Identify use cases for FlexVPN
Flexible Virtual Private Network
3.2.b i Site-to-site, Server, Client, Spoke-to-Spoke
Introduction (not on blueprint)
General information on “FlexVPN Introduction”:
- Unified CLI for configuring different VPN types:
- Site-to-Site
- Hub-to-Spoke
- Spoke-to-Spoke
- Remote Access
- Support for features like AAA, IPv6, Routing, Multicast (even Spoke-to-Spoke!), … included
- Compliant with the IKEv2 standard
- IKEv2 configuration can be kept simple by using smart-defaults (Cisco’s recommended best practice settings)
- IKEv2 encrypts the whole packet, not only the payload (= GRE over IPsec)
- Differences between DMVPN and FlexVPN:
- Encryption (IKEv2 with IPsec) is now mandatory (was optional in DMVPN)
- No more NHRP needed (mandatory in DMVPN), except for Spoke-to-Spoke communication…
- FlexVPN server requires ip nhrp redirect
- FlexVPN client requires ip nhrp shortcut
- Interoperable with non-Cisco implementations and therefor works with 3rd party devices
- Spoke-to-Spoke routing adjacencies possible
- IP MTU (1400 bytes) and TCP MSS (IPv4: 1360 bytes, IPv6: 1340 bytes) should be adjusted to avoid fragmentation
Configuration considerations:
- Protocol overhead:
- To avoid fragmentation, it’s recommended to adjust the MTU and MSS of the tunnel interface
- IPv4: MTU 1400, MSS 1360
- IPv6: MTU 1400, MSS 1340
- Overlay routing protocol:
- Cisco recommends iBGP as the overlay routing protocol whereas the FlexVPN server is a route-reflector
Site-to-site
General information on “FlexVPN Site-to-site”:
- Used to connect two sites together
- Both sides will be configured with a VTI
“FlexVPN Site-to-site” CLI configuration commands:
## FlexVPN IPsec/IKEv2 Phase 1 configuration
Router(config)# crypto ikev2 profile [IKEV2-PROFILE-NAME]
Router(config-ikev2-profile)# authentication local pre-share key <key>
Router(config-ikev2-profile)# authentication remote pre-share key <key>
Router(config-ikev2-profile)# match identity remote address <ip>
Router(config-ikev2-profile)# identity local [options]
Router(config-ikev2-profile)# dpd <sec> <sec> on-demand
## FlexVPN IPsec Phase 2 configuration
Router(config)# crypto ipsec profile [IPSEC-PROFILE-NAME]
Router(ipsec-profile)# set ikev2-profile [IKEV2-PROFILE-NAME]
## FlexVPN site-to-site tunnel interface configuration
Router(config)# interface tunnel <id>
Router(config-if)# tunnel source <interface>
Router(config-if)# tunnel destination <ip>
Router(config-if)# tunnel protection ipsec profile [IPSEC-PROFILE-NAME]
Server
General information on “FlexVPN Server”:
- DMVPN hub = FlexVPN server
- Server can be configured to support multiple VPN types at the same time (Site-to-Site, Hub-to-Spoke, RA)
- Virtual-Templates are now used instead of VTIs
- For every new connection, a Virtual-Access interface will spawn which inherits the configuration of the Virtual-Template
- Allows for much more flexibility with additional features like QoS
“FlexVPN Server” CLI configuration commands:
## FlexVPN IPsec/IKEv2 Phase 1 configuration
Router(config)# crypto ikev2 profile [IKEV2-PROFILE-NAME]
Router(config-ikev2-profile)# authentication local pre-share key <key>
Router(config-ikev2-profile)# authentication remote pre-share key <key>
Router(config-ikev2-profile)# match identity remote address <ip>
Router(config-ikev2-profile)# identity local [options]
Router(config-ikev2-profile)# dpd <sec> <sec> on-demand
## FlexVPN IPsec Phase 2 configuration
Router(config)# crypto ipsec profile [IPSEC-PROFILE-NAME]
Router(ipsec-profile)# set ikev2-profile [IKEV2-PROFILE-NAME]
## FlexVPN server virtual-template interface configuration
Router(config)# interface virtual-template <id> type tunnel
Router(config-if)# ip unnumbered <loopback-if>
