Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3512
Views
5
Helpful
15
Replies

flexvpn, hub-spoke, NHRP: Unable to send Registration - no NHSes configured

dm
Level 1
Level 1

‎07-24-2014 02:40 AM - edited ‎02-21-2020 07:44 PM

Hello!

I'm trying to create flexvpn hub-spoke in test enviroment.

 

Here is my hub config:

 

 

Jul 24 09:02:13.431: NHRP: Unable to send Registration - no NHSes configured

crypto ikev2 authorization policy default
 pool flex-pool
 route set interface
!
!
!
crypto ikev2 keyring ikev2-kr
 peer spoke
  address 0.0.0.0 0.0.0.0
  pre-shared-key local cisco
  pre-shared-key remote cisco
 !

crypto ikev2 profile default
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local ikev2-kr
 aaa authorization group psk list default default
 virtual-template 1
!

interface Loopback0
 ip address 172.16.1.1 255.255.255.255


 

interface GigabitEthernet1.9
 encapsulation dot1Q 9
 ip address 192.168.42.150 255.255.255.0
!


 

interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel protection ipsec profile default
!
!

ip local pool flex-pool 172.16.0.1 172.16.0.254

 

Spoke config:

 

crypto ikev2 keyring ikev2-kr
 peer spoke
  address 0.0.0.0 0.0.0.0
  pre-shared-key local cisco
  pre-shared-key remote cisco
 !
!
!

 

crypto ikev2 profile default
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local ikev2-kr
 aaa authorization group psk list default default
 virtual-template 1
!

interface Loopback0
 ip address 172.16.1.2 255.255.255.255
!
interface Tunnel0
 ip address negotiated
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 tunnel source GigabitEthernet1.9
 tunnel destination 192.168.42.150
 tunnel protection ipsec profile default

interface GigabitEthernet1.9
 encapsulation dot1Q 9
 ip address 192.168.42.151 255.255.255.0

interface Virtual-Template1 type tunnel
 ip unnumbered Tunnel0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 tunnel protection ipsec profile default
!

 

 

IKE works:

 

spoke#sh crypto ikev2 sa
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         192.168.42.151/500    192.168.42.150/500    none/none            READY  
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/2238 sec

 IPv6 Crypto IKEv2  SA

 

 

but not NHRP, I got on spoke:

Jul 24 09:02:13.431: NHRP: Unable to send Registration - no NHSes configured

 

 

But I don't see in any examples that NHS should be configured in FlexVPN.

 

Could you tell me what is wrong in my config?

 

Thank you!

 

Labels:
0 Helpful
15 Replies 15

Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to Alexsandro Reimann

‎11-17-2014 04:16 AM

Alexsandro, 

I do not think we have any docs showing direct spoke to spoke with "tunnel model ipsec ipvX". 

Obviously NHRP will not work over VTI since it's a L2 protocol and VTI implies L3 (IPv4 or IPv6). 

Also tunnel mode gre X implies this is NOT VTI config. 

M.

 

0 Helpful
Customers Also Viewed These Support Documents