Brksec 3013 PDF

Advanced IPSec with FlexVPN
BRKSEC-3013
Tom Alexander
Technical Leader
Objectives & Prerequisites
Session objectives:
Understand IKEv2 & FlexVPN Building blocks
Demonstrate the value-add of FlexVPN
Knowledge of FlexVPN Design and Deployment
Basic understanding of the following topics is required:
IPsec, IKEv1, PKI, AAA, RADIUS, AnyConnect
Experience with the following features is a plus:
DMVPN, EzVPN, Routing protocols
More FlexVPN
Proctor Led Lab : LABSEC-2630 - IPSec with FlexVPN (Friday 3/21 10-12 am)
Walk-in Self-Paced lab : LABSEC-1280 - FlexVPN in Practice (45 min)
Meet the Expert
Fred Detienne (Distinguished Engineer)
Tom Alexander (Technical Leader)
BRKSEC-3013 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
FlexVPN Introduction High Availability

Why FlexVPN Backup Mechanisms
FlexVPN Positioning Load Balancing
FlexVPN Building Blocks Remote Access
Overview
Basic Site to Site VPN
AnyConnect 3.0 Mobile
Shortcut Switching (FlexMesh)
Wrap-up
FlexVPN dVTI, AAA
Per peer features
AAA integration
Before We Begin...
For your Reference slides: Additional info slides:

Just for your reference when back at Rendered in the presentation PDF
work. (download it through the Cisco Live portal)
Not shown during the live presentation
Will not be covered in detail
Cover extra details or small additional
topics
FlexVPN Introduction
Why FlexVPN, IKEv2
EasyVPN, DMVPN and Crypto Maps
crypto isakmp policy 1
crypto isakmp policy 1
encr 3des
encr 3des crypto isakmp policy 1
authentication pre-share
authentication pre-share encr 3des
group 2
group 2 authentication pre-share
crypto isakmp client configuration group cisco
group 2
crypto ipsec transform-set vpn-ts-set esp-3des esp-sha-hmac
key cisco123
crypto isakmp client configuration group cisco
pool dvti mode transport
key pr3sh@r3dk3y
acl 100 crypto ipsec profile vpnprofile
pool vpnpool
crypto isakmp profile dvti set transform-set vpn-ts-set
acl 110
match identity group ciscointerface Tunnel0
crypto ipsec transform-set vpn-ts-set esp-3des esp-sha-hmac
ip address 10.0.0.254 255.255.255.0
client authentication list lvpn
crypto dynamic-map dynamicmap 10
ip nhrp map multicast dynamic
isakmp authorization list lvpn
set transform-set vpn-ts-set
client configuration address
iprespond
nhrp network-id 1
reverse-route
virtual-template 1 tunnel source Serial1/0 crypto map client-vpn-map client authentication list userauthen
crypto ipsec transform-set dvti esp-3des
tunnel esp-sha-hmac
mode gre multipoint crypto map client-vpn-map isakmp authorization list groupauthor
crypto ipsec profile dvti tunnel protection ipsec profile vpnprof crypto map client-vpn-map client configuration address initiate
set transform-set dvti
crypto map client-vpn-map client configuration address respond
set isakmp-profile dvti ip route 192.168.0.0 255.255.0.0 Null0router bgp 1
crypto map client-vpn-map 10 ipsec-isakmp dynamic dynamicmap
bgp tunnel
interface Virtual-Template1 type log-neighbor-changes
interface FastEthernet0/0
ip unnumbered Ethernet0/0 redistribute static
ip address 83.137.194.62 255.255.255.240
tunnel mode ipsec ipv4 neighbor DMVPN peer-group
crypto map client-vpn-map
bgpdvti
tunnel protection ipsec profile listen range 10.0.0.0/24 peer-group DMVPN
ip local pool vpnpool 10.10.1.1 10.10.1.254
ip local pool dvti 192.168.2.1 neighbor DMVPN remote-as 1
192.168.2.2
access-list 110 permit ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 10.0.0.2
no auto-summary
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
VPN Technology Selection
Death by a thousand questions
3rd party and
legacy support Hub & Spoke
AAA Manageability
Spoke Spoke
Failover time IPv4/IPv6 dual
Solution vs Direct
Failure detectionComponents stack
method Design complexity
Route Injection
Dual DMVPN Dynamic Routing Crypto Map or
Feature order Tunnels
Multi-Hub Homing
Per peer ACLs
Multi-ISP Homing Scalability Multicast
QoS support
High Availability
FlexVPN Unifies
Unified Overlay VPNs
Per-Peer QoS
direct (shortcut)
Spoke-spoke
Management
Config push
Full AAA
Dynamic
Per-peer
Failover
Failover
Routing
Routing
Remote
Access
Source
Interop
Simple
config
IPsec
VPN
Easy
No No Yes No Yes Yes No Yes Yes Yes Yes
VPN
DMVPN No Yes No Yes No partial No No No group No
Crypto
Yes No Yes No Yes poor No No No No No
Map
Flex VPN Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
One VPN to learn and deploy

Everything works no questions asked
Flex is IKEv2 Only
Why Flex now?
Authentication
Same
Integrity
Objectives
ISAKMP Privacy
RFC2408
DPD
Mode- Suite B
config IKE IKEv2 More Secure
RFC2409 RFC5996
DOI Anti-DoS
RFC2407
NAT-T PSK, RSA-Sig
Authentication EAP
Options
Hybrid Auth
Uses UDP ports 500 & 4500
Similar but Identity Exchange is Cleaner

Different
Main + Aggressive INITIAL
Acked notifications
FlexVPN Overview
What is FlexVPN?
IKEv2-based unified VPN technology that combines site-to-site, remote-access, hub-
spoke and spoke-to-spoke topologies
FlexVPN highlights
Unified CLI
Based on and compliant to IKEv2 standard
Unified infrastructure: leverages IOS Point-to-Point tunnel interface
Unified features: most features available across topologies
Key features: AAA, config-mode, dynamic routing, IPv6
Simplified config using smart-defaults
Interoperable with non-Cisco implementations
Easier to learn, market and manage
FlexVPN Building Blocks
13
FlexVPN and Interfaces
Hub 1 Tu0 Tu0

Hub 2
VT1 VT2
Site to Site
VA1 VA2 VA3 Remote Access
Hub & Spoke
Dynamic Mesh
Tu0 Static Tunnel

Tu0 Tu0
VT Virtual Template
Spoke 1 VT1 VA1 VA1 VT1 Spoke 2

Remote Virtual Access
VA
User
Sample FlexVPN Config All parameters tunable
per-peer via AAA
crypto ikev2 profile default
match identity remote fqdn domain cisco.com
identity local fqdn R1.cisco.com
authentication local rsa-sig
IKEv2 authentication remote pre-share
Parameters pki trustpoint TP sign
aaa authentication eap default
aaa authorization user eap
virtual-template 1
Hub & Spoke interface Virtual-Template1 type tunnel

ip unnumbered loopback0
tunnel protection ipsec profile default Dual Stack v4/v6
Remote Access
ip nhrp network-id 1
Interop & tunnel mode ipsec ipv4

Legacy Spoke-Spoke
crypto map peer shortcut switching
Only one local identity allowed
IKEv2 CLI Overview identity
identity
local
local
address 10.0.0.1
fqdn local.cisco.com
IKEv2 Profile Extensive CLI identity
identity
local
local
email local@cisco.com
dn Multiple match identity allowed
Self Identity Control match identity remote address 10.0.1.1

match identity remote fqdn remote.cisco.com
Match on peer IKE identity match identity remote email remote@cisco.com Same Type: Logically
match identity remote email domain cisco.com ORed
or certificate
match certificate certificate_map
match fvrf red

Match on local address and match address local 172.168.1.1 Different Type:
front VRF Logically ANDed
authentication local pre-share
authentication local rsa-sig Only one local method allowed
Asymmetric local & remote authentication local eap
authentication methods
authentication remote pre-share Multiple remote methods allowed
authentication remote rsa-sig
authentication remote eap
Local and AAA-based
Pre-Shared Keyring keyring local IOSKeyring
keyring aaa AAAlist
pki trustpoint <trustpoint_name>

IKEv2 Basic Negotiation
HDR, SAi1, KEi, Ni
Initiator Responder
HDR, SAr1, KEr, Nr [CERTREQ]
HDR, SK {IDi, [CERT], [CERTREQ], [IDr], AUTH, SAi2, TSi, TSr}
HDR, SK {IDr, [CERT], AUTH, TSi, TSr}
HDR IKE Header IDi, IDr Initiator/Responder IKE Identity

Length
SAi, SAr Crypto algorithms proposed/accepted by the peer CERTREQ, CERT Certificate Request, Certificate Payload
KEi, KEr Initiator Key Exchange material AUTH Authentication data
Ni, Nr Initiator/Responder Nonce SA Proposal & Transform to create initial CHILD_SA
SK {...} Payload encrypted and integrity protected TSi, TSr Traffic Selectors (as src/dst proxies)
IKEv2 Profile Match Statements
match certificate <certificate map>
SubjectName:
CN=RouterName
O=Cisco
OU=Engineering
HDR, SK {IDi, [Cert], [Certreq], [IDr], AUTH, SAi2, TSi, TSr}
IssuerName:
CN=PKI Server
O=Cisco
OU=IT
match identity remote address

