[c-nsp] VPN-Ipsec Hub/Spoke Configuration
Joe Maimon
jmaimon at ttec.com
Fri Mar 17 15:21:10 EST 2006
Research DMVPN on CCO.
Paul Stewart wrote:
> Hi there...
>
> I'm trying to build an IPSec hub-spoke setup. We have a client I'm
> working with currently who has a 2811 at their location fed by two
> bridged DSL connections (using OSPF to "bond" them). Their remote
> locations have Cisco 806's and some 851's. Their plan is to create a
> large intranet system for web browsing and eventually windows file
> sharing etc - maybe even to the point of centralized domain login
> authentication.
>
> I don't do a lot of VPN's and this one is "close" I think... Just hoping
> someone can tell me the missing piece...;)
>
> Hub site (relevant portions):
>
> crypto isakmp policy 1
> encr 3des
> authentication pre-share
> crypto isakmp key bigsecretkey address 0.0.0.0 0.0.0.0
> !
> !
> crypto ipsec transform-set County esp-3des esp-sha-hmac
> !
> crypto dynamic-map VPN 1
> set transform-set County
> !
> !
> crypto map static-map 1 ipsec-isakmp dynamic VPN
> !
> interface Loopback0
> description OSPF Loopback
> ip address 000.000.98.175 255.255.255.255
> !
> interface FastEthernet0/0
> description HSA-VLAN202
> ip address 000.000.227.2 255.255.255.248
> ip nat outside
> ip virtual-reassembly
> duplex auto
> speed auto
> crypto map static-map
> !
> interface FastEthernet0/1
> description HSA-VLAN228
> ip address 000.000.227.10 255.255.255.248
> ip nat outside
> ip virtual-reassembly
> load-interval 30
> duplex auto
> speed auto
> crypto map static-map
> !
> interface Vlan10
> description NAT Network
> ip address 192.168.2.1 255.255.255.0
> ip nat inside
> ip virtual-reassembly
> !
> ip nat inside source list 102 interface Loopback0 overload
> access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.250.0 0.0.0.255
> access-list 102 permit ip 192.168.2.0 0.0.0.255 any
>
>
> Spoke Site (relevant portions):
>
> crypto isakmp policy 1
> encr 3des
> authentication pre-share
> crypto isakmp key mybigsecret address 000.000.98.175
> !
> !
> crypto ipsec transform-set County esp-3des esp-sha-hmac
> !
> crypto map static-map local-address Dialer1
> crypto map static-map 1 ipsec-isakmp
> set peer 000.000.98.175
> set transform-set County
> match address VPN
> !
> interface Dialer1
> ip address negotiated
> ip mtu 1455
> ip nat outside
> encapsulation ppp
> ip route-cache flow
> dialer pool 1
> dialer-group 1
> no cdp enable
> ppp authentication pap callin
> ppp pap sent-username xxxxxxxxxx at nexicom.net password 7 xxxxxxxxxxxx
> ppp ipcp dns request
> crypto map static-map
> !
> ip nat inside source list 105 interface Dialer1 overload
> !
> ip access-list extended VPN
> permit ip 192.168.250.0 0.0.0.255 192.168.2.0 0.0.0.255
> !
> access-list 105 deny ip 192.168.250.0 0.0.0.255 192.168.2.0 0.0.0.255
> access-list 105 permit ip 192.168.250.0 0.0.0.255 any
>
>
>
> From the spoke site, I can ping the DNS server at the Hub site but I
> can't ping anything from the Hub site to the Spoke site nor can I use
> any services (such as the DNS server) from the spoke site....
>
> ptboems#ping 192.168.2.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/40 ms
>
>
> I'm sure I'm missing something really simple here.... Thoughts? ;)
>
> Paul Stewart
> IP Routing/Switching
> Nexicom Inc.
> http://www.nexicom.net/
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>