FlexVPN with local address pool but no static route added

Difan Zhao
Level 5

I am playing with FlexVPN and I am testing assigning the spoke an address from a pool. The tunnel comes up and the address is assigned to the spoke. The EIGRP adjacency comes up too if I put on some EIGRP config. However, I don't have the /32 static route added for the assigned address. Here is my config on the hub:

ip local pool POOL 10.0.1.10 10.0.1.100
!
aaa authorization network test local
!
crypto ikev2 authorization policy IKEV2POLICY
 pool POOL
 netmask 255.255.255.0
!
crypto ikev2 profile test
 match fvrf WAN
 match identity remote any
 identity local address 1.1.1.1
 authentication local pre-share
 authentication remote pre-share
 keyring local test
 dpd 10 2 on-demand
 aaa authorization group psk list test IKEV2POLICY
 virtual-template 1
!
crypto ipsec profile test
 set ikev2-profile test
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1
 tunnel vrf WAN
 tunnel protection ipsec profile test

On the spoke I have a "tunnel 1" interface with "ip address negotiated" configured.

Any idea what I missed in the config? Thanks!

8 Replies

Hi, you would need to amend your IKEv2 authorization policy as below:

crypto ikev2 authorization policy IKEV2POLICY
 route set interface

Some more information here.

HTH

Hey, sorry for the late response... I have tried this on both the hub and the spoke, and I have shut/no shut the virtual-template interface (in case the interface needs bouncing for it to take effect), but I still don't see the routes getting added on the hub side... On the spoke side I do see the static route 10.0.1.1/32 added.

--- hub ---
crypto ikev2 authorization policy IKEV2POLICY
 pool POOL
 netmask 255.255.255.0
 route set interface
 route accept any tag 10
!
crypto ikev2 profile test
 match fvrf WAN
 match identity remote any
 identity local address 1.1.1.1
 authentication local pre-share
 authentication remote pre-share
 keyring local test
 dpd 10 2 on-demand
 aaa authorization group psk list test IKEV2POLICY
 virtual-template 1
!
aaa authorization network test local
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1
 tunnel mode ipsec ipv4
 tunnel vrf WAN
 tunnel protection ipsec profile test

--- spoke ---
interface Tunnel1
 ip address negotiated
 tunnel source GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.1
 tunnel vrf WAN
 tunnel protection ipsec profile test
!
crypto ikev2 authorization policy test
 route set interface
!
crypto ikev2 profile test
 match fvrf WAN
 match address local interface GigabitEthernet0/1
 match identity remote address 1.1.1.1 255.255.255.255
 identity local address 1.1.1.3
 authentication local pre-share key cisco
 authentication remote pre-share key cisco
 dpd 10 2 on-demand
 aaa authorization group psk list default test
!
aaa authorization network default local

Thanks,

Difan

I've built this in my lab, but I do receive routes on the hub and the spoke, using near-identical config (as far as I can tell). Care to provide the full configuration of hub and spoke?

Can you provide the output of "show crypto ikev2 sa detailed" from both hub and spoke?

The configs are attached. Here is the output of the show command. Thank you!

--- hub ---

iosv-1#show crypto ikev2 sa detailed
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         1.1.1.1/500           1.1.1.3/500           WAN/none             READY
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/6233 sec
      CE id: 1045, Session-id: 104
      Status Description: Negotiation done
      Local spi: 6E48C3DDAD863562       Remote spi: 67734402799B912A
      Local id: 1.1.1.1
      Remote id: 1.1.1.3
      Local req msg id:  0              Remote req msg id:  5
      Local next msg id: 0              Remote next msg id: 5
      Local req queued:  0              Remote req queued:  5
      Local window:      5              Remote window:      5
      DPD configured for 10 seconds, retry 2
      Fragmentation not  configured.
      Dynamic Route Update: disabled
      Extended Authentication not configured.
      NAT-T is not detected
      Cisco Trust Security SGT is disabled
      Assigned host addr: 10.0.1.87
      Initiator of SA : No
      Remote subnets:
      10.0.1.87 255.255.255.255

 IPv6 Crypto IKEv2  SA

--- spoke ---
iosv-3#show crypto ikev2 sa detailed
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         1.1.1.3/500           1.1.1.1/500           WAN/none             READY
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/6257 sec
      CE id: 1045, Session-id: 104
      Status Description: Negotiation done
      Local spi: 67734402799B912A       Remote spi: 6E48C3DDAD863562
      Local id: 1.1.1.3
      Remote id: 1.1.1.1
      Local req msg id:  5              Remote req msg id:  0
      Local next msg id: 5              Remote next msg id: 0
      Local req queued:  5              Remote req queued:  0
      Local window:      5              Remote window:      5
      DPD configured for 10 seconds, retry 2
      Fragmentation not  configured.
      Dynamic Route Update: disabled
      Extended Authentication not configured.
      NAT-T is not detected
      Cisco Trust Security SGT is disabled
      Initiator of SA : Yes
      Pushed IP address: 10.0.1.87
      Remote subnets:
      10.0.1.1 255.255.255.255

 IPv6 Crypto IKEv2  SA

So normally, if you receive the "Remote subnets" as you have below, those routes should be in the routing table, unless you have the command "no route accept" defined in the authorization profile, but you do have it defined.

From Hub

      Remote subnets:
      10.0.1.87 255.255.255.255

From Spoke

      Remote subnets:
      10.0.1.1 255.255.255.255

I assume you are checking the routing table "show ip route" and they aren't visible? These routes would be in the global routing table, not the WAN VRF you have defined.

What IOS version are you running?
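The check the helper is describing above (remote subnets pushed through IKEv2 should show up as routes, and, because ivrf is "none" here, in the global table rather than the WAN fvrf) can be automated over pasted show output. The script below is an added example, not from the thread or from Cisco: it parses `show crypto ikev2 sa detailed` and `show ip route` text, and reports every remote subnet of a READY SA that has no exact-match route in the table it should land in. The sample outputs are constructed from what was quoted in the thread (the hub's Loopback1 network in the routing table is assumed), and all function and variable names are this example's own.

```python
"""Offline checker: pushed IKEv2 remote subnets vs. installed routes.

Added example, not the thread's or Cisco's code. Sample outputs are
constructed from the thread; names below are this example's own.
"""
import ipaddress
import re

# Constructed sample: hub SA detail trimmed from the thread. The peer pushed
# 10.0.1.87/32 as a remote subnet; ivrf is "none", so the route belongs in
# the global table.
SA_DETAIL_HUB = """\
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         1.1.1.1/500           1.1.1.3/500           WAN/none             READY
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Status Description: Negotiation done
      Assigned host addr: 10.0.1.87
      Initiator of SA : No
      Remote subnets:
      10.0.1.87 255.255.255.255

 IPv6 Crypto IKEv2  SA
"""

# Constructed global routing tables: the broken state (no /32 for the peer,
# Loopback1 network assumed) and the working state (S route via Virtual-Access1).
IP_ROUTE_HUB_BROKEN = """\
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.1.0/24 is directly connected, Loopback1
L        10.0.1.1/32 is directly connected, Loopback1
"""
IP_ROUTE_HUB_OK = (IP_ROUTE_HUB_BROKEN
                   + "S        10.0.1.87/32 is directly connected, Virtual-Access1\n")

# SA summary line: id, local addr/port, remote addr/port, fvrf/ivrf, status.
SA_HEADER = re.compile(
    r"^(?P<tid>\d+)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?P<fvrf>[^/\s]+)/(?P<ivrf>\S+)\s+(?P<status>\S+)\s*$")
# "address mask" lines listed under "Remote subnets:".
SUBNET = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s*$")
# Route lines: a code such as "S", "C", "L", "D EX", "S*" followed by a prefix.
ROUTE = re.compile(
    r"^(?P<code>[A-Z]\*?(?:\s[A-Z0-9]{1,2})?)\s+(?P<prefix>\d+(?:\.\d+){3}/\d{1,2})\b")


def parse_sa_detail(text):
    """Return one dict per IKEv2 SA: peer, fvrf, ivrf, status and the remote
    subnets the peer pushed (as ip_network objects)."""
    sas, current, in_subnets = [], None, False
    for line in text.splitlines():
        m = SA_HEADER.match(line)
        if m:
            current = {"tunnel_id": int(m["tid"]),
                       "remote": m["remote"].split("/")[0],
                       "fvrf": m["fvrf"], "ivrf": m["ivrf"],
                       "status": m["status"], "remote_subnets": []}
            sas.append(current)
            in_subnets = False
            continue
        if current is None:
            continue
        if line.strip() == "Remote subnets:":
            in_subnets = True
            continue
        if in_subnets:
            m = SUBNET.match(line)
            if m:
                current["remote_subnets"].append(
                    ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
            else:
                in_subnets = False  # first non-subnet line ends the list
    return sas


def parse_routes(text):
    """Map each prefix in `show ip route` output to its route code."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE.match(line)
        if m:
            routes[ipaddress.ip_network(m["prefix"], strict=False)] = m["code"].strip()
    return routes


def missing_peer_routes(sa_text, global_route_text, vrf_route_texts=None):
    """Return (peer, subnet, table) for every remote subnet of a READY SA that
    is absent from the table it should be installed in: the global table when
    ivrf is "none", otherwise that VRF. vrf_route_texts maps an ivrf name to
    its `show ip route vrf NAME` output."""
    vrf_route_texts = vrf_route_texts or {}
    findings = []
    for sa in parse_sa_detail(sa_text):
        if sa["status"] != "READY":
            continue
        if sa["ivrf"] == "none":
            table_name, table = "global", parse_routes(global_route_text)
        else:
            table_name = f"vrf {sa['ivrf']}"
            table = parse_routes(vrf_route_texts.get(sa["ivrf"], ""))
        for net in sa["remote_subnets"]:
            if net not in table:
                findings.append((sa["remote"], str(net), table_name))
    return findings


if __name__ == "__main__":
    print("broken:", missing_peer_routes(SA_DETAIL_HUB, IP_ROUTE_HUB_BROKEN))
    print("fixed: ", missing_peer_routes(SA_DETAIL_HUB, IP_ROUTE_HUB_OK))
```

To use it on a real device, paste the two show outputs into files and pass their contents to `missing_peer_routes`; when the SA column shows an inside VRF instead of "none", pass that VRF's `show ip route vrf NAME` output in the dictionary so the check looks in the right table. An empty list means every pushed subnet is installed; a non-empty list points at exactly which peer's /32 never made it in, which is the state the hub in this thread was in.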


Thanks for the quick response! I am running a VIRL lab so the routers are all virtual. The version is

Cisco IOS Software, IOSv Software (VIOS-ADVENTERPRISEK9-M), Version 15.6(3)M2, RELEASE SOFTWARE (fc2)

I will see if there is an update available to upgrade and try again... 


I am using a VIRL image but on GNS3: VIOS-ADVENTERPRISEK9-M, Version 15.4(2)T1.

I labbed it using your full configuration (copied and pasted the config) and it works.

Hub:

sh cry ike sa det | begin subnets
      Remote subnets:
      10.0.1.10 255.255.255.255

 IPv6 Crypto IKEv2  SA

sh ip route static | begin Gateway
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
S        10.0.1.10/32 is directly connected, Virtual-Access1


Spoke:

show crypto ikev2 sa detailed | begin subnet
      Remote subnets:
      10.0.1.1 255.255.255.255

 IPv6 Crypto IKEv2  SA

show ip route | begin Gateway
Gateway of last resort is not set

      2.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        2.2.2.0/24 is directly connected, GigabitEthernet0/0
L        2.2.2.2/32 is directly connected, GigabitEthernet0/0
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.0.0.3/32 is directly connected, Loopback0
C        10.0.1.0/24 is directly connected, Tunnel1
S        10.0.1.1/32 is directly connected, Tunnel1
L        10.0.1.10/32 is directly connected, Tunnel1

I reloaded the lab (which means all routers) and it works fine now! I think the original config was not right, and when I made it right I forgot to shut/no shut the virtual-template interface to make it take effect, or something... Anyway, it works fine now! Thank you for your help.