Ltrsec 3004

LTRSEC-3004
Advanced IOS FlexVPN Lab

Mateusz Grzesiak – Customer Support Engineer, Cisco Services
Piotr Kupisiewicz – Customer Support Engineer, Cisco Services
Wen Zhang – Technical Leader, Cisco Services
Cisco Spark
Questions?
Use Cisco Spark to communicate
with the speaker after the session
How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#LTRSEC-3004
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Lab Objectives and Prerequisites
• Session Objectives
• To understand IKEv2
• To showcase FlexVPN, Cisco’s unified VPN solution
• To provide a hands-on experience for configuring a number of common FlexVPN
deployment scenarios
• Prerequisites
• General knowledge of IP routing
• Knowledge of IPSec based VPN Technologies
• Basic Understanding of IKEv2, IPv6, Multicast is a plus
LTRSEC-3004 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Related Sessions
• BRKSEC-2338 – ASA and IOS Crypto VPNs – Comparison and Operational

Choices
• Piotr Kupisiewicz – Cisco Services Customer Support Engineer
• BRKSEC-3005 – Cryptographic Protocols and Algorithms

• Frederic Detienne – Cisco Services Distinguished Engineer
Cisco Press Book ‘IKEv2 IPsec VPNs’ by Amjad Inamdar & Graham Bartlett
Customer Reviews Cisco Press rebate

One of the best technical books I've read
code:
This book is the IKEv2 VPN equivalent of Jeff Doyle's Routing TCP/IP Vol 1 & 2 - a must read
for any network security engineer wanting to design and build secure VPN's. One of the best
technical books I've read.
CISCOLIVE2018
Superb book and well worth the money for anyone even thinking about Cisco crypto
This book is the most comprehensive book on IKEv2 for Cisco network engineers that you
will find and is all about real-world scenarios.
Definitive guide on modern IPsec VPN theory and practice

Many times I wish I had a book like this to help distill many complex IETF RFCs into “plain
English” and provide practical and actionable security best practices.
Highly recommended for anyone on the CCIE Security track or anyone

If you need to really understand IKEv2 and FlexVPN, this is the book that will get you there.
Be warned, it's not for the faint of heart ...
The best book on IKEv2 IPsec VPNs

The book is awesome! I appreciate authors' work on presenting deeply technical topics in
extremely easy to understand manner.
Finally, all you need to know about FLEX in one place!

Well written , concise and accurate. An absolute must for anyone designing, supporting or
troubleshooting IKEv2 VPNs. You too can become a FLEX expert!
Most comprehensive VPN reference

This the most comprehensive book on IKEv2 and IPSec I have come across. If anyone is
interested in Cisco VPN solutions, this is the book to look for.
Extremely well written book on Nextgen Crypto VPN technologies

https://www.amazon.com/IKEv2-IPsec-Virtual-Private The authors have immense experience in the domain which is very evident in the way every
Networks/dp/1587144603/ topic is explained brilliantly. A must have book if you are into Security.!
Brilliant
Listed in the CCIE Security reading list It's well worth the money. I feel like I know the subject thoroughly now. I don't usually leave
https://learningnetwork.cisco.com/community/certifications/ reviews but was motivated to in this instance. Good job, highly recommended.
ccie_security/written_exam/study-material
Great Book
Very in depth and detail explanations. It has greatly enhanced my understanding of IKEv2,
IPSec, and Cisco's implementations.
Agenda
• Introduction
• FlexVPN Overview
• IKEv2 and Smart Defaults
• Deployment Hands-on Exercises

