Table of Contents
FlexVPN is a flexible and scalable Virtual Private Network (VPN) solution. The Static Virtual Tunnel Interface (SVTI) VPN model that the CGR 1000 used previously required explicit management of tunnel endpoints and associated routes, which is not scalable. FlexVPN simplifies the deployment of VPNs by providing a unified VPN framework that is compatible with legacy VPN technologies.
- Based on open standards-based IKEv2 security technology
- Integrates various topologies and VPN functions under one framework
- Can coexist with previous VPN configurations
- Allows use of a single tunnel for both IPv4 and IPv6
- Uses virtual interfaces, which allow per-spoke features such as firewalls, ACLs, and QoS
- Supports static and dynamic routing
- Minimizes configuration by using IKEv2 Smart Defaults (see the “Default Settings” section)
- IP Security (IPsec)—A framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPsec provides these security services at the IP layer. IPsec uses Internet Key Exchange (IKE) to handle negotiation of protocols and algorithms based on the local policy, and generate the encryption and authentication keys to be used by IPsec. IPsec can be used to protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.
- Internet Key Exchange Version 2 (IKEv2)—A key exchange protocol that provides authentication of IPsec peers, negotiates IPsec security associations, and establishes IPsec keys.
For more information about supported standards and component technologies, see the “Supported Standards for Use with IKE” section in the “Configuring Internet Key Exchange for IPsec VPNs” module in the Internet Key Exchange for IPsec VPNs Configuration Guide, Cisco IOS Release 15M&T.
- Site-to-site—Basic IKEv2 configuration between two sites
- Hub-to-spoke—Multiple routers connected to a hub router using virtual access interfaces and P2P tunnels. In this configuration, the CGR 1000 functions as a client (spoke).
- IKEv2 initiator—An IKE peer that initiates an IKE exchange.
- IKEv2 responder—An IKE peer that responds to a request for an IKE exchange.
- IKEv2 Name Mangler—Used to derive the username for IKEv2 authorization and obtain the AAA preshared key from the peer IKE identity.
- AAA-based pre-shared key—Shared secret stored on a RADIUS server.
- IKEv2 Authorization—Provides policy for authenticated session.
- Config-mode—Allows IKE peers to exchange configuration information such as IP addresses and subnets. The IKEv2 authorization is the source of the config-mode data.
The CGR 1000 supports the IKEv2 FlexVPN client feature. Functioning as the FlexVPN client (spoke) in a hub-and-spoke configuration, the CGR 1000 establishes a secure IPsec VPN tunnel to a FlexVPN server such as the Cisco ASR 1000 Series Router. Each FlexVPN client is associated with a unique tunnel interface, which implies that the IPsec security association (SA) retrieved by the specific FlexVPN client is bound to the tunnel interface.
- GRE encapsulation support that allows IPv4/IPv6 over IPv4 /IPv6
- Dynamic routing protocol support
- Route exchange through config-mode
- Dynamic BGP peering through config-mode
- Backup Gateways
- Dial backup
- Split DNS
- Learning Peer Networks
For more information about the FlexVPN client and related features, see the section Information About the FlexVPN Client in the FlexVPN and Internet Key Exchange Version 2 Configuration Guide, Cisco IOS Release 15M&T.
To configure FlexVPN, you should be familiar with the concepts and tasks in the documents listed in the “Related Documents” section.
- You cannot configure an option that is not supported on a specific platform. For example, in a security protocol, the capability of the hardware-crypto engine is important, and you cannot specify the Triple Data Encryption Standard (3DES) or the Advanced Encryption Standard (AES) type of encryption transform in a nonexportable image, or specify an encryption algorithm that a crypto engine does not support.
- Security threats, as well as the cryptographic technologies to help protect against them, are constantly changing. For more information about the latest Cisco cryptographic recommendations, see the Next Generation Encryption white paper.
- If your network is live, make sure that you understand the potential impact of any command.
- CGR 1000 performance may degrade when the following encryption algorithms are used because they are supported only using the software-crypto engine: DES, 3DES, SEAL, MD5, and GMAC.
- Secure Sockets Layer VPN (SSLVPN) is not supported.
For more information about smart defaults, see the “IKEv2 Smart Defaults” section in the “Information About Internet Key Exchange Version 2” module in the FlexVPN and Internet Key Exchange Version 2 Configuration Guide, Cisco IOS Release 15M&T.
This section lists the tasks in the FlexVPN and Internet Key Exchange Version 2 Configuration Guide, Cisco IOS Release 15M&T required to configure FlexVPN site-to-site and FlexVPN client.
To configure FlexVPN site-to-site, perform these tasks in the section How to Configure Internet Key Exchange Version 2 in the FlexVPN and Internet Key Exchange Version 2 Configuration Guide, Cisco IOS Release 15M&T :
To configure the FlexVPN client, perform these tasks in the How to Configure the FlexVPN Client section in the FlexVPN and Internet Key Exchange Version 2 Configuration Guide, Cisco IOS Release 15M&T :
Note With the Smart Defaults feature, a default configuration is displayed in the corresponding show command with default as a keyword and with no argument. For example, the show crypto ikev2 proposal default command displays the default IKEv2 proposal, and the show crypto ikev2 proposal command displays the default IKEv2 proposal, along with any user-configured proposals.
See the following sections in the FlexVPN and Internet Key Exchange Version 2 Configuration Guide, Cisco IOS Release 15M&T for configuration examples:
For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html .
Subscribe to What’s New in Cisco Product Documentation , which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.This document is to be used in conjunction with the documents listed in the “Related Documents” section.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks . Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.