FLEX VPN: Sample LAN-to-LAN configuration with Dynamic Routing

As a follow-on to our FLEX VPN Overview (http://wp.me/p1loe7-fJ) and to the first post presenting a sample configuration (http://wp.me/p1loe7-hX), we will now examine a site-to-site scenario that relies on Cisco EIGRP to forward packets over the VPN tunnel. The only modification to our reference environment was the replacement of static routes by a dynamic routing protocol on the participating ISR G2 routers. Some new commands (not explored in the first article) are used here to help you build a tool set that may be handy in your monitoring and troubleshooting tasks.

Figures 1 and 2 summarize the main settings on the HUB and on the SPOKE, respectively. Using a routing protocol not only brings scalability to your deployment but also simplifies maintenance.

Figure 1: Main settings on HUB1

As depicted in the topologies, the EIGRP adjacency is built over the GRE Tunnel interface (whose subnet is 10.190.1.0/24). After the routers become neighbors, the LAN subnets that need IPSec protection services (10.200.101.0/24 on the HUB and 10.200.201.0/24 on the SPOKE) are advertised to the remote peer. Detailed reachability information for our sample network is provided in Figure 5.

Figure 2: Main settings on SPOKE1
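The HUB side of the setup described above, written out as an added example (not the configuration captured in the article's figures): the GRE tunnel sits in 10.190.1.0/24, is protected by IPSEC-PROFILE1 and points at the SPOKE's Loopback 2000 address 172.20.1.1, and EIGRP runs only over the tunnel and the protected LAN. The HUB's own loopback address (172.10.1.1), tunnel address (10.190.1.254), EIGRP AS number, proposal parameters and the pre-shared key are assumptions, not values from the page.

```cisco
! HUB1 (added example). Assumed: Loopback2000 172.10.1.1, Tunnel1 10.190.1.254,
! EIGRP AS 100, IKEv2 proposal values, and the pre-shared key placeholder.
crypto ikev2 proposal IKEV2-PROPOSAL1
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy IKEV2-POLICY1
 proposal IKEV2-PROPOSAL1
!
crypto ikev2 keyring KEYRING1
 peer SPOKE1
  address 172.20.1.1
  pre-shared-key REPLACE-WITH-STRONG-PSK
!
crypto ikev2 profile IKEV2-PROFILE1
 ! Only the SPOKE's tunnel endpoint (its Loopback 2000) may bring up this tunnel
 match identity remote address 172.20.1.1 255.255.255.255
 identity local address 172.10.1.1
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING1
!
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile IPSEC-PROFILE1
 set transform-set TS-AES256-SHA256
 set ikev2-profile IKEV2-PROFILE1
!
interface Loopback2000
 ip address 172.10.1.1 255.255.255.255
!
interface Tunnel1
 ip address 10.190.1.254 255.255.255.0
 tunnel source Loopback2000
 tunnel destination 172.20.1.1
 ! IPsec wraps the GRE packets (IP protocol 47), which is what the IPSEC FLOW shows
 tunnel protection ipsec profile IPSEC-PROFILE1
!
router eigrp 100
 ! Advertise the tunnel subnet and the protected LAN only; the underlay route to
 ! 172.20.1.1 must be learned outside the tunnel, or the tunnel flaps (recursive routing)
 network 10.190.1.0 0.0.0.255
 network 10.200.101.0 0.0.0.255
 passive-interface default
 no passive-interface Tunnel1
```

The SPOKE mirrors this configuration with the addresses swapped and 10.200.201.0/24 as its LAN; EIGRP hellos never leave the WAN interface because every interface except Tunnel1 is passive.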

Figure 3 shows the type of information revealed by the show crypto ikev2 session detail command.

Figure 3: Detailed information about the IKEv2 Session

Figure 4 shows a partial output of the show crypto ipsec sa command and confirms that the tunnel in place, secured by the profile IPSEC-PROFILE1, carries the GRE protocol (notice the permit 47 statement in the IPSEC FLOW).

Figure 4: Information about the IPSec SA and Tunnel interface

Figure 5 reveals connectivity details from the HUB perspective. The show ip route command clearly demonstrates that the EIGRP updates flow through the GRE tunnel, whereas the show ip cef commands give insight into the forwarding decisions. Notice that show ip cef exact-route even displays the underlying interface used to reach the tunnel destination (172.20.1.1, associated with Loopback 2000 on the SPOKE).

Figure 5: Routing and Forwarding information

It would be instructive at this point to compare the current scenario with the one covering static routes (http://wp.me/p1loe7-hX), document the commands already analyzed, and make sure you understand the overall structure (and building blocks) of a FLEX VPN policy.
