Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1685
Views
0
Helpful
1
Replies

FlexVPN not working

Go to solution
Difan Zhao
Level 5
Level 5

‎09-29-2018 05:16 PM - edited ‎02-21-2020 09:28 PM

I am just learning this technology. I started with a very simple topology however can't get it to work. I have R1 being the hub and R3 being the spoke. Their WAN interfaces are Gi0/1 and they are in the WAN VRF. The IPs are 1.1.1.1/24 on R1 and 1.1.1.3 on R3. 

--- R1 (hub) ---
crypto ikev2 profile test
 match fvrf WAN
 match address local interface GigabitEthernet0/1
 match identity remote any
 identity local address 1.1.1.1
 authentication local pre-share key cisco
 authentication remote pre-share key cisco
 virtual-template 1
!
crypto ipsec profile test
 set ikev2-profile test
!
interface Virtual-Template1 type tunnel
 ip address 10.0.1.1 255.255.255.0
 tunnel vrf WAN
 tunnel protection ipsec profile test

--- R3 (spoke) ---
crypto ikev2 profile test
 match fvrf WAN
 match address local interface GigabitEthernet0/1
 match identity remote address 1.1.1.1 255.255.255.255
 identity local address 1.1.1.3
 authentication local pre-share key cisco
 authentication remote pre-share key cisco
!
crypto ipsec profile test
 set ikev2-profile test
!
interface Tunnel1
 ip address 10.0.1.3 255.255.255.0
 tunnel source GigabitEthernet0/1
 tunnel destination 1.1.1.1
 tunnel vrf WAN
 tunnel protection ipsec profile test
!

Right now when I turn on Tu1 on R3, I see it brings up a virtual-access interface on R1 as well. However the issue is that I can't ping on the Tunnel IP (R3 can't ping 10.0.1.1 configured on R1). Where did I do wrong? Thanks!

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Difan Zhao
Level 5
Level 5

‎09-30-2018 01:58 PM

So if I change the hub side virtual-template 1 interface's "ip address" config to "ip unnumbered lo1", then it works. I still can't ping the Tunnel IP on the spoke side but EIGRP works. I guess I won't be able to assign IP directly to virtual-template interface, and I will have to use "ip unnumbered"...

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Difan Zhao
Level 5
Level 5

‎09-30-2018 01:58 PM

So if I change the hub side virtual-template 1 interface's "ip address" config to "ip unnumbered lo1", then it works. I still can't ping the Tunnel IP on the spoke side but EIGRP works. I guess I won't be able to assign IP directly to virtual-template interface, and I will have to use "ip unnumbered"...

0 Helpful
Customers Also Viewed These Support Documents