
IPsec Tunnel with Virtual-Access Interface

pgyogeshkumar
Level 1

Hi,

I configured an IPsec tunnel between two endpoints with a Virtual-Template interface at one end.

Tunnel is established successfully between both routers with Tunnel1 at one end and Virtual-Access1 at other end.

I am unable to add a static route with the exit interface as Virtual-Access1, due to which my tunnel is not working and the BGP neighborship is not forming over this tunnel.

I actually need to add this static route with the exit interface as Virtual-Access1. Can you please suggest how to add it, as I don't see a relevant command to configure it.

Thanks

7 Replies

With Virtual-Access interfaces you have to use a dynamic IGP because you never know in advance which destination is reachable through virtual-access 1,2,3,4 ....

Do you need BGP for a particular reason? Then enable the IGP of your choice on the tunnel-interfaces/templates and on a router loopback. Your BGP-session is then bound to the loopback-interfaces.

Agreed, with Virtual-Access interfaces we will not be sure to which destination the tunnel will be formed.

However, in another exactly similar setup, a static route is automatically added to the routing table with the exit interface as the corresponding Virtual-Access interface.

I am really not sure how this static route appears in the routing table as soon as the tunnel is formed, without being configured manually.

Please confirm in what ways I can inject the static route with the Virtual-Access interface as soon as the tunnel is formed?

There are multiple ways the routing table can be populated, depending on the technology used. What are you running? Plain dVTI or FlexVPN? With FlexVPN you can use authorization lists to send routes to the peer.

And if these routes show up in one setup but not in the other, they are probably more "similar" than "exact same" ... ;-)

I am using FlexVPN.

Can you please share a sample config of authorization lists to configure, so that static routes are entered automatically when the tunnel is formed. Thanks.

Yeah, the setup is not exactly the same :) hence the issue :)

I tried using authorization lists under the IKEv2 configuration as below:

crypto ikev2 profile FlexVpnToCPE
match fvrf any
match identity remote address 0.0.0.0
authentication local pre-share
authentication remote pre-share
keyring local FlexVpnKeyring
aaa authorization group psk list default   <-------------- newly added command
virtual-template 1

After which the tunnel establishment failed with the error message:

*May 30 13:20:23.337: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Auth exchange failed

Can you please suggest how to establish tunnels now with this additional configuration?

Thanks Karsten for your help and clues on using authorization lists.

The issue is now solved. Thanks again.

Hi Karsten,

I am playing with FlexVPN, automatically assigning the address from the hub to the spoke with the authorization method you were referencing. The tunnels come up, the IP is assigned, and with a basic EIGRP config the adjacency comes up too. However, the hub does not install any static route for the assigned IP... Any ideas why? Here is my config on the hub:

ip local pool POOL 10.0.1.10 10.0.1.100
!
aaa authorization network test local
!
crypto ikev2 authorization policy IKEV2POLICY
 pool POOL
 netmask 255.255.255.0
!
crypto ikev2 profile test
 match fvrf WAN
 match identity remote any
 identity local address 1.1.1.1
 authentication local pre-share
 authentication remote pre-share
 keyring local test
 dpd 10 2 on-demand
 aaa authorization group psk list test IKEV2POLICY
 virtual-template 1
!
crypto ipsec profile test
 set ikev2-profile test
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1
 tunnel vrf WAN
 tunnel protection ipsec profile test

Thanks!
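As an added example, not part of this thread: the FlexVPN route-exchange pattern Karsten refers to, in which each side's IKEv2 authorization policy advertises routes during IKEv2 config exchange and the receiver installs them as static routes via its Virtual-Access (hub) or Tunnel (spoke) interface. The hub block extends the IKEV2POLICY shown above; the access-list name HUB_ROUTES, the 10.10.0.0/16 prefix, and all spoke-side names (SPOKE_LIST, SPOKE_POLICY, SPOKE_PROFILE, SPOKE_KEYRING, SPOKE_IPSEC, GigabitEthernet0/0) are assumptions.

```ios
! Added example, not from this thread. Names and prefixes are assumed.
!
! ---- Hub: extends the IKEV2POLICY posted above ----
! Prefixes behind the hub that spokes should learn (assumed prefix).
ip access-list standard HUB_ROUTES
 permit 10.10.0.0 0.0.255.255
!
crypto ikev2 authorization policy IKEV2POLICY
 pool POOL
 netmask 255.255.255.0
 ! advertise the hub's tunnel source address (Loopback1) to the spoke
 route set interface
 ! advertise the HUB_ROUTES prefixes to the spoke
 route set access-list HUB_ROUTES
 ! install what the spoke advertises as static routes via Virtual-Access
 route accept any
!
! ---- Spoke (assumed names; keyring SPOKE_KEYRING defined elsewhere) ----
aaa authorization network SPOKE_LIST local
!
crypto ikev2 authorization policy SPOKE_POLICY
 ! advertise the negotiated Tunnel1 address, so the hub gets a host route
 route set interface
 ! install the hub's advertised prefixes as static routes via Tunnel1
 route accept any
!
crypto ikev2 profile SPOKE_PROFILE
 match identity remote address 1.1.1.1 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local SPOKE_KEYRING
 aaa authorization group psk list SPOKE_LIST SPOKE_POLICY
!
crypto ipsec profile SPOKE_IPSEC
 set ikev2-profile SPOKE_PROFILE
!
interface Tunnel1
 ! address is assigned from the hub's POOL during IKEv2 config exchange
 ip address negotiated
 tunnel source GigabitEthernet0/0
 tunnel destination 1.1.1.1
 tunnel protection ipsec profile SPOKE_IPSEC
```

Once the tunnel is up, the exchanged prefixes are listed under the local/remote subnets in `show crypto ikev2 sa detailed` on both sides, and they appear as static routes in `show ip route`.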
