FLEXVPN Site-to-Site VPN Full Tunnel with One Static IP Peer

heshamcentrino1
Spotlight

Dear All,

I have tried to configure FLEXVPN between the hub and spoke, and I need to do it as a full tunnel.

The hub is a 3945E router with a 1 GB fibre connection and a static IP.
The spoke is an 819 4G router using 4G LTE with a CGNAT IP (dynamic IP).

I am trying to establish a Full Internet Tunnel between the Spoke and Hub

At the Spoke, I need the Internet traffic tunnelled back to the Hub 

The hub is based in the UK with a static IP of 193.237.X.X and the spoke is a remote travelling location that needs to have the internet tunneled back to the UK

I have configured FLEXVPN between the Hub and Spoke. The VPN tunnel is up but I have the following problems.

1- No internet at the spoke, but when running traceroute or show ip route, the traffic is routed properly through the tunnel to the ISP. Also, when pinging 4.2.2.2, it does ping successfully via the hub.

2- Hosts at the spoke can't ping hosts at the hub; they can only ping the VLAN gateway, and vice versa from the hub to the spoke.

Here is my configuration below. What could be the problem?

HUB (3945E Router)

ip local pool SSLVPN_POOL 192.168.JJ.1 192.168.JJ.200 ----> ANY CONNECT Configuration
ip local pool DSL_ACCESSLIST 142.202.YY.51 142.202.YY.99
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1

crypto ikev2 keyring KEYRING
peer ANY-PEER
address 0.0.0.0 0.0.0.0
pre-shared-key local cisco1234
pre-shared-key remote cisco1234
!
!
!
crypto ikev2 profile IKEV2_PROFILE
match identity remote fqdn domain lab.net
identity local fqdn R1.lab.net
authentication remote pre-share
authentication local pre-share
keyring local KEYRING
virtual-template 2

crypto ipsec profile IPSEC_PROFILE
set ikev2-profile IKEV2_PROFILE


interface Loopback0
ip address 10.10.10.10 255.255.255.255
ip ospf network point-to-point
!
interface Loopback1
ip address 172.16.0.1 255.255.255.255
!
interface Loopback3
ip address 10.1.0.1 255.255.255.0
!
interface Loopback4
ip address 10.1.1.1 255.255.255.0

ip access-list extended DSL_ACCESSLIST
permit ip 142.202.YY.0 0.0.0.255 any
permit ip 192.168.20.0 0.0.0.255 any
permit ip 142.202.ZZ.0 0.0.0.255 any
permit ip 192.168.100.0 0.0.0.255 any

ip prefix-list REDIST_STATIC permit 0.0.0.0/0

route-map REDIST_STATIC permit 10

match ip add prefix REDIST_STATIC

router eigrp 1
redistribute static route-map REDIST_STATIC
network 10.1.0.0 0.0.255.255
network 142.202.0.0
network 172.16.0.0
network 192.168.100.0
permit ip 192.168.10.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.100.0 0.0.0.255 any
permit ip any any
!
!
nls resp-timeout 1
cpd cr-id 1
!
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 142.202.0.0 0.0.255.255
access-list 1 permit any

ip nat inside source list DSL_ACCESSLIST interface Dialer1 overload

interface Virtual-Template2 type tunnel
ip unnumbered Loopback1
ip nat inside
ip virtual-reassembly in
tunnel source Dialer1
tunnel protection ipsec profile IPSEC_PROFILE

-----------------------------------------------------

SPOKE

ip dhcp pool Data
import all
network 192.168.100.0 255.255.255.0
dns-server 193.237.XXX.XXX 8.8.8.8
default-router 192.168.100.XXX

router eigrp 1
network 10.3.0.0 0.0.255.255
network 142.202.0.0
network 172.16.0.0
network 192.168.100.0

ip route 193.237.XXX.XXX 255.255.255.255 Cellular0
!

!
interface Tunnel1
ip unnumbered Loopback1
ip virtual-reassembly in
tunnel source Cellular0
tunnel destination 193.237.xxx.xxx
tunnel protection ipsec profile IPSEC_PROFILE

------------------

SPOKE#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 172.16.0.1 to network 0.0.0.0

D*EX 0.0.0.0/0 [170/27392000] via 172.16.0.1, 00:04:49, Tunnel1
10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
D 10.1.0.0/24 [90/27008000] via 172.16.0.1, 12:01:58, Tunnel1
D 10.1.1.0/24 [90/27008000] via 172.16.0.1, 12:01:58, Tunnel1
C 10.3.0.0/24 is directly connected, Loopback2
L 10.3.0.1/32 is directly connected, Loopback2
C 10.3.1.0/24 is directly connected, Loopback3
L 10.3.1.1/32 is directly connected, Loopback3
C 10.37.134.146/32 is directly connected, Cellular0
142.202.0.0/24 is subnetted, 2 subnets
D 142.202.YY.0 [90/26880256] via 172.16.0.1, 12:01:58, Tunnel1
D 142.202.ZZ.0 [90/26880256] via 172.16.0.1, 12:01:58, Tunnel1
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.16.0.0/24 is directly connected, Loopback1
D 172.16.0.1/32 [90/27008000] via 172.16.0.1, 12:01:58, Tunnel1
L 172.16.0.2/32 is directly connected, Loopback1
192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.100.0/24 is directly connected, Vlan1
L 192.168.100.253/32 is directly connected, Vlan1
193.237.XXX.0/32 is subnetted, 1 subnets
S 193.237.XXX.XXX is directly connected, Cellular0
Spoke#


NOW WHAT COULD BE THE PROBLEM PLEASE?

5 Replies

ccieexpert
Level 1

It could be a NAT issue.

For hub to client, make sure the NAT access-list has a deny at the top for any RFC 1918 to RFC 1918 address.

example

deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255


ip access-list extended DSL_ACCESSLIST
permit ip 142.202.YY.0 0.0.0.255 any
permit ip 192.168.20.0 0.0.0.255 any
permit ip 142.202.ZZ.0 0.0.0.255 any
permit ip 192.168.100.0 0.0.0.255 any

For internet traffic from the spoke, check if the traffic is getting NATed to the dialer interface:

show ip nat translation

My guess is it is not.

Double-check that the ACL is matching the spoke subnets.

@ccieexpert Thanks a lot for your post. Yes, you are right, it seems to be a NATting issue, but I still don't get how to resolve it. You mentioned that in the Hub I should
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

You also mentioned "

What does this statement do? Also, which IP should be denied?

The spoke internal network is 192.168.100.X
The hub internal Networks 

permit ip 142.202.YY.0 0.0.0.255 any
permit ip 142.202.ZZ.0 0.0.0.255 any

You have mentioned also "for internet traffic from spoke.. check if the traffic is getting NATed to the dialer interface"

So do you mean that at the Hub Dialer interface I should overload the Spoke network 192.168.100.X? This is done already.

You probably need to elaborate further on the deny statement, please.


ccieexpert
Level 1

Hi,

Put deny entries at the top for hub-to-spoke traffic on the hub NAT ACL:

permit ip 142.202.YY.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 142.202.ZZ.0 0.0.0.255 192.168.0.0 0.0.255.255


For spoke to internet, check that the NAT translations are happening: show ip nat translation

Run a continuous ping from the spoke to the internet using a source of 192.168.100.x from the inside interface.


I see your post and remember your previous one.
I did a lot of searching in past months.
I think I found a solution, but I am not so sure; anyway, let me share what I got with you.
In Hub and Spoke, add the commands below:
global
username <> privilege 15 password <> 
enable password <> 
aaa new-model 
!
aaa authorization network default local 
!
crypto ikev2 authorization policy default
route set interface 

NOTE: when you add aaa new-model, please don't write (wr) the config until you are sure that you can access the router. After adding the command, try to access the router; if you cannot, reload the router to return to the point before this command was added.

In Hub, add the commands below
under interface virtual-template <> type tunnel:
ip nhrp network-id 100
ip nhrp redirect 

In Spoke, add the commands below
under interface tunnel <>:
ip nhrp network-id 100
ip nhrp shortcut 

Hope this time it works.
If you have any questions about the aaa new-model command, please ask.

Good luck, friend.

MHM

@MHM Cisco World  Welcome back, and thanks again for trying. Sorry, I was away from home and just returned a few days ago. I have tried your solution, and it still didn't work. I have attached here my configurations below for Hub and Spoke.

@ccieexpert Thanks a lot for helping. I tried to add your statements but nothing changed. 

I still have the same problems. I can't ping the hosts from the Spoke, and I can't reach or ping the internet (4.2.2.2).
-----------------------------------------------------------------------------------------

Spoke Config

Router#
Router#
Router#show run
Building configuration...

Current configuration : 3374 bytes
!
! Last configuration change at 16:49:32 UTC Sun Jul 7 2024
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable password
!
aaa new-model
!
!
aaa authorization network default local
!
!
!
!
!
aaa session-id common
ethernet lmi ce
service-module wlan-ap 0 bootimage autonomous
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!


!
ip dhcp excluded-address 192.168.***.1 192.168.***.50
!
ip dhcp pool Data
import all
network 192.168.***.0 255.255.255.0
default-router 192.168.***.253
dns-server 8.8.8.8 8.8.4.4
!
!
!
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
!
!
!
!
!
license udi pid C819GW-LTE-GA-EK9 sn FCZ2103E0AY
!
!
vtp mode transparent
username myusername password 7
crypto ikev2 authorization policy default
route set interface
!
!
!
crypto ikev2 keyring KEYRING
peer ANY-PEER
address 0.0.0.0 0.0.0.0
pre-shared-key local cisco1234
pre-shared-key remote cisco1234
!
!
!
crypto ikev2 profile IKEV2_PROFILE
match identity remote fqdn domain lab.net
identity local fqdn R2.lab.net
authentication local pre-share
authentication remote pre-share
keyring local KEYRING
!
!
!
controller Cellular 0
lte sim data-profile 1 attach-profile 1 slot 0
!
!
!
!
!
crypto ipsec profile IPSEC_PROFILE
set ikev2-profile IKEV2_PROFILE
!
!
!
!
!
!
!
!
interface Loopback1
ip address 172.16.0.2 255.255.255.0
!
interface Loopback2
ip address 10.3.0.1 255.255.255.0
!
interface Loopback3
ip address 10.3.1.1 255.255.255.0
!
interface Tunnel1
ip unnumbered Loopback1
ip nhrp network-id 100
ip nhrp shortcut
tunnel source Cellular0
tunnel destination 193.237.XXX.XXX
tunnel protection ipsec profile IPSEC_PROFILE
!
interface Cellular0
ip address negotiated
encapsulation slip
dialer in-band
dialer string lte
dialer-group 1
async mode interactive
routing dynamic
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface GigabitEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0
no ip address
shutdown
clock rate 2000000
!
interface Wlan-GigabitEthernet0
no ip address
!
interface wlan-ap0
no ip address
!
interface Vlan1
ip address 192.168.***.*** 255.255.255.0
!
!
router eigrp 1
network 10.3.0.0 0.0.255.255
network 172.16.0.0
network 192.168.***.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 193.237.XXX.XXX 255.255.255.255 Cellular0
!
ip sla 1
icmp-echo 8.8.8.8 source-interface Cellular0
threshold 1000
timeout 1000
frequency 5
ip sla schedule 1 life forever start-time now
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!

Router#$

------------------------------------------------------------
HUB CONFIG


aaa new-model
!
!
aaa authentication login default local
aaa authentication login SSLVPN_AAA local
aaa authorization exec default local
aaa authorization network default local
!

!
aaa session-id common
clock timezone GMT 0 0
clock summer-time GMT recurring

redundancy
crypto ikev2 authorization policy default
route set interface
!

crypto ikev2 keyring KEYRING
peer ANY-PEER
address 0.0.0.0 0.0.0.0
pre-shared-key local cisco1234
pre-shared-key remote cisco1234
!
!
!
crypto ikev2 profile IKEV2_PROFILE
match identity remote fqdn domain lab.net
identity local fqdn R1.lab.net
authentication remote pre-share
authentication local pre-share
keyring local KEYRING
virtual-template 2


!
crypto vpn anyconnect flash0:/webvpn/anyconnect-win-4.10.00093-webdeploy-k9.pkg sequence 1
!
!
crypto ipsec transform-set 170cisco esp-des esp-md5-hmac
mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
set ikev2-profile IKEV2_PROFILE
!
!
!
crypto dynamic-map dyn 10
set transform-set 170cisco
!
!
crypto map ETH0 65535 ipsec-isakmp dynamic dyn
!

!
interface Loopback0
ip address 10.10.10.10 255.255.255.255
ip ospf network point-to-point
!
interface Loopback1
ip address 172.16.0.1 255.255.255.255
!
interface Loopback3
ip address 10.1.0.1 255.255.255.0
!
interface Loopback4
ip address 10.1.1.1 255.255.255.0


interface GigabitEthernet0/0
description *****Connected to Vodafone Fibre GPON*****
no ip address
ip nat outside
no ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
pppoe enable group global
pppoe-client dial-pool-number 1


!
interface Virtual-Template1
ip unnumbered Loopback0
ip nat inside
ip virtual-reassembly in
!
interface Virtual-Template2 type tunnel
ip unnumbered Loopback1
ip nat inside
ip nhrp network-id 100
ip nhrp redirect
ip virtual-reassembly in
tunnel source Dialer1
tunnel protection ipsec profile IPSEC_PROFILE
!


interface Dialer1
mtu 1492
bandwidth 38000
ip address negotiated
no ip redirects
ip nat outside
ip virtual-reassembly in max-reassemblies 64
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer idle-timeout 0
dialer persistent delay initial 5
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname
ppp chap password 7
ppp pap sent-username
ppp ipcp dns request
ppp ipcp wins request
ppp ipcp route default
crypto map ETH0


router eigrp 1
network 10.1.0.0 0.0.0.255
network 10.1.1.0 0.0.0.255
network 142.202.XX.0 0.0.0.255
network 142.202.YY.0 0.0.0.255
network 172.16.0.0 0.0.0.255
redistribute static route-map REDIST_STATIC
!
ip local pool SSLVPN_POOL 192.168.VV.1 192.168.VV.200<<<<<< Anyconnect Pool
ip local pool DSL_ACCESSLIST 142.202.XX.51 142.202.XX.99
ip forward-protocol nd


ip http server
ip http access-class 23
ip http authentication aaa
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000


ip nat inside source list DSL_ACCESSLIST interface Dialer1 overload

ip route 0.0.0.0 0.0.0.0 Dialer1
ip ssh rsa keypair-name KEYPAIR
ip ssh version 2


ip access-list extended DSL_ACCESSLIST
deny ip 192.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255
permit ip 142.202.XX.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 142.202.YY.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 142.202.XX.0 0.0.0.255 any
permit ip 192.168.SSS.0 0.0.0.255 any
permit ip 142.202.YY.0 0.0.0.255 any
permit ip 192.168.ZZZ.0 0.0.0.255 any
permit ip 192.168.Z.0 0.0.0.255 any
permit ip 192.168.ZZZ.0 0.0.0.255 any
permit ip 192.168.ZZZ.0 0.0.0.255 any
permit ip 192.168.***.0 0.0.0.255 any <<<< SPOKE LAN ADDRESS
permit ip any any
!


!
ip prefix-list REDIST_STATIC seq 5 permit 0.0.0.0/0
!
nls resp-timeout 1
cpd cr-id 1
route-map REDIST_STATIC permit 10
match ip address prefix-list REDIST_STATIC


access-list 1 permit 192.168.ggg.0 0.0.0.255
access-list 1 permit any
access-list 1 permit 172.16.0.0 0.0.0.255
access-list 1 permit 10.3.0.0 0.0.0.255
access-list 1 permit 10.3.1.0 0.0.0.255
access-list 1 permit 192.168.zzz.0 0.0.0.255
access-list 1 permit 192.168.***.0 0.0.0.255 <<<< SPOKE LAN ADDRESS
!

--------------------
Tracert 4.2.2.2 from Spoke

Tracing route to b.resolvers.level3.net [4.2.2.2]
over a maximum of 30 hops:

1 1 ms 2 ms 2 ms 192.168.***.****
2 110 ms 49 ms 50 ms 172.16.0.1
3 61 ms 47 ms 49 ms 100.68.0.1
4 166 ms * * 63.130.172.39
5 * * * Request timed out.
6 101 ms 51 ms 55 ms ae1.3110.edge3.lon1.neo.colt.net [171.75.8.81]
7 * * * Request timed out.
8 * * * Request timed out.


Tracert 4.2.2.2 from hub

1 <1 ms <1 ms <1 ms 142.202.YY.YYY
2 2 ms 2 ms 2 ms 100.68.0.1
3 4 ms * * 63.130.172.39
4 * * * Request timed out.
5 5 ms 7 ms 4 ms ae1.3110.edge3.lon1.neo.colt.net [171.75.8.81]
6 4 ms 4 ms 4 ms b.resolvers.level3.net [4.2.2.2]
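To see how a NAT access-list such as the hub's DSL_ACCESSLIST selects traffic, here is an added example (my own Python, not anything posted in the thread or part of Cisco IOS) that applies IOS first-match ACL semantics to the list in its original order and with the deny entries recommended earlier in the thread placed first. The 142.202.20.0 and 192.168.100.0 networks and the sample packets are constructed stand-ins for the values masked in the posts.

```python
import ipaddress

def wildcard_to_network(addr, wildcard):
    """IOS 'address wildcard' pair -> network (assumes a contiguous wildcard mask)."""
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return ipaddress.ip_network(f"{addr}/{ipaddress.ip_address(mask)}", strict=False)

def parse_ace(line):
    """Parse 'permit|deny ip <src> <dst>', where each side is 'any' or 'ADDRESS WILDCARD'."""
    tok = line.split()
    action, fields, nets = tok[0], tok[2:], []   # tok[1] is the protocol keyword 'ip'
    while fields:
        if fields[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0")); fields = fields[1:]
        else:
            nets.append(wildcard_to_network(fields[0], fields[1])); fields = fields[2:]
    return action, nets[0], nets[1]

def parse_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines() if l.split()[0] in ("permit", "deny")]

def nat_selects(acl, src, dst):
    """First-match evaluation with the implicit deny at the end. True = the flow is selected
    for translation (IOS only consults the list for packets going inside -> outside)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False

# Constructed stand-ins for the masked addresses in the thread (142.202.YY.0 and 192.168.***.0)
HUB_LAN, SPOKE_LAN = "142.202.20.0 0.0.0.255", "192.168.100.0 0.0.0.255"
ORIGINAL_ACL = parse_acl(f"permit ip {HUB_LAN} any\npermit ip {SPOKE_LAN} any")
# The same entries with the deny lines the thread recommends placed first
REORDERED_ACL = parse_acl(f"""
deny ip {HUB_LAN} 192.168.0.0 0.0.255.255
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
permit ip {HUB_LAN} any
permit ip {SPOKE_LAN} any
""")
FLOWS = {"spoke host -> internet": ("192.168.100.10", "4.2.2.2"),   # constructed packets
         "spoke host -> hub LAN": ("192.168.100.10", "142.202.20.5"),
         "hub LAN -> spoke host": ("142.202.20.5", "192.168.100.10")}

def compare(flows=FLOWS):
    """{flow name: (selected by ORIGINAL_ACL, selected by REORDERED_ACL)}"""
    return {n: (nat_selects(ORIGINAL_ACL, *f), nat_selects(REORDERED_ACL, *f)) for n, f in flows.items()}

if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:24} original={before!s:5} reordered={after}")
```

The output shows that the recommended deny entries exempt hub-LAN-to-spoke packets but leave spoke-to-hub-LAN packets selected, since no deny covers that source. Whether a selected packet is actually translated also depends on direction: classic IOS inside source NAT only translates packets leaving via an `ip nat outside` interface, so traffic that stays between `ip nat inside` interfaces is untouched regardless of the list.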