THE FASCINATING WORLD OF NETWORKING
FlexVPN Dual Hub using PSK - Configuring High Availability
Date: 14-12-2016
About this Lab
I was thinking about the best way to achieve high availability in a small topology using standard GNS3. I didn't see any example like this on the Internet. I'm sure this isn't the best solution, so if you think it is not a good solution for you, use other features. Later, I'll give you some links.
GRE/IP vs IPSEC/IP
The main difference is that IPSEC/IP only supports IP (unicast and multicast), while GRE also supports other protocols. VTIs were also not available on all platforms when they were first introduced.

GRE/IP is the default encapsulation mode for a tunnel or virtual-template interface:
HUB#show interfaces virtual-template 1
Tunnel protocol/transport GRE/IP
By definition, an IPsec VTI (virtual tunnel interface) uses tunnel mode ipsec ipv4 (or ipv6) on both the virtual template and the tunnel interface. Remember, mode tunnel is a must for the transform set in this case. Be careful with this, because I watched some learning videos using 'mode transport' for this configuration. With tunnel mode ipsec ipv4, the same command shows:
HUB#show interfaces virtual-template 1
Tunnel protocol/transport IPSEC/IP
NOTE On GNS3, LAN-to-LAN connectivity between spokes fails when using IPsec IPv4 for tunnel encapsulation. I think this is a bug in GNS3 or in the 7200 router. Remember, IKEv2 is not supported on this router (at least, this is what Cisco says). But using GRE over IPsec this works fine (replacing tunnel mode ipsec ipv4 with tunnel mode gre ip on the hub and spokes). I tested L2L connectivity using IPsec DVTI with IKEv1 and it worked fine.

IMPORTANT As Cisco says, the Cisco 7200 doesn't fully support IKEv2 configuration. Nonetheless, you can configure FlexVPN DVTI using tunnel mode gre ip instead of tunnel mode ipsec ipv4 on GNS3 with 7200 routers.
I tested this topology using csr1000v (on GNS3 1.3.11) instead of Cisco 7200 routers and tunnel mode ipsec ipv4, and everything works fine.
Spokes can ping each other in the DVTI VPN setup!
In this lab I'll configure GRE over IPsec, but if you want to implement IPsec DVTI, use tunnel mode ipsec ipv4 for the virtual-template and tunnel interfaces. I won't configure this, so the default tunnel mode, GRE/IP, applies. GRE over IPsec has more overhead than IPsec VTI.
Topology
IOS = c7200-adventerprisek9-mz.152-4.S5.image
R5 simulates a PC; LAN on R2 and R3 are simulated using loopback 0 interfaces.
NOTE For the sake of simplicity, the Internet is simulated by an Ethernet switch.

I will use PSK as the authentication method and GRE over IPsec for tunnel encapsulation. Cisco recommends the use of certificates whenever applicable.

I will use a pushing policy inside the IKEv2 SAs to send IP addresses to the spokes' tunnel interfaces. In this case, I will configure local AAA, but you can use an external Remote Authentication Dial-In User Service (RADIUS) server.
Routing Protocol
Here there is no primary connection for the VPN: only one hub router works as the FlexVPN server, and the other works as a backup (redundancy, but no load sharing). So I will use EIGRP on the tunnels and virtual templates, and to advertise the LANs from these routers. I will set a delay of 1000 on R1's virtual-template interface and 2000 on R4's, to guarantee that R2 and R3 establish adjacencies with the same VPN router. Under normal circumstances (R1 boots first), R1 works as the FlexVPN server and symmetric routing is guaranteed.

NOTE You can also use a pushing policy for routing and avoid the use of a dynamic routing protocol.
Load Sharing with HSRP
In order to utilize both paths from the host network to the server network, you can configure Multigroup HSRP (MHSRP) between R1 and R4. Essentially, R1 is configured with two HSRP groups (for example, group 1 and group 2) and R4 is configured with the same two groups. For group 1, R1 is the active router and R4 is the standby router. For group 2, R4 is the active router and R1 is the standby router. Then you configure half of the hosts' default gateways with the HSRP group 1 virtual IP address, and the other half with the HSRP group 2 virtual IP address.

Regarding the tunnel connections, some spokes connect to R1 and others to R4.

NOTE In this scenario, symmetric routing is much more complicated.

For high availability you can use Reverse Route Injection (RRI) and HSRP with IPsec. See: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/17826-ipsec-feat.html

Reverse Route Injection (RRI) simplifies network design for Virtual Private Networks (VPNs) in which there is a requirement for redundancy or load balancing. RRI works with both dynamic and static crypto maps.

Another example: http://www.cisco.com/c/en/us/support/docs/security/flexvpn/118888-configure-flexvpn-00.html
Dead Peer Detection in IKEv2
GRE tunnels are designed to be completely stateless. This means that each tunnel endpoint does not keep any information about the state or availability of the remote tunnel endpoint. A consequence of this is that, by default, the local tunnel endpoint router cannot bring the line protocol of the GRE tunnel interface down if the remote end of the tunnel is unreachable.

But you can solve this problem by using DPD in the IPsec configuration. Using GRE over IPsec, you'll see the tunnel go down and up because of this design. Dead Peer Detection (DPD) is a method that allows automatic detection of unreachable Internet Key Exchange (IKE) peers. DPD addresses the shortcomings of the IKE keepalive and heartbeat schemes by introducing a more reasonable logic governing message exchange.

You can use the global command:
crypto ikev2 dpd threshold retry-interval {on-demand | periodic}
Or the specific command:
crypto ikev2 profile profile-name
dpd threshold retry-interval {on-demand | periodic}
Since version 12.3(7)T, IOS supports periodic DPD messages at regular intervals, which essentially turns the protocol into a keepalive mechanism. Note that periodic messages will significantly increase the amount of traffic in deployments with a large number of tunnels.

NOTE Periodic DPD can improve convergence in some scenarios.

In this topology I will use on-demand because convergence is faster.
Final Configurations
R1 (Hub1)
hostname R1
!
aaa new-model
aaa authorization network default local
!
interface Loopback0
description LAN
ip address 192.168.1.1 255.255.255.0
!
interface Loopback1
ip address 10.1.13.1 255.255.255.255
!
interface FastEthernet0/0
ip address 200.1.13.1 255.255.255.0
duplex full
no shut
!
! IP addresses for tunnel interfaces of spokes
ip local pool POOL 192.168.0.1 192.168.0.10
!
! Pushing Policy
crypto ikev2 authorization policy default
pool POOL
route set interface
!
crypto ikev2 proposal IKEV2-PROPOSAL
encryption aes-cbc-128
integrity sha1
group 5
!
crypto ikev2 policy IKEV2-POLICY
proposal IKEV2-PROPOSAL
!
crypto ikev2 keyring mykeys
peer SPOKE
address 200.1.13.0 255.255.255.0
pre-shared-key Cisco123
!
crypto ikev2 profile IKEV2-PROFILE
match identity remote address 200.1.13.0
authentication remote pre-share
authentication local pre-share
dpd 60 2 on-demand
keyring local mykeys
aaa authorization group psk list default default
virtual-template 1
!
crypto ipsec transform-set OUR-TEST esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC-PROFILE
set transform-set OUR-TEST
set ikev2-profile IKEV2-PROFILE
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback1
delay 1000
tunnel source FastEthernet0/0
tunnel protection ipsec profile IPSEC-PROFILE
!
router eigrp 1
no auto-summary
passive-interface fa0/0
network 192.168.1.0 0.0.0.255
network 10.1.13.1 0.0.0.0
!
end
R4 (Hub2)
hostname R4
!
aaa new-model
aaa authorization network default local
!
interface Loopback0
description LAN
ip address 192.168.1.4 255.255.255.0
!
interface Loopback1
ip address 10.1.13.4 255.255.255.255
!
interface FastEthernet0/0
ip address 200.1.13.4 255.255.255.0
duplex full
no shut
!
ip local pool POOL 192.168.0.11 192.168.0.20
!
crypto ikev2 authorization policy default
pool POOL
route set interface
!
crypto ikev2 proposal IKEV2-PROPOSAL
encryption aes-cbc-128
integrity sha1
group 5
!
crypto ikev2 policy IKEV2-POLICY
proposal IKEV2-PROPOSAL
!
crypto ikev2 keyring mykeys
peer SPOKE
address 200.1.13.0 255.255.255.0
pre-shared-key Cisco123
!
crypto ikev2 profile IKEV2-PROFILE
match identity remote address 200.1.13.0
authentication remote pre-share
authentication local pre-share
dpd 60 2 on-demand
keyring local mykeys
aaa authorization group psk list default default
virtual-template 1
!
crypto ipsec transform-set OUR-TEST esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC-PROFILE
set transform-set OUR-TEST
set ikev2-profile IKEV2-PROFILE
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback1
delay 2000
tunnel source FastEthernet0/0
tunnel protection ipsec profile IPSEC-PROFILE
!
router eigrp 1
no auto-summary
passive-interface fa0/0
network 192.168.1.0 0.0.0.255
network 10.1.13.4 0.0.0.0
!
end
R2 (Spoke1)
hostname R2
!
aaa new-model
aaa authorization network default local
!
interface FastEthernet0/0
ip address 200.1.13.2 255.255.255.0
duplex full
no shut
!
interface Loopback0
description LAN
ip address 192.168.2.1 255.255.255.0
!
crypto ikev2 authorization policy default
route set interface
!
crypto ikev2 proposal IKEV2-PROPOSAL
encryption aes-cbc-128
integrity sha1
group 5
!
crypto ikev2 policy IKEV2-POLICY
proposal IKEV2-PROPOSAL
!
crypto ikev2 keyring mykeys
peer HUB
address 0.0.0.0 0.0.0.0
pre-shared-key Cisco123
!
crypto ikev2 profile IKEV2-PROFILE
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
dpd 60 2 on-demand
keyring local mykeys
aaa authorization group psk list default default
!
crypto ipsec transform-set OUR-TEST esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC-PROFILE
set transform-set OUR-TEST
set ikev2-profile IKEV2-PROFILE
!
interface Tunnel0
ip address negotiated
tunnel source FastEthernet0/0
tunnel destination dynamic
tunnel protection ipsec profile IPSEC-PROFILE
!
crypto ikev2 client flexvpn IKEv2_CLIENT_PROFILE
peer 1 200.1.13.1
peer 2 200.1.13.4
client connect Tunnel0
!
router eigrp 1
no auto-summary
passive-interface fa0/0
network 192.168.2.0 0.0.0.255
network 192.168.0.0 0.0.0.255
!
end
R3 (Spoke2)
hostname R3
!
aaa new-model
aaa authorization network IKE-list local
!
interface FastEthernet0/0
ip address 200.1.13.3 255.255.255.0
duplex full
no shut
!
interface Loopback0
description LAN
ip address 192.168.3.1 255.255.255.0
!
crypto ikev2 authorization policy IKE_AUTH
!
crypto ikev2 proposal IKEV2-PROPOSAL
encryption aes-cbc-128
integrity sha1
group 5
!
crypto ikev2 policy IKEV2-POLICY
proposal IKEV2-PROPOSAL
!
crypto ikev2 keyring mykeys
peer HUB
address 0.0.0.0 0.0.0.0
pre-shared-key Cisco123
!
crypto ikev2 profile IKEV2-PROFILE
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
dpd 60 2 on-demand
keyring local mykeys
aaa authorization group psk list IKE-list IKE_AUTH
!
crypto ipsec transform-set OUR-TEST esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC-PROFILE
set transform-set OUR-TEST
set ikev2-profile IKEV2-PROFILE
!
interface Tunnel0
ip address negotiated
tunnel source FastEthernet0/0
tunnel destination dynamic
tunnel protection ipsec profile IPSEC-PROFILE
!
crypto ikev2 client flexvpn IKEv2_CLIENT_PROFILE
peer 1 200.1.13.1
peer 2 200.1.13.4
client connect Tunnel0
!
router eigrp 1
no auto-summary
passive-interface fa0/0
network 192.168.3.0 0.0.0.255
network 192.168.0.0 0.0.0.255
!
end
NOTE The AAA configuration for R3 is different but works in the same way.
Verification
R3#sh crypto ikev2 authorization policy
IKEv2 Authorization Policy : default
route set interface
route accept any tag : 1 distance : 1
IKEv2 Authorization Policy : IKE_AUTH
route accept any tag : 1 distance : 1
R2#sh crypto ikev2 authorization policy
IKEv2 Authorization Policy : default
route accept any tag : 1 distance : 1
R1#sh ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 200.1.13.1 YES NVRAM up up
FastEthernet1/0 192.168.1.1 YES NVRAM up up
Loopback1 10.1.13.1 YES NVRAM up up
Virtual-Access1 10.1.13.1 YES unset up up
Virtual-Access3 10.1.13.1 YES unset up up
Virtual-Template1 10.1.13.1 YES unset up down
R1#sh crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
2 200.1.13.1/500 200.1.13.3/500 none/none READY
Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/805 sec
CE id: 1008, Session-id: 8
Status Description: Negotiation done
Local spi: 6DA77F42416228A6 Remote spi: 9976E63D4188DC7D
Local id: 200.1.13.1
Remote id: 200.1.13.3
--output omitted--
Assigned host addr: 192.168.0.8
Initiator of SA : No
Tunnel-id Local Remote fvrf/ivrf Status
1 200.1.13.1/500 200.1.13.2/500 none/none READY
Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/810 sec
CE id: 1007, Session-id: 7
Status Description: Negotiation done
Local spi: 70F0AED65297DAA7 Remote spi: A9B2A69F6356488D
Local id: 200.1.13.1
Remote id: 200.1.13.2
--output omitted--
Assigned host addr: 192.168.0.7
Initiator of SA : No
R1#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
2 192.168.0.8 Vi3 13 00:21:20 319 1914 0 20
1 192.168.0.7 Vi1 12 00:21:24 669 4014 0 20
0 192.168.1.4 Fa1/0 12 02:57:47 374 2244 0 43
R2#sh ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 200.1.13.2 YES NVRAM up up
Loopback0 192.168.2.1 YES NVRAM up up
Tunnel0 192.168.0.7 YES NVRAM up up
R2#sh crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 200.1.13.2/500 200.1.13.1/500 none/none READY
Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/2328 sec
CE id: 1002, Session-id: 1
Status Description: Negotiation done
Local spi: ACCBEC54E66FCE2A Remote spi: 1488E670B2CD5A14
Local id: 200.1.13.2
Remote id: 200.1.13.1
--output omitted--
Initiator of SA : Yes
Pushed IP address: 192.168.0.7
R2#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 10.1.13.1 Tu0 13 00:22:17 568 3408 0 48
R2#sh ip route
--output omitted--
Gateway of last resort is not set
10.0.0.0/32 is subnetted, 2 subnets
S 10.1.13.1 is directly connected, Tunnel0
D 10.1.13.4 [90/27010560] via 10.1.13.1, 00:23:19
192.168.0.0/32 is subnetted, 1 subnets
C 192.168.0.7 is directly connected, Tunnel0
D 192.168.1.0/24 [90/26882560] via 10.1.13.1, 00:23:19
192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.2.0/24 is directly connected, Loopback0
L 192.168.2.1/32 is directly connected, Loopback0
D 192.168.3.0/24 [90/27264000] via 10.1.13.1, 00:23:15
200.1.13.0/24 is variably subnetted, 2 subnets, 2 masks
C 200.1.13.0/24 is directly connected, FastEthernet0/0
L 200.1.13.2/32 is directly connected, FastEthernet0/0
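The metrics in R2's routing table above can be checked against the delay values chosen in the Routing Protocol section. The following Python script is an added example, not part of the original lab: it computes the EIGRP classic composite metric with the default K values from the per-hop interface bandwidth and delay. It assumes the IOS interface defaults (tunnel 100 kbit/s and 50000 usec, FastEthernet 100000 kbit/s and 100 usec, loopback 8000000 kbit/s and 5000 usec) and that the hub LAN 192.168.1.0/24 sits on FastEthernet1/0 as in the sh ip int brief output above; it also goes beyond the page by costing a spoke LAN route through R4 with its delay of 2000.

```python
# EIGRP classic composite metric with default K values (K1=1, K3=1):
#   metric = 256 * (10^7 // min_bandwidth_kbps + sum_of_delays)
# Interfaces are (bandwidth_kbps, delay) with delay in the unit the IOS
# "delay" interface command uses: tens of microseconds. The first three
# tuples are the assumed IOS defaults for this lab; VT_R1 and VT_R4 are the
# "delay 1000" / "delay 2000" configured on the hubs' virtual templates.
TUNNEL = (100, 5000)           # Tunnel0 / Virtual-Access: 100 kbit/s, 50000 usec
FASTETHERNET = (100_000, 10)   # 100 Mbit/s, 100 usec
LOOPBACK = (8_000_000, 500)    # 8 Gbit/s, 5000 usec
VT_R1 = (100, 1000)            # R1 Virtual-Template1: delay 1000 (10000 usec)
VT_R4 = (100, 2000)            # R4 Virtual-Template1: delay 2000 (20000 usec)


def eigrp_metric(path):
    """Composite metric for a path given as the list of outgoing interfaces
    crossed from the computing router to the destination network."""
    min_bw = min(bw for bw, _ in path)
    total_delay = sum(dly for _, dly in path)
    return 256 * (10_000_000 // min_bw + total_delay)


def r2_routes_via_r1():
    """Metrics R2 installs while its tunnel terminates on R1. Every path
    starts on R2's Tunnel0 and then follows each router's outgoing interface
    toward the destination (the page's sh ip route values are the targets)."""
    return {
        # R2 Tu0 -> R1 Fa1/0 (the hub LAN)
        "192.168.1.0/24": eigrp_metric([TUNNEL, FASTETHERNET]),
        # R2 Tu0 -> R1 Fa1/0 -> R4 Loopback1
        "10.1.13.4/32": eigrp_metric([TUNNEL, FASTETHERNET, LOOPBACK]),
        # R2 Tu0 -> R1 Virtual-Access (delay 1000) -> R3 Loopback0
        "192.168.3.0/24": eigrp_metric([TUNNEL, VT_R1, LOOPBACK]),
    }


def spoke_lan_metric(hub_vt):
    """Metric for the other spoke's LAN when both spokes terminate on the hub
    whose virtual-template interface is hub_vt; the higher delay configured on
    R4 makes the same route more expensive through R4 than through R1."""
    return eigrp_metric([TUNNEL, hub_vt, LOOPBACK])


if __name__ == "__main__":
    for prefix, metric in r2_routes_via_r1().items():
        print(f"D {prefix} [90/{metric}]")
    print("spoke LAN via R1:", spoke_lan_metric(VT_R1))
    print("spoke LAN via R4:", spoke_lan_metric(VT_R4))
```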
Other commands:
HUB#show interfaces virtual-access 1 configuration
HUB#show interfaces virtual-access 3 configuration
HUB#show crypto ipsec sa
HUB#show crypto session
HUB#show crypto engine connections active
Symmetric Routing
R5>ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 120/137/164 ms
R5>ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 128/162/220 ms
R5>traceroute 192.168.2.1
Type escape sequence to abort.
Tracing the route to 192.168.2.1
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.1.1 36 msec 92 msec 52 msec
2 192.168.0.7 196 msec 200 msec *
R5>traceroute 192.168.3.1
Type escape sequence to abort.
Tracing the route to 192.168.3.1
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.1.1 68 msec 56 msec 44 msec
2 192.168.0.8 172 msec 292 msec *
R2#ping 192.168.1.5 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 136/166/200 ms
R2#traceroute 192.168.1.5
Type escape sequence to abort.
Tracing the route to 192.168.1.5
VRF info: (vrf in name/id, vrf out name/id)
1 10.1.13.1 180 msec 128 msec 216 msec
2 192.168.1.5 204 msec 224 msec *
Testing connectivity between spokes
R3#ping 192.168.2.1 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 212/237/264 ms
Spokes use the hubs as next hops.

NOTE If you use IPsec/IP tunnel encapsulation on GNS3, pings between spokes will fail.
Failover
Now, let’s shutdown the fa0/0 interface on R1 and delete the IKEv2 SAs on spokes:
R1(config)#int fa0/0
R1(config-if)#shut
*Dec 2 17:22:42.743: %TRACKING-5-STATE: 1 interface Fa0/0 line-protocol Up->Down
*Dec 2 17:22:42.955: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
*Dec 2 17:22:43.015: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.0.7 (Virtual-Access1) is down: interface down
*Dec 2 17:22:43.171: %HSRP-5-STATECHANGE: FastEthernet1/0 Grp 1 state Active -> Speak
*Dec 2 17:22:44.739: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
*Dec 2 17:22:45.747: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
*Dec 2 17:22:47.771: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
*Dec 2 17:22:47.847: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.0.8 (Virtual-Access3) is down: interface down
In this lab, when a hub router fails, the other takes over the control:
R4#
*Dec 2 16:57:04.627: %SYS-5-CONFIG_I: Configured from console by console
*Dec 2 17:22:51.111: %HSRP-5-STATECHANGE: FastEthernet1/0 Grp 1 state Standby -> Active
*Dec 2 17:24:03.835: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
*Dec 2 17:24:04.147: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
*Dec 2 17:24:08.275: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
*Dec 2 17:24:08.587: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
*Dec 2 17:24:09.339: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.0.17 (Virtual-Access1) is up: new adjacency
*Dec 2 17:24:13.383: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.0.18 (Virtual-Access2) is up: new adjacency
R4#sh crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
2 200.1.13.4/500 200.1.13.2/500 none/none READY
Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
--output omitted--
Assigned host addr: 192.168.0.18
Initiator of SA : No
Remote subnets:
192.168.0.18 255.255.255.255
Tunnel-id Local Remote fvrf/ivrf Status
1 200.1.13.4/500 200.1.13.3/500 none/none READY
Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
--output omitted--
Assigned host addr: 192.168.0.17
Initiator of SA : No
IPv6 Crypto IKEv2 SA
Asymmetric routing after the original HSRP primary router recovers from an outage
R1(config)#int fa0/0
R1(config-if)#no shut
R1#
*Dec 2 17:30:38.187: %TRACKING-5-STATE: 1 interface Fa0/0 line-protocol Down->Up
*Dec 2 17:30:39.603: %HSRP-5-STATECHANGE: FastEthernet1/0 Grp 1 state Standby -> Active
*Dec 2 17:30:40.163: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Dec 2 17:30:41.163: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R4#
*Dec 2 17:30:47.351: %HSRP-5-STATECHANGE: FastEthernet1/0 Grp 1 state Active -> Speak
*Dec 2 17:30:57.919: %HSRP-5-STATECHANGE: FastEthernet1/0 Grp 1 state Speak -> Standby
As you can see, with this implementation R4's tunnels stay active. In order to re-establish the tunnels on R1:
R4#clear crypto ikev2 sa

Finally, we achieve symmetric routing again, but only with manual intervention.
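The asymmetric state described above (HSRP active back on R1 while the spokes' IKEv2 SAs stay on R4) can be spotted from the hubs' syslog and their show crypto ikev2 sa detailed output. The following Python script is an added example and not part of the original lab: it replays the %HSRP-5-STATECHANGE messages to find the active hub, lists the READY SAs per hub, and names the hub where clear crypto ikev2 sa is needed. The inputs are constructed from the outputs shown on this page; the hostnames, interface and HSRP group are this lab's.

```python
import re

# Constructed sample inputs modelled on this page's outputs (not captured from
# the lab): HSRP syslog lines per hub, and 'show crypto ikev2 sa detailed'
# after R1 came back from the outage (all SAs still on R4, none on R1).
SYSLOG = {
    "R1": [
        "*Dec 2 17:22:43.171: %HSRP-5-STATECHANGE: FastEthernet1/0 Grp 1 state Active -> Speak",
        "*Dec 2 17:30:39.603: %HSRP-5-STATECHANGE: FastEthernet1/0 Grp 1 state Standby -> Active",
    ],
    "R4": [
        "*Dec 2 17:22:51.111: %HSRP-5-STATECHANGE: FastEthernet1/0 Grp 1 state Standby -> Active",
        "*Dec 2 17:30:47.351: %HSRP-5-STATECHANGE: FastEthernet1/0 Grp 1 state Active -> Speak",
        "*Dec 2 17:30:57.919: %HSRP-5-STATECHANGE: FastEthernet1/0 Grp 1 state Speak -> Standby",
    ],
}
IKEV2_SA = {
    "R1": "IPv4 Crypto IKEv2 SA\n\nIPv6 Crypto IKEv2 SA\n",
    "R4": (
        "IPv4 Crypto IKEv2 SA\n"
        "Tunnel-id Local Remote fvrf/ivrf Status\n"
        "2 200.1.13.4/500 200.1.13.2/500 none/none READY\n"
        "Tunnel-id Local Remote fvrf/ivrf Status\n"
        "1 200.1.13.4/500 200.1.13.3/500 none/none READY\n"
    ),
}

HSRP_RE = re.compile(r"%HSRP-5-STATECHANGE: (\S+) Grp (\d+) state \S+ -> (\S+)")
# Per-SA summary line: "<id> <local>/<port> <remote>/<port> <fvrf/ivrf> READY"
SA_RE = re.compile(r"^\s*\d+\s+(\S+)/\d+\s+(\S+)/\d+\s+\S+\s+READY\b", re.M)


def hsrp_state(lines):
    """Replay the syslog and return the final HSRP state per (interface, group)."""
    state = {}
    for line in lines:
        m = HSRP_RE.search(line)
        if m:
            state[(m.group(1), m.group(2))] = m.group(3)
    return state


def ready_peers(sa_output):
    """Remote addresses of the IKEv2 SAs in READY state, sorted."""
    return sorted(m.group(2) for m in SA_RE.finditer(sa_output))


def check_symmetry(syslog, sa_outputs, group=("FastEthernet1/0", "1")):
    """Routing is symmetric when the HSRP-active hub is the one terminating the
    spokes' tunnels; any other hub still holding READY SAs is where
    'clear crypto ikev2 sa' must be run so the spokes reconnect."""
    active = [hub for hub, lines in syslog.items()
              if hsrp_state(lines).get(group) == "Active"]
    peers = {hub: ready_peers(out) for hub, out in sa_outputs.items()}
    stale = [hub for hub, remotes in peers.items() if remotes and hub not in active]
    return {"hsrp_active": active, "spokes_by_hub": peers,
            "asymmetric": bool(stale), "clear_sa_on": stale}


if __name__ == "__main__":
    print(check_symmetry(SYSLOG, IKEV2_SA))
```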
Dynamic tunnels between spokes
FlexVPN spoke-to-spoke using standard GNS3 is not possible, because the ip nhrp redirect command fails, so there are no dynamic tunnels between spokes.

The complete configuration for the spokes' tunnels to achieve direct spoke-to-spoke connectivity is:

interface Tunnel0
ip address negotiated
ip nhrp network-id 1
ip nhrp shortcut virtual-template 1
tunnel source FastEthernet0/0
tunnel destination dynamic
tunnel protection ipsec profile IPSEC-PROFILE
!
interface Virtual-Template1 type tunnel
ip unnumbered tunnel 0
ip nhrp network-id 1
ip nhrp redirect <-- Not necessary in this lab
ip nhrp shortcut virtual-template 1
tunnel source fa0/0
tunnel protection ipsec profile IPSEC-PROFILE
!
crypto ikev2 profile IKEV2-PROFILE
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
dpd 60 2 on-demand
keyring local mykeys
aaa authorization group psk list default default
virtual-template 1
For the hubs:

interface Virtual-Template1 type tunnel
ip unnumbered Loopback1
ip nhrp network-id 1
ip nhrp redirect
tunnel source FastEthernet0/0
tunnel protection ipsec profile IPSEC-PROFILE
NOTE The new commands added to the configuration are highlighted in bold. I couldn't test this latter configuration, but I think it should work in a real environment.