Upload
nguyenminh
View
235
Download
0
Embed Size (px)
Citation preview
Nisha Kuruvilla – Network Consulting Engineer, Advanced Services
Hector Mendoza – Solutions Integration Architect, Advanced Services
Session BRKSEC-1050
An Overview of Site-to-Site Cisco VPN Technologies
• VPN Technology Positioning
• SVTI, DVTI, DMVPN, GETVPN, and FlexVPN
• Technology Overview
• Why select said technology given network requirements
• Configuration
• Advantages/Disadvantages
• Additional Points to Consider
• Summary
Agenda
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
VPN Technology Positioning
Public Cloud
Private Cloud
Connected Vehicle
(IoT use-case)
ATM (Remote Access
use-case)
Desktop and Mobile clients
(Remote Access use-case)Branch B (Site-to Site use-case)
Branch A (Site-to Site use-case)
DC/Headquarters
Spoke A
Spoke B
ASR 1000CSR 1000V
ISR
ISR
RA Software ClientsRA client
RA Hardware Client
Internet MPLS
Secure
Access
MPLS
Group
Member
Group
Member
Hub /
Group Member
Key Server
DMVPN Hub-Spoke
DMVPN Spoke-Spoke
GETVPN Control Plane
GETVPN Data Plane
FlexVPN
SSLVPN / FlexVPN BRKSEC-1050 4
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Virtual Tunnel Interface
• IPsec in tunnel mode between VPN peers
• Simplifies VPN configuration by eliminating crypto maps, access control lists (ACLs), and Generic Router Encapsulation (GRE)
• Uses IOS tunnels, virtual interfaces and crypto socket infrastructure
• There are 2 types of VTI – static VTI and dynamic VTI (Enhanced Easy VPN)
• Simplifies VPN design:
• 1:1 relationship between tunnels and sites with a dedicated logical interface using SVTI
• Virtual template spawns virtual access interfaces for remote access connections using DVTI
• More scalable alternative to GRE
• VTI can support Quality of Service (QoS), multicast, and other routing functions that previously required GRE
• Limited VPN interoperability support with non-Cisco platforms
BRKSEC-1050 6
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Static VTI
Statically configured tunnel via ‘tunnel mode ipsec ipv4/ipv6’ and tunnel protection
Always up – IPsec tunnel initiated via configuration and not by traffic
Interface state tied to underlying crypto socket state (IPsec SA)
Can initiate and accept only one IPsec SA per VTI, using ‘any any’ proxylocal ident (add/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (add/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
Routing determines traffic to be protected – any packet forwarded to tunnel interface is protected
IPsec SA re-keyed even in the absence of any traffic
BRKSEC-1050 7
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Partner’s Configurationcrypto map VPN 10 ipsec-isakmpset peer 1.1.1.2set transform-set TSET match address 100
access-list 100 permit gre host 1.1.1.1 host 1.1.1.2
interface Tunnel0ip address 10.1.1.1 255.255.255.0tunnel source 1.1.1.1tunnel destination 1.1.1.2
interface Ethernet0/0ip address 1.1.1.1 255.255.255.0crypto map VPN
Solution #1crypto ipsec profile TPset transform-set TSET
interface Tunnel0ip address 10.1.1.2 255.255.255.0tunnel source 1.1.1.2tunnel destination 1.1.1.1tunnel protection ipsec profile TP
Solution #2crypto ipsec profile TPset transform-set TSET
interface Tunnel0ip address 10.1.1.2 255.255.255.0tunnel source 1.1.1.2tunnel mode ipsec ipv4tunnel destination 1.1.1.1tunnel protection ipsec profile TP
Possibilities
A. Solution #1B. Solution #2C. Solutions #1 & #2D. None of the Above
What makes a SVTI a SVTI?
8
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
SVTI Configuration
crypto isakmp policy 1authentication pre-shareencr aes
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
crypto ipsec profile TPset transform-set TSET
interface Tunnel0
ip address 192.168.100.1 255.255.255.0tunnel source FastEthernet0/0tunnel destination 1.1.1.2tunnel mode ipsec ipv4tunnel protection ipsec profile TP
ip route 192.168.2.0 255.255.255.0 Tunnel0
IPSec Static Virtual Tunnel Interfaces
.1
..
.1
192.168.100.0/30192.168.2.0/24
192.168.1.0/24
crypto isakmp policy 1authentication pre-shareencr aes
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
crypto ipsec profile TPset transform-set TSET
interface Tunnel0
ip address 192.168.100.2 255.255.255.0tunnel source FastEthernet0/0tunnel destination 1.1.1.1tunnel mode ipsec ipv4tunnel protection ipsec profile TP
ip route 192.168.1.0 255.255.255.0 Tunnel0
BRKSEC-1050 9
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
When do you use it
Used with site-to-site VPNs – to provide always-on traffic protection
Need for routing protocols and/or multicast traffic to be protected by IPsec tunnel
Eliminates the need of GRE
Need for QoS, firewall, or other security services on a per tunnel basis
Target Deployment: 2 - 50 sites with point to point connectivity and Cisco and Non-Cisco interoperability
BRKSEC-1050 10
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
SVTIAdvantages
• Support for IGP dynamic routing protocol over the VPN (EIGRP, OSPF, etc.)
• Support for multicast
• Application of features such as NAT, ACLs, and QoS and apply them to clear-text or encrypted text
• Simpler configuration
• IPsec sessions not tied to any interface
Disadvantages
• No support for non-IP protocols
• Limited support for multi-vendor
• IPsec stateful failover not available
• Similar scaling properties of IPsec and GRE over IPsec
• Only tunnel mode
BRKSEC-1050 11
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Dynamic VTI
Replaces dynamic crypto maps
Requires minimal configuration
Created on an incoming IPsec tunnel request
Dynamically instantiated IPsec virtual-access interface (not configurable) cloned from a pre-defined virtual-template
Interface state tied to underlying crypto socket state (IPSec SA)
Can support multiple IPSec SAs per DVTI
Routes to client subnets are added using Reverse Route Injection (RRI)
Avoids the need for a routing protocol and hence scales better
BRKSEC-1050 12
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Dynamic VTI
Mainly used as Enhanced Easy VPN server for terminating• Enhanced Easy VPN Remote
• Legacy Easy VPN Remote
Easy VPN Remote supports 3 modes of operation• client mode
• network extension mode
• network extension plus mode
A single DVTI can terminate tunnels using static VTIs or crypto map
Can only terminate and cannot initiate an IPSec tunnel (except in the case of Enhanced Easy VPN Remote)
BRKSEC-1050 13
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
SVTI To DVTI
Crypto Head End
Branch
interface Tunnel0
ip unnumbered Loopback1
tunnel source FastEthernet0
tunnel destination 192.168.2.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI
192.168.2.1
crypto isakmp profile
interface Virtual-Template n
interface Virtual-Access nData Plane
Control Plane
Virtual-Access interface is spawned from the Virtual-Template
tunnel protect ipsec profile …
BRKSEC-1050 14
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
When do you use it
• Scalable connectivity for remote-access VPNs
• Need for QoS, firewall, or other security services on a per tunnel basis
• Single touch configuration needed on hub
• No need for routing protocols as it uses reverse route injection
• Target Deployment: 50 – 10,000 sites with a hub-spoke layout and Cisco and Non-Cisco interoperability
BRKSEC-1050 15
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
DVTI (SVTI to DVTI)Spoke (SVTI)
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0
crypto ipsec transform-set TSET esp-aes esp-sha-
hmac
crypto ipsec profile TP
set transform-set TSET
interface Tunnel0
ip unnumbered Loopback0
tunnel source 1.1.1.2
tunnel destination 1.1.1.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile TP
Hub (DVTI)
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0
crypto isakmp profile VPN
keyring default
match identity address 0.0.0.0
virtual-template 1
crypto ipsec transform-set TSET esp-aes esp-sha-
hmac
crypto ipsec profile TP
set transform-set TSET
set isakmp-profile VPN
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile TP
BRKSEC-1050 16
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Enhanced EasyVPN Client To Server (using DVTI)Enhanced Easy VPN remote:
crypto ipsec client ezvpn EZ
connect manual
group cisco key cisco
local-address Ethernet0/0
mode network-plus
peer 1.1.1.1
virtual-interface 1
xauth userid mode interactive
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
interface Ethernet0/0
ip address 1.1.1.3 255.255.255.0
crypto ipsec client ezvpn EZ
!
interface Ethernet0/1
ip address 192.168.3.1 255.255.255.0
crypto ipsec client ezvpn EZ inside
Enhanced Easy VPN server:
crypto isakmp client configuration group cisco
key cisco
dns 192.168.1.10
pool VPNPOOL
acl 101
crypto isakmp profile VPN
match identity group cisco
isakmp authorization list default
client configuration address respond
virtual-template 1
crypto ipsec transform-set TSET esp-3des esp-
sha-hmac
crypto ipsec profile TP
set transform-set TSET
set isakmp-profile VPN
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile TP
BRKSEC-1050 17
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
DVTI (SVTI to DVTI)
18BRKSEC-1050
172.16.0.0/24.1
1.1.1.1
.254
17
2.1
6.2
.0/2
4Spoke
Hub
Spoke (SVTI)
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
crypto ipsec profile TP
set transform-set TSET
interface Tunnel0
ip unnumbered Loopback0
tunnel source 1.1.1.2
tunnel destination 1.1.1.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile TP
Hub (DVTI)
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0
crypto isakmp profile VPN
keyring default
match identity address 0.0.0.0
virtual-template 1
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
crypto ipsec profile TP
set transform-set TSET
set isakmp-profile VPN
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile TP
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Enhanced EasyVPN Client To Server (using DVTI)
19BRKSEC-1050
192.168.1.0/24.1
1.1.1.1
.254
19
2.1
68.3
.0/2
4Spoke
Hub
Enhanced Easy VPN remote:
crypto ipsec client ezvpn EZ
connect manual
group cisco key cisco
local-address Ethernet0/0
mode network-plus
peer 1.1.1.1
virtual-interface 1
xauth userid mode interactive
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
interface Ethernet0/0
ip address 1.1.1.3 255.255.255.0
crypto ipsec client ezvpn EZ
!
interface Ethernet0/1
ip address 192.168.3.1 255.255.255.0
crypto ipsec client ezvpn EZ inside
Enhanced Easy VPN server:
crypto isakmp client configuration group cisco
key cisco
dns 192.168.1.10
pool VPNPOOL
acl 101
crypto isakmp profile VPN
match identity group cisco
isakmp authorization list default
client configuration address respond
virtual-template 1
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
crypto ipsec profile TP
set transform-set TSET
set isakmp-profile VPN
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile TP
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
DVTI
Advantages
• Simple configuration of headend once and done
• Scalable
• Support for IGP dynamic routing protocol over the VPN
• Support for IP multicast
• Support for per-branch QoS and traffic shaping
• Centralized Policy Push (Easy VPN)
• Support for x-auth (Easy VPN)
• Cross platform support
• IPsec sessions not tied to any interface
Disadvantages
• Requires ip unnumbered
• No support for non-IP protocols
• No direct spoke to spoke communication
• No IPsec stateful failover
BRKSEC-1050 20
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
What is Dynamic Multipoint VPN?
