[c-nsp] VPN-Ipsec Hub/Spoke Configuration

Paul Stewart pstewart at nexicomgroup.net
Fri Mar 17 14:44:30 EST 2006


Hi there...

I'm trying to build an IPSec hub-spoke setup.  We have a client I'm
working with currently who has a 2811 at their location fed by two
bridged DSL connections (using OSPF to "bond" them).  Their remote
locations have Cisco 806's and some 851's.  Their plan is to create a
large intranet system for web browsing and eventually Windows file
sharing etc - maybe even to the point of centralized domain login
authentication.

I don't do a lot of VPNs and this one is "close" I think... Just hoping
someone can tell me the missing piece...;)

Hub site (relevant portions): 

crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key bigsecretkey address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set County esp-3des esp-sha-hmac
!
crypto dynamic-map VPN 1
 set transform-set County
!
!
crypto map static-map 1 ipsec-isakmp dynamic VPN
!
interface Loopback0
 description OSPF Loopback
 ip address 000.000.98.175 255.255.255.255
!
interface FastEthernet0/0
 description HSA-VLAN202
 ip address 000.000.227.2 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map static-map
!
interface FastEthernet0/1
 description HSA-VLAN228
 ip address 000.000.227.10 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
 crypto map static-map
!
interface Vlan10
 description NAT Network
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip nat inside source list 102 interface Loopback0 overload
access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.250.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 any


Spoke Site (relevant portions):

crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key mybigsecret address 000.000.98.175
!
!
crypto ipsec transform-set County esp-3des esp-sha-hmac
!
crypto map static-map local-address Dialer1
crypto map static-map 1 ipsec-isakmp
 set peer 000.000.98.175
 set transform-set County
 match address VPN
!
interface Dialer1
 ip address negotiated
 ip mtu 1455
 ip nat outside
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username xxxxxxxxxx at nexicom.net password 7 xxxxxxxxxxxx
 ppp ipcp dns request
 crypto map static-map
!
ip nat inside source list 105 interface Dialer1 overload
!
ip access-list extended VPN
 permit ip 192.168.250.0 0.0.0.255 192.168.2.0 0.0.0.255
!
access-list 105 deny   ip 192.168.250.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 permit ip 192.168.250.0 0.0.0.255 any



From the spoke site, I can ping the DNS server at the Hub site but I
can't ping anything from the Hub site to the Spoke site nor can I use
any services (such as the DNS server) from the spoke site....

ptboems#ping 192.168.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/40 ms


I'm sure I'm missing something really simple here.... Thoughts? ;)

Paul Stewart
IP Routing/Switching
Nexicom Inc.
http://www.nexicom.net/ 
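As an added example (not from the original post and not Cisco tooling), here is a small Python checker that does the cross-checks a reviewer would otherwise do by eye on a hub/spoke pair like the one above: does the spoke's configured peer match an address the hub actually answers IKE on (an interface carrying the crypto map, or the map's local-address interface), do the pre-shared keys line up given that the spoke sits on a negotiated address, and does each side's overload NAT ACL exempt the interesting traffic before it is translated. The HUB and SPOKE strings are constructed copies of the relevant lines from the two snippets, with 203.0.113.x documentation addresses in place of the masked 000.000.x.x ones; the parser understands only the handful of statements it needs.

```python
# Hypothetical offline checker for a Cisco IOS IPsec hub/spoke pair (not Cisco tooling). The HUB and
# SPOKE samples are constructed from the post, 203.0.113.x standing in for the masked 000.000.x.x.
from ipaddress import IPv4Address, IPv4Network

HUB = """\
crypto isakmp key bigsecretkey address 0.0.0.0 0.0.0.0
interface Loopback0
 ip address 203.0.113.175 255.255.255.255
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.248
 crypto map static-map
ip nat inside source list 102 interface Loopback0 overload
access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.250.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
"""
SPOKE = """\
crypto isakmp key mybigsecret address 203.0.113.175
crypto map static-map 1 ipsec-isakmp
 set peer 203.0.113.175
 match address VPN
ip nat inside source list 105 interface Dialer1 overload
ip access-list extended VPN
 permit ip 192.168.250.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 deny   ip 192.168.250.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 permit ip 192.168.250.0 0.0.0.255 any
"""

def addr_spec(tok):  # consume 'any' or 'ADDR WILDCARD'; ipaddress accepts wildcard (host) masks
    t = tok.pop(0)
    return IPv4Network("0.0.0.0/0") if t == "any" else IPv4Network(f"{t}/{tok.pop(0)}", strict=False)

def acl_entry(tok):  # ['permit', 'ip', SRC..., DST...] -> (action, src_net, dst_net); ports ignored
    rest = tok[2:]
    return tok[0], addr_spec(rest), addr_spec(rest)

def parse(text):
    c = {"keys": [], "peer": None, "acl": None, "local_address": None,
         "if_addr": {}, "crypto_ifs": [], "acls": {}, "nat_acl": None}
    block = (None, None)  # (kind, name) of the indented block we are inside
    for line in filter(str.strip, text.splitlines()):
        tok = line.split()
        if line.startswith(" "):
            kind, name = block
            if kind == "if" and tok[:2] == ["ip", "address"] and tok[2] != "negotiated":
                c["if_addr"][name] = IPv4Address(tok[2])
            elif kind == "if" and tok[:2] == ["crypto", "map"]:
                c["crypto_ifs"].append(name)
            elif kind == "acl":
                c["acls"].setdefault(name, []).append(acl_entry(tok))
            elif kind == "map" and tok[:2] == ["set", "peer"]:
                c["peer"] = IPv4Address(tok[2])
            elif kind == "map" and tok[:2] == ["match", "address"]:
                c["acl"] = tok[2]
            continue
        block = (None, None)
        if tok[0] == "interface":
            block = ("if", tok[1])
        elif tok[:3] == ["ip", "access-list", "extended"]:
            block = ("acl", tok[3])
        elif tok[:2] == ["crypto", "map"] and tok[3:4] == ["local-address"]:
            c["local_address"] = tok[4]
        elif tok[:2] == ["crypto", "map"]:
            block = ("map", tok[2])
        elif tok[:3] == ["crypto", "isakmp", "key"]:  # crypto isakmp key KEY address ADDR [MASK]
            c["keys"].append((tok[3], IPv4Network(f"{tok[5]}/{tok[6] if len(tok) > 6 else 32}")))
        elif tok[0] == "access-list":
            c["acls"].setdefault(tok[1], []).append(acl_entry(tok[2:]))
        elif tok[:4] == ["ip", "nat", "inside", "source"]:
            c["nat_acl"] = tok[5]
    return c

def nat_exempts(cfg, src, dst):  # True if the first matching NAT ACL entry is a deny (no translation)
    for action, e_src, e_dst in cfg["acls"].get(cfg["nat_acl"], []):
        if src.subnet_of(e_src) and dst.subnet_of(e_dst):
            return action == "deny"
    return True  # implicit deny at the end of the ACL: not translated

def check_pair(hub, spoke):
    findings = []
    # The hub answers IKE on interfaces carrying the crypto map, or on the map's local-address if set.
    hub_ike = {hub["if_addr"][i] for i in hub["crypto_ifs"] + [hub["local_address"]] if i in hub["if_addr"]}
    if spoke["peer"] not in hub_ike:
        findings.append(f"spoke peers with {spoke['peer']} but the hub only answers IKE on {sorted(map(str, hub_ike))}")
    # Phase 1 key: the spoke's entry for the peer must equal a hub entry that can match the spoke;
    # a spoke on a negotiated address can only be matched by a 0.0.0.0 0.0.0.0 wildcard entry.
    spoke_keys = {k for k, net in spoke["keys"] if spoke["peer"] in net}
    hub_keys = {k for k, net in hub["keys"] if net.prefixlen == 0}
    if not spoke_keys & hub_keys:
        findings.append(f"pre-shared key mismatch: spoke {sorted(spoke_keys)} vs hub wildcard {sorted(hub_keys)}")
    # NAT bypass: each interesting flow must hit a deny in the overload NAT ACL on both ends.
    for action, src, dst in spoke["acls"].get(spoke["acl"], []):
        for side, cfg, a, b in (("spoke", spoke, src, dst), ("hub", hub, dst, src)):
            if action == "permit" and not nat_exempts(cfg, a, b):
                findings.append(f"{side} translates {a}->{b} instead of passing it through the tunnel")
    return findings

if __name__ == "__main__":
    print("\n".join(check_pair(parse(HUB), parse(SPOKE))) or "no mismatches found")
```

Run against the constructed samples it reports the two differences that are visible in the snippets as posted: the spoke peers with the loopback address while the hub's crypto map sits only on the Ethernet interface with no `local-address` set, and the two `crypto isakmp key` strings are not the same. The NAT exemption entries on both sides pass, which is consistent with the spoke-initiated ping succeeding once a tunnel is up.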


