Lab Introduction
This lab is the third post in my site-to-site FlexVPN series. We will use a virtual template to establish the tunnels between the HUB and the SPOKEs. As in Lab 2 (ref. Site-to-Site FlexVPN Lab 2: static tunnel + RSA key within PKI), mixed RSA and PSK authentication is used.
At the end of this lab we should be able to ping the SPOKE 1 tunnel IP 172.16.1.1 and the SPOKE 2 tunnel IP 172.16.2.1 from the HUB virtual-access interface 192.168.10.1.
Lab 4 (ref. Site-to-Site FlexVPN Lab 4: Spoke-to-Spoke with NHRP and VTI) will go on to implement NHRP to enable dynamic tunnels between the SPOKEs.
The lab topology is as below. HUB 1 functions as the Certificate Authority (CA). SPOKE 1 and SPOKE 2 request and receive their certificates from HUB 1. NTP points to an external NTP server.
I made a human error in the configuration; please read the comments in my configuration and verification output carefully. I intend to demonstrate the importance of verification and how to approach it: DO NOT leave testing to the end as a single overall test or end-user test.
Virtual Template and Virtual Access Interface
Virtual template is used to provide configuration for dynamically created virtual-access interfaces.
When a user or device requests a connection, a virtual-access interface is dynamically created from the configured virtual template; when the peer drops the connection, the virtual-access interface is automatically freed. As the name suggests, a virtual template provides a configuration template, and the configuration details can be customised per dial-in peer identity through authorisation, either as an authorisation policy configured on the device holding the virtual template or as one defined on an AAA server such as ACS or ISE.
In this way, one virtual template can support many virtual-access interfaces, each with its own customised configuration. Use ‘show interfaces virtual-access x configuration’ to display the derived configuration of a virtual-access interface.
Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/dial/configuration/guide/fdial_c/dafvrtmp.html
Interface Configuration
CSR-HUB1
GigabitEthernet1 192.168.1.91 (mgmt)
GigabitEthernet2 200.1.1.1
Loopback0 192.168.10.1
Loopback1 192.168.100.1
CSR-SPOKE1
GigabitEthernet1 192.168.1.93 (mgmt)
GigabitEthernet3 200.1.1.3
Loopback0 172.16.1.1
Loopback1 172.16.100.1
CSR-SPOKE2
GigabitEthernet1 192.168.1.94 (mgmt)
GigabitEthernet3 200.1.1.4
Loopback0 172.16.2.1
CSR-HUB1 Configuration
CSR-HUB1#show run
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console auto
!
hostname CSR-HUB1
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
aaa new-model
!
aaa authorization network ike_list local
!
aaa session-id common
!
ip domain name mm.com
!
subscriber templating
!
multilink bundle-name authenticated
!
crypto pki server CA
 no database archive
 grant auto
 eku server-auth client-auth
!
crypto pki trustpoint CA
 revocation-check crl
 rsakeypair CA
!
crypto pki trustpoint S2S-CA
 enrollment url http://192.168.1.91:80
 subject-name cn=HUB1,ou=mm.com
 revocation-check crl
!
crypto pki certificate chain CA
 certificate ca 01
  308201F3 3082015C A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  0D310B30 09060355 04031302 4341301E 170D3136 30313236 31353036 32355A17
  0D313930 31323531 35303632 355A300D 310B3009 06035504 03130243 4130819F
  300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100B787 5D5AA0D5
  463A0E98 ABBD8437 FB8D75AE CE767C40 E352008A C1FF4DD3 0493EAAA A22DE447
  3BE37B42 3FBE0642 C6FF6620 578EAEF5 80EFBF55 47B7A278 D3F4B96E C24C86B8
  B0EA363E 124801AA 30C0B51D 0A3D691B CE246A3B 14C83579 ACD70B95 4ECB3F36
  9E40DC30 BCE15FCF EF0A43AD BEF421F8 5D65FEDF 67769337 D2EF0203 010001A3
  63306130 0F060355 1D130101 FF040530 030101FF 300E0603 551D0F01 01FF0404
  03020186 301F0603 551D2304 18301680 1473FC34 CCCB32C3 1A1573BB CFE858D0
  FE6B468F 71301D06 03551D0E 04160414 73FC34CC CB32C31A 1573BBCF E858D0FE
  6B468F71 300D0609 2A864886 F70D0101 04050003 81810029 5C847FF2 52FC86F0
  07CA5E3D 1028F120 0BD97759 6C3C4D86 B5F57A3F 4EE33103 F095AC8D DB9A1B44
  1AB1DD32 A32631E6 9E5B8A1A 1224D97F 348A5F3D 0C6902BB 95C04951 61F1D35B
  11346869 02EF62B1 A9A4BE43 276F4BD2 301B67C2 5235956A 8FB93B25 9F508FB5
  1A30D57C B9E9FA91 673B7D0E B3FF750D 2D278FB9 FF8A40
  quit
crypto pki certificate chain S2S-CA
 certificate 02
  308201ED 30820156 A0030201 02020102 300D0609 2A864886 F70D0101 05050030
  0D310B30 09060355 04031302 4341301E 170D3136 30313236 31353130 30365A17
  0D313730 31323531 35313030 365A3040 310F300D 06035504 0B13066D 6D2E636F
  6D310D30 0B060355 04031304 48554231 311E301C 06092A86 4886F70D 01090216
  0F435352 2D485542 312E6D6D 2E636F6D 305C300D 06092A86 4886F70D 01010105
  00034B00 30480241 00A161E4 8E1470FD 0599CE51 626D23E1 C89F7111 A8CC58C9
  6AA6F145 237D2FBA 020B5CE7 DF0B9BFB 377BA94F FAF10B10 9B54DC95 870D0DF1
  5151E45E 0E940684 AD020301 0001A36E 306C301D 0603551D 25041630 1406082B
  06010505 07030106 082B0601 05050703 02300B06 03551D0F 04040302 05A0301F
  0603551D 23041830 16801473 FC34CCCB 32C31A15 73BBCFE8 58D0FE6B 468F7130
  1D060355 1D0E0416 0414C06F 27055188 44A99EE2 9E12290E BB7D80CD 7A33300D
  06092A86 4886F70D 01010505 00038181 000A6A08 5D28C8D2 F5789E63 A7B61D13
  F95A6958 684D1645 DF3E85E6 7CDFDDA6 471DD539 1B8363D1 AFB5201B 8384BC6B
  4A42B8E5 73DD496D B46AE63F 987A6C36 FAFA92A1 34CA8BD2 8C1379E8 D3238ECD
  CD8372E1 4C511311 AF323AD6 6C669C95 CDEC05D1 B2F6EC9B 2E368EDE 8A54D55D
  457954BD AAEFCDA7 364072E1 E7204C01 0F
  quit
 certificate ca 01
  308201F3 3082015C A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  0D310B30 09060355 04031302 4341301E 170D3136 30313236 31353036 32355A17
  0D313930 31323531 35303632 355A300D 310B3009 06035504 03130243 4130819F
  300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100B787 5D5AA0D5
  463A0E98 ABBD8437 FB8D75AE CE767C40 E352008A C1FF4DD3 0493EAAA A22DE447
  3BE37B42 3FBE0642 C6FF6620 578EAEF5 80EFBF55 47B7A278 D3F4B96E C24C86B8
  B0EA363E 124801AA 30C0B51D 0A3D691B CE246A3B 14C83579 ACD70B95 4ECB3F36
  9E40DC30 BCE15FCF EF0A43AD BEF421F8 5D65FEDF 67769337 D2EF0203 010001A3
  63306130 0F060355 1D130101 FF040530 030101FF 300E0603 551D0F01 01FF0404
  03020186 301F0603 551D2304 18301680 1473FC34 CCCB32C3 1A1573BB CFE858D0
  FE6B468F 71301D06 03551D0E 04160414 73FC34CC CB32C31A 1573BBCF E858D0FE
  6B468F71 300D0609 2A864886 F70D0101 04050003 81810029 5C847FF2 52FC86F0
  07CA5E3D 1028F120 0BD97759 6C3C4D86 B5F57A3F 4EE33103 F095AC8D DB9A1B44
  1AB1DD32 A32631E6 9E5B8A1A 1224D97F 348A5F3D 0C6902BB 95C04951 61F1D35B
  11346869 02EF62B1 A9A4BE43 276F4BD2 301B67C2 5235956A 8FB93B25 9F508FB5
  1A30D57C B9E9FA91 673B7D0E B3FF750D 2D278FB9 FF8A40
  quit
!
license udi pid CSR1000V sn 9TR6B6610DS
!
spanning-tree extend system-id
!
username admin privilege 15 secret 5 $1$zINL$Gf.DJe6Gik9lBzwkmsmAa1
!
redundancy
crypto ikev2 authorization policy default
 def-domain mm.com
 ! Upon successful authentication, the matching authorization policy advertises the
 ! interface IP and the static routes defined in access-list flex_route to the peer(s).
 ! The results are shown in the verification section.
 route set interface
 route set access-list flex_route
!
crypto ikev2 keyring mykeys
 peer SPOKE
  address 200.1.1.0 255.255.255.0
  pre-shared-key Cisco123
!
crypto ikev2 profile FLEXVPN-Dynamic
 match identity remote address 200.1.1.0 255.255.255.0
 authentication remote pre-share
 authentication local rsa-sig
 keyring local mykeys
 pki trustpoint S2S-CA
 dpd 60 2 on-demand
 aaa authorization group psk list ike_list default
 aaa authorization group cert list ike_list default
 virtual-template 1
!
crypto ipsec profile default
 set ikev2-profile FLEXVPN-Dynamic
!
interface Loopback0
 ip address 192.168.10.1 255.255.255.0
!
interface Loopback1
 ip address 192.168.100.1 255.255.255.255
!
interface GigabitEthernet1
 ip address 192.168.1.91 255.255.255.0
 negotiation auto
!
interface GigabitEthernet2
 ip address 200.1.1.1 255.255.255.0
 negotiation auto
!
interface GigabitEthernet3
 no ip address
 negotiation auto
!
interface GigabitEthernet4
 no ip address
 shutdown
 negotiation auto
!
! Configure the virtual template; each virtual-access interface derives its configuration
! from it. Use ‘show interfaces virtual-access x configuration’ to display the derived
! configuration of a specific virtual-access interface.
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet2
 tunnel protection ipsec profile default
!
router eigrp 1
 network 192.168.10.0
 network 192.168.100.0
!
virtual-service csr_mgmt
!
ip local pool flex-pool 172.16.0.1 172.16.0.254
ip forward-protocol nd
!
ip http server
no ip http secure-server
ip ssh version 1
!
! Please note the access-list name differs from the one referenced in the authorization
! policy above: flex-route vs. flex_route. Although it does not affect the current lab,
! Lab 4 will not work with this error! This is why step-by-step and overall verification
! are so important.
ip access-list standard flex-route
 permit any
!
control-plane
!
line con 0
 stopbits 1
line vty 0 4
 password cisco
!
ntp source GigabitEthernet1
ntp server 192.168.1.8
!
end
CSR-SPOKE1 Configuration
CSR-SPOKE1#show run
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console auto
!
hostname CSR-SPOKE1
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
aaa new-model
!
aaa authorization network ike_list local
!
aaa session-id common
!
ip domain name mm.com
!
subscriber templating
!
multilink bundle-name authenticated
!
crypto pki trustpoint S2S-CA
 enrollment url http://192.168.1.91:80
 revocation-check none
!
crypto pki certificate map S2S-Map 10
 issuer-name eq ca
!
crypto pki certificate chain S2S-CA
 certificate 04
  308201CF 30820138 A0030201 02020104 300D0609 2A864886 F70D0101 05050030
  0D310B30 09060355 04031302 4341301E 170D3136 30313236 31353331 31355A17
  0D313730 31323531 35333131 355A3022 3120301E 06092A86 4886F70D 01090216
  11435352 2D53504F 4B45312E 6D6D2E63 6F6D305C 300D0609 2A864886 F70D0101
  01050003 4B003048 024100A4 492AA528 E10414AC F2B1F4E6 1ABC22DA 18925224
  F7BE3346 E658A168 5D86BAC3 42F67180 45E3DB7B 908EA63D 6C25310E C33077B6
  DF86D2EF 9523A5B2 6D8EB102 03010001 A36E306C 301D0603 551D2504 16301406
  082B0601 05050703 0106082B 06010505 07030230 0B060355 1D0F0404 030205A0
  301F0603 551D2304 18301680 1473FC34 CCCB32C3 1A1573BB CFE858D0 FE6B468F
  71301D06 03551D0E 04160414 A056D10B FBCEF130 1F568D48 303421B0 0182C6E9
  300D0609 2A864886 F70D0101 05050003 81810045 BE0D3211 2E7F33BC 564B5B4C
  BBE76BFE 85DBAA5E 2EA779A9 9B7EB7D7 38E804BB 9F44BD4B 3F768F9A C3B56315
  BE4288D2 062E1A18 30533C47 7D6B108A 7CBC9D20 D1A2927C D0A9F751 78391074
  949A2FCE E8240014 59F75055 7937F740 52A2FA41 E8505DEA 657E055F 1B65D029
  6979A9A6 5E4606F2 FE2DAF56 81EAC20C 9EA846
  quit
 certificate ca 01
  308201F3 3082015C A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  0D310B30 09060355 04031302 4341301E 170D3136 30313236 31353036 32355A17
  0D313930 31323531 35303632 355A300D 310B3009 06035504 03130243 4130819F
  300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100B787 5D5AA0D5
  463A0E98 ABBD8437 FB8D75AE CE767C40 E352008A C1FF4DD3 0493EAAA A22DE447
  3BE37B42 3FBE0642 C6FF6620 578EAEF5 80EFBF55 47B7A278 D3F4B96E C24C86B8
  B0EA363E 124801AA 30C0B51D 0A3D691B CE246A3B 14C83579 ACD70B95 4ECB3F36
  9E40DC30 BCE15FCF EF0A43AD BEF421F8 5D65FEDF 67769337 D2EF0203 010001A3
  63306130 0F060355 1D130101 FF040530 030101FF 300E0603 551D0F01 01FF0404
  03020186 301F0603 551D2304 18301680 1473FC34 CCCB32C3 1A1573BB CFE858D0
  FE6B468F 71301D06 03551D0E 04160414 73FC34CC CB32C31A 1573BBCF E858D0FE
  6B468F71 300D0609 2A864886 F70D0101 04050003 81810029 5C847FF2 52FC86F0
  07CA5E3D 1028F120 0BD97759 6C3C4D86 B5F57A3F 4EE33103 F095AC8D DB9A1B44
  1AB1DD32 A32631E6 9E5B8A1A 1224D97F 348A5F3D 0C6902BB 95C04951 61F1D35B
  11346869 02EF62B1 A9A4BE43 276F4BD2 301B67C2 5235956A 8FB93B25 9F508FB5
  1A30D57C B9E9FA91 673B7D0E B3FF750D 2D278FB9 FF8A40
  quit
!
license udi pid CSR1000V sn 9QKHH15ZASW
!
spanning-tree extend system-id
!
username admin privilege 15 secret 5 $1$hpO9$iuvo4QXwaYNATueef.jMc0
!
redundancy
crypto ikev2 authorization policy default
 route set interface
 route set access-list flex_route
!
crypto ikev2 keyring mykeys
 peer HUB
  address 200.1.1.1
  pre-shared-key Cisco123
!
crypto ikev2 profile FLEXVPN_Dynamic
 match identity remote address 200.1.1.1 255.255.255.255
 authentication remote pre-share
 authentication remote rsa-sig
 authentication local pre-share
 keyring local mykeys
 pki trustpoint S2S-CA
 dpd 60 2 on-demand
 aaa authorization group psk list ike_list default
 aaa authorization group cert list ike_list default
!
crypto ikev2 client flexvpn FLEXVPN_CLIENT
 peer 1 200.1.1.1
 client connect Tunnel1
!
crypto ipsec profile default
 set ikev2-profile FLEXVPN_Dynamic
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface Loopback1
 ip address 172.16.100.1 255.255.255.255
!
interface Tunnel1
 description to hub1
 ip unnumbered Loopback0
 delay 500
 tunnel source GigabitEthernet3
 tunnel destination dynamic
 tunnel protection ipsec profile default
!
interface GigabitEthernet1
 ip address 192.168.1.93 255.255.255.0
 negotiation auto
!
interface GigabitEthernet2
 no ip address
 negotiation auto
!
interface GigabitEthernet3
 ip address 200.1.1.3 255.255.255.0
 negotiation auto
!
interface GigabitEthernet4
 no ip address
 negotiation auto
!
router eigrp 1
 network 172.16.0.0
 network 172.16.100.0 0.0.0.255
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip ssh version 1
!
ip access-list standard flex_route
 permit 172.16.1.0 0.0.0.255
!
control-plane
!
line con 0
 stopbits 1
line vty 0 4
 password cisco
!
ntp source GigabitEthernet1
ntp server 192.168.1.8
!
end
CSR-SPOKE2 Configuration
CSR-SPOKE2#show run
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console auto
!
hostname CSR-SPOKE2
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
aaa new-model
!
aaa authorization network ike_list local
!
aaa session-id common
!
ip domain name mm.com
!
subscriber templating
!
multilink bundle-name authenticated
!
crypto pki trustpoint S2S-CA
 enrollment url http://192.168.1.91:80
 revocation-check none
!
crypto pki certificate chain S2S-CA
 certificate 05
  308201CF 30820138 A0030201 02020105 300D0609 2A864886 F70D0101 05050030
  0D310B30 09060355 04031302 4341301E 170D3136 30313238 32333034 33355A17
  0D313730 31323732 33303433 355A3022 3120301E 06092A86 4886F70D 01090216
  11435352 2D53504F 4B45322E 6D6D2E63 6F6D305C 300D0609 2A864886 F70D0101
  01050003 4B003048 02410089 BD4258B7 6F5D7BCD 6D054F08 5D7540CA 84FD8832
  81C7294A 086F1244 D4408FD7 B5C584FB 384BB858 B8D0CAAC D3341757 DBC70FE9
  6DAFF0A8 72DE3101 50D35D02 03010001 A36E306C 301D0603 551D2504 16301406
  082B0601 05050703 0106082B 06010505 07030230 0B060355 1D0F0404 030205A0
  301F0603 551D2304 18301680 1473FC34 CCCB32C3 1A1573BB CFE858D0 FE6B468F
  71301D06 03551D0E 04160414 C35F3701 1BF005FB 2C363F30 D122D536 DA949088
  300D0609 2A864886 F70D0101 05050003 818100A4 016A404E A63DEE56 DBE61ABC
  25F4FF27 D023FBEA DCC6C240 B9A465DE 7F7F33AF 6FCD4DC1 04509A5D 9D81C3E5
  6DE93C52 DD8B6D74 957E88F5 05F70D75 9B7738FE BACFB31D AF3FE606 D79F6C8C
  8BBA15DF 28915BC2 35010C25 C002965F 89CD3232 792BAA9A B3256742 09DC63BF
  356570A9 C9269155 E2032F18 9E58653D 5BE210
  quit
 certificate ca 01
  308201F3 3082015C A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  0D310B30 09060355 04031302 4341301E 170D3136 30313236 31353036 32355A17
  0D313930 31323531 35303632 355A300D 310B3009 06035504 03130243 4130819F
  300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100B787 5D5AA0D5
  463A0E98 ABBD8437 FB8D75AE CE767C40 E352008A C1FF4DD3 0493EAAA A22DE447
  3BE37B42 3FBE0642 C6FF6620 578EAEF5 80EFBF55 47B7A278 D3F4B96E C24C86B8
  B0EA363E 124801AA 30C0B51D 0A3D691B CE246A3B 14C83579 ACD70B95 4ECB3F36
  9E40DC30 BCE15FCF EF0A43AD BEF421F8 5D65FEDF 67769337 D2EF0203 010001A3
  63306130 0F060355 1D130101 FF040530 030101FF 300E0603 551D0F01 01FF0404
  03020186 301F0603 551D2304 18301680 1473FC34 CCCB32C3 1A1573BB CFE858D0
  FE6B468F 71301D06 03551D0E 04160414 73FC34CC CB32C31A 1573BBCF E858D0FE
  6B468F71 300D0609 2A864886 F70D0101 04050003 81810029 5C847FF2 52FC86F0
  07CA5E3D 1028F120 0BD97759 6C3C4D86 B5F57A3F 4EE33103 F095AC8D DB9A1B44
  1AB1DD32 A32631E6 9E5B8A1A 1224D97F 348A5F3D 0C6902BB 95C04951 61F1D35B
  11346869 02EF62B1 A9A4BE43 276F4BD2 301B67C2 5235956A 8FB93B25 9F508FB5
  1A30D57C B9E9FA91 673B7D0E B3FF750D 2D278FB9 FF8A40
  quit
!
license udi pid CSR1000V sn 99RWKS44J5X
!
spanning-tree extend system-id
!
username admin privilege 15 secret 5 $1$JiwR$8bSDjrkmXRi0VVhMbGSat0
!
redundancy
crypto ikev2 authorization policy default
 route set interface
 route set access-list flex_route
!
crypto ikev2 keyring mykeys
 peer HUB
  address 200.1.1.1
  pre-shared-key Cisco123
!
crypto ikev2 profile FLEXVPN_Dynamic
 match identity remote address 200.1.1.1 255.255.255.255
 authentication remote pre-share
 authentication remote rsa-sig
 authentication local pre-share
 keyring local mykeys
 pki trustpoint S2S-CA
 dpd 60 2 on-demand
 aaa authorization group psk list ike_list default
 aaa authorization group cert list ike_list default
!
crypto ikev2 client flexvpn FLEXVPN_CLIENT
 peer 1 200.1.1.1
 client connect Tunnel1
!
crypto ipsec profile default
 set ikev2-profile FLEXVPN_Dynamic
!
interface Loopback0
 ip address 172.16.2.1 255.255.255.0
!
interface Tunnel1
 ip unnumbered Loopback0
 tunnel source GigabitEthernet3
 tunnel destination dynamic
 tunnel protection ipsec profile default
!
interface GigabitEthernet1
 ip address 192.168.1.94 255.255.255.0
 negotiation auto
!
interface GigabitEthernet2
 no ip address
 negotiation auto
!
interface GigabitEthernet3
 ip address 200.1.1.4 255.255.255.0
 negotiation auto
!
interface GigabitEthernet4
 no ip address
 shutdown
 negotiation auto
!
virtual-service csr_mgmt
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip ssh version 1
!
ip access-list standard flex_route
 permit 172.16.2.0 0.0.0.255
!
control-plane
!
line con 0
 stopbits 1
line vty 0 4
 password cisco
!
ntp server 192.168.1.8
!
end
Verification
CSR-SPOKE1# show crypto ikev2 sa detailed
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         200.1.1.3/500         200.1.1.1/500         none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: RSA
      Life/Active Time: 86400/4657 sec
      CE id: 1039, Session-id: 3
      Status Description: Negotiation done
      Local spi: 01ADA7BB4DA0E34D       Remote spi: 13A01100B375CD16
      Local id: 200.1.1.3
      Remote id: 200.1.1.1
      Local req msg id:  6              Remote req msg id:  2
      Local next msg id: 6              Remote next msg id: 2
      Local req queued:  6              Remote req queued:  2
      Local window:      5              Remote window:      5
      DPD configured for 60 seconds, retry 2
      Fragmentation not configured.
      Extended Authentication not configured.
      NAT-T is not detected
      Cisco Trust Security SGT is disabled
      Initiator of SA : Yes
      Default Domain: mm.com
      Remote subnets:
      192.168.10.1 255.255.255.255
# Auth sign: PSK, Auth verify: RSA confirms the mixed authentication: the SPOKE signs with the
# pre-shared key and verifies the HUB's RSA signature.
# The authorization policy under the IKEv2 profile controls which static routes are advertised
# to peers. Upon successful authentication, authorization is executed based on the peer identity.
# ‘route set interface’ and ‘route set access-list’ under the authorization policy advertise the
# interface IP and the prefixes defined in the access-list to the peer, respectively.
# Please note that only the HUB's interface IP was received on the SPOKE: the 0.0.0.0/0 defined in
# the HUB's access-list was not received, because of the access-list name mismatch on the HUB!
CSR-SPOKE1#show ip route
      172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C        172.16.1.0/24 is directly connected, Loopback0
L        172.16.1.1/32 is directly connected, Loopback0
C        172.16.100.1/32 is directly connected, Loopback1
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, GigabitEthernet1
L        192.168.1.93/32 is directly connected, GigabitEthernet1
      192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
D        192.168.10.0/24 [90/25856000] via 192.168.10.1, 00:56:29, Tunnel1
S        192.168.10.1/32 is directly connected, Tunnel1   # static route received from HUB
      192.168.100.0/32 is subnetted, 1 subnets
D        192.168.100.1 [90/25856000] via 192.168.10.1, 00:56:29, Tunnel1
      200.1.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        200.1.1.0/24 is directly connected, GigabitEthernet3
L        200.1.1.3/32 is directly connected, GigabitEthernet3
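The two checks this lab leans on, that the access-list referenced by the HUB's ‘route set access-list’ actually exists (the flex_route vs. flex-route error in the HUB configuration) and that the prefixes the HUB should push show up under ‘Remote subnets’ on the SPOKE, can both be done mechanically instead of by eye. The script below is an added example and is not part of the original post or of Cisco's tooling: it parses a running-config excerpt for IKEv2 authorization-policy ACL references and standard ACL definitions, reports references to ACLs that were never defined, derives the prefixes a defined ACL would advertise, and compares them with the ‘Remote subnets’ list from ‘show crypto ikev2 sa detailed’. The configuration and show-output excerpts embedded in it are constructed from this lab's values, and all function names are my own.

```python
"""Cross-check FlexVPN route advertisement: what the hub's IKEv2 authorization
policy should push (parsed from running-config) against what the spoke actually
received (parsed from 'show crypto ikev2 sa detailed')."""
import ipaddress
import re

# Constructed excerpt modelled on the lab's CSR-HUB1 running-config (not a full config).
HUB_CONFIG_AS_LABBED = """\
crypto ikev2 authorization policy default
 def-domain mm.com
 route set interface
 route set access-list flex_route
!
ip access-list standard flex-route
 permit any
!
"""
# The same excerpt with the ACL name corrected to match the policy reference.
HUB_CONFIG_FIXED = HUB_CONFIG_AS_LABBED.replace("standard flex-route", "standard flex_route")

# Constructed excerpt modelled on CSR-SPOKE1's 'show crypto ikev2 sa detailed'.
SPOKE_SA_AS_LABBED = """\
Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         200.1.1.3/500         200.1.1.1/500         none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5,
      Auth sign: PSK, Auth verify: RSA
      Default Domain: mm.com
      Remote subnets:
      192.168.10.1 255.255.255.255
"""

_ACL_REF = re.compile(r"^\s*route set access-list (\S+)\s*$")
_ACL_DEF = re.compile(r"^ip access-list standard (\S+)\s*$")
_ACE = re.compile(r"^\s+(permit|deny)\s+(.+?)\s*$")
_SUBNET = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$")
_AUTH = re.compile(r"Auth sign:\s*(\S+),\s*Auth verify:\s*(\S+)")

def _wildcard_to_prefix(wildcard):
    """Cisco wildcard mask (0.0.0.255) -> prefix length (24); rejects non-contiguous masks."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return prefix

def _ace_to_network(ace):
    """Standard-ACL source spec ('any', 'host A', 'A', 'A WILDCARD') -> IPv4Network."""
    words = ace.split()
    if words == ["any"]:
        return ipaddress.ip_network("0.0.0.0/0")
    if words[0] == "host":
        return ipaddress.ip_network(f"{words[1]}/32")
    if len(words) == 1:
        return ipaddress.ip_network(f"{words[0]}/32")
    return ipaddress.ip_network(f"{words[0]}/{_wildcard_to_prefix(words[1])}", strict=False)

def acl_references(config):
    """ACL names referenced by 'route set access-list' in IKEv2 authorization policies."""
    return {m.group(1) for m in map(_ACL_REF.match, config.splitlines()) if m}

def acl_definitions(config):
    """Map each standard ACL name to the networks its permit entries cover."""
    acls, current = {}, None
    for line in config.splitlines():
        m = _ACL_DEF.match(line)
        if m:
            current = m.group(1)
            acls[current] = []
            continue
        if not line.startswith(" "):  # any un-indented line ends the ACL block
            current = None
            continue
        m = _ACE.match(line)
        if current and m and m.group(1) == "permit":
            acls[current].append(_ace_to_network(m.group(2)))
    return acls

def dangling_acl_references(config):
    """ACLs referenced but never defined: this lab's flex_route vs flex-route typo."""
    return sorted(acl_references(config) - set(acl_definitions(config)))

def expected_acl_subnets(config):
    """Prefixes the hub should push via 'route set access-list' (defined ACLs only)."""
    defs = acl_definitions(config)
    return {net for name in acl_references(config) for net in defs.get(name, [])}

def received_subnets(sa_output):
    """Prefixes listed under 'Remote subnets:' in 'show crypto ikev2 sa detailed'."""
    nets, in_block = set(), False
    for line in sa_output.splitlines():
        if line.strip() == "Remote subnets:":
            in_block = True
            continue
        m = _SUBNET.match(line) if in_block else None
        if m:
            nets.add(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
        elif in_block:
            break  # first non-subnet line closes the list
    return nets

def auth_methods(sa_output):
    """(sign, verify) from the SA detail; ('PSK', 'RSA') is the mixed auth this lab expects."""
    m = _AUTH.search(sa_output)
    return (m.group(1), m.group(2)) if m else None

def missing_advertisements(config, sa_output):
    """Expected prefixes the spoke did not receive; empty is not 'healthy' if references dangle."""
    return expected_acl_subnets(config) - received_subnets(sa_output)

if __name__ == "__main__":
    for label, cfg in (("as labbed", HUB_CONFIG_AS_LABBED), ("fixed", HUB_CONFIG_FIXED)):
        print(f"{label}: dangling={dangling_acl_references(cfg)} "
              f"missing={sorted(map(str, missing_advertisements(cfg, SPOKE_SA_AS_LABBED)))}")
```

Against real devices, paste the hub's ‘show run’ and the spoke's ‘show crypto ikev2 sa detailed’ into the two strings (or read them from files). The dangling-reference check is the one that would have caught this lab's error before any tunnel came up, which is the step-by-step verification the post argues for; the missing-advertisement comparison is the end-to-end check, and on the lab as configured it reports nothing precisely because the undefined ACL contributes no expected prefixes, so the two checks have to be read together.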
COMMENTS
I was trying to configure a hub and spoke lab but without success. Then I found your guide and I made it. The reason why it didn't work was because I didn't issue the command
crypto ikev2 client flexvpn FLEX_CLIENT
peer 1 209.145.81.214
client connect Tunnel1
I can't thank you enough!!!
Keep up the good work.
Tom
Thanks for letting me know my lab helped, so happy ^^ The blog also works as my knowledge management tool; I will keep working on 🙂