Large customers deploying IPsec VPN over IP networks face the high complexity and high cost of deploying multiple types of VPN to meet different connectivity requirements. Customers often have to learn several VPN technologies to manage and operate different networks, and once a technology is selected for a deployment, migrating or adding functionality to enhance the VPN is often avoided. FlexVPN was created to simplify the deployment of VPNs, to address the complexity of multiple solutions, and to serve as a unified ecosystem covering all types of VPN: remote access, teleworker, site to site, mobility, managed security services, and others. See Figure 1.
Figure 1. Typical Cisco IOS FlexVPN Deployment
• Transport network: FlexVPN can be deployed either over the public Internet or over a private Multiprotocol Label Switching (MPLS) VPN network.
• Deployment style: Designed to concentrate both site-to-site and remote-access VPNs, a single FlexVPN deployment can accept both types of connection request at the same time.
• Failover redundancy: Three different kinds of redundancy model can be implemented with FlexVPN:
– Dynamic routing protocols (such as Open Shortest Path First [OSPF], Enhanced Interior Gateway Routing Protocol [EIGRP], Border Gateway Protocol [BGP]) over FlexVPN tunnels. Path/head-end selection is based on dynamic routing metrics.
– IKEv2-based dynamic route distribution and server clustering.
– IPsec/IKEv2 active/standby stateful failover between two chassis (available in the future).
• Third-party compatibility: As the IT world transitions to cloud- and mobile-based computing, more and more VPN routers and VPN endpoints from different vendors are required. The Cisco IOS FlexVPN solution provides compatibility with any IKEv2-based third-party VPN vendors, including native VPN clients from Apple iOS and Android devices.
• IP Multicast support: FlexVPN natively supports IP Multicast in two ways:
– FlexVPN hub router replicates IP Multicast packets for each spoke.
– If the transport network supports native IP Multicast, the FlexVPN hub router can choose to have the transport network do multicast packet replication after IPsec encryption (available in the future).
• Superior quality of service (QoS): The architecture of Cisco IOS FlexVPN allows hierarchical QoS to be integrated on a per-tunnel or per-SA (security association) basis:
– Per-tunnel QoS for each spoke at the FlexVPN hub router.
– Per-tunnel QoS dynamically applied to direct traffic between spokes (available in the future).
• Centralized policy control: VPN dynamic policies such as split-tunnel policy, encryption network policy, Virtual Route Forwarding (VRF) selection, Domain Name System (DNS) server (for remote access), and so on can be fully integrated with the authentication, authorization, and accounting (AAA)/RADIUS server and applied on a per-peer basis.
• VRF awareness: The Cisco IOS FlexVPN solution can be fully integrated with MPLS VPN networks for service-provider deployments. Both inside VRF and front-door VRF are supported. The inside VRF assignment policy can be managed by the centralized AAA server.
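The following FlexVPN hub configuration is an illustration added here; it is not taken from the data sheet or from any Cisco configuration guide. It shows how the IKEv2 profile, the virtual-template interface and an IKEv2 authorization policy fit together so that per-peer policy (address pool and the IKEv2-based route exchange described above) is pushed to each spoke; all names (FLEX-AAA, FLEX-POOL, FLEX-HUB, FLEX-IPSEC, the addresses and the key placeholder) are assumptions.

```cisco
! Constructed FlexVPN hub example; profile, pool and interface names are assumed.
aaa new-model
aaa authorization network FLEX-AAA local
!
! Addresses assigned to spokes and remote-access clients via IKEv2 config mode
ip local pool FLEX-POOL 10.255.0.1 10.255.0.254
!
! Prefixes announced to each peer through IKEv2 route exchange (no IGP needed)
ip access-list standard FLEX-ROUTES
 permit 10.10.0.0 0.0.255.255
!
! Per-peer policy. Pointing the AAA list at a RADIUS group instead of 'local'
! lets the same attributes (pool, routes, VRF) come from the central AAA server.
crypto ikev2 authorization policy FLEX-AUTHZ
 pool FLEX-POOL
 route set interface
 route set access-list FLEX-ROUTES
!
crypto ikev2 keyring FLEX-KEYS
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key REPLACE-WITH-STRONG-KEY
!
! One profile accepts every IKEv2 peer that authenticates with the keyring
crypto ikev2 profile FLEX-HUB
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local FLEX-KEYS
 aaa authorization group psk list FLEX-AAA FLEX-AUTHZ
 virtual-template 1
!
crypto ipsec profile FLEX-IPSEC
 set ikev2-profile FLEX-HUB
!
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
!
! Each accepted session is cloned from this template into its own
! virtual-access interface, so routing, QoS and VRF apply per peer.
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
```

Once a spoke connects, `show crypto ikev2 sa` and `show ip route` on the hub should show the session and the routes installed through IKEv2 toward the new virtual-access interface.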
Table 1. Platform Support
• Cisco IOS FlexVPN Configuration Guide: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/15-2mt/sec-flex-vpn-15-2mt-book.html
• Cisco IOS Software 15.2M/T Release Notes: http://www.cisco.com/en/US/partner/docs/ios/15_2m_and_t/release/notes/15_2m_and_t.html
• Cisco IOS FlexVPN Command References (look under Security and VPN): http://www.cisco.com/en/US/partner/products/ps11746/prod_command_reference_list.html
• IPsec VPN Design: http://www.ciscopress.com/bookstore/product.asp?isbn=1587051117