Unable to reach LAN networks across FlexVPN using BGP

I am trying to figure out where I've gone wrong. I am able to get the FlexVPN tunnel up and running (I can ping the hub loopback from the spoke, and the spoke's assigned address on the VPN tunnel), but I cannot ping/reach the LAN networks on the other side.

Hardware is a 1921 ISR for the hub and an 819G cellular ISR for the spoke.


Any help is greatly appreciated!


Hub:

Loopback 10.1.1.1

LAN 10.0.0.0/24 (.1 is on interface)


Spoke:

FlexVPN assigned 10.1.1.100 to the tunnel

LAN 10.0.1.0/24 (.1 is on interface)


BGP Outputs:

Test_Spoke_Router#sh ip bgp summary
BGP router identifier 162.191.17.251, local AS number 65001
BGP table version is 1, main routing table version 1

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.1.1.1        4        65001      24      25        1    0    0 00:19:19        0
Test_Router#sh ip route 10.0.0.1
% Subnet not in table
Test_Spoke_Router#
Mgmt_Hub_LAB#sh ip bgp summary
BGP router identifier 10.1.1.1, local AS number 65001
BGP table version is 1, main routing table version 1

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
*10.1.1.100     4        65001      26      26        1    0    0 00:20:15        0
* Dynamically created based on a listen range command
Dynamically created neighbors: 1, Subnet ranges: 1

BGP peergroup Spokes listen range group members:
  10.1.1.0/24

Total dynamically created neighbors: 1/(100 max), Subnet ranges: 1

Mgmt_Hub_LAB#sh ip route 10.0.1.1
% Subnet not in table
Mgmt_Hub_LAB#
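A note on reading the output above: in IOS the last column of `show ip bgp summary` is a prefix count when the session is Established and a state name (Idle, Active, ...) otherwise, so both sessions are up but neither side has received a single prefix. The next thing to check is what each router originates. A `network` statement without `mask` uses the classful mask (10.0.0.0 becomes 10.0.0.0/8), and BGP only originates it when that exact prefix exists in the routing table. The following Python script is an added example, not part of the original thread; it parses the two summary lines and the `router bgp` stanzas as posted (the routing-table contents are assumed from the connected interfaces in the configs) and reports both conditions.

```python
import re
import ipaddress

# Constructed sample: the two "show ip bgp summary" neighbor lines from the thread
# (the hub line carries the '*' that marks a dynamically created neighbor).
BGP_SUMMARY_LINES = [
    "10.1.1.1        4        65001      24      25        1    0    0 00:19:19        0",
    "*10.1.1.100     4        65001      26      26        1    0    0 00:20:15        0",
]

# Constructed sample: the "router bgp" stanzas as posted.
HUB_BGP = """router bgp 65001
 bgp log-neighbor-changes
 bgp listen range 10.1.1.0/24 peer-group Spokes
 network 10.0.0.0
 aggregate-address 10.0.0.0 255.255.0.0 summary-only
 neighbor Spokes peer-group
 neighbor Spokes remote-as 65001
"""
SPOKE_BGP = """router bgp 65001
 bgp log-neighbor-changes
 network 10.0.1.0
 neighbor 10.1.1.1 remote-as 65001
"""

# Assumed routing-table contents: the connected prefixes from each config.
HUB_RIB = ["10.0.0.0/24", "10.0.7.0/24", "10.1.1.1/32"]
SPOKE_RIB = ["10.0.1.0/24"]


def parse_summary_line(line):
    """Return (neighbor, state, prefixes_received) for one neighbor line.
    The last column is a count when Established and a state name otherwise."""
    fields = line.lstrip("*").split()
    neighbor, last = fields[0], fields[-1]
    if last.isdigit():
        return neighbor, "Established", int(last)
    return neighbor, last, 0


def classful_prefix(addr):
    """Classful mask IOS applies to a 'network' statement that has no 'mask'."""
    first = int(addr.split(".")[0])
    if first < 128:
        plen = 8          # class A
    elif first < 192:
        plen = 16         # class B
    else:
        plen = 24         # class C
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def network_statements(stanza):
    """Yield the prefix each 'network' line would try to originate."""
    for m in re.finditer(r"^\s*network (\S+)(?: mask (\S+))?", stanza, re.M):
        addr, mask = m.group(1), m.group(2)
        if mask:
            yield ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        else:
            yield classful_prefix(addr)


def originated(stanza, rib):
    """Prefixes BGP will actually originate: a 'network' statement only
    takes effect when the exact prefix is present in the routing table."""
    table = {ipaddress.ip_network(p) for p in rib}
    return [str(p) for p in network_statements(stanza) if p in table]


def diagnose(summary_lines, stanza, rib):
    """Findings for one router: up-but-empty sessions and dead network statements."""
    findings = []
    for line in summary_lines:
        nbr, state, pfx = parse_summary_line(line)
        if state == "Established" and pfx == 0:
            findings.append(f"{nbr}: session Established but 0 prefixes received")
    table = {ipaddress.ip_network(p) for p in rib}
    for p in network_statements(stanza):
        if p not in table:
            findings.append(f"network {p}: no exact match in routing table, nothing originated")
    return findings


if __name__ == "__main__":
    for name, lines, stanza, rib in (("hub", BGP_SUMMARY_LINES[1:], HUB_BGP, HUB_RIB),
                                     ("spoke", BGP_SUMMARY_LINES[:1], SPOKE_BGP, SPOKE_RIB)):
        print(name, *diagnose(lines, stanza, rib), sep="\n  ")
```

With the stanzas as posted, `originated()` returns an empty list for both routers; adding `mask 255.255.255.0` to each `network` line (or redistributing connected) is what makes the /24s eligible, and the hub's `aggregate-address` also needs at least one such more-specific prefix in the BGP table before it produces a summary.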

Hub Configuration (minimally sanitized)

Mgmt_Hub_LAB#sh run
Building configuration...

Current configuration : 4502 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Mgmt_Hub_LAB
!
boot-start-marker
boot-end-marker
!
!
logging buffered informational
!
aaa new-model
!
!
aaa authorization network default local
!
!
!
!
!
aaa session-id common
!
ip cef
!
!
!
ip dhcp excluded-address 10.0.0.1 10.0.0.100
!
ip dhcp pool 10.0.0.x-ccp-pool
 import all
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.1
 dns-server 8.8.8.8 4.2.2.2
 lease 0 2
!
!
!
ip domain name example.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
login block-for 120 attempts 3 within 120
login quiet-mode access-class RTR_MGMT
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn ****************
!
!
!
vtp mode transparent
!
redundancy
crypto ikev2 authorization policy default
 pool FlexSpokes
 route set interface
!
!
!
crypto ikev2 keyring Flex_key
 peer Spokes
  address 0.0.0.0 0.0.0.0
  pre-shared-key local cisco
  pre-shared-key remote cisco
 !
!
!
crypto ikev2 profile Flex_IKEv2
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local Flex_key
 aaa authorization group psk list default default
 virtual-template 1
!
crypto ikev2 dpd 30 5 on-demand
!
!
ip ssh version 2
!
!
!
crypto ipsec transform-set IKEv2 esp-gcm
 mode transport
!
crypto ipsec profile default
 set transform-set IKEv2
 set ikev2-profile Flex_IKEv2
!
!
interface Loopback0
 description FlexVPN Termination
 ip address 10.1.1.1 255.255.255.255
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Public Internet
 ip address ****** 255.255.255.0
 ip access-group Inbound in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description LAN Networks
 ip address 10.0.7.1 255.255.255.0 secondary
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip nhrp network-id 2
 ip nhrp redirect
 tunnel path-mtu-discovery
 tunnel protection ipsec profile default
!
router bgp 65001
 bgp log-neighbor-changes
 bgp listen range 10.1.1.0/24 peer-group Spokes
 network 10.0.0.0
 aggregate-address 10.0.0.0 255.255.0.0 summary-only
 neighbor Spokes peer-group
 neighbor Spokes remote-as 65001
!
ip local pool FlexSpokes 10.1.1.100 10.1.1.254
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
no ip nat service sip udp port 5060
no ip nat service sip tcp port 5060
ip nat inside source list NATout-Acl interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 ****PUBLIC INTERNET DEFAULT GATEWAY*****
!
ip access-list extended NATout-Acl
 permit ip 10.0.0.0 0.0.0.255 any
 permit ip 10.0.7.0 0.0.0.255 any
ip access-list extended RTR_MGMT
 permit ip 10.0.0.0 0.255.255.255 any
 permit ip 192.168.0.0 0.0.0.255 any
!
no cdp run
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
 access-class RTR_MGMT in
line 2
 access-class RTR_MGMT in
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class RTR_MGMT in
 logging synchronous
 transport input telnet ssh
line vty 5 15
 access-class RTR_MGMT in
 logging synchronous
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp peer ip pool.ntp.org
end

Mgmt_Hub_LAB#

Spoke Config (Minimally Sanitized)

Test_Spoke_Router#sh run
Building configuration...

Current configuration : 8060 bytes
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
!
hostname Test_Spoke_Router
!
boot-start-marker
boot system flash:c800-universalk9-mz.SPA.156-3.M2.bin
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authorization network default local
!
!
!
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1160612584
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1160612584
 revocation-check none
 rsakeypair TP-self-signed-1160612584
!
!
ip dhcp excluded-address 10.0.1.1 10.0.1.99
!
!
ip dhcp pool temp
 import all
 network 10.0.1.0 255.255.255.0
 default-router 10.0.1.1
 dns-server 8.8.8.8 8.8.4.4
!
!
!
ip domain name example.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect WAAS flush-timeout 10
!
ip cef
login block-for 120 attempts 3 within 120
login quiet-mode access-class RTR_MGMT
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
!
!
!
!
!
license udi pid C819G-LTE-MNA-K9 sn FJC2107L225
!
!
!
redundancy
 notification-timer 120000
!
!
!
crypto ikev2 keyring Flex_key
 peer Spokes
  address 0.0.0.0 0.0.0.0
  pre-shared-key local cisco
  pre-shared-key remote cisco
 !
!
!
crypto ikev2 profile Flex_IKEv2
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring local Flex_key
 aaa authorization group psk list default default
 virtual-template 1
!
crypto ikev2 dpd 30 5 on-demand
!
!
controller Cellular 0
 lte gps mode standalone
 lte modem link-recovery rssi onset-threshold -110
 lte modem link-recovery monitor-timer 20
 lte modem link-recovery wait-timer 10
 lte modem link-recovery debounce-count 6
no cdp run
!
!
!
!
crypto ipsec transform-set IKEv2 esp-gcm
 mode transport
!
crypto ipsec profile default
 set transform-set IKEv2
 set ikev2-profile Flex_IKEv2
!
!
!
!
!
!
!
interface Tunnel1
 ip address negotiated
 ip mtu 1400
 ip nhrp network-id 2
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 ip tcp adjust-mss 1360
 tunnel source Cellular0
 tunnel destination ****PUBLIC IP OF HUB ROUTER****
 tunnel path-mtu-discovery
 tunnel protection ipsec profile default
!
interface Cellular0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation slip
 dialer in-band
 dialer string lte
 dialer watch-group 1
 async mode interactive
!
interface Cellular1
 no ip address
 encapsulation slip
 shutdown
!
interface FastEthernet0
 switchport access vlan 10
 no ip address
 spanning-tree portfast
!
interface FastEthernet1
 switchport access vlan 10
 no ip address
 spanning-tree portfast
!
interface FastEthernet2
 switchport access vlan 10
 no ip address
 spanning-tree portfast
!
interface FastEthernet3
 switchport access vlan 10
 no ip address
 spanning-tree portfast
!
interface GigabitEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0
 no ip address
 shutdown
 clock rate 2000000
!
interface Virtual-Template1 type tunnel
 ip unnumbered Tunnel1
 ip mtu 1400
 ip nhrp network-id 2
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 ip tcp adjust-mss 1360
 tunnel path-mtu-discovery
 tunnel protection ipsec profile default
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map clear-df
!
router bgp 65001
 bgp log-neighbor-changes
 network 10.0.1.0
 neighbor 10.1.1.1 remote-as 65001
!
ip forward-protocol nd
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip ftp username User
ip ftp password 123
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat inside source list 23 interface Cellular0 overload
ip nat inside source list 100 interface Cellular0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh source-interface Cellular0
ip ssh version 2
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip access-list standard RTR_MGMT
 permit 10.0.0.0 0.255.255.255
 permit 192.168.67.0 0.0.0.255
!
ip access-list extended Management_Access
 permit tcp any any eq telnet log
 permit tcp any any eq 22 log
 deny   tcp any any eq www log
ip access-list extended VTY_ACCESS
 permit tcp 10.0.0.0 0.255.255.255 any eq 22 log
 permit tcp 10.0.0.0 0.255.255.255 any eq telnet log
 deny   ip any any log
!
dialer watch-list 1 ip 5.6.7.8 0.0.0.0
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
ipv6 ioam timestamp
!
route-map clear-df permit 10
 set ip df 0
!
snmp-server community public RO
access-list 100 permit ip any any
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
line con 0
 no modem enable
line aux 0
 access-class Management_Access in
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 stopbits 1
line 3
 script dialer lte
 modem InOut
 no exec
 rxspeed 100000000
 txspeed 50000000
line 8
 no exec
 rxspeed 100000000
 txspeed 50000000
line vty 0 4
 access-class Management_Access in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class Management_Access in
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
!
!
!
!
!
end

Test_Spoke_Router#


For basic configuration and testing, I used the following help guide: https://www.cisco.com/c/en/us/support/docs/security/dynamic-multipoint-vpn-dmvpn/115726-flexvpn-hardmove-same-00.html


Hi,

Ensure that traffic from the spoke's local LAN interface to the hub is not being NATed. Modify your NAT ACL: on the first line, deny traffic from local networks to hub networks, then permit any.


HTH
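To see why the ordering in that advice matters, here is an added example (not part of the reply or the original configs) that evaluates IOS-style extended ACL entries the way `ip nat inside source list` does: first match wins, implicit deny at the end, and a flow is translated only when the ACL permits it. The "before" list is the spoke's `access-list 100 permit ip any any` as posted; the "after" list is an assumed rewrite with the deny line in front. The hub's `NATout-Acl` as posted is included as well, because it permits 10.0.0.0/24 to anywhere and so translates hub-LAN-to-spoke-LAN traffic in the same way.

```python
import ipaddress

# Constructed sample flows: spoke LAN host to a hub LAN host, and to the Internet.
FLOWS = {
    "spoke-lan-to-hub-lan": ("10.0.1.50", "10.0.0.20"),
    "spoke-lan-to-internet": ("10.0.1.50", "93.184.216.34"),
}

# Spoke NAT ACL as posted: matches everything, including tunnel traffic.
ACL_BEFORE = ["permit ip any any"]

# Assumed rewrite of access-list 100 following the reply (not from the thread):
# deny local LAN to hub LAN first, then permit the rest.
ACL_AFTER = [
    "deny ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255",
    "permit ip any any",
]

# Hub NATout-Acl as posted; it has the same problem in the reverse direction.
HUB_ACL_AS_POSTED = [
    "permit ip 10.0.0.0 0.0.0.255 any",
    "permit ip 10.0.7.0 0.0.0.255 any",
]


def _matches(addr, tokens):
    """Consume one address spec ('any', 'host A.B.C.D', or 'A.B.C.D WILDCARD')
    and return (matched, remaining_tokens). Wildcard bits set to 1 are 'don't care'."""
    if tokens[0] == "any":
        return True, tokens[1:]
    if tokens[0] == "host":
        return addr == ipaddress.ip_address(tokens[1]), tokens[2:]
    base = int(ipaddress.ip_address(tokens[0]))
    wild = int(ipaddress.ip_address(tokens[1]))
    care = 0xFFFFFFFF ^ wild                     # bits that must match
    return (int(addr) & care) == (base & care), tokens[2:]


def acl_action(acl, src, dst):
    """First-match evaluation of 'permit|deny ip SRC DST' entries; implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in acl:
        tokens = entry.split()
        action, proto = tokens[0], tokens[1]
        if proto != "ip":
            continue                             # only 'ip' entries modelled here
        s_ok, rest = _matches(src, tokens[2:])
        d_ok, _ = _matches(dst, rest)
        if s_ok and d_ok:
            return action
    return "deny"


def will_be_natted(acl, src, dst):
    """'ip nat inside source list' translates a flow only when the ACL permits it."""
    return acl_action(acl, src, dst) == "permit"


def compare(flows=FLOWS):
    """Per flow: (translated with ACL_BEFORE, translated with ACL_AFTER)."""
    return {name: (will_be_natted(ACL_BEFORE, s, d), will_be_natted(ACL_AFTER, s, d))
            for name, (s, d) in flows.items()}


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name}: before={result[0]} after={result[1]}")
    print("hub LAN -> spoke LAN natted by hub ACL as posted:",
          will_be_natted(HUB_ACL_AS_POSTED, "10.0.0.20", "10.0.1.50"))
```

If the deny line were placed after `permit ip any any` it would never be reached, which is the point of putting it first; the same deny-then-permit pattern applies to the hub's `NATout-Acl` for the 10.0.0.0/24 and 10.0.7.0/24 sources toward 10.0.1.0/24.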
