In a FlexVPN hub-and-spoke design the spoke routers are configured with an ordinary static VTI (SVTI) whose tunnel destination is the hub’s IP address, while the hub is configured with a Dynamic VTI (DVTI). The DVTI on the hub has no static mapping to any peer address, so the hub never initiates; tunnels are always brought up by the spokes. When a spoke initiates, the hub clones a preconfigured tunnel template (the “virtual-template”) into a separate “virtual-access” interface for that spoke, which inherits its configuration from the template. Because the hub cannot identify a spoke by address in advance, the spoke’s IKEv2 identity and the key or certificate that backs it are what the hub uses to decide who gets a virtual-access interface, which is why the IKEv2 profile and keyring below are where access control actually happens.


FlexVPN Hub and Spoke Configuration

Hub Router

Step 1 – Define a loopback interface (its address is borrowed by the tunnel template via ip unnumbered, so every virtual-access interface shares it; the tunnel source itself is the WAN interface in Step 2)

interface loopback 0
ip address 172.16.0.1 255.255.255.255

Step 2 – Create a Tunnel Template (tunnel source is the WAN interface; Lo0 provides the tunnel IP address via ip unnumbered)

interface virtual-template 1 type tunnel
tunnel source gigabitethernet 0/0
ip unnumbered loopback 0

Step 3 – Create a PSK Keyring (address 0.0.0.0 matches every peer, so any host that knows this one key can authenticate to the hub; acceptable for a lab, but use per-peer keys or certificates in production. A symmetric PSK is used for simplicity)

crypto ikev2 keyring KEYRING
peer ANY-PEER
address 0.0.0.0
pre-shared-key local cisco1234
pre-shared-key remote cisco1234
exit

Step 4 – Create IKEv2 Profile (set the local identity to an FQDN, match any remote identity in the lab.net domain, use PSK authentication in both directions, reference the keyring, and attach the Virtual Template to clone). No IKEv2 proposal or policy is configured, so the IOS smart defaults are used for the IKE SA.

crypto ikev2 profile IKEV2_PROFILE
match identity remote fqdn domain lab.net
identity local fqdn R1.lab.net
authentication remote pre-share
authentication local pre-share
keyring local KEYRING
virtual-template 1

Step 5 – Create IPSec Profile (set the IKEv2 profile; the default transform set is used, so none needs to be specified)

crypto ipsec profile IPSEC_PROFILE
set ikev2-profile IKEV2_PROFILE

Step 6 – Specify the IPSec Profile on the Tunnel Template

interface virtual-template 1 type tunnel
tunnel protection ipsec profile IPSEC_PROFILE

Step 7 – Specify some Loopback Interfaces to simulate LAN Subnets & configure Dynamic Routing Protocol (the mask-less statement network 172.16.0.1 is classful and covers 172.16.0.0/16, so EIGRP runs on Lo0 and on every Virtual-Access interface that borrows its address; network 10.1.0.0 0.0.255.255 picks up the simulated LANs)

interface loopback1
ip address 10.1.0.1 255.255.255.0
interface loopback2
ip address 10.1.1.1 255.255.255.0
router eigrp 1
no auto-summary
network 172.16.0.1
network 10.1.0.0 0.0.255.255


Spoke Router

Step 1 – Specify some Loopback Interfaces to simulate LAN Subnets & configure Dynamic Routing Protocol

interface loopback0
ip address 172.16.0.2 255.255.255.0
interface loopback1
ip address 10.3.0.1 255.255.255.0
interface loopback2
ip address 10.3.1.1 255.255.255.0
router eigrp 1
no auto-summary
network 172.16.0.2
network 10.3.0.0 0.0.255.255

Step 2 – Create a PSK Keyring (address 0.0.0.0 matches any peer, lab use only; a symmetric PSK is used for simplicity)

crypto ikev2 keyring KEYRING
peer ANY-PEER
address 0.0.0.0
pre-shared-key local cisco1234
pre-shared-key remote cisco1234
exit

Step 3 – Create IKEv2 Profile (specify local identity of FQDN, match any peer on the domain name, specify authentication PSK, specify the Keyring to use)

crypto ikev2 profile IKEV2_PROFILE
match identity remote fqdn domain lab.net
identity local fqdn R2.lab.net
authentication remote pre-share
authentication local pre-share
keyring local KEYRING

Step 4 – Create IPSec Profile (set IKEv2 Profile, default Transform set will be used so no need to specify)

crypto ipsec profile IPSEC_PROFILE
set ikev2-profile IKEV2_PROFILE

Step 5 – Create an SVTI (borrow Lo0’s address via ip unnumbered, set the tunnel source to the WAN interface, set the tunnel destination to the Hub’s WAN IP, and apply the IPSec Profile)

interface tunnel0
ip unnumbered loopback 0
tunnel source gigabitethernet 0/0
tunnel destination 1.1.1.1
tunnel protection ipsec profile IPSEC_PROFILE
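The hub (Steps 1–7) and spoke (Steps 1–5) configurations above are fine for a lab, but two things in them would not survive a production review: the 0.0.0.0 keyring entry lets anyone holding the one shared key authenticate, and leaving the IKEv2 proposal, policy and transform set at the smart defaults means the cipher suite is whatever the IOS release decided. The following is an added example, not configuration from the original post, showing the same hub and spoke pair hardened: one key per spoke, selected by the spoke’s IKEv2 identity; an explicit IKEv2 proposal/policy and IPsec transform set; the spoke pinned to the hub’s exact FQDN; and IKEv2 DPD so a dead peer tears its virtual-access interface down. The second spoke R3.lab.net, the key strings, the hub WAN address 1.1.1.1 and the names IKEV2_PROPOSAL, IKEV2_POLICY and TS_AES256_SHA256 are assumptions; everything else reuses the names from the steps above.

```cisco
! ===== Hub (R1) =====
! Explicit IKEv2 proposal/policy (both sides must agree); replaces the smart defaults
crypto ikev2 proposal IKEV2_PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 19
crypto ikev2 policy IKEV2_POLICY
 proposal IKEV2_PROPOSAL
!
! One keyring entry per spoke, selected by the spoke's IKEv2 identity (its FQDN),
! not by address: the hub does not know spoke addresses in advance.
! Key strings are placeholders (assumed); generate a long random key per spoke.
crypto ikev2 keyring KEYRING
 peer R2
  identity fqdn R2.lab.net
  pre-shared-key R2-LONG-RANDOM-KEY
 peer R3
  identity fqdn R3.lab.net
  pre-shared-key R3-LONG-RANDOM-KEY
!
! The domain match still selects this profile for any lab.net spoke, but each
! spoke now has to prove the key bound to the FQDN it claims.
crypto ikev2 profile IKEV2_PROFILE
 match identity remote fqdn domain lab.net
 identity local fqdn R1.lab.net
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING
 dpd 10 3 on-demand
 virtual-template 1
!
crypto ipsec transform-set TS_AES256_SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile IPSEC_PROFILE
 set transform-set TS_AES256_SHA256
 set ikev2-profile IKEV2_PROFILE
!
! ===== Spoke (R2) =====
crypto ikev2 proposal IKEV2_PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 19
crypto ikev2 policy IKEV2_POLICY
 proposal IKEV2_PROPOSAL
!
! The spoke knows the hub's address, so its single entry is keyed on it
crypto ikev2 keyring KEYRING
 peer HUB
  address 1.1.1.1
  pre-shared-key R2-LONG-RANDOM-KEY
!
! Pin the remote identity to the hub's exact FQDN rather than the whole domain
crypto ikev2 profile IKEV2_PROFILE
 match identity remote fqdn R1.lab.net
 identity local fqdn R2.lab.net
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING
 dpd 10 3 on-demand
!
crypto ipsec transform-set TS_AES256_SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile IPSEC_PROFILE
 set transform-set TS_AES256_SHA256
 set ikev2-profile IKEV2_PROFILE
```

If this is applied on top of the lab configuration, remove the ANY-PEER entry first (no peer ANY-PEER under the keyring); otherwise the wildcard key is still present and a spoke that fails its per-identity key can still be matched by it. The hub keeps the domain-wide identity match because it is the only practical way to accept an unknown number of spokes, so the per-spoke keys are what stop one compromised spoke from impersonating another.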

Verify Configuration

Use the command “show ip interface brief” on the Hub to confirm that a Virtual-Access interface has been created for the spoke and is up/up.

Using the command “show crypto ikev2 sa detailed” you can verify the IKEv2 SA was established correctly with the peer: the Status should be READY and the Local id and Remote id should be the FQDNs configured in the IKEv2 profiles (R1.lab.net and R2.lab.net here), which confirms the peer was authenticated under the identity you expected.

Use the “show crypto ipsec sa” command to confirm the IPSec tunnel is UP and passing traffic (the #pkts encaps and #pkts decaps counters should increment as traffic flows). Each IPSec SA is listed under the Virtual-Access interface associated with the remote ID of the peer.



10 thoughts on “FlexVPN Hub-and-Spoke”

  1. Hi.

    Thanks for the example. How do I do it if I want to add redundancy to this, with one more hub? Just one more tunnel interface to the “standby” spoke?


    1. Hi Jacob,

      You don’t necessarily need to create an additional tunnel; you can use the Flex Client in conjunction with IP SLA/track commands. When the primary tunnel goes down, it will fail over to the secondary. E.g.:

      crypto ikev2 client flexvpn FLEX_CLIENT
      peer 1 1.1.1.1 track 1
      peer 2 2.2.2.1 track 2
      peer reactivate
      client connect tunnel0
      connect auto

      interface tunnel 0
      tunnel destination dynamic

      HTH


      1. Okay, I don’t have that option.
        Using a Cisco 867 as client.

        Router(config)#crypto ikev2 ?
        authorization IKEv2 authorization
        certificate-cache Cache for storing certs fetched from HTTP URLs
        cookie-challenge Set Cookie-challenge watermark
        diagnose IKEV2 diagnose
        dpd Enable IKE liveness check for peers
        fragmentation Enable fragmentation of ikev2 packets
        http-url Enable http URL lookup
        keyring Define IKEv2 Keyring
        limit Limit the number of maximum and negotiating sa
        name-mangler Name mangler
        nat NAT-transparency
        policy Define IKEV2 policies
        profile Define IKEv2 Profiles
        proposal Define IKEV2 proposals
        window IKEV2 window size


      2. Perhaps the IOS firmware version you have doesn’t support FlexVPN Client; check how old your version is and potentially upgrade.
        Alternatively you could run 2 tunnels and use a routing protocol for ECMP (2 equal-cost routes over both tunnels), or with a delay on the tunnel interfaces for 1 active route over 1 tunnel and the 2nd route as backup.

        HTH

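The FlexVPN client sketch in the reply above references track 1 and track 2 but leaves out what drives them, and the spoke also needs keyring entries for both hubs. The following is an added example, not configuration from the post or the comments, that fills those parts in on the spoke side. It assumes the platform supports crypto ikev2 client flexvpn, that the second hub’s WAN address is 2.2.2.1 as in the reply, that both hubs present identities in the lab.net domain and accept the same lab PSK, and that the spoke is R2 from the steps in the post; the names HUB1, HUB2 and FLEX_CLIENT are assumptions.

```cisco
! Spoke R2: two hubs, one tunnel; the FlexVPN client picks the destination.
! Probe each hub's WAN address; the tracks feed the client's peer list.
ip sla 1
 icmp-echo 1.1.1.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
ip sla 2
 icmp-echo 2.2.2.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 2 life forever start-time now
track 2 ip sla 2 reachability
!
! Keys for both hubs (the same lab key is assumed here; use distinct, random keys in production)
crypto ikev2 keyring KEYRING
 peer HUB1
  address 1.1.1.1
  pre-shared-key cisco1234
 peer HUB2
  address 2.2.2.1
  pre-shared-key cisco1234
!
! Both hubs are in lab.net, so the domain match covers either one.
! DPD catches a hub that still answers ICMP but whose IKE daemon is dead.
crypto ikev2 profile IKEV2_PROFILE
 match identity remote fqdn domain lab.net
 identity local fqdn R2.lab.net
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING
 dpd 10 3 on-demand
!
crypto ipsec profile IPSEC_PROFILE
 set ikev2-profile IKEV2_PROFILE
!
! Peer 1 is preferred. When track 1 goes down the client reconnects Tunnel0 to
! peer 2; "peer reactivate" moves it back to peer 1 once track 1 is up again.
crypto ikev2 client flexvpn FLEX_CLIENT
 peer 1 1.1.1.1 track 1
 peer 2 2.2.2.1 track 2
 peer reactivate
 client connect Tunnel0
 connect auto
!
! The tunnel takes its destination from the client, so it must be "dynamic"
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel destination dynamic
 tunnel protection ipsec profile IPSEC_PROFILE
```

The ICMP probes only prove that a hub’s WAN address is reachable, not that IKEv2 on it is healthy, which is why the profile keeps DPD; the two mechanisms cover different failure modes. Both hubs must be configured as in the post (DVTI, matching IKEv2 profile and keyring) for the spoke to be able to land on either.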
