Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2589
Views
0
Helpful
6
Replies

FlexVPN - No Route to tunnel

Go to solution
gabi.albert
Level 1
Level 1

‎08-30-2018 09:36 AM - edited ‎02-21-2020 09:27 PM

Hello,

 

I've been struggling to get a Flex VPN Setup to work and I seem to be getting some problem.

 

Specifically - the static route for the subnet between the hub and spoke tunnel does not appear in the routing table of any of them.

 

Here is the configuration. ikev2 association is up, ipsec association is up i'm just missing something....

 

Anyone has any ideas?

===========HUB======================
crypto ikev2 authorization policy FLEX-AUTH-POL-01
 route set interface
 route set access-list FLEX-ROUTE-ACL-01
crypto ikev2 proposal FLEX-PROP-01
 encryption aes-cbc-128
 integrity sha256
 group 19
crypto ikev2 policy FLEX-POL-01
 match fvrf any
 proposal FLEX-PROP-01
crypto ikev2 keyring FLEX-KEYS-01
 peer spoke
  description spoke.sig.dom
  address 1.1.1.2
  identity address 1.1.1.2
  pre-shared-key local cisco123
  pre-shared-key remote cisco123
 !
crypto ikev2 profile FLEX-IKEV2-PROFILE-01
 match identity remote address 0.0.0.0
 identity local address 1.1.3.2
 authentication remote pre-share
 authentication local pre-share
 keyring local FLEX-KEYS-01
 aaa authorization group psk list default FLEX-AUTH-POL-01
 virtual-template 23
crypto ipsec transform-set FLEX-IPSEC-TS-01 esp-aes esp-md5-hmac
 mode transport
crypto ipsec profile FLEX-IPSEC-PROF-01
 set transform-set FLEX-IPSEC-TS-01
 set ikev2-profile FLEX-IKEV2-PROFILE-01
apacN-flex-hub01#sh run | s Virtual-tem
apacN-flex-hub01#sh run | s Virtual-
interface Virtual-Template23 type tunnel
 ip unnumbered Loopback23
 ip nhrp network-id 23
 ip nhrp redirect
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC-PROF-01
!
apacN-flex-hub01#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 1.1.3.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 1.1.3.1
      1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        1.1.3.0/24 is directly connected, Ethernet0/0
L        1.1.3.2/32 is directly connected, Ethernet0/0
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.23.1.0/24 is directly connected, Loopback23
L        10.23.1.2/32 is directly connected, Loopback23
!
apacN-flex-hub01#sh ip int br | e unas
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                1.1.3.2         YES NVRAM  up                    up
Loopback23                 10.23.1.2       YES NVRAM  up                    up
Virtual-Access1            10.23.1.2       YES unset  up                    up
Virtual-Template23         10.23.1.2       YES unset  up                    down


================SPOKE=====================================

crypto ikev2 proposal FLEX-PROP-01
 encryption aes-cbc-128
 integrity sha256
 group 19
crypto ikev2 policy FLEX-POL-01
 match fvrf any
 proposal FLEX-PROP-01
crypto ikev2 keyring FLEX-KEYS-01
 peer apacN
  description spoke.sig.dom
  address 1.1.3.2
  identity address 1.1.3.2
  pre-shared-key local cisco123
  pre-shared-key remote cisco123
 !
crypto ikev2 profile FLEX-IKEV2-PROFILE-01
 match identity remote address 0.0.0.0
 identity local address 1.1.1.2
 authentication remote pre-share
 authentication local pre-share
 keyring local FLEX-KEYS-01
 virtual-template 23
crypto ikev2 client flexvpn FLEX-FLEX-CLIENT-01
  peer 1 1.1.3.2
  client connect Tunnel23
 set ikev2-profile FLEX-IKEV2-PROFILE-01
 !
 crypto ipsec transform-set CCONNECT-IPSEC-TS-01 esp-aes esp-md5-hmac
 mode transport
!
crypto ipsec profile CCONNECT-IPSEC-PROF-01
 set transform-set CCONNECT-IPSEC-TS-01
 set ikev2-profile CCONNECT-IKEV2-PROFILE-01

 !
 interface Tunnel23
 ip unnumbered Loopback23
 ip nhrp network-id 23
 ip nhrp redirect
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile CCONNECT-IPSEC-PROF-01
!
crypto ikev2 client flexvpn CCONNECT-FLEX-CLIENT-01
  peer 1 1.1.3.2
  client connect Tunnel23
!
SPOKE#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 1.1.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 1.1.1.1
      1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        1.1.1.0/24 is directly connected, Ethernet0/0
L        1.1.1.2/32 is directly connected, Ethernet0/0
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.23.1.0/24 is directly connected, Loopback23
L        10.23.1.11/32 is directly connected, Loopback23
!


  SPOKE# sh crypto engine connections active
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
    5  IPsec   AES+MD5                   0        0        0 1.1.1.2
    6  IPsec   AES+MD5                   0        0        0 1.1.1.2
 1004  IKEv2   SHA256+AES                0        0        0 1.1.1.2


 

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP
In response to gabi.albert

‎08-31-2018 02:23 AM

Hi,

 

You don't have the authorization profile defined under your IKEv2 profile on the spoke. Your current config:-

 

crypto ikev2 profile CCONNECT-IKEV2-PROFILE-01
 match identity remote address 0.0.0.0
 identity local address 1.1.1.2
 authentication remote pre-share
 authentication local pre-share
 keyring local CCONNECT-KEYS-01
 virtual-template 23

 

Add this and bounce the tunnels:-

 

crypto ikev2 profile CCONNECT-IKEV2-PROFILE-01

 aaa authorization group psk list default FLEX-AUTH-POL-01

 

HTH

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Rob Ingram
VIP
VIP

‎08-30-2018 11:08 AM

Hi,

Do you have the aaa settings configured? E.g.

aaa new-model
aaa authorization network default local

You've also only defined FLEX-AUTH-POL-01 on the hub, you'd need it both ends. 

If you run the command "show crypto ikev2 sa detailed" this will display the remote subnet (/32) learnt from the peer.

 

HTH

0 Helpful

Go to solution
gabi.albert
Level 1
Level 1

‎08-30-2018 02:40 PM - edited ‎08-30-2018 02:41 PM

Hello,

thank you for the suggestions:

 

 - I did not have the AAA Commands,

 - I have configured the FLEX-AUTH-POL-01 and the ACL on both the hub and spoke.

 

and the output for the "show crypto ikev2 sa detail" is as follows bellow. From what I see the hub does not have any subnet information from the spoke.

 

apacN-flex-hub01#sh crypto ikev2 sa detailed
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         1.1.3.2/500           1.1.1.2/500           none/none            READY
      Encr: AES-CBC, keysize: 128, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/40 sec
      CE id: 1005, Session-id: 5
      Status Description: Negotiation done
      Local spi: A4915DC037638FE9       Remote spi: A327D2A22B8CF0AF
      Local id: 1.1.3.2
      Remote id: 1.1.1.2
      Local req msg id:  0              Remote req msg id:  2
      Local next msg id: 0              Remote next msg id: 2
      Local req queued:  0              Remote req queued:  2
      Local window:      5              Remote window:      5
      DPD configured for 0 seconds, retry 0
      NAT-T is not detected
      Cisco Trust Security SGT is disabled
      Initiator of SA : No

 IPv6 Crypto IKEv2  SA

__________


SPOKE#sh crypto ikev2 sa detailed
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         1.1.1.2/500           1.1.3.2/500           none/none            READY
      Encr: AES-CBC, keysize: 128, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/17 sec
      CE id: 1005, Session-id: 4
      Status Description: Negotiation done
      Local spi: A327D2A22B8CF0AF       Remote spi: A4915DC037638FE9
      Local id: 1.1.1.2
      Remote id: 1.1.3.2
      Local req msg id:  2              Remote req msg id:  0
      Local next msg id: 2              Remote next msg id: 0
      Local req queued:  2              Remote req queued:  0
      Local window:      5              Remote window:      5
      DPD configured for 0 seconds, retry 0
      NAT-T is not detected
      Cisco Trust Security SGT is disabled
      Initiator of SA : Yes
      Remote subnets:
      10.23.1.2 255.255.255.255
      0.0.0.0 0.0.0.0

 IPv6 Crypto IKEv2  SA

 

 

regards,

Gabriel

 

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to gabi.albert

‎08-30-2018 10:51 PM - edited ‎08-31-2018 02:24 AM

Ok, I can see the hub does not have the routes but the spoke does. Can you upload the full configuration of both routers please?