22BRKSEC-1050
DMVPN is a Cisco IOS software solution
for building IPsec+GRE VPNs in an
easy, dynamic and scalable manner
• Configuration reduction and no-touch deployment
• Dynamic spoke-spoke tunnels for partial/full mesh scaling
• Can be used without IPsec Encryption (optional)
• Wide variety of network designs and options
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
SECURE ON-DEMAND TUNNELS
Dynamic Multipoint VPN (DMVPN)
• Branch spoke sites establish an IPsec tunnel to and register with the hub site
• IP routing exchanges prefix information for each site
• BGP or EIGRP are typically used for scalability
• With WAN interface IP address as the tunnel address,
provider network does not need to route customer internal
IP prefixes
• Data traffic flows over the DMVPN tunnels
• When traffic flows between spoke sites, the hub assists the spokes to establish a site-to-site tunnel
• Per-tunnel QOS is applied to prevent hub site oversubscription to spoke sites
23BRKSEC-1050
Branch 2
Traditional Static Tunnels
DMVPN On-Demand Tunnels
Static Known IP Addresses
Dynamic Unknown IP Addresses
Branch 1
Hub
IPsecVPN
Branch n
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
DMVPN Components
• Next Hop Resolution Protocol (NHRP)
• Creates a distributed (NHRP) mapping database of all the spoke’s tunnel to real (public interface) addresses
• Multipoint GRE Tunnel Interface (mGRE)
• Single GRE interface to support multiple GRE/IPsec tunnels
• Simplifies size and complexity of configuration
• IPsec tunnel protection
• Dynamically creates and applies encryption policies (optional)
• Routing
• Dynamic advertisement of branch networks; almost all routing protocols (EIGRP, RIP, OSPF, BGP, ODR) are supported
24BRKSEC-1050
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
What Triggers:
• IPsec integrated with DMVPN, but not required
• Packets Encapsulated in GRE, then Encrypted with IPsec• Both IKEv1 (ISAKMP) and IKEv2 supported
•
•
NHRP controls the tunnels, IPsec does encryption
Bringing up a tunnel
• NHRP signals IPsec to setup encryption
•
• ISAKMP/IKEv2 authenticates peer, generates SAs
• IPsec responds to NHRP and the tunnel is activated
• All NHRP and data traffic is Encrypted
Bringing down a tunnel
• NHRP signals IPsec to tear down tunnel
•
• IPsec can signal NHRP if encryption is cleared or lost
ISAKMP/IKEv2 Keepalives monitor state of spoke-spoke and spoke-hub tunnels
BRKSEC-1050 25
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
DMVPN How it works
• Spokes build a dynamic permanent GRE/IPsec tunnel to the hub, but not to other spokes. They register as clients of the NHRP server (hub)
• When a spoke needs to send a packet to a destination (private) subnet behind another spoke, it queries via NHRP for the real (outside) address of the destination spoke
• Now the originating spoke can initiate a dynamic GRE/IPsec tunnel to the target spoke (because it knows the peer address)
• The dynamic spoke-to-spoke tunnel is built over the mGRE interface
• When traffic ceases then the spoke-to-spoke tunnel is removed
BRKSEC-1050 26
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
“Static” Spoke-Hub, Hub-Hub Tunnels
• GRE, NHRP and IPsec configuration• p-pGRE or mGRE on spokes; mGRE on hubs
• NHRP registration• Dynamically addressed spokes (DHCP, NAT,…)
• Data traffic on spoke-hub tunnels• All traffic for hub-and-spoke only networks
• Spoke-spoke traffic while building spoke-spoke tunnels
BRKSEC-1050 27
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Dynamic Spoke-Spoke Tunnels
• GRE, NHRP and IPsec configuration• mGRE on both hub and spokes
• Spoke-spoke unicast data traffic• Reduced load on hubs
• Reduced latency
• Single IPsec encrypt/decrypt
• On demand tunnel - created when needed
• NHRP resolutions and redirects• Find NHRP mappings for spoke-spoke tunnels
BRKSEC-1050 28
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Terminology
Hub 1
Spoke 1
Hub 2
Spoke 2
192.168.101.0/24 192.168.102.0/24
192.168.1.0/24 192.168.2.0/24
Tunnel: 10.0.0.101
Physical: 172.16.101.1
Tunnel: 10.0.0.102
Physical: 172.16.102.1
Tunnel: 10.0.0.1
Physical: 172.16.1.1
Tunnel: 10.0.0.2
Physical: 172.16.2.1
Overlay Addresses
Transport Network Overlay Network
NBMA Address
GRE/IPsec
Tunnels
Core Network
192.168.128.0/17
Tunnel Address
BRKSEC-1050 29
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
DMVPN Tunnel Establishment Steps
1. Spokes build a dynamic permanent GRE/IPsec tunnel to the hub (NHRP server) and are registered as NHRP clients
2. Active-Active redundancy model—two or more hubs per spoke
3. All hubs are active and routing neighbors with spokes
4. Routing protocol routes are used to determine traffic forwarding
5. When a spoke needs to send a packet to a destination (private) subnet behind another spoke, it queries via NHRP for the real (outside) address of the destination spoke
6. Originating spoke can initiate a dynamic GRE/IPsec tunnel to the target spoke (because it knows the peer outside address)
7. The dynamic spoke-to-spoke tunnel is built over the mGRE interface
8. When traffic ceases then the spoke-to-spoke tunnel is removed
DUAL DMVPN DESIGN
Single mGRE tunnel on Hub, two mGRE tunnels on Spokes
192.168.0.0/24
Physical: 172.17.0.5
Tunnel1: 10.0.1.1
Physical: 172.17.0.1
Tunnel0: 10.0.0.1
Physical: (dynamic)
Tunnel0: 10.0.0.12
Tunnel1: 10.0.1.12
192.168.2.0/24
.1
Physical: (dynamic)
Tunnel0: 10.0.0.11
Tunnel1: 10.0.1.11
.1
192.168.1.0 /24
.1
192.168.X.0 /24
BRKSEC-1050 30
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
DMVPN Phases
Phase 1 – 12.2(13)TPhase 2 – 12.3(4)T
(Phase 1 +)
Phase 3 – 12.4.(6)T
(Phase 2 +)
• Hub and spoke functionality
• p-pGRE interface on spokes, mGRE on hubs
• Simplified and smaller configuration on hubs
• Support dynamically addressed CPEs (NAT)
• Support for routing protocols and multicast
• Spokes don’t need full routing table – can summarize on hubs
• Spoke to spoke functionality
• mGRE interface on spokes
• Direct spoke to spoke data traffic reduces load on hubs
• Hubs must interconnect in daisy-chain
• Spoke must have full routing table – no summarization
• Spoke-spoke tunnel triggered by spoke itself
• Routing protocol limitations
• More network designs and greater scaling
• Same Spoke to Hub ratio
• No hub daisy-chain
• Spokes don’t need full routing table – can summarize
• Spoke-spoke tunnel triggered by hubs
• Remove routing protocol limitations
• NHRP routes/next-hops in RIB (15.2(1)T)
BRKSEC-1050 31
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
DMVPN – Phase3
Spoke A
192.168.1.1/24
192.168.2.1/24
Physical: 172.17.0.1
Tunnel0: 10.0.0.1
Spoke B
Physical: (dynamic)
Tunnel0: 10.0.0.11
Physical: (dynamic)
Tunnel0: 10.0.0.12
192.168.0.1/24
172.16.1.1
172.16.2.1
Data packet
NHRP Redirect
NHRP Resolution
BRKSEC-1050 32
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Basic DMVPN Designs
• Hub-and-spoke – Order(n)• Spoke-to-spoke traffic via hub
• Phase 1: Hub bandwidth and CPU limit VPN
• SLB: Many “identical” hubs; increases CPU power and bandwidth limits
• Spoke-to-spoke – Order(n) « Order(n2)• Control traffic; Hub and spoke; Hub to hub
• Phase 2: (single)
• Phase 3: (hierarchical)
• Unicast Data traffic; Dynamic mesh• Spoke routers support spoke-hub and spoke-spoke tunnels currently in use.
• Hub supports spoke-hub traffic and overflow from spoke-spoke traffic.
• Network Virtualization
BRKSEC-1050 33
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Basic DMVPN Designs
Single DMVPN Dual Hub
Single mGRE tunnel on all nodes
= Dynamic Spoke-to-spoke
192.168.2.0/24
.1
192.168.1.0/24
.1
192.168.0.0/24.2 .1
Physical: 172.17.0.1
Tunnel0: 10.0.0.1
Physical: (dynamic)
Tunnel0: 10.0.0.11
Physical: (dynamic)
Tunnel0: 10.0.0.12
Physical: 172.17.0.5
Tunnel0: 10.0.0.2
Spoke A
Spoke B
. . .
Dual DMVPN Single Hub
Single mGRE tunnel on Hub,
two p-pGRE tunnels on Spokes
192.168.1.0 /24
192.168.2.0/24
192.168.0.0/24.2 .1
Spoke A
Spoke B
Physical: 172.17.0.1
Tunnel0: 10.0.0.1Physical: 172.17.0.5
Tunnel0: 10.0.1.1
Physical: (dynamic)
Tunnel0: 10.0.0.11
Tunnel1: 10.0.1.11
Physical: (dynamic)
Tunnel0: 10.0.0.12
Tunnel1: 10.0.1.12
.1
.1
BRKSEC-1050 34
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Multiple DMVPNs versus Single DMVPN
• Multiple DMVPNs
• Best for Hub-and-spoke only• Easier to manipulate RP metrics between DMVPNs for Load-sharing
• EIGRP – Route tags, Delay; iBGP – Communities, MED; OSPF – Cost
• Performance Routing (PfR) selects between interfaces
• Load-balancing over multiple ISPs (physical paths)• Load-balance data flows over tunnels Better statistical load-balancing
• Single DMVPN
• Best for spoke-spoke DMVPN
• Can only build spoke-spoke within a DMVPN not between DMVPNs*• Slightly more difficult to manipulate RP metrics within DMVPN for Load-sharing
• EIGRP – Route tags, delay; iBGP – Communities, MED; OSPF – Can’t do
• Load-balancing over multiple ISPs (physical paths)• Load-balance tunnel destinations over physical paths Worse statistical load-balancing
BRKSEC-1050 35
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
DMVPN Combination Designs
Spoke-to-hub tunnels
Spoke-to-spoke tunnels
Retail/Franchise
Spoke-to-hub tunnels
Spoke-to-spoke tunnels
Spoke-hub-hub-spoke
tunnel
Dual ISP
ISP
2
ISP
1
BRKSEC-1050 36
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
DMVPN Combination Designs (cont)
Spoke-to-hub tunnels
Spoke-to-spoke tunnels
Hub-to-hub tunnel
Server Load Balancing
Spoke-to-hub tunnels
Spoke-to-spoke tunnels
Hierarchical
BRKSEC-1050 37
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Quick review: Virtual Routing/Forwarding
• Router maintains separate L3 forwarding information for eachVRF instance (RIB, FIB, routing protocols)
• Two variants: VRF with MPLS, and VRF-Lite
• Each interface belongs to a single VRF
• For “ip unnumbered”, referenced interface must belong to the same VRF
• If no VRF specified, interface belongs to the global VRF
• VRF definition and assignment:
Old CLI: New CLI:
38BRKSEC-1050
ip vrf red
rd 1:1
!
