07-19-2024 09:50 AM - edited 07-19-2024 09:52 AM
I have 2 routers in a hub and spoke setup. The hub has a static public IP and the spoke is behind a firewall that I do not have access to, with no one-to-one NAT, so it is using the default NAT that all machines connected to it use.
I am doing an IKEv2 setup; however, I am getting an error that the proxy IDs are unacceptable. On the spoke router I am getting this:
(identity) local= 172.25.25.11:0, remote= 5.5.5.5:0,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0
spoke config:
int gi 0/0/1
 ip address dhcp
 ! the DHCP-assigned address is 172.25.25.11
crypto ikev2 profile IKEV2_PROFILE
 match identity remote address 5.5.5.5 255.255.255.255
 identity local fqdn hostname.domain.com
 authentication remote pre-share
 authentication local pre-share
 keyring local key
 dpd 20 2 periodic
crypto ipsec profile svti-profile
 set transform-set 3des-sha
 set pfs group14
 set ikev2-profile IKEV2_PROFILE
interface Tunnel1
 bandwidth 1024
 ip address 10.0.0.2 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0/1
 tunnel mode ipsec ipv4
 tunnel destination 5.5.5.5
 tunnel protection ipsec profile svti-profile
on the hub:
crypto ikev2 profile router_ikev2_profile
 match identity remote fqdn hostname.domain.com
 identity local address 5.5.5.5
 authentication remote pre-share
 authentication local pre-share
 keyring local key
 dpd 20 2 periodic
crypto ikev2 fragmentation
crypto ipsec profile ikev2_ipsec_profile
 set transform-set 3des-sha
 set pfs group14
 set ikev2-profile router_ikev2_profile
 responder-only
interface Tunnel12
 bandwidth 1024
 ip address 10.0.0.1 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip mtu 1400
 ip tcp adjust-mss 1360
 delay 50000
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile ikev2_ipsec_profile
Any idea what I am missing?
07-19-2024 10:28 AM
07-19-2024 10:32 AM
Thanks, I will try it, but why would a virtual-template be necessary over a tunnel interface?
07-19-2024 10:43 AM - edited 07-19-2024 10:46 AM
@mmercald because a VTI requires you to know the destination. And as mentioned previously, even though you configured tunnel destination dynamic, this uses the FlexVPN client profile to look up a list of defined peers. The virtual-template (DVTI) will establish tunnels to the VTI from unknown peers (dynamic IP), assuming the peer is successfully authenticated.
07-19-2024 11:02 AM
In the hub there is no tunnel interface; there is only a virtual-template of type tunnel.
Why do we need it? If the hub connects to many spokes, for example 100, how many tunnels do we need in the hub? We would need 100 tunnels. Instead we configure a template, and each of the 100 tunnels clones its config from this template.
This template config only has:
1- profile
2- source
3- tunnel IP
4- tunnel source
There is no tunnel destination, since each of the 100 tunnels has a different tunnel source (which in the hub is the tunnel destination).
Your config has only two routers, so it can be configured as hub and spoke or configured as you did. Why does it not work? Are you initiating any traffic from spoke to hub?
If you want, I can run a lab test of your config.
Thanks
MHM
07-20-2024 11:58 AM
Link below.
Using a VTI with tunnel destination dynamic works for IKEv1, but for IKEv2, sorry, I get the same as you: the selector is wrong.
So the only solution for IKEv2 is to use a virtual-template.
MHM
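The hub-side change the two replies above describe (replace the static Tunnel12 with a virtual-template so the hub can accept an IKEv2 peer whose NAT'd source address is unknown in advance), written out as an added example that is not part of any post in this thread. The interface, profile and keyring names are taken from the original post; the keyring contents, the Loopback12 number, the virtual-template number and the placeholder pre-shared keys are assumptions, since the thread never shows them.

```cisco
! Hub: FlexVPN responder with a dynamic VTI.
! Keyring contents are assumed; the post only references "keyring local key".
crypto ikev2 keyring key
 peer spokes
  address 0.0.0.0 0.0.0.0
  identity fqdn hostname.domain.com
  pre-shared-key local HUB-PSK-PLACEHOLDER
  pre-shared-key remote SPOKE-PSK-PLACEHOLDER
!
crypto ikev2 profile router_ikev2_profile
 match identity remote fqdn hostname.domain.com
 identity local address 5.5.5.5
 authentication remote pre-share
 authentication local pre-share
 keyring local key
 dpd 20 2 periodic
 ! This line is what binds authenticated peers to the template below.
 virtual-template 1
!
crypto ikev2 fragmentation
!
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile ikev2_ipsec_profile
 set transform-set 3des-sha
 set pfs group14
 set ikev2-profile router_ikev2_profile
 responder-only
!
! Loopback number is assumed; it carries the hub's tunnel address so every
! cloned virtual-access interface can borrow it with "ip unnumbered".
interface Loopback12
 ip address 10.0.0.1 255.255.255.252
!
! No "tunnel destination": the peer's source address fills it in when the
! virtual-access interface is cloned after successful IKEv2 authentication.
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback12
 no ip redirects
 no ip proxy-arp
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ikev2_ipsec_profile
```

The spoke keeps its static Tunnel1 from the original post, since it does know the hub's address. After the spoke brings the tunnel up, `show crypto ikev2 sa` on the hub should list the spoke's NAT'd public address on UDP 4500 (NAT-T), and `show ip interface brief` should show a cloned Virtual-Access interface; the firewall in front of the hub must allow inbound UDP 500 and 4500. Separately from the selector problem, the 3DES/SHA-1 transform set copied from the thread is a legacy choice; on current IOS-XE, an AES-GCM transform set with an IKEv2 proposal using AES and SHA-256 is the usual hardening step once the tunnel is working.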
07-20-2024 12:03 PM
One last point:
In your config, if you change the mode from ipsec ipv4 to gre ip mode,
this GRE over IPsec I think can work with IKEv2 and without a virtual-template.
Sorry, I forgot to test this in my lab.
Good luck
MHM