
An Overview of Site-to-Site Cisco VPN Technologies

Nisha Kuruvilla, Network Consulting Engineer, Advanced Services
Hector Mendoza, Solutions Integration Architect, Advanced Services
Session BRKSEC-1050

Agenda
- VPN Technology Positioning
- SVTI, DVTI, DMVPN, GETVPN, and FlexVPN
  - Technology Overview
  - Why select said technology given network requirements
  - Configuration
  - Advantages/Disadvantages
  - Additional Points to Consider
- Summary
VPN Technology Positioning
[Diagram: positioning of the VPN technologies by use case. Public cloud (CSR 1000V) and private cloud / DC / headquarters (ASR 1000) acting as hub, group member and key server; Internet and MPLS transports; ISR and ATM branch devices at Branch A and Branch B (site-to-site use-case); RA hardware client, desktop and mobile RA software clients (remote access use-case); connected vehicle (IoT use-case). Legend: DMVPN Hub-Spoke, DMVPN Spoke-Spoke, GETVPN Control Plane, GETVPN Data Plane, FlexVPN, SSLVPN / FlexVPN Secure Access.]

BRKSEC-1050 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Virtual Tunnel Interface (VTI)
Virtual Tunnel Interface
- IPsec in tunnel mode between VPN peers
- Simplifies VPN configuration by eliminating crypto maps, access control lists (ACLs), and Generic Routing Encapsulation (GRE)
- Uses IOS tunnels, virtual interfaces and the crypto socket infrastructure
- There are two types of VTI: static VTI (SVTI) and dynamic VTI (DVTI, used by Enhanced Easy VPN)
- Simplifies VPN design:
  - 1:1 relationship between tunnels and sites, each with a dedicated logical interface, using SVTI
  - A virtual template spawns virtual access interfaces for remote access connections using DVTI
- More scalable alternative to GRE
- VTI can support Quality of Service (QoS), multicast, and other routing functions that previously required GRE
- Limited VPN interoperability support with non-Cisco platforms
Static VTI
- Statically configured tunnel via tunnel mode ipsec ipv4/ipv6 and tunnel protection
- Always-up IPsec tunnel, initiated by configuration and not by traffic
- Interface state tied to the underlying crypto socket state (IPsec SA)
- Can initiate and accept only one IPsec SA per VTI, using an any/any proxy identity:
    local ident (add/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    remote ident (add/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
- Routing determines the traffic to be protected: any packet forwarded to the tunnel interface is protected
- IPsec SA is re-keyed even in the absence of any traffic
What makes a SVTI a SVTI?

Partner's configuration (peer at 1.1.1.1):
crypto map VPN 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set TSET
 match address 100
access-list 100 permit gre host 1.1.1.1 host 1.1.1.2
interface Tunnel0
 ip address 10.1.1.1 255.255.255.0
 tunnel source 1.1.1.1
 tunnel destination 1.1.1.2
interface Ethernet0/0
 ip address 1.1.1.1 255.255.255.0
 crypto map VPN

Solution #1:
crypto ipsec profile TP
 set transform-set TSET
interface Tunnel0
 ip address 10.1.1.2 255.255.255.0
 tunnel source 1.1.1.2
 tunnel destination 1.1.1.1
 tunnel protection ipsec profile TP

Solution #2:
crypto ipsec profile TP
 set transform-set TSET
interface Tunnel0
 ip address 10.1.1.2 255.255.255.0
 tunnel source 1.1.1.2
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.1
 tunnel protection ipsec profile TP

Possibilities:
A. Solution #1
B. Solution #2
C. Solutions #1 & #2
D. None of the Above
SVTI Configuration
IPsec Static Virtual Tunnel Interfaces
[Diagram: left router (LAN 192.168.1.0/24, .1) and right router (LAN 192.168.2.0/24, .1) joined by Tunnel0 over 192.168.100.0/30]

Left router (tunnel endpoint 1.1.1.1):
crypto isakmp policy 1
 authentication pre-share
 encr aes
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
crypto ipsec profile TP
 set transform-set TSET
interface Tunnel0
 ip address 192.168.100.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 1.1.1.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile TP
ip route 192.168.2.0 255.255.255.0 Tunnel0

Right router (tunnel endpoint 1.1.1.2):
crypto isakmp policy 1
 authentication pre-share
 encr aes
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
crypto ipsec profile TP
 set transform-set TSET
interface Tunnel0
 ip address 192.168.100.2 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 1.1.1.1
 tunnel mode ipsec ipv4
 tunn)el protection ipsec profile TP
ip route 192.168.1.0 255.255.255.0 Tunnel0
When do you use it
- Used with site-to-site VPNs to provide always-on traffic protection
- Need for routing protocols and/or multicast traffic to be protected by the IPsec tunnel
- Eliminates the need for GRE
- Need for QoS, firewall, or other security services on a per-tunnel basis
- Target deployment: 2 - 50 sites with point-to-point connectivity and Cisco and non-Cisco interoperability
SVTI
Advantages:
- Support for IGP dynamic routing protocols over the VPN (EIGRP, OSPF, etc.)
- Support for multicast
- Features such as NAT, ACLs, and QoS can be applied to clear-text or encrypted traffic
- Simpler configuration
- IPsec sessions not tied to any interface
Disadvantages:
- No support for non-IP protocols
- Limited support for multi-vendor
- IPsec stateful failover not available
- Scaling properties similar to IPsec and GRE over IPsec
- Only tunnel mode
Dynamic VTI
- Replaces dynamic crypto maps
- Requires minimal configuration
- Created on an incoming IPsec tunnel request
- Dynamically instantiated IPsec virtual-access interface (not configurable) cloned from a pre-defined virtual-template
- Interface state tied to the underlying crypto socket state (IPsec SA)
- Can support multiple IPsec SAs per DVTI
- Routes to client subnets are added using Reverse Route Injection (RRI)
  - Avoids the need for a routing protocol and hence scales better
Dynamic VTI
- Mainly used as an Enhanced Easy VPN server for terminating:
  - Enhanced Easy VPN Remote
  - Legacy Easy VPN Remote
- Easy VPN Remote supports 3 modes of operation:
  - client mode
  - network extension mode
  - network extension plus mode
- A single DVTI can terminate tunnels from peers using static VTIs or crypto maps
- Can only terminate and cannot initiate an IPsec tunnel (except in the case of Enhanced Easy VPN Remote)
SVTI To DVTI
[Diagram: Branch with an SVTI to the crypto head end at 192.168.2.1]
Branch:
interface Tunnel0
 ip unnumbered Loopback1
 tunnel source FastEthernet0
 tunnel destination 192.168.2.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
Crypto head end (192.168.2.1):
- Control plane: crypto isakmp profile -> interface Virtual-Template n
- Data plane: interface Virtual-Access n
- The Virtual-Access interface is spawned from the Virtual-Template
When do you use it
- Scalable connectivity for remote-access VPNs
- Need for QoS, firewall, or other security services on a per-tunnel basis
- Single-touch configuration needed on the hub
- No need for routing protocols as it uses reverse route injection
- Target deployment: 50 - 10,000 sites with a hub-spoke layout and Cisco and non-Cisco interoperability
DVTI (SVTI to DVTI)
[Diagram: Spoke (LAN 172.16.2.0/24) to Hub (1.1.1.1, LAN 172.16.0.0/24)]

Spoke (SVTI):
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 0.0.0.0
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
crypto ipsec profile TP
 set transform-set TSET
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source 1.1.1.2
 tunnel destination 1.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile TP

Hub (DVTI):
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 0.0.0.0
crypto isakmp profile VPN
 keyring default
 match identity address 0.0.0.0
 virtual-template 1
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
crypto ipsec profile TP
 set transform-set TSET
 set isakmp-profile VPN
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile TP
Enhanced EasyVPN Client To Server (using DVTI)
[Diagram: Spoke (LAN 192.168.3.0/24) to Hub (1.1.1.1, LAN 192.168.1.0/24)]

Enhanced Easy VPN remote:
crypto ipsec client ezvpn EZ
 connect manual
 group cisco key cisco
 local-address Ethernet0/0
 mode network-plus
 peer 1.1.1.1
 virtual-interface 1
 xauth userid mode interactive
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
!
interface Ethernet0/0
 ip address 1.1.1.3 255.255.255.0
 crypto ipsec client ezvpn EZ
!
interface Ethernet0/1
 ip address 192.168.3.1 255.255.255.0
 crypto ipsec client ezvpn EZ inside

Enhanced Easy VPN server:
crypto isakmp client configuration group cisco
 key cisco
 dns 192.168.1.10
 pool VPNPOOL
 acl 101
crypto isakmp profile VPN
 match identity group cisco
 isakmp authorization list default
 client configuration address respond
 virtual-template 1
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
crypto ipsec profile TP
 set transform-set TSET
 set isakmp-profile VPN
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile TP
DVTI
Advantages:
- Simple configuration of the headend: once and done
- Scalable
- Support for IGP dynamic routing protocols over the VPN
- Support for IP multicast
- Support for per-branch QoS and traffic shaping
- Centralized policy push (Easy VPN)
- Support for x-auth (Easy VPN)
- Cross-platform support
- IPsec sessions not tied to any interface
Disadvantages:
- Requires ip unnumbered
- No support for non-IP protocols
- No direct spoke to spoke communication
- No IPsec stateful failover
Dynamic Multipoint VPN (DMVPN)
What is Dynamic Multipoint VPN?
DMVPN is a Cisco IOS software solution for building IPsec+GRE VPNs in an easy, dynamic and scalable manner
- Configuration reduction and no-touch deployment
- Dynamic spoke-spoke tunnels for partial/full mesh scaling
- Can be used without IPsec encryption (optional)
- Wide variety of network designs and options
Dynamic Multipoint VPN (DMVPN)
[Diagram: secure on-demand tunnels. Hub with IPsec tunnels to Branch 1, Branch 2 ... Branch n. Traditional static tunnels use static, known IP addresses; DMVPN on-demand tunnels work with dynamic, unknown IP addresses.]
- Branch spoke sites establish an IPsec tunnel to and register with the hub site
- IP routing exchanges prefix information for each site
  - BGP or EIGRP are typically used for scalability
- With the WAN interface IP address as the tunnel address, the VPN provider network does not need to route customer internal IP prefixes
- Data traffic flows over the DMVPN tunnels
- When traffic flows between spoke sites, the hub assists the spokes to establish a site-to-site tunnel
- Per-tunnel QoS is applied to prevent hub site oversubscription to spoke sites
DMVPN Components
- Next Hop Resolution Protocol (NHRP)
  - Creates a distributed (NHRP) mapping database of all the spokes' tunnel to real (public interface) addresses
- Multipoint GRE Tunnel Interface (mGRE)
  - Single GRE interface to support multiple GRE/IPsec tunnels
  - Simplifies size and complexity of configuration
- IPsec tunnel protection
  - Dynamically creates and applies encryption policies (optional)
- Routing
  - Dynamic advertisement of branch networks; almost all routing protocols (EIGRP, RIP, OSPF, BGP, ODR) are supported
What Triggers:
- IPsec integrated with DMVPN, but not required
  - Packets encapsulated in GRE, then encrypted with IPsec
  - Both IKEv1 (ISAKMP) and IKEv2 supported
- NHRP controls the tunnels, IPsec does encryption
- Bringing up a tunnel
  - NHRP signals IPsec to set up encryption
  - ISAKMP/IKEv2 authenticates the peer, generates SAs
  - IPsec responds to NHRP and the tunnel is activated
  - All NHRP and data traffic is encrypted
- Bringing down a tunnel
  - NHRP signals IPsec to tear down the tunnel
  - IPsec can signal NHRP if encryption is cleared or lost
  - ISAKMP/IKEv2 keepalives monitor the state of spoke-spoke and spoke-hub tunnels
DMVPN: How it works
- Spokes build a dynamic permanent GRE/IPsec tunnel to the hub, but not to other spokes. They register as clients of the NHRP server (hub)
- When a spoke needs to send a packet to a destination (private) subnet behind another spoke, it queries via NHRP for the real (outside) address of the destination spoke
- Now the originating spoke can initiate a dynamic GRE/IPsec tunnel to the target spoke (because it knows the peer address)
- The dynamic spoke-to-spoke tunnel is built over the mGRE interface
- When traffic ceases then the spoke-to-spoke tunnel is removed
Static Spoke-Hub, Hub-Hub Tunnels
- GRE, NHRP and IPsec configuration
  - p-pGRE or mGRE on spokes; mGRE on hubs
- NHRP registration
  - Dynamically addressed spokes (DHCP, NAT, ...)
- Data traffic on spoke-hub tunnels
  - All traffic for hub-and-spoke only networks
  - Spoke-spoke traffic while building spoke-spoke tunnels
Dynamic Spoke-Spoke Tunnels
- GRE, NHRP and IPsec configuration
  - mGRE on both hub and spokes
- Spoke-spoke unicast data traffic
  - Reduced load on hubs
  - Reduced latency
  - Single IPsec encrypt/decrypt
- On-demand tunnel: created when needed
- NHRP resolutions and redirects
  - Find NHRP mappings for spoke-spoke tunnels
Terminology
[Diagram: core network 192.168.128.0/17 behind Hub 1 (Tunnel: 10.0.0.101, Physical: 172.16.101.1, LAN 192.168.101.0/24) and Hub 2 (Tunnel: 10.0.0.102, Physical: 172.16.102.1, LAN 192.168.102.0/24); Spoke 1 (Tunnel: 10.0.0.1, Physical: 172.16.1.1, LAN 192.168.1.0/24) and Spoke 2 (Tunnel: 10.0.0.2, Physical: 172.16.2.1, LAN 192.168.2.0/24) connected to the hubs by GRE/IPsec tunnels. Labels: Overlay Addresses (the site LAN prefixes), Tunnel Address (10.0.0.x), NBMA Address (the physical 172.16.x.x addresses), Transport Network vs. Overlay Network.]
DMVPN Tunnel Establishment Steps
[Diagram: dual DMVPN design, single mGRE tunnel on the hub, two mGRE tunnels on the spokes. Hub LAN 192.168.0.0/24; hub Physical 172.17.0.1 / Tunnel0 10.0.0.1 and Physical 172.17.0.5 / Tunnel1 10.0.1.1; spokes with dynamic physical addresses, Tunnel0 10.0.0.11 / Tunnel1 10.0.1.11 (LAN 192.168.1.0/24) and Tunnel0 10.0.0.12 / Tunnel1 10.0.1.12 (LAN 192.168.2.0/24), further spokes with 192.168.X.0/24.]
1. Spokes build a dynamic permanent GRE/IPsec tunnel to the hub (NHRP server) and are registered as NHRP clients
2. Active-Active redundancy model: two or more hubs per spoke
3. All hubs are active and routing neighbors with spokes
4. Routing protocol routes are used to determine traffic forwarding
5. When a spoke needs to send a packet to a destination (private) subnet behind another spoke, it queries via NHRP for the real (outside) address of the destination spoke
6. Originating spoke can initiate a dynamic GRE/IPsec tunnel to the target spoke (because it knows the peer outside address)
7. The dynamic spoke-to-spoke tunnel is built over the mGRE interface
8. When traffic ceases then the spoke-to-spoke tunnel is removed
DMVPN Phases
Phase 1 (12.2(13)T): hub and spoke functionality
- p-pGRE interface on spokes, mGRE on hubs
- Simplified and smaller configuration on hubs
- Support for dynamically addressed CPEs (NAT)
- Support for routing protocols and multicast
- Spokes don't need a full routing table; can summarize on hubs
Phase 2 (12.3(4)T) (Phase 1 +): spoke to spoke functionality
- mGRE interface on spokes
- Direct spoke to spoke data traffic reduces load on hubs
- Hubs must interconnect in a daisy-chain
- Spoke must have a full routing table; no summarization
- Spoke-spoke tunnel triggered by the spoke itself
- Routing protocol limitations
Phase 3 (12.4(6)T) (Phase 2 +): more network designs and greater scaling
- Same spoke to hub ratio
- No hub daisy-chain
- Spokes don't need a full routing table; can summarize
- Spoke-spoke tunnel triggered by hubs
- Removes routing protocol limitations
- NHRP routes/next-hops in RIB (15.2(1)T)
DMVPN Phase 3
[Diagram: Hub (192.168.0.1/24, Physical 172.17.0.1, Tunnel0 10.0.0.1); Spoke A (192.168.1.1/24, Physical 172.16.1.1 (dynamic), Tunnel0 10.0.0.11); Spoke B (192.168.2.1/24, Physical 172.16.2.1 (dynamic), Tunnel0 10.0.0.12). Flows shown: data packet, NHRP redirect, NHRP resolution.]
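A simulation of the registration, hub-redirect, resolution and teardown sequence from the tunnel-establishment steps and the Phase 3 diagram above. This is an added example, not material from the deck; the node names, the summary route the spokes hold and the event strings are assumptions.

```python
"""Simulate DMVPN Phase 3 NHRP behaviour: spoke registration with the hub (NHS), the first
spoke-to-spoke packet relayed by the hub with an NHRP redirect, spoke resolution, the
direct shortcut that follows, and teardown when the tunnel goes idle.
Added example, not code from the deck. Addresses follow the DMVPN slides (hub 10.0.0.1 /
172.17.0.1, spokes 10.0.0.11 and 10.0.0.12); routing-protocol exchange is abstracted to
static entries and IPsec SA setup to a recorded event."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Route = Tuple[Net, str]  # (prefix, next-hop tunnel address)


@dataclass
class Node:
    name: str
    tunnel_ip: str          # address on the mGRE tunnel interface
    nbma_ip: str            # physical (transport) address
    lan: Net                # site prefix behind this node
    is_hub: bool = False
    routes: List[Route] = field(default_factory=list)
    nhrp_cache: Dict[str, str] = field(default_factory=dict)  # tunnel address -> NBMA address

    def lookup(self, dst: str) -> Optional[str]:
        """Longest-prefix match; None means the destination is on the local LAN."""
        addr = ipaddress.ip_address(dst)
        if addr in self.lan:
            return None
        best = max((r for r in self.routes if addr in r[0]), key=lambda r: r[0].prefixlen, default=None)
        if best is None:
            raise LookupError(f"{self.name}: no route to {dst}")
        return best[1]


class DMVPN:
    def __init__(self, hub: Node) -> None:
        self.hub = hub
        self.nodes: Dict[str, Node] = {hub.tunnel_ip: hub}  # keyed by tunnel address
        self.events: List[str] = []

    def register(self, spoke: Node, summary: Net) -> None:
        """NHRP registration: the spoke gives the NHS its tunnel->NBMA mapping. The routing
        protocol then advertises the spoke LAN to the hub and a summary back (static here)."""
        self.nodes[spoke.tunnel_ip] = spoke
        spoke.nhrp_cache[self.hub.tunnel_ip] = self.hub.nbma_ip
        self.hub.nhrp_cache[spoke.tunnel_ip] = spoke.nbma_ip
        self.hub.routes.append((spoke.lan, spoke.tunnel_ip))
        spoke.routes.append((summary, self.hub.tunnel_ip))
        self.events.append(f"{spoke.name} registered {spoke.tunnel_ip}->{spoke.nbma_ip} with NHS")

    def send(self, src: Node, dst: str) -> List[str]:
        """Forward one data packet hop by hop and return the names of the nodes crossed."""
        node, path, via_tunnel = src, [src.name], False
        while True:
            nh = node.lookup(dst)
            if nh is None:
                return path                                   # delivered to the local LAN
            if nh not in node.nhrp_cache:
                raise RuntimeError(f"{node.name}: no NBMA mapping for {nh}")
            if node.is_hub and via_tunnel:
                # Phase 3: the packet enters and leaves the same mGRE interface, so the hub
                # keeps forwarding it but tells the source spoke to resolve a shortcut
                self.events.append(f"hub sends NHRP redirect to {src.name} for {dst}")
                self.resolve(src, dst)
            node, via_tunnel = self.nodes[nh], True
            path.append(node.name)

    def resolve(self, requester: Node, dst: str) -> None:
        """NHRP resolution: the request follows the routed path to the spoke owning the
        prefix; that spoke replies directly with its prefix and NBMA address."""
        owner = requester
        while ipaddress.ip_address(dst) not in owner.lan:
            owner = self.nodes[owner.lookup(dst)]
        owner.nhrp_cache[requester.tunnel_ip] = requester.nbma_ip   # learned from the request
        requester.nhrp_cache[owner.tunnel_ip] = owner.nbma_ip
        requester.routes.append((owner.lan, owner.tunnel_ip))       # NHRP shortcut route
        self.events.append(f"{owner.name} replied {owner.lan} via {owner.tunnel_ip}/{owner.nbma_ip}")
        self.events.append(f"spoke-spoke IPsec SA {requester.nbma_ip}<->{owner.nbma_ip} established")

    def teardown(self, spoke: Node, peer_tunnel_ip: str) -> None:
        """Idle spoke-spoke tunnel removed: drop the shortcut route and the NHRP mapping."""
        spoke.routes = [r for r in spoke.routes if r[1] != peer_tunnel_ip]
        spoke.nhrp_cache.pop(peer_tunnel_ip, None)
        self.events.append(f"{spoke.name}: shortcut to {peer_tunnel_ip} expired, tunnel torn down")


def demo() -> Tuple[List[str], List[str], DMVPN]:
    """Two spokes behind one hub; returns the paths of the first and second packet."""
    hub = Node("Hub", "10.0.0.1", "172.17.0.1", ipaddress.ip_network("192.168.0.0/24"), is_hub=True)
    a = Node("Spoke A", "10.0.0.11", "172.16.1.1", ipaddress.ip_network("192.168.1.0/24"))
    b = Node("Spoke B", "10.0.0.12", "172.16.2.1", ipaddress.ip_network("192.168.2.0/24"))
    net = DMVPN(hub)
    for spoke in (a, b):   # spokes only hold the hub's summary, as Phase 3 allows
        net.register(spoke, ipaddress.ip_network("192.168.0.0/16"))
    first = net.send(a, "192.168.2.10")    # relayed by the hub; triggers redirect + resolution
    second = net.send(a, "192.168.2.10")   # direct spoke-to-spoke via the shortcut
    return first, second, net
```

Printing `demo()[2].events` shows the redirect, the owner's reply and the SA setup in the order the slides describe.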
Basic DMVPN Designs
Hub-and-spoke: Order(n)
- Spoke-to-spoke traffic via hub
- Phase 1
- Hub bandwidth and CPU limit the VPN
- SLB: many identical hubs; increases CPU power and bandwidth limits
Spoke-to-spoke: Order(n) control traffic, Order(n^2) unicast data traffic
- Control traffic: hub and spoke; hub to hub
- Unicast data traffic: dynamic mesh
- Phase 2 (single), Phase 3 (hierarchical)
- Spoke routers support the spoke-hub and spoke-spoke tunnels currently in use
- Hub supports spoke-hub traffic and overflow from spoke-spoke traffic
Network Virtualization
Basic DMVPN Designs
[Diagram, left: Dual DMVPN, Single Hub: single mGRE tunnel on the hub, two p-pGRE tunnels on the spokes. Hub LAN 192.168.0.0/24 (.1); hub Physical 172.17.0.5 / Tunnel0 10.0.1.1 and Physical 172.17.0.1 / Tunnel0 10.0.0.1; Spoke A (dynamic physical, Tunnel0 10.0.0.11, Tunnel1 10.0.1.11, LAN 192.168.1.0/24); Spoke B (dynamic physical, Tunnel0 10.0.0.12, Tunnel1 10.0.1.12, LAN 192.168.2.0/24).]
[Diagram, right: Single DMVPN, Dual Hub: single mGRE tunnel on all nodes. Hub LAN 192.168.0.0/24 (.2 and .1); hubs Physical 172.17.0.5 / Tunnel0 10.0.0.2 and Physical 172.17.0.1 / Tunnel0 10.0.0.1; Spoke A (dynamic physical, Tunnel0 10.0.0.11, LAN 192.168.1.0/24); Spoke B (dynamic physical, Tunnel0 10.0.0.12, LAN 192.168.2.0/24); dotted lines = dynamic spoke-to-spoke tunnels.]
Multiple DMVPNs versus Single DMVPN
Multiple DMVPNs
- Best for hub-and-spoke only
- Easier to manipulate RP metrics between DMVPNs for load-sharing
  - EIGRP: route tags, delay; iBGP: communities, MED; OSPF: cost
  - Performance Routing (PfR) selects between interfaces
- Load-balancing over multiple ISPs (physical paths)
  - Load-balance data flows over tunnels: better statistical load-balancing
Single DMVPN
- Best for spoke-spoke DMVPN
  - Can only build spoke-spoke within a DMVPN, not between DMVPNs*
- Slightly more difficult to manipulate RP metrics within a DMVPN for load-sharing
  - EIGRP: route tags, delay; iBGP: communities, MED; OSPF: can't do
- Load-balancing over multiple ISPs (physical paths)
  - Load-balance tunnel destinations over physical paths: worse statistical load-balancing
DMVPN Combination Designs
[Diagram: Retail/Franchise design and Dual ISP design (ISP 1, ISP 2), each with spoke-to-hub tunnels and spoke-to-spoke tunnels; the dual ISP design also shows a spoke-hub-hub-spoke tunnel.]

DMVPN Combination Designs (cont)
[Diagram: Hierarchical design and Server Load Balancing design, each with spoke-to-hub tunnels and spoke-to-spoke tunnels, plus a hub-to-hub tunnel.]
Quick review: Virtual Routing/Forwarding
- Router maintains separate L3 forwarding information for each VRF instance (RIB, FIB, routing protocols)
- Two variants: VRF with MPLS, and VRF-Lite
- Each interface belongs to a single VRF
  - For ip unnumbered, the referenced interface must belong to the same VRF
  - If no VRF is specified, the interface belongs to the global VRF
- VRF definition and assignment:

Old CLI:
ip vrf red
 rd 1:1
!
interface Ethernet0/0
 ip vrf forwarding red
 ip address 10.0.0.1 255.255.255.0

New CLI:
vrf definition red
 rd 1:1
 address-family ipv4
 exit-address-family
!
interface Ethernet0/0
 vrf forwarding red
 ip address 10.0.0.1 255.255.255.0
Quick review: forwarding & tunneling with VRF-Lite
[Diagram: two routers with per-VRF routing. Left router: Blue RIB/FIB (Eth0/0, Eth0/1), Red RIB/FIB (Eth1/0, Tunnel1) and Global RIB/FIB (Eth1/1); Tunnel1's inside VRF (iVRF) is red and its front VRF (fVRF) is global. Right router: Red RIB/FIB (Eth2/0, Tunnel2) and Orange RIB/FIB (Eth2/1); Tunnel2's iVRF is red and its fVRF is orange.]

Left router:
interface Eth0/0
 vrf forwarding blue
!
interface Eth0/1
 vrf forwarding blue
!
interface Eth1/0
 vrf forwarding red
!
interface Eth1/1
 ! no VRF = global (fVRF)
!
interface Tunnel1
 vrf forwarding red
 tunnel source Eth1/1

Right router:
interface Eth2/0
 vrf forwarding red
!
interface Eth2/1
 vrf forwarding orange
!
interface Tunnel2
 vrf forwarding red
 tunnel vrf orange
 tunnel source Eth2/1
DMVPN virtualization with VRF-Lite
[Diagram: hub with one DMVPN per iVRF to the spokes]
- Tunnel interface can be part of only one iVRF
  - One DMVPN tunnel per iVRF needed
- Spokes can be single-tenant or multi-tenant (single-tenant not necessarily VRF-aware)
- Spoke-spoke direct communication
- One pair of IPsec SAs per peer per iVRF
DMVPN virtualization with VRF-Lite (2)
- Convenient if only a few iVRFs
- Main drawbacks:
  - Major configuration overhead if many iVRFs
  - One hub-spoke routing protocol neighborship per iVRF
  - Tunnel address ranges cannot overlap if hubs use the BGP Dynamic Neighbors feature to peer with spokes
- If separate authentication is needed for each DMVPN:
  - Different ISAKMP profiles required (different IKE credentials)
  - Different IPsec profiles required
  - Different source interfaces required (same source requires a shared profile)
DMVPN virtualization with MPLS VPN
[Diagram: hub with a single DMVPN to the spokes carrying all iVRFs]
- Single tunnel interface in the global VRF
- MPLS VPN labels identify which iVRF the tunneled traffic belongs to
- BGP must be used as the routing protocol between hubs & spokes
- Separate IKE authentication not possible
- Single pair of IPsec SAs per peer
[Diagram: Spoke1 (PE) and Hub1 (PE), each with VRF red and VRF blue; Tunnel0 10.0.0.1/24 and Tunnel0 10.0.0.101/24 in the global VRF with MBGP between them; physical addresses 172.16.1.1 and 172.16.101.1. A packet from 192.168.11.11 to 192.168.12.12 is carried as IPsec (ESP transport mode) over GRE (protocol 0x8847) with MPLS label 16. VPNv4 prefix from Hub1: red:192.168.0.0/16, label 16.]
- Tunnel interface in global, not part of any customer VRF
- Hub and spokes act as PE routers, exchange VRF prefixes over MBGP
- mGRE tunnel creates a back-to-back connection
  - Spoke LSR is the penultimate hop: only the VPN label is pushed
- LDP still required for a supported design
DMVPN Network Virtualization Designs
[Diagram: VRF-lite design with separate VRF-A tunnels and VRF-B tunnels and an optional VRF-A to VRF-B path; 2547oDMVPN design with VRF-A and VRF-B carried over shared VRF-A/B tunnels.]
Where use VRFs
Either technique (iVRF or fVRF) is used to allow you to have two or more different routing tables to separate the routing of GRE+IPsec packets from the routing of data IP packets. You can use both at the same time. These techniques can be used for various deployment purposes:
- Allow dynamic spoke-spoke tunnels when doing non-split-tunneling.
- Separate routing of IPsec+GRE packets from data IP packets to protect against forwarding loops through the tunnel interface (tunnel destination learned via the tunnel interface).
- When using two ISPs, being able to lock a GRE tunnel to one outside physical interface. Allows load balancing over both ISPs when having to use a different tunnel source address for each ISP.
- Allow a DMVPN hub (or spoke) to be behind an MPLS network where GRE+IPsec packets come in on an MPLS VPN.
- Allow a DMVPN hub to feed into an MPLS VPN. Data IP packets need to be tagged to go into MPLS on the inside physical interface.
- Allow an ISP to use one DMVPN hub router to support multiple customers and keep the customers' data IP packets and routing tables separate.
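To make the forwarding-loop point concrete, an added example (not from the deck) models the two route lookups a spoke router performs for tunneled traffic, with and without a front-door VRF. The route 172.17.0.0/16 learned over the tunnel, the VRF name INET and the interface names are constructed for the illustration.

```python
"""Model IOS inside-VRF (iVRF) / front-door VRF (fVRF) tunnel forwarding and show how the
fVRF prevents the forwarding loop named on the 'Where use VRFs' slide: a tunnel
destination learned through the tunnel itself.
Added example, not code from the deck. Addresses are constructed after the DMVPN slides
(hub NBMA 172.17.0.1, WAN interface Ethernet0/0); the route 172.17.0.0/16 learned over
the tunnel is the constructed trigger for the loop."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

Net = ipaddress.IPv4Network


class RecursiveRouting(Exception):
    """Raised when a tunnel destination resolves through the tunnel itself."""


@dataclass
class Route:
    prefix: Net
    interface: str        # egress interface (physical or tunnel)


@dataclass
class Tunnel:
    name: str
    destination: str      # 'tunnel destination'
    ivrf: str = "global"  # 'vrf forwarding' on the tunnel: where data packets are routed
    fvrf: str = "global"  # 'tunnel vrf': where the encapsulated packet is routed


@dataclass
class Router:
    vrfs: Dict[str, List[Route]] = field(default_factory=dict)
    tunnels: Dict[str, Tunnel] = field(default_factory=dict)

    def lookup(self, vrf: str, dst: str) -> Optional[Route]:
        """Longest-prefix match inside one VRF's table."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.vrfs.get(vrf, []) if addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def forward(self, vrf: str, dst: str) -> List[str]:
        """Interfaces a packet to `dst` crosses on this router. Selecting a tunnel triggers
        a second lookup of the tunnel destination in that tunnel's fVRF."""
        hops: List[str] = []
        seen: set = set()
        while True:
            route = self.lookup(vrf, dst)
            if route is None:
                raise LookupError(f"no route to {dst} in VRF {vrf}")
            hops.append(route.interface)
            tun = self.tunnels.get(route.interface)
            if tun is None:
                return hops                      # physical egress reached
            if tun.name in seen:
                raise RecursiveRouting(f"{tun.name}: destination {tun.destination} resolves via itself")
            seen.add(tun.name)
            vrf, dst = tun.fvrf, tun.destination  # route the GRE/IPsec packet in the fVRF


def build(use_fvrf: bool) -> Router:
    """Spoke router: WAN default route, local LAN, and routes learned over Tunnel0."""
    r = Router()
    wan_default = Route(ipaddress.ip_network("0.0.0.0/0"), "Ethernet0/0")
    lan = Route(ipaddress.ip_network("192.168.1.0/24"), "Ethernet0/1")
    learned_over_tunnel = [
        Route(ipaddress.ip_network("192.168.0.0/24"), "Tunnel0"),  # hub LAN
        Route(ipaddress.ip_network("172.17.0.0/16"), "Tunnel0"),   # hub's WAN block (constructed)
    ]
    if use_fvrf:
        r.vrfs["INET"] = [wan_default]                 # only transport routes live here
        r.vrfs["global"] = [lan] + learned_over_tunnel
        r.tunnels["Tunnel0"] = Tunnel("Tunnel0", "172.17.0.1", ivrf="global", fvrf="INET")
    else:
        r.vrfs["global"] = [wan_default, lan] + learned_over_tunnel
        r.tunnels["Tunnel0"] = Tunnel("Tunnel0", "172.17.0.1")
    return r


def encap_path(use_fvrf: bool, dst: str = "192.168.0.5") -> Optional[List[str]]:
    """Interfaces a data packet to `dst` traverses, or None when recursive routing occurs."""
    r = build(use_fvrf)
    try:
        return r.forward(r.tunnels["Tunnel0"].ivrf, dst)
    except RecursiveRouting:
        return None
```

Without the fVRF the more specific 172.17.0.0/16 learned over Tunnel0 captures the tunnel destination and the encapsulated packet is routed back into the tunnel; with `tunnel vrf INET` the second lookup only sees the WAN default route.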
Intelligent WAN Deployment Models
[Diagram: three branch-to-enterprise connectivity models, each with a consistent VPN overlay.]
Dual MPLS (MPLS + MPLS):
- Highest SLA guarantees
- Tightly coupled to SP
- Expensive
Hybrid (MPLS + Internet):
- More BW for key applications
- Balanced SLA guarantees
- Moderately priced
Dual Internet (Internet + Internet):
- Best price/performance
- Most SP flexibility
- Enterprise responsible for SLAs
Consistent VPN Overlay Enables Security Across Transition
Intelligent WAN Solution
[Diagram: branch connected over MPLS, Internet and 3G/4G-LTE to private cloud, virtual private cloud and public cloud, with AVC, WAAS and PfR.]
Transport Independent:
- Consistent operational model
- Simple provider migrations
- Scalable and modular design
- IPsec routing overlay design
Intelligent Path Control:
- Dynamic application best path based on policy
- Load balancing for full utilization of bandwidth
- Improved network availability
Application Optimization:
- Application visibility with performance monitoring
- Application acceleration and bandwidth optimization
Secure Connectivity:
- Certified strong encryption
- Comprehensive threat defense
- Cloud Web Security for secure direct Internet access
IWAN with DMVPN (Flexible Secure WAN Design Over Any Transport)
Transport-Independent: simplifies WAN design
- Easy multi-homing over any carrier service offering
- Single routing control plane with minimal peering to the provider
Flexible: dynamic full-meshed connectivity
- Consistent design over all transports
- Automatic site-to-site IPsec tunnels
- Zero-touch hub configuration for new spokes
Secure: proven robust security
- Certified crypto and firewall for compliance
- Scalable design with high-performance cryptography in hardware
[Diagram: Branch (ISR-G2) over Internet and MPLS WAN to Data Center (ASR 1000).]
Other Features**
- IPv6 and DMVPN:
  - IPv6 as overlay and transport is supported
  - Dual-stack: IPv6 & IPv4 data packets over the same mGRE tunnel (Phase 3 designs only)
- Per-tunnel QoS (Spoke-Hub, Hub-Spoke and Spoke-Spoke, IPv4 and IPv6), Adaptive QoS
- Multicast (Spoke-Hub)
- TrustSec DMVPN Inline Tagging Support (only with IKEv2)
- NAT: Hub and/or Spokes can be behind NAT devices
Routing
- Supports all routing protocols, except IS-IS
- Best routing protocols are EIGRP and BGP
- Hubs are routing neighbors with spokes and other hubs
- Spokes are only routing neighbors with hubs, not with other spokes

Platform Support
- IOS: 3800, 2800, 1800, 870, 7200(G1), 7200(G2, VSA), 3900(E), 2900, 1900, 890, 880
- IOS-XE: ASR1k, CSR1000v, ISR 4k
Hub Configuration
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile TP
 set transform-set TSET

interface Tunnel
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 1111
 ip nhrp redirect
 tunnel key 10
 no ip split-horizon eigrp 10
 ip summary-address eigrp 10 192.168.0.0 255.255.0.0
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile TP
(Slide callouts: "Phase I and Phase II" beside the ISAKMP/IPsec lines, "NHRP with IPsec" beside the tunnel interface.)
Spoke Configuration
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile TP
 set transform-set TSET

interface Tunnel
 ip address 10.0.0.2 255.255.255.0
 no ip redirect
 ip nhrp authentication cisco
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp map multicast 172.17.0.1
 ip nhrp network-id 1111
 ip nhrp nhs 10.0.0.1
 ip nhrp shortcut
 tunnel key 10
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile TP
(Slide callouts: "Phase I and Phase II" beside the ISAKMP/IPsec lines, "NHRP with IPsec" beside the tunnel interface.)
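To review configurations like the SVTI quiz, DVTI and DMVPN snippets on the slides above, an added example (not the deck's code) classifies each tunnel-type interface from the presence of `tunnel mode ipsec` / `gre multipoint`, `tunnel protection`, or a crypto map on the tunnel source interface, and flags the wildcard pre-shared key that the slide configs use. The sample config, the classification labels and the finding strings are constructed.

```python
"""Classify tunnel-type interfaces in an IOS config (SVTI, DVTI, mGRE/DMVPN, GRE over
IPsec, crypto-map protected GRE, cleartext GRE) and flag wildcard pre-shared keys.
Added example, not code from the deck; the sample config is constructed from the slides."""
import re
from typing import Dict, List, Optional

Blocks = Dict[str, List[str]]  # top-level command -> its indented sub-commands
WILDCARD_KEY = re.compile(r"^crypto isakmp key \S+ address 0\.0\.0\.0(?: 0\.0\.0\.0)?$")


def parse_blocks(config: str) -> Blocks:
    """Split an IOS config into top-level commands and their indented sub-commands."""
    blocks: Blocks = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            current = None
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks

def source_interface(blocks: Blocks, source: str) -> Optional[str]:
    """Resolve 'tunnel source X' to an interface name; X may be a name or an IP address."""
    if re.search(r"[A-Za-z]", source):
        return source
    for header, sub in blocks.items():
        if header.startswith("interface ") and any(s.startswith(f"ip address {source} ") for s in sub):
            return header.split()[1]
    return None

def gre_crypto_map(blocks: Blocks, iface: Optional[str]) -> Optional[str]:
    """Name of a crypto map applied to `iface` whose 'match address' ACL permits GRE."""
    for s in blocks.get(f"interface {iface}", []):
        if s.startswith("crypto map "):
            name = s.split()[2]
            for header, entries in blocks.items():
                acl = next((e.split()[-1] for e in entries if e.startswith("match address ")), None)
                if header.startswith(f"crypto map {name} ") and acl and \
                        any(h.startswith(f"access-list {acl} permit gre") for h in blocks):
                    return name
    return None

def classify(blocks: Blocks, header: str) -> str:
    """Classify one 'interface Tunnel...' / 'interface Virtual-Template...' block."""
    sub = blocks[header]
    mode = next((s for s in sub if s.startswith("tunnel mode ")), "tunnel mode gre ip")  # IOS default
    protected = any(s.startswith("tunnel protection ipsec profile ") for s in sub)
    if "ipsec" in mode:
        kind = "DVTI" if header.startswith("interface Virtual-Template") else "SVTI"
        return kind if protected else f"{kind} without tunnel protection"
    if "multipoint" in mode:
        return "mGRE over IPsec (DMVPN)" if protected else "cleartext mGRE"
    if protected:
        return "GRE over IPsec (tunnel protection)"
    source = next((s.split(" ", 2)[2] for s in sub if s.startswith("tunnel source ")), None)
    cmap = gre_crypto_map(blocks, source_interface(blocks, source)) if source else None
    return f"GRE protected by crypto map {cmap}" if cmap else "cleartext GRE (no IPsec)"

def audit(config: str) -> Dict[str, object]:
    """Return {'tunnels': {name: classification}, 'findings': [messages]} for one config."""
    blocks = parse_blocks(config)
    tunnels = {h.split()[1]: classify(blocks, h) for h in blocks
               if h.startswith(("interface Tunnel", "interface Virtual-Template"))}
    findings: List[str] = []
    for header, sub in blocks.items():
        if WILDCARD_KEY.match(header):
            findings.append("wildcard pre-shared key: one key shared with any peer address")
        for s in sub:
            if s.startswith("tunnel protection ipsec profile ") and \
                    f"crypto ipsec profile {s.split()[4]}" not in blocks:
                findings.append(f"{header} references undefined IPsec profile {s.split()[4]}")
    return {"tunnels": tunnels, "findings": findings}

# Constructed sample after the slides: an SVTI, a DVTI virtual-template and a DMVPN mGRE tunnel.
SAMPLE_CFG = """\
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec profile TP
 set transform-set TSET
interface Tunnel0
 tunnel source 1.1.1.2
 tunnel destination 1.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile TP
interface Virtual-Template1 type tunnel
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile TP
interface Tunnel1
 ip nhrp nhs 10.0.0.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile TP
"""
```

`audit(SAMPLE_CFG)` labels Tunnel0 as SVTI, Virtual-Template1 as DVTI and Tunnel1 as mGRE over IPsec, and reports the wildcard key; feeding it the crypto-map peer from the quiz slide labels that Tunnel0 as GRE protected by crypto map VPN.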
DMVPN
Advantages:
- Dynamic partial or full mesh tunnels
- IP multicast support
- Supports dynamic routing protocols over the hub-and-spoke
- Supported on all Cisco IOS/IOS-XE router platforms
- IWAN support
- Simplifies and shortens configurations
- Per tunnel QoS possible
- SGT (secure group tagging) with IKEv2
- Cisco Prime management
Disadvantages:
- No support for non-IP protocols
- IGP routing peers tend to limit the design scalability
- No interoperability with non-Cisco platforms or Cisco ASA
- Some added complexity with configuration and troubleshooting of DMVPN
- Multicast replication done on the hub
Group Encrypted Transport VPN (GETVPN)
Tunnel-Less VPN - A New Security Model
Before: IPsec point-to-point tunnels
- Scalability an issue (N^2 problem)
- Overlay routing
- Any-to-any instant connectivity can't be done to scale
- Limited QoS
- Inefficient multicast replication
After: tunnel-less VPN
- Scalable architecture for any-to-any connectivity and encryption
- No overlays, native routing
- Any-to-any instant connectivity
- Enhanced QoS
- Efficient multicast replication
Cisco Group Encrypted Transport (GET) VPN
Cisco GET VPN delivers a revolutionary solution for tunnel-less, any-to-any branch confidential communications
Large-scale any-to-any encrypted communications
Native routing without tunnel overlay
Native multicast support - improves application performance
Transport agnostic - private LAN/WAN, IP, MPLS
[Figure: Cisco GET VPN at the center of Any-to-Any Connectivity, Scalable, Real Time]

Header Preservation
IPsec Tunnel Mode vs. GETVPN

IPsec Tunnel Mode
IP packet:          [IP Header | IP Payload]
After encryption:   [New IP Header | ESP | IP Header | IP Payload]
IPsec header inserted by VPN gateway
New IP address requires overlay routing

GETVPN
IP packet:          [IP Header | IP Payload]
After encryption:   [Preserved Header | ESP | IP Header | IP Payload]
IP header preserved by VPN gateway
Preserved IP address uses original routing plane

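The header layouts above, worked through in code. This is an added example, not Cisco code or configuration from the deck: it builds a sample IPv4 packet, wraps it first the way a point-to-point IPsec gateway does (new outer header carrying the gateway addresses) and then the way a GETVPN group member does (outer header copied from the original), and runs both results through a small constructed routing table to show which one still follows the original routing plane. ESP is represented only by its SPI/sequence header; no cipher, padding or ICV is applied, because the point is where the addresses end up. All addresses, next-hop names and the sample payload are constructed.

```python
"""Header placement: IPsec tunnel mode vs GETVPN header preservation.

Added example, not Cisco code. Builds a sample packet, encapsulates it both
ways and shows which routing-table entry forwards each result.
"""
from __future__ import annotations

import struct
from ipaddress import IPv4Address, ip_address, ip_network

ESP_PROTO = 50
TCP_PROTO = 6
IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal IPv4 header; checksum is left at zero (constructed sample, not for the wire)."""
    return struct.pack(IPV4_FMT, (4 << 4) | 5, 0, total_len, 0, 0, ttl, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def parse_ipv4(packet: bytes) -> tuple[str, str, int]:
    """Return (src, dst, protocol) of the IPv4 header at the start of `packet`."""
    _, _, _, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, packet[:20])
    return str(IPv4Address(src)), str(IPv4Address(dst)), proto


def esp_wrap(inner: bytes, spi: int, seq: int) -> bytes:
    """ESP header (SPI, sequence number) in front of the protected packet. No encryption here."""
    return struct.pack("!II", spi, seq) + inner


def ipsec_tunnel_mode(inner: bytes, gw_src: str, gw_dst: str, spi: int = 0x1001) -> bytes:
    """Point-to-point IPsec: the gateway prepends a NEW header with its own addresses."""
    body = esp_wrap(inner, spi, 1)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, 20 + len(body)) + body


def getvpn_encapsulate(inner: bytes, spi: int = 0x2001) -> bytes:
    """GETVPN: tunnel mode with header preservation. The outer header copies the
    original source and destination, so existing routes still match the packet."""
    src, dst, _ = parse_ipv4(inner)
    body = esp_wrap(inner, spi, 1)
    return ipv4_header(src, dst, ESP_PROTO, 20 + len(body)) + body


def next_hop(packet: bytes, routes: list[tuple[str, str]]) -> str | None:
    """Longest-prefix match of the OUTER destination against (prefix, next-hop) routes."""
    _, dst, _ = parse_ipv4(packet)
    best = None
    for prefix, nh in routes:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, nh)
    return best[1] if best else None


def demo() -> dict:
    """Constructed sample: host 10.0.1.5 behind site A sends to 10.0.3.7 behind site C."""
    payload = b"GET / HTTP/1.0\r\n\r\n"
    inner = ipv4_header("10.0.1.5", "10.0.3.7", TCP_PROTO, 20 + len(payload)) + payload
    # Constructed site routing plane: private prefixes via the provider, gateways via the Internet.
    routes = [("10.0.3.0/24", "pe-router-c"), ("10.0.2.0/24", "pe-router-b"),
              ("172.17.0.0/16", "internet-gw")]
    tunnel = ipsec_tunnel_mode(inner, "172.17.0.1", "172.17.0.3")
    getvpn = getvpn_encapsulate(inner)
    return {
        "tunnel_outer": parse_ipv4(tunnel)[:2],
        "tunnel_next_hop": next_hop(tunnel, routes),
        "getvpn_outer": parse_ipv4(getvpn)[:2],
        "getvpn_next_hop": next_hop(getvpn, routes),
        "getvpn_inner": parse_ipv4(getvpn[28:])[:2],   # skip 20-byte outer IP + 8-byte ESP header
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} {value}")
```

Run it and the tunnel-mode packet is forwarded by the route for the remote gateway (the overlay), while the GETVPN packet matches the same route the cleartext packet would have, which is why QoS and traffic engineering on the WAN keep working unchanged.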
When should it be used?
Securing an already secure network
Efficient secure multicast traffic
Deploying voice or similar collaborative applications requiring any-to-any encryption
Encrypting IP packets over satellite links

Main Components of GETVPN
GDOI (Group Domain of Interpretation, RFC 6407)
Cryptographic protocol for group key management
Key Servers (KSs)
IOS devices responsible for creating/maintaining the control plane
Distributing keys to the group members
Group Members (GMs)
IOS devices used for encryption/decryption
Group Security Associations
Tunnel-less network
No peer-to-peer tunnel required
IPsec SAs shared by GMs
IP Address Preservation
Original IP address preserved
GDOI Reuses IKE on UDP 848
Peer-to-peer IPsec negotiation (IPsec peer to IPsec peer):
IKE Phase 1
IKE Phase 2 / IPsec SAs
IPsec negotiation with GDOI (GETVPN), Group Member to Key Server:
IKE Phase 1 (GDOI follows the IKE Phase 1)
GDOI registration / download of IPsec SAs
GDOI defines a rekey exchange (Key Server to Group Member) for subsequent key updates
Can use multicast for efficiency

How does it work?
Group Members (GMs) register via GDOI with the Key Server (KS)
KS authenticates & authorizes the GMs
KS returns a set of IPsec SAs for the GMs to use
[Figure: GM1 to GM9 registering with the KS]

How does it work? (cont'd)
Data Plane Encryption
GMs exchange encrypted traffic using the group keys
Traffic uses IPsec tunnel mode with address preservation
[Figure: GM1 to GM9 exchanging encrypted traffic with each other]

How does it work? (cont'd)
Periodic Rekey of Keys
KS pushes out replacement IPsec keys before current IPsec keys expire
Unicast rekey or multicast rekey
[Figure: KS pushing rekeys to GM1 to GM9]

Cooperative Key Servers - Redundancy
A list of trusted key servers
Manages a common set of keys and security policies for GMs
[Figure: Cooperative KS1, KS2 and KS3 serving GM 1 to GM 4 on Subnets 1 to 4 across the IP network]
Group Security Elements
Key Server (KS): holds the group policy, the Key Encryption Key (KEK) and the Traffic Encryption Key (TEK)
Cooperative key servers synchronize using a proprietary protocol
Group Members: routing members that receive policy and keys from the KS via RFC 3547, Group Domain of Interpretation (GDOI)
[Figure: KS linked to cooperative key servers and to four group members]
Policy Management ACL
Permit ACLs can only be pushed from the KS
Deny ACLs can be configured locally on the GM or pushed from the KS
Local GM ACL has precedence over the downloaded KS ACL
[Figure: KS pushes "Permit: Any-Any" to GMs at 10.0.1.0/24, 10.0.2.0/24 and 10.0.3.0/24 across the IP network / INET; GMs locally configure "Deny: Link Local"]
Design Application
For Internet-based environments, GETVPN can be deployed with DMVPN
LISP as the overlay
Native multicast

Other Features**
Supports Dual Stack (IPv4 and IPv6)
VRF aware (Data and control (GDOI) plane)
TrustSec Inline Tagging Support
NAT
IKEv2 (G-IKEv2)

** Note: Version Dependent

Platforms Supported
Key Server: ASR 1k, 7200, ISR-G2 (39xx, 29xx, 19xx), ISR 4k
Group Member: ASR 1k, 7200, 39xx, 29xx, 19xx, 87x, 88x, 89x
Note: The same device cannot be a GM and KS

KS Configuration
! Phase I and Phase II
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
!
crypto ipsec profile GETVPN
 set transform-set TSET
!
access-list 150 permit ip any host 225.1.1.1
!
! ACL defining the encryption domain
access-list 160 deny eigrp any any
access-list 160 deny pim any any
access-list 160 deny udp any any eq 848
access-list 160 permit ip any any

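How a group member applies these two ACLs, as an added example that is not Cisco code: it covers both the Policy Management ACL slide (permit entries only from the KS, local deny entries evaluated first) and access-list 160 above (EIGRP, PIM and GDOI itself excluded from the group SA, everything else encrypted). The KS ACL entries mirror the slide; the local link-local deny, the packet samples and the protocol-number table are constructed for the example.

```python
"""GETVPN encryption-policy evaluation on a group member (added example, not Cisco code).

Two ACLs decide whether an outbound packet is encrypted with the group TEK:
the deny-only ACL configured locally on the GM (checked first) and the
encryption ACL downloaded from the key server (first match wins).
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed protocol table; "ip" matches any protocol.
PROTO_NUMBERS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "eigrp": 88, "pim": 103}


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" (encrypt) or "deny" (send in the clear)
    proto: str                    # key of PROTO_NUMBERS
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # "eq <port>" on the destination port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    proto_num = PROTO_NUMBERS[ace.proto]
    if proto_num is not None and proto_num != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(ace.src):
        return False
    if ip_address(pkt.dst) not in ip_network(ace.dst):
        return False
    return ace.dport is None or pkt.dport == ace.dport


def local_acl_is_valid(acl: list[Ace]) -> bool:
    """Permit entries may only be pushed by the KS; a local permit is a config error."""
    return all(ace.action == "deny" for ace in acl)


def gm_disposition(local_acl: list[Ace], ks_acl: list[Ace], pkt: Packet) -> str:
    """Return 'encrypt' or 'clear' for a packet leaving the GM's crypto-map interface."""
    if not local_acl_is_valid(local_acl):
        raise ValueError("local GM ACL may only contain deny entries")
    for ace in local_acl:              # local deny ACL has precedence over the KS policy
        if ace_matches(ace, pkt):
            return "clear"
    for ace in ks_acl:                 # downloaded KS ACL, first match wins
        if ace_matches(ace, pkt):
            return "encrypt" if ace.action == "permit" else "clear"
    return "clear"                     # implicit deny at the end of the ACL


# Encryption ACL as pushed from the key server (access-list 160 on the KS slide).
KS_ACL = [
    Ace("deny", "eigrp"),
    Ace("deny", "pim"),
    Ace("deny", "udp", dport=848),     # GDOI registration/rekey must never ride inside the group SA
    Ace("permit", "ip"),
]

# Constructed local deny on the GM: link-local traffic stays in the clear.
LOCAL_ACL = [Ace("deny", "ip", src="169.254.0.0/16"), Ace("deny", "ip", dst="169.254.0.0/16")]


def classify_samples() -> dict[str, str]:
    """Constructed sample packets run through the GM policy."""
    samples = {
        "user tcp 10.0.1.5->10.0.3.7:443": Packet("10.0.1.5", "10.0.3.7", 6, 443),
        "eigrp hello": Packet("10.0.1.1", "224.0.0.10", 88),
        "gdoi registration to ks": Packet("10.0.1.1", "1.1.1.1", 17, 848),
        "link-local": Packet("169.254.1.1", "10.0.3.7", 1),
        "multicast video": Packet("10.0.1.5", "239.1.1.1", 17, 5004),
    }
    return {name: gm_disposition(LOCAL_ACL, KS_ACL, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{verdict:8} {name}")
```

The order of the two loops is the whole point: a local deny wins even though the KS policy ends in permit ip any any, and the KS deny for UDP 848 is what keeps the GM able to re-register after a TEK expires.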
KS Configuration (Cont.)
crypto gdoi group GETVPN
 ! GDOI group ID
 identity number 1234
 server local
  ! Rekey properties
  !rekey address ipv4 150
  rekey lifetime seconds 14400
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN
  rekey transport unicast
  sa ipsec 1
   profile GETVPN
   ! Encryption ACL
   match address ipv4 160
  ! Source address for rekeys
  address ipv4 1.1.1.1
  redundancy
   local priority 10
   peer address ipv4 1.1.1.2
!

GM Configuration
! Phase I parameters
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
!
! GDOI config and applying it to the interface
crypto gdoi group getvpn1
 identity number 1234
 server address ipv4 1.1.1.1
!
crypto map GETVPN 10 gdoi
 set group getvpn1
!
interface FastEthernet0/0
 crypto map GETVPN

GETVPN

Advantages
Any-to-any large scale (site-to-site)
Multicast replication in the IP WAN network
Route distribution model + stateful group protection
Address preservation - hence works well with QoS and traffic engineering
SGT support

Disadvantages
Suited for private IP network infrastructure
Does not support non-IP protocols
Cisco routers only

Hub-Spoke + Spoke-Spoke Solutions

Problem Statement / Customer Needs
Extend LANs over WAN
Consume services from a centralized location
Prevent man-in-the-middle attacks
Data confidentiality
Any-to-any connectivity
Separation of customer and provider routing domains

Choose DMVPN When
On-demand spoke-spoke tunnels
IKEv1 or IKEv2
Distributed policy management and pair-wise keys
Branch-to-HQ and branch-to-branch connectivity
Transport: Internet or multiple transport types (IP, MPLS) co-exist
Support for NAT-T

Choose GETVPN When
Any-to-any and tunnel-less
G-IKEv1 or G-IKEv2
Centralized policy management and group keys
Transport type: MPLS or private WAN
Native multicast replication

Hub-Spoke + Spoke-Spoke VPN Solutions
Components and Services Interaction

Technology  Overlay Type        Key Management  AVC  WAAS  PfRv3  QoS
DMVPN       mGRE tunnel         Pair-wise       Yes  Yes   Yes    Adaptive per-tunnel
GETVPN      LISP / tunnel-less  Group keys      Yes  Yes   N/A    Egress interface

PfRv3 works only with DMVPN (single routing domain)
PfRv3 does not work with GETVPN
Customers can continue to deploy GETVPN with LISP (WAN) or without LISP (private WAN)

FlexVPN
FlexVPN Overview
IKEv2-based unified VPN that combines site-to-site, remote-access, hub-spoke and spoke-spoke topologies
FlexVPN combines multiple frameworks into a single, comprehensive set of CLI and binds it together, offering more flexibility and a means to extend functionality in the future
FlexVPN offers a simple but modular framework that extensively uses the tunnel interface paradigm
IKEv2 is a major protocol update
IWAN NOT supported

VPN Technology Selection
Death by a thousand questions
3rd party and legacy support
Hub & spoke
AAA
Manageability
Failover time
Spoke-spoke direct
Solution vs. components
IPv4/IPv6 dual stack
Failure detection method
Design complexity
Route injection
Dual DMVPN
Dynamic routing
Crypto map or tunnels
Feature order
Multi-hub homing
Per-peer ACLs
Scalability
Multicast
Multi-ISP homing
QoS support
High availability

EasyVPN, DMVPN and Crypto Maps

Easy VPN server with DVTI
crypto isakmp client configuration group cisco
 key cisco123
 pool dvti
 acl 100
crypto isakmp profile dvti
 match identity group cisco
 client authentication list lvpn
 isakmp authorization list lvpn
 client configuration address respond
 virtual-template 1
crypto ipsec transform-set dvti esp-3des esp-sha-hmac
crypto ipsec profile dvti
 set transform-set dvti
 set isakmp-profile dvti
interface Virtual-Template1 type tunnel
 ip unnumbered Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile dvti
ip local pool dvti 192.168.2.1 192.168.2.2
ip route 0.0.0.0 0.0.0.0 10.0.0.2
access-list 100 permit ip 192.168.1.0 0.0.0.255 any

DMVPN hub
crypto ipsec transform-set vpn-ts-set esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile vpnprofile
 set transform-set vpn-ts-set
interface Tunnel0
 ip address 10.0.0.254 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile vpnprofile

Easy VPN server with crypto maps
crypto isakmp client configuration group cisco
 key pr3sh@r3dk3y
 pool vpnpool
 acl 110
crypto ipsec transform-set vpn-ts-set esp-3des esp-sha-hmac
crypto dynamic-map dynamicmap 10
 set transform-set vpn-ts-set
 reverse-route
crypto map client-vpn-map client authentication list userauthen
crypto map client-vpn-map isakmp authorization list groupauthor
crypto map client-vpn-map client configuration address initiate
crypto map client-vpn-map client configuration address respond
crypto map client-vpn-map 10 ipsec-isakmp dynamic dynamicmap
interface FastEthernet0/0
 ip address 83.137.194.62 255.255.255.240
 crypto map client-vpn-map
ip local pool vpnpool 10.10.1.1 10.10.1.254
access-list 110 permit ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255
Benefits of FlexVPN
You can run Flex alongside all your previous IPsec VPNs. Most scenarios will allow coexistence of previous configuration and Flex
Based on IKEv2 and not IKEv1, which improves almost all aspects of negotiation and protocol stability
Using GRE over IPsec or VTI as encapsulation. GRE allows you to run almost anything over it. IPsec provides security for the payload
Utilizing virtual interfaces - allowing per-spoke features like firewall, QoS, ACLs, etc.
Remote access server and client (software and hardware) - similar to EZVPN
Dynamic spoke-to-spoke tunnels - similar to DMVPN
Ease of configuration by using built-in defaults - no longer will you need to define policies, transform sets, etc.
When do you use it
Customer requires IKEv2 features
Customer desires to build site-to-site, remote-access, hub-spoke and spoke-spoke topologies utilizing a unified CLI
Large-scale deployment (of spoke-to-spoke and hub-and-spoke)
Customer wishes to reduce the learning curve of implementing multiple different types of VPN connectivity
Target deployment: 50 to 10,000 sites with a hub-spoke layout and Cisco and non-Cisco interoperability, IoT
Comparing IKEv1 & IKEv2
IKEv1 is spread across several documents: ISAKMP (RFC 2408), IPsec DOI (RFC 2407), IKE (RFC 2409), NAT-T, DPD, etc.
IKEv2 is one specification, RFC 5996, with extensions: EAP-Only Authentication (RFC 5998), Childless IKEv2 (RFC 6023), IKEv2 Redirect (RFC 5685), Suite-B
Same objectives: integrity, confidentiality
IKEv2 is more secure: anti-DoS, config mode, authentication options (PSK, RSA-Sig, EAP auth., hybrid auth.), cleaner identity/key exchange, acknowledged notifications
Similar but different: IKEv1 Main + Aggressive mode vs. the IKEv2 INITIAL exchange; both use UDP ports 500 & 4500
Key Differentiators

                 IKEv1                              IKEv2
Auth messages    6 max                              Open ended
First IPsec SA   9 msgs min                         ~4-6 msgs min
Authentication   pubkey-sig, pubkey-encr, PSK       Pubkey-sig, PSK, EAP
Anti-DOS         Never worked                       Works!
IKE rekey        Requires re-auth (expensive)       No re-auth
Notifies         Fire & forget                      Acknowledged

IKEv2 Exchange Overview
Initiator (I) and Responder (R)

IKE_SA_INIT
IKEv2 Security Association (SA) establishment (proposal selection, key exchange)

IKE_AUTH
Mutual authentication & identity exchange
Initial IPsec SAs establishment
Certificate exchange (optional)
Configuration exchange (optional)

CREATE_CHILD_SA (can be I -> R with ACK or R -> I with ACK)
Additional IPsec SAs establishment
IKEv2 & IPsec SA rekey

INFORMATIONAL (can be I -> R with ACK or R -> I with ACK)
Notifications (SA deletion, liveness check, ...)
Configuration exchange (one or both ways)

IKEv2 Configuration Exchange
Initiator (I) = RA client, Responder (R) = RA server

IKE_AUTH
CFG_REQUEST (I -> R): "I would like: an IPv6 address, a DNS & WINS server, a list of protected IPv6 subnets." The initiator (RA client) requests configuration parameters from the responder (RA server).
CFG_REPLY (R -> I): "Your assigned IPv6 address is ... Your DNS server is ... There is no WINS server. My protected IPv6 subnets are ..." Derived from peer authorization.

INFORMATIONAL
CFG_SET: "My local IPv6 protected subnets are ..." The initiator and/or responder sends unsolicited configuration parameters to its peer. Derived from peer authorization.
CFG_ACK: the CFG_SET is acknowledged.

IKEv2 CLI Overview
! IKEv2 proposal
crypto ikev2 proposal PROP-1
 encryption aes-cbc-128 3des
 integrity sha1
 group 2
!
! IKEv2 policy binds the proposal to the peer
crypto ikev2 policy SITE-POLICY
 proposal PROP-1
!
! Keyring supports asymmetric PSKs
crypto ikev2 keyring V2-KEYRING
 peer cisco
  address 10.0.1.1
  pre-shared-key local CISCO
  pre-shared-key remote OCSIC
!
! IKEv2 authorization policy (contains attributes for local AAA & config. exchange)
crypto ikev2 authorization policy AUTH-POLICY
 route set interface
 route accept any

IKEv2 CLI Overview
IKEv2 Profile - extensive CLI
crypto ikev2 profile default
 ! Self identity control: only one local identity allowed
 identity local address 10.0.0.1
 [identity local fqdn local.cisco.com]
 [identity local email local@cisco.com]
 [identity local dn]
 ! Match on peer IKE identity or certificate: multiple match identity allowed
 match identity remote address 10.0.1.1
 match identity remote fqdn remote.cisco.com
 match identity remote fqdn domain cisco.com
 match identity remote email remote@cisco.com
 match identity remote email domain cisco.com
 match certificate certificate_map
 ! Match on local address and front VRF
 match fvrf red
 match address local 172.168.1.1
 ! Asymmetric local & remote authentication methods
 ! Only one local method allowed
 authentication local pre-share
 [authentication local rsa-sig]
 [authentication local eap]
 ! Multiple remote methods allowed
 authentication remote pre-share
 authentication remote rsa-sig
 authentication remote eap
 ! Local and AAA-based pre-shared keyring
 keyring local IOSKeyring
 keyring aaa AAAlist
 pki trustpoint <trustpoint_name>

IKEv2 CLI Overview
IPsec: no further change
crypto ipsec transform-set TS esp-aes 128 esp-sha-hmac
!
! IPsec profile points to the IKEv2 profile
crypto ipsec profile IPSEC-PROFILE
 set transform-set TS
 set ikev2-profile IKEV2-PROFILE
!
! Tunnel protection links IPsec to the tunnel
interface Virtual-Template1 type tunnel
 ip unnumbered Ethernet0/0
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source Ethernet0/0
 tunnel destination 172.16.2.1
 tunnel protection ipsec profile IPSEC-PROFILE

Introducing Smart Defaults
Intelligent, reconfigurable defaults
Pre-existing constructs:
crypto ikev2 proposal: AES-CBC 256, 192, 128, 3DES / SHA-512, 384, 256, SHA-1, MD5 / group 5, 2
crypto ikev2 policy (match any)
crypto ipsec transform-set (AES-128, 3DES / SHA, MD5)
crypto ipsec profile default (default transform set, ikev2 profile default)
Only an IKEv2 profile called default needs to be created

Example full config using smart defaults:
crypto ikev2 profile default
 match identity remote address 10.0.1.1
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint TP
!
interface Tunnel0
 ip address 192.168.0.1 255.255.255.252
 tunnel protection ipsec profile default

Reconfigurable Defaults
All defaults can be modified, deactivated and restored
Default proposals pre-configured for IKEv2 and for IPsec

Modifying defaults:
crypto ikev2 proposal default
 encryption aes-cbc-128
 integrity md5
crypto ipsec transform-set default esp-aes 256 esp-sha-hmac

Restoring defaults:
default crypto ikev2 proposal
default crypto ipsec transform-set

Disabling defaults:
no crypto ikev2 proposal default
no crypto ipsec transform-set default

Building Block IKEv2 Name Mangler
RA Client (IKEv2 initiator) -> FlexVPN Server (IKEv2 responder, RADIUS client / NAS) -> AAA Server (RADIUS server)

crypto ikev2 name-mangler extract-user
 fqdn hostname
 email username
 dn common-name
 eap prefix delimiter @

RA client identity (from the IKEv2 exchange)  ->  AAA username
FQDN:  joe.cisco.com                          ->  joe
Email: joe@cisco.com                          ->  joe
DN:    cn=joe,ou=IT,o=Cisco                   ->  joe
EAP:   joe@cisco                              ->  joe

Local AAA request: Username: joe
RADIUS AAA request: Username: joe, password: cisco (static password, configurable)

Start with the peer's IKE or EAP identity
Derive a username that is meaningful to AAA (local or RADIUS)
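The name-mangler rules above as a small piece of Python, an added example rather than Cisco code: it takes each of the four slide identities and derives the AAA username exactly as the extract-user configuration would, then shapes the local and RADIUS requests shown on the slide. The four keyword choices on the slide (fqdn hostname, email username, dn common-name, eap prefix delimiter @) are from the page; the alternative keywords the class also accepts (domain, all, suffix, organization-unit) are modelled on the IOS CLI but are assumptions of this example, as are the RADIUS attribute names and the default static password.

```python
"""IKEv2 name mangler (added example, not Cisco code).

Derives an AAA username from the peer's IKE or EAP identity following the
'crypto ikev2 name-mangler extract-user' rules on the slide.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class NameMangler:
    fqdn: str = "hostname"        # hostname | domain | all   (hostname is the slide's choice)
    email: str = "username"       # username | domain | all  (username is the slide's choice)
    dn: str = "common-name"       # common-name | organization-unit | organization
    eap: str = "prefix"           # prefix | suffix | all    (prefix is the slide's choice)
    eap_delimiter: str = "@"

    def mangle(self, id_type: str, identity: str) -> str:
        """Return the username extracted from an identity of the given type."""
        if id_type == "fqdn":
            host, _, domain = identity.partition(".")
            return {"hostname": host, "domain": domain, "all": identity}[self.fqdn]
        if id_type == "email":
            user, _, domain = identity.partition("@")
            return {"username": user, "domain": domain, "all": identity}[self.email]
        if id_type == "dn":
            attrs = {}
            for rdn in identity.split(","):
                key, _, value = rdn.strip().partition("=")
                attrs[key.strip().lower()] = value.strip()
            wanted = {"common-name": "cn", "organization-unit": "ou", "organization": "o"}[self.dn]
            return attrs[wanted]
        if id_type == "eap":
            if self.eap == "all":
                return identity
            prefix, sep, suffix = identity.partition(self.eap_delimiter)
            if not sep:                 # delimiter absent: nothing to strip, use the whole identity
                return identity
            return prefix if self.eap == "prefix" else suffix
        raise ValueError(f"unknown identity type: {id_type}")


def local_aaa_request(username: str) -> dict[str, str]:
    """Local database lookup only needs the derived username."""
    return {"username": username}


def radius_aaa_request(username: str, static_password: str = "cisco") -> dict[str, str]:
    """RADIUS Access-Request: derived username plus the configurable static password.
    Attribute names are assumed for the example."""
    return {"User-Name": username, "User-Password": static_password}


# The four identities from the slide (constructed to match it).
SLIDE_IDENTITIES = {
    "fqdn": "joe.cisco.com",
    "email": "joe@cisco.com",
    "dn": "cn=joe,ou=IT,o=Cisco",
    "eap": "joe@cisco",
}


def slide_identities(mangler: NameMangler = NameMangler()) -> dict[str, str]:
    """Run every slide identity through the mangler; all four should yield 'joe'."""
    return {id_type: mangler.mangle(id_type, ident) for id_type, ident in SLIDE_IDENTITIES.items()}


if __name__ == "__main__":
    for id_type, username in slide_identities().items():
        print(f"{id_type:5} -> {username:4} local={local_aaa_request(username)} "
              f"radius={radius_aaa_request(username)}")
```

Because every identity type collapses to the same username, one AAA record per user covers a router enrolling with a certificate, a software client using EAP and a hardware client using an e-mail identity.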
FlexVPN and AAA
Authentication, Authorization & Accounting
IKEv2 communicates with the IOS AAA subsystem
AAA list names for the local database (IKEv2 authorization policy) and for a remote database (RADIUS):
aaa new-model
aaa authorization network local-db local
aaa authorization network remote-db group radius
Protocols in play: IKEv2, RADIUS, EAP
AAA-based authentication:
Pre-shared keys stored on the RADIUS server
EAP over IKEv2 & RADIUS
Authorization:
Implicit authorization (re-uses attributes received during authentication)
Explicit authorization (local or remote, group- & user-level)
Accounting
Authorization Types
Not mutually exclusive - may be combined

Implicit User Authorization
crypto ikev2 profile default
 aaa authorization user {psk|eap} cached
Uses cached attributes received from RADIUS during AAA PSK retrieval or EAP authentication. The RADIUS Access-Accept carries Local PSK = cisco!, Remote PSK = !ocsic and other user attributes for joe, which are cached for authorization.

Explicit User Authorization
crypto ikev2 profile default
 aaa authorization user {psk|eap|cert} list list [name | name-mangler mangler]
Retrieves user attributes from RADIUS (local database not supported)

Explicit Group Authorization
crypto ikev2 profile default
 aaa authorization group {psk|eap|cert} [override] list list [name | name-mangler mangler]
Retrieves group attributes from RADIUS or the local database
Reverse order of precedence (group > user) with override

Attributes Merging
FlexVPN Server merging attributes received from the AAA Server

Cached user attributes (received during AAA-based authentication):
Framed-IP-Address   10.0.0.101
ipsec:dns-servers   10.2.2.2

Explicit user attributes (received during explicit user authorization):
Framed-IP-Address   10.0.0.102

Merged user attributes (explicit user attributes take precedence):
Framed-IP-Address   10.0.0.102
ipsec:dns-servers   10.2.2.2

Explicit group attributes (received during explicit group authorization):
ipsec:dns-servers   10.2.2.3
ipsec:banner        Welcome !

Final merged attributes (merged user attributes take precedence, except if group override is configured):
Framed-IP-Address   10.0.0.102
ipsec:dns-servers   10.2.2.2
ipsec:banner        Welcome !
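The same merge, with each final attribute tagged by the source it came from, which is the question that comes up when troubleshooting a session that received the wrong DNS server or address. This is an added example and not Cisco code; the attribute values are the slide's, the "group override" switch models the [override] keyword of aaa authorization group, and the source labels are constructed for the example.

```python
"""FlexVPN AAA attribute merging with provenance (added example, not Cisco code).

Precedence as described on the slide:
  cached user < explicit user          (explicit user attributes win)
  merged user > explicit group         (unless 'aaa authorization group ... override')
Each final attribute is returned as (value, source) so you can see who set it.
"""
from __future__ import annotations

Tagged = dict[str, tuple[str, str]]   # attribute -> (value, source)


def tag(attrs: dict[str, str], source: str) -> Tagged:
    return {name: (value, source) for name, value in attrs.items()}


def merge(base: Tagged, incoming: Tagged, incoming_wins: bool) -> Tagged:
    """Union of two attribute sets; on a conflict `incoming_wins` decides which value survives."""
    result = dict(base)
    for name, tagged_value in incoming.items():
        if incoming_wins or name not in result:
            result[name] = tagged_value
    return result


def authorize(cached: dict[str, str], explicit_user: dict[str, str],
              explicit_group: dict[str, str], group_override: bool = False) -> Tagged:
    """Return the final merged attributes for one IKEv2 session."""
    merged_user = merge(tag(cached, "cached user"), tag(explicit_user, "explicit user"),
                        incoming_wins=True)
    return merge(merged_user, tag(explicit_group, "explicit group"),
                 incoming_wins=group_override)


# Attribute sets from the slide (constructed to match it).
CACHED_USER = {"Framed-IP-Address": "10.0.0.101", "ipsec:dns-servers": "10.2.2.2"}
EXPLICIT_USER = {"Framed-IP-Address": "10.0.0.102"}
EXPLICIT_GROUP = {"ipsec:dns-servers": "10.2.2.3", "ipsec:banner": "Welcome !"}


def slide_example(group_override: bool = False) -> Tagged:
    return authorize(CACHED_USER, EXPLICIT_USER, EXPLICIT_GROUP, group_override)


if __name__ == "__main__":
    for override in (False, True):
        print(f"group override = {override}")
        for name, (value, source) in slide_example(override).items():
            print(f"  {name:20} {value:12} from {source}")
```

Without override the result is the slide's final table; with override the group's DNS server 10.2.2.3 replaces the user's 10.2.2.2 while attributes the group does not carry, such as Framed-IP-Address, are untouched.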
Modular Building Blocks
Tunneling: GRE/IPsec, pure IPsec
Authentication method: certificate, pre-shared key, EAP (initiator)
Tunnel: static, dynamic, crypto map
Config source: local config, RADIUS, hybrid
Config mode
Security policy & routing: IKEv2 routing, BGP, static routes, reverse-route injection, EIGRP or anything else!

Site-to-Site Use Cases
FlexVPN Site-to-Site Configuration using Crypto Maps
FlexVPN Site-to-Site SVTI-SVTI Configuration using Digital Certificates
FlexVPN Site-to-Site IPv6 over IPv4 using GRE Encapsulation (in
reference slides)
FlexVPN Hub & Spoke DVTI-SVTI using IKEv2 Routing
FlexVPN Hub & Spoke using Flex Client
FlexVPN Dynamic Spoke to Spoke
MPLS over FlexVPN

FlexVPN Site-to-Site Configuration using Crypto Maps
[Figure: IOS router 1.1.1.1 with LAN 192.168.1.0/24 peering with ASA 1.1.1.2 with LAN 192.168.2.0/24]

IOS router (1.1.1.1):
! The keyring name is just a string
crypto ikev2 keyring ASA
 peer ASA
  ! Peer address
  address 1.1.1.2
  pre-shared-key cisco
crypto ikev2 profile PROF
 match identity remote address 1.1.1.2 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring ASA
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
! Crypto map references the IKEv2 profile
crypto map VPN 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set TSET
 set ikev2-profile PROF
 match address CRYPTOACL
ip access-list extended CRYPTOACL
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 1.1.1.2

ASA (1.1.1.2):
crypto ipsec ikev2 ipsec-proposal IPROP
 protocol esp encryption aes
 protocol esp integrity sha-1
crypto map VPN 10 match address CRYPTOACL
crypto map VPN 10 set peer 1.1.1.1
crypto map VPN 10 set ikev2 ipsec-proposal IPROP
crypto map VPN interface outside
crypto ikev2 policy 1
 encryption aes
 integrity sha
 group 5
 prf sha
crypto ikev2 enable outside
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco
 ! ASA requires local-authentication
 ikev2 local-authentication pre-shared-key cisco
access-list CRYPTOACL extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
route outside 192.168.1.0 255.255.255.0 1.1.1.1 1

FlexVPN Site-to-Site SVTI-SVTI Configuration using Digital Certificates
[Figure: hub.cisco.com (1.1.1.1, LAN 192.168.1.0/24) and spoke1.cisco.com (1.1.1.2, LAN 192.168.2.0/24) connected by a static tunnel on each side]

hub.cisco.com (1.1.1.1):
! Certificate enrollment
crypto pki trustpoint PKI
 enrollment url http://1.1.1.1:80
 serial-number
 subject-name cn=hub.cisco.com
 revocation-check none
! Certificate map to match the peer's identity
crypto pki certificate map CERTMAP 10
 subject-name co spoke1.cisco.com
crypto ikev2 profile default
 match certificate CERTMAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint PKI
 dpd 10 2 on-demand
interface Tunnel0
 ip address 10.1.1.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.2
 tunnel protection ipsec profile default
! Could use a routing protocol (IGP/BGP) instead of the static route
ip route 192.168.2.0 255.255.255.0 Tunnel0

spoke1.cisco.com (1.1.1.2):
! Certificate enrollment
crypto pki trustpoint PKI
 enrollment url http://1.1.1.1:80
 serial-number
 subject-name cn=spoke1.cisco.com
 revocation-check none
! Certificate map to match the peer's identity
crypto pki certificate map CERTMAP 10
 subject-name co hub.cisco.com
crypto ikev2 profile default
 match certificate CERTMAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint PKI
 dpd 10 2 on-demand
interface Tunnel0
 ip address 10.1.1.2 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.1
 tunnel protection ipsec profile default
! Could use a routing protocol (IGP/BGP) instead of the static route
ip route 192.168.1.0 255.255.255.0 Tunnel0
FlexVPN Site-to-Site IPv6 over IPv4 using GRE Encapsulation
[Figure: site 1 (1.1.1.1, LANs 192.168.1.0/24 and 2001:0:0:1::1/64) and site 2 (2.2.2.1, LANs 192.168.2.0/24 and 2001:0:0:2::1/64) connected by a static tunnel on each side]

Site 1 (1.1.1.1):
! Asymmetric PSKs
crypto ikev2 keyring KR
 peer SPOKE2
  address 2.2.2.1
  pre-shared-key local CISCO
  pre-shared-key remote CICSO
crypto ikev2 profile default
 match identity remote address 2.2.2.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR
! Tunneling IPv6 over an IPv4 tunnel (default GRE encapsulation)
interface Tunnel0
 ip address 10.1.1.1 255.255.255.0
 ipv6 address FE80::1 link-local
 tunnel source Ethernet0/0
 tunnel destination 2.2.2.1
 tunnel protection ipsec profile default
! Could use a routing protocol (IGP/BGP) instead of the static routes
ip route 192.168.2.0 255.255.255.0 Tunnel0
ipv6 route 2001:0:0:2::/64 Tunnel0

Site 2 (2.2.2.1):
! Asymmetric PSKs
crypto ikev2 keyring KR
 peer SPOKE1
  address 1.1.1.1
  pre-shared-key local CICSO
  pre-shared-key remote CISCO
crypto ikev2 profile default
 match identity remote address 1.1.1.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR
! Tunneling IPv6 over an IPv4 tunnel (default GRE encapsulation)
interface Tunnel0
 ip address 10.1.1.2 255.255.255.0
 ipv6 address FE80::2 link-local
 tunnel source Ethernet0/0
 tunnel destination 1.1.1.1
 tunnel protection ipsec profile default
! Could use a routing protocol (IGP/BGP) instead of the static routes
ip route 192.168.1.0 255.255.255.0 Tunnel0
ipv6 route 2001:0:0:1::/64 Tunnel0

FlexVPN Hub & Spoke DVTI-SVTI using IKEv2 Routing
Network Diagram
[Figure: hub with LAN 192.168.1.0/24 (.1) and WAN address 200.1.1.2 terminating Virtual-Access interfaces; spoke with LAN 192.168.2.0/24 using a static tunnel interface]

FlexVPN Hub & Spoke DVTI-SVTI using IKEv2 Routing
Hub configuration
[Figure: hub, LAN 192.168.1.0/24 (.1), WAN 200.1.1.2; spoke, LAN 192.168.2.0/24 (.1)]

! AAA authorization method list
aaa authorization network FLEX local
crypto ikev2 keyring SPOKES
 peer ALL
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco123
! IKEv2 authorization policy named FLEXAUTHOR
crypto ikev2 authorization policy FLEXAUTHOR
 ! Spoke tunnel IP pool
 pool FLEXPOOL
 ! IKEv2 routes
 route set interface
 route set access-list 99
crypto ikev2 profile default
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local SPOKES
 dpd 10 2 periodic
 aaa authorization group psk list FLEX FLEXAUTHOR
 ! Creates Virtual-Access interfaces from the Virtual-Template
 virtual-template 1
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/1
 tunnel protection ipsec profile default
ip local pool FLEXPOOL 10.1.1.1 10.1.1.10
access-list 99 permit 192.168.0.0 0.0.255.255

FlexVPN Hub & Spoke DVTI-SVTI using IKEv2 Routing
Spoke configuration
[Figure: hub, LAN 192.168.1.0/24 (.1), WAN 200.1.1.2; spoke, LAN 192.168.2.0/24 (.1)]

aaa authorization network FLEX local
crypto ikev2 keyring HUB
 peer HUB
  address 200.1.1.2
  pre-shared-key cisco123
! Advertising the tunnel interface IP and the 192.168.2.0/24 subnet
crypto ikev2 authorization policy FLEXAUTHOR
 route set interface
 route set access-list 99
crypto ikev2 profile default
 match identity remote address 200.1.1.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local HUB
 dpd 10 2 periodic
 ! Local authorization
 aaa authorization group psk list FLEX FLEXAUTHOR
interface Tunnel0
 ! IP address assignment from FLEXPOOL
 ip address negotiated
 tunnel source Ethernet0/0
 tunnel destination 200.1.1.2
 tunnel protection ipsec profile default
! IKEv2 route
access-list 99 permit 192.168.2.0 0.0.0.255

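What the two FLEXAUTHOR policies above exchange, and what ends up in each routing table, as an added example that is not Cisco code. It also models the IKEv2 Configuration Exchange slide earlier in the deck: the spoke's CFG_REQUEST inside IKE_AUTH, the hub's CFG_REPLY (address from FLEXPOOL plus the prefixes from route set interface and route set access-list 99), and the spoke's unsolicited CFG_SET/CFG_ACK in INFORMATIONAL carrying its own prefixes. Pool, ACL and interface values are the slide's; the hub's unnumbered address 192.168.1.1 is taken from the diagram, the attribute names INTERNAL_IP4_ADDRESS / INTERNAL_IP4_SUBNET are the RFC 7296 ones, and the /32 form of interface routes, the Virtual-Access naming and the second spoke are assumptions of this model.

```python
"""IKEv2 config-mode route exchange for a FlexVPN hub and spoke (added example, not Cisco code).

Models the effect of 'pool', 'route set interface' and 'route set access-list'
in the authorization policies on both sides of an IKEv2 session.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Router:
    name: str
    tunnel_if: str                                  # interface routes learned from the peer point at
    interface_ip: str | None                         # 'route set interface' source; None = negotiated
    acl_prefixes: list[str]                          # contents of 'route set access-list 99'
    pool: list[str] = field(default_factory=list)    # 'pool FLEXPOOL' (hub only)
    routes: dict[str, str] = field(default_factory=dict)   # prefix -> outgoing interface

    def advertised(self) -> list[str]:
        """Prefixes this side sends: its interface address as /32 plus the ACL prefixes."""
        own = [f"{self.interface_ip}/32"] if self.interface_ip else []
        return own + list(self.acl_prefixes)

    def install(self, prefixes: list[str], via: str) -> None:
        for prefix in prefixes:
            self.routes[str(ip_network(prefix))] = via


def ike_auth(spoke: Router, hub: Router) -> dict:
    """IKE_AUTH: spoke sends CFG_REQUEST, hub answers CFG_REPLY from its authorization policy."""
    cfg_request = {"INTERNAL_IP4_ADDRESS": None, "INTERNAL_IP4_SUBNET": None}
    if not hub.pool:
        raise RuntimeError("FLEXPOOL exhausted")          # the failure mode when the pool is too small
    assigned = hub.pool.pop(0)
    cfg_reply = {"INTERNAL_IP4_ADDRESS": assigned, "INTERNAL_IP4_SUBNET": hub.advertised()}
    spoke.interface_ip = assigned                          # 'ip address negotiated' on Tunnel0
    spoke.install(cfg_reply["INTERNAL_IP4_SUBNET"], spoke.tunnel_if)
    return {"CFG_REQUEST": cfg_request, "CFG_REPLY": cfg_reply}


def informational_cfg_set(spoke: Router, hub: Router, vaccess: str) -> dict:
    """INFORMATIONAL: spoke pushes its own prefixes (CFG_SET); hub installs them and ACKs."""
    cfg_set = {"INTERNAL_IP4_SUBNET": spoke.advertised()}
    hub.install(cfg_set["INTERNAL_IP4_SUBNET"], vaccess)
    return {"CFG_SET": cfg_set, "CFG_ACK": dict(cfg_set)}


def connect(spoke: Router, hub: Router, vaccess: str) -> dict:
    """Full exchange for one spoke; `vaccess` is the Virtual-Access cloned for this session."""
    return {"IKE_AUTH": ike_auth(spoke, hub), "INFORMATIONAL": informational_cfg_set(spoke, hub, vaccess)}


def make_hub() -> Router:
    first = ip_address("10.1.1.1")                                   # ip local pool FLEXPOOL 10.1.1.1 10.1.1.10
    return Router("hub", "Virtual-Template1", "192.168.1.1", ["192.168.0.0/16"],
                  pool=[str(first + i) for i in range(10)])


def make_spoke(name: str, lan: str = "192.168.2.0/24") -> Router:
    return Router(name, "Tunnel0", None, [lan])


def pool_exhausts(spokes: int = 11) -> bool:
    """True if connecting more spokes than the pool holds raises the expected error."""
    hub = make_hub()
    try:
        for i in range(spokes):
            connect(make_spoke(f"spoke{i}", f"192.168.{i + 2}.0/24"), hub, f"Virtual-Access{i + 1}")
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    hub, spoke = make_hub(), make_spoke("spoke1")
    for exchange, payloads in connect(spoke, hub, "Virtual-Access1").items():
        print(exchange, payloads)
    print("hub routes  ", hub.routes)
    print("spoke routes", spoke.routes)
```

The asymmetry is worth noticing: the hub advertises the summary 192.168.0.0/16, so every spoke reaches every other spoke's LAN through the hub, while each spoke advertises only its own /24 and its negotiated /32, which is what keeps the hub's table proportional to the number of spokes.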
FlexVPN Server
FlexVPN Server is an IKEv2 RA server that provides the IKEv2 headend functionality for remote access and hub-spoke topologies.
FlexVPN Server features include:
Peer authentication using EAP
Per-user attributes: allows fetching per-user session attributes from AAA via IKEv2 authorization
IKEv2 Multi-SA dVTI
Supported remote access clients include Microsoft Windows 7/8 IKEv2 client, Cisco IKEv2 AnyConnect client, and Cisco IOS FlexVPN client
FlexVPN Client
FlexVPN Client provides the IKEv2 remote access client functionality
FlexVPN Client highlights:
GRE encapsulation support that allows IPv4/IPv6 over IPv4/IPv6
Dynamic routing protocol support
Route exchange via config mode
Dynamic BGP peering
FlexVPN Client features:
Backup gateways
Dial backup
Split DNS
NAT

FlexVPN Hub & Spoke using Flex Client
Network Diagram
[Figure: hub with LAN 192.168.1.0/24 (.1) and WAN address 200.1.1.2 terminating Virtual-Access interfaces; spoke with LAN 192.168.2.0/24 using a static tunnel interface with the FlexVPN client]

FlexVPN Hub & Spoke using Flex Client
Hub configuration
[Figure: Hub 1 (200.1.1.1) and Hub 2 (200.1.1.2) on LAN 192.168.1.0/24 (.1 and .2); spoke on LAN 192.168.2.0/24 (.1)]

! Wildcard PSK keyring
crypto ikev2 keyring SPOKES
 peer ALL
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco123
! IKEv2 profile named default
crypto ikev2 profile default
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local SPOKES
 dpd 10 2 periodic
 ! Creates Virtual-Access interfaces from the Virtual-Template
 virtual-template 1
interface Virtual-Template1 type tunnel
 ip unnumbered Ethernet0/1
 tunnel source Ethernet0/0
 tunnel protection ipsec profile default
! IGP routing
router eigrp 1
 network 192.168.1.1 0.0.0.0

FlexVPN Hub & Spoke using Flex Client
Spoke Configuration
(Diagram: Hub 1 at 200.1.1.1 and Hub 2 at 200.1.1.2 with LAN 192.168.1.0/24; Spoke with LAN 192.168.2.0/24)

crypto ikev2 keyring HUBS
 peer HUB1
  address 200.1.1.1
  pre-shared-key cisco123
 peer HUB2
  address 200.1.1.2
  pre-shared-key cisco123
!
crypto ikev2 profile default
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local HUBS
 dpd 10 2 periodic
!
FlexVPN client construct:
crypto ikev2 client flexvpn FLEXCLIENT
 peer 1 200.1.1.1
 peer 2 200.1.1.2
 client connect Tunnel0
!
Tunnel destination selected by the FlexVPN client:
interface Tunnel0
 ip unnumbered Ethernet0/1
 tunnel source Ethernet0/0
 tunnel destination dynamic
 tunnel protection ipsec profile default
!
router eigrp 1
 network 192.168.1.1 0.0.0.0
Spoke Dynamic Tunnel Source/Destination
(Diagram: spoke with uplinks E0/0 and E0/1 reaching hubs 200.1.1.1 and 200.1.1.2; LANs 192.168.1.0/24 and 192.168.2.0/24)

crypto ikev2 keyring PEERS
 peer ALL
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco
!
crypto ikev2 profile PROF
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local PEERS
 dpd 30 2 on-demand
!
crypto ipsec profile default
 set ikev2-profile PROF
!
crypto ikev2 client flexvpn FLEXCLIENT
 peer 1 200.1.1.1 track 1
 peer 2 200.1.1.2
 peer reactivate
 source 1 Ethernet0/0 track 2
 source 2 Ethernet0/1 track 3
 client connect Tunnel0
!
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source dynamic
 tunnel destination dynamic
 tunnel protection ipsec profile default
!
Failure detection (track objects driven by IP SLA probes; track 3 is up only while track 2 is down):
track 1 ip sla 1
 delay down 10 up 10
track 2 ip sla 2
 delay down 10 up 10
track 3 list boolean and
 object 2 not
!
ip sla 1
 icmp-echo 200.1.1.1
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 209.1.2.2 source-interface Ethernet0/0
 frequency 5
ip sla schedule 2 life forever start-time now
!
interface Ethernet0/0
 ip address 209.1.2.1 255.255.255.0
interface Ethernet0/1
 ip address 209.1.3.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 209.1.2.2 track 2
ip route 0.0.0.0 0.0.0.0 209.1.3.2 track 3
FlexVPN Spoke to Spoke
FlexVPN Hub-Spoke, Spoke-Spoke
Uses sVTI/dVTI, NHRP and routing protocol
No NHRP registrations from spokes to hub
No GRE multipoint interface
Routing Protocol
Routing protocol run over FlexVPN hub-spoke tunnels
Allows spokes to learn networks behind other spokes
NHRP
Resolves spoke overlay addresses to transport addresses
IPSec Virtual-Access Interface (VA)
IPSec VA created on either side, per spoke tunnel
FlexVPN Hub and Spoke IKE Route Exchange
Topology: Hub 1 (physical 172.16.0.1, tunnel 10.0.0.254, 192.168.100.0/24 .1) and Hub 2 (physical 172.16.0.2, tunnel 10.0.0.253, 192.168.100.0/24 .2) joined by Tunnel 100; Spoke 1 (physical 172.16.1.1, tunnel 10.0.0.1, LAN 192.168.1.0/24) terminates on Hub 1 and Spoke 2 (physical 172.16.2.1, tunnel 10.0.0.2, LAN 192.168.2.0/24) on Hub 2.

Hub 1 routing table               Hub 2 routing table
C 10.0.0.254 Loopback0            C 10.0.0.253 Loopback0
C 192.168.100.0/24 Eth0           C 192.168.100.0/24 Eth0
S 192.168.0.0/16 Tunnel100        S 192.168.0.0/16 Tunnel100
S 10.0.0.0/8 Tunnel100            S 10.0.0.0/8 Tunnel100
S 10.0.0.1 V-Access1              S 10.0.0.2 V-Access1
S 192.168.1.0/24 V-Access1        S 192.168.2.0/24 V-Access1

Spoke 1 routing table             Spoke 2 routing table
C 192.168.1.0/24 Eth0             C 192.168.2.0/24 Eth0
C 10.0.0.1 Tunnel0                C 10.0.0.2 Tunnel1
S 0.0.0.0/0 Dialer0               S 0.0.0.0/0 Dialer0
S 10.0.0.254/32 Tunnel0           S 10.0.0.253/32 Tunnel1
S 192.168.0.0/16 Tunnel0          S 192.168.0.0/16 Tunnel1

Spoke 1 NHRP table: (empty)       Spoke 2 NHRP table: (empty)
FlexVPN Mesh Indirection
Same topology as the IKE Route Exchange slide (Hub 1 10.0.0.254/172.16.0.1 and Hub 2 10.0.0.253/172.16.0.2 over Tunnel 100; Spoke 1 10.0.0.1/172.16.1.1 with 192.168.1.0/24; Spoke 2 10.0.0.2/172.16.2.1 with 192.168.2.0/24). Hub and spoke routing tables are unchanged from that slide and both spoke NHRP tables are still empty: spoke-to-spoke traffic follows the 192.168.0.0/16 summary route through the hubs.
FlexVPN Mesh Resolution
Same topology and hub routing tables as the IKE Route Exchange slide. Spoke 1 sends an NHRP Resolution request for 192.168.2.2 via the hubs; Spoke 2 answers with a Resolution Reply for 192.168.2.0/24 over the direct spoke-to-spoke tunnel.

Spoke 1 NHRP table                Spoke 2 NHRP table
10.0.0.2/32 172.16.2.1            10.0.0.1 172.16.1.1
192.168.2.0/24 172.16.2.1

Spoke 1 routing table             Spoke 2 routing table
C 192.168.1.0/24 Eth0             C 192.168.2.0/24 Eth0
C 10.0.0.1 Tunnel0                C 10.0.0.2 Tunnel1
S 0.0.0.0/0 Dialer0               S 0.0.0.0/0 Dialer0
S 10.0.0.254/32 Tunnel0           S 10.0.0.253/32 Tunnel1
S 192.168.0.0/16 Tunnel0          S 192.168.0.0/16 Tunnel1
H/S 10.0.0.2/32 V-Access1         H/S 10.0.0.1/32 V-Access1
H/S 192.168.2.0/24 V-Access1
FlexVPN Mesh Shortcut Forwarding
Routing and NHRP tables are as on the Mesh Resolution slide: Spoke 1 holds NHRP entries 10.0.0.2/32 and 192.168.2.0/24 -> 172.16.2.1 plus H/S routes for 10.0.0.2/32 and 192.168.2.0/24 via V-Access1; Spoke 2 holds 10.0.0.1 -> 172.16.1.1 and an H/S route for 10.0.0.1/32 via V-Access1. The more specific H/S 192.168.2.0/24 route now wins over the 192.168.0.0/16 summary, so Spoke 1 forwards to 192.168.2.0/24 directly over the spoke-to-spoke tunnel instead of through the hubs.
FlexVPN Spoke to Spoke Protocol Flow
Hub-Spoke tunnels
1. Spokes connect to the hub; an IPSec-VA is created on the hub for each spoke
2. The IPSec-VAs for all spokes share an NHRP network id
3. The hub learns spoke networks via the routing protocol over the hub-spoke tunnels
4. The hub advertises a summarized route (via hub) to all spokes

NHRP redirect
1. Spoke-to-spoke traffic is forwarded to the hub
2. The hub detects that the ingress and egress interfaces (IPSec-VAs) share an NHRP network id
3. The hub sends an NHRP traffic redirect indication to the source spoke carrying the destination spoke's overlay address

FlexVPN Spoke to Spoke Protocol Flow
NHRP Resolution
1. The spoke receiving the redirect initiates an NHRP resolution via the hub to resolve the destination spoke
2. The hub forwards the resolution request to the destination spoke
3. The destination spoke receives the resolution request and creates a VA and crypto tunnel to the source spoke
4. The destination spoke sends the resolution reply over the direct spoke-spoke tunnel
5. The destination spoke adds an NHRP cache entry for the source spoke

NHRP Shortcut
1. The source spoke receives the NHRP resolution reply
2. The source spoke adds an NHRP cache entry and a shortcut route for the destination spoke
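The redirect, resolution and shortcut phases above as a small Python model, added here as an example (it is not Cisco code and does not run on IOS). It uses a single hub (10.0.0.254 at 172.16.0.1) with Spoke 1 (10.0.0.1 at 172.16.1.1, LAN 192.168.1.0/24) and Spoke 2 (10.0.0.2 at 172.16.2.1, LAN 192.168.2.0/24) as on the slides; the interface names, the hub's neighbor map and the route-tuple layout are assumptions of the model.

```python
import ipaddress

class Router:  # routing table, NHRP cache and per-interface NHRP network-id of one device
    def __init__(self, name, physical, overlay, lan=None):
        self.name, self.physical, self.overlay, self.lan = name, physical, overlay, lan
        self.routes = []     # (prefix, interface, next-hop overlay, code); longest prefix wins
        self.nhrp = {}       # overlay address or prefix -> transport (NBMA) address
        self.netid = {}      # interface -> value of 'ip nhrp network-id'
        self.neighbors = {}  # interface -> Router reached over it (hypothetical helper map)
        self.va_count = 0

    def add_route(self, prefix, iface, nexthop=None, code="S"):
        self.routes.append((ipaddress.ip_network(prefix), iface, nexthop, code))

    def lookup(self, dst):
        d = ipaddress.ip_address(dst)
        return max((r for r in self.routes if d in r[0]), key=lambda r: r[0].prefixlen, default=None)

    def new_va(self):  # spawn a Virtual-Access interface from the virtual-template
        self.va_count += 1
        return f"V-Access{self.va_count}"

def build_topology():
    """Constructed state after the hub-spoke routing exchange (single hub, two spokes)."""
    hub = Router("Hub", "172.16.0.1", "10.0.0.254")
    s1 = Router("Spoke1", "172.16.1.1", "10.0.0.1", "192.168.1.0/24")
    s2 = Router("Spoke2", "172.16.2.1", "10.0.0.2", "192.168.2.0/24")
    for va, spoke in (("V-Access1", s1), ("V-Access2", s2)):
        hub.add_route(spoke.overlay + "/32", va, spoke.overlay)
        hub.add_route(spoke.lan, va, spoke.overlay)   # learned over the hub-spoke tunnel
        hub.netid[va] = 1                              # all spoke VAs share network-id 1
        hub.neighbors[va] = spoke
    hub.add_route("192.168.100.0/24", "Eth0", code="C")   # hub LAN: no NHRP network-id
    for spoke in (s1, s2):
        spoke.add_route(spoke.lan, "Eth0", code="C")
        spoke.add_route("0.0.0.0/0", "Dialer0")
        spoke.add_route("10.0.0.254/32", "Tunnel0", "10.0.0.254")
        spoke.add_route("192.168.0.0/16", "Tunnel0", "10.0.0.254")   # hub's summary route
        spoke.netid["Tunnel0"] = 1
    return hub, s1, s2

def hub_forward(hub, ingress, dst):
    """NHRP redirect step: returns (egress interface, redirect target overlay or None)."""
    _, egress, nexthop, _ = hub.lookup(dst)
    nid = hub.netid.get(ingress)
    if nid is not None and nid == hub.netid.get(egress):   # 'ip nhrp redirect' condition
        return egress, nexthop   # traffic indication goes back to the source spoke
    return egress, None

def resolve(src, hub, dst):
    """NHRP resolution and shortcut steps for destination address dst; returns src's new VA."""
    dst_spoke = hub.neighbors[hub.lookup(dst)[1]]   # hub forwards the request to that spoke
    va_dst = dst_spoke.new_va()                     # VA + crypto tunnel toward the source spoke
    dst_spoke.nhrp[src.overlay] = src.physical
    dst_spoke.add_route(src.overlay + "/32", va_dst, src.overlay, code="H/S")
    # resolution reply (overlay, transport, LAN prefix) arrives over the direct tunnel
    overlay, transport, prefix = dst_spoke.overlay, dst_spoke.physical, dst_spoke.lan
    va_src = src.new_va()
    src.nhrp[overlay + "/32"] = transport
    src.nhrp[prefix] = transport
    src.add_route(overlay + "/32", va_src, overlay, code="H/S")
    src.add_route(prefix, va_src, overlay, code="H/S")   # shortcut route; /24 beats the /16
    return va_src
```

Traffic from the hub's own LAN (ingress Eth0, no network-id) is forwarded without a redirect, which is why only spoke-to-spoke flows trigger the resolution.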

FlexVPN Spoke to Spoke Network Diagram
(Hub LAN 172.16.0.0/24 (.1, .254), hub reachable at 200.1.1.2 and terminating spokes on Virtual-Access interfaces; spoke with LAN 172.16.2.0/24 using a static Tunnel interface toward the hub and Virtual-Access interfaces for spoke-to-spoke tunnels)
FlexVPN Spoke to Spoke Hub configuration
(Diagram: hub LAN 172.16.0.0/24 (.1, .254), hub at 200.1.1.2; spoke LAN 172.16.2.0/24)

Wildcard PSK keyring:
crypto ikev2 keyring SPOKES
 peer ALL
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco123
!
IKEv2 profile referencing the Virtual-Template (creates Virtual-Access interfaces from it):
crypto ikev2 profile default
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local SPOKES
 virtual-template 1
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/1
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel protection ipsec profile default
!
Routing via EIGRP (summary advertised to the spokes through a static route to Null0):
router eigrp 100
 distribute-list EIGRP_SUMMARY out Virtual-Template1
 network 172.16.0.1 0.0.0.0
 redistribute static metric 1500 10 10 1 1500
!
ip route 172.16.0.0 255.255.0.0 Null0
!
ip access-list standard EIGRP_SUMMARY
 permit 172.16.0.0 0.0.255.255
FlexVPN Spoke to Spoke Spoke configuration
(Diagram: hub LAN 172.16.0.0/24 (.1, .254), hub at 200.1.1.2; spoke LAN 172.16.2.0/24)

crypto ikev2 keyring SPOKES
 peer ALL
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco123
!
crypto ikev2 profile default
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local SPOKES
 virtual-template 1
!
Tunnel0 is used for hub-spoke communication (shortcut switching via the Virtual-Template):
interface Tunnel0
 ip unnumbered FastEthernet0/1
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp shortcut virtual-template 1
 tunnel source FastEthernet0/0
 tunnel destination 200.1.1.2
 tunnel protection ipsec profile default
!
The Virtual-Template is used for spoke-spoke communication:
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/1
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp shortcut virtual-template 1
 tunnel protection ipsec profile default
!
EIGRP with passive interfaces by default, to prevent EIGRP neighbors on the Virtual-Access interfaces:
router eigrp 100
 network 172.16.2.1 0.0.0.0
 passive-interface default
 no passive-interface Tunnel0
 no passive-interface Ethernet0/1
Summary Route Advertisement
Redistributing a static route pointing to Null0 (preferred option). This option gives control over the summary and its redistribution without touching the hub's Virtual-Template configuration.

ip route 172.16.0.0 255.255.0.0 Null0
!
ip access-list standard EIGRP_SUMMARY
 permit 172.16.0.0 0.0.255.255
!
router eigrp 100
 distribute-list EIGRP_SUMMARY out Virtual-Template1
 redistribute static metric 1500 10 10 1 1500

DMVPN-style summary address on the Virtual-Template. This configuration is not recommended because of the internal processing and replication of that summary to each Virtual-Access interface. It is shown here for reference:

interface Virtual-Template1 type tunnel
 ip summary-address eigrp 100 172.16.0.0 255.255.0.0
MPLS VPN over Flex
Objective: end-to-end VRF separation
(Diagram: two hubs, 172.16.1.254 and 172.16.1.253, on a shared 192.168.100.0/24 segment; each site carries the per-VRF customer networks 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24)
MPLS VPN over Flex: Going LDP Free
(Same diagram as the previous slide: hubs 172.16.1.254 and 172.16.1.253, customer networks 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24)
Hub private interface(s) in inside VRF or MPLS
Virtual-Access in GRT, run MPLS
Tunnels create back-to-back links
LDP not needed!
Spoke tunnels run MPLS
Private interfaces in VRFs
FlexVPN HW Client Redundancy Configurations

Backup Gateway (spoke with tunnels to several hubs)
 IP SLA/track failure detection
 Multiple peer definition under client block
 Dynamic tunnel destination

IKEv2 Load Balancer (hub cluster behind an HSRP VIP)
 HSRP for clustering
 IKEv2 Redirect based on Least Loaded Gateway

Tunnel Pivot (spoke with ISP1 and ISP2 uplinks to the hub)
 IP SLA/track failure detection
 Multiple tunnel source definition under client block
 Dynamic tunnel source
FlexVPN Backup Peers (1)
(Diagram: spoke with hubs 172.16.0.1 and 172.16.0.2 on 192.168.100.0/24 (.1, .2))
Tunnels are set up to a primary Hub.

FlexVPN Backup Peers (2)
(Same diagram)
Hub 1 fails. New tunnels are set up to a backup Hub.
FlexVPN Backup Peers (3) Spoke Config.
Also works with a routing protocol.

aaa authorization network default local
!
crypto ikev2 profile default
 match certificate HUBMAP
 identity local fqdn Spoke1.cisco.com
 authentication remote rsa-sig
 authentication local pre-share
 keyring local
 pki trustpoint CA
 aaa authorization group cert list default default
 dpd 30 2 on-demand              (detect hub failure)
!
crypto ikev2 client flexvpn default
 client connect tunnel 0
 peer 1 172.16.1.254             (to primary hub)
 peer 2 172.16.1.253             (to secondary hub)
!
interface Tunnel0
 ip address negotiated
 tunnel source FastEthernet0/0
 tunnel destination dynamic      (destination managed by FlexVPN)
 tunnel protection ipsec profile default
!
crypto ikev2 authorization policy
 route set interface
 route set access-list 99

Powerful peer syntax:
 peer <n> <ip>
 peer <n> <ip> track <x>
 peer <n> <fqdn>
 peer <n> <fqdn> track <x>
Nth source selected only if the corresponding track object is up.

RADIUS backup list attribute: ipsec:ipsec-backup-gateway. Up to 10 backup gateways are pushed by config-exchange.
FlexVPN Downloadable Backup Peer List

Static Peer List (locally configured)
 Seq 10: Peer 1
 Seq 20: Peer 2
 Seq 30: Peer 3

Downloadable Peer List (received upon connection to Peer 2)
 Seq 10: Peer 2.1
 Seq 20: Peer 2.2

Peer 1 is selected initially (sequence number based)
If Peer 1 fails, Peer 2 is selected (sequence number based)
Upon connection to Peer 2, a downloadable peer list is received
Upon failure of Peer 2, Peer 2.1 and then 2.2 are selected (part of the downloadable peer list)
Downloadable list peers are used until the last downloadable list peer fails
Upon successful connection to the next peer in the static list, the downloadable list is deleted
FlexVPN Backup Re-activation of Primary Peer
Allows re-establishing the tunnel directly to the preferred peer as soon as it is available again. Trackers are required for this feature.
(Diagram: client with an IPsec tunnel to one of the hubs 10.0.0.1, 10.0.0.2 and 10.0.0.3; an ICMP-echo IP SLA probe per hub drives its tracker state (Up/Down))

track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
track 3 ip sla 3 reachability
!
crypto ikev2 client flexvpn remote1
 peer 1 10.0.0.1 track 1
 peer 2 10.0.0.2 track 2
 peer 3 10.0.0.3 track 3
 peer reactivate
 client connect Tunnel0
!
interface Tunnel0
 ip address negotiated
 tunnel destination dynamic
FlexVPN Backup Groups
Guarantees that a peer belonging to different peer lists in the same backup group is never active in more than one peer list at a given time.
(Diagram: client with Tu0 via Service Provider 1 and Tu1 via Service Provider 2 toward Hub 1 10.0.0.1, Hub 2 10.0.0.2 and Hub 3 10.0.0.3)

crypto ikev2 client flexvpn remote1
 peer 1 10.0.0.1
 peer 2 10.0.0.2
 peer 3 10.0.0.3
 backup group 1
 client connect Tunnel0
!
crypto ikev2 client flexvpn remote2
 peer 1 10.0.0.1        (10.0.0.1 cannot be used here, as it is already active in the remote1 peer list of the same group)
 peer 2 10.0.0.2
 peer 3 10.0.0.3
 backup group 1
 client connect Tunnel1
!
interface Tunnel0
 ip address negotiated
 tunnel destination dynamic
!
interface Tunnel1
 ip address negotiated
 tunnel destination dynamic
FlexVPN Tunnel Pivot
Use when different Service Providers are used to connect to the remote host.
(Diagram: client with GigE0/0 via Service Provider 1 and FastE2/0 via Service Provider 2 toward the hub; an ICMP-echo IP SLA probe drives the tracker state (Up/Down) that selects the IPsec tunnel source)

track 1 ip sla 1 reachability
!
crypto ikev2 client flexvpn remote1
 peer 1 10.0.0.1
 source 1 GigabitEthernet0/0 track 1
 source 2 FastEthernet2/0
 client connect tunnel 0
!
interface Tunnel0
 ip address negotiated
 tunnel source dynamic
 tunnel destination dynamic
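The peer and source selection rules from the Backup Peers, Downloadable Backup Peer List, Re-activation, Backup Groups and Tunnel Pivot slides, combined in one Python model added here as an example (not IOS code). Reachability and tracker state are passed in as constructed sets and dicts, the pushed mapping stands in for the list delivered through the ipsec:ipsec-backup-gateway attribute, and the assumption that the static list resumes right after the peer that pushed the downloadable list is the model's, not the slides'.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Entry:         # 'peer <n> <ip|fqdn> [track <x>]' or 'source <n> <iface> [track <x>]'
    seq: int
    target: str
    track: Optional[int] = None

@dataclass
class FlexClient:    # one 'crypto ikev2 client flexvpn <name>' block
    name: str
    peers: list                       # static peer list (locally configured)
    sources: list = field(default_factory=list)
    backup_group: Optional[int] = None
    reactivate: bool = False
    downloaded: list = field(default_factory=list)   # list pushed by the hub via config-exchange
    downloaded_after: int = 0         # static seq of the peer that pushed it (assumed resume point)
    active: Optional[str] = None

def usable(entries, tracks, min_seq=0):
    """Entries in sequence order whose track object (if configured) is up."""
    return [e for e in sorted(entries, key=lambda e: e.seq)
            if e.seq > min_seq and (e.track is None or tracks.get(e.track, False))]

def busy_peers(client, others):
    """Peers already active in another client block of the same backup group."""
    return {c.active for c in others if c is not client and c.active is not None
            and c.backup_group is not None and c.backup_group == client.backup_group}

def select_peer(client, tracks, reachable, others=(), pushed=None):
    """Pick the peer to connect to. reachable: peers completing IKEv2 right now;
    pushed: {peer: backup list} a hub returns on successful connection (constructed input)."""
    excluded = busy_peers(client, others)
    for e in usable(client.downloaded, tracks):      # downloaded peers first, until the last fails
        if e.target in reachable and e.target not in excluded:
            client.active = e.target
            return e.target
    for e in usable(client.peers, tracks, client.downloaded_after):   # then the static list
        if e.target in reachable and e.target not in excluded:
            client.downloaded, client.downloaded_after = [], 0       # static peer up: drop list
            if pushed and e.target in pushed:
                client.downloaded, client.downloaded_after = pushed[e.target], e.seq
            client.active = e.target
            return e.target
    client.active = None
    return None

def reactivate_peer(client, tracks, reachable):
    """'peer reactivate': return to the lowest-sequence tracked static peer once its tracker is up."""
    if not client.reactivate or client.downloaded:
        return client.active
    for e in usable(client.peers, tracks):
        if e.track is not None and e.target in reachable:
            client.active = e.target
            return e.target
    return client.active

def select_source(client, tracks):
    """Tunnel pivot: the first 'source <n>' whose track is up becomes the tunnel source."""
    best = usable(client.sources, tracks)
    return best[0].target if best else None
```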

FlexVPN
Advantages
 Leverages IKEv2 protocol
 Large scale hub-spoke with dynamic spoke-to-spoke
 VPN concentrator for remote access
 Can be deployed either on public or private networks
 Centralized policy management with AAA
 Failover (dynamic and IKEv2 based routing)
 Multicast
 Per-tunnel QoS at hub
 3rd party compatible
Disadvantages
 Not backward compatible with IKEv1
 Currently supported only on ISR-G2s, ASR1k, CSR-1000v, ISR-NG (4000 series)
VPN Selection Criteria for Key Solutions

Key Solutions  | DMVPN (mGRE, p-p GRE) | GETVPN (Tunnel-less) | SSLVPN (TLS) | Easy VPN (IPsec tunnels, IKEv1) | FlexVPN (dVTI, IKEv2) | IPsec VPN (CM, VTI, p-p GRE)
IOT            | Yes | Yes | Yes | No  | Yes | No
IWAN           | Yes | N/A | N/A | N/A | N/A | N/A
DCI            | N/A | Yes | N/A | N/A | N/A | No
MPLS-o-mGRE    | N/A | Yes | N/A | N/A | N/A | No
MPLS-o-DMVPN   | Yes | N/A | N/A | N/A | N/A | N/A
Yes = Supported and Recommended; No = Supported but Not Recommended

IWAN-based deployments must use DMVPN
IOT deployments can use any of DMVPN, GETVPN, SSLVPN or FlexVPN
Summary
Features (columns: Standard IPsec, GRE over IPsec, Easy VPN/DVTI, SVTI, DMVPN, GETVPN, FlexVPN; an x marks support)
3rd Party Compatibility: x x x x x
AAA attributes support: x x x
Dynamically addressed spoke: x x x x x
Dynamic Routing: x x x x x x
Dynamic Spoke to Spoke tunnel: x x x
IKEv2: x x x
Public Transport: x x x x x x
IPv6: x x x x x x
IP Multicast: x x x x x x
NAT: x x x x x x
Inline tagging (IKEv2): x x x x x x
QoS: x x x x x x x
VRF: x x x x x x x
IWAN: x
IoT: x
DCI: x
Complete Your Online Session Evaluation
Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.
Complete your session surveys through the Cisco Live mobile app or from the Session Catalog on CiscoLive.com/us.

Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Continue Your Education
Demos in the Cisco campus
Walk-in Self-Paced Labs
Lunch & Learn
Meet the Engineer 1:1 meetings
Related sessions

Thank you