Router(config-if)# tunnel source <if>
Router(config-if)# tunnel protection ipsec profile [IPSEC-PROFILE-NAME]
Client
General information on “FlexVPN Client”:
- DMVPN spoke = FlexVPN client
- With the FlexVPN client connect command, several peers (servers) for a single tunnel can be specified
“FlexVPN Client” CLI configuration commands:
## FlexVPN IPsec/IKEv2 Phase 1 configuration
Router(config)# crypto ikev2 profile [IKEV2-PROFILE-NAME]
Router(config-ikev2-profile)# authentication local pre-share key <key>
Router(config-ikev2-profile)# authentication remote pre-share key <key>
Router(config-ikev2-profile)# match identity remote address <ip>
Router(config-ikev2-profile)# identity local [options]
Router(config-ikev2-profile)# dpd <sec> <sec> on-demand
## FlexVPN IPsec Phase 2 configuration
Router(config)# crypto ipsec profile [IPSEC-PROFILE-NAME]
Router(ipsec-profile)# set ikev2-profile [IKEV2-PROFILE-NAME]
## FlexVPN client "client connect" option configuration
Router(config)# crypto ikev2 client flexvpn [FLEXVPN-CLIENT-NAME]
Router(config-ikev2-flexvpn)# peer <id> <ip>
Router(config-ikev2-flexvpn)# client connect <tunnel-if>
## FlexVPN client tunnel interface configuration
Router(config)# interface tunnel <id>
Router(config-if)# ip unnumbered <loopback-if>
Router(config-if)# tunnel source <interface>
Router(config-if)# tunnel destination dynamic
Router(config-if)# tunnel protection ipsec profile [IPSEC-PROFILE-NAME]
Spoke-to-Spoke
General information on “FlexVPN Spoke-to-Spoke”:
- Spoke-to-Spoke communication is done via NHRP
- This requires additional configuration on the hub and spokes
“FlexVPN Spoke-to-Spoke” CLI configuration commands:
## ==============
## FlexVPN server
## ==============
## FlexVPN spoke-to-spoke additional server configuration
Router(config)# interface virtual-template <id>
Router(config-if)# ip nhrp network-id <id>
Router(config-if)# ip nhrp redirect
## ==============
## FlexVPN client
## ==============
## FlexVPN spoke-to-spoke additional client configuration
Router(config)# crypto ikev2 profile [IKEV2-PROFILE-NAME]
Router(config-ikev2-profile)# virtual-template <id>
Router(config)# interface virtual-template <id> type tunnel
Router(config-if)# ip unnumbered <loopback-if>
Router(config-if)# ip nhrp network-id <id>
Router(config-if)# ip nhrp shortcut virtual-template <id>
Router(config-if)# tunnel source <interface>
Router(config-if)# tunnel protection ipsec profile [IPSEC-PROFILE-NAME]
Router(config)# interface tunnel <id>
Router(config-if)# ip nhrp network-id <id>
Router(config-if)# ip nhrp shortcut virtual-template <id>
Route propagation with IKEv2 (Not on blueprint)
General information on “Route propagation with IKEv2 (Not on blueprint)":
- Instead of using a dynamic routing protocol, static routes can be automatically propagated with the IKEv2 SA
- In conjunction with spoke-to-spoke tunnels NHO will be applied to those routes
Configuration considerations:
- route set interface = Tunnel IP address will be propagated as /32
“FlexVPN Route propagation with IKEv2” CLI configuration commands:
## Configuring AAA to allow route propagation
Router(config)# aaa new-model
Router(config)# aaa authorization network <list> <database/group/...>
## Configuring an ACL which defines the to-be-propagated routes
Router(config)# ip access-list standard [NAME]
Router(config-std-nacl)# permit <subnet> <wildcardmask>
## Configuring an IKEv2 authorization policy to allow route propagation
Router(config)# crypto ikev2 authorization policy [NAME]
Router(config-ikev2-author-policy)# route set interface
Router(config-ikev2-author-policy)# route set access-list [ACL-NAME]
## Modifying the existing IKEv2 profile to enable route propagation
Router(config)# crypto ikev2 profile [NAME]
