an overview of site-to-site cisco vpn...

Nisha Kuruvilla – Network Consulting Engineer, Advanced Services

Hector Mendoza – Solutions Integration Architect, Advanced Services

Session BRKSEC-1050

An Overview of Site-to-Site Cisco VPN Technologies

• VPN Technology Positioning

• SVTI, DVTI, DMVPN, GETVPN, and FlexVPN

• Technology Overview

• Why select said technology given network requirements

• Configuration

• Advantages/Disadvantages

• Additional Points to Consider

• Summary

Agenda

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public

VPN Technology Positioning

Public Cloud

Private Cloud

Connected Vehicle

(IoT use-case)

ATM (Remote Access

use-case)

Desktop and Mobile clients

(Remote Access use-case)Branch B (Site-to Site use-case)

Branch A (Site-to Site use-case)

DC/Headquarters

Spoke A

Spoke B

ASR 1000CSR 1000V

ISR

ISR

RA Software ClientsRA client

RA Hardware Client

Internet MPLS

Secure

Access

MPLS

Group

Member

Group

Member

Hub /

Group Member

Key Server

DMVPN Hub-Spoke

DMVPN Spoke-Spoke

GETVPN Control Plane

GETVPN Data Plane

FlexVPN

SSLVPN / FlexVPN BRKSEC-1050 4

Virtual Tunnel Interface (VTI)


Virtual Tunnel Interface

• IPsec in tunnel mode between VPN peers

• Simplifies VPN configuration by eliminating crypto maps, access control lists (ACLs), and Generic Router Encapsulation (GRE)

• Uses IOS tunnels, virtual interfaces and crypto socket infrastructure

• There are 2 types of VTI – static VTI and dynamic VTI (Enhanced Easy VPN)

• Simplifies VPN design:

• 1:1 relationship between tunnels and sites with a dedicated logical interface using SVTI

• Virtual template spawns virtual access interfaces for remote access connections using DVTI

• More scalable alternative to GRE

• VTI can support Quality of Service (QoS), multicast, and other routing functions that previously required GRE

• Limited VPN interoperability support with non-Cisco platforms

BRKSEC-1050 6


Static VTI

Statically configured tunnel via ‘tunnel mode ipsec ipv4/ipv6’ and tunnel protection

Always up – IPsec tunnel initiated via configuration and not by traffic

Interface state tied to underlying crypto socket state (IPsec SA)

Can initiate and accept only one IPsec SA per VTI, using ‘any any’ proxylocal ident (add/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

remote ident (add/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

Routing determines traffic to be protected – any packet forwarded to tunnel interface is protected

IPsec SA re-keyed even in the absence of any traffic

BRKSEC-1050 7


Partner’s Configurationcrypto map VPN 10 ipsec-isakmpset peer 1.1.1.2set transform-set TSET match address 100

access-list 100 permit gre host 1.1.1.1 host 1.1.1.2

interface Tunnel0ip address 10.1.1.1 255.255.255.0tunnel source 1.1.1.1tunnel destination 1.1.1.2

interface Ethernet0/0ip address 1.1.1.1 255.255.255.0crypto map VPN

Solution #1crypto ipsec profile TPset transform-set TSET

interface Tunnel0ip address 10.1.1.2 255.255.255.0tunnel source 1.1.1.2tunnel destination 1.1.1.1tunnel protection ipsec profile TP

Solution #2crypto ipsec profile TPset transform-set TSET

interface Tunnel0ip address 10.1.1.2 255.255.255.0tunnel source 1.1.1.2tunnel mode ipsec ipv4tunnel destination 1.1.1.1tunnel protection ipsec profile TP

Possibilities

A. Solution #1B. Solution #2C. Solutions #1 & #2D. None of the Above

What makes a SVTI a SVTI?

8


SVTI Configuration

crypto isakmp policy 1authentication pre-shareencr aes

crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0

crypto ipsec transform-set TSET esp-aes esp-sha-hmac

crypto ipsec profile TPset transform-set TSET

interface Tunnel0

ip address 192.168.100.1 255.255.255.0tunnel source FastEthernet0/0tunnel destination 1.1.1.2tunnel mode ipsec ipv4tunnel protection ipsec profile TP

ip route 192.168.2.0 255.255.255.0 Tunnel0

IPSec Static Virtual Tunnel Interfaces

.1

..

.1

192.168.100.0/30192.168.2.0/24

192.168.1.0/24

crypto isakmp policy 1authentication pre-shareencr aes



crypto ipsec profile TPset transform-set TSET

interface Tunnel0

ip address 192.168.100.2 255.255.255.0tunnel source FastEthernet0/0tunnel destination 1.1.1.1tunnel mode ipsec ipv4tunnel protection ipsec profile TP

ip route 192.168.1.0 255.255.255.0 Tunnel0

BRKSEC-1050 9


When do you use it

Used with site-to-site VPNs – to provide always-on traffic protection

Need for routing protocols and/or multicast traffic to be protected by IPsec tunnel

Eliminates the need of GRE

Need for QoS, firewall, or other security services on a per tunnel basis

Target Deployment: 2 - 50 sites with point to point connectivity and Cisco and Non-Cisco interoperability

BRKSEC-1050 10


SVTIAdvantages

• Support for IGP dynamic routing protocol over the VPN (EIGRP, OSPF, etc.)

• Support for multicast

• Application of features such as NAT, ACLs, and QoS and apply them to clear-text or encrypted text

• Simpler configuration

• IPsec sessions not tied to any interface

Disadvantages

• No support for non-IP protocols

• Limited support for multi-vendor

• IPsec stateful failover not available

• Similar scaling properties of IPsec and GRE over IPsec

• Only tunnel mode

BRKSEC-1050 11


Dynamic VTI

Replaces dynamic crypto maps

Requires minimal configuration

Created on an incoming IPsec tunnel request

Dynamically instantiated IPsec virtual-access interface (not configurable) cloned from a pre-defined virtual-template

Interface state tied to underlying crypto socket state (IPSec SA)

Can support multiple IPSec SAs per DVTI

Routes to client subnets are added using Reverse Route Injection (RRI)

Avoids the need for a routing protocol and hence scales better

BRKSEC-1050 12


Dynamic VTI

Mainly used as Enhanced Easy VPN server for terminating• Enhanced Easy VPN Remote

• Legacy Easy VPN Remote

Easy VPN Remote supports 3 modes of operation• client mode

• network extension mode

• network extension plus mode

A single DVTI can terminate tunnels using static VTIs or crypto map

Can only terminate and cannot initiate an IPSec tunnel (except in the case of Enhanced Easy VPN Remote)

BRKSEC-1050 13


SVTI To DVTI

Crypto Head End

Branch

interface Tunnel0

ip unnumbered Loopback1

tunnel source FastEthernet0

tunnel destination 192.168.2.1

tunnel mode ipsec ipv4

tunnel protection ipsec profile VTI

192.168.2.1

crypto isakmp profile

interface Virtual-Template n

interface Virtual-Access nData Plane

Control Plane

Virtual-Access interface is spawned from the Virtual-Template

tunnel protect ipsec profile …

BRKSEC-1050 14


When do you use it

• Scalable connectivity for remote-access VPNs

• Need for QoS, firewall, or other security services on a per tunnel basis

• Single touch configuration needed on hub

• No need for routing protocols as it uses reverse route injection

• Target Deployment: 50 – 10,000 sites with a hub-spoke layout and Cisco and Non-Cisco interoperability

BRKSEC-1050 15


DVTI (SVTI to DVTI)Spoke (SVTI)

crypto isakmp policy 1

encr aes

authentication pre-share

group 2

crypto isakmp key cisco123 address 0.0.0.0

crypto ipsec transform-set TSET esp-aes esp-sha-

hmac

crypto ipsec profile TP

set transform-set TSET

interface Tunnel0


tunnel source 1.1.1.2



tunnel protection ipsec profile TP

Hub (DVTI)


encr aes


group 2


crypto isakmp profile VPN

keyring default

match identity address 0.0.0.0

virtual-template 1

crypto ipsec transform-set TSET esp-aes esp-sha-

hmac



set isakmp-profile VPN

interface Virtual-Template1 type tunnel




BRKSEC-1050 16


Enhanced EasyVPN Client To Server (using DVTI)Enhanced Easy VPN remote:

crypto ipsec client ezvpn EZ

connect manual

group cisco key cisco

local-address Ethernet0/0

mode network-plus

peer 1.1.1.1

virtual-interface 1

xauth userid mode interactive

!




interface Ethernet0/0

ip address 1.1.1.3 255.255.255.0


!


ip address 192.168.3.1 255.255.255.0

crypto ipsec client ezvpn EZ inside

Enhanced Easy VPN server:

crypto isakmp client configuration group cisco

key cisco

dns 192.168.1.10

pool VPNPOOL

acl 101


match identity group cisco

isakmp authorization list default

client configuration address respond

virtual-template 1

crypto ipsec transform-set TSET esp-3des esp-

sha-hmac








BRKSEC-1050 17


DVTI (SVTI to DVTI)

18BRKSEC-1050

172.16.0.0/24.1

1.1.1.1

.254

17

2.1

6.2

.0/2

4Spoke

Hub

Spoke (SVTI)


encr aes


group 2





interface Tunnel0


tunnel source 1.1.1.2




Hub (DVTI)


encr aes


group 2



keyring default

match identity address 0.0.0.0

virtual-template 1










Enhanced EasyVPN Client To Server (using DVTI)

19BRKSEC-1050

192.168.1.0/24.1

1.1.1.1

.254

19

2.1

68.3

.0/2

4Spoke

Hub

Enhanced Easy VPN remote:


connect manual

group cisco key cisco

local-address Ethernet0/0

mode network-plus

peer 1.1.1.1

virtual-interface 1

xauth userid mode interactive

!





ip address 1.1.1.3 255.255.255.0


!


ip address 192.168.3.1 255.255.255.0

crypto ipsec client ezvpn EZ inside

Enhanced Easy VPN server:


key cisco

dns 192.168.1.10

pool VPNPOOL

acl 101



isakmp authorization list default


virtual-template 1

crypto ipsec transform-set TSET esp-3des esp-sha-hmac









DVTI

Advantages

• Simple configuration of headend once and done

• Scalable

• Support for IGP dynamic routing protocol over the VPN

• Support for IP multicast

• Support for per-branch QoS and traffic shaping

• Centralized Policy Push (Easy VPN)

• Support for x-auth (Easy VPN)

• Cross platform support

• IPsec sessions not tied to any interface

Disadvantages

• Requires ip unnumbered


• No direct spoke to spoke communication

• No IPsec stateful failover

BRKSEC-1050 20

Dynamic Multipoint VPN (DMVPN)


What is Dynamic Multipoint VPN?

