VRFs can be used on a router acting as a VPN gateway to isolate the routing tables for encrypted and cleartext traffic. By default, when no VRFs are used, all routes sit in the global routing table. A Front-door VRF (FVRF) is defined on the outside/WAN interface; only encrypted traffic (IKE and ESP between the peers) is routed in this VRF. An Inside VRF (IVRF) is defined on the inside interface(s) and carries the cleartext traffic.

In this blogpost scenario the Hub and Spoke routers will be configured as follows:-


  • The Hub router will use a DVTI (Virtual-Template).
  • The Spoke router(s) will be configured with one SVTI Tunnel interface per IVRF (in this scenario two IVRFs are used).
  • The Hub router will not accept more than one tunnel from the same source peer address, therefore a loopback interface per tunnel is defined on the spoke routers; these loopbacks must be routable over the internet/WAN.
  • RSA certificates will be used for authentication. The spoke routers require a unique certificate per VRF.
  • Authorization will be performed on the Hub; a unique value in the OU field distinguishes the spoke tunnels, with the IKEv2 name-mangler feature extracting the OU value.
  • Multiple local IKEv2 Authorization Policies will be defined on the Hub, each policy name matching the exact value of the OU field in the spoke's certificate. In this instance the OU value is the same as the IVRF name, but it does not need to be.
  • Each IKEv2 Authorization Policy on the Hub references a unique AAA attribute list, which assigns the VRF to the Virtual-Access interface dynamically created on the Hub.
  • The spoke router(s) will also perform authorization, but their policy is statically configured (no name-mangler required).
  • IKEv2 routing will be used for one VRF and EIGRP for the other.
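The following configuration is an added worked example of the design listed above; it is not configuration taken from the original post. It also shows the local authorization mechanism (name-mangler, per-OU authorization policy, AAA attribute list) that the FlexVPN Local Authorization post further down this page relies on, and the IKEv2 routing used for one of the VRFs. The VRF names (FVRF, IVRF-A, IVRF-B), interface names, trustpoint names, CA URL, OU values and all addresses are assumptions.

```cisco
! ===== HUB (added example; VRF, interface and trustpoint names and addresses are assumptions) =====
vrf definition FVRF
 address-family ipv4
vrf definition IVRF-A
 address-family ipv4
vrf definition IVRF-B
 address-family ipv4
aaa new-model
aaa authorization network default local
! WAN interface lives in the FVRF: only IKE/ESP is routed here
interface GigabitEthernet0/0
 vrf forwarding FVRF
 ip address 203.0.113.1 255.255.255.0
interface Loopback1
 vrf forwarding IVRF-A
 ip address 10.255.1.1 255.255.255.255
interface Loopback2
 vrf forwarding IVRF-B
 ip address 10.255.2.1 255.255.255.255
! name-mangler: the OU of the spoke certificate selects the authorization policy of that name
crypto ikev2 name-mangler OU-MANGLER
 dn organization-unit
! the AAA attribute list moves the dynamically created Virtual-Access interface into the IVRF
aaa attribute list ATTR-IVRF-A
 attribute type interface-config "vrf forwarding IVRF-A"
 attribute type interface-config "ip unnumbered Loopback1"
aaa attribute list ATTR-IVRF-B
 attribute type interface-config "vrf forwarding IVRF-B"
 attribute type interface-config "ip unnumbered Loopback2"
! IVRF-A: routes exchanged by IKEv2 routing; IVRF-B: routes exchanged by EIGRP
crypto ikev2 authorization policy IVRF-A
 aaa attribute list ATTR-IVRF-A
 route set interface
 route set remote ipv4 10.1.0.0 255.255.0.0
 route accept any
crypto ikev2 authorization policy IVRF-B
 aaa attribute list ATTR-IVRF-B
crypto ikev2 profile HUB-DVTI
 match fvrf FVRF
 match identity remote any
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint HUB-TP
 aaa authorization group cert list default name-mangler OU-MANGLER
 virtual-template 1
crypto ipsec profile IPSEC-PROF
 set ikev2-profile HUB-DVTI
interface Virtual-Template1 type tunnel
 tunnel vrf FVRF
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF
router eigrp HUB
 address-family ipv4 vrf IVRF-B autonomous-system 200
  network 10.255.2.1 0.0.0.0
! ===== SPOKE (VRF definitions, aaa commands and EIGRP for IVRF-B mirror the hub) =====
! one internet-routable loopback per tunnel: the hub rejects a second tunnel from the same peer address
interface Loopback11
 ip address 198.51.100.11 255.255.255.255
interface Loopback12
 ip address 198.51.100.12 255.255.255.255
! one trustpoint, and therefore one certificate, per IVRF; the OU carries the policy name
crypto pki trustpoint SPOKE-A-TP
 enrollment url http://ca.example.net:80
 subject-name cn=spoke1.example.net,ou=IVRF-A,o=example
crypto pki trustpoint SPOKE-B-TP
 enrollment url http://ca.example.net:80
 subject-name cn=spoke1.example.net,ou=IVRF-B,o=example
! static authorization on the spoke: the policy is named directly, no name-mangler
crypto ikev2 authorization policy IVRF-A
 route set interface
 route set remote ipv4 10.1.1.0 255.255.255.0
 route accept any
crypto ikev2 authorization policy IVRF-B
crypto ikev2 profile SPOKE-A
 match identity remote any
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint SPOKE-A-TP
 aaa authorization group cert list default IVRF-A
crypto ikev2 profile SPOKE-B
 match identity remote any
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint SPOKE-B-TP
 aaa authorization group cert list default IVRF-B
crypto ipsec profile IPSEC-A
 set ikev2-profile SPOKE-A
crypto ipsec profile IPSEC-B
 set ikev2-profile SPOKE-B
interface Tunnel1
 vrf forwarding IVRF-A
 ip address 10.255.1.11 255.255.255.255
 tunnel source Loopback11
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-A
interface Tunnel2
 vrf forwarding IVRF-B
 ip address 10.255.2.11 255.255.255.255
 tunnel source Loopback12
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-B
```

Two points worth checking on the hub after the tunnels come up: `show crypto ikev2 sa detailed` should list the authorization policy chosen by the name-mangler for each session, and `show ip route vrf IVRF-A` should contain the spoke's `route set` prefix learnt via IKEv2 while `show ip route vrf IVRF-B` contains only EIGRP routes. If a Virtual-Access interface lands in the global table instead of the IVRF, the usual cause is an OU value that does not match any authorization policy name exactly (the match is case-sensitive).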

This post does not cover the full configuration of FlexVPN, refer to the previous blog posts for more information:-

FlexVPN Hub and Spoke
FlexVPN Local Authorization
FlexVPN IKEv2 Routing
FlexVPN Certificate Authentication

Continue reading “FlexVPN VRF”

Cisco IOS Certificate Authority

A Cisco IOS Router can be configured as a Certificate Authority (CA), issuing, distributing and managing (revoking) digital certificates. IOS routers enrol with the PKI server and are issued a certificate for use during the authentication phase of establishing a VPN tunnel. When authenticating, the peers exchange certificates and validate each other's identity; if validation succeeds, a secure IKE Security Association is established, through which an IPsec SA can be negotiated.

The purpose of this post is to describe the steps to configure a basic PKI/CA Server on a Cisco IOS router.
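As an added example (not configuration from the original post), the following shows a basic IOS CA together with a VPN router enrolling against it over SCEP. The server name IOS-CA, the issuer name, NTP server, CDP URL, lifetimes, archive password, subject name and key label are assumptions.

```cisco
! ===== CA ROUTER (added example; names, addresses, URL and lifetimes are assumptions) =====
! certificates are time-bound: sync the clock before issuing anything
ntp server 192.0.2.123
! SCEP enrolment is served over HTTP
ip http server
! the PKI server expects a key pair labelled with its own name; exportable so the CA can be backed up
crypto key generate rsa general-keys label IOS-CA modulus 2048 exportable
crypto pki server IOS-CA
 issuer-name cn=ca.example.net,o=example
 hash sha256
 lifetime ca-certificate 1825
 lifetime certificate 365
 lifetime crl 24
 cdp-url http://ca.example.net/IOS-CA.crl
 database level names
 database archive pkcs12 password Ca-Arch1ve-Passw0rd
 no shutdown
! requests stay pending until an operator checks the fingerprint and grants them (exec mode):
!   crypto pki server IOS-CA info requests
!   crypto pki server IOS-CA grant 2
! revoke a certificate by serial number; the CRL published at cdp-url is regenerated:
!   crypto pki server IOS-CA revoke 0x2
! ===== VPN ROUTER enrolling with the CA =====
ntp server 192.0.2.123
crypto pki trustpoint IOS-CA
 enrollment url http://ca.example.net:80
 subject-name cn=spoke1.example.net,ou=IVRF-A,o=example
 revocation-check crl
 rsakeypair SPOKE1-KEY 2048
! exec mode: fetch the CA certificate, compare its fingerprint with the CA's own output,
! then request a certificate
!   crypto pki authenticate IOS-CA
!   crypto pki enroll IOS-CA
!   show crypto pki certificates IOS-CA
```

Leaving the server at its default of manual granting (rather than `grant auto`) means an attacker who can reach the SCEP URL cannot obtain a VPN certificate without an operator comparing the request fingerprint; the CDP URL must be reachable from every peer that uses `revocation-check crl`, otherwise tunnel authentication fails once the peer needs to refresh the CRL.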

Continue reading “Cisco IOS Certificate Authority”

FlexVPN Local Authorization

In this example FlexVPN Remote Access VPN users authenticate to the Hub router using RSA certificates. Using the IKEv2 name-mangler feature, the organisational unit (OU) value is extracted from the certificate and a local IKEv2 Authorization Policy is selected based on the extracted value. The IKEv2 Authorization Policy name must match exactly the value defined in the OU. The IKEv2 Authorization Policy, in conjunction with an AAA attribute list, assigns different attributes to the users' sessions, for example VRF, IP pool, access list etc.

This configuration is an example of FlexVPN Local Authorization, the same can be achieved using a RADIUS server. Refer to the previous posts for additional FlexVPN information:-

FlexVPN Certificate Authentication
FlexVPN external AAA with RADIUS
FlexVPN Hub and Spoke

Continue reading “FlexVPN Local Authorization”

OpenSSL CA for VPN authentication

The purpose of this post is to describe the steps to set up and configure an OpenSSL Certificate Authority (CA) on an Ubuntu server. The CA will be used for VPN authentication of Windows clients authenticating against a Cisco router. It is assumed that the Ubuntu server is already installed and configured. Note that time accuracy is important when using certificates, so ensure the Ubuntu server's time is correct.

The following software/hardware was utilised:-

FlexVPN IKEv2 Routing

FlexVPN supports dynamic routing protocols such as EIGRP, BGP and OSPF over the tunnels. FlexVPN can also advertise routes within the IKEv2 exchange itself (IKEv2 routing). To do this an IKEv2 Authorization Policy must be configured; the policy can be defined locally on the router or centrally on a RADIUS server such as ISE.

This post describes only how to configure a local IKEv2 Authorization Policy and IKEv2 routing on a Hub and a Spoke router. For further information on FlexVPN, review the blog posts Configure FlexVPN Hub and Spoke and Configure FlexVPN with certificate authentication.

Continue reading “FlexVPN IKEv2 Routing”

Recommended IKEv2 Proposal

IKEv2 is the key-management protocol used by IPsec VPNs: it authenticates the peers and negotiates the security associations (SAs). Cisco IOS routers ship with a predefined default IKEv2 proposal (encryption, integrity/hashing, DH group and PRF algorithms); some of these algorithms are no longer considered secure and are therefore not recommended.

As of Cisco IOS-XE v16.8.1 the default IKEv2 Proposal will be updated, more information here: https://gblogs.cisco.com/uki/deep-dive-a-vpn-journey/

As of 2018 the recommended IKEv2 Proposal algorithms are:
Integrity: SHA512, SHA384
PRF: SHA512, SHA384
DH Group: Group 19, Group 14, Group 21, Group 5

Customers running older IOS versions do not need to upgrade in order to use these algorithms; a custom IKEv2 Proposal and Policy can be defined and applied instead. This post describes how to configure a custom IKEv2 Proposal and Policy for use with an IPsec VPN such as FlexVPN, DMVPN or GETVPN.
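As an added example (not configuration from the original post), the following defines a custom proposal built from the 2018 list above, binds it to a policy, and pairs it with an equally strong IPsec transform for the child SA. The proposal, policy, transform-set and profile names are assumptions. DH group 5 (1536-bit MODP) is deliberately left out of the example: RFC 8247 rates it SHOULD NOT, so it belongs in a proposal only where a legacy peer cannot do better, and then listed last.

```cisco
! Custom IKEv2 proposal and policy (added example; names are assumptions)
crypto ikev2 proposal IKEv2-PROP-2018
 encryption aes-cbc-256
 integrity sha512 sha384
 prf sha512 sha384
 group 19 21 14
! the policy binds the proposal; "match fvrf any" applies it in every front-door VRF
crypto ikev2 policy IKEv2-POL-2018
 match fvrf any
 proposal IKEv2-PROP-2018
! the child (IPsec) SA needs the same attention: AES-GCM carries its own integrity
crypto ipsec transform-set TS-AES-GCM-256 esp-gcm 256
 mode tunnel
crypto ipsec profile IPSEC-PROF
 set transform-set TS-AES-GCM-256
 set pfs group19
! verify what was actually negotiated (exec mode):
!   show crypto ikev2 proposal
!   show crypto ikev2 sa detailed
!   show crypto ipsec sa | include transform
```

Once a custom policy exists it is selected ahead of the default one, so a peer that only offers the old algorithms will fail IKE_SA_INIT; check `show crypto ikev2 sa detailed` on both ends after the change rather than assuming the strong set was chosen.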

Continue reading “Recommended IKEv2 Proposal”

FlexVPN Remote Access VPN

In addition to site-to-site VPNs, FlexVPN can also be used for Remote Access VPN, using the same familiar commands as the S2S configuration. Remote Access VPN can use certificate authentication (mutual certificate authentication between router and AnyConnect client), EAP (MD5/MSCHAPv2) or AnyConnect-EAP. Authentication and authorization can be performed by local AAA or by an external RADIUS server, which can authenticate the users against an Active Directory domain and authorize them based on AD group membership.

This post will describe how to configure FlexVPN Remote Access VPN using aggregate authentication (double authentication): an AD username/password plus a client certificate. We will not describe the basics of configuring FlexVPN Hub-and-Spoke or certificate authentication; these have been described in previous posts here:
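As an added example (not configuration from the original post), the hub-side configuration below implements the double authentication described above: the AnyConnect client must present a certificate issued by the trusted CA and also complete an EAP username/password exchange that the router forwards to RADIUS, where the credentials are checked against AD. The RADIUS server addresses and key, pool, DNS, domain, trustpoint name, ACL, AnyConnect profile path and interface names are assumptions.

```cisco
! ===== HUB: AnyConnect double authentication, certificate + AD credentials via RADIUS (added example) =====
aaa new-model
radius server ISE-1
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key Radius-Shared-Secret
aaa group server radius ISE
 server name ISE-1
! the EAP username/password goes to RADIUS (which checks it against AD); group authorization stays local
aaa authentication login RA-AUTH group ISE
aaa authorization network default local
ip local pool RA-POOL 10.20.0.1 10.20.0.254
ip access-list standard SPLIT-TUNNEL
 permit 10.0.0.0 0.255.255.255
crypto ikev2 authorization policy RA-POLICY
 pool RA-POOL
 dns 10.0.0.53
 def-domain example.net
 route set access-list SPLIT-TUNNEL
crypto vpn anyconnect profile RA-CLIENT bootflash:/anyconnect-profile.xml
crypto ikev2 profile RA-PROFILE
 match identity remote key-id *$AnyConnectClient$*
 identity local dn
 authentication local rsa-sig
! aggregate authentication: the client must present a valid certificate AND pass EAP
 authentication remote anyconnect-eap aggregate cert-request
 pki trustpoint IOS-CA
 aaa authentication anyconnect-eap RA-AUTH
 aaa authorization group anyconnect-eap list default RA-POLICY
 aaa authorization user anyconnect-eap cached
 virtual-template 10
 anyconnect profile RA-CLIENT
crypto ipsec profile RA-IPSEC
 set ikev2-profile RA-PROFILE
interface Virtual-Template10 type tunnel
 ip unnumbered GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile RA-IPSEC
! verify (exec mode): the session should show both a certificate and an EAP identity
!   show crypto ikev2 session detail
```

The `cert-request` keyword is what turns single-factor AnyConnect-EAP into double authentication: without it the router accepts the EAP result alone, and a phished AD password is enough to connect. The `aaa authorization user anyconnect-eap cached` line lets per-user attributes returned by RADIUS (for example a group-specific pool) override the local group policy.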

Continue reading “FlexVPN Remote Access VPN”