Cisco FlexVPN Configuration

I have been familiar with the concept of an IPSEC Tunnel for quite some time but I never had a chance to play with it. That changed when I got the opportunity to configure a FlexVPN Tunnel in my lab. What is FlexVPN, you ask? It is Cisco’s latest implementation of the IPSEC Tunnel that uses the IKEv2 protocol. It is a way of combining multiple frameworks into a single, comprehensible set of CLI/API commands to ease the setup of remote access, site-to-site, and DMVPN topologies. A few of the benefits include:

  1. It uses IKEv2 protocol which is based on the RFC 4306.
  2. It is compatible with all the previous versions of IPSEC VPNs.
  3. It enables the creation of dynamic spoke to spoke tunnels.
  4. It supports IPv4 and IPv6 for transport and overlay protocol.

I will have additional links at the end of this post if you want to learn more about the theoretical aspects of FlexVPN. But, now it’s time to look at a sample FlexVPN configuration that I built in my lab. I used a Cisco CSR appliance as the hub and a Cisco ISR 4000 Series Router as the spoke in my design.

Hub Configuration:

## Defining an IP Pool from which the spoke will get an IP
ip local pool mypool <<pool_start_IP>> <<pool_end_IP>>
 
interface Loopback1
 ip address <<loopback_IP>> 255.255.255.255

crypto ikev2 authorization policy default
 pool mypool
 route set interface

interface virtual-template 1 type tunnel
 ip unnumbered Loopback1
 tunnel source <<source_interface>>
 tunnel protection ipsec profile <<IPSEC_Profile>>
 
## Defining a Pre-Shared Password and also allowing anyone
## to initiate a VPN connection with the Hub
crypto ikev2 keyring <<Keyring_Name>>
 peer ANY-PEER
 address 0.0.0.0 0.0.0.0
 pre-shared-key local <<PSK_Password>>
 pre-shared-key remote <<PSK_Password>>

 crypto ikev2 profile <<Crypto_Profile>>
 match identity remote any
 identity local address <<CSR_WAN_IP>>
 authentication remote pre-share
 authentication local pre-share
 keyring local <<Keyring_Name>>
 virtual-template 1
 aaa authorization group psk list default default local
 
 crypto ipsec profile <<IPSEC_Profile>>
 set ikev2-profile <<Crypto_Profile>>

Spoke Configuration: 

crypto ikev2 authorization policy default
 route set interface
 route set remote ipv4 <<Mgmt_NW_HostAddr>> <<Mgmt_NW_Netmask>>

## Initiating a connection with the Hub using the same Pre-Shared Key
crypto ikev2 keyring <<Keyring_Name>>
peer SP-CSR
  address <<CSR_WAN_IP>>
  pre-shared-key local <<PSK_Password>>
  pre-shared-key remote <<PSK_Password>>

crypto ikev2 profile <<Crypto_Profile>>
match identity remote any
identity local address <<ISR_WAN_IP>>
authentication local pre-share
authentication remote pre-share
keyring local <<Keyring_Name>>
aaa authorization group psk list default default local

crypto ipsec profile <<IPSEC_Profile>>
set ikev2-profile <<Crypto_Profile>>
 
interface Tunnel0
ip address negotiated
tunnel source GigabitEthernet0/0/1
tunnel destination <<CSR_WAN_IP>>
tunnel protection ipsec profile <<IPSEC_Profile>>

This is a basic configuration which allows any spoke who has the preshared key to initiate a VPN connection. You can restrict the connection to specific spokes by specifying IP address range in the Hub’s configuration. You can also make it more secure if you want, by using Certificates instead of using Pre-Shared Keys. The main purpose of this post was to just get you started with a minimal configuration and then you can customize and secure it the way you want.

And as always if you want to learn more about FlexVPN, you can refer to these following links:

  1. http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/15-mt/sec-flex-vpn-15-mt-book/sec-intro-ikev2-flex.html
  2. http://packetpushers.net/cisco-flexvpn-dmvpn-high-level-design/
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s