22BRKSEC-1050

DMVPN is a Cisco IOS software solution

for building IPsec+GRE VPNs in an

easy, dynamic and scalable manner

• Configuration reduction and no-touch deployment

• Dynamic spoke-spoke tunnels for partial/full mesh scaling

• Can be used without IPsec Encryption (optional)

• Wide variety of network designs and options


SECURE ON-DEMAND TUNNELS

Dynamic Multipoint VPN (DMVPN)

• Branch spoke sites establish an IPsec tunnel to and register with the hub site

• IP routing exchanges prefix information for each site

• BGP or EIGRP are typically used for scalability

• With WAN interface IP address as the tunnel address,

provider network does not need to route customer internal

IP prefixes

• Data traffic flows over the DMVPN tunnels

• When traffic flows between spoke sites, the hub assists the spokes to establish a site-to-site tunnel

• Per-tunnel QOS is applied to prevent hub site oversubscription to spoke sites

23BRKSEC-1050

Branch 2

Traditional Static Tunnels

DMVPN On-Demand Tunnels

Static Known IP Addresses

Dynamic Unknown IP Addresses

Branch 1

Hub

IPsecVPN

Branch n


DMVPN Components

• Next Hop Resolution Protocol (NHRP)

• Creates a distributed (NHRP) mapping database of all the spoke’s tunnel to real (public interface) addresses

• Multipoint GRE Tunnel Interface (mGRE)

• Single GRE interface to support multiple GRE/IPsec tunnels

• Simplifies size and complexity of configuration

• IPsec tunnel protection

• Dynamically creates and applies encryption policies (optional)

• Routing

• Dynamic advertisement of branch networks; almost all routing protocols (EIGRP, RIP, OSPF, BGP, ODR) are supported

24BRKSEC-1050


What Triggers:

• IPsec integrated with DMVPN, but not required

• Packets Encapsulated in GRE, then Encrypted with IPsec• Both IKEv1 (ISAKMP) and IKEv2 supported

•

•

NHRP controls the tunnels, IPsec does encryption

Bringing up a tunnel

• NHRP signals IPsec to setup encryption

•

• ISAKMP/IKEv2 authenticates peer, generates SAs

• IPsec responds to NHRP and the tunnel is activated

• All NHRP and data traffic is Encrypted

Bringing down a tunnel

• NHRP signals IPsec to tear down tunnel

•

• IPsec can signal NHRP if encryption is cleared or lost

ISAKMP/IKEv2 Keepalives monitor state of spoke-spoke and spoke-hub tunnels

BRKSEC-1050 25


DMVPN How it works

• Spokes build a dynamic permanent GRE/IPsec tunnel to the hub, but not to other spokes. They register as clients of the NHRP server (hub)

• When a spoke needs to send a packet to a destination (private) subnet behind another spoke, it queries via NHRP for the real (outside) address of the destination spoke

• Now the originating spoke can initiate a dynamic GRE/IPsec tunnel to the target spoke (because it knows the peer address)

• The dynamic spoke-to-spoke tunnel is built over the mGRE interface

• When traffic ceases then the spoke-to-spoke tunnel is removed

BRKSEC-1050 26


“Static” Spoke-Hub, Hub-Hub Tunnels

• GRE, NHRP and IPsec configuration• p-pGRE or mGRE on spokes; mGRE on hubs

• NHRP registration• Dynamically addressed spokes (DHCP, NAT,…)

• Data traffic on spoke-hub tunnels• All traffic for hub-and-spoke only networks

• Spoke-spoke traffic while building spoke-spoke tunnels

BRKSEC-1050 27


Dynamic Spoke-Spoke Tunnels

• GRE, NHRP and IPsec configuration• mGRE on both hub and spokes

• Spoke-spoke unicast data traffic• Reduced load on hubs

• Reduced latency

• Single IPsec encrypt/decrypt

• On demand tunnel - created when needed

• NHRP resolutions and redirects• Find NHRP mappings for spoke-spoke tunnels

BRKSEC-1050 28


Terminology

Hub 1

Spoke 1

Hub 2

Spoke 2

192.168.101.0/24 192.168.102.0/24

192.168.1.0/24 192.168.2.0/24

Tunnel: 10.0.0.101

Physical: 172.16.101.1

Tunnel: 10.0.0.102

Physical: 172.16.102.1

Tunnel: 10.0.0.1

Physical: 172.16.1.1

Tunnel: 10.0.0.2


Overlay Addresses

Transport Network Overlay Network

NBMA Address

GRE/IPsec

Tunnels

Core Network

192.168.128.0/17

Tunnel Address

BRKSEC-1050 29


DMVPN Tunnel Establishment Steps

1. Spokes build a dynamic permanent GRE/IPsec tunnel to the hub (NHRP server) and are registered as NHRP clients

2. Active-Active redundancy model—two or more hubs per spoke

3. All hubs are active and routing neighbors with spokes

4. Routing protocol routes are used to determine traffic forwarding

5. When a spoke needs to send a packet to a destination (private) subnet behind another spoke, it queries via NHRP for the real (outside) address of the destination spoke

6. Originating spoke can initiate a dynamic GRE/IPsec tunnel to the target spoke (because it knows the peer outside address)

7. The dynamic spoke-to-spoke tunnel is built over the mGRE interface

8. When traffic ceases then the spoke-to-spoke tunnel is removed

DUAL DMVPN DESIGN

Single mGRE tunnel on Hub, two mGRE tunnels on Spokes

192.168.0.0/24


Tunnel1: 10.0.1.1


Tunnel0: 10.0.0.1

Physical: (dynamic)

Tunnel0: 10.0.0.12

Tunnel1: 10.0.1.12

192.168.2.0/24

.1

Physical: (dynamic)

Tunnel0: 10.0.0.11

Tunnel1: 10.0.1.11

.1

192.168.1.0 /24

.1

192.168.X.0 /24

BRKSEC-1050 30


DMVPN Phases

Phase 1 – 12.2(13)TPhase 2 – 12.3(4)T

(Phase 1 +)

Phase 3 – 12.4.(6)T

(Phase 2 +)

• Hub and spoke functionality

• p-pGRE interface on spokes, mGRE on hubs

• Simplified and smaller configuration on hubs

• Support dynamically addressed CPEs (NAT)

• Support for routing protocols and multicast

• Spokes don’t need full routing table – can summarize on hubs

• Spoke to spoke functionality

• mGRE interface on spokes

• Direct spoke to spoke data traffic reduces load on hubs

• Hubs must interconnect in daisy-chain

• Spoke must have full routing table – no summarization

• Spoke-spoke tunnel triggered by spoke itself

• Routing protocol limitations

• More network designs and greater scaling

• Same Spoke to Hub ratio

• No hub daisy-chain

• Spokes don’t need full routing table – can summarize

• Spoke-spoke tunnel triggered by hubs

• Remove routing protocol limitations

• NHRP routes/next-hops in RIB (15.2(1)T)

BRKSEC-1050 31


DMVPN – Phase3

Spoke A

192.168.1.1/24

192.168.2.1/24


Tunnel0: 10.0.0.1

Spoke B

Physical: (dynamic)

Tunnel0: 10.0.0.11

Physical: (dynamic)

Tunnel0: 10.0.0.12

192.168.0.1/24

172.16.1.1

172.16.2.1

Data packet

NHRP Redirect

NHRP Resolution

BRKSEC-1050 32


Basic DMVPN Designs

• Hub-and-spoke – Order(n)• Spoke-to-spoke traffic via hub

• Phase 1: Hub bandwidth and CPU limit VPN

• SLB: Many “identical” hubs; increases CPU power and bandwidth limits

• Spoke-to-spoke – Order(n) « Order(n2)• Control traffic; Hub and spoke; Hub to hub

• Phase 2: (single)

• Phase 3: (hierarchical)

• Unicast Data traffic; Dynamic mesh• Spoke routers support spoke-hub and spoke-spoke tunnels currently in use.

• Hub supports spoke-hub traffic and overflow from spoke-spoke traffic.

• Network Virtualization

BRKSEC-1050 33


Basic DMVPN Designs

Single DMVPN Dual Hub

Single mGRE tunnel on all nodes

= Dynamic Spoke-to-spoke

192.168.2.0/24

.1

192.168.1.0/24

.1

192.168.0.0/24.2 .1


Tunnel0: 10.0.0.1

Physical: (dynamic)

Tunnel0: 10.0.0.11

Physical: (dynamic)

Tunnel0: 10.0.0.12


Tunnel0: 10.0.0.2

Spoke A

Spoke B

. . .

Dual DMVPN Single Hub

Single mGRE tunnel on Hub,

two p-pGRE tunnels on Spokes

192.168.1.0 /24

192.168.2.0/24

192.168.0.0/24.2 .1

Spoke A

Spoke B


Tunnel0: 10.0.0.1Physical: 172.17.0.5

Tunnel0: 10.0.1.1

Physical: (dynamic)

Tunnel0: 10.0.0.11

Tunnel1: 10.0.1.11

Physical: (dynamic)

Tunnel0: 10.0.0.12

Tunnel1: 10.0.1.12

.1

.1

BRKSEC-1050 34


Multiple DMVPNs versus Single DMVPN

• Multiple DMVPNs

• Best for Hub-and-spoke only• Easier to manipulate RP metrics between DMVPNs for Load-sharing

• EIGRP – Route tags, Delay; iBGP – Communities, MED; OSPF – Cost

• Performance Routing (PfR) selects between interfaces

• Load-balancing over multiple ISPs (physical paths)• Load-balance data flows over tunnels Better statistical load-balancing

• Single DMVPN

• Best for spoke-spoke DMVPN

• Can only build spoke-spoke within a DMVPN not between DMVPNs*• Slightly more difficult to manipulate RP metrics within DMVPN for Load-sharing

• EIGRP – Route tags, delay; iBGP – Communities, MED; OSPF – Can’t do

• Load-balancing over multiple ISPs (physical paths)• Load-balance tunnel destinations over physical paths Worse statistical load-balancing

BRKSEC-1050 35


DMVPN Combination Designs

Spoke-to-hub tunnels

Spoke-to-spoke tunnels

Retail/Franchise



Spoke-hub-hub-spoke

tunnel

Dual ISP

ISP

2

ISP

1

BRKSEC-1050 36


DMVPN Combination Designs (cont)



Hub-to-hub tunnel

Server Load Balancing



Hierarchical

BRKSEC-1050 37


Quick review: Virtual Routing/Forwarding

• Router maintains separate L3 forwarding information for eachVRF instance (RIB, FIB, routing protocols)

