FLEXVPN Site-to-Site VPN Full Tunnel with One Static IP Peer

heshamcentrino1
Spotlight


Dear All,

I have tried to configure FLEXVPN between the hub and spoke, and I need it to work as a full tunnel.

The hub is a 3945E router with a 1GB fiber connection and a static IP.
The spoke is an 819 4G router using 4G LTE with a CGNAT IP (dynamic IP).

I am trying to establish a Full Internet Tunnel between the Spoke and Hub

At the Spoke, I need the Internet traffic tunnelled back to the Hub 

The hub is based in the UK with a static IP of 193.237.X.X and the spoke is a remote travelling location that needs to have the internet tunneled back to the UK

I have configured FLEXVPN between the Hub and Spoke. The VPN tunnel is up but I have the following problems.

1- No internet at the spoke, but when tracerouting or running show ip route, the traffic is routed properly through the tunnel to the ISP. Also, pinging 4.2.2.2 succeeds via the hub.

2- Hosts at the spoke can't ping hosts at the hub; they can only ping the VLAN gateway, and the same applies from the hub to the spoke.

Here is my configuration below. What could be the problem?

HUB (3945E Router)

ip local pool SSLVPN_POOL 192.168.JJ.1 192.168.JJ.200 ----> ANY CONNECT Configuration
ip local pool DSL_ACCESSLIST 142.202.YY.51 142.202.YY.99
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1

crypto ikev2 keyring KEYRING
peer ANY-PEER
address 0.0.0.0 0.0.0.0
pre-shared-key local cisco1234
pre-shared-key remote cisco1234
!
!
!
crypto ikev2 profile IKEV2_PROFILE
match identity remote fqdn domain lab.net
identity local fqdn R1.lab.net
authentication remote pre-share
authentication local pre-share
keyring local KEYRING
virtual-template 2

crypto ipsec profile IPSEC_PROFILE
set ikev2-profile IKEV2_PROFILE


interface Loopback0
ip address 10.10.10.10 255.255.255.255
ip ospf network point-to-point
!
interface Loopback1
ip address 172.16.0.1 255.255.255.255
!
interface Loopback3
ip address 10.1.0.1 255.255.255.0
!
interface Loopback4
ip address 10.1.1.1 255.255.255.0

ip access-list extended DSL_ACCESSLIST
permit ip 142.202.YY.0 0.0.0.255 any
permit ip 192.168.20.0 0.0.0.255 any
permit ip 142.202.ZZ.0 0.0.0.255 any
permit ip 192.168.100.0 0.0.0.255 any

ip prefix-list REDIST_STATIC permit 0.0.0.0/0

route-map REDIST_STATIC permit 10

match ip add prefix REDIST_STATIC

router eigrp 1
redistribute static route-map REDIST_STATIC
network 10.1.0.0 0.0.255.255
network 142.202.0.0
network 172.16.0.0
network 192.168.100.0
permit ip 192.168.10.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.100.0 0.0.0.255 any
permit ip any any
!
!
nls resp-timeout 1
cpd cr-id 1
!
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 142.202.0.0 0.0.255.255
access-list 1 permit any

ip nat inside source list DSL_ACCESSLIST interface Dialer1 overload

interface Virtual-Template2 type tunnel
ip unnumbered Loopback1
ip nat inside
ip virtual-reassembly in
tunnel source Dialer1
tunnel protection ipsec profile IPSEC_PROFILE

-----------------------------------------------------

SPOKE

ip dhcp pool Data
import all
network 192.168.100.0 255.255.255.0
dns-server 193.237.XXX.XXX 8.8.8.8
default-router 192.168.100.XXX

router eigrp 1
network 10.3.0.0 0.0.255.255
network 142.202.0.0
network 172.16.0.0
network 192.168.100.0

ip route 193.237.XXX.XXX 255.255.255.255 Cellular0
!

