Cisco FLEX VPN with IKEv2
Large customers deploying IPSec VPN over IP networks are faced with high complexity and high cost of deploying multiple types of VPN to meet different types of connectivity requirements. Customers often have to learn different types of VPNs to manage and operate different types of network. And once a technology is selected for a deployment, migrating or adding functionality to enhance the VPN is often avoided. FlexVPN was created to simplify the deployment of VPNs, to address the complexity of multiple solutions, and as a unified ecosystem to cover all types of VPN: remote access, teleworker, site to site, mobility, managed security services, and others.
Cisco IOS FlexVPN Features and Benefits:
Cisco IOS FlexVPN is a unified VPN solution and provides the following benefits:
● Scalability: an IKEv2 proposal can list several encryption, integrity and DH group transforms at once, and every combination of them is an acceptable Phase I policy, so a single proposal covers what would otherwise need many separate policies.
● More secure authentication: the IKEv2 keyring supports directional pre-shared keys, so a different PSK can be used for each direction of the exchange, and the two ends of a tunnel can use different authentication methods, for example PSK on one side and RSA signatures on the other.
● Transport network: FlexVPN can be deployed either over a public internet or a private Multiprotocol Label Switching (MPLS) VPN network.
● Deployment style: Designed for the concentration of both site-to-site and remote access VPNs, one single FlexVPN deployment can accept both types of connection requests at the same time.
● Failover redundancy: Three different kinds of redundancy model can be implemented with FlexVPN:
◦ Dynamic routing protocols (such as Open Shortest Path First [OSPF], Enhanced Interior Gateway Routing Protocol [EIGRP], Border Gateway Protocol [BGP]) over FlexVPN tunnels. Path/head-end selection is based on dynamic routing metrics.
◦ IKEv2-based dynamic route distribution and server clustering.
◦ IPsec/IKEv2 active/standby stateful failover between two chassis (available in the future).
● Third-party compatibility: As the IT world transitions to cloud- and mobile-based computing, more and more VPN routers and VPN endpoints from different vendors are required. The Cisco IOS FlexVPN solution provides compatibility with any IKEv2-based third-party VPN vendors, including native VPN clients from Apple iOS and Android devices.
● IP Multicast support: FlexVPN natively supports IP Multicast in two ways:
◦ FlexVPN hub router replicates IP Multicast packets for each spoke.
◦ If the transport network supports native IP Multicast, the FlexVPN hub router can choose to have the transport network do multicast packet replication after IPsec encryption (available in the future).
● Superior quality of service (QoS): The architecture of Cisco IOS FlexVPN easily allows hierarchical QoS to be integrated at the per tunnel or per SA basis:
◦ Per tunnel QoS for each spoke at the FlexVPN hub router.
◦ Per tunnel QoS dynamically applied to direct traffic between spokes (available in the future).
● Centralized policy control: VPN dynamic policies such as split-tunnel policy, encryption network policy, Virtual Routing and Forwarding (VRF) selection, Domain Name System (DNS) server (for remote access), and so on can be fully integrated with the authentication, authorization, and accounting (AAA)/RADIUS server and applied on a per-peer basis.
● VRF awareness: The Cisco IOS FlexVPN solution can be fully integrated with MPLS VPN networks for service provider type of deployment. Both Inside VRF and front-door VRF are supported. Inside VRF assignment policy can be managed by the centralized AAA server.
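Added example, not code from the original post: a short Python script that parses the lab's PROP-12 proposal (the same block used in the configurations below), enumerates every Phase I combination the proposal offers, and flags the combinations built from legacy transforms. The PROP-NGE proposal and the LEGACY table are assumptions used for comparison, not values taken from the page.

```python
import itertools
import re

# Constructed sample: the proposal used for the hub/spoke tunnels in this lab.
LAB_PROPOSAL = """\
crypto ikev2 proposal PROP-12
 encryption 3des aes-cbc-128
 integrity md5 sha1
 group 2 5
"""

# Assumed alternative proposal for comparison (not from the page).
HARDENED_PROPOSAL = """\
crypto ikev2 proposal PROP-NGE
 encryption aes-cbc-256
 integrity sha256
 group 19 14
"""

# Transforms a practitioner would keep out of a new deployment.
# Assumption: a conservative baseline, not a list taken from the page.
LEGACY = {
    "encryption": {"des", "3des"},
    "integrity": {"md5", "sha1"},
    "group": {"1", "2", "5"},
}

KEYS = ("encryption", "integrity", "group")


def parse_proposal(text):
    """Parse a 'crypto ikev2 proposal' block into its transform lists."""
    m = re.search(r"^crypto ikev2 proposal (\S+)\s*$", text, re.M)
    if not m:
        raise ValueError("no 'crypto ikev2 proposal' line found")
    prop = {"name": m.group(1), "encryption": [], "integrity": [], "group": []}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in KEYS:
            prop[parts[0]] = parts[1:]
    return prop


def combinations(prop):
    """All (encryption, integrity, group) triples the proposal offers, in listed order."""
    return list(itertools.product(prop["encryption"], prop["integrity"], prop["group"]))


def audit(prop):
    """Classify each offered triple; returns (acceptable, flagged), flagged entries carry reasons."""
    acceptable, flagged = [], []
    for combo in combinations(prop):
        reasons = [f"{k} {v}" for k, v in zip(KEYS, combo) if v in LEGACY[k]]
        (flagged if reasons else acceptable).append((combo, reasons))
    return acceptable, flagged


if __name__ == "__main__":
    for text in (LAB_PROPOSAL, HARDENED_PROPOSAL):
        prop = parse_proposal(text)
        ok, bad = audit(prop)
        print(f"{prop['name']}: {len(ok) + len(bad)} combinations, {len(bad)} use legacy transforms")
        for combo, reasons in bad:
            print("  ", "/".join(combo), "->", ", ".join(reasons))
```

For PROP-12 the script reports 8 combinations and flags all 8, because both integrity options and both DH groups are on the legacy list; the first listed combination (3des/md5/2) is also the one that appears as Encr: 3DES, PRF: MD5, DH Grp:2 in the verification output later on this page.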
Configuration Example:
Task-1: Configure FlexVPN between Hub and Spoke-1 using an IKEv2 S-VTI/D-VTI setup. Spoke-1 receives a dynamic WAN IP from its service provider, so Spoke-1 uses a static VTI (S-VTI) tunnel towards the Hub and the Hub uses a dynamic VTI (D-VTI, virtual-template) towards Spoke-1.
Task-2: Configure FlexVPN using an S-VTI IKEv2 tunnel between Hub and Spoke-2.
Task-3: Configure NHRP between the Hub and Spoke-3/Spoke-4 using IKEv2 S-VTI and D-VTI tunnels. The Hub assigns an IP address to each spoke's tunnel interface dynamically from a local pool, and the spokes build direct dynamic spoke-to-spoke tunnels.
Initial Configuration:
R1:
interface GigabitEthernet0/0
ip address 192.1.10.1 255.255.255.0
duplex auto
speed auto
media-type rj45
end
interface Loopback0
ip address 10.1.1.1 255.255.255.0
end
ip route 0.0.0.0 0.0.0.0 192.1.10.6
R2:
interface GigabitEthernet0/0
ip address 192.1.20.2 255.255.255.0
duplex auto
speed auto
media-type rj45
end
!
interface Loopback0
ip address 10.2.2.2 255.255.255.0
end
ip route 0.0.0.0 0.0.0.0 192.1.20.6
R3:
interface GigabitEthernet0/0
ip address 192.1.30.3 255.255.255.0
duplex auto
speed auto
media-type rj45
end
!
interface Loopback0
ip address 10.3.3.3 255.255.255.0
end
ip route 0.0.0.0 0.0.0.0 192.1.30.6
R4:
interface GigabitEthernet0/0
ip address 192.1.40.4 255.255.255.0
duplex auto
speed auto
media-type rj45
end
!
interface Loopback0
ip address 10.4.4.4 255.255.255.0
end
ip route 0.0.0.0 0.0.0.0 192.1.40.6
R5:
interface GigabitEthernet0/0
ip address 192.1.50.5 255.255.255.0
duplex auto
speed auto
media-type rj45
end
!
interface Loopback0
ip address 10.5.5.5 255.255.255.0
end
ip route 0.0.0.0 0.0.0.0 192.1.50.6
R6:
interface GigabitEthernet0/0
ip address 192.1.10.6 255.255.255.0
duplex auto
speed auto
media-type rj45
end
interface GigabitEthernet0/1
ip address 192.1.20.6 255.255.255.0
duplex auto
speed auto
media-type rj45
end
interface GigabitEthernet0/2
ip address 192.1.30.6 255.255.255.0
duplex auto
speed auto
media-type rj45
end
interface GigabitEthernet0/3
ip address 192.1.40.6 255.255.255.0
duplex auto
speed auto
media-type rj45
end
interface GigabitEthernet0/4
ip address 192.1.50.6 255.255.255.0
duplex auto
speed auto
media-type rj45
end
Solution:
R2 [Spoke-1]:
Step-1: Configure Phase I
Step-1 [A]: Configure IKEv2 Proposal
crypto ikev2 proposal PROP-12
encryption 3des aes-cbc-128
integrity md5 sha1
group 2 5
Step-1 [B]: Configure IKEv2 Policy
crypto ikev2 policy POL-12
proposal PROP-12
Step-1 [C]: Configure IKEv2 Keyring:
crypto ikev2 keyring KR-12
peer R1
address 192.1.10.1
pre-shared-key cisco123
Step-1 [D]: Configure IKEv2 Profile:
crypto ikev2 profile PROF-12
match identity remote address 192.1.10.1 255.255.255.255
authentication local pre-share
authentication remote pre-share
keyring local KR-12
Step-2: Configure Phase II
crypto ipsec transform-set TSET-12 esp-3des esp-md5-hmac
Step-3: Configure IPSEC Profile:
crypto ipsec profile IPSEC-12
set transform-set TSET-12
set ikev2-profile PROF-12
Step-4: Configure S-VTI Tunnel interface towards Hub:
interface Tunnel1
ip address 192.168.12.2 255.255.255.0
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel destination 192.1.10.1
tunnel protection ipsec profile IPSEC-12
end
Step-5: Configure Routing protocol:
router eigrp 1
network 10.0.0.0
network 192.168.12.0
R1 [HUB]:
Step-1: Configure Phase I
Step-1 [A]: Configure IKEv2 Proposal
crypto ikev2 proposal PROP-12
encryption 3des aes-cbc-128
integrity md5 sha1
group 2 5
Step-1 [B]: Configure IKEv2 Policy
crypto ikev2 policy POL-12
proposal PROP-12
Step-1 [C]: Configure IKEv2 Keyring:
crypto ikev2 keyring KR-12
peer R2
address 192.1.20.0 255.255.255.0
pre-shared-key cisco123
Step-1 [D]: Configure IKEv2 Profile:
crypto ikev2 profile PROF-12
match identity remote address 192.1.20.0 255.255.255.0
authentication local pre-share
authentication remote pre-share
keyring local KR-12
virtual-template 12
Step-2: Configure Phase II
crypto ipsec transform-set TSET-12 esp-3des esp-md5-hmac
Step-3: Configure IPSEC Profile:
crypto ipsec profile IPSEC-12
set transform-set TSET-12
set ikev2-profile PROF-12
Step-4: Configure D-VTI Tunnel Interface towards Spoke-1 [R2]:
interface Loopback12
ip address 192.168.12.1 255.255.255.0
end
interface Virtual-Template12 type tunnel
ip unnumbered Loopback12
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC-12
end
Step-5: Configure Routing Protocol:
router eigrp 1
network 10.0.0.0
network 192.168.12.0
Verifications:
R1#show ip route 10.2.2.0
Routing entry for 10.2.2.0/24
Known via "eigrp 1", distance 90, metric 27008000, type internal
Redistributing via eigrp 1
Last update from 192.168.12.2 on Virtual-Access1, 01:04:27 ago
Routing Descriptor Blocks:
* 192.168.12.2, from 192.168.12.2, 01:04:27 ago, via Virtual-Access1
Route metric is 27008000, traffic share count is 1
Total delay is 55000 microseconds, minimum bandwidth is 100 Kbit
Reliability 255/255, minimum MTU 1446 bytes
Loading 1/255, Hops 1
R1#
R1#show ip interface brief
Virtual-Access1 192.168.12.1 YES unset up up
Virtual-Template12 192.168.12.1 YES unset up down
R1#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 192.1.10.1/500 192.1.20.2/500 none/none READY
Encr: 3DES, PRF: MD5, Hash: MD596, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/7432 sec
R1#ping 10.2.2.2 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 15/19/27 ms
Task-2: Configure Flex VPN using S-VTI IKEv2 tunnel between Hub & Spoke-2.
Solution:
R1 [HUB]:
Step-1: Configure Phase I
Step-1 [A]: Configure IKEv2 Proposal
crypto ikev2 proposal PROP-15
encryption 3des aes-cbc-128
integrity md5 sha1
group 2 5
Step-1 [B]: Configure IKEv2 Policy
crypto ikev2 policy POL-15
proposal PROP-15
Step-1 [C]: Configure IKEv2 Keyring:
crypto ikev2 keyring KR-15
peer R5
address 192.1.50.5
pre-shared-key cisco123
Step-1 [D]: Configure IKEv2 Profile:
crypto ikev2 profile PROF-15
match identity remote address 192.1.50.5 255.255.255.255
authentication local pre-share
authentication remote pre-share
keyring local KR-15
Step-2: Configure Phase II
crypto ipsec transform-set TSET-15 esp-3des esp-md5-hmac
Step-3: Configure IPSEC Profile:
crypto ipsec profile IPSEC-15
set transform-set TSET-15
set ikev2-profile PROF-15
Step-4: Configure S-VTI Tunnel interface towards Spoke-2 [R5]:
interface Tunnel15
ip address 192.168.15.1 255.255.255.0
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel destination 192.1.50.5
tunnel protection ipsec profile IPSEC-15
end
Step-5: Configure Routing protocol:
router eigrp 1
network 10.0.0.0
network 192.168.15.0
R5 [Spoke-2]:
Step-1: Configure Phase I
Step-1 [A]: Configure IKEv2 Proposal
crypto ikev2 proposal PROP-15
encryption 3des aes-cbc-128
integrity md5 sha1
group 2 5
Step-1 [B]: Configure IKEv2 Policy
crypto ikev2 policy POL-15
proposal PROP-15
Step-1 [C]: Configure IKEv2 Keyring:
crypto ikev2 keyring KR-15
peer R1
address 192.1.10.1
pre-shared-key cisco123
Step-1 [D]: Configure IKEv2 Profile:
crypto ikev2 profile PROF-15
match identity remote address 192.1.10.1 255.255.255.255
authentication local pre-share
authentication remote pre-share
keyring local KR-15
Step-2: Configure Phase II
crypto ipsec transform-set TSET-15 esp-3des esp-md5-hmac
Step-3: Configure IPSEC Profile:
crypto ipsec profile IPSEC-15
set transform-set TSET-15
set ikev2-profile PROF-15
Step-4: Configure S-VTI Tunnel interface towards Hub:
interface Tunnel15
ip address 192.168.15.5 255.255.255.0
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel destination 192.1.10.1
tunnel protection ipsec profile IPSEC-15
end
Step-5: Configure Routing protocol:
router eigrp 1
network 10.0.0.0
network 192.168.15.0
Verification
R1#show ip int br
Tunnel15 192.168.15.1 YES manual up up
R1#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
3 192.1.10.1/500 192.1.50.5/500 none/none READY
Encr: 3DES, PRF: MD5, Hash: MD596, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/6668 sec
R1#show ip route 10.5.5.5
Routing entry for 10.5.5.0/24
Known via "eigrp 1", distance 90, metric 27008000, type internal
Redistributing via eigrp 1
Last update from 192.168.15.5 on Tunnel15, 01:51:30 ago
Routing Descriptor Blocks:
* 192.168.15.5, from 192.168.15.5, 01:51:30 ago, via Tunnel15
Route metric is 27008000, traffic share count is 1
Total delay is 55000 microseconds, minimum bandwidth is 100 Kbit
Reliability 255/255, minimum MTU 1446 bytes
Loading 1/255, Hops 1
R1#ping 10.5.5.5 so
R1#ping 10.5.5.5 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.5.5.5, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 14/18/26 ms
R5#show ip route 10.2.2.2
Routing entry for 10.2.2.0/24
Known via "eigrp 1", distance 90, metric 28288000, type internal
Redistributing via eigrp 1
Last update from 192.168.15.1 on Tunnel15, 01:28:53 ago
Routing Descriptor Blocks:
* 192.168.15.1, from 192.168.15.1, 01:28:53 ago, via Tunnel15
Route metric is 28288000, traffic share count is 1
Total delay is 105000 microseconds, minimum bandwidth is 100 Kbit
Reliability 255/255, minimum MTU 1446 bytes
Loading 1/255, Hops 2
R5#ping 10.2.2.2 so 10.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.5.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/28/38 ms
R5#traceroute 10.2.2.2 source 10.5.5.5
Type escape sequence to abort.
Tracing the route to 10.2.2.2
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.15.1 12 msec 22 msec 14 msec
2 192.168.12.2 29 msec * 32 msec
R5#
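Added example, not part of the original post: a Python parser for the 'show crypto ikev2 sa' output shown in the Task-1 and Task-2 verifications above, plus a check that every expected spoke has a READY SA and that the negotiated transforms meet a policy. SAMPLE_OUTPUT is reconstructed from R1's two captures on this page; the allowed encryption set and the legacy DH-group set passed to check_sas are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed from the two 'show crypto ikev2 sa' captures on R1 in this lab.
SAMPLE_OUTPUT = """\
IPv4 Crypto IKEv2 SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         192.1.10.1/500        192.1.20.2/500        none/none            READY
      Encr: 3DES, PRF: MD5, Hash: MD596, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/7432 sec
3         192.1.10.1/500        192.1.50.5/500        none/none            READY
      Encr: 3DES, PRF: MD5, Hash: MD596, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/6668 sec

IPv6 Crypto IKEv2 SA
"""


@dataclass
class Ikev2Sa:
    tunnel_id: int
    local: str
    remote: str
    fvrf: str
    ivrf: str
    status: str
    attrs: dict = field(default_factory=dict)  # Encr, PRF, Hash, DH Grp, Auth sign, Auth verify
    lifetime: int = 0
    active: int = 0


SA_LINE = re.compile(r"^\s*(\d+)\s+(\S+)/\d+\s+(\S+)/\d+\s+(\S+)/(\S+)\s+(\S+)\s*$")
LIFE_LINE = re.compile(r"Life/Active Time:\s*(\d+)/(\d+)\s*sec")


def parse_ikev2_sa(text):
    """Turn the tabular SA summary plus its indented detail lines into Ikev2Sa records."""
    sas = []
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if m:
            sas.append(Ikev2Sa(int(m.group(1)), m.group(2), m.group(3),
                               m.group(4), m.group(5), m.group(6)))
            continue
        if not sas:
            continue  # header lines before the first SA
        if line.strip().startswith("Encr:"):
            for item in line.split(","):
                key, _, val = item.partition(":")
                sas[-1].attrs[key.strip()] = val.strip()
        else:
            m = LIFE_LINE.search(line)
            if m:
                sas[-1].lifetime, sas[-1].active = int(m.group(1)), int(m.group(2))
    return sas


def check_sas(sas, expected_peers, allowed_encr, legacy_dh_groups):
    """Return a list of findings; an empty list means every expectation held."""
    findings = []
    by_remote = {sa.remote: sa for sa in sas}
    for peer in expected_peers:
        sa = by_remote.get(peer)
        if sa is None:
            findings.append(f"{peer}: no IKEv2 SA present")
        elif sa.status != "READY":
            findings.append(f"{peer}: SA status is {sa.status}, expected READY")
    for sa in sas:
        encr = sa.attrs.get("Encr")
        if encr not in allowed_encr:
            findings.append(f"{sa.remote}: negotiated encryption {encr} is not in the allowed set")
        dh = sa.attrs.get("DH Grp")
        if dh in legacy_dh_groups:
            findings.append(f"{sa.remote}: negotiated DH group {dh} is on the legacy list")
    return findings


if __name__ == "__main__":
    sas = parse_ikev2_sa(SAMPLE_OUTPUT)
    for sa in sas:
        print(sa.tunnel_id, sa.remote, sa.status, sa.attrs.get("Encr"), sa.attrs.get("DH Grp"))
    # Assumed policy: AES-256 only, MODP groups 1/2/5 not accepted.
    for f in check_sas(sas, ["192.1.20.2", "192.1.50.5"], {"AES-CBC-256", "AES-GCM-256"}, {"1", "2", "5"}):
        print("FINDING:", f)
```

Against the captures above both spokes are READY, so the only findings come from the negotiated transforms (3DES and DH group 2 on each SA), which is the kind of result worth recording when a tunnel is reported as "up" but was negotiated from the first-listed, legacy options of the proposal.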
Task-3: Configure NHRP between Hub and Spoke-3 & Spoke-4 using IKEv2 S-VTI & D-VTI Tunnel Configuration, where Hub will provide IP Address dynamically to Spoke’s Tunnel interface using local pool and Spoke will form direct dynamic tunnel towards another spoke.
Solution:
Step-1: Configure AAA Authorization list, IP Pool and policy to propagate IP Addresses to the tunnel interfaces for the clients:
aaa new-model
aaa authorization network default local
ip local pool FLEX 192.168.134.5 192.168.134.254
crypto ikev2 authorization policy NHRP
pool FLEX
route set interface
Note: ‘route set interface’ is configured on both Hub and Spokes so that each side advertises its tunnel interface address to the peer, which installs it as a static route.
Step-2: Configure Phase I
Step-2 [A]: Configure IKEv2 Proposal
crypto ikev2 proposal PROP-134
encryption 3des aes-cbc-128
integrity md5 sha1
group 2 5
Step-2 [B]: Configure IKEv2 Policy
crypto ikev2 policy POL-134
proposal PROP-134
Step-2 [C]: Configure IKEv2 Keyring:
crypto ikev2 keyring KR-134
peer R3-R4
address 0.0.0.0 0.0.0.0
pre-shared-key cisco123
Step-2 [D]: Configure IKEv2 Profile:
crypto ikev2 profile PROF-134
match identity remote address 0.0.0.0 0.0.0.0
authentication local pre-share
authentication remote pre-share
keyring local KR-134
virtual-template 134
aaa authorization group psk list NHRP NHRP
Step-3: Configure Phase II
crypto ipsec transform-set TSET-134 esp-3des esp-md5-hmac
Step-4: Configure IPSEC Profile:
crypto ipsec profile IPSEC-134
set transform-set TSET-134
set ikev2-profile PROF-134
Step-5: Configure NHRP Interface:
interface Loopback134
ip address 192.168.134.1 255.255.255.0
end
interface Virtual-Template134 type tunnel
ip unnumbered Loopback134
ip nhrp network-id 134
ip nhrp redirect
tunnel source GigabitEthernet0/0
tunnel protection ipsec profile IPSEC-134
end
router eigrp 1
network 192.168.134.0
R3 [Spoke-3]:
Step-1: Configure AAA Authorization list and policy:
aaa new-model
aaa authorization network default local
crypto ikev2 authorization policy NHRP
route set interface
Step-2: Configure Phase I
Step-2 [A]: Configure IKEv2 Proposal
crypto ikev2 proposal PROP-134
encryption 3des aes-cbc-128
integrity md5 sha1
group 2 5
Step-2 [B]: Configure IKEv2 Policy
crypto ikev2 policy POL-134
proposal PROP-134
Step-2 [C]: Configure IKEv2 Keyring:
crypto ikev2 keyring KR-134
peer R1-R4
address 0.0.0.0 0.0.0.0
pre-shared-key cisco123
Step-2 [D]: Configure IKEv2 Profile:
crypto ikev2 profile PROF-134
match identity remote address 0.0.0.0 0.0.0.0
authentication local pre-share
authentication remote pre-share
keyring local KR-134
virtual-template 154
aaa authorization group psk list NHRP NHRP
Step-3: Configure Phase II
crypto ipsec transform-set TSET-134 esp-3des esp-md5-hmac
Step-4: Configure IPSEC profile:
crypto ipsec profile IPSEC-134
set transform-set TSET-134
set ikev2-profile PROF-134
Step-5: Configure NHRP Interface:
interface Tunnel134
ip address negotiated
ip nhrp network-id 134
ip nhrp shortcut virtual-template 154
tunnel source GigabitEthernet0/0
tunnel destination 192.1.10.1
tunnel protection ipsec profile IPSEC-134
end
Note: The Tunnel interface is the static (S-VTI) side of the Hub & Spoke setup; its address is negotiated from the Hub's pool.
interface Virtual-Template154 type tunnel
ip unnumbered Tunnel134
ip nhrp network-id 134
ip nhrp shortcut virtual-template 154
tunnel source GigabitEthernet0/0
tunnel protection ipsec profile IPSEC-134
end
Note: The D-VTI Virtual-Template interface is used to create the dynamic spoke-to-spoke tunnels.
Step-6: Configure Routing protocols:
router eigrp 1
network 10.0.0.0
network 192.168.134.0
R4 [Spoke-4]:
Step-1: Configure AAA Authorization list and policy:
aaa new-model
aaa authorization network default local
crypto ikev2 authorization policy NHRP
route set interface
Step-2: Configure Phase I
Step-2 [A]: Configure IKEv2 Proposal
crypto ikev2 proposal PROP-134
encryption 3des aes-cbc-128
integrity md5 sha1
group 2 5
Step-2 [B]: Configure IKEv2 Policy
crypto ikev2 policy POL-134
proposal PROP-134
Step-2 [C]: Configure IKEv2 Keyring:
crypto ikev2 keyring KR-134
peer R1-R3
address 0.0.0.0 0.0.0.0
pre-shared-key cisco123
Step-2 [D]: Configure IKEv2 Profile:
crypto ikev2 profile PROF-134
match identity remote address 0.0.0.0 0.0.0.0
authentication local pre-share
authentication remote pre-share
keyring local KR-134
virtual-template 154
aaa authorization group psk list NHRP NHRP
Step-3: Configure Phase II
crypto ipsec transform-set TSET-134 esp-3des esp-md5-hmac
Step-4: Configure IPSEC profile:
crypto ipsec profile IPSEC-134
set transform-set TSET-134
set ikev2-profile PROF-134
Step-5: Configure NHRP Interface:
interface Tunnel134
ip address negotiated
ip nhrp network-id 134
ip nhrp shortcut virtual-template 154
tunnel source GigabitEthernet0/0
tunnel destination 192.1.10.1
tunnel protection ipsec profile IPSEC-134
end
Note: The Tunnel interface is the static (S-VTI) side of the Hub & Spoke setup; its address is negotiated from the Hub's pool.
interface Virtual-Template154 type tunnel
ip unnumbered Tunnel134
ip nhrp network-id 134
ip nhrp shortcut virtual-template 154
tunnel source GigabitEthernet0/0
tunnel protection ipsec profile IPSEC-134
end
Note: The D-VTI Virtual-Template interface is used to create the dynamic spoke-to-spoke tunnels.
Step-6: Configure Routing protocols:
router eigrp 1
network 10.0.0.0
network 192.168.134.0
Thank You !!!