172.16.0.1
router.cisco.com match identity remote fqdn
router@cisco.com
match identity remote email
IPsec CLI Overview
Tunnel Protection
Transform set unchanged

crypto ipsec transform-set default esp-aes 128 esp-sha-hmac
IPsec profile defines SA crypto ipsec profile default

parameters and points to
set transform-set default
IKEv2 profile
set crypto ikev2 profile default
Dynamic and Static point-
to-point interfaces interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel protection ipsec profile default
Static point-to-point
interfaces interface Tunnel0
ip address 10.0.0.1 255.255.255.252
tunnel source Ethernet0/0
Tunnel protection links to tunnel destination 172.16.2.1
to IPsec profile tunnel protection ipsec profile default
Introducing Smart Defaults
Intelligent, reconfigurable defaults
crypto ipsec
crypto ipsectransform-set
transform-set
default
default crypto ikev2 profile default
esp-aes 128
esp-aes 128 esp-sha-hmac
esp-sha-hmac match identity remote address 10.0.1.1
cryptoipsec
crypto ipsecprofile
profile
default
default aaa authorization user cert list default default
set transform-set default pki trustpoint TP
set crypto ikev2 profile default !
interface Tunnel0
cryptoikev2
crypto ikev2proposal
proposaldefault
default ip address 192.168.0.1 255.255.255.252
encryption aes-cbc-256 aes-cbc-128 3des
integrity sha512 sha 256 sha1 md5 What you need to specify
group 5 2
cryptoikev2
crypto ikev2policy
policy
default
default
match fvrf any
proposal default
cryptoikev2
crypto ikev2authorization
authorization
policy
policy
default
default
route set interface
route accept any These constructs are the Smart Defaults
Packet Forwarding
Basic Packet Forwarding
Layer 5+ IKE AAA BGP
Layer 4
Layer 3 Routing
Layer 2 Output
Eth0/0 features
Eth0/1
Input
features
Encapsulation
IKE Flow Creation
optional
Layer 4 Remote private

networks added to
routing table
Layer 3
Layer 2 Per peer features

applied here by
IKEv2
Eth0/0 V-Access1 Eth0/1
LAN
Virtual-Access
Interface (Tunnel)
created by IKEv2
BRKSEC-3013 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public
WAN 25
Packet Forwarding Tunnels & Features
Layer 4 Post-encapsulation
Tunnel Protection
Layer 3 Routing Routing
Layer 2 Eth0/1
Eth0/0 V-Access1 Output

Input Output features Encapsulation
features (static or AAA) features
Encapsulation
Cleartext Traffic
(from corporate LAN) Encrypted traffic
(WAN)
FlexVPN AAA Integration
High-Level AAA Interactions
RA Client FlexVPN Server AAA Server
IKEv2 Initiator IKEv2 Responder RADIUS Server
RADIUS Client RADIUS NAS EAP Backend
EAP Supplicant EAP Authenticator
Cert. Authentication
Authentication PSK Authentication AAA PSK Retrieval
EAP Client Authentication
Cached Authorization
Authorization Local Authorisation
RADIUS Authorisation
Accounting RADIUS Accounting
Authorisation Types
Not mutually exclusive May be combined
RADIUS (Access-Accept)
Implicit User Authorisation Local PSK = cisco!
Remote PSK = !ocsic Cached for
aaa authorization user {psk|eap} cached Other user attributes for joe authorisation
Uses cached attributes received from RADIUS during AAA PSK retrieval or EAP authentication
Explicit User Authorisation

aaa authorization user {psk|eap|cert} list list [name | name-mangler mangler]
Retrieves user attributes from RADIUS (local database not supported)
Explicit Group Authorisation Reverse order of precedence (group > user)

aaa authorization group {psk|eap|cert} [override] list list [name | name-mangler mangler]
Retrieves group attributes from RADIUS or local database

Attributes Merging
FlexVPN Server AAA Server
Received during
AAA-based authentication
Attribute Value
Cached User Attributes Received during explicit
Framed-IP-Address 10.0.0.101
user authorisation
ipsec:dns-servers 10.2.2.2 Explicit User Attributes take precedence
Explicit User Attributes Attribute Value

Attribute Value
Merged User Attributes
Received during explicit
ipsec:dns-servers 10.2.2.2 Merged User Attributes take precedence group authorisation
except if group override configured
Explicit Group Attributes Attribute Value

Attribute Value ipsec:dns-servers 10.2.2.3
Framed-IP-Address 10.0.0.102 ipsec:banner Welcome !
Final Merged Attributes
ipsec:dns-servers 10.2.2.2
ipsec:banner Welcome !
Building Block IKEv2 Name Mangler
RADIUS Client RADIUS NAS
IKEv2 Exchange
crypto ikev2 name-mangler extract-user
FQDN: joe.cisco.com fqdn hostname
Email: joe@cisco.com RA Client Identity
email username
DN: cn=joe,ou=IT,o=Cisco dn common-name
EAP: joe@cisco IKEv2 Name Mangler eap prefix delimiter @
AAA Username: joe

Static password
(configurable)
Local AAA Request RADIUS AAA Request
Username: joe Username: joe, password: cisco
Start with the peers IKE or EAP identity

Derive a username that is meaningful to AAA (local or RADIUS)
Basic Site to Site VPN
Site-to-site configuration
IPv4 and static routing
172.16.1.1 172.16.2.1
192.168.1.0/24 192.168.2.0/24
crypto ikev2 keyring KR crypto ikev2 keyring KR

peer RightPeer Just a string peer LeftPeer
address 172.16.2.1 Peer address address 172.16.1.1
pre-shared-key local CISCO pre-shared-key local OCSIC
pre-shared key remote OCSIC pre-shared key remote CISCO
crypto ikev2 profile default crypto ikev2 profile default

match identity fqdn RouterRight.cisco.com match identity fqdn RouterLeft.cisco.com
identity local fqdn RouterLeft.cisco.com identity local fqdn RouterRight.cisco.com
authentication local pre-shared authentication local pre-shared
authentication remote pre-shared authentication remote pre-shared
keyring local KR keyring local KR
interface Tunnel0 interface Tunnel0

ip address 10.0.0.1 255.255.255.252 ip address 10.0.0.2 255.255.255.252
tunnel source FastEthernet0/0 tunnel source FastEthernet0/0
tunnel destination 172.16.2.1 tunnel destination 172.16.1.1
tunnel protection ipsec profile default Could use a routing tunnel protection ipsec profile default
protocol (IGP/BGP)
ip route 192.168.2.0 255.255.255.0 Tunnel0 ip route 192.168.1.0 255.255.255.0 Tunnel0
Site-to-site configuration
IPv6 and OSPF
172.16.1.1 172.16.2.1
2001:db8:cafe::/64 2001:db8:cafe::/64
ipv6 unicast-routing ipv6 unicast-routing

ipv6 address FE80::1 link-local ipv6 address FE80::2 link-local
ipv6 ospf 1 area 0 ipv6 ospf 1 area 0
tunnel source FastEthernet0/0 tunnel source FastEthernet0/0
tunnel destination 172.16.2.1 tunnel destination 172.16.1.1
tunnel protection ipsec profile default tunnel protection ipsec profile default
interface E0/0 interface E0/0

ipv6 address 2001:db8:cafe::1/64 ipv6 address 2001:db8:beef::1/64
ipv6 ospf 1 area 0 ipv6 ospf 1 area 0
Shortcut Switching
With IKEv2 Policies
FlexVPN Mesh
Network Diagram with Hub Resiliency
192.168.100.0/24
.1 .2 .254
172.16.0.1 172.16.0.2
Virtual-Access
Interfaces
Static Tunnel
Virtual-Access Interface
Interfaces
Hub & Spoke Bootstrap Config Exchange
192.168.100.0/24
.1 .254
192.168.1.0/24
172.16.1.1 172.16.0.1
SA Prop (AES-256, SHA-1, DH 5), KEi, Ni
SA Prop (AES-256, SHA-1, DH 5), KEr, Nr

Interfaces
Ethernet0/0: 172.16.1.1 Ethernet0/0: 172.16.0.1
Interfaces
Ethernet0/1: 192.168.1.1 IDi=Spoke1.cisco.com, Auth, TSi, TSr, Ethernet0/1: 192.168.100.1
Tunnel0: 10.0.0.1 Loopback0: 10.0.0.254/32
CFG_Req(IP4_SUBNET) VirtualAccess1: 10.0.0.254/32
Spoke Assigned Address
(optional)
IDr, cert, Auth, TSi, TSr,
Routing Table
Routing Table
172.16.0.1/32 172.16.1.254 (E0/0) 0.0.0.0/0 172.16.0.254 (E0/0)
192.168.1.0/24 Ethernet 0/1 CFG_Reply(IP4_SUBNET=10.0.0.254/32, 192.168.0.0/16; 192.168.100.0/24 Ethernet 0/1
10.0.0.254/32 Tunnel 0 IP4_ADDRESS=10.0.0.1) 10.0.0.1/32 VirtualAccess1
192.168.0.0/16 Tunnel 0 CFG_set(IP4_SUBNET=10.0.0.1/32, 192.168.1.0/24, 192.168.1.0/24 VirtualAccess1
10.0.0.1/32)
Supernet covering all CFG_ack()
spokes LAN prefixes
FlexVPN Hub and Spoke
IKE Exchange Routes / Policies
C 10.0.0.254 Loopback0 C 10.0.0.253 Loopback0
Routing Table
Routing Table
C 192.168.100.0/24 Eth0 C 192.168.100.0/24 Eth0
S 192.168.0.0/16 Tunnel100 Hub 1 Hub 2 S 192.168.0.0/16 Tunnel100
S 10.0.0.0/8 Tunnel100 .1 192.168.100.0/24 .2 S 10.0.0.0/8 Tunnel100
S 10.0.0.1 V-Access1 S 10.0.0.2 V-Access1
S 192.168.1.0/24 V-Access1 Tunnel 100 S 192.168.2.0/24 V-Access1
Physical: 172.16.0.1 Physical: 172.16.0.2

