Site-to-Site FlexVPN Lab 4: Spoke-to-Spoke with NHRP and VTI

Lab Introduction

This lab is the final post in my site-to-site FlexVPN series. I may write up AnyConnect FlexVPN later, depending on my time (as we all know, documentation takes time…).

In addition to the Lab 3 configuration, this lab adds dynamic tunnels between SPOKEs using NHRP.

LAB 3: Created a HUB-SPOKE tunnel using a virtual template interface (VTI) on the HUB with IKEv2 encryption, and achieved HUB-SPOKE communication as a result. Please refer to Site-to-Site FlexVPN Lab 3: Hub-to-Spoke with Virtual Template Interface (VTI).

LAB 4: Create dynamic tunnels between SPOKEs using NHRP and an additional VTI on each SPOKE (the dotted-line tunnel in the topology chart) with IKEv2 encryption, and achieve SPOKE-SPOKE communication as a result.

  • This lab adopts mixed RSA and PSK authentication, as in the previous labs
  • The HUB functions as Certificate Authority. SPOKE1 and SPOKE2 request and receive certificates from the HUB
  • External NTP server
  • An IP pool is created on the HUB. Each SPOKE negotiates with the HUB to obtain its assigned tunnel IP address.

The topology is shown below. The verification section is at the end of the lab.
[Topology diagram: FLEXVPN_SITE_Dynamic_2]

Interface Configuration

CSR-HUB
GigabitEthernet1       192.168.1.91 (mgmt)
GigabitEthernet2       200.1.1.1
Loopback0             192.168.10.1

CSR-SPOKE1
GigabitEthernet1       192.168.1.93 (mgmt)
GigabitEthernet3       200.1.1.3

CSR-SPOKE2
GigabitEthernet1       192.168.1.94 (mgmt)
GigabitEthernet3       200.1.1.4

FlexVPN SPOKE to SPOKE Configuration Rationale

NHRP is used in DMVPN to let traffic flow directly between SPOKEs without a detour through the HUB. FlexVPN also adopts NHRP to realise SPOKE-to-SPOKE communication. The key points for configuring NHRP in FlexVPN, where it differs from DMVPN, are:

  • No NHS needs to be configured; the SPOKE uses the previously configured HUB-SPOKE tunnel to register with the HUB. Although the log may contain errors saying that no NHS is found, it is safe to ignore them. I came across this error message, and it turned out to be a message bug.
  • Configure ‘ip nhrp network-id’ and ‘ip nhrp redirect’ on the HUB, the same as in DMVPN
  • Configure ‘ip nhrp network-id’ and ‘ip nhrp shortcut’ on the SPOKE, the same as in DMVPN
  • Configure a VTI on each SPOKE (the dotted-line tunnel in the topology chart) to establish the dynamic tunnel between SPOKEs. This is the critical step in the FlexVPN SPOKE-to-SPOKE configuration.

In addition, I made a human error in LAB 3 on purpose to demonstrate the importance of verification. If that configuration error is not corrected, SPOKE-to-SPOKE communication will not work in this lab, even though it didn’t affect the Lab 3 result. Therefore, please read LAB 3 carefully before LAB 4.

The following is configured in addition to the LAB 3 configuration.

CSR-HUB Additional Configuration

interface Virtual-Template1 type tunnel
#The type must be specified when the virtual template is created; the default type is ‘serial’. Once the VT is defined, ‘int virtual-tem 1’ is sufficient to enter the interface and configure it.
ip nhrp network-id 1
ip nhrp redirect
#Since virtual-template 1 is in use (LAB 3: HUB-SPOKE), the template is locked and cannot be modified. There are two approaches we can take; either will work.
1) Shut down the tunnel interface on the SPOKE; then execute ‘clear crypto session ikev2’ on the HUB; modify the virtual-template on the HUB; finally, no shut the tunnel interface on the SPOKE.
2) On the HUB, remove ‘virtual-template 1’ from the IKEv2 profile first; then execute ‘clear crypto session ikev2’ on the HUB; modify virtual-template 1 on the HUB; finally, add ‘virtual-template 1’ back to the IKEv2 profile on the HUB.

CSR-SPOKE1 Additional Configuration

interface Virtual-Template1 type tunnel
ip unnumbered tunnel1
#In LAB 3, Tunnel1 was configured as an unnumbered interface, so Virtual-Template1 cannot in turn use Tunnel1 as its referenced interface. In LAB 4 I created an IP pool on the HUB, and the SPOKE negotiates with the HUB to obtain the Tunnel1 interface IP. Tunnel1 therefore has a real IP address of its own instead of borrowing another interface’s, and Virtual-Template1 refers to the Tunnel1 IP.
ip nhrp network-id 1
ip nhrp shortcut virtual-template 1
tunnel source g3
tunnel protection ipsec profile default
!
interface Tunnel1
ip nhrp network-id 1
ip nhrp shortcut virtual-template 1
!
crypto ikev2 keyring mykeys
peer SPOKE
address 200.1.1.0 255.255.255.0
pre-shared-key Cisco123
!
crypto ikev2 profile FLEXVPN_Dynamic
match identity remote address 200.1.1.4
virtual-template 1

CSR-SPOKE2 Additional Configuration

interface Virtual-Template1 type tunnel
ip unnumbered tunnel1
ip nhrp network-id 1
ip nhrp shortcut virtual-template 1
tunnel source g3
tunnel protection ipsec profile default
!
interface Tunnel1
ip nhrp network-id 1
ip nhrp shortcut virtual-template 1
!
crypto ikev2 keyring mykeys
peer SPOKE
address 200.1.1.0 255.255.255.0
pre-shared-key Cisco123
!
crypto ikev2 profile FLEXVPN_Dynamic
match identity remote address 200.1.1.3
virtual-template 1
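As an added offline check (example code, not part of the original lab), the script below parses IOS running-config text and verifies the SPOKE-to-SPOKE prerequisites listed above: every Virtual-Template is declared ‘type tunnel’ and carries an NHRP network-id, tunnel source and tunnel protection; the HUB template has ‘ip nhrp redirect’; ‘ip nhrp shortcut virtual-template N’ and the IKEv2 profile point at a real tunnel template; and a template never borrows its address from an interface that is itself unnumbered (the Lab 3 pitfall). Both sample configs are constructed: the first mirrors the SPOKE1 additions, the second re-introduces the Lab 3 unnumbered Tunnel1 and a template created without its type.

```python
import re

# Section headers this lint cares about. Indentation is ignored on purpose:
# configs pasted into a page (as here) usually lose it.
SECTION_RE = re.compile(r"^(interface \S+.*|crypto ikev2 profile \S+)$")
VT_RE = re.compile(r"^interface virtual-template(\d+)(?: type (\S+))?$")

def parse_sections(config):
    """Split IOS config text into {header: [child lines]}, all lowercased.
    A section runs from its header to the next '!' or the next header."""
    sections, current = {}, None
    for raw in config.splitlines():
        line = " ".join(raw.split()).lower()        # trim and collapse spaces
        if not line or line.startswith("#"):        # blanks and page comments
            continue
        if line == "!":
            current = None
        elif SECTION_RE.match(line):
            current, sections[line] = line, []
        elif current is not None:
            sections[current].append(line)
    return sections

def has(lines, prefix):
    return any(l.startswith(prefix) for l in lines)

def check_flexvpn(config, role):
    """Lint one router ('hub' or 'spoke') for the spoke-to-spoke prerequisites
    the lab lists. Returns a list of findings; an empty list means pass."""
    f, sec = [], parse_sections(config)
    ifaces = {h.split()[1]: l for h, l in sec.items() if h.startswith("interface ")}
    vts = {int(m.group(1)): (m.group(2), l)          # template number -> (type, lines)
           for h, l in sec.items() for m in [VT_RE.match(h)] if m}
    for n, (vtype, lines) in vts.items():
        name = f"virtual-template{n}"
        if vtype != "tunnel":                       # default template type is serial
            f.append(f"{name}: missing 'type tunnel'")
        for need in ("ip nhrp network-id", "tunnel source", "tunnel protection ipsec profile"):
            if not has(lines, need):
                f.append(f"{name}: missing '{need}'")
        if not (has(lines, "ip unnumbered") or has(lines, "ip address")):
            f.append(f"{name}: no address and no 'ip unnumbered'")
        if role == "hub" and "ip nhrp redirect" not in lines:
            f.append(f"{name}: hub template needs 'ip nhrp redirect'")
        for l in lines:                             # cannot borrow from an unnumbered interface
            ref = l.split()[2] if l.startswith("ip unnumbered ") else None
            if ref and has(ifaces.get(ref, []), "ip unnumbered"):
                f.append(f"{name}: 'ip unnumbered {ref}' but {ref} is itself unnumbered")
    shortcuts = 0
    for iname, lines in ifaces.items():
        for m in filter(None, (re.match(r"ip nhrp shortcut virtual-template (\d+)", l) for l in lines)):
            shortcuts += 1
            t = int(m.group(1))
            if vts.get(t, (None,))[0] != "tunnel":
                f.append(f"{iname}: shortcut points at virtual-template{t}, "
                         "which is not a 'type tunnel' template")
    if role == "spoke" and not shortcuts:
        f.append("spoke has no 'ip nhrp shortcut virtual-template' on any interface")
    for h, lines in sec.items():
        if h.startswith("crypto ikev2 profile "):
            for m in filter(None, (re.match(r"virtual-template (\d+)", l) for l in lines)):
                if vts.get(int(m.group(1)), (None,))[0] != "tunnel":
                    f.append(f"{h}: references virtual-template{m.group(1)}, "
                             "which is not a 'type tunnel' template")
    return f

# Constructed sample mirroring the SPOKE1 additions above (negotiated Tunnel1 address).
SPOKE_OK = """
interface Tunnel1
ip address negotiated
ip nhrp network-id 1
ip nhrp shortcut virtual-template 1
tunnel source GigabitEthernet3
tunnel protection ipsec profile default
!
interface Virtual-Template1 type tunnel
ip unnumbered Tunnel1
ip nhrp network-id 1
ip nhrp shortcut virtual-template 1
tunnel source GigabitEthernet3
tunnel protection ipsec profile default
!
crypto ikev2 profile FLEXVPN_Dynamic
virtual-template 1
"""
# Constructed bad sample: Lab 3 style unnumbered Tunnel1 plus a template without its type.
SPOKE_BAD = (SPOKE_OK.replace("ip address negotiated", "ip unnumbered Loopback0")
             .replace("interface Virtual-Template1 type tunnel", "interface Virtual-Template1"))
```

Run check_flexvpn(text, "spoke") or check_flexvpn(text, "hub") on the pasted output of ‘show run’; each finding names the interface or profile and the line it is missing.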

CSR-HUB Complete Configuration

CSR-HUB1#sh run
Building configuration...
Current configuration : 6247 bytes
!
! Last configuration change at 09:18:01 UTC Mon Feb 1 2016
! NVRAM config last updated at 09:28:14 UTC Mon Feb 1 2016
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console auto
!
hostname CSR-HUB1
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
aaa new-model
!
aaa authorization network ike_list local
!
aaa session-id common
!
ip domain name mengmeng.com
!
subscriber templating
!
multilink bundle-name authenticated
!
crypto pki server CA
no database archive
grant auto
eku server-auth client-auth
!
crypto pki trustpoint S2S-CA
enrollment url http://192.168.1.91:80
revocation-check none
!
crypto pki trustpoint CA
revocation-check crl
rsakeypair CA
!
crypto pki certificate chain S2S-CA
certificate 02
quit
certificate ca 01
quit
crypto pki certificate chain CA
certificate ca 01
quit
!
license udi pid CSR1000V sn 9DLA9F8BQTG
!
spanning-tree extend system-id
!
username admin privilege 15 secret 5 $1$jOdf$LZHyt.nQTLjm5BYpz1731/
!
redundancy
crypto ikev2 authorization policy default
pool flex-pool
def-domain mengmeng.com
route set interface
route set access-list flex-route
!
crypto ikev2 keyring mykeys
peer SPOKE
address 200.1.1.0 255.255.255.0
pre-shared-key Cisco123
!
crypto ikev2 profile FLEXVPN-Dynamic
match identity remote address 200.1.1.0 255.255.255.0
authentication remote pre-share
authentication local rsa-sig
keyring local mykeys
pki trustpoint S2S-CA
dpd 60 2 on-demand
aaa authorization group psk list ike_list default
aaa authorization group cert list ike_list default
virtual-template 1
!
crypto ipsec profile default
set ikev2-profile FLEXVPN-Dynamic
!
interface Loopback0
ip address 192.168.10.1 255.255.255.255
!
interface GigabitEthernet1
ip address 192.168.1.91 255.255.255.0
negotiation auto
!
interface GigabitEthernet2
ip address 200.1.1.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet3
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet4
no ip address
shutdown
negotiation auto
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
ip nhrp network-id 1
ip nhrp redirect
tunnel source GigabitEthernet2
tunnel protection ipsec profile default
!
virtual-service csr_mgmt
!
ip local pool flex-pool 172.16.0.1 172.16.0.254
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip access-list standard flex-route
permit any
!
control-plane
!
line con 0
stopbits 1
line vty 0 4
password cisco
!
ntp source GigabitEthernet1
ntp server 192.168.1.8
!
end

CSR-SPOKE1 Complete Configuration

CSR-SPOKE1#show run
Building configuration...
Current configuration : 5194 bytes
!
! Last configuration change at 09:53:53 UTC Mon Feb 1 2016 by admin
! NVRAM config last updated at 09:28:11 UTC Mon Feb 1 2016
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console auto
!
hostname CSR-SPOKE1
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
aaa new-model
!
aaa authorization network ike_list local
!
aaa session-id common
!
ip domain name mengmeng.com
!
subscriber templating
!
multilink bundle-name authenticated
!
crypto pki trustpoint S2S-CA
enrollment url http://192.168.1.91:80
revocation-check none
!
crypto pki certificate chain S2S-CA
certificate 03
quit
certificate ca 01
quit
!
license udi pid CSR1000V sn 9C1LX6VGAN8
!
spanning-tree extend system-id
!
username admin privilege 15 secret 5 $1$XNVD$qkvBYEKUIkVS02ZZHBzSR0
!
redundancy
crypto ikev2 authorization policy default
route set interface
route set access-list flex_route
!
crypto ikev2 keyring mykeys
peer SPOKE
address 200.1.1.0 255.255.255.0
pre-shared-key Cisco123
!
crypto ikev2 profile FLEXVPN_Dynamic
match identity remote address 200.1.1.1 255.255.255.255
match identity remote address 200.1.1.4 255.255.255.255
authentication remote pre-share
authentication remote rsa-sig
authentication local pre-share
keyring local mykeys
pki trustpoint S2S-CA
dpd 60 2 on-demand
aaa authorization group psk list ike_list default
aaa authorization group cert list ike_list default
virtual-template 1
!
crypto ikev2 client flexvpn FLEXVPN_CLIENT
peer 1 200.1.1.1
client connect Tunnel1
!
crypto ipsec profile default
set ikev2-profile FLEXVPN_Dynamic
!
interface Loopback0
ip address 172.16.1.11 255.255.255.255
!
interface Tunnel1
ip address negotiated
ip nhrp network-id 1
ip nhrp shortcut virtual-template 1
tunnel source GigabitEthernet3
tunnel destination dynamic
tunnel protection ipsec profile default
!
interface GigabitEthernet1
ip address 192.168.1.93 255.255.255.0
negotiation auto
!
interface GigabitEthernet2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet3
ip address 200.1.1.3 255.255.255.0
negotiation auto
!
interface GigabitEthernet4
no ip address
shutdown
negotiation auto
!
interface Virtual-Template1 type tunnel
ip unnumbered Tunnel1
ip nhrp network-id 1
ip nhrp shortcut virtual-template 1
tunnel source GigabitEthernet3
tunnel protection ipsec profile default
!
virtual-service csr_mgmt
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip ssh version 1
!
ip access-list standard flex_route
permit 172.16.1.0 0.0.0.255
!
control-plane
!
line con 0
stopbits 1
line vty 0 4
password cisco
!
ntp source GigabitEthernet1
ntp server 192.168.1.8
!
end

CSR-SPOKE2 Complete Configuration

CSR-SPOKE2#show run
Building configuration...
Current configuration : 5241 bytes
! Last configuration change at 10:03:49 UTC Mon Feb 1 2016 by admin
! NVRAM config last updated at 09:28:17 UTC Mon Feb 1 2016
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console auto
!
hostname CSR-SPOKE2
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
aaa new-model
!
aaa authorization network ike_list local
!
aaa session-id common
!
ip domain name mengmeng.com
!
subscriber templating
!
multilink bundle-name authenticated
!
crypto pki trustpoint S2S-CA
enrollment url http://192.168.1.91:80
revocation-check none
!
crypto pki certificate chain S2S-CA
certificate 04
quit
certificate ca 01
quit
!
license udi pid CSR1000V sn 9VCQA11QETT
!
spanning-tree extend system-id
!
username admin privilege 15 secret 5 $1$NQEe$duGHoSnjS/I22EGK9EFiJ0
!
redundancy
crypto ikev2 authorization policy default
route set interface
route set access-list flex_route
!
crypto ikev2 keyring mykeys
peer SPOKE
address 200.1.1.0 255.255.255.0
pre-shared-key Cisco123
!
crypto ikev2 profile FLEXVPN_Dynamic
match identity remote address 200.1.1.1 255.255.255.255
match identity remote address 200.1.1.3 255.255.255.255
authentication remote pre-share
authentication remote rsa-sig
authentication local pre-share
keyring local mykeys
pki trustpoint S2S-CA
dpd 60 2 on-demand
aaa authorization group psk list ike_list default
aaa authorization group cert list ike_list default
virtual-template 2
!
crypto ikev2 client flexvpn FLEXVPN_CLIENT
peer 1 200.1.1.1
client connect Tunnel1
!
crypto ipsec profile default
set ikev2-profile FLEXVPN_Dynamic
!
interface Loopback0
ip address 172.16.200.22 255.255.255.255
!
interface Tunnel1
ip address negotiated
ip nhrp network-id 1
ip nhrp shortcut virtual-template 1
tunnel source GigabitEthernet3
tunnel destination dynamic
tunnel protection ipsec profile default
!
interface GigabitEthernet1
ip address 192.168.1.94 255.255.255.0
negotiation auto
!
interface GigabitEthernet2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet3
ip address 200.1.1.4 255.255.255.0
negotiation auto
!
interface GigabitEthernet4
no ip address
shutdown
negotiation auto
!
interface Virtual-Template1
no ip address
!
interface Virtual-Template2 type tunnel
ip unnumbered Tunnel1
ip nhrp network-id 1
ip nhrp shortcut virtual-template 2
tunnel source GigabitEthernet3
tunnel protection ipsec profile default
!
virtual-service csr_mgmt
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip ssh version 1
!
ip access-list standard flex_route
permit 172.16.2.0 0.0.0.255
!
control-plane
!
line con 0
stopbits 1
line vty 0 4
password cisco
!
ntp source GigabitEthernet1
ntp server 192.168.1.8
!
end

Verification

If the tunnel does not negotiate up but the configuration looks right, it can usually be fixed by shutting and no-shutting the tunnel interface and executing ‘clear crypto session ikev2’.

CSR-SPOKE1#show crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA
Tunnel-id Local                 Remote               fvrf/ivrf           Status
1         200.1.1.3/500         200.1.1.1/500         none/none           READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: RSA
Life/Active Time: 86400/4223 sec
CE id: 1009, Session-id: 9
Status Description: Negotiation done
Local spi: C8200BA7E6E8FB0D       Remote spi: 2B58489790D67AF1
Local id: 200.1.1.3
Remote id: 200.1.1.1
Local req msg id: 5             Remote req msg id: 1
Local next msg id: 5             Remote next msg id: 1
Local req queued: 5             Remote req queued: 1
Local window:     5             Remote window:     5
DPD configured for 60 seconds, retry 2
Fragmentation not configured.
Extended Authentication not configured.
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : Yes
Pushed IP address: 172.16.0.18
Default Domain: mengmeng.com
Remote subnets:
192.168.10.1 255.255.255.255 #Interface IP advertised by the HUB via the authorization policy
0.0.0.0 0.0.0.0 #Default route advertised by the HUB via the authorization policy. Compare this ‘show’ output with Lab 3
Tunnel-id Local                 Remote               fvrf/ivrf           Status
2         200.1.1.3/500         200.1.1.4/500         none/none           READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/3794 sec
CE id: 1010, Session-id: 10
Status Description: Negotiation done
Local spi: D1F3A0345EE93D5C       Remote spi: F7D0787CD2BF1D3F
Local id: 200.1.1.3
Remote id: 200.1.1.4
Local req msg id: 3             Remote req msg id: 3
Local next msg id: 3             Remote next msg id: 3
Local req queued: 3             Remote req queued: 3
Local window:     5             Remote window:     5
DPD configured for 60 seconds, retry 2
Fragmentation not configured.
Extended Authentication not configured.
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : Yes
Remote subnets:
172.16.0.20 255.255.255.255 #Interface IP advertised by SPOKE2 via the authorization policy
172.16.2.0 255.255.255.0 #Static route advertised by SPOKE2 via the authorization policy
CSR-SPOKE1# show ip route static
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S*   0.0.0.0/0 is directly connected, Tunnel1
172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
S   %   172.16.0.20/32 is directly connected, Virtual-Access1
S       172.16.2.0/24 is directly connected, Virtual-Access1
192.168.10.0/32 is subnetted, 1 subnets
S       192.168.10.1 is directly connected, Tunnel1
CSR-SPOKE1#show ip int br
Interface             IP-Address     OK? Method Status               Protocol
GigabitEthernet1       192.168.1.93   YES manual up                   up
GigabitEthernet2       unassigned     YES NVRAM administratively down down
GigabitEthernet3       200.1.1.3       YES manual up                   up
GigabitEthernet4       unassigned     YES NVRAM administratively down down
Loopback0             172.16.1.11     YES manual up                   up
Tunnel1               172.16.0.18     YES manual up                   up
Virtual-Access1       172.16.0.18     YES unset up                   up
Virtual-Template1     172.16.0.18     YES unset up                   down
CSR-SPOKE1#ping 172.16.0.20 so 172.16.0.18
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.20, timeout is 2 seconds:
Packet sent with a source address of 172.16.0.18
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/11/19 ms
CSR-SPOKE1# show ip nhrp
#‘show ip nhrp’ returns no result on the HUB. Run it on a SPOKE.
172.16.0.18/32 via 172.16.0.18
Virtual-Access1 created 01:12:48, expire 00:47:11
Type: dynamic, Flags: router unique local
NBMA address: 200.1.1.3
(no-socket)
172.16.0.20/32 via 172.16.0.20
Virtual-Access1 created 01:12:48, expire 00:47:14
Type: dynamic, Flags: router nhop rib nho
NBMA address: 200.1.1.4
CSR-SPOKE1#show crypto ipsec sa | section Crypto | #pkts
Crypto map tag: Tunnel1-head-0, local addr 200.1.1.3
#pkts encaps: 663, #pkts encrypt: 663, #pkts digest: 663
#pkts decaps: 660, #pkts decrypt: 660, #pkts verify: 660
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
   Crypto map tag: Virtual-Access1-head-0, local addr 200.1.1.3
#pkts encaps: 28, #pkts encrypt: 28, #pkts digest: 28
#pkts decaps: 28, #pkts decrypt: 28, #pkts verify: 28
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
CSR-SPOKE1# show crypto map
Interfaces using crypto map NiStTeSt1:
Crypto Map: "Tunnel1-head-0" IKEv2 profile: FLEXVPN_Dynamic
Crypto Map IPv4 "Tunnel1-head-0" 65536 ipsec-isakmp
IKEv2 Profile: FLEXVPN_Dynamic
Profile name: default
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
default: { esp-aes esp-sha-hmac } ,
}
Crypto Map IPv4 "Tunnel1-head-0" 65537 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 200.1.1.1
IKEv2 Profile: FLEXVPN_Dynamic
Extended IP access list
access-list permit gre host 200.1.1.3 host 200.1.1.1
Current peer: 200.1.1.1
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
default: { esp-aes esp-sha-hmac } ,
}
Always create SAs
Interfaces using crypto map Tunnel1-head-0:
Tunnel1
Crypto Map: "Virtual-Access1-head-0" IKEv2 profile: FLEXVPN_Dynamic
Crypto Map IPv4 "Virtual-Access1-head-0" 65536 ipsec-isakmp
IKEv2 Profile: FLEXVPN_Dynamic
Profile name: default
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
default: { esp-aes esp-sha-hmac } ,
}
Crypto Map IPv4 "Virtual-Access1-head-0" 65537 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 200.1.1.4
IKEv2 Profile: FLEXVPN_Dynamic
Extended IP access list
access-list permit gre host 200.1.1.3 host 200.1.1.4
Current peer: 200.1.1.4
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
default: { esp-aes esp-sha-hmac } ,
}
Interfaces using crypto map Virtual-Access1-head-0:
Virtual-Access1
Crypto Map: "Virtual-Template1-head-0" IKEv2 profile: FLEXVPN_Dynamic
Crypto Map IPv4 "Virtual-Template1-head-0" 65536 ipsec-isakmp
IKEv2 Profile: FLEXVPN_Dynamic
Profile name: default
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
default: { esp-aes esp-sha-hmac } ,
}
Interfaces using crypto map Virtual-Template1-head-0: