how to set proxy id for ios site to site vpn with dynamic spoke

mmercald
Level 1

I have 2 routers in a hub and spoke setup. The hub has a static public IP and the spoke is behind a firewall that I do not have access to, with no one-to-one NAT, so it is using the default NAT that all machines connected to it use.

I am doing an IKEv2 setup; however, I am getting an error that the proxy IDs are unacceptable. On the spoke router I am getting this:

(identity) local= 172.25.25.11:0, remote= 5.5.5.5:0,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0

spoke config:

int gi 0/0/1
ip address dhcp (the 172.25.25.11 address)

crypto ikev2 profile IKEV2_PROFILE
match identity remote address 5.5.5.5 255.255.255.255
identity local fqdn hostname.domain.com
authentication remote pre-share
authentication local pre-share
keyring local key
dpd 20 2 periodic

crypto ipsec profile svti-profile
set transform-set 3des-sha
set pfs group14
set ikev2-profile IKEV2_PROFILE
tunnel mode ipsec ipv4

interface Tunnel1
bandwidth 1024
ip address 10.0.0.2 255.255.255.252
no ip redirects
no ip proxy-arp
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0/1
tunnel mode ipsec ipv4
tunnel destination 5.5.5.5
tunnel protection ipsec profile svti-profile


on the hub


crypto ikev2 profile router_ikev2_profile
match identity remote fqdn hostname.domain.com
identity local address 5.5.5.5
authentication remote pre-share
authentication local pre-share
keyring local key
dpd 20 2 periodic
crypto ikev2 fragmentation

crypto ipsec profile ikev2_ipsec_profile
set transform-set 3des-sha
set pfs group14
set ikev2-profile router_ikev2_profile
responder-only
interface Tunnel12
bandwidth 1024
ip address 10.0.0.1 255.255.255.252
no ip redirects
no ip proxy-arp
ip mtu 1400
ip tcp adjust-mss 1360
delay 50000
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel destination dynamic
tunnel protection ipsec profile ikev2_ipsec_profile


Any idea what I am missing?

6 Replies

@mmercald you've got "tunnel destination dynamic" configured on the hub router; I believe that will only work when using the FlexVPN client configured with multiple peers.

Configure the hub router with a virtual-template and reference the virtual-template under the IKEV2 profile. Example.
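As an added illustration of the hub-side change suggested above (not config from the original post or from Cisco documentation): the static Tunnel12 is replaced by a Virtual-Template that the IKEv2 profile references, so a Virtual-Access interface is cloned per authenticated spoke. Loopback0, the `route set` authorization policy and the virtual-template number are assumptions; the profile, keyring and transform-set names are taken from the hub config in the question.

```cisco
! Hub side only; the spoke keeps its static VTI (Tunnel1) pointing at 5.5.5.5.
! Assumed: Loopback0 supplies the tunnel IP shared by all cloned Virtual-Access interfaces.
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
! Replaces "interface Tunnel12 ... tunnel destination dynamic" from the question.
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 no ip redirects
 no ip proxy-arp
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ikev2_ipsec_profile
!
! Assumed: routes toward the spoke's tunnel address are injected by IKEv2
! (route set interface) rather than by a routing protocol, so the hub has a
! path back over the Virtual-Access interface once the child SA is up.
crypto ikev2 authorization policy spoke_authz
 route set interface
!
crypto ikev2 profile router_ikev2_profile
 match identity remote fqdn hostname.domain.com
 identity local address 5.5.5.5
 authentication remote pre-share
 authentication local pre-share
 keyring local key
 dpd 20 2 periodic
 aaa authorization group psk list default spoke_authz
 ! This line is what lets unknown (dynamic/NATed) peers get a tunnel cloned for them.
 virtual-template 1
!
crypto ipsec profile ikev2_ipsec_profile
 set transform-set 3des-sha
 set pfs group14
 set ikev2-profile router_ikev2_profile
 responder-only
```

After the spoke brings the tunnel up, `show crypto ikev2 sa` and `show interfaces virtual-access` on the hub confirm that a Virtual-Access interface was cloned from Virtual-Template1 for that peer.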

Thanks, I will try it, but why would a virtual-template be necessary over a tunnel interface?

@mmercald because a VTI requires you to know the destination. And as mentioned previously, even though you configured tunnel destination dynamic, this uses the FlexVPN client profile to look up a list of defined peers. The virtual-template (DVTI) will establish tunnels to the VTI from unknown peers (dynamic IP), assuming the peer is successfully authenticated.

In the hub there is no tunnel; there is only a virtual-template type tunnel.

Why do we need it? If the hub connects to many spokes, for example 100, how many tunnels do we need in the hub? We need 100 tunnels; instead we configure a template, and each of the 100 tunnels clones its config from this template.
This template configures only:
1- profile
2- source
3- tunnel IP
4- tunnel source

There is no tunnel destination, since each of the 100 tunnels has a different tunnel source (in the hub it is the tunnel destination).

Your config is one two route, so it can be configured as hub and spoke or configured as you did. Why does it not work? Are you initiating any traffic from spoke to hub?
If you want, I can run a lab test of your config.
Thanks
MHM

Link below 

Using a VTI with tunnel destination dynamic works for IKEv1, but for IKEv2, sorry, I get the same as you: the selector is wrong.

So the only solution for IKEv2 is to use a virtual-template.

https://grumpy-networkers-journal.readthedocs.io/en/latest/VENDOR/CISCO/VPN/CISCO_IKEV1/IOS_IKEV1_DYNAMIC_VTI.html

MHM

One last point:

In your config, if you change the mode from ipsec ipv4 to gre ip mode,

this GRE over IPsec I think can work with IKEv2 and without a virtual-template.

Sorry, I forgot to test this in my lab.

Good luck

MHM