Cisco Support Community

New Member

hub-spokes routing between spokes

I have a hub-and-spoke VPN configuration. At the hub I have a 2611 XM and at the spokes 1721s. The VPN works fine between hub and spoke. I need connections between spokes through the hub. Is routing between spokes through the hub possible with static routes, and how can I do that? What is my default gateway on a spoke for the network on the other spoke? Do I use public or private addresses for routing? What are my static routes on the hub?

I have NAT on all routers because they give Internet access.

I need a better example than this article, “Cisco - Configuring IPSec Router-to-Router Hub and Spoke with Communication Between the Spokes”, from the Cisco site. It wasn't helping me.

6 REPLIES
Silver

Re: hub-spokes routing between spokes

You could try Static Mapping in the Hubs. You need to establish a tunnel between the spokes in order to have the RIP routing working. With OSPF there shouldn't be such a problem.

New Member

Re: hub-spokes routing between spokes

We use DMVPN, NHRP, and EIGRP/OSPF for a dynamic spoke-to-spoke solution. Essentially, with NHRP the hub keeps a database of all the spoke physical and tunnel IPs. So when the tunnels are first established to the hub, it tells all subsequent packets that they don't have to come to the hub to talk to other spokes, but that they can establish tunnels to other spokes without going through the hub for spoke-to-spoke communication.

The DMVPN allows for ease of tunnel configuration, so when you add another spoke you don't have to modify all the other spokes.

New Member

Re: hub-spokes routing between spokes

Here is my problem:

I have more than three sites in the VPN network: central office SITE A, remote offices SITE B, SITE C, SITE D, and remote dial-up users with CVPC. I can establish VPNs between SITE B, C, D and SITE A. I can ping from SITE A all private networks on SITE B, C, D. Also I have to ping from the SITE B networks to the networks on SITE C, D, but I CANNOT do it. I put in static routes and access-lists, but it doesn't work.

Also remote clients can connect to site B by CVPC but they cannot connect to site A.

SITE A

version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
username xxxx privilege 15 password 0 xxxxx
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 5
 hash md5
 authentication pre-share
crypto isakmp key xxxxxx address 212.39.103.154 no-xauth
crypto isakmp key xxxxxx address 80.65.95.162 no-xauth
crypto isakmp key xxxxxx address xxxxxxx no-xauth
crypto isakmp key xxxxxx address xxxxxxx no-xauth
crypto isakmp key xxxxxx address 0.0.0.0 0.0.0.0 no-xauth
!
crypto isakmp client configuration group xxxxx
 key xxxxxx
 dns 192.168.1.100
 domain cpn.vwg
 pool ippool
crypto isakmp profile VPNclient
   description VPN clients profile
   match identity group xxxxxx
   client authentication list userauthen
   isakmp authorization list groupauthor
   client configuration address respond
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set myset1 esp-des esp-md5-hmac
crypto ipsec transform-set myset3 esp-des esp-md5-hmac
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
crypto ipsec transform-set myset4 esp-des esp-md5-hmac
crypto ipsec transform-set myset5 esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 set isakmp-profile VPNclient
!
crypto dynamic-map rtpmap 11
 set transform-set rtpset
 match address 118
!
!
!
crypto map clientmap 5 ipsec-isakmp
 set peer 212.39.103.154
 set transform-set myset1
 match address 115
crypto map clientmap 7 ipsec-isakmp
 set peer 80.65.95.162
 set transform-set myset3
 match address 117
crypto map clientmap 8 ipsec-isakmp
 set peer xxxxxx
 set transform-set myset4
 match address 119
crypto map clientmap 9 ipsec-isakmp
 set peer xxxxxx
 set transform-set myset5
 match address 120
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap 11 ipsec-isakmp dynamic rtpmap
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description $FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 no ip unreachables
 ip nat inside
 no ip mroute-cache
 speed auto
 half-duplex
 no cdp enable
!
interface FastEthernet0/1
 description $FW_OUTSIDE$
 ip address 195.222.36.202 255.255.255.252
 no ip unreachables
 ip nat outside
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
 crypto map clientmap
!
ip local pool ippool 192.168.200.1 192.168.200.254
ip nat inside source route-map nonat interface FastEthernet0/1 overload
ip http server
ip http authentication local
ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 195.222.36.201
ip route 10.112.192.0 255.255.192.0 192.168.1.101
ip route 192.168.0.0 255.255.255.0 212.39.103.154
ip route 192.168.11.0 255.255.255.0 xxxxxxxx
ip route 192.168.13.0 255.255.255.0 FastEthernet0/1
ip route 192.168.14.0 255.255.255.0 xxxxxxxx
ip route 192.168.15.0 255.255.255.0 FastEthernet0/1
ip route 192.168.220.0 255.255.255.0 xxxxxxx
ip route 193.77.75.0 255.255.255.0 80.65.95.162
!
!
!
ip access-list extended addr-pool
ip access-list extended default-domain
ip access-list extended dns-servers
ip access-list extended idletime
ip access-list extended inacl
ip access-list extended key-exchange
ip access-list extended protocol
ip access-list extended service
ip access-list extended timeout
ip access-list extended tunnel-password
access-list 101 remark SDM_ACL Category=18
access-list 101 deny ip 192.168.11.0 0.0.0.255 193.77.75.0 0.0.0.255
access-list 101 deny ip 193.77.75.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny ip 10.112.192.0 0.0.31.255 192.168.0.0 0.0.0.255
access-list 101 deny ip 192.168.15.0 0.0.0.255 193.77.75.0 0.0.0.255
access-list 101 deny ip 192.168.14.0 0.0.0.255 193.77.75.0 0.0.0.255
access-list 101 deny ip 192.168.13.0 0.0.0.255 193.77.75.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 193.77.75.0 0.0.0.255
access-list 101 deny ip 10.112.192.0 0.0.31.255 193.77.75.0 0.0.0.255
access-list 101 deny ip 193.77.75.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 101 deny ip 10.112.192.0 0.0.31.255 192.168.14.0 0.0.0.255
access-list 101 deny ip 193.77.75.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 101 deny ip 10.112.192.0 0.0.31.255 192.168.11.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 193.77.75.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.220.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 115 remark SDM_ACL Category=20
access-list 115 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 115 permit ip 10.112.192.0 0.0.31.255 192.168.0.0 0.0.0.255
access-list 115 permit ip 193.77.75.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 117 remark SDM_ACL Category=20
access-list 117 permit ip 192.168.1.0 0.0.0.255 193.77.75.0 0.0.0.255
access-list 117 permit ip 10.112.192.0 0.0.31.255 193.77.75.0 0.0.0.255
access-list 117 permit ip 192.168.0.0 0.0.0.255 193.77.75.0 0.0.0.255
access-list 117 permit ip 192.168.1.0 0.0.0.255 192.168.220.0 0.0.0.255
access-list 117 permit ip 192.168.13.0 0.0.0.255 193.77.75.0 0.0.0.255
access-list 117 permit ip 192.168.14.0 0.0.0.255 193.77.75.0 0.0.0.255
access-list 117 permit ip 192.168.15.0 0.0.0.255 193.77.75.0 0.0.0.255
access-list 117 permit ip 192.168.11.0 0.0.0.255 193.77.75.0 0.0.0.255
access-list 118 remark SDM_ACL Category=20
access-list 118 permit ip 10.112.192.0 0.0.31.255 192.168.13.0 0.0.0.255
access-list 118 permit ip 192.168.1.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 118 permit ip 193.77.75.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 118 permit ip 10.112.192.0 0.0.31.255 192.168.15.0 0.0.0.255
access-list 118 permit ip 192.168.1.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 118 permit ip 193.77.75.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 119 permit ip 192.168.1.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 119 permit ip 10.112.192.0 0.0.31.255 192.168.14.0 0.0.0.255
access-list 119 permit ip 193.77.75.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 120 permit ip 10.112.192.0 0.0.31.255 192.168.11.0 0.0.0.255
access-list 120 permit ip 193.77.75.0 0.0.0.255 192.168.11.0 0.0.0.255
no cdp run
!
route-map nonat permit 10
 match ip address 101
!
!
dial-peer cor custom
!
!
!
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 password xxxxx
 transport input telnet ssh
!
!
!
end

New Member

Re: hub-spokes routing between spokes

SITE B

version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
logging console critical
!
username xxxxx privilege 15 password 7 xxxxxxxxxxx
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
ip tcp synwait-time 10
ip domain name net.com
!
no ip bootp server
ip cef
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 5
 hash md5
 authentication pre-share
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxx address 195.222.36.202
crypto isakmp key xxxxxx address xxxxxxx
!
crypto isakmp client configuration group xxxxx
 key xxxxx
 dns 193.77.75.234
 pool ipadrese
crypto isakmp profile VPNclient
   description VPN clients profile
   match identity group xxxxxx
   client authentication list userauthen
   isakmp authorization list groupauthor
   client configuration address respond
!
!
crypto ipsec transform-set myset3 esp-des esp-md5-hmac
 mode transport
!
crypto dynamic-map dynmap 5
 set transform-set myset3
 set isakmp-profile VPNclient
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to 195.222.36.202
 set peer 195.222.36.202
 set transform-set myset3
 match address 101
crypto map SDM_CMAP_1 10 ipsec-isakmp dynamic dynmap
crypto map SDM_CMAP_1 11 ipsec-isakmp
 description Tunnel to xxxxx
 set peer xxxxx
 set transform-set myset3
 match address 102
!
!
!
!
interface FastEthernet0
 description $FW_INSIDE$$ETH-LAN$
 ip address 193.77.75.253 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 speed auto
 no cdp enable
!
interface Serial0
 ip address 80.65.95.162 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip route-cache flow
 no cdp enable
 crypto map SDM_CMAP_1
!
ip local pool ipadrese 192.168.220.1 192.168.220.254
ip nat inside source route-map SDM_RMAP_1 interface Serial0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 80.65.95.161
ip route 10.112.192.0 255.255.224.0 192.168.1.101
ip route 192.168.0.0 255.255.255.0 192.168.1.1
ip route 192.168.13.0 255.255.255.0 192.168.1.1
ip route 192.168.14.0 255.255.255.0 192.168.1.1
ip route 192.168.100.0 255.255.255.0 Serial0
ip route 192.168.220.0 255.255.255.0 Serial0
ip http server
ip http authentication local
ip http secure-server
!
!
!
ip access-list extended ios_web_exec
logging trap debugging
access-list 100 remark SDM_ACL Category=2
access-list 100 deny ip 193.77.75.0 0.0.0.255 192.168.220.0 0.0.0.255
access-list 100 remark IPSec Rule
access-list 100 deny ip 193.77.75.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 deny ip 193.77.75.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 100 deny ip 193.77.75.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 100 deny ip 193.77.75.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip 193.77.75.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 deny ip 193.77.75.0 0.0.0.255 10.112.192.0 0.0.31.255
access-list 100 permit ip 193.77.75.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 193.77.75.0 0.0.0.255 10.112.192.0 0.0.31.255
access-list 101 permit ip 193.77.75.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 permit ip 193.77.75.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 193.77.75.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 101 permit ip 193.77.75.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 101 permit ip 192.168.220.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 193.77.75.0 0.0.0.255 192.168.100.0 0.0.0.255
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
^C
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 privilege level 15
 transport input telnet ssh
line vty 5 15
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
end

SITE C

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxx
!
!
memory-size iomem 25
no aaa new-model
ip subnet-zero
!
!
!
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 30
ip ssh authentication-retries 5
ip ssh port 2222 rotary 55
ip ssh rsa keypair-name shex
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 5
 hash md5
 authentication pre-share
crypto isakmp key 0 xxxx address 195.222.36.202 no-xauth
!
!
crypto ipsec transform-set myset1 esp-des esp-md5-hmac
!
crypto map clientmap 5 ipsec-isakmp
 set peer 195.222.36.202
 set transform-set myset1
 match address 115
!
!
!
!
interface Ethernet0
 ip address 192.168.0.1 255.255.255.0
 ip access-group 150 in
 no ip proxy-arp
 ip nat inside
 half-duplex
 hold-queue 100 in
 hold-queue 100 out
!
interface FastEthernet0
 ip address 212.39.103.154 255.255.255.128
 no ip proxy-arp
 ip nat outside
 speed auto
 crypto map clientmap
 hold-queue 100 in
 hold-queue 100 out
!
ip nat inside source route-map nonat interface FastEthernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 212.39.103.130
ip route 10.112.192.0 255.255.224.0 192.168.1.101
ip route 192.168.1.0 255.255.255.0 195.222.36.202
ip route 193.77.75.0 255.255.255.0 192.168.1.1
no ip http server
no ip http secure-server
!
!
access-list 110 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 deny ip 192.168.0.0 0.0.0.255 193.77.75.0 0.0.0.255
access-list 110 deny ip 192.168.0.0 0.0.0.255 10.112.192.0 0.0.31.255
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
access-list 115 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 115 permit ip 192.168.0.0 0.0.0.255 10.112.192.0 0.0.31.255
access-list 115 permit ip 192.168.0.0 0.0.0.255 193.77.75.0 0.0.0.255
access-list 150 deny icmp any any echo
access-list 150 permit ip any any
no cdp advertise-v2
!
route-map nonat permit 10
 match ip address 110
!
!
line con 0
line aux 0
line vty 0 4
 password 7 xxxxxx
 login local
!
no scheduler allocate
!
end
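For spoke-to-spoke traffic that hairpins through the hub, the hub's crypto ACL for each spoke tunnel has to be the exact mirror of that spoke's crypto ACL, or the two ends propose different proxy identities for the flow. As an added illustration (not code from this thread or from Cisco), the Python checker below parses the numbered ACLs posted above and lists entries with no mirror on the other end; comparing hub ACL 117 with SITE B ACL 101, it reports the 192.168.11.0 and 192.168.15.0 entries that the hub permits but SITE B never selects for the tunnel.

```python
import re

# One IOS numbered-ACL entry: "access-list N permit|deny ip SRC SRC_WC DST DST_WC"
ACL_RE = re.compile(
    r"access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_acls(config_text):
    """Return {acl_number: [(action, src, src_wc, dst, dst_wc), ...]}; remarks are skipped."""
    acls = {}
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            num, action, src, swc, dst, dwc = m.groups()
            acls.setdefault(num, []).append((action, src, swc, dst, dwc))
    return acls

def mirror_gaps(local_entries, remote_entries):
    """Crypto ACLs at both ends of a tunnel must be mirrors; a local (src -> dst) permit without
    a remote (dst -> src) permit is a proxy-identity mismatch. Returns (local gaps, remote gaps)."""
    local = {e[1:] for e in local_entries if e[0] == "permit"}
    remote = {e[1:] for e in remote_entries if e[0] == "permit"}
    flip = lambda e: (e[2], e[3], e[0], e[1])  # swap src and dst (with their wildcards)
    return (sorted(e for e in local if flip(e) not in remote),
            sorted(e for e in remote if flip(e) not in local))

# Sample input: the hub's crypto ACL for the SITE B peer and SITE B's crypto ACL for the hub, copied from the configs posted in this thread.
HUB_ACL_117 = """access-list 117 remark SDM_ACL Category=20
access-list 117 permit ip 192.168.1.0 0.0.0.255 193.77.75.0 0.0.0.255
access-list 117 permit ip 10.112.192.0 0.0.31.255 193.77.75.0 0.0.0.255
access-list 117 permit ip 192.168.0.0 0.0.0.255 193.77.75.0 0.0.0.255
access-list 117 permit ip 192.168.1.0 0.0.0.255 192.168.220.0 0.0.0.255
access-list 117 permit ip 192.168.13.0 0.0.0.255 193.77.75.0 0.0.0.255
access-list 117 permit ip 192.168.14.0 0.0.0.255 193.77.75.0 0.0.0.255
access-list 117 permit ip 192.168.15.0 0.0.0.255 193.77.75.0 0.0.0.255
access-list 117 permit ip 192.168.11.0 0.0.0.255 193.77.75.0 0.0.0.255"""
SITE_B_ACL_101 = """access-list 101 permit ip 193.77.75.0 0.0.0.255 10.112.192.0 0.0.31.255
access-list 101 permit ip 193.77.75.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 193.77.75.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 193.77.75.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 101 permit ip 193.77.75.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 101 permit ip 192.168.220.0 0.0.0.255 192.168.1.0 0.0.0.255"""

def check_site_b_tunnel():
    """Compare hub ACL 117 with SITE B ACL 101; returns the two gap lists from mirror_gaps."""
    return mirror_gaps(parse_acls(HUB_ACL_117)["117"], parse_acls(SITE_B_ACL_101)["101"])

if __name__ == "__main__":
    for src, _, dst, _ in check_site_b_tunnel()[0]:
        print(f"hub permits {src} -> {dst} but SITE B has no {dst} -> {src} entry")
```

The same two functions can be pointed at any other hub/spoke ACL pair from the thread (for example hub ACL 115 against SITE C ACL 115), and at the NAT-exemption ACLs to confirm each tunnel flow is also denied there.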

New Member

Re: hub-spokes routing between spokes

Can you help me with the configuration which I posted?

New Member

Re: hub-spokes routing between spokes

If you have only one subnet per site, protected by the hub router, try EasyVPN. Configuration is very easy and scalable. Even TAC says it is hard to troubleshoot EasyVPN on routers, but I had no problems!
