Comparing DMVPN Phase configuration

Cisco DMVPN has three Phases; this post simply covers the basic commands for each DMVPN Phase.

This earlier post describes DMVPN in more detail: DMVPN Phase 3 Dual Hub

Basic Configuration


Cisco IOS Certificate Authority

A Cisco IOS router can be configured as a Certificate Authority (CA), issuing, distributing and managing (revoking) digital certificates. IOS routers enrol with the PKI server and are issued a certificate for use during the authentication phase when establishing a VPN tunnel. When authenticating, the peers exchange certificates and validate each other's identity; if successful, a secure IKE Security Association is established, through which an IPSec SA can then be established.

The purpose of this post is to describe the steps to configure a basic PKI/CA server on a Cisco IOS router.


FlexVPN Local Authorization

In this example, FlexVPN Remote Access VPN users authenticate to the hub router using RSA certificates. Using the IKEv2 Name Mangler feature, the organisational unit (OU) value is extracted from the certificate and used to select a local IKEv2 authorization policy; the policy name must exactly match the value in the OU. The IKEv2 authorization policy, in conjunction with an AAA attribute list, assigns different attributes to each user's session, for example VRF, IP pool, access list etc.

This configuration is an example of FlexVPN local authorization; the same can be achieved using a RADIUS server. Refer to the previous posts for additional FlexVPN information:

FlexVPN Certificate Authentication
FlexVPN external AAA with RADIUS
FlexVPN Hub and Spoke


ASA VPN Filter

When configuring a VPN (crypto map or VTI) on a Cisco ASA firewall, all traffic through the tunnel is permitted by default. The command sysopt connection permit-vpn is enabled by default; with it enabled, the interface ACLs are bypassed for traffic traversing the VPN tunnel, therefore permitting all traffic over the VPN tunnels. (Disabling it with no sysopt connection permit-vpn makes decrypted traffic subject to the interface ACLs instead, which is a coarser, interface-wide control.) To restrict traffic within a VPN tunnel on an ASA, a VPN Filter must be configured. Multiple VPN Filters can be defined and assigned per group-policy, and therefore per VPN tunnel.

The VPN Filter uses an access list; however, the ACEs are not written as in a normal ACL. The SOURCE network/port is always the REMOTE side and the DESTINATION network/port is always the LOCAL side, regardless of which side initiates the connection, so a service the local side initiates towards the remote side is written with the service port on the source half of the ACE. The VPN Filter is stateful and therefore permits the return traffic without it having to be explicitly permitted.

This post does not cover the configuration of the VPN itself on the ASA; that has been covered in the following posts: VTI or Crypto Map.

ASA Configuration

In this example a VPN between HQ_ASA and BRANCH-3_ASA is already configured and operational. A VPN Filter will be configured and applied only to the HQ ASA. It is important to remember that, as far as the VPN Filter ACL is concerned, the SOURCE network is the BRANCH-3 network ( and the DESTINATION is the HQ network (
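The following is an added configuration example of the filter described above; it is my illustration, not the post's own configuration. The networks (BRANCH-3 LAN 192.168.3.0/24 as the remote side, HQ LAN 10.10.10.0/24 as the local side), the branch peer address 203.0.113.3 and the object names are placeholders I assumed, not values from the post.

```text
! Rule of thumb for every ACE: source = REMOTE (BRANCH-3), destination = LOCAL (HQ),
! whichever side opens the connection.
!
! Branch-initiated HTTPS to HQ servers, and branch-initiated ICMP to HQ.
access-list VPN-FILTER-BRANCH3 extended permit tcp 192.168.3.0 255.255.255.0 10.10.10.0 255.255.255.0 eq 443
access-list VPN-FILTER-BRANCH3 extended permit icmp 192.168.3.0 255.255.255.0 10.10.10.0 255.255.255.0
!
! HQ-initiated SSH to branch hosts. The branch is still written as the source,
! so the service port sits on the SOURCE half of the ACE, not the destination.
access-list VPN-FILTER-BRANCH3 extended permit tcp 192.168.3.0 255.255.255.0 eq 22 10.10.10.0 255.255.255.0
!
! Everything else in either direction hits the implicit deny at the end of the ACL.
!
group-policy GP-BRANCH3 internal
group-policy GP-BRANCH3 attributes
 vpn-filter value VPN-FILTER-BRANCH3
!
tunnel-group 203.0.113.3 general-attributes
 default-group-policy GP-BRANCH3
!
! Verification: confirm the filter is attached to the live session, then watch
! the ACE hit counts climb while testing each flow (both directions).
! show vpn-sessiondb detail l2l filter ipaddress 203.0.113.3
! show access-list VPN-FILTER-BRANCH3
```

The common mistake is writing the HQ-to-branch SSH rule as "permit tcp 10.10.10.0 ... 192.168.3.0 ... eq 22", which never matches because the filter always evaluates the branch side as the source. Note also that the filter here lives only on the HQ ASA, so the branch ASA still permits everything in its tunnel until it gets a filter of its own.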


OpenSSL CA for VPN authentication

The purpose of this post is to describe the steps to set up and configure an OpenSSL Certificate Authority (CA) on an Ubuntu server. The CA will be used for VPN authentication of Windows clients authenticating against a Cisco router. It is assumed that the Ubuntu server is already installed and configured. Note that accurate time is important when using certificates: a peer rejects a certificate whose validity period does not contain its current time, so ensure the Ubuntu server's clock is correct before issuing anything.

The following software/hardware was utilised:-

FTD VPN Certificate authentication

Using certificates to authenticate VPN peers is the most scalable authentication method. As of FTD 6.2.2, certificate enrolment is either via SCEP or by manual import of a PKCS12 file. When using SCEP the FTD must have direct communication with the SCEP server in order to request the certificate, which may not be possible if the FTD is already deployed on site. That leaves importing the signed certificate as a PKCS12 file; this is a manual process, and access to the console via SSH is all that is required.

This post will describe how to create a certificate template on a Windows CA, how to generate a certificate private key, CSR and PKCS12 file, and how to configure the VPN on the FMC.
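The OpenSSL side of both the OpenSSL CA post above and this FTD post comes down to the same few commands, so here is one added, self-contained script covering them: a self-signed root CA, a device key and CSR carrying an OU value (the attribute the FlexVPN name mangler post reads), a CA-signed certificate with the EKUs IKEv2 peers look for, and a password-protected PKCS12 bundle ready for import. This is my own example, not code from any of the posts; the subjects, file names, the IKE Intermediate EKU choice, the password "changeit" and the assumption that OpenSSL 1.1.1 or later is on the PATH are all mine. A Windows CA would replace step 3 with its template, but steps 2 and 4 are identical.

```shell
#!/bin/sh
# Added example (not from the original posts). Names, subjects, paths and the
# export password are assumptions for the demonstration.
set -eu

build_pki() {
    work="$1"
    mkdir -p "$work"

    # 1. Self-signed root CA. The default "req -x509" profile marks it CA:TRUE.
    #    A real deployment keeps ca.key offline; the 10 year lifetime is arbitrary.
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 3650 \
        -keyout "$work/ca.key" -out "$work/ca.crt" \
        -subj "/C=GB/O=Example Lab/CN=Example Lab Root CA" 2>/dev/null

    # 2. Device key and CSR (FTD, IOS router or Windows client: same procedure).
    #    OU=BRANCH is the value an IKEv2 name mangler set to "ou" would extract.
    openssl req -new -newkey rsa:2048 -sha256 -nodes \
        -keyout "$work/device.key" -out "$work/device.csr" \
        -subj "/C=GB/O=Example Lab/OU=BRANCH/CN=ftd.lab.example" 2>/dev/null

    # 3. Extensions applied at signing time. Windows IKEv2 clients expect
    #    serverAuth on the gateway certificate; 1.3.6.1.5.5.8.2.2 is the
    #    IKE Intermediate EKU. The SAN must match the identity the peer sends.
    cat > "$work/device.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth, 1.3.6.1.5.5.8.2.2
subjectAltName = DNS:ftd.lab.example
EOF
    openssl x509 -req -in "$work/device.csr" -CA "$work/ca.crt" \
        -CAkey "$work/ca.key" -CAcreateserial -days 365 -sha256 \
        -extfile "$work/device.ext" -out "$work/device.crt" 2>/dev/null

    # 4. PKCS12 = private key + identity certificate + issuing CA, password
    #    protected. OpenSSL 3 defaults to AES/PBKDF2; add -legacy only if the
    #    importing device insists on the old RC2/3DES encoding.
    openssl pkcs12 -export -inkey "$work/device.key" -in "$work/device.crt" \
        -certfile "$work/ca.crt" -name "device-vpn" \
        -passout pass:changeit -out "$work/device.p12"
}

# Does the issued certificate chain back to our CA?
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/device.crt" >/dev/null 2>&1
}

# Extract the OU exactly as a name mangler would match it against a policy name.
cert_ou() {
    openssl x509 -in "$1/device.crt" -noout -subject -nameopt sep_multiline |
        sed -n 's/^ *OU=//p'
}

# Clock check: a peer whose time falls outside notBefore..notAfter rejects the
# certificate. "-checkend 0" exits non-zero once the cert is expired on this host.
cert_valid_now() {
    openssl x509 -in "$1/device.crt" -noout -checkend 0 >/dev/null
}

# Can the bundle be opened with the password, as the importer will try to?
p12_opens() {
    openssl pkcs12 -in "$1/device.p12" -passin pass:changeit -nokeys -clcerts \
        >/dev/null 2>&1
}
```

Run it as `build_pki ./pki && verify_chain ./pki && cert_ou ./pki`; the OU printed is the string an authorization policy name must match character for character. The four check functions are the ones worth running on the CA host before shipping the PKCS12, because a chain, EKU or clock problem surfaces on the firewall only as a terse IKE authentication failure.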


IKEv2/IPSec VTI tunnel between ASA Firewall and IOS Router

Cisco introduced VTI to ASA firewalls in version 9.7.1 as an alternative to policy-based crypto maps. Cisco IOS routers have long supported VTIs (sVTI, DVTI, DMVPN, FlexVPN etc). This post describes the steps to configure a VTI between a Cisco ASA firewall and a Cisco IOS router.

Hardware/Software used:
Cisco ASAv (v9.9.1)
Cisco CSR1000v (v16.3.3)
