Site-to-Site FlexVPN Lab 4: Spoke-to-Spoke with NHRP and VTI


Lab Introduction

This lab is the final post in my site-to-site FlexVPN series. I may further write up AnyConnect FlexVPN depending on my time (as we all know documentation takes time…).

Building on the Lab 3 configuration, this lab adds dynamic tunnels between SPOKEs using NHRP.

LAB 3: Created the HUB-SPOKE tunnel using a virtual template interface (VTI) on the HUB with IKEv2 encryption, achieving HUB-SPOKE communication as a result. Please refer to Site-to-Site FlexVPN Lab 3: Hub-to-Spoke with Virtual Template Interface (VTI).

LAB 4: Creates dynamic tunnels between SPOKEs using NHRP and an additional VTI on each SPOKE (refer to the topology chart, the tunnel drawn as a dotted line), with IKEv2 encryption, achieving SPOKE-SPOKE communication as a result.

  • This lab adopts mixed authentication of RSA and PSK, as in the previous labs
  • The HUB functions as the Certificate Authority; SPOKE1 and SPOKE2 request and receive certificates from the HUB
  • External NTP server
  • An IP pool is created on the HUB; each SPOKE negotiates with the HUB to obtain its assigned tunnel IP address.

Topology is as below. The Verification section is at the end of the lab.
[Topology diagram: FLEXVPN_SITE_Dynamic_2]

Interface Configuration

CSR-HUB
GigabitEthernet1       192.168.1.91 (mgmt)
GigabitEthernet2       200.1.1.1
Loopback0              192.168.10.1

CSR-SPOKE1
GigabitEthernet1       192.168.1.93 (mgmt)
GigabitEthernet3       200.1.1.3

CSR-SPOKE2
GigabitEthernet1       192.168.1.94 (mgmt)
GigabitEthernet3       200.1.1.4

FlexVPN SPOKE to SPOKE Configuration Rationale

NHRP is utilised in DMVPN to allow traffic to flow directly between SPOKEs without detouring via the HUB. FlexVPN also adopts NHRP to realise SPOKE-to-SPOKE communication. Unlike DMVPN, the following are the key points when configuring NHRP for FlexVPN:

  • No need to configure an NHS; the SPOKE uses the previously configured HUB-SPOKE tunnel to register on the HUB. Although there may be errors in the log saying the NHS is not found, it is safe to ignore them. I came across this error message, and it turned out to be a message bug.
  • Configure ‘nhrp network’ and ‘nhrp redirect’ on the HUB, the same as in DMVPN
  • Configure ‘nhrp network’ and ‘nhrp shortcut’ on the SPOKE, the same as in DMVPN
  • Configure a VTI on the SPOKE (refer to the topology chart, the tunnel drawn as a dotted line) to establish the dynamic tunnel between SPOKEs. This is the critical step in FlexVPN SPOKE-to-SPOKE configuration.
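As an added illustration of the four points above (not the lab's own configuration), the relevant IOS-XE interface statements for the HUB and for SPOKE1. Interface names and addresses follow the topology table; the static tunnel name Tunnel0, the NHRP network-id 1, and the profile names FLEX-IPSEC and FLEX-IKEV2 are assumed placeholders carried over from Lab 3 rather than values taken from this page.

```cisco
! CSR-HUB: the Lab 3 virtual template, plus NHRP redirect so the HUB
! tells a SPOKE when a better (direct) path to the other SPOKE exists.
! Profile name FLEX-IPSEC and network-id 1 are assumed values.
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source GigabitEthernet2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
!
! CSR-SPOKE1: the static HUB-SPOKE tunnel from Lab 3 (Tunnel0 assumed),
! now with NHRP shortcut pointing at the SPOKE's own virtual template.
! No NHS statement is needed; the existing tunnel to the HUB is used.
interface Tunnel0
 ip address negotiated
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel source GigabitEthernet3
 tunnel destination 200.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
!
! CSR-SPOKE1: the additional VTI (the dotted tunnel in the topology).
! A Virtual-Access interface is cloned from it for each SPOKE-SPOKE
! IKEv2 session, whether this SPOKE initiates or answers.
interface Virtual-Template1 type tunnel
 ip unnumbered Tunnel0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 tunnel source GigabitEthernet3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
!
! The SPOKE's IKEv2 profile (name assumed) must reference the virtual
! template; otherwise an inbound SPOKE-SPOKE IKEv2 session has no
! interface to terminate on and the shortcut tunnel never comes up.
crypto ikev2 profile FLEX-IKEV2
 virtual-template 1
```

SPOKE2 takes the same configuration with its own identity and certificate. Once traffic between the SPOKE LANs triggers a redirect, the resulting shortcut entry and the cloned Virtual-Access interface can be checked with `show ip nhrp` and `show crypto ikev2 sa`.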

In addition, I made a human error in LAB 3 on purpose to demonstrate the importance of verification. If that configuration error is not corrected, SPOKE-to-SPOKE communication will not work in this lab, even though it didn’t affect the Lab 3 result. Therefore, please read LAB 3 carefully before LAB 4.

The following are further configured in addition to LAB 3.

CSR-HUB Additional Configuration

CSR-SPOKE1 Additional Configuration

CSR-SPOKE2 Additional Configuration

CSR-HUB Complete Configuration

CSR-SPOKE1 Complete Configuration

CSR-SPOKE2 Complete Configuration

Verification

If the tunnel does not negotiate up but the configuration looks right, it is often possible to fix it by doing shut and no shut on the tunnel interface and executing ‘clear crypto session ikev2’.

COMMENTS

  • Good article, but the line spacing of every article is a little too large. Could you use HTML formatting to set the config or output apart?
