[c-nsp] VPN-Ipsec Hub/Spoke Configuration

Rodney Dunn rodunn at cisco.com
Fri Mar 17 15:22:14 EST 2006


You have to make sure that your routing is set up.

It's harder if you have to do static routing or
some form of reverse route injection.

If you have a hub and a bunch of spokes the easiest
thing to do is set up your hub as a DMVPN hub and
then just run a routing protocol over it to the spokes.

Use tunnel protection to make the IPSEC configuration
much simpler.

http://www.cisco.com/en/US/products/ps6658/products_ios_protocol_option_home.html

On Fri, Mar 17, 2006 at 02:44:30PM -0500, Paul Stewart wrote:
> Hi there...
> 
> I'm trying to build an IPSec hub-spoke setup.  We have a client I'm
> working with currently who has a 2811 at their location fed by two
> bridged DSL connections (using OSPF to "bond" them).  Their remote
> locations have Cisco 806's and some 851's.  Their plan is to create a
> large intranet system for web browsing and eventually windows file
> sharing etc - maybe even to the point of centralized domain login
> authentication.
> 
> I don't do a lot of VPNs and this one is "close" I think... Just hoping
> someone can tell me the missing piece...;)
> 
> Hub site (relevant portions): 
> 
> crypto isakmp policy 1
>  encr 3des
>  authentication pre-share
> crypto isakmp key bigsecretkey address 0.0.0.0 0.0.0.0
> !
> !
> crypto ipsec transform-set County esp-3des esp-sha-hmac
> !
> crypto dynamic-map VPN 1
>  set transform-set County
> !
> !
> crypto map static-map 1 ipsec-isakmp dynamic VPN
> !
> interface Loopback0
>  description OSPF Loopback
>  ip address 000.000.98.175 255.255.255.255
> !
> interface FastEthernet0/0
>  description HSA-VLAN202
>  ip address 000.000.227.2 255.255.255.248
>  ip nat outside
>  ip virtual-reassembly
>  duplex auto
>  speed auto
>  crypto map static-map
> !
> interface FastEthernet0/1
>  description HSA-VLAN228
>  ip address 000.000.227.10 255.255.255.248
>  ip nat outside
>  ip virtual-reassembly
>  load-interval 30
>  duplex auto
>  speed auto
>  crypto map static-map
> !
> interface Vlan10
>  description NAT Network
>  ip address 192.168.2.1 255.255.255.0
>  ip nat inside
>  ip virtual-reassembly
> !
> ip nat inside source list 102 interface Loopback0 overload
> access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.250.0 0.0.0.255
> access-list 102 permit ip 192.168.2.0 0.0.0.255 any
> 
> 
> Spoke Site (relevant portions):
> 
> crypto isakmp policy 1
>  encr 3des
>  authentication pre-share
> crypto isakmp key mybigsecret address 000.000.98.175
> !
> !
> crypto ipsec transform-set County esp-3des esp-sha-hmac
> !
> crypto map static-map local-address Dialer1
> crypto map static-map 1 ipsec-isakmp
>  set peer 000.000.98.175
>  set transform-set County
>  match address VPN
> !
> interface Dialer1
>  ip address negotiated
>  ip mtu 1455
>  ip nat outside
>  encapsulation ppp
>  ip route-cache flow
>  dialer pool 1
>  dialer-group 1
>  no cdp enable
>  ppp authentication pap callin
>  ppp pap sent-username xxxxxxxxxx at nexicom.net password 7 xxxxxxxxxxxx
>  ppp ipcp dns request
>  crypto map static-map
> !
> ip nat inside source list 105 interface Dialer1 overload
> !
> ip access-list extended VPN
>  permit ip 192.168.250.0 0.0.0.255 192.168.2.0 0.0.0.255
> !
> access-list 105 deny   ip 192.168.250.0 0.0.0.255 192.168.2.0 0.0.0.255
> access-list 105 permit ip 192.168.250.0 0.0.0.255 any
> 
> 
> 
> From the spoke site, I can ping the DNS server at the Hub site but I
> can't ping anything from the Hub site to the Spoke site nor can I use
> any services (such as the DNS server) from the spoke site....
> 
> ptboems#ping 192.168.2.2
> 
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/40 ms
> 
> 
> I'm sure I'm missing something really simple here.... Thoughts? ;)
> 
> Paul Stewart
> IP Routing/Switching
> Nexicom Inc.
> http://www.nexicom.net/ 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/