06-19-2024 08:40 PM - edited 06-20-2024 11:55 AM
Dear All,
I have tried to configure FLEXVPN between the hub and spoke and I need to do it as a full-tunnel
Hub is a 3945E Router with 1GB fiber connection and Static IP~
The spoke is 819 4G Router using 4G LTE with a CGNAT IP (Dynamic IP)
I am trying to establish a Full Internet Tunnel between the Spoke and Hub
At the Spoke, I need the Internet traffic tunnelled back to the Hub
The hub is based in the UK with a static IP of 193.237.X.X and the spoke is a remote travelling location that needs to have the internet tunneled back to the UK
I have configured FLEXVPN between the Hub and Spoke. The VPN tunnel is up but I have the following problems.
1- No internet at the spoke, but when tracerouting or doing show ip route, the traffic is routed properly through the tunnel to the ISP. Also, when pinging 4.2.2.2 it does ping successfully via the hub.
2- Hosts at the spoke can't ping hosts at the hub; they can ping the VLAN gateway only, and vice versa from the hub to the spoke.
Here is my configuration below. What could be the problem???
HUB (3945E Router)
ip local pool SSLVPN_POOL 192.168.JJ.1 192.168.JJ.200 ----> ANY CONNECT Configuration
ip local pool DSL_ACCESSLIST 142.202.YY.51 142.202.YY.99
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
crypto ikev2 keyring KEYRING
peer ANY-PEER
address 0.0.0.0 0.0.0.0
pre-shared-key local cisco1234
pre-shared-key remote cisco1234
!
!
!
crypto ikev2 profile IKEV2_PROFILE
match identity remote fqdn domain lab.net
identity local fqdn R1.lab.net
authentication remote pre-share
authentication local pre-share
keyring local KEYRING
virtual-template 2
crypto ipsec profile IPSEC_PROFILE
set ikev2-profile IKEV2_PROFILE
interface Loopback0
ip address 10.10.10.10 255.255.255.255
ip ospf network point-to-point
!
interface Loopback1
ip address 172.16.0.1 255.255.255.255
!
interface Loopback3
ip address 10.1.0.1 255.255.255.0
!
interface Loopback4
ip address 10.1.1.1 255.255.255.0
ip access-list extended DSL_ACCESSLIST
permit ip 142.202.YY.0 0.0.0.255 any
permit ip 192.168.20.0 0.0.0.255 any
permit ip 142.202.ZZ.0 0.0.0.255 any
permit ip 192.168.100.0 0.0.0.255 any
ip prefix-list REDIST_STATIC permit 0.0.0.0/0
route-map REDIST_STATIC permit 10
match ip address prefix-list REDIST_STATIC
router eigrp 1
redistribute static route-map REDIST_STATIC
network 10.1.0.0 0.0.255.255
network 142.202.0.0
network 172.16.0.0
network 192.168.100.0
permit ip 192.168.10.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.100.0 0.0.0.255 any
permit ip any any
!
!
nls resp-timeout 1
cpd cr-id 1
!
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 142.202.0.0 0.0.255.255
access-list 1 permit any
ip nat inside source list DSL_ACCESSLIST interface Dialer1 overload
interface Virtual-Template2 type tunnel
ip unnumbered Loopback1
ip nat inside
ip virtual-reassembly in
tunnel source Dialer1
tunnel protection ipsec profile IPSEC_PROFILE
-----------------------------------------------------
SPOKE
ip dhcp pool Data
import all
network 192.168.100.0 255.255.255.0
dns-server 193.237.XXX.XXX 8.8.8.8
default-router 192.168.100.XXX
router eigrp 1
network 10.3.0.0 0.0.255.255
network 142.202.0.0
network 172.16.0.0
network 192.168.100.0
ip route 193.237.XXX.XXX 255.255.255.255 Cellular0
!
!
interface Tunnel1
ip unnumbered Loopback1
ip virtual-reassembly in
tunnel source Cellular0
tunnel destination 193.237.xxx.xxx
tunnel protection ipsec profile IPSEC_PROFILE
------------------
SPOKE#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 172.16.0.1 to network 0.0.0.0
D*EX 0.0.0.0/0 [170/27392000] via 172.16.0.1, 00:04:49, Tunnel1
10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
D 10.1.0.0/24 [90/27008000] via 172.16.0.1, 12:01:58, Tunnel1
D 10.1.1.0/24 [90/27008000] via 172.16.0.1, 12:01:58, Tunnel1
C 10.3.0.0/24 is directly connected, Loopback2
L 10.3.0.1/32 is directly connected, Loopback2
C 10.3.1.0/24 is directly connected, Loopback3
L 10.3.1.1/32 is directly connected, Loopback3
C 10.37.134.146/32 is directly connected, Cellular0
142.202.0.0/24 is subnetted, 2 subnets
D 142.202.YY.0 [90/26880256] via 172.16.0.1, 12:01:58, Tunnel1
D 142.202.ZZ.0 [90/26880256] via 172.16.0.1, 12:01:58, Tunnel1
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.16.0.0/24 is directly connected, Loopback1
D 172.16.0.1/32 [90/27008000] via 172.16.0.1, 12:01:58, Tunnel1
L 172.16.0.2/32 is directly connected, Loopback1
192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.100.0/24 is directly connected, Vlan1
L 192.168.100.253/32 is directly connected, Vlan1
193.237.XXX.0/32 is subnetted, 1 subnets
S 193.237.XXX.XXX is directly connected, Cellular0
Spoke#
NOW WHAT COULD BE THE PROBLEM PLEASE?
06-22-2024 09:17 PM - edited 06-25-2024 02:15 PM
It could be a NAT issue.
For hub to client, make sure the NAT access-list has a deny at the top for any RFC 1918 to RFC 1918 address.
Example:
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
ip access-list extended DSL_ACCESSLIST
permit ip 142.202.YY.0 0.0.0.255 any
permit ip 192.168.20.0 0.0.0.255 any
permit ip 142.202.ZZ.0 0.0.0.255 any
permit ip 192.168.100.0 0.0.0.255 any
For internet traffic from the spoke, check if the traffic is getting NATed to the dialer interface:
show ip nat translation
My guess is it is not.
Double-check the ACL is matching for the spoke subnets.
06-23-2024 02:47 PM
@ccieexpert Thanks a lot for your post. Yes, you are right, it seems a NATting issue, but I still don't get how to resolve it. You mentioned that in the Hub I should
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
You also mentioned "
What does this statement do? Also, which IP should be denied?
The spoke internal network is 192.168.100.X
The hub internal Networks
permit ip 142.202.YY.0 0.0.0.255 any
permit ip 142.202.ZZ.0 0.0.0.255 any
You also mentioned "for internet traffic from spoke.. check if the traffic is getting NATed to the dialer interface".
So do you mean that at the Hub Dialer interface I should overload the Spoke network 192.168.100.X? This is done already.
You probably need to elaborate further on the deny statement, please.
06-25-2024 02:36 PM
Hi,
Put deny entries at the top for hub to spoke traffic on the hub NAT ACL:
permit ip 142.202.YY.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 142.202.ZZ.0 0.0.0.255 192.168.0.0 0.0.255.255
For spoke to internet, check whether the NAT translations are happening: show ip nat translation
Run a continuous ping from the spoke to the internet using the source 192.168.100.x from the inside interface.
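The ordering point made in the two replies above, as an added example that is not part of either post: a small first-match evaluator for a Cisco-style extended ACL used as an "ip nat inside source list". It models ACL ordering only, not the inside/outside interface direction of the NAT rule, and it stands in for the hub's redacted YY/ZZ octets with the constructed values 10 and 20.

```python
import ipaddress

# Added example, not code from the thread. Evaluates a Cisco-style extended ACL in
# first-match order, as "ip nat inside source list" does; the hub's public octets
# are redacted as YY/ZZ on the page, so 10 and 20 below are constructed stand-ins.

def _addr(tok, i):
    """Parse 'any' or 'A.B.C.D WILDCARD' at tok[i]; return (net, wildcard, next_i)."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    net = int(ipaddress.IPv4Address(tok[i]))
    wildcard = int(ipaddress.IPv4Address(tok[i + 1]))
    return net, wildcard, i + 2

def parse_acl(text):
    """Return [(action, src_net, src_wc, dst_net, dst_wc)] for each 'permit|deny ip' line."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) >= 4 and tok[0] in ("permit", "deny") and tok[1] == "ip":
            src, src_wc, i = _addr(tok, 2)
            dst, dst_wc, _ = _addr(tok, i)
            entries.append((tok[0], src, src_wc, dst, dst_wc))
    return entries

def _match(addr, net, wildcard):
    # Cisco wildcard semantics: a 1 bit in the mask means "don't care".
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)

def would_be_natted(acl, src, dst):
    """First matching entry decides; no match hits the implicit deny (no translation)."""
    for action, snet, swc, dnet, dwc in acl:
        if _match(src, snet, swc) and _match(dst, dnet, dwc):
            return action == "permit"
    return False

AS_POSTED = """
 permit ip 142.202.10.0 0.0.0.255 any
 permit ip 192.168.20.0 0.0.0.255 any
 permit ip 142.202.20.0 0.0.0.255 any
 permit ip 192.168.100.0 0.0.0.255 any
"""
# Hub-to-spoke exemptions from the replies, prepended so they are evaluated first.
WITH_DENY = """
 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 deny ip 142.202.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny ip 142.202.20.0 0.0.0.255 192.168.0.0 0.0.255.255
""" + AS_POSTED
```

With the list as posted, a hub LAN host talking to the spoke LAN hits the first "permit ... any" and is a candidate for translation; with the deny entries on top it is exempted while spoke-to-Internet traffic still matches its permit.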
06-25-2024 03:21 PM - edited 06-26-2024 01:58 AM
I see your post and remember your previous one.
I did a lot of searching in past months.
I think I found a solution but I'm not so sure; anyway, let me share what I got with you.
In the Hub and spoke add the commands below.
Global:
username <> privilege 15 password <>
enable password <>
aaa new-model
!
aaa authorization network default local
!
crypto ikev2 authorization policy default
route set interface
NOTE:- When you add aaa new-model, please don't write (wr) the config until you are sure that you can access the router; after adding the command, try to access the router, and if you cannot, reload the router to return to the point before adding this command.
In the Hub add the commands below
under interface virtual-template <> type tunnel:
ip nhrp network-id 100
ip nhrp redirect
In the Spoke add the commands below
under interface tunnel <>:
ip nhrp network-id 100
ip nhrp shortcut
Hope this time it works.
If you have any questions about the aaa new-model command, please ask.
Good luck, friend.
MHM