981 Views | 1 Helpful | 10 Replies

Configuring FlexVPN (IOSXE) in Multiple spokes environment

dmit-tim1972
Level 1

Hello,

I have configured my test network environment in a Dual Hub FlexVPN design on IOS-XE 17.3.3 (C1111-4P), but with one spoke; something like this (on Hub1, for example):

===============section keyring===============

My spokes have dynamic addresses

crypto ikev2 keyring CRKEYS
 peer Spoke1
  address 0.0.0.0
  pre-shared-key xxxxx1

After that I need to add another spoke; it also has a dynamic address, but a different key, and I want to differentiate these spokes in the future by name or something similar other than the key. How can I configure that? Please advise.

Without the "address" command I get an error: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Auth exchange failed


10 Replies

@dmit-tim1972 with dynamic IP addresses in this scenario you'd either need to use the same PSK or, ideally, use certificates. You can configure the IOS-XE router to be a CA to distribute certificates to the spokes.

Hi Rob,

Thank you for your answer. I entirely agree with you about the certificates, but this solution is a bit complicated in my case.

I think I can add other keys in the one section "peer Spoke1" (let's say SPOKES), can't I? But in that case I get all keys in one section, and that is a bit confusing. What do you think?

(Accepted Solution)

@dmit-tim1972 I've just checked my notes and the docs. On the hub router, match on the IKE identity sent by the spoke instead of using the IP address.

crypto ikev2 keyring KEYRING
 peer ONE
  identity fqdn SPOKE1.LAB.LOCAL
  pre-shared-key Cisco1234

You would create additional peers in the keyring for each of the spokes, or match on a group of spokes if you use "identity fqdn domain <domainname>".
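A fuller version of the keyring approach above, as an added example rather than configuration posted in the thread: two spokes, each with its own PSK selected by the FQDN identity the spoke sends, plus the IKEv2 profile on the hub and the spoke-side configuration that actually sets that identity. The hub address 203.0.113.1, the second spoke name SPOKE2.LAB.LOCAL, the profile names and the keys are assumed placeholders, and Virtual-Template1 is assumed to exist already.

```cisco
! ===== Hub1 (responder) =====
! The PSK lookup is done against the keyring using the IKE identity the spoke
! sends, so each spoke gets its own peer entry; no "address" line is needed
! for spokes with dynamic addresses.
crypto ikev2 keyring KEYRING
 peer SPOKE1
  identity fqdn SPOKE1.LAB.LOCAL
  pre-shared-key Cisco1234
 peer SPOKE2
  identity fqdn SPOKE2.LAB.LOCAL
  pre-shared-key Cisco5678
!
! One profile covers every spoke in the domain; the keyring above still
! selects a per-spoke key.
crypto ikev2 profile HUB-PROFILE
 match identity remote fqdn domain LAB.LOCAL
 identity local fqdn HUB1.LAB.LOCAL
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING
 virtual-template 1
!
! ===== Spoke2 (initiator), placeholder names =====
! The spoke still finds the hub's key by the hub's static address, but it must
! send the FQDN identity the hub keyring expects. Without "identity local fqdn"
! IOS-XE sends its IP address as the IKE identity, the hub finds no matching
! keyring peer, and IKE_AUTH fails.
crypto ikev2 keyring KEYRING
 peer HUB1
  address 203.0.113.1
  pre-shared-key Cisco5678
!
crypto ikev2 profile SPOKE-PROFILE
 match identity remote fqdn HUB1.LAB.LOCAL
 identity local fqdn SPOKE2.LAB.LOCAL
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING
```

After the tunnel comes up, "show crypto ikev2 sa detailed" on the hub shows the Local id and Remote id that were exchanged; if the remote id is an IP address rather than the FQDN, the spoke is missing its "identity local fqdn" line.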

Thanks Rob. I deleted the "address" command from this section and I got an error on my spoke:

IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
NOTIFY(AUTHENTICATION_FAILED)

.Apr 3 08:45:35.147: IKEv2:(SESSION ID = 4,SA ID = 2):Process auth response notify
.Apr 3 08:45:35.147: IKEv2:(SESSION ID = 4,SA ID = 2):
.Apr 3 08:45:35.147: IKEv2:(SESSION ID = 4,SA ID = 2):Auth exchange failed
.Apr 3 08:45:35.147: IKEv2:(SESSION ID = 4,SA ID = 2):: Auth exchange failed
.Apr 3 08:45:35.147: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Auth exchange failed

.Apr 3 08:45:35.147: IKEv2:(SESSION ID = 4,SA ID = 2):Abort exchange
.Apr 3 08:45:35.151: IKEv2:(SESSION ID = 4,SA ID = 2):Deleting SA

I can't find where this authentication was configured (I think it is on the hub).

 

@dmit-tim1972

The pre-shared key lookup is performed on the keyring, not the ikev2 profile; the local IKE identity is specified on the ikev2 profile. On the hub (responder) the PSK lookup is based on the IKE identity: fqdn, email, key-id or address (not relevant in your scenario), as per the example using fqdn above. The spoke (initiator) still uses the peer address of the hub, which should be static anyway.

What is your keyring and ikev2 profile configuration on both the hub and the spoke?

 

Yes Rob, you are correct; it works fine. It was my mistake.

thanks.

dmit-tim1972
Level 1

I think I can use one key for all spokes but an identity for each one, can't I?

(Accepted Solution)

Try key-id.

Under the IKEv2 profile:

match identity remote/local key-id

MHM
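The key-id variant, as an added example combining MHM's suggestion with the earlier question about one key for all spokes but a distinct identity per spoke; this is not configuration posted in the thread, and the names, the hub address 203.0.113.1 and the shared key are placeholders. The keyring keeps the wildcard-address entry from the original post so one PSK serves every spoke, and the hub tells spokes apart by the key-id each one sends, which is what lets you bind each spoke to a different virtual-template or other per-spoke settings (Virtual-Template1 and 2 are assumed to exist).

```cisco
! ===== Hub1 (responder) =====
! One PSK for every dynamic spoke: the wildcard address entry matches all of them.
crypto ikev2 keyring SPOKE-KEYS
 peer SPOKES
  address 0.0.0.0 0.0.0.0
  pre-shared-key SharedSpokeKey
!
! A key-id is a free-form string, independent of DNS names and addresses.
! Each profile matches exactly one spoke's key-id, so profile selection is
! per spoke even though the key is shared.
crypto ikev2 profile SPOKE1-PROFILE
 match identity remote key-id SPOKE1
 identity local key-id HUB1
 authentication remote pre-share
 authentication local pre-share
 keyring local SPOKE-KEYS
 virtual-template 1
!
crypto ikev2 profile SPOKE2-PROFILE
 match identity remote key-id SPOKE2
 identity local key-id HUB1
 authentication remote pre-share
 authentication local pre-share
 keyring local SPOKE-KEYS
 virtual-template 2
!
! ===== Spoke2 (initiator), placeholder names =====
crypto ikev2 keyring HUB-KEYS
 peer HUB1
  address 203.0.113.1
  pre-shared-key SharedSpokeKey
!
crypto ikev2 profile HUB-PROFILE
 match identity remote key-id HUB1
 identity local key-id SPOKE2
 authentication remote pre-share
 authentication local pre-share
 keyring local HUB-KEYS
```

One caveat before relying on this: with a single shared PSK, anyone holding that key can present any key-id, so the key-id only labels a spoke, it does not authenticate it. If you need the hub to be sure which spoke it is talking to, give each spoke its own key in the keyring (per-spoke peer entries matched on the identity, as in the fqdn example) or move to certificates as suggested earlier in the thread.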

Thanks MHM,

it's a good idea.

dmit-tim1972
Level 1

Thanks guys