Thanks Alexei, that will be helpful. In my case, the spokes do not need to
talk to each other. The resources, servers, Windows domain controllers, etc. are
all in the 192.168.1.1 subnet.
So, if I understand this right, the 192.168.66.x network needs to be part of
the crypto map even though I can reach the 192.168.1.1 subnet through the
172.16.20.x subnet, and it is just another subnet on the local LAN? Or do I need
to break up the other sites into separate map numbers so that the 66.x subnet can
reach them without being in any crypto map?
Some tracerts:
C:\>tracert 192.168.1.100
Tracing route to [192.168.1.100]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 192.168.66.1
2 <1 ms <1 ms <1 ms 172.16.20.2
3 <1 ms <1 ms <1 ms 192.168.1.100
Trace complete.
C:\>tracert 192.168.5.100
Tracing route to [192.168.5.100]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 192.168.66.1
2 <1 ms <1 ms <1 ms 172.16.20.2
3 * * * Request timed out.
Trace complete.
Thanks,
Haroon
On Sat, Jun 27, 2009 at 8:30 PM, Alexei Monastyrnyi <alexeim73_at_gmail.com> wrote:
> Haroon,
> you have to create a separate map number per spoke on your hub router under
> the same map name umbrella. Split your ACL 186 into three parts per spoke as
> well to apply to those separated map number sub-configs.
>
> You might check these hub-and-spoke IOS examples to get a better idea. The
> way you have it now it won't work. Only one peer is active per crypto map
> number so once your 192.168.66. site gets connected to the hub, no other
> spokes will be reachable.
>
>
> http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093dc8.shtml
>
>
> http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009463b.shtml
>
> HTH
> A.
>
> Haroon wrote:
>
>> Alexei,
>>
>> You are right, the 192.168.1.1 is the hub and other sites connect to it.
>> We plan on redoing this and moving the site-to-sites on a concentrator but
>> for now just trying to get the 192.168.66.x network to reach the remote
>> sites through 192.168.1.1.
>>
>> Thanks,
>>
>> Haroon
>>
>> On Sat, Jun 27, 2009 at 8:37 AM, Alexei Monastyrnyi <alexeim73_at_gmail.com> wrote:
>>
>> Haroon,
>> just checking if I understand you right. Bottom line of your
>> topology is hub and spoke IPSec tunnels with 192.168.1.1 being a
>> hub. Is that right?
>>
>> You have this:
>>
>>
>> crypto map svisakmp 1 ipsec-isakmp
>>  set peer 71.1.1.8
>>  set peer 208.1.1.209
>>  set peer 70.2.2.78
>>
>> To my knowledge, multiple peers under the same crypto map number
>> will not achieve any hub and spoke connectivity. This is for
>> redundancy. You'd better revisit the design of the whole thing.
>>
>>
>> http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_s2.html#wp1046908
>>
>> Or I am maybe missing something trying to post at 11 pm. :-)
>>
>> Cheers,
>> A.
>>
>> Haroon wrote:
>>
>> Hello Experts,
>>
>> We've made some changes recently to the network and are trying to
>> resolve a couple of issues with a subnet that isn't part of the
>> site-to-site VPN being able to reach the remote sites.
>>
>> Here is the diagram:
>> http://www.ccie.pro/LAN-Routing-gs.jpg
>>
>> Servers on the 192.168.1.x subnet can reach other sites just fine, no
>> issues. However, the users on the 192.168.66.x network are unable to
>> reach the remote subnets even though access to 192.168.1.x from the
>> 66.x subnet is working just fine. Now, I've tried editing the existing
>> access list associated with the crypto policy by adding the 66.x subnet
>> to it on both sides, but it hasn't worked. What am I missing?
>>
>> The config on 192.168.1.1 router:
>>
>> crypto isakmp policy 1
>>  authentication pre-share
>>  lifetime 28800
>> crypto isakmp key thepsk address 71.1.1.8
>> crypto isakmp key thepsk address 208.1.1.209
>> crypto isakmp key thepsk address 70.2.2.78
>> !
>> !
>> crypto ipsec transform-set svipsec esp-des esp-md5-hmac
>> crypto ipsec df-bit clear
>> !
>> crypto map svisakmp 1 ipsec-isakmp
>>  set peer 71.1.1.8
>>  set peer 208.1.1.209
>>  set peer 70.2.2.78
>>  set transform-set svipsec
>>  match address 186
>>
>> interface Loopback0
>>  ip address 12.10.10.1 255.255.255.255
>>  no ip redirects
>>  no ip unreachables
>>  no ip proxy-arp
>>  ip route-cache flow
>>  crypto map svisakmp
>>
>> access-list 186 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
>> access-list 186 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
>> access-list 186 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
>> access-list 186 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
>> access-list 186 permit ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255
>> access-list 186 permit ip 192.168.2.0 0.0.0.255 192.168.66.0 0.0.0.255
>> access-list 186 permit ip 192.168.66.0 0.0.0.255 192.168.2.0 0.0.0.255
>> access-list 186 permit ip 192.168.2.0 0.0.0.255 172.16.20.0 0.0.0.255
>> access-list 186 permit ip 172.16.20.0 0.0.0.255 192.168.2.0 0.0.0.255
>> access-list 186 deny ip 192.168.1.0 0.0.0.255 any
>> access-list 186 deny ip 192.168.2.0 0.0.0.255 any
>> access-list 186 deny ip 192.168.5.0 0.0.0.255 any
>> access-list 186 deny ip 192.168.7.0 0.0.0.255 any
>> access-list 186 deny ip 192.168.66.0 0.0.0.255 any
>> access-list 186 deny ip 172.16.20.0 0.0.0.255 any
>>
>>
>> *Config from one of the remote routers*:
>>
>> crypto isakmp policy 1
>>  authentication pre-share
>>  lifetime 28800
>> crypto isakmp key thetwotowers address 12.10.10.1
>> !
>> !
>> crypto ipsec transform-set svipsec esp-des esp-md5-hmac
>> !
>> crypto map svisakmp 1 ipsec-isakmp
>>  set peer 12.10.10.1
>>  set transform-set svipsec
>>  match address 185
>> !
>> !
>> !
>> !
>> interface Ethernet0
>>  ip address 71.1.1.8 255.255.255.248
>>  ip nat outside
>>  ip route-cache flow
>>  full-duplex
>>  no cdp enable
>>  crypto map svisakmp
>>
>> access-list 185 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
>> access-list 185 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
>> access-list 185 permit ip 192.168.66.0 0.0.0.255 192.168.2.0 0.0.0.255
>> access-list 185 permit ip 192.168.2.0 0.0.0.255 192.168.66.0 0.0.0.255
>> access-list 185 deny ip 192.168.2.0 0.0.0.255 any
>> access-list 185 deny ip 192.168.1.0 0.0.0.255 any
>> access-list 185 deny ip 192.168.66.0 0.0.0.255 any
>>
>>
>> Any help would be greatly appreciated.
>>
>> Thanks,
>>
>> Haroon
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
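An added example, not code from this thread or from Cisco: a small Python evaluator that reads the hub's ACL 186 exactly as posted above and applies IOS first-match semantics to it, so you can see which flows the crypto map treats as interesting traffic (permit = encrypt into the tunnel, deny = send in the clear). The ACL text is copied from the hub config in the thread; the SPOKES table is an assumption except for 71.1.1.8, whose own config above shows it fronts 192.168.2.0/24 (the thread does not say which spoke holds 192.168.5.0/24 and 192.168.7.0/24). The block also lists permit lines that have no mirror line, since a spoke's crypto ACL must be the mirror image of the hub's, and partitions the permit lines per spoke the way Alexei describes for separate map numbers under one map name.

```python
"""Evaluate an IOS crypto ACL the way the router does: first match wins.
Added example for this thread; the ACL text is the hub's ACL 186 as posted."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Copied from the 192.168.1.1 hub config in the thread.
HUB_ACL_186 = """
access-list 186 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 186 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 186 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 186 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 186 permit ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 186 permit ip 192.168.2.0 0.0.0.255 192.168.66.0 0.0.0.255
access-list 186 permit ip 192.168.66.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 186 permit ip 192.168.2.0 0.0.0.255 172.16.20.0 0.0.0.255
access-list 186 permit ip 172.16.20.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 186 deny ip 192.168.1.0 0.0.0.255 any
access-list 186 deny ip 192.168.2.0 0.0.0.255 any
access-list 186 deny ip 192.168.5.0 0.0.0.255 any
access-list 186 deny ip 192.168.7.0 0.0.0.255 any
access-list 186 deny ip 192.168.66.0 0.0.0.255 any
access-list 186 deny ip 172.16.20.0 0.0.0.255 any
"""

# Which LAN sits behind each spoke peer. Only 71.1.1.8 is known from the
# thread (its remote config protects 192.168.2.0/24); the other two are assumed.
SPOKES = {
    "71.1.1.8": [ipaddress.IPv4Network("192.168.2.0/24")],
    "208.1.1.209": [ipaddress.IPv4Network("192.168.5.0/24")],   # assumption
    "70.2.2.78": [ipaddress.IPv4Network("192.168.7.0/24")],     # assumption
}


@dataclass
class AclEntry:
    action: str                            # "permit" = encrypt, "deny" = do not encrypt
    src: Optional[ipaddress.IPv4Network]   # None means "any"
    dst: Optional[ipaddress.IPv4Network]


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """'192.168.1.0 0.0.0.255' -> 192.168.1.0/24 (contiguous wildcards only)."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != ((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF):
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def _address(tokens, i):
    """Consume one address spec ('any', 'host A', or 'A WILDCARD') at tokens[i]."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1]), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text: str):
    """Parse 'access-list N permit|deny ip SRC DST' lines; other lines are skipped."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue
        src, i = _address(t, 4)
        dst, _ = _address(t, i)
        entries.append(AclEntry(t[2], src, dst))
    return entries


def classify(entries, src_ip: str, dst_ip: str) -> str:
    """Action of the first matching line, or 'implicit-deny' if none matches."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in entries:
        if (e.src is None or s in e.src) and (e.dst is None or d in e.dst):
            return e.action
    return "implicit-deny"


def unmirrored_permits(entries):
    """Permit lines with no reverse (dst->src) line; the far end must mirror these."""
    pairs = {(str(e.src), str(e.dst)) for e in entries if e.action == "permit"}
    return sorted((s, d) for s, d in pairs if (d, s) not in pairs)


def split_per_spoke(entries, spokes):
    """Group permit lines by the spoke whose LAN they touch: one ACL per map number."""
    out = {peer: [] for peer in spokes}
    for e in entries:
        if e.action != "permit":
            continue
        for peer, nets in spokes.items():
            if any(e.src == n or e.dst == n for n in nets):
                out[peer].append(e)
    return out


if __name__ == "__main__":
    acl = parse_acl(HUB_ACL_186)
    for src, dst in [("192.168.1.10", "192.168.5.100"), ("192.168.66.10", "192.168.5.100")]:
        print(f"{src} -> {dst}: {classify(acl, src, dst)}")
    print("permit lines with no mirror:", unmirrored_permits(acl))
    for peer, lines in split_per_spoke(acl, SPOKES).items():
        print(f"spoke {peer}: {len(lines)} permit line(s)")
```

Running it shows 192.168.66.10 -> 192.168.5.100 landing on the final `deny ip 192.168.66.0 0.0.0.255 any` line, i.e. the hub would forward that packet in the clear rather than into a tunnel, which is consistent with the timed-out tracert above, while the same source to 192.168.2.50 is permitted. It also reports that `permit ip 192.168.1.0 ... 192.168.7.0` has no return line. Note that in a crypto ACL a deny means "do not encrypt", not "drop".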
Received on Sat Jun 27 2009 - 22:46:45 ART
This archive was generated by hypermail 2.2.0 : Wed Jul 01 2009 - 20:02:37 ART