03-22-2022 04:42 AM
Hello,
I am configuring a CSR1000v on Azure infrastructure to enable it as a VPN hub server.
I've almost finished the configuration, but when I telnet to its public IP (on ports 500 and 4500) the server is not reachable.
I have already opened the ports on the Security Panel of the Azure Portal.
iotodvpn#sh ip socket
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 --listen-- 172.28.0.1 500 0 0 2001011 0
17(v6) --listen-- --any-- 500 0 0 2020011 0
17 --listen-- 172.28.0.1 4500 0 0 2001011 0
17(v6) --listen-- --any-- 4500 0 0 2020011 0
Can you help me?
03-22-2022 04:50 AM
@angelito_mas The FlexVPN hub would be listening on UDP; when you are connecting, are you using UDP? If you've opened the ports and you can at least ping, connect a spoke for testing and enable IKEv2 debugs (if you are having an issue).
03-22-2022 04:55 AM
@Rob Ingram I can ping but I cannot connect a spoke.
When I test the connectivity with a telnet on the port from the command prompt of my PC, it says that the host is not responding.
03-22-2022 05:09 AM
@angelito_mas Natively, Windows is going to telnet over TCP, not UDP. You'd have to use a tool to query using UDP.
Regardless, if you have a spoke, turn on debugs on the hub; if debug output is generated, that will confirm whether you've got connectivity. If it fails, then it's a configuration issue, but at least you've confirmed the ports are open.
03-22-2022 05:32 AM
Thank you! I did not know this tool.
Now I would like to enable local authentication just for testing the tunnel. How can I do that?
03-22-2022 05:36 AM
@angelito_mas You mean authentication of a Site-to-Site VPN using Pre-shared-key/certificates? or are you setting up a Remote Access VPN and want to authenticate to the hub using a local username/password?
03-22-2022 05:39 AM
@Rob Ingram At the moment I need to authenticate to the hub using a local username/password.
03-22-2022 05:40 AM
03-22-2022 06:34 AM
Can you share the config here?
03-22-2022 07:34 AM - edited 03-22-2022 07:36 AM
@Rob Ingram @MHM Cisco World This is the config, can you check if everything is OK?
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local none
!
!
!!
!
crypto ikev2 name-mangler VPN
email username
!
!
crypto ikev2 authorization policy VPN
pool TestPool
dhcp giaddr 172.28.0.1
netmask 255.255.252.0
route set interface
route set remote ipv4 172.26.255.0 255.255.255.0
route accept any distance 70
!
!
!
crypto ikev2 keyring Flex_key
peer alleantia
identity email domain ***
pre-shared-key ****
!
!
!
crypto ikev2 profile VPN_I2PF
match fvrf any
match identity remote email domain ******
identity local key-id *PUBLIC_IP*
authentication remote pre-share
authentication local pre-share
keyring local Flex_key
dpd 29 2 on-demand
aaa authorization group psk list VPN VPN
virtual-template 2
!
!
!
!
!
crypto logging ikev2
!
!
!
!
!
!
crypto isakmp key cisco123 address 0.0.0.0
!
!
!
crypto ipsec profile VPN_IPS_PF
set ikev2-profile VPN_I2PF
!
!
!
!
!
!
!
!
!
!
interface Loopback0
description FlexTunnel interface
ip address 172.28.0.1 255.255.252.0
ip mtu 1400
ip nat inside
!
interface Loopback1
ip address 172.26.255.1 255.255.255.0
ip mtu 1400
!
interface VirtualPortGroup0
vrf forwarding GS
ip address 192.168.35.101 255.255.255.0
ip nat inside
no mop enabled
no mop sysid
!
interface GigabitEthernet1
ip address dhcp
ip nat outside
negotiation auto
no mop enabled
no mop sysid
!
interface Virtual-Template2 type tunnel
ip unnumbered Loopback0
ip mtu 1358
ip nat inside
ip tcp adjust-mss 1318
tunnel source GigabitEthernet1
tunnel mode ipsec ipv4
tunnel destination dynamic
tunnel path-mtu-discovery
tunnel protection ipsec profile VPN_IPS_PF
!
iox
ip local pool TestPool 172.28.0.2 172.28.3.254
ip forward-protocol nd
ip tcp window-size 8192
ip http server
ip http secure-server
!
ip nat inside source list 101 interface GigabitEthernet1 overload
ip nat inside source list GS_NAT_ACL interface GigabitEthernet1 vrf GS overload
ip route 0.0.0.0 0.0.0.0 172.16.0.1
ip route vrf GS 0.0.0.0 0.0.0.0 GigabitEthernet1 172.16.0.1 global
ip ssh rsa keypair-name ssh-key
ip ssh version 2
ip ssh server algorithm publickey ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-rsa x509v3-ecdsa-sha2-nistp256 x509v3-ecdsa-sha2-nistp384 x509v3-ecdsa-sha2-nistp521
ip scp server enable
!
ip access-list standard GS_NAT_ACL
10 permit 192.168.35.0 0.0.0.255
!
!
ip access-list extended 101
10 permit ip 172.28.0.0 0.0.3.255 any
!
03-22-2022 08:29 AM
@angelito_mas I thought you wanted to authenticate users with a username and password? You've defined the authentication method (local and remote) as PSK.
You've also referenced a method list called VPN under the ikev2 profile that does not exist.
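A corrected fragment of the posted hub config, added here as an example and not the poster's own or a Cisco-supplied config: it keeps the e-mail identity plus pre-shared-key scheme the poster described and adds the missing network authorization method list `VPN` that the IKEv2 profile references. The e-mail domain, PSK and key-id are placeholders, and the note on the IKEv1 wildcard key assumes IKEv1 is not needed on this hub.

```cisco
! Before (as posted): the IKEv2 profile says "aaa authorization group psk
! list VPN VPN", but no "aaa authorization network VPN ..." line exists,
! so the group authorization (pool, routes) can never be applied to a spoke.
aaa new-model
aaa authentication login default local
aaa authorization exec default local none
!
! After: define the method list locally, so "list VPN" resolves to the
! "crypto ikev2 authorization policy VPN" configured on this router.
aaa authorization network VPN local
!
crypto ikev2 authorization policy VPN
 pool TestPool
 route set interface
 route set remote ipv4 172.26.255.0 255.255.255.0
!
! PSK keyring: the spoke identifies itself with an e-mail identity and the
! "password" is the pre-shared key (placeholder values, not real ones).
crypto ikev2 keyring Flex_key
 peer spokes
  identity email domain example.invalid
  pre-shared-key PLACEHOLDER_PSK
!
crypto ikev2 profile VPN_I2PF
 match fvrf any
 match identity remote email domain example.invalid
 identity local key-id PUBLIC_IP_PLACEHOLDER
 authentication remote pre-share
 authentication local pre-share
 keyring local Flex_key
 dpd 29 2 on-demand
 ! second "VPN" is the username looked up in the local method list above
 aaa authorization group psk list VPN VPN
 virtual-template 2
!
! The posted config also carries "crypto isakmp key cisco123 address 0.0.0.0",
! an IKEv1 wildcard PSK accepted from any peer address. If IKEv1 is not
! used on this hub (assumption), remove it so only the IKEv2 profile answers:
no crypto isakmp key cisco123 address 0.0.0.0
```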
03-22-2022 08:45 AM
@Rob Ingram I need to connect the spoke to the hub using an email address as the username and a pre-shared key as the password.
Previously I've added the AAA configuration because I should use a RADIUS server.
At the moment I would like to check the connectivity between the hub and the spoke.
03-22-2022 09:30 AM
show ip interface brief
Can you share it?
03-22-2022 12:47 PM - edited 03-22-2022 12:48 PM
interface Virtual-Template2 type tunnel
ip unnumbered Loopback0
ip mtu 1358
ip nat inside
ip tcp adjust-mss 1318
tunnel source GigabitEthernet1<-wrong
tunnel mode ipsec ipv4
tunnel destination dynamic<-wrong
tunnel path-mtu-discovery
tunnel protection ipsec profile VPN_IPS_PF
The spoke-hub tunnel is built dynamically.
In the spoke you configure the source and destination, which is the Lo of the hub's virtual-templateX.
In the hub, the virtual-template generates a VCI for each spoke depending on the configured "IPSec profile".
So why do you configure this source/destination here?