Tunnel: 10.0.0.254 Tunnel: 10.0.0.253

Tunnel: 10.0.0.1 Tunnel: 10.0.0.2
NHRP Table
NHRP Table
- -
Spoke 1 Spoke 2
192.168.1.0/24 192.168.2.0/24
C 192.168.1.0/24 Eth0 C 192.168.2.0/24 Eth0
Routing Table
Routing Table
C 10.0.0.1 Tunnel0 C 10.0.0.2 Tunnel1
S 0.0.0.0/0 Dialer0 S 0.0.0.0/0 Dialer0
S 10.0.0.254/32 Tunnel0 S 10.0.0.253/32 Tunnel1
S 192.168.0.0/16 Tunnel0 S 192.168.0.0/16 Tunnel1
FlexVPN Mesh w/ IKEv2 Routing
Shortcut Switching (1)
Routing Table
Routing Table
C 192.168.100.0/24 Eth0 C 192.168.100.0/24 Eth0
S 10.0.0.0/8 Tunnel100 .1 192.168.100.0/24 .2 S 10.0.0.0/8 Tunnel100

Tunnel: 10.0.0.254 Tunnel: 10.0.0.253

Tunnel: 10.0.0.1 Tunnel: 10.0.0.2
NHRP Table
NHRP Table
- -
Spoke 1 Spoke 2
192.168.1.0/24 192.168.2.0/24
C 192.168.1.0/24 Eth0 C 192.168.2.0/24 Eth0
Routing Table
Routing Table
C 10.0.0.1 Tunnel0 C 10.0.0.2 Tunnel1
S 0.0.0.0/0 Dialer0 S 0.0.0.0/0 Dialer0
S 10.0.0.254/32 Tunnel0 S 10.0.0.253/32 Tunnel1
S 192.168.0.0/16 Tunnel0 S 192.168.0.0/16 Tunnel1
FlexVPN Mesh w/ IKEv2 Routing
Policy Shortcut Switching (2)
Routing Table
Routing Table
C 192.168.100.0/24 Eth0 C 192.168.100.0/24 Eth0
S 10.0.0.0/8 Tunnel100 .1 192.168.100.0/24 .2 S 10.0.0.0/8 Tunnel100
Physical: 172.16.0.1 Resolution Physical: 172.16.0.2

Tunnel: 10.0.0.254 (192.168.2.2) Tunnel: 10.0.0.253

Tunnel: 10.0.0.1 Tunnel: 10.0.0.2
NHRP Table
NHRP Table
10.0.0.2/32 172.16.2.1 Resolution Reply 10.0.0.1 172.16.1.1
192.168.2.0/24 172.16.2.1 (192.168.2.0/24)
Spoke 1 Spoke 2
192.168.1.0/24 192.168.2.0/24
C 192.168.1.0/24 Eth0 C 192.168.2.0/24 Eth0
C 10.0.0.1 Tunnel0 C 10.0.0.2 Tunnel1
Routing Table
Routing Table
S 0.0.0.0/0 Dialer0 S 0.0.0.0/0 Dialer0
S 10.0.0.254/32 Tunnel0 S 10.0.0.253/32 Tunnel1
S 192.168.0.0/16 Tunnel0 S 192.168.0.0/16 Tunnel1
H/S 10.0.0.2/32 V-Access1 H/S 10.0.0.1/32 V-Access1
H/S 192.168.2.0/24 V-Access1
FlexVPN Mesh w/ IKEv2 Policy
Shortcut Switching (3)
Routing Table
Routing Table
C 192.168.100.0/24 Eth0 C 192.168.100.0/24 Eth0
S 10.0.0.0/8 Tunnel100 .1 192.168.100.0/24 .2 S 10.0.0.0/8 Tunnel100

Tunnel: 10.0.0.254 Tunnel: 10.0.0.253

Tunnel: 10.0.0.1 Tunnel: 10.0.0.2
NHRP Table
NHRP Table
10.0.0.2/32 172.16.2.1 10.0.0.1 172.16.1.1
192.168.2.0/24 172.16.2.1
Spoke 1 Spoke 2
192.168.1.0/24 192.168.2.0/24
C 192.168.1.0/24 Eth0 C 192.168.2.0/24 Eth0
C 10.0.0.1 Tunnel0 C 10.0.0.2 Tunnel1
Routing Table
Routing Table
S 0.0.0.0/0 Dialer0 S 0.0.0.0/0 Dialer0
S 10.0.0.254/32 Tunnel0 S 10.0.0.253/32 Tunnel1
S 192.168.0.0/16 Tunnel0 S 192.168.0.0/16 Tunnel1
H/S 10.0.0.2/32 V-Access1 H/S 10.0.0.1/32 V-Access1
H/S 192.168.2.0/24 V-Access1
FlexVPN Mesh (IKEv2 Routing)
Hub 1 Configuration
Static per-spoke
Accept connections features applied here
from Spokes
crypto ikev2 profile default interface Virtual-Template1 type tunnel
match identity remote fqdn domain cisco.com ip unnumbered Loopback0
NHRP is the magic
identity local fqdn Hub1.cisco.com ip nhrp network-id 1 All V-Access will be in
authentication remote rsa-sig Local or AAA spoke profiles ip nhrp redirect the same network-id
authentication local rsa-sig supported. Can even control ip access-group AllowMyBGP in
QoS, ZBF, NHRP redirect,
pki trustpoint TP network-id, tunnel protection ipsec profile default
dpd 10 2 on-demand ! Hub 1 dedicated overlay
aaa authorization group cert list default default interface Loopback0 address
virtual-template 1 ip address 10.0.0.254 255.255.255.255
! !
Inter-Hub link
crypto ikev2 authorization policy default interface Tunnel100 (not encrypted)
route set remote 10.0.0.0 255.0.0.0 ip unnumbered Loopback0
route set remote 192.168.0.0 255.255.0.0 ip nhrp network-id 1 Same NHRP network-id
ip nhrp redirect on v-access and inter-
tunnel source Ethernet0/1 hub link
tunnel destination 192.168.100.2
These prefixes can also be Defines which prefixes
set by RADIUS should be protected
FlexVPN Mesh (IKEv2 Routing)
Hub 2 Configuration
crypto ikev2 profile default interface Virtual-Template1 type tunnel

match identity remote fqdn domain cisco.com ip unnumbered Loopback0
identity local fqdn Hub2.cisco.com ip nhrp network-id 1
authentication remote rsa-sig ip nhrp redirect
authentication local rsa-sig Dedicated Identity ip access-group AllowMyBGP in
pki trustpoint TP (optional) tunnel protection ipsec profile default
dpd 10 2 on-demand ! Dedicated Overlay
aaa authorization group cert list default default interface Loopback0 Address
! !
crypto ikev2 authorization policy default interface Tunnel100
route set remote 10.0.0.0 255.0.0.0 ip unnumbered Loopback0
route set remote 192.168.0.0 255.255.0.0 ip nhrp network-id 1
ip nhrp redirect
Configurations of Hub 1 and Hub 2 are almost identical!

