
ASA Spoke 1 and Spoke 2 cannot ping each other

8 years 9 months ago #38668 by rmangotra
Hi,
I have an issue where SPOKE1 and SPOKE2 cannot communicate with each other. However, SPOKE1 and SPOKE2 can both communicate with the HUB. Please see the configuration below for the spokes and the hub. I'd really appreciate it if anyone could guide me in the right direction.

SPOKE 1 (Cisco SRST881, v. 12.4)

SPOKE 2 (Cisco 887VA, v.12.4(22r))

HUB (ASA5525, v.8.6(1)2)


** Spoke 1 (Cisco SRST881, v. 12.4) **
==================================

crypto ikev2 proposal AES256-192-128-PROPOSAL
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha1
group 2

crypto ikev2 policy IKEv2-Policy
proposal AES256-192-128-PROPOSAL

crypto ikev2 keyring VPN-KEYS
peer ASA-DC
address 200.200.200.1
pre-shared-key local 12345678
pre-shared-key remote 12345678

crypto ikev2 profile ASA-DC
match identity remote address 200.200.200.1 255.255.255.255
identity local address 50.50.50.1
authentication local pre-share
authentication remote pre-share
keyring VPN-KEYS

crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac

crypto map SPOKE1-ASA 10 ipsec-isakmp
set peer 200.200.200.1
set transform-set ESP-AES256-SHA
set ikev2-profile ASA-DC
match address SPOKE1-VPN-ACL

interface FastEthernet4
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map SPOKE1-ASA

interface Vlan1
ip address 192.168.210.225 255.255.255.224
ip nat inside
ip virtual-reassembly in

ip nat inside source list NONAT interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 50.50.50.1

ip access-list extended NONAT
deny ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
permit ip 192.168.210.64 0.0.0.31 any

ip access-list extended SPOKE1-VPN-ACL
permit ip 192.168.210.224 0.0.0.31 172.16.0.0 0.0.255.255
permit ip 192.168.210.224 0.0.0.31 192.168.210.64 0.0.0.31

** SPOKE2 (Cisco 887VA, v.12.4(22r)) **
=================================

crypto ikev2 proposal AES256-192-128-PROPOSAL
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha1
group 2

crypto ikev2 policy IKEv2-Policy
proposal AES256-192-128-PROPOSAL

crypto ikev2 keyring VPN-KEYS
peer ASA-DC
address 200.200.200.1
pre-shared-key local 12345678
pre-shared-key remote 12345678

crypto ikev2 profile ASA-DC
match identity remote address 200.200.200.1 255.255.255.255
identity local address 100.100.100.1
authentication local pre-share
authentication remote pre-share
keyring VPN-KEYS

crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac

crypto map SPOKE2-ASA 10 ipsec-isakmp
set peer 200.200.200.1
set transform-set ESP-AES256-SHA
set ikev2-profile ASA-DC
match address SPOKE2-VPN-ACL

interface Vlan1
ip address 192.168.210.65 255.255.255.224
ip helper-address 172.16.5.32
ip nat inside
ip virtual-reassembly in

interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp chap hostname zzz@zzz.com
ppp chap password 7 zzzzzzzzz
crypto map SPOKE2-ASA

ip nat inside source list NONAT interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1

ip access-list extended SPOKE2-VPN-ACL
permit ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
permit ip 192.168.210.64 0.0.0.31 192.168.210.224 0.0.0.31

ip access-list extended NONAT
deny ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
permit ip 192.168.210.64 0.0.0.31 any

** HUB (ASA5525, v.8.6(1)2) **
===============================

object network SPOKE1
subnet 192.168.210.224 255.255.255.224

object network SPOKE2
subnet 192.168.210.64 255.255.255.224

object-group network INSIDE-SUBNET
network-object 172.16.0.0 255.255.0.0


access-list VPN-SPOKE1 extended permit ip object-group INSIDE-SUBNET object SPOKE1
access-list VPN-SPOKE1 extended permit ip object SPOKE2 object SPOKE1
access-list VPN-SPOKE2 extended permit ip object-group INSIDE-SUBNET object SPOKE2
access-list VPN-SPOKE2 extended permit ip object SPOKE1 object SPOKE2

nat (inside,outside) source static inside-subnet-source INSIDE-SUBNET destination static SPOKE1 SPOKE1 no-proxy-arp route-lookup
nat (inside,outside) source static inside-subnet-source INSIDE-SUBNET destination static SPOKE2 SPOKE2 no-proxy-arp route-lookup
nat (any,outside) source static inside-subnet-source INSIDE-SUBNET destination static SPOKE1 SPOKE1 no-proxy-arp
nat (any,outside) source static inside-subnet-source INSIDE-SUBNET destination static SPOKE2 SPOKE2 no-proxy-arp

route outside 192.168.210.64 255.255.255.224 200.200.200.1 1
route outside 192.168.210.224 255.255.255.224 200.200.200.1 1

crypto ipsec ikev2 ipsec-proposal AES256-192-128-PROPOSAL
protocol esp encryption aes-256 aes-192 aes
protocol esp integrity sha-1

crypto map ASA-VPN-SITE 10 match address VPN-SPOKE1
crypto map ASA-VPN-SITE 10 set peer 50.50.50.1
crypto map ASA-VPN-SITE 20 set ikev2 ipsec-proposal AES256-192-128-PROPOSAL

crypto map ASA-VPN-SITE 20 match address VPN-SPOKE2
crypto map ASA-VPN-SITE 20 set peer 100.100.100.1
crypto map ASA-VPN-SITE 20 set ikev2 ipsec-proposal AES256-192-128-PROPOSAL

tunnel-group 50.50.50.1 type ipsec-l2l
tunnel-group 50.50.50.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

tunnel-group 100.100.100.1 type ipsec-l2l
tunnel-group 100.100.100.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

same-security-traffic permit intra-interface

Thank You,
Kind Regards
Rohit.
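Added example, not code or configuration from the post above: a small Python checker for the two properties a hub-and-spoke IPsec setup like this one depends on, namely that every crypto-ACL permit on a spoke is mirrored (source and destination swapped) in the hub's crypto ACL for that spoke, and that each spoke's NAT ACL exempts (first match is a deny, or no match at all) every flow the crypto ACL calls interesting, so the packet still has its LAN source address when the crypto map is evaluated. The ACLs and LAN subnets are transcribed from the three configurations quoted in the post; the ASA `object`/`object-group` definitions are entered as a dict instead of being parsed. Only `ip` entries are understood; ports and other protocols are out of scope.

```python
"""Crypto-ACL mirroring and NAT-exemption checks for the posted hub-and-spoke configs.

Added example (not the poster's code). ACL text and subnets below are copied
from the post; only 'permit|deny ip SRC DST' entries are parsed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Entry = Tuple[str, Net, Net]  # (action, source, destination)


def _ios_net(tok: List[str]) -> Tuple[Net, List[str]]:
    """Consume one IOS address spec: 'any', 'host A' or 'A WILDCARD'."""
    if tok[0] == "any":
        return Net("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return Net(tok[1] + "/32"), tok[2:]
    # IOS wildcard bits are the inverse of a netmask (0.0.0.31 -> /27)
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tok[1])) ^ 0xFFFFFFFF)
    return Net(f"{tok[0]}/{mask}", strict=False), tok[2:]


def parse_ios_acl(text: str) -> List[Entry]:
    """Parse 'permit|deny ip SRC DST' lines of an IOS extended ACL, in order."""
    out: List[Entry] = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) >= 4 and tok[0] in ("permit", "deny") and tok[1] == "ip":
            src, rest = _ios_net(tok[2:])
            dst, _ = _ios_net(rest)
            out.append((tok[0], src, dst))
    return out


def _asa_net(tok: List[str], objects: Dict[str, Net]) -> Tuple[Net, List[str]]:
    """Consume one ASA address spec: any, host A, object/object-group NAME, or A NETMASK."""
    if tok[0] == "any":
        return Net("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return Net(tok[1] + "/32"), tok[2:]
    if tok[0] in ("object", "object-group"):
        return objects[tok[1]], tok[2:]
    return Net(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]


def parse_asa_acl(text: str, name: str, objects: Dict[str, Net]) -> List[Entry]:
    """Parse 'access-list NAME extended permit|deny ip SRC DST' lines for one ACL name."""
    out: List[Entry] = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) >= 7 and tok[:3] == ["access-list", name, "extended"] and tok[4] == "ip":
            src, rest = _asa_net(tok[5:], objects)
            dst, _ = _asa_net(rest, objects)
            out.append((tok[3], src, dst))
    return out


def missing_mirrors(spoke_acl: List[Entry], hub_acl: List[Entry]) -> List[Tuple[Net, Net]]:
    """Spoke crypto-ACL permits that have no src/dst-swapped permit on the hub."""
    hub = {(s, d) for a, s, d in hub_acl if a == "permit"}
    return [(s, d) for a, s, d in spoke_acl if a == "permit" and (d, s) not in hub]


def nat_action(nonat: List[Entry], src: Net, dst: Net) -> Optional[str]:
    """First-match lookup of a NAT ACL for a whole prefix pair: 'permit' = translated,
    'deny' = exempt, None = no entry matched (implicit deny, also exempt)."""
    for action, s, d in nonat:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return None


def translated_vpn_flows(crypto_acl: List[Entry], nonat: List[Entry]) -> List[Tuple[Net, Net]]:
    """Interesting traffic the NAT ACL would still translate, so it never matches the crypto ACL."""
    return [(s, d) for a, s, d in crypto_acl if a == "permit" and nat_action(nonat, s, d) == "permit"]


def lan_missing_from_nonat(nonat: List[Entry], lan: Net) -> bool:
    """True if no NAT ACL entry's source covers the LAN behind the spoke."""
    return not any(lan.subnet_of(s) for _, s, _ in nonat)


# --- transcribed from the post: spoke Vlan1 subnets, crypto ACLs, NONAT ACLs, hub objects/ACLs ---
SPOKE1_LAN = Net("192.168.210.224/27")  # Vlan1 192.168.210.225/27
SPOKE1_CRYPTO = """
permit ip 192.168.210.224 0.0.0.31 172.16.0.0 0.0.255.255
permit ip 192.168.210.224 0.0.0.31 192.168.210.64 0.0.0.31
"""
SPOKE1_NONAT = """
deny ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
permit ip 192.168.210.64 0.0.0.31 any
"""
SPOKE2_LAN = Net("192.168.210.64/27")  # Vlan1 192.168.210.65/27
SPOKE2_CRYPTO = """
permit ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
permit ip 192.168.210.64 0.0.0.31 192.168.210.224 0.0.0.31
"""
SPOKE2_NONAT = SPOKE1_NONAT  # the two NONAT ACLs in the post are textually identical
HUB_OBJECTS = {"SPOKE1": Net("192.168.210.224/27"), "SPOKE2": Net("192.168.210.64/27"),
               "INSIDE-SUBNET": Net("172.16.0.0/16")}
HUB_ACLS = """
access-list VPN-SPOKE1 extended permit ip object-group INSIDE-SUBNET object SPOKE1
access-list VPN-SPOKE1 extended permit ip object SPOKE2 object SPOKE1
access-list VPN-SPOKE2 extended permit ip object-group INSIDE-SUBNET object SPOKE2
access-list VPN-SPOKE2 extended permit ip object SPOKE1 object SPOKE2
"""


def audit() -> Dict[str, Dict[str, object]]:
    """Run the three checks for each spoke against its hub crypto ACL."""
    report: Dict[str, Dict[str, object]] = {}
    for name, lan, crypto, nonat, hub_name in (
        ("spoke1", SPOKE1_LAN, SPOKE1_CRYPTO, SPOKE1_NONAT, "VPN-SPOKE1"),
        ("spoke2", SPOKE2_LAN, SPOKE2_CRYPTO, SPOKE2_NONAT, "VPN-SPOKE2"),
    ):
        c, n = parse_ios_acl(crypto), parse_ios_acl(nonat)
        h = parse_asa_acl(HUB_ACLS, hub_name, HUB_OBJECTS)
        report[name] = {"missing_mirrors": missing_mirrors(c, h),
                        "translated_vpn_flows": translated_vpn_flows(c, n),
                        "lan_missing_from_nonat": lan_missing_from_nonat(n, lan)}
    return report


if __name__ == "__main__":
    for spoke, findings in audit().items():
        for check, value in findings.items():
            print(f"{spoke}: {check} = {value}")
```

On the ACLs as posted, the mirror check passes for both spokes (each spoke's crypto ACL is the swap of the hub's `VPN-SPOKE1`/`VPN-SPOKE2` lines). The NAT checks are what differ: on SPOKE2 the flow 192.168.210.64/27 to 192.168.210.224/27 misses the single `deny` (which only covers 172.16.0.0/16) and lands on `permit ... any`, so it is reported as translated; on SPOKE1 the `NONAT` ACL references 192.168.210.64/27 rather than the Vlan1 subnet 192.168.210.224/27, so the checker reports the LAN as absent from the NAT ACL. Both findings come straight from the quoted lines; whether they account for the observed behaviour is for the thread to settle.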