Dynamic VTI IPSEC TUNNEL

tanyatamir53355 (Level 1)

I am trying to create a simple VPN server for my home lab using a Cisco 1941 or 3945 router (I have access to both).

When you design a Dynamic VTI hub-and-spoke configuration, does the spoke have to be a Cisco router? Can it be any VPN client, such as the Windows native VPN, or does it have to be AnyConnect?

I want to be able to tunnel in from multiple VPN clients (spokes), such as Windows/iOS clients etc., to the home lab router (hub).

Or is something like Easy VPN dynamic VTI more applicable to my needs?

Any help would be much appreciated.

Many thanks.

Accepted Solutions

Hi @tanyatamir53355 

You will want to configure FlexVPN, the spoke does not need to be a router. FlexVPN does support using a Windows native VPN client instead of AnyConnect, here is the guide.

https://www.cisco.com/c/en/us/support/docs/security/flexvpn/115907-config-flexvpn-wcca-00.html

https://www.cisco.com/c/en/us/support/security/flexvpn/products-configuration-examples-list.html


@tanyatamir53355 

Ok then, so I assume your 1941 or 3945 routers do not have the security license.

Create a new post once you receive your new hardware and have actual issues when configuring. Mark this post as solved/helpful.


23 Replies


Hi,

Thank you so much for this!

1. Is IKEv2 supported on the latest IOS for the 1941 or 3945?

2. The source of my tunnel is an ISP-based AP/router, which will be connected to the Cisco router and used as the WAN interface on one of the gigabit interfaces.

I am planning to use this configuration for the FlexVPN (hub) server later. Will it work?

Loopback 192.168.10.1/24 (emulated LAN) ---- HUB (1941 or 3945) ----> gig0/0 <---- ISP router

 

hostname FLEX-SERVER
!
aaa new-model
aaa authorization network IKE_LIST local
!
crypto ikev2 authorization policy default
 route set access-list PROTECTED_ACL
!
crypto ikev2 keyring ANY
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco
!
crypto ikev2 profile FLEX_SERVER_PROF
 match identity remote address 0.0.0.0
 identity local address 10.0.0.1
 authentication remote pre-share
 authentication local pre-share
 keyring local ANY
 aaa authorization group psk list IKE_LIST default
 virtual-template 1
!
crypto ipsec profile default
 set ikev2-profile FLEX_SERVER_PROF
!
interface Loopback0
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default
!
ip access-list standard PROTECTED_ACL
 permit 192.168.10.0 0.0.0.255
!

Many thanks again!

@tanyatamir53355 

Yes, IKEv2 will be supported on those ISR G2 routers.

You may wish to specify the IKEv2 proposal and IPsec transform set manually on each router; the defaults may change depending on the version each router is running.

Normally I'd specify a loopback interface for the ip unnumbered interface, rather than the outside/external physical interface.

Is this amendment what you prefer?

interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default

Can I also use IGP (EIGRP/OSPF) routing protocols to advertise connected LANs into the tunnel?

Yes.

Use EIGRP or BGP, instead of OSPF. If you use a dynamic routing protocol, you no longer need IKEv2 authorisation to push out the IKEv2 routes (as defined in your ACL PROTECTED_ACL) to the remote peer.
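Pulling the two suggestions from this exchange into one snippet (an explicit IKEv2 proposal/policy and IPsec transform set so the negotiated algorithms do not depend on each IOS release's defaults, and a dedicated loopback as the ip unnumbered source), as an added example that is not from the thread or from Cisco's guides. The names FLEX_PROP, FLEX_POL and FLEX_TS, the 10.255.255.1/32 loopback address and the algorithm choices are assumptions; the connecting client must be set to offer the same IKEv2 and ESP parameters or the negotiation fails.

```cisco
! Added example, not the thread's or Cisco's configuration. Names FLEX_PROP,
! FLEX_POL, FLEX_TS and the 10.255.255.1/32 address are assumptions.
!
! Pin the IKEv2 algorithms instead of relying on the per-release defaults.
crypto ikev2 proposal FLEX_PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy FLEX_POL
 proposal FLEX_PROP
!
! Pin the ESP algorithms and attach the transform set to the existing profile.
crypto ipsec transform-set FLEX_TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile default
 set transform-set FLEX_TS
 set ikev2-profile FLEX_SERVER_PROF
!
! Dedicated loopback for the virtual-access interfaces, so the tunnel no
! longer borrows the address of the outside interface GigabitEthernet0/0.
interface Loopback1
 description FlexVPN virtual-access source address
 ip address 10.255.255.1 255.255.255.255
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default
```

After a client connects, `show crypto ikev2 sa detailed` and `show crypto ipsec sa` show which proposal and transform set were actually negotiated, which is the quickest way to confirm the pinned values are in use rather than a default.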

Again, many thanks for this Rob!

I am about to test this practically in an hour or so. I will give feedback on this ASAP!

1. The only confusion I have is, since I will be using my ISP vDSL router/AP as the WAN side for the ISR router, the ISP router's local address is 192.168.0.1/24, and the physical interface on the router that it's connected to will be configured as gig0/0 192.168.0.254/24, same subnet of course.

Now the public IP address is provided by the ISP to their vDSL router/AP.

What I am trying to say is, when setting up the native Windows VPN client in order to connect to the above hub configuration for example, will I use the public IP address as the VPN server address?

2. The other issue is the ISP public address might be a dynamic address (seems static for the last two weeks lol).

Does this mean I will probably need to configure a DNS service like No-IP, which can be integrated into IOS I believe?

3. Do I need a license in order to use IKEv2 on the 1941 or 3945?

You will need NAT set up on the ISP router, which translates the public IP address to the gig0/0 interface IP address of the Cisco router. The client will connect to the public IP address; yes, you'd need some kind of IP/DNS setup.

You'll need the security license on the router.

Going back to dynamic routing protocols, you won't be able to set this up to a Windows client; you'll need to continue to use IKEv2 routing. Dynamic routing will only work if both devices are routers.

@Rob Ingram Just curious about your recommendation to use EIGRP or BGP instead of OSPF.

Is there any specific reason why you made that recommendation in this particular scenario?

I am just working on gaining my CCNA, and the new syllabus only covers one dynamic routing protocol, OSPF, but I noticed a lot of people having issues with OSPF and tunnels generally.

@tanyatamir53355 

Cisco recommend using BGP or EIGRP.

https://www.ciscolive.com/global/on-demand-library.html?search.event=ciscoliveus2020&search=flexvpn#/session/1573153557176001Jgqh

OSPF (a link-state protocol) requires every router running OSPF to have an identical and up-to-date OSPF database; any routing change is replicated to all routers. Even if there are no routing changes, route updates are sent at regular intervals to all OSPF routers.

EIGRP doesn't need to know about all the routers and has a unique topology table; changes are not replicated amongst the other routers running EIGRP. EIGRP does not send periodic updates. EIGRP is less chatty, which can be useful in large VPN designs.

@Rob Ingram

That makes total sense! Thanks for clearing this up!

tanyatamir53355 (Level 1)

Ok, thank you.

How do I set up NAT on the ISP router? It's cheap plastic, you know, these consumer-based ISP routers/APs barely have any functionality.

I know how to set up NAT on a Cisco router (inside/outside); is that what you mean?

You will need NAT set up on the ISP router to translate the public IP address to the outside interface of the router; you need to forward UDP/500 and UDP/4500. You'll have to figure out how to do that yourself; I don't know how to configure whatever cheap plastic consumer ISP router you have.

 

Hi there again,

NAT (overload) is already on these ISP-based routers by default. There isn't any configuration for NAT, just DMZ and other stuff like UPnP.

I am certain PAT is already there, otherwise only one of my devices would have been online.

So from the Cisco router's gig0/0 (192.168.0.254) I can ping the ISP router (192.168.0.1). I can also ping 8.8.8.8 on the outside from the router (sent and received via gig0/0, which faces the ISP router).

Subsequently, the Cisco router has connectivity to the internet. Does this sound good to go?

In regards to the license, my 1941 has K9/v05; does the K9 represent the security license?

I am very grateful for this. Many thanks.

No. PAT will be used for outbound NAT, providing you with internet access. You need a static NAT inbound to map your public IP address on the ISP router to the private IP address of the Cisco router, using the ports I previously provided.