FlexVPN Mesh (IKEv2 Routing) QoS
Everywhere!
Spoke Configuration
interface Loopback0
ip address 10.0.0.2 255.255.255.255
interface Tunnel0
ip unnumbered Loopback0 Tunnel to Hub 1
match identity remote fqdn domain cisco.com ip nhrp network-id 1
ip nhrp shortcut virtual-template 1
QoS can be applied here

identity local fqdn Spoke2.cisco.com
authentication remote rsa-sig tunnel source Ethernet0/0
authentication local rsa-sig tunnel destination 172.16.0.1
Needed for tunnel tunnel protection ipsec profile default
pki trustpoint TP
dpd 10 2 on-demand
address exchange !
aaa authorization group cert list default default interface Tunnel1 Tunnel1 to Hub 2
virtual-template 1 ip unnumbered Loopback0
crypto ikev2 authorization policy default tunnel source Ethernet0/0
route set interface tunnel destination 172.16.0.2
route set interface e0/0 tunnel protection ipsec profile default
interface Virtual-Template1 type tunnel

V-Template to clone for ip nhrp network-id 1
spoke-spoke tunnels ip nhrp shortcut virtual-template 1
Shortcut Switching
With a routing protocol (BGP)
FlexVPN Mesh with BGP Routing
Routing Table
Routing Table
C 192.168.100.0/24 Eth0 C 192.168.100.0/24 Eth0
S 10.0.0.0/8 Tunnel100 .1 192.168.100.0/24 .2 S 10.0.0.0/8 Tunnel100
B 192.168.1.0/24 10.0.0.1 Tunnel 100 B 192.168.2.0/24 10.0.0.2

Tunnel: 10.0.0.254 Tunnel: 10.0.0.253

Tunnel: 10.0.0.1 Tunnel: 10.0.0.2
NHRP Table
NHRP Table
- -
Spoke 1 Spoke 2
192.168.1.0/24 192.168.2.0/24
C 192.168.1.0/24 Eth0 C 192.168.2.0/24 Eth0
Routing Table
Routing Table
C 10.0.0.1 Tunnel0 C 10.0.0.2 Tunnel1

S 0.0.0.0/0 Dialer0 S 0.0.0.0/0 Dialer0
S 10.0.0.254/32 Tunnel0 S 10.0.0.253/32 Tunnel1
B 192.168.0.0/16 10.0.0.254 B 192.168.0.0/16 10.0.0.253
FlexVPN Mesh (BGP)
Hub 1 Configuration
crypto ikev2 profile default Accept connections
match identity remote fqdn domain cisco.com from Spokes
identity local fqdn Hub1.cisco.com
authentication local rsa-sig Local or AAA spoke profiles
supported. Can even control QoS, ip route 10.0.0.0 255.0.0.0 Tunnel100 tag 2
pki trustpoint TP NHRP redirect, network-id, ip route 192.168.0.0 255.255.0.0 Tunnel100 tag 2
dpd 10 2 on-demand
aaa authorization group cert list default default Dynamically accept spoke
router bgp 1
virtual-template 1 BGP peering!
Static per-peer config here bgp log-neighbor-changes
bgp listen range 10.0.0.0/24 peer-group Flex
!
address-family ipv4
ip access-group AllowMyBGP in NHRP is the magic
All V-Access will be in neighbor Flex peer-group
the same network-id neighbor Flex remote-as 1
ip nhrp redirect
neighbor Flex timers 5 15
neighbor Flex next-hop-self all
Hub 1 dedicated overlay address redistribute static route-map rm
interface Loopback0
exit-address-family
ip address 10.0.0.254 255.255.255.255
! route-map filters static
Inter-Hub link route-map rm permit 10 routes to redistribute in
interface Tunnel100 (not encrypted) BGP
match tag 2
ip nhrp network-id 1 Same NHRP network-id
ip nhrp redirect on v-access and inter-
tunnel source Ethernet0/1 hub link
FlexVPN Mesh (BGP)
Hub 2 Configuration
ip route 10.0.0.0 255.0.0.0 Tunnel100 tag 2
ip route 192.168.0.0 255.255.0.0 Tunnel100 tag 2
identity local fqdn Hub2.cisco.com
router bgp 1
authentication local rsa-sig Dedicated Identity
bgp log-neighbor-changes
pki trustpoint TP (optional) bgp listen range 10.0.0.0/24 peer-group Flex
dpd 10 2 on-demand
!
aaa authorization group cert list default default
address-family ipv4
virtual-template 1
redistribute static route-map rm
neighbor Flex peer-group
neighbor Flex remote-as 1
neighbor Flex timers 5 15
ip access-group AllowMyBGP in
neighbor Flex next-hop-self all
exit-address-family
ip nhrp redirect
!
route-map rm permit 10
Dedicated Overlay Address match tag 2
interface Loopback0
ip address 10.0.0.253 255.255.255.255
interface Tunnel100
Almost the same as Hub 1 again!
ip nhrp redirect
FlexVPN Mesh (BGP) QoS
Everywhere!
Spoke Configuration
crypto ikev2 profile default interface Loopback0
match identity remote fqdn domain cisco.com ip address 10.0.0.2 255.255.255.255
identity local fqdn Spoke2.cisco.com
authentication remote rsa-sig interface Tunnel0
authentication local rsa-sig ip unnumbered Loopback0 Tunnel to Hub 1
Needed for tunnel
pki trustpoint TP ip nhrp network-id 1
dpd 10 2 on-demand
address exchange
QoS can be applied here

aaa authorization group cert list default default tunnel source Ethernet0/0
virtual-template 1 tunnel destination 172.16.0.1
router bgp 1 !
bgp log-neighbor-changes interface Tunnel1 Tunnel1 to Hub 2
neighbor 10.0.0.253 remote-as 1 ip unnumbered Loopback0
neighbor 10.0.0.253 timers 5 15 ip nhrp network-id 1
neighbor 10.0.0.254 remote-as 1 ip nhrp shortcut virtual-template 1
neighbor 10.0.0.254 timers 5 15 tunnel source Ethernet0/0
! tunnel destination 172.16.0.2
address-family ipv4 tunnel protection ipsec profile default
network 192.168.2.0
neighbor 10.0.0.253 activate interface Virtual-Template1 type tunnel
neighbor 10.0.0.254 activate ip unnumbered Loopback0
maximum-paths ibgp 2 ip nhrp network-id 1
V-Template to clone for ip nhrp shortcut virtual-template 1
spoke-spoke tunnels tunnel protection ipsec profile default
FlexVPN Per-Peer Features
Provisioning Per-Peer Features
Central and Distributed Models Option #1:
Option #2: Group Features on
Virtual-Template
profiles on IOS
192.168.100.0/24
Some spokes .1 .254
with high
bandwidth
172.16.0.1
Option #3: Central
Some spokes Service Policy
belong to VRF enforcement on RADIUS
Red
Some spokes
belong to VRF Some spokes
Blue with low
bandwidth
VRF Injection 192.168.100.0/24
Hub injects traffic in chosen VRF 192.168.100.0/24
192.168.100.0/24
Hub private interface(s) in Inside VRF (light) .1 .1 .1 .2 .2 .2
Virtual-Access in iVRF 172.16.1.254 172.16.1.253
Wan in Global Routing Table

or Front VRF
Optional VRF on spokes

(Not in this example)
Inside-VRF and Front-VRF
Layer 4 Remote protected

prefix added to
iVRF table
Global Routing VRF Red VRF Blue VRF
Front Door VRFGreen
Layer 3 Table aka fVRF
Inside VRF
aka iVRF
Layer 2 Applied by IKEv2:

vrf forwarding Red
tunnel vrf Blue
Virtual-Access
Interface (Tunnel)
created by IKEv2
WAN
Inside-VRF and Front-VRF
Layer 4 Post-encapsulation
Tunnel Protection (encrypt)
Global Routing VRF Red VRF Blue VRF Green

Layer 3 Table
Layer 2 Input Output

Output
features features
features
Tunnel
Virtual-Access
Encapsulation
Interface (Tunnel)
created by IKEv2
LAN
WAN
Hierarchical Shaper
Each Hub V-Access Needs Its Own Policy
Parent Shaper limits
total Bandwidth
1Mbps Pipe
Bandwidth
Priority Queuing Reservation
Fair Queuing
5Mbps Pipe
Step 1 Define Policy Map(s)
class-map Control
match ip precedence 6
class-map Voice
match ip precedence 5
policy-map SubPolicy
class Control
bandwidth 20
20Kbps Guaranteed to Control
class Voice
priority percent 60 60% of Bandwidth for Voice
1Mbps to each tunnel 5Mbps to each tunnel

policy-map Silver policy-map Gold
class class-default class class-default
shape average 1000000 shape average 5000000
service-policy SubPolicy service-policy SubPolicy
iVRF + fVRF + QoS +
Layer 4
Routes applied here
Global Routing VRF Red VRF Blue VRF Green

Layer 3 Table
Layer 2 Applied by IKEv2:

vrf forwarding Red
tunnel vrf Blue
service-policy out Gold
Any feature can be applied
here: NAT, NHRP
network-id, NHRP
redirect, FW Zone, QoS,
VRF, ACL
WAN
Heavy Configuration
VRF Injection Hub Configuration
Option 1: Mapping with In-IOS configuration (without AAA)
Dedicated IKEv2
profile
crypto ikev2 profile BLUE crypto ikev2 profile RED crypto ikev2 profile GREEN
match identity fqdn domain blue match identity fqdn domain red match identity fqdn domain green
authentication local rsa-sig FQDN Domain authentication local rsa-sig authentication local rsa-sig
authentication remote rsa-sig is differentiator authentication remote rsa-sig authentication remote rsa-sig
pki trustpoint CA pki trustpoint CA pki trustpoint CA
dpd 10 2 on-demand dpd 10 2 on-demand dpd 10 2 on-demand
aaa authorization group cert list default default aaa authorization group cert list default default aaa authorization group cert list default default
virtual-template 1 virtual-template 2 virtual-template 3
Virtual-Template in VRF
interface virtual-template1 type tunnel interface virtual-template2 type tunnel interface virtual-template3 type tunnel
vrf forwarding BLUE vrf forwarding RED vrf forwarding GREEN
ip unnumbered loopback1 Loopback in VRF ip unnumbered loopback2 ip unnumbered loopback3
service-policy Gold out service-policy Gold out service-policy Silver out
tunnel protection ipsec profile default tunnel protection ipsec profile default tunnel protection ipsec profile default
Add NHRP,
ACLs,
Group profiles on IOS
Option 2: Mapping with AAA group based configuration
aaa attribute list blue
attribute type interface-config vrf forwarding BLUE
attribute type interface-config ip unnumbered loopback1
aaa new-model attribute type interface-config service-policy Gold out
Profiles on IOS aaa authorization network default local
crypto ikev2 authorization policy blue
crypto ikev2 profile default aaa attribute list blue
Common IKEv2 match identity any route set interface
profile identity local fqdn Hub1.cisco.com
authentication local rsa-sig aaa attribute list red
authentication remote rsa-sig attribute type interface-config vrf forwarding RED
Profile name attribute type interface-config ip unnumbered loopback2
extracted from pki trustpoint CA
attribute type interface-config service-policy Silver out
dpd 10 2 on-demand
Domain Name
aaa authorization group cert default name-mangler dom crypto ikev2 authorization policy red
virtual-template 1 aaa attribute list red
route set interface
interface virtual-template1 type tunnel
Vanilla Virtual- tunnel protection ipsec profile default aaa attribute list green
Template attribute type interface-config vrf forwarding GREEN
attribute type interface-config ip unnumbered loopback3
crypto ikev2 name-mangler dom attribute type interface-config service-policy GOLD out
fqdn domain
crypto ikev2 authorization policy green
aaa attribute list green
route set interface
Option 3: RADIUS based profiles Group profiles on RADIUS
Could be per peer profiles
or group+peer (derivation)
Profiles stored on aaa new-model Profile blue / password cisco

aaa authorization network default group RADIUS ipsec:route-accept=any
RADIUS server
RADIUS Group Profiles

aaa group server radius RADIUS ipsec:route-set=interface
server-private 192.168.100.2 auth-port 1812
ip:interface-config=vrf forwarding BLUE
ip:interface-config=ip unnumbered loopback 1
acct-port 1813 key cisco123
ip:interface-config=service-policy Gold out
Common IKEv2 crypto ikev2 profile default
profile match identity any Profile red / password cisco
identity local fqdn Hub1.cisco.com ipsec:route-accept=any
authentication local rsa-sig ipsec:route-set=interface
Profile name authentication remote rsa-sig ip:interface-config=vrf forwarding RED
extracted from pki trustpoint CA ip:interface-config=ip unnumbered loopback 2
aaa authorization group cert default name-mangler dom
ip:interface-config=service-policy Silver out
Domain Name
virtual-template 1
Profile green / password cisco
interface virtual-template1 type tunnel ipsec:route-accept=any
Vanilla Virtual- tunnel protection ipsec profile default ipsec:route-set=interface
Template ip:interface-config=vrf forwarding GREEN
crypto ikev2 name-mangler dom ip:interface-config=ip unnumbered loopback 3
fqdn domain ip:interface-config=service-policy Gold out
For both options: BGP and VRF configurations
vrf definition BLUE
ip route vrf BLUE 10.0.0.0 255.0.0.0 Null0 rd 1:1
Attract summaries ip route vrf BLUE 192.168.0.0 255.255.0.0 Null0 address-family ipv4
and drops non- ip route vrf RED 10.0.0.0 255.0.0.0 Null0 address-family ipv6
reachable prefixes ip route vrf RED 192.168.0.0 255.255.0.0 Null0
interface Loopback1
ip route vrf GREEN 10.0.0.0 255.0.0.0 Null0 vrf forwarding BLUE
ip route vrf GREEN 192.168.0.0 255.255.0.0 Null0 ip address 10.0.0.254 255.255.255.255
BGP dynamic peering
router bgp 1
bgp listen range 10.1.0.0/16 peer-group BluePeer
These address can bgp listen range 10.2.0.0/16 peer-group RedPeer vrf definition RED
not currently overlap bgp listen range 10.3.0.0/16 peer-group GreenPeer rd 2:2
! address-family ipv4
address-family ipv4 vrf BLUE address-family ipv6
Follow CSCtw69765. redistribute static
neighbor BluePeer peer-group
neighbor BluePeer remote-as 1 interface Loopback2
Each VRF has its own exit-address-family vrf forwarding RED
control section. ! ip address 10.0.0.254 255.255.255.255
address-family ipv4 vrf RED
redistribute static
Activate peer group in neighbor RedPeer peer-group
neighbor RedPeer remote-as 1 vrf definition GREEN
its corresponding VRF
exit-address-family rd 3:3
! address-family ipv4
address-family ipv4 vrf GREEN address-family ipv6
Redistributes above redistribute static
neighbor GreenPeer peer-group
statics into BGP neighbor GreenPeer remote-as 1 interface Loopback3
exit-address-family vrf forwarding GREEN
BRKSEC-3013 2014 Cisco and/or its affiliates. All rights reserved.
ip address 10.0.0.254 255.255.255.255
Cisco Public 61
VRF Injection Spoke Configuration
Vanilla IKE and BGP configurations
Profiles stored on aaa new-model
RADIUS server aaa authorization network default local

Plain simple IKEv2 match identity remote fqdn Hub1.cisco.com
profile Basic iBGP configuration
match identity remote fqdn Hub2.cisco.com
identity local fqdn spoke1.RED
IKEv2 Identity authentication remote rsa-sig
Defines Group authentication local rsa-sig
pki trustpoint TP router bgp 1
Required for config dpd 10 2 on-demand bgp log-neighbor-changes
exchange aaa authorization group cert list default default network 192.168.0.0 mask 255.255.0.0
! neighbor Hub peer-group
interface Loopback0 iBGP
ip address 10.1.0.2 255.255.255.255 neighbor Hub remote-as 1
! neighbor Hub next-hop-self
Tunnel to Hub1 interface Tunnel0 neighbor 10.0.0.253 peer-group Hub
ip unnumbered Loopback0 neighbor 10.0.0.254 peer-group Hub
tunnel source Ethernet0/0 maximum-paths ibgp 2 Two Hubs
! Equal Cost Load Balancing
Tunnel to Hub2 interface Tunnel1
BRKSEC-3013 tunnel protection ipsec profile
2014 default
Cisco and/or its affiliates. All rights reserved. Cisco Public 62
High Availability
63
FlexVPN Backup
Routing Based Multi-Hub Resiliency (1)
192.168.100.0/24
.1 .2
172.16.0.1 172.16.0.2
Tunnels to both hubs

are constantly active
Traffic can transit via either

tunnel (active-standby) or both
tunnels (load-balancing)
FlexVPN Backup
Routing Based Multi-Hub Resiliency (2)
192.168.100.0/24
.1 .2
172.16.0.1 172.16.0.2
Hub 1 fails,
Tunnels go down
Traffic goes through

