What is FLEXVPN? How to configure FLEXVPN?

FlexVPN is a versatile VPN framework from Cisco that simplifies the configuration and deployment of various types of VPNs. Cisco supports many VPN types, and most of them require different configurations and different verification commands. FlexVPN is designed to support site-to-site, hub-and-spoke, remote access, and other VPN topologies; the only VPN type that FlexVPN does not cover is GETVPN.

 


Here are some key points about FlexVPN:

Based on IKEv2: FlexVPN utilizes the Internet Key Exchange version 2 (IKEv2) protocol for all its VPN types, which offers improved security and features over IKEv1.

Smart Defaults: It employs smart defaults based on best practices, minimizing the required configuration efforts.

Unified Solution: FlexVPN is a unified solution that covers all VPN types except Group Encrypted Transport VPN (GETVPN), making it easier to manage and operate.

Supports Various Authentication Methods: It supports certificates, pre-shared keys (PSKs), and Extensible Authentication Protocol (EAP) authentication methods.

Deployment Flexibility: FlexVPN can be deployed over public internet or private MPLS VPN networks and is designed for both site-to-site and remote access VPNs.

Failover Redundancy: It offers different redundancy models, including dynamic routing protocols over VPN tunnels and IKEv2-based server clustering.

 

A smart default is a pre-defined value; this feature helps us minimize the configuration and makes it easy to configure a VPN. For example, when we configure an IPsec VPN with IKEv2, we have to configure the following items:

  • IKEv2 proposal
  • IKEv2 policy
  • IKEv2 profile
  • IKEv2 keyring
  • IPsec transform-set
  • IPsec profile

All these items must be configured for an IPsec VPN with IKEv2. With smart defaults, however, the pre-defined values are used and we have to configure only two items:

  • IKEv2 profile
  • IKEv2 policy

We do not have to configure the proposal, policy, transform-set, and IPsec profile ourselves.

Let’s see the configuration for a better understanding: 

Topology: In this topology we have a head-office router (router 1) and branch-site routers A, B, C, D, and E. The head-office router is the hub, the rest of the routers are spokes, and router 2 acts as the internet. Our task is to configure the IPsec VPN tunnels so that all data between the sites is encrypted.



Goal:
  • configure the topology as per the diagram 
  • configure the IP addresses as per the topology
  • configure a default route on routers 1,3,4,5,6, and 7
  • configure static routes on the internet router
  • configure crypto keyring
  • configure crypto IPsec profile
  • configure virtual template on router 1 (head office)
  • configure tunnel on spokes routers
  • configure EIGRP and advertise LAN and Loopback interfaces on hub and spokes routers
  • verify the configuration with show commands






Head-office#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.10.1    YES NVRAM  up                    up
Serial3/0              192.168.12.1    YES NVRAM  up                    up
Loopback0              192.168.111.1   YES NVRAM  up                    up


INTERNET#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
Serial3/0              192.168.12.2    YES NVRAM  up                    up
Serial3/1              192.168.23.2    YES NVRAM  up                    up
Serial3/2              192.168.24.2    YES NVRAM  up                    up
Serial3/3              192.168.25.2    YES NVRAM  up                    up
Serial3/4              192.168.26.2    YES NVRAM  up                    up
Serial3/5              192.168.27.2    YES NVRAM  up                    up

Branch-A#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.30.1    YES NVRAM  up                    up
Serial3/1              192.168.23.1    YES NVRAM  up                    up
Loopback0              192.168.133.1   YES NVRAM  up                    up


Branch-B#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.40.1    YES NVRAM  up                    up
Serial3/2              192.168.24.1    YES NVRAM  up                    up
Loopback0              192.168.144.1   YES NVRAM  up                    up

Branch-C#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.50.1    YES NVRAM  up                    up
Serial3/3              192.168.25.1    YES NVRAM  up                    up
Loopback0              192.168.155.1   YES NVRAM  up                    up


Branch-D#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.60.1    YES NVRAM  up                    up
Serial3/4              192.168.26.1    YES NVRAM  up                    up
Loopback0              192.168.166.1   YES NVRAM  up                    up

Branch-E#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.70.1    YES NVRAM  up                    up
Serial3/5              192.168.27.1    YES NVRAM  up                    up
Loopback0              192.168.177.1   YES NVRAM  up                    up


Head-office#show ip route static
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S*    0.0.0.0/0 is directly connected, Serial3/0

INTERNET#show ip route static
Gateway of last resort is not set
S     192.168.10.0/24 is directly connected, Serial3/0
S     192.168.30.0/24 is directly connected, Serial3/1
S     192.168.40.0/24 is directly connected, Serial3/2
S     192.168.50.0/24 is directly connected, Serial3/3
S     192.168.60.0/24 is directly connected, Serial3/4
S     192.168.70.0/24 is directly connected, Serial3/5

Branch-A#show ip route static
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S*    0.0.0.0/0 is directly connected, Serial3/1

Branch-B#show ip route static
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S*    0.0.0.0/0 is directly connected, Serial3/2


Branch-C#show ip route static
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S*    0.0.0.0/0 is directly connected, Serial3/3

Branch-D#show ip route static
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S*    0.0.0.0/0 is directly connected, Serial3/4


Branch-E#show ip route static
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S*    0.0.0.0/0 is directly connected, Serial3/5




Head-office(config)#crypto ikev2 keyring IKEV2-KEYRING
Head-office(config-ikev2-keyring)#Peer Branch-A
Head-office(config-ikev2-keyring-peer)#address 192.168.23.1
Head-office(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Head-office(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Head-office(config-ikev2-keyring-peer)#exit
Head-office(config-ikev2-keyring)#Peer Branch-B
Head-office(config-ikev2-keyring-peer)#address 192.168.24.1
Head-office(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Head-office(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Head-office(config-ikev2-keyring-peer)#exit
Head-office(config-ikev2-keyring)#Peer Branch-C
Head-office(config-ikev2-keyring-peer)#address 192.168.25.1
Head-office(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Head-office(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Head-office(config-ikev2-keyring-peer)#exit
Head-office(config-ikev2-keyring)#Peer Branch-D
Head-office(config-ikev2-keyring-peer)#address 192.168.26.1
Head-office(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Head-office(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Head-office(config-ikev2-keyring-peer)#exit
Head-office(config-ikev2-keyring)#Peer Branch-E
Head-office(config-ikev2-keyring-peer)#address 192.168.27.1
Head-office(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Head-office(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Head-office(config-ikev2-keyring-peer)#exit
Head-office(config-ikev2-keyring)#exit


Head-office(config)#crypto ikev2 profile IKEV2-PROFILE
IKEv2 profile MUST have:
   1. A local and a remote authentication method.
   2. A match identity or a match certificate statement.
Head-office(config-ikev2-profile)#match identity remote  address 192.168.23.1 255.255.255.0
Head-office(config-ikev2-profile)#match identity remote  address 192.168.24.1 255.255.255.0
Head-office(config-ikev2-profile)#match identity remote address 192.168.25.1 255.255.255.0
Head-office(config-ikev2-profile)#match identity remote address 192.168.26.1 255.255.255.0
Head-office(config-ikev2-profile)#match identity remote  address 192.168.27.1 255.255.255.0
Head-office(config-ikev2-profile)#authentication remote pre-share
Head-office(config-ikev2-profile)#authentication local pre-share
Head-office(config-ikev2-profile)#keyring local IKEV2-KEYRING
Head-office(config-ikev2-profile)#virtual-template 1
Head-office(config-ikev2-profile)#exit
Head-office(config)#exit

Head-office(config)#crypto ipsec profile IPSEC-PROFILE
Head-office(ipsec-profile)#set ikev2-profile IKEV2-PROFILE
Head-office(ipsec-profile)#exit

Head-office#show crypto ikev2 profile
IKEv2 profile: IKEV2-PROFILE
 Ref Count: 13
 Match criteria:
  Fvrf: global
  Local address/interface: none
  Identities:
   address 192.168.23.1 255.255.255.0
   address 192.168.24.1 255.255.255.0
   address 192.168.25.1 255.255.255.0
   address 192.168.26.1 255.255.255.0
   address 192.168.27.1 255.255.255.0

  Certificate maps: none
 Local identity: none
 Remote identity: none
 Local authentication method: pre-share
 Remote authentication method(s): pre-share

 EAP options: none
 Keyring: IKEV2-KEYRING
 Trustpoint(s): none
 Lifetime: 86400 seconds
 DPD: disabled
 NAT-keepalive: disabled
 Ivrf: none
 Virtual-template: 1
 AAA EAP authentication mlist: none
 AAA Accounting: none
 AAA group authorization: none
 AAA user authorization: none

Head-office#show crypto ipsec profile
IPSEC profile IPSEC-PROFILE
        IKEV2 profile IKEV2-PROFILE
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,

        }
IPSEC profile default
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,
        }

Branch-A(config)#crypto ikev2 keyring IKEV2-KEYRING
Branch-A(config-ikev2-keyring)#Peer Head-office
Branch-A(config-ikev2-keyring-peer)#address 192.168.12.1
Branch-A(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Branch-A(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Branch-A(config-ikev2-keyring-peer)#exit
Branch-A(config-ikev2-keyring)#exit

Branch-A(config)#crypto ikev2 profile IKEV2-PROFILE
IKEv2 profile MUST have:
   1. A local and a remote authentication method.
   2. A match identity or a match certificate statement.
Branch-A(config-ikev2-profile)#match identity remote address 192.168.12.1 255.255.255.255
Branch-A(config-ikev2-profile)#authentication remote pre-share
Branch-A(config-ikev2-profile)#authentication local pre-share
Branch-A(config-ikev2-profile)#keyring local IKEV2-KEYRING
Branch-A(config-ikev2-profile)#exit

Branch-A(config)#crypto ipsec profile IPSEC-PROFILE
Branch-A(ipsec-profile)#set ikev2-profile IKEV2-PROFILE
Branch-A(ipsec-profile)#exit




Branch-A#show crypto ikev2 profile
IKEv2 profile: IKEV2-PROFILE
 Ref Count: 4
 Match criteria:
  Fvrf: global
  Local address/interface: none
  Identities:
   address 192.168.12.1 255.255.255.255
  Certificate maps: none
 Local identity: none
 Remote identity: none
 Local authentication method: pre-share
 Remote authentication method(s): pre-share
 EAP options: none
 Keyring: IKEV2-KEYRING
 Trustpoint(s): none
 Lifetime: 86400 seconds
 DPD: disabled
 NAT-keepalive: disabled
 Ivrf: none
 Virtual-template: none
 AAA EAP authentication mlist: none
 AAA Accounting: none
 AAA group authorization: none
 AAA user authorization: none
Branch-A#
Branch-A#show crypto ipsec profile
IPSEC profile IPSEC-PROFILE
        IKEV2 profile IKEV2-PROFILE
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,
        }
IPSEC profile default
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,
        }


Branch-B(config)#crypto ikev2 keyring IKEV2-KEYRING
Branch-B(config-ikev2-keyring)#Peer Head-office
Branch-B(config-ikev2-keyring-peer)#address 192.168.12.1
Branch-B(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Branch-B(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Branch-B(config-ikev2-keyring-peer)#exit
Branch-B(config-ikev2-keyring)#exit

Branch-B(config)#crypto ikev2 profile IKEV2-PROFILE
IKEv2 profile MUST have:
   1. A local and a remote authentication method.
   2. A match identity or a match certificate statement.
Branch-B(config-ikev2-profile)#match identity remote address 192.168.12.1 255.255.255.255
Branch-B(config-ikev2-profile)#authentication remote pre-share
Branch-B(config-ikev2-profile)#authentication local pre-share
Branch-B(config-ikev2-profile)#keyring local IKEV2-KEYRING
Branch-B(config-ikev2-profile)#exit

Branch-B(config)#crypto ipsec profile IPSEC-PROFILE
Branch-B(ipsec-profile)#set ikev2-profile IKEV2-PROFILE
Branch-B(ipsec-profile)#exit


Branch-B#show crypto ikev2 profile

IKEv2 profile: IKEV2-PROFILE
 Ref Count: 4
 Match criteria:
  Fvrf: global
  Local address/interface: none
  Identities:
   address 192.168.12.1 255.255.255.255
  Certificate maps: none
 Local identity: none
 Remote identity: none
 Local authentication method: pre-share
 Remote authentication method(s): pre-share
 EAP options: none
 Keyring: IKEV2-KEYRING
 Trustpoint(s): none
 Lifetime: 86400 seconds
 DPD: disabled
 NAT-keepalive: disabled
 Ivrf: none
 Virtual-template: none
 AAA EAP authentication mlist: none
 AAA Accounting: none
 AAA group authorization: none
 AAA user authorization: none
Branch-B#show crypto ipsec profile
IPSEC profile IPSEC-PROFILE
        IKEV2 profile IKEV2-PROFILE
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,
        }

IPSEC profile default
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,
        }


Branch-C(config)#crypto ikev2 keyring IKEV2-KEYRING
Branch-C(config-ikev2-keyring)#Peer Head-office
Branch-C(config-ikev2-keyring-peer)#address 192.168.12.1
Branch-C(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Branch-C(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Branch-C(config-ikev2-keyring-peer)#exit
Branch-C(config-ikev2-keyring)#exit

Branch-C(config)#crypto ikev2 profile IKEV2-PROFILE
Branch-C(config-ikev2-profile)#match identity remote address 192.168.12.1 255.255.255.255
Branch-C(config-ikev2-profile)#authentication remote pre-share
Branch-C(config-ikev2-profile)#authentication local pre-share
Branch-C(config-ikev2-profile)#keyring local IKEV2-KEYRING
Branch-C(config-ikev2-profile)#exit

Branch-C(config)#crypto ipsec profile IPSEC-PROFILE
Branch-C(ipsec-profile)#set ikev2-profile IKEV2-PROFILE
Branch-C(ipsec-profile)#exit

Branch-C#show crypto ikev2 profile

IKEv2 profile: IKEV2-PROFILE
 Ref Count: 4
 Match criteria:
  Fvrf: global
  Local address/interface: none
  Identities:
   address 192.168.12.1 255.255.255.255
  Certificate maps: none
 Local identity: none
 Remote identity: none
 Local authentication method: pre-share
 Remote authentication method(s): pre-share
 EAP options: none
 Keyring: IKEV2-KEYRING
 Trustpoint(s): none
 Lifetime: 86400 seconds
 DPD: disabled
 NAT-keepalive: disabled
 Ivrf: none
 Virtual-template: none
 AAA EAP authentication mlist: none
 AAA Accounting: none
 AAA group authorization: none
 AAA user authorization: none

Branch-C#show crypto ipsec profile
IPSEC profile IPSEC-PROFILE
        IKEV2 profile IKEV2-PROFILE
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,
        }

IPSEC profile default
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,
        }

Branch-D(config)#crypto ikev2 keyring IKEV2-KEYRING
Branch-D(config-ikev2-keyring)#Peer Head-office
Branch-D(config-ikev2-keyring-peer)#address 192.168.12.1
Branch-D(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Branch-D(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Branch-D(config-ikev2-keyring-peer)#exit
Branch-D(config-ikev2-keyring)#exit

Branch-D(config)#crypto ikev2 profile IKEV2-PROFILE
IKEv2 profile MUST have:
   1. A local and a remote authentication method.
   2. A match identity or a match certificate statement.
Branch-D(config-ikev2-profile)#match identity remote address 192.168.12.1 
Branch-D(config-ikev2-profile)#authentication remote pre-share
Branch-D(config-ikev2-profile)#authentication local pre-share
Branch-D(config-ikev2-profile)#keyring local IKEV2-KEYRING
Branch-D(config-ikev2-profile)#exit

Branch-D(config)#crypto ipsec profile IPSEC-PROFILE
Branch-D(ipsec-profile)#set ikev2-profile IKEV2-PROFILE
Branch-D(ipsec-profile)#exit



Branch-D#show crypto ikev2 profile

IKEv2 profile: IKEV2-PROFILE
 Ref Count: 4
 Match criteria:
  Fvrf: global
  Local address/interface: none
  Identities:
   address 192.168.12.1 255.255.255.255
  Certificate maps: none
 Local identity: none
 Remote identity: none
 Local authentication method: pre-share
 Remote authentication method(s): pre-share
 EAP options: none
 Keyring: IKEV2-KEYRING
 Trustpoint(s): none
 Lifetime: 86400 seconds
 DPD: disabled
 NAT-keepalive: disabled
 Ivrf: none
 Virtual-template: none
 AAA EAP authentication mlist: none
 AAA Accounting: none
 AAA group authorization: none
 AAA user authorization: none
Branch-D#show crypto ipsec profile
IPSEC profile IPSEC-PROFILE
        IKEV2 profile IKEV2-PROFILE
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,
        }

IPSEC profile default
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,
        }

Branch-E(config)#crypto ikev2 keyring IKEV2-KEYRING
Branch-E(config-ikev2-keyring)#Peer Head-office
Branch-E(config-ikev2-keyring-peer)#address 192.168.12.1
Branch-E(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Branch-E(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Branch-E(config-ikev2-keyring-peer)#exit
Branch-E(config-ikev2-keyring)#exit
Branch-E(config)#crypto ikev2 profile IKEV2-PROFILE
IKEv2 profile MUST have:
   1. A local and a remote authentication method.
   2. A match identity or a match certificate statement.
Branch-E(config-ikev2-profile)#match identity remote address 192.168.12.1 255.255.255.255
Branch-E(config-ikev2-profile)#authentication remote pre-share
Branch-E(config-ikev2-profile)#authentication local pre-share
Branch-E(config-ikev2-profile)#keyring local IKEV2-KEYRING
Branch-E(config-ikev2-profile)#exit

Branch-E(config)#crypto ipsec profile IPSEC-PROFILE
Branch-E(ipsec-profile)#set ikev2-profile IKEV2-PROFILE
Branch-E(ipsec-profile)#exit


Branch-E#show crypto ikev2 profile

IKEv2 profile: IKEV2-PROFILE
 Ref Count: 4
 Match criteria:
  Fvrf: global
  Local address/interface: none
  Identities:
   address 192.168.12.1 255.255.255.255
  Certificate maps: none
 Local identity: none
 Remote identity: none
 Local authentication method: pre-share
 Remote authentication method(s): pre-share
 EAP options: none
 Keyring: IKEV2-KEYRING
 Trustpoint(s): none
 Lifetime: 86400 seconds
 DPD: disabled
 NAT-keepalive: disabled
 Ivrf: none
 Virtual-template: none
 AAA EAP authentication mlist: none
 AAA Accounting: none
 AAA group authorization: none
 AAA user authorization: none
Branch-E#show crypto ipsec profile
IPSEC profile IPSEC-PROFILE
        IKEV2 profile IKEV2-PROFILE
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,
        }

IPSEC profile default
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,
        }




Head-office(config)#interface virtual-template 1 type tunnel
Head-office(config-if)#tunnel source 192.168.12.1
Head-office(config-if)#tunnel destination dynamic
Head-office(config-if)#ip unnumbered loopback 0
Head-office(config-if)#tunnel protection ipsec profile IPSEC-PROFILE
Head-office(config-if)#exit
Head-office(config)#exit
 
Head-office(config)#router eigrp 100
Head-office(config-router)#network 192.168.10.0
Head-office(config-router)#network 192.168.111.0
Head-office(config-router)#no auto-summary
Head-office(config-router)#exit

*Apr 10 14:57:22.103: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
*Apr 10 14:57:31.867: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.133.1 (Virtual-Access1) is up: new adjacency
*Apr 10 14:58:56.463: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
*Apr 10 14:59:36.675: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.144.1 (Virtual-Access2) is up: new adjacency
*Apr 10 15:02:28.595: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
*Apr 10 15:05:55.379: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.155.1 (Virtual-Access5) is up: new adjacency
*Apr 10 15:05:54.847: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access5, changed state to up
*Apr 10 15:02:31.851: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.166.1 (Virtual-Access3) is up: new adjacency
*Apr 10 15:03:40.187: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access4, changed state to up
*Apr 10 15:03:43.507: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.177.1 (Virtual-Access4) is up: new adjacency



Branch-A(config)#interface tunnel 0
Branch-A(config-if)#tunnel source 192.168.23.1
Branch-A(config-if)#tunnel destination 192.168.12.1
Branch-A(config-if)#ip unnumbered loopback 0
Branch-A(config-if)#tunnel protection ipsec profile IPSEC-PROFILE
Branch-A(config-if)#exit

Branch-A(config)#router eigrp 100
Branch-A(config-router)#network 192.168.30.0
Branch-A(config-router)#network 192.168.133.0
Branch-A(config-router)#no auto-summary
Branch-A(config-router)#exit

*Apr 10 14:57:20.287: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Apr 10 14:57:20.723: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Apr 10 14:57:31.571: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.111.1 (Tunnel0) is up: new adjacency


Branch-B(config)#interface tunnel 0
Branch-B(config-if)#tunnel source 192.168.24.1
Branch-B(config-if)#tunnel destination 192.168.12.1
Branch-B(config-if)#ip unnumbered loopback 0
Branch-B(config-if)#tunnel protection ipsec profile IPSEC-PROFILE
Branch-B(config-if)#exit

Branch-B(config)#router eigrp 100
Branch-B(config-router)#network 192.168.40.1
Branch-B(config-router)#network 192.168.144.1
Branch-B(config-router)#no auto-summary
Branch-B(config-router)#exit

*Apr 10 14:58:55.003: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Apr 10 14:58:55.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Apr 10 14:59:36.727: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.111.1 (Tunnel0) is up: new adjacency



Branch-C(config)#interface tunnel 0
Branch-C(config-if)#tunnel source 192.168.25.1
Branch-C(config-if)#tunnel destination 192.168.12.1
Branch-C(config-if)#ip unnumbered loopback 0
Branch-C(config-if)#tunnel protection ipsec profile IPSEC-PROFILE
Branch-C(config-if)#exit

Branch-C(config)#router eigrp 100
Branch-C(config-router)#network 192.168.50.1
Branch-C(config-router)#network 192.168.155.1
Branch-C(config-router)#no auto-summary
Branch-C(config-router)#exit

*Apr 10 15:05:55.467: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.111.1 (Tunnel0) is up: new adjacency

Branch-D(config)#interface tunnel 0
Branch-D(config-if)#tunnel source 192.168.26.1
Branch-D(config-if)#tunnel destination 192.168.12.1
Branch-D(config-if)#ip unnumbered loopback 0
Branch-D(config-if)#tunnel protection ipsec profile IPSEC-PROFILE
Branch-D(config-if)#exit

Branch-D(config)#router eigrp 100
Branch-D(config-router)#network 192.168.60.1
Branch-D(config-router)#network 192.168.166.1
Branch-D(config-router)#no auto-summary
Branch-D(config-router)#exit

*Apr 10 15:02:26.987: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Apr 10 15:02:27.447: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Apr 10 15:02:31.799: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.111.1 (Tunnel0) is up: new adjacency



Branch-E(config)#interface tunnel 0
Branch-E(config-if)#tunnel source 192.168.27.1
Branch-E(config-if)#tunnel destination 192.168.12.1
Branch-E(config-if)#ip unnumbered loopback 0
Branch-E(config-if)#tunnel protection ipsec profile IPSEC-PROFILE
Branch-E(config-if)#exit

Branch-E(config)#router eigrp 100
Branch-E(config-router)#network 192.168.70.1
Branch-E(config-router)#network 192.168.177.1
Branch-E(config-router)#no auto-summary
Branch-E(config-router)#exit

*Apr 10 15:03:38.223: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Apr 10 15:03:38.635: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
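The hub and spoke configuration typed above, generated from a spoke table. This is an added example, not code from the original post or from Cisco. It assumes the names IKEV2-KEYRING, IKEV2-PROFILE and IPSEC-PROFILE used on this page, that Loopback0 and the WAN interfaces are already addressed, and, as the smart-defaults section describes, leaves the IKEv2 proposal, policy and transform set to their defaults. Two choices differ from the transcript and are the example's own: the identity matches use host masks (255.255.255.255) so each entry matches only the spoke listed rather than its whole /24, and the EIGRP network statements carry an explicit wildcard mask. The minimum pre-shared-key length is also just this example's assumption.

```python
"""Render the FlexVPN hub-and-spoke configuration above from a spoke table.

Added example, not code from the original post: it emits the same IKEv2
keyring, IKEv2 profile, IPsec profile, tunnel and EIGRP statements for any
number of spokes, after sanity-checking the inputs.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Spoke:
    name: str       # keyring peer name, e.g. "Branch-A"
    wan_ip: str     # spoke tunnel source = the address the hub sees as IKEv2 peer
    lan: str        # LAN prefix advertised into EIGRP, e.g. "192.168.30.0/24"
    loopback: str   # Loopback0 address/prefix used by "ip unnumbered", e.g. "192.168.133.1/24"


def validate(hub_wan_ip, spokes, psk):
    """Reject inputs that would yield a config that cannot work or is unsafe."""
    ipaddress.ip_address(hub_wan_ip)
    if len(psk) < 8:  # threshold is this example's own assumption, not a FlexVPN rule
        raise ValueError("pre-shared key shorter than 8 characters")
    names, wans = [s.name for s in spokes], [s.wan_ip for s in spokes]
    if len(set(names)) != len(names) or len(set(wans)) != len(wans):
        raise ValueError("spoke names and WAN addresses must be unique")
    for s in spokes:
        ipaddress.ip_address(s.wan_ip)
        ipaddress.ip_interface(s.loopback)
        ipaddress.ip_network(s.lan, strict=True)


def keyring(peers, psk):
    """crypto ikev2 keyring: one peer block per (name, address)."""
    lines = ["crypto ikev2 keyring IKEV2-KEYRING"]
    for name, ip in peers:
        lines += [f" peer {name}", f"  address {ip}",
                  f"  pre-shared-key local {psk}", f"  pre-shared-key remote {psk}"]
    return lines


def ikev2_profile(peer_ips, virtual_template=None):
    """crypto ikev2 profile with a host-mask identity match per peer."""
    lines = ["crypto ikev2 profile IKEV2-PROFILE"]
    # 255.255.255.255 matches exactly the peer listed, not its whole /24.
    lines += [f" match identity remote address {ip} 255.255.255.255" for ip in peer_ips]
    lines += [" authentication remote pre-share", " authentication local pre-share",
              " keyring local IKEV2-KEYRING"]
    if virtual_template is not None:
        lines.append(f" virtual-template {virtual_template}")
    return lines


def ipsec_profile():
    """Bind the IKEv2 profile; the transform set comes from the smart default."""
    return ["crypto ipsec profile IPSEC-PROFILE", " set ikev2-profile IKEV2-PROFILE"]


def eigrp(asn, prefixes):
    """router eigrp with explicit wildcard masks instead of classful networks."""
    lines = [f"router eigrp {asn}"]
    for p in prefixes:
        n = ipaddress.ip_network(p, strict=False)
        lines.append(f" network {n.network_address} {n.hostmask}")
    return lines + [" no auto-summary"]


def hub_config(hub_wan_ip, hub_lan, hub_loopback, spokes, psk, asn=100):
    """Hub: a keyring entry for every spoke, profile tied to a virtual-template."""
    validate(hub_wan_ip, spokes, psk)
    cfg = keyring([(s.name, s.wan_ip) for s in spokes], psk)
    cfg += ikev2_profile([s.wan_ip for s in spokes], virtual_template=1)
    cfg += ipsec_profile()
    cfg += ["interface Virtual-Template1 type tunnel", " ip unnumbered Loopback0",
            f" tunnel source {hub_wan_ip}", " tunnel destination dynamic",
            " tunnel protection ipsec profile IPSEC-PROFILE"]
    return cfg + eigrp(asn, [hub_lan, hub_loopback])


def spoke_config(spoke, hub_wan_ip, psk, asn=100):
    """Spoke: a single keyring peer and a static Tunnel0 towards the hub."""
    validate(hub_wan_ip, [spoke], psk)
    cfg = keyring([("Head-office", hub_wan_ip)], psk)
    cfg += ikev2_profile([hub_wan_ip])
    cfg += ipsec_profile()
    cfg += ["interface Tunnel0", " ip unnumbered Loopback0",
            f" tunnel source {spoke.wan_ip}", f" tunnel destination {hub_wan_ip}",
            " tunnel protection ipsec profile IPSEC-PROFILE"]
    return cfg + eigrp(asn, [spoke.lan, spoke.loopback])


# Spoke table taken from the topology above.
SPOKES = [
    Spoke("Branch-A", "192.168.23.1", "192.168.30.0/24", "192.168.133.1/24"),
    Spoke("Branch-B", "192.168.24.1", "192.168.40.0/24", "192.168.144.1/24"),
    Spoke("Branch-C", "192.168.25.1", "192.168.50.0/24", "192.168.155.1/24"),
    Spoke("Branch-D", "192.168.26.1", "192.168.60.0/24", "192.168.166.1/24"),
    Spoke("Branch-E", "192.168.27.1", "192.168.70.0/24", "192.168.177.1/24"),
]

if __name__ == "__main__":
    print("\n".join(hub_config("192.168.12.1", "192.168.10.0/24", "192.168.111.1/24", SPOKES, "INTERNET")))
    print("!")
    print("\n".join(spoke_config(SPOKES[0], "192.168.12.1", "INTERNET")))
```

Running the script prints the hub configuration followed by Branch-A's; adding a sixth spoke is one more row in SPOKES, and the validation refuses duplicate peer addresses, which would otherwise make two keyring entries compete for the same IKEv2 peer.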



Head-office#traceroute 192.168.70.1
Type escape sequence to abort.
Tracing the route to 192.168.70.1
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.177.1 120 msec 68 msec 68 msec

Head-office#traceroute 192.168.60.1
Type escape sequence to abort.
Tracing the route to 192.168.60.1
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.166.1 64 msec 72 msec 64 msec

Head-office#traceroute 192.168.40.1
Type escape sequence to abort.
Tracing the route to 192.168.40.1
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.144.1 56 msec 68 msec 56 msec

Head-office#traceroute 192.168.30.1
Type escape sequence to abort.
Tracing the route to 192.168.30.1
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.133.1 80 msec 64 msec 56 msec

 


Head-office#show crypto ipsec sa
interface: Virtual-Access1
    Crypto map tag: Virtual-Access1-head-0, local addr 192.168.12.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.12.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.168.23.1/255.255.255.255/47/0)
   current_peer 192.168.23.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 981, #pkts encrypt: 981, #pkts digest: 981
    #pkts decaps: 979, #pkts decrypt: 979, #pkts verify: 979

    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 192.168.12.1, remote crypto endpt.: 192.168.23.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial3/0
     current outbound spi: 0xC7D9A838(3352930360)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x91CBD49D(2446054557)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 12, flow_id: 12, sibling_flags 80000000, crypto map: Virtual-Access1-head-0
        sa timing: remaining key lifetime (k/sec): (4224607/2559)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xC7D9A838(3352930360)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 11, flow_id: 11, sibling_flags 80000000, crypto map: Virtual-Access1-head-0
        sa timing: remaining key lifetime (k/sec): (4224608/2559)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     outbound ah sas:
     outbound pcp sas:
interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr 192.168.12.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.12.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.168.24.1/255.255.255.255/47/0)
   current_peer 192.168.24.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 957, #pkts encrypt: 957, #pkts digest: 957
    #pkts decaps: 953, #pkts decrypt: 953, #pkts verify: 953

    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 192.168.12.1, remote crypto endpt.: 192.168.24.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial3/0
     current outbound spi: 0x2D7CE225(763159077)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x90E4AB46(2430905158)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 14, flow_id: 14, sibling_flags 80000000, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4328889/2658)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x2D7CE225(763159077)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 13, flow_id: 13, sibling_flags 80000000, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4328889/2658)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     outbound ah sas:
     outbound pcp sas:
interface: Virtual-Access3
    Crypto map tag: Virtual-Access3-head-0, local addr 192.168.12.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.12.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.168.26.1/255.255.255.255/47/0)
   current_peer 192.168.26.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 910, #pkts encrypt: 910, #pkts digest: 910
    #pkts decaps: 912, #pkts decrypt: 912, #pkts verify: 912

    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 192.168.12.1, remote crypto endpt.: 192.168.26.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial3/0
     current outbound spi: 0xC59185C3(3314648515)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x6584E4BE(1703208126)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 15, flow_id: 15, sibling_flags 80000000, crypto map: Virtual-Access3-head-0
        sa timing: remaining key lifetime (k/sec): (4330964/2932)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xC59185C3(3314648515)
Head-office#show crypto ikev2 stats
--------------------------------------------------------------------------------
                          Crypto IKEv2 SA Statistics
--------------------------------------------------------------------------------
System Resource Limit:   0        Max IKEv2 SAs: 0        Max in nego: 40
Total IKEv2 SA Count:    5        active:        5        negotiating: 0
Incoming IKEv2 Requests: 5        accepted:      5        rejected:    0
Outgoing IKEv2 Requests: 0        accepted:      0        rejected:    0
Rejected IKEv2 Requests: 0        rsrc low:      0        SA limit:    0
IKEv2 packets dropped at dispatch: 0
Incoming IKEV2 Cookie Challenged Requests: 0
    accepted: 0        rejected: 0        rejected no cookie: 0
Head-office#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
Loopback0              192.168.111.1   YES NVRAM  up                    up
Virtual-Access1        192.168.111.1   YES unset  up                    up
Virtual-Access2        192.168.111.1   YES unset  up                    up
Virtual-Access3        192.168.111.1   YES unset  up                    up
Virtual-Access4        192.168.111.1   YES unset  up                    up
Virtual-Access5        192.168.111.1   YES unset  up                    up
Virtual-Template1      192.168.111.1   YES unset  up                    down

Head-office#show interface virtual-access 1
Virtual-Access1 is up, line protocol is up
  Hardware is Virtual Access interface
  Interface is unnumbered. Using address of Loopback0 (192.168.111.1)
  MTU 17874 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL
  Tunnel vaccess, cloned from Virtual-Template1
  Vaccess status 0x0, loopback not set
  Keepalive not set
  Tunnel source 192.168.12.1, destination 192.168.23.1
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255, Fast tunneling enabled
  Tunnel transport MTU 1434 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "IPSEC-PROFILE")
  Last input 00:00:03, output never, output hang never
  Last clearing of "show interface" counters 01:17:48
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     1029 packets input, 86718 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     1031 packets output, 86614 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
Head-office#show crypto ikev2 sa
 IPv4 Crypto IKEv2  SA
Tunnel-id Local                 Remote                fvrf/ivrf            Status
4         192.168.12.1/500      192.168.27.1/500      none/none            READY
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/4043 sec
Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         192.168.12.1/500      192.168.24.1/500      none/none            READY
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/4327 sec
Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         192.168.12.1/500      192.168.23.1/500      none/none            READY
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/4421 sec
Tunnel-id Local                 Remote                fvrf/ivrf            Status
3         192.168.12.1/500      192.168.26.1/500      none/none            READY
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/4115 sec
Tunnel-id Local                 Remote                fvrf/ivrf            Status
5         192.168.12.1/500      192.168.25.1/500      none/none            READY
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/3908 sec
 IPv6 Crypto IKEv2  SA
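The `show crypto ikev2 sa` output above is what an operator checks after bringing up the hub; the following Python script (an added example, not part of the original article) parses that output format into per-tunnel records and flags any SA that is not READY or that negotiated a Diffie-Hellman group below 14. The sample text is constructed in the same format as the page's output, with one tunnel deliberately altered to show a finding.

```python
import re
from typing import Dict, List

# Constructed sample in the format of "show crypto ikev2 sa" on a FlexVPN hub.
# Tunnel 2 is altered to be still negotiating with a stronger DH group.
SAMPLE_IKEV2_SA = """\
 IPv4 Crypto IKEv2  SA
Tunnel-id Local                 Remote                fvrf/ivrf            Status
4         192.168.12.1/500      192.168.27.1/500      none/none            READY
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/4043 sec
Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         192.168.12.1/500      192.168.24.1/500      none/none            IN-NEG
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/4327 sec
 IPv6 Crypto IKEv2  SA
"""

# Data row: tunnel-id, local, remote, fvrf/ivrf, status (header rows start with a word)
SA_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
# Crypto detail row that follows each data row
ENCR_RE = re.compile(
    r"Encr:\s*(\S+), keysize:\s*(\d+), Hash:\s*(\S+), DH Grp:\s*(\d+), "
    r"Auth sign:\s*(\S+), Auth verify:\s*(\S+)"
)

def parse_ikev2_sa(text: str) -> List[Dict]:
    """Return one dict per IKEv2 SA found in the command output."""
    sas: List[Dict] = []
    for line in text.splitlines():
        m = SA_RE.match(line)
        if m:
            sas.append({"tunnel_id": int(m.group(1)), "local": m.group(2),
                        "remote": m.group(3), "vrf": m.group(4), "status": m.group(5)})
            continue
        m = ENCR_RE.search(line)
        if m and sas:  # detail line belongs to the most recent data row
            sas[-1].update({"encr": m.group(1), "keysize": int(m.group(2)),
                            "hash": m.group(3), "dh_group": int(m.group(4)),
                            "auth_sign": m.group(5), "auth_verify": m.group(6)})
    return sas

def audit_ikev2_sa(sas: List[Dict], min_dh_group: int = 14) -> List[str]:
    """Flag SAs that are not established or use a DH group below the threshold."""
    findings = []
    for sa in sas:
        peer = f"tunnel {sa['tunnel_id']} to {sa['remote']}"
        if sa["status"] != "READY":
            findings.append(f"{peer}: status {sa['status']}")
        if sa.get("dh_group", 0) < min_dh_group:
            findings.append(f"{peer}: DH group {sa.get('dh_group')} below {min_dh_group}")
    return findings
```

Run against the page's real output, every one of the five spokes would be reported for DH group 5, which is the smart-default proposal's weakest group and worth overriding with a custom IKEv2 proposal.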
Internetworks

Author & Editor

I am a CCIE Technical Instructor/Network consultant. I have experience ranging from operating and maintaining PCs and peripherals to network control programs for multi-faceted data communication networks in LAN, MAN, and WAN environments.