0 Helpful

Go to solution
gabi.albert
Level 1
Level 1
In response to Rob Ingram

‎08-31-2018 12:01 AM

Hello,

 

here it is:

 

apacN-flex-hub01#sh run
Building configuration...

Current configuration : 3247 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname apacN-flex-hub01
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authorization network default local
!

!
aaa session-id common
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
ip domain name sig.dom
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
redundancy
!
!
!
!
crypto ikev2 authorization policy CCONNECT-AUTH-POL-01
 route set interface
 route set access-list CCONNECT-ROUTE-ACL-01
!
crypto ikev2 authorization policy FLEX-AUTH-POL-01
 route set interface
 route set access-list FLEX-ROUTE-ACL-01
!
crypto ikev2 proposal CCONNECT-PROP-01
 encryption aes-cbc-128
 integrity sha256
 group 19
!
crypto ikev2 policy CCONNECT-POL-01
 match fvrf any
 proposal CCONNECT-PROP-01
!
crypto ikev2 keyring CCONNECT-KEYS-01
 peer spoke
  description spoke.sig.dom
  address 1.1.1.2
  identity address 1.1.1.2
  pre-shared-key local cisco123
  pre-shared-key remote cisco123
 !
!
!
crypto ikev2 profile CCONNECT-IKEV2-PROFILE-01
 match identity remote address 0.0.0.0
 identity local address 1.1.3.2
 authentication remote pre-share
 authentication local pre-share
 keyring local CCONNECT-KEYS-01
 aaa authorization group psk list default CCONNECT-AUTH-POL-01
 virtual-template 23
!
!
!
crypto ipsec transform-set CCONNECT-IPSEC-TS-01 esp-aes esp-md5-hmac
 mode transport
!
crypto ipsec profile CCONNECT-IPSEC-PROF-01
 set transform-set CCONNECT-IPSEC-TS-01
 set ikev2-profile CCONNECT-IKEV2-PROFILE-01
!
!
!
!
!
!
!
interface Loopback23
 ip address 10.23.1.2 255.255.255.0
!
interface Ethernet0/0
 ip address 1.1.3.2 255.255.255.0
!
interface Ethernet0/1
 no ip address
 shutdown
!
! interfaces in shutdiwn removed
!
interface Virtual-Template23 type tunnel
 ip unnumbered Loopback23
 ip nhrp network-id 23
 ip nhrp redirect
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CCONNECT-IPSEC-PROF-01
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 1.1.3.1
!
ip access-list standard CCONNECT-ROUTE-ACL-01
 permit any
ip access-list standard FLEX-ROUTE-ACL-01
 permit 10.0.0.0 0.255.255.255
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 transport input all
!
!
end
====================================================================
====================================================================
====================================================================

SPOKE#sh run
Building configuration...

