FlexVPN - Single Hub (Part 1)
Topology
This is a single-hub topology with three spokes. Each spoke can reach the hub's Loopback (Lo192) from its own Loopback (Lo192). Spokes can reach each other only via the hub; there is no direct Spoke-2-Spoke traffic. This is very similar to DMVPN Phase 1.
Part 2 and Part 3 will be posted later, adding direct Spoke-2-Spoke traffic and a second FLEXVPN-HUB.
This setup includes:
- WEST-FLEXHUB01
- WEST-SPOKE01
- MID-SPOKE01
- EAST-SPOKE01
HUB
WEST-FLEXHUB01 - Config
WEST-FLEXHUB01#show run | s crypto ikev2|crypto ipsec|aaa|access-list|Tunnel|Loopback10|Loopback192|Ethernet0/2|router|pool|Virtual-Template
!
aaa new-model
aaa authorization network AAA_AUTHO_NET local
aaa session-id common
!
crypto ikev2 authorization policy WQNET_IKEV2_AUTHO_POLICY
pool SPOKE_IP-POOL
def-domain WQNET.LAB
route set interface
route set access-list ACL_HUB_ROUTES
!
crypto ikev2 profile WQNET_IKEV2_PROFILE
match identity remote any
authentication remote pre-share key ThisIsTheWay
authentication local pre-share key ThisIsTheWay
aaa authorization group psk list AAA_AUTHO_NET WQNET_IKEV2_AUTHO_POLICY
virtual-template 10
!
crypto ipsec profile WQNET_IPSEC_PROFILE
set ikev2-profile WQNET_IKEV2_PROFILE
!
interface Loopback10
ip address 192.192.254.1 255.255.255.0
!
interface Loopback192
ip address 192.192.0.1 255.255.255.128
!
interface Ethernet0/2
ip address 110.110.0.1 255.255.255.0
!
interface Virtual-Template10 type tunnel
ip unnumbered Loopback10
tunnel source Ethernet0/2
tunnel protection ipsec profile WQNET_IPSEC_PROFILE
!
router eigrp WQNET
!
address-family ipv4 unicast autonomous-system 1414
!
af-interface Virtual-Template10
no split-horizon
exit-af-interface
!
topology base
exit-af-topology
network 192.192.0.0 0.0.255.255
exit-address-family
!
ip local pool SPOKE_IP-POOL 192.192.254.2 192.192.255.250
!
ip access-list standard ACL_HUB_ROUTES
10 permit 192.192.0.0 0.0.0.255
!
WEST-FLEXHUB01 - Interfaces
WEST-FLEXHUB01#sh ip int bri | exc down|unassigned
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 192.0.0.4 YES NVRAM up up
Ethernet0/2 110.110.0.1 YES NVRAM up up
Loopback10 192.192.254.1 YES NVRAM up up
Loopback192 192.192.0.1 YES NVRAM up up
Virtual-Access1 192.192.254.1 YES unset up up
Virtual-Access2 192.192.254.1 YES unset up up
Virtual-Access3 192.192.254.1 YES unset up up
WEST-FLEXHUB01 - Routing Table
WEST-FLEXHUB01#sh ip route static | beg Gate
Gateway of last resort is not set
S 192.192.1.0/24 is directly connected, Virtual-Access1
S 192.192.2.0/24 is directly connected, Virtual-Access3
S 192.192.3.0/24 is directly connected, Virtual-Access2
192.192.254.0/24 is variably subnetted, 5 subnets, 2 masks
S 192.192.254.2/32 is directly connected, Virtual-Access1
S 192.192.254.3/32 is directly connected, Virtual-Access2
S 192.192.254.4/32 is directly connected, Virtual-Access3
SPOKE
WEST-SPOKE01 - Config
WEST-SPOKE01#show run | s crypto ikev2|crypto ipsec|aaa|access-list|Tunnel|Loopback10|Loopback192|Ethernet0/0|router
!
aaa new-model
aaa authorization network AAA_AUTHO_NET local
aaa session-id common
!
crypto ikev2 authorization policy WQNET_IKEV2_AUTHO_POLICY
route set interface
route set access-list ACL_SPOKE_ROUTES
!
crypto ikev2 profile WQNET_IKEV2_PROFILE
match identity remote any
authentication remote pre-share key ThisIsTheWay
authentication local pre-share key ThisIsTheWay
aaa authorization group psk list AAA_AUTHO_NET WQNET_IKEV2_AUTHO_POLICY
!
crypto ipsec transform-set WQNET_IPSEC-TS ah-sha512-hmac
mode transport
!
crypto ipsec profile WQNET_IPSEC_PROFILE
set ikev2-profile WQNET_IKEV2_PROFILE
!
interface Loopback192
ip address 192.192.1.1 255.255.255.0
!
interface Tunnel10
ip address negotiated
tunnel source Ethernet0/0
tunnel destination 110.110.0.1
!
interface Ethernet0/0
ip address 110.110.0.10 255.255.255.0
!
router eigrp WQNET
!
address-family ipv4 unicast autonomous-system 1414
!
topology base
exit-af-topology
network 192.192.0.0 0.0.255.255
exit-address-family
!
ip access-list standard ACL_SPOKE_ROUTES
10 permit 192.192.1.0 0.0.0.255
!
WEST-SPOKE01 - Interfaces
WEST-SPOKE01#sh ip int bri | exc down|unassigned
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 110.110.0.10 YES NVRAM up up
Loopback192 192.192.1.1 YES NVRAM up up
Tunnel10 192.192.254.2 YES NVRAM up up
WEST-SPOKE01 - Routing Table
WEST-SPOKE01#sh ip route eig | beg Gate
Gateway of last resort is not set
192.192.0.0/24 is variably subnetted, 2 subnets, 2 masks
D 192.192.0.0/25 [90/76800640] via 192.192.254.1, 00:00:07
D 192.192.2.0/24 [90/102400000] via 192.192.254.1, 00:00:07
D 192.192.3.0/24 [90/102400000] via 192.192.254.1, 00:00:07
192.192.254.0/24 is variably subnetted, 5 subnets, 2 masks
D 192.192.254.0/24 [90/76800640] via 192.192.254.1, 00:00:07
D 192.192.254.2/32 [90/102400000] via 192.192.254.1, 00:00:07
D 192.192.254.4/32 [90/102400000] via 192.192.254.1, 00:00:07
MID-SPOKE01 - Config
MID-SPOKE01#show run | s crypto ikev2|crypto ipsec|aaa|access-list|Tunnel|Loopback10|Loopback192|Ethernet0/0|router
!
aaa new-model
aaa authorization network AAA_AUTHO_NET local
aaa session-id common
!
crypto ikev2 authorization policy WQNET_IKEV2_AUTHO_POLICY
route set interface
route set access-list ACL_SPOKE_ROUTES
!
crypto ikev2 profile WQNET_IKEV2_PROFILE
match identity remote any
authentication remote pre-share key ThisIsTheWay
authentication local pre-share key ThisIsTheWay
aaa authorization group psk list AAA_AUTHO_NET WQNET_IKEV2_AUTHO_POLICY
!
crypto ipsec transform-set WQNET_IPSEC-TS ah-sha512-hmac
mode transport
!
crypto ipsec profile WQMET_IPSEC_PROFILE
set ikev2-profile WQNET_IKEV2_PROFILE
!
interface Loopback192
ip address 192.192.2.1 255.255.255.0
!
interface Tunnel10
ip address negotiated
tunnel source Ethernet0/0
tunnel destination 110.110.0.1
tunnel protection ipsec profile WQMET_IPSEC_PROFILE
!
interface Ethernet0/0
ip address 110.110.0.20 255.255.255.0
router eigrp WQNET
!
address-family ipv4 unicast autonomous-system 1414
!
topology base
exit-af-topology
network 192.192.0.0 0.0.255.255
exit-address-family
!
ip access-list standard ACL_SPOKE_ROUTES
10 permit 192.192.2.0 0.0.0.255
!
MID-SPOKE01 - Interfaces
MID-SPOKE01#sh ip int bri | exc down|unassigned
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 110.110.0.20 YES NVRAM up up
Loopback192 192.192.2.1 YES NVRAM up up
Tunnel10 192.192.254.2 YES NVRAM up up
MID-SPOKE01 - Routing Table
MID-SPOKE01#sh ip route eig | beg Gate
Gateway of last resort is not set
192.192.0.0/24 is variably subnetted, 2 subnets, 2 masks
D 192.192.0.0/25 [90/76800640] via 192.192.254.1, 00:13:52
D 192.192.1.0/24 [90/102400000] via 192.192.254.1, 14:05:33
D 192.192.3.0/24 [90/102400000] via 192.192.254.1, 14:05:28
192.192.254.0/24 is variably subnetted, 5 subnets, 2 masks
D 192.192.254.0/24 [90/76800640] via 192.192.254.1, 14:05:33
D 192.192.254.3/32 [90/102400000] via 192.192.254.1, 14:05:33
D 192.192.254.4/32 [90/102400000] via 192.192.254.1, 14:05:28
EAST-SPOKE01 - Config
aaa new-model
aaa authorization network AAA_AUTHO_NET local
aaa session-id common
!
crypto ikev2 authorization policy WQNET_IKEV2_AUTHO_POLICY
route set interface
route set access-list ACL_SPOKE_ROUTES
!
crypto ikev2 profile WQNET_IKEV2_PROFILE
match identity remote any
authentication remote pre-share key ThisIsTheWay
authentication local pre-share key ThisIsTheWay
aaa authorization group psk list AAA_AUTHO_NET WQNET_IKEV2_AUTHO_POLICY
!
crypto ipsec transform-set WQNET_IPSEC-TS ah-sha512-hmac
mode transport
!
crypto ipsec profile WQMET_IPSEC_PROFILE
set ikev2-profile WQNET_IKEV2_PROFILE
!
interface Loopback192
ip address 192.192.3.1 255.255.255.0
interface Tunnel10
ip address negotiated
ip nhrp network-id 1414
tunnel source Ethernet0/0
tunnel destination 110.110.0.1
tunnel protection ipsec profile WQMET_IPSEC_PROFILE
interface Ethernet0/0
ip address 110.110.0.30 255.255.255.0
router eigrp WQNET
!
address-family ipv4 unicast autonomous-system 1414
!
topology base
exit-af-topology
network 192.192.0.0 0.0.255.255
exit-address-family
ip access-list standard ACL_SPOKE_ROUTES
10 permit 192.192.3.0 0.0.0.255
EAST-SPOKE01 - Interfaces
EAST-SPOKE01#sh ip int bri | exc down|unassigned
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 110.110.0.30 YES NVRAM up up
Loopback192 192.192.3.1 YES NVRAM up up
Tunnel10 192.192.254.4 YES NVRAM up up
EAST-SPOKE01 - Routing Table
EAST-SPOKE01#sh ip route eig | beg Gate
Gateway of last resort is not set
192.192.0.0/24 is variably subnetted, 2 subnets, 2 masks
D 192.192.0.0/25 [90/76800640] via 192.192.254.1, 00:23:48
D 192.192.1.0/24 [90/102400000] via 192.192.254.1, 14:15:19
D 192.192.2.0/24 [90/102400000] via 192.192.254.1, 14:15:19
192.192.254.0/24 is variably subnetted, 5 subnets, 2 masks
D 192.192.254.0/24 [90/76800640] via 192.192.254.1, 14:15:19
D 192.192.254.2/32 [90/102400000] via 192.192.254.1, 14:15:19
D 192.192.254.3/32 [90/102400000] via 192.192.254.1, 14:15:19
TEST and TSHOOT commands
HUB | sh crypto ikev2 sa
WEST-FLEXHUB01#sh crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
2 110.110.0.1/500 110.110.0.30/500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/4932 sec
CE id: 1002, Session-id: 2
Local spi: 0114D5753354E94A Remote spi: 0C0EA52760565D3C
Tunnel-id Local Remote fvrf/ivrf Status
1 110.110.0.1/500 110.110.0.10/500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/4954 sec
CE id: 1001, Session-id: 1
Local spi: 641D27C0F81AE269 Remote spi: BB03988E7D874FD1
Tunnel-id Local Remote fvrf/ivrf Status
3 110.110.0.1/500 110.110.0.20/500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/4917 sec
CE id: 1003, Session-id: 3
Local spi: AD9409307CAF8CDE Remote spi: 5A77B211840B3D13
IPv6 Crypto IKEv2 SA
HUB | sh crypto ikev2 sa detailed
WEST-FLEXHUB01#sh crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
2 110.110.0.1/500 110.110.0.30/500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/4947 sec
CE id: 1002, Session-id: 2
Local spi: 0114D5753354E94A Remote spi: 0C0EA52760565D3C
Status Description: Negotiation done
Local id: 110.110.0.1
Remote id: 110.110.0.30
Local req msg id: 0 Remote req msg id: 5
Local next msg id: 0 Remote next msg id: 5
Local req queued: 0 Remote req queued: 5
Local window: 5 Remote window: 5
DPD configured for 0 seconds, retry 0
Fragmentation not configured.
Dynamic Route Update: enabled
Extended Authentication not configured.
NAT-T is not detected
Cisco Trust Security SGT is disabled
Assigned host addr: 192.192.254.3
Initiator of SA : No
Remote subnets:
192.192.254.3 255.255.255.255
192.192.3.0 255.255.255.0
PEER TYPE: IOS-XE
Tunnel-id Local Remote fvrf/ivrf Status
1 110.110.0.1/500 110.110.0.10/500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/4969 sec
CE id: 1001, Session-id: 1
Local spi: 641D27C0F81AE269 Remote spi: BB03988E7D874FD1
Status Description: Negotiation done
Local id: 110.110.0.1
Remote id: 110.110.0.10
Local req msg id: 0 Remote req msg id: 5
Local next msg id: 0 Remote next msg id: 5
Local req queued: 0 Remote req queued: 5
Local window: 5 Remote window: 5
DPD configured for 0 seconds, retry 0
Fragmentation not configured.
Dynamic Route Update: enabled
Extended Authentication not configured.
NAT-T is not detected
Cisco Trust Security SGT is disabled
Assigned host addr: 192.192.254.2
Initiator of SA : No
Remote subnets:
192.192.254.2 255.255.255.255
192.192.1.0 255.255.255.0
PEER TYPE: IOS-XE
Tunnel-id Local Remote fvrf/ivrf Status
3 110.110.0.1/500 110.110.0.20/500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/4932 sec
CE id: 1003, Session-id: 3
Local spi: AD9409307CAF8CDE Remote spi: 5A77B211840B3D13
Status Description: Negotiation done
Local id: 110.110.0.1
Remote id: 110.110.0.20
Local req msg id: 0 Remote req msg id: 5
Local next msg id: 0 Remote next msg id: 5
Local req queued: 0 Remote req queued: 5
Local window: 5 Remote window: 5
DPD configured for 0 seconds, retry 0
Fragmentation not configured.
Dynamic Route Update: enabled
Extended Authentication not configured.
NAT-T is not detected
Cisco Trust Security SGT is disabled
Assigned host addr: 192.192.254.4
Initiator of SA : No
Remote subnets:
192.192.254.4 255.255.255.255
192.192.2.0 255.255.255.0
PEER TYPE: IOS-XE
IPv6 Crypto IKEv2 SA
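The "Remote subnets" in the detailed output above are the routes each spoke's authorization policy pushed into the hub (the static routes on the Virtual-Access interfaces earlier); with "match identity remote any" and a shared PSK, the hub accepts them from any peer that authenticates, so a hub-side check that they are what each peer should announce is worth having. As an added example (not code from the original post), a small parser for that output plus an allow-list audit; the input is a constructed, trimmed copy of the output above with one extra route invented so the audit has something to flag.

```python
import re
from ipaddress import ip_network
# Constructed sample: trimmed "sh crypto ikev2 sa detailed"; 192.168.99.0/24 is invented here.
SAMPLE = """\
2 110.110.0.1/500 110.110.0.30/500 none/none READY
DPD configured for 0 seconds, retry 0
Assigned host addr: 192.192.254.3
Remote subnets:
192.192.254.3 255.255.255.255
192.192.3.0 255.255.255.0
1 110.110.0.1/500 110.110.0.10/500 none/none READY
DPD configured for 0 seconds, retry 0
Assigned host addr: 192.192.254.2
Remote subnets:
192.192.254.2 255.255.255.255
192.192.1.0 255.255.255.0
192.168.99.0 255.255.255.0
"""
# tunnel-id local/port remote/port fvrf/ivrf status
SA_START = re.compile(r"^(\d+)\s+\S+/\d+\s+(\S+)/\d+\s+\S+\s+(\w+)$")
SUBNET = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)$")

def parse_ikev2_sa(text):
    """One dict per SA: remote peer, status, DPD interval, assigned addr, injected routes."""
    sas, cur, in_subnets = [], {}, False
    for line in text.splitlines():
        line = line.strip()
        if m := SA_START.match(line):
            cur = {"remote": m.group(2), "status": m.group(3), "dpd": None, "assigned": None, "subnets": []}
            sas.append(cur)
            in_subnets = False
        elif line.startswith("DPD configured for"):
            cur["dpd"] = int(line.split()[3])  # 0 means no dpd configured in the IKEv2 profile
        elif line.startswith("Assigned host addr:"):
            cur["assigned"] = line.split()[-1]
        elif line == "Remote subnets:":
            in_subnets = True
        elif in_subnets and (sm := SUBNET.match(line)):
            cur["subnets"].append(str(ip_network(f"{sm.group(1)}/{sm.group(2)}")))
    return sas

def audit(sas, allowed_by_peer):
    """Flag routes a peer injected beyond its allow-list (its own /32 is always allowed) and SAs without DPD."""
    findings = []
    for sa in sas:
        allowed = allowed_by_peer.get(sa["remote"], set()) | {f"{sa['assigned']}/32"}
        findings += [f"{sa['remote']}: unexpected route {n}" for n in sa["subnets"] if n not in allowed]
        if sa["dpd"] == 0:
            findings.append(f"{sa['remote']}: DPD not configured")
    return findings
```

Call audit(parse_ikev2_sa(SAMPLE), {"110.110.0.30": {"192.192.3.0/24"}, "110.110.0.10": {"192.192.1.0/24"}}) to get the findings list; the allow-list is the per-spoke ACL_SPOKE_ROUTES prefix from this lab.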
WEST-SPOKE01 - Is Tunnel Protection missing?
- Look at the Tunnel part of the output, after the line (Tunnel receive bandwidth 8000 (kbps)).
- Protection is missing: there is no line "Tunnel protection via IPSec (profile "NAMEOFPROFILE")", so the GRE tunnel is carried unencrypted.
WEST-SPOKE01#sh interfaces tunnel10 | inc Tunnel
Tunnel10 is up, line protocol is up
Hardware is Tunnel
Tunnel linestate evaluation up
Tunnel source 110.110.0.10 (Ethernet0/0), destination 110.110.0.1
Tunnel Subblocks:
Tunnel10 source tracking subblock associated with Ethernet0/0
Tunnel protocol/transport GRE/IP
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
WEST-SPOKE01 - Add Tunnel Protection
WEST-SPOKE01#conf t
WEST-SPOKE01(config)#interface Tunnel10
WEST-SPOKE01(config-if)#tunnel protection ipsec profile WQNET_IPSEC_PROFILE
WEST-SPOKE01(config-if)#do sh run | s Tunnel
interface Tunnel10
ip address negotiated
tunnel source Ethernet0/0
tunnel destination 110.110.0.1
tunnel protection ipsec profile WQNET_IPSEC_PROFILE
WEST-SPOKE01 - Verify Tunnel Protection
- Look at the Tunnel part of the output, after the line (Tunnel receive bandwidth 8000 (kbps)).
- Protection is now shown: there is a line "Tunnel protection via IPSec (profile "NAMEOFPROFILE")". The transport MTU also drops from 1476 to 1434 bytes because of the IPsec overhead.
WEST-SPOKE01(config-if)#do sh interfaces tunnel10 | inc Tunnel
Tunnel10 is up, line protocol is up
Hardware is Tunnel
Tunnel linestate evaluation up
Tunnel source 110.110.0.10 (Ethernet0/0), destination 110.110.0.1
Tunnel Subblocks:
Tunnel10 source tracking subblock associated with Ethernet0/0
Tunnel protocol/transport GRE/IP
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1434 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "WQNET_IPSEC_PROFILE")
TSHOOT | Commands
show run | section ikev2 profile
show crypto ikev2 profile
debug crypto ikev2 error
show crypto ikev2 sa
trace 192.192.2.1 source Loopback192 numeric
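The "Is Tunnel Protection missing?" check above can be run over a saved running-config for every tunnel at once instead of per interface. This is an added example, not code from the original post; the config is a constructed sample modelled on WEST-SPOKE01 before the fix, with a second tunnel whose profile name deliberately does not match the defined crypto ipsec profile.

```python
# Constructed sample modelled on WEST-SPOKE01 before the fix. Tunnel20 is invented here;
# its profile name is deliberately different from the one defined, to show a dangling reference.
CONFIG = """\
crypto ipsec profile WQNET_IPSEC_PROFILE
 set ikev2-profile WQNET_IKEV2_PROFILE
!
interface Tunnel10
 ip address negotiated
 tunnel source Ethernet0/0
 tunnel destination 110.110.0.1
!
interface Tunnel20
 ip address 10.0.0.1 255.255.255.0
 tunnel source Ethernet0/0
 tunnel destination 110.110.0.2
 tunnel protection ipsec profile WQMET_IPSEC_PROFILE
!
"""

def sections(config):
    """Yield (header, [indented body lines]) for each top-level IOS config block."""
    header, body = None, []
    for line in config.splitlines():
        if line.startswith(" "):
            body.append(line.strip())
        elif line and line != "!":
            if header is not None:
                yield header, body
            header, body = line, []
    if header is not None:
        yield header, body

def audit_tunnel_protection(config):
    """Report tunnel interfaces (Tunnel* and Virtual-Template ... type tunnel) that have
    no 'tunnel protection', or whose profile is not a defined 'crypto ipsec profile'."""
    profiles, tunnels, findings = set(), [], []
    for header, body in sections(config):
        words = header.split()
        if header.startswith("crypto ipsec profile "):
            profiles.add(words[3])
        elif header.startswith("interface Tunnel") or header.endswith(" type tunnel"):
            tunnels.append((words[1], body))
    for name, body in tunnels:
        prot = [l for l in body if l.startswith("tunnel protection ipsec profile ")]
        if not prot:
            findings.append(f"{name}: no tunnel protection, GRE is carried in the clear")
        elif prot[0].split()[4] not in profiles:
            findings.append(f"{name}: profile {prot[0].split()[4]} is not defined")
    return findings
```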