• Two variants: VRF with MPLS, and VRF-Lite

• Each interface belongs to a single VRF

• For “ip unnumbered”, referenced interface must belong to the same VRF

• If no VRF specified, interface belongs to the global VRF

• VRF definition and assignment:

Old CLI: New CLI:

38BRKSEC-1050

ip vrf red

rd 1:1

!


ip vrf forwarding red

ip address 10.0.0.1 255.255.255.0

vrf definition red

rd 1:1

address-family ipv4

exit-address-family

!


vrf forwarding red

ip address 10.0.0.1 255.255.255.0


Quick review: forwarding & tunneling with VRF-LiteBlue RIB/FIB Global RIB/FIBRed RIB/FIB

Routing Routing Routing

interface Eth0/0

vrf forwarding blue

!

interface Eth0/1

vrf forwarding blue

interface Eth1/0

vrf forwarding red

!

interface Eth1/1

! no VRF = global

!

interface Tunnel1

vrf forwarding red

tunnel source Eth1/1

Eth0/0 Eth0/1 Eth1/0 Eth1/1

Tunnel1

interface Eth2/0

vrf forwarding red

!

interface Eth2/1

vrf forwarding orange

!

interface Tunnel2

vrf forwarding red

tunnel vrf orange

tunnel source Eth2/1Inside VRF (iVRF)

Front VRF

(fVRF)

Orange RIB/FIBRed RIB/FIB

Routing Routing

Eth2/0 Eth2/1

Tunnel2

iVRF

BRKSEC-1050 39


DMVPN virtualization with VRF-Lite

• Tunnel interface can be part of only one iVRF one DMVPN Tunnel per iVRF needed

• Spokes can be single-tenant or multi-tenant(single-tenant not necessarily VRF-aware)

• Spoke-spoke direct communication

• One pair of IPsec SAs per peer per iVRF

Hub

Spokes

BRKSEC-1050 40


DMVPN virtualization with VRF-Lite (2)

• Convenient if only a few iVRFs

• Main drawbacks:

• Major configuration overhead if many iVRFs

• One hub-spoke routing protocol neighborship per iVRF

• Tunnel address ranges cannot overlap if hubs use theBGP Dynamic Neighbors feature to peer with spokes

• If separate authentication is needed for each DMVPN:

Different ISAKMP profiles required (different IKE credentials) Different IPsec profiles required Different source interfaces required (same source requires shared profile)

BRKSEC-1050 41


DMVPN virtualization with MPLS VPN

• Single Tunnel interface in global VRF

• MPLS VPN labels identify which iVRFthe tunneled traffic belongs to

• BGP must be used as the routing protocolbetween hubs & spokes

• Separate IKE authentication not possible

• Single pair of IPsec SAs per peer

Hub

Spokes

BRKSEC-1050 42


• Tunnel interface in global, not part of any customer VRF

• Hub and spokes act as PE routers, exchange VRF prefixes over MBGP

• mGRE Tunnel creates a back-to-back connection spoke LSR is the penultimate hop only the VPN label is pushed

• LDP still required for a supported design

Tunnel0

10.0.0.1/24

Tunnel0

10.0.0.101/24

VRF blue Spoke1

(PE)Hub1

(PE)

VRF red

MBGP

VRF blue

VRF red

Global VRF

192.168.11.11 192.168.12.12

192.168.11.11 192.168.12.12

Label: 16

GRE (protocol: 0x8847)

IPsec (ESP transport mode)

172.16.1.1 172.16.101.1 192.168.11.11 192.168.12.12

VPNv4 prefix from Hub1:red:192.168.0.0/16 label 16

BRKSEC-1050 43


DMVPN Network Virtualization Designs2547oDMVPN

VRF-A tunnels

VRF-B tunnels

VRF-A to VRF-B Path (optional)

VRF-lite

VRF-A tunnels

VRF-B tunnels

VRF-A/B Tunnels

BRKSEC-1050 44


Where use VRF’s• Either technique (iVRF or fVRF) is used to allow you to have two or more different routing tables to seperate the routing

of GRE+IPSecpackets from the routing of data IP packets. You can use both at the same time. These techniques can be used for various deployment purposes:

•

Allow dynamic spoke-spoke tunnels when doing non-split-tunneling.

• Separate routing of IPsec+GRE packets from data IP packets to protect against forwarding loops through the tunnel interface (tunnel destination learned via the tunnel interface).

• When using two ISPs being able to lock a GRE tunnel to one outside physical interface. Allows load balancing over both ISPs when having to use a different tunnel source address for each ISP.

• Allow DMVPN hub (or spoke) to be behind an MPLS network where, GRE+IPsec packets come in on an MPLS VPN.

• Allow DMVPN hub to feed into an MPLS VPN. Data IP packets need be tagged to go into MPLS on the inside physical interface.

• Allow an ISP to use one DMVPN hub router to support multiple customers and keep the customer's data IP packets and routing tables separate.

BRKSEC-1050 45


Intelligent WAN Deployment Models

Dual MPLS

Internet

Highest SLA guarantees

– Tightly coupled to SP

ẋ Expensive

Public

MPLS

Branch

MPLS

Hybrid

More BW for key applications

Balanced SLA guarantees

– Moderately priced

PublicEnterprise

Branch

MPLS+

Internet

Dual Internet

Consistent VPN Overlay Enables Security Across Transition

Best price/performance

Most SP flexibility

– Enterprise responsible for SLAs

Internet

Branch

Enterprise Public

BRKSEC-1050 47


Intelligent WAN Solution

Internet

Branch

3G/4G-LTE

AVC

MPLS

PrivateCloud

VirtualPrivateCloud

PublicCloudWAAS PfR

Application Optimization

• Application visibility with

performance monitoring

• Application acceleration

and bandwidth

optimization

Secure Connectivity

• Certified strong encryption

• Comprehensive threat

defense

• Cloud Web Security for

secure direct Internet access

Intelligent Path Control

• Dynamic Application best

path based on policy

• Load balancing for full

utilization of bandwidth

• Improved network

availability

TransportIndependent

• Consistent operational model

• Simple provider migrations

• Scalable and modular design

• IPsec routing overlay design

BRKSEC-1050 48


Simplifies WAN DesignDynamic Full-Meshed

ConnectivityProven Robust Security

IWAN with DMVPN (Flexible Secure WAN Design Over Any Transport)

SecureFlexible

• Easy multi-homing over any carrier service offering

• Single routing control plane with minimal peering to the provider

• Consistent design over all transports

• Automatic site-to-site IPsec tunnels

• Zero-touch hub configuration for new spokes

• Certified crypto and firewall for compliance

• Scalable design with high-performance cryptography in hardware

ISR-G2

WAN

Internet

MPLSASR 1000

ASR 1000

Transport-Independent

Data CenterBranch

BRKSEC-1050 49


Other Features**

• IPv6 and DMVPN:

• IPv6 as overlay and transport is supported

• Dual-stack: IPv6 & IPv4 data packets over the same mGRE tunnel(Phase 3 designs only)

• Per-tunnel QoS (Spoke-Hub, Hub-Spoke and Spoke-Spoke, IPv4 and IPv6), Adaptive QoS

• Multicast (Spoke- Hub)

• TrustSec DMVPN Inline Tagging Support (only with IKEv2)

• Hub and /or Spokes can be behind NAT devices

NAT: BRKSEC-1050 50


Routing

• Supports all routing protocols, except ISIS• Best routing protocols are EIGRP and BGP• Hubs are routing neighbors with spokes and other hubs

• Spokes are only routing neighbors with hubs, not with other

spokes

BRKSEC-1050 51


Platform Support

• IOS :3800, 2800, 1800, 870, 7200(G1), 7200(G2, VSA)

3900(E), 2900, 1900, 890, 880

• IOS-XE : ASR1k, CSR1000v, ISR 4k

BRKSEC-1050 52


Hub Configurationcrypto isakmp policy 1

encr aes


group 2



mode transport



interface Tunnel

ip address 10.0.0.1 255.255.255.0

no ip redirects

ip nhrp authentication cisco

ip nhrp map multicast dynamic

ip nhrp network-id 1111

ip nhrp redirect

tunnel key 10

no ip split-horizon eigrp 10

ip summary-address eigrp 10 192.168.0.0 255.255.0.0

tunnel source FastEthernet0/0

tunnel mode gre multipoint


Phase I and Phase II

NHRP with IPSec

BRKSEC-1050 53


Spoke Configurationcrypto isakmp policy 1

encr aes


group 2



mode transport



interface Tunnel

ip address 10.0.0.2 255.255.255.0

no ip redirect

ip nhrp authentication cisco

ip nhrp map 10.0.0.1 172.17.0.1

ip nhrp map multicast 172.17.0.1


ip nhrp nhs 10.0.0.1

ip nhrp shortcut

tunnel key 10

tunnel source FastEthernet0/0




NHRP with IPSec

BRKSEC-1050 54


DMVPNAdvantages

• Dynamic partial or full mesh tunnels

• IP multicast support

• Supports dynamic routing protocols over the hub-and-spoke

• Supported on all Cisco IOS/IOS-XE router platforms

• IWAN Support

• Simplifies and shortens configurations

• Per tunnel QoS possible

• SGT (secure group tagging) with IKEv2

• Cisco Prime Management

Disadvantages


• IGP routing peers tend to limit the design scalability

• No interoperability with non-Cisco platforms or Cisco ASA

• Some added complexity with configuration and troubleshooting of DMVPN

• Multicast replication done on the Hub

BRKSEC-1050 55

Group Encrypted Transport VPN (GETVPN)


Tunnel-Less VPN - A New Security Model

• Scalability—an issue (N^2 problem)

• Overlay routing

• Any-to-any instant connectivity can’t be done to scale

• Limited QoS

• Inefficient Multicast replication

WAN

Multicast

Before: IPsec Point-to-Point Tunnels After: Tunnel-Less VPN

• Scalable architecture for any-to-any connectivity and encryption

• No overlays—native routing

• Any-to-any instant connectivity

• Enhanced QoS

• Efficient Multicast replication

BRKSEC-1050 57


Cisco Group Encrypted Transport (GET) VPN

Cisco GET VPN delivers a revolutionary solution for tunnel-less, any-to-any branch confidential communications

• Large-scale any-to-any encrypted communications

• Native routing without tunnel overlay

• Native Multicast support -improves application performance

• Transport agnostic - private LAN/WAN, IP, MPLS

Any-to-Any Connectivity

Real TimeScalable

Any-to-AnyConnectivity

Cisco GET

VPN

BRKSEC-1050 58


Header PreservationIPSec Tunnel Mode vs. GETVPN

IP Packet

IP PayloadIP HeaderIPSecTunnel Mode

ESPNew IP Header

IP PayloadIP Header

IPSec header inserted by VPN Gateway New IP Address requires overlay routing

IP Packet

IP PayloadIP HeaderESPPreserved HeaderGETVPN

IP PayloadIP Header

IP header preserved by VPN Gateway Preserved IP Address uses original routing plane

BRKSEC-1050 59


When should it be used?