Current configuration : 3095 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SPOKE
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authorization network default local
!
!
!
!
!
aaa session-id common
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
ip domain name sig.dom
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
redundancy
!
!
!
!
crypto ikev2 authorization policy FLEX-AUTH-POL-01
 route set interface
 route set access-list FLEX-ROUTE-ACL-01
!
crypto ikev2 proposal CCONNECT-PROP-01
 encryption aes-cbc-128
 integrity sha256
 group 19
!
crypto ikev2 policy CCONNECT-POL-01
 match fvrf any
 proposal CCONNECT-PROP-01
!
crypto ikev2 keyring CCONNECT-KEYS-01
 peer apacN
  description spoke.sig.dom
  address 1.1.3.2
  identity address 1.1.3.2
  pre-shared-key local cisco123
  pre-shared-key remote cisco123
 !
!
!
crypto ikev2 profile CCONNECT-IKEV2-PROFILE-01
 match identity remote address 0.0.0.0
 identity local address 1.1.1.2
 authentication remote pre-share
 authentication local pre-share
 keyring local CCONNECT-KEYS-01
 virtual-template 23
!
crypto ikev2 client flexvpn CCONNECT-FLEX-CLIENT-01
  peer 1 1.1.3.2
  client connect Tunnel23
!
!
!
crypto ipsec transform-set CCONNECT-IPSEC-TS-01 esp-aes esp-md5-hmac
 mode transport
!
crypto ipsec profile CCONNECT-IPSEC-PROF-01
 set transform-set CCONNECT-IPSEC-TS-01
 set ikev2-profile CCONNECT-IKEV2-PROFILE-01
!
!
!
!
!
!
!
interface Loopback23
 ip address 10.23.1.11 255.255.255.0
!
interface Tunnel23
 ip unnumbered Loopback23
 ip nhrp network-id 23
 ip nhrp redirect
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile CCONNECT-IPSEC-PROF-01
!
interface Ethernet0/0
 ip address 1.1.1.2 255.255.255.0
!
interface Ethernet0/1
 no ip address
 shutdown
!
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
ip access-list standard FLEX-ROUTE-ACL-01
 permit 10.0.0.0 0.255.255.255
!

!
control-plane
!
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 transport input all
!
!
end

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to gabi.albert

‎08-31-2018 02:23 AM

Hi,

 

You don't have the authorization profile defined under your IKEv2 profile on the spoke. Your current config:-

 

crypto ikev2 profile CCONNECT-IKEV2-PROFILE-01
 match identity remote address 0.0.0.0
 identity local address 1.1.1.2
 authentication remote pre-share
 authentication local pre-share
 keyring local CCONNECT-KEYS-01
 virtual-template 23

 

Add this and bounce the tunnels:-

 

crypto ikev2 profile CCONNECT-IKEV2-PROFILE-01

 aaa authorization group psk list default FLEX-AUTH-POL-01

 

HTH

0 Helpful

Go to solution
gabi.albert
Level 1
Level 1
In response to Rob Ingram

‎08-31-2018 02:59 AM

Wow. Yes, that's the problem.

 

It works now.

 

I'm posting my config here just for people to be able to use it.

 

Thanks and regards,

Gabriel

 

 

spoke-155#sh crypto ikev2 sa detailed
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         1.1.1.2/500           1.1.1.1/500           none/none            READY
      Encr: AES-CBC, keysize: 128, PRF: SHA256, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/43 sec
      CE id: 1004, Session-id: 2
      Status Description: Negotiation done
      Local spi: 48D03C55E08D0E24       Remote spi: E7742CD0A88AE162
      Local id: 1.1.1.2
      Remote id: 1.1.1.1
      Local req msg id:  3              Remote req msg id:  0
      Local next msg id: 3              Remote next msg id: 0
      Local req queued:  3              Remote req queued:  0
      Local window:      5              Remote window:      5
      DPD configured for 0 seconds, retry 0
      Fragmentation not  configured.
      Extended Authentication not configured.
      NAT-T is not detected
      Cisco Trust Security SGT is disabled
      Initiator of SA : Yes
      Remote subnets:
      10.23.1.1 255.255.255.255
      10.0.0.0 255.0.0.0

 IPv6 Crypto IKEv2  SA

spoke-155#ping 10.23.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.23.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms
=======================================================================
Hub-155#sh crypto ikev2 sa detailed
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         1.1.1.1/500           1.1.1.2/500           none/none            READY
      Encr: AES-CBC, keysize: 128, PRF: SHA256, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/72 sec
      CE id: 1004, Session-id: 4
      Status Description: Negotiation done
      Local spi: E7742CD0A88AE162       Remote spi: 48D03C55E08D0E24
      Local id: 1.1.1.1
      Remote id: 1.1.1.2
      Local req msg id:  0              Remote req msg id:  3
      Local next msg id: 0              Remote next msg id: 3
      Local req queued:  0              Remote req queued:  3
      Local window:      5              Remote window:      5
      DPD configured for 0 seconds, retry 0
      Fragmentation not  configured.
      Extended Authentication not configured.
      NAT-T is not detected
      Cisco Trust Security SGT is disabled
      Initiator of SA : No
      Remote subnets:
      10.23.1.11 255.255.255.255
      10.0.0.0 255.0.0.0

 IPv6 Crypto IKEv2  SA

Hub-155#ping 10.23.1.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.23.1.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms
===================================================================
HUB CONFIG
===================================================================
aaa new-model
aaa authorization network default local

!
crypto ikev2 authorization policy POC-AUTH-POL-01
 route set interface
 route set access-list POC-ROUTE-ACL-01
!
crypto ikev2 authorization policy FLEX-AUTH-POL-01
 route set interface
 route set access-list FLEX-ROUTE-ACL-01
!
crypto ikev2 proposal POC-PROP-01
 encryption aes-cbc-128
 integrity sha256
 group 19
!
crypto ikev2 policy POC-POL-01
 match fvrf any
 proposal POC-PROP-01
!
crypto ikev2 keyring POC-KEYS-01
 peer spoke
  description spoke.sig.dom
  address 1.1.1.2
  identity address 1.1.1.2
  pre-shared-key local cisco123
  pre-shared-key remote cisco123
 !
!
!
crypto ikev2 profile POC-IKEV2-PROFILE-01
 match identity remote address 0.0.0.0
 identity local address 1.1.1.1
 authentication remote pre-share
 authentication local pre-share
 keyring local POC-KEYS-01
 aaa authorization group psk list default FLEX-AUTH-POL-01
 virtual-template 23
!
!
!
crypto ipsec transform-set POC-IPSEC-TS-01 esp-aes esp-md5-hmac
 mode transport
!
crypto ipsec profile POC-IPSEC-PROF-01
 set transform-set POC-IPSEC-TS-01
 set ikev2-profile POC-IKEV2-PROFILE-01
!
!
interface Loopback23
 ip address 10.23.1.1 255.255.255.0
!
interface Ethernet0/0
 ip address 1.1.1.1 255.255.255.0
!
interface Virtual-Template23 type tunnel
 ip unnumbered Loopback23
 ip nhrp network-id 23
 ip nhrp redirect
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile POC-IPSEC-PROF-01
!
!
ip access-list standard POC-ROUTE-ACL-01
 permit any
ip access-list standard FLEX-ROUTE-ACL-01
 permit 10.0.0.0 0.255.255.255

 ===========================================================
 ============================================================
 spoke

version 15.5
aaa new-model

aaa authorization network default local
!

!
crypto ikev2 authorization policy FLEX-AUTH-POL-01
 route set interface
 route set access-list FLEX-ROUTE-ACL-01
!
crypto ikev2 proposal POC-PROP-01
 encryption aes-cbc-128
 integrity sha256
 group 19
!
crypto ikev2 policy POC-POL-01
 match fvrf any
 proposal POC-PROP-01
!
crypto ikev2 keyring POC-KEYS-01
 peer apacN
  description spoke.sig.dom
  address 1.1.1.1
  identity address 1.1.1.1
  pre-shared-key local cisco123
  pre-shared-key remote cisco123
 !
!
!
crypto ikev2 profile POC-IKEV2-PROFILE-01
 match identity remote address 0.0.0.0
 identity local address 1.1.1.2
 authentication remote pre-share
 authentication local pre-share
 keyring local POC-KEYS-01
 aaa authorization group psk list default FLEX-AUTH-POL-01
 virtual-template 23
!
crypto ikev2 client flexvpn POC-FLEX-CLIENT-01
  peer 1 1.1.1.1
  client connect Tunnel23
!
crypto ipsec transform-set POC-IPSEC-TS-01 esp-aes esp-md5-hmac
 mode transport
!
crypto ipsec profile POC-IPSEC-PROF-01
 set transform-set POC-IPSEC-TS-01
 set ikev2-profile POC-IKEV2-PROFILE-01
!

interface Loopback23
 ip address 10.23.1.11 255.255.255.0
!
interface Tunnel23
 ip unnumbered Loopback23
 ip nhrp network-id 23
 ip nhrp redirect
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile POC-IPSEC-PROF-01
!
interface Ethernet0/0
 ip address 1.1.1.2 255.255.255.0
!
ip access-list standard FLEX-ROUTE-ACL-01
 permit 10.0.0.0 0.255.255.255


 

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents