
Advanced IPSec with FlexVPN

BRKSEC-3013

Tom Alexander
Technical Leader
Objectives & Prerequisites
Session objectives:
Understand IKEv2 & FlexVPN Building blocks
Demonstrate the value-add of FlexVPN
Knowledge of FlexVPN Design and Deployment
Basic understanding of the following topics is required:
IPsec, IKEv1, PKI, AAA, RADIUS, AnyConnect
Experience with the following features is a plus:
DMVPN, EzVPN, Routing protocols
More FlexVPN
Proctor Led Lab : LABSEC-2630 - IPSec with FlexVPN (Friday 3/21 10-12 am)
Walk-in Self-Paced lab : LABSEC-1280 - FlexVPN in Practice (45 min)
Meet the Expert
Fred Detienne (Distinguished Engineer)
Tom Alexander (Technical Leader)
BRKSEC-3013 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda

FlexVPN Introduction
  Why FlexVPN
  FlexVPN Positioning

FlexVPN Building Blocks
  Overview
  Basic Site to Site VPN
  Shortcut Switching (FlexMesh)
  FlexVPN dVTI, AAA
  Per peer features
  AAA integration

High Availability
  Backup Mechanisms
  Load Balancing

Remote Access
  AnyConnect 3.0 Mobile

Wrap-up
Before We Begin...

For your Reference slides:
  Just for your reference when back at work.
  Not shown during the live presentation.
  Will not be covered in detail.

Additional info slides:
  Rendered in the presentation PDF (download it through the Cisco Live portal).
  Cover extra details or small additional topics.
FlexVPN Introduction
Why FlexVPN, IKEv2
EasyVPN, DMVPN and Crypto Maps

Easy VPN (server):
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group cisco
 key cisco123
 pool dvti
 acl 100
crypto isakmp profile dvti
 match identity group cisco
 client authentication list lvpn
 isakmp authorization list lvpn
 client configuration address respond
 virtual-template 1
crypto ipsec transform-set dvti esp-3des esp-sha-hmac
crypto ipsec profile dvti
 set transform-set dvti
 set isakmp-profile dvti
interface Virtual-Template1 type tunnel
 ip unnumbered Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile dvti
ip local pool dvti 192.168.2.1 192.168.2.2
access-list 100 permit ip 192.168.1.0 0.0.0.255 any

DMVPN (hub):
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto ipsec transform-set vpn-ts-set esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile vpnprofile
 set transform-set vpn-ts-set
interface Tunnel0
 ip address 10.0.0.254 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile vpnprofile
ip route 192.168.0.0 255.255.0.0 Null0
router bgp 1
 bgp log-neighbor-changes
 bgp listen range 10.0.0.0/24 peer-group DMVPN
 redistribute static
 neighbor DMVPN peer-group
 neighbor DMVPN remote-as 1
 no auto-summary

Crypto map (remote-access server):
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group cisco
 key pr3sh@r3dk3y
 pool vpnpool
 acl 110
crypto ipsec transform-set vpn-ts-set esp-3des esp-sha-hmac
crypto dynamic-map dynamicmap 10
 set transform-set vpn-ts-set
 reverse-route
crypto map client-vpn-map client authentication list userauthen
crypto map client-vpn-map isakmp authorization list groupauthor
crypto map client-vpn-map client configuration address initiate
crypto map client-vpn-map client configuration address respond
crypto map client-vpn-map 10 ipsec-isakmp dynamic dynamicmap
interface FastEthernet0/0
 ip address 83.137.194.62 255.255.255.240
 crypto map client-vpn-map
ip local pool vpnpool 10.10.1.1 10.10.1.254
ip route 0.0.0.0 0.0.0.0 10.0.0.2
access-list 110 permit ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255

Three VPN types, three unrelated configuration models, and all three still negotiate IKEv1 with 3DES and pre-shared keys.
VPN Technology Selection
Death by a thousand questions

Choosing a VPN technology today means answering, among others:
  3rd party and legacy support
  Hub & Spoke vs Spoke-Spoke direct
  AAA
  Manageability
  Failover time
  Failure detection method
  IPv4/IPv6 dual stack
  Solution components
  Design complexity
  Route injection
  Dual DMVPN tunnels
  Dynamic routing
  Crypto map or tunnels
  Feature order
  Multi-hub homing
  Multi-ISP homing
  Per peer ACLs
  Scalability
  Multicast
  QoS support
  High Availability

FlexVPN Unifies
Unified Overlay VPNs

The slide's feature matrix compares Easy VPN, DMVPN and crypto maps against FlexVPN on: per-peer QoS, spoke-spoke direct (shortcut) switching, management / config push, full AAA, dynamic per-peer features, failover, routing, remote access, interop (third-party source), and simple config. Each legacy technology covers only a subset (DMVPN failover is partial and crypto-map failover poor; DMVPN per-peer QoS is group-based); FlexVPN answers Yes to every column.

Values per technology, in the slide's column order:
  Easy VPN:   No No Yes No Yes Yes No Yes Yes Yes Yes
  DMVPN:      No Yes No Yes No partial No No No group No
  Crypto Map: Yes No Yes No Yes poor No No No No No
  FlexVPN:    Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes

One VPN to learn and deploy.
Everything works, no questions asked.
Flex is IKEv2 Only
Why Flex now?

IKEv1                                          IKEv2
  ISAKMP  RFC2408                                RFC5996 (since obsoleted by RFC 7296)
  IKE     RFC2409                                DPD and NAT-T built in
  DOI     RFC2407                                Suite B
  Extensions: Mode-config, DPD, NAT-T,           Anti-DoS (cookie exchange)
    Hybrid Auth                                  More secure
  Authentication: PSK, RSA-Sig                   Authentication: PSK, RSA-Sig, EAP

Same objectives: Authentication, Integrity, Privacy.
Same transport: UDP ports 500 and 4500.
Similar exchanges, but the identity exchange is cleaner.
Different: IKEv1 Main + Aggressive modes versus the IKEv2 INITIAL exchanges (IKE_SA_INIT followed by IKE_AUTH), and IKEv2 notifications are acknowledged.
FlexVPN Overview
What is FlexVPN?
IKEv2-based unified VPN technology that combines site-to-site, remote-access, hub-spoke and spoke-to-spoke topologies

FlexVPN highlights
Unified CLI
Based on and compliant to IKEv2 standard
Unified infrastructure: leverages IOS Point-to-Point tunnel interface
Unified features: most features available across topologies
Key features: AAA, config-mode, dynamic routing, IPv6
Simplified config using smart-defaults
Interoperable with non-Cisco implementations
Easier to learn, market and manage

FlexVPN Building Blocks
FlexVPN and Interfaces

Legend:
  Tu0  Static Tunnel interface
  VT   Virtual-Template
  VA   Virtual-Access interface (cloned from a Virtual-Template)

Topologies built from these interfaces:
  Site to Site: a static Tunnel0 on each end (Hub 1 Tu0 to Hub 2 Tu0)
  Remote Access: the hub's Virtual-Template clones one Virtual-Access per remote user (VT1 -> VA1, VA2, VA3)
  Hub & Spoke: each spoke uses a static Tunnel0 toward the hub; the hub terminates every spoke on a Virtual-Access cloned from its Virtual-Template (VT1, VT2)
  Dynamic Mesh: spokes also carry a Virtual-Template (VT1) from which spoke-to-spoke Virtual-Access interfaces (VA1) are cloned on demand (Spoke 1 VT1/VA1 to VA1/VT1 Spoke 2)
Sample FlexVPN Config
All parameters tunable per-peer via AAA

! IKEv2 parameters
crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn R1.cisco.com
 ! Interop and legacy crypto map peers
 authentication local rsa-sig
 authentication remote pre-share
 pki trustpoint TP sign
 ! Remote Access
 aaa authentication eap default
 aaa authorization user eap
 ! Hub & Spoke
 virtual-template 1

interface Virtual-Template1 type tunnel
 ! Dual stack v4/v6
 ip unnumbered loopback0
 ! Spoke-Spoke shortcut switching
 ip nhrp network-id 1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default
IKEv2 CLI Overview
IKEv2 Profile: extensive CLI

crypto ikev2 profile default
 ! Self identity control: only one local identity allowed (one of the following)
 identity local address 10.0.0.1
 identity local fqdn local.cisco.com
 identity local email local@cisco.com
 identity local dn
 ! Match on peer IKE identity or certificate: multiple match identity
 ! statements allowed; statements of the same type are logically ORed
 match identity remote address 10.0.1.1
 match identity remote fqdn remote.cisco.com
 match identity remote fqdn domain cisco.com
 match identity remote email remote@cisco.com
 match identity remote email domain cisco.com
 match certificate certificate_map
 ! Match on front VRF and local address: statements of a different type
 ! are logically ANDed with the identity match
 match fvrf red
 match address local 172.168.1.1
 ! Asymmetric local and remote authentication methods:
 ! only one local method, multiple remote methods allowed
 authentication local pre-share
 authentication local rsa-sig
 authentication local eap
 authentication remote pre-share
 authentication remote rsa-sig
 authentication remote eap
 ! Pre-shared keys: local keyring or AAA-based
 keyring local IOSKeyring
 keyring aaa AAAlist
 pki trustpoint <trustpoint_name>
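The OR/AND rule for match statements decides which profile a peer lands in, and getting it wrong silently puts a peer into a profile with a different authentication method or authorization policy. The Python model below is an added example, not Cisco code or the slide's configuration: it encodes the rule above (same-type statements ORed, different types ANDed) so profile selection can be checked offline. Three assumptions are mine, not the slide's: match identity and match certificate are treated as one peer-matching group, a profile with no peer-matching statement is never selected, and the first matching profile in configuration order wins.

```python
"""IKEv2 profile selection modelled offline (added example, not Cisco code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Peer:
    id_type: str                  # IKE identity type: address, fqdn, email or dn
    identity: str                 # IDi as received in IKE_AUTH
    fvrf: str = "global"          # front-door VRF the IKE packet arrived in
    local_address: str = ""       # local address the IKE packet was sent to
    cert_maps: Set[str] = field(default_factory=set)  # certificate maps the peer cert satisfied


@dataclass
class Ikev2Profile:
    name: str
    identities: List[Tuple[str, str]] = field(default_factory=list)  # ("fq Dn", "domain cisco.com")
    certificates: List[str] = field(default_factory=list)            # match certificate <map>
    fvrfs: List[str] = field(default_factory=list)                   # match fvrf <vrf>
    local_addresses: List[str] = field(default_factory=list)         # match address local <ip>


def identity_matches(rule_type: str, pattern: str, peer: Peer) -> bool:
    """One 'match identity remote <type> <pattern>' statement against the peer."""
    if rule_type != peer.id_type:
        return False
    ident = peer.identity.lower()
    if pattern.startswith("domain "):
        domain = pattern.split(" ", 1)[1].lower()
        # fqdn domain matches host.cisco.com, email domain matches user@cisco.com
        return ident.endswith("." + domain) or ident.endswith("@" + domain)
    return ident == pattern.lower()


def profile_matches(profile: Ikev2Profile, peer: Peer) -> bool:
    """Peer-matching statements are ORed; fvrf and local address are ANDed on top."""
    peer_rules = [identity_matches(t, p, peer) for t, p in profile.identities]
    peer_rules += [cm in peer.cert_maps for cm in profile.certificates]
    if not any(peer_rules):            # no identity/certificate hit (or none configured)
        return False
    if profile.fvrfs and peer.fvrf not in profile.fvrfs:
        return False
    if profile.local_addresses and peer.local_address not in profile.local_addresses:
        return False
    return True


def select_profile(profiles: List[Ikev2Profile], peer: Peer) -> Optional[str]:
    """First profile in configuration order that matches the peer, else None."""
    for profile in profiles:
        if profile_matches(profile, peer):
            return profile.name
    return None


# Constructed sample configuration: a VRF-specific profile listed first, then a
# catch-all profile with the match statements from the slide.
PROFILES = [
    Ikev2Profile("red-spokes", identities=[("fqdn", "domain cisco.com")], fvrfs=["red"]),
    Ikev2Profile("default",
                 identities=[("fqdn", "domain cisco.com"), ("email", "remote@cisco.com")],
                 certificates=["certificate_map"]),
]

if __name__ == "__main__":
    for peer in (Peer("fqdn", "spoke1.cisco.com", fvrf="red"),
                 Peer("fqdn", "spoke1.cisco.com"),
                 Peer("email", "joe@cisco.com")):
        print(peer.identity, "->", select_profile(PROFILES, peer))
```

The ordering matters: with the VRF-specific profile listed after the catch-all, a spoke arriving in fvrf red would match the catch-all first, which is the usual cause of "the right profile exists but is never hit".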
IKEv2 Basic Negotiation

Initiator                                                        Responder
IKE_SA_INIT
  HDR, SAi1, KEi, Ni                                        -->
                                                            <--  HDR, SAr1, KEr, Nr, [CERTREQ]
IKE_AUTH
  HDR, SK {IDi, [CERT], [CERTREQ], [IDr], AUTH, SAi2, TSi, TSr}  -->
                                                            <--  HDR, SK {IDr, [CERT], AUTH, SAr2, TSi, TSr}

HDR            IKE header
SAi1, SAr1     Crypto algorithms proposed / accepted by the peer for the IKE SA
KEi, KEr       Initiator / Responder key exchange material
Ni, Nr         Initiator / Responder nonce
SK {...}       Payload encrypted and integrity protected
IDi, IDr       Initiator / Responder IKE identity
CERTREQ, CERT  Certificate request, certificate payload
AUTH           Authentication data
SAi2, SAr2     SA proposal and transform to create the initial CHILD_SA
TSi, TSr       Traffic selectors (the src/dst proxies)
IKEv2 Profile Match Statements

The responder selects the profile from what the initiator sends in IKE_AUTH:
  HDR, SK {IDi, [CERT], [CERTREQ], [IDr], AUTH, SAi2, TSi, TSr}

match certificate <certificate map>   matches fields of the peer certificate, e.g.
  SubjectName: CN=RouterName, O=Cisco, OU=Engineering
  IssuerName:  CN=PKI Server, O=Cisco, OU=IT

match identity remote address   172.16.0.1
match identity remote fqdn      router.cisco.com
match identity remote email     router@cisco.com
IPsec CLI Overview
Tunnel Protection

! Transform set: unchanged from classic IPsec
crypto ipsec transform-set default esp-aes 128 esp-sha-hmac

! IPsec profile defines the SA parameters and points to the IKEv2 profile
crypto ipsec profile default
 set transform-set default
 set crypto ikev2 profile default

! Dynamic point-to-point interfaces (cloned into Virtual-Access interfaces)
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel protection ipsec profile default

! Static point-to-point interfaces
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source Ethernet0/0
 tunnel destination 172.16.2.1
 ! Tunnel protection links the interface to the IPsec profile
 tunnel protection ipsec profile default
Introducing Smart Defaults
Intelligent, reconfigurable defaults

These constructs are the Smart Defaults (present without any configuration):

crypto ikev2 proposal default
 encryption aes-cbc-256 aes-cbc-128 3des
 integrity sha512 sha256 sha1 md5
 group 5 2

crypto ikev2 policy default
 match fvrf any
 proposal default

crypto ikev2 authorization policy default
 route set interface
 route accept any

crypto ipsec transform-set default esp-aes 128 esp-sha-hmac

crypto ipsec profile default
 set transform-set default
 set crypto ikev2 profile default

What you need to specify:

crypto ikev2 profile default
 match identity remote address 10.0.1.1
 authentication local rsa-sig
 authentication remote rsa-sig
 aaa authorization user cert list default default
 pki trustpoint TP
!
interface Tunnel0
 ip address 192.168.0.1 255.255.255.252
 tunnel protection ipsec profile default

Caveat: the default IKEv2 proposal shown here still offers 3DES, MD5, SHA-1 and Diffie-Hellman groups 2 and 5, so a peer that only supports those can negotiate them. Because the defaults are reconfigurable, define your own proposal (AES-256, SHA-2 integrity, DH group 14 or stronger) and transform set before deployment.
Packet Forwarding
Basic Packet Forwarding

(Figure) A packet entering Eth0/0 passes the input features, Layer 3 routing and the output features before leaving Eth0/1; encapsulation sits between routing and Layer 2. Layer 5+ processes shown alongside the forwarding path are IKE, AAA and BGP.
IKE Flow Creation

(Figure) IKEv2 creates the Virtual-Access interface (the tunnel, V-Access1) between the LAN side (Eth0/0) and the WAN side (Eth0/1). The remote private networks are added to the routing table, and the per-peer features are applied on the Virtual-Access interface by IKEv2; the AAA step that supplies them is optional.
Packet Forwarding: Tunnels & Features

(Figure) Cleartext traffic from the corporate LAN enters Eth0/0, passes the input features and routing, and is routed into V-Access1. The output features (static or from AAA) are applied on the Virtual-Access interface, followed by tunnel encapsulation and then tunnel protection (encryption). The encrypted packet is routed a second time and leaves Eth0/1 toward the WAN through the post-encapsulation output features.
FlexVPN AAA Integration
High-Level AAA Interactions

Roles:
  RA Client       IKEv2 Initiator, EAP Supplicant
  FlexVPN Server  IKEv2 Responder, RADIUS Client (NAS), EAP Authenticator
  AAA Server      RADIUS Server, EAP Backend

Authentication   Certificate authentication (local on the FlexVPN server)
                 PSK authentication, optionally with AAA PSK retrieval from the AAA server
                 EAP client authentication, relayed to the EAP backend
Authorisation    Cached authorisation (attributes received during authentication)
                 Local authorisation
                 RADIUS authorisation
Accounting       RADIUS accounting
Authorisation Types
Not mutually exclusive: they may be combined

Implicit User Authorisation
crypto ikev2 profile default
 aaa authorization user {psk|eap} cached
Uses the attributes received from RADIUS in the Access-Accept during AAA PSK retrieval or EAP authentication, for example for user joe: local PSK = cisco!, remote PSK = !ocsic, plus any other user attributes. They are cached for authorisation.

Explicit User Authorisation
crypto ikev2 profile default
 aaa authorization user {psk|eap|cert} list <list> [name <name> | name-mangler <mangler>]
Retrieves user attributes from RADIUS (the local database is not supported for user authorisation).

Explicit Group Authorisation
crypto ikev2 profile default
 aaa authorization group {psk|eap|cert} [override] list <list> [name <name> | name-mangler <mangler>]
Retrieves group attributes from RADIUS or the local database. User attributes take precedence over group attributes; override reverses the order of precedence (group > user).
Attributes Merging
(FlexVPN Server merging what the AAA Server returns at each step)

Step 1: Cached user attributes, received during AAA-based authentication
  Framed-IP-Address   10.0.0.101
  ipsec:dns-servers   10.2.2.2

Step 2: Explicit user attributes, received during explicit user authorisation; explicit user attributes take precedence over cached ones
  Framed-IP-Address   10.0.0.102

Merged user attributes:
  Framed-IP-Address   10.0.0.102
  ipsec:dns-servers   10.2.2.2

Step 3: Explicit group attributes, received during explicit group authorisation; merged user attributes take precedence, except if group override is configured
  ipsec:dns-servers   10.2.2.3
  ipsec:banner        Welcome !

Final merged attributes:
  Framed-IP-Address   10.0.0.102
  ipsec:dns-servers   10.2.2.2
  ipsec:banner        Welcome !
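The authorisation sources and the merge order of the two slides above, as an added Python model (not Cisco code): RADIUS and the local database are replaced by constructed dictionaries keyed by AAA list name, the parser only understands the aaa authorization forms shown on the slides, and the list names userlist and grouplist, the user joe and the group engineering are assumed for the sample. It reproduces the slide's final attribute set and shows what override changes.

```python
"""FlexVPN authorisation sources and attribute merging (added example, not Cisco code)."""


def parse_authorization(profile_lines):
    """Read the 'aaa authorization ...' lines of an IKEv2 profile into flags."""
    cfg = {"user_cached": False, "user_list": None, "group_list": None, "group_override": False}
    for line in profile_lines:
        tok = line.split()
        if tok[:2] != ["aaa", "authorization"] or len(tok) < 5:
            continue
        scope, rest = tok[2], tok[4:]          # tok[3] is the auth method: psk, eap or cert
        if scope == "user":
            if rest[:1] == ["cached"]:         # implicit user authorisation
                cfg["user_cached"] = True
            elif rest[:1] == ["list"]:         # explicit user authorisation
                cfg["user_list"] = rest[1]
        elif scope == "group":                 # explicit group authorisation
            cfg["group_override"] = "override" in rest
            if "list" in rest:
                cfg["group_list"] = rest[rest.index("list") + 1]
    return cfg


def merge_attributes(cached_user, explicit_user, group, group_override=False):
    """Explicit user attributes win over cached ones; the merged user set wins over
    group attributes unless 'override' is configured on the group statement."""
    merged_user = {**cached_user, **explicit_user}
    if group_override:
        return {**merged_user, **group}
    return {**group, **merged_user}


def resolve(profile_lines, cached_user, user_db, group_db):
    """cached_user: attributes that came with the Access-Accept during AAA PSK
    retrieval or EAP authentication. user_db / group_db stand in for RADIUS and
    the local database, keyed by AAA list name (constructed, not a real lookup)."""
    cfg = parse_authorization(profile_lines)
    cached = cached_user if cfg["user_cached"] else {}
    explicit = user_db.get(cfg["user_list"], {}) if cfg["user_list"] else {}
    group = group_db.get(cfg["group_list"], {}) if cfg["group_list"] else {}
    return merge_attributes(cached, explicit, group, cfg["group_override"])


# Constructed sample data mirroring the "Attributes Merging" slide
CACHED_USER = {"Framed-IP-Address": "10.0.0.101", "ipsec:dns-servers": "10.2.2.2"}
USER_DB = {"userlist": {"Framed-IP-Address": "10.0.0.102"}}
GROUP_DB = {"grouplist": {"ipsec:dns-servers": "10.2.2.3", "ipsec:banner": "Welcome !"}}

PROFILE = [
    "aaa authorization user eap cached",
    "aaa authorization user eap list userlist name joe",
    "aaa authorization group eap list grouplist name engineering",
]
PROFILE_OVERRIDE = PROFILE[:2] + [
    "aaa authorization group eap override list grouplist name engineering",
]


def slide_example(override=False):
    """Final merged attributes for the slide's data, with or without group override."""
    return resolve(PROFILE_OVERRIDE if override else PROFILE, CACHED_USER, USER_DB, GROUP_DB)


if __name__ == "__main__":
    print("user wins :", slide_example())
    print("group wins:", slide_example(override=True))
```

With override, the group's DNS server (10.2.2.3) replaces the user's; without it the user keeps 10.2.2.2 and only picks up the banner the group adds.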
Building Block: IKEv2 Name Mangler

Start with the peer's IKE or EAP identity and derive a username that is meaningful to AAA (local or RADIUS).

RA Client identity in the IKEv2 exchange    name-mangler rule         AAA username
  FQDN:  joe.cisco.com                        fqdn hostname             joe
  Email: joe@cisco.com                        email username            joe
  DN:    cn=joe,ou=IT,o=Cisco                 dn common-name            joe
  EAP:   joe@cisco                            eap prefix delimiter @    joe

crypto ikev2 name-mangler extract-user
 fqdn hostname
 email username
 dn common-name
 eap prefix delimiter @

Local AAA request: username joe. RADIUS AAA request (FlexVPN server as RADIUS NAS): username joe, password cisco, where the password is static and configurable.
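The mangling rules above, as an added Python model (not Cisco code) that turns each of the slide's four identities into the AAA username joe. The fqdn/email domain variants, the organization and organization-unit DN attributes, the eap suffix and all variants, and the behaviour when the EAP delimiter is absent (the whole identity is used) are assumptions of this model; the static password cisco is the slide's value.

```python
"""IKEv2 name mangler modelled offline (added example, not Cisco code)."""


class NameMangler:
    _DN_KEYS = {"common-name": "cn", "organization": "o", "organization-unit": "ou"}

    def __init__(self, fqdn="hostname", email="username", dn="common-name",
                 eap=("prefix", "@")):
        # fqdn: hostname | domain          email: username | domain
        # dn: common-name | organization | organization-unit
        # eap: ("all", None) | ("prefix", delimiter) | ("suffix", delimiter)
        self.fqdn, self.email, self.dn, self.eap = fqdn, email, dn, eap

    def derive(self, id_type, identity):
        """Derive the AAA username from an IKE (fqdn/email/dn) or EAP identity."""
        if id_type == "fqdn":
            host, _, domain = identity.partition(".")
            return host if self.fqdn == "hostname" else domain
        if id_type == "email":
            user, _, domain = identity.partition("@")
            return user if self.email == "username" else domain
        if id_type == "dn":
            return self._dn_attr(identity)
        if id_type == "eap":
            mode, delim = self.eap
            if mode == "all" or delim not in identity:
                return identity          # assumption: no delimiter -> whole identity
            head, _, tail = identity.partition(delim)
            return head if mode == "prefix" else tail
        raise ValueError("unsupported identity type: " + id_type)

    def _dn_attr(self, dn):
        """Pick one RDN attribute (e.g. cn) out of 'cn=joe,ou=IT,o=Cisco'."""
        wanted = self._DN_KEYS[self.dn]
        for rdn in dn.split(","):
            key, _, value = rdn.strip().partition("=")
            if key.strip().lower() == wanted:
                return value.strip()
        raise ValueError("attribute %s not present in DN %r" % (wanted, dn))


def aaa_request(mangler, id_type, identity, password="cisco"):
    """RADIUS request as the FlexVPN server would send it: mangled username plus
    the static, configurable password (the slide uses 'cisco')."""
    return {"username": mangler.derive(id_type, identity), "password": password}


if __name__ == "__main__":
    extract_user = NameMangler()   # the slide's 'crypto ikev2 name-mangler extract-user'
    for id_type, identity in (("fqdn", "joe.cisco.com"), ("email", "joe@cisco.com"),
                              ("dn", "cn=joe,ou=IT,o=Cisco"), ("eap", "joe@cisco")):
        print(id_type, identity, "->", aaa_request(extract_user, id_type, identity))
```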
Basic Site to Site VPN
Site-to-site configuration: IPv4 and static routing

Left router: WAN 172.16.1.1, LAN 192.168.1.0/24. Right router: WAN 172.16.2.1, LAN 192.168.2.0/24.

Left router
crypto ikev2 keyring KR
 ! The peer name is just a string; the address is the peer's address
 peer RightPeer
  address 172.16.2.1
  pre-shared-key local CISCO
  pre-shared-key remote OCSIC
!
crypto ikev2 profile default
 match identity remote fqdn RouterRight.cisco.com
 identity local fqdn RouterLeft.cisco.com
 authentication local pre-share
 authentication remote pre-share
 keyring local KR
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 172.16.2.1
 tunnel protection ipsec profile default
!
ip route 192.168.2.0 255.255.255.0 Tunnel0

Right router
crypto ikev2 keyring KR
 peer LeftPeer
  address 172.16.1.1
  pre-shared-key local OCSIC
  pre-shared-key remote CISCO
!
crypto ikev2 profile default
 match identity remote fqdn RouterLeft.cisco.com
 identity local fqdn RouterRight.cisco.com
 authentication local pre-share
 authentication remote pre-share
 keyring local KR
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 172.16.1.1
 tunnel protection ipsec profile default
!
ip route 192.168.1.0 255.255.255.0 Tunnel0

A routing protocol (IGP/BGP) over Tunnel0 could replace the static routes. Each side uses a different key in each direction (asymmetric pre-shared keys), so a compromised spoke cannot impersonate the hub.
Site-to-site configuration: IPv6 and OSPF

Left router: WAN 172.16.1.1, LAN 2001:db8:cafe::/64. Right router: WAN 172.16.2.1, LAN 2001:db8:beef::/64. Tunnel0 keeps the same IPv4 tunnel source, destination and IPsec profile as before; only link-local addresses are needed on the tunnel because OSPFv3 forms its adjacency over them.

Left router
ipv6 unicast-routing
interface Tunnel0
 ipv6 address FE80::1 link-local
 ipv6 ospf 1 area 0
 tunnel source FastEthernet0/0
 tunnel destination 172.16.2.1
 tunnel protection ipsec profile default
interface E0/0
 ipv6 address 2001:db8:cafe::1/64
 ipv6 ospf 1 area 0

Right router
ipv6 unicast-routing
interface Tunnel0
 ipv6 address FE80::2 link-local
 ipv6 ospf 1 area 0
 tunnel source FastEthernet0/0
 tunnel destination 172.16.1.1
 tunnel protection ipsec profile default
interface E0/0
 ipv6 address 2001:db8:beef::1/64
 ipv6 ospf 1 area 0
Shortcut Switching
With IKEv2 Policies
FlexVPN Mesh: Network Diagram with Hub Resiliency

(Figure) Two hubs on the 192.168.100.0/24 LAN (.1 and .2, with .254 as the upstream gateway) and physical addresses 172.16.0.1 and 172.16.0.2 terminate spokes on Virtual-Access interfaces. Each spoke has a static tunnel interface to each hub, plus Virtual-Access interfaces for spoke-to-spoke tunnels.
Hub & Spoke Bootstrap Config Exchange

Spoke 1 interfaces                              Hub 1 interfaces
  Ethernet0/0: 172.16.1.1                         Ethernet0/0: 172.16.0.1
  Ethernet0/1: 192.168.1.1 (LAN 192.168.1.0/24)   Ethernet0/1: 192.168.100.1 (LAN 192.168.100.0/24, gateway .254)
  Tunnel0: 10.0.0.1                               Loopback0: 10.0.0.254/32
                                                  Virtual-Access1: 10.0.0.254/32 (unnumbered)

IKE_SA_INIT
  Spoke -> Hub: SA Prop (AES-256, SHA-1, DH 5), KEi, Ni
  Hub -> Spoke: SA Prop (AES-256, SHA-1, DH 5), KEr, Nr

IKE_AUTH
  Spoke -> Hub: IDi=Spoke1.cisco.com, Auth, TSi, TSr, CFG_Req(IP4_SUBNET)
    The spoke asks for the hub's protected subnets; a spoke-assigned address is optional.
  Hub -> Spoke: IDr, cert, Auth, TSi, TSr, CFG_Reply(IP4_SUBNET=10.0.0.254/32, 192.168.0.0/16; IP4_ADDRESS=10.0.0.1)
    192.168.0.0/16 is a supernet covering all spoke LAN prefixes.

Route exchange
  Spoke -> Hub: CFG_Set(IP4_SUBNET=10.0.0.1/32, 192.168.1.0/24, 10.0.0.1/32)
  Hub -> Spoke: CFG_Ack()

Resulting routing tables
  Spoke 1                                      Hub 1
    172.16.0.1/32   via 172.16.1.254 (E0/0)       0.0.0.0/0        via 172.16.0.254 (E0/0)
    192.168.1.0/24  Ethernet0/1                   192.168.100.0/24 Ethernet0/1
    10.0.0.254/32   Tunnel0                       10.0.0.1/32      Virtual-Access1
    192.168.0.0/16  Tunnel0                       192.168.1.0/24   Virtual-Access1
FlexVPN Hub and Spoke
IKE Exchange Routes / Policies

Hub 1: physical 172.16.0.1, tunnel 10.0.0.254, .1 on 192.168.100.0/24
Hub 2: physical 172.16.0.2, tunnel 10.0.0.253, .2 on 192.168.100.0/24
The hubs are interconnected by Tunnel100. Spoke 1 (physical 172.16.1.1, tunnel 10.0.0.1, LAN 192.168.1.0/24) is attached to Hub 1; Spoke 2 (physical 172.16.2.1, tunnel 10.0.0.2, LAN 192.168.2.0/24) is attached to Hub 2.

Hub 1 routing table                   Hub 2 routing table
  C 10.0.0.254        Loopback0         C 10.0.0.253        Loopback0
  C 192.168.100.0/24  Eth0              C 192.168.100.0/24  Eth0
  S 192.168.0.0/16    Tunnel100         S 192.168.0.0/16    Tunnel100
  S 10.0.0.0/8        Tunnel100         S 10.0.0.0/8        Tunnel100
  S 10.0.0.1          V-Access1         S 10.0.0.2          V-Access1
  S 192.168.1.0/24    V-Access1         S 192.168.2.0/24    V-Access1

Spoke 1 routing table                 Spoke 2 routing table
  C 192.168.1.0/24    Eth0              C 192.168.2.0/24    Eth0
  C 10.0.0.1          Tunnel0           C 10.0.0.2          Tunnel1
  S 0.0.0.0/0         Dialer0           S 0.0.0.0/0         Dialer0
  S 10.0.0.254/32     Tunnel0           S 10.0.0.253/32     Tunnel1
  S 192.168.0.0/16    Tunnel0           S 192.168.0.0/16    Tunnel1

NHRP tables: empty on both spokes.
FlexVPN Mesh w/ IKEv2 Routing
Shortcut Switching (1)

Starting state: the hub and spoke routing tables are exactly those of the Hub and Spoke slide above (Spoke 1 reaches 192.168.0.0/16 via Tunnel0 to Hub 1, Spoke 2 via Tunnel1 to Hub 2; both hubs hold 192.168.0.0/16 and 10.0.0.0/8 via Tunnel100 plus the per-spoke /32 and LAN routes on their Virtual-Access interfaces), and the NHRP tables on both spokes are empty. The first packet from Spoke 1 toward 192.168.2.0/24 therefore follows the hub path.
FlexVPN Mesh w/ IKEv2 Routing
Policy Shortcut Switching (2)

Hub routing tables: unchanged from the Hub and Spoke slide above.

Spoke 1 sends an NHRP Resolution Request for 192.168.2.2 toward the hubs; Spoke 2 answers with a Resolution Reply for 192.168.2.0/24 and the two spokes bring up a direct spoke-to-spoke tunnel (Virtual-Access1 on each side).

Spoke 1 NHRP table                    Spoke 2 NHRP table
  10.0.0.2/32       172.16.2.1          10.0.0.1          172.16.1.1
  192.168.2.0/24    172.16.2.1

Spoke 1 routing table                 Spoke 2 routing table
  C 192.168.1.0/24    Eth0              C 192.168.2.0/24    Eth0
  C 10.0.0.1          Tunnel0           C 10.0.0.2          Tunnel1
  S 0.0.0.0/0         Dialer0           S 0.0.0.0/0         Dialer0
  S 10.0.0.254/32     Tunnel0           S 10.0.0.253/32     Tunnel1
  S 192.168.0.0/16    Tunnel0           S 192.168.0.0/16    Tunnel1
  H/S 10.0.0.2/32     V-Access1         H/S 10.0.0.1/32     V-Access1
  H/S 192.168.2.0/24  V-Access1
FlexVPN Mesh w/ IKEv2 Policy
Shortcut Switching (3)

Final state: the hub routing tables are unchanged. Traffic between 192.168.1.0/24 and 192.168.2.0/24 now follows the NHRP (H) routes over the spoke-to-spoke Virtual-Access interfaces and no longer transits the hubs.

Spoke 1 NHRP table                    Spoke 2 NHRP table
  10.0.0.2/32       172.16.2.1          10.0.0.1          172.16.1.1
  192.168.2.0/24    172.16.2.1

Spoke 1 routing table                 Spoke 2 routing table
  C 192.168.1.0/24    Eth0              C 192.168.2.0/24    Eth0
  C 10.0.0.1          Tunnel0           C 10.0.0.2          Tunnel1
  S 0.0.0.0/0         Dialer0           S 0.0.0.0/0         Dialer0
  S 10.0.0.254/32     Tunnel0           S 10.0.0.253/32     Tunnel1
  S 192.168.0.0/16    Tunnel0           S 192.168.0.0/16    Tunnel1
  H/S 10.0.0.2/32     V-Access1         H/S 10.0.0.1/32     V-Access1
  H/S 192.168.2.0/24  V-Access1
FlexVPN Mesh (IKEv2 Routing)
Hub 1 Configuration

! Accept connections from spokes
crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Hub1.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 ! Local or AAA spoke profiles supported; they can even control QoS, ZBF,
 ! NHRP redirect and network-id per spoke
 aaa authorization group cert list default default
 virtual-template 1
!
! Defines which prefixes should be protected; these prefixes can also be set by RADIUS
crypto ikev2 authorization policy default
 route set remote 10.0.0.0 255.0.0.0
 route set remote 192.168.0.0 255.255.0.0
!
! Static per-spoke features are applied here; NHRP is the magic
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ! All Virtual-Access interfaces will be in the same network-id
 ip nhrp network-id 1
 ip nhrp redirect
 ip access-group AllowMyBGP in
 tunnel protection ipsec profile default
!
! Hub 1 dedicated overlay address
interface Loopback0
 ip address 10.0.0.254 255.255.255.255
!
! Inter-hub link (not encrypted); same NHRP network-id on the Virtual-Access and inter-hub link
interface Tunnel100
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source Ethernet0/1
 tunnel destination 192.168.100.2
FlexVPN Mesh (IKEv2 Routing)
Hub 2 Configuration

crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 ! Dedicated identity (optional)
 identity local fqdn Hub2.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
crypto ikev2 authorization policy default
 route set remote 10.0.0.0 255.0.0.0
 route set remote 192.168.0.0 255.255.0.0
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp redirect
 ip access-group AllowMyBGP in
 tunnel protection ipsec profile default
!
! Dedicated overlay address
interface Loopback0
 ip address 10.0.0.253 255.255.255.255
!
! Inter-hub link toward Hub 1
interface Tunnel100
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source Ethernet0/1
 tunnel destination 192.168.100.1

Configurations of Hub 1 and Hub 2 are almost identical: only the local identity, the Loopback0 overlay address and the Tunnel100 destination differ.
FlexVPN Mesh (IKEv2 Routing)
Spoke Configuration: QoS everywhere!

crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Spoke2.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
! Needed for the tunnel address exchange
crypto ikev2 authorization policy default
 route set interface
 route set interface e0/0
!
interface Loopback0
 ip address 10.0.0.2 255.255.255.255
!
! Tunnel0 to Hub 1; QoS can be applied here
interface Tunnel0
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel source Ethernet0/0
 tunnel destination 172.16.0.1
 tunnel protection ipsec profile default
!
! Tunnel1 to Hub 2
interface Tunnel1
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel source Ethernet0/0
 tunnel destination 172.16.0.2
 tunnel protection ipsec profile default
!
! Virtual-Template to clone for spoke-spoke tunnels
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel protection ipsec profile default
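The three shortcut-switching slides and the hub/spoke configurations above describe a sequence that is easier to reason about when it can be stepped through. The Python model below is an added example, not Cisco code: summary routes point the spokes at the hub, the hub's ip nhrp redirect sends a traffic indication when a packet enters and leaves the same NHRP network-id, and the spoke's ip nhrp shortcut resolves the destination, clones a Virtual-Access from the Virtual-Template and installs H routes. The addresses are those of the slides; using a single hub, the hop-by-hop forwarding loop and the contents of the NHRP reply are simplifications assumed here.

```python
"""Shortcut switching in a FlexVPN mesh modelled offline (added example, not Cisco code)."""
import ipaddress

NET = ipaddress.ip_network


class Node:
    def __init__(self, name, nbma, tunnel_ip, lan, shortcut=False, redirect=False):
        self.name, self.nbma, self.tunnel_ip = name, nbma, tunnel_ip
        self.lan = NET(lan)            # connected LAN behind the node
        self.shortcut = shortcut       # ip nhrp shortcut (spoke tunnels)
        self.redirect = redirect       # ip nhrp redirect (hub interfaces)
        self.routes = []               # (ip_network, interface, kind) kind: C/S/H
        self.links = {}                # interface -> neighbour; all in NHRP network-id 1
        self.nhrp = {}                 # NHRP cache: overlay prefix -> NBMA address
        self.va_count = 0

    def add_route(self, prefix, iface, kind="S"):
        self.routes.append((NET(prefix), iface, kind))

    def lookup(self, dst):
        """Longest-prefix match; returns (network, interface, kind) or None."""
        addr = ipaddress.ip_address(dst)
        hits = [r for r in self.routes if addr in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen) if hits else None

    def new_virtual_access(self):
        self.va_count += 1
        return "Virtual-Access%d" % self.va_count

    def route_table(self):
        return sorted((kind, str(net), iface) for net, iface, kind in self.routes)

    def owns(self, dst):
        addr = ipaddress.ip_address(dst)
        return addr == ipaddress.ip_address(self.tunnel_ip) or addr in self.lan


def handle_redirect(topo, spoke, dst):
    """Spoke reaction to an NHRP traffic indication: resolve dst, build the
    spoke-to-spoke tunnel and install NHRP cache entries plus H routes."""
    if not spoke.shortcut:
        return
    responder = next((n for n in topo.values() if n.owns(dst)), None)
    if responder is None or responder is spoke:
        return
    va = next((i for i, n in spoke.links.items() if n is responder), None)
    if va is None:
        # both spokes clone a Virtual-Access from their Virtual-Template and
        # IKEv2 brings up the direct tunnel between their NBMA addresses
        va, va_resp = spoke.new_virtual_access(), responder.new_virtual_access()
        spoke.links[va], responder.links[va_resp] = responder, spoke
        responder.nhrp[spoke.tunnel_ip + "/32"] = spoke.nbma   # learnt from the request
        responder.add_route(spoke.tunnel_ip + "/32", va_resp, "H")
    # Resolution Reply: the responder's overlay /32 and the LAN prefix covering dst
    for prefix in (responder.tunnel_ip + "/32", str(responder.lan)):
        if prefix not in spoke.nhrp:
            spoke.nhrp[prefix] = responder.nbma
            spoke.add_route(prefix, va, "H")


def forward(topo, src, dst):
    """Forward one packet hop by hop; returns the list of nodes traversed."""
    path, node, came_from_tunnel = [src.name], src, False
    while not node.owns(dst):
        route = node.lookup(dst)
        if route is None or route[1] not in node.links:
            raise LookupError("%s has no tunnel route to %s" % (node.name, dst))
        if node.redirect and came_from_tunnel:
            handle_redirect(topo, src, dst)   # hub: in and out on NHRP network-id 1
        node, came_from_tunnel = node.links[route[1]], True
        path.append(node.name)
    return path


def build_topology(spoke_shortcut=True):
    hub = Node("Hub1", "172.16.0.1", "10.0.0.254", "192.168.100.0/24", redirect=True)
    spokes = [Node("Spoke1", "172.16.1.1", "10.0.0.1", "192.168.1.0/24", spoke_shortcut),
              Node("Spoke2", "172.16.2.1", "10.0.0.2", "192.168.2.0/24", spoke_shortcut)]
    for spoke in spokes:
        va = hub.new_virtual_access()                 # hub side: per-spoke Virtual-Access
        hub.links[va] = spoke
        hub.add_route(spoke.tunnel_ip + "/32", va)    # from the spoke's 'route set interface'
        hub.add_route(str(spoke.lan), va)
        spoke.links["Tunnel0"] = hub                  # spoke side: static tunnel to the hub
        spoke.add_route(hub.tunnel_ip + "/32", "Tunnel0")
        spoke.add_route("192.168.0.0/16", "Tunnel0")  # hub's 'route set remote' summary
    return {n.name: n for n in [hub] + spokes}


if __name__ == "__main__":
    topo = build_topology()
    print(forward(topo, topo["Spoke1"], "192.168.2.10"))   # via the hub, triggers redirect
    print(forward(topo, topo["Spoke1"], "192.168.2.10"))   # direct spoke-to-spoke
    print(topo["Spoke1"].nhrp)
```

Running it with spoke_shortcut=False shows the failure mode that bites in practice: the hub keeps sending redirects, but a spoke without ip nhrp shortcut ignores them and every packet stays on the hub path.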
Shortcut Switching
With a routing protocol (BGP)
FlexVPN Mesh with BGP Routing

Same topology as before: Hub 1 (physical 172.16.0.1, tunnel 10.0.0.254) and Hub 2 (physical 172.16.0.2, tunnel 10.0.0.253) at .1 and .2 on 192.168.100.0/24, interconnected by Tunnel100; Spoke 1 (physical 172.16.1.1, tunnel 10.0.0.1, LAN 192.168.1.0/24) and Spoke 2 (physical 172.16.2.1, tunnel 10.0.0.2, LAN 192.168.2.0/24). The spoke LAN prefixes and the summary are now learnt via BGP (B) instead of IKEv2 routing.

Hub 1 routing table                   Hub 2 routing table
  C 10.0.0.254        Loopback0         C 10.0.0.253        Loopback0
  C 192.168.100.0/24  Eth0              C 192.168.100.0/24  Eth0
  S 192.168.0.0/16    Tunnel100         S 192.168.0.0/16    Tunnel100
  S 10.0.0.0/8        Tunnel100         S 10.0.0.0/8        Tunnel100
  S 10.0.0.1          V-Access1         S 10.0.0.2          V-Access1
  B 192.168.1.0/24    via 10.0.0.1      B 192.168.2.0/24    via 10.0.0.2

Spoke 1 routing table                 Spoke 2 routing table
  C 192.168.1.0/24    Eth0              C 192.168.2.0/24    Eth0
  C 10.0.0.1          Tunnel0           C 10.0.0.2          Tunnel1
  S 0.0.0.0/0         Dialer0           S 0.0.0.0/0         Dialer0
  S 10.0.0.254/32     Tunnel0           S 10.0.0.253/32     Tunnel1
  B 192.168.0.0/16    via 10.0.0.254    B 192.168.0.0/16    via 10.0.0.253

NHRP tables: empty on both spokes.
FlexVPN Mesh (BGP)
Hub 1 Configuration

! Accept connections from spokes
crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Hub1.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 ! Local or AAA spoke profiles supported; they can even control QoS,
 ! NHRP redirect and network-id per spoke
 aaa authorization group cert list default default
 virtual-template 1
!
! Static per-peer config here; NHRP is the magic
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ! AllowMyBGP (not shown) should permit BGP only from the spoke's tunnel address;
 ! an access-group that names a non-existent ACL permits everything
 ip access-group AllowMyBGP in
 ! All Virtual-Access interfaces will be in the same network-id
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel protection ipsec profile default
!
! Hub 1 dedicated overlay address
interface Loopback0
 ip address 10.0.0.254 255.255.255.255
!
! Inter-hub link (not encrypted); same NHRP network-id on the Virtual-Access and inter-hub link
interface Tunnel100
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source Ethernet0/1
 tunnel destination 192.168.100.2
!
! Summaries advertised to the spokes; tagged so the route-map can select them
ip route 10.0.0.0 255.0.0.0 Tunnel100 tag 2
ip route 192.168.0.0 255.255.0.0 Tunnel100 tag 2
!
! Dynamically accept spoke BGP peering
router bgp 1
 bgp log-neighbor-changes
 bgp listen range 10.0.0.0/24 peer-group Flex
 !
 address-family ipv4
  neighbor Flex peer-group
  neighbor Flex remote-as 1
  neighbor Flex timers 5 15
  neighbor Flex next-hop-self all
  redistribute static route-map rm
 exit-address-family
!
! route-map filters the static routes to redistribute in BGP
route-map rm permit 10
 match tag 2
FlexVPN Mesh (BGP)
Hub 2 Configuration

crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 ! Dedicated identity (optional)
 identity local fqdn Hub2.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip access-group AllowMyBGP in
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel protection ipsec profile default
!
! Dedicated overlay address
interface Loopback0
 ip address 10.0.0.253 255.255.255.255
!
interface Tunnel100
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source Ethernet0/1
 tunnel destination 192.168.100.1
!
ip route 10.0.0.0 255.0.0.0 Tunnel100 tag 2
ip route 192.168.0.0 255.255.0.0 Tunnel100 tag 2
!
router bgp 1
 bgp log-neighbor-changes
 bgp listen range 10.0.0.0/24 peer-group Flex
 !
 address-family ipv4
  redistribute static route-map rm
  neighbor Flex peer-group
  neighbor Flex remote-as 1
  neighbor Flex timers 5 15
  neighbor Flex next-hop-self all
 exit-address-family
!
route-map rm permit 10
 match tag 2

Almost the same as Hub 1 again!
FlexVPN Mesh (BGP)
Spoke Configuration: QoS everywhere!

crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Spoke2.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 ! Needed for the tunnel address exchange (default authorization policy: route set interface)
 aaa authorization group cert list default default
 virtual-template 1
!
router bgp 1
 bgp log-neighbor-changes
 neighbor 10.0.0.253 remote-as 1
 neighbor 10.0.0.253 timers 5 15
 neighbor 10.0.0.254 remote-as 1
 neighbor 10.0.0.254 timers 5 15
 !
 address-family ipv4
  network 192.168.2.0
  neighbor 10.0.0.253 activate
  neighbor 10.0.0.254 activate
  maximum-paths ibgp 2
!
interface Loopback0
 ip address 10.0.0.2 255.255.255.255
!
! Tunnel0 to Hub 1; QoS can be applied here
interface Tunnel0
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel source Ethernet0/0
 tunnel destination 172.16.0.1
 tunnel protection ipsec profile default
!
! Tunnel1 to Hub 2
interface Tunnel1
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel source Ethernet0/0
 tunnel destination 172.16.0.2
 tunnel protection ipsec profile default
!
! Virtual-Template to clone for spoke-spoke tunnels
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel protection ipsec profile default
FlexVPN Per-Peer Features
Provisioning Per-Peer Features: Central and Distributed Models

A hub at 172.16.0.1 (.1 on 192.168.100.0/24, gateway .254) serves spokes with different needs: some spokes with high bandwidth, some with low bandwidth, some belonging to VRF Red, some to VRF Blue.

Option #1: Features on the Virtual-Template (shared by every spoke cloned from it)
Option #2: Group profiles on IOS (local authorization policies per group of spokes)
Option #3: Central service-policy enforcement on RADIUS (per-peer attributes returned at authorisation)
BRKSEC-3013 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public 51
VRF Injection
- Hub injects traffic in the chosen VRF
- Hub private interface(s) in the Inside VRF
- Virtual-Access in the iVRF
- WAN in the Global Routing Table or in a Front VRF
- Optional VRF on spokes (not in this example)

Diagram: two hubs (172.16.1.254 and 172.16.1.253) each attached to three inside 192.168.100.0/24 segments, one per VRF (.1 on the first hub, .2 on the second).
Inside-VRF and Front-VRF
Layered view of a Virtual-Access interface (tunnel) created by IKEv2:
- Layer 5+: IKE, AAA, BGP. The remote protected prefix is added to the iVRF table.
- Layer 3: Global Routing Table (aka Front Door VRF, fVRF) and VRF Red / VRF Blue / VRF Green (Inside VRF, aka iVRF)
- Layer 2: WAN

Applied by IKEv2 to the Virtual-Access interface:
 vrf forwarding Red
 tunnel vrf Blue
Inside-VRF and Front-VRF
Feature order on the Virtual-Access interface (tunnel) created by IKEv2:
- Layer 5+: IKE, AAA, BGP
- Layer 4: post-encapsulation tunnel protection (encrypt)
- Layer 3: Global Routing Table and VRF Red / VRF Blue / VRF Green
- Layer 2: input features and output features on the LAN side, tunnel encapsulation, then output features towards the WAN
Hierarchical Shaper
Each Hub Virtual-Access needs its own policy:
- Parent shaper limits the total bandwidth (e.g. a 1 Mbps pipe or a 5 Mbps pipe)
- Child policy: priority queuing, bandwidth reservation, fair queuing
Step 1: Define Policy Map(s)
class-map Control
 match ip precedence 6
class-map Voice
 match ip precedence 5
!
policy-map SubPolicy
 class Control
  ! 20 Kbps guaranteed to Control
  bandwidth 20
 class Voice
  ! 60% of bandwidth for Voice
  priority percent 60
!
! Silver: 1 Mbps to each tunnel
policy-map Silver
 class class-default
  shape average 1000000
  service-policy SubPolicy
!
! Gold: 5 Mbps to each tunnel
policy-map Gold
 class class-default
  shape average 5000000
  service-policy SubPolicy
iVRF + fVRF + QoS + ...
- Layer 5+: IKE, AAA, BGP
- Layer 3: routes are applied here, in the Global Routing Table or in VRF Red / VRF Blue / VRF Green
- Layer 2: WAN

Applied by IKEv2 to the Virtual-Access interface:
 vrf forwarding Red
 tunnel vrf Blue
 service-policy out Gold

Any feature can be applied here: NAT, NHRP network-id, NHRP redirect, FW zone, QoS, VRF, ACL.
VRF Injection Hub Configuration
Option 1: Mapping with in-IOS configuration (without AAA). Heavy configuration.
One dedicated IKEv2 profile per VRF; the FQDN domain is the differentiator. Each Virtual-Template sits in its VRF, unnumbered to a loopback in that VRF. Add NHRP, ACLs, ... as needed.

crypto ikev2 profile BLUE
 match identity remote fqdn domain blue
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
interface Virtual-Template1 type tunnel
 vrf forwarding BLUE
 ip unnumbered Loopback1
 service-policy Gold out
 tunnel protection ipsec profile default
!
crypto ikev2 profile RED
 match identity remote fqdn domain red
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 2
!
interface Virtual-Template2 type tunnel
 vrf forwarding RED
 ip unnumbered Loopback2
 service-policy Gold out
 tunnel protection ipsec profile default
!
crypto ikev2 profile GREEN
 match identity remote fqdn domain green
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 3
!
interface Virtual-Template3 type tunnel
 vrf forwarding GREEN
 ip unnumbered Loopback3
 service-policy Silver out
 tunnel protection ipsec profile default
VRF Injection Hub Configuration
Option 2: Mapping with AAA group based configuration (group profiles on IOS)
One common IKEv2 profile and a vanilla Virtual-Template; the authorization profile name is extracted from the domain name of the peer identity by the name-mangler.

aaa new-model
aaa authorization network default local
!
crypto ikev2 profile default
 match identity remote any
 identity local fqdn Hub1.cisco.com
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA
 dpd 10 2 on-demand
 aaa authorization group cert list default name-mangler dom
 virtual-template 1
!
interface Virtual-Template1 type tunnel
 tunnel protection ipsec profile default
!
crypto ikev2 name-mangler dom
 fqdn domain
!
aaa attribute list blue
 attribute type interface-config "vrf forwarding BLUE"
 attribute type interface-config "ip unnumbered Loopback1"
 attribute type interface-config "service-policy Gold out"
crypto ikev2 authorization policy blue
 aaa attribute list blue
 route set interface
!
aaa attribute list red
 attribute type interface-config "vrf forwarding RED"
 attribute type interface-config "ip unnumbered Loopback2"
 attribute type interface-config "service-policy Silver out"
crypto ikev2 authorization policy red
 aaa attribute list red
 route set interface
!
aaa attribute list green
 attribute type interface-config "vrf forwarding GREEN"
 attribute type interface-config "ip unnumbered Loopback3"
 attribute type interface-config "service-policy Gold out"
crypto ikev2 authorization policy green
 aaa attribute list green
 route set interface
VRF Injection Hub Configuration
Option 3: RADIUS based profiles (group profiles on RADIUS)
Profiles are stored on the RADIUS server. They could be per-peer profiles or group+peer (derivation). The IKEv2 profile and Virtual-Template are the same common ones as in option 2; the profile name is extracted from the domain name.

aaa new-model
aaa authorization network default group RADIUS
aaa group server radius RADIUS
 server-private 192.168.100.2 auth-port 1812 acct-port 1813 key cisco123
!
crypto ikev2 profile default
 match identity remote any
 identity local fqdn Hub1.cisco.com
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA
 aaa authorization group cert list default name-mangler dom
 virtual-template 1
!
interface Virtual-Template1 type tunnel
 tunnel protection ipsec profile default
!
crypto ikev2 name-mangler dom
 fqdn domain

RADIUS group profiles:

Profile blue / password cisco
 ipsec:route-accept=any
 ipsec:route-set=interface
 ip:interface-config=vrf forwarding BLUE
 ip:interface-config=ip unnumbered loopback 1
 ip:interface-config=service-policy Gold out

Profile red / password cisco
 ipsec:route-accept=any
 ipsec:route-set=interface
 ip:interface-config=vrf forwarding RED
 ip:interface-config=ip unnumbered loopback 2
 ip:interface-config=service-policy Silver out

Profile green / password cisco
 ipsec:route-accept=any
 ipsec:route-set=interface
 ip:interface-config=vrf forwarding GREEN
 ip:interface-config=ip unnumbered loopback 3
 ip:interface-config=service-policy Gold out
VRF Injection Hub Configuration
For both options: BGP and VRF configurations

vrf definition BLUE
 rd 1:1
 address-family ipv4
 address-family ipv6
!
vrf definition RED
 rd 2:2
 address-family ipv4
 address-family ipv6
!
vrf definition GREEN
 rd 3:3
 address-family ipv4
 address-family ipv6
!
interface Loopback1
 vrf forwarding BLUE
 ip address 10.0.0.254 255.255.255.255
!
interface Loopback2
 vrf forwarding RED
 ip address 10.0.0.254 255.255.255.255
!
interface Loopback3
 vrf forwarding GREEN
 ip address 10.0.0.254 255.255.255.255
!
! Summaries attract spoke traffic; Null0 drops non-reachable prefixes
ip route vrf BLUE 10.0.0.0 255.0.0.0 Null0
ip route vrf BLUE 192.168.0.0 255.255.0.0 Null0
ip route vrf RED 10.0.0.0 255.0.0.0 Null0
ip route vrf RED 192.168.0.0 255.255.0.0 Null0
ip route vrf GREEN 10.0.0.0 255.0.0.0 Null0
ip route vrf GREEN 192.168.0.0 255.255.0.0 Null0
!
! BGP dynamic peering. These address ranges can not currently overlap; follow CSCtw69765.
router bgp 1
 bgp listen range 10.1.0.0/16 peer-group BluePeer
 bgp listen range 10.2.0.0/16 peer-group RedPeer
 bgp listen range 10.3.0.0/16 peer-group GreenPeer
 !
 ! Each VRF has its own control section: the peer group is activated in its
 ! corresponding VRF and the statics above are redistributed into BGP
 address-family ipv4 vrf BLUE
  redistribute static
  neighbor BluePeer peer-group
  neighbor BluePeer remote-as 1
 exit-address-family
 !
 address-family ipv4 vrf RED
  redistribute static
  neighbor RedPeer peer-group
  neighbor RedPeer remote-as 1
 exit-address-family
 !
 address-family ipv4 vrf GREEN
  redistribute static
  neighbor GreenPeer peer-group
  neighbor GreenPeer remote-as 1
 exit-address-family
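The hub side of this design has one constraint that IOS will not flag for you: the `bgp listen range` prefixes of the different peer groups must not overlap, otherwise a spoke can match more than one group and land in the wrong VRF. The following is an added example (not part of the BRKSEC-3013 deck and not Cisco code) that checks that constraint over a small table of VRF groups and renders the per-VRF sections of the hub configuration from it; the group names, ranges and RDs are the slide's, the dataclass and function names are this example's own.

```python
"""Per-VRF hub provisioning check for the BGP dynamic-peering design above.

Added example (not from the BRKSEC-3013 deck, not Cisco code). It verifies
that no two peer groups have overlapping "bgp listen range" prefixes and
renders the VRF, static-route, loopback and BGP sections for each group.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network
from itertools import combinations


@dataclass(frozen=True)
class VrfGroup:
    name: str          # VRF name (BLUE, RED, GREEN on the slide)
    rd: str            # route distinguisher
    loopback: int      # Loopback interface placed in this VRF
    listen_range: str  # spoke tunnel-address range for "bgp listen range"
    peer_group: str    # BGP peer-group the range maps to


SLIDE_GROUPS = [
    VrfGroup("BLUE", "1:1", 1, "10.1.0.0/16", "BluePeer"),
    VrfGroup("RED", "2:2", 2, "10.2.0.0/16", "RedPeer"),
    VrfGroup("GREEN", "3:3", 3, "10.3.0.0/16", "GreenPeer"),
]


def find_overlapping_ranges(groups):
    """Return (name, name) pairs whose listen ranges overlap (should be empty).

    An overlap would let one spoke address match several peer groups, which
    the slide notes is not currently supported (CSCtw69765).
    """
    bad = []
    for a, b in combinations(groups, 2):
        if IPv4Network(a.listen_range).overlaps(IPv4Network(b.listen_range)):
            bad.append((a.name, b.name))
    return bad


def render_hub_config(groups, local_as=1, hub_loopback_ip="10.0.0.254"):
    """Render the per-VRF hub sections; refuse to render overlapping ranges."""
    overlaps = find_overlapping_ranges(groups)
    if overlaps:
        raise ValueError(f"overlapping bgp listen ranges: {overlaps}")

    out = []
    for g in groups:
        out += [f"vrf definition {g.name}", f" rd {g.rd}",
                " address-family ipv4", " address-family ipv6", "!"]
        # Summaries attract spoke traffic; Null0 drops prefixes no spoke announced.
        out += [f"ip route vrf {g.name} 10.0.0.0 255.0.0.0 Null0",
                f"ip route vrf {g.name} 192.168.0.0 255.255.0.0 Null0", "!"]
        out += [f"interface Loopback{g.loopback}", f" vrf forwarding {g.name}",
                f" ip address {hub_loopback_ip} 255.255.255.255", "!"]

    out.append(f"router bgp {local_as}")
    for g in groups:
        out.append(f" bgp listen range {g.listen_range} peer-group {g.peer_group}")
    for g in groups:
        # Each VRF gets its own control section; the peer group is activated there.
        out += [f" address-family ipv4 vrf {g.name}", "  redistribute static",
                f"  neighbor {g.peer_group} peer-group",
                f"  neighbor {g.peer_group} remote-as {local_as}",
                " exit-address-family"]
    return "\n".join(out)


if __name__ == "__main__":
    print(render_hub_config(SLIDE_GROUPS))
```

Run it as-is to get the three-VRF hub configuration; add a fourth group whose range falls inside 10.1.0.0/16 and `render_hub_config` raises instead of emitting a configuration that IOS would accept but that would steer spokes into the wrong VRF.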
VRF Injection Spoke Configuration
Vanilla IKE and BGP configurations: a plain, simple IKEv2 profile (the IKEv2 identity defines the group; the AAA authorization line is required for the config exchange) and a basic iBGP configuration with two hubs and equal-cost load balancing.

aaa new-model
aaa authorization network default local
!
crypto ikev2 profile default
 match identity remote fqdn Hub1.cisco.com
 match identity remote fqdn Hub2.cisco.com
 identity local fqdn spoke1.RED
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
!
interface Loopback0
 ip address 10.1.0.2 255.255.255.255
!
! Tunnel to Hub1
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source Ethernet0/0
 tunnel destination 172.16.1.1
 tunnel protection ipsec profile default
!
! Tunnel to Hub2
interface Tunnel1
 ip unnumbered Loopback0
 tunnel source Ethernet0/0
 tunnel destination 172.16.4.1
 tunnel protection ipsec profile default
!
router bgp 1
 bgp log-neighbor-changes
 network 192.168.0.0 mask 255.255.0.0
 neighbor Hub peer-group
 neighbor Hub remote-as 1
 neighbor Hub next-hop-self
 neighbor 10.0.0.253 peer-group Hub
 neighbor 10.0.0.254 peer-group Hub
 ! Two hubs: equal cost load balancing
 maximum-paths ibgp 2
High Availability
FlexVPN Backup
Routing Based Multi-Hub Resiliency (1)
Two hubs (172.16.0.1 and 172.16.0.2, .1 and .2 on the 192.168.100.0/24 LAN).
- Tunnels to both hubs are constantly active
- Traffic can transit via either tunnel (active-standby) or both tunnels (load-balancing)
FlexVPN Backup
Routing Based Multi-Hub Resiliency (2)
- Hub 1 (172.16.0.1) fails, its tunnels go down
- Traffic goes through the remaining tunnel to Hub 2 (172.16.0.2)
Inter-hub BGP BFD keepalives

Topology: Hub 1 (physical 172.16.0.1, tunnel address 10.0.0.254, 192.168.100.1) and Hub 2 (physical 172.16.0.2, tunnel address 10.0.0.253, 192.168.100.2) are linked by Tunnel100 on 192.168.0.0/30 (.1 and .2). Spoke 1 (physical 172.16.1.1, tunnel 10.0.0.1, LAN 192.168.1.0/24) and Spoke 2 (physical 172.16.2.1, tunnel 10.0.0.2, LAN 192.168.2.0/24) have empty NHRP tables.

Hub 1 configuration:
router bgp 1
 neighbor 192.168.0.2 remote-as 1
 neighbor 192.168.0.2 fall-over bfd
!
interface Tunnel100
 bfd interval 500 min_rx 50 multiplier 3

Hub 2 configuration:
router bgp 1
 neighbor 192.168.0.1 remote-as 1
 neighbor 192.168.0.1 fall-over bfd
!
interface Tunnel100
 bfd interval 500 min_rx 50 multiplier 3

Hub 1 routing table (the 1.0.0.x/32 dummy prefix is the magic ingredient):
C 10.0.0.254 Loopback0
C 192.168.100.0/24 Eth0
S 192.168.0.0/16 Null0 tag 2
S 10.0.0.0/8 Null0 tag 2
S 1.0.0.1/32 Null0 tag 2
B 1.0.0.2/32 Tunnel100

Hub 2 routing table:
C 10.0.0.253 Loopback0
C 192.168.100.0/24 Eth0
S 192.168.0.0/16 Null0 tag 2
S 10.0.0.0/8 Null0 tag 2
S 1.0.0.2/32 Null0 tag 2
B 1.0.0.1/32 Tunnel100

Spoke 1 routing table:
C 192.168.1.0/24 Eth0
C 10.0.0.1 Tunnel0
S 0.0.0.0/0 Dialer0

Spoke 2 routing table:
C 192.168.2.0/24 Eth0
C 10.0.0.2 Tunnel1
S 0.0.0.0/0 Dialer0
Spokes Connect: Next-Hop with High Distance

Hub configuration (both hubs): the tag 2 routes get redistributed into BGP and advertised to the spokes.
router bgp 1
 redistribute static route-map TAG2
!
route-map TAG2
 match tag 2

Spoke configuration (both spokes): routes pushed by IKEv2 are installed with a high administrative distance.
crypto ikev2 authorization policy default
 route accept any distance 210

Hub 1 routing table:
C 10.0.0.254 Loopback0
C 192.168.100.0/24 Eth0
S 192.168.0.0/16 Null0 tag 2
S 10.0.0.0/8 Null0 tag 2
S 1.0.0.1/32 Null0 tag 2
B 1.0.0.2/32 Tunnel100
S 10.0.0.1 V-Access1
S 10.0.0.2 V-Access2
B 192.168.1.0/24 10.0.0.1
B 192.168.2.0/24 10.0.0.2

Hub 2 routing table:
C 10.0.0.253 Loopback0
C 192.168.100.0/24 Eth0
S 192.168.0.0/16 Null0 tag 2
S 10.0.0.0/8 Null0 tag 2
S 1.0.0.2/32 Null0 tag 2
B 1.0.0.1/32 Tunnel100
S 10.0.0.1 V-Access1
S 10.0.0.2 V-Access2
B 192.168.1.0/24 10.0.0.1
B 192.168.2.0/24 10.0.0.2

Spoke 1 routing table:
C 192.168.1.0/24 Eth0
C 10.0.0.1 Tunnel0
S 0.0.0.0/0 Dialer0
S 10.0.0.254/32 Tunnel0 dist. 210
S 10.0.0.253/32 Tunnel1 dist. 210
B 192.168.0.0/16 10.0.0.254 dist. 200

Spoke 2 routing table:
C 192.168.2.0/24 Eth0
C 10.0.0.2 Tunnel1
S 0.0.0.0/0 Dialer0
S 10.0.0.254/32 Tunnel0 dist. 210
S 10.0.0.253/32 Tunnel1 dist. 210
B 192.168.0.0/16 10.0.0.254 dist. 200
Traffic Flows: recursive routing applies
Spoke traffic to 192.168.0.0/16 follows the BGP next hop 10.0.0.254, which is itself resolved through the static /32 pointing at Tunnel0 (Hub 1).

Hub 1 routing table:
C 10.0.0.254 Loopback0
C 192.168.100.0/24 Eth0
S 192.168.0.0/16 Null0 tag 2
S 10.0.0.0/8 Tunnel100
S 1.0.0.1/32 Null0 tag 2
B 1.0.0.2/32 Tunnel100
S 10.0.0.1 V-Access1
S 10.0.0.2 V-Access2
B 192.168.1.0/24 10.0.0.1
B 192.168.2.0/24 10.0.0.2

Hub 2 routing table:
C 10.0.0.253 Loopback0
C 192.168.100.0/24 Eth0
S 192.168.0.0/16 Null0 tag 2
S 10.0.0.0/8 Tunnel100
S 1.0.0.2/32 Null0 tag 2
B 1.0.0.1/32 Tunnel100
S 10.0.0.1 V-Access1
S 10.0.0.2 V-Access2
B 192.168.1.0/24 10.0.0.1
B 192.168.2.0/24 10.0.0.2

Spoke 1 routing table:
C 192.168.1.0/24 Eth0
C 10.0.0.1 Tunnel0
S 0.0.0.0/0 Dialer0
S 10.0.0.254/32 Tunnel0 dist. 210
S 10.0.0.253/32 Tunnel1 dist. 210
B 192.168.0.0/16 10.0.0.254 dist. 200

Spoke 2 routing table:
C 192.168.2.0/24 Eth0
C 10.0.0.2 Tunnel1
S 0.0.0.0/0 Dialer0
S 10.0.0.254/32 Tunnel0 dist. 210
S 10.0.0.253/32 Tunnel1 dist. 210
B 192.168.0.0/16 10.0.0.254 dist. 200
Say Hub 1 Crashed
After 0.5 seconds, BFD brings the inter-hub session down on Hub 2:
%BGP-5-ADJCHANGE: neighbor 192.168.0.1 Down

Hub 2 routing table:
C 10.0.0.253 Loopback0
C 192.168.100.0/24 Eth0
S 192.168.0.0/16 Tunnel100 tag 2
S 10.0.0.0/8 Null0 tag 2
S 1.0.0.2/32 Null0 tag 2
B 1.0.0.1/32 Tunnel100
S 10.0.0.1 V-Access1
S 10.0.0.2 V-Access2
B 192.168.1.0/24 10.0.0.1
B 192.168.2.0/24 10.0.0.2

The spokes still point at Hub 1 (10.0.0.254 via Tunnel0):

Spoke 1 routing table:
C 192.168.1.0/24 Eth0
C 10.0.0.1 Tunnel0
S 0.0.0.0/0 Dialer0
S 10.0.0.254/32 Tunnel0 dist. 210
S 10.0.0.253/32 Tunnel1 dist. 210
B 192.168.0.0/16 10.0.0.254 dist. 200

Spoke 2 routing table:
C 192.168.2.0/24 Eth0
C 10.0.0.2 Tunnel1
S 0.0.0.0/0 Dialer0
S 10.0.0.254/32 Tunnel0 dist. 210
S 10.0.0.253/32 Tunnel1 dist. 210
B 192.168.0.0/16 10.0.0.254 dist. 200
We have achieved High-Availability

Hub 2 configuration: when the dummy prefix 1.0.0.1 (Hub 1) is no longer reachable, a static for Hub 1's tunnel address is installed and, being tagged 2, redistributed to the spokes.
track timer msec 500
track 1 ip route 1.0.0.1 255.255.255.255 reachability
track 2 list boolean and
 object 1 not
!
ip route 10.0.0.254 255.255.255.255 Null0 tag 2 track 2

Hub 2 routing table (the tracked static takes ~1 s to appear; redistribution is almost immediate; propagation depends on the number of spokes):
C 10.0.0.253 Loopback0
C 192.168.100.0/24 Eth0
S 192.168.0.0/16 Tunnel100 tag 2
S 10.0.0.0/8 Null0 tag 2
S 1.0.0.2/32 Null0 tag 2
B 1.0.0.1/32 Tunnel100
S 10.0.0.1 V-Access1
S 10.0.0.2 V-Access2
B 192.168.1.0/24 10.0.0.1
B 192.168.2.0/24 10.0.0.2
S 10.0.0.254/32 Null0 tag 2 track 2

Spoke 1 routing table (S 10.0.0.254/32 Tunnel0 dist. 210 is removed because an exact match with a lower administrative distance exists):
C 192.168.1.0/24 Eth0
C 10.0.0.1 Tunnel0
S 0.0.0.0/0 Dialer0
S 10.0.0.253/32 Tunnel1 dist. 210
B 192.168.0.0/16 10.0.0.254 dist. 200
B 10.0.0.254/32 10.0.0.253 dist. 200

Spoke 2 routing table (same removal):
C 192.168.2.0/24 Eth0
C 10.0.0.2 Tunnel1
S 0.0.0.0/0 Dialer0
S 10.0.0.253/32 Tunnel1 dist. 210
B 192.168.0.0/16 10.0.0.254 dist. 200
B 10.0.0.254/32 10.0.0.253 dist. 200
We have achieved High-Availability
Final state: spoke traffic for 192.168.0.0/16 still uses next hop 10.0.0.254, which now resolves through BGP to 10.0.0.253 and therefore to Tunnel1 (Hub 2).

Hub 2 routing table:
C 10.0.0.253 Loopback0
C 192.168.100.0/24 Eth0
S 192.168.0.0/16 Tunnel100 tag 2
S 10.0.0.0/8 Null0 tag 2
S 1.0.0.2/32 Null0
B 1.0.0.1/32 Tunnel100
S 10.0.0.1 V-Access1
S 10.0.0.2 V-Access2
B 192.168.1.0/24 10.0.0.1
B 192.168.2.0/24 10.0.0.2
S 10.0.0.254/32 Null0 tag 2 track 2

Spoke 1 routing table:
C 192.168.1.0/24 Eth0
C 10.0.0.1 Tunnel0
S 0.0.0.0/0 Dialer0
S 10.0.0.253/32 Tunnel1 dist. 210
B 192.168.0.0/16 10.0.0.254 dist. 200
B 10.0.0.254/32 10.0.0.253 dist. 200

Spoke 2 routing table:
C 192.168.2.0/24 Eth0
C 10.0.0.2 Tunnel1
S 0.0.0.0/0 Dialer0
S 10.0.0.253/32 Tunnel1 dist. 210
B 192.168.0.0/16 10.0.0.254 dist. 200
B 10.0.0.254/32 10.0.0.253 dist. 200
High Availability - Backup Peers
FlexVPN Backup
IKE Backup Peers (1)
Two hubs (172.16.0.1 and 172.16.0.2, .1 and .2 on the 192.168.100.0/24 LAN). Tunnels are set up to a primary hub only.
FlexVPN Backup
IKE Backup Peers (2)
- Hub 1 (172.16.0.1) fails
- New tunnels are set up to a backup hub (172.16.0.2)
FlexVPN Backup
IKE Backup Peers (3): Spoke Configuration
Also works with a routing protocol.

aaa authorization network default local
!
crypto ikev2 profile default
 match certificate HUBMAP
 identity local fqdn Spoke1.cisco.com
 authentication remote rsa-sig
 authentication local pre-shared
 keyring local
 pki trustpoint CA
 aaa authorization group cert list default default
 ! Detect hub failure
 dpd 30 2 on-demand
!
crypto ikev2 client flexvpn default
 ! peer 1: primary hub, peer 2: secondary hub
 peer 1 172.16.1.254
 peer 2 172.16.1.253
 client connect tunnel 0
!
interface Tunnel0
 ip address negotiated
 tunnel source FastEthernet0/0
 ! Destination managed by FlexVPN
 tunnel destination dynamic
 tunnel protection ipsec profile default
!
crypto ikev2 authorization policy default
 route set interface
 route set access-list 99

Powerful peer syntax:
 peer <n> <ip>
 peer <n> <ip> track <x>
 peer <n> <fqdn>
 peer <n> <fqdn> track <x>
The Nth source is selected only if the corresponding track object is up.

RADIUS backup list attribute: ipsec:ipsec-backup-gateway
Up to 10 backup gateways pushed by config-exchange.
FlexVPN Backup: Re-activation of Primary Peer
Allows re-establishing the tunnel directly to the preferred peer as soon as it is available again. Trackers are required for this feature.

track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
track 3 ip sla 3 reachability
!
crypto ikev2 client flexvpn remote1
 peer 1 10.0.0.1 track 1
 peer 2 10.0.0.2 track 2
 peer 3 10.0.0.3 track 3
 peer reactivate
 client connect Tunnel0
!
interface Tunnel0
 ip address negotiated
 tunnel destination dynamic

Diagram: the client probes the peers 10.0.0.1, 10.0.0.2 and 10.0.0.3 with ICMP-echo IP SLA probes; each tracker state (Up/Down) follows its probe, and the IPsec tunnel is built to the highest-ranked peer whose tracker is up.
FlexVPN Backup: Tunnel Pivoting
Use when different Service Providers are used to connect to the remote host.

track 1 ip sla 1 reachability
!
crypto ikev2 client flexvpn remote1
 peer 1 10.0.0.1
 source 1 interface GigabitEthernet0/0 track 1
 source 2 interface Cellular0/0
 client connect tunnel 0
!
interface Tunnel0
 ip address negotiated
 tunnel source dynamic
 tunnel destination dynamic

Diagram: the client reaches the hub either through Service Provider 1 via GigE0/0 or through Cellular Provider 2 via Cellular0/0; the ICMP-echo IP SLA probe drives the tracker state (Up/Down) that selects the IPsec tunnel source.
IKE Load Balancer
FlexVPN Backup
IKEv2 Load-Balancer Bootstrap
Topology: Hub 1 (Master, HSRP Active, 10.0.0.11), Hub 2 (Slave, HSRP Standby, 10.0.0.12) and Hub 3 (Slave, HSRP Standby, 10.0.0.13) share the 10.0.0.0/24 LAN; the WAN-facing VIP is 10.0.0.5.
1. HSRP Active Router election: the winner takes over the VIP (.5)
2. CLB Registration: the HSRP Standby routers become CLB Slaves and register to the Master (HSRP Active)

On Hub 1:
*Nov 20 12:43:58.488: %CLB-6-CLB_SLAVE_CONNECTED: Slave 10.0.0.13 connected.
*Nov 20 12:43:58.493: %CLB-6-CLB_SLAVE_CONNECTED: Slave 10.0.0.12 connected.
FlexVPN Backup
IKEv2 Load-Balancer Client Connection
Same cluster: Hub 1 (Master, Active, .11), Hub 2 (Slave, Standby, .12), Hub 3 (Slave, Standby, .13) on 10.0.0.0/24, VIP .5.
1. Client sends IKE SA_INIT with REDIRECT_SUPPORTED to the VIP (.5)
2. CLB Master selects the least-loaded gateway (LLG), Hub 3
3. CLB Master sends a redirect to the client pointing to Hub 3
4. Client establishes the IKEv2 session with the LLG hub (Hub 3)
IKEv2 Load-Balancer
Hub 1 Configuration

! Activates the sending of IKEv2 redirects during SA_INIT
crypto ikev2 redirect gateway init
!
crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Hub1.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
crypto ikev2 authorization policy default
 route set interface
!
! HSRP group name must match the IKEv2 cluster configuration
crypto ikev2 cluster
 standby-group vpngw
 slave max-session 10
 no shutdown
!
interface Ethernet0/0
 ip address 10.0.0.11 255.255.255.0
 standby 1 ip 10.0.0.5
 standby 1 name vpngw
!
interface Loopback0
 ip address 172.16.1.11 255.255.255.0
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip mtu 1400
 tunnel source Ethernet1/0
 tunnel protection ipsec profile default

Configuration of the slave hubs is almost identical (except the HSRP priority)!
IKEv2 Load-Balancer
Client Configuration

! Activates IKEv2 redirection support and limits the redirect count (DoS prevention)
crypto ikev2 redirect client max-redirects 10
!
crypto ikev2 authorization policy default
 route set interface
!
crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Spoke2.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
! FlexVPN peer configured with the VIP address only
crypto ikev2 client flexvpn VPN_LB
 peer 1 10.0.0.5
 client connect Tunnel0
!
interface Tunnel0
 ip address 172.16.1.100 255.255.255.0
 ip mtu 1400
 tunnel source Ethernet0/0
 tunnel destination dynamic
 tunnel protection ipsec profile default
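The load balancer described above has two moving parts: the master's choice of the least-loaded gateway for a client that announced REDIRECT_SUPPORTED, and the client's cap on how many redirects it will follow (`max-redirects`, the DoS prevention the client slide mentions). The following is an added example (not part of the BRKSEC-3013 deck and not Cisco code) that models both and encodes the REDIRECT notification data in the layout RFC 5685 defines (gateway identity type, length, identity, nonce); the notify type numbers are RFC 5685's, the gateway addresses and session counts are constructed, and the `Master`, `Slave` and `client_connect` names are this example's own.

```python
"""IKEv2 redirect as used by the FlexVPN load balancer above.

Added example; not from the BRKSEC-3013 deck and not Cisco code. The master
redirects a REDIRECT_SUPPORTED client to the least-loaded gateway (LLG); the
client follows redirects only up to max_redirects. Notify type values and the
REDIRECT data layout follow RFC 5685; all addresses and loads are constructed.
"""
import struct
from ipaddress import IPv4Address

REDIRECT_SUPPORTED, REDIRECT, REDIRECTED_FROM = 16406, 16407, 16408
GW_IPV4, GW_IPV6, GW_FQDN = 1, 2, 3  # gateway identity types


def redirect_notify_data(gateway, nonce):
    """Encode REDIRECT notification data for an IPv4 address or an FQDN.

    The nonce is the client's own Ni from its IKE_SA_INIT request, echoed back
    so a client can tie the redirect to the exchange it started.
    """
    try:
        ident, ident_type = IPv4Address(gateway).packed, GW_IPV4
    except ValueError:
        ident, ident_type = gateway.encode(), GW_FQDN
    return struct.pack("!BB", ident_type, len(ident)) + ident + nonce


def parse_redirect_notify_data(data):
    """Return (gateway, nonce) from REDIRECT notification data."""
    ident_type, ident_len = struct.unpack("!BB", data[:2])
    ident = data[2:2 + ident_len]
    if len(ident) != ident_len:
        raise ValueError("truncated gateway identity")
    if ident_type == GW_IPV4:
        return str(IPv4Address(ident)), data[2 + ident_len:]
    if ident_type == GW_FQDN:
        return ident.decode(), data[2 + ident_len:]
    raise ValueError("unsupported gateway identity type")


class Slave:
    """A cluster member that simply accepts sessions sent its way."""
    def handle_sa_init(self, client_notifies, nonce):
        return None  # no redirect: serve the client locally


class Master:
    """CLB master: knows each member's session count and session limit."""
    def __init__(self, own_address, members):
        self.own_address = own_address
        self.members = dict(members)  # address -> (sessions, max_sessions)

    def least_loaded_gateway(self):
        """Member with the fewest sessions that still has spare capacity."""
        candidates = [(sessions, addr) for addr, (sessions, limit) in self.members.items()
                      if sessions < limit]
        return min(candidates)[1] if candidates else None

    def handle_sa_init(self, client_notifies, nonce):
        """Return REDIRECT data for the LLG, or None to serve the client locally."""
        if REDIRECT_SUPPORTED not in client_notifies:
            return None  # the client cannot be redirected
        llg = self.least_loaded_gateway()
        if llg is None or llg == self.own_address:
            return None
        return redirect_notify_data(llg, nonce)


def client_connect(vip, responders, max_redirects, nonce=b"\x00" * 16):
    """Start at the VIP and follow redirects; return (gateway, redirects followed)."""
    target, hops = vip, 0
    while True:
        data = responders[target].handle_sa_init({REDIRECT_SUPPORTED}, nonce)
        if data is None:
            return target, hops
        gateway, echoed = parse_redirect_notify_data(data)
        if echoed != nonce:
            raise ValueError("nonce mismatch: redirect does not belong to this exchange")
        hops += 1
        if hops > max_redirects:
            raise RuntimeError("redirect limit exceeded")  # the max-redirects cap
        target = gateway


def cluster_demo():
    """Hub 1 (VIP owner, 8 sessions) redirects to Hub 3 (2 sessions)."""
    hub1 = Master("10.0.0.11", {"10.0.0.11": (8, 10), "10.0.0.12": (5, 10), "10.0.0.13": (2, 10)})
    responders = {"10.0.0.5": hub1, "10.0.0.12": Slave(), "10.0.0.13": Slave()}
    return client_connect("10.0.0.5", responders, max_redirects=10)
```

The redirect cap matters because a redirect arrives before the client has authenticated anything: without it two misbehaving responders pointing at each other, or a spoofed REDIRECT, could keep a client bouncing indefinitely.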
FlexVPN Remote Access
FlexVPN Software Client Remote Access
Remote clients need additional information that isn't usually exchanged:
- IP address
- Routes (split tunnel)
- DNS servers
- Domain names
The exchange is handled by the IKEv2 configuration payload, which allows easy integration of many third-party OSes and clients.
IKEv2 Configuration Exchange
Initiator (I) = RA client, Responder (R) = RA server.

IKE_AUTH, I -> R: CFG_REQUEST
  "I would like: an IPv6 address, a DNS & WINS server, a list of protected IPv6 subnets"
  The initiator requests configuration parameters from the responder.
IKE_AUTH, R -> I: CFG_REPLY (derived from peer authorisation)
  "Your assigned IPv6 address is ... Your DNS server is ... There is no WINS server. My protected IPv6 subnets are ..."

INFORMATIONAL, I -> R: CFG_SET (derived from peer authorisation)
  "My local IPv6 protected subnets are ..."
INFORMATIONAL, R -> I: CFG_ACK
  "Acknowledged"
The initiator and/or the responder can send unsolicited configuration parameters to its peer with CFG_SET; the peer answers with CFG_ACK.
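The request/reply above is carried in the IKEv2 Configuration payload, whose wire format is small enough to show in full. The following is an added example (not part of the BRKSEC-3013 deck and not Cisco code) that encodes and decodes that payload in the layout RFC 7296 section 3.15 defines, builds the CFG_REQUEST the slide describes, and answers it the way a server does, including the "no WINS server" case, which on the wire is simply the absence of the attribute; the addresses are constructed documentation prefixes and the function names are this example's own.

```python
"""Encoder/decoder for the IKEv2 Configuration payload exchange shown above.

Added example; not part of the BRKSEC-3013 deck and not Cisco code. Layout per
RFC 7296 section 3.15: generic payload header (Next Payload, C/Reserved,
Length), CFG Type, 3 reserved bytes, then attributes of the form
  R(1 bit) | Attribute Type (15 bits) | Length (2 bytes) | Value.
In a CFG_REQUEST the values are empty (the initiator asks for a value); the
responder only answers what it has. Addresses below are constructed.
"""
import struct
from ipaddress import IPv4Address, IPv6Address, IPv6Network

CFG_REQUEST, CFG_REPLY, CFG_SET, CFG_ACK = 1, 2, 3, 4
# Attribute types from RFC 7296 section 3.15.1
INTERNAL_IP4_NBNS = 4       # WINS server
INTERNAL_IP6_ADDRESS = 8
INTERNAL_IP6_DNS = 10
INTERNAL_IP6_SUBNET = 15


def encode_cp(cfg_type, attributes, next_payload=0):
    """attributes: list of (type, value_bytes). Returns the complete CP payload."""
    body = b"".join(struct.pack("!HH", a_type & 0x7FFF, len(value)) + value
                    for a_type, value in attributes)
    body = struct.pack("!B3x", cfg_type) + body
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def decode_cp(data):
    """Parse a CP payload strictly; returns (cfg_type, [(type, value_bytes), ...])."""
    _next, _crit, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or length < 8:
        raise ValueError("bad payload length")
    cfg_type = data[4]
    attrs, pos = [], 8
    while pos < length:
        if pos + 4 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = struct.unpack("!HH", data[pos:pos + 4])
        if a_type & 0x8000:
            raise ValueError("reserved R bit set")
        value = data[pos + 4:pos + 4 + a_len]
        if len(value) != a_len:
            raise ValueError("truncated attribute value")
        attrs.append((a_type, value))
        pos += 4 + a_len
    return cfg_type, attrs


def ip6_with_prefix(cidr):
    """Value of INTERNAL_IP6_ADDRESS / INTERNAL_IP6_SUBNET: 16-byte address + prefix length."""
    net = IPv6Network(cidr, strict=False)
    return IPv6Address(cidr.split("/")[0]).packed + bytes([net.prefixlen])


def client_request():
    """The CFG_REQUEST of the slide: address, DNS, WINS and protected subnets."""
    return encode_cp(CFG_REQUEST, [(INTERNAL_IP6_ADDRESS, b""), (INTERNAL_IP6_DNS, b""),
                                   (INTERNAL_IP4_NBNS, b""), (INTERNAL_IP6_SUBNET, b"")])


def server_reply(request, pool_address, dns, subnets, wins=None):
    """Build the CFG_REPLY: only attributes that were asked for and can be filled."""
    cfg_type, asked = decode_cp(request)
    if cfg_type != CFG_REQUEST:
        raise ValueError("not a CFG_REQUEST")
    wanted = {a_type for a_type, _ in asked}
    reply = []
    if INTERNAL_IP6_ADDRESS in wanted:
        reply.append((INTERNAL_IP6_ADDRESS, ip6_with_prefix(pool_address)))
    if INTERNAL_IP6_DNS in wanted:
        reply.append((INTERNAL_IP6_DNS, IPv6Address(dns).packed))
    if INTERNAL_IP4_NBNS in wanted and wins is not None:
        reply.append((INTERNAL_IP4_NBNS, IPv4Address(wins).packed))
    # No WINS server: the attribute is simply left out of the reply.
    if INTERNAL_IP6_SUBNET in wanted:
        reply += [(INTERNAL_IP6_SUBNET, ip6_with_prefix(s)) for s in subnets]
    return encode_cp(CFG_REPLY, reply)
```

The decoder checks the payload length against the buffer, the reserved bit and each attribute's length before trusting any value; that is the part worth keeping when adapting this to a real parser, since the configuration payload is processed after authentication but still comes from the peer.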
EAP Authentication
Roles:
- RA Client: IKEv2 Initiator, EAP Supplicant
- FlexVPN Server: IKEv2 Responder, RADIUS Client (RADIUS NAS), EAP Authenticator
- AAA Server: RADIUS Server, EAP Backend

crypto ikev2 profile default
 authentication remote eap query-identity
 aaa authentication eap frad

The RA server authenticates to the client using IKE certificates (mandatory). EAP runs over IKEv2 between client and FlexVPN server and over RADIUS between FlexVPN server and AAA server:
- EAP-GTC / EAP-MD5 / EAP-MSCHAPv2 / EAP-AKA / EAP-SIM / ...: username-password, token or mobile authentication (one-way)
- EAP-TLS: TLS-based certificate authentication (mutual)
- EAP-PEAP / EAP-TTLS with an inner EAP-MSCHAPv2 / EAP-TLS / ...: TLS-protected nested authentication (one-way or mutual)
EAP Authentication Packet Flow
RA Client (IKEv2 Initiator, EAP Supplicant) <-> FlexVPN Server (IKEv2 Responder, RADIUS NAS, EAP Authenticator) <-> AAA Server (RADIUS Server, EAP Backend)

crypto ikev2 profile default
 authentication remote eap query-identity
 aaa authentication eap frad

1. Client -> Server, IKEv2 (IKE_AUTH): IDi, CFG_REQ, no AUTH
2. Server -> Client, IKEv2 (IKE_AUTH): IDr, AUTH(RSA), EAP(ID-Request)
3. Client -> Server, IKEv2 (IKE_AUTH): EAP(ID-Response: IDEAP); Server -> AAA, RADIUS (Access-Request)
4. AAA -> Server, RADIUS (Access-Challenge); Server -> Client, IKEv2 (IKE_AUTH): EAP(EAP-Method-Pkt#1)
5. Client -> Server, IKEv2 (IKE_AUTH): EAP(EAP-Method-Pkt#2); Server -> AAA, RADIUS (Access-Request)
   ... method-specific round trips; the MSK is derived on the client and on the AAA server
6. AAA -> Server, RADIUS (Access-Accept): EAP(Success), MSK, User-Name (EAP username), other user attributes (cached for authorisation); Server -> Client, IKEv2 (IKE_AUTH): EAP(Success)
7. Client -> Server, IKEv2 (IKE_AUTH): AUTH(MSK)
8. Server -> Client, IKEv2 (IKE_AUTH): CFG_REPLY, AUTH(MSK)
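In the flow above the FlexVPN server never interprets the EAP method itself: it is a pass-through authenticator that lifts each EAP packet out of IKE_AUTH and wraps it into RADIUS. The following is an added example (not part of the BRKSEC-3013 deck and not Cisco code) that shows that wrapping as it looks on the wire: EAP Identity packets, the split of a long EAP packet across several EAP-Message attributes (one RADIUS attribute carries at most 253 value bytes, which EAP-TLS certificates exceed), and the Message-Authenticator that RFC 3579 requires on any RADIUS packet carrying EAP-Message, computed and verified with HMAC-MD5 over the shared secret; the identifiers, usernames and secret are constructed sample values and the function names are this example's own.

```python
"""EAP relay between IKE_AUTH and RADIUS, as in the packet flow above.

Added example; not from the BRKSEC-3013 deck and not Cisco code. Builds EAP
packets (RFC 3748), wraps them into RADIUS EAP-Message attributes with
fragmentation, and adds/verifies the Message-Authenticator (RFC 3579:
HMAC-MD5 over the packet with the attribute zeroed, keyed by the shared
secret). Identifiers, names and the secret are constructed values.
"""
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80
MAX_ATTR_VALUE = 253  # RADIUS attribute length is one byte, header included


def eap_packet(code, identifier, eap_type=None, data=b""):
    """Code(1) Identifier(1) Length(2) [Type(1) Type-Data]; Success/Failure carry no type."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def eap_identity_request(identifier):
    return eap_packet(EAP_REQUEST, identifier, EAP_TYPE_IDENTITY)


def eap_identity_response(identifier, identity):
    return eap_packet(EAP_RESPONSE, identifier, EAP_TYPE_IDENTITY, identity.encode())


def radius_attr(attr_type, value):
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value too long")
    return bytes([attr_type, 2 + len(value)]) + value


def eap_message_attrs(eap_pkt):
    """Split one EAP packet into as many EAP-Message attributes as needed."""
    return b"".join(radius_attr(ATTR_EAP_MESSAGE, eap_pkt[i:i + MAX_ATTR_VALUE])
                    for i in range(0, len(eap_pkt), MAX_ATTR_VALUE))


def access_request(identifier, request_authenticator, username, eap_pkt, secret):
    """Access-Request as the NAS sends it, Message-Authenticator included."""
    attrs = radius_attr(ATTR_USER_NAME, username.encode()) + eap_message_attrs(eap_pkt)
    placeholder = radius_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    length = 20 + len(attrs) + len(placeholder)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + request_authenticator
    # The HMAC covers the whole packet with the Message-Authenticator value zeroed.
    mac = hmac.new(secret, header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + radius_attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def parse_attrs(packet):
    """Return (type, value, offset) for each attribute after the 20-byte header."""
    pos, out = 20, []
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > len(packet):
            raise ValueError("malformed attribute length")
        out.append((a_type, packet[pos + 2:pos + a_len], pos))
        pos += a_len
    return out


def verify_message_authenticator(packet, secret):
    """Recompute the HMAC with the attribute zeroed; packets without one are rejected."""
    found = [(v, off) for t, v, off in parse_attrs(packet) if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(found) != 1 or len(found[0][0]) != 16:
        return False
    mac, off = found[0]
    zeroed = packet[:off + 2] + bytes(16) + packet[off + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, mac)


def reassemble_eap(packet):
    """Concatenate EAP-Message fragments, in order, back into the EAP packet."""
    return b"".join(v for t, v, _ in parse_attrs(packet) if t == ATTR_EAP_MESSAGE)
```

The AAA server side does the mirror image: verify the Message-Authenticator first, then reassemble EAP-Message before handing the EAP packet to the method. Checking the HMAC before parsing EAP is the order that matters, since a forged Access-Request that fails the check should never reach the EAP backend.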
AnyConnect Mobile Manual Connection
- Create a new manual connection
- Connection name
- Server FQDN
- Enable IKEv2
- Select the authentication method
- Certificate selection (Cisco ASA only)
- Specify the IKE ID for EAP methods
AnyConnect VPN Profile Editor
Add an entry to the server list (Server FQDN, Connection name, ...). Resulting XML profile:

<ServerList>
  <HostEntry>
    <HostName>FlexVPN</HostName>
    <HostAddress>flexra.cisco.com</HostAddress>
    <PrimaryProtocol>IPsec
      <StandardAuthenticationOnly>true
        <AuthMethodDuringIKENegotiation>EAP-GTC</AuthMethodDuringIKENegotiation>
        <IKEIdentity>acvpn</IKEIdentity>
      </StandardAuthenticationOnly>
    </PrimaryProtocol>
  </HostEntry>
</ServerList>
...

AuthMethodDuringIKENegotiation and IKEIdentity only apply to EAP authentication methods.
AnyConnect Headend Config: EAP (All Methods)
EAP-GTC / EAP-MD5 / EAP-MSCHAPv2 (EAP username-password authentication, IKEv2 on the client side and RADIUS on the server side):
- Client IKE ID = KEY-ID string configured in the XML profile
- Server selects the IKEv2 profile based on the KEY-ID string
- EAP query-identity prompts the user for credentials
- EAP ID = username entered by the user
- Password authentication against the AAA user database
- Returned attributes cached for implicit authorisation

aaa group server radius frad
 server-private 172.16.0.254 key cisco
aaa authentication login frad group frad
!
crypto ikev2 profile default
 match identity remote key-id acvpn
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint root sign
 aaa authentication eap frad
 aaa authorization user eap cached
 virtual-template 1

RADIUS user definition:
joe@cisco Cleartext-Password := "c1sc0!"
    Framed-IP-Address = "10.0.1.101",
    Framed-IP-Netmask = "255.255.255.255",
    Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"
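Both the hub "Option 3" RADIUS group profiles earlier (`ipsec:route-set=interface`, `ip:interface-config=vrf forwarding BLUE`, ...) and the user entry above ride on the same RADIUS attribute: Cisco-AVPair, a Vendor-Specific attribute (type 26) with Vendor-Id 9 and vendor type 1 carrying a `prefix:name=value` string. The following is an added example (not part of the BRKSEC-3013 deck and not Cisco code) that encodes those attributes as they appear in an Access-Accept and decodes them back into the two groups the FlexVPN server applies, values destined for the IKEv2 authorization policy and lines applied to the Virtual-Access interface; the attribute strings are the slides' own, the function names are this example's.

```python
"""Cisco-AVPair vendor-specific attribute (VSA) encoding for the RADIUS
profiles of the hub "Option 3" slide and the AnyConnect user entry above.

Added example; not from the BRKSEC-3013 deck and not Cisco code. Format per
RFC 2865 section 5.26: Type 26, Length, Vendor-Id (4 bytes), then vendor
type (1 for Cisco-AVPair), vendor length and the string.
"""
import struct

ATTR_FRAMED_IP_ADDRESS = 8
ATTR_VENDOR_SPECIFIC = 26
VENDOR_CISCO = 9
CISCO_AVPAIR = 1


def cisco_avpair(text):
    """Encode one Cisco-AVPair VSA."""
    value = text.encode()
    vendor_data = bytes([CISCO_AVPAIR, 2 + len(value)]) + value
    if 6 + len(vendor_data) > 255:
        raise ValueError("AVPair too long for one attribute")
    return (bytes([ATTR_VENDOR_SPECIFIC, 6 + len(vendor_data)])
            + struct.pack("!I", VENDOR_CISCO) + vendor_data)


def framed_ip_address(dotted):
    """Framed-IP-Address (type 8): four raw octets."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address")
    return bytes([ATTR_FRAMED_IP_ADDRESS, 6]) + bytes(octets)


def decode_attributes(blob):
    """Return (type, value) pairs from a run of RADIUS attributes."""
    pos, out = 0, []
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        a_type, a_len = blob[pos], blob[pos + 1]
        if a_len < 2 or pos + a_len > len(blob):
            raise ValueError("malformed attribute length")
        out.append((a_type, blob[pos + 2:pos + a_len]))
        pos += a_len
    return out


def avpairs(blob):
    """Extract the Cisco-AVPair strings; other vendors' VSAs are ignored."""
    pairs = []
    for a_type, value in decode_attributes(blob):
        if a_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != VENDOR_CISCO:
            continue
        pos = 4
        while pos + 2 <= len(value):
            v_type, v_len = value[pos], value[pos + 1]
            if v_len < 2 or pos + v_len > len(value):
                raise ValueError("malformed vendor sub-attribute")
            if v_type == CISCO_AVPAIR:
                pairs.append(value[pos + 2:pos + v_len].decode())
            pos += v_len
    return pairs


def classify(pairs):
    """Split into IKEv2 authorization policy values and Virtual-Access config lines."""
    policy, interface, other = [], [], []
    for p in pairs:
        if p.startswith("ipsec:"):
            policy.append(p[len("ipsec:"):])
        elif p.startswith("ip:interface-config="):
            interface.append(p[len("ip:interface-config="):])
        else:
            other.append(p)
    return {"policy": policy, "interface": interface, "other": other}


# Profile "blue" from the hub slide, as the RADIUS server would return it.
PROFILE_BLUE = [
    "ipsec:route-accept=any",
    "ipsec:route-set=interface",
    "ip:interface-config=vrf forwarding BLUE",
    "ip:interface-config=ip unnumbered loopback 1",
    "ip:interface-config=service-policy Gold out",
]


def blue_access_accept_attrs():
    return b"".join(cisco_avpair(p) for p in PROFILE_BLUE)
```

Decoding is where the care goes: the interface-config lines are applied to a live interface, so a parser should only accept them from an authenticated RADIUS reply and should ignore VSAs from other vendor IDs rather than guessing at their layout.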
Before we part
Route Exchange Protocol Selection

Branch-Hub use case:
IKEv2: simple, large scale | static (no redistribution, IGP -> IKE) | simple branches (< 20 prefixes) | identity-based route filtering | lossy networks | high density hubs
BGP: simple to complex, large scale | dynamic (redistribution IGP <-> BGP) | complex branches (> 20 prefixes) | powerful route filtering, not identity based | lossy networks | high density hubs, up to 350K routes
EIGRP: simple to complex, not recommended at large scale | dynamic (redistribution IGP <-> IGP) | semi-complex branches (> 20 prefixes) | intermediate route filtering, not identity based | lossless networks (very rare) | < 5000 prefixes at hub

Hub-Hub use case:
BGP: large amount of prefixes (up to 1M) | road to scalability | powerful route filtering
IGP (EIGRP, OSPF): < 5000 prefixes total | perceived simplicity
High-End Scalability & Performances 15.4(1)S

Release 15.2(1)S+, without QoS (throughput Max / IMIX; tunnels and neighbours RP1 / RP2):
ISR 4451:       1.2 / 0.8 Gbps   Max tunnels 2000          EIGRP neighbours 2000                            BGP neighbours 2000
ASR1001:        1.8 / 1 Gbps     Max tunnels 4000          EIGRP neighbours 4000                            BGP neighbours 4000
ASR1002-F:      1 / 0.8 Gbps     Max tunnels 1000          EIGRP neighbours 1000                            BGP neighbours 1000
ASR1000-ESP5:   1.8 / 1 Gbps     Max tunnels 1000          EIGRP neighbours 1000                            BGP neighbours 1000
ASR1000-ESP10:  4 / 2.5 Gbps     Max tunnels 1000 / 4000   EIGRP neighbours 1000 / 4000 (1000 recommended)  BGP neighbours 1000 / 4000
ASR1000-ESP20:  7 / 6 Gbps       Max tunnels 1000 / 4000   EIGRP neighbours 1000 / 4000 (1000 recommended)  BGP neighbours 1000 / 4000
ASR1000-ESP40:  11 / 7.4 Gbps    Max tunnels 1000 / 4000   EIGRP neighbours 1000 / 4000 (1000 recommended)  BGP neighbours 1000 / 4000
ASR1000-ESP100: 29 / 16 Gbps     Max tunnels -- / 4000     EIGRP neighbours -- / 4000 (1000 recommended)    BGP neighbours -- / 4000
ASR1000-ESP200: 78 / 59 Gbps     Max tunnels -- / 4000     EIGRP neighbours -- / 4000 (1000 recommended)    BGP neighbours -- / 4000

Release 3.5, with QoS (RP2 only):
ASR1001:        1.8 / 1 Gbps     Max tunnels 4000* (16K queues)
ASR1000-ESP20:  7 / 6 Gbps       Max tunnels 4000 (128K queues)
ASR1000-ESP40:  11 / 7.4 Gbps    Max tunnels 4000 (128K queues)
High-End Scalability & Performances 15.4(2)S

Release 15.2(1)S+, without QoS (throughput Max / IMIX; tunnels and neighbours RP1 / RP2):
ISR 4451:       1.2 / 0.8 Gbps   Max tunnels 2000            EIGRP neighbours 2000                            IKE routing 2000    BGP neighbours 2000
ASR1001:        1.8 / 1 Gbps     Max tunnels 4000            EIGRP neighbours 4000 (1000 recommended)         IKE routing 4000    BGP neighbours 4000
ASR1000-ESP5:   1.8 / 1 Gbps     Max tunnels 1000            EIGRP neighbours 1000 (1000 recommended)         IKE routing 1000    BGP neighbours 1000
ASR1000-ESP10:  4 / 2.5 Gbps     Max tunnels 1000 / 10,000   EIGRP neighbours 1000 / 4000 (1000 recommended)  IKE routing 10,000  BGP neighbours 1000 / 10,000
ASR1000-ESP20:  7 / 6 Gbps       Max tunnels 1000 / 10,000   EIGRP neighbours 1000 / 4000 (1000 recommended)  IKE routing 10,000  BGP neighbours 1000 / 10,000
ASR1000-ESP40:  11 / 7.4 Gbps    Max tunnels 1000 / 10,000   EIGRP neighbours 1000 / 4000 (1000 recommended)  IKE routing 10,000  BGP neighbours 1000 / 10,000
ASR1000-ESP100: 29 / 16 Gbps     Max tunnels -- / 10,000     EIGRP neighbours -- / 4000 (1000 recommended)    IKE routing 10,000  BGP neighbours -- / 10,000
ASR1000-ESP200: 78 / 59 Gbps     Max tunnels -- / 10,000     EIGRP neighbours -- / 4000 (1000 recommended)    IKE routing 10,000  BGP neighbours -- / 10,000

Release 15.3(3)S, with QoS (RP2 only):
ISR 4451:       1.2 / 0.8 Gbps   Max tunnels 2000
ASR1001:        1.8 / 1 Gbps     Max tunnels 4000* (16K queues)
ASR1000-ESP20:  7 / 6 Gbps       Max tunnels 10,000 (128K queues)
ASR1000-ESP40:  11 / 7.4 Gbps    Max tunnels 10,000 (128K queues)
FlexVPN - ISR G2 Scalability

Platform   SEC-K9                    SEC-K9 + HSEC-K9
           Recommended   Max         Recommended   Max
3945E      Up to 225     Up to 225   Up to 2000    Up to 3000
3925E      Up to 225     Up to 225   Up to 1500    Up to 3000
3945       Up to 225     Up to 225   Up to 1000    Up to 2000
3925       Up to 225     Up to 225   Up to 750     Up to 1500
2951       Up to 225     Up to 225   Up to 500     Up to 1000
2921       Up to 225     Up to 225   Up to 400     Up to 900
2911       Up to 225     Up to 225   HSEC-K9 license does not apply since the
2901       Up to 150     Up to 225   max. encrypted tunnel count is below the
1941       Up to 150     Up to 225   restricted limits.
1921       TBD           TBD

FlexVPN - ISR G2 Performances (75% CPU, IMIX, IPsec/AES, single tunnel)

Platform   SEC-K9 (Mbps)              SEC-K9 + HSEC-K9 (Mbps)
           Recommended   Max          Recommended   Max
3945E      Up to 170     Up to 170    Up to 670     Up to 1503
3925E      Up to 170     Up to 170    Up to 477     Up to 1497
3945       Up to 170     Up to 170    Up to 179     Up to 848
3925       Up to 154     Up to 170    Up to 154     Up to 770
2951       Up to 103     Up to 170    Up to 103     Up to 228
2921       Up to 72      Up to 170    Up to 72      Up to 207
2911       Up to 61      Up to 164    HSEC-K9 license does not apply since the
2901       Up to 53      Up to 154    max. encrypted tunnel count is below the
1941       Up to 48      Up to 156    restricted limits.
1921       Up to 44      N/A
891        Up to 66      N/A
FlexVPN CCO Documentation
CCO doc link
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/15-mt/sec-flex-vpn-15-mt-book.html
Reflects latest release (currently 15.4(1)T)
Doc organised into chapters
FlexVPN Site-Site
FlexVPN Server
FlexVPN Client
FlexVPN Spoke-Spoke
FlexVPN Load-Balancer
FlexVPN Reconnect
Appendix-1: FlexVPN Radius Attributes
Appendix-2: Legacy VPNs
Changes across releases
Documentation reflects latest release
Behaviour/CLI changes noted in corresponding sections
FlexVPN Useful Links
FlexVPN Sample Configurations
http://www.cisco.com/c/en/us/support/security/flexvpn/products-configuration-examples-list.html

Past FlexVPN session from Ciscolive
BRKSEC-2881 - VPN Remote Access with IOS & Introduction to FlexVPN (2014 Milan)
https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=76563&backBtn=true
Q&A
Complete Your Online Session Evaluation
Give us your feedback and receive a Cisco Live 2014 Polo Shirt!
Complete your Overall Event Survey and 5 Session Evaluations.
Directly from your mobile device on the Cisco Live Mobile App
By visiting the Cisco Live Mobile Site www.ciscoliveaustralia.com/mobile
Visit any Cisco Live Internet Station located throughout the venue
Polo Shirts can be collected in the World of Solutions on Friday 21 March 12:00pm - 2:00pm

Learn online with Cisco Live!
Visit us online after the conference for full access to session videos and presentations.
www.CiscoLiveAPAC.com