• Securing an already secure network

• Efficient secure multicast traffic

• Deploying voice or similar collaborative

applications requiring any-to-any encryption

• Encrypting IP packets over satellite links

BRKSEC-1050 60


Main Components of GETVPN

• GDOI (Group Domain of Interpretation,RFC 6407)

• Cryptographic protocol for group key management

• Key Servers (KS’s)

• IOS devices responsible for creating /maintaining control plane

• Distributing keys to the group members

• Group Members (GM’s)

• IOS devices used for encryption/decryption

• Group Security Associations

• Tunnel-less Network

• No Peer-to-Peer Tunnel required

• IPsec SAs shared by GM’s

• IP Address Preservation

• Original IP Address preservedBRKSEC-1050 61


GDOI Reuses IKE on UDP 848

• IPsec Negotiations with GDOI (GETVPN)- Follows the IKE Phase 1

GDOI defines a Re-key exchange for subsequent key updates

– Can use multicast for efficiency

GDOI Rekey

IKE Phase 1

GDOI Registration/Download IPsec SAs

Key

ServerGroup

Member

Key

Server

Group

Member

• Peer to Peer IPsec negotiation:IKE Phase 1

IKE Phase 2/IPsec SAsIPSec Peer

IPSec Peer

BRKSEC-1050 62


How does it work?• Group Members (GM’s) “register” via GDOI with the Key Server (KS)

• KS authenticates & authorizes the GM’s

• KS returns a set of IPsec SA’s for the GM’s to use

GM1

GM2

GM3 GM4

GM5

GM6

GM7GM8

GM9 KS

BRKSEC-1050 63


How does it work? (cont’d) Data Plane Encryption

• GM’s exchange encrypted traffic using the group keys

• Traffic uses IPSec Tunnel Mode with “address preservation”

GM1

GM2

GM3

GM4

GM5

GM6

GM7GM8

GM9 KS

BRKSEC-1050 64


How does it work? (cont’d)• Periodic Rekey of Keys

• KS pushes out replacement IPsec keys before current IPsec keys expire

• Unicast rekey or Multicast rekey

GM1

GM2

GM3 GM4

GM5

GM6

GM7GM8

GM9 KS

BRKSEC-1050 65


Cooperative Key Servers - Redundancy

• A list of trusted key servers

• Manages common set of keys and security policies for GM’s

GM 1

GM 3

Subnet 1

Subnet 4

Subnet 2

Subnet 3

GM 4

GM 2

Cooperative KS3

Cooperative KS1

IP Network

Cooperative KS2

BRKSEC-1050 66


Group Security Elements

Group

Member

Group

Member

Group

Member

Group

Member

Key Servers

Routing

Members

Key Encryption Key (KEK)

Traffic Encryption Key

(TEK)

Group Policy

RFC3547:

Group Domain of

Interpretation (GDOI)

Proprietary: KS Cooperative

Protocol

BRKSEC-1050 67


Policy Management – ACL

Permit ACL’s can only be pushed from KS

Deny ACL’s can be configured locally on GM or pushed from KS

Local GM ACL has precedence over downloaded KS ACL

IP

KS

GM

GM

GM

GM

10.0.1.0/24

10.0.2.0/24

10.0.3.0/24

Permit: Any-Any

Deny: Link Local

Deny: Link Local

INET

BRKSEC-1050 68


Design Application

• If for, Internet based environments, GETVPN can be deployed with DMVPN

• LISP as the overlay

• Native Multicast

BRKSEC-1050 69


Other Features**

• Supports Dual Stack (IPv4 and IPv6)

• VRF aware (Data and control (GDOI) plane)

• TrustSec Inline Tagging Support

• NAT

• IKEv2 (G-IKEv2)

** Note: Version Dependent

BRKSEC-1050 70


Platforms Supported

Key Server Group Member

ASR 1k, 7200,ISR-G2 (39xx,

29xx, 19xx), ISR 4k

ASR 1k,7200,39xx, 29xx, 19xx,

87x,88x,89x

Note: The same device cannot be a GM and KS

BRKSEC-1050 71



!


encr aes


!


!

crypto ipsec profile GETVPN


!

access-list 150 permit ip any host 225.1.1.1

!

access-list 160 deny eigrp any any

access-list 160 deny pim any any

access-list 160 deny udp any any eq 848

access-list 160 permit ip any any

KS Configuration


ACL defining encryption domain

BRKSEC-1050 72


crypto gdoi group GETVPN

identity number 1234

server local

!rekey address ipv4 150 !

rekey lifetime seconds 14400

rekey retransmit 10 number 2

rekey authentication mypubkey rsa GETVPN

rekey transport unicast

sa ipsec 1

profile GETVPN

match address ipv4 160

address ipv4 1.1.1.1

redundancy

local priority 10

peer address ipv4 1.1.1.2

!

Encryption ACL

GDOI Group ID

Source address for rekeys

Rekey Properties

KS Configuration (Cont.)

BRKSEC-1050 73


GM Configuration crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0

!


encr aes


!

crypto gdoi group getvpn1

identity number 1234

server address ipv4 1.1.1.1

!

crypto map GETVPN 10 gdoi

set group getvpn1

!

interface FastEthernet0/0

crypto map GETVPN

GDOI Config and Applying

to Interface

Phase I parameters

BRKSEC-1050 74


GETVPNAdvantages

• Any-to-Any large scale (Site-to-Site)

• Multicast replication in IP WAN network

• Route Distribution Model + Stateful

• Group Protection

• Address Preservation - hence works well with QoS and traffic engineering

• SGT support

Disadvantages

• Suited for private IP network infrastructure

• Does not support non-IP protocols

• Cisco routers only

BRKSEC-1050 75


• Extend LANs over WAN

• Consume services from a centralized location

• Prevent man-in-the-middle attacks

• Data confidentiality

• Any-to-Any connectivity

Hub-Spoke + Spoke-Spoke Solutions

Choose GETVPN When

• On-demand spoke-spoke tunnels

• IKEv1 or IKEv2

• Distributed Policy Management and Pair-wise keys

• Branch-to-HQ and Branch-to-Branch connectivity

• Transport: Internet or multiple transport types (IP, MPLS) co-exist

• Separation of customer and provider routing domains

• Support for NAT-T

• Any-to-Any and Tunnel-less

• G-IKEv1 or G-IKEv2

• Centralized Policy Management and Group Keys

• Transport type: MPLS or Private WAN

• Native multicast replication

Problem Statement – Customer Needs Choose DMVPN When

BRKSEC-1050 76


Hub-Spoke + Spoke-Spoke VPN Solutions Components and Services Interaction

Technology Overlay TypeKey

Management

PfRv

3AVC WAAS QoS

DMVPN mGRE Tunnel Pair-wise Yes Yes Yes Adaptive

Per-Tunnel

GETVPN LISP Tunnel-

less

Group Keys N/A Yes Yes Egress-Interface

• PfRv3 works only with DMVPN (single routing domain)

• PfRv3 does not work with GETVPN

• Customers can continue to deploy GETVPN with LISP (WAN) or without LISP (private WAN)

BRKSEC-1050 77

FlexVPN


Flex VPN Overview• IKEv2 based unified VPN that combines site-to-site, remote-access, hub-spoke

and spoke-spoke topologies

• FlexVPN combines multiple frameworks into a single, comprehensive set of CLI and binds it together offering more flexibility and a means to extend functionality in the future

• FlexVPN offers a simple but modular framework that extensively uses the tunnel interface paradigm

• IKEv2 is a major protocol update

• IWAN NOT supported

BRKSEC-1050 79


VPN Technology Selection

Failover time

Failure detection method

Hub & Spoke

Spoke – Spoke Direct

Dynamic Routing

Route Injection

Per peer ACL’s

Multi-ISP Homing

Multi-Hub Homing

AAA Manageability

IPv4/IPv6 dual stack

Crypto Map or Tunnels

3rd party and legacy

support

QoS support

Scalability

High Availability

Dual DMVPN

Feature order

Multicast

Solution vs Components

Design complexity

Death by a thousand questions…

BRKSEC-1050 80


EasyVPN, DMVPN and Crypto Mapscrypto isakmp client configuration group cisco

key cisco123

pool dvti

acl 100

crypto isakmp profile dvti


client authentication list lvpn

isakmp authorization list lvpn


virtual-template 1

crypto ipsec transform-set dvti esp-3des esp-sha-hmac

crypto ipsec profile dvti

set transform-set dvti

set isakmp-profile dvti


ip unnumbered Ethernet0/0


tunnel protection ipsec profile dvti

ip local pool dvti 192.168.2.1 192.168.2.2

ip route 0.0.0.0 0.0.0.0 10.0.0.2

access-list 100 permit ip 192.168.1.0 0.0.0.255 any

crypto ipsec transform-set vpn-ts-set esp-3des esp-sha-hmac

mode transport

crypto ipsec profile vpnprofile

set transform-set vpn-ts-set

interface Tunnel0

ip address 10.0.0.254 255.255.255.0

ip nhrp map multicast dynamic


tunnel source Serial1/0


tunnel protection ipsec profile vpnprof


key pr3sh@r3dk3y

pool vpnpool

acl 110

crypto ipsec transform-set vpn-ts-set esp-3des esp-sha-hmac

crypto dynamic-map dynamicmap 10

set transform-set vpn-ts-set

reverse-route

crypto map client-vpn-map client authentication list userauthen

crypto map client-vpn-map isakmp authorization list groupauthor

crypto map client-vpn-map client configuration address initiate

crypto map client-vpn-map client configuration address respond

crypto map client-vpn-map 10 ipsec-isakmp dynamic dynamicmap

interface FastEthernet0/0

ip address 83.137.194.62 255.255.255.240

crypto map client-vpn-map

ip local pool vpnpool 10.10.1.1 10.10.1.254

access-list 110 permit ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255

BRKSEC-1050 81


Benefits of FlexVPN

• You can run Flex along all your previous IPsec VPNs. Most scenarios will allow coexistence of previous configuration and Flex

• Based on IKEv2 and not IKEv1, which improves almost all aspects of negotiation and protocol stability

• Using GRE over IPsec or VTI as encapsulation. GRE allows you to run almost anything over it. IPsec provides security for payload

• Utilizing virtual interfaces - allowing per-spoke features like firewall, QoS, ACLs, etc

• Remote access server and client (software and hardware) - similar to EZVPN

• Dynamic spoke to spoke tunnels - similar to DMVPN

• Ease of configuration by using built-in defaults - no longer will you need to define policies, transform sets etc.

