FlexVPN - No Route to tunnel

mhmservice
Level 1

Hi all

I have a problem with a basic hub and spoke FlexVPN configuration I have created. The config was based on a known working config from a virtual lab with Cisco CSR1000v, but it doesn't appear to work on physical hardware (Cisco 892FSP).

The tunnel comes up but I can't ping across the tunnel. I don't have any routes into the virtual-access interfaces on the hub, which I do see in my lab.

"show crypto ikev2 sa detail" on the hub is missing the "Remote subnets" data, which I think is the problem, but I'm unsure how to fix that:

SPOKE#show cry ikev2 sa detail
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         xxxx/500      xxxx/500      FVRF/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/884 sec
      CE id: 2027, Session-id: 2
      Status Description: Negotiation done
      Local spi: CA7B7BB446EC06AD       Remote spi: AB95C68725D297DF
      Local id: xxx
      Remote id: xxx
      Local req msg id:  2              Remote req msg id:  0
      Local next msg id: 2              Remote next msg id: 0
      Local req queued:  2              Remote req queued:  0
      Local window:      5              Remote window:      5
      DPD configured for 10 seconds, retry 2
      Fragmentation not  configured.
      Extended Authentication not configured.
      NAT-T is not detected
      Cisco Trust Security SGT is disabled
      Initiator of SA : Yes
      Pushed IP address: 10.100.240.42
      Remote subnets:
      10.100.240.1 255.255.255.255

 IPv6 Crypto IKEv2  SA

HUB#show crypto ikev2 sa detail
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         xxx/500      xxx/500      none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/842 sec
      CE id: 2027, Session-id: 27
      Status Description: Negotiation done
      Local spi: AB95C68725D297DF       Remote spi: CA7B7BB446EC06AD
      Local id: xxxx
      Remote id: xxxx
      Local req msg id:  0              Remote req msg id:  2
      Local next msg id: 0              Remote next msg id: 2
      Local req queued:  0              Remote req queued:  2
      Local window:      5              Remote window:      5
      DPD configured for 10 seconds, retry 2
      Fragmentation not  configured.
      Extended Authentication not configured.
      NAT-T is not detected
      Cisco Trust Security SGT is disabled
      Assigned host addr: 10.100.240.42
      Initiator of SA : No

 IPv6 Crypto IKEv2  SA

Here are my full configs; I've removed some public IPs/keys but hopefully it still makes sense.

!!! HUB CONFIG !!!

!
hostname HUB
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 xxxx
!
aaa new-model
!
!
aaa authorization network default local
aaa authorization network AUTHOR_LOCAL local
!
!
!
!
!
aaa session-id common
ethernet lmi ce
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!


!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C892FSP-K9 sn FCZ2048E0EL
!
!
username admin privilege 15 secret 5 xxxx
crypto ikev2 authorization policy default
 pool FLEXVPN_POOL
 netmask 255.255.252.0
 route set interface
!
!
!
!
crypto ikev2 profile default
 description *** FLEXVPN TO SPOKES ***
 match identity remote any
 authentication local pre-share key cisco
 authentication remote pre-share key cisco
 aaa authorization group psk list default default
 virtual-template 1 mode auto
!
crypto ikev2 dpd 10 2 on-demand
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 description Management
 ip address 10.100.1.11 255.255.255.255
!
interface Loopback1
 description FLEXVPN HUB IP
 ip address 10.100.240.1 255.255.252.0
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
 shutdown
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 description *** FlexVPN Outside ***
 ip address <PUBLIC IP> 255.255.255.248
 duplex auto
 speed auto
!
interface GigabitEthernet9
 description *** FlexVPN Inside ***
 ip address 10.100.3.1 255.255.255.0
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1
 ip mtu 1400
 ip nhrp network-id 1
 ip nhrp redirect timeout 3
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet8
 tunnel protection ipsec profile default
!
interface Vlan1
 no ip address
!
!
ip local pool FLEXVPN_POOL 10.100.240.16 10.100.243.200
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
!
!
ip tftp source-interface Loopback0
ip route 0.0.0.0 0.0.0.0 <PUBLIC GATEWAY> name OUTSIDE
ip route 10.0.0.0 255.0.0.0 10.100.3.254 name INSIDE_10
ip route 172.16.0.0 255.240.0.0 10.100.3.254 name INSIDE_172
ip route 192.168.0.0 255.255.0.0 10.100.3.254 name INSIDE_192
ip ssh version 2
!
!
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 0 0
 transport input ssh
!
scheduler allocate 20000 1000
!
end

!!! SPOKE CONFIG !!!

service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SPOKE
!
boot-start-marker
boot-end-marker
!
!
vrf definition FVRF
 !
 address-family ipv4
 exit-address-family
!
enable secret 5 xxxx
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
ethernet lmi ce
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!


!
!
!
!
no ip domain lookup
ip domain name LAB
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
domain LAB
!
!
!
!
!
!
!
!
username admin privilege 15 secret 5 xxxx
!
!
!
!
crypto ikev2 profile default
 description *** FLEXVPN TO HQ ***
 match fvrf FVRF
 match identity remote any
 authentication local pre-share key cisco
 authentication remote pre-share key cisco
 virtual-template 1
!
crypto ikev2 dpd 10 2 on-demand
!
!
!
!
!
!
crypto ipsec profile default
 no set ikev2-profile default
!
!
!
!
!
!
!
interface Loopback0
 ip address 10.200.0.1 255.255.255.255
!
interface Tunnel1
 description *** TO HQ FLEXVPN1 ***
 ip address negotiated
 ip mtu 1400
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect timeout 3
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet8
 tunnel destination <PUBLIC IP OF HUB>
 tunnel vrf FVRF
 tunnel protection ipsec profile default
!
interface GigabitEthernet0
 description *** TRUNK TO FIREWALL ***
 switchport mode trunk
 no ip address
!
interface GigabitEthernet1
 description *** FIREWALL MGMT PORT ***
 switchport access vlan 10
 no ip address
 spanning-tree portfast
!
interface GigabitEthernet2
 description *** TEST LAPTOP ***
 switchport access vlan 20
 no ip address
 spanning-tree portfast
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 description *** INET ***
 vrf forwarding FVRF
 ip address <PUBLIC IP> 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet9
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip mtu 1400
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect timeout 3
 ip tcp adjust-mss 1360
 tunnel vrf FVRF
 tunnel protection ipsec profile default
!
interface Vlan1
 no ip address
!
interface Vlan10
 description *** FIREWALL TO FLEXVPN WAN ***
 ip address 10.200.1.1 255.255.255.0
!
interface Vlan20
 description *** FIREWALL TO INET ***
 vrf forwarding FVRF
 ip address 10.200.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip tftp source-interface Loopback0
ip nat inside source route-map NAT_ISP1 interface GigabitEthernet8 vrf FVRF overload
ip route 10.200.0.0 255.255.0.0 10.200.1.2
ip route vrf FVRF 0.0.0.0 0.0.0.0 <PUBLIC GATEWAY IP>
ip route vrf FVRF 10.0.0.0 255.0.0.0 10.200.2.2
ip route vrf FVRF 172.16.0.0 255.240.0.0 10.200.2.2
ip route vrf FVRF 192.168.0.0 255.255.0.0 10.200.2.2
!
!
route-map NAT_ISP1 permit 10
 match ip address 100
 match interface GigabitEthernet8
!
access-list 100 permit ip 10.0.0.0 0.255.255.255 any
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 0 0
 transport input ssh
!
scheduler allocate 20000 1000
!
end
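Added example (not from the original post): a small Python parser for the "show crypto ikev2 sa detail" output shown above that reports SAs which came up READY but carry no "Remote subnets", the hub-side symptom described in the question. The sample outputs are constructed from the post's redacted output, with RFC 5737 addresses standing in for the public peer IPs.

```python
import re
# Constructed 'show crypto ikev2 sa detail' excerpts modelled on the post (RFC 5737 addresses
# replace the redacted peers): the spoke learned a remote subnet, the hub learned none.
SPOKE_SA = """\
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         198.51.100.2/500      203.0.113.1/500       FVRF/none            READY
      Pushed IP address: 10.100.240.42
      Remote subnets:
      10.100.240.1 255.255.255.255

 IPv6 Crypto IKEv2  SA
"""
HUB_SA = """\
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         203.0.113.1/500       198.51.100.2/500      none/none            READY
      Assigned host addr: 10.100.240.42

 IPv6 Crypto IKEv2  SA
"""
TUNNEL_RE = re.compile(r"^(\d+)\s+(\S+)/\d+\s+(\S+)/\d+\s+(\S+)\s+(\S+)\s*$")
SUBNET_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$")

def parse_ikev2_sa(text):
    """One dict per SA: peers, fvrf/ivrf, status and the 'Remote subnets' the peer pushed."""
    sas, current, in_subnets = [], None, False
    for line in text.splitlines():
        if m := TUNNEL_RE.match(line):                      # SA table row starts a new record
            current = {"id": int(m[1]), "local": m[2], "remote": m[3], "vrf": m[4],
                       "status": m[5], "remote_subnets": []}
            sas.append(current)
            in_subnets = False
        elif current is None:
            continue                                        # banner/header before the first SA
        elif line.strip() == "Remote subnets:":
            in_subnets = True
        elif in_subnets and (s := SUBNET_RE.match(line)):
            current["remote_subnets"].append(f"{s[1]} {s[2]}")   # "prefix mask", as IOS prints it
        else:
            in_subnets = False                              # any other line ends the subnet list
    return sas

def sas_without_routes(text):
    """IDs of READY SAs that received no remote subnets (the hub-side symptom in the post)."""
    return [sa["id"] for sa in parse_ikev2_sa(text)
            if sa["status"] == "READY" and not sa["remote_subnets"]]
```

Run it against the real hub and spoke output side by side: an SA listed by sas_without_routes on the hub but not on the spoke means the spoke never pushed a route, which is what the missing authorization policy causes.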
1 Reply

Hi,

You'll need to define an authorization policy and configure route set interface; this will send the tunnel IP address to the Hub.

aaa new-model
aaa authorization network default local

crypto ikev2 authorization policy default
 route set interface

crypto ikev2 profile default
 aaa authorization group psk list default default

HTH
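Added example (not the poster's or Cisco's code): a Python check that turns the reply's fix into a lint for a spoke configuration, confirming that an "aaa authorization network" list, an ikev2 authorization policy carrying "route set interface", and a profile line "aaa authorization group psk list" referencing both are all present and consistent. The excerpt is constructed from the spoke profile in the question; SPOKE_AFTER has the reply's additions applied and SPOKE_BEFORE is the same excerpt without them.

```python
import re
# Constructed spoke excerpt modelled on the post, with the reply's additions applied; BEFORE
# strips those additions again, leaving what the posted spoke profile looks like.
SPOKE_AFTER = """\
aaa new-model
aaa authorization network default local
crypto ikev2 authorization policy default
 route set interface
crypto ikev2 profile default
 match identity remote any
 aaa authorization group psk list default default
 virtual-template 1
"""
REPLY_ADDITIONS = ("aaa authorization network", "crypto ikev2 authorization policy",
                   " route set interface", " aaa authorization group psk list")
SPOKE_BEFORE = "\n".join(l for l in SPOKE_AFTER.splitlines() if not l.startswith(REPLY_ADDITIONS))

def parse_blocks(config):
    """Group an IOS config into {top-level command: [sub-commands]}; '!' and blank lines dropped."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.strip() and not raw.lstrip().startswith("!"):
            if raw.startswith(" ") and current:
                blocks[current].append(raw.strip())      # indented line belongs to current block
            elif not raw.startswith(" "):
                current = raw.strip()
                blocks.setdefault(current, [])
    return blocks

def lint_flexvpn_spoke(config):
    """Report what keeps the spoke from pushing its tunnel address to the hub (the reply's fix)."""
    blocks = parse_blocks(config)
    problems = ["aaa new-model missing"] if "aaa new-model" not in blocks else []
    aaa_lists = {m[1] for c in blocks if (m := re.match(r"aaa authorization network (\S+) local$", c))}
    policies = {m[1]: sub for c, sub in blocks.items()
                if (m := re.match(r"crypto ikev2 authorization policy (\S+)$", c))}
    problems += [f"policy {n}: 'route set interface' missing"
                 for n, sub in policies.items() if "route set interface" not in sub]
    for cmd, sub in blocks.items():
        if not cmd.startswith("crypto ikev2 profile "):
            continue
        refs = [m for s in sub if (m := re.match(r"aaa authorization group psk list (\S+) (\S+)$", s))]
        if not refs:
            problems.append(f"{cmd}: no 'aaa authorization group psk list <list> <policy>'")
        for r in refs:
            if r[1] not in aaa_lists:
                problems.append(f"{cmd}: AAA list '{r[1]}' has no 'aaa authorization network ... local'")
            if r[2] not in policies:
                problems.append(f"{cmd}: authorization policy '{r[2]}' is not defined")
    return problems
```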