NAT WITH FLEXVPN

Hi,

Can someone please tell me how to NAT with FlexVPN?

I have a hub-to-spoke and spoke-to-spoke configuration with virtual-templates.

When I configure NAT and do a traceroute to a Google IP address, the first hop is the HUB router.

But this should go directly to the internet.

Thanks in advance,

Topcu, M


Marcin Latosiewicz
Cisco Employee

Maybe then the problem is not with NAT but with routing?

If you have NAT inside/enable on the LAN interface and NAT outside/enable on the WAN interface, and routing for Google is pointing out the WAN interface (and you have a matching NAT/PAT rule), you should go out directly and go through NAT.

Hi,

Let me show you my config. At this moment all works fine because tunnel 0 is shut down.

When I enable tunnel 0, all www traffic is pointing to the hub.

version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SPOKE
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa authorization network Spoke local
!
aaa session-id common
clock timezone PCTime 1 0
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
ip dhcp pool DHCP-POOL
 network 10.68.1.0 255.255.255.0
 default-router 10.68.1.1
 dns-server 8.8.8.8
 lease 8
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
username xxxxxx privilege 15 password 0 xxxxx
!
redundancy
!
crypto ikev2 authorization policy SPOKE.policy
 route set interface
 route set access-list 6
!
crypto ikev2 proposal SPOKE.pro
 encryption aes-cbc-256
 integrity sha256
 group 15
!
crypto ikev2 policy SPOKE.PROpolicy
 proposal SPOKE.pro
!
crypto ikev2 keyring SPOKE.keyring
 peer HUB
  address 0.0.0.0 0.0.0.0
  pre-shared-key local xxxxx
  pre-shared-key remote xxxxx
!
crypto ikev2 profile SPOKE.prof
 match identity remote address 0.0.0.0
 identity local address 217.112.xxx.xxx
 authentication remote pre-share
 authentication local pre-share
 keyring local SPOKE.keyring
 aaa authorization group psk list Spoke SPOKE.policy
 virtual-template 1
!
crypto ikev2 dpd 30 5 on-demand
crypto ikev2 client flexvpn Flex_client
  peer 1 217.112.xxx.xxx
  client connect Tunnel0
!
crypto ipsec transform-set WilNet-ESP esp-gcm
 mode transport
!
crypto ipsec profile SPOKE.ipsprof
 set transform-set WilNet-ESP
 set ikev2-profile SPOKE.prof
!
interface Loopback1
 ip address 10.68.255.11 255.255.255.255
!
interface Tunnel0
 ip address 10.68.254.11 255.255.255.0
 ip mtu 1400
 ip nhrp network-id 2
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 ip tcp adjust-mss 1360
 shutdown
 tunnel source GigabitEthernet0/0
 tunnel destination dynamic
 tunnel path-mtu-discovery
 tunnel protection ipsec profile SPOKE.ipsprof
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 217.112.xxx.xxx 255.255.255.224
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 10.68.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered Tunnel0
 ip mtu 1400
 ip nhrp network-id 2
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 ip tcp adjust-mss 1360
 tunnel path-mtu-discovery
 tunnel protection ipsec profile SPOKE.ipsprof
!
router eigrp 11
 network 10.0.0.0
 passive-interface default
 no passive-interface Tunnel0
 eigrp stub connected
!
ip default-gateway 217.112.xxx.xxx
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip dns server
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
!
access-list 1 remark Nat traffic to Internet
access-list 1 permit 10.68.1.0 0.0.0.255
access-list 6 permit 10.0.0.0 0.255.255.255
access-list 6 permit any
!
control-plane
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Hope you can tell me what I'm doing wrong.

Thanks in advance,

Well, at a glance, it looks OK.

So what are the prefixes received from the hub?

M.

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, GigabitEthernet0/0
      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C        10.68.1.0/24 is directly connected, GigabitEthernet0/1
L        10.68.1.1/32 is directly connected, GigabitEthernet0/1
C        10.68.254.0/24 is directly connected, Tunnel0
L        10.68.254.11/32 is directly connected, Tunnel0
C        10.68.255.11/32 is directly connected, Loopback1
      217.112.xxx.0/24 is variably subnetted, 2 subnets, 2 masks
C        217.112.xxx.xxx/27 is directly connected, GigabitEthernet0/0
L        217.112.xxx.xxx/32 is directly connected, GigabitEthernet0/0

So the hub does not insert any EIGRP routes?

Quick question:

access-list 6 permit 10.0.0.0 0.255.255.255
access-list 6 permit any

What's the point of this?

Is 10.0.0.0/24 a local subnet? It doesn't look to be.

Why do you need that "any"?

I have enabled the tunnels; I'm getting the EIGRP routes.

As far as I know, if you don't set permit any it will block all other traffic by itself.

But I don't understand why I don't have a gateway of last resort and why 0.0.0.0 is connected with Virtual-Access1.

I think this is causing the problem, but I'm not sure.

S*    0.0.0.0/0 is directly connected, Virtual-Access1
                is directly connected, Tunnel0
                is directly connected, GigabitEthernet0/0
      10.0.0.0/8 is variably subnetted, 9 subnets, 3 masks
S        10.0.0.0/8 is directly connected, Virtual-Access1
C        10.68.1.0/24 is directly connected, GigabitEthernet0/1
L        10.68.1.1/32 is directly connected, GigabitEthernet0/1
H        10.68.2.0/24 [250/1] via 10.68.254.12, 00:00:15, Virtual-Access1
C        10.68.254.0/24 is directly connected, Tunnel0
L        10.68.254.11/32 is directly connected, Tunnel0
S   %    10.68.254.12/32 is directly connected, Virtual-Access1
C        10.68.255.11/32 is directly connected, Loopback1
      217.112.xxx.xxx/24 is variably subnetted, 2 subnets, 2 masks
C        217.112.xxx.xxx/27 is directly connected, GigabitEthernet0/0
L        217.112.xxx.xxx/32 is directly connected, GigabitEthernet0/0

Have a look at the difference between route set and route accept.

You're forcing default routes... bad idea unless controlled :-)

Start by removing the "any" statement from access-lists using route set.
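As an added check for the mistake the accepted answer points at (this is not code from the thread, from the original poster, or from Cisco): a small Python script that parses the IOS fragments involved in FlexVPN route injection, resolves the ACL named by `route set access-list`, and flags any catch-all `permit any` (or `permit 0.0.0.0 255.255.255.255`) entry. Such an entry is what advertises 0.0.0.0/0 to the IKEv2 peer and produces the `S* 0.0.0.0/0 ... Virtual-Access1` entry shown above. The two sample configs are constructed from the spoke config posted in the thread (one with the `permit any` line, one with it removed); the function names are my own, and the script only understands the standard-ACL and authorization-policy syntax shown here.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the fragments of the posted spoke config that matter
# for route injection. ACL 6 still carries the "permit any" line.
BROKEN_CONFIG = """\
crypto ikev2 authorization policy SPOKE.policy
 route set interface
 route set access-list 6
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
!
access-list 1 remark Nat traffic to Internet
access-list 1 permit 10.68.1.0 0.0.0.255
access-list 6 permit 10.0.0.0 0.255.255.255
access-list 6 permit any
"""

# Constructed: the same fragment with the "any" entry removed, which is the
# fix the accepted answer recommends.
FIXED_CONFIG = BROKEN_CONFIG.replace("access-list 6 permit any\n", "")


def parse_acls(config: str) -> Dict[str, List[str]]:
    """Collect standard ACL entries keyed by ACL id; 'remark' lines are skipped."""
    acls: Dict[str, List[str]] = {}
    for line in config.splitlines():
        m = re.match(r"^access-list (\S+) (permit|deny) (.*)$", line.strip())
        if m:
            acls.setdefault(m.group(1), []).append(f"{m.group(2)} {m.group(3)}")
    return acls


def parse_route_set_acls(config: str) -> List[Tuple[str, str]]:
    """Return (policy name, ACL id) for every 'route set access-list' line
    found inside a 'crypto ikev2 authorization policy' block."""
    found: List[Tuple[str, str]] = []
    policy = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^crypto ikev2 authorization policy (\S+)", line)
        if m:
            policy = m.group(1)
            continue
        if line == "!":          # '!' ends the block in running-config output
            policy = None
            continue
        m = re.match(r"^route set access-list (\S+)", line)
        if m and policy:
            found.append((policy, m.group(1)))
    return found


def is_catch_all(entry: str) -> bool:
    """True for 'permit any' and its explicit form 'permit 0.0.0.0 255.255.255.255'."""
    parts = entry.split()
    if parts[0] != "permit":
        return False
    return parts[1:] == ["any"] or parts[1:3] == ["0.0.0.0", "255.255.255.255"]


def find_default_route_push(config: str) -> List[str]:
    """List every authorization policy whose 'route set' ACL contains a
    catch-all entry, i.e. would push a default route to the IKEv2 peer."""
    acls = parse_acls(config)
    findings: List[str] = []
    for policy, acl_id in parse_route_set_acls(config):
        for entry in acls.get(acl_id, []):
            if is_catch_all(entry):
                findings.append(
                    f"{policy}: access-list {acl_id} '{entry}' pushes a default route to the peer"
                )
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        hits = find_default_route_push(cfg)
        print(f"{label}: {hits if hits else 'no catch-all route set entries'}")
```

Run it against a saved `show running-config` and it reports one finding for the posted config and none once the `any` line is gone. It deliberately does not touch `route accept` on the receiving side: as the answer says, that is the other half of the control, and a hub that accepts whatever the spoke advertises will still install the default route if some other spoke keeps pushing it.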

Hi,

Thanks for your help,

Indeed, permit any was causing the problem.

Removed them, restarted all other routers and all works fine.

Thanks for your help.
