FlexVPN vs DMVPN behavior. Advice?

CCampbell_2
Level 1

So I'm testing FlexVPN and I've found, for me anyway, a pretty big deal breaker.

I can't ping, telnet, or connect in any way (other than the routing protocol, which works fine) to the "directly connected" network.

What I mean by that is say my Tunnel interface is 192.168.254.2 on one of my spokes, I can't connect to my hub at 192.168.254.1 or another spoke at 192.168.254.3.

Day to day this wouldn't be an issue, but sometimes, in the event of a network outage, I need to be able to get in via my VPN backdoor. So I'd go to 192.168.254.1 and telnet to 192.168.254.3 and voilà, I'm in. With DMVPN this worked great and saved my bacon many times. With FlexVPN this option is no longer available to me, best I can tell.

Is this known behavior?  Is there a fix? Am I just doing something wrong?

Thanks


5 Replies

Tarik Admani
VIP Alumni

Hi,

Can you post the version of code you are running along with the running configs? I am curious to see which ikev2 authorization policy you are using.

Also did you try sourcing the requests from the tunnel interface?

Thanks,


Ping will automatically use the IP address of the interface the request is leaving from, but just for grins I went ahead and tried sourcing it explicitly. No change. Again, keep in mind, EIGRP works fine, so neighbors are forming between these Tunnel interfaces; just no other traffic. Here are the commands I used to add FlexVPN to my router:

ip access-list standard Flex-Route
 permit any
!
! Prefixes matching Flex-Route, plus the tunnel interface address, are
! advertised to the peer in the IKEv2 exchange
crypto ikev2 authorization policy default
 route set interface
 route set access-list Flex-Route
!
crypto ikev2 keyring Keys
 peer Router
  address 0.0.0.0 0.0.0.0
  pre-shared-key X
!
crypto ikev2 profile FlexVPN
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local Keys
 dpd 12 3 on-demand
 nat keepalive 10
 virtual-template 1
!
crypto ipsec transform-set ESP-GCM esp-gcm
 mode transport
!
crypto ipsec profile default
 set ikev2-profile FlexVPN
 set transform-set ESP-GCM
!
! Virtual-Access interfaces cloned from this template carry the
! NHRP shortcut (spoke-to-spoke) sessions
interface Virtual-Template1 type tunnel
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip unnumbered Tunnel673
 ip nhrp network-id 673
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 tunnel path-mtu-discovery
 tunnel protection ipsec profile default
!
interface Tunnel673
 ip address X.X.X.X 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip address negotiated
 ip flow ingress
 ip nhrp network-id 673
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 cdp enable
 tunnel path-mtu-discovery
 tunnel source GigabitEthernet0/2
 tunnel destination X.X.X.X
 tunnel protection ipsec profile default
 no shut

Hi,

The ikev2 routing that you configured in your example, is that on the hub and spokes? If so, can you make sure that the aaa authorization is also configured and mapped to the ikev2 profile; this is needed to authorize the routes that are being pushed between the hub and spokes.

aaa new-model
aaa authorization network default local
!
! The list name (default) and the authorization policy name (default)
! must match the 'aaa authorization network' method list and the
! 'crypto ikev2 authorization policy' defined above
crypto ikev2 profile FlexVPN
 aaa authorization group psk list default default

Then you will need to shut and no shut the tunnel interfaces to force the new ikev2 sessions.

Tarik Admani
*Please rate helpful posts*

[modified to make my thoughts much easier to understand]

Well I feel like this is different at least!

I'm now getting these:

008145: Jul  7 20:26:38.914 PDT: %TUN-5-RECURDOWN: Virtual-Access3 temporarily disabled due to recursive routing

My IKEv2 profile looks like this on Hub and two spokes:

crypto ikev2 profile FlexVPN
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local Keys
 dpd 12 3 on-demand
 nat keepalive 10
 aaa authorization group psk list default default
 virtual-template 1

AAA-related commands look like this on the hub and both spokes:

#sh run | i aaa
aaa new-model
aaa authorization network default local
aaa session-id common

So I took a look at my config; namely:

ip access-list standard Flex-Route
 permit any
!
crypto ikev2 authorization policy default
 route set interface
 route set access-list Flex-Route

I changed the Flex-Route ACL to permit 192.168.254.0 0.0.0.255 and it all started working! I can ping my interfaces. Thanks for your help!
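As an added example (not code from this thread or from Cisco), here is a small Python lint that reads a saved IOS config and flags the two things the thread turned on: an IKEv2 profile with no aaa authorization mapping, and a route set access-list ACL that permits any. The sample config is constructed from the spoke config posted above, and the parser assumes IOS-style indentation of sub-commands under each top-level command.

```python
# Added example, not code from the thread or from Cisco: lint an IOS FlexVPN
# config for the two issues discussed in this thread.
import re

def parse_blocks(config):
    """Group IOS config into {top-level command: [indented sub-commands]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] not in " \t":  # an unindented line opens a new block
            current = blocks[raw.strip()] = []
        elif current is not None:
            current.append(raw.strip())
    return blocks

def lint_flexvpn(config):
    """Return a list of findings; an empty list means both checks passed."""
    b, findings = parse_blocks(config), []
    for cmd, subs in b.items():
        if cmd.startswith("crypto ikev2 profile "):
            maps = [s for s in subs if s.startswith("aaa authorization group ")]
            if not maps:  # the accepted answer's missing piece
                findings.append(f"{cmd}: no 'aaa authorization group ... list' line, so pushed routes are never authorized")
            for m in filter(None, (re.search(r"\blist (\S+) (\S+)$", s) for s in maps)):
                aaa_list, policy = m.groups()  # e.g. 'list default default'
                if not any(t.startswith(f"aaa authorization network {aaa_list} ") for t in b):
                    findings.append(f"{cmd}: AAA list '{aaa_list}' has no 'aaa authorization network' method")
                if f"crypto ikev2 authorization policy {policy}" not in b:
                    findings.append(f"{cmd}: IKEv2 authorization policy '{policy}' is not defined")
        elif cmd.startswith("crypto ikev2 authorization policy "):
            for acl in (s.split()[-1] for s in subs if s.startswith("route set access-list ")):
                entries = b.get(f"ip access-list standard {acl}", [])
                if any(e.split() == ["permit", "any"] for e in entries):  # 0.0.0.0/0 gets pushed
                    findings.append(f"{cmd}: ACL '{acl}' permits any, so a default route is pushed to every peer")
    return findings

# Constructed spoke config mirroring the thread's first (broken) posting.
BROKEN = """\
aaa authorization network default local
ip access-list standard Flex-Route
 permit any
crypto ikev2 authorization policy default
 route set access-list Flex-Route
crypto ikev2 profile FlexVPN
 keyring local Keys
"""
# The two changes from the thread: scope the ACL and map AAA into the profile.
FIXED = BROKEN.replace(" permit any", " permit 192.168.254.0 0.0.0.255").replace(
    " keyring local Keys", " keyring local Keys\n aaa authorization group psk list default default")
```

Run `lint_flexvpn(open("spoke.cfg").read())` against a `show running-config` capture; an empty list means the profile is mapped to an existing AAA list and policy and no route-advertising ACL permits any.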