Security Flexvpn Notes

FlexVPN Overview

  • Combines all of the features of EzVPN, DMVPN and Crypto Maps. One technology to learn.
  • Combines VPN architectures:
    • site to site
    • remote-access
    • hub-spoke
    • spoke to spoke
  • Based on IKEv2 only (RFC5996)
    • Build in anit-DoS features.

Building Blocks

  • FlexVPN uses different interfaces depending on the access method. It uses tunnel interface for site to site while virtual templates for spokes to spoke.
  • Virtual-template instantiates an virtual-access interface from each spoke on the hub, or spoke to spoke communication.
  • One virtual-access interface per each spoke on the hub. Each session is a point to point. This provides the benefit of having a designated interface for each connection.
  • FlexVPN Roles:
    • Hub
    • Spoke
    • Remote User
  • Interfaces for each role and connection
    • Spoke to Hub - spoke.tunnel -> hub.virtual-access.
    • Spoke to Spoke - spoke1.virtual-access -spoke2.virtual-access
    • Hub1 to Hub2 - hub1.tunnel -> hub2.tunnel.
    • Remote User - hub.virtual-access


  • Basic configuration:
    • crypto ipsec transform-set
    • crypto ipsec profile - ties in the transform set with the ikev2 profile
    • tunnel protection profile - under virtual-template or tunnel specify the protecting profile.
  • Can use smart defaults, which simplifies the configs, just a crypto ikev2 profile and the tunnel protection.

Packet Forwarding

  • Control of the packet flows:
  1. Packet comes in on the Ingress interface (L2),
  2. Goes to the IKE (L5) module,
  3. Looks up the AAA (local or remote)
  4. Virtual-access interface gets created (per peer features).
  5. Remote private networks added to the routing table.
  • Packet forwarding:
  1. Ingress interface
  2. Egress virtual-access
  3. Post encapsulation (GRE) encryption
  4. Egress physical interface (route lookup on the tunneled IPs)

Shortcut Switching

  • Don't need a routing protocol for FlexVPN, but can use what's called IKE ROuting.
  • IKE negotiations includes a call for IP address, subnet and routes. Scales up to 10K spokes with IKE routing.
    • Remote subnet
    • Spoke subnet
  • Spoke1 sends packet to hub1, hub1 forwards to another hub2 (both are on the same NHRP network-id), which triggers an NHRP Redirect message back from hub1 to spoke1. Spoke1 sends a NHRP Resolution through the hub1-hub2->spoke2. Spoke2 adds a route for spoke1 and establishes a direct tunnel to spoke1 with the NHRP resolution reply to spoke1. For reverse traffic spoke2 does the same process to access spoke1's networks.
  • For routing, you can use IKE Routing ,EIGRP, OSPF, or other IGP but also BGP. If you use BGP, the hubs can use a BGP Listen Range, that will automatically create BGP neighbors for spokes.

Per Peer Features

  • One of the biggest benefits of FlexVPN is the ability to have a policy per peer session.
  • There are three ways of configuring that:
    • Virtual-Template features
    • Group Profiles on IOS
    • Central Service Policy (RADIUS)

VRF Injection

  • Ability to have VRFs on spokes without creating a new NHRP Network for each VRF.
  • There are two types of VRFs with FlexVPN:
    • Front Door VRF is the WAN facing vrf.
    • Inside VRF is the VRF for spokes' traffic.
  • WAN interface can be using the Globacl Routing Table or Front-VRF.

Hierarchical Shaper

  • Used in cases where the Hub's WAN interface has more bandwidth than the spokes.
  • Provides a QoS features to shape traffic based on the destination's WAN link not to oversaturate it.

High Availability

  • HA can be accomplished using the routing protocols. It can be Active/Active or Active/Standby, depending on the routes. (With some magic convergence can be as low as 3 sec, see the CiscoLive video).
  • Another method is to use Backup Peers. This option is based on IKE. This method is only Active/Standby.
    • Relies on track objects. Tracking peers in defines list.
    • Destinations are dynamic based on the IKE list of peers.
    • Can use Tunnel Pivoting, where the spokes can chose which interface to source the traffic from. For example if one is Gig0/0 and other backup Cellular interface.
  • IKE Load Balancer relies on HSRP between the hubs. One is active while others standby. All HSRP members are part of a cluster. The active hub sends IKE redirect messages to the less utilized hubs. This option allows for scaling higher than 10K sessions.

Remote Access


rating: 0+x
Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License