interface Ethernet0/0
ip vrf forwarding red
ip address 10.0.0.1 255.255.255.0
vrf definition red
rd 1:1
address-family ipv4
exit-address-family
!
interface Ethernet0/0
vrf forwarding red
ip address 10.0.0.1 255.255.255.0
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Quick review: forwarding & tunneling with VRF-LiteBlue RIB/FIB Global RIB/FIBRed RIB/FIB
Routing Routing Routing
interface Eth0/0
vrf forwarding blue
!
interface Eth0/1
vrf forwarding blue
interface Eth1/0
vrf forwarding red
!
interface Eth1/1
! no VRF = global
!
interface Tunnel1
vrf forwarding red
tunnel source Eth1/1
Eth0/0 Eth0/1 Eth1/0 Eth1/1
Tunnel1
interface Eth2/0
vrf forwarding red
!
interface Eth2/1
vrf forwarding orange
!
interface Tunnel2
vrf forwarding red
tunnel vrf orange
tunnel source Eth2/1Inside VRF (iVRF)
Front VRF
(fVRF)
Orange RIB/FIBRed RIB/FIB
Routing Routing
Eth2/0 Eth2/1
Tunnel2
iVRF
BRKSEC-1050 39
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
DMVPN virtualization with VRF-Lite
• Tunnel interface can be part of only one iVRF one DMVPN Tunnel per iVRF needed
• Spokes can be single-tenant or multi-tenant(single-tenant not necessarily VRF-aware)
• Spoke-spoke direct communication
• One pair of IPsec SAs per peer per iVRF
Hub
Spokes
BRKSEC-1050 40
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
DMVPN virtualization with VRF-Lite (2)
• Convenient if only a few iVRFs
• Main drawbacks:
• Major configuration overhead if many iVRFs
• One hub-spoke routing protocol neighborship per iVRF
• Tunnel address ranges cannot overlap if hubs use theBGP Dynamic Neighbors feature to peer with spokes
• If separate authentication is needed for each DMVPN:
Different ISAKMP profiles required (different IKE credentials) Different IPsec profiles required Different source interfaces required (same source requires shared profile)
BRKSEC-1050 41
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
DMVPN virtualization with MPLS VPN
• Single Tunnel interface in global VRF
• MPLS VPN labels identify which iVRFthe tunneled traffic belongs to
• BGP must be used as the routing protocolbetween hubs & spokes
• Separate IKE authentication not possible
• Single pair of IPsec SAs per peer
Hub
Spokes
BRKSEC-1050 42
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Tunnel interface in global, not part of any customer VRF
• Hub and spokes act as PE routers, exchange VRF prefixes over MBGP
• mGRE Tunnel creates a back-to-back connection spoke LSR is the penultimate hop only the VPN label is pushed
• LDP still required for a supported design
Tunnel0
10.0.0.1/24
Tunnel0
10.0.0.101/24
VRF blue Spoke1
(PE)Hub1
(PE)
VRF red
MBGP
VRF blue
VRF red
Global VRF
192.168.11.11 192.168.12.12
192.168.11.11 192.168.12.12
Label: 16
GRE (protocol: 0x8847)
IPsec (ESP transport mode)
172.16.1.1 172.16.101.1 192.168.11.11 192.168.12.12
VPNv4 prefix from Hub1:red:192.168.0.0/16 label 16
BRKSEC-1050 43
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
DMVPN Network Virtualization Designs2547oDMVPN
VRF-A tunnels
VRF-B tunnels
VRF-A to VRF-B Path (optional)
VRF-lite
VRF-A tunnels
VRF-B tunnels
VRF-A/B Tunnels
BRKSEC-1050 44
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Where use VRF’s• Either technique (iVRF or fVRF) is used to allow you to have two or more different routing tables to seperate the routing
of GRE+IPSecpackets from the routing of data IP packets. You can use both at the same time. These techniques can be used for various deployment purposes:
•
Allow dynamic spoke-spoke tunnels when doing non-split-tunneling.
• Separate routing of IPsec+GRE packets from data IP packets to protect against forwarding loops through the tunnel interface (tunnel destination learned via the tunnel interface).
• When using two ISPs being able to lock a GRE tunnel to one outside physical interface. Allows load balancing over both ISPs when having to use a different tunnel source address for each ISP.
• Allow DMVPN hub (or spoke) to be behind an MPLS network where, GRE+IPsec packets come in on an MPLS VPN.
• Allow DMVPN hub to feed into an MPLS VPN. Data IP packets need be tagged to go into MPLS on the inside physical interface.
• Allow an ISP to use one DMVPN hub router to support multiple customers and keep the customer's data IP packets and routing tables separate.
BRKSEC-1050 45
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Intelligent WAN Deployment Models
Dual MPLS
Internet
Highest SLA guarantees
– Tightly coupled to SP
ẋ Expensive
Public
MPLS
Branch
MPLS
Hybrid
More BW for key applications
Balanced SLA guarantees
– Moderately priced
PublicEnterprise
Branch
MPLS+
Internet
Dual Internet
Consistent VPN Overlay Enables Security Across Transition
Best price/performance
Most SP flexibility
– Enterprise responsible for SLAs
Internet
Branch
Enterprise Public
BRKSEC-1050 47
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Intelligent WAN Solution
Internet
Branch
3G/4G-LTE
AVC
MPLS
PrivateCloud
VirtualPrivateCloud
PublicCloudWAAS PfR
Application Optimization
• Application visibility with
performance monitoring
• Application acceleration
and bandwidth
optimization
Secure Connectivity
• Certified strong encryption
• Comprehensive threat
defense
• Cloud Web Security for
secure direct Internet access
Intelligent Path Control
• Dynamic Application best
path based on policy
• Load balancing for full
utilization of bandwidth
• Improved network
availability
TransportIndependent
• Consistent operational model
• Simple provider migrations
• Scalable and modular design
• IPsec routing overlay design
BRKSEC-1050 48
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Simplifies WAN DesignDynamic Full-Meshed
ConnectivityProven Robust Security
IWAN with DMVPN (Flexible Secure WAN Design Over Any Transport)
SecureFlexible
• Easy multi-homing over any carrier service offering
• Single routing control plane with minimal peering to the provider
• Consistent design over all transports
• Automatic site-to-site IPsec tunnels
• Zero-touch hub configuration for new spokes
• Certified crypto and firewall for compliance
• Scalable design with high-performance cryptography in hardware
ISR-G2
WAN
Internet
MPLSASR 1000
ASR 1000
Transport-Independent
Data CenterBranch
BRKSEC-1050 49
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Other Features**
• IPv6 and DMVPN:
• IPv6 as overlay and transport is supported
• Dual-stack: IPv6 & IPv4 data packets over the same mGRE tunnel(Phase 3 designs only)
• Per-tunnel QoS (Spoke-Hub, Hub-Spoke and Spoke-Spoke, IPv4 and IPv6), Adaptive QoS
• Multicast (Spoke- Hub)
• TrustSec DMVPN Inline Tagging Support (only with IKEv2)
• Hub and /or Spokes can be behind NAT devices
NAT: BRKSEC-1050 50
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Routing
• Supports all routing protocols, except ISIS• Best routing protocols are EIGRP and BGP• Hubs are routing neighbors with spokes and other hubs
• Spokes are only routing neighbors with hubs, not with other
spokes
BRKSEC-1050 51
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Platform Support
• IOS :3800, 2800, 1800, 870, 7200(G1), 7200(G2, VSA)
3900(E), 2900, 1900, 890, 880
• IOS-XE : ASR1k, CSR1000v, ISR 4k
BRKSEC-1050 52
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Hub Configurationcrypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
mode transport
crypto ipsec profile TP
set transform-set TSET
interface Tunnel
ip address 10.0.0.1 255.255.255.0
no ip redirects
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp network-id 1111
ip nhrp redirect
tunnel key 10
no ip split-horizon eigrp 10
ip summary-address eigrp 10 192.168.0.0 255.255.0.0
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile TP
Phase I and Phase II
NHRP with IPSec
BRKSEC-1050 53
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Spoke Configurationcrypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
mode transport
crypto ipsec profile TP
set transform-set TSET
interface Tunnel
ip address 10.0.0.2 255.255.255.0
no ip redirect
ip nhrp authentication cisco
ip nhrp map 10.0.0.1 172.17.0.1
ip nhrp map multicast 172.17.0.1
ip nhrp network-id 1111
ip nhrp nhs 10.0.0.1
ip nhrp shortcut
tunnel key 10
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile TP
Phase I and Phase II
NHRP with IPSec
BRKSEC-1050 54
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
DMVPNAdvantages
• Dynamic partial or full mesh tunnels
• IP multicast support
• Supports dynamic routing protocols over the hub-and-spoke
• Supported on all Cisco IOS/IOS-XE router platforms
• IWAN Support
• Simplifies and shortens configurations
• Per tunnel QoS possible
• SGT (secure group tagging) with IKEv2
• Cisco Prime Management
Disadvantages
• No support for non-IP protocols
• IGP routing peers tend to limit the design scalability
• No interoperability with non-Cisco platforms or Cisco ASA
• Some added complexity with configuration and troubleshooting of DMVPN
• Multicast replication done on the Hub
BRKSEC-1050 55
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Tunnel-Less VPN - A New Security Model
• Scalability—an issue (N^2 problem)
• Overlay routing
• Any-to-any instant connectivity can’t be done to scale
• Limited QoS
• Inefficient Multicast replication
WAN
Multicast
Before: IPsec Point-to-Point Tunnels After: Tunnel-Less VPN
• Scalable architecture for any-to-any connectivity and encryption
• No overlays—native routing
• Any-to-any instant connectivity
• Enhanced QoS
• Efficient Multicast replication
BRKSEC-1050 57
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Group Encrypted Transport (GET) VPN
Cisco GET VPN delivers a revolutionary solution for tunnel-less, any-to-any branch confidential communications
• Large-scale any-to-any encrypted communications
• Native routing without tunnel overlay
• Native Multicast support -improves application performance
• Transport agnostic - private LAN/WAN, IP, MPLS
Any-to-Any Connectivity
Real TimeScalable
Any-to-AnyConnectivity
Cisco GET
VPN
BRKSEC-1050 58
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Header PreservationIPSec Tunnel Mode vs. GETVPN
IP Packet
IP PayloadIP HeaderIPSecTunnel Mode
ESPNew IP Header
IP PayloadIP Header
IPSec header inserted by VPN Gateway New IP Address requires overlay routing
IP Packet
IP PayloadIP HeaderESPPreserved HeaderGETVPN
IP PayloadIP Header
IP header preserved by VPN Gateway Preserved IP Address uses original routing plane
BRKSEC-1050 59
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
When should it be used?
• Securing an already secure network
• Efficient secure multicast traffic
• Deploying voice or similar collaborative
applications requiring any-to-any encryption
• Encrypting IP packets over satellite links
BRKSEC-1050 60
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Main Components of GETVPN
• GDOI (Group Domain of Interpretation,RFC 6407)
• Cryptographic protocol for group key management
• Key Servers (KS’s)
• IOS devices responsible for creating /maintaining control plane
• Distributing keys to the group members
• Group Members (GM’s)
• IOS devices used for encryption/decryption
• Group Security Associations
• Tunnel-less Network
• No Peer-to-Peer Tunnel required
• IPsec SAs shared by GM’s
• IP Address Preservation
• Original IP Address preservedBRKSEC-1050 61
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
GDOI Reuses IKE on UDP 848
• IPsec Negotiations with GDOI (GETVPN)- Follows the IKE Phase 1
GDOI defines a Re-key exchange for subsequent key updates
– Can use multicast for efficiency
GDOI Rekey
IKE Phase 1
GDOI Registration/Download IPsec SAs
Key
ServerGroup
Member
Key
Server
Group
Member
• Peer to Peer IPsec negotiation:IKE Phase 1
IKE Phase 2/IPsec SAsIPSec Peer
IPSec Peer
BRKSEC-1050 62
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
How does it work?• Group Members (GM’s) “register” via GDOI with the Key Server (KS)
• KS authenticates & authorizes the GM’s
• KS returns a set of IPsec SA’s for the GM’s to use
GM1
GM2
GM3 GM4
GM5
GM6
GM7GM8
GM9 KS
BRKSEC-1050 63
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
How does it work? (cont’d) Data Plane Encryption
• GM’s exchange encrypted traffic using the group keys
• Traffic uses IPSec Tunnel Mode with “address preservation”
GM1
GM2
GM3
GM4
GM5
GM6
GM7GM8
GM9 KS
BRKSEC-1050 64
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
How does it work? (cont’d)• Periodic Rekey of Keys
• KS pushes out replacement IPsec keys before current IPsec keys expire
• Unicast rekey or Multicast rekey
GM1
GM2
GM3 GM4
GM5
GM6
GM7GM8
GM9 KS
BRKSEC-1050 65
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cooperative Key Servers - Redundancy
• A list of trusted key servers
• Manages common set of keys and security policies for GM’s
GM 1
GM 3
Subnet 1
Subnet 4
Subnet 2
Subnet 3
GM 4
GM 2
Cooperative KS3
Cooperative KS1
IP Network
Cooperative KS2
BRKSEC-1050 66
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Group Security Elements
Group
Member
Group
Member
Group
Member
Group
Member
Key Servers
Routing
Members
Key Encryption Key (KEK)
Traffic Encryption Key
(TEK)
Group Policy
RFC3547:
Group Domain of
Interpretation (GDOI)
Proprietary: KS Cooperative
Protocol
BRKSEC-1050 67
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Policy Management – ACL
Permit ACL’s can only be pushed from KS
Deny ACL’s can be configured locally on GM or pushed from KS
Local GM ACL has precedence over downloaded KS ACL
IP
KS
GM
GM
GM
GM
10.0.1.0/24
10.0.2.0/24
10.0.3.0/24
Permit: Any-Any
Deny: Link Local
Deny: Link Local
INET
BRKSEC-1050 68
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Design Application
• If for, Internet based environments, GETVPN can be deployed with DMVPN
• LISP as the overlay
• Native Multicast
BRKSEC-1050 69
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Other Features**
• Supports Dual Stack (IPv4 and IPv6)
• VRF aware (Data and control (GDOI) plane)
• TrustSec Inline Tagging Support
• NAT
• IKEv2 (G-IKEv2)
** Note: Version Dependent
BRKSEC-1050 70
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Platforms Supported
Key Server Group Member
ASR 1k, 7200,ISR-G2 (39xx,
29xx, 19xx), ISR 4k
ASR 1k,7200,39xx, 29xx, 19xx,
87x,88x,89x
Note: The same device cannot be a GM and KS
BRKSEC-1050 71
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto isakmp policy 10
encr aes
authentication pre-share
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
!
crypto ipsec profile GETVPN
set transform-set TSET
!
access-list 150 permit ip any host 225.1.1.1
!
access-list 160 deny eigrp any any
access-list 160 deny pim any any
access-list 160 deny udp any any eq 848
access-list 160 permit ip any any
KS Configuration
Phase I and Phase II
ACL defining encryption domain
BRKSEC-1050 72
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
crypto gdoi group GETVPN
identity number 1234
server local
!rekey address ipv4 150 !
rekey lifetime seconds 14400
rekey retransmit 10 number 2
rekey authentication mypubkey rsa GETVPN
rekey transport unicast
sa ipsec 1
profile GETVPN
match address ipv4 160
address ipv4 1.1.1.1
redundancy
local priority 10
peer address ipv4 1.1.1.2
!
Encryption ACL
GDOI Group ID
Source address for rekeys
Rekey Properties
KS Configuration (Cont.)
BRKSEC-1050 73
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
GM Configuration crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto isakmp policy 10
encr aes
authentication pre-share
!
crypto gdoi group getvpn1
identity number 1234
server address ipv4 1.1.1.1
!
crypto map GETVPN 10 gdoi
set group getvpn1
!
interface FastEthernet0/0
crypto map GETVPN
GDOI Config and Applying
to Interface
Phase I parameters
BRKSEC-1050 74
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
GETVPNAdvantages
• Any-to-Any large scale (Site-to-Site)
• Multicast replication in IP WAN network
• Route Distribution Model + Stateful
• Group Protection
• Address Preservation - hence works well with QoS and traffic engineering
• SGT support
Disadvantages
• Suited for private IP network infrastructure
• Does not support non-IP protocols
• Cisco routers only
BRKSEC-1050 75
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Extend LANs over WAN
• Consume services from a centralized location
• Prevent man-in-the-middle attacks
• Data confidentiality
• Any-to-Any connectivity
Hub-Spoke + Spoke-Spoke Solutions
Choose GETVPN When
• On-demand spoke-spoke tunnels
• IKEv1 or IKEv2
• Distributed Policy Management and Pair-wise keys
• Branch-to-HQ and Branch-to-Branch connectivity
• Transport: Internet or multiple transport types (IP, MPLS) co-exist
• Separation of customer and provider routing domains
• Support for NAT-T
• Any-to-Any and Tunnel-less
• G-IKEv1 or G-IKEv2
• Centralized Policy Management and Group Keys
• Transport type: MPLS or Private WAN
• Native multicast replication
Problem Statement – Customer Needs Choose DMVPN When
BRKSEC-1050 76
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Hub-Spoke + Spoke-Spoke VPN Solutions Components and Services Interaction
Technology Overlay TypeKey
Management
PfRv
3AVC WAAS QoS
DMVPN mGRE Tunnel Pair-wise Yes Yes Yes Adaptive
Per-Tunnel
GETVPN LISP Tunnel-
less
Group Keys N/A Yes Yes Egress-Interface
• PfRv3 works only with DMVPN (single routing domain)
• PfRv3 does not work with GETVPN
• Customers can continue to deploy GETVPN with LISP (WAN) or without LISP (private WAN)
BRKSEC-1050 77
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Flex VPN Overview• IKEv2 based unified VPN that combines site-to-site, remote-access, hub-spoke
and spoke-spoke topologies
• FlexVPN combines multiple frameworks into a single, comprehensive set of CLI and binds it together offering more flexibility and a means to extend functionality in the future
• FlexVPN offers a simple but modular framework that extensively uses the tunnel interface paradigm
• IKEv2 is a major protocol update
• IWAN NOT supported
BRKSEC-1050 79
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
VPN Technology Selection
Failover time
Failure detection method
Hub & Spoke
Spoke – Spoke Direct
Dynamic Routing
Route Injection
Per peer ACL’s
Multi-ISP Homing
Multi-Hub Homing
AAA Manageability
IPv4/IPv6 dual stack
Crypto Map or Tunnels
3rd party and legacy
support
QoS support
Scalability
High Availability
Dual DMVPN
Feature order
Multicast
Solution vs Components
Design complexity
Death by a thousand questions…
BRKSEC-1050 80
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
EasyVPN, DMVPN and Crypto Mapscrypto isakmp client configuration group cisco
key cisco123
pool dvti
acl 100
crypto isakmp profile dvti
match identity group cisco
client authentication list lvpn
isakmp authorization list lvpn
client configuration address respond
virtual-template 1
crypto ipsec transform-set dvti esp-3des esp-sha-hmac
crypto ipsec profile dvti
set transform-set dvti
set isakmp-profile dvti
interface Virtual-Template1 type tunnel
ip unnumbered Ethernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile dvti
ip local pool dvti 192.168.2.1 192.168.2.2
ip route 0.0.0.0 0.0.0.0 10.0.0.2
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
crypto ipsec transform-set vpn-ts-set esp-3des esp-sha-hmac
mode transport
crypto ipsec profile vpnprofile
set transform-set vpn-ts-set
interface Tunnel0
ip address 10.0.0.254 255.255.255.0
ip nhrp map multicast dynamic
ip nhrp network-id 1
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel protection ipsec profile vpnprof
crypto isakmp client configuration group cisco
key pr3sh@r3dk3y
pool vpnpool
acl 110
crypto ipsec transform-set vpn-ts-set esp-3des esp-sha-hmac
crypto dynamic-map dynamicmap 10
set transform-set vpn-ts-set
reverse-route
crypto map client-vpn-map client authentication list userauthen
crypto map client-vpn-map isakmp authorization list groupauthor
crypto map client-vpn-map client configuration address initiate
crypto map client-vpn-map client configuration address respond
crypto map client-vpn-map 10 ipsec-isakmp dynamic dynamicmap
interface FastEthernet0/0
ip address 83.137.194.62 255.255.255.240
crypto map client-vpn-map
ip local pool vpnpool 10.10.1.1 10.10.1.254
access-list 110 permit ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255
BRKSEC-1050 81
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Benefits of FlexVPN
• You can run Flex along all your previous IPsec VPNs. Most scenarios will allow coexistence of previous configuration and Flex
• Based on IKEv2 and not IKEv1, which improves almost all aspects of negotiation and protocol stability
• Using GRE over IPsec or VTI as encapsulation. GRE allows you to run almost anything over it. IPsec provides security for payload
• Utilizing virtual interfaces - allowing per-spoke features like firewall, QoS, ACLs, etc
• Remote access server and client (software and hardware) - similar to EZVPN
• Dynamic spoke to spoke tunnels - similar to DMVPN
• Ease of configuration by using built-in defaults - no longer will you need to define policies, transform sets etc.
BRKSEC-1050 82
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
When do you use it
Customer requires IKEv2 features
Customer desires to build site-to-site, remote-access, hub-spoke and spoke-spoke topologies utilizing a unified CLI
Large Scale deployment (of spoke to spoke and hub and spoke)
Customer wishes to reduce learning curve of implementing multiple different types of VPN connectivity
• Target Deployment: 50 – 10,000 sites with a hub-spoke layout and Cisco and Non-Cisco interoperability, IoT
BRKSEC-1050 83
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
IKEv2IKEv1
Comparing IKEv1 & IKEv2
NAT-T
DPD ISAKMP
RFC 2408
IPSec DOI
RFC 2407
IKE
RFC 2409
IKEv2
RFC 5996Mode
Config
Authentication
Integrity
Confidentiality
Suite-B
Anti-DoS
EAP Auth.
Hybrid Auth.
PSK, RSA-Sig
Cleaner Identity/Key Exchange
Uses UDP Ports 500 & 4500
Main + Aggressive INITIAL
Acknowledged Notifications
IKEv2 Redirect
RFC 5685
Childless IKEv2
RFC 6023
EAP-Only IKEv2
RFC 5998
Etc. ...
Same
Objectives
More Secure
Authentication
Options
Similar but
Different
BRKSEC-1050 84
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Key Differentiators
IKEv1 IKEv2
Auth messages 6 max Open ended
First IPsec SA 9 msgs min ~ 4-6 msgs min
Authentication pubkey-sig, pubkey-encr, PSK Pubkey-sig, PSK, EAP
Anti-DOS Never worked Works!
IKE rekey Requires re-auth (expensive) No re-auth
Notifies Fire & Forget Acknowledged
BRKSEC-1050 85
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
IKEv2 Exchange Overview
IKE_SA_INIT
IKE_AUTH
CREATE_CHILD_SA
IKEv2 Security Association (SA) establishment (proposal selection, key exchange)
Mutual authentication & identity exchange
Initial IPSec SAs establishment
Certificate exchange (optional)
Configuration exchange (optional)
Additional IPSec SAs establishment
IKEv2 & IPSec SA rekey
INFORMATIONAL
Initiator (I) Responder (R)
Can be (I R) with ACK or (R I) with ACK
Notifications (SA deletion, liveness check, ...)
Configuration exchange (one or both ways)
BRKSEC-1050 86
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
IKEv2 Configuration Exchange
IKE_AUTHInitiator (RA client) requests configuration parameters from responder (RA server).
Initiator (I) Responder (R)
CFG_REQUEST
CFG_REPLY
CFG_SET
INFORMATIONAL
CFG_ACK
CFG_SET
INFORMATIONAL
CFG_ACK
Initiator and/or responder sends unsolicited configuration parameters to its peer.
I would like:
an IPv6 address
a DNS & WINS server
a list of protected IPv6 subnets
Your assigned IPv6 address is ...
Your DNS server is ...
There is no WINS server
My protected IPv6 subnets are ...
My local IPv6 protected subnets are ...
Acknowledged
Derived from peer authorization
Derived from peer authorization
BRKSEC-1050 87
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
IKEv2 CLI Overviewcrypto ikev2 proposal PROP-1
encryption aes-cbc-128 3des
integrity sha1
group 2
!
crypto ikev2 policy SITE-POLICY
proposal prop-1
!
crypto ikev2 keyring V2-KEYRING
peer cisco
address 10.0.1.1
pre-shared-key local CISCO
pre-shared-key remote OCSIC
!
crypto ikev2 authorization policy AUTH-POLICY
route set interface
route accept any
IKEv2 Proposal
IKEv2 Policy binds Proposal to
peer
Keyring supports asymmetric
PSK’s
IKEv2 Authorization Policy
(contains attributes for local AAA
& config. exchange)
BRKSEC-1050 88
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
crypto ikev2 profile default
identity local address 10.0.0.1
[identity local fqdn local.cisco.com]
[identity local email [email protected]]
[identity local dn]
match identity remote address 10.0.1.1
match identity remote fqdn remote.cisco.com
match identity remote fqdn domain cisco.com
match identity remote email [email protected]
match identity remote email domain cisco.com
match certificate certificate_map
match fvrf red
match address local 172.168.1.1
authentication local pre-share
[authentication local rsa-sig]
[authentication local eap]
authentication remote pre-share
authentication remote rsa-sig
authentication remote eap
keyring local IOSKeyring
keyring aaa AAAlist
pki trustpoint <trustpoint_name>
IKEv2 CLI OverviewIKEv2 Profile – Extensive CLI
Match on peer IKE identity
or certificate
Match on local address and
frontVRF
Self Identity Control
Asymmetric local & remote
authentication methods
Local and AAA-based
Pre-Shared Keyring
Only one local method allowed
Multiple remote methods allowed
Only one local identity allowed
Multiple “match identity” allowed
BRKSEC-1050 89
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
IKEv2 CLI Overview IPsec – no further change
crypto ipsec transform-set TS esp-aes 128 esp-sha-hmac
!
crypto ipsec profile IPSEC-PROFILE
set transform-set TS
set crypto ikev2 profile IKEV2-PROFILE
!
interface Virtual-Template1 type tunnel
ip unnumbered Ethernet0/0
tunnel source Ethernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC-PROFILE
interface Tunnel0
ip address 10.0.0.1 255.255.255.252
tunnel source Ethernet0/0
tunnel destination 172.16.2.1
tunnel protection ipsec profile IPSEC-PROFILE
IPsec profile points to
IKEv2 profile
Tunnel protection
links IPsec to tunnel
BRKSEC-1050 90
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Introducing Smart Defaults
• Intelligent, reconfigurable defaults
• Pre-existing constructs:
• crypto ikev2 proposal• AES-CBC 256, 192,128 , 3DES / SHA-512,384,256, SHA-1, MD5 / group 5, 2
• crypto ikev2 policy (match any)
• crypto ipsec transform-set (AES-128, 3DES / SHA, MD5)
• crypto ipsec profile default (default transform set, ikev2 profile default)
• Only an IKEv2 profile called “default” needs to be created
crypto ikev2 profile default
match identity remote address 10.0.1.1
authentication local rsa-sig
authentication remote rsa-sig
pki trustpoint TP
!
interface Tunnel0
ip address 192.168.0.1 255.255.255.252
tunnel protection ipsec profile default
Example full configusing smart defaults
BRKSEC-1050 91
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Reconfigurable Defaults
• All defaults can be modified, deactivated and restored
• Default proposals pre-configured
• for IKEv2
• for IPsec
• Modifying defaults
default crypto ikev2 proposal
default crypto ipsec transform-set Restoring defaults
crypto ikev2 proposal default
encryption aes-cbc-128
hash md5
crypto ipsec transform-set default aes-cbc 256 sha-
hmac
Disabling defaults no crypto ikev2 proposal default
no crypto ipsec transform-set default
BRKSEC-1050 92
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Building Block – IKEv2 Name Mangler
• Start with the peer’s IKE or EAP identity
• Derive a username that is meaningful to AAA (local or RADIUS)
IKEv2 Exchange
RA Client Identity
IKEv2 Name Mangler
AAA Username: joe
RADIUS AAA Request
Username: joe, password: cisco
Local AAA Request
Username: joe
crypto ikev2 name-mangler extract-user
fqdn hostname
email username
dn common-name
eap prefix delimiter @
FQDN: joe.cisco.com
Email: [email protected]
DN: cn=joe,ou=IT,o=Cisco
EAP: joe@cisco
Static password
(configurable)
RA ClientIKEv2 InitiatorRADIUS Client
FlexVPN ServerIKEv2 Responder
RADIUS NAS
AAA ServerRADIUS Server
BRKSEC-1050 93
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
FlexVPN and AAA
• IKEv2 communicates with IOS AAA subsystem
• Local database (IKEv2 Authorization Policy)
• Remote database (RADIUS)
• Protocols in play: IKEv2, RADIUS, EAP
• AAA-based authentication:
• Pre-shared keys stored on RADIUS server
• EAP over IKEv2 & RADIUS
• Authorization:
• Implicit authorization (re-uses attributes received during authentication)
• Explicit authorization (local or remote, group- & user-level)
• Accounting
Authentication, Authorization & Accounting
aaa new-model
aaa author network local-db local
aaa author network remote-db group radius
AAA list name
BRKSEC-1050 94
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Authorization TypesNot mutually exclusive – May be combined
Implicit User Authorization
Explicit User Authorization
Explicit Group Authorization
crypto ikev2 profile default
aaa authorization user {psk|eap} cached
crypto ikev2 profile default
aaa authorization user {psk|eap|cert} list list [name | name-mangler mangler]
crypto ikev2 profile default
aaa authorization group {psk|eap|cert} [override] list list [name | name-mangler mangler]
Uses cached attributes received from RADIUS during AAA PSK retrieval or EAP authentication
Retrieves user attributes from RADIUS (local database not supported)
Retrieves group attributes from RADIUS or local database
RADIUS (Access-Accept)
Local PSK = cisco!
Remote PSK = !ocsic
Other user attributes for joe
Reverse order of precedence (group > user)
Cached for
authorization
BRKSEC-1050 95
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Attributes – Merging
Cached User Attributes
Explicit User Attributes
Merged User Attributes
Explicit Group Attributes
Final Merged Attributes
Attribute Value
Framed-IP-Address 10.0.0.101
ipsec:dns-servers 10.2.2.2
Attribute Value
Framed-IP-Address 10.0.0.102
Attribute Value
Framed-IP-Address 10.0.0.102
ipsec:dns-servers 10.2.2.2
Attribute Value
ipsec:dns-servers 10.2.2.3
ipsec:banner Welcome !
Attribute Value
Framed-IP-Address 10.0.0.102
ipsec:dns-servers 10.2.2.2
ipsec:banner Welcome !
Merged User Attributes take precedenceexcept if “group override” configured
Explicit User Attributes take precedence
FlexVPN Server AAA ServerReceived during
AAA-based authentication
Received during explicit
user authorization
Received during explicit
group authorization
BRKSEC-1050 96
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Modular Building Blocks
Tunneling Authentication
Method
Tunnel Config Config Mode
Source
GRE/IPsec Certificate Static Local config
Pure IPsec Pre-shared Key Dynamic RADIUS
EAP (initiator) crypto map Hybrid
Security policy & routing
IKEv2 “routing”
BGP
Static routes
Reverse-Route Injection
EIGRP or anything else!
BRKSEC-1050 97
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Site-to-Site Use Cases
• FlexVPN Site-to-Site Configuration using Crypto Maps
• FlexVPN Site-to-Site SVTI-SVTI Configuration using Digital Certificates
• FlexVPN Site-to-Site IPv6 over IPv4 using GRE Encapsulation (in reference slides)
• FlexVPN Hub & Spoke DVTI-SVTI using IKEv2 Routing
• FlexVPN Hub & Spoke using Flex Client
• FlexVPN Dynamic Spoke to Spoke
• MPLS over FlexVPN
BRKSEC-1050 98
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
FlexVPN Site-to-Site Configuration using Crypto Maps
crypto ikev2 keyring ASApeer ASAaddress 1.1.1.2pre-shared-key cisco
crypto ikev2 profile PROFmatch identity remote address 1.1.1.2 255.255.255.255 authentication local pre-shareauthentication remote pre-sharekeyring ASA
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
crypto map VPN 10 ipsec-isakmpset peer 1.1.1.2set transform-set TSET set ikev2-profile PROFmatch address CRYPTOACL
ip access-list extended CRYPTOACLpermit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 1.1.1.2
crypto ipsec ikev2 ipsec-proposal IPROPprotocol esp encryption aesprotocol esp integrity sha-1
crypto map VPN 10 match address CRYPTOACLcrypto map VPN 10 set peer 1.1.1.1 crypto map VPN 10 set ikev2 ipsec-proposal IPROPcrypto map VPN interface outside
crypto ikev2 policy 1encryption aesintegrity shagroup 5prf sha
crypto ikev2 enable outside
tunnel-group 1.1.1.1 type ipsec-l2ltunnel-group 1.1.1.1 ipsec-attributesikev2 remote-authentication pre-shared-key ciscoikev2 local-authentication pre-shared-key cisco
access-list CRYPTOACL extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
route outside 192.168.1.0 255.255.255.0 1.1.1.1 1
1.1.1.21.1.1.1
19
2.1
68.2
.0/2
4
19
2.1
68.1
.0/2
4
Just a string
Peer address
CM references IKEv2
Profile
ASA requires local-
authentication
BRKSEC-1050 99
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
FlexVPN Site-to-Site SVTI-SVTI Configuration using Digital Certificates
crypto pki trustpoint PKIenrollment url http://1.1.1.1:80serial-numbersubject-name cn=hub.cisco.comrevocation-check none
crypto pki certificate map CERTMAP 10subject-name co spoke1.cisco.com
crypto ikev2 profile defaultmatch certificate CERTMAPidentity local dnauthentication remote rsa-sigauthentication local rsa-sigpki trustpoint PKIdpd 10 2 on-demand
interface Tunnel0ip address 10.1.1.1 255.255.255.252tunnel source FastEthernet0/0tunnel mode ipsec ipv4tunnel destination 1.1.1.2tunnel protection ipsec profile default
ip route 192.168.2.0 255.255.255.0 Tunnel0
crypto pki trustpoint PKIenrollment url http://1.1.1.1:80serial-numbersubject-name cn=spoke1.cisco.comrevocation-check none
crypto pki certificate map CERTMAP 10subject-name co hub.cisco.com
crypto ikev2 profile defaultmatch certificate CERTMAPidentity local dnauthentication remote rsa-sigauthentication local rsa-sigpki trustpoint PKIdpd 10 2 on-demand
interface Tunnel0ip address 10.1.1.2 255.255.255.252tunnel source FastEthernet0/0tunnel mode ipsec ipv4tunnel destination 1.1.1.1tunnel protection ipsec profile default
ip route 192.168.1.0 255.255.255.0 Tunnel0
1.1.1.21.1.1.1
19
2.1
68.2
.0/2
4
19
2.1
68.1
.0/2
4
Certificate enrollment
Certificate Map to
match peer’s identity
Could use a
routing protocol
(IGP/BGP)
Static Tunnel Static Tunnel
hub.cisco.com spoke1.cisco.com
BRKSEC-1050 100
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
FlexVPN Site-to-Site IPv6 over IPv4 using GRE Encapsulation
crypto ikev2 keyring KRpeer SPOKE2address 2.2.2.1pre-shared-key local CISCOpre-shared-key remote CICSO
crypto ikev2 profile defaultmatch identity remote address 2.2.2.1 255.255.255.255 authentication remote pre-shareauthentication local pre-sharekeyring local KR
interface Tunnel0ip address 10.1.1.1 255.255.255.0ipv6 address FE80::1 link-localtunnel source Ethernet0/0tunnel destination 2.2.2.1tunnel protection ipsec profile default
ip route 192.168.2.0 255.255.255.0 Tunnel0ipv6 route 2001:0:0:2::/64 Tunnel0
crypto ikev2 keyring KRpeer SPOKE1address 1.1.1.1pre-shared-key local CICSOpre-shared-key remote CISCO
crypto ikev2 profile defaultmatch identity remote address 1.1.1.1 255.255.255.255 authentication remote pre-shareauthentication local pre-sharekeyring local KR
interface Tunnel0ip address 10.1.1.2 255.255.255.0ipv6 address FE80::2 link-localtunnel source Ethernet0/0tunnel destination 1.1.1.1tunnel protection ipsec profile default
ip route 192.168.1.0 255.255.255.0 Tunnel0ipv6 route 2001:0:0:1::/64 Tunnel0
2.2.2.11.1.1.1
19
2.1
68.2
.0/2
4
20
01
:0:0
:2::
1/6
4
19
2.1
68.1
.0/2
4
20
01
:0:0
:1::
1/6
4
Asymmetric PSKs
Tunneling IPv6 over
IPv4 Tunnel
Could use a
routing protocol
(IGP/BGP)
Static Tunnel Static Tunnel
BRKSEC-1050 101
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
FlexVPN Hub & Spoke DVTI-SVTI using IKEv2 Routing –Network Diagram
192.168.1.0/24.1
200.1.1.2
.254
Virtual-Access Interfaces
Static Tunnel Interface
192.168.2.0/24
BRKSEC-1050 102
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
FlexVPN Hub & Spoke DVTI-SVTI using IKEv2 Routing –Hub configuration
192.168.1.0/24.1
aaa authorization network FLEX local
crypto ikev2 keyring SPOKESpeer ALLaddress 0.0.0.0 0.0.0.0pre-shared-key cisco123
crypto ikev2 authorization policy FLEXAUTHORpool FLEXPOOLroute set interfaceroute set access-list 99
crypto ikev2 profile defaultmatch identity remote address 0.0.0.0 authentication remote pre-shareauthentication local pre-sharekeyring local SPOKESdpd 10 2 periodicaaa authorization group psk list FLEX FLEXAUTHORvirtual-template 1
200.1.1.2
.254
19
2.1
68.2
.0/2
4
.1
IKEv2 authorization
policy named
FLEXAUTHOR
AAA authorization
method list
Creates Virtual-
Access from Virtual-
Template
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0/1
tunnel protection ipsec profile default
ip local pool FLEXPOOL 10.1.1.1 10.1.1.10
access-list 99 permit 192.168.0.0 0.0.255.255
IKE v2 Route
Spoke Tunnel IP Pool
SpokeHub
BRKSEC-1050 103
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
FlexVPN Hub & Spoke DVTI-SVTI using IKEv2 Routing –Spoke ConfigurationSpoke configuration
192.168.1.0/24.1
200.1.1.2
interface Tunnel0
ip address negotiated
tunnel source Ethernet0/0
tunnel destination 200.1.1.2
tunnel protection ipsec profile default
aaa authorization network FLEX local
crypto ikev2 keyring HUBpeer HUBaddress 200.1.1.2pre-shared-key cisco123
crypto ikev2 authorization policy FLEXAUTHORroute set interfaceroute set access-list 99
crypto ikev2 profile defaultmatch identity remote address 200.1.1.2 255.255.255.255 authentication remote pre-shareauthentication local pre-sharekeyring local HUBdpd 10 2 periodicaaa authorization group psk list FLEX FLEXAUTHOR
access-list 99 permit 192.168.2.0 0.0.0.255
Advertising tunnel
interface IP and
192.168.2.0/24 subnet
Local Authorization
.254
19
2.1
68.2
.0/2
4
.1
IKE v2 Route
IP Address Assignment
from FLEXPOOL
SpokeHub
BRKSEC-1050 104
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
FlexVPN Server
• FlexVPN Server is an IKEv2 RA Server that provides the IKEv2
headend functionality for Remote Access and Hub-Spoke topologies.
• FlexVPN Server Features include
• Peer Authentication Using EAP
• Per-user Attributes allows fetching per-user session attributes from
AAA via IKEv2 authorization
• IKEv2 Multi-SA dVTI
Supported Remote Access Clients include Microsoft Windows7/8
IKEv2 Client, Cisco IKEv2 AnyConnect Client, and Cisco IOS FlexVPN
clientBRKSEC-1050 105
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
FlexVPN Client
• FlexVPN Client provides the IKEv2 Remote Access Client functionality
• FlexVPN Client Highlights• GRE encapsulation support that allows IPv4/IPv6 over IPv4/IPv6• Dynamic routing protocol support• Route exchange via config mode• Dynamic BGP peering
• FlexVPN Client Features
• Backup Gateways
• Dial backup
• Split DNS
• NAT
BRKSEC-1050 106
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
FlexVPN Hub & Spoke using Flex Client –Network Diagram
192.168.1.0/24.1
200.1.1.2
.254
Virtual-Access Interfaces
Static Tunnel Interface with
FlexVPN client
192.168.2.0/24
BRKSEC-1050 107
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
FlexVPN Hub & Spoke using Flex Client –Hub configuration
192.168.1.0/24.1
crypto ikev2 keyring SPOKES
peer ALL
address 0.0.0.0 0.0.0.0
pre-shared-key cisco123
crypto ikev2 profile default
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local SPOKES
dpd 10 2 periodic
virtual-template 1
200.1.1.2
.2
19
2.1
68.2
.0/2
4
.1
IKEv2 profile named
default
Wildcard PSK
Keyring
Creates Virtual-
Access from Virtual-
Template
interface Virtual-Template1 type tunnel
ip unnumbered Ethernet0/1
tunnel source Ethernet0/0
tunnel protection ipsec profile default
router eigrp 1
network 192.168.1.1 0.0.0.0
IGP Routing
200.1.1.1
SpokeHub 1 Hub 2
BRKSEC-1050 108
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
FlexVPN Hub & Spoke using Flex Client –Spoke Configuration
192.168.1.0/24.1
200.1.1.2
interface Tunnel0ip unnumbered Ethernet0/1tunnel source Ethernet0/0tunnel destination dynamictunnel protection ipsec profile default
router eigrp 1network 192.168.1.1 0.0.0.0
crypto ikev2 keyring HUBSpeer HUB1address 200.1.1.1pre-shared-key cisco123
peer HUB2address 200.1.1.2pre-shared-key cisco123
crypto ikev2 profile defaultmatch identity remote address 0.0.0.0authentication remote pre-shareauthentication local pre-sharekeyring local HUBSdpd 10 2 periodic
crypto ikev2 client flexvpn FLEXCLIENTpeer 1 200.1.1.1peer 2 200.1.1.2client connect Tunnel0
Client FlexVPNconstruct
.2
19
2.1
68.2
.0/2
4
.1
Tunnel destination selected
from flexvpn client
200.1.1.1
SpokeHub 1 Hub 2
BRKSEC-1050 109
