Cisco FlexVPN

Cisco's FlexVPN is a framework for configuring IPsec VPNs on newer Cisco IOS devices. It was created to simplify VPN deployment and uses one common configuration template for all VPN types. FlexVPN is based on IKEv2 and does not support IKEv1.

The example below is a hub-and-spoke IKEv2 VPN.

Example: R1 is the hub, R2 and R3 are the spokes. EIGRP is used as the routing protocol.

Starting with the HUB, R1:

!ipsec transform set (3DES and SHA-1 are legacy choices; esp-aes and esp-sha256-hmac are preferred where the platform supports them)
crypto ipsec transform-set IKEv2 esp-3des esp-sha-hmac
mode transport
!
!IKEv2 keyring for R2 (pre-shared key for peer R2 at its public address)
crypto ikev2 keyring Flex_key_R2
peer R2
address 7.7.7.7
pre-shared-key cisco
!
!IKEv2 keyring for R3
crypto ikev2 keyring Flex_key_R3
peer R3
address 7.7.7.8
pre-shared-key cisco
!
!IKEv2 profile for R2: match the spoke's identity and use the keyring above
crypto ikev2 profile Flex_IKEv2_R2
match identity remote address 7.7.7.7 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local Flex_key_R2
!
!IKEv2 profile for R3
crypto ikev2 profile Flex_IKEv2_R3
match identity remote address 7.7.7.8 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local Flex_key_R3
!
!IPsec profile for R2: bind the transform set and the IKEv2 profile
crypto ipsec profile R2
set transform-set IKEv2
set ikev2-profile Flex_IKEv2_R2
!
!IPsec profile for R3
crypto ipsec profile R3
set transform-set IKEv2
set ikev2-profile Flex_IKEv2_R3
!
!tunnel interface to R2, protected by the IPsec profile above
interface Tunnel22
description Tunnel_to_R2
ip address (interface IP and subnet mask)
tunnel source g2
tunnel destination 7.7.7.7
tunnel protection ipsec profile R2
!
!tunnel interface to R3
interface Tunnel23
description Tunnel_to_R3
ip address (interface IP and subnet mask)
tunnel source g3
tunnel destination 7.7.7.8
tunnel protection ipsec profile R3
!
!setup routing: one EIGRP process per spoke, matching the AS each spoke runs
router eigrp 22
network x.x.x.x 0.0.0.255
!
router eigrp 23
network x.x.x.x 0.0.0.255
!

Next up is the first Spoke, R2:

!
!ipsec transform set (must match the hub's)
crypto ipsec transform-set IKEv2 esp-3des esp-sha-hmac
mode transport
!
!IKEv2 keyring for this spoke (pre-shared key for the hub R1)
crypto ikev2 keyring Flex_key_R2
peer R1
address 7.7.7.1 255.255.255.255
pre-shared-key cisco
!
!IKEv2 profile for this spoke: match the hub's identity and use the keyring above
crypto ikev2 profile Flex_IKEv2_R2
match identity remote address 7.7.7.1 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local Flex_key_R2
!
!IPsec profile for this spoke: bind the transform set and the IKEv2 profile
crypto ipsec profile R2
set transform-set IKEv2
set ikev2-profile Flex_IKEv2_R2
!
!tunnel interface to the hub, protected by the IPsec profile above
interface Tunnel22
description Tunnel_to_R1
ip address (interface IP and subnet mask)
tunnel source g2
tunnel destination 7.7.7.1
tunnel protection ipsec profile R2
!
!setup routing for this spoke (same AS as the hub's process for R2)
router eigrp 22
network x.x.x.x 0.0.0.255
!

For R3, repeat the R2 configuration and change the IPs for that spoke (its EIGRP process must use AS 23 to match the hub's router eigrp 23).
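Most FlexVPN tunnels that never come up fail because one of these objects points at the wrong neighbour: the IKEv2 profile's match identity does not appear in its keyring, the IPsec profile names a profile or transform set that was never defined, or the tunnel destination differs from the peer the profile expects. The following script is an added example, not part of the post or of Cisco IOS: it parses a snippet in the flat style used above and cross-checks those references. The embedded config is a constructed hub-side sample for spoke R2; the object names and addresses are the post's.

```python
import re

# Constructed sample, not the post's own text: hub-side objects for spoke R2, with the transform set bound.
HUB_R2 = """
crypto ipsec transform-set IKEv2 esp-3des esp-sha-hmac
crypto ikev2 keyring Flex_key_R2
 address 7.7.7.7
crypto ikev2 profile Flex_IKEv2_R2
 match identity remote address 7.7.7.7 255.255.255.255
 keyring local Flex_key_R2
crypto ipsec profile R2
 set transform-set IKEv2
 set ikev2-profile Flex_IKEv2_R2
interface Tunnel22
 tunnel destination 7.7.7.7
 tunnel protection ipsec profile R2
"""
SECTION = re.compile(r"^(crypto ipsec transform-set|crypto ikev2 keyring|crypto ikev2 profile"
                     r"|crypto ipsec profile|interface) (\S+)")

def parse(text):
    # Group config lines under the section that opens them: {kind: {name: [lines]}}
    tree, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := SECTION.match(line):
            cur = tree.setdefault(m.group(1), {}).setdefault(m.group(2), [])
        elif cur is not None and line and not line.startswith("!"):
            cur.append(line)
    return tree

def arg(lines, prefix):
    # First word after `prefix` on the first line that starts with it, else None
    return next((l[len(prefix):].split()[0] for l in lines if l.startswith(prefix + " ")), None)

def check(text):
    """Return cross-reference problems between keyrings, profiles and tunnels; [] means all chain up."""
    t, findings = parse(text), []
    keyrings, profiles = t.get("crypto ikev2 keyring", {}), t.get("crypto ikev2 profile", {})
    ipsec, tsets = t.get("crypto ipsec profile", {}), t.get("crypto ipsec transform-set", {})
    for name, lines in profiles.items():          # IKEv2 profile -> keyring -> peer address must agree
        kr, ident = arg(lines, "keyring local"), arg(lines, "match identity remote address")
        if ident not in [arg([l], "address") for l in keyrings.get(kr, [])]:
            findings.append(f"ikev2 profile {name}: identity {ident} has no peer in keyring {kr}")
    for name, lines in ipsec.items():             # IPsec profile -> a defined transform set (else IOS default)
        if arg(lines, "set transform-set") not in tsets:
            findings.append(f"ipsec profile {name}: no defined transform-set bound (IOS default would apply)")
    for name, lines in t.get("interface", {}).items():   # tunnel -> IPsec profile -> IKEv2 profile -> peer
        prof = ipsec.get(arg(lines, "tunnel protection ipsec profile"), [])
        expected = arg(profiles.get(arg(prof, "set ikev2-profile"), []), "match identity remote address")
        if arg(lines, "tunnel destination") != expected:
            findings.append(f"interface {name}: tunnel destination differs from profile peer {expected}")
    return findings
```

Run `check()` over a show running-config extract for the hub and for each spoke; a missing `set transform-set`, as in the post's original profiles, is reported rather than silently falling back to the platform default.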
