IOS-XE FlexVPN Client Profile

The FlexVPN client profile is an optional component configured on spoke (client) routers. It holds the settings the client uses to connect to the FlexVPN server (hub) gateway, including the following:

  • A backup gateway list of peer gateways, tried in priority order (only one peer is active at any time).
    • The list can be configured statically in the local FlexVPN client profile, pushed from the FlexVPN server (hub) through its authorisation policy, or downloaded from a AAA (RADIUS) server.
    • The tunnel destination dynamic command on the tunnel interface obtains the peer from the FlexVPN client profile gateway list.
  • If multiple WAN interfaces are required, the tunnel source dynamic command can be utilised, with the source interface obtained from the FlexVPN client profile.
    • Each source interface is assigned a priority (sequence) number and a track object.
  • Object tracking can be used to track interfaces or peers and fail over to the next peer in the backup gateway list or to the next source interface.
  • Pre-emption (peer reactivate) to reconnect to the primary peer, ensuring the highest priority peer is used whenever it is available.

Scenarios

This post will cover two common scenarios when using FlexVPN client profiles:

  • Dynamic tunnel source when using multiple WAN interfaces.
  • Dynamic tunnel destinations using a list of peer backup gateways.

Topology

The figure below represents the topology used in this post.

  • Primary peer gateway (1.1.1.1) configured as a FlexVPN hub/server, with a dynamic VTI.
  • Backup peer gateway (2.2.2.1) configured as a FlexVPN hub/server, with a dynamic VTI.
  • Spoke gateway with two WAN interfaces, primary WAN 3.3.3.1 and secondary WAN 33.33.33.1, and a static VTI.

Initial Configuration

The configuration below represents the basic FlexVPN configuration of a spoke (client) gateway: both WAN interfaces sit in the front-door VRF WAN, the IKEv2 policy and profile match on that fVRF, and the static VTI (Tunnel1) initially points at the primary hub. The FlexVPN hub (server) configuration is not covered in this post; refer to this post to configure a FlexVPN hub.

vrf definition WAN
!
interface GigabitEthernet0/0
 description ** Primary WAN interface **
 vrf forwarding WAN
 ip address 3.3.3.1 255.255.255.0
!
interface GigabitEthernet0/1
 description ** Backup WAN interface **
 vrf forwarding WAN
 ip address 33.33.33.1 255.255.255.0
!
crypto ikev2 proposal PROP
 encryption aes-gcm-128
 prf sha256
 group 19
!
crypto ikev2 policy IKEV2-POLICY
 match fvrf WAN
 proposal PROP
!
crypto ikev2 profile IKEV2-PROFILE
 match fvrf WAN
 match identity remote fqdn domain lab.local
 identity local fqdn BRANCH-2.lab.local
 authentication remote pre-share key Cisco1234
 authentication local pre-share key Cisco1234
!
crypto ikev2 dpd 10 2 on-demand
!
crypto ipsec transform-set TSET esp-gcm 256
 mode tunnel
!
crypto ipsec profile IPSEC-PROFILE
 set transform-set TSET
 set ikev2-profile IKEV2-PROFILE
!
interface Tunnel1
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.1
 tunnel vrf WAN
 tunnel protection ipsec profile IPSEC-PROFILE

Dynamic Tunnel Source

In this scenario the spoke router has multiple WAN interfaces. The FlexVPN client profile is configured with the candidate source interfaces, each assigned a unique sequence number and a track object. An interface is considered available only while its track object is in the "up" state; among the available interfaces, the one with the lowest sequence number is the most preferred and is used as the tunnel source.

A VPN will be established to the hub via the preferred primary WAN interface (Gig0/0). If that link fails, the backup interface (Gig0/1) is used to establish a tunnel to the hub. Once the preferred WAN interface (Gig0/0) is up again, the VPN automatically re-establishes via the primary WAN interface.

SLA Monitor

Create two SLA monitors that send an ICMP echo request to the peer gateway (1.1.1.1). The first SLA instance sources the ping from the primary WAN interface and the second from the secondary WAN interface; both run in VRF WAN because the WAN interfaces are in that fVRF.

ip sla 1
 icmp-echo 1.1.1.1 source-interface GigabitEthernet0/0
 vrf WAN
 timeout 6000
 frequency 6
!
ip sla schedule 1 life forever start-time now
!
ip sla 2
 icmp-echo 1.1.1.1 source-interface GigabitEthernet0/1
 vrf WAN
 timeout 6000
 frequency 6
!
ip sla schedule 2 life forever start-time now

Tracking

Create two track objects: the first tracks SLA instance 1 (primary WAN) and the second tracks SLA instance 2 (secondary WAN).

track 1 ip sla 1
track 2 ip sla 2

Tracked static routes

Configure the default route via the primary WAN next hop tied to track 1, which monitors the primary WAN. Create a second (floating) default route via the secondary WAN next hop with a higher administrative distance (250) than the primary, so it is only installed when the tracked primary route is withdrawn.

ip route vrf WAN 0.0.0.0 0.0.0.0 3.3.3.254 track 1
ip route vrf WAN 0.0.0.0 0.0.0.0 33.33.33.254 250

FlexVPN client profile

Create a FlexVPN client profile and define the following:

  • The IP address of the peer gateway (1.1.1.1).
  • The peer reactivate command, so the client fails back to the preferred (lowest sequence number) source interface once its track object is up again.
  • Each source interface with its sequence number and related track object.
  • The tunnel interface the profile controls.

crypto ikev2 client flexvpn FLEX-CLIENT
 peer 1 1.1.1.1
 peer reactivate
 source 1 GigabitEthernet0/0 track 1
 source 2 GigabitEthernet0/1 track 2
 client connect Tunnel1

Tunnel Interface

The tunnel interface is configured with tunnel source dynamic, so the source interface is selected from the FlexVPN client profile rather than being fixed, and with tunnel destination dynamic, so the peer is taken from the profile's peer list.

interface Tunnel1
 ip unnumbered Loopback0
 tunnel source dynamic
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel vrf WAN
 tunnel protection ipsec profile IPSEC-PROFILE

Verification

Once the tunnel has been established, the spoke router logs should confirm the tunnel state and the FlexVPN connection is up, as per the logs below.

*Jul  1 11:38:54.434: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
*Jul  1 11:38:54.460: %FLEXVPN-6-FLEXVPN_CONNECTION_UP: FlexVPN(CLIENT) Client_public_addr = 3.3.3.1 Server_public_addr = 1.1.1.1

From the spoke router run the command show track. The output below confirms the SLA state is "up" for both track objects, and the "Tracked by" lines confirm that track 1 is referenced by both the static default route and the FlexVPN client, while track 2 is referenced by the FlexVPN client only.

BRANCH-2#show track
!
Track 1
IP SLA 1 state
 State is Up
 3 changes, last change 01:28:44
Latest operation return code: OK
Latest RTT (millisecs) 11
Tracked by:
 Static IP Routing 0
 FlexVPN 0
!
Track 2
IP SLA 2 state
 State is Up
 3 changes, last change 01:29:04
Latest operation return code: OK
Latest RTT (millisecs) 12
Tracked by:
 FlexVPN 0

Run the command show crypto ikev2 sa. The output should confirm the IKEv2 SA is established with a local IP address of 3.3.3.1 (the Gig0/0 IP address).

To simulate a failure of the primary WAN link, shut down Gig0/0. This causes the IP SLA probe sourced from Gig0/0 to fail and track object 1 to transition to down.

*Jul  1 11:40:08.272: %SYS-5-CONFIG_I: Configured from console by console
*Jul  1 11:40:08.921: %TRACK-6-STATE: 1 ip sla 1 state Up -> Down

The FlexVPN client connection and the line protocol of interface Tunnel1 should both go down.

*Jul  1 11:40:08.935: %FLEXVPN-6-FLEXVPN_CONNECTION_DOWN: FlexVPN(CLIENT) Client_public_addr = 3.3.3.1 Server_public_addr = 1.1.1.1
*Jul  1 11:40:08.944: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
*Jul  1 11:40:09.026: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.21.0.1 (Tunnel1) is down: interface down
*Jul  1 11:40:09.147: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*Jul  1 11:40:09.157: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Shortly afterwards, the line protocol of interface Tunnel1 should come back up and the FlexVPN client should reconnect; this time the Client_public_addr is the IP address of the Gig0/1 interface. Note that the reconnection completes before the interface shutdown itself is logged, because the track object, not the link state, is what drives the failover.

*Jul  1 11:40:09.670: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
*Jul  1 11:40:09.716: %FLEXVPN-6-FLEXVPN_CONNECTION_UP: FlexVPN(CLIENT) Client_public_addr = 33.33.33.1 Server_public_addr = 1.1.1.1
*Jul  1 11:40:09.913: %LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to administratively down
*Jul  1 11:40:10.922: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down
*Jul  1 11:40:13.711: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.21.0.1 (Tunnel1) is up: new adjacency

Run the command show crypto ikev2 sa again and confirm the local IP address is now that of the Gig0/1 interface, 33.33.33.1. Bringing Gig0/0 back up should return track 1 to up and, with peer reactivate configured, move the tunnel back to 3.3.3.1.

Backup Gateways

In this scenario the spoke router has a single WAN interface and multiple peer gateways the client can connect to, although only one peer is active at any given time. The tunnel interface is configured with the tunnel destination dynamic command instead of a static peer IP address, so the destination is taken from the FlexVPN client profile. IP SLA and a track object monitor the primary peer; if the track object goes down, the client automatically fails over to the second peer defined in the FlexVPN client profile. Note that the ICMP probe only tests reachability of the hub's WAN address: a hub whose IKEv2 service has failed but still answers ping will not bring the track object down, so DPD (crypto ikev2 dpd 10 2 on-demand in the initial configuration) remains the mechanism that detects a dead IKE SA.

SLA Monitor

Create an SLA monitor to send an ICMP echo request to the primary peer IP address at regular intervals.

ip sla 1
 icmp-echo 1.1.1.1 source-interface GigabitEthernet0/0
 vrf WAN
 timeout 6000
 frequency 6
!
ip sla schedule 1 life forever start-time now

Track object

Create a track object to track the SLA instance 1.

track 1 ip sla 1

FlexVPN client profile

Create a FlexVPN client profile and define the following:

  • The IP address of the primary peer gateway (1.1.1.1), gated by track object 1.
  • The IP address of the backup peer (2.2.2.1), with no track object so it is always a candidate.
  • The peer reactivate command, which fails back to the primary peer once its track object is up again.
  • The tunnel interface the profile controls.

crypto ikev2 client flexvpn CLIENT
 peer 1 1.1.1.1 track 1
 peer 2 2.2.2.1
 peer reactivate
 client connect Tunnel1

Tunnel interface

The tunnel interface is configured with tunnel destination dynamic, which looks up the peer IP address in the FlexVPN client profile; the tunnel source stays static (Gig0/0) because there is a single WAN interface.

interface Tunnel1
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel vrf WAN
 tunnel protection ipsec profile IPSEC-PROFILE
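The selection rules used in both scenarios (the lowest sequence number wins while its track object is up, failover to the next usable candidate when a track goes down, and failback to the preferred candidate only with peer reactivate) can be modelled outside the router. The Python below is an added example, not IOS-XE code and not from the original post: track states are supplied by hand in place of IP SLA, and the interface names and peer addresses are those of the topology above.

```python
"""Model of how a FlexVPN client chooses its tunnel source and peer.

Added example, not IOS-XE code: it reproduces the selection rules the post
describes (lowest sequence number wins while its track object is up, failover
to the next usable candidate, and failback to the preferred candidate when
'peer reactivate' is configured). Track state is supplied by the caller in
place of IP SLA. Names and addresses are taken from the post's topology.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Candidate:
    seq: int               # sequence number, lower is more preferred
    value: str             # interface name or peer IP address
    track: Optional[int]   # track object gating this candidate; None = always usable

    def usable(self, tracks: Dict[int, bool]) -> bool:
        return self.track is None or tracks.get(self.track, False)


@dataclass
class FlexVpnClient:
    sources: List[Candidate]   # 'source <seq> <interface> track <n>' lines
    peers: List[Candidate]     # 'peer <seq> <ip> [track <n>]' lines
    reactivate: bool = False   # 'peer reactivate'
    active: Optional[Tuple[str, str]] = None   # (source interface, peer) in use

    def _preferred(self, cands: List[Candidate], tracks: Dict[int, bool]) -> Optional[Candidate]:
        usable = [c for c in sorted(cands, key=lambda c: c.seq) if c.usable(tracks)]
        return usable[0] if usable else None

    def _lookup(self, cands: List[Candidate], value: str) -> Candidate:
        return next(c for c in cands if c.value == value)

    def evaluate(self, tracks: Dict[int, bool]) -> Optional[Tuple[str, str]]:
        """Apply the current track states and return the (source, peer) pair
        the client should be connected with, or None if nothing is usable."""
        src = self._preferred(self.sources, tracks)
        peer = self._preferred(self.peers, tracks)
        if src is None or peer is None:
            self.active = None          # every candidate is tracked down: tunnel stays down
            return None
        preferred = (src.value, peer.value)
        if self.active is None:
            self.active = preferred     # initial connection
        elif self.active != preferred:
            cur_ok = (self._lookup(self.sources, self.active[0]).usable(tracks)
                      and self._lookup(self.peers, self.active[1]).usable(tracks))
            # forced failover if the active candidate's track is down; otherwise
            # move back to the better candidate only when 'peer reactivate' is set
            if not cur_ok or self.reactivate:
                self.active = preferred
        return self.active


# Scenario 1 from the post: two tracked WAN interfaces, a single peer.
def dynamic_source_client(reactivate: bool = True) -> FlexVpnClient:
    return FlexVpnClient(
        sources=[Candidate(1, "GigabitEthernet0/0", 1), Candidate(2, "GigabitEthernet0/1", 2)],
        peers=[Candidate(1, "1.1.1.1", None)],
        reactivate=reactivate)


# Scenario 2 from the post: static tunnel source, tracked primary peer plus a backup.
def backup_gateway_client(reactivate: bool = True) -> FlexVpnClient:
    return FlexVpnClient(
        sources=[Candidate(1, "GigabitEthernet0/0", None)],   # 'tunnel source GigabitEthernet0/0'
        peers=[Candidate(1, "1.1.1.1", 1), Candidate(2, "2.2.2.1", None)],
        reactivate=reactivate)


def walk(client: FlexVpnClient, steps: List[Dict[int, bool]]) -> List[Optional[Tuple[str, str]]]:
    """Feed a sequence of track-state snapshots and return the chosen pair after each."""
    return [client.evaluate(s) for s in steps]


if __name__ == "__main__":
    # primary up -> primary track down -> primary back up, for each scenario
    print(walk(dynamic_source_client(), [{1: True, 2: True}, {1: False, 2: True}, {1: True, 2: True}]))
    print(walk(backup_gateway_client(), [{1: True}, {1: False}, {1: True}]))
```

Running it with reactivate=False for either client shows the tunnel staying on the backup source or peer after the primary track returns, which is the behaviour to expect on a router where peer reactivate has been left out of the profile.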

Verification

Once the configuration is applied to the spoke router, confirm the tunnel is established to the primary peer by running show crypto ikev2 client flexvpn CLIENT detail. The output should show the state as ACTIVE with the current peer 1.1.1.1.

Simulate a failure of the primary peer (1.1.1.1). The spoke router logs below confirm that the EIGRP adjacency, the IP SLA track object, the FlexVPN client connection and the line protocol of the tunnel interface all go down.

*Jul  1 11:59:51.274: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.21.0.1 (Tunnel1) is down: holding time expired
*Jul  1 11:59:52.261: %TRACK-6-STATE: 1 ip sla 1 state Up -> Down
*Jul  1 11:59:52.310: %FLEXVPN-6-FLEXVPN_CONNECTION_DOWN: FlexVPN(CLIENT) Client_public_addr = 3.3.3.1 Server_public_addr = 1.1.1.1
*Jul  1 11:59:52.321: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down

Shortly afterwards the spoke router logs confirm the line protocol of the tunnel interface is up, the FlexVPN client is connected and a new EIGRP adjacency is established. Note that Server_public_addr = 2.2.2.1, the backup peer IP address, and that the EIGRP neighbour is now 172.21.0.2 rather than 172.21.0.1.

*Jul  1 11:59:53.115: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
*Jul  1 11:59:53.176: %FLEXVPN-6-FLEXVPN_CONNECTION_UP: FlexVPN(CLIENT) Client_public_addr = 3.3.3.1 Server_public_addr = 2.2.2.1
*Jul  1 11:59:56.162: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.21.0.2 (Tunnel1) is up: new adjacency

Run the command show crypto ikev2 client flexvpn CLIENT detail again and confirm the peer is now 2.2.2.1 (compared to 1.1.1.1 before simulating the failover).

Restore connectivity to the primary peer (1.1.1.1)

Once the IP SLA probe detects that the primary peer is reachable again, the peer reactivate command configured in the FlexVPN client profile causes the FlexVPN client to tear down the connection to the backup peer and re-establish the tunnel to the primary peer. This failback is itself a short outage (tunnel down, EIGRP adjacency lost, then re-established), as the logs below show.

*Jul  1 12:03:22.454: %TRACK-6-STATE: 1 ip sla 1 state Down -> Up
*Jul  1 12:03:22.481: %FLEXVPN-6-FLEXVPN_CONNECTION_DOWN: FlexVPN(CLIENT) Client_public_addr = 3.3.3.1 Server_public_addr = 2.2.2.1
*Jul  1 12:03:22.490: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
*Jul  1 12:03:22.559: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.21.0.2 (Tunnel1) is down: interface down
*Jul  1 12:03:23.388: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
*Jul  1 12:03:23.452: %FLEXVPN-6-FLEXVPN_CONNECTION_UP: FlexVPN(CLIENT) Client_public_addr = 3.3.3.1 Server_public_addr = 1.1.1.1
*Jul  1 12:03:27.258: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.21.0.1 (Tunnel1) is up: new adjacency
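The %TRACK-6-STATE and %FLEXVPN-6-FLEXVPN_CONNECTION_UP/DOWN messages shown in both verification sections are enough to reconstruct each failover from a syslog feed: which track object triggered it, which client and server addresses were in use before and after, and how long the tunnel was down. The Python below is an added example and not part of the original post; the sample log text is copied from the verification output above, the timestamp parsing assumes the default IOS-XE "*Mon dd hh:mm:ss.mmm" format without a year or timezone, and the event classification (source interface failover, peer failover, reactivate) is this example's own labelling.

```python
"""Reconstruct FlexVPN client failovers from IOS-XE syslog.

Added example, not from the post. It pairs each %FLEXVPN-6-FLEXVPN_CONNECTION_DOWN
with the next CONNECTION_UP, attributes it to the most recent %TRACK-6-STATE change,
and measures the outage. SAMPLE_LOG is copied from the post's verification output.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

SAMPLE_LOG = """\
*Jul  1 11:40:08.921: %TRACK-6-STATE: 1 ip sla 1 state Up -> Down
*Jul  1 11:40:08.935: %FLEXVPN-6-FLEXVPN_CONNECTION_DOWN: FlexVPN(CLIENT) Client_public_addr = 3.3.3.1 Server_public_addr = 1.1.1.1
*Jul  1 11:40:09.716: %FLEXVPN-6-FLEXVPN_CONNECTION_UP: FlexVPN(CLIENT) Client_public_addr = 33.33.33.1 Server_public_addr = 1.1.1.1
*Jul  1 11:59:52.261: %TRACK-6-STATE: 1 ip sla 1 state Up -> Down
*Jul  1 11:59:52.310: %FLEXVPN-6-FLEXVPN_CONNECTION_DOWN: FlexVPN(CLIENT) Client_public_addr = 3.3.3.1 Server_public_addr = 1.1.1.1
*Jul  1 11:59:53.176: %FLEXVPN-6-FLEXVPN_CONNECTION_UP: FlexVPN(CLIENT) Client_public_addr = 3.3.3.1 Server_public_addr = 2.2.2.1
*Jul  1 12:03:22.454: %TRACK-6-STATE: 1 ip sla 1 state Down -> Up
*Jul  1 12:03:22.481: %FLEXVPN-6-FLEXVPN_CONNECTION_DOWN: FlexVPN(CLIENT) Client_public_addr = 3.3.3.1 Server_public_addr = 2.2.2.1
*Jul  1 12:03:23.452: %FLEXVPN-6-FLEXVPN_CONNECTION_UP: FlexVPN(CLIENT) Client_public_addr = 3.3.3.1 Server_public_addr = 1.1.1.1
"""

# IOS-XE timestamp prefix, e.g. "*Jul  1 11:40:08.921: " (no year, no timezone)
TS_RE = r"\*(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d\.\d{3}): "
TRACK_RE = re.compile(TS_RE + r"%TRACK-6-STATE: (?P<track>\d+) .* state (?P<old>\w+) -> (?P<new>\w+)")
FLEX_RE = re.compile(TS_RE + r"%FLEXVPN-6-FLEXVPN_CONNECTION_(?P<state>UP|DOWN): FlexVPN\(CLIENT\) "
                     r"Client_public_addr = (?P<client>[\d.]+) Server_public_addr = (?P<server>[\d.]+)")


@dataclass
class Failover:
    trigger: str        # e.g. "track 1 Up -> Down", or "unknown" if no track change preceded it
    old_client: str     # Client_public_addr before / after: source interface in use
    new_client: str
    old_peer: str       # Server_public_addr before / after: peer in use
    new_peer: str
    outage_ms: int      # CONNECTION_DOWN to the following CONNECTION_UP
    kind: str


def parse_ts(text: str) -> datetime:
    # %b %d tolerates the double space in "Jul  1"; the year defaults to 1900,
    # which is harmless for differences within one day
    return datetime.strptime(text, "%b %d %H:%M:%S.%f")


def classify(trigger: str, old_client: str, new_client: str, old_peer: str, new_peer: str) -> str:
    if old_client != new_client:
        return "source interface failover"
    if old_peer != new_peer:
        # a Down -> Up track change followed by a peer change is 'peer reactivate' at work
        return "reactivate to preferred peer" if trigger.endswith("Down -> Up") else "peer failover"
    return "reconnect to same peer"


def parse_failovers(text: str) -> List[Failover]:
    events: List[Failover] = []
    last_track: Optional[str] = None
    pending_down: Optional[Tuple[datetime, str, str]] = None   # (ts, client, server) of last DOWN
    for line in text.splitlines():
        m = TRACK_RE.match(line)
        if m:
            last_track = f"track {m['track']} {m['old']} -> {m['new']}"
            continue
        m = FLEX_RE.match(line)
        if not m:
            continue        # unrelated syslog line (EIGRP, LINEPROTO, ...)
        ts = parse_ts(m["ts"])
        if m["state"] == "DOWN":
            pending_down = (ts, m["client"], m["server"])
        elif pending_down is not None:
            down_ts, old_client, old_peer = pending_down
            trigger = last_track or "unknown"
            events.append(Failover(
                trigger=trigger, old_client=old_client, new_client=m["client"],
                old_peer=old_peer, new_peer=m["server"],
                outage_ms=(ts - down_ts) // timedelta(milliseconds=1),
                kind=classify(trigger, old_client, m["client"], old_peer, m["server"])))
            pending_down, last_track = None, None
    return events


if __name__ == "__main__":
    for ev in parse_failovers(SAMPLE_LOG):
        print(f"{ev.kind}: {ev.trigger}; {ev.old_client}->{ev.new_client} via "
              f"{ev.old_peer}->{ev.new_peer}; down for {ev.outage_ms} ms")
```

Against the post's own log lines this yields three events: a source interface failover to 33.33.33.1 (781 ms outage), a peer failover to 2.2.2.1 (866 ms) and a reactivate back to 1.1.1.1 (971 ms). A CONNECTION_UP with no preceding DOWN (the initial connection) is deliberately ignored, and a DOWN never followed by an UP is left pending, which is the case worth alerting on.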