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Spoke – Dynamic Tunnel Source/Destination192.168.1.0/24.1
200.1.1.1
track 1 ip sla 1
delay down 10 up 10
track 2 ip sla 2
delay down 10 up 10
track 3 list boolean and
object 2 not
ip sla 1
icmp-echo 200.1.1.1
frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 209.1.2.2 source-interface Ethernet0/0
frequency 5
ip sla schedule 2 life forever start-time now
interface Ethernet0/0
ip address 209.1.2.1 255.255.255.0
interface Ethernet0/1
ip address 209.1.3.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 209.1.2.2 track 2
ip route 0.0.0.0 0.0.0.0 209.1.3.2 track 3
crypto ikev2 keyring PEERSpeer ALLaddress 0.0.0.0 0.0.0.0pre-shared-key cisco
crypto ikev2 profile PROFmatch identity remote address 0.0.0.0 authentication remote pre-shareauthentication local pre-sharekeyring local PEERSdpd 30 2 on-demand
crypto ikev2 client flexvpn FLEXCLIENTpeer 1 200.1.1.1 track 1peer 2 200.1.1.2peer reactivatesource 1 Ethernet0/0 track 2source 2 Ethernet0/1 track 3client connect Tunnel0
crypto ipsec profile defaultset ikev2-profile PROF
.2
19
2.1
68.2
.0/2
4
.1
interface Tunnel0
ip unnumbered Loopback0
tunnel source dynamic
tunnel destination dynamic
tunnel protection ipsec profile
default
E0/0
E0/1200.1.1.2
BRKSEC-1050 110
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
FlexVPN Spoke to Spoke
FlexVPN Hub-Spoke, Spoke-Spoke• Uses sVTI/dVTI, NHRP and routing protocol
• No NHRP registrations from spokes to hub
• No GRE multipoint interface
Routing Protocol• Routing protocol run over FlexVPN hub-spoke tunnels
• Allows spokes to learn networks behind other spokes
NHRP‒ Resolves spoke overlay addresses to transport addresses
IPSec Virtual-Access Interface (VA)‒ IPSec VA created on either side, per spoke tunnel
BRKSEC-1050 111
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
FlexVPN Hub and Spoke – IKE Route Exchange
Physical:
Tunnel:
172.16.1.1
10.0.0.1
Physical:
Tunnel:
172.16.2.1
10.0.0.2
Physical: 172.16.0.1
Tunnel: 10.0.0.254
Hub 1
.1
Physical: 172.16.0.2
Tunnel: 10.0.0.253
192.168.100.0/24Hub 2
.2
Tunnel 100
Spoke 1
192.168.1.0/24
Spoke 2
192.168.2.0/24
C 192.168.1.0/24 Eth0
C 10.0.0.1 Tunnel0
S 0.0.0.0/0 Dialer0
S 10.0.0.254/32 Tunnel0
S 192.168.0.0/16 Tunnel0Routin
gTable
-
NH
RP
Table
-
NH
RP
Table
C 192.168.2.0/24 Eth0
C 10.0.0.2 Tunnel1
S 0.0.0.0/0 Dialer0
S 10.0.0.253/32 Tunnel1
S 192.168.0.0/16 Tunnel1Routin
gTable
C 10.0.0.254 Loopback0
C 192.168.100.0/24 Eth0
S 192.168.0.0/16 Tunnel100
S 10.0.0.0/8 Tunnel100
S 10.0.0.1 V-Access1
S 192.168.1.0/24 V-Access1
Routing
Table
C 10.0.0.253 Loopback0
C 192.168.100.0/24 Eth0
S 192.168.0.0/16 Tunnel100
S 10.0.0.0/8 Tunnel100
S 10.0.0.2 V-Access1
S 192.168.2.0/24 V-Access1
Routing
Table
BRKSEC-1050 112
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
FlexVPN Mesh – Indirection
Physical:
Tunnel:
172.16.1.1
10.0.0.1
Physical:
Tunnel:
172.16.2.1
10.0.0.2
Physical: 172.16.0.1
Tunnel: 10.0.0.254
Hub 1
.1
Physical: 172.16.0.2
Tunnel: 10.0.0.253
192.168.100.0/24Hub 2
.2
Tunnel 100
Spoke 1
192.168.1.0/24
Spoke 2
192.168.2.0/24
C 192.168.1.0/24 Eth0
C 10.0.0.1 Tunnel0
S 0.0.0.0/0 Dialer0
S 10.0.0.254/32 Tunnel0
S 192.168.0.0/16 Tunnel0Routin
gTable
-
NH
RP
Table
-
NH
RP
Table
C 192.168.2.0/24 Eth0
C 10.0.0.2 Tunnel1
S 0.0.0.0/0 Dialer0
S 10.0.0.253/32 Tunnel1
S 192.168.0.0/16 Tunnel1Routin
gTable
C 10.0.0.254 Loopback0
C 192.168.100.0/24 Eth0
S 192.168.0.0/16 Tunnel100
S 10.0.0.0/8 Tunnel100
S 10.0.0.1 V-Access1
S 192.168.1.0/24 V-Access1
Routing
Table
C 10.0.0.253 Loopback0
C 192.168.100.0/24 Eth0
S 192.168.0.0/16 Tunnel100
S 10.0.0.0/8 Tunnel100
S 10.0.0.2 V-Access1
S 192.168.2.0/24 V-Access1
Routing
Table
BRKSEC-1050 113
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
FlexVPN Mesh – Resolution
Physical:
Tunnel:
172.16.1.1
10.0.0.1
Physical:
Tunnel:
172.16.2.1
10.0.0.2
Physical: 172.16.0.1
Tunnel: 10.0.0.254
Hub 1
.1
Physical: 172.16.0.2
Tunnel: 10.0.0.253
192.168.100.0/24Hub 2
.2
Tunnel 100
Spoke 1
192.168.1.0/24
Spoke 2
192.168.2.0/24
C 192.168.1.0/24 Eth0
C 10.0.0.1 Tunnel0
S 0.0.0.0/0 Dialer0
S 10.0.0.254/32 Tunnel0
S 192.168.0.0/16 Tunnel0
H/S 10.0.0.2/32 V-Access1
H/S 192.168.2.0/24 V-Access1
Routin
gTable
10.0.0.2/32 172.16.2.1
192.168.2.0/24 172.16.2.1
NH
RP
Table
10.0.0.1 172.16.1.1
NH
RP
Table
C 192.168.2.0/24 Eth0
C 10.0.0.2 Tunnel1
S 0.0.0.0/0 Dialer0
S 10.0.0.253/32 Tunnel1
S 192.168.0.0/16 Tunnel1
H/S 10.0.0.1/32 V-Access1
Routin
gTable
C 10.0.0.254 Loopback0
C 192.168.100.0/24 Eth0
S 192.168.0.0/16 Tunnel100
S 10.0.0.0/8 Tunnel100
S 10.0.0.1 V-Access1
S 192.168.1.0/24 V-Access1
Routing
Table
C 10.0.0.253 Loopback0
C 192.168.100.0/24 Eth0
S 192.168.0.0/16 Tunnel100
S 10.0.0.0/8 Tunnel100
S 10.0.0.2 V-Access1
S 192.168.2.0/24 V-Access1
Routing
Table
Resolution
(192.168.2.2)
Resolution Reply
(192.168.2.0/24)
BRKSEC-1050 114
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
FlexVPN Mesh – Shortcut Forwarding
Physical:
Tunnel:
172.16.1.1
10.0.0.1
Physical:
Tunnel:
172.16.2.1
10.0.0.2
Physical: 172.16.0.1
Tunnel: 10.0.0.254
Hub 1
.1
Physical: 172.16.0.2
Tunnel: 10.0.0.253
192.168.100.0/24Hub 2
.2
Tunnel 100
Spoke 1
192.168.1.0/24
Spoke 2
192.168.2.0/24
C 192.168.1.0/24 Eth0
C 10.0.0.1 Tunnel0
S 0.0.0.0/0 Dialer0
S 10.0.0.254/32 Tunnel0
S 192.168.0.0/16 Tunnel0
H/S 10.0.0.2/32 V-Access1
H/S 192.168.2.0/24 V-Access1
Routin
gTable
10.0.0.2/32 172.16.2.1
192.168.2.0/24 172.16.2.1
NH
RP
Table
10.0.0.1 172.16.1.1
NH
RP
Table
C 192.168.2.0/24 Eth0
C 10.0.0.2 Tunnel1
S 0.0.0.0/0 Dialer0
S 10.0.0.253/32 Tunnel1
S 192.168.0.0/16 Tunnel1
H/S 10.0.0.1/32 V-Access1
Routin
gTable
C 10.0.0.254 Loopback0
C 192.168.100.0/24 Eth0
S 192.168.0.0/16 Tunnel100
S 10.0.0.0/8 Tunnel100
S 10.0.0.1 V-Access1
S 192.168.1.0/24 V-Access1
Routing
Table
C 10.0.0.253 Loopback0
C 192.168.100.0/24 Eth0
S 192.168.0.0/16 Tunnel100
S 10.0.0.0/8 Tunnel100
S 10.0.0.2 V-Access1
S 192.168.2.0/24 V-Access1
Routing
Table
BRKSEC-1050 115
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Hub-Spoke tunnels
1. Spokes connect to hub, IPSec-VA created on hub for each spoke
2. IPSec-VAs for all spokes share network id
3. Hub learns spoke networks via routing protocol over hub-spoke tunnels
4. Hub advertizes summarized route (via hub) to all spokes
NHRP redirect
1. Spoke to spoke traffic forwarded to hub
2. Hub detects ingress and egress interfaces(IPSec-VAs) share NHRP network id
3. Hub sends NHRP traffic redirect indication to source spoke with destination spoke overlay address
FlexVPN Spoke to Spoke Protocol Flow
BRKSEC-1050 116
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
NHRP Resolution
1. Spoke receiving redirect initiates NHRP resolution via hub to resolve destination
spoke
2. Hub forwards resolution request to destination spoke
3. Destination spoke receives resolution request, creates VA and crypto tunnel to
source spoke
4. Destination spoke sends resolution reply over spoke-spoke direct tunnel
5. Destination spoke adds NHRP cache entry for source spoke
NHRP Shortcut
1. Source spoke receives NHRP resolution reply
2. Source spoke adds NHRP cache entry and shortcut route for destination spoke
FlexVPN Spoke to Spoke Protocol Flow
BRKSEC-1050 117
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
FlexVPN Spoke to Spoke – Network Diagram172.16.0.0/24.1
200.1.1.2
.254
Virtual-Access Interfaces
Static Tunnel Interface
Virtual-Access Interfaces
172.16.2.0/24
BRKSEC-1050 118
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
FlexVPN Spoke to Spoke – Hub configuration172.16.0.0/24.1
crypto ikev2 keyring SPOKESpeer ALLaddress 0.0.0.0 0.0.0.0pre-shared-key cisco123
crypto ikev2 profile defaultmatch identity remote address 0.0.0.0 authentication remote pre-shareauthentication local pre-sharekeyring local SPOKESvirtual-template 1
router eigrp 100distribute-list EIGRP_SUMMARY out Virtual-Template1network 172.16.0.1 0.0.0.0redistribute static metric 1500 10 10 1 1500
ip route 172.16.0.0 255.255.0.0 Null0
ip access-list standard EIGRP_SUMMARYpermit 172.16.0.0 0.0.255.255
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0/1
ip nhrp network-id 1
ip nhrp redirect
tunnel protection ipsec profile default
200.1.1.2
.254
Routing via EIGRP
17
2.1
6.2
.0/2
4
Wildcard PSK
Creates Virtual-Access from Virtual-Template
IKEv2 Profile referencing Virtual-Template
SpokeHub
BRKSEC-1050 119
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
FlexVPN Spoke to Spoke – Spoke configuration172.16.0.0/24.1
200.1.1.2
interface Virtual-Template1 type tunnelip unnumbered FastEthernet0/1ip nhrp network-id 1ip nhrp holdtime 300ip nhrp shortcut virtual-template 1tunnel protection ipsec profile default
!!router eigrp 100network 172.16.2.1 0.0.0.0passive-interface defaultno passive-interface Tunnel0no passive-interface Ethernet0/1
crypto ikev2 keyring SPOKESpeer ALLaddress 0.0.0.0 0.0.0.0pre-shared-key cisco123
crypto ikev2 profile defaultmatch identity remote address 0.0.0.0 authentication remote pre-shareauthentication local pre-sharekeyring local SPOKESvirtual-template 1
interface Tunnel0ip unnumbered FastEthernet0/1ip nhrp network-id 1ip nhrp holdtime 300ip nhrp shortcut virtual-template 1tunnel source FastEthernet0/0tunnel destination 200.1.1.2tunnel protection ipsec profile default
.254
Virtual-Template is used for
Spoke-Spoke Communication
17
2.1
6.2
.0/2
4
Shortcut switching
Tunnel0 is used for Hub-Spoke Communication
Prevent EIGRP Neighbors on VAI
SpokeHub
BRKSEC-1050 120
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Summary Route Advertisement• Redistributing a static route pointing to null0 (Preferred option). This option allows to have control over summary and
redistribution without touching hub's VT configuration.
