07-24-2014 02:40 AM - edited 02-21-2020 07:44 PM
Hello!
I'm trying to create a FlexVPN hub-spoke in a test environment.
Here is my hub config:
crypto ikev2 authorization policy default
 pool flex-pool
 route set interface
!
!
!
crypto ikev2 keyring ikev2-kr
 peer spoke
  address 0.0.0.0 0.0.0.0
  pre-shared-key local cisco
  pre-shared-key remote cisco
!
crypto ikev2 profile default
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local ikev2-kr
 aaa authorization group psk list default default
 virtual-template 1
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.255
interface GigabitEthernet1.9
 encapsulation dot1Q 9
 ip address 192.168.42.150 255.255.255.0
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel protection ipsec profile default
!
!
ip local pool flex-pool 172.16.0.1 172.16.0.254
Spoke config:
crypto ikev2 keyring ikev2-kr
 peer spoke
  address 0.0.0.0 0.0.0.0
  pre-shared-key local cisco
  pre-shared-key remote cisco
!
!
!
crypto ikev2 profile default
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local ikev2-kr
 aaa authorization group psk list default default
 virtual-template 1
!
interface Loopback0
 ip address 172.16.1.2 255.255.255.255
!
interface Tunnel0
 ip address negotiated
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 tunnel source GigabitEthernet1.9
 tunnel destination 192.168.42.150
 tunnel protection ipsec profile default
interface GigabitEthernet1.9
 encapsulation dot1Q 9
 ip address 192.168.42.151 255.255.255.0
interface Virtual-Template1 type tunnel
 ip unnumbered Tunnel0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 tunnel protection ipsec profile default
!
IKE works:
spoke#sh crypto ikev2 sa
 IPv4 Crypto IKEv2 SA

Tunnel-id  Local                Remote               fvrf/ivrf  Status
1          192.168.42.151/500   192.168.42.150/500   none/none  READY
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/2238 sec

 IPv6 Crypto IKEv2 SA
But NHRP does not. On the spoke I got:
Jul 24 09:02:13.431: NHRP: Unable to send Registration - no NHSes configured
But I don't see in any examples that NHS should be configured in FlexVPN.
Could you tell me what is wrong in my config?
Thank you!
11-17-2014 04:16 AM
Alexsandro,
I do not think we have any docs showing direct spoke to spoke with "tunnel mode ipsec ipvX".
Obviously NHRP will not work over VTI since it's an L2 protocol and VTI implies L3 (IPv4 or IPv6).
Also, "tunnel mode gre X" implies this is NOT a VTI config.
M.