remaining tunnel
Inter-hub BGP BFD keepalives
C 10.0.0.254 Loopback0 router bgp 1 router bgp 1 C 10.0.0.253 Loopback0
C 192.168.100.0/24 Eth0 neighbor 192.168.0.2 remote-as 1 neighbor 192.168.0.2 Cremote-as 1
192.168.100.0/24 Eth0
Routing Table
Routing Table
S 192.168.0.0/16 Null0 tag 2 neighbor 192.168.0.2 fall-over bfd neighbor 192.168.0.1 Sfall-over bfd Null0 tag 2
192.168.0.0/16
S 10.0.0.0/8 Null0 tag 2 Hub 1 Hub 2 S 10.0.0.0/8 Null0 tag 2
S 1.0.0.1/32 Null0 tag 2 .1 192.168.100.0/24 .2 S 1.0.0.2/32 Null0 tag 2
B 1.0.0.2/32 Tunnel100 Dummy prefix B 1.0.0.1/32 Tunnel100
magic ingredient .1 Tunnel 100 .2
192.168.0.0/30
Tunnel: 10.0.0.254 Tunnel: 10.0.0.253
bfd interval 500 min_rx 50 multiplier 3 bfd interval 500 min_rx 50 multiplier 3
Physical: 172.16.2.1
Tunnel: 10.0.0.2
Tunnel: 10.0.0.1
NHRP Table
NHRP Table
- -
Spoke 1 Spoke 2
192.168.1.0/24 192.168.2.0/24
C 192.168.1.0/24 Eth0 C 192.168.2.0/24 Eth0
Routing Table
Routing Table
C 10.0.0.1 Tunnel0 C 10.0.0.2 Tunnel1
S 0.0.0.0/0 Dialer0 S 0.0.0.0/0 Dialer0
Spokes Connect Next-Hop w/ High Distance
C 10.0.0.254 Loopback0 router bgp 1 C 10.0.0.253 Loopback0
C 192.168.100.0/24 Eth0
tag 2 routes got redistributed in redistribute static route-map TAG2 C 192.168.100.0/24 Eth0
Routing Table
Routing Table
S 192.168.0.0/16 Null0 tag 2
BGP and advertised to the spokes route-map TAG2 S 192.168.0.0/16 Null0 tag 2
S 10.0.0.0/8 Null0 tag 2 Hub 1 match tag 2 Hub 2 S 10.0.0.0/8 Null0 tag 2
B 1.0.0.2/32 Tunnel100 B 1.0.0.1/32 Tunnel100
S 10.0.0.1 V-Access1 .1 Tunnel 100 .2 S 10.0.0.1 V-Access1
192.168.0.0/30
B 192.168.1.0/24 10.0.0.1 B 192.168.1.0/24 10.0.0.1
B 192.168.2.0/24 10.0.0.2 B 192.168.2.0/24 10.0.0.2
Tunnel: 10.0.0.253
Tunnel: 10.0.0.254
Tunnel: 10.0.0.2
Tunnel: 10.0.0.1
NHRP Table
NHRP Table
- -
Spoke 1 Spoke 2
192.168.1.0/24 192.168.2.0/24
C 192.168.1.0/24 Eth0 crypto ikev2 authorization policy default C 192.168.2.0/24 Eth0
Routing Table
Routing Table
C 10.0.0.1 Tunnel0 route accept any distance 210 C 10.0.0.2 Tunnel1
S 0.0.0.0/0 Dialer0 S 0.0.0.0/0 Dialer0
S 10.0.0.254/32 Tunnel0 dist. 210 S 10.0.0.254/32 Tunnel0 dist. 210
B 192.168.0.0/16 10.0.0.254 dist. 200 B 192.168.0.0/16 10.0.0.254 dist. 200
Traffic Flows recursive routing applies
C 192.168.100.0/24 Eth0 C 192.168.100.0/24 Eth0
Routing Table
Routing Table
S 192.168.0.0/16 Null0 tag 2 S 192.168.0.0/16 Null0 tag 2
B 1.0.0.2/32 Tunnel100 B 1.0.0.1/32 Tunnel100
S 10.0.0.1 V-Access1 .1 Tunnel 100 .2 S 10.0.0.1 V-Access1
192.168.0.0/30
B 192.168.1.0/24 10.0.0.1 B 192.168.1.0/24 10.0.0.1
B 192.168.2.0/24 10.0.0.2 B 192.168.2.0/24 10.0.0.2
Tunnel: 10.0.0.253
Tunnel: 10.0.0.254
Tunnel: 10.0.0.2
Tunnel: 10.0.0.1
NHRP Table
NHRP Table
- -
Spoke 1 Spoke 2
192.168.1.0/24 192.168.2.0/24
C 192.168.1.0/24 Eth0 C 192.168.2.0/24 Eth0
Routing Table
Routing Table
C 10.0.0.1 Tunnel0 C 10.0.0.2 Tunnel1
S 0.0.0.0/0 Dialer0 S 0.0.0.0/0 Dialer0
B 192.168.0.0/16 10.0.0.254 dist. 200 B 192.168.0.0/16 10.0.0.254 dist. 200
Say Hub 1 Crashed
C 10.0.0.253 Loopback0
C 192.168.100.0/24 Eth0
Routing Table
S 192.168.0.0/16 Tunnel100 tag 2
Hub 1 Hub 2 S 10.0.0.0/8 Null0 tag 2
.1 192.168.100.0/24 .2 S 1.0.0.2/32 Null0 tag 2
B 1.0.0.1/32 Tunnel100
.1 Tunnel 100 .2 S 10.0.0.1 V-Access1
S 10.0.0.2 V-Access2
192.168.0.0/30
B 192.168.1.0/24 10.0.0.1

after 0.5 seconds: B 192.168.2.0/24 10.0.0.2
Tunnel: 10.0.0.253
Tunnel: 10.0.0.254
%BGP-5-ADJCHANGE: neighbor 192.168.0.1 Down
Tunnel: 10.0.0.2
Tunnel: 10.0.0.1
NHRP Table
NHRP Table
- -
Spoke 1 Spoke 2
192.168.1.0/24 192.168.2.0/24
C 192.168.1.0/24 Eth0 C 192.168.2.0/24 Eth0
Routing Table
Routing Table
C 10.0.0.1 Tunnel0 C 10.0.0.2 Tunnel1
S 0.0.0.0/0 Dialer0 S 0.0.0.0/0 Dialer0
B 192.168.0.0/16 10.0.0.254 dist. 200 B 192.168.0.0/16 10.0.0.254 dist. 200
We have achieved High-Availability
track timer msec 500 C 10.0.0.253 Loopback0
track 1 ip route 1.0.0.1 255.255.255.255 reachability C 192.168.100.0/24 Eth0
Routing Table
track 2 list boolean and S 192.168.0.0/16 Tunnel100 tag 2
object 1 not
Hub 1 Hub 2 S 10.0.0.0/8 Null0 tag 2
ip route 10.0.0.254
.1 192.168.100.0/24
255.255.255.255 Null0 tag .2
2 track 2 S 1.0.0.2/32 Null0 tag 2
B 1.0.0.1/32 Tunnel100
.1 Tunnel 100 .2 S 10.0.0.1 V-Access1
192.168.0.0/30
B 192.168.1.0/24 10.0.0.1
Takes ~Tunnel:
1s B 192.168.2.0/24 10.0.0.2
10.0.0.253
Tunnel: 10.0.0.254
S 10.0.0.254/32 Null0 tag 2 track 2
Almost
immediate Depends on
# of spokes Physical: 172.16.2.1
Tunnel: 10.0.0.2
Tunnel: 10.0.0.1
NHRP Table
NHRP Table
- -
Spoke 1 Spoke 2
192.168.1.0/24 192.168.2.0/24
C 192.168.1.0/24 Eth0 C 192.168.2.0/24 Eth0
Routing Table
Routing Table
C 10.0.0.1 Tunnel0 C 10.0.0.2 Tunnel1
S 0.0.0.0/0 Dialer0 Removed because exact
match with lower admin
S 0.0.0.0/0 Dialer0
distance exists
B 192.168.0.0/16 10.0.0.254 dist. 200 B 192.168.0.0/16 10.0.0.254 dist. 200
B 10.0.0.254/32 10.0.0.253 dist. 200 B 10.0.0.254/32 10.0.0.253 dist. 200
We have achieved High-Availability
C 10.0.0.253 Loopback0
C 192.168.100.0/24 Eth0
Routing Table
S 192.168.0.0/16 Tunnel100 tag 2
Hub 1 Hub 2 S 10.0.0.0/8 Null 0 tag 2
.1 192.168.100.0/24 .2 S 1.0.0.2/32 Null0
B 1.0.0.1/32 Tunnel100
.1 Tunnel 100 .2 S 10.0.0.1 V-Access1
192.168.0.0/30
B 192.168.1.0/24 10.0.0.1
B 192.168.2.0/24 10.0.0.2
Tunnel: 10.0.0.253
Tunnel: 10.0.0.254
S 10.0.0.254/32 Null0 tag 2 track 2
Tunnel: 10.0.0.2
Tunnel: 10.0.0.1
NHRP Table
NHRP Table
- -
Spoke 1 Spoke 2
192.168.1.0/24 192.168.2.0/24
C 192.168.1.0/24 Eth0 C 192.168.2.0/24 Eth0
Routing Table
Routing Table
C 10.0.0.1 Tunnel0 C 10.0.0.2 Tunnel1
S 0.0.0.0/0 Dialer0 S 0.0.0.0/0 Dialer0

B 192.168.0.0/16 10.0.0.254 dist. 200 B 192.168.0.0/16 10.0.0.254 dist. 200
B 10.0.0.254/32 10.0.0.253 dist. 200 B 10.0.0.254/32 10.0.0.253 dist. 200
High Availability - Backup Peers
72
FlexVPN Backup
IKE Backup Peers (1)
192.168.100.0/24
.1 .2
Tunnels are set up 172.16.0.1 172.16.0.2
to a primary Hub
FlexVPN Backup
IKE Backup Peers (2)
192.168.100.0/24
.1 .2
Hub 1 Fails 172.16.0.1 172.16.0.2
New tunnels are set up

to a backup Hub
FlexVPN Backup Also works with
Routing
Protocol
IKE Backup Peers (3) Spoke Config.
aaa authorization network default local Powerful Peer Syntax
peer <n> <ip>
crypto ikev2 profile default peer <n> <ip> track <x>
match certificate HUBMAP peer <n> <fqdn>
identity local fqdn Spoke1.cisco.com peer <n> <fqdn> track <x>
authentication local pre-shared
Nth source selected only if
keyring local
pki trustpoint CA corresponding track object is up
Detect Hub Failure dpd 30 2 on-demand
RADIUS Backup List Attribute
crypto ikev2 client flexvpn default ipsec:ipsec-backup-gateway
client connect tunnel 0
To Primary Hub peer 1 172.16.1.254 Up to 10 backup gateways pushed by
peer 2 172.16.1.253 config-exchange
To Secondary Hub
interface Tunnel0
ip address negotiated
Destination tunnel source FastEthernet0/0 crypto ikev2 authorization policy default
managed by tunnel destination dynamic route set interface
FlexVPN tunnel protection ipsec profile default route set access-list 99
FlexVPN Backup Re-activation of Primary Peer
Allow re-establishing tunnel directly to preferred
peer as soon as it is available again
Trackers are required for this feature track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
crypto ikev2 flexvpn client remote1
10.0.0.1 peer 1 10.0.0.1 track 1
peer 2 10.0.0.2 track 2
peer 3 10.0.0.3 track 3
peer reactivate
client connect Tunnel0
10.0.0.2
!
client
interface Tunnel0
ip address negotiated

