07-10-2025 06:17 AM - edited 07-10-2025 06:27 AM
Understanding FlexVPNs
Introduction
FlexVPN Components
IKEv2 Keyring
IKEv2 Profile
IPSec Profile
Virtual Template
Tunnel Interface
Conclusion
Introduction
We already know IPsec VPNs, DMVPNs, and GETVPNs; however, all of these VPNs have shortfalls. For example, DMVPN and GETVPN are Cisco proprietary, and GETVPN can only be used on private networks. IPsec VPNs are a standard; however, IKEv1 can be cracked, and IKEv1 is also subject to denial-of-service attacks.
Cisco wanted to be more inclusive of other vendors, and this is where FlexVPN comes in. FlexVPN is a standards-based VPN developed by Cisco. Unlike DMVPN and GETVPN, FlexVPN supports connections from other vendors. In addition, FlexVPN is more resistant to denial-of-service attacks than classic IPsec VPNs. Possibly one of the best features of FlexVPN is that a single FlexVPN deployment can support both site-to-site and remote access VPNs at the same time from the same configuration. One of the major differences between classic IPsec VPNs and FlexVPN is that FlexVPN uses IKEv2 as standard. In fact, FlexVPN only supports IKEv2.
FlexVPNs, as the name suggests, are flexible. They can be configured as point-to-point VPNs very similar to IPsec VPNs, or they can be configured as a full-mesh VPN similar to what we have with GETVPN and DMVPN. Unlike DMVPN and GETVPN, FlexVPN does support connections from other vendors. But the main difference between any of these VPN types and FlexVPN is that FlexVPN uses IKE version 2 to negotiate tunnel parameters. It still uses IPsec for data encryption.
FlexVPN Components
There are multiple components that need to be configured in order for a FlexVPN to work. Here is the list of primary components for FlexVPN:
IKEv2 Keyring:
With IKE version 1, we use the command crypto isakmp key in order to add a preshared key to the VPN. With FlexVPN, we have to use an IKE version 2 keyring. So basically, a keyring is used to store identity credentials and to add preshared keys. Identity credentials are basically usernames or IP addresses; they could also be based on a domain name, an email address, or a key ID. IKE version 2 keyrings are actually quite flexible. You could use a single keyring with a single entry for all peers, or you could create multiple entries for multiple peers if you wanted to, which means each peer could have its own individual pre-shared key.
IKEv2 Profile:
IKE version 2 profiles are used to identify peers. Basically, IKE version 2 profiles hold what we call non-negotiable parameters. These parameters include the authentication methods, such as preshared key or public key infrastructure, and the local and remote identities. In addition, if you're going to be configuring virtual templates, then you need to specify the virtual template number in the IKE version 2 profile. IKEv2 profiles tell FlexVPN servers how to authenticate and how clients should authenticate to them. The profiles also tell endpoints which virtual template to use, and virtual templates are used to create virtual access interfaces. In addition, IKEv2 profiles must also contain an AnyConnect ID.
IPsec Profile:
Basically, an IPsec profile adds additional parameters to a transform set. These parameters include the security association lifetimes and the IKE version 2 profile. Under the IPsec profile, you attach the IKE version 2 profile and a transform set. If we don't specify a transform set, then the IPsec profile will use the defaults.
Virtual Template:
The virtual templates, or virtual tunnel interfaces, provide a base configuration for virtual access interfaces. This base configuration includes which IPsec profile to use, any MTU and MSS settings, which IP address to use as a next hop, and any other NHRP commands if necessary. Finally, we attach the IPsec profile.
Virtual access interfaces are created whenever a FlexVPN client builds a tunnel with a FlexVPN server. They are basically the tunnel termination interface, and they're created when hubs build tunnels with spokes. The virtual access interfaces are created automatically and destroyed when they're no longer needed.
Now typically, we would create a virtual template on the hub. And on the spokes, we would create tunnel interfaces. However, in a full mesh environment, we would also create virtual templates on the spokes for spoke‑to‑spoke communication.
Tunnel Interface:
The branch routers, also known as spokes, will also require the creation of virtual templates. However, before we can create them, we also need to create tunnel interfaces. The reason we need tunnel interfaces in addition to the virtual templates is that they allow the spokes to connect to the hub.
On the tunnel interface we assign the IP address, set the MTU and MSS, the tunnel source and the tunnel destination, and, if required, the NHRP network ID and NHRP shortcut commands depending on the deployment type (full mesh). Finally, we attach the IPsec profile.
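The following is an added example, not part of the original post, showing how the five components above reference each other on a hub and a spoke. Every name, address, interface and the pre-shared key is a constructed placeholder; Loopback0 and GigabitEthernet0/0 are assumed to already exist.

```cisco
! --- Hub: keyring stores the pre-shared key (one entry covering all peers here)
crypto ikev2 keyring FLEX-KEYRING
 peer ANY-SPOKE
  address 0.0.0.0 0.0.0.0
  pre-shared-key local EXAMPLE-PSK-CHANGE-ME
  pre-shared-key remote EXAMPLE-PSK-CHANGE-ME
!
! --- Hub: IKEv2 profile = identity match, auth methods, keyring, virtual template number
crypto ikev2 profile FLEX-PROFILE
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring local FLEX-KEYRING
 virtual-template 1
!
! --- Hub: transform set, then the IPsec profile that ties it to the IKEv2 profile
crypto ipsec transform-set FLEX-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile FLEX-IPSEC
 set transform-set FLEX-TS
 set ikev2-profile FLEX-PROFILE
!
! --- Hub: virtual template, cloned into a Virtual-Access interface per connecting spoke
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
!
! --- Spoke: reuses the same keyring, IKEv2 profile (without "virtual-template 1") and
! --- IPsec profile, then terminates on a static tunnel interface pointing at the hub
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
```

The chain to verify on any FlexVPN device is keyring -> IKEv2 profile -> IPsec profile -> virtual template (hub) or tunnel interface (spoke); a break in any link leaves the IKEv2 negotiation with nothing to attach to.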
Conclusion:
FlexVPN is theoretically a huge concept because it is built upon IKEv2 and offers a wide variety of features, and in practice it offers simplified VPN deployment. I don't want to go into pages of theoretical information. This is a brief introduction to FlexVPN and its components. This information is helpful for understanding the configuration of FlexVPN, which we are going to see in another article.