03-04-2017 03:29 PM - edited 02-21-2020 09:10 PM
Hoping for some assistance on this issue, been racking my brain on it but find myself going in circles at this point.
We have implemented a hub and spoke IPSEC FlexVPN design with redundant hubs using certificate based auth. Loopback0 int used in a virtual template for creating virtual access instances for the spokes. I can supply configurations if necessary, but I feel I'm missing something fundamental that someone may be able to point out without configs. We are also in the process of migrating to EIGRP, which I have running on the hub and spoke.
The tunnel configuration is up and working, but intranet only; I'm unable to get internet traffic to route over the tunnel on the spoke router. When sourcing from our local LAN on the spoke I can get to everything on our network, but nothing outside that. Yes, I can NAT the WAN interface on the spoke, which will allow internet access not sourced from our network, but then traffic destined for the internet is not routed over the tunnel, and we are not wanting to do split tunneling.
From the HUB, I am able to get out to the internet, even from the lo0 interface, but from the client I don't seem to be getting anywhere. Traceroute from lan source to internet on the spoke shows immediate timeout.
Again, aside from not having internet access from the spoke via the IPSEC tunnel, there are no other issues, that is why I feel it's something simple I'm missing.
I'm guessing it is because the default route is to the local router interface, not tunnel0, but if I try to make the default route tunnel0 I end up with the tunnel bouncing due to a routing loop. So all intranet bound traffic has a route via eigrp via tunnel0, but the default route goes directly out the WAN interface, and I don't know how to correct that without recursive routing.
03-05-2017 03:11 PM
Sounds like you are not propagating the default route through EIGRP.
When you do a sh ip route on a spoke, what does it show? Can you add that to this post?
If your hub router has access to the internet breakout, you might want to redistribute the static default route into EIGRP.
03-05-2017 05:51 PM
Show ip route will show the default route as being the ISP gateway associated with the WAN interface, as opposed to Tunnel0.
I agree, but I have tried using redistribute static, and it does not propagate the default route on the hub through the tunnel to the spoke.
How about summarizing on the Virtual-Template, if possible? I have not tried it yet.
HUB(config-if)#ip summary-address eigrp 101 0.0.0.0 0.0.0.0
HUB(config)#ip route 0.0.0.0 0.0.0.0 Tunnel0
Then adding network 0.0.0.0 to router EIGRP.
03-06-2017 05:08 AM
Nope, that does work. Here are some configs:
! --- HUB ---
! (the interface heading below is inferred from the "ip unnumbered Loopback0" line that follows)
interface Loopback0
 ip address 10.100.200.1 255.255.255.0
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/1/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSECPROF
!
router eigrp 101
 no passive-interface Virtual-Template1
! --- SPOKE ---
crypto ikev2 client flexvpn FLEXCLIENT
 peer 2 x.x.x.x
 client connect Tunnel0
!
interface Tunnel0
 ip address negotiated
 tunnel source GigabitEthernet8
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile IPSECPROFILE
!
interface GigabitEthernet8
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 no ip route-cache cef
03-06-2017 02:46 PM
If you do a sh ip route at one of the spoke sites, what is the output you get?
03-07-2017 05:17 AM
Here is part of it; in between, which I omitted, are all our private address EIGRP routes:
H1000R-VPN#show ip route
Gateway of last resort is 192.168.2.1 to network 0.0.0.0
S* 0.0.0.0/0 [254/0] via 192.168.2.1
10.0.0.0/8 is variably subnetted, 55 subnets, 5 masks
S 10.0.0.0/8 is directly connected, Tunnel0
192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.2.0/24 is directly connected, GigabitEthernet8
L 192.168.2.2/32 is directly connected, GigabitEthernet8
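As an added example (not configuration from the thread or from any of its posters), the following hub and spoke fragments show the two pieces the discussion above circles around: the hub advertising a default route to each spoke with an EIGRP summary on the Virtual-Template, and the spoke keeping a host route to the hub's public address on the WAN so that a default route pointing into Tunnel0 does not make the tunnel destination resolve through the tunnel itself (the recursive routing flap the original poster describes). Interface names, the EIGRP AS 101, the IPsec profile names and the 192.168.2.1 gateway come from the thread; 203.0.113.10 (hub public address, standing in for "peer 2 x.x.x.x"), 198.51.100.1 (hub ISP gateway) and the NAT ACL name are assumed placeholders.

```ios
! ===== HUB (IKEv2 server side) =====
! Assumed placeholder: the hub's own default route toward its ISP.
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ! Send each spoke a 0.0.0.0/0 summary. The spoke installs it as an EIGRP route
 ! (AD 90), which beats the DHCP-installed default (AD 254) seen in the spoke's
 ! "show ip route" above, so internet-bound traffic follows Tunnel0.
 ip summary-address eigrp 101 0.0.0.0 0.0.0.0
 ! Spoke internet traffic enters here and must be translated on the hub WAN.
 ip nat inside
 tunnel source GigabitEthernet0/1/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSECPROF
!
interface GigabitEthernet0/1/0
 ip nat outside
!
! Assumed placeholder ACL: translate any 10/8 source (hub LANs and spoke LANs)
! leaving through the hub WAN interface.
ip access-list extended NAT-SOURCES
 permit ip 10.0.0.0 0.255.255.255 any
ip nat inside source list NAT-SOURCES interface GigabitEthernet0/1/0 overload
!
router eigrp 101
 network 10.0.0.0
 no passive-interface Virtual-Template1
!
! ===== SPOKE (FlexVPN client side) =====
! Host route to the hub's public address via the ISP gateway. This is what keeps
! the IKEv2/ESP packets to the hub on GigabitEthernet8 once the default route
! points into Tunnel0; without it the tunnel destination recurses through the
! tunnel and the tunnel bounces.
ip route 203.0.113.10 255.255.255.255 192.168.2.1
!
crypto ikev2 client flexvpn FLEXCLIENT
 peer 1 203.0.113.10
 client connect Tunnel0
!
interface Tunnel0
 ip address negotiated
 tunnel source GigabitEthernet8
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile IPSECPROFILE
!
router eigrp 101
 ! Assumed: the negotiated Tunnel0 address and the spoke LAN fall inside 10/8.
 network 10.0.0.0
```

Two caveats a practitioner would check before relying on this: the spoke's WAN gateway is learned by DHCP, so the static /32 toward the hub must be kept in step with that gateway (or pointed at the WAN interface with the gateway as next hop) if the ISP ever hands out a different one, and with redundant hubs the same /32 is needed for each hub's public address. The summary on the Virtual-Template also suppresses the more-specific EIGRP prefixes toward the spokes, which is fine here because every destination is reached via the hub anyway.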