BRKSEC-1050 82


When do you use it

Customer requires IKEv2 features

Customer desires to build site-to-site, remote-access, hub-spoke and spoke-spoke topologies utilizing a unified CLI

Large Scale deployment (of spoke to spoke and hub and spoke)

Customer wishes to reduce learning curve of implementing multiple different types of VPN connectivity

• Target Deployment: 50 – 10,000 sites with a hub-spoke layout and Cisco and Non-Cisco interoperability, IoT

BRKSEC-1050 83


IKEv2IKEv1

Comparing IKEv1 & IKEv2

NAT-T

DPD ISAKMP

RFC 2408

IPSec DOI

RFC 2407

IKE

RFC 2409

IKEv2

RFC 5996Mode

Config

Authentication

Integrity

Confidentiality

Suite-B

Anti-DoS

EAP Auth.

Hybrid Auth.

PSK, RSA-Sig

Cleaner Identity/Key Exchange

Uses UDP Ports 500 & 4500

Main + Aggressive INITIAL

Acknowledged Notifications

IKEv2 Redirect

RFC 5685

Childless IKEv2

RFC 6023

EAP-Only IKEv2

RFC 5998

Etc. ...

Same

Objectives

More Secure

Authentication

Options

Similar but

Different

BRKSEC-1050 84


Key Differentiators

IKEv1 IKEv2

Auth messages 6 max Open ended

First IPsec SA 9 msgs min ~ 4-6 msgs min

Authentication pubkey-sig, pubkey-encr, PSK Pubkey-sig, PSK, EAP

Anti-DOS Never worked Works!

IKE rekey Requires re-auth (expensive) No re-auth

Notifies Fire & Forget Acknowledged

BRKSEC-1050 85


IKEv2 Exchange Overview

IKE_SA_INIT

IKE_AUTH

CREATE_CHILD_SA

IKEv2 Security Association (SA) establishment (proposal selection, key exchange)

Mutual authentication & identity exchange

Initial IPSec SAs establishment

Certificate exchange (optional)

Configuration exchange (optional)

Additional IPSec SAs establishment

IKEv2 & IPSec SA rekey

INFORMATIONAL

Initiator (I) Responder (R)

Can be (I R) with ACK or (R I) with ACK

Notifications (SA deletion, liveness check, ...)

Configuration exchange (one or both ways)

BRKSEC-1050 86


IKEv2 Configuration Exchange

IKE_AUTHInitiator (RA client) requests configuration parameters from responder (RA server).

Initiator (I) Responder (R)

CFG_REQUEST

CFG_REPLY

CFG_SET

INFORMATIONAL

CFG_ACK

CFG_SET

INFORMATIONAL

CFG_ACK

Initiator and/or responder sends unsolicited configuration parameters to its peer.

I would like:

an IPv6 address

a DNS & WINS server

a list of protected IPv6 subnets

Your assigned IPv6 address is ...

Your DNS server is ...

There is no WINS server

My protected IPv6 subnets are ...

My local IPv6 protected subnets are ...

Acknowledged

Derived from peer authorization

Derived from peer authorization

BRKSEC-1050 87


IKEv2 CLI Overviewcrypto ikev2 proposal PROP-1

encryption aes-cbc-128 3des

integrity sha1

group 2

!

crypto ikev2 policy SITE-POLICY

proposal prop-1

!

crypto ikev2 keyring V2-KEYRING

peer cisco

address 10.0.1.1

pre-shared-key local CISCO

pre-shared-key remote OCSIC

!

crypto ikev2 authorization policy AUTH-POLICY

route set interface

route accept any

IKEv2 Proposal

IKEv2 Policy binds Proposal to

peer

Keyring supports asymmetric

PSK’s

IKEv2 Authorization Policy

(contains attributes for local AAA

& config. exchange)

BRKSEC-1050 88


crypto ikev2 profile default

identity local address 10.0.0.1

[identity local fqdn local.cisco.com]

[identity local email [email protected]]

[identity local dn]

match identity remote address 10.0.1.1

match identity remote fqdn remote.cisco.com

match identity remote fqdn domain cisco.com

match identity remote email [email protected]

match identity remote email domain cisco.com

match certificate certificate_map

match fvrf red

match address local 172.168.1.1

authentication local pre-share

[authentication local rsa-sig]

[authentication local eap]

authentication remote pre-share

authentication remote rsa-sig

authentication remote eap

keyring local IOSKeyring

keyring aaa AAAlist

pki trustpoint <trustpoint_name>

IKEv2 CLI OverviewIKEv2 Profile – Extensive CLI

Match on peer IKE identity

or certificate

Match on local address and

frontVRF

Self Identity Control

Asymmetric local & remote

authentication methods

Local and AAA-based

Pre-Shared Keyring

Only one local method allowed

Multiple remote methods allowed

Only one local identity allowed

Multiple “match identity” allowed

BRKSEC-1050 89

mailto:[email protected]

mailto:[email protected]


IKEv2 CLI Overview IPsec – no further change

crypto ipsec transform-set TS esp-aes 128 esp-sha-hmac

!

crypto ipsec profile IPSEC-PROFILE

set transform-set TS

set crypto ikev2 profile IKEV2-PROFILE

!



tunnel source Ethernet0/0


tunnel protection ipsec profile IPSEC-PROFILE

interface Tunnel0

ip address 10.0.0.1 255.255.255.252



tunnel protection ipsec profile IPSEC-PROFILE

IPsec profile points to

IKEv2 profile

Tunnel protection

links IPsec to tunnel

BRKSEC-1050 90


Introducing Smart Defaults

• Intelligent, reconfigurable defaults

• Pre-existing constructs:

• crypto ikev2 proposal• AES-CBC 256, 192,128 , 3DES / SHA-512,384,256, SHA-1, MD5 / group 5, 2

• crypto ikev2 policy (match any)

• crypto ipsec transform-set (AES-128, 3DES / SHA, MD5)

• crypto ipsec profile default (default transform set, ikev2 profile default)

• Only an IKEv2 profile called “default” needs to be created



authentication local rsa-sig

authentication remote rsa-sig

pki trustpoint TP

!

interface Tunnel0

ip address 192.168.0.1 255.255.255.252

tunnel protection ipsec profile default

Example full configusing smart defaults

BRKSEC-1050 91


Reconfigurable Defaults

• All defaults can be modified, deactivated and restored

• Default proposals pre-configured

• for IKEv2

• for IPsec

• Modifying defaults

default crypto ikev2 proposal

default crypto ipsec transform-set Restoring defaults

crypto ikev2 proposal default

encryption aes-cbc-128

hash md5

crypto ipsec transform-set default aes-cbc 256 sha-

hmac

Disabling defaults no crypto ikev2 proposal default

no crypto ipsec transform-set default

BRKSEC-1050 92


Building Block – IKEv2 Name Mangler

• Start with the peer’s IKE or EAP identity

• Derive a username that is meaningful to AAA (local or RADIUS)

IKEv2 Exchange

RA Client Identity

IKEv2 Name Mangler

AAA Username: joe

RADIUS AAA Request

Username: joe, password: cisco

Local AAA Request

Username: joe

crypto ikev2 name-mangler extract-user

fqdn hostname

email username

dn common-name

eap prefix delimiter @

FQDN: joe.cisco.com

Email: [email protected]

DN: cn=joe,ou=IT,o=Cisco

EAP: joe@cisco

Static password

(configurable)

RA ClientIKEv2 InitiatorRADIUS Client

FlexVPN ServerIKEv2 Responder

RADIUS NAS

AAA ServerRADIUS Server

BRKSEC-1050 93


FlexVPN and AAA

• IKEv2 communicates with IOS AAA subsystem

• Local database (IKEv2 Authorization Policy)

• Remote database (RADIUS)

• Protocols in play: IKEv2, RADIUS, EAP

• AAA-based authentication:

• Pre-shared keys stored on RADIUS server

• EAP over IKEv2 & RADIUS

• Authorization:

• Implicit authorization (re-uses attributes received during authentication)

• Explicit authorization (local or remote, group- & user-level)

• Accounting

Authentication, Authorization & Accounting

aaa new-model

aaa author network local-db local

aaa author network remote-db group radius

AAA list name

BRKSEC-1050 94


Authorization TypesNot mutually exclusive – May be combined

Implicit User Authorization

Explicit User Authorization

Explicit Group Authorization


aaa authorization user {psk|eap} cached


aaa authorization user {psk|eap|cert} list list [name | name-mangler mangler]


aaa authorization group {psk|eap|cert} [override] list list [name | name-mangler mangler]

Uses cached attributes received from RADIUS during AAA PSK retrieval or EAP authentication

Retrieves user attributes from RADIUS (local database not supported)

Retrieves group attributes from RADIUS or local database

RADIUS (Access-Accept)

Local PSK = cisco!

Remote PSK = !ocsic

Other user attributes for joe

Reverse order of precedence (group > user)

Cached for

authorization

BRKSEC-1050 95


Attributes – Merging

Cached User Attributes

Explicit User Attributes

Merged User Attributes

Explicit Group Attributes

Final Merged Attributes

Attribute Value

Framed-IP-Address 10.0.0.101

ipsec:dns-servers 10.2.2.2

Attribute Value


Attribute Value



Attribute Value


ipsec:banner Welcome !

Attribute Value



ipsec:banner Welcome !

Merged User Attributes take precedenceexcept if “group override” configured

Explicit User Attributes take precedence

FlexVPN Server AAA ServerReceived during

AAA-based authentication

Received during explicit

user authorization

Received during explicit

group authorization

BRKSEC-1050 96


Modular Building Blocks

Tunneling Authentication

Method

Tunnel Config Config Mode

Source

GRE/IPsec Certificate Static Local config

Pure IPsec Pre-shared Key Dynamic RADIUS

EAP (initiator) crypto map Hybrid

Security policy & routing

IKEv2 “routing”

BGP

Static routes

Reverse-Route Injection

EIGRP or anything else!

