Does anyone have generic clean configurations to build a FlexVPN server and a Cisco router as a client?
Hi @ReneMolenaar I’ve followed the Hub and Spoke guide but it just overall doesn’t seem clear to me or to be working when I have it mostly set up.
Logic
ISR > Comcast (not ISP provided - public IP) > Internet < Comcast (ISP provided modem - no public IP but IPsec ports are not blocked) < ISR
Hi Matthew,
What exactly are you trying to achieve? Do you have multiple clients or just one?
Should it be site to site or does the client side only need to access resources on the “server” side?
Rene
One for right now and for this case it would only be client side access. Access would be an IP phone and using the built-in wireless to supply access for the corp devices accessing the corp network. Preferably full tunnel.
I would start simple. If you only have one branch site, start with a simple site to site tunnel:
If there is a high chance you’ll have multiple sites, invest the time to learn hub and spoke:
Try both or one of the two in an emulator first so you can test it without worrying if there is anything on your production routers that might mess things up.
When it works, see if you can communicate with wired clients on both ends. When that works, see if it works with a wireless client.
Later, add some access-lists on the branch routers to prevent traffic from leaving the branch router to the main site.
There are quite some moving parts but if you lab this step-by-step you can do it. If FlexVPN is relatively new to you and you try to configure everything in production right away, things can get confusing and frustrating.
Rene
Thanks for that. I’ll work on your suggestion(s).
@ReneMolenaar I did get the FlexVPN with smart defaults working. I can access the advertised subnets as well from the client side - Neat!
The only problem I’m still working out is that while the site to site is up and the ACL is defined, I cannot access the internet from the subnet I have on the client side. Ping from the router comes back okay to 1.1.1.1 but not from VLAN 6 [192.168.6.0 255.255.255.0]. DHCP gets assigned just fine.
Hello Matthew
From my understanding, you want the client side to access the Internet through the tunnel, and from the ISP at the corporate side, correct? I assume that’s what you mean when you say “full tunnel”. The only thing I can suggest is to:
- check your ACLs to ensure that all of the traffic from your client side is being matched by the ACL and tunneled.
- check that routing on the corporate side is configured such that the subnet on the client side is reachable, so that return traffic will reach your VLAN 6 subnet.
Let us know how your troubleshooting goes so that we can help you further.
I hope this has been helpful!
Laz
Just an update… While I didn’t get the full tunnel “hairpin” working over the FlexVPN site to site, I was able to get split tunnel working, but not via the ACL rule. I kept getting a recursive routing error in the log. I couldn’t figure out the root cause, but removing the crypto ikev2 authorization policy from the profile made the tunnel start working. I had to manually set the route on each ISR using ip route 192.168.xx.xx 255.255.255.0 tun0 though.
It’s working for now. If all works out I’ll look into a better way to scale and use some routing protocol so the routers learn the routes automatically.
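As an added example (not configuration from the original thread or from networklessons.com), here is the hub side of a FlexVPN site-to-site tunnel using IKEv2 smart defaults with the static routes Matthew describes; because the tunnel is a route-based VTI, routing, not a crypto ACL, decides what is encrypted, and a route to the peer's public address that points into the tunnel itself is the classic trigger for the %TUN-5-RECURDOWN recursive routing message. Assumptions: both routers have public addresses (hub WAN 198.51.100.1 with next hop 198.51.100.254, spoke WAN 203.0.113.2 with next hop 203.0.113.254), hub LAN 192.168.1.0/24, spoke LAN 192.168.6.0/24 as in the thread, interface names and the pre-shared key placeholder are constructed.

```cisco
! HUB (corporate side). Constructed: WAN 198.51.100.1 on Gi0/0, LAN 192.168.1.0/24
crypto ikev2 keyring FLEX-KEYRING
 peer SPOKE1
  address 203.0.113.2
  pre-shared-key REPLACE-WITH-STRONG-PSK
!
! Smart defaults supply the IKEv2 proposal/policy and the IPsec transform set,
! so only the keyring, profile and IPsec profile need to be defined
crypto ikev2 profile FLEX-PROFILE
 match identity remote address 203.0.113.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local FLEX-KEYRING
!
crypto ipsec profile FLEX-IPSEC
 set ikev2-profile FLEX-PROFILE
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
!
! Spoke LAN (VLAN 6 in the thread) is reached through the tunnel; with a VTI
! this route, not a crypto ACL, selects the traffic to encrypt
ip route 192.168.6.0 255.255.255.0 Tunnel0
! Keep the peer's public address reachable via the WAN next hop and never via
! Tunnel0 (for example through a default route learned over the tunnel);
! a tunnel destination that resolves through the tunnel causes RECURDOWN
ip route 203.0.113.2 255.255.255.255 198.51.100.254
!
! SPOKE (branch side) mirrors this: peer/identity/tunnel destination become
! 198.51.100.1, Tunnel0 uses 10.0.0.2/30, and the routes are:
! ip route 192.168.1.0 255.255.255.0 Tunnel0
! ip route 198.51.100.1 255.255.255.255 203.0.113.254
```

Verify with `show crypto ikev2 sa` and `show crypto ipsec sa` on both sides, and with `show ip route 203.0.113.2` on the hub to confirm the peer is reached via the WAN interface rather than Tunnel0. In the thread's setup the spoke sits behind an ISP modem without a public address, so on the hub the `match identity remote address` would need the modem's public address (or a key-id/FQDN identity) and only the spoke can initiate the tunnel.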
Hello Matthew!
Thanks for keeping us updated on your progress and sharing your experience with the forum. It adds to the value of the forum because we all get to benefit from your experience! Let us know of your progress in determining the best way to scale your deployment!
Thanks again!
Laz