• IKEv2 with FlexVPN Site-to-Site
• FlexVPN Hub and Spoke
• FlexVPN Dynamic Mesh
• IPv6 Integration with FlexVPN
• FlexVPN Redundancy Configuration
FlexVPN and IKEv2 Overview
FlexVPN Overview
• What is FlexVPN?
• IKEv2-based unified VPN technology that combines site-to-site, remote-access,
hub-spoke and spoke-to-spoke topologies
• FlexVPN highlights
• Unified CLI
• Based on and compliant to IKEv2 standard
• Unified infrastructure: leverages IOS Point-to-Point tunnel interface
• Unified features: most features available across topologies (AAA, IPv6, Routing…)
• No IWAN Support
• Simplified configuration using smart-defaults
• Interoperable with non-Cisco implementations
• Easy to learn, market and manage
TECSEC-3725 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 9
IKEv2 Protocol Overview
IKE_SA_INIT IKE_SA authentication

(2 messages) parameters negotiated
IKE_AUTH + CREATE_CHILD_SA IKE Authentication and

(2 messages) one CHILD_SA created
CREATE_CHILD_SA
Second CHILD_SA created
(2 messages)
A Protected data B
IKEv2 Configuration Constructs
IKEv2 Proposal (optional)
• Specifies one or more of: crypto ikev2 proposal prop-1
• Encryption algorithm(s) encryption 3des aes-cbc-128
• Integrity algorithm(s) integrity md5 sha1
• DH group(s)
prf md5 sha1
group 5 2
• PRF algorithm
• Does not specify:

• IKE SA lifetime (can potentially be different on each endpoint)
• Authentication method
IKEv2 Policy (optional)
crypto ikev2 policy site-policy
• Specifies one or more proposal(s) match fvrf Internet-vrf
with matching criteria match address local 192.168.1.1
• fVRF (default: global proposal prop-1
• Local address (default: any) proposal prop-2
• Multiple match statements of each type are allowed

• Statements of same type logically OR'ed
• Statements of different types logically AND'ed
• Overlapping policies: use most specific match
IKEv2 Keyring (optional)
crypto ikev2 keyring secretkeys
• Optional for PSK authentication peer cisco
• Local database of pre-shared keys address 10.0.1.1
pre-shared-key local cisco
• Keys can be symmetrical or asymmetrical
pre-shared-key remote ocsic
• Key lookup based on:
• Address
• Hostname (on initiator only)
• Identity (on responder only)
• Peer block:
• One key or key pair per block
• Overlapping peer blocks: use most specific match
IKEv2 Profile
• Mandatory, central IKEv2 CLI construct
crypto ikev2 profile profile1
• Set of non-negotiable parameters: match identity remote address 10.0.1.1
• Local/Remote authentication authentication local pre-shared key <key>
• local IKE identity authentication remote rsa-sig
identity local email user1@cisco.com
• keyring, trustpoint(s)
keyring secretkeys
pki trustpoint tp-remote verify
• Selected by matching:
• Peer identity/certificate, fVRF, local address
• Overlapping policies: considered a misconfig
• Matching rules:
• Statements of same type logically OR'ed
• Statements of different types logically AND'ed
Introducing Smart Defaults
Intelligent, reconfigurable defaults
crypto ipsec transform-set default crypto ikev2 profile default
esp-aes
esp-aes 128
128 esp-sha-hmac
esp-sha-hmac match identity remote address 10.0.1.1
authentication local rsa-sig
crypto ipsec profile default authentication remote rsa-sig
set transform-set default aaa authorization user cert list default default
set ikev2-profile
crypto ikev2-profile
defaultdefault pki trustpoint root
!
crypto ikev2 proposal default interface Tunnel0
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128 ip address 192.168.0.1 255.255.255.252
integrity sha512 sha384 sha256 sha1 md5 tunnel protection ipsec profile default
group 5 2
What you need to specify
crypto ikev2 policy default
match fvrf any
proposal default
crypto ikev2 authorization policy default

route set interface
route accept any
These constructs are the Smart Defaults
Reconfigurable Defaults
All defaults can be modified, deactivated, or restored
crypto ikev2 proposal default

