08-30-2018 09:36 AM - edited 02-21-2020 09:27 PM
Hello,
I've been struggling to get a FlexVPN setup to work and I seem to be running into a problem.
Specifically, the static route for the subnet between the hub and spoke tunnel does not appear in the routing table of either of them.
Here is the configuration. The IKEv2 association is up and the IPsec association is up; I'm just missing something...
Does anyone have any ideas?
===========HUB======================
crypto ikev2 authorization policy FLEX-AUTH-POL-01
route set interface
route set access-list FLEX-ROUTE-ACL-01
crypto ikev2 proposal FLEX-PROP-01
encryption aes-cbc-128
integrity sha256
group 19
crypto ikev2 policy FLEX-POL-01
match fvrf any
proposal FLEX-PROP-01
crypto ikev2 keyring FLEX-KEYS-01
peer spoke
description spoke.sig.dom
address 1.1.1.2
identity address 1.1.1.2
pre-shared-key local cisco123
pre-shared-key remote cisco123
!
crypto ikev2 profile FLEX-IKEV2-PROFILE-01
match identity remote address 0.0.0.0
identity local address 1.1.3.2
authentication remote pre-share
authentication local pre-share
keyring local FLEX-KEYS-01
aaa authorization group psk list default FLEX-AUTH-POL-01
virtual-template 23
crypto ipsec transform-set FLEX-IPSEC-TS-01 esp-aes esp-md5-hmac
mode transport
crypto ipsec profile FLEX-IPSEC-PROF-01
set transform-set FLEX-IPSEC-TS-01
set ikev2-profile FLEX-IKEV2-PROFILE-01
apacN-flex-hub01#sh run | s Virtual-tem
apacN-flex-hub01#sh run | s Virtual-
interface Virtual-Template23 type tunnel
ip unnumbered Loopback23
ip nhrp network-id 23
ip nhrp redirect
tunnel source Ethernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile FLEX-IPSEC-PROF-01
!
apacN-flex-hub01#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 1.1.3.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 1.1.3.1
1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 1.1.3.0/24 is directly connected, Ethernet0/0
L 1.1.3.2/32 is directly connected, Ethernet0/0
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.23.1.0/24 is directly connected, Loopback23
L 10.23.1.2/32 is directly connected, Loopback23
!
apacN-flex-hub01#sh ip int br | e unas
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 1.1.3.2 YES NVRAM up up
Loopback23 10.23.1.2 YES NVRAM up up
Virtual-Access1 10.23.1.2 YES unset up up
Virtual-Template23 10.23.1.2 YES unset up down
================SPOKE=====================================
crypto ikev2 proposal FLEX-PROP-01
encryption aes-cbc-128
integrity sha256
group 19
crypto ikev2 policy FLEX-POL-01
match fvrf any
proposal FLEX-PROP-01
crypto ikev2 keyring FLEX-KEYS-01
peer apacN
description spoke.sig.dom
address 1.1.3.2
identity address 1.1.3.2
pre-shared-key local cisco123
pre-shared-key remote cisco123
!
crypto ikev2 profile FLEX-IKEV2-PROFILE-01
match identity remote address 0.0.0.0
identity local address 1.1.1.2
authentication remote pre-share
authentication local pre-share
keyring local FLEX-KEYS-01
virtual-template 23
crypto ikev2 client flexvpn FLEX-FLEX-CLIENT-01
peer 1 1.1.3.2
client connect Tunnel23
set ikev2-profile FLEX-IKEV2-PROFILE-01
!
crypto ipsec transform-set CCONNECT-IPSEC-TS-01 esp-aes esp-md5-hmac
mode transport
!
crypto ipsec profile CCONNECT-IPSEC-PROF-01
set transform-set CCONNECT-IPSEC-TS-01
set ikev2-profile CCONNECT-IKEV2-PROFILE-01
!
interface Tunnel23
ip unnumbered Loopback23
ip nhrp network-id 23
ip nhrp redirect
tunnel source Ethernet0/0
tunnel mode ipsec ipv4
tunnel destination dynamic
tunnel protection ipsec profile CCONNECT-IPSEC-PROF-01
!
crypto ikev2 client flexvpn CCONNECT-FLEX-CLIENT-01
peer 1 1.1.3.2
client connect Tunnel23
!
SPOKE#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 1.1.1.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 1.1.1.1
1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 1.1.1.0/24 is directly connected, Ethernet0/0
L 1.1.1.2/32 is directly connected, Ethernet0/0
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.23.1.0/24 is directly connected, Loopback23
L 10.23.1.11/32 is directly connected, Loopback23
!
SPOKE# sh crypto engine connections active
Crypto Engine Connections
ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address
5 IPsec AES+MD5 0 0 0 1.1.1.2
6 IPsec AES+MD5 0 0 0 1.1.1.2
1004 IKEv2 SHA256+AES 0 0 0 1.1.1.2
08-30-2018 11:08 AM
Hi,
Do you have the aaa settings configured? E.g.
aaa new-model
aaa authorization network default local
You've also only defined FLEX-AUTH-POL-01 on the hub; you'd need it at both ends.
If you run the command "show crypto ikev2 sa detailed", this will display the remote subnet (/32) learnt from the peer.
HTH
08-30-2018 02:40 PM - edited 08-30-2018 02:41 PM
Hello,
thank you for the suggestions:
- I did not have the AAA commands,
- I have configured the FLEX-AUTH-POL-01 and the ACL on both the hub and spoke.
The output of "show crypto ikev2 sa detail" is as follows below. From what I see, the hub does not have any subnet information from the spoke.
apacN-flex-hub01#sh crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 1.1.3.2/500 1.1.1.2/500 none/none READY
Encr: AES-CBC, keysize: 128, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/40 sec
CE id: 1005, Session-id: 5
Status Description: Negotiation done
Local spi: A4915DC037638FE9 Remote spi: A327D2A22B8CF0AF
Local id: 1.1.3.2
Remote id: 1.1.1.2
Local req msg id: 0 Remote req msg id: 2
Local next msg id: 0 Remote next msg id: 2
Local req queued: 0 Remote req queued: 2
Local window: 5 Remote window: 5
DPD configured for 0 seconds, retry 0
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : No
IPv6 Crypto IKEv2 SA
__________
SPOKE#sh crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
2 1.1.1.2/500 1.1.3.2/500 none/none READY
Encr: AES-CBC, keysize: 128, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/17 sec
CE id: 1005, Session-id: 4
Status Description: Negotiation done
Local spi: A327D2A22B8CF0AF Remote spi: A4915DC037638FE9
Local id: 1.1.1.2
Remote id: 1.1.3.2
Local req msg id: 2 Remote req msg id: 0
Local next msg id: 2 Remote next msg id: 0
Local req queued: 2 Remote req queued: 0
Local window: 5 Remote window: 5
DPD configured for 0 seconds, retry 0
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : Yes
Remote subnets:
10.23.1.2 255.255.255.255
0.0.0.0 0.0.0.0
IPv6 Crypto IKEv2 SA
regards,
Gabriel
08-30-2018 10:51 PM - edited 08-31-2018 02:24 AM
Ok, I can see the hub does not have the routes but the spoke does. Can you upload the full configuration of both routers please?
08-31-2018 12:01 AM
Hello,
here it is:
apacN-flex-hub01#sh run
Building configuration...
Current configuration : 3247 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname apacN-flex-hub01
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authorization network default local
!
!
aaa session-id common
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
ip domain name sig.dom
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
redundancy
!
!
!
!
crypto ikev2 authorization policy CCONNECT-AUTH-POL-01
route set interface
route set access-list CCONNECT-ROUTE-ACL-01
!
crypto ikev2 authorization policy FLEX-AUTH-POL-01
route set interface
route set access-list FLEX-ROUTE-ACL-01
!
crypto ikev2 proposal CCONNECT-PROP-01
encryption aes-cbc-128
integrity sha256
group 19
!
crypto ikev2 policy CCONNECT-POL-01
match fvrf any
proposal CCONNECT-PROP-01
!
crypto ikev2 keyring CCONNECT-KEYS-01
peer spoke
description spoke.sig.dom
address 1.1.1.2
identity address 1.1.1.2
pre-shared-key local cisco123
pre-shared-key remote cisco123
!
!
!
crypto ikev2 profile CCONNECT-IKEV2-PROFILE-01
match identity remote address 0.0.0.0
identity local address 1.1.3.2
authentication remote pre-share
authentication local pre-share
keyring local CCONNECT-KEYS-01
aaa authorization group psk list default CCONNECT-AUTH-POL-01
virtual-template 23
!
!
!
crypto ipsec transform-set CCONNECT-IPSEC-TS-01 esp-aes esp-md5-hmac
mode transport
!
crypto ipsec profile CCONNECT-IPSEC-PROF-01
set transform-set CCONNECT-IPSEC-TS-01
set ikev2-profile CCONNECT-IKEV2-PROFILE-01
!
!
!
!
!
!
!
interface Loopback23
ip address 10.23.1.2 255.255.255.0
!
interface Ethernet0/0
ip address 1.1.3.2 255.255.255.0
!
interface Ethernet0/1
no ip address
shutdown
!
! interfaces in shutdown removed
!
interface Virtual-Template23 type tunnel
ip unnumbered Loopback23
ip nhrp network-id 23
ip nhrp redirect
tunnel source Ethernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CCONNECT-IPSEC-PROF-01
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 1.1.3.1
!
ip access-list standard CCONNECT-ROUTE-ACL-01
permit any
ip access-list standard FLEX-ROUTE-ACL-01
permit 10.0.0.0 0.255.255.255
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
transport input all
!
!
end
====================================================================
SPOKE#sh run
Building configuration...
Current configuration : 3095 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SPOKE
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authorization network default local
!
!
!
!
!
aaa session-id common
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
ip domain name sig.dom
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
redundancy
!
!
!
!
crypto ikev2 authorization policy FLEX-AUTH-POL-01
route set interface
route set access-list FLEX-ROUTE-ACL-01
!
crypto ikev2 proposal CCONNECT-PROP-01
encryption aes-cbc-128
integrity sha256
group 19
!
crypto ikev2 policy CCONNECT-POL-01
match fvrf any
proposal CCONNECT-PROP-01
!
crypto ikev2 keyring CCONNECT-KEYS-01
peer apacN
description spoke.sig.dom
address 1.1.3.2
identity address 1.1.3.2
pre-shared-key local cisco123
pre-shared-key remote cisco123
!
!
!
crypto ikev2 profile CCONNECT-IKEV2-PROFILE-01
match identity remote address 0.0.0.0
identity local address 1.1.1.2
authentication remote pre-share
authentication local pre-share
keyring local CCONNECT-KEYS-01
virtual-template 23
!
crypto ikev2 client flexvpn CCONNECT-FLEX-CLIENT-01
peer 1 1.1.3.2
client connect Tunnel23
!
!
!
crypto ipsec transform-set CCONNECT-IPSEC-TS-01 esp-aes esp-md5-hmac
mode transport
!
crypto ipsec profile CCONNECT-IPSEC-PROF-01
set transform-set CCONNECT-IPSEC-TS-01
set ikev2-profile CCONNECT-IKEV2-PROFILE-01
!
!
!
!
!
!
!
interface Loopback23
ip address 10.23.1.11 255.255.255.0
!
interface Tunnel23
ip unnumbered Loopback23
ip nhrp network-id 23
ip nhrp redirect
tunnel source Ethernet0/0
tunnel mode ipsec ipv4
tunnel destination dynamic
tunnel protection ipsec profile CCONNECT-IPSEC-PROF-01
!
interface Ethernet0/0
ip address 1.1.1.2 255.255.255.0
!
interface Ethernet0/1
no ip address
shutdown
!
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
ip access-list standard FLEX-ROUTE-ACL-01
permit 10.0.0.0 0.255.255.255
!
!
control-plane
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
transport input all
!
!
end
08-31-2018 02:23 AM
Hi,
You don't have the authorization profile defined under your IKEv2 profile on the spoke. Your current config:-
crypto ikev2 profile CCONNECT-IKEV2-PROFILE-01
match identity remote address 0.0.0.0
identity local address 1.1.1.2
authentication remote pre-share
authentication local pre-share
keyring local CCONNECT-KEYS-01
virtual-template 23
Add this and bounce the tunnels:-
crypto ikev2 profile CCONNECT-IKEV2-PROFILE-01
aaa authorization group psk list default FLEX-AUTH-POL-01
HTH
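Checking for this class of mistake mechanically, as an added example that is not from the thread or from Cisco: a small Python audit that parses IOS config text into sections and reports a `crypto ikev2 profile` with no `aaa authorization group ... list` line, a referenced AAA method list or authorization policy that is missing, or a `route set access-list` whose ACL is undefined. The sample config is constructed from the spoke lines in this thread and assumes IOS's one-space indentation of child lines.

```python
import re
# Constructed sample (not the thread's config verbatim): the spoke's IKEv2
# profile as first posted, without any "aaa authorization group" line.
SPOKE_BEFORE = """\
crypto ikev2 authorization policy FLEX-AUTH-POL-01
 route set interface
 route set access-list FLEX-ROUTE-ACL-01
!
crypto ikev2 profile CCONNECT-IKEV2-PROFILE-01
 keyring local CCONNECT-KEYS-01
 virtual-template 23
!
ip access-list standard FLEX-ROUTE-ACL-01
 permit 10.0.0.0 0.255.255.255
"""
# The same config with the accepted answer's line and the AAA lines added.
SPOKE_AFTER = ("aaa new-model\naaa authorization network default local\n"
               + SPOKE_BEFORE.replace(" virtual-template 23",
                   " aaa authorization group psk list default FLEX-AUTH-POL-01\n virtual-template 23"))

def parse_sections(config):
    """Split an IOS config into {header line: [indented child lines]}."""
    sections, current = {}, None
    for line in (l.rstrip() for l in config.splitlines()):
        if not line or line == "!":
            current = None                      # "!" or blank ends a section
        elif not line.startswith(" "):
            current = line                      # top-level command = header
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line.strip())
    return sections

def audit_flexvpn(config):
    """Return findings that explain why IKEv2 would push/accept no routes."""
    sec = parse_sections(config)
    policies = {h.split()[-1]: body for h, body in sec.items()
                if h.startswith("crypto ikev2 authorization policy ")}
    findings = []
    for prof, body in sec.items():
        if not prof.startswith("crypto ikev2 profile "):
            continue
        name = prof.split()[-1]
        auth = [m for l in body
                if (m := re.match(r"aaa authorization group \S+ list (\S+) (\S+)", l))]
        if not auth:   # the exact defect in the thread: policy never applied
            findings.append(f"{name}: missing 'aaa authorization group ... list', so no policy and no routes apply")
            continue
        for m in auth:
            lst, pol = m.group(1), m.group(2)
            if not any(h.startswith(f"aaa authorization network {lst} ") for h in sec):
                findings.append(f"{name}: AAA method list '{lst}' is not configured")
            if pol not in policies:
                findings.append(f"{name}: authorization policy {pol} is not defined")
                continue
            for entry in policies[pol]:
                acl = re.match(r"route set access-list (\S+)", entry)
                if acl and f"ip access-list standard {acl.group(1)}" not in sec:
                    findings.append(f"{pol}: access-list {acl.group(1)} is not defined")
    return findings
```

Run it over the full "sh run" of both routers; an empty list from `audit_flexvpn` on each side is the precondition for the "Remote subnets" lines to appear on both ends.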
08-31-2018 02:59 AM
Wow. Yes, that's the problem.
It works now.
I'm posting my config here just for people to be able to use it.
Thanks and regards,
Gabriel
spoke-155#sh crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 1.1.1.2/500 1.1.1.1/500 none/none READY
Encr: AES-CBC, keysize: 128, PRF: SHA256, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/43 sec
CE id: 1004, Session-id: 2
Status Description: Negotiation done
Local spi: 48D03C55E08D0E24 Remote spi: E7742CD0A88AE162
Local id: 1.1.1.2
Remote id: 1.1.1.1
Local req msg id: 3 Remote req msg id: 0
Local next msg id: 3 Remote next msg id: 0
Local req queued: 3 Remote req queued: 0
Local window: 5 Remote window: 5
DPD configured for 0 seconds, retry 0
Fragmentation not configured.
Extended Authentication not configured.
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : Yes
Remote subnets:
10.23.1.1 255.255.255.255
10.0.0.0 255.0.0.0
IPv6 Crypto IKEv2 SA
spoke-155#ping 10.23.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.23.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms
=======================================================================
Hub-155#sh crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
2 1.1.1.1/500 1.1.1.2/500 none/none READY
Encr: AES-CBC, keysize: 128, PRF: SHA256, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/72 sec
CE id: 1004, Session-id: 4
Status Description: Negotiation done
Local spi: E7742CD0A88AE162 Remote spi: 48D03C55E08D0E24
Local id: 1.1.1.1
Remote id: 1.1.1.2
Local req msg id: 0 Remote req msg id: 3
Local next msg id: 0 Remote next msg id: 3
Local req queued: 0 Remote req queued: 3
Local window: 5 Remote window: 5
DPD configured for 0 seconds, retry 0
Fragmentation not configured.
Extended Authentication not configured.
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : No
Remote subnets:
10.23.1.11 255.255.255.255
10.0.0.0 255.0.0.0
IPv6 Crypto IKEv2 SA
Hub-155#ping 10.23.1.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.23.1.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms
===================================================================
HUB CONFIG
===================================================================
aaa new-model
aaa authorization network default local
!
crypto ikev2 authorization policy POC-AUTH-POL-01
route set interface
route set access-list POC-ROUTE-ACL-01
!
crypto ikev2 authorization policy FLEX-AUTH-POL-01
route set interface
route set access-list FLEX-ROUTE-ACL-01
!
crypto ikev2 proposal POC-PROP-01
encryption aes-cbc-128
integrity sha256
group 19
!
crypto ikev2 policy POC-POL-01
match fvrf any
proposal POC-PROP-01
!
crypto ikev2 keyring POC-KEYS-01
peer spoke
description spoke.sig.dom
address 1.1.1.2
identity address 1.1.1.2
pre-shared-key local cisco123
pre-shared-key remote cisco123
!
!
!
crypto ikev2 profile POC-IKEV2-PROFILE-01
match identity remote address 0.0.0.0
identity local address 1.1.1.1
authentication remote pre-share
authentication local pre-share
keyring local POC-KEYS-01
aaa authorization group psk list default FLEX-AUTH-POL-01
virtual-template 23
!
!
!
crypto ipsec transform-set POC-IPSEC-TS-01 esp-aes esp-md5-hmac
mode transport
!
crypto ipsec profile POC-IPSEC-PROF-01
set transform-set POC-IPSEC-TS-01
set ikev2-profile POC-IKEV2-PROFILE-01
!
!
interface Loopback23
ip address 10.23.1.1 255.255.255.0
!
interface Ethernet0/0
ip address 1.1.1.1 255.255.255.0
!
interface Virtual-Template23 type tunnel
ip unnumbered Loopback23
ip nhrp network-id 23
ip nhrp redirect
tunnel source Ethernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile POC-IPSEC-PROF-01
!
!
ip access-list standard POC-ROUTE-ACL-01
permit any
ip access-list standard FLEX-ROUTE-ACL-01
permit 10.0.0.0 0.255.255.255
===========================================================
spoke
version 15.5
aaa new-model
aaa authorization network default local
!
!
crypto ikev2 authorization policy FLEX-AUTH-POL-01
route set interface
route set access-list FLEX-ROUTE-ACL-01
!
crypto ikev2 proposal POC-PROP-01
encryption aes-cbc-128
integrity sha256
group 19
!
crypto ikev2 policy POC-POL-01
match fvrf any
proposal POC-PROP-01
!
crypto ikev2 keyring POC-KEYS-01
peer apacN
description spoke.sig.dom
address 1.1.1.1
identity address 1.1.1.1
pre-shared-key local cisco123
pre-shared-key remote cisco123
!
!
!
crypto ikev2 profile POC-IKEV2-PROFILE-01
match identity remote address 0.0.0.0
identity local address 1.1.1.2
authentication remote pre-share
authentication local pre-share
keyring local POC-KEYS-01
aaa authorization group psk list default FLEX-AUTH-POL-01
virtual-template 23
!
crypto ikev2 client flexvpn POC-FLEX-CLIENT-01
peer 1 1.1.1.1
client connect Tunnel23
!
crypto ipsec transform-set POC-IPSEC-TS-01 esp-aes esp-md5-hmac
mode transport
!
crypto ipsec profile POC-IPSEC-PROF-01
set transform-set POC-IPSEC-TS-01
set ikev2-profile POC-IKEV2-PROFILE-01
!
interface Loopback23
ip address 10.23.1.11 255.255.255.0
!
interface Tunnel23
ip unnumbered Loopback23
ip nhrp network-id 23
ip nhrp redirect
tunnel source Ethernet0/0
tunnel mode ipsec ipv4
tunnel destination dynamic
tunnel protection ipsec profile POC-IPSEC-PROF-01
!
interface Ethernet0/0
ip address 1.1.1.2 255.255.255.0
!
ip access-list standard FLEX-ROUTE-ACL-01
permit 10.0.0.0 0.255.255.255