Site-to-Site FlexVPN Lab 3: Hub-to-Spoke with Virtual Template Interface (VTI)

Lab Introduction

This lab is the third post in my site-to-site FlexVPN series. This time the HUB uses a virtual template to establish tunnels to the SPOKEs instead of a static tunnel interface. As in Lab 2 (ref. Site-to-Site FlexVPN Lab 2: static tunnel + RSA key within PKI), mixed RSA and PSK authentication is used: the HUB authenticates itself with an RSA signature and the SPOKEs authenticate with a pre-shared key.

As a result of this lab, we should be able to ping the SPOKE 1 tunnel IP 172.16.1.1 and the SPOKE 2 tunnel IP 172.16.2.1 from the HUB virtual-access interfaces, which borrow 192.168.10.1 from Loopback0.

Lab 4 (ref. Site-to-Site FlexVPN Lab 4: Spoke-to-Spoke with NHRP and VTI) will add NHRP to enable dynamic spoke-to-spoke tunnels.

The lab topology is shown below. HUB 1 functions as the Certificate Authority (CA); SPOKE 1 and SPOKE 2 request and receive their certificates from HUB 1. All routers point to an external NTP server (192.168.1.8), so certificate validity is checked against the correct time. Note that this is a lab build: the enable and VTY passwords, the plain-text pre-shared key, ‘ip ssh version 1’, the HTTP enrolment server and ‘revocation-check none’ on the spokes appear exactly as configured and are not hardened for production use.

I made a human error in the configuration; please read the configuration and verification comments (the lines starting with ‘!’ or ‘#’ in the output below) carefully. The error is left in on purpose to demonstrate the importance of verification and how to verify step by step. DO NOT leave testing to the end as a single overall test or end-user test only.
[Topology diagram: FLEXVPN_SITE_Dynamic]

Virtual Template and Virtual Access Interface

A virtual template provides the configuration from which virtual-access interfaces are dynamically created.

When a peer requests a connection, a virtual-access interface is created from the configured virtual template; when the peer drops the connection, the virtual-access interface is automatically freed. As the name suggests, the virtual template is only a template: the configuration applied to each virtual-access interface can be customised per dial-in peer identity through authorisation, either an authorisation policy configured locally on the device that holds the virtual template or one defined on an AAA server such as Cisco ACS or ISE.

In this way one virtual template can serve many virtual-access interfaces, each with its own customised configuration. Use ‘show interfaces virtual-access x configuration’ to display the configuration derived for a given virtual-access interface.

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/dial/configuration/guide/fdial_c/dafvrtmp.html

Interface Configuration

CSR-HUB1

GigabitEthernet1       192.168.1.91 (mgmt)
GigabitEthernet2       200.1.1.1
Loopback0             192.168.10.1
Loopback1            192.168.100.1

CSR-SPOKE1

GigabitEthernet1       192.168.1.93 (mgmt)
GigabitEthernet3       200.1.1.3
Loopback0             172.16.1.1
Loopback1             172.16.100.1

CSR-SPOKE2

GigabitEthernet1       192.168.1.94 (mgmt)
GigabitEthernet3      200.1.1.4
Loopback0             172.16.2.1

CSR-HUB1 Configuration

CSR-HUB1#show run
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console auto
!
hostname CSR-HUB1
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
aaa new-model
!
aaa authorization network ike_list local
!
aaa session-id common
!
ip domain name mm.com
!
subscriber templating
!
multilink bundle-name authenticated
!
crypto pki server CA
no database archive
grant auto
eku server-auth client-auth
!
crypto pki trustpoint CA
revocation-check crl
rsakeypair CA
!
crypto pki trustpoint S2S-CA
enrollment url http://192.168.1.91:80
subject-name cn=HUB1,ou=mm.com
revocation-check crl
!
crypto pki certificate chain CA
certificate ca 01
308201F3 3082015C A0030201 02020101 300D0609 2A864886 F70D0101 04050030
0D310B30 09060355 04031302 4341301E 170D3136 30313236 31353036 32355A17
0D313930 31323531 35303632 355A300D 310B3009 06035504 03130243 4130819F
300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100B787 5D5AA0D5
463A0E98 ABBD8437 FB8D75AE CE767C40 E352008A C1FF4DD3 0493EAAA A22DE447
3BE37B42 3FBE0642 C6FF6620 578EAEF5 80EFBF55 47B7A278 D3F4B96E C24C86B8
B0EA363E 124801AA 30C0B51D 0A3D691B CE246A3B 14C83579 ACD70B95 4ECB3F36
9E40DC30 BCE15FCF EF0A43AD BEF421F8 5D65FEDF 67769337 D2EF0203 010001A3
63306130 0F060355 1D130101 FF040530 030101FF 300E0603 551D0F01 01FF0404
03020186 301F0603 551D2304 18301680 1473FC34 CCCB32C3 1A1573BB CFE858D0
FE6B468F 71301D06 03551D0E 04160414 73FC34CC CB32C31A 1573BBCF E858D0FE
6B468F71 300D0609 2A864886 F70D0101 04050003 81810029 5C847FF2 52FC86F0
07CA5E3D 1028F120 0BD97759 6C3C4D86 B5F57A3F 4EE33103 F095AC8D DB9A1B44
1AB1DD32 A32631E6 9E5B8A1A 1224D97F 348A5F3D 0C6902BB 95C04951 61F1D35B
11346869 02EF62B1 A9A4BE43 276F4BD2 301B67C2 5235956A 8FB93B25 9F508FB5
1A30D57C B9E9FA91 673B7D0E B3FF750D 2D278FB9 FF8A40
quit
crypto pki certificate chain S2S-CA
certificate 02
308201ED 30820156 A0030201 02020102 300D0609 2A864886 F70D0101 05050030
0D310B30 09060355 04031302 4341301E 170D3136 30313236 31353130 30365A17
0D313730 31323531 35313030 365A3040 310F300D 06035504 0B13066D 6D2E636F
6D310D30 0B060355 04031304 48554231 311E301C 06092A86 4886F70D 01090216
0F435352 2D485542 312E6D6D 2E636F6D 305C300D 06092A86 4886F70D 01010105
00034B00 30480241 00A161E4 8E1470FD 0599CE51 626D23E1 C89F7111 A8CC58C9
6AA6F145 237D2FBA 020B5CE7 DF0B9BFB 377BA94F FAF10B10 9B54DC95 870D0DF1
5151E45E 0E940684 AD020301 0001A36E 306C301D 0603551D 25041630 1406082B
06010505 07030106 082B0601 05050703 02300B06 03551D0F 04040302 05A0301F
0603551D 23041830 16801473 FC34CCCB 32C31A15 73BBCFE8 58D0FE6B 468F7130
1D060355 1D0E0416 0414C06F 27055188 44A99EE2 9E12290E BB7D80CD 7A33300D
06092A86 4886F70D 01010505 00038181 000A6A08 5D28C8D2 F5789E63 A7B61D13
F95A6958 684D1645 DF3E85E6 7CDFDDA6 471DD539 1B8363D1 AFB5201B 8384BC6B
4A42B8E5 73DD496D B46AE63F 987A6C36 FAFA92A1 34CA8BD2 8C1379E8 D3238ECD
CD8372E1 4C511311 AF323AD6 6C669C95 CDEC05D1 B2F6EC9B 2E368EDE 8A54D55D
457954BD AAEFCDA7 364072E1 E7204C01 0F
quit
certificate ca 01
308201F3 3082015C A0030201 02020101 300D0609 2A864886 F70D0101 04050030
0D310B30 09060355 04031302 4341301E 170D3136 30313236 31353036 32355A17
0D313930 31323531 35303632 355A300D 310B3009 06035504 03130243 4130819F
300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100B787 5D5AA0D5
463A0E98 ABBD8437 FB8D75AE CE767C40 E352008A C1FF4DD3 0493EAAA A22DE447
3BE37B42 3FBE0642 C6FF6620 578EAEF5 80EFBF55 47B7A278 D3F4B96E C24C86B8
B0EA363E 124801AA 30C0B51D 0A3D691B CE246A3B 14C83579 ACD70B95 4ECB3F36
9E40DC30 BCE15FCF EF0A43AD BEF421F8 5D65FEDF 67769337 D2EF0203 010001A3
63306130 0F060355 1D130101 FF040530 030101FF 300E0603 551D0F01 01FF0404
03020186 301F0603 551D2304 18301680 1473FC34 CCCB32C3 1A1573BB CFE858D0
FE6B468F 71301D06 03551D0E 04160414 73FC34CC CB32C31A 1573BBCF E858D0FE
6B468F71 300D0609 2A864886 F70D0101 04050003 81810029 5C847FF2 52FC86F0
07CA5E3D 1028F120 0BD97759 6C3C4D86 B5F57A3F 4EE33103 F095AC8D DB9A1B44
1AB1DD32 A32631E6 9E5B8A1A 1224D97F 348A5F3D 0C6902BB 95C04951 61F1D35B
11346869 02EF62B1 A9A4BE43 276F4BD2 301B67C2 5235956A 8FB93B25 9F508FB5
1A30D57C B9E9FA91 673B7D0E B3FF750D 2D278FB9 FF8A40
quit
!
license udi pid CSR1000V sn 9TR6B6610DS
!
spanning-tree extend system-id
!
username admin privilege 15 secret 5 $1$zINL$Gf.DJe6Gik9lBzwkmsmAa1
!
redundancy
crypto ikev2 authorization policy default
def-domain mm.com
! Upon successful authentication, the authorization policy advertises the interface IP (route set interface) and the prefixes permitted by access-list flex_route (route set access-list) to the peer. The result is shown in the verification section.
route set interface
route set access-list flex_route
!
crypto ikev2 keyring mykeys
peer SPOKE
address 200.1.1.0 255.255.255.0
pre-shared-key Cisco123
!
crypto ikev2 profile FLEXVPN-Dynamic
match identity remote address 200.1.1.0 255.255.255.0
authentication remote pre-share
authentication local rsa-sig
keyring local mykeys
pki trustpoint S2S-CA
dpd 60 2 on-demand
aaa authorization group psk list ike_list default
aaa authorization group cert list ike_list default
virtual-template 1
!
crypto ipsec profile default
set ikev2-profile FLEXVPN-Dynamic
!
interface Loopback0
ip address 192.168.10.1 255.255.255.0
!
interface Loopback1
ip address 192.168.100.1 255.255.255.255
!
interface GigabitEthernet1
ip address 192.168.1.91 255.255.255.0
negotiation auto
!
interface GigabitEthernet2
ip address 200.1.1.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet3
no ip address
negotiation auto
!
interface GigabitEthernet4
no ip address
shutdown
negotiation auto
!
! The virtual-access interfaces derive their configuration from this virtual template. Use ‘show interfaces virtual-access x configuration’ to display the derived configuration of a specific virtual-access interface.
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel source GigabitEthernet2
tunnel protection ipsec profile default
!
router eigrp 1
network 192.168.10.0
network 192.168.100.0
!
virtual-service csr_mgmt
!
ip local pool flex-pool 172.16.0.1 172.16.0.254
ip forward-protocol nd
!
ip http server
no ip http secure-server
ip ssh version 1
!
! Please note the access-list name differs from the one referenced in the authorization policy above: flex-route here vs. flex_route there. It does not break this lab (the spoke still receives the HUB's interface route), but Lab 4 will not work with this error. Step-by-step as well as overall verification is therefore very important.
ip access-list standard flex-route
permit any
!
control-plane
!
line con 0
stopbits 1
line vty 0 4
password cisco
!
ntp source GigabitEthernet1
ntp server 192.168.1.8
!
end
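
The two points above, how a virtual-access interface derives its address from the template (‘ip unnumbered Loopback0’) and how a silently mis-named access-list changes what ‘route set access-list’ pushes, can be checked offline before touching the routers. The script below is an added example and is not part of the original lab or of any Cisco tool. It runs over a constructed excerpt of the CSR-HUB1 config (with the one-space IOS indentation the blog rendering lost restored), resolves every object the IKEv2 profile, authorization policy, IPsec profile and virtual template reference, and computes the prefixes a spoke should receive. The rule that a referenced but undefined access-list pushes nothing is taken from this lab's own observation on SPOKE 1, not from Cisco documentation, and the block-header and token positions it parses are assumptions about this config style. It is a static pre-check, not a replacement for ‘show crypto ikev2 sa detailed’ on the spoke.

```python
# Added example (not part of the original lab): lint a FlexVPN hub config for dangling references.
import ipaddress

# Constructed excerpt modelled on the CSR-HUB1 config above; indentation restored, ACL mismatch kept.
HUB_CONFIG = """\
crypto ikev2 authorization policy default
 route set interface
 route set access-list flex_route
crypto ikev2 keyring mykeys
crypto ikev2 profile FLEXVPN-Dynamic
 keyring local mykeys
 aaa authorization group psk list ike_list default
 virtual-template 1
crypto ipsec profile default
 set ikev2-profile FLEXVPN-Dynamic
interface Loopback0
 ip address 192.168.10.1 255.255.255.0
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel protection ipsec profile default
ip access-list standard flex-route
 permit any
"""

# (referencing block header prefix, leading tokens of the line, index of the name, required header)
RULES = [
    ("crypto ikev2 profile ", ("keyring", "local"), 2, "crypto ikev2 keyring {}"),
    ("crypto ikev2 profile ", ("pki", "trustpoint"), 2, "crypto pki trustpoint {}"),
    ("crypto ikev2 profile ", ("aaa", "authorization", "group"), -1, "crypto ikev2 authorization policy {}"),
    ("crypto ikev2 profile ", ("virtual-template",), 1, "interface Virtual-Template{}"),
    ("crypto ikev2 authorization policy ", ("route", "set", "access-list"), 3, "ip access-list standard {}"),
    ("crypto ipsec profile ", ("set", "ikev2-profile"), 2, "crypto ikev2 profile {}"),
    ("interface ", ("tunnel", "protection", "ipsec", "profile"), 4, "crypto ipsec profile {}"),
    ("interface ", ("ip", "unnumbered"), 2, "interface {}"),
]

def parse_blocks(config):
    """Map each unindented IOS config line to the stripped lines indented under it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            blocks.setdefault(current, []).append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
    return blocks

def children(blocks, header):
    """Lines under `header` (exact, or with a trailing qualifier such as 'type tunnel'); None if absent."""
    return next((v for h, v in blocks.items() if h == header or h.startswith(header + " ")), None)

def check_references(blocks):
    """One finding per referenced object that is defined nowhere in the config."""
    findings = []
    for header, lines in blocks.items():
        for line in lines:
            t = line.split()
            for prefix, lead, idx, target in RULES:
                if header.startswith(prefix) and tuple(t[:len(lead)]) == lead:
                    want = target.format(t[idx])
                    if children(blocks, want) is None:
                        findings.append(f"{header}: '{line}' -> no '{want}' defined")
    return findings

def interface_address(blocks, ifname):
    """IPv4 address an interface uses, following 'ip unnumbered' to the lending interface."""
    for t in (ln.split() for ln in children(blocks, f"interface {ifname}") or []):
        if t[:2] == ["ip", "address"] and len(t) >= 4:
            return ipaddress.ip_interface(f"{t[2]}/{t[3]}").ip
        if t[:2] == ["ip", "unnumbered"]:
            return interface_address(blocks, t[2])
    return None

def acl_prefixes(blocks, name):
    """Prefixes a standard ACL pushes via 'route set access-list'; an undefined ACL pushes nothing (lab observation)."""
    nets = []
    for t in (ln.split() for ln in children(blocks, f"ip access-list standard {name}") or []):
        if t[:1] == ["permit"]:
            src = "0.0.0.0/0" if t[1] == "any" else f"{t[1]}/{t[2] if len(t) > 2 else 32}"
            nets.append(ipaddress.ip_network(src, strict=False))  # an IOS wildcard parses as a host mask
    return nets

def advertised_routes(blocks, policy="default", template="Virtual-Template1"):
    """Sorted prefixes the hub would push to a spoke authorised under `policy`."""
    routes = set()
    for t in (ln.split() for ln in children(blocks, f"crypto ikev2 authorization policy {policy}") or []):
        if t[:3] == ["route", "set", "interface"] and (ip := interface_address(blocks, template)) is not None:
            routes.add(ipaddress.ip_network(f"{ip}/32"))
        elif t[:3] == ["route", "set", "access-list"]:
            routes.update(acl_prefixes(blocks, t[3]))
    return sorted(str(r) for r in routes)

def lint(config):
    blocks = parse_blocks(config)
    return check_references(blocks), advertised_routes(blocks)

if __name__ == "__main__":
    for cfg in (HUB_CONFIG, HUB_CONFIG.replace("standard flex-route", "standard flex_route")):
        print(lint(cfg))
```

Running it prints the findings and pushed routes twice: once for the config as posted (one finding, only 192.168.10.1/32 pushed) and once with the access-list renamed to flex_route (no findings, 0.0.0.0/0 added). Pasting a full ‘show running-config’ into HUB_CONFIG should work as long as the indentation is intact, since the certificate chain and other nested blocks are simply collected under their headers.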

CSR-SPOKE1 Configuration

CSR-SPOKE1#show run
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console auto
!
hostname CSR-SPOKE1
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
aaa new-model
!
aaa authorization network ike_list local
!
aaa session-id common
!
ip domain name mm.com
!
subscriber templating
!
multilink bundle-name authenticated
!
crypto pki trustpoint S2S-CA
enrollment url http://192.168.1.91:80
revocation-check none
!
crypto pki certificate map S2S-Map 10
issuer-name eq ca
!

crypto pki certificate chain S2S-CA
certificate 04
308201CF 30820138 A0030201 02020104 300D0609 2A864886 F70D0101 05050030
0D310B30 09060355 04031302 4341301E 170D3136 30313236 31353331 31355A17
0D313730 31323531 35333131 355A3022 3120301E 06092A86 4886F70D 01090216
11435352 2D53504F 4B45312E 6D6D2E63 6F6D305C 300D0609 2A864886 F70D0101
01050003 4B003048 024100A4 492AA528 E10414AC F2B1F4E6 1ABC22DA 18925224
F7BE3346 E658A168 5D86BAC3 42F67180 45E3DB7B 908EA63D 6C25310E C33077B6
DF86D2EF 9523A5B2 6D8EB102 03010001 A36E306C 301D0603 551D2504 16301406
082B0601 05050703 0106082B 06010505 07030230 0B060355 1D0F0404 030205A0
301F0603 551D2304 18301680 1473FC34 CCCB32C3 1A1573BB CFE858D0 FE6B468F
71301D06 03551D0E 04160414 A056D10B FBCEF130 1F568D48 303421B0 0182C6E9
300D0609 2A864886 F70D0101 05050003 81810045 BE0D3211 2E7F33BC 564B5B4C
BBE76BFE 85DBAA5E 2EA779A9 9B7EB7D7 38E804BB 9F44BD4B 3F768F9A C3B56315
BE4288D2 062E1A18 30533C47 7D6B108A 7CBC9D20 D1A2927C D0A9F751 78391074
949A2FCE E8240014 59F75055 7937F740 52A2FA41 E8505DEA 657E055F 1B65D029
6979A9A6 5E4606F2 FE2DAF56 81EAC20C 9EA846
quit
certificate ca 01
308201F3 3082015C A0030201 02020101 300D0609 2A864886 F70D0101 04050030
0D310B30 09060355 04031302 4341301E 170D3136 30313236 31353036 32355A17
0D313930 31323531 35303632 355A300D 310B3009 06035504 03130243 4130819F
300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100B787 5D5AA0D5
463A0E98 ABBD8437 FB8D75AE CE767C40 E352008A C1FF4DD3 0493EAAA A22DE447
3BE37B42 3FBE0642 C6FF6620 578EAEF5 80EFBF55 47B7A278 D3F4B96E C24C86B8
B0EA363E 124801AA 30C0B51D 0A3D691B CE246A3B 14C83579 ACD70B95 4ECB3F36
9E40DC30 BCE15FCF EF0A43AD BEF421F8 5D65FEDF 67769337 D2EF0203 010001A3
63306130 0F060355 1D130101 FF040530 030101FF 300E0603 551D0F01 01FF0404
03020186 301F0603 551D2304 18301680 1473FC34 CCCB32C3 1A1573BB CFE858D0
FE6B468F 71301D06 03551D0E 04160414 73FC34CC CB32C31A 1573BBCF E858D0FE
6B468F71 300D0609 2A864886 F70D0101 04050003 81810029 5C847FF2 52FC86F0
07CA5E3D 1028F120 0BD97759 6C3C4D86 B5F57A3F 4EE33103 F095AC8D DB9A1B44
1AB1DD32 A32631E6 9E5B8A1A 1224D97F 348A5F3D 0C6902BB 95C04951 61F1D35B
11346869 02EF62B1 A9A4BE43 276F4BD2 301B67C2 5235956A 8FB93B25 9F508FB5
1A30D57C B9E9FA91 673B7D0E B3FF750D 2D278FB9 FF8A40
quit
!
license udi pid CSR1000V sn 9QKHH15ZASW
!
spanning-tree extend system-id
!
username admin privilege 15 secret 5 $1$hpO9$iuvo4QXwaYNATueef.jMc0
!
redundancy
crypto ikev2 authorization policy default
route set interface
route set access-list flex_route
!
crypto ikev2 keyring mykeys
peer HUB
address 200.1.1.1
pre-shared-key Cisco123
!
crypto ikev2 profile FLEXVPN_Dynamic
match identity remote address 200.1.1.1 255.255.255.255
authentication remote pre-share
authentication remote rsa-sig
authentication local pre-share
keyring local mykeys
pki trustpoint S2S-CA
dpd 60 2 on-demand
aaa authorization group psk list ike_list default
aaa authorization group cert list ike_list default
!
crypto ikev2 client flexvpn FLEXVPN_CLIENT
peer 1 200.1.1.1
client connect Tunnel1
!
crypto ipsec profile default
set ikev2-profile FLEXVPN_Dynamic
!
interface Loopback0
ip address 172.16.1.1 255.255.255.0
!
interface Loopback1
ip address 172.16.100.1 255.255.255.255
!
interface Tunnel1
description to hub1
ip unnumbered Loopback0
delay 500
tunnel source GigabitEthernet3
tunnel destination dynamic
tunnel protection ipsec profile default
!
interface GigabitEthernet1
ip address 192.168.1.93 255.255.255.0
negotiation auto
!
interface GigabitEthernet2
no ip address
negotiation auto
!
interface GigabitEthernet3
ip address 200.1.1.3 255.255.255.0
negotiation auto
!
interface GigabitEthernet4
no ip address
negotiation auto
!
router eigrp 1
network 172.16.0.0
network 172.16.100.0 0.0.0.255
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip ssh version 1
!
ip access-list standard flex_route
permit 172.16.1.0 0.0.0.255
!
control-plane
!
line con 0
stopbits 1
line vty 0 4
password cisco
!
ntp source GigabitEthernet1
ntp server 192.168.1.8
!
end

CSR-SPOKE2 Configuration

CSR-SPOKE2#show run
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console auto
!
hostname CSR-SPOKE2
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
aaa new-model
!
aaa authorization network ike_list local
!
aaa session-id common
!
ip domain name mm.com
!
subscriber templating
!
multilink bundle-name authenticated
!
crypto pki trustpoint S2S-CA
enrollment url http://192.168.1.91:80
revocation-check none
!
crypto pki certificate chain S2S-CA
certificate 05
308201CF 30820138 A0030201 02020105 300D0609 2A864886 F70D0101 05050030
0D310B30 09060355 04031302 4341301E 170D3136 30313238 32333034 33355A17
0D313730 31323732 33303433 355A3022 3120301E 06092A86 4886F70D 01090216
11435352 2D53504F 4B45322E 6D6D2E63 6F6D305C 300D0609 2A864886 F70D0101
01050003 4B003048 02410089 BD4258B7 6F5D7BCD 6D054F08 5D7540CA 84FD8832
81C7294A 086F1244 D4408FD7 B5C584FB 384BB858 B8D0CAAC D3341757 DBC70FE9
6DAFF0A8 72DE3101 50D35D02 03010001 A36E306C 301D0603 551D2504 16301406
082B0601 05050703 0106082B 06010505 07030230 0B060355 1D0F0404 030205A0
301F0603 551D2304 18301680 1473FC34 CCCB32C3 1A1573BB CFE858D0 FE6B468F
71301D06 03551D0E 04160414 C35F3701 1BF005FB 2C363F30 D122D536 DA949088
300D0609 2A864886 F70D0101 05050003 818100A4 016A404E A63DEE56 DBE61ABC
25F4FF27 D023FBEA DCC6C240 B9A465DE 7F7F33AF 6FCD4DC1 04509A5D 9D81C3E5
6DE93C52 DD8B6D74 957E88F5 05F70D75 9B7738FE BACFB31D AF3FE606 D79F6C8C
8BBA15DF 28915BC2 35010C25 C002965F 89CD3232 792BAA9A B3256742 09DC63BF
356570A9 C9269155 E2032F18 9E58653D 5BE210
quit
certificate ca 01
308201F3 3082015C A0030201 02020101 300D0609 2A864886 F70D0101 04050030
0D310B30 09060355 04031302 4341301E 170D3136 30313236 31353036 32355A17
0D313930 31323531 35303632 355A300D 310B3009 06035504 03130243 4130819F
300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100B787 5D5AA0D5
463A0E98 ABBD8437 FB8D75AE CE767C40 E352008A C1FF4DD3 0493EAAA A22DE447
3BE37B42 3FBE0642 C6FF6620 578EAEF5 80EFBF55 47B7A278 D3F4B96E C24C86B8
B0EA363E 124801AA 30C0B51D 0A3D691B CE246A3B 14C83579 ACD70B95 4ECB3F36
9E40DC30 BCE15FCF EF0A43AD BEF421F8 5D65FEDF 67769337 D2EF0203 010001A3
63306130 0F060355 1D130101 FF040530 030101FF 300E0603 551D0F01 01FF0404
03020186 301F0603 551D2304 18301680 1473FC34 CCCB32C3 1A1573BB CFE858D0
FE6B468F 71301D06 03551D0E 04160414 73FC34CC CB32C31A 1573BBCF E858D0FE
6B468F71 300D0609 2A864886 F70D0101 04050003 81810029 5C847FF2 52FC86F0
07CA5E3D 1028F120 0BD97759 6C3C4D86 B5F57A3F 4EE33103 F095AC8D DB9A1B44
1AB1DD32 A32631E6 9E5B8A1A 1224D97F 348A5F3D 0C6902BB 95C04951 61F1D35B
11346869 02EF62B1 A9A4BE43 276F4BD2 301B67C2 5235956A 8FB93B25 9F508FB5
1A30D57C B9E9FA91 673B7D0E B3FF750D 2D278FB9 FF8A40
quit
!
license udi pid CSR1000V sn 99RWKS44J5X
!
spanning-tree extend system-id
!
username admin privilege 15 secret 5 $1$JiwR$8bSDjrkmXRi0VVhMbGSat0
!
redundancy
crypto ikev2 authorization policy default
route set interface
route set access-list flex_route
!
crypto ikev2 keyring mykeys
peer HUB
address 200.1.1.1
pre-shared-key Cisco123
!
crypto ikev2 profile FLEXVPN_Dynamic
match identity remote address 200.1.1.1 255.255.255.255
authentication remote pre-share
authentication remote rsa-sig
authentication local pre-share
keyring local mykeys
pki trustpoint S2S-CA
dpd 60 2 on-demand
aaa authorization group psk list ike_list default
aaa authorization group cert list ike_list default
!
crypto ikev2 client flexvpn FLEXVPN_CLIENT
peer 1 200.1.1.1
client connect Tunnel1
!
crypto ipsec profile default
set ikev2-profile FLEXVPN_Dynamic
!
interface Loopback0
ip address 172.16.2.1 255.255.255.0
!

interface Tunnel1
ip unnumbered Loopback0
tunnel source GigabitEthernet3
tunnel destination dynamic
tunnel protection ipsec profile default
!
interface GigabitEthernet1
ip address 192.168.1.94 255.255.255.0
negotiation auto
!
interface GigabitEthernet2
no ip address
negotiation auto
!
interface GigabitEthernet3
ip address 200.1.1.4 255.255.255.0
negotiation auto
!
interface GigabitEthernet4
no ip address
shutdown
negotiation auto
!
virtual-service csr_mgmt
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip ssh version 1
!
ip access-list standard flex_route
permit 172.16.2.0 0.0.0.255
!
control-plane
!
line con 0
stopbits 1
line vty 0 4
password cisco
!
ntp server 192.168.1.8
!
end

Verification

CSR-SPOKE1# show crypto ikev2 sa detailed 
IPv4 Crypto IKEv2 SA
Tunnel-id Local                 Remote               fvrf/ivrf           Status
1         200.1.1.3/500         200.1.1.1/500         none/none           READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: RSA
Life/Active Time: 86400/4657 sec
CE id: 1039, Session-id: 3
Status Description: Negotiation done
Local spi: 01ADA7BB4DA0E34D       Remote spi: 13A01100B375CD16
Local id: 200.1.1.3
Remote id: 200.1.1.1
Local req msg id: 6             Remote req msg id: 2
Local next msg id: 6             Remote next msg id: 2
Local req queued: 6             Remote req queued: 2
Local window:     5             Remote window:     5
DPD configured for 60 seconds, retry 2
Fragmentation not configured.
Extended Authentication not configured.
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : Yes
Default Domain: mm.com
     Remote subnets:
     192.168.10.1 255.255.255.255
# The authorization policy under the IKEv2 profile controls the static routes advertised to peers. After successful authentication, authorisation is executed based on the peer identity; ‘route set interface’ and ‘route set access-list’ in the authorization policy advertise the interface IP and the prefixes in the access-list respectively. Note that only the HUB's interface IP was received on the SPOKE; the 0.0.0.0/0 defined in the HUB's access-list was not received because of the HUB's access-list name mismatch!

CSR-SPOKE1#show ip route
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C       172.16.1.0/24 is directly connected, Loopback0
L       172.16.1.1/32 is directly connected, Loopback0
C       172.16.100.1/32 is directly connected, Loopback1
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.1.0/24 is directly connected, GigabitEthernet1
L       192.168.1.93/32 is directly connected, GigabitEthernet1
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
D       192.168.10.0/24 [90/25856000] via 192.168.10.1, 00:56:29, Tunnel1
S       192.168.10.1/32 is directly connected, Tunnel1 # static route received from HUB
192.168.100.0/32 is subnetted, 1 subnets
D       192.168.100.1 [90/25856000] via 192.168.10.1, 00:56:29, Tunnel1
200.1.1.0/24 is variably subnetted, 2 subnets, 2 masks
C       200.1.1.0/24 is directly connected, GigabitEthernet3
L       200.1.1.3/32 is directly connected, GigabitEthernet3

2 thoughts on “Site-to-Site FlexVPN Lab 3: Hub-to-Spoke with Virtual Template Interface (VTI)”

  1. I was trying to configure a hub and spoke lab but without success. Then I found your guide and I made it. The reason why it didn't work was because I didn't issue the command
    crypto ikev2 client flexvpn FLEX_CLIENT
    peer 1 209.145.81.214
    client connect Tunnel1

    I can't thank you enough!!!

    Keep up the good work.

    Tom