• Modifying defaults: encryption aes-cbc-128
integrity md5
crypto ipsec transform-set default esp-aes 256 esp-sha-hmac
• Restoring defaults: default crypto ikev2 proposal
default crypto ipsec transform-set
• Disabling defaults: no crypto ikev2 proposal default
no crypto ipsec transform-set default
CiscoLive 2018 LTRSEC-3004
FlexVPN Lab Topology FreeRadius Server
.100
172.16.0.0/24
.2 .3
IPv4 WAN Connection
Hub-1 Hub-2
IPv6 WAN Connection .2 .3
LAN Connection 200.1.1.0/24

Broadband Backup
2001:DB8:AABB:4::1/64
IPsec Tunnel
Internet Spoke-4
.1
2001:DB8:B:4::/64
209.1.1.2/24 .2
209.1.3.2/24
DHCP
Spoke-1 Spk-4-Host
Spoke-3
.1 209.1.2.2/24
.1
172.16.1.0/24 Spoke-2 172.16.3.0/24
.1
172.16.2.0/24 .2
.2
.2 Spk-3-Host
Spk-1-Host
Spk-2-Host
FlexVPN Hub and Spoke
FlexVPN Hub-and-Spoke Example
The example uses VTI, certificate authentication, dynamic routing & Smart Defaults
Initiator (Spoke site)

hostname branch interface Tunnel0
ip domain name cisco.com ip address 172.16.0.101 255.255.255.0
! tunnel source Ethernet0/0
crypto ikev2 profile branch-to-central tunnel mode ipsec ipv4
tunnel destination 10.0.0.100
match ident remote fqdn central.cisco.com
tunnel protection ipsec profile svti
identity local fqdn branch.cisco.com
!
authentication local rsa-sig router rip
authentication remote rsa-sig version 2
pki trustpoint CA passive-interface Ethernet1/0
! network 172.16.0.0
crypto ipsec profile svti network 192.168.101.0
set ikev2-profile branch-to-central
!
interface Ethernet0/0
ip address 10.0.0.101 255.255.255.0
! Hub
interface Ethernet1/0 Spoke
(responder)
ip address 192.168.101.1 255.255.255.0 (initiator)
FlexVPN Hub-and-Spoke Example
Responder (Central site)
hostname central interface Virtual-Template1 type tunnel
ip domain name cisco.com ip unnumbered Loopback0
! tunnel source Ethernet0/0
crypto ikev2 profile central-to-branch tunnel mode ipsec ipv4
match ident remote fqdn domain cisco.com tunnel protection ipsec profile default
identity local fqdn central.cisco.com !
authentication local rsa-sig router rip
authentication remote rsa-sig version 2
pki trustpoint CA passive-interface Ethernet1/0
virtual-template 1 network 172.16.0.0
! network 192.168.100.0
interface Loopback0
ip address 172.16.0.100 255.255.255.0
!
interface Ethernet0/0
ip address 10.0.0.100 255.255.255.0
!
interface Ethernet1/0 Spoke Hub
ip address 192.168.100.1 255.255.255.0
(initiator) (responder)
FlexVPN Spoke to Spoke (Shortcut Switching)
• FlexVPN Spoke-Spoke
• Allows direct tunnel between FlexVPN spokes
• Uses sVTI/dVTI, NHRP and optional routing protocol
• No NHRP registrations from spokes to hub
• Routing Protocol or ikev2 routing

• Routing protocol or ikev2 routing run over FlexVPN hub-spoke tunnels
• Allows spokes to learn networks behind other spokes
• NHRP
• Resolves spoke overlay addresses to transport addresses
• IPSec Virtual-Access Interface (VAI)
• IPSec VAI created on either side, per spoke tunnel
FlexVPN Spoke to Spoke
FlexVPN Hub Configuration FlexVPN Spoke Configuration
interface virtual-template1 type tunnel interface Tunnel 1

