
FlexVPN:

o FlexVPN is a framework for configuring IPsec VPNs on Cisco IOS devices only.
o FlexVPN was created to simplify the deployment of VPN solutions of all types,
o such as Remote Access, Site-to-Site and Dynamic Multipoint VPN topologies.
o FlexVPN uses a common configuration template for all types of VPN topologies.
o FlexVPN is based on Internet Key Exchange version 2 (IKEv2) and does not support IKEv1.
o FlexVPN is Cisco's way of configuring Internet Key Exchange Version 2 (IKEv2).
o Most of the configuration commands begin with "crypto ikev2".
o IKEv2 comes with "Smart Defaults" that represent Cisco's view of best-practice design.
o A single virtual-template interface on the Hub allows all types of incoming VPN connections.
o FlexVPN is unofficially called Dynamic Multipoint Virtual Private Network (DMVPN) Phase 4.
o Flexible VPN is the common umbrella term for all IKEv2 IPsec VPNs deployed on IOS routers.
o Flexible VPN (FlexVPN) is the latest way of configuring IP Security (IPsec) VPN with IKEv2.
o When IKEv2 is used to deploy a Site-to-Site VPN, it is called a Flex Site-to-Site VPN.
o When IKEv2 is used to deploy a Remote Access VPN, it is called a Flex Remote Access VPN.
o IKEv2 simplifies the message exchange and provides support for Voice over IP traffic.
o FlexVPN offers a unified and modular framework for all types of VPN implementation.
o FlexVPN Site-to-Site can be implemented using crypto maps, static VTI, DVTI and GRE over IPsec tunnels.
o FlexVPN is a new framework for configuring IPsec VPN with IKE version 2 on IOS platforms.

1 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , Mobile: 056 430 3717


VTI (Virtual Tunnel Interface):
o VTI stands for Virtual Tunnel Interface; VTIs are full-featured, routable interfaces.
o Many options that apply to physical interfaces can also be applied to a virtual tunnel interface.
o IPsec Virtual Tunnel Interfaces (VTIs) support multicast traffic such as voice and video.
o IPsec Virtual Tunnel Interfaces (VTIs) require fewer SAs to support all types of traffic.
o Like GRE, VTIs support all types of IP routing protocols and provide scalability and redundancy.
o Dynamic VTI tunnels should be used on the hub in large Hub-and-Spoke implementations.
o Static VTIs should be used on the spokes only in large Hub-and-Spoke implementations.
o SVTI configurations can be used for Site-to-Site connectivity where the tunnel provides always-on access.
o Dynamic routing protocols can be enabled on the tunnel interface without the extra 24 bytes of overhead that GRE adds.
o Static VTI configuration reduces the bandwidth needed for sending the encrypted data.
o DVTI technology replaces dynamic crypto maps and the dynamic Hub-and-Spoke method for establishing tunnels.
o DVTI requires a smaller header (4 bytes) compared to DMVPN, which adds an additional 28 bytes.
o Static Virtual Tunnel Interface (SVTI) configurations can be used for site-to-site connectivity.
o A Static Virtual Tunnel Interface (SVTI) provides always-on access between two sites.
o DVTIs can provide highly secure and scalable connectivity for remote-access VPNs.
o Dynamic VTIs (DVTIs) can be used for both the server and the remote configuration.
o The tunnels provide an on-demand, separate virtual access interface for each VPN session.
o The configuration of the virtual access interfaces is cloned from the virtual template configuration,
o which includes the IPsec configuration and any Cisco IOS software feature configured on the template.
o Dynamic VTIs function like any other real interface, so you can apply QoS, firewall etc.



Virtual Template and Virtual Access Interface:
o A virtual template is used to provide the configuration for dynamically created Virtual-Access interfaces.
o When a user/device requests to connect, a Virtual-Access interface is dynamically created.
o The Virtual-Access interface is created based on the configured virtual template.
o When the peer drops the connection, the Virtual-Access interface is automatically freed.
o The virtual template provides the configuration template; the configuration details can be customized
o based on the dial-in peer identity via different authorization, either configured as an authorization
o policy on the device holding the virtual template or defined on a AAA server, such as Cisco ISE.
o One virtual template supports different Virtual-Access interfaces with customized configuration.
o Use "show interfaces virtual-access x configuration" to display the Virtual-Access interface configuration.
o Configuring IPsec tunnels can be administratively terrible if you have a lot of remote peers.
o In hub and spoke topologies, use VTIs (Virtual Tunnel Interfaces) to simplify the configuration.
o With a Dynamic Virtual Tunnel Interface (DVTI), a single virtual template is used on the hub router.
o Whenever a new session is needed, the router automatically creates a virtual access interface.
o This Virtual-Access interface is cloned from the Virtual Template, as many times as needed.
o The Virtual Template makes it really easy to create lots of IPsec sessions with remote peers.
o Spoke routers only have an IPsec session with the hub, so they use static VTIs with a normal tunnel interface.

Smart Defaults:
o The FlexVPN configuration can be minimized using the IKEv2 Smart Defaults.
o These specify default values for all components except the IKEv2 Profile and Keyring.
o The Smart Defaults configuration can be modified as per your requirements.
o The Smart Defaults can be displayed with the command "show running-config all".
o A default configuration can be disabled by using "no" before the command.
o The default mode for the default transform set is "Transport" mode,
o whereas for all other transform sets the default mode is "Tunnel" mode.

Show Command                                          Description
R# show crypto ipsec transform-set default            Display the default Transform Set settings
R# show crypto ipsec profile default                  Display the default IPsec Profile settings
R# show crypto ikev2 proposal default                 Display the default IKEv2 Proposal
R# show crypto ikev2 policy default                   Display the default IKEv2 Policy
R# show crypto ikev2 authorization policy default     Display the default IKEv2 Authorization Policy

Modifying defaults:
R1(config)#crypto ikev2 proposal default
R1(config-ikev2-proposal)#encryption aes-cbc-128
R1(config-ikev2-proposal)#integrity md5
R1(config)#crypto ipsec transform-set default esp-aes 256 esp-sha-hmac
Restoring defaults:
R1(config)#default crypto ikev2 proposal
R1(config)#default crypto ipsec transform-set
Disabling defaults:
R1(config)#no crypto ikev2 proposal default
R1(config)#no crypto ipsec transform-set default



Configuration Components:
The following IKEv2/IPsec configuration components are required for FlexVPN.

Component: IKEv2 Proposal (Mandatory)
  Defines the encryption algorithm, integrity algorithm and DH group used for protection.
  Multiple entries can be specified for each option.
  The authentication method and SA lifetime are NOT contained in the proposal.
Component: IKEv2 Policy (Mandatory)
  Matches peers and associates the IKEv2 Proposal: it binds an already created
  IKEv2 Proposal so that it is selected for negotiation with the defined peer.
Component: IKEv2 Keyring (Mandatory only if using PSK authentication)
  Used to define the pre-shared keys. Unlike IKEv1, these can be asymmetric:
  one key for the local router and another for the remote router.
Component: IKEv2 Profile (Mandatory)
  Defines the local/remote IKEv2 identities (address/identity).
  Defines the local/remote authentication type.
  Defines the IKEv2 keyring if using PSK authentication.
Component: IPsec Transform Set
  Specifies the acceptable security protocols and algorithms for the IPsec SA.
Component: IPsec Profile
  References the IPsec Transform Set if NOT default.
  References the IKEv2 Profile if NOT default.
  The IPsec Profile is attached to the Tunnel interface.
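The table above is really a chain of references: the policy points at a proposal, the profile at a keyring and (for DVTI) at a virtual template, the IPsec profile at a transform set and an IKEv2 profile, and the tunnel interface at the IPsec profile. A practitioner reviewing a router usually wants two things checked at once: that every link in that chain resolves, and that the proposal and transform set do not still carry legacy algorithms. The Python script below is an added example, not code from this page's author or from Cisco; it parses a running-config text into those components and runs both checks. The function names, the legacy-algorithm list and the sample configuration (constructed from the hub-side DVTI configuration used later on this page, in the form "show running-config" prints it) are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the hub-side DVTI FlexVPN configuration used later on this
# page, written the way 'show running-config' prints it (keyring abbreviated).
SAMPLE_CONFIG = """\
crypto ikev2 proposal prop1
 encryption 3des
 integrity md5
 group 2
crypto ikev2 policy pol1
 proposal prop1
crypto ikev2 keyring key1
 peer R2
  address 192.168.23.2
  pre-shared-key cisco
crypto ikev2 profile prof1
 match identity remote address 192.168.23.2 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local key1
 virtual-template 1
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
crypto ipsec profile IPPRO
 set transform-set TSET
 set ikev2-profile prof1
interface Virtual-Template1 type tunnel
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPPRO
"""

# Global-mode lines that open a FlexVPN component; the transform set is a
# one-liner, so its algorithms end up in the 'rest' group.
HEADER = re.compile(r"^(?P<kind>crypto ikev2 (?:proposal|policy|keyring|profile)|"
                    r"crypto ipsec (?:transform-set|profile)|interface) (?P<name>\S+)(?P<rest>.*)$")

# Algorithms this audit treats as legacy: an assumption of this example.
WEAK_IKEV2 = {"encryption": {"des", "3des"}, "integrity": {"md5", "sha1"}, "group": {"1", "2", "5"}}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}


def parse_config(text):
    """Group a running-config into {kind: {name: [submode lines]}}."""
    blocks, current = defaultdict(dict), None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):              # indented line belongs to the open block
            if current is not None:
                current.append(raw.strip())
            continue
        m = HEADER.match(raw)
        current = None                       # any other global command closes the block
        if m:
            current = [m["rest"].strip()] if m["rest"].strip() else []
            blocks[m["kind"]][m["name"]] = current
    return blocks


def check_references(blocks):
    """Follow every reference in the component chain; return what dangles."""
    problems = []
    def need(kind, name, where):
        if name not in blocks.get(kind, {}):
            problems.append(f"{where} references undefined {kind} {name}")
    for name, lines in blocks.get("crypto ikev2 policy", {}).items():
        for l in lines:
            if l.startswith("proposal "):
                need("crypto ikev2 proposal", l.split()[1], f"ikev2 policy {name}")
    for name, lines in blocks.get("crypto ikev2 profile", {}).items():
        where = f"ikev2 profile {name}"
        if not any(l.startswith("match identity remote") for l in lines):
            problems.append(f"{where} has no 'match identity remote' statement")
        keyrings = [l.split()[2] for l in lines if l.startswith("keyring local ")]
        if any(l.endswith(" pre-share") for l in lines) and not keyrings:
            problems.append(f"{where} uses pre-share but binds no keyring")
        for kr in keyrings:
            need("crypto ikev2 keyring", kr, where)
        for l in lines:                      # IOS names the interface Virtual-TemplateN
            if l.startswith("virtual-template "):
                need("interface", "Virtual-Template" + l.split()[1], where)
    for name, lines in blocks.get("crypto ipsec profile", {}).items():
        for l in lines:
            if l.startswith("set transform-set "):
                need("crypto ipsec transform-set", l.split()[2], f"ipsec profile {name}")
            elif l.startswith("set ikev2-profile "):
                need("crypto ikev2 profile", l.split()[2], f"ipsec profile {name}")
    for name, lines in blocks.get("interface", {}).items():
        for l in lines:
            if l.startswith("tunnel protection ipsec profile "):
                need("crypto ipsec profile", l.split()[4], f"interface {name}")
    return problems


def find_weak_algorithms(blocks):
    """Flag legacy algorithms in IKEv2 proposals and IPsec transform sets."""
    findings = []
    for name, lines in blocks.get("crypto ikev2 proposal", {}).items():
        for line in lines:
            kind, *algs = line.split()
            findings += [f"ikev2 proposal {name}: {kind} {a}" for a in algs
                         if a in WEAK_IKEV2.get(kind, set())]
    for name, lines in blocks.get("crypto ipsec transform-set", {}).items():
        findings += [f"ipsec transform-set {name}: {a}" for a in lines[0].split()
                     if a in WEAK_ESP]
    return findings


def audit(text):
    """Run both checks over one running-config and return the findings."""
    blocks = parse_config(text)
    return {"problems": check_references(blocks), "weak": find_weak_algorithms(blocks)}
```

Run against the sample, the reference chain is complete (no problems), while the weak-algorithm list reports 3DES, MD5 and DH group 2 in the proposal and esp-3des/esp-md5-hmac in the transform set, which is exactly what the lab configurations on this page use. Deleting the transform-set line or the "keyring local" line from the sample produces a dangling-reference finding, the kind of mistake that otherwise only shows up as a tunnel that never comes up.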



Site-to-Site FlexVPN Configuration (S-VTI):

R1 Router Basic Configuration


R1(config)#interface f0/0
R1(config-if)#description Public IP to Internet
R1(config-if)#ip add 192.168.12.1 255.255.255.0
R1(config-if)#no shutdown
R1(config)#interface loopback1
R1(config-if)#description LAN IP
R1(config-if)#ip add 1.1.1.1 255.255.255.255
R1(config-if)#no shutdown
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.12.254
R2 Router Basic Configuration
R2(config)#interface f0/0
R2(config-if)#description Public IP to Internet
R2(config-if)#ip add 192.168.23.2 255.255.255.0
R2(config-if)#no shutdown
R2(config)#interface loopback1
R2(config-if)#description LAN IP
R2(config-if)#ip add 2.2.2.2 255.255.255.255
R2(config-if)#no shutdown
R2(config)#ip route 0.0.0.0 0.0.0.0 192.168.23.254
Internet Router Basic Configuration
ISP(config)#interface f0/0
ISP(config-if)#description Public IP to R1
ISP(config-if)#ip add 192.168.12.254 255.255.255.0
ISP(config-if)#no shutdown
ISP(config)#interface f1/0
ISP(config-if)#description Public IP to R2
ISP(config-if)#ip add 192.168.23.254 255.255.255.0
ISP(config-if)#no shutdown



Router R1 FlexVPN Configuration
R1(config)#ip domain-name test.com
R1(config)#crypto ikev2 keyring KR
R1(config-ikev2-keyring)#peer R2
R1(config-ikev2-keyring-peer)#address 192.168.23.2
R1(config-ikev2-keyring-peer)#pre-shared-key local cisco
R1(config-ikev2-keyring-peer)#pre-shared-key remote cisco
R1(config)#crypto ikev2 profile PRO1
R1(config-ikev2-profile)#match identity remote fqdn R2.test.com
R1(config-ikev2-profile)#identity local fqdn R1.test.com
R1(config-ikev2-profile)#authentication local pre-share
R1(config-ikev2-profile)#authentication remote pre-share
R1(config-ikev2-profile)#keyring local KR
R1(config)#crypto ipsec profile default
R1(ipsec-profile)#set ikev2-profile PRO1
R1(config)#interface tunnel0
R1(config-if)#ip address 10.1.1.1 255.255.255.0
R1(config-if)#tunnel source fastEthernet 0/0
R1(config-if)#tunnel destination 192.168.23.2
R1(config-if)#tunnel protection ipsec profile default

Router R2 FlexVPN Configuration


R2(config)#ip domain-name test.com
R2(config)#crypto ikev2 keyring KR
R2(config-ikev2-keyring)#peer R1
R2(config-ikev2-keyring-peer)#address 192.168.12.1
R2(config-ikev2-keyring-peer)#pre-shared-key local cisco
R2(config-ikev2-keyring-peer)#pre-shared-key remote cisco
R2(config)#crypto ikev2 profile PRO1
R2(config-ikev2-profile)#match identity remote fqdn R1.test.com
R2(config-ikev2-profile)#identity local fqdn R2.test.com
R2(config-ikev2-profile)#authentication local pre-share
R2(config-ikev2-profile)#authentication remote pre-share
R2(config-ikev2-profile)#keyring local KR
R2(config)#crypto ipsec profile default
R2(ipsec-profile)#set ikev2-profile PRO1
R2(config)#interface tunnel0
R2(config-if)#ip address 10.1.1.2 255.255.255.0
R2(config-if)#tunnel source fastEthernet 0/0
R2(config-if)#tunnel destination 192.168.12.1
R2(config-if)#tunnel protection ipsec profile default



Routing on Site-To-Site FlexVPN:

Static Routing
R1(config)#ip route 2.2.2.2 255.255.255.255 tunnel0
R2(config)#ip route 1.1.1.1 255.255.255.255 tunnel0

R1 Dynamic Routing Protocol


R1(config)#router eigrp 1
R1(config-router)#network 1.1.1.1 0.0.0.0
R1(config-router)#network 10.1.1.0 0.0.0.255
R1(config-router)#no auto-summary
R2 Dynamic Routing Protocol
R2(config)#router eigrp 1
R2(config-router)#network 2.2.2.2 0.0.0.0
R2(config-router)#network 10.1.1.0 0.0.0.255
R2(config-router)#no auto-summary



Site-to-Site FlexVPN Configuration (D-VTI):

R1 Router Basic Configuration


R1(config)#interface f0/0
R1(config-if)#description Public IP to Internet
R1(config-if)#ip add 192.168.12.1 255.255.255.0
R1(config-if)#no shutdown
R1(config)#interface loopback1
R1(config-if)#description LAN IP
R1(config-if)#ip add 1.1.1.1 255.255.255.255
R1(config)#interface loopback10
R1(config-if)#description For Virtual-Template tunnel
R1(config-if)#ip add 10.1.1.1 255.255.255.0
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.12.254
R2 Router Basic Configuration
R2(config)#interface f0/0
R2(config-if)#description Public IP to Internet
R2(config-if)#ip add 192.168.23.2 255.255.255.0
R2(config-if)#no shutdown
R2(config)#interface loopback1
R2(config-if)#description LAN IP
R2(config-if)#ip add 2.2.2.2 255.255.255.255
R2(config-if)#no shutdown
R2(config)#ip route 0.0.0.0 0.0.0.0 192.168.23.254
Internet Router Basic Configuration
ISP(config)#interface f0/0
ISP(config-if)#description Public IP to R1
ISP(config-if)#ip add 192.168.12.254 255.255.255.0
ISP(config-if)#no shutdown
ISP(config)#interface f1/0
ISP(config-if)#description Public IP to R2
ISP(config-if)#ip add 192.168.23.254 255.255.255.0
ISP(config-if)#no shutdown



Router R1 FlexVPN (DVTI) Configuration
DVTI Interface
R1(config)#interface virtual-template 1 type tunnel
R1(config-if)#ip unnumbered loopback10
R1(config-if)#tunnel source f0/0
R1(config-if)#tunnel mode ipsec ipv4
IKEv2 Proposal
R1(config)#crypto ikev2 proposal prop1
R1(config-ikev2-proposal)#integrity md5
R1(config-ikev2-proposal)#group 2
R1(config-ikev2-proposal)#encryption 3des
IKEv2 Policy
R1(config)#crypto ikev2 policy pol1
R1(config-ikev2-policy)#proposal prop1
IKEv2 Keyring
R1(config)#crypto ikev2 keyring key1
R1(config-ikev2-keyring)#peer R2
R1(config-ikev2-keyring-peer)#address 192.168.23.2
R1(config-ikev2-keyring-peer)#pre-shared-key local cisco
R1(config-ikev2-keyring-peer)#pre-shared-key remote cisco
IKEv2 Profile
R1(config)#crypto ikev2 profile prof1
R1(config-ikev2-profile)#match identity remote address 192.168.23.2 255.255.255.255
R1(config-ikev2-profile)#identity local address 192.168.12.1
R1(config-ikev2-profile)#authentication local pre-share
R1(config-ikev2-profile)#authentication remote pre-share
R1(config-ikev2-profile)#keyring local key1
R1(config-ikev2-profile)#virtual-template 1
IPSec Transform Set
R1(config)#crypto ipsec transform-set TSET esp-3des esp-md5-hmac
IPSec Profile
R1(config)#crypto ipsec profile IPPRO
R1(ipsec-profile)#set transform-set TSET
R1(ipsec-profile)#set ikev2-profile prof1
R1(config)#interface virtual-template 1 type tunnel
R1(config-if)#tunnel protection ipsec profile IPPRO
Routing Protocol
R1(config)#router eigrp 1
R1(config-router)#no auto-summary
R1(config-router)#network 10.1.1.0 0.0.0.255
R1(config-router)#network 1.1.1.0 0.0.0.255



Router R2 FlexVPN (SVTI) Configuration
IKEv2 Proposal
R2(config)#crypto ikev2 proposal prop1
R2(config-ikev2-proposal)#integrity md5
R2(config-ikev2-proposal)#group 2
R2(config-ikev2-proposal)#encryption 3des
IKEv2 Policy
R2(config)#crypto ikev2 policy pol1
R2(config-ikev2-policy)#proposal prop1
IKEv2 Keyring
R2(config)#crypto ikev2 keyring key1
R2(config-ikev2-keyring)#peer HUB
R2(config-ikev2-keyring-peer)#address 192.168.12.1
R2(config-ikev2-keyring-peer)#pre-shared-key local cisco
R2(config-ikev2-keyring-peer)#pre-shared-key remote cisco
IKEv2 Profile
R2(config)#crypto ikev2 profile prof1
R2(config-ikev2-profile)#match identity remote address 192.168.12.1
R2(config-ikev2-profile)#authentication local pre-share
R2(config-ikev2-profile)#authentication remote pre-share
R2(config-ikev2-profile)#keyring local key1
IPSec Transform Set
R2(config)#crypto ipsec transform-set TSET esp-3des esp-md5-hmac
IPSec Profile
R2(config)#crypto ipsec profile IPPRO
R2(ipsec-profile)#set transform-set TSET
R2(ipsec-profile)#set ikev2-profile prof1
SVTI Interface
R2(config)#interface tunnel 0
R2(config-if)#ip address 10.1.1.2 255.255.255.0
R2(config-if)#tunnel source fastEthernet 0/0
R2(config-if)#tunnel destination 192.168.12.1
R2(config-if)#tunnel mode ipsec ipv4
R2(config-if)#tunnel protection ipsec profile IPPRO
Routing Protocol
R2(config)#router eigrp 1
R2(config-router)#no auto-summary
R2(config-router)#network 10.1.1.0 0.0.0.255
R2(config-router)#network 2.2.2.0 0.0.0.255
Verification
R1# show ip int brief
R1# show crypto ikev2 sa
R1# show crypto ipsec sa



Hub and Spoke FlexVPN Configuration:
o In the FlexVPN Hub & Spoke design, spoke routers are configured with a normal Static VTI.
o In FlexVPN, spoke routers are configured with the tunnel destination set to the Hub's IP address.
o In the FlexVPN Hub & Spoke design, the Hub however is configured with a Dynamic VTI.
o The DVTI on the Hub router is not configured with a static mapping to the peer's IP address.
o The VTI on the Hub is created dynamically from a preconfigured tunnel template (Virtual-Template).
o In the FlexVPN Hub & Spoke design, when a tunnel is initiated by the spoke router/peer,
o the dynamic tunnel spawns a separate "Virtual-Access" interface for each spoke tunnel,
o which inherits its configuration from the template (Virtual-Template) it is cloned from.

R1 Router Basic Configuration


R1(config)#interface f0/0
R1(config-if)#ip add 1.1.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config)#interface f1/0
R1(config-if)#ip add 11.11.11.1 255.255.255.0
R1(config-if)#no shutdown
R1(config)#interface loopback1
R1(config-if)#ip add 10.10.1.1 255.255.255.0
R1(config)#interface loopback4
R1(config-if)#ip add 192.168.1.1 255.255.255.0
R1(config)#ip route 0.0.0.0 0.0.0.0 1.1.1.254



R2 Router Basic Configuration
R2(config)#interface f0/0
R2(config-if)#ip add 2.2.2.2 255.255.255.0
R2(config-if)#no shutdown
R2(config)#interface loopback1
R2(config-if)#ip add 10.10.2.1 255.255.255.0
R2(config-if)#no shutdown
R2(config)#ip route 0.0.0.0 0.0.0.0 2.2.2.254

R3 Router Basic Configuration


R3(config)#interface f0/0
R3(config-if)#ip add 3.3.3.3 255.255.255.0
R3(config-if)#no shutdown
R3(config)#interface loopback1
R3(config-if)#ip add 10.10.3.1 255.255.255.0
R3(config-if)#no shutdown
R3(config)#ip route 0.0.0.0 0.0.0.0 3.3.3.254

R4 Router Basic Configuration


R4(config)#interface FastEthernet0/0
R4(config-if)#ip address 11.11.11.4 255.255.255.0
R4(config-if)#no shutdown
R4(config)#interface Loopback1
R4(config-if)#ip address 172.16.1.1 255.255.255.0
R4(config)#interface Loopback4
R4(config-if)#ip address 10.10.4.1 255.255.255.0

ISP Router Basic Configuration


ISP(config)#interface f0/0
ISP(config-if)#ip add 1.1.1.254 255.255.255.0
ISP(config-if)#no shutdown
ISP(config)#interface f1/0
ISP(config-if)#ip add 2.2.2.254 255.255.255.0
ISP(config-if)#no shutdown
ISP(config)#interface f1/1
ISP(config-if)#ip add 3.3.3.254 255.255.255.0
ISP(config-if)#no shutdown



SVTI (Static Virtual Tunnel Interface) Configuration:

R1 to R4 SVTI Configuration
R1(config)#crypto ikev2 proposal pro1
R1(config-ikev2-proposal)#encryption 3des
R1(config-ikev2-proposal)#integrity md5
R1(config-ikev2-proposal)#group 2
R1(config)#crypto ikev2 policy pol1
R1(config-ikev2-policy)#proposal pro1
R1(config)#crypto ikev2 keyring key1
R1(config-ikev2-keyring)#peer R4
R1(config-ikev2-keyring-peer)#address 11.11.11.4
R1(config-ikev2-keyring-peer)#pre-shared-key local cisco
R1(config-ikev2-keyring-peer)#pre-shared-key remote cisco
R1(config)#crypto ikev2 profile prof1
R1(config-ikev2-profile)#match identity remote address 11.11.11.4 255.255.255.255
R1(config-ikev2-profile)#identity local address 11.11.11.1
R1(config-ikev2-profile)#authentication local pre-share
R1(config-ikev2-profile)#authentication remote pre-share
R1(config-ikev2-profile)#keyring local key1
R1(config)#crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
R1(config)#crypto ipsec profile ipprof1
R1(ipsec-profile)#set transform-set TSET
R1(ipsec-profile)#set ikev2-profile prof1
R1(config)#interface tunnel 1
R1(config-if)#ip unnumbered loopback 4
R1(config-if)#tunnel source f1/0
R1(config-if)#tunnel mode ipsec ipv4
R1(config-if)#tunnel destination 11.11.11.4
R1(config-if)#tunnel protection ipsec profile ipprof1
R1(config)#router eigrp 1
R1(config-router)#network 192.168.1.0
R1(config-router)#network 10.10.1.0 0.0.0.255



R4 to R1 SVTI Configuration
R4(config)#crypto ikev2 proposal pro1
R4(config-ikev2-proposal)#encryption 3des
R4(config-ikev2-proposal)#integrity md5
R4(config-ikev2-proposal)#group 2
R4(config)#crypto ikev2 policy pol1
R4(config-ikev2-policy)#proposal pro1
R4(config)#crypto ikev2 keyring key1
R4(config-ikev2-keyring)#peer HUB
R4(config-ikev2-keyring-peer)#address 11.11.11.1
R4(config-ikev2-keyring-peer)#pre-shared-key local cisco
R4(config-ikev2-keyring-peer)#pre-shared-key remote cisco
R4(config)#crypto ikev2 profile prof1
R4(config-ikev2-profile)#match identity remote address 11.11.11.1
R4(config-ikev2-profile)#identity local address 11.11.11.4
R4(config-ikev2-profile)#authentication local pre-share
R4(config-ikev2-profile)#authentication remote pre-share
R4(config-ikev2-profile)#keyring local key1
R4(config)#crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
R4(config)#crypto ipsec profile ipprof1
R4(ipsec-profile)#set transform-set TSET
R4(ipsec-profile)#set ikev2-profile prof1
R4(config)#interface tunnel 1
R4(config-if)#ip unnumbered loopback 1
R4(config-if)#tunnel source f0/0
R4(config-if)#tunnel mode ipsec ipv4
R4(config-if)#tunnel destination 11.11.11.1
R4(config-if)#tunnel protection ipsec profile ipprof1
R4(config)#router eigrp 1
R4(config-router)#network 172.16.1.0 0.0.0.255
R4(config-router)#network 10.10.4.0 0.0.0.255



Dynamic Virtual Tunnel Interface (DVTI):

R1 (Hub) to R2 & R3 (Spokes) DVTI Configuration


R1(config)#int loopback 10
R1(config-if)#ip add 10.1.1.1 255.255.255.0
R1(config)#int virtual-template 10 type tunnel
R1(config-if)#ip unnumbered loopback 10
R1(config-if)#tunnel source f0/0
R1(config)#crypto ikev2 proposal pro2
R1(config-ikev2-proposal)#encryption 3des
R1(config-ikev2-proposal)#integrity md5
R1(config-ikev2-proposal)#group 2
R1(config)#crypto ikev2 policy pol2
R1(config-ikev2-policy)#proposal pro2
R1(config)#crypto ikev2 keyring key2
R1(config-ikev2-keyring)#peer R2
R1(config-ikev2-keyring-peer)#address 2.2.2.2
R1(config-ikev2-keyring-peer)#pre-shared-key local cisco
R1(config-ikev2-keyring-peer)#pre-shared-key remote cisco
R1(config-ikev2-keyring-peer)#peer R3
R1(config-ikev2-keyring-peer)#address 3.3.3.3
R1(config-ikev2-keyring-peer)#pre-shared-key local cisco
R1(config-ikev2-keyring-peer)#pre-shared-key remote cisco
R1(config)#crypto ikev2 profile prof2
R1(config-ikev2-profile)#match identity remote address 2.2.2.2
R1(config-ikev2-profile)#match identity remote address 3.3.3.3
R1(config-ikev2-profile)#identity local address 1.1.1.1
R1(config-ikev2-profile)#authentication local pre-share
R1(config-ikev2-profile)#authentication remote pre-share
R1(config-ikev2-profile)#keyring local key2
R1(config-ikev2-profile)#virtual-template 10
R1(config)#crypto ipsec transform-set TSET2 esp-aes 256 esp-sha-hmac
R1(config)#crypto ipsec profile ipprof2
R1(ipsec-profile)#set transform-set TSET2
R1(ipsec-profile)#set ikev2-profile prof2
R1(config)#int virtual-template 10 type tunnel
R1(config-if)#tunnel mode ipsec ipv4
R1(config-if)#tunnel protection ipsec profile ipprof2
R1(config-if)#no ip split-horizon eigrp 100
R1(config)#router eigrp 100
R1(config-router)#network 10.1.1.0 0.0.0.255
R1(config-router)#network 10.10.1.0 0.0.0.255



R2 (Spoke) to R1 (Hub) SVTI Configuration
R2(config)#crypto ikev2 proposal pro2
R2(config-ikev2-proposal)#encryption 3des
R2(config-ikev2-proposal)#integrity md5
R2(config-ikev2-proposal)#group 2
R2(config)#crypto ikev2 policy pol2
R2(config-ikev2-policy)#proposal pro2
R2(config)#crypto ikev2 keyring key2
R2(config-ikev2-keyring)#peer HUB
R2(config-ikev2-keyring-peer)#address 1.1.1.1
R2(config-ikev2-keyring-peer)#pre-shared-key local cisco
R2(config-ikev2-keyring-peer)#pre-shared-key remote cisco
R2(config)#crypto ikev2 profile prof2
R2(config-ikev2-profile)#match identity remote address 1.1.1.1
R2(config-ikev2-profile)#identity local address 2.2.2.2
R2(config-ikev2-profile)#authentication local pre-share
R2(config-ikev2-profile)#authentication remote pre-share
R2(config-ikev2-profile)#keyring local key2
R2(config)#crypto ipsec transform-set TSET2 esp-aes 256 esp-sha-hmac
R2(config)#crypto ipsec profile ipprof2
R2(ipsec-profile)#set transform-set TSET2
R2(ipsec-profile)#set ikev2-profile prof2
R2(config)#int tunnel 1
R2(config-if)#ip unnumbered loopback 1
R2(config-if)#tunnel source f0/0
R2(config-if)#tunnel mode ipsec ipv4
R2(config-if)#tunnel destination 1.1.1.1
R2(config-if)#tunnel protection ipsec profile ipprof2
R2(config)#router eigrp 100
R2(config-router)#network 10.10.2.0 0.0.0.255



R3 (Spoke) to R1 (Hub) SVTI Configuration
R3(config)#crypto ikev2 proposal pro2
R3(config-ikev2-proposal)#encryption 3des
R3(config-ikev2-proposal)#integrity md5
R3(config-ikev2-proposal)#group 2
R3(config)#crypto ikev2 policy pol2
R3(config-ikev2-policy)#proposal pro2
R3(config)#crypto ikev2 keyring key2
R3(config-ikev2-keyring)#peer HUB
R3(config-ikev2-keyring-peer)#address 1.1.1.1
R3(config-ikev2-keyring-peer)#pre-shared-key local cisco
R3(config-ikev2-keyring-peer)#pre-shared-key remote cisco
R3(config)#crypto ikev2 profile prof2
R3(config-ikev2-profile)#match identity remote address 1.1.1.1
R3(config-ikev2-profile)#identity local address 3.3.3.3
R3(config-ikev2-profile)#authentication local pre-share
R3(config-ikev2-profile)#authentication remote pre-share
R3(config-ikev2-profile)#keyring local key2
R3(config)#crypto ipsec transform-set TSET2 esp-aes 256 esp-sha-hmac
R3(config)#crypto ipsec profile ipprof2
R3(ipsec-profile)#set transform-set TSET2
R3(ipsec-profile)#set ikev2-profile prof2
R3(config)#int tunnel 1
R3(config-if)#ip unnumbered loopback 1
R3(config-if)#tunnel source f0/0
R3(config-if)#tunnel mode ipsec ipv4
R3(config-if)#tunnel destination 1.1.1.1
R3(config-if)#tunnel protection ipsec profile ipprof2
R3(config)#router eigrp 100
R3(config-router)#network 10.10.3.0 0.0.0.255

