02-03-2020 05:37 PM - edited 02-21-2020 09:51 PM
I am trying to figure out where I've gone wrong. I am able to get the FlexVPN tunnel up and running (I can ping the hub loopback from the spoke, and the spoke's assigned address to the VPN tunnel), but I cannot ping/reach the LAN networks of the other.
Hardware is a 1921 ISR for the Hub, and an 819G Cellular ISR for the Spoke.
Any help is greatly appreciated!
Hub:
Loopback 10.1.1.1
LAN 10.0.0.0/24 (.1 is on interface)
Spoke:
FlexVPN assigned 10.1.1.100 to the tunnel
LAN 10.0.1.0/24 (.1 is on interface)
BGP Outputs:
Test_Spoke_Router#sh ip bgp summary
BGP router identifier 162.191.17.251, local AS number 65001
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.1.1.1        4 65001      24      25        1    0    0 00:19:19        0

Test_Router#sh ip route 10.0.0.1
% Subnet not in table
Test_Spoke_Router#
Mgmt_Hub_LAB#sh ip bgp summary
BGP router identifier 10.1.1.1, local AS number 65001
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
*10.1.1.100     4 65001      26      26        1    0    0 00:20:15        0
* Dynamically created based on a listen range command
Dynamically created neighbors: 1, Subnet ranges: 1

BGP peergroup Spokes listen range group members:
  10.1.1.0/24

Total dynamically created neighbors: 1/(100 max), Subnet ranges: 1

Mgmt_Hub_LAB#sh ip route 10.0.1.1
% Subnet not in table
Mgmt_Hub_LAB#
Hub Configuration (minimally sanitized)
Mgmt_Hub_LAB#sh run
Building configuration...

Current configuration : 4502 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Mgmt_Hub_LAB
!
boot-start-marker
boot-end-marker
!
logging buffered informational
!
aaa new-model
!
aaa authorization network default local
!
aaa session-id common
!
ip cef
!
ip dhcp excluded-address 10.0.0.1 10.0.0.100
!
ip dhcp pool 10.0.0.x-ccp-pool
 import all
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.1
 dns-server 8.8.8.8 4.2.2.2
 lease 0 2
!
ip domain name example.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
login block-for 120 attempts 3 within 120
login quiet-mode access-class RTR_MGMT
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO1921/K9 sn ****************
!
vtp mode transparent
!
redundancy
crypto ikev2 authorization policy default
 pool FlexSpokes
 route set interface
!
crypto ikev2 keyring Flex_key
 peer Spokes
  address 0.0.0.0 0.0.0.0
  pre-shared-key local cisco
  pre-shared-key remote cisco
 !
!
crypto ikev2 profile Flex_IKEv2
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local Flex_key
 aaa authorization group psk list default default
 virtual-template 1
!
crypto ikev2 dpd 30 5 on-demand
!
ip ssh version 2
!
crypto ipsec transform-set IKEv2 esp-gcm
 mode transport
!
crypto ipsec profile default
 set transform-set IKEv2
 set ikev2-profile Flex_IKEv2
!
interface Loopback0
 description FlexVPN Termination
 ip address 10.1.1.1 255.255.255.255
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Public Internet
 ip address ****** 255.255.255.0
 ip access-group Inbound in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description LAN Networks
 ip address 10.0.7.1 255.255.255.0 secondary
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip nhrp network-id 2
 ip nhrp redirect
 tunnel path-mtu-discovery
 tunnel protection ipsec profile default
!
router bgp 65001
 bgp log-neighbor-changes
 bgp listen range 10.1.1.0/24 peer-group Spokes
 network 10.0.0.0
 aggregate-address 10.0.0.0 255.255.0.0 summary-only
 neighbor Spokes peer-group
 neighbor Spokes remote-as 65001
!
ip local pool FlexSpokes 10.1.1.100 10.1.1.254
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
no ip nat service sip udp port 5060
no ip nat service sip tcp port 5060
ip nat inside source list NATout-Acl interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 ****PUBLIC INTERNET DEFAULT GATEWAY*****
!
ip access-list extended NATout-Acl
 permit ip 10.0.0.0 0.0.0.255 any
 permit ip 10.0.7.0 0.0.0.255 any
ip access-list extended RTR_MGMT
 permit ip 10.0.0.0 0.255.255.255 any
 permit ip 192.168.0.0 0.0.0.255 any
!
no cdp run
!
control-plane
!
line con 0
line aux 0
 access-class RTR_MGMT in
line 2
 access-class RTR_MGMT in
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class RTR_MGMT in
 logging synchronous
 transport input telnet ssh
line vty 5 15
 access-class RTR_MGMT in
 logging synchronous
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp peer ip pool.ntp.org
end

Mgmt_Hub_LAB#
Spoke Config (Minimally Sanitized)
Test_Spoke_Router#sh run
Building configuration...

Current configuration : 8060 bytes
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
!
hostname Test_Spoke_Router
!
boot-start-marker
boot system flash:c800-universalk9-mz.SPA.156-3.M2.bin
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
aaa authorization network default local
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1160612584
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1160612584
 revocation-check none
 rsakeypair TP-self-signed-1160612584
!
ip dhcp excluded-address 10.0.1.1 10.0.1.99
!
ip dhcp pool temp
 import all
 network 10.0.1.0 255.255.255.0
 default-router 10.0.1.1
 dns-server 8.8.8.8 8.8.4.4
!
ip domain name example.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect WAAS flush-timeout 10
!
ip cef
login block-for 120 attempts 3 within 120
login quiet-mode access-class RTR_MGMT
no ipv6 cef
!
multilink bundle-name authenticated
!
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
!
license udi pid C819G-LTE-MNA-K9 sn FJC2107L225
!
redundancy
 notification-timer 120000
!
crypto ikev2 keyring Flex_key
 peer Spokes
  address 0.0.0.0 0.0.0.0
  pre-shared-key local cisco
  pre-shared-key remote cisco
 !
!
crypto ikev2 profile Flex_IKEv2
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring local Flex_key
 aaa authorization group psk list default default
 virtual-template 1
!
crypto ikev2 dpd 30 5 on-demand
!
controller Cellular 0
 lte gps mode standalone
 lte modem link-recovery rssi onset-threshold -110
 lte modem link-recovery monitor-timer 20
 lte modem link-recovery wait-timer 10
 lte modem link-recovery debounce-count 6
no cdp run
!
crypto ipsec transform-set IKEv2 esp-gcm
 mode transport
!
crypto ipsec profile default
 set transform-set IKEv2
 set ikev2-profile Flex_IKEv2
!
interface Tunnel1
 ip address negotiated
 ip mtu 1400
 ip nhrp network-id 2
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 ip tcp adjust-mss 1360
 tunnel source Cellular0
 tunnel destination ****PUBLIC IP OF HUB ROUTER****
 tunnel path-mtu-discovery
 tunnel protection ipsec profile default
!
interface Cellular0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation slip
 dialer in-band
 dialer string lte
 dialer watch-group 1
 async mode interactive
!
interface Cellular1
 no ip address
 encapsulation slip
 shutdown
!
interface FastEthernet0
 switchport access vlan 10
 no ip address
 spanning-tree portfast
!
interface FastEthernet1
 switchport access vlan 10
 no ip address
 spanning-tree portfast
!
interface FastEthernet2
 switchport access vlan 10
 no ip address
 spanning-tree portfast
!
interface FastEthernet3
 switchport access vlan 10
 no ip address
 spanning-tree portfast
!
interface GigabitEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0
 no ip address
 shutdown
 clock rate 2000000
!
interface Virtual-Template1 type tunnel
 ip unnumbered Tunnel1
 ip mtu 1400
 ip nhrp network-id 2
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 ip tcp adjust-mss 1360
 tunnel path-mtu-discovery
 tunnel protection ipsec profile default
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map clear-df
!
router bgp 65001
 bgp log-neighbor-changes
 network 10.0.1.0
 neighbor 10.1.1.1 remote-as 65001
!
ip forward-protocol nd
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip ftp username User
ip ftp password 123
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat inside source list 23 interface Cellular0 overload
ip nat inside source list 100 interface Cellular0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh source-interface Cellular0
ip ssh version 2
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip access-list standard RTR_MGMT
 permit 10.0.0.0 0.255.255.255
 permit 192.168.67.0 0.0.0.255
!
ip access-list extended Management_Access
 permit tcp any any eq telnet log
 permit tcp any any eq 22 log
 deny   tcp any any eq www log
ip access-list extended VTY_ACCESS
 permit tcp 10.0.0.0 0.255.255.255 any eq 22 log
 permit tcp 10.0.0.0 0.255.255.255 any eq telnet log
 deny   ip any any log
!
dialer watch-list 1 ip 5.6.7.8 0.0.0.0
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
ipv6 ioam timestamp
!
route-map clear-df permit 10
 set ip df 0
!
snmp-server community public RO
access-list 100 permit ip any any
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
 no modem enable
line aux 0
 access-class Management_Access in
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 stopbits 1
line 3
 script dialer lte
 modem InOut
 no exec
 rxspeed 100000000
 txspeed 50000000
line 8
 no exec
 rxspeed 100000000
 txspeed 50000000
line vty 0 4
 access-class Management_Access in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class Management_Access in
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Test_Spoke_Router#
For basic configuration and testing, I used the following help guide: https://www.cisco.com/c/en/us/support/docs/security/dynamic-multipoint-vpn-dmvpn/115726-flexvpn-hardmove-same-00.html
02-04-2020 12:31 AM
Hi,
Ensure that traffic from the spoke's local LAN interface to the hub is not being NATed. Modify your NAT ACL: on the first line, deny traffic from local networks to hub networks, then permit any.
HTH
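The ordering point in the reply above, as an added example that is not code from this thread or from Cisco: a small Python checker that applies IOS extended-ACL semantics (top-down, first match wins, implicit deny at the end) to an `ip nat inside source list` ACL, so you can see which flows a given list would translate before pushing it to the router. For a NAT source list, hitting a `deny` entry means "do not translate". The spoke's list as posted (`access-list 100 permit ip any any`) is compared with a corrected named list that denies spoke-LAN-to-hub traffic first. Subnets come from the thread (spoke LAN 10.0.1.0/24, hub LANs 10.0.0.0/24 and 10.0.7.0/24, FlexVPN loopback/pool range 10.1.1.0/24); the ACL name `SPOKE_NAT` and the host addresses in the sample flows are assumptions. The final `permit` is scoped to the spoke LAN rather than `any`, which is a tighter form of "then permit any".

```python
"""Evaluate which flows an IOS NAT source-list ACL would translate.

Added example, not from the thread. Implements first-match ACL semantics
with wildcard masks and the implicit deny; only 'ip' ACEs are supported.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    action: str                      # 'permit' (translate) or 'deny' (do not translate)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Parse an IOS address spec at tokens[i]: 'any', 'host A.B.C.D' or
    'A.B.C.D WILDCARD'. Returns (network, index of the next token).
    Non-contiguous wildcards raise ValueError from ipaddress, which is fine here."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    netmask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF   # wildcard -> netmask
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(netmask)}", strict=False), i + 2


def parse_acl(text):
    """Parse numbered ('access-list 100 permit ip ...') or named-ACL body lines
    ('permit ip ... any'). Header lines, '!' and remarks are skipped; trailing
    keywords such as 'log' are ignored."""
    aces = []
    for raw in text.splitlines():
        tokens = raw.strip().split()
        if not tokens or tokens[0] in ("!", "remark", "ip"):
            continue
        if tokens[0] == "access-list":
            tokens = tokens[2:]          # drop 'access-list <number>'
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE: {raw.strip()}")
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        aces.append(Ace(action, src, dst))
    return aces


def nat_translates(aces, src_ip, dst_ip):
    """True if the flow hits a permit (would be translated); False on a deny
    or when it falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action == "permit"
    return False


# Spoke NAT list exactly as posted in the thread: every packet from Vlan10 matches.
CURRENT_ACL = "access-list 100 permit ip any any"

# Corrected list following the reply: deny spoke LAN -> hub networks first, then permit.
# ACL name SPOKE_NAT is assumed; it would replace 'list 100' on the nat statement.
FIXED_ACL = """
ip access-list extended SPOKE_NAT
 deny   ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
 deny   ip 10.0.1.0 0.0.0.255 10.0.7.0 0.0.0.255
 deny   ip 10.0.1.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 10.0.1.0 0.0.0.255 any
"""

# Constructed sample flows (host addresses assumed) from a spoke LAN client.
FLOWS = {
    "lan->hub_lan": ("10.0.1.50", "10.0.0.10"),
    "lan->hub_lan2": ("10.0.1.50", "10.0.7.10"),
    "lan->hub_loopback": ("10.0.1.50", "10.1.1.1"),
    "lan->internet": ("10.0.1.50", "8.8.8.8"),
}


def check_flows(acl_text):
    """Map each sample flow name to whether the ACL would have it translated."""
    aces = parse_acl(acl_text)
    return {name: nat_translates(aces, s, d) for name, (s, d) in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("as posted", CURRENT_ACL), ("corrected", FIXED_ACL)):
        print(f"{label}: {check_flows(acl)}")
```

With the list as posted, all four flows are translated, including the ones that should ride the tunnel; with the corrected list, only the Internet-bound flow is. Once the named list is in place it must also be referenced by the NAT statement (the thread's `ip nat inside source list 100 interface Cellular0 overload` would point at the new list instead), otherwise the ordering fix has no effect.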