04-02-2019 11:19 AM
Cisco 4351 configured as FlexVPN headend AND spoke to DMVPN. Hub and spoke seems to be working just fine.
AnyConnect clients authenticate locally and seem to work fine, with one problem: from the AnyConnect client we cannot SSH to the FlexVPN headend's G0/0/1.319 internal interface, 192.168.19.254 (needed for mgmt.). Some details:
Client receives 192.168.1.1 and can ping 192.168.19.254.
Client can SSH to other hosts on 192.168.19.0/24 network.
Client can SSH to a loopback address if one is configured on the router and a route to it is given to the client.
DMVPN Hub router can SSH to 192.168.19.254.
Some debug output:
000686: *Apr 2 13:12:56.622 EDT: TCPADJMSS: process_enqueue_feature
000687: *Apr 2 13:12:56.622 EDT: IP: s=192.168.1.1 (Virtual-Access1), d=192.168.19.254, len 52, enqueue feature, TCP Adjust MSS(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwE
000688: *Apr 2 13:12:56.623 EDT: PAKDBG: COND_DEB_OFF: Direction 0 CBUG ID: 0 Packet: 0
000689: *Apr 2 13:12:56.623 EDT: Setting New Reno as congestion control algorithm
000690: *Apr 2 13:12:56.623 EDT: VTYMGT: tableid = 0, laddr = 192.168.19.254, faddr = 192.168.1.1, lport = 22
000691: *Apr 2 13:12:56.624 EDT: vrfmgr: Tableid 0xFFF returned for ivrf id 0x0
000692: *Apr 2 13:12:56.624 EDT: VTYMGT: Connection table id (0) does not match LIIN table id (4095)
000693: *Apr 2 13:12:56.624 EDT: AN: INFRA_EVENT - SSH connection detetced, failed to get vrf id
000694: *Apr 2 13:12:56.625 EDT: IP: s=192.168.19.254 (local), d=192.168.1.1, len 44, local feature, feature skipped, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
IOS-RP-CMAN: Rcv msg handler: msg_len 2243
000695: *Apr 2 13:12:56.625 EDT: IP: tableid=0, s=192.168.19.254 (local), d=192.168.1.1 (Virtual-Access1), routed via FIB
000696: *Apr 2 13:12:56.625 EDT: IP: s=192.168.19.254 (local), d=192.168.1.1 (Virtual-Access1), len 44, sending
000697: *Apr 2 13:12:56.626 EDT: IP: s=192.168.19.254 (local), d=192.168.1.1 (Virtual-Access1), len 44, output feature, feature skipped, NAT Inside(8), rtype 1, forus FALSE, sendsE
000698: *Apr 2 13:12:56.627 EDT: IP: s=192.168.19.254 (local), d=192.168.1.1 (Virtual-Access1), len 44, output feature, feature skipped, TCP Adjust MSS(58), rtype 1, forus FALSE, E
000699: *Apr 2 13:12:56.627 EDT: IP: s=192.168.19.254 (local), d=192.168.1.1 (Virtual-Access1), len 44, output feature, feature skipped, debug packet(100), rtype 1, forus FALSE, sE
Here are the relevant parts of our config:
!
version 16.6
!
vrf definition Mgmt-intf
!
aaa new-model
!
aaa group server radius ISE-RADIUS
 server name ISE01-RADIUS
!
aaa group server tacacs+ ISE-TACACS
 server name ISE01-TACACS
!
aaa authentication login default local
aaa authentication login CONSOLE local
aaa authentication login a-eap-authen-local local
aaa authorization exec default local
aaa authorization network default local
aaa authorization network a-eap-author-grp local
!
aaa attribute list AAA-attr
 attribute type interface-config "ip mtu 1300"
!
no ip bootp server
ip name-server x.x.x.x
ip domain name [domain.com]
!
crypto pki trustpoint TRUST_POINT
 enrollment terminal pem
 usage ike
 subject-name [blah blah]
 revocation-check none
 rsakeypair KEYPAIR
 hash sha256
!
crypto pki certificate chain TRUST_POINT
 certificate [blah blah]
 certificate ca [blah blah]
!
crypto ikev2 authorization policy ANYCONNECT-IKEV2-AUTH-POLICY
 pool ANYCONNECTPOOL-1
 netmask 255.255.255.0
 include-local-lan
 aaa attribute list AAA-attr
 route set remote ipv4 192.168.19.0 255.255.255.0
 route set remote ipv4 192.168.1.0 255.255.255.0
!
crypto ikev2 proposal SPOKE-IKEV2-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 profile ANYCONNECT-IKEV2-PROFILE
 match identity remote key-id *$AnyConnectClient$*
 identity local dn
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint TRUST_POINT
 aaa authentication anyconnect-eap a-eap-authen-local
 aaa authorization group anyconnect-eap list a-eap-author-grp ANYCONNECT-IKEV2-AUTH-POLICY
 aaa authorization user anyconnect-eap cached
 virtual-template 100
!
crypto ikev2 profile SPOKE-IKEV2-PROFILE
 match identity remote address 0.0.0.0
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TRUST_POINT
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec transform-set TS4 esp-aes 256 esp-sha512-hmac
 mode transport
!
crypto ipsec profile ANYCONNECT-IPSEC-PROFILE
 set transform-set TS4
 set ikev2-profile ANYCONNECT-IKEV2-PROFILE
!
crypto ipsec profile SPOKE-IPSEC-PROFILE
 set transform-set TS
 set ikev2-profile SPOKE-IKEV2-PROFILE
!
interface Loopback0
 no ip address
!
interface Tunnel1
 description IKEv2-Tunnel
 bandwidth 1000
 ip address 10.x.x.x 255.255.255.0
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map 10.x.x.x x.x.x.x
 ip nhrp map multicast x.x.x.x
 ip nhrp network-id 20
 ip nhrp holdtime 360
 ip nhrp nhs 10.x.x.x
 delay 1000
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel key 20
 tunnel protection ipsec profile SPOKE-IPSEC-PROFILE
!
interface GigabitEthernet0/0/0
 description ---OUTSIDE---
 ip address x.x.x.x
 ip nat outside
!
interface GigabitEthernet0/0/1
 no ip address
!
interface GigabitEthernet0/0/1.319
 description --- INSIDE---
 encapsulation dot1Q 319
 ip address 192.168.19.254 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0/2
 no ip address
 shutdown
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
!
interface Virtual-Template100 type tunnel
 ip unnumbered Loopback0
 ip nat inside
 ip tcp adjust-mss 1360
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ANYCONNECT-IPSEC-PROFILE
!
ip local pool ANYCONNECTPOOL-19 192.168.19.10 192.168.19.20
ip local pool ANYCONNECTPOOL-1 192.168.1.1 192.168.1.9
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh source-interface GigabitEthernet0/0/1.319
ip ssh version 2
!
access-list 198 permit tcp 192.168.1.0 0.0.0.255 any
access-list 198 permit tcp 192.168.19.0 0.0.0.255 any
access-list 198 deny ip any any log
!
line vty 0 4
 session-timeout 30
 access-class 198 in
 exec-timeout 30 0
 privilege level 15
 logging synchronous
 transport input ssh
line vty 5 15
 session-timeout 30
 access-class 198 in
 exec-timeout 30 0
 privilege level 15
 logging synchronous
 transport input ssh
!
end
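As an added triage example (not code from the original post), the Python below parses the VTYMGT lines of the debug output above together with the `access-class 198` ACL and the `ip local pool` entries from the config, rules out the vty access-class and the address pool as causes, and reports the "Connection table id ... does not match LIIN table id" mismatch the debug records; the DEBUG and CONFIG strings are constructed excerpts of the poster's output.

```python
import ipaddress
import re

# Constructed excerpts of the poster's debug output and config (a hypothetical subset).
DEBUG = """\
000690: *Apr 2 13:12:56.623 EDT: VTYMGT: tableid = 0, laddr = 192.168.19.254, faddr = 192.168.1.1, lport = 22
000692: *Apr 2 13:12:56.624 EDT: VTYMGT: Connection table id (0) does not match LIIN table id (4095)
"""
CONFIG = """\
ip local pool ANYCONNECTPOOL-1 192.168.1.1 192.168.1.9
access-list 198 permit tcp 192.168.1.0 0.0.0.255 any
access-list 198 permit tcp 192.168.19.0 0.0.0.255 any
access-list 198 deny ip any any log
"""
VTY_RE = re.compile(r"VTYMGT: tableid = (\d+), laddr = ([\d.]+), faddr = ([\d.]+), lport = (\d+)")
MISMATCH_RE = re.compile(r"Connection table id \((\d+)\) does not match LIIN table id \((\d+)\)")

def parse_acl(config, number):
    """[(action, source network or None for 'any')]; IOS wildcard masks are hostmasks to ipaddress."""
    entries = []
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 5 and t[:2] == ["access-list", str(number)]:
            net = None if t[4] == "any" else ipaddress.ip_network(f"{t[4]}/{t[5]}")
            entries.append((t[2], net))
    return entries

def acl_decision(entries, src):
    """First-match semantics, with the implicit deny at the end of every IOS ACL."""
    for action, net in entries:
        if net is None or src in net:
            return action
    return "deny"

def in_local_pool(config, addr):
    """True if addr lies in any 'ip local pool NAME START END' range."""
    return any(ipaddress.ip_address(m[1]) <= addr <= ipaddress.ip_address(m[2])
               for m in re.finditer(r"ip local pool \S+ ([\d.]+) ([\d.]+)", config))

def triage(debug, config, acl_number=198):
    """Rule out access-class and pool causes, then report the VRF table-id mismatch if logged."""
    vty = VTY_RE.search(debug)
    faddr = ipaddress.ip_address(vty[3])
    mm = MISMATCH_RE.search(debug)
    result = {"client": str(faddr), "listener": f"{vty[2]}:{vty[4]}",
              "acl": acl_decision(parse_acl(config, acl_number), faddr),
              "in_pool": in_local_pool(config, faddr),
              "table_mismatch": (int(mm[1]), int(mm[2])) if mm else None}
    result["verdict"] = ("blocked-by-access-class" if result["acl"] != "permit"
                         else "vrf-table-mismatch" if mm else "unknown")
    return result
```

For the poster's capture the verdict is "vrf-table-mismatch": the client 192.168.1.1 is in the pool and permitted by ACL 198, so the vty access-class is not what rejects the session.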