!
interface Tunnel1
ip unnumbered Loopback1
ip virtual-reassembly in
tunnel source Cellular0
tunnel destination 193.237.xxx.xxx
tunnel protection ipsec profile IPSEC_PROFILE

------------------

SPOKE#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 172.16.0.1 to network 0.0.0.0

D*EX 0.0.0.0/0 [170/27392000] via 172.16.0.1, 00:04:49, Tunnel1
10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
D 10.1.0.0/24 [90/27008000] via 172.16.0.1, 12:01:58, Tunnel1
D 10.1.1.0/24 [90/27008000] via 172.16.0.1, 12:01:58, Tunnel1
C 10.3.0.0/24 is directly connected, Loopback2
L 10.3.0.1/32 is directly connected, Loopback2
C 10.3.1.0/24 is directly connected, Loopback3
L 10.3.1.1/32 is directly connected, Loopback3
C 10.37.134.146/32 is directly connected, Cellular0
142.202.0.0/24 is subnetted, 2 subnets
D 142.202.YY.0 [90/26880256] via 172.16.0.1, 12:01:58, Tunnel1
D 142.202.ZZ.0 [90/26880256] via 172.16.0.1, 12:01:58, Tunnel1
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.16.0.0/24 is directly connected, Loopback1
D 172.16.0.1/32 [90/27008000] via 172.16.0.1, 12:01:58, Tunnel1
L 172.16.0.2/32 is directly connected, Loopback1
192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.100.0/24 is directly connected, Vlan1
L 192.168.100.253/32 is directly connected, Vlan1
193.237.XXX.0/32 is subnetted, 1 subnets
S 193.237.XXX.XXX is directly connected, Cellular0
Spoke#

NOW WHAT COULD BE THE PROBLEM PLEASE?

4 Replies

ccieexpert
Level 1

It could be a NAT issue.

For hub to client, make sure the NAT access-list has a deny at the top for any RFC 1918 to RFC 1918 address.

Example:

deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

ip access-list extended DSL_ACCESSLIST
permit ip 142.202.YY.0 0.0.0.255 any
permit ip 192.168.20.0 0.0.0.255 any
permit ip 142.202.ZZ.0 0.0.0.255 any
permit ip 192.168.100.0 0.0.0.255 any

For internet traffic from the spoke, check if the traffic is getting NATed to the dialer interface:

show ip nat translation

My guess is that it is not.

Double-check that the ACL is matching the spoke subnets.

@ccieexpert Thanks a lot for your post. Yes, you are right, it seems to be a NATting issue, but I still don't get how to resolve it. You mentioned that in the hub I should
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

You also mentioned "

What does this statement do? Also, which IP should I deny?

The spoke internal network is 192.168.100.X
The hub internal networks:

permit ip 142.202.YY.0 0.0.0.255 any
permit ip 142.202.ZZ.0 0.0.0.255 any

You also mentioned "for internet traffic from spoke.. check if the traffic is getting NATed to the dialer interface"

So do you mean at the hub Dialer interface I should overload the spoke network 192.168.100.X? This is done already.

You probably need to elaborate further on the deny statement, please.


ccieexpert
Level 1

Hi,

Put deny entries at the top for hub-to-spoke traffic on the hub NAT ACL:

permit ip 142.202.YY.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 142.202.ZZ.0 0.0.0.255 192.168.0.0 0.0.255.255

For spoke to internet, check whether the NAT translations are happening: show ip nat translation

Run a continuous ping from the spoke to the internet using the source 192.168.100.x from the inside interface.


I see your post and remember your previous one.
I did a lot of searching in past months.
I think I found a solution but I'm not so sure; anyway, let me share what I got with you.
In the hub and spoke, add the commands below:
global 
username <> privilege 15 password <> 
enable password <> 
aaa new-model 
!
aaa authorization network default local 
!
crypto  ikev2 authorization policy default 
route set interface 

NOTE: when you add aaa new-model, please don't write (wr) the config until you are sure that you can still access the router. After adding the command, try to access the router; if you cannot, reload the router to return to the point before you added this command.

In the hub, add the following under interface virtual-template <> type tunnel:
ip nhrp network-id 100
ip nhrp redirect 

In the spoke, add the following under interface tunnel <>:
ip nhrp network-id 100
ip nhrp shortcut 

Hope it works this time.
If you have any question about the aaa new-model command, please ask.

Good luck, friend.

MHM