As a follow-on to our FLEX VPN Overview (http://wp.me/p1loe7-fJ) and to the first post presenting a sample configuration (http://wp.me/p1loe7-hX), we will now examine a site-to-site scenario that relies on Cisco EIGRP to forward packets over the VPN tunnel. The only modification to our reference environment was the replacement of static routes by a dynamic routing protocol on the participating ISR G2 routers. Some new commands (not explored in the first article) will be used here to help you build a tool set that should be handy in your monitoring and troubleshooting tasks.
Figures 1 and 2 summarize, respectively, the main settings on the HUB and on the SPOKE. Using a routing protocol not only brings scalability to your deployment but also simplifies maintenance.
As depicted in the topologies, the EIGRP adjacency is built over the GRE Tunnel interface (whose subnet is 10.190.1.0/24). After the routers become neighbors, the LAN subnets that need IPSec protection services (10.200.101.0/24 on the HUB and 10.200.201.0/24 on the SPOKE) are advertised to the remote peer. Detailed reachability information for our sample network is provided in Figure 5.
Figure 3 shows the type of information revealed by the show crypto ikev2 session detail command.
Figure 4 shows a partial output of the show crypto ipsec sa command and confirms that the tunnel in place, secured by the profile IPSEC-PROFILE1, carries GRE (notice the permit 47 statement in the IPSEC FLOW; IP protocol 47 is GRE).
Figure 5 reveals connectivity details from the HUB perspective. The show ip route command clearly demonstrates that the EIGRP updates flow through the GRE tunnel, whereas the show ip cef commands provide insight into the forwarding decisions. Notice that show ip cef exact-route even displays the underlying (transport) interface used to reach the tunnel destination (172.20.1.1, associated with Loopback 2000 on the SPOKE).
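To turn the show ip route reading above into a repeatable check, here is an added example (not code from the original post or from Cisco) that parses a "show ip route" excerpt from the HUB and verifies two things: that the remote LAN (10.200.201.0/24) is an EIGRP route whose next hop lies in the tunnel subnet (10.190.1.0/24) and egresses a Tunnel interface, and that the tunnel destination (172.20.1.1, Loopback 2000 on the SPOKE) is reached through an underlay interface rather than through the tunnel itself, which would otherwise trigger a recursive routing shutdown. The sample output is constructed: the subnets and the 172.20.1.1 address come from the post, while the metrics, timers, interface names and the 192.0.2.0/30 WAN link are invented for illustration.

```python
"""Sanity checks over IOS "show ip route" output for an EIGRP-over-GRE FlexVPN hub.
Added example; the sample RIB below is constructed, not captured from the lab."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt as seen from the HUB (metrics, timers, 192.0.2.0/30 link are hypothetical).
SAMPLE_SHOW_IP_ROUTE = """\
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C        10.190.1.0/24 is directly connected, Tunnel0
L        10.190.1.1/32 is directly connected, Tunnel0
C        10.200.101.0/24 is directly connected, GigabitEthernet0/1
L        10.200.101.1/32 is directly connected, GigabitEthernet0/1
D        10.200.201.0/24 [90/26880256] via 10.190.1.2, 00:12:41, Tunnel0
      172.20.0.0/32 is subnetted, 1 subnets
S        172.20.1.1 [1/0] via 192.0.2.2
      192.0.2.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.0.2.0/30 is directly connected, GigabitEthernet0/0
L        192.0.2.1/32 is directly connected, GigabitEthernet0/0
"""

# Failure-mode variant (constructed): the tunnel destination learned through the tunnel itself.
RECURSIVE_SAMPLE = SAMPLE_SHOW_IP_ROUTE.replace(
    "S        172.20.1.1 [1/0] via 192.0.2.2",
    "D        172.20.1.1 [90/26880256] via 10.190.1.2, 00:00:05, Tunnel0",
)

SUBNETTED_RE = re.compile(r"^\s+\d+(?:\.\d+){3}/(?P<len>\d+) is (?:variably )?subnetted")
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]{1,2}(?: [A-Z0-9]{1,2})?\*?)\s+"
    r"(?P<prefix>\d+(?:\.\d+){3})(?:/(?P<len>\d+))?\s+"
    r"(?:is directly connected, (?P<ciface>\S+)"
    r"|\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<nh>\d+(?:\.\d+){3})"
    r"(?:, (?P<age>[\w:]+)(?=,|\s*$))?"
    r"(?:, (?P<iface>\S+))?)\s*$"
)


@dataclass
class Route:
    code: str                                  # C, L, S, D (EIGRP), D EX, ...
    prefix: ipaddress.IPv4Network
    next_hop: Optional[ipaddress.IPv4Address]  # None for connected/local routes
    interface: Optional[str]                   # None when only a next hop is printed
    admin_distance: int
    metric: int


def parse_show_ip_route(text: str) -> List[Route]:
    """Parse route lines, carrying the mask of 'is subnetted' headers to entries printed without one."""
    routes: List[Route] = []
    header_len = 32
    for line in text.splitlines():
        h = SUBNETTED_RE.match(line)
        if h:
            header_len = int(h.group("len"))
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue
        plen = int(m.group("len")) if m.group("len") else header_len
        prefix = ipaddress.ip_network(f"{m.group('prefix')}/{plen}", strict=False)
        if m.group("ciface"):
            routes.append(Route(m.group("code"), prefix, None, m.group("ciface"), 0, 0))
        else:
            routes.append(Route(m.group("code"), prefix, ipaddress.ip_address(m.group("nh")),
                                m.group("iface"), int(m.group("ad")), int(m.group("metric"))))
    return routes


def lookup(routes: List[Route], address) -> Optional[Route]:
    """Longest-prefix match for a destination, as the RIB resolves it."""
    addr = ipaddress.ip_address(str(address))
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def egress_interface(routes: List[Route], address, max_depth: int = 8) -> Optional[str]:
    """Resolve a destination to its outgoing interface, following next-hop-only routes."""
    r = lookup(routes, address)
    while r is not None and r.interface is None and r.next_hop is not None and max_depth > 0:
        r = lookup(routes, r.next_hop)
        max_depth -= 1
    return r.interface if r is not None else None


def lan_learned_over_tunnel(routes: List[Route], lan_prefix: str, tunnel_subnet: str) -> bool:
    """True when the remote LAN is an EIGRP route (code D) with a next hop inside the
    GRE tunnel subnet and a Tunnel interface as egress."""
    want, tunnel = ipaddress.ip_network(lan_prefix), ipaddress.ip_network(tunnel_subnet)
    for r in routes:
        if r.prefix == want and r.code.startswith("D"):
            return r.next_hop is not None and r.next_hop in tunnel and (r.interface or "").startswith("Tunnel")
    return False


def tunnel_destination_is_not_recursive(routes: List[Route], tunnel_destination: str) -> bool:
    """The transport route to the tunnel destination must leave via an underlay interface;
    if it resolved back into a Tunnel interface, IOS would shut the tunnel down (recursive routing)."""
    iface = egress_interface(routes, tunnel_destination)
    return iface is not None and not iface.startswith("Tunnel")


if __name__ == "__main__":
    for label, text in (("healthy", SAMPLE_SHOW_IP_ROUTE), ("recursive", RECURSIVE_SAMPLE)):
        rib = parse_show_ip_route(text)
        print(label, "| remote LAN via tunnel:", lan_learned_over_tunnel(rib, "10.200.201.0/24", "10.190.1.0/24"),
              "| tunnel dest egress:", egress_interface(rib, "172.20.1.1"),
              "| no recursive routing:", tunnel_destination_is_not_recursive(rib, "172.20.1.1"))
```

Feed it the real output of show ip route from your HUB and compare the egress reported for 172.20.1.1 with the interface shown by show ip cef exact-route in Figure 5; the two should agree, and the remote LAN check should stay true as long as the EIGRP adjacency over 10.190.1.0/24 is up.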
It would be instructive at this point to compare the current scenario with the one covering static routes (http://wp.me/p1loe7-hX), document the commands already analyzed, and make sure you understand the overall structure (and building blocks) of a FLEX VPN policy.
** Related Posts:
- FLEX VPN series: https://alexandremspmoraes.wordpress.com/tag/flex-vpn/
** Additional Reading:
- FLEX VPN configuration guide: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/xe-3s/sec-flex-vpn-xe-3s-book.pdf
- FLEX VPN authentication options: http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a3.html#GUID-D1894BF4-475E-4513-BF9A-9F3FE5276021