ip unnumbered loopback0 ip address address
ip nhrp network-id number ip nhrp network-id number
ip nhrp redirect [timeout-seconds] ip nhrp shortcut [virtual-template-number]
!
interface virtual-template1 type tunnel
ip unnumbered loopback0
ip nhrp network-id number
ip nhrp shortcut [virtual-template-number]
FlexVPN Spoke to Spoke (1)
Routing table Hub
C 10.0.0.254/32  Loopback0 192.168.100.0/24
C 192.168.100.0/24  Eth0
S 10.0.0.1  V-Access1
B 192.168.0.0/29  V-Access1 Physical: 172.16.0.1
S 10.0.0.2  V-Access2 Tunnel: 10.0.0.254
B 192.168.0.8/29  V-Access2
Physical: 172.16.1.1
Tunnel: 10.0.0.1 Physical: 172.16.2.1
Tunnel: 10.0.0.2
NHRP table NHRP table
- -
Spoke 2
Spoke 1
Routing table 192.168.0.8/29
192.168.0.0/29 Routing table
C 192.168.0.0/29  Eth0
C 192.168.0.8/29  Eth0
S 0.0.0.0/0  Dialer0
S 0.0.0.0/0  Dialer0
S 10.0.0.254/32  Tunnel0
S 10.0.0.254/32  Tunnel0
B 192.168.0.0/16  Tunnel0
B 192.168.0.0/16  Tunnel0
Routing table Hub
C 10.0.0.254/32  Loopback0 192.168.100.0/24
C 192.168.100.0/24  Eth0
S 10.0.0.1  V-Access1
B 192.168.0.0/29  V-Access1
S 10.0.0.2  V-Access2 Physical: 172.16.0.1
B 192.168.0.8/29  V-Access2 Tunnel: 10.0.0.254
Tunnel: 10.0.0.1 Physical: 172.16.2.1
Resolution Reply Tunnel: 10.0.0.2
NHRP table
10.0.0.2/32  172.16.2.1 NHRP table
192.168.0.8/2910.0.0.2172.16.2.1 10.0.0.1  172.16.1.1
192.168.0.8/29  172.16.2.1
Spoke 1 Spoke 2
Routing table
192.168.0.0/29 192.168.0.8/29 Routing table
C 192.168.0.0/29  Eth0
S 0.0.0.0/0  Dialer0 C 192.168.0.8/29  Eth0
S 10.0.0.254/32  Tunnel0 S 0.0.0.0/0  Dialer0
B 192.168.0.0/16  Tunnel0 S 10.0.0.254/32  Tunnel0
H 10.0.0.2/32  V-Access1 B 192.168.0.0/16  Tunnel0
H 192.168.0.8/29  V-Access1 H 10.0.0.1/32  V-Access1
Routing table Hub
C 10.0.0.254/32  Loopback0 192.168.100.0/24
C 192.168.100.0/24  Eth0
S 10.0.0.1  V-Access1
B 192.168.0.0/29  V-Access1 Physical: 172.16.0.1
S 10.0.0.2  V-Access2 Tunnel: 10.0.0.254
B 192.168.0.8/29  V-Access2
Tunnel: 10.0.0.1 Physical: 172.16.2.1
Tunnel: 10.0.0.2
NHRP table
10.0.0.2/32  172.16.2.1 NHRP table
192.168.0.8/29  172.16.2.1 10.0.0.1  172.16.1.1
Spoke 1 Spoke 2
Routing table 192.168.0.0/29 192.168.0.8/29
C 192.168.0.0/29  Eth0 Routing table
S 0.0.0.0/0  Dialer0 C 192.168.0.8/29  Eth0
S 10.0.0.254/32  Tunnel0 S 0.0.0.0/0  Dialer0
B 192.168.0.0/16  Tunnel0 S 10.0.0.254/32  Tunnel0
H 10.0.0.2/32  V-Access1 B 192.168.0.0/16  Tunnel0
H 192.168.0.8/29  V-Access1 H 10.0.0.1/32  V-Access1
EIGRP Routing Considerations
interface Virtual-Template1 type tunnel
ip summary-address eigrp 100 172.16.0.0 255.255.0.0
WAN Connection
172.16.0.0/24
LAN Connection
.2 .3
Summary
Broadband Backup routes to
Hub-1 Hub-2
spokes
IPSEC Tunnel . .3
172.16.0.0/16 2
200.1.1.0/24
Spoke configured
as EIGRP Stub
router eigrp 100

