No Internet connectivity from spoke via FlexVPN tunnel

Hope Network
Level 1

Hoping for some assistance on this issue, been racking my brain on it but find myself going in circles at this point.

We have implemented a hub-and-spoke IPsec FlexVPN design with redundant hubs using certificate-based auth. The Loopback0 interface is used in a virtual template for creating virtual-access instances for the spokes. I can supply configurations if necessary, but I feel I'm missing something fundamental that someone may be able to point out without configs. We are also in the process of migrating to EIGRP, which I have running on the hub and spoke.

The tunnel configuration is up and working, but intranet only; I'm unable to get internet traffic to route over the tunnel on the spoke router. When sourcing from our local LAN on the spoke I can get to everything on our network, but nothing outside that. Yes, I can NAT the WAN interface on the spoke, which will allow internet access not sourced from our network, but then traffic destined for the internet is not routed over the tunnel, and we are not wanting to do split tunneling.

From the hub, I am able to get out to the internet, even from the Lo0 interface, but from the client I don't seem to be getting anywhere. A traceroute from a LAN source to the internet on the spoke shows an immediate timeout.

Again, aside from not having internet access from the spoke via the IPSEC tunnel, there are no other issues, that is why I feel it's something simple I'm missing.

I'm guessing it is because the default route is to the local router interface, not Tunnel0, but if I try to make the default route Tunnel0 I end up with the tunnel bouncing due to a routing loop. So all intranet-bound traffic has a route via EIGRP via Tunnel0, but the default route goes directly out the WAN interface, and I don't know how to correct that without recursive routing.

5 Replies

Dennis Mink
VIP Alumni

Sounds like you are not propagating the default route through EIGRP.

When you do a sh ip route on a spoke, what does it show? Can you add that to this post?

If your hub router has access to the internet breakout, you might want to redistribute the static default route into EIGRP.

Please remember to rate useful posts, by clicking on the stars below.

Show ip route will show the default route as being the ISP gateway associated with the WAN interface, as opposed to Tunnel0.

I agree; I have tried using redistribute static, but it does not propagate the default route on the hub through the tunnel to the spoke.

How about summarizing on the Virtual-Access template, if possible? I have not tried it yet.

HUB(config)#interface Virtual-Template1
HUB(config-if)#ip summary-address eigrp 101 0.0.0.0 0.0.0.0
HUB(config)#ip route 0.0.0.0 0.0.0.0 Tunnel0

Then adding network 0.0.0.0 to router EIGRP.

Nope, that does work.  Here are some configs:

Hub:

interface Loopback0
ip address 10.100.200.1 255.255.255.0

interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel source GigabitEthernet0/1/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSECPROF

router eigrp 101
network 10.0.0.0
passive-interface default
no passive-interface Virtual-Template1

Spoke:

crypto ikev2 client flexvpn FLEXCLIENT
peer 2 x.x.x.x
client connect Tunnel0

interface Tunnel0
ip address negotiated
tunnel source GigabitEthernet8
tunnel mode ipsec ipv4
tunnel destination dynamic
tunnel protection ipsec profile IPSECPROFILE

interface GigabitEthernet8
description Internet
ip address dhcp
ip nat outside
ip virtual-reassembly in
no ip route-cache cef
duplex auto
speed auto

If you do a sh ip route at one of the spoke sites, what is the output you get?

Please remember to rate useful posts, by clicking on the stars below.

Here is part of it; in between, which I omitted, are all our private-address EIGRP routes:

H1000R-VPN#show ip route

Gateway of last resort is 192.168.2.1 to network 0.0.0.0

S* 0.0.0.0/0 [254/0] via 192.168.2.1
10.0.0.0/8 is variably subnetted, 55 subnets, 5 masks
S 10.0.0.0/8 is directly connected, Tunnel0

192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.2.0/24 is directly connected, GigabitEthernet8
L 192.168.2.2/32 is directly connected, GigabitEthernet8
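The recursive-routing problem described in the question, modelled on the spoke's posted routing table as an added example (not code from the thread or from Cisco). The hub address 203.0.113.10 is a constructed stand-in for the x.x.x.x peer, and the host-route fix at the end is the example's own suggestion, not something the thread confirms.

```python
import ipaddress
from dataclasses import dataclass

HUB_PUBLIC = "203.0.113.10"  # constructed stand-in for the hub's x.x.x.x peer address
ISP_GATEWAY = "192.168.2.1"  # gateway of last resort from the spoke's 'show ip route'
TUNNEL_ENDPOINT = {"Tunnel0": HUB_PUBLIC}  # each tunnel must reach its peer over the physical path
CONNECTED = {"GigabitEthernet8": ipaddress.ip_network("192.168.2.0/24")}


@dataclass(frozen=True)
class Route:
    prefix: str  # destination, e.g. "0.0.0.0/0"
    via: str     # next-hop address or egress interface name
    ad: int      # administrative distance; lower wins between equal prefixes


def best_route(rib, dst):
    """Longest-prefix match; among equal prefixes the lowest AD is installed."""
    addr = ipaddress.ip_address(dst)
    cands = [r for r in rib if addr in ipaddress.ip_network(r.prefix)]
    return max(cands, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -r.ad), default=None)


def resolve(rib, dst, _seen=()):
    """Chain of interfaces a packet to dst uses, ending at a physical interface,
    or 'RECURSIVE' when a tunnel's peer is itself reached through that tunnel
    (the loop that makes IOS bring the tunnel down, then back up, repeatedly)."""
    r = best_route(rib, dst)
    if r is None:
        return ("NO ROUTE",)
    if r.via in CONNECTED:
        return (r.via,)
    if r.via in TUNNEL_ENDPOINT:
        if r.via in _seen:
            return ("RECURSIVE",)
        return (r.via,) + resolve(rib, TUNNEL_ENDPOINT[r.via], _seen + (r.via,))
    return resolve(rib, r.via, _seen)  # plain IP next hop: look up its own egress


# The spoke's RIB as posted: DHCP default (AD 254) out the WAN, corporate 10/8 via Tunnel0
SPOKE_AS_POSTED = [
    Route("0.0.0.0/0", ISP_GATEWAY, 254),
    Route("10.0.0.0/8", "Tunnel0", 1),
    Route("192.168.2.0/24", "GigabitEthernet8", 0),
]
# Once the hub advertises 0.0.0.0/0 over EIGRP (AD 90), it displaces the DHCP default
SPOKE_EIGRP_DEFAULT = SPOKE_AS_POSTED + [Route("0.0.0.0/0", "Tunnel0", 90)]
# Fix (assumed): pin the hub's public address to the WAN gateway with a host route, so
# resolving the tunnel peer never falls through to the default route.  IOS form:
#   ip route 203.0.113.10 255.255.255.255 192.168.2.1
SPOKE_FIXED = SPOKE_EIGRP_DEFAULT + [Route(HUB_PUBLIC + "/32", ISP_GATEWAY, 1)]
```

Running resolve() over the three tables shows the posted RIB sending internet traffic straight out GigabitEthernet8, the EIGRP default turning both internet and 10/8 lookups recursive, and the host route restoring Tunnel0 then GigabitEthernet8 for both.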