10.0.0.3 tunnel destination dynamic

Tracker state (Up/Down)
ICMP-echo IP SLA probe

IPsec Tunnel
FlexVPN Backup Tunnel Pivoting
Use when different Service Providers are used to connect to remote host
crypto ikev2 flexvpn client remote1

peer 10.0.0.1
Service Provider 1 source 1 interface GigabitEthernet0/0 track 1
GigE0/0
source 2 interface Cellular0/0
client connect tunnel 0
interface Tunnel0
Client Hub ip address negotiated
Cellular0/0
Cellular Provider 2
tunnel source dynamic
tunnel destination dynamic

Tracker state (Up/Down)
ICMP-echo IP SLA probe

IPsec Tunnel
IKE Load Balancer
82
FlexVPN Backup
IKEv2 Load-Balancer Bootstrap
LAN
Slave Hub 2 Master Hub 1 Slave Hub 3
Standby Active Standby

CLB CLB
.12 Registration .5 .11 Registration .13
10.0.0.0/24 HSRP Election
1. HSRP Active Router election 2. CLB Registration

Winner takes over the VIP (.5) HSRP Standby become CLB Slaves
WAN and register to Master (HSRP Active)
On Hub 1:
*Nov 20 12:43:58.488: %CLB-6-CLB_SLAVE_CONNECTED: Slave 10.0.0.13 connected.
*Nov 20 12:43:58.493: %CLB-6-CLB_SLAVE_CONNECTED: Slave 10.0.0.12 connected.
FlexVPN Backup
IKEv2 Load-Balancer Client Connection
LAN
2. CLB Master selects the LLG 3. CLB Master sends a redirect
(Hub 3) to client to Hub 3
Slave Hub 2 Master Hub 1 Slave Hub 3
Standby Active Standby

.12 .5 .11 .13
10.0.0.0/24
WAN
1. Client sends IKE SA_INIT with
REDIRECT_SUPPORTED to
VIP (.5)
4. Client establishes IKEv2

session with LLG Hub (Hub 3)
IKEv2 Load-Balancer
Hub 1 Configuration
crypto ikev2 redirect gateway init
! Activates the sending of IKEv2 redirects during SA_INIT
match identity remote fqdn domain cisco.com !
identity local fqdn Hub1.cisco.com interface Ethernet0/0
authentication remote rsa-sig ip address 10.0.0.11 255.255.255.0
authentication local rsa-sig standby 1 ip 10.0.0.5
pki trustpoint TP standby 1 name vpngw HSRP Group Name must match
dpd 10 2 on-demand ! IKEv2 Cluster configuration
aaa authorization group cert list default default interface Loopback0
! !
crypto ikev2 authorization policy default interface Virtual-Template1 type tunnel
route set interface ip unnumbered Loopback0
! ip mtu 1400
crypto ikev2 cluster tunnel source Ethernet1/0
standby-group vpngw tunnel protection ipsec profile default
slave max-session 10
no shutdown
Configuration of slave hubs is almost identical (except HSRP priority)!
IKEv2 Load-Balancer
Client Configuration
crypto ikev2 authorization policy default

route set interface Activates IKEv2 redirection support and limit
! redirect count (DoS prevention)
crypto ikev2 redirect client max-redirects 10
!
match identity remote fqdn domain cisco.com interface Tunnel0
identity local fqdn Spoke2.cisco.com ip address 172.16.1.100 255.255.255.0
authentication remote rsa-sig ip mtu 1400
authentication local rsa-sig tunnel source Ethernet0/0
pki trustpoint TP tunnel destination dynamic
dpd 10 2 on-demand tunnel protection ipsec profile default
virtual-template 1
!
crypto ikev2 client flexvpn VPN_LB
peer 1 10.0.0.5
client connect Tunnel0
FlexVPN Peer configured with

the VIP address only
FlexVPN Remote Access
FlexVPN Software Client Remote Access
Remote clients need additional information that arent usually exchanged:
IP address
Routes (Split tunnel)
DNS servers
Domain names
Exchange handled by IKEv2 configuration payload

Allows easy integration of many third party OS and
clients.
IKEv2 Configuration Exchange
Initiator (I) Responder (R)
I would like:
an IPv6 address
a DNS & WINS server
CFG_REQUEST a list of protected IPv6 subnets
Initiator (RA client) requests
IKE_AUTH configuration parameters
Your assigned IPv6 address is ...
from responder (RA server). Your DNS server is ...
CFG_REPLY
There is no WINS server
My protected IPv6 subnets are ...
CFG_SET
Derived from peer authorisation
INFORMATIONAL
Derived from peer authorisation
CFG_ACK Initiator and/or responder
sends unsolicited configuration My local IPv6 protected subnets are ...
CFG_SET parameters to its peer.
Acknowledged
INFORMATIONAL
CFG_ACK
EAP Authentication
IKEv2 Initiator IKEv2 Responder IKE RADIUS Server
crypto ikev2 profile default RA server authenticates to client

authentication remote eap query-identity using IKE certificates (mandatory)
aaa authentication eap frad
IKEv2 RADIUS
EAP-GTC / EAP-MD5 / EAP-MSCHAPv2 / EAP-AKA / EAP-SIM / ...
Username-Password/Token/Mobile Authentication (One-Way)
IKEv2 RADIUS
TLS EAP-TLS TLS
TLS-Based Certificate Authentication (Mutual)
IKEv2 RADIUS
EAP-PEAP / EAP-TTLS
TLS EAP-MSCHAPv2 / EAP-TLS / ... TLS
TLS-Protected Nested Authentication (One-Way or Mutual)
EAP Authentication Packet Flow
IKEv2 (IKE_AUTH) crypto ikev2 profile default
IDi, CFG_REQ, no AUTH authentication remote eap query-identity
aaa authentication eap frad
IKEv2 (IKE_AUTH)
IDr, AUTH(RSA), EAP(ID-Request)
IKEv2 (IKE_AUTH) RADIUS (Access-Request)
EAP(ID-Response: IDEAP)
IKEv2 (IKE_AUTH) RADIUS (Access-Challenge)
EAP(EAP-Method-Pkt#1)
IKEv2 (IKE_AUTH) RADIUS (Access-Request)
EAP(EAP-Method-Pkt#2)
MSK MSK
IKEv2 (IKE_AUTH) RADIUS (Access-Accept)
EAP(Success) EAP(Success), MSK, User-Name, EAP Username
IKEv2 (IKE_AUTH) Other user attributes
AUTH(MSK) Cached for authorisation
IKEv2 (IKE_AUTH)
CFG_REPLY, AUTH(MSK)
AnyConnect Mobile Manual Connection
Certificate selection
Cisco ASA only
Connection name
Create new
manual connection
Server FQDN
Enable IKEv2
Select authentication method
Specify IKE ID for EAP methods
AnyConnect VPN Profile Editor
Add entry to server list
Server FQDN Connection name ... Resulting XML Profile

<ServerList>
<HostEntry>
<HostName>FlexVPN</HostName>
<HostAddress>flexra.cisco.com</HostAddress>
<PrimaryProtocol>IPsec
<StandardAuthenticationOnly>true
<AuthMethodDuringIKENegotiation>EAP-GTC</AuthMethodDuringIKENegotiation>
<IKEIdentity>acvpn</IKEIdentity>
</StandardAuthenticationOnly>
</PrimaryProtocol>
</HostEntry>
</ServerList>
...
Only applies to EAP

authentication methods
AnyConnect Headend Config EAP (All Methods)
aaa group server radius frad
server-private 172.16.0.254 key cisco
EAP-GTC / EAP-MD5 / EAP-MSCHAPv2 aaa authentication login frad group frad
Client IKE ID = KEY-ID string configured in XML profile crypto ikev2 profile default
Server selects IKEv2 profile based on KEYID string match identity remote key-id acvpn
identity local dn
EAP query-identity prompts user for credentials authentication remote eap query-identity
EAP ID = username entered by user pki trustpoint root sign
Password authentication against AAA user database aaa authentication eap frad
aaa authorization user eap cached
Returned attributes cached for implicit authorisation virtual-template 1
# RADIUS User definition

joe@cisco
Cleartext-Password := "c1sc0!"
Framed-IP-Address = "10.0.1.101",
Framed-IP-Netmask = "255.255.255.255",
Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"
IKE
IKEv2 RADIUS
EAP-GTC / EAP-MD5 / EAP-MSCHAPv2
EAP Username-Password Authentication
Before we part
Route Exchange Protocol Selection
Branch-Hub Use case
IKEv2 Simple, large scale Static (No Simple branches Identity-based Lossy networks High density hubs
redistribution (< 20 prefixes) route filtering
IGPIKE)
BGP Simple to complex, Dynamic Complex branches Powerful route Lossy networks High density hubs
large scale (Redistribution (> 20 prefixes) filtering not up to 350K routes
IGP BGP) identity based
EIGRP Simple to complex Dynamic Semi-complex Intermediate route Lossless networks < 5000 prefixes at
not (Redistribution branches filtering not (very rare) hub
recommended IGP IGP) (> 20 prefixes) identity based
at large scale
Hub-Hub Use case