Internet
eigrp stub connected
....
Prefer one tunnel for

209.1.1.2/24 symmetric traffic using
delay, offset-list or
Spoke-1 bandwidth command
EIGRP Default set as passive
interface to avoid unnecessary .1 209.1.2.2/24
adjacencies
172.16.1.0/24 Spoke-2
router eigrp 100
passive-interface default 172.16.2.0/24 .1
no passive-interface Tunnel1
no passive-interface Tunnel2
IKEv2 with Configuration Payload
IKE_SA_INIT IKE_SA Authentication
(2 messages) parameters negotiated
IKE_AUTH + CREATE_CHILD_SA + IKE Authentication,

CFG_REQUEST/CFG_REPLY Configuration exchange
(2 messages) + one CHILD_SA created
CREATE_CHILD_SA Second CHILD_SA created

(2 messages)
A Protected data B
FlexVPN Site to Site: IKEv2 Routing
Routes sent to peer are determined by:
Inbound route filter (by tag or AD) is Route Accept?  interface (‘route set interface’)
possible using ‘route accept’
 access-list (‘route set access-list’)
Default is ‘accept any’! CFG_REQUEST
 direct statement (‘route set remote’)
CFG_REPLY
C 192.168.1.0/24  Eth0 C 192.168.100.0/24  Eth0
Routing Table
Routing Table
C 10.0.0.2  Tunnel0 C 10.0.0.254/32 -> Loopback0
S 0.0.0.0/0  Dialer0 S 0.0.0.0/0  Dialer0
S 10.0.0.254/32  Tunnel0 S 192.168.0.0/16  Null0
S 192.168.0.0/16  Tunnel0 S 10.0.0.2/32  Tunnel0
Initiator Responder S 192.168.1.0/24  Tunnel0
CFG_SET
For maximal security, remote routes

CFG_ACK
Initiator sends its own routes to the can be denied and route addition can
responder be controlled locally using
Route Accept? ‘route set local’
• Route exchange during IKE negotiation is driven from the IKEv2 authorization policy
• This authorization profile is either locally defined or centralized (AAA server)!
• Administrative distance can be modified via route accept any distance <x>
.100
172.16.0.0/24
.2 .3
IPv4 WAN Connection
Hub-1 Hub-2

Broadband Backup
2001:DB8:AABB:4::1/64
IPsec Tunnel
Internet Spoke-4
.1
2001:DB8:B:4::/64
209.1.1.2/24 .2
209.1.3.2/24
DHCP
Spoke-1 Spk-4-Host
Spoke-3
.1 209.1.2.2/24
.1
172.16.1.0/24 Spoke-2 172.16.3.0/24
.1
172.16.2.0/24 .2
.2
.2 Spk-3-Host
Spk-1-Host
Spk-2-Host
FlexVPN IPv6 Deployment and High
Availability
FlexVPN and IPv6 Deployment Options
IPv6 IPSec VTI Tunnel
IPv6 Private IPv6 Private
Mixed-mode
supported
No dual-stack

