OSPF Routing with FlexVPN Tunnel | Dynamic Spoke / Static Hub

Nils.w
Level 1

Hello all,

I have a little problem with my OSPF routing.

We want to set up a FlexVPN tunnel between a Cisco 2951 (Hub) and a Cisco 881G-4G LTE router (Spoke).

In this case we have a static public IP on the hub side and a dynamic public IP over LTE on the spoke side.

My FlexVPN tunnel is UP. I think the FlexVPN is working fine; IKEv2 and IPsec SAs are there.

The OSPF neighbor state is "full".

When I run a sh ip route on the hub side, I can see my OSPF routes, but on the spoke side I don't see any OSPF routes.

It seems that the hub is not advertising any routes.

If you need some parts of my config, please comment below.


@Nils.w 

Can you provide the output of "show crypto ikev2 sa detail" from both the hub and spoke?

Provide the output of the tunnel/template interface, ospf configuration and ikev2 authorisation profile configuration.

Hey @Rob Ingram,

Thank you for your post.

Actually I don't have an "ikev2 authorisation policy" - maybe this is the issue?

Here are the needed commands:

HUB:

sh crypto ikev2 sa detailed

IPv4 Crypto IKEv2 SA

Tunnel-id Local                        Remote                                 fvrf/ivrf   Status
1         PUBLIC-IP of the HUB/4500    PUBLIC NAT IP OF THE LTE SPOKE/18869   none/none   READY
Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/72897 sec
CE id: 14241, Session-id: 720
Status Description: Negotiation done
Local spi: E447D7C7AE0C6878 Remote spi: 4F1E411D9111D188
Local id: PUBLIC-IP of the HUB
Remote id: Internal IP of the Cellular Interface
Local req msg id: 0 Remote req msg id: 1662
Local next msg id: 0 Remote next msg id: 1662
Local req queued: 0 Remote req queued: 1662
Local window: 5 Remote window: 5
DPD configured for 0 seconds, retry 0
Fragmentation not configured.
Extended Authentication not configured.
NAT-T is detected outside
Cisco Trust Security SGT is disabled
Initiator of SA : No

IPv6 Crypto IKEv2 SA


sh run int virtual-template 10

interface Virtual-Template10 type tunnel
ip unnumbered Loopback10
ip mtu 1370
ip tcp adjust-mss 1330
tunnel source GigabitEthernet0/0
tunnel protection ipsec profile FLEX-IPSEC
end

router ospf 1
 redistribute static subnets route-map ROUTEMAP 
 passive-interface GigabitEthernet0/0
 network 172.23.10.0 0.0.0.255 area 1
 network 0.0.0.0 255.255.255.255 area 1
snmp-server enable traps ospf errors

Spoke:

sh crypto ikev2 sa detailed
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         Internal IP of the Cellular Interface/4500    PUBLIC-IP of the HUB /4500    none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/73274 sec
      CE id: 2007, Session-id: 6
      Status Description: Negotiation done
      Local spi: 4F1E411D9111D188       Remote spi: E447D7C7AE0C6878
      Local id: Internal IP of the Cellular Interface 
      Remote id: PUBLIC-IP of the HUB 
      Local req msg id:  1670           Remote req msg id:  0
      Local next msg id: 1670           Remote next msg id: 0
      Local req queued:  1670           Remote req queued:  0
      Local window:      5              Remote window:      5
      DPD configured for 0 seconds, retry 0
      Fragmentation not  configured.
      Dynamic Route Update: disabled
      Extended Authentication not configured.
      NAT-T is detected inside
      Cisco Trust Security SGT is disabled
      Initiator of SA : Yes
      Post NATed Address  : PUBLIC NAT IP OF THE LTE SPOKE

 IPv6 Crypto IKEv2  SA

interface Tunnel9910
 ip address 172.23.10.3 255.255.255.0
 ip mtu 1370
 ip tcp adjust-mss 1330
 tunnel source Cellular0
 tunnel destination dynamic
 tunnel protection ipsec profile FLEX-IPSEC
end

router ospf 1
 redistribute static subnets
 passive-interface Cellular0
 passive-interface Loopback0
 network 11.11.11.0 0.0.0.255 area 1
 network 172.23.10.0 0.0.0.255 area 1

Regards!

@Nils.w Can you even ping between the tunnel interfaces? You could try creating an IKEv2 authorisation profile with the command "route set interface".

Yes, a virtual-access interface was created.

You mean ping the 172.23.10.3 from the hub and ping the 172.23.10.1 (Loopback10) from the spoke?

@Nils.w Yes, to confirm they can actually communicate over the tunnel.

No, that doesn't work.

Milos_Jovanovic
VIP Alumni

Hi @Nils.w,

On the Spoke router, you have this configuration:

interface Tunnel9910
 tunnel destination dynamic

For the destination, on Spoke side, IP of Hub must be configured (otherwise, how would it know where to initiate the tunnel). Or was this a mistake from the masquerading?

BR,

Milos

@Milos_Jovanovic I assume that @Nils.w is using the flexvpn client config (not shown here), which defines the hub or a list of hub IP addresses.

@Nils.w If the tunnel IP addresses cannot communicate, can you define the ikev2 authz config I suggested? This will push out the tunnel IP address to the peer.

@Rob Ingram @Milos_Jovanovic yes, I'm using the FlexVPN config.

@Rob Ingram could you give me a short example for the ikev2 auth policy? That would be awesome!

Thank you!

@Nils.w here is an example of IKEv2 AuthZ, amend accordingly.

 

aaa new-model
aaa authorization network FLEX_LOCAL local
!
crypto ikev2 authorization policy IKEV2_AUTHZ
 route set interface
!
crypto ikev2 profile IKEV2_PROFILE
 aaa authorization group psk list FLEX_LOCAL IKEV2_AUTHZ

@Rob Ingram thank you!

Now I'm able to ping my tunnel endpoints.

@Rob Ingram

Do you have an idea why I don't get any OSPF routes on my spoke?

Can you advise if you ever received a solution regarding this issue, because I am experiencing the same issue. Thanks.

@craineri Yeah, I have a solution for this. First you need the ikev2 authorization policy.

After that you must check your tunnel interface configuration on hub and spoke. If you use, like me, the command "ip unnumbered loopbackXY" for the virtual-template on the hub, then you must use it on the spoke tunnel interface too.

That was the big reason why I didn't receive any OSPF routes.

I hope this helps you a bit!
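As an added check that is not from this thread or from Cisco: a small Python script that parses IOS config snippets and flags the two pitfalls the thread ends up identifying, the hub's virtual-template and the spoke's tunnel interface using different addressing modes (ip unnumbered vs. ip address), and the hub's ikev2 profile binding no authorization policy that contains route set interface. The sample configs are constructed from the snippets posted above, not the poster's full running-configs.

```python
# Constructed snippets modelled on the configs posted in this thread (not the full configs).
HUB_CONFIG = """\
crypto ikev2 authorization policy IKEV2_AUTHZ
 route set interface
crypto ikev2 profile IKEV2_PROFILE
 aaa authorization group psk list FLEX_LOCAL IKEV2_AUTHZ
interface Virtual-Template10 type tunnel
 ip unnumbered Loopback10
"""
SPOKE_CONFIG = """\
interface Tunnel9910
 ip address 172.23.10.3 255.255.255.0
 tunnel destination dynamic
"""

def parse_blocks(config):
    """Map each top-level IOS command to the list of its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and line.strip() and current is not None:
            blocks[current].append(line.strip())
        elif line.strip() and not line.startswith(("!", " ")):
            current = line.strip()
            blocks[current] = []
    return blocks

def addressing_mode(blocks, prefix):
    """Return 'unnumbered' or 'address' for the first interface whose name starts with prefix."""
    for name, subs in blocks.items():
        if name.startswith(prefix):
            modes = [s.split()[1] for s in subs if s.startswith(("ip unnumbered", "ip address"))]
            return modes[0] if modes else None
    return None

def authz_pushes_route(blocks):
    """True when a crypto ikev2 profile binds an authorization policy containing 'route set interface'."""
    policies = {n.split()[-1] for n, subs in blocks.items()
                if n.startswith("crypto ikev2 authorization policy") and "route set interface" in subs}
    bound = [s.split()[-1] for n, subs in blocks.items() if n.startswith("crypto ikev2 profile")
             for s in subs if s.startswith("aaa authorization group")]
    return any(p in policies for p in bound)

def check_flexvpn(hub_cfg, spoke_cfg):
    """Return findings for the two pitfalls from the thread; an empty list means both are addressed."""
    hub, spoke = parse_blocks(hub_cfg), parse_blocks(spoke_cfg)
    h = addressing_mode(hub, "interface Virtual-Template")
    s = addressing_mode(spoke, "interface Tunnel")
    findings = [f"tunnel addressing mismatch: hub uses 'ip {h}', spoke uses 'ip {s}'"] if h != s else []
    if not authz_pushes_route(hub):
        findings.append("hub ikev2 profile binds no authorization policy with 'route set interface'")
    return findings
```

Run check_flexvpn(HUB_CONFIG, SPOKE_CONFIG) against the snippets as posted and it reports the addressing mismatch; switch the spoke tunnel to ip unnumbered and the list comes back empty.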