Site-to-site VPN with two subnets - Cisco IOS config

Can somebody double-check my configuration here and make sure I have it right?

We have two offices. The first one, R1, is on the 192.168.11.0/24 subnet; the other, R2, is on the 192.168.12.0/24 subnet. A Cisco 890 series router is at each location. Both offices have cable Internet service with one static IP each.

The R1 network also has a second subnet on a separate VLAN, 192.168.0.0/24, which is for the VOIP phone system. We have a PBX on 192.168.0.200.

The R2 network has a handful of IP phones on the 192.168.12.0/24 network which are pre-configured to connect to the PBX over the site-to-site VPN. The IP phones on R2 all have a 192.168.12.xxx IP address.

The site-to-site VPN is working correctly so far as I can tell - the 192.168.11.0/24 and 192.168.12.0/24 subnets can talk to each other, and I can even access the PBX's web interface on 192.168.0.200 from the 192.168.12.0/24 network.

But we're having a problem: there's no sound on the phones, despite them linking up and registering to the PBX. The VoIP provider is saying it's a network issue, and they're probably right, because this was working before on the old cheapo Netgear routers that we replaced.

As far as I can tell, I've configured it so that ALL traffic can travel between the 192.168.12.0 and 192.168.0.0 networks... but can someone double-check and see if I'm missing anything obvious?

Network Diagram: [rough network diagram image, not reproduced here]
R1 router's config:

!
! Last configuration change at 05:05:58 UTC Thu Mar 26 2015 by Cisco
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
no logging buffered
!
no aaa new-model
!
!
!
!
!
!


!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C891F-K9 sn FGL1911216R
!
!
username cisco privilege 15 secret 5 $1$xxxx$xxxxxxxxxxxxxxxxxxxx/
!
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key REDACTED address 173.xxx.xxx.xxx
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp
 set peer 173.xxx.xxx.xxx
 set transform-set TS
 match address VPN-TRAFFIC
!
!
!
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 description Uplink to switch
 switchport mode trunk
 no ip address
!
interface GigabitEthernet1
 no ip address
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 description Internet
 ip address 208.xxx.xxx.xxx 255.255.255.252
 ip access-group WAN-IN in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map CMAP
!
interface Vlan1
 description R1 Network
 ip address 192.168.11.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan2
 description VOIP
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Async3
 no ip address
 encapsulation slip
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 100 interface GigabitEthernet8 overload
ip nat inside source static tcp 192.168.11.14 1723 interface GigabitEthernet8 1723
ip nat inside source static tcp 192.168.11.14 80 208.xxx.xxx.xxx 80 extendable
ip nat inside source static tcp 192.168.11.14 443 208.xxx.xxx.xxx 443 extendable
ip route 0.0.0.0 0.0.0.0 208.124.242.25
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 192.168.12.0 0.0.0.255
ip access-list extended WAN-IN
 deny   tcp any host 208.xxx.xxx.xxx eq 22
 deny   tcp any host 208.xxx.xxx.xxx eq telnet
 deny   udp any host 208.xxx.xxx.xxx eq snmp
 deny   udp any host 208.xxx.xxx.xxx eq snmptrap
 permit ip any any
!
!
access-list 100 remark -=[Define NAT Service]=-
access-list 100 deny   ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 100 permit ip 192.168.11.0 0.0.0.255 any
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 remark
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
 no modem enable
line aux 0
line 3
 modem InOut
 speed 115200
 flowcontrol hardware
line vty 0 4
 login local
 transport input telnet
!
scheduler allocate 20000 1000
!
end




R2 router's config:

!
! Last configuration change at 20:50:18 UTC Thu Mar 26 2015 by Cisco
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
no logging buffered
!
no aaa new-model
!
!
!
!
!
!


!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C891F-K9 sn FGL1911216S
!
!
username cisco privilege 15 secret 5 $1$xxxx$xxxxxxxxxxxxxxxxxxxxx/
!
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key REDACTED address 208.xxx.xxx.xxx
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp
 set peer 208.xxx.xxx.xxx
 set transform-set TS
 match address VPN-TRAFFIC
!
!
!
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 description Uplink to Switch
 switchport mode trunk
 no ip address
!
interface GigabitEthernet1
 description Uplink to WiFi AP
 switchport mode trunk
 no ip address
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 description Internet
 ip address 173.xxx.xxx.xxx 255.255.255.252
 ip access-group WAN-IN in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map CMAP
!
interface Vlan1
 description R2 Network
 ip address 192.168.12.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan200
 description Guest Network
 ip address 10.0.0.1 255.0.0.0
 ip nat inside
 ip virtual-reassembly in
!
interface Async3
 no ip address
 encapsulation slip
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 101 interface GigabitEthernet8 overload
ip nat inside source static tcp 192.168.12.14 1723 interface GigabitEthernet8 1723
ip nat inside source static tcp 192.168.12.14 80 173.xxx.xxx.xxx 80 extendable
ip nat inside source static tcp 192.168.12.14 443 173.xxx.xxx.xxx 443 extendable
ip route 0.0.0.0 0.0.0.0 173.209.143.213
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
 permit ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.0.255
ip access-list extended WAN-IN
 deny   tcp any host 173.xxx.xxx.xxx eq 22
 deny   tcp any host 173.xxx.xxx.xxx eq telnet
 deny   udp any host 173.xxx.xxx.xxx eq snmp
 deny   udp any host 173.xxx.xxx.xxx eq snmptrap
 permit ip any any
!
!
access-list 101 remark -=[Define NAT Service]=-
access-list 101 deny   ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 101 deny   ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.12.0 0.0.0.255 any
access-list 101 remark
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
 no modem enable
line aux 0
line 3
 modem InOut
 speed 115200
 flowcontrol hardware
line vty 0 4
 login local
 transport input telnet
!
scheduler allocate 20000 1000
!
end


Asked by Frosty555

Fred Marshall (Principal) commented:
Without going into the Cisco config's, here's one thing I would look for (since you've changed the routers):

- There needs to be a "return path" route at each VPN router so that packet responses from the remote site will be directed to the tunnel or tunnel interface in the case of a *separate* VPN router.  Since you have combined VPN routers / internet gateways then this should not be a problem.

- There needs to be no firewall service that blocks LAN/LAN return packets because they didn't arrive through the internet gateway device.  Since you have combined VPN routers / internet gateways then this should also not be a problem.

But, I wonder about the VOIP subnet?  Are there return routes to / from 192.168.0.0/24?
- 1) Presumably, packets originating at 192.168.12.0/24 and destined for 192.168.0.0/24 should be directed to the tunnel at the source end of those packets.  How is that assured in the settings?
- 2) Presumably, packets returning from 192.168.0.0/24 and destined for 192.168.12.0/24 should be directed to the tunnel at the source end of *those* packets.  How is that assured in the settings?
Providing the routing tables for the two routers might shed a lot of light on all this.

I'm less concerned about #2 than #1.  That is, I think it's more likely that #2 is taken care of without explicit configs.  But #1 is more likely to be a question.
- Also, return packets from 192.168.0.0/24 destined for 192.168.12.0 should be directed
Frosty555 (Author) commented:
- 1) Presumably, packets originating at 192.168.12.0/24 and destined for 192.168.0.0/24 should be directed to the tunnel at the source end of those packets.  How is that assured in the settings?
- 2) Presumably, packets returning from 192.168.0.0/24 and destined for 192.168.12.0/24 should be directed to the tunnel at the source end of *those* packets.  How is that assured in the settings?
Providing the routing tables for the two routers might shed a lot of light on all this.

I *think*, that this is accomplished through the "VPN-TRAFFIC" access-list configured on R2. This access list is used in the "match address" section of the VPN config. There is also an access list 101 that determines what packets get NATTed, and the traffic is explicitly denied in there so that NAT doesn't happen on those packets

ip access-list extended VPN-TRAFFIC
 permit ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
 permit ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.0.255    <-- here

access-list 101 remark -=[Define NAT Service]=-
access-list 101 deny   ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 101 deny   ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.0.255       <--- here
access-list 101 permit ip 192.168.12.0 0.0.0.255 any
access-list 101 remark
access-list 101 permit ip 192.168.0.0 0.0.0.255 any



Similarly, on R1 there is an access list:

ip access-list extended VPN-TRAFFIC
 permit ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 192.168.12.0 0.0.0.255     <--- here


access-list 100 remark -=[Define NAT Service]=-
access-list 100 deny   ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.168.12.0 0.0.0.255     <--- here
access-list 100 permit ip 192.168.11.0 0.0.0.255 any
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 remark




I'm assuming that this is enough?
Fred Marshall (Principal) commented:
I'm not a Cisco configuration expert.  
These are talking about access which also means permission.
My concern is about routing.

What's in the routing table on the running routers?
NAT should not be in the discussion because the VPN acts like a router (no NAT) and not a gateway (with NAT).
So, when a packet arrives that's destined for a remote subnet, it has to be directed to the VPN / tunnel.  It's the destination that's important and that happens without NAT.  

(Well, of course there's NAT associated with the internet connection but the VPN acts as though there is none.  So, no NAT within the VPN from end to end.  Only routing.)

A packet arrives at the router destined for a remote subnet.
That packet is delivered to the tunnel termination which is supposed to know what to do with it.  
It goes through the VPN tunnel and exits the other end.
The destination IP address remains the same throughout; so, when the packet exits the tunnel, it goes out on the "wire" on the LAN subnet which includes the destination address.

What I don't know is how one launches a packet that's destined for a *different* subnet (e.g. the VLAN2 subnet) and have the local router/VPN handle that.
So, in my ignorance, I'd want to see the routing tables.

There should be routes from the 192.168.12.0/24 end to the 192.168.11.0/24 AND the 192.168.0.0/24 subnets.  That's two routes at that end.  
Maybe you need 2 VPNs - one for each subnet.  I just don't know how your Cisco devices support this sort of thing.
Frosty555 (Author) commented:
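As an added example (not code from the original thread or from Cisco), the script below runs the consistency checks a reviewer would apply to the two configs posted in the question, and walks one packet through the IOS order of operations that answers the routing question raised above: on a crypto-map VPN there is no tunnel interface and no per-subnet route; the default route delivers the packet to Gi8, inside-source NAT is applied if its ACL permits, and then the crypto map compares the (possibly translated) packet with the crypto ACL. Only the relevant config lines are embedded. The sample phone address 192.168.12.50 is an assumption; the PBX address 192.168.0.200 is from the question.

```python
# Added example, not part of the original thread: checks for the crypto-map
# IPsec VPN in the configs above, and the order-of-operations walk (default
# route, inside-source NAT, crypto map on Gi8) for one packet. Assumed sample
# R2 phone: 192.168.12.50; the PBX 192.168.0.200 is from the question.
import re
from ipaddress import ip_address, ip_network

R1_CFG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 group 2
crypto ipsec transform-set TS esp-3des esp-md5-hmac
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 100 deny   ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 100 permit ip 192.168.11.0 0.0.0.255 any
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
"""
R2_CFG = """\
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
 permit ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny   ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 101 deny   ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.12.0 0.0.0.255 any
access-list 101 remark
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
"""
WEAK = ("encr des", "encr 3des", "hash md5", "group 1", "group 2", "esp-des", "esp-3des", "esp-md5-hmac")

def _operand(toks):
    """Consume one IOS address operand: 'any', 'host A.B.C.D' or 'net wildcard'."""
    t = toks.pop(0)
    if t == "any":
        return ip_network("0.0.0.0/0")
    if t == "host":
        return ip_network(toks.pop(0) + "/32")
    return ip_network(f"{t}/{toks.pop(0)}")   # ipaddress accepts a wildcard (hostmask)

def parse_acl(cfg, name):
    """Return [(action, src_net, dst_net)] for extended IP ACL `name` (named or numbered)."""
    aces, in_named = [], False
    for line in cfg.splitlines():
        toks = line.split()
        if not toks:
            continue
        if not line.startswith(" "):          # any top-level line ends a named ACL body
            in_named = toks[:3] == ["ip", "access-list", "extended"] and toks[3] == name
            if toks[:2] != ["access-list", name]:
                continue
            toks = toks[2:]                   # numbered ACL: drop "access-list N"
        elif not in_named:
            continue
        if toks[0] == "remark" or toks[1] != "ip":
            continue
        rest = toks[2:]
        src, dst = _operand(rest), _operand(rest)   # evaluated left to right: source first
        aces.append((toks[0], src, dst))
    return aces

def first_match(aces, src, dst):
    """IOS evaluates ACEs top-down; falling off the end is an implicit deny."""
    for action, s, d in aces:
        if src in s and dst in d:
            return action
    return "deny"

def crypto_acl_mirror_ok(local, remote):
    """Quick mode proxy IDs must agree: every permit needs its exact reverse on the peer."""
    fwd = {(s, d) for a, s, d in local if a == "permit"}
    rev = {(d, s) for a, s, d in remote if a == "permit"}
    return fwd == rev

def nat_leaks(nat_acl, crypto_acl):
    """Crypto-ACL pairs the NAT ACL would still translate (tested on each pair's first address,
    fine for equal-sized prefixes). Inside NAT runs before the crypto map, so a leak here means
    the packet reaches the crypto map carrying the WAN address and is not encrypted."""
    return [(str(s), str(d)) for a, s, d in crypto_acl if a == "permit"
            and first_match(nat_acl, s.network_address, d.network_address) == "permit"]

def classify_flow(cfg, nat_acl, crypto_acl, src, dst):
    """What Gi8 does with one inside->outside packet once the default route delivers it there."""
    src, dst = ip_address(src), ip_address(dst)
    if first_match(parse_acl(cfg, nat_acl), src, dst) == "permit":
        return "pat"        # translated to the WAN address; the crypto ACL no longer matches
    if first_match(parse_acl(cfg, crypto_acl), src, dst) == "permit":
        return "ipsec"      # encrypted to the peer with both private addresses intact
    return "plaintext"      # neither translated nor encrypted: private source leaves Gi8 in the clear

def weak_crypto(cfg):
    """Deprecated IKE/IPsec algorithms still configured (current Cisco guidance: AES, SHA-2, DH 14+)."""
    return [w for w in WEAK if re.search(r"\b" + re.escape(w) + r"\b", cfg)]

if __name__ == "__main__":
    r1, r2 = parse_acl(R1_CFG, "VPN-TRAFFIC"), parse_acl(R2_CFG, "VPN-TRAFFIC")
    print("crypto ACLs mirror:", crypto_acl_mirror_ok(r1, r2), "R2 NAT leaks:", nat_leaks(parse_acl(R2_CFG, "101"), r2))
    print("R2 phone -> PBX:", classify_flow(R2_CFG, "101", "VPN-TRAFFIC", "192.168.12.50", "192.168.0.200"))
    # Failure mode: drop the NAT exemption for the VoIP subnet and RTP gets PAT'ed instead of encrypted.
    broken = R2_CFG.replace("access-list 101 deny   ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.0.255\n", "")
    print("broken R2 phone -> PBX:", classify_flow(broken, "101", "VPN-TRAFFIC", "192.168.12.50", "192.168.0.200"))
    print("deprecated algorithms on R1:", weak_crypto(R1_CFG))
```

For the posted configs the crypto ACLs mirror each other, both NAT ACLs exempt every tunnel pair, and a phone-to-PBX packet is classified "ipsec" in both directions, so the RTP path is not blocked by these lines. The `broken` variant shows the usual cause of registered-but-silent phones in this design: without the NAT exemption the media stream is PAT'ed to the WAN address and never matches the crypto ACL. The lint also flags 3DES, MD5 and DH group 2, which are deprecated; replacing them with AES, SHA-2 and group 14 or higher on both peers is a separate change that does not affect the routing question.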
It seems a little tricky to get a standard routing table out of these routers, but this is the result of the "show ip route" and "show crypto session" commands:

R1:

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 208.xxx.xxx.yyy to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 208.124.242.25
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/8 is directly connected, Vlan200
L        10.0.0.1/32 is directly connected, Vlan200
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, Vlan2
L        192.168.0.1/32 is directly connected, Vlan2
      192.168.11.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.11.0/24 is directly connected, Vlan1
L        192.168.11.1/32 is directly connected, Vlan1
      208.xxx.xxx.0/24 is variably subnetted, 2 subnets, 2 masks
C        208.xxx.xxx.xxx/30 is directly connected, GigabitEthernet8
L        208.xxx.xxx.yyy/32 is directly connected, GigabitEthernet8



Crypto session current status

Interface: GigabitEthernet8
Session status: UP-ACTIVE
Peer: 173.xxx.xxx.xxx port 500
  Session ID: 0
  IKEv1 SA: local 208.xxx.xxx.xxx/500 remote 173.xxx.xxx.xxx/500 Active
  IPSEC FLOW: permit ip 192.168.11.0/255.255.255.0 192.168.12.0/255.255.255.0
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip 192.168.0.0/255.255.255.0 192.168.12.0/255.255.255.0
        Active SAs: 2, origin: crypto map




R2:

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 173.xxx.xxx.xxx to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 173.209.143.213
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/8 is directly connected, Vlan200
L        10.0.0.1/32 is directly connected, Vlan200
      173.xxx.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        173.xxx.xxx.xxx/30 is directly connected, GigabitEthernet8
L        173.xxx.xxx.yyy/32 is directly connected, GigabitEthernet8
      192.168.12.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.12.0/24 is directly connected, Vlan1
L        192.168.12.1/32 is directly connected, Vlan1



Crypto session current status

Interface: GigabitEthernet8
Session status: UP-ACTIVE
Peer: 208.xxx.xxx.xxx port 500
  Session ID: 0
  IKEv1 SA: local 173.xxx.xxx.xxx/500 remote 208.xxx.xxx.xxx/500 Active
  IPSEC FLOW: permit ip 192.168.12.0/255.255.255.0 192.168.11.0/255.255.255.0
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip 192.168.12.0/255.255.255.0 192.168.0.0/255.255.255.0
        Active SAs: 2, origin: crypto map


Fred Marshall (Principal) commented:
It appeared to me that the routes are there to do the job.  So then I re-read the description you'd provided.

In my simple-minded not-so-Cisco view, it looks for all intents and purposes like two tunnels - but that could well be an exercise in semantics.

The only thing I wonder about is this:
The phones at R1 are all in the 192.168.0.0/24 subnet, right?
But, the phones at R2 are all in the 192.168.12.0/24 subnet, right?

I wonder what would happen if you put the R2 phones on 192.168.3.0/24 or something like that?
Then both sites would be of the same structure.
I imagine that the ip addressing scheme preceded the new routers.
I wonder if the new routers will work well or at all with the legacy scheme?

Do calls to the outside world all go through the R1 internet connection?
Knowing this might help understand everything a little better.
Frosty555 (Author) commented:
Actually, there are no IP phones in the R1 network. They're all digital handsets (like a normal, non-VoIP phone system). The PBX has an analog card that connects to Bell lines.  The only part of the system that is actually VoIP is the communication between the R2 phones and the PBX on the R1 network.

The R2 network was indeed on a different subnet prior to putting the new routers in place, although I've been assured by the telephone guys that this should not make any difference (the PBX doesn't have any firewall or rules that make it only talk to one particular subnet)

I was considering putting all the phones on a separate subnet for the R2 network, but it seems like that's a separate task.

I have a list now of the necessary UDP ports required for the RTP traffic. Is there some tool I can use to test if data flows on arbitrary TCP and UDP ports? Like a listener and a broadcaster that can be configured to use whatever ports I like? I think I need to start digging and see what's actually happening on the network.
Frosty555 (Author) commented:
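As an added example (not from the original thread, and not a tool from the PBX or VoIP vendor), here is the kind of listener-and-sender pair asked for above, written for UDP because RTP is UDP. Run `listen` on a host in the PBX subnet (192.168.0.0/24) with the RTP port range, then run `probe` against it from a host on the phone subnet. Each probe carries a random nonce and a port only counts as passing if that same nonce comes back from the target address and port, so a stray datagram or a reply that was NAT'ed on the way does not produce a false pass. The port range, timeouts and the loopback self-test are assumptions for illustration.

```python
# Added example, not from the original thread: a UDP reachability probe for
# checking that arbitrary ports (e.g. the RTP range) pass through the VPN in
# both directions. Port list and timeouts are assumed values.
import argparse, secrets, select, socket, threading

def parse_ports(spec):
    """'10000-10003,5004' -> [10000, 10001, 10002, 10003, 5004]"""
    ports = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.extend(range(int(lo), int(hi or lo) + 1))
    return ports

def reflector(bind_ip, ports, stop, ready=None):
    """Bind every port and echo each datagram back to its sender until `stop` is set."""
    socks = []
    for p in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind((bind_ip, p))
        socks.append(s)
    if ready is not None:
        ready.set()                      # tell the caller the ports are bound
    while not stop.is_set():
        for s in select.select(socks, [], [], 0.2)[0]:
            data, peer = s.recvfrom(2048)
            s.sendto(data, peer)
    for s in socks:
        s.close()

def probe(target_ip, ports, timeout=2.0):
    """Return {port: bool}; True only if our own nonce is echoed from (target_ip, port)."""
    results = {}
    for p in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            nonce = secrets.token_bytes(16)
            s.sendto(nonce, (target_ip, p))
            try:
                data, peer = s.recvfrom(2048)
                results[p] = data == nonce and peer == (target_ip, p)
            except OSError:              # timeout, or ICMP unreachable surfaced as ECONNREFUSED
                results[p] = False
    return results

def _free_udp_ports(n):
    """Pick n distinct free loopback ports (held open together so they cannot collide)."""
    socks = [socket.socket(socket.AF_INET, socket.SOCK_DGRAM) for _ in range(n)]
    for s in socks:
        s.bind(("127.0.0.1", 0))
    ports = [s.getsockname()[1] for s in socks]
    for s in socks:
        s.close()
    return ports

def loopback_selftest():
    """Reflector and prober on 127.0.0.1: two bound ports must pass, one unbound port must fail."""
    *open_ports, closed = _free_udp_ports(3)
    stop, ready = threading.Event(), threading.Event()
    t = threading.Thread(target=reflector, args=("127.0.0.1", open_ports, stop, ready), daemon=True)
    t.start()
    ready.wait(2)
    try:
        return probe("127.0.0.1", open_ports + [closed], timeout=0.5), open_ports, closed
    finally:
        stop.set()
        t.join()

if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="UDP reachability probe for VPN/RTP troubleshooting")
    ap.add_argument("mode", choices=["listen", "probe", "selftest"])
    ap.add_argument("--host", default="0.0.0.0", help="bind address (listen) or target (probe)")
    ap.add_argument("--ports", default="10000-10003", help="e.g. 10000-10003,5004")
    a = ap.parse_args()
    if a.mode == "listen":
        reflector(a.host, parse_ports(a.ports), threading.Event())   # runs until Ctrl-C
    elif a.mode == "probe":
        for port, ok in probe(a.host, parse_ports(a.ports)).items():
            print(f"udp/{port}: {'PASS' if ok else 'FAIL'}")
    else:
        print(loopback_selftest())
```

A PASS proves that a datagram reached the far host on that port and that the reply found its way back through the tunnel with the private addresses intact, which is the whole path an RTP stream needs at the network layer. If every RTP port passes and calls are still silent, the fault is above the network (for example the PBX or phones advertising an address in SDP that the other side cannot reach), not in the routers. The same listener and prober also work for any other UDP service you want to verify across the VPN.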
It turns out I just needed to reboot the phone system, everything else was fine.
Frosty555 (Author) commented:
whoops...