Haroon,
just split the spokes following this example
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009463b.shtml
and you'll be fine.
A.
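The fix Alexei describes (one crypto map sequence with a single peer and its own ACL per spoke, and the spoke's ACL as the mirror of the hub's) as an added Python example; it is not part of this thread or of any Cisco tool. It splits the hub's ACL 186 exactly as posted into per-spoke entries and reports which local subnets (such as 192.168.66.0) have no entry towards a given spoke. Assumptions: the peer-to-subnet pairing for 208.1.1.209 and 70.2.2.78 is a placeholder, and ACL numbers 101-103 are invented for the output.

```python
import re
# Hub ACL 186 permit lines as posted in the thread (deny lines carry no crypto meaning).
HUB_ACL_186 = """
access-list 186 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 186 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 186 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 186 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 186 permit ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 186 permit ip 192.168.2.0 0.0.0.255 192.168.66.0 0.0.0.255
access-list 186 permit ip 192.168.66.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 186 permit ip 192.168.2.0 0.0.0.255 172.16.20.0 0.0.0.255
access-list 186 permit ip 172.16.20.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
# ASSUMED peer -> subnet map: only 71.1.1.8 -> 192.168.2.0 follows from the posted spoke config.
SPOKES = {"71.1.1.8": "192.168.2.0", "208.1.1.209": "192.168.5.0", "70.2.2.78": "192.168.7.0"}
ACE = re.compile(r"access-list\s+\d+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

def parse(text):
    """(src, src_wc, dst, dst_wc) for every permit ACE in an IOS access-list dump."""
    return [m.groups() for m in ACE.finditer(text)]

def split_by_spoke(aces, spokes):
    """Assign each ACE to the spoke whose subnet it names, oriented hub-local -> spoke;
    reverse-direction duplicates are dropped because IOS mirrors a crypto ACL inbound."""
    by_subnet = {subnet: peer for peer, subnet in spokes.items()}
    per_spoke = {peer: [] for peer in spokes}
    for src, swc, dst, dwc in aces:
        peer = by_subnet.get(dst) or by_subnet[src]  # KeyError: ACE names no spoke subnet
        ace = (src, swc, dst, dwc) if dst == spokes[peer] else (dst, dwc, src, swc)
        if ace not in per_spoke[peer]:
            per_spoke[peer].append(ace)
    return per_spoke

def render_hub(per_spoke, map_name="svisakmp", xform="svipsec", first_acl=101):
    """One crypto map sequence per spoke, each with a single peer and its own ACL."""
    out = []
    for seq, (peer, aces) in enumerate(per_spoke.items(), start=1):
        acl = first_acl + seq - 1
        out += [f"crypto map {map_name} {seq} ipsec-isakmp", f" set peer {peer}",
                f" set transform-set {xform}", f" match address {acl}"]
        out += [f"access-list {acl} permit ip {s} {swc} {d} {dwc}" for s, swc, d, dwc in aces]
    return "\n".join(out)

def spoke_acl(hub_aces):
    """The spoke's crypto ACL must be the exact mirror (src/dst swapped) of the hub's."""
    return [(d, dwc, s, swc) for s, swc, d, dwc in hub_aces]

def missing_local(per_spoke, local_subnets):
    """Local subnets (e.g. 192.168.66.0) with no ACE towards a spoke cannot use that tunnel."""
    return {p: sorted(set(local_subnets) - {a[0] for a in aces}) for p, aces in per_spoke.items()}
```

Running `missing_local` on the posted ACL shows 192.168.66.0 has an entry only towards the 192.168.2.0 spoke, which matches the failed tracert to 192.168.5.100.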
Haroon wrote:
> Thanks Alexei, that will be helpful. In my case, the spokes do not
> need to talk to each other. The resources, servers, win domain
> controllers, etc. are all in 192.168.1.1 subnet.
>
> So, if I understand this right, the 192.168.66.x network needs to be
> part of the crypto map even though I can reach 192.168.1.1 subnet
> through the 172.16.20.x subnet and is just another subnet on the local
> LAN? Or do I need to break up other sites in separate map numbers and
> then 66.x subnet can reach them without being in any crypto?
>
> Some tracerts
>
> C:\>tracert 192.168.1.100
>
> Tracing route to [192.168.1.100]
> over a maximum of 30 hops:
>
> 1 <1 ms <1 ms <1 ms 192.168.66.1
> 2 <1 ms <1 ms <1 ms 172.16.20.2
> 3 <1 ms <1 ms <1 ms 192.168.1.100
> Trace complete.
>
>
> C:\>tracert 192.168.5.100
>
> Tracing route to [192.168.5.100]
> over a maximum of 30 hops:
>
> 1 <1 ms <1 ms <1 ms 192.168.66.1
> 2 <1 ms <1 ms <1 ms 172.16.20.2
> 3 * * * Request timed out.
> Trace complete.
>
> Thanks,
>
> Haroon
>
>
> On Sat, Jun 27, 2009 at 8:30 PM, Alexei Monastyrnyi
> <alexeim73_at_gmail.com> wrote:
>
> Haroon,
> you have to create a separate map number per spoke on your hub
> router under the same map name umbrella. Split your ACL 186 into
> three parts per spoke as well to apply to those separated map
> number sub-configs.
>
> You might check these hub-and-spoke IOS examples to get a better
> idea. The way you have it now it won't work. Only one peer is
> active per crypto map number so once your 192.168.66. site gets
> connected to the hub, no other spokes will be reachable.
>
> http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093dc8.shtml
>
> http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009463b.shtml
>
> HTH
> A.
>
> Haroon wrote:
>
> Alexei,
>
> You are right, the 192.168.1.1 is the hub and other sites
> connect to it. We plan on redoing this and moving the
> site-to-sites on a concentrator but for now just trying to get
> the 192.168.66.x network to reach the remote sites through
> 192.168.1.1.
>
> Thanks,
>
> Haroon
>
> On Sat, Jun 27, 2009 at 8:37 AM, Alexei Monastyrnyi
> <alexeim73_at_gmail.com> wrote:
>
> Haroon,
> just checking if I understand you right. Bottom line of your
> topology is hub and spoke IPSec tunnels with 192.168.1.1 being a
> hub. Is that right?
>
> You have this:
>
>
> crypto map svisakmp 1 ipsec-isakmp
> set peer 71.1.1.8
> set peer 208.1.1.209
> set peer 70.2.2.78
>
> To my knowledge, multiple peers under the same crypto map number
> will not achieve any hub and spoke connectivity. This is for
> redundancy. You'd better revisit the design of the whole thing.
>
>
> http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_s2.html#wp1046908
>
> Or I am maybe missing something trying to post at 11 pm. :-)
>
> Cheers,
> A.
>
> Haroon wrote:
>
> Hello Experts,
>
> We've made some changes recently to the network and are trying to
> resolve a couple of issues with a subnet which isn't part of the
> site-to-site VPN being able to reach the remote sites.
>
> Here is the diagram:
> http://www.ccie.pro/LAN-Routing-gs.jpg
>
> Servers on the 192.168.1.x subnet can reach other sites just fine, no
> issues. However, the users on the 192.168.66.x network are unable to
> reach the remote subnets even though access to 192.168.1.x from the
> 66.x subnet is working just fine. Now, I've tried editing the existing
> access list associated with the crypto policy by adding the 66.x subnet
> in it on both sides but it hasn't worked. What am I missing?
>
> The config on 192.168.1.1 router:
>
> crypto isakmp policy 1
> authentication pre-share
> lifetime 28800
> crypto isakmp key thepsk address 71.1.1.8
> crypto isakmp key thepsk address 208.1.1.209
> crypto isakmp key thepsk address 70.2.2.78
> !
> !
> crypto ipsec transform-set svipsec esp-des esp-md5-hmac
> crypto ipsec df-bit clear
> !
> crypto map svisakmp 1 ipsec-isakmp
> set peer 71.1.1.8
> set peer 208.1.1.209
> set peer 70.2.2.78
> set transform-set svipsec
> match address 186
>
> interface Loopback0
> ip address 12.10.10.1 255.255.255.255
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> ip route-cache flow
> crypto map svisakmp
>
> access-list 186 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
> access-list 186 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
> access-list 186 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
> access-list 186 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
> access-list 186 permit ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255
> access-list 186 permit ip 192.168.2.0 0.0.0.255 192.168.66.0 0.0.0.255
> access-list 186 permit ip 192.168.66.0 0.0.0.255 192.168.2.0 0.0.0.255
> access-list 186 permit ip 192.168.2.0 0.0.0.255 172.16.20.0 0.0.0.255
> access-list 186 permit ip 172.16.20.0 0.0.0.255 192.168.2.0 0.0.0.255
> access-list 186 deny ip 192.168.1.0 0.0.0.255 any
> access-list 186 deny ip 192.168.2.0 0.0.0.255 any
> access-list 186 deny ip 192.168.5.0 0.0.0.255 any
> access-list 186 deny ip 192.168.7.0 0.0.0.255 any
> access-list 186 deny ip 192.168.66.0 0.0.0.255 any
> access-list 186 deny ip 172.16.20.0 0.0.0.255 any
>
>
> *Config from one of the remote routers*:
>
> crypto isakmp policy 1
> authentication pre-share
> lifetime 28800
> crypto isakmp key thetwotowers address 12.10.10.1
> !
> !
> crypto ipsec transform-set svipsec esp-des esp-md5-hmac
> !
> crypto map svisakmp 1 ipsec-isakmp
> set peer 12.10.10.1
> set transform-set svipsec
> match address 185
> !
> !
> !
> !
> interface Ethernet0
> ip address 71.1.1.8 255.255.255.248
> ip nat outside
> ip route-cache flow
> full-duplex
> no cdp enable
> crypto map svisakmp
>
> access-list 185 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
> access-list 185 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
> access-list 185 permit ip 192.168.66.0 0.0.0.255 192.168.2.0 0.0.0.255
> access-list 185 permit ip 192.168.2.0 0.0.0.255 192.168.66.0 0.0.0.255
> access-list 185 deny ip 192.168.2.0 0.0.0.255 any
> access-list 185 deny ip 192.168.1.0 0.0.0.255 any
> access-list 185 deny ip 192.168.66.0 0.0.0.255 any
>
>
> Any help would be greatly appreciated.
>
> Thanks,
>
> Haroon
>
>
> Blogs and organic groups at http://www.ccie.net
>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Sun Jun 28 2009 - 13:30:57 ART
This archive was generated by hypermail 2.2.0 : Wed Jul 01 2009 - 20:02:37 ART