05-30-2016 12:53 AM - edited 03-05-2019 04:07 AM
Hi,
I configured Ipsec tunnel between two endpoints with Virtual-Template interface at one end.
Tunnel is established successfully between both routers with Tunnel1 at one end and Virtual-Access1 at other end.
I am unable to add static route with exit interface as Virtual-Access1, due to which my tunnel is not working and BGP neighborship is not forming over this tunnel.
I actually need to add this static route with the exit interface as Virtual-Access1. Can you please suggest how to add it, as I don't see a relevant command to configure it.
Thanks
05-30-2016 01:06 AM
With Virtual-Access interfaces you have to use a dynamic IGP because you never know in advance which destination is reachable through virtual-access 1,2,3,4 ....
Do you need BGP for a particular reason? Then enable the IGP of your choice on the tunnel-interfaces/templates and on a router loopback. Your BGP-session is then bound to the loopback-interfaces.
05-30-2016 04:51 AM
Agreed, with Virtual-Access interfaces we will not be sure to which destination the tunnel will be formed.
However, in another exactly similar setup, a static route is automatically added to the routing table with the exit interface as the corresponding Virtual-Access interface.
I am really not sure how this static route appears in the routing table as soon as the tunnel is formed without being configured manually.
Please confirm in what ways I can inject the static route with the Virtual-Access interface as soon as the tunnel is formed?
05-30-2016 05:08 AM
There are multiple ways how the routing table can be populated depending on the technology used. What are you running? Plain dVTI or FlexVPN? With FlexVPN you can use authorization lists to send routes to the peer.
And if these routes show up in one setup but not in the other, they are probably more "similar" than "exact same" ... ;-)
05-30-2016 05:47 AM
I am using FlexVPN.
Can you please share some sample config of authorization lists to configure, so that static routes are entered automatically when the tunnel is formed. Thanks.
Yeah, the setup is not exactly the same. :) Hence the issue :)
05-30-2016 06:35 AM
I tried using authorization lists under the IKEv2 configuration as below.
crypto ikev2 profile FlexVpnToCPE
match fvrf any
match identity remote address 0.0.0.0
authentication local pre-share
authentication remote pre-share
keyring local FlexVpnKeyring
aaa authorization group psk list default--------------> newly added command
virtual-template 1
After this, tunnel establishment failed with the error message:
*May 30 13:20:23.337: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Auth exchange failed
Can you please suggest how to establish tunnels now with this additional configuration?
05-30-2016 08:49 AM
Thanks Karsten for your help and clues on using authorization lists.
The issue is now solved. Thanks again.
09-30-2018 03:04 PM
Hi Karsten,
I am playing with the FlexVPN with automatically assigning the address from the hub to the spoke with the authorization method you were referencing. The tunnels come up, IP is assigned and with basic EIGRP config the adj comes up too. However the hub does not install any static route for the assigned IP... Any ideas why? Here is my config on the hub
ip local pool POOL 10.0.1.10 10.0.1.100
!
aaa authorization network test local
!
crypto ikev2 authorization policy IKEV2POLICY
 pool POOL
 netmask 255.255.255.0
!
crypto ikev2 profile test
 match fvrf WAN
 match identity remote any
 identity local address 1.1.1.1
 authentication local pre-share
 authentication remote pre-share
 keyring local test
 dpd 10 2 on-demand
 aaa authorization group psk list test IKEV2POLICY
 virtual-template 1
!
crypto ipsec profile test
 set ikev2-profile test
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1
 tunnel vrf WAN
 tunnel protection ipsec profile test
Thanks!
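As an added example (not configuration posted by anyone in this thread), here is the piece the thread keeps circling around: a FlexVPN IKEv2 authorization policy that exchanges routes over the IKEv2 config payload, so that each side installs the peer's prefixes as static routes via its Virtual-Access (hub) or Tunnel (spoke) interface once the SA is up. The AAA list, policy, keyring, pool and ACL names and the prefixes are placeholders; the hub-side AAA list named in `aaa authorization group psk list` must exist as an `aaa authorization network` list, or the authorization step fails.

```cisco
! ---------------- Hub ----------------
! Local AAA list referenced by the IKEv2 profile (placeholder name)
aaa new-model
aaa authorization network FLEX_AUTHZ local
!
! Address pool handed to spokes (constructed range)
ip local pool SPOKE_POOL 10.0.1.10 10.0.1.100
!
! Prefixes behind the hub that every spoke should learn (constructed)
ip access-list standard HUB_ROUTES
 permit 10.10.0.0 0.0.255.255
!
crypto ikev2 authorization policy FLEX_POLICY
 pool SPOKE_POOL
 netmask 255.255.255.0
 route set interface            ! advertise this side's tunnel address
 route set access-list HUB_ROUTES
 route accept any               ! install prefixes the spoke advertises
!
crypto ikev2 profile FLEX_PROFILE
 match identity remote any
 authentication local pre-share
 authentication remote pre-share
 keyring local FLEX_KEYRING
 aaa authorization group psk list FLEX_AUTHZ FLEX_POLICY
 virtual-template 1
!
! ---------------- Spoke ----------------
aaa new-model
aaa authorization network FLEX_AUTHZ local
!
crypto ikev2 authorization policy FLEX_POLICY
 route set interface            ! tell the hub the negotiated tunnel address
 route accept any               ! install HUB_ROUTES as static routes via Tunnel1
!
crypto ikev2 profile FLEX_PROFILE
 match identity remote address 198.51.100.1 255.255.255.255   ! hub (constructed)
 authentication local pre-share
 authentication remote pre-share
 keyring local FLEX_KEYRING
 aaa authorization group psk list FLEX_AUTHZ FLEX_POLICY
!
interface Tunnel1
 ip address negotiated          ! takes its address from SPOKE_POOL
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile FLEX_IPSEC
```

After the tunnel comes up, `show ip route static` on each side should list the peer's tunnel address and any exchanged prefixes as static routes pointing at the Virtual-Access or Tunnel interface, and `show crypto ikev2 sa detailed` shows the routes carried in the exchange.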