ip route 172.16.0.0 255.255.0.0 Null0
ip access-list standard EIGRP_SUMMARY
permit 172.16.0.0 0.0.255.255
router eigrp 100
distribute-list EIGRP_SUMMARY out Virtual-Template1
redistribute static metric 1500 10 10 1 1500
• DMVPN-style summary address on Virtual-template. This configuration is not recommended because of internal processing and replication of said summary to each virtual access. It is shown here for reference:
interface Virtual-Template1 type tunnel ip summary-address eigrp 100 172.16.0.0 255.255.0.0
BRKSEC-1050 121
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
172.16.1.254 172.16.1.253
MPLS VPN over FlexObjective: end-to-end VRF separation
.2
192.168.100.0/24
.2.1
`192.168.100.0/24
.2.1 .1
192.168.100.0/24
192.168.1.0/24
192.168.1.0/24
.1 .1 .1192.168.1.0/24
192.168.2.0/24
192.168.2.0/24
.1 .1 .1192.168.2.0/24
192.168.3.0/24
.1 .1
192.168.3.0/24
192.168.3.0/24.1
BRKSEC-1050 122
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
172.16.1.254 172.16.1.253
MPLS VPN over Flex
.2
192.168.100.0/24
.2.1 .2
192.168.100.0/24
.1 .1
192.168.100.0/24
Going LDP FreeHub private interface(s) in inside VRFor MPLS
Virtual-Access’ in GRT, run MPLS
Spoke tunnels run MPLS
192.168.1.0/24
192.168.1.0/24
.1 .1 .1192.168.1.0/24
192.168.2.0/24
192.168.2.0/24
.1 .1 .1192.168.2.0/24
192.168.3.0/24
.1 .1
192.168.3.0/24
192.168.3.0/24.1
Private interfaces in VRF’s
Tunnels create “back-to-back” links
LDP not needed !!
BRKSEC-1050 123
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
FlexVPN HW Client Redundancy Configurations
Backup Gateway IKEv2 Load Balancer Tunnel Pivot
Hub Hub
Hub HubHub
SpokeHub Hub
ISP1 ISP2
HSRPVIP
• IP SLA/track failure detection
• Multiple peer definition under
client block
• Dynamic tunnel destination
• HSRP for clustering
• IKEv2 Redirect based on
Least Loaded Gateway
• IP SLA/track failure detection
• Multiple tunnel source
definition under client block
• Dynamic tunnel source
BRKSEC-1050 124
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
FlexVPN Backup Peers (1)
172.16.0.1 172.16.0.2
192.168.100.0/24
.1 .2
Tunnels are set up
to a primary Hub
BRKSEC-1050 125
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
FlexVPN Backup Peers (2)
172.16.0.1 172.16.0.2
192.168.100.0/24
.1 .2
Hub 1 Fails
New tunnels are set up
to a backup Hub
BRKSEC-1050 126
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Powerful Peer Syntaxpeer
peer
peer
peer
<n> <ip>
<n> <ip> track <x>
<n> <fqdn>
<n> <fqdn> track <x>
aaa authorization network default local
crypto ikev2 profile default
match certificate HUBMAP
fqdn Spoke1.cisco.com
remote rsa-sig
local pre-shared
identity local
authentication
authentication
keyring local
authorization group cert list default default
pki trustpoint CA
aaa
dpd 30 2 on-demand
flexvpn defaultcrypto ikev2 client
client connect tunnel 0
peer 1
peer 2
172.16.1.254
172.16.1.253
interface Tunnel0
ip address negotiated
source FastEthernet0/0tunnel
tunnel
tunnel
destination dynamic
protection ipsec profile default
FlexVPN Backup Peers (3) – Spoke Config.
To Primary Hub
To Secondary Hub
Detect Hub Failure
Nth source selected only if
corresponding track object is up
Destination
managed by
FlexVPN
Also works with Routing
Protocol
RADIUS Backup List Attribute
ipsec:ipsec-backup-gateway
Up to 10 backup gateways pushed by
config-exchange
crypto ikev2 authorization policyroute set interfaceroute set access-list 99
BRKSEC-1050 127
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
FlexVPN Downloadable Backup Peer List
Seq 10: Peer 1
Seq 20: Peer 2
Peer 1 is selected initially
(sequence number based)
If Peer 1 fails, Peer 2 is selected
(sequence number based)
Upon connection to Peer 2, a downloadable peer list is received
Upon failure of Peer 2, Peer 2.1 then 2.2
are selected (part of downloadable peer
list)
Downloadable list peers are used until
last downloadable list peer fails
Upon successful connection to next peer instatic list is deleted
Seq 10: Peer 2.1
Seq 20: Peer 2.2
Seq 30: Peer 3
Static Peer List (Locally Configured)
Downloadable Peer List
BRKSEC-1050 128
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
FlexVPN Backup – Re-activation of Primary Peer
remote1crypto ikev2 flexvpn client
peer 1 10.0.0.1 track 1
peer 2 10.0.0.2 track 2
peer 3 10.0.0.3 track 3
peer reactivate
client connect Tunnel0
!
interface Tunnel0
ip address negotiated
…
dynamictunnel destination
…
client
10.0.0.1
10.0.0.2
10.0.0.3
Tracker state (Up/Down)
ICMP-echo IP SLA probe
IPsec Tunnel
Allow re-establishing tunnel directly to preferred peer as soon as it is available again
Trackers are required for this featuretrack 1 ip sla 1 reachability
track 2 ip sla 2 reachability
track 3 ip sla 3 reachability
BRKSEC-1050 129
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
FlexVPN Backup GroupsWarrant that a peer, belonging to different peer-lists in the samebackup group, is never active in multiple peer-list at a given time
ikev2 flexvpn client remote1crypto
peer
peer
peer
1 10.0.0.1
2 10.0.0.2
3 10.0.0.3
group 1
connect Tunnel0
backup
client
crypto ikev2 flexvpn client remote2
peer
peer
peer
1 10.0.0.1
2 10.0.0.2
3 10.0.0.3
group 1
connect Tunnel1
backup
client
!
interface Tunnel0
ip address negotiated
…
tunnel destination dynamic
…
interface Tunnel1
ip address negotiated
…
tunnel destination dynamic
…
Hub 1
Hub 2
Hub 3
Client
Tu0
Tu1
10.0.0.1
10.0.0.2
10.0.0.3
Service Provider 2
Service Provider 1
10.0.0.1 cannot be used as
already active in remote1
peer-list from same group
BRKSEC-1050 130
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
FlexVPN Tunnel Pivot• Use when different Service Providers are used to connect to remote host
Hub
Service Provider 2
track 1 ip sla 1 reachability
crypto ikev2 flexvpn client remote1
peer 10.0.0.1
GigabitEthernet0/0 track 11 interface
2 interface FastEthernet2/0
source
source
client connect tunnel 0
interface Tunnel0
ip address negotiated
…
source dynamic
destination dynamic
tunnel
tunnel
…
GigE0/0
Client
FastE2/0
Tracker state (Up/Down)
ICMP-echo IP SLA probe
IPsec Tunnel
Service Provider 1
BRKSEC-1050 131
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
FlexVPNAdvantages
• Leverages IKEv2 Protocol
• Large Scale Hub-Spoke with dynamic spoke-
to-spoke
• VPN Concentrator for Remote Access
• Can be deployed either on public or private
networks
• Centralized Policy Management with AAA
• Failover (dynamic and IKEv2 based routing)
• Multicast
• Per-tunnel QoS at Hub
• 3rd Party Compatible
Disadvantages
• Not backward compatible with IKEv1
• Currently supported only on ISR-G2s, ASR1k,
CSR-1000v, ISR-NG (4000 series)
BRKSEC-1050 132
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
VPN Selection Criteria for Key Solutions
• IWAN-based deployments must use DMVPN
• IOT deployments can use either of DMVPN, GETVPN, SSLVPN, FlexVPN
Key Solutions DMVPN
(mGRE, p-p
GRE)
GETVPN
(Tunnel-less)
SSLVPN
(TLS)
Easy VPN
(IPsec
tunnels,
IKEv1)
FlexVPN
(dVTI, IKEv2)
IPsec VPN
(CM, VTI, p-
pGRE)
IOT Yes Yes Yes No Yes No
IWAN Yes N/A N/A N/A N/A N/A
DCI N/A Yes N/A N/A N/A No
MPLS-o-mGRE N/A Yes N/A N/A N/A No
MPLS-o-DMVPN Yes N/A N/A N/A N/A N/A
Yes = Supported and Recommended No = Supported but Not-Recommended
BRKSEC-1050 133
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Features Standard IPsec GRE over IPsec Easy VPN/DVTI SVTI DMVPN GETVPN FlexVPN
3rd Party Compatibility x x x x x
AAA attributes support x x x
Dynamically addressed spoke
x x x x x
Dynamic Routing x x x x x x
Dynamic Spoke to Spoke tunnel
x x x
IKEv2 x x x
Public Transport x x x x x x
IPv6 x x x x x x
IP Multicast x x x x x x
NAT x x x x x x
Inline tagging (IKEv2) x x x x x x
QoS x x x x x x x
VRF x x x x x x x
IWAN x
IoT x
DCI x
Summary
134
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Complete Your Online Session Evaluation
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.
• Complete your session surveys through the Cisco Live mobile app or from the Session Catalog on CiscoLive.com/us.
BRKSEC-1050 135
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions
BRKSEC-1050 136