Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
852
Views
0
Helpful
1
Replies

FLEXVPN SETUP

Maurice Ball
Level 3
Level 3

‎04-20-2014 04:09 PM - edited ‎02-21-2020 07:36 PM

Could someone please tell me how to configure the following configs to use static routes to route traffic between sites using the vpn tunnel? Listed below is the site to site configuration for the Flexvpn setup. The configs below will route traffic between sites, when using a dynamic routing protocol but if the dynamic routing protocol is removed and static routes are added to the configuration, traffic will not route between sites through the vpn  tunnel. The attachment is a picture of  the topology that is being used and the initial router configs.

  

Server Side

Interface loopback 10

ip address 192.168.1.1 255.255.255.0

no shut

Exit

Inter virtual-template 1 type tunnel

ip unnumbered loopback 10

Tunnel source  F0/0

Tunnel mode ipsec ipv4

 

Crypto ikev2 proposal PROP_1

Integrity md5

Group 2

Encryption 3des

 

Crypto ikev2 policy POL_1

proposal PROP_1

 

Crypto ikev2 keyring KR_1

Peer R2

    Address 192.1.23.1

    Pre-shared-key cisco

 

Crypto ikev2 profile PROF_1

match identity remote address 192.1.23.1 255.255.255.255

authentication local pre-share

authentication remote pre-share

keyring local KR_1

virtual-template 1

 

 Crypto ipsec transform-set ABC esp-3des esp-md5

 

Crypto ipsec profile ABC

  set transform-set ABC

 set ikev2-profile PROF_1

 

Interface virtual-template 1

Tunnel protection ipsec profile ABC

 

Router eigrp 100

no auto

net 192.168.1.0

net 10.0.0.0

 

Spoke Side

 

Crypto ikev2 proposal PROP_1

Integrity md5

Group 2

Encryption 3des

 

Crypto ikev2 policy POL_1

proposal PROP_1

 

Crypto ikev2 keyring KR_1

Peer FlexSrv       

    Address 192.1.13.1

    Pre-shared-key cisco

 

Crypto ikev2 profile PROF_1

match identity remote address 192.1.13.1 255.255.255.255

authentication local pre-share

authentication remote pre-share

keyring local KR_1

 

 Crypto ipsec transform-set ABC esp-3des esp-md5

 

Crypto ipsec profile ABC

  set transform-set ABC

 set ikev2-profile PROF_1

 

Interface tunnel 1

Ip address 192.168.1.2 255.255.255.0

Tunnel source f0/1

Tunnel destination 192.1.13.1

Tunnel mode ipsec ipv4

Tunnel protection ipsec profile ABC

 

 

Router eigrp 100

no auto

net 192.168.1.0

net 10.0.0.0

 

Labels:
Preview file
85 KB
0 Helpful
1 Reply 1

Graham Bartlett
Cisco Employee
Cisco Employee

‎06-02-2014 04:16 AM

Hi Maurice

You can use mode config to send prefixes so that when the VPN is established a route is installed into the RIB.

Check the following config guide for aaa authorization and the route-set command.

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/xe-3s/sec-flex-vpn-xe-3s-book/sec-cfg-flex-serv.html#GUID-BAAF31B7-0941-418E-A867-8E6750F1DB03

This is an example that uses the technology.

 

http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115782-flexvpn-site-to-site-00.html

 

Please let us know how you get on.

 

many thanks

0 Helpful
Customers Also Viewed These Support Documents