Tag: vpn

Cisco FlexVPN

Cisco’s FlexVPN is a framework for configuring IPsec VPNs on newer Cisco IOS devices; it was created to simplify the deployment of VPN solutions and uses a common configuration template for all VPN types. FlexVPN is based on IKEv2 and does not support IKEv1. IKEv2 is a spoke and hub VPN technology. Example: R1 is the HUB, R2 & R3 are the spokes. We’ll use EIGRP as the routing protocol. Starting with the HUB, R1: !ipsec transform set crypto ipsec…

Cisco Group Encrypted Transport VPN (GETVPN)

GETVPN is Cisco’s implementation of the GDOI standard (Group Domain of Interpretation). GDOI was originally created to allow a less cumbersome way to encrypt multicast traffic, as an alternative to GRE over IPsec tunnels. These days, GETVPN is used for private networks like MPLS, where you use a single Security Association for all routers in a group. It gets around traditional IPsec’s scaling issue (IPsec being point to point) by issuing a single IPsec SA for all routers in the group…

Certificate Based Site to Site VPN

Site to Site VPN tunnels can be authenticated using digital certificates instead of pre-shared keys. With certificates, each peer gets a certificate from a centralized CA (certificate authority). When peers want to use IPsec, they exchange the certificates to authenticate. The biggest advantage of certificate based VPNs is that they are easier to scale up. Let’s say you have a home office and 3 branch offices connected via site to site VPNs, and these VPNs are protected using…

Cisco Site to Site GRE VPN Tunnel with EIGRP

What is a GRE tunnel? Generic Routing Encapsulation (GRE) is a tunneling protocol that lets you run a routing protocol between endpoints. This example will create a GRE tunnel between two routers and will run EIGRP between the two.

Topology Summary:
  192.168.13.0/24 will be the Tunnel Network IP block
  Router-1: lo0 10.1.1.0/24, e0/0 192.1.12.2
  Router-2: lo0 10.2.2.0/24, e0/0 192.1.23.2

Router-1:
  interface tunnel1
   ip address 192.168.13.1 255.255.255.0
   tunnel source 192.1.12.1
   tunnel destination 192.1.23.3
  router eigrp 100
   no auto-summ
   net 192.168.13.0
   net…

Cisco IOS Site to Site VPN

Five steps to configuring an IPsec Site to Site VPN!
  1. Configure Phase I – ISAKMP Parameters
  2. Configure Phase II – ESP Parameters
  3. Configure the interesting traffic ACL
  4. Link the above parameters to each other using a Crypto Map
  5. Apply the Crypto Map to the outbound interface

Notes: Items below between < > are meant to be replaced with a value

Phase 1 parameters:
  pre shared key: cisco123
  Peer IP: 192.1.23.3
  Phase 1 encryption: 3des
  Phase 1 hash: md5
  Phase 1…
