Cisco FlexVPN Overview

FlexVPN is a framework for configuring IPSec VPNs on Cisco IOS devices. It was created to simplify the deployment of VPN solutions of all types (Site-to-Site, Remote Access, etc.) and uses a common configuration template for every VPN type. FlexVPN is based on IKEv2 and does not support IKEv1.

IKEv2 Features

  • IKEv2 is more secure than IKEv1 because it supports the latest Suite B cryptographic algorithms
  • Built-in support for Dead Peer Detection (DPD) and NAT-Traversal
  • Resistant to DoS attacks (stateless anti-clogging cookies, covered below)
  • Consolidates the IKEv1 main and aggressive modes into one method, called “initial”
  • Supports more authentication methods; in addition to PSK and certificates, it also supports EAP authentication
  • XAUTH is not used in IKEv2; EAP is used for authentication instead. Tunnelled EAP: EAP-TLS, EAP-PEAP, EAP-PSK. Non-tunnelled EAP: EAP-MSCHAPv2, EAP-MD5, EAP-GTC and EAP AnyConnect

IKEv2 Message Exchange


IKEv2 has only two initial phases of negotiation: IKE_SA_INIT exchange and IKE_AUTH exchange


IKE_SA_INIT

  • The initial exchange, in which the peers establish a secure channel by agreeing on an IKEv2 proposal
  • This exchange is unencrypted
  • The exchange consists of 2 packets/messages and carries the information that IKEv1 Main Mode sent in messages 1-4

IKE_AUTH

  • Once IKE_SA_INIT exchange is complete all subsequent communication is encrypted
  • IKE_AUTH authenticates the remote peer using the method specified in the IKEv2 Profile
  • Once the peers have successfully authenticated, the IPSec SA is established

CREATE_CHILD_SA (Optional)

  • The CREATE_CHILD_SA exchange is used to create an additional Child SA or to re-key the IKE SA or an existing Child SA. This serves the same function as the Quick Mode exchange does in IKEv1.
  • Only 2 packets in the exchange, but it is repeated for every re-key or new SA.

IKEv2 DoS Prevention


IKEv2 uses stateless anti-clogging cookies to protect against DoS attacks from spoofed source addresses. The initiator sends its IKE SPI to the responder, which acknowledges the SPI and asks the initiator to repeat the request carrying the cookie the responder supplies. The responder commits no resources to the negotiation until the initiator responds with the correct cookie.

The anti-clogging cookies are an optional anti-DoS mechanism. They are exchanged in the first 2 messages of the IKE_SA_INIT exchange.
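
The exchange described above, as an added example that is not part of the original post: a responder that, once it has too many half-open negotiations, answers IKE_SA_INIT with a cookie it can recompute rather than store, and only allocates state when the initiator repeats the request with that cookie. The cookie construction follows the form suggested in RFC 7296 section 2.6 (version byte plus a keyed hash over the initiator's nonce, address and SPI); the `Responder` and `initiator_exchange` names, the half-open threshold and the peer addresses are this example's own constructions.

```python
"""Stateless anti-clogging cookie for IKE_SA_INIT (added illustration, not IOS code)."""
import hashlib
import hmac
import secrets


class Responder:
    def __init__(self, half_open_limit, secret=None):
        # The only long-lived state is a secret that a real responder rotates periodically.
        self.secret = secret or secrets.token_bytes(32)
        self.secret_version = b"\x01"
        self.half_open_limit = half_open_limit
        self.half_open = {}  # SPIi -> peer address; created only after a valid cookie (or no load)

    def cookie_for(self, nonce_i, addr_i, spi_i):
        # Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>) (RFC 7296 2.6 form).
        # Nothing needs storing: the responder recomputes it from the retransmitted IKE_SA_INIT.
        mac = hmac.new(self.secret, nonce_i + addr_i.encode() + spi_i, hashlib.sha256).digest()
        return self.secret_version + mac[:16]

    def ike_sa_init(self, addr_i, spi_i, nonce_i, cookie=None):
        """Return ('COOKIE', cookie) while under load and no valid cookie was presented;
        otherwise ('IKE_SA_INIT_RESPONSE', spi_r) after allocating half-open SA state."""
        expected = self.cookie_for(nonce_i, addr_i, spi_i)
        under_load = len(self.half_open) >= self.half_open_limit
        if under_load and (cookie is None or not hmac.compare_digest(cookie, expected)):
            return ("COOKIE", expected)  # no state allocated for this request
        spi_r = secrets.token_bytes(8)
        self.half_open[spi_i] = addr_i
        return ("IKE_SA_INIT_RESPONSE", spi_r)


def initiator_exchange(responder, addr_i, spoofed=False):
    """Run the initiator side; a spoofed source never receives the COOKIE reply."""
    spi_i, nonce_i = secrets.token_bytes(8), secrets.token_bytes(32)
    kind, payload = responder.ike_sa_init(addr_i, spi_i, nonce_i)
    if kind == "COOKIE":
        if spoofed:
            return "DROPPED"  # the cookie went to the forged address, so no retry is possible
        kind, payload = responder.ike_sa_init(addr_i, spi_i, nonce_i, cookie=payload)
    return kind


if __name__ == "__main__":
    r = Responder(half_open_limit=0)  # limit 0: always demand a cookie (constructed scenario)
    print("legitimate peer:", initiator_exchange(r, "192.0.2.10"))
    print("spoofed source:", initiator_exchange(r, "198.51.100.7", spoofed=True))
    print("half-open SAs held by responder:", len(r.half_open))
```

Because the cookie is bound to the initiator's address and SPI, a cookie captured for one source cannot be replayed from another, and a flood from forged addresses costs the responder one HMAC per packet and no memory.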


Configuration Components


The following IKEv2/IPSec configuration components are required for FlexVPN:

IKEv2 Proposal
  • Mandatory
  • Defines the encryption and integrity algorithms and the DH group used to protect the negotiation of the IKEv2 SA
  • Multiple entries can be specified for each option
  • The authentication method and SA lifetime are NOT contained in the proposal

IKEv2 Policy
  • Mandatory
  • Matches the peers and binds the previously created IKEv2 Proposal so it is selected for negotiation with the defined VPN peer

IKEv2 Keyring
  • Mandatory only if using PSK authentication
  • Used to define the pre-shared keys. Unlike IKEv1, these can be asymmetric: one key for the local router and another for the remote router

IKEv2 Profile
  • Mandatory
  • Defines the local/remote IKEv2 identities (address/identity)
  • Defines the local/remote authentication type
  • Defines the IKEv2 keyring if using PSK, or the PKI Trustpoint if using certificate authentication

IPSec Transform Set
  • Specifies the acceptable security protocols and algorithms for the IPSec SA

IPSec Profile
  • References the IPSec Transform Set if NOT default
  • References the IKEv2 Profile if NOT default
  • The IPSec Profile is attached to the Tunnel interface

Smart Defaults

The FlexVPN configuration can be minimised using the IKEv2 Smart Defaults; these specify default values for all components except the IKEv2 Profile and the Keyring (if PSK is used).

  • Smart defaults can be modified if required
  • Smart defaults are only displayed in the running-config if you use the command “show running-config all”
  • A default configuration can be disabled by using “no” before the command
  • The default mode for the default transform set is “transport”, whereas for all other transform sets the default mode is “tunnel”

Transform Set
  Show command:   show crypto ipsec transform-set default
  Default values: crypto ipsec transform-set default esp-aes 128 esp-sha-hmac

IPSec Profile
  Show command:   show crypto ipsec profile default
  Default values: crypto ipsec profile default
                   set transform-set default
                   set ikev2-profile default

IKEv2 Proposal
  Show command:   show crypto ikev2 proposal default
  Default values: crypto ikev2 proposal default
                   encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
                   integrity sha512 sha384 sha256 sha1 md5
                   group 5 2

IKEv2 Policy
  Show command:   show crypto ikev2 policy default
  Default values: crypto ikev2 policy default
                   match fvrf any
                   proposal default

IKEv2 Authorization Policy
  Show command:   show crypto ikev2 authorization policy default
  Default values: crypto ikev2 authorization policy default
                   route set interface
                   route accept any

The “IKEv2 Profile” still needs to be configured with the identity, the authentication method and the keyring (if PSK is used); the remaining components come from the smart defaults:


! Keyring: asymmetric pre-shared keys for peer ROUTER2 (mandatory for PSK authentication)
crypto ikev2 keyring KEYRING
 peer ROUTER2
  address 10.10.10.1
  pre-shared-key local cisco1234
  pre-shared-key remote cisco5678

! IKEv2 profile: identity match, authentication method and keyring (no smart default exists)
crypto ikev2 profile default
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring local KEYRING

! The smart-default IPSec profile (which already references the default transform set
! and the default IKEv2 profile) is attached to the tunnel interface
interface Tunnel1
 tunnel protection ipsec profile default

All defaults can be modified, disabled or restored:

Modifying defaults
  crypto ikev2 proposal default
   encryption aes-cbc-128
   integrity md5

  crypto ipsec transform-set default esp-aes 256 esp-sha-hmac

Restoring defaults
  default crypto ikev2 proposal
  default crypto ipsec transform-set

Disabling defaults
  no crypto ikev2 proposal default
  no crypto ipsec transform-set default
