FlexVPN Example Configuration and Setup Guide

2024 Apr 16

What is FlexVPN spoke-to-spoke routing?

FlexVPN allows for a variety of network designs, including hub-and-spoke topologies, and dynamic spoke-to-spoke communication can be configured on top of them. In such a scenario, spoke routers dynamically form IPSec tunnels with each other instead of routing traffic through the hub. This is similar to how DMVPN Phase 3 works, but FlexVPN provides several benefits mentioned in the next section. Spoke-to-spoke routing in FlexVPN uses the NHRP redirect feature on the hub and the NHRP shortcut feature on the spoke routers.

What is the difference between FlexVPN and DMVPN?

The following table lists several differences between DMVPN Phase 3 and FlexVPN with spoke-to-spoke communication.

DMVPN and FlexVPN comparison

DMVPN Phase 3 | FlexVPN spoke-to-spoke
Older technology | Newer technology, so newer software/hardware may be needed
NHRP is used to register with the hub; resolution and redirect (traffic indication) messages are used to learn the NBMA address of the other spoke | NHRP registration is not used; instead the tunnel interface IP address is sent with IKEv2 routing, and only NHRP resolution and redirect are used
Uses multipoint-GRE (mGRE) tunnels on hub and spoke | Uses dynamic-VTI (DVTI) tunnels on hub and spoke; in addition, the spoke routers have a Static VTI (SVTI) point-to-point GRE tunnel configured towards the hub
IPSec is optional; if encryption is needed then IKEv1 or IKEv2 can be used | IPSec is mandatory, only IKEv2 can be used, and the Smart Defaults feature is available

Configuring FlexVPN spoke-to-spoke routing with IPv4

In the following scenario FlexVPN is configured in a hub-and-spoke model, and dynamic spoke-to-spoke communication is enabled. The dynamic spoke-to-spoke tunnels are encrypted with IPSec using IKEv2 to establish Security Associations (SA). The following are important aspects that enable this example design.

  • hub and spoke routers each have a Dynamic VTI (DVTI) template configured
  • each spoke also has one Static VTI (SVTI) tunnel configured; the hub does not have an SVTI
  • symmetric pre-shared key authentication is configured under the crypto ikev2 profile (instead of using a crypto keyring)
  • iBGP is configured between hub and spoke; this requires the IKEv2 routing configuration to advertise the tunnel interface IP
  • NHRP redirect is configured on the hub, NHRP shortcut on the spokes

FlexVPN dynamic spoke-to-spoke connectivity with DVTI, NHRP redirect on hub router and NHRP shortcut on spoke routers

Configuration:

R1 (Hub)
    R1#show run int Lo10 | sec int
    interface Loopback10
     ip address 10.0.0.1 255.255.255.255
    
    R1#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     description ** to Server **
     ip address 192.168.0.2 255.255.255.0
     duplex auto
     speed auto
     media-type rj45
    
    R1#show run int Gi0/1 | sec int
    interface GigabitEthernet0/1
     description ** to internet access **
     ip address 172.16.1.2 255.255.255.252
     duplex auto
     speed auto
     media-type rj45
    
    R1#show run int Virtual-Template10 | sec int
    interface Virtual-Template10 type tunnel
     description ** Dynamic VTI for Spoke R2 and R3 **
     ip unnumbered Loopback10
     ip nhrp network-id 15
     ip nhrp redirect
     tunnel source GigabitEthernet0/1
     tunnel protection ipsec profile default
    
    R1#show run | sec ^aaa n|^aaa a
    aaa new-model
    aaa authorization network AUTH-FLEXVPN local
    
    R1#show run | sec ^crypto
    crypto ikev2 authorization policy CRYPTO-AUTH 
     route set interface
    crypto ikev2 profile default
     match identity remote address 172.16.0.0 255.255.0.0 
     authentication remote pre-share key p4ssw0rd.123
     authentication local pre-share key p4ssw0rd.123
     aaa authorization group psk list AUTH-FLEXVPN CRYPTO-AUTH
     virtual-template 10
    
    R1#show run | sec ^router
    router bgp 65001
     bgp router-id 1.1.1.1
     bgp log-neighbor-changes
     neighbor 10.0.0.2 remote-as 65001
     neighbor 10.0.0.2 update-source Loopback10
     neighbor 10.0.0.3 remote-as 65001
     neighbor 10.0.0.3 update-source Loopback10
     !
     address-family ipv4
      network 192.168.0.0
      neighbor 10.0.0.2 activate
      neighbor 10.0.0.2 default-originate
      neighbor 10.0.0.3 activate
      neighbor 10.0.0.3 default-originate
     exit-address-family
    
    R1#show run | sec ^ip route
    ip route 172.16.0.0 255.255.0.0 172.16.1.1
    
R2 (Spoke)
    R2#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     description ** to Host1 **
     ip address 192.168.1.2 255.255.255.0
     duplex auto
     speed auto
     media-type rj45
    
    R2#show run int Gi0/1 | sec int
    interface GigabitEthernet0/1
     description ** to internet access **
     ip address 172.16.2.2 255.255.255.252
     duplex auto
     speed auto
     media-type rj45
    
    R2#show run int Tu10 | sec int 
    interface Tunnel10
     description ** FlexVPN Static VTI **
     ip address 10.0.0.2 255.255.255.255
     ip nhrp network-id 15
     ip nhrp shortcut virtual-template 10
     tunnel source 172.16.2.2
     tunnel destination 172.16.1.2
     tunnel protection ipsec profile default
    
    R2#show run int Virtual-Template10 | sec int
    interface Virtual-Template10 type tunnel
     description ** Dynamic VTI for FlexVPN spoke-to-spoke **
     ip unnumbered Tunnel10
     ip nhrp network-id 15
     ip nhrp shortcut virtual-template 10
     tunnel protection ipsec profile default
     
    R2#show run | sec ^aaa n|^aaa a
    aaa new-model
    aaa authorization network AUTH-FLEXVPN local 
    
    R2#show run | sec ^crypto
    crypto ikev2 authorization policy CRYPTO-AUTH 
     route set interface
    crypto ikev2 profile default
     match identity remote address 172.16.0.0 255.255.0.0 
     authentication remote pre-share key p4ssw0rd.123
     authentication local pre-share key p4ssw0rd.123
     aaa authorization group psk list AUTH-FLEXVPN CRYPTO-AUTH
     virtual-template 10
    
    R2#show run | sec ^router
    router bgp 65001
     bgp router-id 2.2.2.2
     bgp log-neighbor-changes
     neighbor 10.0.0.1 remote-as 65001
     neighbor 10.0.0.1 update-source Tunnel10
     !
     address-family ipv4
      network 192.168.1.0
      neighbor 10.0.0.1 activate
     exit-address-family
    
    R2#show run | sec ^ip route
    ip route 172.16.0.0 255.255.0.0 172.16.2.1
    
R3 (Spoke)
    R3#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     description ** to Host2 **
     ip address 192.168.2.2 255.255.255.0
     duplex auto
     speed auto
     media-type rj45
    
    R3#show run int Gi0/1 | sec int
    interface GigabitEthernet0/1
     description ** to internet access **
     ip address 172.16.3.2 255.255.255.252
     duplex auto
     speed auto
     media-type rj45
    
    R3#show run int Tu10 | sec int 
    interface Tunnel10
     description ** FlexVPN Static VTI **
     ip address 10.0.0.3 255.255.255.255
     ip nhrp network-id 15
     ip nhrp shortcut virtual-template 10
     tunnel source 172.16.3.2
     tunnel destination 172.16.1.2
     tunnel protection ipsec profile default
    
    R3#show run int Virtual-Template10 | sec int
    interface Virtual-Template10 type tunnel
     description ** Dynamic VTI for FlexVPN spoke-to-spoke **
     ip unnumbered Tunnel10
     ip nhrp network-id 15
     ip nhrp shortcut virtual-template 10
     tunnel protection ipsec profile default
    
    R3#show run | sec ^aaa n|^aaa a
    aaa new-model
    aaa authorization network AUTH-FLEXVPN local
    
    R3#show run | sec ^crypto
    crypto ikev2 authorization policy CRYPTO-AUTH 
     route set interface
    crypto ikev2 profile default
     match identity remote address 172.16.0.0 255.255.0.0 
     authentication remote pre-share key p4ssw0rd.123
     authentication local pre-share key p4ssw0rd.123
     aaa authorization group psk list AUTH-FLEXVPN CRYPTO-AUTH
     virtual-template 10
    
    R3#show run | sec ^router
    router bgp 65001
     bgp router-id 3.3.3.3
     bgp log-neighbor-changes
     neighbor 10.0.0.1 remote-as 65001
     neighbor 10.0.0.1 update-source Tunnel10
     !
     address-family ipv4
      network 192.168.2.0
      neighbor 10.0.0.1 activate
     exit-address-family
    
    R3#show run | sec ^ip route
    ip route 172.16.0.0 255.255.0.0 172.16.3.1
    
Host1
    Host1#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     description ** to R2 **
     ip address 192.168.1.1 255.255.255.0
     duplex auto
     speed auto
     media-type rj45
    
    Host1#show run | sec ^ip route
    ip route 0.0.0.0 0.0.0.0 192.168.1.2
    
Host1#ping 192.168.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 47/48/49 ms        « Host1 can reach the Server

Host1#trace 192.168.0.1 probe 1
Type escape sequence to abort.
Tracing the route to 192.168.0.1
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.2 1 msec
  2 10.0.0.1 47 msec              « Tunnel interface IP on hub R1
  3 192.168.0.1 48 msec

Host1#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/48/49 ms        « Host1 can reach Host2

Host1#trace 192.168.2.1 probe 1
Type escape sequence to abort.
Tracing the route to 192.168.2.1
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.2 2 msec
  2 10.0.0.3 48 msec              « Tunnel interface IP on spoke R3 (direct spoke-to-spoke communication)
  3 192.168.2.1 48 msec

R2#show crypto session brief
Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating 
        K - No IKE
ivrf = (none)
Peer            I/F          Username        Group/Phase1_id          Uptime   Status
172.16.1.2      Tu10                         172.16.1.2               01:58:58 UA   
172.16.3.2      Vi1                          172.16.3.2               00:00:45 UA         « IPSec SA dynamically created between spokes

R2#show crypto session      
Crypto session current status

Interface: Tunnel10
Profile: default
Session status: UP-ACTIVE     
Peer: 172.16.1.2 port 500 
  Session ID: 1  
  IKEv2 SA: local 172.16.2.2/500 remote 172.16.1.2/500 Active 
  IPSEC FLOW: permit 47 host 172.16.2.2 host 172.16.1.2 
        Active SAs: 2, origin: crypto map

Interface: Virtual-Access1                   « Virtual-Access (DVTI) interface used for direct spoke-to-spoke traffic
Profile: default
Session status: UP-ACTIVE     
Peer: 172.16.3.2 port 500 
  Session ID: 9  
  IKEv2 SA: local 172.16.2.2/500 remote 172.16.3.2/500 Active 
  IPSEC FLOW: permit 47 host 172.16.2.2 host 172.16.3.2 
        Active SAs: 2, origin: crypto map

R2#show ip route | beg Ga
Gateway of last resort is 10.0.0.1 to network 0.0.0.0

B*    0.0.0.0/0 [200/0] via 10.0.0.1, 01:52:08             « BGP default route received from hub R1
      10.0.0.0/32 is subnetted, 3 subnets
S        10.0.0.1 is directly connected, Tunnel10          « IKEv2 route received from hub R1
C        10.0.0.2 is directly connected, Tunnel10
H        10.0.0.3 is directly connected, 00:01:18, Virtual-Access1      « NHRP dynamically installs spoke R3 tunnel IP
      172.16.0.0/16 is variably subnetted, 3 subnets, 3 masks
S        172.16.0.0/16 [1/0] via 172.16.2.1
C        172.16.2.0/30 is directly connected, GigabitEthernet0/1
L        172.16.2.2/32 is directly connected, GigabitEthernet0/1
B     192.168.0.0/24 [200/0] via 10.0.0.1, 01:52:23
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, GigabitEthernet0/0
L        192.168.1.2/32 is directly connected, GigabitEthernet0/0
H     192.168.2.0/24 [250/255] via 10.0.0.3, 00:01:18, Virtual-Access1  « NHRP dynamically installs Site 2 prefix

R2#show ip route nhrp | beg Ga                   « The following two routes are installed by NHRP
Gateway of last resort is 10.0.0.1 to network 0.0.0.0

      10.0.0.0/32 is subnetted, 3 subnets
H        10.0.0.3 is directly connected, 00:02:39, Virtual-Access1                  
H     192.168.2.0/24 [250/255] via 10.0.0.3, 00:02:39, Virtual-Access1

R2#show ip route 192.168.2.0     
Routing entry for 192.168.2.0/24
  Known via "nhrp", distance 250, metric 255           « NHRP routes have an AD of 250
  Tag 15
  Last update from 10.0.0.3 on Virtual-Access1, 00:02:49 ago
  Routing Descriptor Blocks:
  * 10.0.0.3, from 10.0.0.3, 00:02:49 ago, via Virtual-Access1
      Route metric is 255, traffic share count is 1
      Route tag 15                                     « NHRP network-ID is used as a route tag
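
To check that a hub or spoke configuration actually follows the design rules listed above (IPsec protection on every VTI, NHRP redirect on the hub, NHRP shortcut plus an SVTI on the spokes, a consistent NHRP network-id, and an IKEv2 authorization policy with route set interface), here is an added Python audit script; it is not part of the original post, and its sample config and finding messages are constructed from the R2 configuration above.

```python
import re

# Constructed sample: the page's spoke R2 config, trimmed to the FlexVPN-relevant stanzas.
SPOKE_CFG = """\
interface Tunnel10
 ip address 10.0.0.2 255.255.255.255
 ip nhrp network-id 15
 ip nhrp shortcut virtual-template 10
 tunnel source 172.16.2.2
 tunnel destination 172.16.1.2
 tunnel protection ipsec profile default
interface Virtual-Template10 type tunnel
 ip unnumbered Tunnel10
 ip nhrp network-id 15
 ip nhrp shortcut virtual-template 10
 tunnel protection ipsec profile default
aaa authorization network AUTH-FLEXVPN local
crypto ikev2 authorization policy CRYPTO-AUTH
 route set interface
crypto ikev2 profile default
 match identity remote address 172.16.0.0 255.255.0.0
 aaa authorization group psk list AUTH-FLEXVPN CRYPTO-AUTH
 virtual-template 10
"""

def parse_stanzas(config):
    """Map each top-level IOS line to its indented sub-commands ('!' and pasted prompts skipped)."""
    stanzas, parent = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!" or re.match(r"\S+#", line):
            continue
        if line[0].isspace() and parent is not None:
            stanzas[parent].append(line.strip())
        elif not line[0].isspace():
            parent = line.strip()
            stanzas.setdefault(parent, [])
    return stanzas

def audit_flexvpn(config, role):
    """Return findings for a 'hub' or 'spoke' config; an empty list means it follows the design."""
    st, findings = parse_stanzas(config), []
    vtis = {k: v for k, v in st.items() if k.startswith("interface Virtual-Template")}
    svtis = {k: v for k, v in st.items() if k.startswith("interface Tunnel")}
    tunnels = {**vtis, **svtis}
    network_ids = set()
    for name, lines in tunnels.items():
        network_ids.update(l.split()[-1] for l in lines if l.startswith("ip nhrp network-id"))
        # IPsec is mandatory in FlexVPN: every VTI must carry an IPsec profile.
        if not any(l.startswith("tunnel protection ipsec profile") for l in lines):
            findings.append(f"{name}: missing 'tunnel protection ipsec profile'")
        if role == "spoke" and not any(l.startswith("ip nhrp shortcut virtual-template") for l in lines):
            findings.append(f"{name}: spoke VTI missing 'ip nhrp shortcut virtual-template'")
    if len(network_ids) != 1:
        findings.append(f"NHRP network-id inconsistent across tunnel interfaces: {sorted(network_ids)}")
    if role == "hub":
        if svtis:
            findings.append("hub should not have a static VTI (Tunnel) interface")
        if not any("ip nhrp redirect" in lines for lines in vtis.values()):
            findings.append("hub DVTI must have 'ip nhrp redirect'")
    elif not svtis:
        findings.append("spoke needs a static VTI (Tunnel) towards the hub")
    # IKEv2 routing: the tunnel IP is only advertised if the authorization policy has 'route set interface'.
    policies = {k.split()[-1]: v for k, v in st.items() if k.startswith("crypto ikev2 authorization policy")}
    for prof, lines in ((k, v) for k, v in st.items() if k.startswith("crypto ikev2 profile")):
        groups = [l for l in lines if l.startswith("aaa authorization group")]
        if not groups:
            findings.append(f"{prof}: no 'aaa authorization group ... list', IKEv2 routing will not run")
        for l in groups:
            policy = l.split()[-1]
            if "route set interface" not in policies.get(policy, []):
                findings.append(f"{prof}: policy {policy} lacks 'route set interface'")
    return findings

if __name__ == "__main__":
    print(audit_flexvpn(SPOKE_CFG, "spoke"))   # []
    print(audit_flexvpn(SPOKE_CFG, "hub"))     # a spoke config fails the hub rules
```

Run it against the output of show run on each router and review every finding before trusting spoke-to-spoke traffic to be encrypted.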

Direct spoke-to-spoke communication is possible by leveraging the Next-Hop Resolution Protocol (NHRP) redirect and shortcut features. The spoke routers use the NHRP cache to dynamically install the prefixes learned for a neighboring spoke router. The following outputs from spoke router R2 display the NHRP cache and the shortcut route.

R2#show ip nhrp summary
IP NHRP cache 2 entries, 864 bytes
    0 static  2 dynamic  0 incomplete         « Two dynamic entries installed with NHRP

R2#show ip nhrp detail
10.0.0.3/32 via 10.0.0.3
   Virtual-Access1 created 00:00:04, expire 00:09:55
   Type: dynamic, Flags: router implicit nhop rib nho 
   NBMA address: 172.16.3.2                   « This is the internet access (underlay/transport) IP address on spoke R3
   Preference: 255
192.168.1.0/24 via 10.0.0.2
   Virtual-Access1 created 00:00:04, expire 00:09:55
   Type: dynamic, Flags: router unique local 
   NBMA address: 172.16.2.2 
   Preference: 255
    (no-socket) 
  Requester: 10.0.0.3 Request ID: 6

R2#show ip nhrp shortcut       
10.0.0.3/32 via 10.0.0.3                      « Tunnel interface IP address of spoke R3 installed as a shortcut route on spoke R2
   Virtual-Access1 created 00:01:17, expire 00:08:42
   Type: dynamic, Flags: router implicit nhop rib nho 
   NBMA address: 172.16.3.2
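
As an added example (not from the original post), the following Python script parses the NHRP cache and crypto session outputs shown above and cross-checks them: every remote spoke that NHRP points traffic at should be backed by an Up-Active IKEv2 session, since spoke-to-spoke traffic is only protected once that SA exists. The sample outputs are constructed from R2's outputs on this page.

```python
import re

# Constructed samples in the shape of spoke R2's 'show ip nhrp detail' and
# 'show crypto session brief' outputs on this page.
NHRP_DETAIL = """\
10.0.0.3/32 via 10.0.0.3
   Virtual-Access1 created 00:00:04, expire 00:09:55
   Type: dynamic, Flags: router implicit nhop rib nho
   NBMA address: 172.16.3.2
   Preference: 255
192.168.1.0/24 via 10.0.0.2
   Virtual-Access1 created 00:00:04, expire 00:09:55
   Type: dynamic, Flags: router unique local
   NBMA address: 172.16.2.2
   Preference: 255
    (no-socket)
  Requester: 10.0.0.3 Request ID: 6
"""
CRYPTO_BRIEF = """\
Peer            I/F          Username        Group/Phase1_id          Uptime   Status
172.16.1.2      Tu10                         172.16.1.2               01:58:58 UA
172.16.3.2      Vi1                          172.16.3.2               00:00:45 UA
"""

ENTRY_RE = re.compile(r"^(\S+/\d+) via (\S+)")
IFACE_RE = re.compile(r"^\s+(\S+) created (\S+), expire (\S+)")
TYPE_RE = re.compile(r"^\s+Type: (\w+), Flags: (.*)$")
NBMA_RE = re.compile(r"^\s+NBMA address: (\S+)")
SESSION_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s.*\s(\d\d:\d\d:\d\d)\s+(\S+)\s*$")

def parse_nhrp_detail(text):
    """Turn 'show ip nhrp detail' output into a list of cache-entry dicts."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:   # an unindented line starts a new cache entry
            entries.append({"prefix": m.group(1), "nexthop": m.group(2), "flags": set()})
            continue
        if not entries:
            continue
        cur = entries[-1]
        m = IFACE_RE.match(line)
        if m:
            cur["interface"], cur["expire"] = m.group(1), m.group(3)
            continue
        m = TYPE_RE.match(line)
        if m:
            cur["type"], cur["flags"] = m.group(1), set(m.group(2).split())
            continue
        m = NBMA_RE.match(line)
        if m:
            cur["nbma"] = m.group(1)
    return entries

def parse_crypto_sessions(text):
    """Map peer NBMA address -> status from 'show crypto session brief' (UA = Up-Active)."""
    return {m.group(1): m.group(4) for m in map(SESSION_RE.match, text.splitlines()) if m}

def shortcut_peers(entries):
    """Remote spokes learned by NHRP shortcut: dynamic, installed in the RIB, not our own prefix."""
    return {e["nbma"]: e["nexthop"] for e in entries
            if e.get("type") == "dynamic" and "rib" in e["flags"] and "local" not in e["flags"]}

def unprotected_peers(entries, sessions):
    """NBMA peers that NHRP would send traffic to without an Up-Active IKEv2 session."""
    return {nbma for nbma in shortcut_peers(entries) if sessions.get(nbma) != "UA"}

def expires_within(entries, seconds):
    """Prefixes whose NHRP hold time is below 'seconds' (due for re-resolution or purge)."""
    def to_s(hms):
        h, m, s = (int(x) for x in hms.split(":"))
        return h * 3600 + m * 60 + s
    return [e["prefix"] for e in entries if to_s(e.get("expire", "99:59:59")) < seconds]

if __name__ == "__main__":
    ents = parse_nhrp_detail(NHRP_DETAIL)
    print("shortcut peers:", shortcut_peers(ents))                                        # {'172.16.3.2': '10.0.0.3'}
    print("unprotected:", unprotected_peers(ents, parse_crypto_sessions(CRYPTO_BRIEF)))   # set()
```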

Configuring FlexVPN spoke-to-spoke routing with IPv4 in VRF (two default routes)

The following example topology uses VRF Gold to connect the three locations with FlexVPN. This design allows two default routes to be used on the spoke routers: one default route is received in VRF Gold through the FlexVPN tunnel with BGP (from the hub router), while the local internet provider also requires a default route in the spoke's global routing table (RIB). With the VRF configuration both default routes can be used at the same time, one for the underlay/internet transport network and another for the overlay/FlexVPN network.

FlexVPN in VRF configuration to enable two default routes on spoke routers with direct spoke-to-spoke communication

Configuration:

R1 (Hub)
    R1#show run | sec ^vrf
    vrf definition Gold
     rd 1:1
     !
     address-family ipv4
     exit-address-family
    
    R1#show run int Lo10 | sec int
    interface Loopback10
     vrf forwarding Gold
     ip address 10.0.0.1 255.255.255.255
    
    R1#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     description ** to Server **
     no ip address
     duplex auto
     speed auto
     media-type rj45
    
    R1#show run int Gi0/0.10 | sec int
    interface GigabitEthernet0/0.10
     description ** to Server in VRF Gold (VLAN 10) **
     encapsulation dot1Q 10
     vrf forwarding Gold
     ip address 192.168.0.2 255.255.255.0
    
    R1#show run int Gi0/1 | sec int
    interface GigabitEthernet0/1
     description ** to internet access **
     ip address 172.16.1.2 255.255.255.252
     duplex auto
     speed auto
     media-type rj45
    
    R1#show run int Virtual-Template10 | sec int
    interface Virtual-Template10 type tunnel
     description ** Dynamic VTI for Spoke R2 and R3 **
     vrf forwarding Gold
     ip unnumbered Loopback10
     ip nhrp network-id 15
     ip nhrp redirect
     tunnel source GigabitEthernet0/1
     tunnel protection ipsec profile default
    
    R1#show run | sec ^aaa n|^aaa a
    aaa new-model
    aaa authorization network AUTH-FLEXVPN local
    
    R1#show run | sec ^crypto
    crypto ikev2 authorization policy CRYPTO-AUTH 
     route set interface
    crypto ikev2 profile default
     match identity remote address 172.16.0.0 255.255.0.0 
     authentication remote pre-share key p4ssw0rd.123
     authentication local pre-share key p4ssw0rd.123
     aaa authorization group psk list AUTH-FLEXVPN CRYPTO-AUTH
     virtual-template 10
    
    R1#show run | sec ^router bgp
    router bgp 65001
     bgp router-id 1.1.1.1
     bgp log-neighbor-changes
     !
     address-family ipv4 vrf Gold
      network 192.168.0.0
      neighbor 10.0.0.2 remote-as 65001
      neighbor 10.0.0.2 update-source Loopback10
      neighbor 10.0.0.2 activate
      neighbor 10.0.0.2 default-originate
      neighbor 10.0.0.3 remote-as 65001
      neighbor 10.0.0.3 update-source Loopback10
      neighbor 10.0.0.3 activate
      neighbor 10.0.0.3 default-originate
     exit-address-family
    
    R1#show run | sec ^ip route
    ip route 0.0.0.0 0.0.0.0 172.16.1.1
    
R2 (Spoke)
    R2#show run | sec ^vrf
    vrf definition Gold
     rd 1:1
     !
     address-family ipv4
     exit-address-family
    
    R2#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     description ** to Host1 **
     no ip address
     duplex auto
     speed auto
     media-type rj45
    
    R2#show run int Gi0/0.10 | sec int
    interface GigabitEthernet0/0.10
     description ** to Host1 in VRF Gold (VLAN 10) **
     encapsulation dot1Q 10
     vrf forwarding Gold
     ip address 192.168.1.2 255.255.255.0
    
    R2#show run int Gi0/1 | sec int   
    interface GigabitEthernet0/1
     description ** to internet access **
     ip address 172.16.2.2 255.255.255.252
     duplex auto
     speed auto
     media-type rj45
    
    R2#show run int Tu10 | sec int
    interface Tunnel10
     description ** FlexVPN Static VTI **
     vrf forwarding Gold
     ip address 10.0.0.2 255.255.255.255
     ip nhrp network-id 15
     ip nhrp shortcut virtual-template 10
     tunnel source 172.16.2.2
     tunnel destination 172.16.1.2
     tunnel protection ipsec profile default
    
    R2#show run int Virtual-Template10 | sec int
    interface Virtual-Template10 type tunnel
     description ** Dynamic VTI for FlexVPN spoke-to-spoke **
     vrf forwarding Gold
     ip unnumbered Tunnel10
     ip nhrp network-id 15
     ip nhrp shortcut virtual-template 10
     tunnel protection ipsec profile default
    
    R2#show run | sec ^aaa n|^aaa a
    aaa new-model
    aaa authorization network AUTH-FLEXVPN local
    
    R2#show run | sec ^crypto 
    crypto ikev2 authorization policy CRYPTO-AUTH 
     route set interface
    crypto ikev2 profile default
     match identity remote address 172.16.0.0 255.255.0.0 
     authentication remote pre-share key p4ssw0rd.123
     authentication local pre-share key p4ssw0rd.123
     aaa authorization group psk list AUTH-FLEXVPN CRYPTO-AUTH
     virtual-template 10
    
    R2#show run | sec ^router bgp 
    router bgp 65001
     bgp router-id 2.2.2.2
     bgp log-neighbor-changes
     !
     address-family ipv4 vrf Gold
      network 192.168.1.0
      neighbor 10.0.0.1 remote-as 65001
      neighbor 10.0.0.1 update-source Tunnel10
      neighbor 10.0.0.1 activate
     exit-address-family
    
    R2#show run | sec ^ip route
    ip route 0.0.0.0 0.0.0.0 172.16.2.1
    
R3 (Spoke)
    R3#show run | sec ^vrf
    vrf definition Gold
     rd 1:1
     !
     address-family ipv4
     exit-address-family
    
    R3#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     description ** to Host2 **
     no ip address
     duplex auto
     speed auto
     media-type rj45
     
    R3#show run int Gi0/0.10 | sec int
    interface GigabitEthernet0/0.10
     description ** to Host2 in VRF Gold (VLAN 10) **
     encapsulation dot1Q 10
     vrf forwarding Gold
     ip address 192.168.2.2 255.255.255.0
    
    R3#show run int Gi0/1 | sec int   
    interface GigabitEthernet0/1
     description ** to internet access **
     ip address 172.16.3.2 255.255.255.252
     duplex auto
     speed auto
     media-type rj45
    
    R3#show run int Tu10 | sec int 
    interface Tunnel10
     description ** FlexVPN Static VTI **
     vrf forwarding Gold
     ip address 10.0.0.3 255.255.255.255
     ip nhrp network-id 15
     ip nhrp shortcut virtual-template 10
     tunnel source 172.16.3.2
     tunnel destination 172.16.1.2
     tunnel protection ipsec profile default
    
    R3#show run | sec ^aaa n|^aaa a
    aaa new-model
    aaa authorization network AUTH-FLEXVPN local 
    
    R3#show run | sec ^crypto
    crypto ikev2 authorization policy CRYPTO-AUTH 
     route set interface
    crypto ikev2 profile default
     match identity remote address 172.16.0.0 255.255.0.0 
     authentication remote pre-share key p4ssw0rd.123
     authentication local pre-share key p4ssw0rd.123
     aaa authorization group psk list AUTH-FLEXVPN CRYPTO-AUTH
     virtual-template 10
    
    R3#show run | sec ^router bgp
    router bgp 65001
     bgp router-id 3.3.3.3
     bgp log-neighbor-changes
     !
     address-family ipv4 vrf Gold
      network 192.168.2.0
      neighbor 10.0.0.1 remote-as 65001
      neighbor 10.0.0.1 update-source Tunnel10
      neighbor 10.0.0.1 activate
     exit-address-family
    
    R3#show run | sec ^ip route
    ip route 0.0.0.0 0.0.0.0 172.16.3.1
    
Host1
    Host1#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     description ** to R2 **
     no ip address
     duplex auto
     speed auto
     media-type rj45
    
    Host1#show run int Gi0/0.10 | sec int 
    interface GigabitEthernet0/0.10
     description ** to R2 in VLAN 10 **
     encapsulation dot1Q 10
     ip address 192.168.1.1 255.255.255.0
    
    Host1#show run | sec ^ip route
    ip route 0.0.0.0 0.0.0.0 192.168.1.2
    
R2#show ip route | beg Ga
Gateway of last resort is 172.16.2.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 172.16.2.1                   « On spoke R2 a default route is used to reach the internet provider
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.2.0/30 is directly connected, GigabitEthernet0/1
L        172.16.2.2/32 is directly connected, GigabitEthernet0/1

R2#show ip route vrf Gold | beg Ga
Gateway of last resort is 10.0.0.1 to network 0.0.0.0

B*    0.0.0.0/0 [200/0] via 10.0.0.1, 00:28:31         « On spoke R2 a VRF default route is used to reach the FlexVPN network
      10.0.0.0/32 is subnetted, 3 subnets
S        10.0.0.1 is directly connected, Tunnel10
C        10.0.0.2 is directly connected, Tunnel10
S   %    10.0.0.3 is directly connected, Virtual-Access1
B     192.168.0.0/24 [200/0] via 10.0.0.1, 00:28:31
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, GigabitEthernet0/0.10
L        192.168.1.2/32 is directly connected, GigabitEthernet0/0.10

Host1#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/93/94 ms              « Host1 can reach Host2

Host1#trace 192.168.2.1 probe 1
Type escape sequence to abort.
Tracing the route to 192.168.2.1
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.2 1 msec
  2 10.0.0.3 47 msec                         « Spoke R3 Tunnel IP address (direct spoke-to-spoke connectivity)
  3 192.168.2.1 48 msec

NHRP packets used with FlexVPN spoke-to-spoke

The following outputs are taken from the hub router R1 and from the spoke router R2. They show the various NHRP packets used during FlexVPN spoke-to-spoke operation. Note that the general mechanism is similar to DMVPN Phase 3; however, no NHRP registration messages are exchanged.

R1#show ip nhrp traffic interface Virtual-Access 1
Virtual-Access1: Max-send limit:10000Pkts/10Sec, Usage:0%
   Sent: Total 5
         3 Resolution Request  0 Resolution Reply  0 Registration Request  
         0 Registration Reply  0 Purge Request  0 Purge Reply  
         0 Error Indication  2 Traffic Indication  0 Redirect Suppress  
   Rcvd: Total 3
         3 Resolution Request  0 Resolution Reply  0 Registration Request  
         0 Registration Reply  0 Purge Request  0 Purge Reply  
         0 Error Indication  0 Traffic Indication  0 Redirect Suppress

R2#show ip nhrp traffic interface Tu10 
Tunnel10: Max-send limit:10000Pkts/10Sec, Usage:0%
   Sent: Total 17
         17 Resolution Request  0 Resolution Reply  0 Registration Request  
         0 Registration Reply  0 Purge Request  0 Purge Reply  
         0 Error Indication  0 Traffic Indication  0 Redirect Suppress  
   Rcvd: Total 40
         24 Resolution Request  0 Resolution Reply  0 Registration Request  
         0 Registration Reply  0 Purge Request  0 Purge Reply  
         0 Error Indication  16 Traffic Indication  0 Redirect Suppress

R2#show ip nhrp traffic interface Virtual-Access 1
Virtual-Access1: Max-send limit:10000Pkts/10Sec, Usage:0%
   Sent: Total 3
         2 Resolution Request  1 Resolution Reply  0 Registration Request  
         0 Registration Reply  0 Purge Request  0 Purge Reply  
         0 Error Indication  0 Traffic Indication  0 Redirect Suppress  
   Rcvd: Total 3
         0 Resolution Request  3 Resolution Reply  0 Registration Request  
         0 Registration Reply  0 Purge Request  0 Purge Reply  
         0 Error Indication  0 Traffic Indication  0 Redirect Suppress
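
The counters above can be read automatically. The following added Python example (not from the original post) parses show ip nhrp traffic output for several interfaces, confirms the totals add up, flags any NHRP registration traffic (which FlexVPN does not use) and detects the case where a spoke keeps receiving redirects but never gets a resolution reply, meaning the shortcut never forms and traffic stays on the hub. The sample is constructed from R2's two outputs above.

```python
import re

# Constructed sample in the shape of spoke R2's two 'show ip nhrp traffic' outputs above.
NHRP_TRAFFIC = """\
Tunnel10: Max-send limit:10000Pkts/10Sec, Usage:0%
   Sent: Total 17
         17 Resolution Request  0 Resolution Reply  0 Registration Request
         0 Registration Reply  0 Purge Request  0 Purge Reply
         0 Error Indication  0 Traffic Indication  0 Redirect Suppress
   Rcvd: Total 40
         24 Resolution Request  0 Resolution Reply  0 Registration Request
         0 Registration Reply  0 Purge Request  0 Purge Reply
         0 Error Indication  16 Traffic Indication  0 Redirect Suppress
Virtual-Access1: Max-send limit:10000Pkts/10Sec, Usage:0%
   Sent: Total 3
         2 Resolution Request  1 Resolution Reply  0 Registration Request
         0 Registration Reply  0 Purge Request  0 Purge Reply
         0 Error Indication  0 Traffic Indication  0 Redirect Suppress
   Rcvd: Total 3
         0 Resolution Request  3 Resolution Reply  0 Registration Request
         0 Registration Reply  0 Purge Request  0 Purge Reply
         0 Error Indication  0 Traffic Indication  0 Redirect Suppress
"""

IFACE_RE = re.compile(r"^(\S+): Max-send limit")
DIR_RE = re.compile(r"^\s+(Sent|Rcvd): Total (\d+)")
PAIR_RE = re.compile(r"(\d+) ([A-Z][a-z]+ [A-Z][a-z]+)")   # e.g. '16 Traffic Indication'

def parse_nhrp_traffic(text):
    """{interface: {"Sent": {counter: n, "Total": n}, "Rcvd": {...}}}"""
    stats, iface, direction = {}, None, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface, direction = m.group(1), None
            stats[iface] = {"Sent": {}, "Rcvd": {}}
            continue
        m = DIR_RE.match(line)
        if m and iface:
            direction = m.group(1)
            stats[iface][direction]["Total"] = int(m.group(2))
            continue
        if iface and direction:
            for n, name in PAIR_RE.findall(line):
                stats[iface][direction][name] = int(n)
    return stats

def totals_consistent(stats):
    """True if every Sent/Rcvd 'Total' equals the sum of its per-type counters."""
    return all(sum(v for k, v in c.items() if k != "Total") == c.get("Total", 0)
               for per_if in stats.values() for c in per_if.values())

def diagnose(stats):
    """Findings that matter for FlexVPN spoke-to-spoke; an empty list means healthy."""
    findings = []
    for iface, per_if in stats.items():
        for direction, c in per_if.items():
            # FlexVPN carries the tunnel IP in IKEv2 routing; NHRP registration should stay at 0.
            if c.get("Registration Request", 0) or c.get("Registration Reply", 0):
                findings.append(f"{iface} {direction}: NHRP registration seen, unexpected with IKEv2 routing")
    redirects = sum(p["Rcvd"].get("Traffic Indication", 0) for p in stats.values())
    replies = sum(p["Rcvd"].get("Resolution Reply", 0) for p in stats.values())
    # Redirects from the hub without any resolution reply: the shortcut never forms.
    if redirects and not replies:
        findings.append("redirects received but no resolution replies: spoke-to-spoke shortcut not forming")
    return findings

if __name__ == "__main__":
    s = parse_nhrp_traffic(NHRP_TRAFFIC)
    print(totals_consistent(s), diagnose(s))   # True []
```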

You can find more information at the following external links:

Cisco - Configuring FlexVPN Spoke to Spoke

Cisco - Configuration Examples and TechNotes

RFC 2332 - NBMA Next Hop Resolution Protocol (NHRP)

RFC 5996 - Internet Key Exchange Protocol Version 2 (IKEv2)
