FlexVPN is a framework for configuring IPSec VPNs on Cisco IOS devices; it was created to simplify the deployment of VPN solutions of all types (Site-to-Site, Remote Access etc.) by using one common configuration template for every VPN type. FlexVPN is based on IKEv2 and does not support IKEv1.
- IKEv2 supports the Suite B cryptographic algorithms (AES-GCM, SHA-2, elliptic-curve DH groups and ECDSA authentication); this is the main reason it is described as more secure than IKEv1, but the stronger protocol only helps if the proposal is actually configured to use them
- Built-in support for Dead Peer Detection (DPD) and NAT-Traversal, both of which were add-on extensions in IKEv1
- Resistant to DoS attacks from spoofed source addresses through stateless anti-clogging cookies (see IKEv2 DoS Prevention below)
- IKEv1 Main and Aggressive modes are replaced by a single initial exchange, IKE_SA_INIT, followed by IKE_AUTH
- Supports more authentication methods: in addition to PSK and certificates (RSA or ECDSA signatures) it supports EAP
- XAUTH is not used in IKEv2; EAP provides user authentication instead, with TLS-based methods (EAP-TLS, EAP-PEAP) and password or key based methods (EAP-MSCHAPv2, EAP-MD5, EAP-GTC, EAP-PSK). EAP authenticates only the remote (client) side; the responder must still authenticate itself with a certificate, and on IOS the EAP exchange is relayed to an external RADIUS server rather than terminated on the router
IKEv2 Message Exchange
IKEv2 establishes an IKE SA with two initial exchanges, IKE_SA_INIT and IKE_AUTH (four messages in total, against six for IKEv1 Main Mode plus three for Quick Mode).
IKE_SA_INIT
- The initial exchange, in which the peers agree an IKEv2 proposal (encryption, integrity, PRF and DH group) and exchange DH public values and nonces
- This happens un-encrypted; nothing is authenticated yet, so an on-path attacker can read or alter it (tampering is only detected in IKE_AUTH, because each side's AUTH payload covers its own IKE_SA_INIT message)
- The exchange contains 2 packets/messages and covers what IKEv1 Main Mode messages 1-4 did
- Once IKE_SA_INIT is complete, keys are derived from the DH shared secret and the nonces and all subsequent IKEv2 messages are encrypted and integrity protected
IKE_AUTH
- Authenticates each peer using the method specified in the IKEv2 Profile (PSK, certificate or EAP; an EAP exchange adds further IKE_AUTH round trips) and, in the same two messages, negotiates the first Child SA
- Once the peers have successfully authenticated the IPSec (Child) SA is established and the FlexVPN tunnel interface can come up
CREATE_CHILD_SA
- Used to re-key the IKE SA or a Child SA, or to create additional Child SAs; this serves the same function as the Quick Mode exchange in IKEv1
- Only 2 packets in the exchange, but it is repeated for every re-key or new SA
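The two-exchange sequence above, as an added example that is not part of the original page: a Python simulation of IKE_SA_INIT followed by the key derivation and the PSK-based AUTH computation of IKE_AUTH, as specified in RFC 7296 sections 2.13 to 2.15. It assumes HMAC-SHA256 as the negotiated PRF and integrity algorithm, AES-128 for encryption (the smart-default transform set) and DH group 2 because the smart-default proposal lists it (far too small for production; use group 14 or higher). The SPIs, nonces, DH private values and peer identities are constructed, fixed inputs, and the messages are labelled byte strings rather than real IKEv2 encoding.

```python
"""Added example (not from the page): IKE_SA_INIT, key derivation and PSK
IKE_AUTH per RFC 7296 s2.13-2.15, using HMAC-SHA256 and DH group 2."""
import hashlib
import hmac

# 1024-bit MODP prime, IKE group 2, as printed in RFC 2409 s6.2 (weak; demo only).
P_GROUP2 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2
MODP_LEN = 128        # octets; g^ir and KE payloads are zero-padded to the modulus size
PRF_LEN = 32          # HMAC-SHA256 output: sizes SK_d, SK_pi, SK_pr
INTEG_KEY_LEN = 32    # HMAC-SHA256 integrity key: SK_ai, SK_ar
ENC_KEY_LEN = 16      # AES-128 (smart-default transform set): SK_ei, SK_er


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ (s2.13): T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n), output T1|T2|..."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


def derive_keys(shared: int, ni: bytes, nr: bytes, spi_i: bytes, spi_r: bytes) -> dict:
    """SKEYSEED = prf(Ni|Nr, g^ir); keys = prf+(SKEYSEED, Ni|Nr|SPIi|SPIr)  (s2.14)."""
    skeyseed = prf(ni + nr, shared.to_bytes(MODP_LEN, "big"))
    layout = [("SK_d", PRF_LEN), ("SK_ai", INTEG_KEY_LEN), ("SK_ar", INTEG_KEY_LEN),
              ("SK_ei", ENC_KEY_LEN), ("SK_er", ENC_KEY_LEN),
              ("SK_pi", PRF_LEN), ("SK_pr", PRF_LEN)]
    material = prf_plus(skeyseed, ni + nr + spi_i + spi_r, sum(n for _, n in layout))
    keys, pos = {}, 0
    for name, n in layout:
        keys[name] = material[pos:pos + n]
        pos += n
    return keys


def psk_auth(psk: bytes, sk_p: bytes, own_sa_init_msg: bytes, peer_nonce: bytes,
             own_id: bytes) -> bytes:
    """AUTH for shared-key authentication (s2.15):
    prf(prf(PSK, "Key Pad for IKEv2"), RealMessage | PeerNonce | prf(SK_p, ID))."""
    signed_octets = own_sa_init_msg + peer_nonce + prf(sk_p, own_id)
    return prf(prf(psk, b"Key Pad for IKEv2"), signed_octets)


def run_exchange(psk: bytes, responder_psk: bytes = None,
                 downgrade_in_transit: bool = False) -> dict:
    rpsk = psk if responder_psk is None else responder_psk
    # Constructed, deterministic stand-ins for what a real peer draws from a CSPRNG.
    spi_i, spi_r = bytes.fromhex("0102030405060708"), bytes.fromhex("1112131415161718")
    ni, nr = hashlib.sha256(b"Ni").digest(), hashlib.sha256(b"Nr").digest()
    x_i = int.from_bytes(hashlib.sha256(b"x_i").digest(), "big")
    x_r = int.from_bytes(hashlib.sha256(b"x_r").digest(), "big")
    ke_i, ke_r = pow(G, x_i, P_GROUP2), pow(G, x_r, P_GROUP2)

    # Message 1 in the clear: HDR, SAi1, KEi, Ni.  An on-path attacker may rewrite
    # the proposal (only the label is rewritten here; the KE payload is left alone).
    msg1_sent = spi_i + b"|SAi1=aes256-sha256-group14|" + ke_i.to_bytes(MODP_LEN, "big") + ni
    msg1_seen_by_responder = (msg1_sent.replace(b"aes256-sha256-group14", b"aes128-sha1-group2")
                              if downgrade_in_transit else msg1_sent)
    # Message 2 in the clear: HDR, SAr1, KEr, Nr.
    msg2 = spi_i + spi_r + b"|SAr1|" + ke_r.to_bytes(MODP_LEN, "big") + nr

    # Both sides hold the same g^ir, so they derive identical keys; from here on
    # (IKE_AUTH and later) every message is protected with SK_e*/SK_a*.
    keys_i = derive_keys(pow(ke_r, x_i, P_GROUP2), ni, nr, spi_i, spi_r)
    keys_r = derive_keys(pow(ke_i, x_r, P_GROUP2), ni, nr, spi_i, spi_r)

    # IKE_AUTH: each side "signs" its own IKE_SA_INIT message plus the peer's nonce
    # and its MACed identity, which is what detects tampering with messages 1 and 2.
    id_i, id_r = b"spoke1.example.net", b"hub.example.net"   # assumed identities
    auth_i = psk_auth(psk, keys_i["SK_pi"], msg1_sent, nr, id_i)
    auth_i_expected = psk_auth(rpsk, keys_r["SK_pi"], msg1_seen_by_responder, nr, id_i)
    auth_r = psk_auth(rpsk, keys_r["SK_pr"], msg2, ni, id_r)
    auth_r_expected = psk_auth(psk, keys_i["SK_pr"], msg2, ni, id_r)
    return {
        "keys_match": keys_i == keys_r,
        "directional_keys_differ": keys_i["SK_ei"] != keys_i["SK_er"],
        "initiator_authenticated": hmac.compare_digest(auth_i, auth_i_expected),
        "responder_authenticated": hmac.compare_digest(auth_r, auth_r_expected),
    }


if __name__ == "__main__":
    print(run_exchange(b"cisco1234"))
    print(run_exchange(b"cisco1234", downgrade_in_transit=True))
```

Running it once normally and once with the proposal rewritten in transit shows why the cleartext IKE_SA_INIT is acceptable: keys derive correctly either way, but the initiator's AUTH, computed over the message it actually sent, no longer matches what the responder computes over the message it received, so the downgrade is caught before any Child SA exists. A mismatched PSK on one side fails both AUTH checks in the same way.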
IKEv2 DoS Prevention
IKEv2 uses stateless anti-clogging cookies to protect the responder against floods of IKE_SA_INIT requests from spoofed source addresses. When the mechanism is active, the responder answers an IKE_SA_INIT request not with its own IKE_SA_INIT reply but with a COOKIE notification, and creates no state for the request. The initiator must resend the same IKE_SA_INIT request with the cookie included; only then does the responder allocate a half-open SA and continue the negotiation. Because the cookie is computed from the initiator's address, SPI and nonce together with a secret known only to the responder (RFC 7296 suggests Hash(Ni | IPi | SPIi | secret)), a sender that cannot receive traffic at the address it spoofed can never produce a valid cookie.
The anti-clogging cookies are an optional anti-DoS mechanism exchanged within the IKE_SA_INIT exchange, before the two real IKE_SA_INIT messages. On IOS the challenge is enabled with “crypto ikev2 cookie-challenge <number>”, which starts challenging new initiators once the count of half-open (in-negotiation) SAs reaches the configured number.
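The cookie challenge described above, as an added example that is not part of the original page: a Python responder that keeps no state for an IKE_SA_INIT request until the initiator echoes a keyed cookie, switching the challenge on at a half-open SA threshold in the way “crypto ikev2 cookie-challenge” does. Requests are modelled as plain function arguments rather than IKEv2 wire format; the addresses are documentation ranges used as constructed sample input, and HMAC-SHA256 stands in for the RFC's unspecified hash.

```python
"""Added example (not from the page): stateless IKEv2 cookie challenge
(RFC 7296 s2.6) with a half-open SA threshold, simulated offline."""
import hashlib
import hmac
import secrets


class IKEv2Responder:
    def __init__(self, cookie_threshold: int, secret: bytes = None):
        self.threshold = cookie_threshold
        self.secret = secret or secrets.token_bytes(32)
        self.secret_version = 1
        self.half_open = {}   # (src_ip, SPIi) -> state allocated for an unfinished IKE SA

    def _cookie(self, src_ip: str, spi_i: bytes, ni: bytes) -> bytes:
        # Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>)  (RFC 7296 s2.6).
        # A keyed hash means nobody without the secret can forge one.
        mac = hmac.new(self.secret, ni + src_ip.encode() + spi_i, hashlib.sha256).digest()
        return bytes([self.secret_version]) + mac[:16]

    def rotate_secret(self) -> None:
        """Periodic rotation bounds how long a sniffed cookie stays usable.
        (The RFC allows briefly accepting the previous secret; here we re-challenge.)"""
        self.secret = secrets.token_bytes(32)
        self.secret_version = (self.secret_version + 1) % 256

    def handle_sa_init(self, src_ip: str, spi_i: bytes, ni: bytes, cookie: bytes = None):
        """Return ("COOKIE", cookie) to demand a retry, or ("IKE_SA_INIT", SPIr)."""
        if len(self.half_open) >= self.threshold:
            expected = self._cookie(src_ip, spi_i, ni)
            if cookie is None or not hmac.compare_digest(cookie, expected):
                return ("COOKIE", expected)   # stateless: nothing is stored for this sender
        spi_r = secrets.token_bytes(8)
        self.half_open[(src_ip, spi_i)] = {"ni": ni, "spi_r": spi_r}
        return ("IKE_SA_INIT", spi_r)


def simulate(threshold: int = 2, flood_packets: int = 50) -> dict:
    """A spoofed-source flood, then a legitimate initiator, then a cookie replay."""
    responder = IKEv2Responder(threshold)

    # Attacker: IKE_SA_INIT requests from forged addresses.  Only the first
    # `threshold` get state; the rest receive a COOKIE the attacker never sees,
    # because the reply goes to the forged address.
    for i in range(flood_packets):
        responder.handle_sa_init(f"203.0.113.{i % 250 + 1}", i.to_bytes(8, "big"),
                                 secrets.token_bytes(32))
    half_open_after_flood = len(responder.half_open)

    # Legitimate initiator: challenged, retries the same request carrying the cookie.
    spi_i, ni = secrets.token_bytes(8), secrets.token_bytes(32)
    first_reply, cookie = responder.handle_sa_init("198.51.100.7", spi_i, ni)
    retry_reply, _ = responder.handle_sa_init("198.51.100.7", spi_i, ni, cookie=cookie)

    # Attacker who sniffed that cookie replays it from another address: the
    # cookie is bound to IPi, so it is rejected and still no state is created.
    replay_reply, _ = responder.handle_sa_init("203.0.113.250", spi_i, ni, cookie=cookie)

    # After the responder rotates its secret the old cookie is stale as well.
    responder.rotate_secret()
    stale_reply, _ = responder.handle_sa_init("198.51.100.7", spi_i, ni, cookie=cookie)

    return {
        "half_open_after_flood": half_open_after_flood,
        "first_reply": first_reply,
        "retry_reply": retry_reply,
        "replay_reply": replay_reply,
        "stale_reply": stale_reply,
        "half_open_total": len(responder.half_open),
    }


if __name__ == "__main__":
    print(simulate())
```

The point to notice is that the responder's memory grows only by the number of initiators that could actually receive and echo a cookie, however many packets the flood sends; the threshold matters because everything below it is still accepted blind, which is the trade-off “crypto ikev2 cookie-challenge” asks you to pick.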
The following IKEv2/IPSec configuration components are required for FlexVPN:
- IKEv2 Proposal (encryption, integrity, PRF and DH group)
- IKEv2 Policy (selects proposals per local address/FVRF)
- IKEv2 Keyring (only when PSK authentication is used)
- IKEv2 Profile (identity matching, authentication methods, keyring or PKI trustpoint)
- IPSec Transform Set
- IPSec Profile (binds the transform set to the IKEv2 profile)
- Tunnel interface with tunnel protection applied
The FlexVPN configuration can be minimised with the IKEv2 Smart Defaults, which supply default values for every component except the IKEv2 Profile and, where PSK is used, the Keyring.
- Smart defaults can be modified if required
- Smart defaults do not appear in the normal running-config; use “show running-config all” to see them
- A default object can be disabled by prefixing its command with “no”
- The default transform set uses “transport” mode, whereas a transform set you create yourself defaults to “tunnel” mode
Description / Show command / Default values:

Transform Set
 show crypto ipsec transform-set default
 crypto ipsec transform-set default esp-aes 128 esp-sha-hmac

IPSec Profile
 show crypto ipsec profile default
 crypto ipsec profile default
  set transform-set default
  set ikev2-profile default

IKEv2 Proposal
 show crypto ikev2 proposal default
 crypto ikev2 proposal default
  encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
  integrity sha512 sha384 sha256 sha1 md5
  group 5 2

IKEv2 Policy
 show crypto ikev2 policy default
 crypto ikev2 policy default
  match fvrf any

IKEv2 Authorization Policy
 show crypto ikev2 authorization policy default
 crypto ikev2 authorization policy default
  route set interface
  route accept any
The “IKEv2 Profile” must still be configured with the remote identity to match, the local and remote authentication methods and, if PSK is used, the keyring. In the keyring the pre-shared keys live under a peer block (the peer name and wildcard address below are assumed), the local and remote keys must be mirrored on the other side, and the tunnel interface needs an address, source, destination and IPSec mode before tunnel protection does anything (the values shown are assumed for illustration).
crypto ikev2 keyring KEYRING
 peer ANY
  ! assumed: match any peer address; narrow this to the real peer(s) in production
  address 0.0.0.0 0.0.0.0
  pre-shared-key local cisco1234
  pre-shared-key remote cisco5678
crypto ikev2 profile default
 match identity remote address 0.0.0.0 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring local KEYRING
interface tunnel 1
 ! assumed addressing and source interface
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default
All defaults can be modified, deactivated or restored. Note that the shipped default proposal still offers SHA-1, MD5 and the 1024-bit and 1536-bit DH groups 2 and 5, and the default transform set uses AES-128 with SHA-1 HMAC; because the IKEv2 initiator lists all of these and the responder picks from its own list, a peer with a weak configuration will negotiate the weak options. On any deployment that matters, modify the default proposal (or configure your own) to AES-256 or AES-GCM, SHA-256 or stronger and DH group 14 or higher (or the ECDH groups 19/20), and change the transform set accordingly.
Modifying defaults:
 crypto ikev2 proposal default
  (then the proposal sub-commands to change: encryption, integrity, group)
 crypto ipsec transform-set default esp-aes 256 esp-sha-hmac
Restoring defaults:
 default crypto ikev2 proposal
 default crypto ipsec transform-set
Disabling defaults:
 no crypto ikev2 proposal default
 no crypto ipsec transform-set default