IPv4 (or IPv6) IPSecTunnel
Requires GRE to
transport IPv4
and IPv6 traffic
Auto Tunnel Mode
• Reduces deployment complexity due to different encapsulations
• Automatic detection of:
• Tunneling protocol – IPSec or GRE interface tunnel 1
tunnel mode gre ip
• Transport protocol – IPv4 or IPv6
IPv6 interface tunnel 1

tunnel mode ipsec ipv4
FlexVPN Hub
IPv4
crypto ikev2 profile ALL-SPOKES interface tunnel 1
tunnel mode gre ipv6
virtual-template 1 mode auto
!
interface virtual-template 1 type tunnel interface tunnel 1
tunnel mode ipsec ipv6
tunnel mode gre ip
FlexVPN Redundancy Configurations
• FlexVPN offers a variety of redundancy options for high availability
Backup Gateway IKEv2 Load Balancer Tunnel Pivot
Hub Hub
Hub
HSRP VIP
Hub Hub
ISP1 ISP2
Spoke
Spoke Spoke
FlexVPN Lab Topology
.100
172.16.0.0/24
.2 .3
IPv4 WAN Connection
Hub-1 Hub-2

Broadband Backup
2001:DB8:AABB:4::1/64
IPsec Tunnel
Internet Spoke-4
.1
2001:DB8:B:4::/64
209.1.1.2/24 .2
209.1.3.2/24
DHCP
Spoke-1 Spk-4-Host
Spoke-3
.1 209.1.2.2/24
.1
172.16.1.0/24 Spoke-2 172.16.3.0/24
.1
172.16.2.0/24 .2
.2
.2 Spk-3-Host
Spk-1-Host
Spk-2-Host
Cisco Spark
Questions?
Use Cisco Spark to communicate
with the speaker after the session
How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#LTRSEC-3004
• Please complete your Online Complete Your Online
Session Evaluations after each
session
Session Evaluation
• Complete 4 Session Evaluations
& the Overall Conference
Evaluation (available from
Thursday) to receive your Cisco
Live T-shirt
• All surveys can be completed via
the Cisco Live Mobile App or the
Communication Stations
Don’t forget: Cisco Live sessions will be available
for viewing on-demand after the event at
www.ciscolive.com/global/on-demand-library/.
Continue Your Education
• Demos in the Cisco Campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings
Thank you

Ltrsec 3004

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Ltrsec 3004

Загружено:

Авторское право:

Доступные форматы

LTRSEC-3004

Advanced IOS FlexVPN Lab

• BRKSEC-2338 – ASA and IOS Crypto VPNs – Comparison and Operational

• BRKSEC-3005 – Cryptographic Protocols and Algorithms

Customer Reviews Cisco Press rebate

Definitive guide on modern IPsec VPN theory and practice

Highly recommended for anyone on the CCIE Security track or anyone

The best book on IKEv2 IPsec VPNs

Finally, all you need to know about FLEX in one place!

Most comprehensive VPN reference

Extremely well written book on Nextgen Crypto VPN technologies

• Deployment Hands-on Exercises

IKE_SA_INIT IKE_SA authentication

IKE_AUTH + CREATE_CHILD_SA IKE Authentication and

• Does not specify:

• Multiple match statements of each type are allowed

crypto ikev2 authorization policy default

crypto ikev2 proposal default

crypto ipsec transform-set default esp-aes 256 esp-sha-hmac

• Restoring defaults: default crypto ikev2 proposal

default crypto ipsec transform-set

• Disabling defaults: no crypto ikev2 proposal default

no crypto ipsec transform-set default

LAN Connection 200.1.1.0/24

Initiator (Spoke site)

• Routing Protocol or ikev2 routing

FlexVPN Hub Configuration FlexVPN Spoke Configuration

interface virtual-template1 type tunnel interface Tunnel 1

router eigrp 100

Prefer one tunnel for

IKE_AUTH + CREATE_CHILD_SA + IKE Authentication,

CREATE_CHILD_SA Second CHILD_SA created

For maximal security, remote routes

LAN Connection 200.1.1.0/24

IPv4 Private IPv4 Private

• Transport protocol – IPv4 or IPv6

IPv6 interface tunnel 1

Backup Gateway IKEv2 Load Balancer Tunnel Pivot

LAN Connection 200.1.1.0/24

Вам также может понравиться