cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3256
Views
30
Helpful
14
Replies

Dynamic VTI - IKEV2 - Cisco ASR

shaheryar.khan
Level 1
Level 1

Hello Everyone,

 

Can anyone explain how Dynamic VTI - IKEV2 works , if possible share some sample configurations for ASR and ASA.

 

Thanks

 

5 Accepted Solutions

Accepted Solutions

@shaheryar.khan A DVTI on the Cisco ASR and ISE router uses FlexVPN configuration.

A DVTI uses a virtual template on the hub(s), the spoke routers use static VTI. On the hub routers a dynamic virtual-access interface is dynamically created for each connected spoke router.

 

Refer to these FlexVPN guides for more information

https://www.cisco.com/c/en/us/support/security/flexvpn/products-configuration-examples-list.html

 

ASA does not support DVTI, only static VTI.

 

View solution in original post

@shaheryar.khan yes, FlexVPN is the name of the solution which uses DVTI and VTI.

View solution in original post

@shaheryar.khan just don't setup the spoke-to-spoke configuration. So on the spoke routers don't configure a DVTI (used to communicate with the spokes), just setup a SVTI to the hub. Therefore all traffic goes via the hub.

View solution in original post

@shaheryar.khan  
If remove ip nhrp success please send me last full config.

View solution in original post

14 Replies 14

@shaheryar.khan A DVTI on the Cisco ASR and ISE router uses FlexVPN configuration.

A DVTI uses a virtual template on the hub(s), the spoke routers use static VTI. On the hub routers a dynamic virtual-access interface is dynamically created for each connected spoke router.

 

Refer to these FlexVPN guides for more information

https://www.cisco.com/c/en/us/support/security/flexvpn/products-configuration-examples-list.html

 

ASA does not support DVTI, only static VTI.

 

shaheryar.khan
Level 1
Level 1

Thanks @Rob Ingram quick response, do you think BGP supports DVTI type of configuration ?

@shaheryar.khan Yes BGP certainly is supported.

@Rob Ingram  Thanks again, Can you please share a Cisco document that shows BGP configuration implement on the DVTI or Flex VPN

 

Thanks

@shaheryar.khan that first link I provided had multiple examples, of which this one has examples of BGP configuration.

https://www.cisco.com/c/en/us/support/docs/security/flexvpn/118888-configure-flexvpn-00.html

 

I appreciated for your help. Looks like DVTI and FLEX vpn are same concept?

@shaheryar.khan yes, FlexVPN is the name of the solution which uses DVTI and VTI.

Screen Shot 2022-04-07 at 6.04.29 PM.png
ASR DVTI can work as HUB and ASA SVTI can work as Spoke IF there are many Peer IF NOT
ASR and ASA connect via SVTI. 

shaheryar.khan
Level 1
Level 1

If I do not want to allow Spoke-to-Spoke communication in FLex VPN BGP. Is it possible to remove the IP nhrp configuration? Does it still work?

@shaheryar.khan just don't setup the spoke-to-spoke configuration. So on the spoke routers don't configure a DVTI (used to communicate with the spokes), just setup a SVTI to the hub. Therefore all traffic goes via the hub.

@shaheryar.khan  
If remove ip nhrp success please send me last full config.

This is working config someone gave me . but i have not tried yet.

*****************************************************
Flex VPN - S-VTI/D-VTI Combination
*****************************************************

------------
R2 - S-VTI <--- SPOKE
------------

! 1. Phase I A. Configure an IKEv2 Proposal

crypto ikev2 proposal PROP1
encryption 3des aes-cbc-128
integrity md5 sha1
group 2 5

! 1. Phase I B. Configure an IKEv2 Policy and call the Proposal

crypto ikev2 policy POL1
proposal PROP1

! 1. Phase I C. Configure an IKEv2 Keyring

crypto ikev2 keyring KR1
peer R1
address 192.1.10.1
pre-shared-key cisco123

! 1. Phase I D. Configure an IKEv2 Profile that will later on be linked to your Crypto Map

crypto ikev2 profile IKEv2-PROF
match identity remote address 192.1.10.1
authentication local pre-share
authentication remote pre-share
keyring local KR1

! 2. Transform Set

crypto ipsec transform-set TSET esp-3des esp-sha-hmac

! 3. IPSec Profile

Crypto ipsec profile IPROF
set transform-set TSET
set ikev2-profile IKEv2-PROF

! 4. Tunnel Interface

Interface Tunnel 1
ip address 192.168.1.2 255.255.255.0
tunnel source E 0/0
tunnel destination 192.1.10.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPROF

! 5. Run the Routing Protocol

router eigrp 123
network 192.168.1.0
network 10.0.0.0
network 172.16.0.0

------------
R1 - D-VTI <--- Home
------------

! 1. Phase I A. Configure an IKEv2 Proposal

crypto ikev2 proposal PROP1
encryption 3des aes-cbc-128
integrity md5 sha1
group 2 5

! 1. Phase I B. Configure an IKEv2 Policy and call the Proposal

crypto ikev2 policy POL1
proposal PROP1

! 1. Phase I C. Configure an IKEv2 Keyring

crypto ikev2 keyring KR1
peer R2
address 0.0.0.0
pre-shared-key cisco123

! 1. Phase I D. Configure an IKEv2 Profile that will later on be linked to your Crypto Map

crypto ikev2 profile IKEv2-PROF
match identity remote address 0.0.0.0
authentication local pre-share
authentication remote pre-share
keyring local KR1
virtual-template 1

! 2. Transform Set

crypto ipsec transform-set TSET esp-3des esp-sha-hmac

! 3. IPSec Profile

Crypto ipsec profile IPROF
set transform-set TSET
set ikev2-profile IKEv2-PROF

! 4. Tunnel Interface

Interface Loopback99
ip address 192.168.1.1 255.255.255.0
!
Interface virtual-template 1 type tunnel
ip unnumbered loopback99
tunnel source E 0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPROF
!
crypto ikev2 profile IKEv2-PROF
virtual-template 1

! 5. Run the Routing Protocol

router eigrp 123
network 192.168.1.0
network 10.0.0.0
network 172.16.0.0

@shaheryar.khan I wouldn't use those crypto algorithms, they are weak an insecure, the pre-built in IKEv2 smart defaults algorithms are more secure. 

 

If you want to define your own specific algorithms, use AES CBC/SHA 256 at a minimum or AES-GCM. Example:

 

crypto ikev2 proposal PROP1
encryption aes-cbc-256
group 19 20 21
integrity sha256
!
crypto ikev2 policy POL1
proposal PROP1
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha256-hmac

 

 

@Rob IngramI agreed, It was just a sample configuration.