FlexVPN – DVTI – Dynamic Virtual Tunnel Interface

Starting from the configuration of the previous post, we will replace R1's static Tunnel0 with a Dynamic Virtual Tunnel Interface (DVTI): a Virtual-Template, sourced from R1's external interface, from which IOS clones one Virtual-Access interface per IKEv2 session. Because the hub no longer names a tunnel destination, the IKEv2 profile's match identity remote clauses and the keyring become the admission control that decides which peers get a Virtual-Access.

We will also add a new router, R3, as another FlexVPN peer, which turns the site-to-site setup into a hub-and-spoke topology with R1 as the hub.

The starting configuration of R1 and R2, and most of the INTERNET configuration, are the same as those left at the end of the FlexVPN – Site to Site – IKEv2 post, so check that post if you need them.

R3 Configuration (Initial, IKEv2 FlexVPN, Routing)
hostname R3
!
! DHCP Server Configuration
ip dhcp pool LAN
 network 172.16.1.0 255.255.255.0
 default-router 172.16.1.254 
 dns-server 8.8.8.8 
 domain-name bsnetworking.blog
! 
! IKE Proposal (same as R2)
crypto ikev2 proposal IKEPROPOSAL 
 encryption aes-cbc-256
 integrity sha512
 group 14
!
! IKE Policy (Similar to R2)
crypto ikev2 policy IKEPOLICY
 ! Changed the local address to R3 address
 match address local 10.0.0.9
 proposal IKEPROPOSAL
!
! IKE Keyring (Similar to R2)
crypto ikev2 keyring KEYRING
 peer R1-ROUTER
  description R1 Keys
  address 10.0.0.1
  identity email R1@bsnetworking.blog
  ! Changed the local pre-shared key to R3's key
  pre-shared-key local R3key12345
  pre-shared-key remote R1key12345
!
! IKE Profile (Similar to R2)
crypto ikev2 profile IKEPROFILE
 match identity remote email R1@bsnetworking.blog
 ! Changed the local identity to R3 identity
 identity local fqdn R3.bsnetworking.blog
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING
!
! IPSEC Transform-set (same as R2)
crypto ipsec transform-set TSET esp-aes 256 esp-sha512-hmac 
 mode tunnel
!
! IPSEC Profile (Same as R2)
crypto ipsec profile IPSECPROFILE
 set transform-set TSET 
 set ikev2-profile IKEPROFILE
!
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
! Interface tunnel configuration (same as R2)
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source Ethernet0/3
 tunnel mode ipsec ipv4
 tunnel destination 10.0.0.1
 tunnel path-mtu-discovery
 tunnel protection ipsec profile IPSECPROFILE
!
! Local Interface Configuration
interface Ethernet0/0
 description LAN CONNECTION
 ip address 172.16.1.254 255.255.255.0
 ip nat inside
 no shutdown
!
! External Interface Configuration
interface Ethernet0/3
 description INTERNET CONNECTION
 ip address 10.0.0.9 255.255.255.252
 ip nat outside
 no shutdown
!
! Routing Configuration
router eigrp 10
 network 3.3.3.3 0.0.0.0
 network 172.16.1.254 0.0.0.0
!
! Nat rule
ip nat inside source list NAT interface Ethernet0/3 overload
! Default Static Route
ip route 0.0.0.0 0.0.0.0 10.0.0.10
!
! NAT ACL
ip access-list extended NAT
 permit ip 172.16.1.0 0.0.0.255 any
 deny   ip any any
Changes on R1 Configuration from the previous post
Configuration removed from the previous post is shown with the no command that removes it, followed by the old lines commented out with !; configuration added for DVTI is introduced by a comment.
hostname R1
!
ip dhcp pool LAN
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.254 
 dns-server 8.8.8.8 
 domain-name bsnetworking.blog
!         
!
crypto ikev2 proposal IKEPROPOSAL 
 encryption aes-cbc-256
 integrity sha512
 group 14
!
crypto ikev2 policy IKEPOLICY 
 match address local 10.0.0.1
 proposal IKEPROPOSAL
!
! Add a new key to the existent keyring
crypto ikev2 keyring KEYRING
 peer R2-ROUTER
  description R2 Keys
  address 10.0.0.5
  identity fqdn R2.bsnetworking.blog
  pre-shared-key local R1key12345
  pre-shared-key remote R2key12345
 ! R3 Key
 peer R3-ROUTER
  description R3 Keys
  address 10.0.0.9
  identity fqdn R3.bsnetworking.blog
  pre-shared-key local R1key12345
  pre-shared-key remote R3key12345
 !
!
! Add new identity for R3
crypto ikev2 profile IKEPROFILE
 match identity remote fqdn R2.bsnetworking.blog
 ! R3 identity
 match identity remote fqdn R3.bsnetworking.blog
 identity local email R1@bsnetworking.blog
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING
 ! Associate the template with the profile
 virtual-template 1
!
!
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha512-hmac 
 mode tunnel
!
crypto ipsec profile IPSECPROFILE
 set transform-set TSET 
 set ikev2-profile IKEPROFILE
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!         
interface Ethernet0/0
 description LAN CONNECTION
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 no shutdown
!
interface Ethernet0/1
 description INTERNET CONNECTION
 ip address 10.0.0.1 255.255.255.252
 ip nat outside
 no shutdown
!
! Remove the static tunnel interface; the Virtual-Template replaces it
no interface tunnel 0
!interface Tunnel0
! ip unnumbered Loopback0
! tunnel source Ethernet0/1
! tunnel mode ipsec ipv4
! tunnel destination 10.0.0.5
! tunnel path-mtu-discovery
! tunnel protection ipsec profile IPSECPROFILE
!
! Configure the Virtual-Template (very similar to the tunnel configuration)
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source Ethernet0/1
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel protection ipsec profile IPSECPROFILE
!
!
router eigrp 10
 network 1.1.1.1 0.0.0.0
 network 192.168.0.254 0.0.0.0
!

ip nat inside source list NAT interface Ethernet0/1 overload
ip route 0.0.0.0 0.0.0.0 10.0.0.2
!
ip access-list extended NAT
 permit ip 192.168.0.0 0.0.0.255 any
 deny   ip any any
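As an added example (not code from the original post), the script below audits the part of a hub configuration that changes with DVTI. With the static tunnel destination gone, the IKEv2 profile's match identity remote clauses and the keyring are what admit a spoke and get it a Virtual-Access, so the script checks that every clause names exactly one keyring peer carrying a pre-shared key, flags wildcard matches (any, 0.0.0.0, or a domain match), and follows the IPsec profile -> IKEv2 profile -> virtual-template -> tunnel protection chain to make sure it closes on the same IPsec profile. The parser assumes the IOS text conventions seen above (one space of indentation per nesting level, ! comment lines); the sample configurations, the finding messages and the set of wildcard forms it flags are this example's own choices.

```python
"""Audit the admission control and DVTI binding of a FlexVPN hub from its
IOS configuration text. Added example for this post, not code from it."""
import re


def blocks(config, prefix):
    """Yield (rest of header, [indented body lines]) for every top-level
    block whose header starts with prefix; '!' comment lines are skipped."""
    rest, body = None, []
    for raw in config.splitlines() + ["end"]:      # 'end' flushes the last block
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] == " ":
            body.append(raw.rstrip())
            continue
        if rest is not None:
            yield rest, body
        rest, body = None, []
        if raw.startswith(prefix + " "):
            rest = raw.strip()[len(prefix) + 1:]


def psk_identities(keyring_body):
    """(type, value) identities of keyring peers that carry a pre-shared key.
    Peers are indented one space, their attributes two."""
    ids, peer = set(), []
    for line in keyring_body + [" peer END"]:      # sentinel flushes the last peer
        if line.startswith(" peer "):
            if any(l.startswith("pre-shared-key") for l in peer):
                ids.update((w[1], w[2]) for w in map(str.split, peer)
                           if w[0] == "identity" and len(w) == 3)
            peer = []
        else:
            peer.append(line.strip())
    return ids


def audit(config):
    findings = []
    # 1. Admission control: with no static tunnel destination, the profile's
    #    match clauses plus the keyring decide who is cloned a Virtual-Access.
    keyrings = {n: psk_identities(b) for n, b in blocks(config, "crypto ikev2 keyring")}
    profiles = {n: [l.strip() for l in b] for n, b in blocks(config, "crypto ikev2 profile")}
    for name, lines in profiles.items():
        kr = next((l.split()[2] for l in lines if l.startswith("keyring local ")), None)
        for line in lines:
            w = line.split()
            if w[:3] != ["match", "identity", "remote"]:
                continue
            if "any" in w[3:] or "0.0.0.0" in w[3:] or w[4:5] == ["domain"]:
                findings.append(f"profile {name}: wildcard identity match '{line}'")
            elif len(w) == 5 and (w[3], w[4]) not in keyrings.get(kr, set()):
                findings.append(f"profile {name}: no keyring peer with a PSK for {w[3]} {w[4]}")
    # 2. Binding: ipsec profile -> ikev2 profile -> virtual-template -> same ipsec profile
    vts = {}
    for rest, b in blocks(config, "interface"):
        m = re.match(r"Virtual-Template(\d+)\b", rest)
        if m:
            vts[m.group(1)] = [l.strip() for l in b]
    for name, body in blocks(config, "crypto ipsec profile"):
        ike = next((l.split()[2] for l in map(str.strip, body) if l.startswith("set ikev2-profile ")), None)
        vt = next((l.split()[1] for l in profiles.get(ike, []) if l.startswith("virtual-template ")), None)
        if vt is None:
            findings.append(f"ipsec profile {name}: IKEv2 profile {ike} has no virtual-template")
        elif f"tunnel protection ipsec profile {name}" not in vts.get(vt, []):
            findings.append(f"Virtual-Template{vt} is not protected by ipsec profile {name}")
    return findings


# Constructed sample: the DVTI-relevant part of the R1 hub configuration above.
SAMPLE_R1 = """\
crypto ikev2 keyring KEYRING
 peer R2-ROUTER
  identity fqdn R2.bsnetworking.blog
  pre-shared-key remote R2key12345
 peer R3-ROUTER
  identity fqdn R3.bsnetworking.blog
  pre-shared-key remote R3key12345
crypto ikev2 profile IKEPROFILE
 match identity remote fqdn R2.bsnetworking.blog
 match identity remote fqdn R3.bsnetworking.blog
 keyring local KEYRING
 virtual-template 1
crypto ipsec profile IPSECPROFILE
 set transform-set TSET
 set ikev2-profile IKEPROFILE
interface Virtual-Template1 type tunnel
 tunnel protection ipsec profile IPSECPROFILE
"""

# Constructed negative case: a domain wildcard, a keyring peer that declares
# no identity, and an IKEv2 profile not bound to a virtual-template.
SAMPLE_WEAK = (SAMPLE_R1
               .replace(" match identity remote fqdn R2.bsnetworking.blog",
                        " match identity remote fqdn domain bsnetworking.blog")
               .replace("  identity fqdn R3.bsnetworking.blog\n", "")
               .replace(" virtual-template 1\n", ""))
```

audit(SAMPLE_R1) returns no findings for the hub as configured above; audit(SAMPLE_WEAK) returns three, one per deliberate fault. Feed it the output of show running-config from a real hub to run the same checks, keeping in mind that it only understands the keyring, profile, IPsec profile and interface blocks.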
Verification
On R1, one Virtual-Access interface has been cloned from Virtual-Template1 per spoke session, and EIGRP has learned each spoke's loopback and LAN through that spoke's own Virtual-Access. To confirm which identity each session authenticated with (the value the IKEv2 profile matched on), use show crypto ikev2 sa detailed.
R1#show ip interface brief
Interface        IP-Address     OK? Method Status                Protocol
Ethernet0/0      192.168.0.254  YES NVRAM  up                    up 
Ethernet0/1      10.0.0.1       YES NVRAM  up                    up 
Ethernet0/2      unassigned     YES NVRAM  administratively down down 
Ethernet0/3      unassigned     YES NVRAM  administratively down down 
Loopback0        1.1.1.1        YES NVRAM  up                    up 
NVI0             192.168.0.254  YES unset  up                    up 
Virtual-Access1  1.1.1.1        YES unset  up                    up 
Virtual-Access2  1.1.1.1        YES unset  up                    up 
Virtual-Template1 1.1.1.1       YES unset  up                    down 

R1#show ip route eigrp 
<output omitted>
Gateway of last resort is 10.0.0.2 to network 0.0.0.0

  2.0.0.0/32 is subnetted, 1 subnets
D 2.2.2.2 [90/27008000] via 2.2.2.2, 00:46:47, Virtual-Access1
  3.0.0.0/32 is subnetted, 1 subnets
D 3.3.3.3 [90/27008000] via 3.3.3.3, 00:02:06, Virtual-Access2
  172.16.0.0/24 is subnetted, 2 subnets
D 172.16.0.0 [90/26905600] via 2.2.2.2, 00:46:47, Virtual-Access1
D 172.16.1.0 [90/26905600] via 3.3.3.3, 00:02:06, Virtual-Access2

Until the next post, stay good.