FlexVPN is a framework for configuring IPSec VPNs on Cisco IOS devices; it was created to simplify the deployment of VPN solutions of all types (Site-to-Site, Remote Access etc.) by using one common configuration template for every VPN type. FlexVPN is based on IKEv2 and does not support IKEv1.
IKEv2 Features
- IKEv2 supports the Suite B cryptographic algorithms (AES-GCM, SHA-256/SHA-384, elliptic-curve DH groups 19 and 20, ECDSA), so a FlexVPN deployment can be built on modern ciphers from the start.
- Built-in support for Dead Peer Detection (DPD) and NAT-Traversal; in IKEv1 both were extensions.
- Mitigates DoS attacks from spoofed source addresses with stateless anti-clogging cookies (see IKEv2 DoS Prevention below).
- IKEv1 main and aggressive modes are replaced by a single initial exchange pair (IKE_SA_INIT followed by IKE_AUTH); peer identities are only ever sent inside the encrypted IKE_AUTH exchange, so there is no aggressive-mode equivalent that leaks them in clear.
- Supports more authentication methods: in addition to PSK and certificates it also supports EAP authentication.
- XAUTH is not used in IKEv2; EAP is used for remote-access user authentication instead. Tunnelled EAP methods: EAP-TLS, EAP-PEAP, EAP-PSK. Non-tunnelled EAP methods: EAP-MSCHAPv2, EAP-MD5, EAP-GTC and EAP-AnyConnect. Note that EAP only authenticates the remote (client) side; when the remote peer uses EAP the local router must authenticate itself with a certificate (rsa-sig or ecdsa-sig), not a PSK.
IKEv2 Message Exchange
IKEv2 has two initial exchanges, IKE_SA_INIT and IKE_AUTH, each a single request/response pair; together they replace the IKEv1 phase 1 and phase 2 negotiations. A third exchange, CREATE_CHILD_SA, is used later for rekeying and for additional SAs.
IKE_SA_INIT
- The initial exchange, in which the peers agree an IKEv2 proposal (encryption, integrity, PRF and DH group), exchange DH public values and nonces, and derive the keys that protect the rest of the negotiation.
- Sent unencrypted, since no shared key exists yet.
- Two packets/messages, combining the information carried in IKEv1 main mode messages 1-4.
IKE_AUTH
- Once the IKE_SA_INIT exchange is complete, all subsequent messages are encrypted and integrity-protected with the keys just derived.
- Each peer authenticates the other using the method specified in its IKEv2 Profile (PSK, certificate or EAP); identities are exchanged only here.
- The first IPSec (Child) SA is negotiated inside this same exchange, so a minimal tunnel needs only four messages in total.
CREATE_CHILD_SA (Optional)
- The CREATE_CHILD_SA exchange is used when the IKE SA or one of the Child SAs needs to be re-keyed, or when an additional Child SA is required. This serves the same function as the Quick Mode exchange in IKEv1.
- Only 2 packets per exchange, but it is repeated for every re-key or new SA.
IKEv2 DoS Prevention
IKEv2 uses stateless anti-clogging cookies to protect the responder against DoS attacks from spoofed source addresses. When an IKE_SA_INIT request arrives (carrying the initiator's SPI and nonce), a responder that is under load creates no state and performs no DH computation; instead it replies with a COOKIE notification whose value is computed from the request's SPI, nonce and source address together with a responder-local secret. The initiator must resend its IKE_SA_INIT request with that cookie included, and only once the cookie verifies does the responder commit resources to the SA. A spoofed source never receives the cookie reply, so it cannot force the responder to allocate state.
The anti-clogging cookies are an optional anti-DoS mechanism. When they are used, the IKE_SA_INIT exchange grows from two to four messages. On Cisco IOS the challenge is disabled by default and is enabled with "crypto ikev2 cookie-challenge <number>", where the number is the count of half-open SAs above which the router starts challenging initiators.
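The cookie exchange described above, modelled end to end as an added example (this is not code from the page or from Cisco). Both sides are in one script: a responder that mints and verifies cookies statelessly, and an initiator that retries with the cookie. The cookie construction follows the form RFC 7296 suggests (VersionID | Hash(Ni | IPi | SPIi | secret)); the HMAC-SHA256 choice, the 16-byte truncation, the half-open threshold and the message representation are assumptions made for illustration.

```python
"""Stateless IKEv2 anti-clogging cookie exchange, modelled in Python (added example)."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumed threshold: start challenging once this many half-open SAs exist
# (the IOS knob for this is "crypto ikev2 cookie-challenge <number>").
HALF_OPEN_THRESHOLD = 2


@dataclass
class IkeSaInit:
    """The fields of an IKE_SA_INIT request that the cookie is bound to."""
    spi_i: bytes                    # initiator SPI from the IKE header
    nonce_i: bytes                  # Ni payload
    src_ip: str                     # source address as seen by the responder
    cookie: Optional[bytes] = None  # N(COOKIE) payload, absent on the first attempt


@dataclass
class Responder:
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    version: int = 1                # identifies which secret minted a cookie
    # Per-SA state keyed by initiator SPI; only populated for verified peers.
    half_open: Dict[bytes, dict] = field(default_factory=dict)

    def cookie_for(self, msg: IkeSaInit) -> bytes:
        """Cookie = <VersionID> | Hash(Ni | IPi | SPIi | <secret>), here HMAC-SHA256
        truncated to 16 bytes (lengths are assumptions). Nothing is stored."""
        mac = hmac.new(self.secret,
                       msg.nonce_i + msg.src_ip.encode() + msg.spi_i,
                       hashlib.sha256).digest()[:16]
        return bytes([self.version]) + mac

    def handle(self, msg: IkeSaInit) -> Tuple[str, bytes]:
        """Process one IKE_SA_INIT request. Returns (reply_type, payload)."""
        if len(self.half_open) >= HALF_OPEN_THRESHOLD:
            expected = self.cookie_for(msg)
            if msg.cookie is None or not hmac.compare_digest(msg.cookie, expected):
                # Stateless reject: recompute the cookie from the request and the
                # secret, store nothing, do no DH work. A spoofed source never
                # sees this reply, so it can never produce a valid cookie.
                return ("COOKIE", expected)
        # Not under load, or a valid cookie: commit state and answer IKE_SA_INIT.
        self.half_open[msg.spi_i] = {"src": msg.src_ip, "ni": msg.nonce_i}
        return ("IKE_SA_INIT_RESPONSE", os.urandom(8))   # responder SPI (SPIr)


def run_initiator(resp: Responder, src_ip: str, reachable: bool = True) -> str:
    """Drive one initiator against resp. With reachable=False the source address
    is spoofed: the 'initiator' never receives the responder's reply."""
    msg = IkeSaInit(spi_i=os.urandom(8), nonce_i=os.urandom(32), src_ip=src_ip)
    reply, payload = resp.handle(msg)
    if reply == "COOKIE":
        if not reachable:
            return "NO_STATE_ALLOCATED"
        # Retry IKE_SA_INIT with the same SPIi and Ni plus the N(COOKIE) payload.
        msg.cookie = payload
        reply, payload = resp.handle(msg)
    return reply


def demo() -> Dict[str, object]:
    """Two real peers, then a constructed flood of 100 spoofed IKE_SA_INIT
    requests, then a third real peer that must answer the cookie challenge."""
    r = Responder()
    return {
        "peer1": run_initiator(r, "10.0.0.1"),
        "peer2": run_initiator(r, "10.0.0.2"),
        "flood": {run_initiator(r, f"203.0.113.{i}", reachable=False) for i in range(100)},
        "peer3": run_initiator(r, "10.0.0.3"),
        "half_open": len(r.half_open),   # 3: the flood left no state behind
    }


if __name__ == "__main__":
    print(demo())
```

Because the source address is part of the MAC input, a cookie captured on one path cannot be replayed from another address, and because the secret is responder-local, nothing an attacker observes lets it forge one. Rotating the secret (and bumping the version byte) bounds how long a harvested cookie stays valid.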
Configuration Components
The following IKEv2/IPSec configuration components make up a FlexVPN configuration:

| Component | Description |
|---|---|
| IKEv2 Proposal | Mandatory. Defines the encryption algorithm, integrity algorithm and DH group used to protect the negotiation of the IKEv2 SA. Each option can list several entries. The authentication method and the SA lifetime are NOT part of the proposal. |
| IKEv2 Policy | Mandatory. Matches the peer (by local address and/or FVRF) and binds the previously created IKEv2 Proposal to it, so that proposal is offered when negotiating with that peer. |
| IKEv2 Keyring | Mandatory only when PSK authentication is used. Defines the pre-shared keys. Unlike IKEv1 the keys can be asymmetric: one key used by the local router and a different key expected from the remote router. |
| IKEv2 Profile | Mandatory. Defines the local and remote IKEv2 identities (address or other identity), the local and remote authentication types, and either the IKEv2 keyring (PSK) or the PKI trustpoint (certificate authentication). |
| IPSec Transform Set | Specifies the acceptable security protocols and algorithms (for example ESP with AES and SHA-HMAC) for the IPSec SA. |
| IPSec Profile | References the IPSec Transform Set and the IKEv2 Profile when they are not the defaults. The IPSec Profile is attached to the tunnel interface with tunnel protection. |
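A proposal with several entries per option offers every combination of them, and the responder must pick exactly one suite or the IKE_SA_INIT fails with NO_PROPOSAL_CHOSEN. The following is an added example (not code from the page or from Cisco) that models that selection using the smart-default proposal shown later on this page as the responder's configuration. The data shape and the rule that the responder's configured order decides the pick are assumptions; real proposals also carry a PRF transform, and combined-mode ciphers such as AES-GCM have no separate integrity transform.

```python
"""Simplified model of IKEv2 SA-payload selection (added example)."""
from itertools import product
from typing import Dict, List, Union

NO_PROPOSAL_CHOSEN = "NO_PROPOSAL_CHOSEN"   # notify sent back when nothing overlaps

# The smart-default IKEv2 proposal from the page, written out as data.
CISCO_DEFAULT_PROPOSAL: Dict[str, List] = {
    "encryption": ["aes-cbc-256", "aes-cbc-192", "aes-cbc-128"],
    "integrity": ["sha512", "sha384", "sha256"],
    "group": [19, 20, 21],
}

KEYS = ("encryption", "integrity", "group")


def expand(proposal: Dict[str, List]) -> List[Dict[str, object]]:
    """Every combination the proposal offers, in configured order:
    the default above yields 3 x 3 x 3 = 27 transform suites."""
    return [dict(zip(KEYS, combo)) for combo in product(*(proposal[k] for k in KEYS))]


def select(initiator: Dict[str, List], responder: Dict[str, List]) -> Union[Dict[str, object], str]:
    """Responder walks its own configured order and returns the first suite the
    initiator also offered; the authentication method is not negotiated here,
    it comes from the IKEv2 profile and is only checked during IKE_AUTH."""
    offered = expand(initiator)
    for candidate in expand(responder):
        if candidate in offered:
            return candidate
    return NO_PROPOSAL_CHOSEN


if __name__ == "__main__":
    # Constructed remote peers: one only offers DH group 14, which the default
    # proposal does not list, so its IKE_SA_INIT is rejected outright.
    legacy_peer = {"encryption": ["aes-cbc-128"], "integrity": ["sha256"], "group": [14]}
    print(select(legacy_peer, CISCO_DEFAULT_PROPOSAL))
    modern_peer = {"encryption": ["aes-cbc-128", "aes-cbc-256"], "integrity": ["sha256"], "group": [19, 14]}
    print(select(modern_peer, CISCO_DEFAULT_PROPOSAL))
```

When a tunnel never gets past IKE_SA_INIT, comparing the two sides' proposals this way (encryption, integrity and group all have to overlap) is the first thing to check; an authentication or PSK mismatch shows up one exchange later, in IKE_AUTH.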
Smart Defaults
The FlexVPN configuration can be minimised by using the IKEv2 Smart Defaults, which supply default values for every component except the IKEv2 Profile and, if PSK is used, the Keyring.
- Smart defaults can be modified if required.
- Smart defaults are only displayed in the running configuration with the command "show running-config all".
- A default configuration can be disabled by prefixing the command with "no".
- The default transform set uses mode "transport", whereas a user-created transform set defaults to mode "tunnel". Check this when the remote peer does not use smart defaults: a transport/tunnel mode mismatch fails the IPSec SA negotiation.
| Description | Show command |
|---|---|
| Transform Set | show crypto ipsec transform-set default |
| IPSec Profile | show crypto ipsec profile default |
| IKEv2 Proposal | show crypto ikev2 proposal default |
| IKEv2 Policy | show crypto ikev2 policy default |
| IKEv2 Authorization Policy | show crypto ikev2 authorization policy default |

Default values:

```
crypto ipsec transform-set default esp-aes 128 esp-sha-hmac
!
crypto ipsec profile default
 set transform-set default
 set ikev2-profile default
!
crypto ikev2 proposal default
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha512 sha384 sha256
 group 19 20 21
!
crypto ikev2 policy default
 match fvrf any
 proposal default
!
crypto ikev2 authorization policy default
 route set interface
 route accept any
```
The "IKEv2 Profile" will need configuring with the identity match, the authentication method and the keyring (if PSK is used). Naming the profile "default" means the default IPSec profile's "set ikev2-profile default" already references it:

```
crypto ikev2 keyring KEYRING
 peer ROUTER2
  address 10.10.10.1
  pre-shared-key local cisco1234
  pre-shared-key remote cisco5678
!
crypto ikev2 profile default
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring local KEYRING
!
interface Tunnel1
 tunnel protection ipsec profile default
```

"match identity remote address 0.0.0.0" matches any peer address; the keyring's per-peer address (10.10.10.1) is what selects the key. The keys are asymmetric, so ROUTER2 must be configured with the mirror image (local cisco5678, remote cisco1234). The tunnel source, destination and mode lines are omitted from the snippet.
All defaults can be modified, deactivated or restored.

Modifying defaults:

```
crypto ikev2 proposal default
 encryption aes-cbc-128
 integrity sha256
!
crypto ipsec transform-set default esp-aes 256 esp-sha-hmac
```

Restoring defaults:

```
default crypto ikev2 proposal
default crypto ipsec transform-set
```

Disabling defaults:

```
no crypto ikev2 proposal default
no crypto ipsec transform-set default
```

Note that both the default transform set and the modified one above use esp-sha-hmac, which is HMAC-SHA-1; esp-sha256-hmac, or a combined-mode cipher such as esp-gcm, is available if SHA-1 is to be avoided.