Cisco VPN - Headache !

joesnow (Technical User), Jan 19, 2004
Hello all, I have been banging my head against this one for a couple of days now and am totally lost!

I have two routers doing LAN-to-LAN VPN. Easy, I thought; I configured the two 2611 routers using best-guess technology.

The problem is that whilst the 192.168.4.x traffic goes through the VPN tunnel, the 192.168.1.x traffic does not. I am not sure if my access lists have gone to pot or if it is an issue with routing...

See what you think. Thanks in advance.


Joesnow

configs:

Building configuration...

Current configuration : 2885 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname ROUTERA
!
enable password XX
!
ip subnet-zero
!
!
no ip domain lookup
!
ip inspect name OUTGOING http
ip inspect name OUTGOING smtp
ip inspect name OUTGOING ftp
ip inspect name OUTGOING tcp
ip inspect name OUTGOING udp
ip inspect name INCOMING smtp
ip audit notify log
ip audit po max-events 100
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key VPNKEY address ISP_IP_ROUTER_B
!
!
crypto ipsec transform-set to_EP ah-md5-hmac esp-des esp-md5-hmac
!
crypto map EPVPN 10 ipsec-isakmp
set peer ISP_IP_ROUTER_B
set transform-set to_EP
match address 101
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
!
!
!
!
interface Loopback0
ip address ISP_IP_ROUTER_A 255.255.255.248
!
interface ATM0/0
no ip address
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface Ethernet0/0
description connected to lan_ROUTERA
ip address 192.168.254.251 255.255.255.0
ip access-group 120 in
ip nat inside
ip inspect OUTGOING in
ip inspect INCOMING out
half-duplex
!
interface Ethernet0/1
description connected to lana_ROUTERA
ip address 192.168.1.242 255.255.255.0
ip access-group 130 in
ip nat inside
ip inspect OUTGOING in
ip inspect INCOMING out
half-duplex
!
interface Dialer1
ip unnumbered Loopback0
ip nat outside
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp chap hostname XX
ppp chap password XX
crypto map EPVPN
!
router rip
version 2
passive-interface Dialer1
network 192.168.1.0
network 192.168.254.0
!
ip nat pool OUTSIDE ISP_IP_ROUTER_A ISP_IP_ROUTER_A netmask 255.255.255.248
ip nat inside source list 100 pool OUTSIDE overload
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
access-list 1 permit 0.0.0.0 255.255.255.0
access-list 100 deny ip 192.168.254.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 100 permit ip 192.168.254.0 0.0.0.255 any
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.254.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 deny ip any any
access-list 120 permit ip 192.168.254.0 0.0.0.255 any
access-list 130 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
!
!
!
!
line con 0
exec-timeout 0 0
password XX
login
line aux 0
line vty 0 4
password XX
login
!
!
!
end

ROUTERA#





ROUTER B

Building configuration...

Current configuration : 2570 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname ROUTERB
!
enable password XX
!
ip subnet-zero
!
!
no ip domain lookup
!
ip inspect name OUTGOING http
ip inspect name OUTGOING smtp
ip inspect name OUTGOING ftp
ip inspect name OUTGOING tcp
ip inspect name OUTGOING udp
ip inspect name INCOMING smtp
ip audit notify log
ip audit po max-events 100
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key VPNKEY address ISP_IP_ROUTER_A
!
!
crypto ipsec transform-set to_HO ah-md5-hmac esp-des esp-md5-hmac
!
crypto map HOVPN 10 ipsec-isakmp
set peer ISP_IP_ROUTER_A
set transform-set to_HO
match address 101
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
!
!
!
!
interface Loopback0
ip address ISP_IP_ROUTER_B 255.255.255.0
!
interface ATM0/0
no ip address
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface Ethernet0/0
description connected to lan_ROUTERB
ip address 192.168.4.254 255.255.255.0
ip access-group 120 in
ip nat inside
ip inspect OUTGOING in
ip inspect INCOMING out
half-duplex
!
interface Ethernet0/1
no ip address
shutdown
half-duplex
!
interface Dialer1
ip unnumbered Loopback0
ip nat outside
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp chap hostname XX
ppp chap password XX
crypto map HOVPN
!
router rip
version 2
passive-interface Dialer1
network 192.168.4.0
no auto-summary
!
ip nat pool OUTSIDE ISP_IP_ROUTER_B ISP_IP_ROUTER_B netmask 255.255.255.0
ip nat inside source list 100 pool OUTSIDE overload
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
access-list 1 permit 0.0.0.0 255.255.255.0
access-list 100 deny ip 192.168.4.0 0.0.0.255 192.168.254.0 0.0.0.255
! wildcard mask corrected to 0.0.0.255; the original post had 0.0.0.225, a
! non-contiguous mask that exempts only a handful of 192.168.1.x hosts from NAT
access-list 100 deny ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
access-list 101 permit ip 192.168.4.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 101 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 deny ip any any
access-list 120 permit ip 192.168.4.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
! read-only community "public" with no ACL on the community and no inbound
! access-group on Dialer1, so it is reachable from the Internet side
snmp-server community public RO
snmp-server enable traps tty
!
!
!
!
!
line con 0
exec-timeout 0 0
password XX
login
line aux 0
line vty 0 4
password XX
login
!
!
!
end

ROUTERB#
 
OK, 30 mins after posting this it started to work... Is there any way to explain this, or change anything to make it better?

My next job is to bring a third router into the setup, but routing port 25 traffic (SMTP) in...

What a larf!!

joe.
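The mechanism behind the symptom in the post is the interaction of two access lists on each router: ACL 101 tells the crypto map which traffic to encrypt, and the deny entries at the top of ACL 100 exempt that same traffic from NAT. IOS performs inside-to-outside NAT before it consults the crypto map, so any LAN-to-LAN packet that ACL 100 still permits is translated to the ISP address, no longer matches ACL 101, and leaves Dialer1 in the clear. The Python script below is an added example, not code from the original post or from Tek-Tips. It embeds a constructed copy of Router B's ACL 100 and 101 exactly as posted (including the 0.0.0.225 wildcard on the deny for 192.168.1.0), evaluates them with IOS first-match wildcard semantics, flags non-contiguous wildcard masks, and lists which 192.168.1.x destinations would be NATed rather than encrypted. The function names, the sample source host 192.168.4.10 and the ROUTER_B_AS_POSTED / ROUTER_B_FIXED strings are assumptions of the example.

```python
import ipaddress

# Constructed excerpt of Router B's two relevant ACLs as they appear in the
# post: ACL 100 selects what gets NATed (deny = exempt from NAT), ACL 101 is
# the crypto map's "interesting traffic". The 0.0.0.225 wildcard on the second
# deny is reproduced deliberately; it is the defect under test.
ROUTER_B_AS_POSTED = """
access-list 100 deny ip 192.168.4.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 100 deny ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.225
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
access-list 101 permit ip 192.168.4.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 101 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
# Same ACLs with the wildcard corrected to cover the whole /24 (assumed fix).
ROUTER_B_FIXED = ROUTER_B_AS_POSTED.replace("0.0.0.225", "0.0.0.255")


def _parse_addr(tokens):
    """Consume one IOS address spec ('any', 'host A' or 'A WILDCARD') from the
    token list and return (network_int, wildcard_int); a set wildcard bit
    means "don't care"."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))


def parse_acls(config):
    """Map ACL number -> list of (action, src_spec, dst_spec, original_line)
    for the numbered extended 'ip' entries found in an IOS config text."""
    acls = {}
    for raw in config.splitlines():
        tokens = raw.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        number, action, rest = tokens[1], tokens[2], tokens[4:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        acls.setdefault(number, []).append((action, src, dst, raw.strip()))
    return acls


def _matches(addr, spec):
    """Wildcard match exactly as the router does it: compare only the bits
    that are clear in the wildcard."""
    net, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (net & care)


def acl_action(entries, src, dst):
    """First-match evaluation with the implicit deny at the end, as IOS does."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for action, src_spec, dst_spec, _ in entries:
        if _matches(s, src_spec) and _matches(d, dst_spec):
            return action
    return "deny"


def noncontiguous_wildcards(config):
    """ACL lines whose wildcard is not of the form 0...01...1 (almost always a
    typo). A contiguous wildcard w satisfies (w + 1) & w == 0; 225 does not."""
    flagged = []
    for entries in parse_acls(config).values():
        for _, src, dst, line in entries:
            if any((wc + 1) & wc for _, wc in (src, dst)):
                flagged.append(line)
    return flagged


def nat_leaks(config, flows, crypto_acl="101", nat_acl="100"):
    """Flows the crypto ACL would encrypt but the NAT ACL translates first.
    IOS applies inside-to-outside NAT before the crypto map is consulted, so a
    translated packet no longer matches the crypto ACL and leaves unencrypted."""
    acls = parse_acls(config)
    return [
        (src, dst)
        for src, dst in flows
        if acl_action(acls[crypto_acl], src, dst) == "permit"
        and acl_action(acls[nat_acl], src, dst) == "permit"
    ]


def flows_to_subnet(src, dst_subnet):
    """One (src, dst) pair per host address in dst_subnet."""
    return [(src, str(h)) for h in ipaddress.IPv4Network(dst_subnet).hosts()]


if __name__ == "__main__":
    flows = flows_to_subnet("192.168.4.10", "192.168.1.0/24")  # assumed sample host
    print("suspicious wildcards:", noncontiguous_wildcards(ROUTER_B_AS_POSTED))
    leaked = nat_leaks(ROUTER_B_AS_POSTED, flows)
    print(f"as posted: {len(leaked)} of {len(flows)} 192.168.1.x hosts get NATed, not encrypted")
    print("after fix:", nat_leaks(ROUTER_B_FIXED, flows))
```

With the ACLs as posted, 239 of the 254 hosts in 192.168.1.0/24 are translated on Router B instead of being encrypted; only addresses whose last octet has bits 1 to 4 clear (.1, .32, .33, .64, ...) fall under the 0.0.0.225 deny. Router A's ACL 100 and 101 pass the same check, which is consistent with one direction of the tunnel working and return traffic to most 192.168.1.x hosts not. Separately from the ACL question, the transform set ah-md5-hmac esp-des esp-md5-hmac and the hash md5 in the ISAKMP policy are weak by any current standard (56-bit DES, MD5), and AH adds nothing over ESP with its own integrity check while breaking if a NAT device ever sits on the path; esp-aes with esp-sha-hmac is available on 12.3 and is the usual replacement.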
 