Site-to-Site FlexVPN Lab 3: Hub-to-Spoke with Virtual Template Interface (VTI)

Lab Introduction

This lab is the third post in my site-to-site FlexVPN series. We will use a virtual template to establish the tunnels between the HUB and the SPOKEs. As in Lab 2 (ref. Site-to-Site FlexVPN Lab 2: static tunnel + RSA key within PKI), RSA and PSK mixed authentication will be used.

At the end of this lab, we should be able to ping the SPOKE 1 tunnel IP 172.16.1.1 and the SPOKE 2 tunnel IP 172.16.2.1 from the HUB virtual-access interface 192.168.10.1.

Lab 4 (ref. Site-to-Site FlexVPN Lab 4: Spoke-to-Spoke with NHRP and VTI) will further implement NHRP to enable dynamic tunnels between the SPOKEs.

The lab topology is shown below. HUB 1 functions as the Certificate Authority (CA); SPOKE 1 and SPOKE 2 request and receive their certificates from HUB1. NTP points to an external NTP server.

I made a human error in the configuration; please read my configuration and verification comments in red carefully. I intended to demonstrate the importance of verification and how to approach it: DO NOT leave testing to the end as an overall test or an end-user test only.

(Topology diagram: FLEXVPN_SITE_Dynamic)

Virtual Template and Virtual Access Interface

A virtual template provides the configuration for dynamically created virtual-access interfaces.

When a user or device requests a connection, a virtual-access interface is dynamically created from the configured virtual template; when the peer drops the connection, the virtual-access interface is automatically freed. As the name suggests, the virtual template provides only a configuration template: the details can be customised per dial-in peer identity through authorisation, either as an authorisation policy configured on the device holding the virtual template or as a policy defined on an AAA server such as ACS or ISE.

In this way, one virtual template can support many virtual-access interfaces, each with its own customised configuration. Use ‘show interfaces virtual-access x configuration’ to display the configuration derived for a given virtual-access interface.

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/dial/configuration/guide/fdial_c/dafvrtmp.html
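As an added example (not the author's configuration, which is in the screenshots), here is a minimal HUB1 FlexVPN configuration that ties the IKEv2 profile, a per-peer authorization policy and the virtual template together. The trustpoint, keyring, certificate-map, ACL and spoke CN names are assumed, and so is the direction of the mixed authentication (hub with PSK, spokes with RSA-sig certificates issued by HUB1).

```ios
! CSR-HUB1 (added example, not the author's config). Assumed names: trustpoint
! HUB1_TP, keyring FLEX_KR, cert map SPOKE_CERTS, spoke cert CNs spoke1/spoke2.
aaa new-model
aaa authorization network FLEX_AAA local
!
! Accept only certificates issued to the spoke OU, not any cert the CA signed.
crypto pki certificate map SPOKE_CERTS 10
 subject-name co ou = spokes
!
! Hub-side pre-shared key for the mixed (PSK local / RSA remote) authentication.
crypto ikev2 keyring FLEX_KR
 peer SPOKES
  address 0.0.0.0 0.0.0.0
  pre-shared-key local REPLACE-WITH-HUB-PSK
!
! The policy name is derived from the peer certificate CN, so each spoke gets
! its own settings from the single template (least privilege per peer).
crypto ikev2 name-mangler BY_CN
 dn common-name
crypto ikev2 authorization policy spoke1
 route set interface
 route set access-list HUB_LAN
crypto ikev2 authorization policy spoke2
 route set interface
ip access-list standard HUB_LAN
 permit 192.168.100.0 0.0.0.255
!
crypto ikev2 profile FLEX_HUB
 match certificate SPOKE_CERTS
 identity local address 200.1.1.1
 authentication local pre-share
 authentication remote rsa-sig
 keyring local FLEX_KR
 pki trustpoint HUB1_TP
 aaa authorization group cert list FLEX_AAA name-mangler BY_CN
 virtual-template 1
!
crypto ipsec profile FLEX_IPSEC
 set ikev2-profile FLEX_HUB
!
! The template itself never comes up; each spoke gets its own Virtual-Access
! copy that is freed when the IKEv2 session ends.
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX_IPSEC
! Verify per spoke: show crypto ikev2 sa / show interfaces virtual-access 1 configuration
```

A spoke whose certificate CN has no matching authorization policy will still authenticate but receive no routes, which is exactly the kind of silent failure the per-interface verification above catches.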

Interface Configuration

CSR-HUB1

GigabitEthernet1    192.168.1.91 (mgmt)
GigabitEthernet2    200.1.1.1
Loopback0           192.168.10.1
Loopback1           192.168.100.1

CSR-SPOKE1

GigabitEthernet1    192.168.1.93 (mgmt)
GigabitEthernet3    200.1.1.3
Loopback0           172.16.1.1
Loopback1           172.16.100.1

CSR-SPOKE2

GigabitEthernet1    192.168.1.94 (mgmt)
GigabitEthernet3    200.1.1.4
Loopback0           172.16.2.1

CSR-HUB1 Configuration

CSR-SPOKE1 Configuration

CSR-SPOKE2 Configuration

Verification

COMMENTS

Tom (2 years ago)

    I was trying to configure the hub and spoke lab but without success. Then I found your guide and I made it. The reason why it didn't work was because I didn't issue the command
    crypto ikev2 client flexvpn FLEX_CLIENT
    peer 1 209.145.81.214
    client connect Tunnel1

    I can't thank you enough!!!

    Keep up the good work.

    Tom

    Author's reply:

      Thanks for letting me know my lab helped, so happy ^^ The blog also works as my knowledge management tool; I will keep working on 🙂