BRKSEC-1050 97


Site-to-Site Use Cases

• FlexVPN Site-to-Site Configuration using Crypto Maps

• FlexVPN Site-to-Site SVTI-SVTI Configuration using Digital Certificates

• FlexVPN Site-to-Site IPv6 over IPv4 using GRE Encapsulation (in reference slides)

• FlexVPN Hub & Spoke DVTI-SVTI using IKEv2 Routing

• FlexVPN Hub & Spoke using Flex Client

• FlexVPN Dynamic Spoke to Spoke

• MPLS over FlexVPN

BRKSEC-1050 98


FlexVPN Site-to-Site Configuration using Crypto Maps

crypto ikev2 keyring ASApeer ASAaddress 1.1.1.2pre-shared-key cisco

crypto ikev2 profile PROFmatch identity remote address 1.1.1.2 255.255.255.255 authentication local pre-shareauthentication remote pre-sharekeyring ASA


crypto map VPN 10 ipsec-isakmpset peer 1.1.1.2set transform-set TSET set ikev2-profile PROFmatch address CRYPTOACL

ip access-list extended CRYPTOACLpermit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

ip route 0.0.0.0 0.0.0.0 1.1.1.2

crypto ipsec ikev2 ipsec-proposal IPROPprotocol esp encryption aesprotocol esp integrity sha-1

crypto map VPN 10 match address CRYPTOACLcrypto map VPN 10 set peer 1.1.1.1 crypto map VPN 10 set ikev2 ipsec-proposal IPROPcrypto map VPN interface outside

crypto ikev2 policy 1encryption aesintegrity shagroup 5prf sha

crypto ikev2 enable outside

tunnel-group 1.1.1.1 type ipsec-l2ltunnel-group 1.1.1.1 ipsec-attributesikev2 remote-authentication pre-shared-key ciscoikev2 local-authentication pre-shared-key cisco

access-list CRYPTOACL extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

route outside 192.168.1.0 255.255.255.0 1.1.1.1 1

1.1.1.21.1.1.1

19

2.1

68.2

.0/2

4

19

2.1

68.1

.0/2

4

Just a string

Peer address

CM references IKEv2

Profile

ASA requires local-

authentication

BRKSEC-1050 99


FlexVPN Site-to-Site SVTI-SVTI Configuration using Digital Certificates

crypto pki trustpoint PKIenrollment url http://1.1.1.1:80serial-numbersubject-name cn=hub.cisco.comrevocation-check none

crypto pki certificate map CERTMAP 10subject-name co spoke1.cisco.com

crypto ikev2 profile defaultmatch certificate CERTMAPidentity local dnauthentication remote rsa-sigauthentication local rsa-sigpki trustpoint PKIdpd 10 2 on-demand

interface Tunnel0ip address 10.1.1.1 255.255.255.252tunnel source FastEthernet0/0tunnel mode ipsec ipv4tunnel destination 1.1.1.2tunnel protection ipsec profile default

ip route 192.168.2.0 255.255.255.0 Tunnel0

crypto pki trustpoint PKIenrollment url http://1.1.1.1:80serial-numbersubject-name cn=spoke1.cisco.comrevocation-check none

crypto pki certificate map CERTMAP 10subject-name co hub.cisco.com

crypto ikev2 profile defaultmatch certificate CERTMAPidentity local dnauthentication remote rsa-sigauthentication local rsa-sigpki trustpoint PKIdpd 10 2 on-demand

interface Tunnel0ip address 10.1.1.2 255.255.255.252tunnel source FastEthernet0/0tunnel mode ipsec ipv4tunnel destination 1.1.1.1tunnel protection ipsec profile default

ip route 192.168.1.0 255.255.255.0 Tunnel0

1.1.1.21.1.1.1

19

2.1

68.2

.0/2

4

19

2.1

68.1

.0/2

4

Certificate enrollment

Certificate Map to

match peer’s identity

Could use a

routing protocol

(IGP/BGP)

Static Tunnel Static Tunnel

hub.cisco.com spoke1.cisco.com

BRKSEC-1050 100


FlexVPN Site-to-Site IPv6 over IPv4 using GRE Encapsulation

crypto ikev2 keyring KRpeer SPOKE2address 2.2.2.1pre-shared-key local CISCOpre-shared-key remote CICSO

crypto ikev2 profile defaultmatch identity remote address 2.2.2.1 255.255.255.255 authentication remote pre-shareauthentication local pre-sharekeyring local KR

interface Tunnel0ip address 10.1.1.1 255.255.255.0ipv6 address FE80::1 link-localtunnel source Ethernet0/0tunnel destination 2.2.2.1tunnel protection ipsec profile default

ip route 192.168.2.0 255.255.255.0 Tunnel0ipv6 route 2001:0:0:2::/64 Tunnel0

crypto ikev2 keyring KRpeer SPOKE1address 1.1.1.1pre-shared-key local CICSOpre-shared-key remote CISCO

crypto ikev2 profile defaultmatch identity remote address 1.1.1.1 255.255.255.255 authentication remote pre-shareauthentication local pre-sharekeyring local KR

interface Tunnel0ip address 10.1.1.2 255.255.255.0ipv6 address FE80::2 link-localtunnel source Ethernet0/0tunnel destination 1.1.1.1tunnel protection ipsec profile default

ip route 192.168.1.0 255.255.255.0 Tunnel0ipv6 route 2001:0:0:1::/64 Tunnel0

2.2.2.11.1.1.1

19

2.1

68.2

.0/2

4

20

01

:0:0

:2::

1/6

4

19

2.1

68.1

.0/2

4

20

01

:0:0

:1::

1/6

4

Asymmetric PSKs

Tunneling IPv6 over

IPv4 Tunnel

Could use a

routing protocol

(IGP/BGP)

Static Tunnel Static Tunnel

BRKSEC-1050 101


FlexVPN Hub & Spoke DVTI-SVTI using IKEv2 Routing –Network Diagram

192.168.1.0/24.1

200.1.1.2

.254

Virtual-Access Interfaces

Static Tunnel Interface

192.168.2.0/24

BRKSEC-1050 102


FlexVPN Hub & Spoke DVTI-SVTI using IKEv2 Routing –Hub configuration

192.168.1.0/24.1

aaa authorization network FLEX local

crypto ikev2 keyring SPOKESpeer ALLaddress 0.0.0.0 0.0.0.0pre-shared-key cisco123

crypto ikev2 authorization policy FLEXAUTHORpool FLEXPOOLroute set interfaceroute set access-list 99

crypto ikev2 profile defaultmatch identity remote address 0.0.0.0 authentication remote pre-shareauthentication local pre-sharekeyring local SPOKESdpd 10 2 periodicaaa authorization group psk list FLEX FLEXAUTHORvirtual-template 1

200.1.1.2

.254

19

2.1

68.2

.0/2

4

.1

IKEv2 authorization

policy named

FLEXAUTHOR

AAA authorization

method list

Creates Virtual-

Access from Virtual-

Template


ip unnumbered FastEthernet0/1


ip local pool FLEXPOOL 10.1.1.1 10.1.1.10

access-list 99 permit 192.168.0.0 0.0.255.255

IKE v2 Route

Spoke Tunnel IP Pool

SpokeHub

BRKSEC-1050 103


FlexVPN Hub & Spoke DVTI-SVTI using IKEv2 Routing –Spoke ConfigurationSpoke configuration

192.168.1.0/24.1

200.1.1.2

interface Tunnel0

ip address negotiated




aaa authorization network FLEX local

crypto ikev2 keyring HUBpeer HUBaddress 200.1.1.2pre-shared-key cisco123

crypto ikev2 authorization policy FLEXAUTHORroute set interfaceroute set access-list 99

crypto ikev2 profile defaultmatch identity remote address 200.1.1.2 255.255.255.255 authentication remote pre-shareauthentication local pre-sharekeyring local HUBdpd 10 2 periodicaaa authorization group psk list FLEX FLEXAUTHOR

access-list 99 permit 192.168.2.0 0.0.0.255

Advertising tunnel

interface IP and

192.168.2.0/24 subnet

Local Authorization

.254

19

2.1

68.2

.0/2

4

.1

IKE v2 Route

IP Address Assignment

from FLEXPOOL

SpokeHub

BRKSEC-1050 104


FlexVPN Server

• FlexVPN Server is an IKEv2 RA Server that provides the IKEv2

headend functionality for Remote Access and Hub-Spoke topologies.

• FlexVPN Server Features include

• Peer Authentication Using EAP

• Per-user Attributes allows fetching per-user session attributes from

AAA via IKEv2 authorization

• IKEv2 Multi-SA dVTI

Supported Remote Access Clients include Microsoft Windows7/8

IKEv2 Client, Cisco IKEv2 AnyConnect Client, and Cisco IOS FlexVPN

clientBRKSEC-1050 105


FlexVPN Client

• FlexVPN Client provides the IKEv2 Remote Access Client functionality

• FlexVPN Client Highlights• GRE encapsulation support that allows IPv4/IPv6 over IPv4/IPv6• Dynamic routing protocol support• Route exchange via config mode• Dynamic BGP peering

• FlexVPN Client Features

• Backup Gateways

• Dial backup

• Split DNS

• NAT

BRKSEC-1050 106


FlexVPN Hub & Spoke using Flex Client –Network Diagram

192.168.1.0/24.1

200.1.1.2

.254


Static Tunnel Interface with

FlexVPN client

192.168.2.0/24

BRKSEC-1050 107


FlexVPN Hub & Spoke using Flex Client –Hub configuration

192.168.1.0/24.1

crypto ikev2 keyring SPOKES

peer ALL

address 0.0.0.0 0.0.0.0

pre-shared-key cisco123



authentication remote pre-share

authentication local pre-share

keyring local SPOKES

dpd 10 2 periodic

virtual-template 1

200.1.1.2

.2

19

2.1

68.2

.0/2

4

.1

IKEv2 profile named

default

Wildcard PSK

Keyring

Creates Virtual-

Access from Virtual-

Template





router eigrp 1

network 192.168.1.1 0.0.0.0

IGP Routing

200.1.1.1

SpokeHub 1 Hub 2

BRKSEC-1050 108


FlexVPN Hub & Spoke using Flex Client –Spoke Configuration

192.168.1.0/24.1

200.1.1.2

interface Tunnel0ip unnumbered Ethernet0/1tunnel source Ethernet0/0tunnel destination dynamictunnel protection ipsec profile default

router eigrp 1network 192.168.1.1 0.0.0.0

crypto ikev2 keyring HUBSpeer HUB1address 200.1.1.1pre-shared-key cisco123

peer HUB2address 200.1.1.2pre-shared-key cisco123

crypto ikev2 profile defaultmatch identity remote address 0.0.0.0authentication remote pre-shareauthentication local pre-sharekeyring local HUBSdpd 10 2 periodic

crypto ikev2 client flexvpn FLEXCLIENTpeer 1 200.1.1.1peer 2 200.1.1.2client connect Tunnel0

