A technology taking quite a bit of my time these days is Flex VPN (or flex as we refer to it).
Flex VPN is a new framework for configuring IPsec VPNs with IKE version 2 (IKEv2) on IOS platforms.
The word framework is intentional: you will notice that a lot of the configuration is still the same or familiar, but multiple capabilities have been brought together in one configuration block.
Why develop Flex?
Flex is a way to combine multiple frameworks (crypto maps, EzVPN, DMVPN) into a single, comprehensible set of CLI and bind it together with something that offers more flexibility and a means to extend functionality in the future.
Quite frankly, we learned a lot from our customers deploying crypto maps, DMVPN and VTIs; it was time to consolidate this knowledge and extend what we can do to better fit today's world.
Benefits of Flex
FlexVPN is an old friend with new clothes and a new heart. It still allows you to do all the cool things, but in a better way.
You can run Flex alongside all your previous IPsec VPNs. Most scenarios allow coexistence of the previous configuration and Flex.
- Based on IKEv2 and not IKEv1, which improves almost all aspects of negotiation and protocol stability.
- Uses GRE over IPsec or VTI as encapsulation. GRE allows you to run almost anything over it; IPsec provides security for the payload.
- Supports IPv6 and IPv4 for both the transport and the overlay protocol.
- Multiple functionalities achievable with one framework.
- Utilizes virtual interfaces, allowing per-spoke features like firewall, QoS, ACLs, etc.
- Remote access server and client (software and hardware), similar to EzVPN.
- Dynamic spoke-to-spoke tunnels, familiar to everyone who knows DMVPN.
- Ease of configuration by using sane defaults: no longer will you need to define policies, transform sets etc. IKEv2 has built-in defaults that make sense and will be updated.
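To show how few configuration blocks the framework needs when the IKEv2 smart defaults are left in place, here is an added example of a static VTI site-to-site tunnel between two IOS routers. It is not configuration from the original post; the router names (R1, R2), the documentation-range WAN addresses (198.51.100.1, 203.0.113.1), the tunnel addressing (10.0.0.0/30), the interface name and all object names are assumptions. The pre-shared key is a placeholder. Only the peer (R1) side is shown; R2 mirrors it with the addresses swapped.

```ios
! Assumed topology (constructed for this example):
!   R1 WAN 198.51.100.1 on GigabitEthernet0/0  <-->  R2 WAN 203.0.113.1
! No "crypto ikev2 proposal", "crypto ikev2 policy" or "crypto ipsec transform-set"
! is defined: the built-in "default" objects are used for all of them.

! Keyring: pre-shared key pinned to the one expected peer address.
crypto ikev2 keyring FLEX-KEYS
 peer R2
  address 203.0.113.1
  pre-shared-key <REPLACE-WITH-STRONG-PSK>
!
! IKEv2 profile: the only mandatory block; it binds identity matching,
! authentication method and the keyring together.
crypto ikev2 profile FLEX-PROFILE
 match identity remote address 203.0.113.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local FLEX-KEYS
!
! IPsec profile: no "set transform-set" line, so transform-set "default" applies.
crypto ipsec profile FLEX-IPSEC
 set ikev2-profile FLEX-PROFILE
!
! Static VTI: the virtual interface is where per-tunnel features (ACLs, QoS,
! zone-based firewall) would be attached.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
!
! Verification commands:
!   show crypto ikev2 proposal default   (view the built-in proposal)
!   show crypto ikev2 sa                 (IKE SA state)
!   show crypto ipsec sa                 (IPsec SA counters)
```

Two points worth checking when reviewing such a configuration: the `match identity remote address` line restricts which peer may use this profile, so a profile with a broad match (such as `0.0.0.0` in a hub-and-spoke design) should be paired with a stronger authentication method than a shared PSK; and because the `default` proposal and transform set are maintained by the software image, an image upgrade can change the negotiated algorithms, which is worth confirming with `show crypto ikev2 proposal default` after upgrades.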
What is working with Flex.
Since Flex is based on IKEv2, there is currently a restriction on which platforms support it:
- 2nd generation of ISRs (19xx,29xx,39xx platforms). Remember to check for sec-k9 or hsec-k9 license!
- ASR 1000.
Note: 7200p images might have IKEv2 and CLI present, but at the time of writing, we do not support Flex on 7200/7200p.
On the software client side:
Anyconnect 3.0 using IKEv2/IPsec.
Windows 7's built in IKEv2 based IPsec client.
What platforms will work with Flex in the future?
Since Flex is based on GRE over IPsec or VTI, bound together with IKEv2, other vendors should be able to connect.
At the time of writing, ASA support for Flex is not yet implemented.