FlexVPN

When looking at the various VPN solutions Cisco provides, you may ask yourself why some of them are even necessary, especially for transport over shared services such as the Internet, MPLS, VPLS or Carrier Ethernet. Most of these VPN solutions exist for one reason: to authenticate and encrypt traffic that crosses a shared link, whether that link is a carrier service or the public Internet.

In this section we cover FlexVPN and its configuration. FlexVPN is an IKEv2-only technology that works well for active/standby Internet-based VPN connectivity, and for internal encryption when GETVPN is unavailable and DMVPN is not wanted. It is also the better choice where multiple Internet-facing remote sites share a single external NAT address, a case DMVPN does not support.

FlexVPN is an IKEv2 and IPsec based mechanism that lets multiple spoke devices communicate dynamically over authenticated and encrypted point-to-point tunnels. A FlexVPN spoke builds an IPsec tunnel to one of its configured peers at a time (the FlexVPN client moves on to the next peer in its list if the active one becomes unreachable), and spokes can additionally run NHRP (as in DMVPN) to build direct spoke-to-spoke IPsec tunnels.

As for routing, the tunnel interfaces are configured with ip unnumbered Loopback0, so each tunnel borrows its loopback's address as its tunnel IP address; the loopback must therefore be included in the routing process, which is also what enables EIGRP on the unnumbered tunnel interface that borrows it. In this case EIGRP forms neighbor adjacencies across the tunnels to provide routing between both hubs and both spokes.
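The following show commands, added here as a check and not part of the original write-up, confirm that the IKEv2/IPsec tunnels and the EIGRP adjacencies over them came up once the configuration below is applied. Interface, profile and peer names are those of the lab topology; the comments state what each command should show.

```ios
! --- On Hub 1 (Hub 2 is checked the same way with its own addresses) ---
! one IKEv2 SA per connected spoke; the Status column should read READY
show crypto ikev2 sa
! one Virtual-Access interface is cloned from Virtual-Template1 per spoke,
! and each one borrows 14.14.14.14 from Loopback0 (ip unnumbered)
show ip interface brief | include Virtual-Access
! the ESP encaps/decaps counters must increase in both directions per spoke
show crypto ipsec sa
! each spoke appears as an EIGRP neighbor reached via a Vi (Virtual-Access) interface
show ip eigrp neighbors
! the spoke loopbacks 15.15.15.15/32 and 16.16.16.16/32 must be learned via EIGRP
show ip route eigrp

! --- On Spoke 1 (Spoke 2 is checked the same way) ---
! FlexVPN client state and which entry of the peer list is currently active;
! with both hubs reachable this is peer 1, 172.16.0.14
show crypto ikev2 client flexvpn FLEX-CLIENT
! the dynamic tunnel destination must be the active hub's address
show interfaces Tunnel1 | include Tunnel
! the hub loopbacks 14.14.14.14/32 and 17.17.17.17/32 must be learned via EIGRP
show ip route eigrp
! failover check: make Hub 1 unreachable (e.g. shut Ethernet0/0 on Hub 1),
! then confirm the client has moved to peer 2, 172.16.0.17, and that
! Tunnel1's destination and the EIGRP neighbor follow it
show crypto ikev2 client flexvpn FLEX-CLIENT
show ip eigrp neighbors
```

If the IKEv2 SA never reaches READY, check the pre-shared keys first: the remote key on each side must equal the local key on the other side, and the hub's match address local must be the address the spoke actually sends its IKE traffic to.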


The FlexVPN configuration itself is quite basic; for this topology it is as follows. Note that the IKEv2 proposal used below (AES-128-CBC, SHA-1 and Diffie-Hellman group 1, a 768-bit MODP group) and the single shared pre-shared key accepted from any remote identity are lab settings, and should be strengthened before this is used on a real network.

Hub 1

crypto ikev2 proposal FLEX-PROPOSAL
  encryption aes-cbc-128
  integrity sha1
  group 1
crypto ikev2 policy FLEX-POLICY
  proposal FLEX-PROPOSAL
crypto ikev2 profile FLEX-PROFILE
  match address local 172.16.0.14
  match identity remote any
  authentication remote pre-share key spokekey
  authentication local pre-share key hubkey
  virtual-template 1
crypto ipsec transform-set FLEX-TSET esp-aes esp-sha-hmac
  mode tunnel
crypto ipsec profile FLEX-IPSEC-PROFILE
  set transform-set FLEX-TSET
  set ikev2-profile FLEX-PROFILE

interface Loopback0
  ip address 14.14.14.14 255.255.255.255

interface Ethernet0/0
  ip address 172.16.0.14 255.255.255.0

interface Ethernet0/1
  ip address 172.17.0.14 255.255.255.0

interface Virtual-Template1 type tunnel
  ip unnumbered Loopback0
  tunnel source Ethernet0/0
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile FLEX-IPSEC-PROFILE

router eigrp flex
  address-family ipv4 unicast autonomous-system 1
    network 14.14.14.14 0.0.0.0
    network 172.17.0.14 0.0.0.0



Hub 2

crypto ikev2 proposal FLEX-PROPOSAL
  encryption aes-cbc-128
  integrity sha1
  group 1
crypto ikev2 policy FLEX-POLICY
  proposal FLEX-PROPOSAL
crypto ikev2 profile FLEX-PROFILE
  match address local 172.16.0.17
  match identity remote any
  authentication remote pre-share key spokekey
  authentication local pre-share key hubkey
  virtual-template 1
crypto ipsec transform-set FLEX-TSET esp-aes esp-sha-hmac
  mode tunnel
crypto ipsec profile FLEX-IPSEC-PROFILE
  set transform-set FLEX-TSET
  set ikev2-profile FLEX-PROFILE

interface Loopback0
  ip address 17.17.17.17 255.255.255.255

interface Ethernet0/0
  ip address 172.16.0.17 255.255.255.0

interface Ethernet0/1
  ip address 172.17.0.17 255.255.255.0

interface Virtual-Template1 type tunnel
  ip unnumbered Loopback0
  tunnel source Ethernet0/0
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile FLEX-IPSEC-PROFILE

router eigrp flex
  address-family ipv4 unicast autonomous-system 1
    network 17.17.17.17 0.0.0.0
    network 172.17.0.17 0.0.0.0


Spoke 1

crypto ikev2 proposal FLEX-PROPOSAL
  encryption aes-cbc-128
  integrity sha1
  group 1
crypto ikev2 policy FLEX-POLICY
  proposal FLEX-PROPOSAL
crypto ikev2 profile FLEX-PROFILE
  match address local 172.16.0.15
  match identity remote any
  authentication remote pre-share key hubkey
  authentication local pre-share key spokekey
crypto ikev2 client flexvpn FLEX-CLIENT
  peer 1 172.16.0.14
  peer 2 172.16.0.17
  client connect Tunnel1
crypto ipsec transform-set FLEX-TSET esp-aes esp-sha-hmac
  mode tunnel
crypto ipsec profile FLEX-IPSEC-PROFILE
  set transform-set FLEX-TSET
  set ikev2-profile FLEX-PROFILE

interface Loopback0
  ip address 15.15.15.15 255.255.255.255

interface Ethernet0/0
  ip address 172.16.0.15 255.255.255.0

interface Tunnel1
  ip unnumbered Loopback0
  tunnel source Ethernet0/0
  tunnel mode ipsec ipv4
  tunnel destination dynamic
  tunnel protection ipsec profile FLEX-IPSEC-PROFILE

router eigrp flex
  address-family ipv4 unicast autonomous-system 1
    network 15.15.15.15 0.0.0.0


Spoke 2

crypto ikev2 proposal FLEX-PROPOSAL
  encryption aes-cbc-128
  integrity sha1
  group 1
crypto ikev2 policy FLEX-POLICY
  proposal FLEX-PROPOSAL
crypto ikev2 profile FLEX-PROFILE
  match address local 172.16.0.16
  match identity remote any
  authentication remote pre-share key hubkey
  authentication local pre-share key spokekey
crypto ikev2 client flexvpn FLEX-CLIENT
  peer 1 172.16.0.14
  peer 2 172.16.0.17
  client connect Tunnel1
crypto ipsec transform-set FLEX-TSET esp-aes esp-sha-hmac
  mode tunnel
crypto ipsec profile FLEX-IPSEC-PROFILE
  set transform-set FLEX-TSET
  set ikev2-profile FLEX-PROFILE

interface Loopback0
  ip address 16.16.16.16 255.255.255.255

interface Ethernet0/0
  ip address 172.16.0.16 255.255.255.0

interface Tunnel1
  ip unnumbered Loopback0
  tunnel source Ethernet0/0
  tunnel mode ipsec ipv4
  tunnel destination dynamic
  tunnel protection ipsec profile FLEX-IPSEC-PROFILE

router eigrp flex
  address-family ipv4 unicast autonomous-system 1
    network 16.16.16.16 0.0.0.0
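As an added example, not part of the original lab configuration, here is the crypto section of Hub 1 and Spoke 1 rewritten with the settings I would use outside a lab: AES-256-GCM with a SHA-512 PRF and DH group 19 for IKEv2, ESP-GCM-256 with PFS for IPsec, a keyring holding a distinct pre-shared key pair per peer instead of one key shared by every spoke, identity matching on each peer's address instead of any, and dead peer detection. Hub 2 and Spoke 2 get the same structure with their own addresses. The keyring name FLEX-KEYRING, the peer entry names and the key strings are assumptions for illustration only; the IP addresses and the other object names are the lab's. The interface and EIGRP configuration is unchanged.

```ios
! ===== Hub 1: hardened crypto section (added example) =====
crypto ikev2 proposal FLEX-PROPOSAL
  encryption aes-gcm-256
  prf sha512
  group 19
crypto ikev2 policy FLEX-POLICY
  proposal FLEX-PROPOSAL
!
! one key pair per spoke; key strings are placeholders (assumed)
crypto ikev2 keyring FLEX-KEYRING
  peer SPOKE1
    address 172.16.0.15
    identity address 172.16.0.15
    pre-shared-key local Hub1-to-Spoke1-Key
    pre-shared-key remote Spoke1-to-Hub1-Key
  peer SPOKE2
    address 172.16.0.16
    identity address 172.16.0.16
    pre-shared-key local Hub1-to-Spoke2-Key
    pre-shared-key remote Spoke2-to-Hub1-Key
!
! only the two known spoke identities are accepted, keys come from the keyring
crypto ikev2 profile FLEX-PROFILE
  match address local 172.16.0.14
  match identity remote address 172.16.0.15 255.255.255.255
  match identity remote address 172.16.0.16 255.255.255.255
  identity local address 172.16.0.14
  authentication remote pre-share
  authentication local pre-share
  keyring local FLEX-KEYRING
  dpd 10 2 on-demand
  virtual-template 1
!
crypto ipsec transform-set FLEX-TSET esp-gcm 256
  mode tunnel
crypto ipsec profile FLEX-IPSEC-PROFILE
  set transform-set FLEX-TSET
  set pfs group19
  set ikev2-profile FLEX-PROFILE

! ===== Spoke 1: hardened crypto section (added example) =====
crypto ikev2 proposal FLEX-PROPOSAL
  encryption aes-gcm-256
  prf sha512
  group 19
crypto ikev2 policy FLEX-POLICY
  proposal FLEX-PROPOSAL
!
! the spoke holds the mirror image of each hub's key pair (assumed strings)
crypto ikev2 keyring FLEX-KEYRING
  peer HUB1
    address 172.16.0.14
    identity address 172.16.0.14
    pre-shared-key local Spoke1-to-Hub1-Key
    pre-shared-key remote Hub1-to-Spoke1-Key
  peer HUB2
    address 172.16.0.17
    identity address 172.16.0.17
    pre-shared-key local Spoke1-to-Hub2-Key
    pre-shared-key remote Hub2-to-Spoke1-Key
!
crypto ikev2 profile FLEX-PROFILE
  match address local 172.16.0.15
  match identity remote address 172.16.0.14 255.255.255.255
  match identity remote address 172.16.0.17 255.255.255.255
  identity local address 172.16.0.15
  authentication remote pre-share
  authentication local pre-share
  keyring local FLEX-KEYRING
  dpd 10 2 on-demand
crypto ikev2 client flexvpn FLEX-CLIENT
  peer 1 172.16.0.14
  peer 2 172.16.0.17
  client connect Tunnel1
!
crypto ipsec transform-set FLEX-TSET esp-gcm 256
  mode tunnel
crypto ipsec profile FLEX-IPSEC-PROFILE
  set transform-set FLEX-TSET
  set pfs group19
  set ikev2-profile FLEX-PROFILE
```

With an AEAD cipher such as AES-GCM the proposal carries no integrity line and the PRF must be set explicitly, which is why prf sha512 replaces integrity sha1. Matching on explicit remote addresses means a device that merely knows a spoke's key but comes from another address is rejected before authentication; where spokes sit behind NAT and their addresses are not fixed, match on an FQDN or key-id identity per keyring peer instead, or move to certificate authentication.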