2999 Views, 25 Helpful, 16 Replies

Dynamic IP FlexVPN hub and dynamic IP multi-spoke

katheer_4u
Level 1

Good day

Hi Everyone,
I'm having some trouble with FlexVPN in a hub and multi-spoke setup; both sites have dynamic IPs. The VPN is actually up, but when I try to configure the 2nd spoke, the 1st one goes down, and when I restart the 1st one its VPN comes up but the 2nd one goes down.

If anyone can help me, I'd really appreciate it.

HUB

+++++++++++++++

HO-FLXVPN#show running-config
Building configuration...

Current configuration : 3455 bytes
!
! Last configuration change at 15:26:37 UTC Thu Jan 23 2020 by ciscouser
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname HO-FLXVPN
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family

!
aaa new-model
!
!
aaa authorization network default local
!
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!
!
!
!


ip domain name mm.com

!
!
!
!
!
!
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
!
!
!
!
license udi pid ISR4331/K9 sn FDO20432DC6
license boot level securityk9
spanning-tree extend system-id
!

!
redundancy
mode none
!
crypto ikev2 authorization policy POC-AUTH-POL-01
route set interface
route set access-list POC-ROUTE-ACL-01
!
crypto ikev2 authorization policy FLEX-AUTH-POL-01
route set interface
route set access-list FLEX-ROUTE-ACL-01
!
crypto ikev2 proposal POC-PROP-01
encryption aes-cbc-128
integrity sha256
group 19
!
crypto ikev2 policy POC-POL-01
match fvrf any
proposal POC-PROP-01
!
!
crypto ikev2 profile POC-IKEV2-PROFILE-01
match identity remote address 0.0.0.0
identity local address 192.168.100.222
authentication remote pre-share key 6 cisco123
authentication local pre-share key 6 cisco123
aaa authorization group psk list default FLEX-AUTH-POL-01
virtual-template 23
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
crypto ipsec transform-set POC-IPSEC-TS-01 esp-aes esp-md5-hmac
mode transport
!
crypto ipsec profile POC-IPSEC-PROF-01
set transform-set POC-IPSEC-TS-01
set ikev2-profile POC-IKEV2-PROFILE-01
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
ip address 192.168.100.222 255.255.255.0
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Virtual-Template23 type tunnel
ip unnumbered Vlan1
ip nhrp network-id 23
ip nhrp redirect
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile POC-IPSEC-PROF-01
!
interface Vlan1
ip address 192.168.250.1 255.255.255.0
ip nat inside
!
ip nat inside source list 20 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0/1/0
ip route 0.0.0.0 0.0.0.0 192.168.100.1
ip route 192.168.42.0 255.255.255.0 192.168.250.2
ip route 192.168.101.0 255.255.255.0 192.168.250.2
ip route 192.168.203.0 255.255.255.0 192.168.250.2
ip ssh rsa keypair-name mm.com
!
!
ip access-list standard FLEX-ROUTE-ACL-01
permit 192.168.101.0 0.0.0.255
permit 192.168.203.0 0.0.0.255
permit 192.168.42.0 0.0.0.255
ip access-list standard POC-ROUTE-ACL-01
permit any
!
access-list 20 permit 192.168.250.0 0.0.0.255
access-list 21 permit 192.168.203.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 21 in
transport input all
!
!
end

Spoke

++++++++++++++++

Branch#show running-config
Building configuration...

Current configuration : 2825 bytes
!
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Branch
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!

!
aaa new-model
!
!
aaa authorization network default local
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!


!
!
!
!
ip name-server 216.146.35.35
ip name-server 216.146.36.36
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C887VAM-K9 sn FCZ1950929W
!
!

!
crypto ikev2 authorization policy FLEX-AUTH-POL-01
route set interface
route set access-list FLEX-ROUTE-ACL-01
!
crypto ikev2 proposal POC-PROP-01
encryption aes-cbc-128
integrity sha256
group 19
!
crypto ikev2 policy POC-POL-01
match fvrf any
proposal POC-PROP-01
!
!
crypto ikev2 profile POC-IKEV2-PROFILE-01
match identity remote address 0.0.0.0
identity local address 192.168.100.250
authentication remote pre-share key 6 cisco123
authentication local pre-share key 6 cisco123
aaa authorization group psk list default FLEX-AUTH-POL-01
virtual-template 23
!
crypto ikev2 client flexvpn POC-FLEX-CLIENT-01
peer 1 fqdn xxxxxxx.dyndns.org dynamic
client connect Tunnel23
!
!
!
controller VDSL 0
!
!
!
!
crypto ipsec transform-set POC-IPSEC-TS-01 esp-aes esp-md5-hmac
mode transport
!
crypto ipsec profile POC-IPSEC-PROF-01
set transform-set POC-IPSEC-TS-01
set ikev2-profile POC-IKEV2-PROFILE-01
!
!
!
!
!
!
!
!
interface Tunnel23
ip unnumbered Vlan1
ip nhrp network-id 23
ip nhrp redirect
tunnel source Vlan2
tunnel mode ipsec ipv4
tunnel destination dynamic
tunnel protection ipsec profile POC-IPSEC-PROF-01
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
switchport access vlan 2
no ip address
!
interface Vlan1
ip address 192.168.14.1 255.255.255.0
!
interface Vlan2
ip address 192.168.100.250 255.255.255.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 192.168.100.1
ip route 172.16.114.0 255.255.255.0 192.168.14.2
ip route 192.168.114.0 255.255.255.0 192.168.14.2
!
ip access-list standard FLEX-ROUTE-ACL-01
permit 192.168.114.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
transport input all
!
scheduler allocate 20000 1000
!
end

Branch#show crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 192.168.100.250/4500 89.211.152.117/4500 none/none READY
Encr: AES-CBC, keysize: 128, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/17018 sec
CE id: 2001, Session-id: 1
Status Description: Negotiation done
Local spi: 7435398A5B040F61 Remote spi: 9A900A01F9641E5B
Local id: 192.168.100.250
Remote id: 192.168.100.222
Local req msg id: 5 Remote req msg id: 6
Local next msg id: 5 Remote next msg id: 6
Local req queued: 5 Remote req queued: 6
Local window: 5 Remote window: 5
DPD configured for 0 seconds, retry 0
Fragmentation not configured.
Extended Authentication not configured.
NAT-T is detected inside
Cisco Trust Security SGT is disabled
Initiator of SA : Yes
Remote subnets:
192.168.250.1 255.255.255.255
192.168.101.0 255.255.255.0
192.168.203.0 255.255.255.0
192.168.42.0 255.255.255.0

16 Replies

If the hub and the branch2 spoke cannot communicate with each other (which is what it looks like from your IKEv2 debugs), then no tunnel will be established. You need to get them communicating with each other.

Are you pinging using the FQDN or pinging using the IP address? If you are relying on DNS resolution, I suggest checking that DNS is still working, clearing the cache and getting the 2 routers to communicate with each other... then hopefully the VPN should re-establish.

HTH

Thanks so much. I found the debug on the HUB, changed the IP, and so far it's okay now.

Hub and both branches.

HUB#
*Jan 24 13:28:43.565: %IP-4-DUPADDR: Duplicate address 192.168.100.222 on GigabitEthernet0/0/0, sourced by 005f.8612.bfc1
*Jan 24 13:29:13.566: %IP-4-DUPADDR: Duplicate address 192.168.100.222 on GigabitEthernet0/0/0, sourced by 005f.8612.bfc1
*Jan 24 13:29:43.567: %IP-4-DUPADDR: Duplicate address 192.168.100.222 on GigabitEthernet0/0/0, sourced by 005f.8612.bfc1
*Jan 24 13:30:13.567: %IP-4-DUPADDR: Duplicate address 192.168.100.222 on GigabitEthernet0/0/0, sourced by 005f.8612.bfc1
*Jan 24 13:30:43.568: %IP-4-DUPADDR: Duplicate address 192.168.100.222 on GigabitEthernet0/0/0, sourced by 005f.8612.bfc1
*Jan 24 13:31:13.569: %IP-4-DUPADDR: Duplicate address 192.168.100.222 on GigabitEthernet0/0/0, sourced by 005f.8612.bfc1
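The %IP-4-DUPADDR messages above are the root cause the thread ends on: another host on the same segment was claiming the hub's WAN address, which is also the tunnel source for the virtual template, so every IKEv2 session sourced from that address became unstable. The script below is an added example, not code from the thread or from Cisco: it pulls the interface addresses and tunnel sources out of a running-config slice, counts DUPADDR events by address, interface and offending MAC, and reports any tunnel whose source address is being claimed by another device. The config slice and syslog lines embedded in it are constructed samples that mirror the hub's configuration and the log format shown above; the `min_count` threshold is an assumption, chosen so a single transient ARP collision does not raise an alert.

```python
"""Correlate Cisco IOS %IP-4-DUPADDR syslog events with tunnel-source interfaces.

Added example (not from the thread). Parses a running-config slice for
interface addresses and 'tunnel source' references, groups DUPADDR messages
by (ip, interface, mac), and flags tunnels whose source address is contested.
"""
import re
from collections import defaultdict

# Constructed sample config: the hub's WAN interface and the virtual template
# that sources its tunnels from it (mirrors the thread's HUB config).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0
 ip address 192.168.100.222 255.255.255.0
 ip nat outside
!
interface Vlan1
 ip address 192.168.250.1 255.255.255.0
!
interface Virtual-Template23 type tunnel
 ip unnumbered Vlan1
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
!
"""

# Constructed sample syslog lines in the same format as the thread's HUB output.
SAMPLE_LOG = """\
*Jan 24 13:28:43.565: %IP-4-DUPADDR: Duplicate address 192.168.100.222 on GigabitEthernet0/0/0, sourced by 005f.8612.bfc1
*Jan 24 13:29:13.566: %IP-4-DUPADDR: Duplicate address 192.168.100.222 on GigabitEthernet0/0/0, sourced by 005f.8612.bfc1
*Jan 24 13:29:43.567: %IP-4-DUPADDR: Duplicate address 192.168.100.222 on GigabitEthernet0/0/0, sourced by 005f.8612.bfc1
*Jan 24 13:30:01.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
"""

# Matches the DUPADDR message body; the MAC is in Cisco dotted-hex form.
DUPADDR_RE = re.compile(
    r"%IP-4-DUPADDR: Duplicate address (?P<ip>\d+\.\d+\.\d+\.\d+) on "
    r"(?P<intf>\S+), sourced by (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
)


def parse_interfaces(config):
    """Return {interface: {'ip': ..., 'tunnel_source': ...}} from config text."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split()[1]          # e.g. 'Virtual-Template23'
            interfaces[current] = {"ip": None, "tunnel_source": None}
        elif current and line.startswith("ip address "):
            interfaces[current]["ip"] = line.split()[2]
        elif current and line.startswith("tunnel source "):
            interfaces[current]["tunnel_source"] = line.split()[2]
        elif line == "!":
            current = None                     # end of interface stanza
    return interfaces


def tunnel_source_addresses(interfaces):
    """Map each tunnel interface to (source interface, source IP)."""
    result = {}
    for name, attrs in interfaces.items():
        src = attrs["tunnel_source"]
        if src and src in interfaces and interfaces[src]["ip"]:
            result[name] = (src, interfaces[src]["ip"])
    return result


def dupaddr_events(log):
    """Count DUPADDR messages keyed by (ip, interface, offending MAC)."""
    counts = defaultdict(int)
    for line in log.splitlines():
        m = DUPADDR_RE.search(line)
        if m:
            counts[(m["ip"], m["intf"], m["mac"])] += 1
    return dict(counts)


def find_conflicts(config, log, min_count=2):
    """Report tunnels whose source address another host keeps claiming.

    min_count is an assumed threshold: one collision may be transient,
    a repeating one (IOS re-checks every 30 s) is a real conflict.
    """
    sources = tunnel_source_addresses(parse_interfaces(config))
    events = dupaddr_events(log)
    findings = []
    for tunnel, (src_intf, ip) in sources.items():
        for (dup_ip, dup_intf, mac), n in events.items():
            if dup_ip == ip and dup_intf == src_intf and n >= min_count:
                findings.append({"tunnel": tunnel, "source": src_intf, "ip": ip,
                                 "claimed_by": mac, "occurrences": n})
    return findings


if __name__ == "__main__":
    for f in find_conflicts(SAMPLE_CONFIG, SAMPLE_LOG):
        print(f"{f['tunnel']} sources from {f['source']} ({f['ip']}); "
              f"also claimed by {f['claimed_by']} x{f['occurrences']}")
```

Run against a real `show running-config` and `show logging` capture, a non-empty result means the IKEv2 flaps are worth blaming on the address conflict before touching the crypto configuration; the offending MAC in the finding is the device to track down on the switch.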