
Marcin Latosiewicz
Cisco Employee


What is Flex VPN?

A technology taking quite a bit of my time these days is Flex VPN (or flex as we refer to it).

Flex VPN is a new framework for configuring IPsec VPNs with IKE version 2 (IKEv2) on IOS platforms.

The word framework is deliberate: you will notice that much of the configuration is the same or familiar, but multiple capabilities have been brought together in one configuration block.

Why develop Flex?

Flex combines multiple frameworks (crypto maps, EZVPN, DMVPN) into a single, comprehensible set of CLI and binds it together with something that offers more flexibility and a means to extend functionality in the future.

Quite frankly, we learned a lot from our customers deploying crypto maps, DMVPN and VTIs; it was time to consolidate this knowledge and extend what we can do to better fit today's world.

Benefits of Flex

FlexVPN is an old friend with new clothes and a new heart. It still lets you do all the cool things, but in a better way.

  • You can run Flex alongside all your previous IPsec VPNs. Most scenarios allow coexistence of the previous configuration and Flex.
  • Based on IKEv2 rather than IKEv1, which improves almost all aspects of negotiation and protocol stability.
  • Uses GRE over IPsec or VTI as encapsulation. GRE allows you to run almost anything over it; IPsec provides security for the payload.
  • Supports IPv6 and IPv4 for both the transport and the overlay protocol.
  • Multiple functionalities achievable with one framework.
  • Utilizes virtual interfaces, allowing per-spoke features like firewall, QoS, ACLs, etc.
  • Remote access server and client (software and hardware), similar to EZVPN.
  • Dynamic spoke-to-spoke tunnels, familiar to everyone who knows DMVPN.
  • Ease of configuration through sane defaults: you no longer need to define policies, transform sets etc.; IKEv2 has built-in defaults that make sense and will be kept up to date.

What works with Flex?


Since Flex is based on IKEv2, there is currently a restriction on which platforms support it:

- 2nd generation ISRs (19xx, 29xx, 39xx platforms). Remember to check for the sec-k9 or hsec-k9 license!

- ASR 1000.

Note: 7200p images might have IKEv2 and its CLI present, but at the time of writing we do not support Flex on the 7200/7200p.

On the software client side:

  • AnyConnect 3.0 using IKEv2/IPsec.
  • Windows 7's built-in IKEv2-based IPsec client.

What platforms will work with Flex in the future?

Since Flex is based on GRE over IPsec or VTI, bound together with IKEv2, devices from other vendors should be able to connect.

At the time of writing, ASA support for Flex is not yet implemented.

Where can I learn more?


More about IKEv2

How to configure Flex VPN on ISRs

Configuration guide for Flex on ASR 1k:


Over the coming weeks we will publish documents on supportforums showing different ways to deploy this functionality.

Comments? Feedback? Questions?

Feel free to ask in the comments section of this post.


Good read.

What are the redundancy options for FlexVPN Server?

If stateless redundancy is acceptable, can we just use HSRP as the address the AnyConnect clients point to?

Marcin Latosiewicz
Cisco Employee


AFAIR, Tunnel protection still only allows stateful HA cluster.

That being said, IKEv2 has a built-in redirection feature, and we have an IOS IKEv2 clustering solution for Flex that should be made available in the coming weeks, which will allow redundancy.

Obviously I can't give you too many details or (unfortunately) when it's going to be exactly available, but you can get that info through your SE.



Frederic Detienne
Cisco Employee

Hi Dan,

Yes, you can point the clients to the HSRP address as you proposed.

Best regards,


Frederic Detienne
Cisco Employee

Hi Dan,

I forgot to answer the first part of your question.

Flex supports a variety of backup options depending on the client (IOS or AnyConnect).

For IOS branch routers:

  . Dual active tunnels

  . Tunnel pivot

  . Multiple peer + backup list

With AnyConnect or IOS branch routers:

  . HSRP (stateless failover)

  . DNS-based hub resolution (allowing inter-geographical load balancing and backup)

As Marcin stated, an IKEv2-based load balancer that doubles as an N+1 backup strategy will be available in 3.8 (Nov release) on ASR and 15.3M (July release) on ISR G2. As usual with future features, it is better to monitor the status through your account team to verify the item is on track.

Best regards,



Hi Fred,

Thanks for the answers.

Regarding HSRP, as I understand it, FlexVPN will respond to requests coming to the HSRP virtual IP address, and all further communications with the remote access client, such as DPD/rekeying etc., will use that HSRP address as the source address. Am I correct?

What will happen if the router stops being the active HSRP? Will it drop all its FlexVPN connections? I hope so... For regular VPN, the one with crypto maps, we have the redundancy keyword when applying a crypto map to an interface. I can't find anything similar with FlexVPN which ties it to the HSRP status of an interface.



Frederic Detienne
Cisco Employee

Hi Dan,

sorry for the late reply; I am traveling and my agenda is quite busy (and messy).

You are correct: the HSRP active server will take all requests. There is nothing special to configure (no specific CLI).

Here is what happens:

Assume two servers A & B. Initially A is active, B is standby. All the clients are connected on the active A.

A goes down (standby or shut down or reboot or physical interface down...). B becomes the active server.

If A reboots or hangs or crashes, the SAs are lost and that's easy. If A simply loses its connectivity to the WAN, the virtual-access interfaces will go into the up/down state (i.e. line protocol down). They will come back up if the HSRP state swings back; otherwise, they just "hang" there. They will possibly be deleted because of DPD, the idle timer or simply lifetime expiration. So regardless of what happens, the SAs do not interfere anymore.

The clients then discover that the VIP (which is now B) does not own the SAs, thanks to the liveness check, and rebuild the SAs with B.

The liveness check takes the longest time in this process (28s). We are working on a mechanism to make this faster (almost immediate), but the feature is not committed.

To be honest, I strongly recommend active-active tunnels (i.e. both hubs active, each spoke dual-homed) instead of HSRP, because the mechanism is more straightforward (tunnels are always up and can be monitored, so no bad surprise at failover time). The only advantage of HSRP is that it consumes a single public IP address instead of two, but if you can spend an IP address wisely, I would say it is better spent on having active-active instead.

best regards,
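The framework described in the original post (IKEv2 smart defaults, a Virtual-Template on the hub that spawns one virtual-access interface per spoke, tunnel protection on a VTI) and the active-active, dual-homed spoke design Frederic recommends above, shown together in one IOS configuration. This is an added example, not configuration from the post, from Cisco documentation or from any participant in the thread; the hub WAN addresses 198.51.100.1 and 198.51.100.2, the loopback and overlay addressing, the interface names, the DPD timers and the pre-shared key are placeholders chosen for illustration.

```ios
! ---------------------------------------------------------------
! HUB (configure identically on hub A and hub B; only the WAN
! address on GigabitEthernet0/0 and the Loopback0 address differ).
! No HSRP: both hubs are active and every spoke keeps a tunnel to
! each of them.
! ---------------------------------------------------------------
! Smart defaults: the IKEv2 proposal and policy, the IPsec transform
! set and the IPsec profile named "default" exist without being
! configured, so only a keyring and an IKEv2 profile are needed.
crypto ikev2 keyring FLEX-KEYS
 peer SPOKES
  address 0.0.0.0 0.0.0.0
  ! placeholder, not a real key
  pre-shared-key REPLACE-WITH-REAL-PSK
!
crypto ikev2 profile FLEX-HUB
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring local FLEX-KEYS
 ! liveness check: 10 s interval, 2 s retry, only when traffic is pending
 dpd 10 2 on-demand
 ! each authenticated spoke gets its own virtual-access interface
 virtual-template 1
!
crypto ipsec profile default
 set ikev2-profile FLEX-HUB
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 ! VTI encapsulation; "tunnel mode gre ip" would select GRE over IPsec
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default

! ---------------------------------------------------------------
! SPOKE: two always-up tunnels, one to each hub ("dual active
! tunnels"). Loss of a hub is detected by periodic DPD, which brings
! that tunnel's line protocol down and lets the floating static route
! via the other hub take over.
! ---------------------------------------------------------------
crypto ikev2 keyring FLEX-KEYS
 peer HUBS
  address 0.0.0.0 0.0.0.0
  ! placeholder, not a real key
  pre-shared-key REPLACE-WITH-REAL-PSK
!
crypto ikev2 profile FLEX-SPOKE
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring local FLEX-KEYS
 ! periodic so the spoke notices a dead hub even with no user traffic
 dpd 10 2 periodic
!
crypto ipsec profile default
 set ikev2-profile FLEX-SPOKE
!
interface Loopback0
 ip address 10.255.1.1 255.255.255.255
!
interface Tunnel0
 description Active tunnel to hub A
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default
!
interface Tunnel1
 description Active tunnel to hub B
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default
!
! Prefer hub A for the central prefix (constructed 10.0.0.0/8); the
! floating route via hub B (distance 10) is installed only while
! Tunnel0 is down.
ip route 10.0.0.0 255.0.0.0 Tunnel0
ip route 10.0.0.0 255.0.0.0 Tunnel1 10
```

Both tunnels stay up in steady state, so on the spoke `show crypto ikev2 sa` and `show interfaces Tunnel1` expose the health of the second path before a failure rather than at failover time. Hub-side routes back toward each spoke's LAN (via an IGP over the virtual-access interfaces, or IKEv2 routing with `route set` in an authorization policy) are deliberately left out of the example.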



Hi - we are trying to get FlexVPN on ASR1k working to a remote site which is hidden behind a NAT, using GRE as the tunnel encapsulation: this doesn't work.

If we keep the same config but change the tunnel type to 'tunnel mode ipsec ipv4', it works fine.

Using GRE tunnel encapsulation to a CPE IP which is not hidden behind a NAT also works.

Does anyone know if there is a known limitation on doing FlexVPN using GRE tunnel encapsulation to a CPE which sits behind a NAT?

We want to use GRE as it's the only way we've been able to get v6 and v4 attributes applied by RADIUS; we found this didn't work with 'tunnel mode ipsec ipv4' as the tunnel encapsulation.

All help gratefully received!


Marcin Latosiewicz
Cisco Employee


This is what you're looking for I think:

If not, open up a TAC case; basic NAT traversal works OK in all scenarios I've tested.



Thanks Marcin - we are only trying to make 1 tunnel behind a NAT work, not 2 as in the bug description... Did you test FlexVPN with a GRE tunnel for just one CPE behind a NAT?

Marcin Latosiewicz
Cisco Employee

I've done tests for both GRE and VTI behind NAT, also with multiple peers (to reproduce the bug). Granted that not all my tests were done with ASR1k - I'm not a testing engineer ;-)

We've seen problems with NAT-T, but quite early on.

Open up a TAC case; we'd need to look into the config and most likely QFP drops.

You can also check parts of QFP yourself (shameless plug):

Also, when opening the TAC case, it would help to know what doesn't work - is it establishing the tunnel or passing data?


We did open a case yesterday but haven't heard back yet, hence I posted on here just to see if it's a known problem; I'll get some debugs and follow your very handy-looking doc.

Many thanks!

Calin C.


This article mentions the Cisco 7200 as a hardware platform, in contradiction with the following link:

Did anybody test the FlexVPN solution on the 7200 series? I have some lying around and I would like to set up a test environment if it's really supported.



Cisco Employee

Hi, Calin:

The data sheet is correct - FlexVPN is not supported on the 7200 platform. We'll try to get this corrected.



Dennis Leon



I see that this is supported on 2nd generation ISRs (19xx, 29xx, 39xx platforms).

But it does not say anything about the little ISR routers, the 800 series. Do these little ISRs support FlexVPN?




Hello Marcin Latosiewicz,

Can I configure Flex VPN on a 5510 ASA with a Security+ license (IKEv1), or on an 1841 router?

Is there any need for a special license?
