Security FlexVPN Notes
FlexVPN Overview
- Combines the features of EzVPN, DMVPN and crypto maps into one technology to learn.
- Combines VPN architectures:
  - site-to-site
  - remote-access
  - hub-spoke
  - spoke-to-spoke
- Based on IKEv2 only (RFC 5996).
- Built-in anti-DoS features.
Building Blocks
- FlexVPN uses different interfaces depending on the access method: a tunnel interface for site-to-site, and virtual templates for spoke-to-spoke.
- A virtual-template instantiates a virtual-access interface for each spoke that connects to the hub, and for spoke-to-spoke connections.
- One virtual-access interface per spoke on the hub. Each session is point-to-point, which gives every connection its own dedicated interface.
- FlexVPN roles:
  - Hub
  - Spoke
  - Remote User
- Interfaces for each role and connection:
  - Spoke to Hub - spoke.tunnel -> hub.virtual-access
  - Spoke to Spoke - spoke1.virtual-access -> spoke2.virtual-access
  - Hub1 to Hub2 - hub1.tunnel -> hub2.tunnel
  - Remote User - hub.virtual-access
IPSec
- Basic configuration:
  - crypto ipsec transform-set
  - crypto ipsec profile - ties the transform set to the IKEv2 profile
  - tunnel protection - under the virtual-template or tunnel interface, specify the IPsec profile that protects it.
- Smart defaults simplify the configuration: only a crypto ikev2 profile and the tunnel protection command are required.
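The building blocks above, put together as an added IOS configuration example (not from the original notes): the hub uses the explicit transform-set and IPsec profile, while the spoke uses the smart-defaults variant. All names, addresses and the pre-shared key are constructed placeholders; the domain example.com, Loopback0 addresses and the hub address 203.0.113.1 are assumptions.

```cisco
! --- Hub (WAN address 203.0.113.1, constructed) ---
crypto ikev2 keyring FLEX-KEYS
 peer SPOKES
  address 0.0.0.0 0.0.0.0
  pre-shared-key REPLACE-WITH-STRONG-PSK
!
crypto ikev2 profile FLEX-IKEV2
 match identity remote fqdn domain example.com
 identity local fqdn hub.example.com
 authentication remote pre-share
 authentication local pre-share
 keyring local FLEX-KEYS
 virtual-template 1
!
! Explicit IPsec: transform-set, then the profile that ties it to the IKEv2 profile
crypto ipsec transform-set FLEX-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile FLEX-IPSEC
 set transform-set FLEX-TS
 set ikev2-profile FLEX-IKEV2
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
! One virtual-access interface is cloned from this template per spoke
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel protection ipsec profile FLEX-IPSEC
!
! --- Spoke (smart defaults: no proposal, policy or transform-set configured) ---
crypto ikev2 keyring FLEX-KEYS
 peer HUB
  address 203.0.113.1
  pre-shared-key REPLACE-WITH-STRONG-PSK
!
crypto ikev2 profile FLEX-IKEV2
 match identity remote fqdn hub.example.com
 identity local fqdn spoke1.example.com
 authentication remote pre-share
 authentication local pre-share
 keyring local FLEX-KEYS
!
! The built-in "default" IPsec profile only needs to be pointed at the IKEv2 profile
crypto ipsec profile default
 set ikev2-profile FLEX-IKEV2
!
interface Loopback0
 ip address 10.255.0.11 255.255.255.255
!
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile default
```

Verify with `show crypto ikev2 sa` (IKEv2 SA state and peer identity) and `show crypto ipsec sa` (child SA counters). The wildcard peer with a shared PSK is the simplest form for a lab; certificate authentication (`authentication remote rsa-sig` with a PKI trustpoint) is the usual choice for production hubs because it gives each spoke its own credential.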
Packet Forwarding
- Control-plane flow when a peer connects:
  - Packet comes in on the ingress interface (L2),
  - Goes to the IKE (L5) module,
  - IKE looks up AAA (local or remote),
  - A virtual-access interface is created (with the per-peer features applied),
  - The remote private networks are added to the routing table.
- Data-plane packet forwarding:
  - Ingress interface
  - Egress virtual-access interface
  - Post-encapsulation (GRE) encryption
  - Egress physical interface (route lookup on the tunnel endpoint IPs)
Shortcut Switching
- A routing protocol is not required for FlexVPN; it can use what is called IKE routing.
- The IKE negotiation includes a request for an IP address, subnet and routes (carried in the IKEv2 configuration payload). Scales up to 10K spokes with IKE routing.
  - Remote subnet
  - Spoke subnet
- Spoke1 sends a packet to Hub1, which forwards it to Hub2 (both are on the same NHRP network-id); this triggers an NHRP Redirect from Hub1 back to Spoke1. Spoke1 then sends an NHRP Resolution Request through Hub1 and Hub2 to Spoke2. Spoke2 adds a route for Spoke1, sends the NHRP Resolution Reply to Spoke1, and a direct spoke-to-spoke tunnel is established. For the reverse direction, Spoke2 repeats the same process to reach Spoke1's networks.
- For routing you can use IKE routing, EIGRP, OSPF or another IGP, but also BGP. With BGP, the hubs can use BGP listen range (dynamic neighbors), which automatically creates BGP neighbors for spokes.
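IKE routing and the BGP listen-range alternative, as an added IOS example (not from the original notes). It assumes an IKEv2 profile named FLEX-IKEV2 and the default IPsec profile already exist on both routers (only the lines being added to the profile are shown); the pool, prefixes, AS number and hub address 203.0.113.1 are constructed.

```cisco
! --- Hub: hand out tunnel addresses and push routes through the IKEv2 configuration payload ---
aaa new-model
aaa authorization network FLEX-AAA local
!
ip local pool FLEX-POOL 10.100.0.2 10.100.0.254
!
! Prefixes the hub advertises to every spoke (constructed)
ip access-list standard FLEX-HUB-NETS
 permit 10.10.0.0 0.0.255.255
!
crypto ikev2 authorization policy FLEX-AUTHZ
 pool FLEX-POOL
 route set interface
 route set access-list FLEX-HUB-NETS
!
crypto ikev2 profile FLEX-IKEV2
 aaa authorization group psk list FLEX-AAA FLEX-AUTHZ
 virtual-template 1
!
! Optional: BGP over the tunnels instead of (or in addition to) IKE-pushed routes.
! The listen range covers the pool, so every spoke that comes up becomes a neighbor automatically.
router bgp 65000
 bgp listen range 10.100.0.0/24 peer-group FLEX-SPOKES
 neighbor FLEX-SPOKES peer-group
 neighbor FLEX-SPOKES remote-as 65000
!
! --- Spoke: request an address and advertise its own LAN back to the hub ---
aaa new-model
aaa authorization network FLEX-AAA local
!
ip access-list standard SPOKE1-LAN
 permit 192.168.1.0 0.0.0.255
!
crypto ikev2 authorization policy FLEX-AUTHZ
 route set interface
 route set access-list SPOKE1-LAN
!
crypto ikev2 profile FLEX-IKEV2
 aaa authorization group psk list FLEX-AAA FLEX-AUTHZ
!
interface Tunnel0
 ip address negotiated
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile default
```

Routes learned through IKE are installed as static routes, so `show ip route static` on either side shows what the peer pushed; `show crypto ikev2 sa detailed` shows the negotiated address and the routes exchanged in the session. Because the access-list is a plain prefix list rather than a routing process, a spoke can only inject what its authorization policy permits, which is the control point to review when auditing what each peer is allowed to advertise.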
Per Peer Features
- One of the biggest benefits of FlexVPN is the ability to apply a policy per peer session.
- There are three ways of configuring that:
  - Virtual-template features
  - Group profiles on IOS
  - Central service policy (RADIUS)
VRF Injection
- Ability to have VRFs on spokes without creating a new NHRP network for each VRF.
- There are two types of VRFs with FlexVPN:
  - Front-door VRF (fVRF) is the WAN-facing VRF.
  - Inside VRF (iVRF) carries the spokes' traffic.
- The WAN interface can be in the global routing table or in the front-door VRF.
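A hub with the WAN in a front-door VRF and spoke traffic in an inside VRF, as an added IOS example (not from the original notes). VRF names, addresses, the next hop 203.0.113.254 and the domain example.com are constructed; the default IPsec profile is assumed to already point at the IKEv2 profile.

```cisco
! Front-door VRF holds the WAN; inside VRF holds the tunnel and the spoke networks
vrf definition FVRF
 address-family ipv4
 exit-address-family
!
vrf definition IVRF
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet0/0
 vrf forwarding FVRF
 ip address 203.0.113.1 255.255.255.0
!
! Default route lives in the fVRF only; the global table never sees the WAN
ip route vrf FVRF 0.0.0.0 0.0.0.0 203.0.113.254
!
crypto ikev2 keyring FLEX-KEYS
 peer SPOKES
  address 0.0.0.0 0.0.0.0
  pre-shared-key REPLACE-WITH-STRONG-PSK
!
crypto ikev2 profile FLEX-IKEV2
 match fvrf FVRF
 match identity remote fqdn domain example.com
 identity local fqdn hub.example.com
 authentication remote pre-share
 authentication local pre-share
 keyring local FLEX-KEYS
 virtual-template 1
!
interface Loopback0
 vrf forwarding IVRF
 ip address 10.255.0.1 255.255.255.255
!
! The template's "vrf forwarding" is the iVRF; "tunnel vrf" is the fVRF the
! encrypted packets are routed in. Decrypted spoke traffic only ever lands in IVRF.
interface Virtual-Template1 type tunnel
 vrf forwarding IVRF
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel vrf FVRF
 tunnel protection ipsec profile default
```

`show crypto ikev2 sa` lists the fvrf/ivrf of each session and `show ip route vrf IVRF` shows the spoke prefixes; a spoke prefix appearing in the global table or in FVRF would indicate a missing `vrf forwarding` on the template. The separation matters for exposure: a host on the WAN side can reach only what is routed in FVRF, which here is nothing but the tunnel endpoint itself.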
Hierarchical Shaper
- Used where the hub's WAN interface has more bandwidth than the spokes' links.
- Provides QoS shaping per destination so that a spoke's WAN link is not oversaturated.
High Availability
- HA can be accomplished using routing protocols, either Active/Active or Active/Standby depending on the routes. (With some tuning, convergence can be as low as 3 sec; see the Cisco Live video.)
- Another method is Backup Peers. This option is IKE-based and is Active/Standby only.
  - Relies on track objects; the peers in the defined list are tracked.
  - Destinations are dynamic, based on the IKE list of peers.
- Can use tunnel pivoting, where the spoke chooses which interface to source the tunnel from, for example Gig0/0 as primary and a Cellular interface as backup.
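Backup peers with track objects and tunnel pivoting on a spoke, as an added IOS example (not from the original notes). The two hub addresses, the Cellular0 interface and the IP SLA numbers are constructed; the default IPsec profile is assumed to already reference the spoke's IKEv2 profile.

```cisco
! Reachability probes: one per hub, each sourced from the uplink it would be used over
ip sla 10
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability
!
ip sla 11
 icmp-echo 198.51.100.1 source-interface Cellular0
 frequency 10
ip sla schedule 11 life forever start-time now
track 11 ip sla 11 reachability
!
! Dead peer detection so a silently failed hub is noticed, not just a failed probe
crypto ikev2 dpd 10 2 on-demand
!
! FlexVPN client: ordered peer list (backup peers) and ordered source list (tunnel pivoting)
crypto ikev2 client flexvpn FLEX-CLIENT
 peer 1 203.0.113.1 track 10
 peer 2 198.51.100.1 track 11
 source 1 GigabitEthernet0/0 track 10
 source 2 Cellular0 track 11
 client connect Tunnel0
 peer reactivate
!
! Source and destination are chosen by the client block, so both are "dynamic"
interface Tunnel0
 ip address negotiated
 tunnel source dynamic
 tunnel destination dynamic
 tunnel protection ipsec profile default
```

Only one peer is active at a time (Active/Standby): when track 10 goes down the client tears the session down and moves to peer 2 over Cellular0, and `peer reactivate` brings it back to the preferred hub once track 10 recovers. `show crypto ikev2 client flexvpn` shows which peer and source are currently in use, and `show track` shows why a failover happened.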
- IKE load balancer relies on HSRP between the hubs: one is active while the others are standby, and all HSRP members form a cluster. The active hub sends IKEv2 redirect messages to the least-utilized hub. This option allows scaling beyond 10K sessions.