I have been familiar with the concept of an IPSEC tunnel for quite some time, but I never had a chance to play with one. That changed when I got the opportunity to configure a FlexVPN tunnel in my lab. What is FlexVPN, you ask? It is Cisco’s latest implementation of IPSEC tunnels, built on the IKEv2 protocol. It combines multiple frameworks into a single, comprehensible set of CLI/API commands to ease the setup of remote access, site-to-site, and DMVPN topologies. A few of the benefits include:
- It uses the IKEv2 protocol, which is specified in RFC 4306.
- It is compatible with all previous versions of IPSEC VPNs.
- It enables the creation of dynamic spoke-to-spoke tunnels.
- It supports IPv4 and IPv6 as both the transport and the overlay protocol.
I will have additional links at the end of this post if you want to learn more about the theoretical aspects of FlexVPN. Now it’s time to look at a sample FlexVPN configuration that I built in my lab. I used a Cisco CSR appliance as the hub and a Cisco ISR 4000 Series router as the spoke in my design.
Hub Configuration:
```
## Defining an IP Pool from which the spoke will get an IP
ip local pool mypool <<pool_start_IP>> <<pool_end_IP>>
!
interface Loopback1
 ip address <<loopback_IP>> 255.255.255.255
!
crypto ikev2 authorization policy default
 pool mypool
 route set interface
!
interface virtual-template 1 type tunnel
 ip unnumbered Loopback1
 tunnel source <<source_interface>>
 tunnel protection ipsec profile <<IPSEC_Profile>>
!
## Defining a Pre-Shared Password and also allowing anyone
## to initiate a VPN connection with the Hub
crypto ikev2 keyring <<Keyring_Name>>
 peer ANY-PEER
  address 0.0.0.0 0.0.0.0
  pre-shared-key local <<PSK_Password>>
  pre-shared-key remote <<PSK_Password>>
!
crypto ikev2 profile <<Crypto_Profile>>
 match identity remote any
 identity local address <<CSR_WAN_IP>>
 authentication remote pre-share
 authentication local pre-share
 keyring local <<Keyring_Name>>
 virtual-template 1
 aaa authorization group psk list default default local
!
crypto ipsec profile <<IPSEC_Profile>>
 set ikev2-profile <<Crypto_Profile>>
```
Spoke Configuration:
```
crypto ikev2 authorization policy default
 route set interface
 route set remote ipv4 <<Mgmt_NW_HostAddr>> <<Mgmt_NW_Netmask>>
!
## Initiating a connection with the Hub using the same Pre-Shared Key
crypto ikev2 keyring <<Keyring_Name>>
 peer SP-CSR
  address <<CSR_WAN_IP>>
  pre-shared-key local <<PSK_Password>>
  pre-shared-key remote <<PSK_Password>>
!
crypto ikev2 profile <<Crypto_Profile>>
 match identity remote any
 identity local address <<ISR_WAN_IP>>
 authentication local pre-share
 authentication remote pre-share
 keyring local <<Keyring_Name>>
 aaa authorization group psk list default default local
!
crypto ipsec profile <<IPSEC_Profile>>
 set ikev2-profile <<Crypto_Profile>>
!
interface Tunnel0
 ip address negotiated
 tunnel source GigabitEthernet0/0/1
 tunnel destination <<CSR_WAN_IP>>
 tunnel protection ipsec profile <<IPSEC_Profile>>
```
This is a basic configuration that allows any spoke that has the pre-shared key to initiate a VPN connection. You can restrict the connection to specific spokes by specifying an IP address range in the hub’s configuration. You can also make it more secure, if you want, by using certificates instead of pre-shared keys. The main purpose of this post was to get you started with a minimal configuration; from there you can customize and secure it the way you want.
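As an added example (not code from the original post), here is a small Python check that reads the hub's IKEv2 keyring and profile sections and reports the two settings that leave this minimal configuration open to any spoke: the wildcard peer address in the keyring and the unpinned `match identity remote any` in the profile. The sample config below is a constructed stand-in with made-up values in place of the placeholders above.

```python
# Constructed sample: the hub's open keyring and profile from the post,
# with invented values substituted for the <<placeholders>>.
SAMPLE_HUB_CONFIG = """\
crypto ikev2 keyring MYKEYRING
 peer ANY-PEER
  address 0.0.0.0 0.0.0.0
  pre-shared-key local s3cret
  pre-shared-key remote s3cret
!
crypto ikev2 profile MYPROFILE
 match identity remote any
 identity local address 198.51.100.1
 authentication remote pre-share
 authentication local pre-share
 keyring local MYKEYRING
 virtual-template 1
"""


def parse_sections(config):
    """Group an IOS-style config into top-level sections: each unindented
    command maps to the list of its indented sub-commands (stripped, with
    nesting flattened). '!' separators and '#' comment lines are skipped."""
    sections = {}
    current = None
    for line in config.splitlines():
        if not line.strip() or line.startswith(("!", "#")):
            continue
        if not line[0].isspace():
            current = line.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line.strip())
    return sections


def audit_flexvpn_hub(config):
    """Return findings about which peers may bring up a tunnel with this hub."""
    findings = []
    for header, body in parse_sections(config).items():
        if header.startswith("crypto ikev2 keyring"):
            # A 0.0.0.0/0 peer lets any source address try the shared PSK.
            if "address 0.0.0.0 0.0.0.0" in body:
                findings.append(f"{header}: wildcard peer address, any source IP may attempt IKEv2 with the shared PSK")
        elif header.startswith("crypto ikev2 profile"):
            # PSK auth combined with an unpinned identity match.
            if "match identity remote any" in body and "authentication remote pre-share" in body:
                findings.append(f"{header}: 'match identity remote any' with pre-shared-key authentication, peer identity is not pinned")
    return findings


if __name__ == "__main__":
    for finding in audit_flexvpn_hub(SAMPLE_HUB_CONFIG):
        print(finding)
```

Pinning the keyring peer to the spoke's address range and matching on a concrete remote identity makes both findings disappear.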
As always, if you want to learn more about FlexVPN, you can refer to the following links: