FlexVPN Site to Site – IKEv2

What is a FlexVPN?

Cisco answers: “FlexVPN is Cisco’s implementation of the IKEv2 standard featuring a unified paradigm and CLI that combines site to site, remote access, hub and spoke topologies and partial meshes (spoke to spoke direct).

FlexVPN offers a simple but modular framework that extensively uses the tunnel interface paradigm while remaining compatible with legacy VPN implementations using crypto maps.”

What are the benefits of FlexVPN?

Cisco answers:

  • “Transport network: FlexVPN can be deployed either over a public internet or a private Multiprotocol Label Switching (MPLS) VPN network.
  • Deployment style: Designed for the concentration of both site-to-site and remote access VPNs, one single FlexVPN deployment can accept both types of connection requests at the same time.
  • Failover redundancy: Three different kinds of redundancy model can be implemented with FlexVPN:
    • Dynamic routing protocols (such as Open Shortest Path First [OSPF], Enhanced Interior Gateway Routing Protocol [EIGRP], Border Gateway Protocol [BGP]) over FlexVPN tunnels. Path/head-end selection is based on dynamic routing metrics.
    • IKEv2-based dynamic route distribution and server clustering.
    • IPsec/IKEv2 active/standby stateful failover between two chassis (available in the future).
  • Third-party compatibility: As the IT world transitions to cloud- and mobile-based computing, more and more VPN routers and VPN endpoints from different vendors are required. The Cisco IOS FlexVPN solution provides compatibility with any IKEv2-based third-party VPN vendors, including native VPN clients from Apple iOS and Android devices.
  • IP Multicast support: FlexVPN natively supports IP Multicast in two ways:
    • FlexVPN hub router replicates IP Multicast packets for each spoke.
    • If the transport network supports native IP Multicast, the FlexVPN hub router can choose to have the transport network do multicast packet replication after IPsec encryption (available in the future).
  • Superior quality of service (QoS): The architecture of Cisco IOS FlexVPN easily allows hierarchical QoS to be integrated at the per tunnel or per SA basis:
    • Per tunnel QoS for each spoke at the FlexVPN hub router.
    • Per tunnel QoS dynamically applied to direct traffic between spokes (available in the future).
  • Centralized policy control: VPN dynamic policies such as split-tunnel policy, encryption network policy, Virtual Route Forwarding (VRF) selection, Domain Name System (DNS) server (for remote access), and so on can be fully integrated with the authentication, authorization, and accounting (AAA)/RADIUS server and applied at a per peer basis.
  • VRF awareness: The Cisco IOS FlexVPN solution can be fully integrated with MPLS VPN networks for service provider type of deployment. Both Inside VRF and front-door VRF are supported. Inside VRF assignment policy can be managed by the centralized AAA server.
FlexVPN Configuration Parameters

  • IKEv2 Tunnel (formerly called IKE Phase 1)
    • Proposal – encryption algorithm, hash (integrity) algorithm, DH group, authentication.
    • Keyrings – multiple authentication keys may exist; IKEv2 allows a different local and remote pre-shared key per peer.
    • Policy – connection restrictions (for example, which local address accepts connections and which proposal applies).
    • Profile – peer identification and authentication methods.
  • IPsec Tunnel (formerly called IKE Phase 2)
    • Transform-set – traffic protection rules (ESP cipher and integrity algorithm, tunnel or transport mode).
    • Profile – the IPsec profile that ties the transform-set and the IKEv2 profile together and is applied to the tunnel interface.
Topology

[Figure flexvpn-s2s-1: topology diagram (INTERNET router in the middle, R1 on Ethernet0/1, R2 on Ethernet0/2)]

Initial Configuration
hostname INTERNET
!
! Interface configuration (Internet)
interface Ethernet0/0
 description INTERNET CONNECTION
 ip address dhcp
 ip nat outside
 no shutdown
!
! Interface configuration (R1)
interface Ethernet0/1
 description R1 CONNECTION
 ip address 10.0.0.2 255.255.255.252
 ip nat inside
 no shutdown
!
! Interface configuration (R2)
interface Ethernet0/2
 description R2 CONNECTION
 ip address 10.0.0.6 255.255.255.252
 ip nat inside
 no shutdown
!
! PAT 
ip nat inside source list NAT interface Ethernet0/0 overload
!
! ACL (PAT)
ip access-list extended NAT
 permit ip 10.0.0.0 0.0.0.7 any
 deny ip any any

hostname R1
!
! DHCP Server configuration
ip dhcp pool LAN
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.254 
 dns-server 8.8.8.8 
 domain-name bsnetworking.blog
!
! Domain configuration for the device (R1)
ip domain name bsnetworking.blog
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
! Interface configuration (Internal)
interface Ethernet0/0
 description LAN CONNECTION
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 no shutdown
!
! Interface configuration (External)
interface Ethernet0/1
 description INTERNET CONNECTION
 ip address 10.0.0.1 255.255.255.252
 ip nat outside
 no shutdown
!
! PAT Configuration
ip nat inside source list NAT interface Ethernet0/1 overload
!
! Routing (Default Static Route)
ip route 0.0.0.0 0.0.0.0 10.0.0.2
!
! ACL (PAT)
ip access-list extended NAT
 permit ip 192.168.0.0 0.0.0.255 any
 deny ip any any

hostname R2
!
! DHCP Server configuration
ip dhcp pool LAN
 network 172.16.0.0 255.255.255.0
 default-router 172.16.0.254 
 dns-server 8.8.8.8 
 domain-name bsnetworking.blog
!
! Domain configuration for the device (R2)
ip domain name bsnetworking.blog
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
! Interface configuration (Internal)
interface Ethernet0/0
 description LAN CONNECTION
 ip address 172.16.0.254 255.255.255.0
 ip nat inside
 no shutdown
!
! Interface configuration (External)
interface Ethernet0/2
 description INTERNET CONNECTION
 ip address 10.0.0.5 255.255.255.252
 ip nat outside
 no shutdown
!
! PAT Configuration
ip nat inside source list NAT interface Ethernet0/2 overload
!
! Routing (Default Static Route)
ip route 0.0.0.0 0.0.0.0 10.0.0.6
!
! ACL (PAT)
ip access-list extended NAT
 permit ip 172.16.0.0 0.0.0.255 any
 deny ip any any
FlexVPN Configuration

! R1 Configuration
! IKE Proposal 
crypto ikev2 proposal IKEPROPOSAL 
 encryption aes-cbc-256
 integrity sha512
 group 14
!
! IKE POLICY
crypto ikev2 policy IKEPOLICY
 ! Local interface address on which the connection is accepted
 match address local 10.0.0.1
 ! IKE Proposal to use
 proposal IKEPROPOSAL
!
! KEYRING
crypto ikev2 keyring KEYRING
 ! Key Identification
 peer R2
  description R2 PSK Authentication 
  ! Peer address
  address 10.0.0.5
  ! Identity the peer presents (must equal the peer's "identity local" in its IKE profile)
  identity fqdn R2.bsnetworking.blog
  ! Local and remote pre-shared keys (IKEv2 allows them to differ; each must match the peer's opposite entry)
  pre-shared-key local R1key12345
  pre-shared-key remote R2key12345
!
! IKE PROFILE
crypto ikev2 profile IKEPROFILE
 ! Identity sent by the remote host 
 match identity remote fqdn R2.bsnetworking.blog
 ! Identity used by the local host
 identity local email r1@bsnetworking.blog
 ! Authentication used, pre-shared in this case
 authentication remote pre-share
 authentication local pre-share
 ! Keyring that holds the pre-shared keys
 keyring local KEYRING
!
! IPSec rules applied on the user traffic
crypto ipsec transform-set TSET esp-aes 256 esp-sha512-hmac 
 mode tunnel
!
! IPSec Profile
crypto ipsec profile IPSECPROFILE
 ! Transform-set to use
 set transform-set TSET
 ! Ike Profile to associate 
 set ikev2-profile IKEPROFILE
!
! Tunnel Configuration
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source Ethernet0/1
 tunnel mode ipsec ipv4
 tunnel destination 10.0.0.5
 tunnel path-mtu-discovery
 ! Protect the tunnel with the IPSec Profile
 tunnel protection ipsec profile IPSECPROFILE
!
! Routing Configuration
router eigrp 10
 network 1.1.1.1 0.0.0.0
 network 192.168.0.254 0.0.0.0

! R2 Configuration
! IKE Proposal 
crypto ikev2 proposal IKEPROPOSAL 
 encryption aes-cbc-256
 integrity sha512
 group 14
!
! IKE POLICY
crypto ikev2 policy IKEPOLICY
 ! Local interface address on which the connection is accepted
 match address local 10.0.0.5
 ! IKE Proposal to use
 proposal IKEPROPOSAL
!
! KEYRING
crypto ikev2 keyring KEYRING
 ! Key Identification
 peer R1
  description R1 PSK Authentication 
  ! Peer address
  address 10.0.0.1
  ! Identity the peer presents (must equal the peer's "identity local" in its IKE profile)
  identity email r1@bsnetworking.blog
  ! Local and remote pre-shared keys (IKEv2 allows them to differ; each must match the peer's opposite entry)
  pre-shared-key local R2key12345
  pre-shared-key remote R1key12345
!
! IKE PROFILE
crypto ikev2 profile IKEPROFILE
 ! Identity sent by the remote host 
 match identity remote email r1@bsnetworking.blog
 ! Identity used by the local host
 identity local fqdn R2.bsnetworking.blog
 ! Authentication used, pre-shared in this case
 authentication remote pre-share
 authentication local pre-share
 ! Keyring that holds the pre-shared keys
 keyring local KEYRING
!
! IPSec rules applied on the user traffic
crypto ipsec transform-set TSET esp-aes 256 esp-sha512-hmac 
 mode tunnel
!
! IPSec Profile
crypto ipsec profile IPSECPROFILE
 ! Transform-set to use
 set transform-set TSET
 ! Ike Profile to associate 
 set ikev2-profile IKEPROFILE
!
! Tunnel Configuration
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source Ethernet0/2
 tunnel mode ipsec ipv4
 tunnel destination 10.0.0.1
 tunnel path-mtu-discovery
 ! Protect the tunnel with the IPSec Profile
 tunnel protection ipsec profile IPSECPROFILE
!
! Routing Configuration
router eigrp 10
 network 2.2.2.2 0.0.0.0
 network 172.16.0.254 0.0.0.0
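As an added check that is not part of the original post or of Cisco's tooling, the script below parses constructed excerpts of the R1 and R2 IKEv2 blocks above, flags weak proposal algorithms, and verifies that each router's local pre-shared key and identity are exactly what the other router's keyring and profile expect, which is where PSK-based IKEv2 tunnels most often fail to come up. The WEAK table, the excerpt strings and the function names are my assumptions.

```python
import re
# Constructed excerpts of R1's and R2's IKEv2 config from the post (only the lines the checks read).
R1_CFG = """\
crypto ikev2 proposal IKEPROPOSAL
 encryption aes-cbc-256
 integrity sha512
 group 14
crypto ikev2 keyring KEYRING
 peer R2
  identity fqdn R2.bsnetworking.blog
  pre-shared-key local R1key12345
  pre-shared-key remote R2key12345
crypto ikev2 profile IKEPROFILE
 match identity remote fqdn R2.bsnetworking.blog
 identity local email r1@bsnetworking.blog
"""
R2_CFG = """\
crypto ikev2 proposal IKEPROPOSAL
 encryption aes-cbc-256
 integrity sha512
 group 14
crypto ikev2 keyring KEYRING
 peer R1
  identity email r1@bsnetworking.blog
  pre-shared-key local R2key12345
  pre-shared-key remote R1key12345
crypto ikev2 profile IKEPROFILE
 match identity remote email r1@bsnetworking.blog
 identity local fqdn R2.bsnetworking.blog
"""
WEAK = {"encryption": {"des", "3des"}, "integrity": {"md5", "sha1"}, "group": {"1", "2", "5"}}  # assumed list

def parse_ikev2(cfg):
    """Pull proposal algorithms, identities and PSKs out of an IOS IKEv2 config excerpt."""
    grab = lambda pat: re.search(pat, cfg, re.M).group(1)
    return {"proposal": {k: set(v.split()) for k, v in re.findall(r"^ (encryption|integrity|group) (.+)$", cfg, re.M)},
            "keyring_id": grab(r"^  identity (\S+ \S+)$"),  # identity the keyring expects the peer to present
            "psk_local": grab(r"pre-shared-key local (\S+)"), "psk_remote": grab(r"pre-shared-key remote (\S+)"),
            "match_remote": grab(r"match identity remote (\S+ \S+)"), "local_id": grab(r"identity local (\S+ \S+)")}

def check_peers(a, b):
    """Problems that would make IKE_SA_INIT/IKE_AUTH fail between a and b, plus weak algorithms either side offers."""
    issues = [f"no common {k} algorithm" for k in a["proposal"] if not a["proposal"][k] & b["proposal"].get(k, set())]
    issues += [f"weak {k} {v}" for p in (a, b) for k, vs in p["proposal"].items() for v in vs if v in WEAK[k]]
    for x, y in ((a, b), (b, a)):  # each side's local key and identity must be what the other side expects
        if x["psk_local"] != y["psk_remote"]:
            issues.append(f"PSK mismatch for {x['local_id']}")
        if x["local_id"] != y["match_remote"] or x["local_id"] != y["keyring_id"]:
            issues.append(f"peer does not expect identity {x['local_id']}")
    return issues
```

Running `check_peers(parse_ikev2(R1_CFG), parse_ikev2(R2_CFG))` on the post's configuration returns an empty list; editing one side's remote key or DH group produces the corresponding findings.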

Verification
R1# show ip interface brief 
Interface    IP-Address    OK? Method Status                Protocol
Ethernet0/0  192.168.0.254 YES NVRAM  up                    up 
Ethernet0/1  10.0.0.1      YES NVRAM  up                    up 
Ethernet0/2  unassigned    YES NVRAM  administratively down down 
Ethernet0/3  unassigned    YES NVRAM  administratively down down 
Loopback0    1.1.1.1       YES NVRAM  up                    up 
NVI0         192.168.0.254 YES unset  up                    up 
Tunnel0      1.1.1.1       YES TFTP   up                    up 

R1# show ip route eigrp


 2.0.0.0/32 is subnetted, 1 subnets
D 2.2.2.2 [90/27008000] via 2.2.2.2, 08:12:59, Tunnel0
 172.16.0.0/24 is subnetted, 1 subnets
D 172.16.0.0 [90/26905600] via 2.2.2.2, 08:12:59, Tunnel0

R1# ping 172.16.0.254 source 192.168.0.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.254, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.254 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms
R1#
Configuration Scheme

[Figure flexvpn-s2s-3: configuration scheme diagram]

Until next post, stay good.
