05-01-2019 04:24 AM - edited 02-21-2020 09:37 PM
Hi all
I have a problem with a basic hub-and-spoke FlexVPN configuration I have created. The config was based on a known working config from a virtual lab with Cisco CSR1000v, but it doesn't appear to work on physical hardware (Cisco 892FSP).
The tunnel comes up but I can't ping across the tunnel. I don't have any routes into the virtual-access interfaces on the hub, which I do see in my lab.
"show crypto ikev2 sa detail" on the hub is missing the "remote subnets" data, which I think is the problem, but I'm unsure how to fix that:
SPOKE#show cry ikev2 sa detail
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 xxxx/500 xxxx/500 FVRF/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/884 sec
CE id: 2027, Session-id: 2
Status Description: Negotiation done
Local spi: CA7B7BB446EC06AD Remote spi: AB95C68725D297DF
Local id: xxx
Remote id: xxx
Local req msg id: 2 Remote req msg id: 0
Local next msg id: 2 Remote next msg id: 0
Local req queued: 2 Remote req queued: 0
Local window: 5 Remote window: 5
DPD configured for 10 seconds, retry 2
Fragmentation not configured.
Extended Authentication not configured.
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : Yes
Pushed IP address: 10.100.240.42
Remote subnets:
10.100.240.1 255.255.255.255
IPv6 Crypto IKEv2 SA
HUB#show crypto ikev2 sa detail
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 xxx/500 xxx/500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/842 sec
CE id: 2027, Session-id: 27
Status Description: Negotiation done
Local spi: AB95C68725D297DF Remote spi: CA7B7BB446EC06AD
Local id: xxxx
Remote id: xxxx
Local req msg id: 0 Remote req msg id: 2
Local next msg id: 0 Remote next msg id: 2
Local req queued: 0 Remote req queued: 2
Local window: 5 Remote window: 5
DPD configured for 10 seconds, retry 2
Fragmentation not configured.
Extended Authentication not configured.
NAT-T is not detected
Cisco Trust Security SGT is disabled
Assigned host addr: 10.100.240.42
Initiator of SA : No
IPv6 Crypto IKEv2 SA
Here are my full configs; I've removed some public IPs/keys, but hopefully it still makes sense.
!!! HUB CONFIG !!!
!
hostname HUB
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxx
!
aaa new-model
!
aaa authorization network default local
aaa authorization network AUTHOR_LOCAL local
!
aaa session-id common
ethernet lmi ce
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid C892FSP-K9 sn FCZ2048E0EL
!
username admin privilege 15 secret 5 xxxx
crypto ikev2 authorization policy default
 pool FLEXVPN_POOL
 netmask 255.255.252.0
 route set interface
!
crypto ikev2 profile default
 description *** FLEXVPN TO SPOKES ***
 match identity remote any
 authentication local pre-share key cisco
 authentication remote pre-share key cisco
 aaa authorization group psk list default default
 virtual-template 1 mode auto
!
crypto ikev2 dpd 10 2 on-demand
!
interface Loopback0
 description Management
 ip address 10.100.1.11 255.255.255.255
!
interface Loopback1
 description FLEXVPN HUB IP
 ip address 10.100.240.1 255.255.252.0
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
 shutdown
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 description *** FlexVPN Outside ***
 ip address <PUBLIC IP> 255.255.255.248
 duplex auto
 speed auto
!
interface GigabitEthernet9
 description *** FlexVPN Inside ***
 ip address 10.100.3.1 255.255.255.0
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1
 ip mtu 1400
 ip nhrp network-id 1
 ip nhrp redirect timeout 3
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet8
 tunnel protection ipsec profile default
!
interface Vlan1
 no ip address
!
ip local pool FLEXVPN_POOL 10.100.240.16 10.100.243.200
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
!
ip tftp source-interface Loopback0
ip route 0.0.0.0 0.0.0.0 <PUBLIC GATEWAY> name OUTSIDE
ip route 10.0.0.0 255.0.0.0 10.100.3.254 name INSIDE_10
ip route 172.16.0.0 255.240.0.0 10.100.3.254 name INSIDE_172
ip route 192.168.0.0 255.255.0.0 10.100.3.254 name INSIDE_192
ip ssh version 2
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
 exec-timeout 0 0
 logging synchronous
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 0 0
 transport input ssh
!
scheduler allocate 20000 1000
!
end

!!! SPOKE CONFIG !!!
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SPOKE
!
boot-start-marker
boot-end-marker
!
vrf definition FVRF
 !
 address-family ipv4
 exit-address-family
!
enable secret 5 xxxx
!
aaa new-model
!
aaa session-id common
ethernet lmi ce
!
no ip domain lookup
ip domain name LAB
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
domain LAB
!
username admin privilege 15 secret 5 xxxx
!
crypto ikev2 profile default
 description *** FLEXVPN TO HQ ***
 match fvrf FVRF
 match identity remote any
 authentication local pre-share key cisco
 authentication remote pre-share key cisco
 virtual-template 1
!
crypto ikev2 dpd 10 2 on-demand
!
crypto ipsec profile default
 no set ikev2-profile default
!
interface Loopback0
 ip address 10.200.0.1 255.255.255.255
!
interface Tunnel1
 description *** TO HQ FLEXVPN1 ***
 ip address negotiated
 ip mtu 1400
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect timeout 3
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet8
 tunnel destination <PUBLIC IP OF HUB>
 tunnel vrf FVRF
 tunnel protection ipsec profile default
!
interface GigabitEthernet0
 description *** TRUNK TO FIREWALL ***
 switchport mode trunk
 no ip address
!
interface GigabitEthernet1
 description *** FIREWALL MGMT PORT ***
 switchport access vlan 10
 no ip address
 spanning-tree portfast
!
interface GigabitEthernet2
 description *** TEST LAPTOP ***
 switchport access vlan 20
 no ip address
 spanning-tree portfast
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 description *** INET ***
 vrf forwarding FVRF
 ip address <PUBLIC IP> 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet9
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip mtu 1400
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect timeout 3
 ip tcp adjust-mss 1360
 tunnel vrf FVRF
 tunnel protection ipsec profile default
!
interface Vlan1
 no ip address
!
interface Vlan10
 description *** FIREWALL TO FLEXVPN WAN ***
 ip address 10.200.1.1 255.255.255.0
!
interface Vlan20
 description *** FIREWALL TO INET ***
 vrf forwarding FVRF
 ip address 10.200.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip tftp source-interface Loopback0
ip nat inside source route-map NAT_ISP1 interface GigabitEthernet8 vrf FVRF overload
ip route 10.200.0.0 255.255.0.0 10.200.1.2
ip route vrf FVRF 0.0.0.0 0.0.0.0 <PUBLIC GATEWAY IP>
ip route vrf FVRF 10.0.0.0 255.0.0.0 10.200.2.2
ip route vrf FVRF 172.16.0.0 255.240.0.0 10.200.2.2
ip route vrf FVRF 192.168.0.0 255.255.0.0 10.200.2.2
!
route-map NAT_ISP1 permit 10
 match ip address 100
 match interface GigabitEthernet8
!
access-list 100 permit ip 10.0.0.0 0.255.255.255 any
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
 exec-timeout 0 0
 logging synchronous
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 0 0
 transport input ssh
!
scheduler allocate 20000 1000
!
end
05-01-2019 04:34 AM
Hi,
You'll need to define an authorization policy and configure route set interface; this will send the tunnel IP address to the Hub.
aaa new-model
aaa authorization network default local
crypto ikev2 authorization policy default
route set interface
crypto ikev2 profile default
aaa authorization group psk list default default
HTH
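A quick way to verify the fix above on either side, as an added example that is not from the thread: this Python parses "show crypto ikev2 sa detail" output and lists the SAs whose peer advertised no "Remote subnets", the field the hub output in the question is missing. The sample outputs are constructed from the fields quoted in the post; the peer addresses are placeholders.

```python
import re

# Added example, not from the thread: parse 'show crypto ikev2 sa detail' and flag SAs lacking "Remote subnets".
SA_LINE = re.compile(r"^\s*(\d+)\s+(\S+)/\d+\s+(\S+)/\d+\s+(\S+)\s+(\S+)\s*$")
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
SUBNET_LINE = re.compile(rf"^\s*({IP}\s+{IP})\s*$")  # e.g. "10.100.240.1 255.255.255.255"

def parse_ikev2_sa_detail(text):
    """One dict per SA: tunnel id, peers, status, pushed/assigned address, remote subnets."""
    sas, cur, in_subnets = [], None, False
    for raw in text.splitlines():
        m = SA_LINE.match(raw)
        if m:  # row of a new SA, e.g. "1  a.b.c.d/500  w.x.y.z/500  none/none  READY"
            cur = {"id": int(m.group(1)), "local": m.group(2), "remote": m.group(3), "vrf": m.group(4),
                   "status": m.group(5), "address": None, "remote_subnets": []}
            sas.append(cur)
            in_subnets = False
            continue
        if cur is None:  # header text before the first SA row
            continue
        line = raw.strip()
        if line.startswith("Remote subnets:"):
            in_subnets = True  # IOS prints each "ip mask" on the lines that follow
            continue
        if in_subnets and (sub := SUBNET_LINE.match(line)):
            cur["remote_subnets"].append(sub.group(1))
            continue
        in_subnets = False
        for key in ("Pushed IP address:", "Assigned host addr:"):
            if line.startswith(key):
                cur["address"] = line.split(":", 1)[1].strip()
    return sas

def missing_route_exchange(text):
    """Tunnel ids of READY SAs for which the peer sent no remote subnets."""
    return [sa["id"] for sa in parse_ikev2_sa_detail(text)
            if sa["status"] == "READY" and not sa["remote_subnets"]]

# Constructed sample output (fields as quoted in the thread; peer IPs are placeholders).
HUB_OUTPUT = """ IPv4 Crypto IKEv2  SA
Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         192.0.2.1/500         198.51.100.7/500      none/none            READY
      Life/Active Time: 86400/842 sec
      Assigned host addr: 10.100.240.42
 IPv6 Crypto IKEv2  SA
"""
# Spoke side of the same SA: it did receive the hub's tunnel address as a remote subnet.
SPOKE_OUTPUT = HUB_OUTPUT.replace("Assigned host addr: 10.100.240.42",
    "Pushed IP address: 10.100.240.42\n      Remote subnets:\n      10.100.240.1 255.255.255.255")
```

Run it against the real output of both routers after adding the authorization policy; an empty list on the hub means the spoke's tunnel address is now being advertised.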