Client FlexVPNconstruct

.2

19

2.1

68.2

.0/2

4

.1

Tunnel destination selected

from flexvpn client

200.1.1.1

SpokeHub 1 Hub 2

BRKSEC-1050 109


Spoke – Dynamic Tunnel Source/Destination192.168.1.0/24.1

200.1.1.1

track 1 ip sla 1

delay down 10 up 10

track 2 ip sla 2

delay down 10 up 10

track 3 list boolean and

object 2 not

ip sla 1

icmp-echo 200.1.1.1

frequency 5

ip sla schedule 1 life forever start-time now

ip sla 2

icmp-echo 209.1.2.2 source-interface Ethernet0/0

frequency 5

ip sla schedule 2 life forever start-time now


ip address 209.1.2.1 255.255.255.0


ip address 209.1.3.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 209.1.2.2 track 2

ip route 0.0.0.0 0.0.0.0 209.1.3.2 track 3

crypto ikev2 keyring PEERSpeer ALLaddress 0.0.0.0 0.0.0.0pre-shared-key cisco

crypto ikev2 profile PROFmatch identity remote address 0.0.0.0 authentication remote pre-shareauthentication local pre-sharekeyring local PEERSdpd 30 2 on-demand

crypto ikev2 client flexvpn FLEXCLIENTpeer 1 200.1.1.1 track 1peer 2 200.1.1.2peer reactivatesource 1 Ethernet0/0 track 2source 2 Ethernet0/1 track 3client connect Tunnel0

crypto ipsec profile defaultset ikev2-profile PROF

.2

19

2.1

68.2

.0/2

4

.1

interface Tunnel0


tunnel source dynamic

tunnel destination dynamic

tunnel protection ipsec profile

default

E0/0

E0/1200.1.1.2

BRKSEC-1050 110


FlexVPN Spoke to Spoke

FlexVPN Hub-Spoke, Spoke-Spoke• Uses sVTI/dVTI, NHRP and routing protocol

• No NHRP registrations from spokes to hub

• No GRE multipoint interface

Routing Protocol• Routing protocol run over FlexVPN hub-spoke tunnels

• Allows spokes to learn networks behind other spokes

NHRP‒ Resolves spoke overlay addresses to transport addresses

IPSec Virtual-Access Interface (VA)‒ IPSec VA created on either side, per spoke tunnel

BRKSEC-1050 111


FlexVPN Hub and Spoke – IKE Route Exchange

Physical:

Tunnel:

172.16.1.1

10.0.0.1

Physical:

Tunnel:

172.16.2.1

10.0.0.2


Tunnel: 10.0.0.254

Hub 1

.1


Tunnel: 10.0.0.253

192.168.100.0/24Hub 2

.2

Tunnel 100

Spoke 1

192.168.1.0/24

Spoke 2

192.168.2.0/24

C 192.168.1.0/24 Eth0

C 10.0.0.1 Tunnel0

S 0.0.0.0/0 Dialer0

S 10.0.0.254/32 Tunnel0

S 192.168.0.0/16 Tunnel0Routin

gTable

-

NH

RP

Table

-

NH

RP

Table

C 192.168.2.0/24 Eth0

C 10.0.0.2 Tunnel1

S 0.0.0.0/0 Dialer0

S 10.0.0.253/32 Tunnel1


gTable

C 10.0.0.254 Loopback0

C 192.168.100.0/24 Eth0

S 192.168.0.0/16 Tunnel100

S 10.0.0.0/8 Tunnel100

S 10.0.0.1 V-Access1

S 192.168.1.0/24 V-Access1

Routing

Table


C 192.168.100.0/24 Eth0

S 192.168.0.0/16 Tunnel100

S 10.0.0.0/8 Tunnel100


S 192.168.2.0/24 V-Access1

Routing

Table

BRKSEC-1050 112


FlexVPN Mesh – Indirection

Physical:

Tunnel:

172.16.1.1

10.0.0.1

Physical:

Tunnel:

172.16.2.1

10.0.0.2


Tunnel: 10.0.0.254

Hub 1

.1


Tunnel: 10.0.0.253

192.168.100.0/24Hub 2

.2

Tunnel 100

Spoke 1

192.168.1.0/24

Spoke 2

192.168.2.0/24

C 192.168.1.0/24 Eth0

C 10.0.0.1 Tunnel0

S 0.0.0.0/0 Dialer0

S 10.0.0.254/32 Tunnel0


gTable

-

NH

RP

Table

-

NH

RP

Table

C 192.168.2.0/24 Eth0

C 10.0.0.2 Tunnel1

S 0.0.0.0/0 Dialer0

S 10.0.0.253/32 Tunnel1


gTable


C 192.168.100.0/24 Eth0

S 192.168.0.0/16 Tunnel100

S 10.0.0.0/8 Tunnel100


S 192.168.1.0/24 V-Access1

Routing

Table


C 192.168.100.0/24 Eth0

S 192.168.0.0/16 Tunnel100

S 10.0.0.0/8 Tunnel100


S 192.168.2.0/24 V-Access1

Routing

Table

BRKSEC-1050 113


FlexVPN Mesh – Resolution

Physical:

Tunnel:

172.16.1.1

10.0.0.1

Physical:

Tunnel:

172.16.2.1

10.0.0.2


Tunnel: 10.0.0.254

Hub 1

.1


Tunnel: 10.0.0.253

192.168.100.0/24Hub 2

.2

Tunnel 100

Spoke 1

192.168.1.0/24

Spoke 2

192.168.2.0/24

C 192.168.1.0/24 Eth0

C 10.0.0.1 Tunnel0

S 0.0.0.0/0 Dialer0

S 10.0.0.254/32 Tunnel0

S 192.168.0.0/16 Tunnel0

H/S 10.0.0.2/32 V-Access1

H/S 192.168.2.0/24 V-Access1

Routin

gTable

10.0.0.2/32 172.16.2.1

192.168.2.0/24 172.16.2.1

NH

RP

Table

10.0.0.1 172.16.1.1

NH

RP

Table

C 192.168.2.0/24 Eth0

C 10.0.0.2 Tunnel1

S 0.0.0.0/0 Dialer0

S 10.0.0.253/32 Tunnel1

S 192.168.0.0/16 Tunnel1

H/S 10.0.0.1/32 V-Access1

Routin

gTable


C 192.168.100.0/24 Eth0

S 192.168.0.0/16 Tunnel100

S 10.0.0.0/8 Tunnel100


S 192.168.1.0/24 V-Access1

Routing

Table


C 192.168.100.0/24 Eth0

S 192.168.0.0/16 Tunnel100

S 10.0.0.0/8 Tunnel100


S 192.168.2.0/24 V-Access1

Routing

Table

Resolution

(192.168.2.2)

Resolution Reply

(192.168.2.0/24)

BRKSEC-1050 114


FlexVPN Mesh – Shortcut Forwarding

Physical:

Tunnel:

172.16.1.1

10.0.0.1

Physical:

Tunnel:

172.16.2.1

10.0.0.2


Tunnel: 10.0.0.254

Hub 1

.1


Tunnel: 10.0.0.253

192.168.100.0/24Hub 2

.2

Tunnel 100

Spoke 1

192.168.1.0/24

Spoke 2

192.168.2.0/24

C 192.168.1.0/24 Eth0

C 10.0.0.1 Tunnel0

S 0.0.0.0/0 Dialer0

S 10.0.0.254/32 Tunnel0

S 192.168.0.0/16 Tunnel0

H/S 10.0.0.2/32 V-Access1

H/S 192.168.2.0/24 V-Access1

Routin

gTable

10.0.0.2/32 172.16.2.1

192.168.2.0/24 172.16.2.1

NH

RP

Table

10.0.0.1 172.16.1.1

NH

RP

Table

C 192.168.2.0/24 Eth0

C 10.0.0.2 Tunnel1

S 0.0.0.0/0 Dialer0

S 10.0.0.253/32 Tunnel1

S 192.168.0.0/16 Tunnel1

H/S 10.0.0.1/32 V-Access1

Routin

gTable


C 192.168.100.0/24 Eth0

S 192.168.0.0/16 Tunnel100

S 10.0.0.0/8 Tunnel100


S 192.168.1.0/24 V-Access1

Routing

Table


C 192.168.100.0/24 Eth0

S 192.168.0.0/16 Tunnel100

S 10.0.0.0/8 Tunnel100


S 192.168.2.0/24 V-Access1

Routing

Table

BRKSEC-1050 115


Hub-Spoke tunnels

1. Spokes connect to hub, IPSec-VA created on hub for each spoke

2. IPSec-VAs for all spokes share network id

3. Hub learns spoke networks via routing protocol over hub-spoke tunnels

4. Hub advertizes summarized route (via hub) to all spokes

NHRP redirect

1. Spoke to spoke traffic forwarded to hub

2. Hub detects ingress and egress interfaces(IPSec-VAs) share NHRP network id

3. Hub sends NHRP traffic redirect indication to source spoke with destination spoke overlay address

FlexVPN Spoke to Spoke Protocol Flow

BRKSEC-1050 116


NHRP Resolution

1. Spoke receiving redirect initiates NHRP resolution via hub to resolve destination

spoke

2. Hub forwards resolution request to destination spoke

3. Destination spoke receives resolution request, creates VA and crypto tunnel to

source spoke

4. Destination spoke sends resolution reply over spoke-spoke direct tunnel

5. Destination spoke adds NHRP cache entry for source spoke

NHRP Shortcut

1. Source spoke receives NHRP resolution reply

2. Source spoke adds NHRP cache entry and shortcut route for destination spoke

FlexVPN Spoke to Spoke Protocol Flow

BRKSEC-1050 117


FlexVPN Spoke to Spoke – Network Diagram172.16.0.0/24.1

200.1.1.2

.254


Static Tunnel Interface


172.16.2.0/24

BRKSEC-1050 118


FlexVPN Spoke to Spoke – Hub configuration172.16.0.0/24.1


crypto ikev2 profile defaultmatch identity remote address 0.0.0.0 authentication remote pre-shareauthentication local pre-sharekeyring local SPOKESvirtual-template 1

router eigrp 100distribute-list EIGRP_SUMMARY out Virtual-Template1network 172.16.0.1 0.0.0.0redistribute static metric 1500 10 10 1 1500

ip route 172.16.0.0 255.255.0.0 Null0

ip access-list standard EIGRP_SUMMARYpermit 172.16.0.0 0.0.255.255


ip unnumbered FastEthernet0/1


ip nhrp redirect


200.1.1.2

.254

Routing via EIGRP

17

2.1

6.2

.0/2

4

Wildcard PSK

Creates Virtual-Access from Virtual-Template

IKEv2 Profile referencing Virtual-Template

SpokeHub

BRKSEC-1050 119


FlexVPN Spoke to Spoke – Spoke configuration172.16.0.0/24.1

200.1.1.2

interface Virtual-Template1 type tunnelip unnumbered FastEthernet0/1ip nhrp network-id 1ip nhrp holdtime 300ip nhrp shortcut virtual-template 1tunnel protection ipsec profile default

