FlexVPN: How do I tell my hosts to use VPN?

Xenogan28
Level 1

Hello,

I have created a site-to-site VPN using FlexVPN between two hosts. I can see the VPN is established, and I can ping end to end. However, when I ping end-to-end via the loopback addresses which I have set up to be my test hosts, I cannot see this traffic crossing the VPN. The traffic is making it to the destination because I have a static route, but when I do a "debug crypto ikev2" I do not see any IKEv2 packets during my pings from loopback to loopback. Please advise.

Here is my config for my two routers.

hostname PSE_BOTH
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
crypto pki token default removal timeout 0
!
!
no ipv6 cef
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
!
!
!
ip cef
!
multilink bundle-name authenticated
!
!
license udi pid C3900-SPE100/K9 sn FOC16227TPB
license boot module c3900 technology-package securityk9
license boot module c3900 technology-package datak9
!
!
!
redundancy
!
crypto ikev2 authorization policy DEFAULT
route set interface
route set access-list PSE_ADVERTISEMENTS
!
!
!
crypto ikev2 keyring PSE_KEYRING
peer L&G
description PSE_BOTH_TO_L&G
address 1XX.80.253.199
hostname LNX_VPN
pre-shared-key cisco
!
!
!
crypto ikev2 profile PSE_2_L&G
match identity remote address 1XX.80.253.199 255.255.255.255
authentication local pre-share
authentication remote pre-share
keyring local PSE_KEYRING
dpd 60 2 on-demand
!
!
!
!
!
!
!
crypto ipsec profile DEFAULT
set ikev2-profile PSE_2_L&G
!
!
!
!
!
!
!
interface Loopback0
ip address 1XX.192.0.1 255.255.0.0
!
interface Tunnel1
description PSE_2_L&G
ip address 1XX.21.254.33 255.255.255.252
tunnel source GigabitEthernet0/0
tunnel destination 1XX.80.253.199
tunnel protection ipsec profile DEFAULT
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 2XX.61.51.9 255.255.255.128
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 1XX.80.133.0 255.255.255.0 GigabitEthernet0/0
ip route 1XX.80.253.199 255.255.255.255 GigabitEthernet0/0
!
ip access-list standard FLEX_PERMITTED_SOURCES
ip access-list standard PSE_ADVERTISEMENTS
permit 1XX.192.0.0 0.0.255.255
!
!
!
!
control-plane
!
!
!
line con 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
!
end

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

hostname LNX_VPN
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
crypto pki token default removal timeout 0
!
!
no ipv6 cef
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
!
!
!
ip cef
!
multilink bundle-name authenticated
!
!
license udi pid C3900-SPE100/K9 sn FOC16227TL1
license boot module c3900 technology-package securityk9
!
!
!
redundancy
!
crypto ikev2 authorization policy DEFAULT
route set interface
route set access-list L&G_Advertisements
!
!
!
crypto ikev2 keyring PSE_KEYRING
peer PSE_BOTH
description THIS IS TO AUTHENTICATE PSE_BOTH
address 2XX.61.51.9
hostname PSE_BOTH
pre-shared-key cisco
!
peer PSE_EST
description THIS IS TO AUTHENTICATE PSE_EST
address 2XX.61.41.9
hostname PSE_EST
pre-shared-key cisco
!
!
!
crypto ikev2 profile PSE_2_L&G
match identity remote address 2XX.61.51.9 255.255.255.255
match identity remote address 2XX.61.41.9 255.255.255.255
authentication local pre-share
authentication remote pre-share
keyring local PSE_KEYRING
!
!
!
!
!
!
!
crypto ipsec profile DEFAULT
set ikev2-profile PSE_2_L&G
!
!
!
!
!
!
!
interface Loopback0
ip address 1XX.80.133.1 255.255.255.0
!
interface Tunnel1
description L&G_TO_PSE_BOTH
ip address 1XX.21.254.34 255.255.255.252
tunnel source GigabitEthernet0/0
tunnel destination 2XX.61.51.9
tunnel protection ipsec profile DEFAULT
!
interface Tunnel2
description L&G_TO_PSE_EST
ip address 1XX.21.254.38 255.255.255.252
tunnel source GigabitEthernet0/0
tunnel destination 2XX.61.41.9
tunnel protection ipsec profile DEFAULT
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 1XX.80.253.199 255.255.255.240
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address dhcp
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1/0
no ip address
shutdown
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 1XX.192.0.0 255.255.0.0 GigabitEthernet0/0
ip route 20X.61.41.9 255.255.255.255 GigabitEthernet0/0
ip route 20X.61.51.9 255.255.255.255 GigabitEthernet0/0
!
ip access-list standard L&G_Advertisements
permit 1XX.80.133.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
line con 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
!
end

LNX_VPN#

Accepted Solution

Change this (I'm assuming that's the route for the loopback on the other end)

ip route 1XX.192.0.0 255.255.0.0 GigabitEthernet0/0

!

ip route 1XX.192.0.0 255.255.0.0 TunnelX

Regards

Rolando A. Valenzuela.

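Added example, not code from the thread or from Cisco: a small Python audit that reads both routers' configs and flags any static route that sends a prefix the peer advertises through "route set access-list" anywhere other than into an IPsec-protected Tunnel interface, which is exactly the condition the accepted answer fixes. With "tunnel protection", only packets routed into the Tunnel interface get encrypted; a static route for the remote loopback prefix pointing at GigabitEthernet0/0 sends them out in cleartext, which is why the pings succeeded while nothing crossed the VPN. The two sample configs are constructed from the posted PSE_BOTH and LNX_VPN configs, trimmed to the relevant lines, with RFC 5737 and RFC 1918 addresses standing in for the masked 1XX/2XX values; all function and variable names are mine. Run over the configs as posted, it flags the LNX_VPN route the answer points at and also the mirror-image route on PSE_BOTH (ip route 1XX.80.133.0 255.255.255.0 GigabitEthernet0/0), which has the same problem.

```python
"""Audit IOS configs for static routes that bypass a FlexVPN (tunnel protection) tunnel.

Added example, not code from the thread. Sample configs below are constructed from
the thread's two routers with RFC 5737 / RFC 1918 addresses replacing the masked
1XX/2XX values; all names here are the example's own.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

@dataclass
class Config:
    protected: set = field(default_factory=set)     # Tunnel interfaces carrying 'tunnel protection'
    routes: list = field(default_factory=list)      # (IPv4Network, via) from each 'ip route'
    advertised: list = field(default_factory=list)  # prefixes this router pushes to its peer via IKEv2

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an IOS 'address wildcard' pair (inverse mask) to a network."""
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False)

def parse_config(text: str) -> Config:
    cfg, acls, adv_acl, block = Config(), {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("!"):
            block = None  # '!' closes the current interface / ACL block
        elif m := re.match(r"interface (\S+)", line):
            block = ("if", m[1])
        elif m := re.match(r"ip access-list standard (\S+)", line):
            block = ("acl", m[1])
            acls.setdefault(m[1], [])
        elif m := re.match(r"route set access-list (\S+)", line):
            adv_acl = m[1]  # ACL named under 'crypto ikev2 authorization policy'
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)", line):
            cfg.routes.append((ipaddress.IPv4Network((m[1], m[2]), strict=False), m[3]))
        elif block and block[0] == "if" and line.startswith("tunnel protection ipsec profile"):
            cfg.protected.add(block[1])
        elif block and block[0] == "acl" and (m := re.match(r"permit (\S+)(?: (\S+))?", line)):
            addr, wc = (m[2], "0.0.0.0") if m[1] == "host" else (m[1], m[2] or "0.0.0.0")
            acls[block[1]].append(wildcard_to_network(addr, wc))
    cfg.advertised = acls.get(adv_acl, [])
    return cfg

def audit(local: Config, peer: Config) -> list[str]:
    """Flag static routes on `local` that carry a peer-advertised prefix outside a protected tunnel."""
    findings = []
    for prefix in peer.advertised:
        for network, via in local.routes:
            if not network.overlaps(prefix) or network.prefixlen < prefix.prefixlen:
                continue  # less specific (e.g. a default route) loses on longest match
            if via not in local.protected:
                findings.append(f"{network} via {via} bypasses IPsec: traffic to {prefix} leaves in cleartext")
    return findings

def check_site(local_text: str, peer_text: str) -> list[str]:
    return audit(parse_config(local_text), parse_config(peer_text))

# Constructed sample configs (relevant lines only), modelled on the thread's two routers.
PSE_BOTH = """\
crypto ikev2 authorization policy DEFAULT
 route set access-list PSE_ADVERTISEMENTS
!
interface Tunnel1
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.199
 tunnel protection ipsec profile DEFAULT
!
ip route 10.80.133.0 255.255.255.0 GigabitEthernet0/0
ip route 198.51.100.199 255.255.255.255 GigabitEthernet0/0
!
ip access-list standard PSE_ADVERTISEMENTS
 permit 10.192.0.0 0.0.255.255
"""

LNX_VPN = """\
crypto ikev2 authorization policy DEFAULT
 route set access-list L&G_Advertisements
!
interface Tunnel1
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.9
 tunnel protection ipsec profile DEFAULT
!
ip route 10.192.0.0 255.255.0.0 GigabitEthernet0/0
ip route 203.0.113.9 255.255.255.255 GigabitEthernet0/0
!
ip access-list standard L&G_Advertisements
 permit 10.80.133.0 0.0.0.255
"""

# The accepted answer's fix: point the peer-prefix route at the Tunnel interface.
LNX_VPN_FIXED = LNX_VPN.replace("ip route 10.192.0.0 255.255.0.0 GigabitEthernet0/0",
                                "ip route 10.192.0.0 255.255.0.0 Tunnel1")

if __name__ == "__main__":
    for label, local, peer in (("LNX_VPN", LNX_VPN, PSE_BOTH), ("PSE_BOTH", PSE_BOTH, LNX_VPN),
                               ("LNX_VPN fixed", LNX_VPN_FIXED, PSE_BOTH)):
        print(f"{label}: {check_site(local, peer) or 'no bypass found'}")
```

The check is deliberately conservative: it ignores static routes less specific than the advertised prefix (a default route out the uplink loses to the tunnel route on longest match), and it does not flag the /32 host route to the peer's public address, which has to leave via the physical interface for IKEv2 and ESP to reach the peer at all. Separately, both posted configs use the pre-shared key "cisco" and "transport input all" on the vty lines; replace both before this goes anywhere near production.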

2 Replies


This seems right. Basically, via my static route I am telling the router to use the tunnel interface for traffic to the destination of 1XX.192.0.0. I should have known that. Thanks :)