Router(config-ikev2-profile)# aaa authorization group psk list [AAA-LIST] [IKEV2-AUTH-POLICY]
3.2.a ii IPsec/IKEv2 using pre-shared key
General information on “IPsec/IKEv2 using pre-shared key”:
- IPsec/IKEv2 is tightly integrated into and required for FlexVPN
Configuration considerations:
- 7 steps are required to configure IPsec with IKEv2 and PSK:
| Steps | Mandatory/Optional | Comments |
|---|---|---|
| IKEv2 Proposal (Phase 1) | Optional | Defaults are defined |
| IKEv2 Policy (Phase 1) | Optional | Mandatory for F-VRF |
| IKEv2 Keyring (Phase 1) | Optional | |
| IKEv2 Profile (Phase 1) | Mandatory | |
| IPsec Transform-Set (Phase 2) | Mandatory | |
| IPsec Profile (Phase 2) | Mandatory | |
| Applying IPsec Profile to Tunnel Interface | Mandatory |
- Show commands output:
- ISAKMP SA status has to be QM_IDLE in order for Phase 2 to work
- IKEv2 SA status has to be READY in order for Phase 2 to work
- IPsec SA status has to be…
- Equal for pkts encaps/encrypt/digest
- Equal for decaps/decrypt/verify
“FlexVPN IPsec/IKEv2 using pre-shared key” CLI configuration commands:
## ===================
## IPsec/IKEv2 Phase 1
## ===================
## IPsec/IKEv2 Phase 1 configuration
Router(config)# crypto ikev2 proposal [NAME]
Router(config-ikev2-proposal)# encryption [options]
Router(config-ikev2-proposal)# integrity [options]
Router(config-ikev2-proposal)# group [options]
Router(config)# crypto ikev2 policy [NAME]
Router(config-ikev2-policy)# proposal [NAME]
Router(config)# crypto ikev2 keyring [NAME]
Router(config-ikev2-keyring)# peer [NAME]
Router(config-ikev2-keyring-peer)# address <peer-nbma-ip>
Router(config-ikev2-keyring-peer)# pre-shared-key <key>
Router(config)# crypto ikev2 profile [NAME]
Router(config-ikev2-profile)# authentication local pre-share
Router(config-ikev2-profile)# authentication remote pre-share
Router(config-ikev2-profile)# match identity remote address <ip>
Router(config-ikev2-profile)# keyring local [NAME]
Router(config-ikev2-profile)# dpd <sec> <sec> on-demand
## =============
## IPsec Phase 2
## =============
## IPsec Phase 2 configuration
Router(config)# crypto ipsec transform-set [NAME] [options]
Router(cfg-crypto-trans)# mode transport
Router(config)# crypto ipsec profile <name>
Router(ipsec-profile)# set transform-set [NAME]
Router(ipsec-profile)# set ikev2-profile [NAME]
## ==============
## Enabling IPsec
## ==============
## Enabling IPsec on the tunnel interface
Router(config)# interface <if>
Router(config-if)# tunnel protection ipsec profile <ipsec-profile-name>
“FlexVPN IPsec/IKEv2 using pre-shared key” CLI show commands:
## Showing IPsec/ISAKMP (IKEv1) Phase 1 security associations
Router# show crypto isakmp sa
## Showing IPsec/IKEv2 Phase 1 security associations
Router# show crypto ikev2 sa
## Showing IPsec Phase 2 security associations
Router# show crypto ipsec sa
3.2.b x MPLS over FlexVPN
General information on “MPLS over FlexVPN”:
- Used for separation of different networks sometimes w/ overlapping address space) (just like “normal” MPLS)
- Supported MPLS operations: pop (dispose), route, push (impose)
- Doesn’t support MPLS swap operation (= no label switching!)
- Based on NHRP instead of LDP because LDP uses keep-alives and therefor spoke-to-spoke tunnels would never be terminated
Configuration considerations:
- Only option:
- Hub and Spokes: Configure mpls nhrp on all tunnel interfaces which belong to the FlexVPN solution
- Hub and Spokes: Configure iBGP VPNv4 between spokes and hub
- Hub only: Summarize the routes for each VRF
- Using the hub as RR is not supported/recommended by Cisco!
“MPLS over FlexVPN” CLI configuration commands:
## Enabling MPLS NHRP on all FlexVPN interfaces
Router(config)# interface <if>
Router(config-if)# mpls nhrp