciated.
>
> Thanks,
>
> Haroon
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
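Added here as a worked check, not code from the thread, from Cisco or from either poster: a small Python script that parses the two crypto ACLs posted above (hub ACL 186 and spoke ACL 185, embedded verbatim as the sample input) and reports which permit entries lack a mirror image, both within one ACL (src/dst reversed) and between the two ends (a spoke permit src->dst should appear on the hub as dst->src, since IPsec proxy identities are negotiated per ACE). It only covers the crypto-ACL part of the problem: it does not model the multiple-`set peer` behaviour A. describes, routing, or NAT, and it treats `deny` lines as "not protected" rather than "dropped", which is what a deny in a crypto ACL means. The function names are my own.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[str, str]

# Constructed sample input: the two crypto ACLs exactly as posted in the thread,
# hub side (ACL 186 on 192.168.1.1) and one spoke side (ACL 185 on 71.1.1.8).
HUB_ACL_TEXT = """\
access-list 186 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 186 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 186 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 186 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 186 permit ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 186 permit ip 192.168.2.0 0.0.0.255 192.168.66.0 0.0.0.255
access-list 186 permit ip 192.168.66.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 186 permit ip 192.168.2.0 0.0.0.255 172.16.20.0 0.0.0.255
access-list 186 permit ip 172.16.20.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 186 deny ip 192.168.1.0 0.0.0.255 any
access-list 186 deny ip 192.168.2.0 0.0.0.255 any
access-list 186 deny ip 192.168.5.0 0.0.0.255 any
access-list 186 deny ip 192.168.7.0 0.0.0.255 any
access-list 186 deny ip 192.168.66.0 0.0.0.255 any
access-list 186 deny ip 172.16.20.0 0.0.0.255 any
"""

SPOKE_ACL_TEXT = """\
access-list 185 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 185 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 185 permit ip 192.168.66.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 185 permit ip 192.168.2.0 0.0.0.255 192.168.66.0 0.0.0.255
access-list 185 deny ip 192.168.2.0 0.0.0.255 any
access-list 185 deny ip 192.168.1.0 0.0.0.255 any
access-list 185 deny ip 192.168.66.0 0.0.0.255 any
"""


def wildcard_to_network(addr: str, wildcard: str) -> Net:
    """Convert an IOS address/wildcard pair to a network; wildcard 1-bits are don't-care."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    # strict=False tolerates host bits set in addr. A non-contiguous wildcard
    # raises NetmaskValueError, which is the right outcome for a crypto ACL.
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _take_address(tokens: List[str]) -> Tuple[Net, List[str]]:
    """Consume one address specifier (any | host A | A WILDCARD) from the token list."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text: str) -> Dict[str, List[Tuple[str, Net, Net]]]:
    """Parse 'access-list N permit|deny ip SRC DST' lines into {N: [(action, src, dst)]}."""
    acls: Dict[str, List[Tuple[str, Net, Net]]] = {}
    for line in text.splitlines():
        tokens = line.split()
        if (len(tokens) < 6 or tokens[0] != "access-list"
                or tokens[2] not in ("permit", "deny") or tokens[3] != "ip"):
            continue  # skip blank lines, non-IP ACEs and anything not modelled here
        src, rest = _take_address(tokens[4:])
        dst, _ = _take_address(rest)
        acls.setdefault(tokens[1], []).append((tokens[2], src, dst))
    return acls


def protected_pairs(text: str, number: str) -> Set[Pair]:
    """(src, dst) pairs a crypto ACL marks as interesting. Only permits count:
    a deny in a crypto ACL means 'send in the clear', not 'drop'."""
    return {(str(s), str(d)) for a, s, d in parse_acl(text).get(number, []) if a == "permit"}


def unmirrored_within(pairs: Set[Pair]) -> List[Pair]:
    """Permits whose reverse direction (dst -> src) is missing from the same ACL."""
    return sorted((s, d) for s, d in pairs if (d, s) not in pairs)


def missing_on_peer(local: Set[Pair], remote: Set[Pair]) -> List[Pair]:
    """Local permits (src, dst) that the peer does not list as (dst, src).
    Proxy identities are negotiated per ACE and must be mirror images, so a
    pair listed here will not get an IPsec SA with this particular peer."""
    return sorted((s, d) for s, d in local if (d, s) not in remote)


def audit() -> Dict[str, List[Pair]]:
    """Run all four checks over the embedded hub and spoke ACLs."""
    hub = protected_pairs(HUB_ACL_TEXT, "186")
    spoke = protected_pairs(SPOKE_ACL_TEXT, "185")
    return {
        "hub_one_way": unmirrored_within(hub),
        "spoke_one_way": unmirrored_within(spoke),
        "hub_not_on_spoke": missing_on_peer(hub, spoke),
        "spoke_not_on_hub": missing_on_peer(spoke, hub),
    }


if __name__ == "__main__":
    for name, entries in audit().items():
        print(f"{name}: {len(entries)}")
        for s, d in entries:
            print(f"  {s} -> {d}")
```

Run against the posted configs, the 66.x entries come out mirrored on both ends, so the script does not point at those lines; what it does flag is the hub's 192.168.1.0 -> 192.168.7.0 permit with no reverse entry, and the hub-only entries for 192.168.5.0, 192.168.7.0 and 172.16.20.0, which with a single crypto map entry and three `set peer` lines are all offered to whichever peer is active rather than to a specific spoke.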
Received on Sat Jun 27 2009 - 22:37:10 ART
This archive was generated by hypermail 2.2.0 : Wed Jul 01 2009 - 20:02:37 ART