Blue_Bird (VIP)
Understanding FlexVPNs

Contents:

  • Introduction
  • FlexVPN Components
    • IKEv2 Keyring
    • IKEv2 Profile
    • IPsec Profile
    • Virtual Template
    • Tunnel Interface
  • Conclusion

Introduction

We already had IPsec VPNs, DMVPNs and GETVPNs; however, each of these has shortfalls. DMVPN and GETVPN are Cisco proprietary. GETVPN preserves the original IP header, so it can only be used on a private network (an MPLS WAN, for example) that already routes the inner addresses. IPsec VPNs are a standard, but classic IKEv1 has weaknesses: in aggressive mode with pre-shared keys the hash derived from the PSK is exposed to an offline dictionary attack, and IKEv1 has no built-in protection against a flood of half-open negotiations, which makes it vulnerable to a denial-of-service attack.

Cisco wanted to be more inclusive of other vendors, and this is where FlexVPN comes in. FlexVPN is Cisco's standards-based VPN framework built on IKEv2. Unlike DMVPN and GETVPN, FlexVPN accepts connections from other vendors' IKEv2 implementations. IKEv2's cookie exchange lets a FlexVPN hub refuse to keep state for initiators that have not proved they can receive traffic, so it is more resistant to denial of service than an IKEv1-based IPsec VPN. Possibly the best feature of FlexVPN is that a single deployment can serve both site-to-site and remote-access (AnyConnect) VPNs at the same time from the same configuration. The major difference from classic IPsec VPNs is that FlexVPN uses IKEv2 as standard; in fact, FlexVPN only supports IKEv2.

FlexVPN, as the name suggests, is flexible. It can be configured as a point-to-point VPN very similar to a classic IPsec VPN, as a hub-and-spoke design with dynamic spoke-to-spoke tunnels similar to DMVPN, or as a full mesh. The main difference between any of these VPN types and FlexVPN is that FlexVPN uses IKEv2 to negotiate the tunnel parameters; it still uses IPsec (ESP) to encrypt the data.

GETVPN is multipoint, but it can only be used on private networks. FlexVPN can be point-to-point or point-to-multipoint, and the remote sites can communicate directly if required. So, for example, say we have five sites connected to the internet: one is the headquarters and the rest are branches. The headquarters hosts the hub and each branch has a spoke. The hub acts as the FlexVPN server and the spokes as FlexVPN clients.

When you configure a FlexVPN you can define IKEv2 proposals and policies much as you would for an IPsec VPN or DMVPN, or rely on the IKEv2 smart defaults (a default proposal, policy, transform set and IPsec profile) and override only the pieces you need. With GETVPN, the policies were created on the key server and pushed to the group members according to the group ID. Cisco used a similar idea for FlexVPN, known as centralized policy control: the per-peer policies are stored on a RADIUS server (with a local IKEv2 authorization policy as a fallback). When a peer connects, the AAA server returns the split-tunnel routes, the VRF the session belongs in, the address pool and any DNS servers it should use.

Back in our example network, the headquarters, where the FlexVPN server is located, also hosts a RADIUS server. When a FlexVPN client wants to connect, it presents its credentials (for a remote-access user) or its IKEv2 identity (for a spoke) to the FlexVPN server, which forwards the request to the RADIUS server. The RADIUS server tells the FlexVPN server whether that peer is allowed and, if so, which policy applies: for example, which routes to push, which address pool or VRF to use, and which access list to apply.

One major benefit of FlexVPN is that it supports failover and redundancy, and it can do this in one of three ways. The first is IKEv2 route exchange: prefixes advertised in the IKEv2 configuration payload are installed in the routing table when the SA comes up and withdrawn when dead peer detection tears it down, so a client can fail over to a backup hub. The second is dynamic routing: a routing protocol such as OSPF, EIGRP or BGP runs over the FlexVPN tunnels themselves and sends its updates through them. The third is IPsec active/standby, where a pair of hub routers act as an active/standby pair (typically sharing a virtual address with HSRP).

One last benefit of FlexVPN is that it supports quality of service (QoS). QoS is a way of controlling traffic during periods of congestion: it either drops or shapes traffic, depending on the policy, and lets you send traffic such as voice at high priority so that low-priority traffic such as web browsing is dropped first if required to make way for it. FlexVPN offers per-peer QoS: a separate policy can be applied to each Virtual-Access interface, which means you can create individual policies for individual branches, say no QoS policy for a warehouse but a shaping policy for a major branch.
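The centralized policy and IKEv2 route exchange described in the two paragraphs above, as an added IOS configuration example that is not part of the original article. The hub asks an AAA list for the per-spoke authorization policy; RADIUS answers when it is reachable, otherwise the identical locally defined policy is used. Every name, address and key here is a placeholder chosen for this example, and only the authorization line of each IKEv2 profile is shown (the match, identity and authentication statements belong in the full profile).

```cisco
! Added example, not from the article. All names, addresses and keys are placeholders.
!
! ---- Hub (FlexVPN server) ----
aaa new-model
radius server HQ-RADIUS
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key RadiusSecret-CHANGE-ME
! Ask RADIUS first; fall back to the local authorization policy if it is down.
aaa authorization network FLEX-AUTHZ group radius local
!
! Turn the spoke's IKEv2 identity "spoke1.example.com" into the AAA user
! name "spoke1", so each branch can be given its own policy.
crypto ikev2 name-mangler SPOKE-NAME
 fqdn hostname
!
! Local policy for user "spoke1" (RADIUS would return the same attributes):
! advertise the hub's tunnel address and HQ networks to the spoke, install
! the prefixes the spoke advertises, and hand out DNS settings.
crypto ikev2 authorization policy spoke1
 route set interface
 route set remote ipv4 10.0.0.0 255.255.0.0
 route accept any
 dns 10.0.0.53
 def-domain example.com
!
! In the hub's IKEv2 profile: group authorization for pre-shared-key peers,
! using the list above and the mangled name to select the policy.
crypto ikev2 profile FLEX-HUB
 aaa authorization group psk list FLEX-AUTHZ name-mangler SPOKE-NAME
!
! ---- Spoke 1 (FlexVPN client) ----
! The spoke advertises its tunnel address and its LAN, and installs whatever
! the hub pushes. These routes exist only while the IKEv2 SA is up, which is
! the first of the three redundancy mechanisms.
aaa new-model
aaa authorization network LOCAL-AUTHZ local
crypto ikev2 authorization policy SPOKE-POLICY
 route set interface
 route set remote ipv4 10.1.1.0 255.255.255.0
 route accept any
crypto ikev2 profile FLEX-SPOKE
 aaa authorization group psk list LOCAL-AUTHZ SPOKE-POLICY
```

Once the tunnel is up, `show crypto ikev2 sa detailed` shows the prefixes exchanged in each direction and `show ip route` shows them installed as static routes tied to the tunnel; when the peer fails DPD, both the SA and the routes disappear.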

FlexVPN Components

Several components must be configured for a FlexVPN to work. These are the primary components:

  • IKEv2 Keyring
  • IKEv2 Profile
  • IPsec Profile
  • Virtual Template
  • Tunnel Interface


IKEv2 Keyring:

With IKEv1 we use the command crypto isakmp key to add a pre-shared key to the VPN. With FlexVPN we use an IKEv2 keyring instead. A keyring stores pre-shared keys against peer entries, and each entry identifies the peer by IP address or by its IKEv2 identity: a fully qualified domain name, an e-mail address or a key ID. IKEv2 keyrings are quite flexible. You can use a single keyring with one wildcard entry for all peers, or create one entry per peer so that each peer has its own pre-shared key; an entry can even hold different local and remote keys so that the two directions use different secrets.

IKEv2 Profile:

An IKEv2 profile is a set of non-negotiable parameters that identifies a peer and says how both sides authenticate. These parameters include the match statements (remote identity, certificate or front-door VRF), the local identity, the local and remote authentication methods (pre-shared key or PKI with RSA signatures, and EAP or AnyConnect-EAP for remote-access users), the keyring or PKI trustpoint, and the AAA lists used for centralized policy. On a FlexVPN server the profile also names the virtual template, from which a Virtual-Access interface is cloned when a client connects. In short, the IKEv2 profile tells the FlexVPN server how to authenticate itself, how clients must authenticate to it, and which virtual template to use. For AnyConnect remote-access clients the profile uses AnyConnect-EAP authentication and matches the key-id identity that the AnyConnect client sends, rather than an FQDN.

IPsec Profile:

An IPsec profile ties the IPsec pieces together. It references a transform set (the ESP cipher and tunnel mode) and the IKEv2 profile, and adds optional parameters such as the security-association lifetime and the PFS group. If we don't specify a transform set, the IPsec profile uses the default transform set.

Virtual Template:

A virtual template provides the base configuration that every Virtual-Access interface inherits. This base configuration includes the IP address (usually ip unnumbered from a loopback), the MTU and TCP MSS settings, the tunnel source and tunnel mode, any NHRP commands if spoke-to-spoke shortcuts are needed, and finally the IPsec profile, attached with tunnel protection.

Virtual-Access interfaces are the tunnel termination interfaces on the server side. One is cloned from the virtual template whenever a FlexVPN client builds a tunnel to the FlexVPN server, and it is destroyed automatically when the session ends.

Typically we create a virtual template on the hub and static tunnel interfaces on the spokes. In a full-mesh (spoke-to-spoke) deployment, the spokes also get a virtual template so that they can terminate dynamic spoke-to-spoke tunnels.

Tunnel Interface:

Each branch router (spoke) needs a static tunnel interface pointing at the hub; that is what allows the spoke to connect to the hub, and for a plain hub-and-spoke design it is the only tunnel interface the spoke needs. A spoke needs a virtual template in addition only when spoke-to-spoke tunnels are used, because the spoke then also acts as a responder to other spokes.

On the tunnel interface we assign an IP address (or ip unnumbered), set the MTU and MSS, the tunnel source and the tunnel destination (the hub's public address), and, for a full-mesh deployment, the NHRP network ID and shortcut commands. Finally, we attach the IPsec profile with tunnel protection.
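The five components above, wired together into a minimal FlexVPN hub and one spoke, as an added IOS configuration example that is not part of the original article. The hub's public address, the hostnames, the loopback addresses and the pre-shared keys are all placeholders chosen for this example; both routers are assumed to reach the internet through GigabitEthernet0/0. The example goes one step beyond the text by also showing the IKEv2 anti-DoS settings and an AES-GCM proposal in place of the smart defaults.

```cisco
! Added example, not from the article. Names, addresses and keys are placeholders.
!
! ===================== HUB (FlexVPN server, public address 203.0.113.1) =====================
! Anti-DoS: demand a cookie round trip from new initiators once 20 SAs are
! half-open, and cap the number of SAs that may be in negotiation at once.
crypto ikev2 cookie-challenge 20
crypto ikev2 limit max-in-negotiation-sa 100
!
! Optional: replace the smart-default proposal. AES-GCM is a combined-mode
! cipher, so no integrity algorithm is configured, but a PRF is still required.
crypto ikev2 proposal FLEX-PROP
 encryption aes-gcm-256
 prf sha512
 group 19
crypto ikev2 policy FLEX-POL
 proposal FLEX-PROP
!
! 1. IKEv2 keyring: one entry per spoke, matched on its FQDN identity,
!    with different keys in each direction.
crypto ikev2 keyring FLEX-KEYRING
 peer SPOKE1
  identity fqdn spoke1.example.com
  pre-shared-key local HubKey-CHANGE-ME
  pre-shared-key remote Spoke1Key-CHANGE-ME
!
! 2. IKEv2 profile: who we are, whom we accept, how both sides authenticate,
!    dead peer detection, and the template that clones each Virtual-Access.
crypto ikev2 profile FLEX-HUB
 match identity remote fqdn domain example.com
 identity local fqdn hub.example.com
 authentication local pre-share
 authentication remote pre-share
 keyring local FLEX-KEYRING
 dpd 30 5 on-demand
 virtual-template 1
!
! 3. IPsec profile: transform set plus the IKEv2 profile and SA lifetime.
crypto ipsec transform-set FLEX-TS esp-gcm 256
 mode tunnel
crypto ipsec profile FLEX-IPSEC
 set transform-set FLEX-TS
 set ikev2-profile FLEX-HUB
 set security-association lifetime seconds 3600
!
! 4. Virtual template: base configuration for every Virtual-Access interface.
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
!
! ===================== SPOKE 1 (FlexVPN client) =====================
crypto ikev2 keyring FLEX-KEYRING
 peer HUB
  address 203.0.113.1
  identity fqdn hub.example.com
  pre-shared-key local Spoke1Key-CHANGE-ME
  pre-shared-key remote HubKey-CHANGE-ME
crypto ikev2 profile FLEX-SPOKE
 match identity remote fqdn hub.example.com
 identity local fqdn spoke1.example.com
 authentication local pre-share
 authentication remote pre-share
 keyring local FLEX-KEYRING
 dpd 30 5 on-demand
crypto ipsec transform-set FLEX-TS esp-gcm 256
 mode tunnel
crypto ipsec profile FLEX-IPSEC
 set transform-set FLEX-TS
 set ikev2-profile FLEX-SPOKE
!
! 5. Tunnel interface: a static point-to-point tunnel to the hub.
interface Loopback0
 ip address 10.255.0.11 255.255.255.255
interface Tunnel0
 ip unnumbered Loopback0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
```

Verify with `show crypto ikev2 sa detailed` (the IKEv2 SA, identities and negotiated algorithms), `show crypto ipsec sa` (the child SAs and packet counters) and `show interface virtual-access 1` on the hub, which should exist only while the spoke is connected. The keys above are asymmetric on purpose: if a spoke's configuration leaks, its remote key cannot be reused by an attacker to impersonate the hub to other spokes.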

Conclusion:

FlexVPN is a large topic because it is built on IKEv2 and offers a wide variety of features, while in practice it simplifies VPN deployment. I don't want to go into pages of theory; this is a brief introduction to FlexVPN and its components. It should help in understanding the FlexVPN configuration, which we will look at in another article.


 

Thank you very much!
Comments

Insightful Article.