BGP Large amount of Road to scalability Powerful route
prefixes (up to filtering
1M)
IGP (EIGRP, OSPF) < 5000 prefixes Perceived simplicity
total
High-End Scalability & Performances 15.4(1)S
Release ISR 4451 ASR1001 ASR1002-F ASR1000- ASR1000- ASR1000- ASR1000- ASR1000- ASR1000-
15.2(1)S+ ESP5 ESP10 ESP20 ESP40 ESP100 ESP200
w/out QoS
Throughput 1.2 / 1.8 / 1Gbps 1 / 0.8 1.8 / 1 4 / 2.5 7 / 6 Gbps 11 / 7.4 29 / 16 78 / 59
(Max / IMIX) 0.8Gbps Gbps Gbps Gbps Gbps Gbps Gbps
Max tunnels 2000 4000 1000 1000 1000 / 1000 / 1000 / -- / 4000 -- / 4000
(RP1 / RP2) 4000 4000 4000
EIGRP 2000 4000 1000 1000 1000 / 1000 / 1000 / -- / 4000 -- / 4000
neighbours (1000 (1000
4000 4000 4000 (1000 (1000
recommended) recommended) recommended) recommended)
(1000 (1000 (1000
recommended) recommended) recommended)
BGP 2000 4000 1000 1000 1000 / 1000 / 1000 / -- / 4000 -- / 4000
neighbours 4000 4000 4000
Release 3.5 ASR1001 ASR1000- ASR1000-

w/ QoS ESP20 ESP40
Throughput 1.8 / 1Gbps 7 / 6 Gbps 11 / 7.4 Gbps
(Max / IMIX)
Max tunnels 4000* 4000 4000
(RP2 only) (16K Queues) (128K Queues) (128K Queues)
High-End Scalability & Performances 15.4(2)S
Release ISR 4451 ASR1001 ASR1000- ASR1000- ASR1000- ASR1000- ASR1000- ASR1000-
15.2(1)S+ ESP5 ESP10 ESP20 ESP40 ESP100 ESP200
w/out QoS
Throughput 1.2 / 1.8 / 1Gbps 1.8 / 1 Gbps 4 / 2.5 Gbps 7 / 6 Gbps 11 / 7.4 29 / 16 78 / 59
(Max / IMIX) 0.8Gbps Gbps Gbps Gbps
Max tunnels 2000 4000 1000 1000 / 1000 / 1000 / -- / 10,000 -- / 10,000
(RP1 / RP2) 10,000 10,000 10,000
EIGRP 2000 4000 1000 1000 / 4000 1000 / 4000 1000 / 4000 -- / 4000 -- / 4000
(1000 (1000 (1000 (1000 (1000 (1000 (1000
neighbours recommended) recommended) recommended) recommended) recommended) recommended) recommended)
IKE Routing 2000 4000 1000 10,000 10,000 10,000 10,000 10,000
BGP 2000 4000 1000 1000 / 1000 / 1000 / -- / 10,000 -- / 10,000

neighbours 10,000 10,000 10,000
Release 15.3(3)S ISR 4451 ASR1001 ASR1000- ASR1000-

w/ QoS ESP20 ESP40
Throughput 1.2 / 0.8 1.8 / 1 Gbps 7 / 6 Gbps 11 / 7.4 Gbps
(Max / IMIX) Gbps
Max tunnels 2000 4000* 10,000 10,000
(RP2 only) (16K Queues) (128K Queues) (128K Queues)
FlexVPN - ISR G2 Scalability
Platform Sec-K9 SEC-K9 + HSEC-K9
Recommended Max Recommended Max
3945E Up to 225 Up to 225 Up to 2000 Up to 3000
3945 Up to 225 Up to 225 Up to 1000 Up to 2000
2911 Up to 225 Up to 225 HSEC-K9 license does not apply since
the max. encrypted tunnel count is below
2901 Up to 150 Up to 225
the restricted limits.
1941 Up to 150 Up to 225
1921 TBD TBD
75% CPU, IMIX,
IPsec/AES, single
FlexVPN - ISR G2 Performances tunnel
Platform Sec-K9 (Mbps) SEC-K9 + HSEC-K9 (Mbps)

Recommended Max Recommended Max
2911 Up to 61 Up to 164 HSEC-K9 license does not apply since
the max. encrypted tunnel count is below
2901 Up to 53 Up to 154
the restricted limits.
1941 Up to 48 Up to 156
1921 Up to 44 N/A
891 Up to 66 N/A
FlexVPN CCO Documentation
CCO doc link
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/15-mt/sec-flex-vpn-15-
mt-book.html
Reflects latest release (currently 15.4(1)T)
Doc organised into chapters
FlexVPN Site-Site
FlexVPN Server
FlexVPN Client
FlexVPN Spoke-Spoke
FlexVPN Load-Balancer
FlexVPN Reconnect
Appendix-1: FlexVPN Radius Attributes
Appendix-2: Legacy VPNs
Changes across releases
Documentation reflects latest release
Behaviour/CLI changes noted in corresponding sections
FlexVPN Useful Links
FlexVPN Sample Configurations
http://www.cisco.com/c/en/us/support/security/flexvpn/products-configuration-examples-list.html
Past FlexVPN session from Ciscolive

BRKSEC-2881 - VPN Remote Access with IOS & Introduction to FlexVPN (2014 Milan)
https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=76563&backBtn=true
Q&A
Complete Your Online Session Evaluation
Give us your feedback and receive a
Cisco Live 2014 Polo Shirt!
Complete your Overall Event Survey and 5 Session
Evaluations.
Directly from your mobile device on the Cisco Live
Mobile App
By visiting the Cisco Live Mobile Site
www.ciscoliveaustralia.com/mobile
Visit any Cisco Live Internet Station located
throughout the venue
Polo Shirts can be collected in the World of Solutions Learn online with Cisco Live!
on Friday 21 March 12:00pm - 2:00pm
Visit us online after the conference for full
access to session videos and presentations.
www.CiscoLiveAPAC.com

Brksec 3013 PDF

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Brksec 3013 PDF

Hochgeladen von

Copyright:

Verfügbare Formate

Advanced IPSec with FlexVPN

FlexVPN Introduction High Availability

For your Reference slides: Additional info slides:

DMVPN No Yes No Yes No partial No No No group No

One VPN to learn and deploy

Uses UDP ports 500 & 4500

Similar but Identity Exchange is Cleaner

Hub 1 Tu0 Tu0

Tu0 Static Tunnel

Spoke 1 VT1 VA1 VA1 VT1 Spoke 2

Hub & Spoke interface Virtual-Template1 type tunnel

Interop & tunnel mode ipsec ipv4

Self Identity Control match identity remote address 10.0.1.1

match fvrf red

pki trustpoint <trustpoint_name>

HDR, SAr1, KEr, Nr [CERTREQ]

HDR, SK {IDi, [CERT], [CERTREQ], [IDr], AUTH, SAi2, TSi, TSr}

HDR, SK {IDr, [CERT], AUTH, TSi, TSr}

HDR IKE Header IDi, IDr Initiator/Responder IKE Identity

match identity remote address

Transform set unchanged

IPsec profile defines SA crypto ipsec profile default

Layer 5+ IKE AAA BGP

Layer 4 Remote private

Layer 2 Per peer features

Layer 5+ IKE AAA BGP

Layer 3 Routing Routing

Eth0/0 V-Access1 Output

Authentication PSK Authentication AAA PSK Retrieval

EAP Client Authentication

Accounting RADIUS Accounting

Explicit User Authorisation

Retrieves user attributes from RADIUS (local database not supported)

Explicit Group Authorisation Reverse order of precedence (group > user)

Retrieves group attributes from RADIUS or local database

Explicit User Attributes Attribute Value

Explicit Group Attributes Attribute Value

AAA Username: joe

Start with the peers IKE or EAP identity

crypto ikev2 keyring KR crypto ikev2 keyring KR

crypto ikev2 profile default crypto ikev2 profile default

interface Tunnel0 interface Tunnel0

ipv6 unicast-routing ipv6 unicast-routing

interface Tunnel0 interface Tunnel0

interface E0/0 interface E0/0

SA Prop (AES-256, SHA-1, DH 5), KEi, Ni

SA Prop (AES-256, SHA-1, DH 5), KEr, Nr

Ethernet0/0: 172.16.1.1 Ethernet0/0: 172.16.0.1

Physical: 172.16.0.1 Physical: 172.16.0.2

Physical: 172.16.1.1 Physical: 172.16.2.1

Physical: 172.16.0.1 Physical: 172.16.0.2

Physical: 172.16.1.1 Physical: 172.16.2.1

Physical: 172.16.0.1 Resolution Physical: 172.16.0.2

Physical: 172.16.1.1 Physical: 172.16.2.1

Physical: 172.16.0.1 Physical: 172.16.0.2

Physical: 172.16.1.1 Physical: 172.16.2.1

crypto ikev2 profile default interface Virtual-Template1 type tunnel

Configurations of Hub 1 and Hub 2 are almost identical!

QoS can be applied here

interface Virtual-Template1 type tunnel

Physical: 172.16.0.1 Physical: 172.16.0.2

Physical: 172.16.1.1 Physical: 172.16.2.1

C 10.0.0.1 Tunnel0 C 10.0.0.2 Tunnel1