11-11-2014 07:48 AM - edited 02-21-2020 07:55 PM
Hi,
topology:
c2901[public IP]----(internet)-----[some nat device]---c881
IOS 15.4(3)M on both ends.
c2901: hub
c881: spoke
I think I tested all the possible examples I found.
On hub:
ikev2 stuck in IN-NEG: Status Description: Responder waiting for AUTH message
On spoke:
ikev2 stuck in IN-NEG: Status Description: Initiator waiting for INIT response
c2901 config:
aaa new-model
aaa authorization network default local
crypto ipsec transform-set test esp-aes 256 esp-md5-hmac
 mode transport
crypto ikev2 authorization policy test
crypto ikev2 profile test
 match address local [public_IP_of_c2901]
 match identity remote fqdn spoke.test
 identity local fqdn hub.test
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint hub.test
 nat keepalive 20
 aaa authorization group cert list default test
 virtual-template 2
crypto ipsec profile test
 set transform-set test
 set ikev2-profile test
interface Virtual-Template2 type tunnel
 ip address 10.128.99.1 255.255.255.252
 ip mtu 1400
 ip nhrp network-id 999
 ip nhrp redirect
 tunnel source GigabitEthernet0/0
 tunnel protection ipsec profile test shared
c880 config:
aaa new-model
aaa authorization network default local
crypto ipsec transform-set test esp-aes 256 esp-md5-hmac
 mode transport
crypto ikev2 authorization policy test
crypto ikev2 profile test
 match address local interface FastEthernet4
 match identity remote fqdn hub.test
 identity local fqdn spoke.test
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint test
 nat keepalive 20
 aaa authorization group cert list default test
crypto ipsec profile test
 set transform-set test
 set ikev2-profile test
interface Tunnel999
 ip address 10.128.99.2 255.255.255.252
 ip mtu 1400
 ip nhrp network-id 999
 ip nhrp redirect
 tunnel source FastEthernet4
 tunnel destination [public_IP_of_c2901]
 tunnel protection ipsec profile test shared
interface FastEthernet4
 ip address dhcp
I have no problem establishing an IPsec tunnel when both ends have static public IPs, with the same PKI used on both ends. The only difference is that on both sides I do not have any virtual templates, just tunnel interfaces.
What I am trying to achieve is a working p2p tunnel from a spoke on DHCP behind NAT to a hub on a public IP. I think I spent the last 2 months trying to get it working. Please help.
11-30-2014 12:43 PM
Hi
The reply from the Hub isn't coming back to the spoke - check the NAT device to see why this is being dropped.
cheers
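The reply points at finding where the hub's answer gets lost. As an added example (not from either poster), this parses IKEv2 headers from packets captured at one point, for instance on the inside of the NAT device, and reports the first missing step of the exchange; the SPI values and packets are constructed, and `parse_ike`, `exchange_progress` and `make_ike` are names I chose.

```python
import struct

# IKEv2 header (RFC 7296 s.3.1): SPIi, SPIr, next payload, version, exchange type,
# flags, message ID, length; 28 bytes in network byte order.
IKE_HDR = struct.Struct("!QQBBBBII")
EXCHANGE = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
NON_ESP_MARKER = b"\x00" * 4  # prefix on UDP/4500 (NAT-T) packets that carry IKE, not ESP

def parse_ike(udp_port, payload):
    """Return (exchange_name, is_response, spi_i, spi_r, msg_id) or None if not IKEv2."""
    if udp_port == 4500:
        if not payload.startswith(NON_ESP_MARKER):
            return None          # UDP-encapsulated ESP data, not an IKE message
        payload = payload[4:]
    if len(payload) < IKE_HDR.size:
        return None
    spi_i, spi_r, _np, version, exch, flags, msg_id, _len = IKE_HDR.unpack_from(payload)
    if version >> 4 != 2:
        return None              # major version 2 = IKEv2
    return EXCHANGE.get(exch, "UNKNOWN"), bool(flags & FLAG_RESPONSE), spi_i, spi_r, msg_id

def exchange_progress(packets):
    """packets: (udp_port, payload) pairs seen at one capture point; names the first missing step."""
    seen = set()
    for port, payload in packets:
        hdr = parse_ike(port, payload)
        if hdr:
            seen.add((hdr[0], "response" if hdr[1] else "request"))
    if ("IKE_SA_INIT", "request") not in seen:
        return "no IKE_SA_INIT request: spoke traffic not reaching this point"
    if ("IKE_SA_INIT", "response") not in seen:
        return "IKE_SA_INIT response missing: hub reply dropped before this point"
    if ("IKE_AUTH", "request") not in seen:
        return "IKE_SA_INIT done, no IKE_AUTH request: spoke stalled after INIT"
    if ("IKE_AUTH", "response") not in seen:
        return "IKE_AUTH request sent, no response: hub did not complete AUTH"
    return "IKE_SA_INIT and IKE_AUTH both completed"

def make_ike(spi_i, spi_r, exch, flags, msg_id, natt=False):
    """Build a header-only IKEv2 message (constructed sample, no payloads)."""
    hdr = IKE_HDR.pack(spi_i, spi_r, 0, 0x20, exch, flags, msg_id, IKE_HDR.size)
    return (NON_ESP_MARKER + hdr) if natt else hdr

# Constructed captures; SPIs are made up. IKE_SA_INIT runs on UDP/500; after NAT detection
# both peers move to UDP/4500 with the non-ESP marker for IKE_AUTH.
SPI_I, SPI_R = 0x1122334455667788, 0x8877665544332211
INIT_REQ = (500, make_ike(SPI_I, 0, 34, FLAG_INITIATOR, 0))
INIT_RESP = (500, make_ike(SPI_I, SPI_R, 34, FLAG_RESPONSE, 0))
AUTH_REQ = (4500, make_ike(SPI_I, SPI_R, 35, FLAG_INITIATOR, 1, natt=True))
ESP_DATA = (4500, b"\x12\x34\x56\x78" + b"\x00" * 24)  # UDP-encapsulated ESP, SPI non-zero
STUCK_AT_SPOKE = [INIT_REQ, INIT_REQ, INIT_REQ]        # only INIT retransmits, as in the thread
PAST_INIT = [INIT_REQ, INIT_RESP, AUTH_REQ, ESP_DATA]
```

Capturing the same flow on the spoke's WAN side and on the hub and comparing the verdicts shows which hop drops the IKE_SA_INIT response.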