FlexVPN/IKEV2 is up between server and client, BGP advertised route not reachable from Server

harshamore (Level 1)

I have a FlexVPN server dynamic VTI configuration with a single client. IKEv2 is up with the child SA established. I am running an eBGP session between the VTI interfaces of the client and server, and the session is in the established state. The client advertises a LAN network route through BGP; this route is learnt and installed on the server. However, I cannot reach this route.

FlexVPN server configuration:

aaa new-model
!
!
aaa authentication login default local enable
aaa authentication login ucpe-auth local
aaa authorization console
aaa authorization exec default local
aaa authorization network default local
!
!
!
!
!
aaa session-id common
!
!
!
!
!
ip vrf private-vrf
description unencrypted VRF
rd 1:1
maximum routes 50000 80
!
ip vrf public-vrf
!
no crypto ikev2 authorization policy default
!
crypto ikev2 authorization policy uCPE-auth-pol
pool uCPE-pool1
dns 1.1.1.1 2.2.2.2
netmask 255.255.255.0
route set interface Loopback1001
!
crypto ikev2 proposal uCPE-proposal
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha512 sha384 sha256
group 16 15 14
!
no crypto ikev2 policy default
crypto ikev2 policy uCPE-policy
match fvrf public-vrf
proposal uCPE-proposal
!
!
crypto ikev2 profile uCPE-profile
description uCPE profile
match fvrf public-vrf
match identity remote key-id uCPE-key-id
match identity remote key-id uCPE-key-ian1
match identity remote key-id uCPE-key-billb
identity local fqdn ucpe.verizon.net
authentication local pre-share key abc123
authentication remote pre-share key abc123
dpd 600 2 periodic
aaa authorization group psk list default uCPE-auth-pol
virtual-template 1 mode auto
!
crypto ipsec transform-set tset_aes_256_sha esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec transform-set tset_aes_128_sha esp-aes esp-sha-hmac
mode tunnel
crypto ipsec transform-set tset_aes_128_sha256 esp-aes esp-sha256-hmac
mode tunnel
crypto ipsec df-bit clear
!
!
crypto ipsec profile uCPE-ips-prof
set security-association lifetime seconds 28800
set transform-set tset_aes_128_sha256
set pfs group14
set ikev2-profile uCPE-profile
!
!
crypto call admission limit ike in-negotiation-sa 30
!
!
!
!
!
!
!
!
interface Loopback1001
description MNSO Interface and Tunnel Loopback
ip vrf forwarding private-vrf
ip address 10.100.100.100 255.255.255.255
!
interface GigabitEthernet1
description IDN Access Interface
ip vrf forwarding private-vrf
ip address z.z.z.z 255.255.255.0
no ip redirects
no ip proxy-arp
logging event link-status
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
ip vrf forwarding public-vrf
ip address x.x.x.x 255.255.255.0
no ip redirects
no ip proxy-arp
logging event link-status
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet3
vrf forwarding mgmt
ip address y.y.y.y 255.255.255.128
no ip redirects
no ip proxy-arp
logging event link-status
negotiation auto
no mop enabled
no mop sysid
!
interface Virtual-Template1 type tunnel
description uCPE virt template
ip vrf forwarding private-vrf
ip unnumbered Loopback1001
ip mtu 1400
ip tcp adjust-mss 1400
tunnel mode ipsec ipv4
tunnel vrf public-vrf
tunnel protection ipsec profile uCPE-ips-prof
!
router bgp 65001
bgp router-id 1.1.1.1
bgp log-neighbor-changes
bgp listen range 192.164.110.0/24 peer-group uCPEs
bgp listen range 172.163.110.0/24 peer-group uCPEs
bgp listen range 172.163.0.0/16 peer-group uCPEs
no bgp default ipv4-unicast
!
address-family ipv4 vrf private-vrf
network z.z.z.0 mask 255.255.255.0
redistribute connected
redistribute static
neighbor uCPEs peer-group
neighbor uCPEs remote-as 65002
neighbor uCPEs ebgp-multihop 2
neighbor uCPEs update-source Loopback1001
neighbor uCPEs default-originate
exit-address-family
!
threat-visibility
!
virtual-service csr_mgmt
!
ip local pool uCPE-pool1 172.163.110.10 172.163.110.100
ip forward-protocol nd
ip tcp path-mtu-discovery
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 x.x.x.1
ip route 0.0.0.0 0.0.0.0 y.y.y.1
ip route vrf mgmt 0.0.0.0 0.0.0.0 y.y.y.1
ip route vrf private-vrf z.z.z.0 255.255.255.0 z.z.z.1
ip route vrf public-vrf 0.0.0.0 0.0.0.0 x.x.x.1
!
ip ssh time-out 60
ip ssh rsa keypair-name test
ip ssh version 2
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip access-list extended public-vrf-acl
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
permit icmp any any
permit tcp any eq bgp any
permit ip any any
!
!
ip prefix-list allow-prefix seq 10 permit 0.0.0.0/0 le 24

==============================================================

BGP table:

Routing Table: private-vrf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        10.1.24.0/24 is directly connected, GigabitEthernet1
L        10.1.24.120/32 is directly connected, GigabitEthernet1
C        10.100.100.100/32 is directly connected, Loopback1001
      172.163.0.0/32 is subnetted, 1 subnets
S        172.163.110.14 is directly connected, Virtual-Access1
B     192.164.110.0/24 [20/0] via 172.163.110.14, 00:04:24

 

The 192.164.110.0/24 network is not reachable. I do not see the encrypt/decrypt counters incrementing.

 

3 Replies

Get the output of show ikev2 sa.

Also, from Loopback1001 can you ping your BGP destination, which is in private-vrf? Those BGP sources should be reachable via other routing (static or dynamic) for the BGP neighbour to establish.

There is an IP leased to the client VTI, and my IKE and child SA are up. I can also ping the peer BGP IP address from my loopback. BGP is also up and in the established state. Now, the client-advertised route is also installed in the server's private VRF. The problem I see is that this route is not in the VPN routing table, and there is also no entry for this route in the IPsec flow or the IKE traffic selector.

Then look at route import/export for BGP, and make sure that the subnet mask you are advertising matches the configured mask of the networks. If the BGP session is up, then it is a routing problem rather than a security one.
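The check this thread circles around (the original post's "route installed but no encrypt counters", and the follow-up about the route missing from the IPsec flow / IKE traffic selector), as an added example that is not code from the thread or from Cisco: resolve the BGP-learnt prefix recursively through the posted private-vrf routing table to find its egress interface, then confirm that the IPsec SA on that interface has a selector covering the prefix and look at its encrypt counter. The route lines are copied from the post; the `show crypto ipsec sa` excerpt is constructed in the usual IOS layout with documentation addresses (203.0.113.10, 198.51.100.20) and is an assumption, as are the helper names.

```python
"""Added example (not from the thread): does a BGP-learnt prefix recurse
onto the FlexVPN Virtual-Access interface, and does the IPsec SA on that
interface carry a selector that covers it?  Helper names are hypothetical."""
import ipaddress
import re

# Route lines copied from the 'show ip route vrf private-vrf' output in the post.
SHOW_IP_ROUTE_VRF = """\
C 10.1.24.0/24 is directly connected, GigabitEthernet1
L 10.1.24.120/32 is directly connected, GigabitEthernet1
C 10.100.100.100/32 is directly connected, Loopback1001
S 172.163.110.14 is directly connected, Virtual-Access1
B 192.164.110.0/24 [20/0] via 172.163.110.14, 00:04:24
"""

# Constructed 'show crypto ipsec sa' excerpt (assumption): the any/any
# selectors a 'tunnel mode ipsec ipv4' VTI gets, with counters still at zero.
SHOW_CRYPTO_IPSEC_SA = """\
interface: Virtual-Access1
    Crypto map tag: Virtual-Access1-head-0, local addr 203.0.113.10
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 198.51.100.20 port 4500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+(?P<prefix>\d+(?:\.\d+){3}(?:/\d+)?)"
    r"(?:\s+\[\d+/\d+\])?\s+(?:via\s+(?P<nh>\d+(?:\.\d+){3})"
    r"|is directly connected, (?P<intf>\S+))")
IDENT_RE = re.compile(
    r"(local|remote)\s+ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/\d+/\d+\)")
COUNTER_RE = re.compile(r"#pkts (encrypt|decrypt): (\d+)")


def parse_routes(text):
    """One dict per route line.  A bare host address (printed under a
    '/32 is subnetted' header, as in the post) is treated as a /32."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        prefix = m.group("prefix") + ("" if "/" in m.group("prefix") else "/32")
        routes.append({"code": m.group("code"),
                       "net": ipaddress.ip_network(prefix, strict=False),
                       "nh": m.group("nh"), "intf": m.group("intf")})
    return routes


def longest_match(routes, addr):
    addr = ipaddress.ip_address(addr)
    hits = [r for r in routes if addr in r["net"]]
    return max(hits, key=lambda r: r["net"].prefixlen, default=None)


def resolve_egress(routes, dest, max_depth=8):
    """Recursive lookup: follow 'via' next hops until a route naming an
    outgoing interface is reached.  Returns (interface_or_None, routes_walked)."""
    walked, target = [], dest
    for _ in range(max_depth):
        r = longest_match(routes, target)
        if r is None:
            break
        walked.append(r)
        if r["intf"]:
            return r["intf"], walked
        target = r["nh"]
    return None, walked


def parse_ipsec_sa(text):
    """One dict per 'interface:' block: selectors as networks plus counters."""
    sas, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("interface:"):
            cur = {"interface": line.split(":", 1)[1].strip(),
                   "local": [], "remote": [], "encrypt": 0, "decrypt": 0}
            sas.append(cur)
        elif cur is not None:
            m = IDENT_RE.search(line)
            if m:
                side, addr, mask = m.groups()
                cur[side].append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
            for name, val in COUNTER_RE.findall(line):
                cur[name] = int(val)
    return sas


def check_prefix(routes, sas, prefix):
    """Egress interface for `prefix`, whether the SA's remote selector on that
    interface covers it, and whether anything has been encrypted yet."""
    net = ipaddress.ip_network(prefix)
    egress, walked = resolve_egress(routes, str(net.network_address))
    sa = next((s for s in sas if s["interface"] == egress), None)
    selector_ok = sa is not None and any(net.subnet_of(r) for r in sa["remote"])
    if egress is None:
        verdict = "next hop does not resolve to an interface"
    elif sa is None:
        verdict = f"{egress} has no IPsec SA"
    elif not selector_ok:
        verdict = f"{egress}: remote selector does not cover {net}"
    elif sa["encrypt"] == 0:
        verdict = f"{egress}: route and selector OK, nothing encrypted yet"
    else:
        verdict = f"{egress}: OK, {sa['encrypt']} packets encrypted"
    return {"egress": egress, "path": [r["code"] for r in walked],
            "selector_ok": selector_ok,
            "encrypt": sa["encrypt"] if sa else None, "verdict": verdict}


if __name__ == "__main__":
    print(check_prefix(parse_routes(SHOW_IP_ROUTE_VRF),
                       parse_ipsec_sa(SHOW_CRYPTO_IPSEC_SA), "192.164.110.0/24"))
```

On the posted table the BGP route recurses through the /32 static to Virtual-Access1, and a VTI's 0.0.0.0/0 selectors cover any prefix, so a zero encrypt counter means the packets are not reaching the tunnel interface at all rather than being refused by IPsec. Before touching the crypto side, confirm the test traffic is really sourced inside private-vrf (for example a VRF-aware ping sourced from Loopback1001, as the first reply suggests), since a ping from the global table will never hit this route.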