10.1 9. Flex VPN

Flex VPN allows combining different VPN types under one configuration. It can configure point-to-point VPNs using S-VTI/D-VTI interfaces or spoke-to-spoke VPNs using NHRP. The document outlines the steps to configure a site-to-site Flex VPN using S-VTI between routers with static IPs, and a spoke-to-spoke Flex VPN with dynamic spoke IPs, pooling IP addresses at the hub for distribution. Phase 1 and 2 IKE and IPsec parameters are configured along with EIGRP routing.


Flex VPN
KHAWAR BUTT
CCIE # 12353 [R/S, SECURITY, SP, DC, VOICE, STORAGE & CCDE]
Outline
- Flex VPN
- Configuring Flex VPN – Point-to-Point using S-VTI / D-VTI Interfaces
- Configuring Flex VPN – Spoke-to-Spoke using NHRP
Flex Overview
- Flex VPN gives you the ability to configure different types of VPNs under one configuration set.
- So far we have looked at a Point-to-Point setup using either crypto maps or S-VTI, at a multipoint VPN using DMVPN, and at Remote Access VPNs using AnyConnect. These are different types of VPNs, each requiring a different command set.
- Flex VPN combines the capability of all of these VPNs under one common, IKEv2-based configuration set: the same IKEv2 proposal, policy, keyring, profile and IPsec profile are reused whether the tunnel interface is a static VTI, a dynamic VTI cloned from a virtual-template, or a spoke-to-spoke shortcut built with NHRP.
Flex VPN – Site-to-Site using S-VTI / D-VTI

[Topology diagram: R1 and R2 connected over the Internet. R1 has a static public segment 199.1.1.0/24 and the internal LANs 10.1.1.0/24 and 10.1.2.0/24. R2 has a dynamically assigned public IP and the internal LANs 10.2.2.0/24 and 10.2.1.0/24.]

Configure an IPsec LAN-to-LAN VPN using Flex VPN to encrypt the traffic between the internal private networks. R2 has a dynamic public IP assigned, so R1 cannot point a static tunnel at it: R1 accepts the connection from any address on a dynamic VTI (a virtual-template cloned into a Virtual-Access interface), while R2 initiates from a static VTI toward R1's fixed address 199.1.1.1.
Flex VPN Site-to-Site – Step # 1
Step 1. Configure Phase I (IKEv2 SA) Parameters

R1

 ! 1A. Configure an IKEv2 Proposal
 crypto ikev2 proposal PROP-1
  encryption 3des
  integrity md5 sha1
  group 2 5

 ! 1B. Configure an IKEv2 Policy and call the proposal
 crypto ikev2 policy POL-1
  proposal PROP-1

 ! 1C. Configure an IKEv2 Keyring (wildcard address: R2's public IP is not known in advance)
 crypto ikev2 keyring KR-1
  peer R2
   address 0.0.0.0 0.0.0.0
   pre-shared-key cisco123

 ! 1D. Configure an IKEv2 Profile
 crypto ikev2 profile IKEv2-PROF
  match identity remote address 0.0.0.0
  authentication local pre-share
  authentication remote pre-share
  keyring local KR-1

R2

 ! 1A. Configure an IKEv2 Proposal
 crypto ikev2 proposal PROP-1
  encryption 3des
  integrity md5 sha1
  group 2 5

 ! 1B. Configure an IKEv2 Policy and call the proposal
 crypto ikev2 policy POL-1
  proposal PROP-1

 ! 1C. Configure an IKEv2 Keyring (R1 has a static public IP)
 crypto ikev2 keyring KR-1
  peer R1
   address 199.1.1.1
   pre-shared-key cisco123

 ! 1D. Configure an IKEv2 Profile
 crypto ikev2 profile IKEv2-PROF
  match identity remote address 199.1.1.1
  authentication local pre-share
  authentication remote pre-share
  keyring local KR-1

Notes. The keyring is named KR-1, so the profile must reference KR-1 (the original slide's "keyring local KR1" names a keyring that does not exist, and the profile would have no key). 3DES, MD5 and Diffie-Hellman groups 2 and 5 are shown as in the lab, but all three are deprecated; on current IOS/IOS-XE use AES-GCM-256 (with "prf sha256" in place of "integrity") or AES-256 with SHA-256, and DH group 19 or higher. The pre-shared key cisco123 is a lab placeholder, not a production-strength secret.
Flex VPN Site-to-Site – Step # 2
Step 2. Configure Phase II (IPsec / Child SA) Parameters

R1
 crypto ipsec transform-set TSET esp-3des esp-sha-hmac

R2
 crypto ipsec transform-set TSET esp-3des esp-sha-hmac

Flex VPN Site-to-Site – Step # 3
Step 3. Configure an IPsec Profile that links the Transform-set and the IKEv2 Profile together

R1
 crypto ipsec profile IPROF
  set transform-set TSET
  set ikev2-profile IKEv2-PROF

R2
 crypto ipsec profile IPROF
  set transform-set TSET
  set ikev2-profile IKEv2-PROF
Flex VPN Site-to-Site – Step # 4
Step 4. Create the IPsec-based Tunnel Interfaces: a D-VTI (virtual-template) on R1, which cannot know R2's address, and an S-VTI (static Tunnel) on R2

R1
 interface Loopback11
  ip address 192.168.1.1 255.255.255.0
 !
 interface Virtual-Template1 type tunnel
  ip unnumbered Loopback11
  tunnel source Ethernet0/0
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile IPROF
 !
 crypto ikev2 profile IKEv2-PROF
  virtual-template 1

R2
 interface Tunnel1
  ip address 192.168.1.2 255.255.255.0
  tunnel source Ethernet0/0
  tunnel destination 199.1.1.1
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile IPROF

When R2's IKEv2 session matches IKEv2-PROF on R1, R1 clones a Virtual-Access interface from Virtual-Template1 and terminates the tunnel there; the Loopback supplies the tunnel address that the unnumbered Virtual-Access interface borrows.
Flex VPN Site-to-Site – Step # 5
Step 5. Configure a Dynamic Routing Protocol to route the internal LAN segments over the tunnel

R1
 router eigrp 111
  network 192.168.1.0
  network 10.0.0.0

R2
 router eigrp 111
  network 192.168.1.0
  network 10.0.0.0
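The five site-to-site steps above, consolidated into one complete configuration per router. This is an added example, not a slide from the original deck: it keeps the deck's names (PROP-1, POL-1, KR-1, IKEv2-PROF, TSET, IPROF, Loopback11, Tunnel1, EIGRP AS 111) and addressing, but replaces the deprecated 3DES / MD5 / DH group 2 parameters with AES-GCM-256, a SHA-256 PRF and DH group 19. The strings in angle brackets are placeholders for a long random pre-shared key, and Ethernet0/0 is assumed to be the Internet-facing interface (the slides abbreviate it as "E 0/0"). The show commands at the end are standard IOS verification commands.

```ios
! ---------- R1: static public IP 199.1.1.1, accepts the dynamic peer on a D-VTI ----------
crypto ikev2 proposal PROP-1
 encryption aes-gcm-256
 prf sha256
 group 19
crypto ikev2 policy POL-1
 proposal PROP-1
crypto ikev2 keyring KR-1
 peer R2
  address 0.0.0.0 0.0.0.0
  pre-shared-key <long-random-secret>
crypto ikev2 profile IKEv2-PROF
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-1
 virtual-template 1
crypto ipsec transform-set TSET esp-gcm 256
crypto ipsec profile IPROF
 set transform-set TSET
 set ikev2-profile IKEv2-PROF
interface Loopback11
 ip address 192.168.1.1 255.255.255.0
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback11
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPROF
router eigrp 111
 network 192.168.1.0
 network 10.0.0.0
!
! ---------- R2: dynamic public IP, S-VTI toward R1 ----------
crypto ikev2 proposal PROP-1
 encryption aes-gcm-256
 prf sha256
 group 19
crypto ikev2 policy POL-1
 proposal PROP-1
crypto ikev2 keyring KR-1
 peer R1
  address 199.1.1.1
  pre-shared-key <long-random-secret>
crypto ikev2 profile IKEv2-PROF
 match identity remote address 199.1.1.1 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-1
crypto ipsec transform-set TSET esp-gcm 256
crypto ipsec profile IPROF
 set transform-set TSET
 set ikev2-profile IKEv2-PROF
interface Tunnel1
 ip address 192.168.1.2 255.255.255.0
 tunnel source Ethernet0/0
 tunnel destination 199.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPROF
router eigrp 111
 network 192.168.1.0
 network 10.0.0.0
!
! ---------- Verification, on either router ----------
! show crypto ikev2 sa detailed   IKE SA in READY state; check the negotiated cipher, PRF and DH group
! show crypto ipsec sa            ESP SAs present, #pkts encaps/decaps increasing while LAN hosts talk
! show crypto session detail      peer address, identity and SA uptime
! show ip eigrp neighbors         neighbour seen on Tunnel1 (R2) and on Virtual-Access1 (R1)
```

Bring R2's tunnel up first, then confirm from R1 that the neighbour is on a Virtual-Access interface rather than on the template itself; the template never carries traffic.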
Flex VPN – Spoke-to-Spoke

[Topology diagram: four sites, Los Angeles, Dubai, London and Sydney, connected over the Internet. Public segments shown: 150.5.5.0/24 (the hub, R1; the spokes use 150.5.5.1 as their tunnel destination), 199.1.1.0/24, 200.1.1.0/24 and 75.1.1.0/24. Internal LANs shown: 10.1.1.0/24, 10.2.2.0/24, 10.3.3.0/24 and 10.4.4.0/24.]
Flex VPN Spoke-to-Spoke – Hub
Step 1. Configure Phase I (IKEv2 SA) Parameters

R1

 ! 1A. Configure an IKEv2 Proposal
 crypto ikev2 proposal PROP-1
  encryption 3des
  integrity md5 sha1
  group 2 5

 ! 1B. Configure an IKEv2 Policy and call the proposal
 crypto ikev2 policy POL-1
  proposal PROP-1

 ! 1C. Configure an IKEv2 Keyring (one wildcard entry covers every spoke)
 crypto ikev2 keyring KR-1
  peer SPOKES
   address 0.0.0.0 0.0.0.0
   pre-shared-key cisco123

 ! 1D. Configure an IKEv2 Profile
 crypto ikev2 profile IKEv2-PROF
  match identity remote address 0.0.0.0
  authentication local pre-share
  authentication remote pre-share
  keyring local KR-1

Notes. As on the site-to-site slides, the profile must reference the keyring by its real name, KR-1. With a wildcard address and a single pre-shared key shared by every spoke, anyone holding that key can join as a spoke and, because spokes authenticate each other directly when they build shortcut tunnels, can impersonate any other spoke. Outside a lab, match peers on their IKEv2 identity with per-peer keys, or use certificate authentication, and replace the deprecated 3DES / MD5 / group 2 parameters as noted above.
Flex VPN Spoke-to-Spoke – Hub
Step 2. Configure Phase II (IPsec / Child SA) Parameters

R1
 crypto ipsec transform-set TSET esp-3des esp-sha-hmac

Flex VPN Spoke-to-Spoke – Hub
Step 3. Configure an IPsec Profile that links the Transform-set and the IKEv2 Profile together

R1
 crypto ipsec profile IPROF
  set transform-set TSET
  set ikev2-profile IKEv2-PROF
Flex VPN Spoke-to-Spoke – Hub
Step 4. Create the D-VTI (virtual-template) with NHRP redirect enabled

R1
 interface Loopback11
  ip address 192.168.1.1 255.255.255.0
 !
 interface Virtual-Template1 type tunnel
  ip unnumbered Loopback11
  tunnel source Ethernet0/0
  ip nhrp network-id 111
  ip nhrp redirect
  tunnel protection ipsec profile IPROF
 !
 crypto ikev2 profile IKEv2-PROF
  virtual-template 1

Each spoke terminates on its own Virtual-Access interface cloned from this template. "ip nhrp redirect" makes the hub tell a spoke whose traffic is transiting the hub toward another spoke that a direct path exists; the spoke then resolves the other spoke through NHRP and builds a shortcut tunnel. Because every spoke sits on a separate interface, the hub needs no split-horizon changes for EIGRP, unlike a single mGRE interface in DMVPN.
Flex VPN Spoke-to-Spoke – Hub
Step 5. Configure a Dynamic Routing Protocol to route the internal LAN segments

R1
 router eigrp 111
  network 192.168.1.0
  network 10.0.0.0
Flex VPN Spoke-to-Spoke – Hub
Step 6. Configure the parameters that push a tunnel IP address, and the route to reach it, down to the spokes

R1

 ! 6A. Pool of addresses handed to the spokes' Tunnel interfaces (they use "ip address negotiated")
 ip local pool POOL-A 192.168.1.11 192.168.1.254

 ! 6B. IKEv2 authorization policy. Its attributes are sent to the peer in the IKEv2 configuration
 !     payload during IKE_AUTH; "route set interface" advertises the local tunnel address to the peer.
 aaa new-model
 aaa authorization network default local
 crypto ikev2 authorization policy default
  pool POOL-A
  route set interface

 ! 6C. Attach the authorization policy to the IKEv2 profile (AAA list "default", policy "default")
 crypto ikev2 profile IKEv2-PROF
  aaa authorization group override psk list default default
Flex VPN Spoke-to-Spoke – Spokes
Step 1. Configure Phase I (IKEv2 SA) Parameters

R2 – R3 – R4

 ! 1A. Configure an IKEv2 Proposal
 crypto ikev2 proposal PROP-1
  encryption 3des
  integrity md5 sha1
  group 2 5

 ! 1B. Configure an IKEv2 Policy and call the proposal
 crypto ikev2 policy POL-1
  proposal PROP-1

 ! 1C. Configure an IKEv2 Keyring (wildcard: a spoke must authenticate the hub and every other spoke)
 crypto ikev2 keyring KR-1
  peer ALL
   address 0.0.0.0 0.0.0.0
   pre-shared-key cisco123

 ! 1D. Configure an IKEv2 Profile
 crypto ikev2 profile IKEv2-PROF
  match identity remote address 0.0.0.0
  authentication local pre-share
  authentication remote pre-share
  keyring local KR-1

The profile references the keyring by its real name, KR-1 (the original slide's KR1 does not exist). The spokes need a wildcard peer because shortcut tunnels are IKEv2 sessions between two spokes whose public addresses are not known in advance; the same caveats on the shared key and the deprecated algorithms apply as on the hub.
Flex VPN Spoke-to-Spoke – Spokes
Step 2. Configure Phase II (IPsec / Child SA) Parameters

R2 – R3 – R4
 crypto ipsec transform-set TSET esp-3des esp-sha-hmac

Flex VPN Spoke-to-Spoke – Spokes
Step 3. Configure an IPsec Profile that links the Transform-set and the IKEv2 Profile together

R2 – R3 – R4
 crypto ipsec profile IPROF
  set transform-set TSET
  set ikev2-profile IKEv2-PROF
Flex VPN Spoke-to-Spoke – Spokes
Step 4. Create the S-VTI toward the hub and the D-VTI template for spoke-to-spoke shortcut tunnels

R2 – R3 – R4

 ! 4A. Static VTI to the hub; the tunnel address is assigned from the hub's pool
 interface Tunnel1
  ip address negotiated
  tunnel source Ethernet0/0
  tunnel destination 150.5.5.1
  ip nhrp network-id 111
  ip nhrp shortcut virtual-template 1
  tunnel protection ipsec profile IPROF
 !
 ! 4B. Virtual-template from which spoke-to-spoke Virtual-Access interfaces are cloned
 interface Virtual-Template1 type tunnel
  ip unnumbered Tunnel1
  tunnel source Ethernet0/0
  ip nhrp network-id 111
  tunnel protection ipsec profile IPROF
 !
 crypto ikev2 profile IKEv2-PROF
  virtual-template 1

"ip nhrp shortcut virtual-template 1" on Tunnel1 tells the spoke which template to clone when it acts on a redirect from the hub; "virtual-template 1" in the IKEv2 profile makes the spoke accept the incoming shortcut session from the other spoke on a Virtual-Access interface in the same way the hub does.
Flex VPN Spoke-to-Spoke – Spokes
Step 5. Configure a Dynamic Routing Protocol to route the internal LAN segments

R2 – R3 – R4
 router eigrp 111
  network 192.168.1.0
  network 10.0.0.0
Flex VPN Spoke-to-Spoke – Spokes
Step 6. Configure the IKEv2 authorization policy so that the spoke advertises its tunnel interface address and accepts the address and route pushed by the hub

R2 – R3 – R4

 ! 6A. IKEv2 authorization policy used for the configuration exchange with the peers
 aaa new-model
 aaa authorization network default local
 !
 crypto ikev2 authorization policy default
  route set interface

 ! 6B. Apply the IKEv2 authorization policy to the IKEv2 profile
 crypto ikev2 profile IKEv2-PROF
  aaa authorization group override psk list default default
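The hub and spoke steps above, consolidated into one complete spoke-to-spoke configuration. This is an added example, not a slide from the original deck. It keeps the deck's names, the 192.168.1.0/24 tunnel addressing, pool POOL-A, NHRP network-id 111 and EIGRP AS 111, and it assumes, as the spokes' tunnel destination on the slides implies, that the hub's public address is 150.5.5.1 and that Ethernet0/0 faces the Internet. Two things are changed from the slides and are assumptions of this example: the deprecated 3DES / MD5 / group 2 parameters are replaced with AES-GCM-256, a SHA-256 PRF and DH group 19, and peers are matched on an FQDN identity under an assumed example.com naming scheme instead of on a wildcard address. The pre-shared key is still one secret shared by all spokes, to stay close to the deck; since spokes authenticate each other directly for shortcut tunnels, a compromised spoke could impersonate any other, and certificate authentication is the production answer. Angle-bracket strings are placeholders.

```ios
! ---------- Common to the hub (R1) and all spokes (R2, R3, R4) ----------
crypto ikev2 proposal PROP-1
 encryption aes-gcm-256
 prf sha256
 group 19
crypto ikev2 policy POL-1
 proposal PROP-1
crypto ipsec transform-set TSET esp-gcm 256
crypto ipsec profile IPROF
 set transform-set TSET
 set ikev2-profile IKEv2-PROF
aaa new-model
aaa authorization network default local
router eigrp 111
 network 192.168.1.0
 network 10.0.0.0
!
! ---------- Hub R1 (public address 150.5.5.1, assumed) ----------
ip local pool POOL-A 192.168.1.11 192.168.1.254
crypto ikev2 keyring KR-1
 peer SPOKES
  address 0.0.0.0 0.0.0.0
  pre-shared-key <shared-spoke-secret>
crypto ikev2 authorization policy default
 pool POOL-A
 route set interface
crypto ikev2 profile IKEv2-PROF
 match identity remote fqdn domain example.com
 identity local fqdn hub.example.com
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-1
 aaa authorization group psk list default default
 virtual-template 1
interface Loopback11
 ip address 192.168.1.1 255.255.255.0
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback11
 ip nhrp network-id 111
 ip nhrp redirect
 tunnel source Ethernet0/0
 tunnel protection ipsec profile IPROF
!
! ---------- Spoke R2 (R3 and R4 identical apart from "identity local fqdn") ----------
crypto ikev2 keyring KR-1
 peer ALL
  address 0.0.0.0 0.0.0.0
  pre-shared-key <shared-spoke-secret>
crypto ikev2 authorization policy default
 route set interface
crypto ikev2 profile IKEv2-PROF
 match identity remote fqdn domain example.com
 identity local fqdn r2.example.com
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-1
 aaa authorization group psk list default default
 virtual-template 1
interface Tunnel1
 ip address negotiated
 ip nhrp network-id 111
 ip nhrp shortcut virtual-template 1
 tunnel source Ethernet0/0
 tunnel destination 150.5.5.1
 tunnel protection ipsec profile IPROF
interface Virtual-Template1 type tunnel
 ip unnumbered Tunnel1
 ip nhrp network-id 111
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 tunnel source Ethernet0/0
 tunnel protection ipsec profile IPROF
!
! ---------- Verification ----------
! show crypto ikev2 sa          hub: one SA per spoke; spoke: SA to the hub plus one per active shortcut peer
! show ip nhrp                  spoke: entries learned from the hub's redirect and the resolution reply
! show ip route <remote LAN>    spoke: next hop moves from Tunnel1 (via hub) to a Virtual-Access interface
! show crypto session detail    FQDN identities and SA uptime for every peer
```

Start traffic between two spoke LANs and watch the route for the remote LAN on the sending spoke: it first points out Tunnel1 through the hub, then, once the hub's redirect has triggered a shortcut, out a Virtual-Access interface straight to the other spoke. The spoke template carries "ip nhrp shortcut" and "ip nhrp redirect" as well so that a spoke which is itself relaying traffic for a third spoke can hand off to a direct path.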