Cisco, VPN

Configuring DMVPN Phase 3 Dual Hub

This post details the configuration on how to configure a DMVPN Phase 3 VPN in a Dual Hub Single Cloud. I previously wrote a post on configuring DMVPN Phase 2, refer to this post for more detailed information on configuring DMVPN.

As per most previous posts GNS3 was used to lab the configuration. I had to use the Advanced Security IOS image “c7200-advsecurityk9-mz.152-4.M7” instead of my normal Advanced IP Services IOS image “c7200-advipservicesk9-mz.152-4.S4” because that version does not support NHRP redirect required for DMVPN Phase 3. The error received when configuring NHRP redirect is: % NHRP-WARNING: ‘ip nhrp redirect’ failed to initialise.

This post covers the following:

  • Front Door VRF
  • Crypto Keyring
  • Dual DMVPN Hub configuration
  • DMVPN Spoke configuration
  • DMVPN NHS Clustering (dual active Hubs and Active/Standby Hub)
  • DMVPN Phase 3

The router default ISAKMP Policy, IPSec Transform Set and IPSec Profile were used and therefore not covered in this post. This previous post covers ISAKMP and IPSec Policy/Profile creation.

The lab scenario has 6 x Cisco IOS 15.2(4) routers as represented in the diagram below.


Continue reading

Advertisements
Cisco, VPN

Configuring IKEv2 Site-to-Site VPN on Cisco ASA

This blog post provides the simple configuration information to setup a Site-to-Site VPN between two Cisco ASA firewalls using the IKEv2 protocol.

The following lab scenario was setup in GNS3 using the following images:

  • Cisco ASAv version 9.5(2)
  • Cisco IOS version 15.2(4)

A VPN will be setup between the 2 Cisco ASA firewalls (ASAv-1 and ASAv-2). The 2 routers (R1 and R2) will act as hosts in the local networks in order to generate traffic to initiate the VPN tunnel on demand.
Continue reading

Cisco

Configuring Cisco ASA Active/Standby Failover

Identical Cisco ASA firewalls (same hardware, model, interfaces and RAM etc) can be configured for failover, thus allowing for uninterrupted network connectivity. The Cisco ASA supports 2 failover configurations Active/Active (both appliances pass traffic) and Active/Standby (only the active appliance passes traffic, whilst the other appliance is waiting for failure/failover to occur).

The ASA appliances are connected to each other through a dedicated failover link, this can be any spare interface not currently used. Stateful failover can also be configured; this replicates the firewall state information to the standby appliance.
Continue reading

Cisco, VPN

Configuring Cisco FlexVPN Hub-and-Spoke

In a FlexVPN Hub and Spoke design spoke routers are configured with a normal static VTI with the tunnel destination of the Hub’s IP address, the Hub however is configured with a Dynamic VTI. The DVTI on the Hub router is not configured with a static mapping to the peer’s IP address. The VTI on the Hub is created dynamically from a preconfigured tunnel template “virtual-template” when a tunnel is initiated by the spoke router/peer. The dynamic tunnel spawns a separate “virtual-access” interface for each spoke tunnel, inheriting the configuration from the cloned the template.


Continue reading

Cisco, VPN

Configuring Cisco FlexVPN SVTI

As mentioned in the previous blog post when configuring FlexVPN configuration can be minimized by using the Smart Defaults, they comprises of default configurations for IKEv2 Proposal, IKEv2 Policy, IPSec Profile and Transform Set. This post provides a simple configuration example when using Smart Defaults and when using custom configurations.

Configuration Example – FlexVPN SVTI with Smart Defaults


This simple lab configuration is to setup a SVTI Site-to-Site VPN between 2 Cisco IOS routers.


Continue reading

Cisco, VPN

Cisco FlexVPN Overview

FlexVPN is a framework to configure IPSec VPNs on Cisco IOS devices; it was created to simplify the deployment of VPN solutions of all type (Site-to-Site, Remote Access etc). It uses a common configuration template for all VPN types. FlexVPN is based on IKEv2 and does not support IKEv1.

IKEv2 Features

  • IKEv2 is more secure than IKEv1 because it supports the latest Suite B cryptographic algorithms
  • Built-in support for Dead Peer Detection (DPD) and NAT-Traversal
  • Is resistant to DoS attacks
  • Consolidated IKEv1 main and aggressive modes into one method, called “initial”
  • Supports more authentication methods; in addition to PSK, certificates it also supports EAP authentication.
  • XAUTH not used in IKEv2, EAP is used for authentication instead: EAP Tunneling: EAP-TLS, EAP-PEAP, EAP-PSK, EAP Non-Tunnelling: EAP-MSCHAPv2, EAP-MD5, EAP-GTC and
    EAP Anyconnect
    Continue reading