!!router eigrp 100network 172.16.2.1 0.0.0.0passive-interface defaultno passive-interface Tunnel0no passive-interface Ethernet0/1


crypto ikev2 profile defaultmatch identity remote address 0.0.0.0 authentication remote pre-shareauthentication local pre-sharekeyring local SPOKESvirtual-template 1

interface Tunnel0ip unnumbered FastEthernet0/1ip nhrp network-id 1ip nhrp holdtime 300ip nhrp shortcut virtual-template 1tunnel source FastEthernet0/0tunnel destination 200.1.1.2tunnel protection ipsec profile default

.254

Virtual-Template is used for

Spoke-Spoke Communication

17

2.1

6.2

.0/2

4

Shortcut switching

Tunnel0 is used for Hub-Spoke Communication

Prevent EIGRP Neighbors on VAI

SpokeHub

BRKSEC-1050 120


Summary Route Advertisement• Redistributing a static route pointing to null0 (Preferred option). This option allows to have control over summary and

redistribution without touching hub's VT configuration.

ip route 172.16.0.0 255.255.0.0 Null0

ip access-list standard EIGRP_SUMMARY

permit 172.16.0.0 0.0.255.255

router eigrp 100

distribute-list EIGRP_SUMMARY out Virtual-Template1

redistribute static metric 1500 10 10 1 1500

• DMVPN-style summary address on Virtual-template. This configuration is not recommended because of internal processing and replication of said summary to each virtual access. It is shown here for reference:

interface Virtual-Template1 type tunnel ip summary-address eigrp 100 172.16.0.0 255.255.0.0

BRKSEC-1050 121


172.16.1.254 172.16.1.253

MPLS VPN over FlexObjective: end-to-end VRF separation

.2

192.168.100.0/24

.2.1

`192.168.100.0/24

.2.1 .1

192.168.100.0/24

192.168.1.0/24

192.168.1.0/24

.1 .1 .1192.168.1.0/24

192.168.2.0/24

192.168.2.0/24

.1 .1 .1192.168.2.0/24

192.168.3.0/24

.1 .1

192.168.3.0/24

192.168.3.0/24.1

BRKSEC-1050 122


172.16.1.254 172.16.1.253

MPLS VPN over Flex

.2

192.168.100.0/24

.2.1 .2

192.168.100.0/24

.1 .1

192.168.100.0/24

Going LDP FreeHub private interface(s) in inside VRFor MPLS

Virtual-Access’ in GRT, run MPLS

Spoke tunnels run MPLS

192.168.1.0/24

192.168.1.0/24

.1 .1 .1192.168.1.0/24

192.168.2.0/24

192.168.2.0/24

.1 .1 .1192.168.2.0/24

192.168.3.0/24

.1 .1

192.168.3.0/24

192.168.3.0/24.1

Private interfaces in VRF’s

Tunnels create “back-to-back” links

LDP not needed !!

BRKSEC-1050 123


FlexVPN HW Client Redundancy Configurations

Backup Gateway IKEv2 Load Balancer Tunnel Pivot

Hub Hub

Hub HubHub

SpokeHub Hub

ISP1 ISP2

HSRPVIP

• IP SLA/track failure detection

• Multiple peer definition under

client block

• Dynamic tunnel destination

• HSRP for clustering

• IKEv2 Redirect based on

Least Loaded Gateway

• IP SLA/track failure detection

• Multiple tunnel source

definition under client block

• Dynamic tunnel source

BRKSEC-1050 124


FlexVPN Backup Peers (1)

172.16.0.1 172.16.0.2

192.168.100.0/24

.1 .2

Tunnels are set up

to a primary Hub

BRKSEC-1050 125


FlexVPN Backup Peers (2)

172.16.0.1 172.16.0.2

192.168.100.0/24

.1 .2

Hub 1 Fails

New tunnels are set up

to a backup Hub

BRKSEC-1050 126


Powerful Peer Syntaxpeer

peer

peer

peer

<n> <ip>

<n> <ip> track <x>

<n> <fqdn>

<n> <fqdn> track <x>

aaa authorization network default local


match certificate HUBMAP

fqdn Spoke1.cisco.com

remote rsa-sig

local pre-shared

identity local

authentication

authentication

keyring local

authorization group cert list default default

pki trustpoint CA

aaa

dpd 30 2 on-demand

flexvpn defaultcrypto ikev2 client

client connect tunnel 0

peer 1

peer 2

172.16.1.254

172.16.1.253

interface Tunnel0


source FastEthernet0/0tunnel

tunnel

tunnel

destination dynamic

protection ipsec profile default

FlexVPN Backup Peers (3) – Spoke Config.

To Primary Hub

To Secondary Hub

Detect Hub Failure

Nth source selected only if

corresponding track object is up

Destination

managed by

FlexVPN

Also works with Routing

Protocol

RADIUS Backup List Attribute

ipsec:ipsec-backup-gateway

Up to 10 backup gateways pushed by

config-exchange

crypto ikev2 authorization policyroute set interfaceroute set access-list 99

BRKSEC-1050 127


FlexVPN Downloadable Backup Peer List

Seq 10: Peer 1

Seq 20: Peer 2

Peer 1 is selected initially

(sequence number based)

If Peer 1 fails, Peer 2 is selected

(sequence number based)

Upon connection to Peer 2, a downloadable peer list is received

Upon failure of Peer 2, Peer 2.1 then 2.2

are selected (part of downloadable peer

list)

Downloadable list peers are used until

last downloadable list peer fails

Upon successful connection to next peer instatic list is deleted

Seq 10: Peer 2.1

Seq 20: Peer 2.2

Seq 30: Peer 3

Static Peer List (Locally Configured)

Downloadable Peer List

BRKSEC-1050 128


FlexVPN Backup – Re-activation of Primary Peer

remote1crypto ikev2 flexvpn client

peer 1 10.0.0.1 track 1

peer 2 10.0.0.2 track 2

peer 3 10.0.0.3 track 3

peer reactivate

client connect Tunnel0

!

interface Tunnel0


…

dynamictunnel destination

…

client

10.0.0.1

10.0.0.2

10.0.0.3

Tracker state (Up/Down)

ICMP-echo IP SLA probe

IPsec Tunnel

Allow re-establishing tunnel directly to preferred peer as soon as it is available again

Trackers are required for this featuretrack 1 ip sla 1 reachability

track 2 ip sla 2 reachability


BRKSEC-1050 129


FlexVPN Backup GroupsWarrant that a peer, belonging to different peer-lists in the samebackup group, is never active in multiple peer-list at a given time

ikev2 flexvpn client remote1crypto

peer

peer

peer

1 10.0.0.1

2 10.0.0.2

3 10.0.0.3

group 1

connect Tunnel0

backup

client

crypto ikev2 flexvpn client remote2

peer

peer

peer

1 10.0.0.1

2 10.0.0.2

3 10.0.0.3

group 1

connect Tunnel1

backup

client

!

interface Tunnel0


…


…

interface Tunnel1


…


…

Hub 1

Hub 2

Hub 3

Client

Tu0

Tu1

10.0.0.1

10.0.0.2

10.0.0.3

Service Provider 2

Service Provider 1

10.0.0.1 cannot be used as

already active in remote1

peer-list from same group

BRKSEC-1050 130


FlexVPN Tunnel Pivot• Use when different Service Providers are used to connect to remote host

Hub

Service Provider 2


crypto ikev2 flexvpn client remote1

peer 10.0.0.1

GigabitEthernet0/0 track 11 interface

2 interface FastEthernet2/0

source

source

client connect tunnel 0

interface Tunnel0


…

source dynamic

destination dynamic

tunnel

tunnel

…

GigE0/0

Client

FastE2/0

Tracker state (Up/Down)

ICMP-echo IP SLA probe

IPsec Tunnel

Service Provider 1

BRKSEC-1050 131


FlexVPNAdvantages

• Leverages IKEv2 Protocol

• Large Scale Hub-Spoke with dynamic spoke-

to-spoke

• VPN Concentrator for Remote Access

• Can be deployed either on public or private

networks

• Centralized Policy Management with AAA

• Failover (dynamic and IKEv2 based routing)

• Multicast

• Per-tunnel QoS at Hub

• 3rd Party Compatible

Disadvantages

• Not backward compatible with IKEv1

• Currently supported only on ISR-G2s, ASR1k,

CSR-1000v, ISR-NG (4000 series)

BRKSEC-1050 132


VPN Selection Criteria for Key Solutions

• IWAN-based deployments must use DMVPN

• IOT deployments can use either of DMVPN, GETVPN, SSLVPN, FlexVPN

Key Solutions DMVPN

(mGRE, p-p

GRE)

GETVPN

(Tunnel-less)

SSLVPN

(TLS)

Easy VPN

(IPsec

tunnels,

IKEv1)

FlexVPN

(dVTI, IKEv2)

IPsec VPN

(CM, VTI, p-

pGRE)

IOT Yes Yes Yes No Yes No

IWAN Yes N/A N/A N/A N/A N/A

DCI N/A Yes N/A N/A N/A No

MPLS-o-mGRE N/A Yes N/A N/A N/A No

MPLS-o-DMVPN Yes N/A N/A N/A N/A N/A

Yes = Supported and Recommended No = Supported but Not-Recommended

BRKSEC-1050 133


Features Standard IPsec GRE over IPsec Easy VPN/DVTI SVTI DMVPN GETVPN FlexVPN

3rd Party Compatibility x x x x x

AAA attributes support x x x

Dynamically addressed spoke

x x x x x

Dynamic Routing x x x x x x

Dynamic Spoke to Spoke tunnel

x x x

IKEv2 x x x

Public Transport x x x x x x

IPv6 x x x x x x

IP Multicast x x x x x x

NAT x x x x x x

Inline tagging (IKEv2) x x x x x x

QoS x x x x x x x

VRF x x x x x x x

IWAN x

IoT x

DCI x

Summary

134


Complete Your Online Session Evaluation

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.

• Complete your session surveys through the Cisco Live mobile app or from the Session Catalog on CiscoLive.com/us.

BRKSEC-1050 135

CiscoLive.com/Online

http://ciscolive.com/Online

http://ciscolive.com/Online

http://ciscolive.com/us

http://ciscolive.com/us


Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Lunch & Learn

• Meet the Engineer 1:1 meetings

• Related sessions

BRKSEC-1050 136

Thank you

an overview of site-to-site cisco vpn...

Documents