This post will describe how to configure FlexVPN authorization using RADIUS AAA, ISE 2.4 will be used as the RADIUS server.
The Hub router will authenticate the spoke routers with RSA certificates. The spoke routers’ certificate will have an value in the OU (organisational unit) field which will identify the location e.g. US-Branch or UK-Branch. An IKEv2 name-mangler will be used to extract the OU value from the certificate and use this in the authorization request to the RADIUS server. Depending on matching on location in the Authorization rules the RADIUS server will return different values per location.
Continue reading “Configuring FlexVPN external AAA with RADIUS”
The intention of this blog post is to describe the steps to configure certificate authentication for FlexVPN on a Cisco IOS router. This post will not describe all the steps to enrol for a certificate or all the steps to configure FlexVPN, refer to the previous blog posts list below.
The configuration used is based on the FlexVPN sVTI blog post below and has successfully enrolled for certificates on all routers. VPN connectivity has been established using PSK, the configuration below will convert from PSK to certificate authentication.
Requesting a certificate on Cisco IOS router using SCEP or manual enrolment
Configuring FlexVPN VTI and Hub-and-Spoke on Cisco routers
Configure FlexVPN for Certificate authentication
All certificates in this FlexVPN lab are signed by the CA called lab-PKI-CA
Run the command show crypto pki certificates to identify the issuer, in this instance lab-PKI-CA
Continue reading “Configuring Cisco FlexVPN with Certificate authentication”
In a FlexVPN Hub and Spoke design spoke routers are configured with a normal static VTI with the tunnel destination of the Hub’s IP address, the Hub however is configured with a Dynamic VTI. The DVTI on the Hub router is not configured with a static mapping to the peer’s IP address. The VTI on the Hub is created dynamically from a preconfigured tunnel template “virtual-template” when a tunnel is initiated by the spoke router/peer. The dynamic tunnel spawns a separate “virtual-access” interface for each spoke tunnel, inheriting the configuration from the cloned the template.
Continue reading “Configuring Cisco FlexVPN Hub-and-Spoke”
As mentioned in the previous blog post when configuring FlexVPN configuration can be minimized by using the Smart Defaults, they comprises of default configurations for IKEv2 Proposal, IKEv2 Policy, IPSec Profile and Transform Set. This post provides a simple configuration example when using Smart Defaults and when using custom configurations.
Configuration Example – FlexVPN SVTI with Smart Defaults
This simple lab configuration is to setup a SVTI Site-to-Site VPN between 2 Cisco IOS routers.
Continue reading “Configuring Cisco FlexVPN SVTI”
FlexVPN is a framework to configure IPSec VPNs on Cisco IOS devices; it was created to simplify the deployment of VPN solutions of all type (Site-to-Site, Remote Access etc). It uses a common configuration template for all VPN types. FlexVPN is based on IKEv2 and does not support IKEv1.
- IKEv2 is more secure than IKEv1 because it supports the latest Suite B cryptographic algorithms
- Built-in support for Dead Peer Detection (DPD) and NAT-Traversal
- Is resistant to DoS attacks
- Consolidated IKEv1 main and aggressive modes into one method, called “initial”
- Supports more authentication methods; in addition to PSK, certificates it also supports EAP authentication.
- XAUTH not used in IKEv2, EAP is used for authentication instead: EAP Tunneling: EAP-TLS, EAP-PEAP, EAP-PSK, EAP Non-Tunnelling: EAP-MSCHAPv2, EAP-MD5, EAP-GTC and
Continue reading “Cisco FlexVPN Overview”