###################
FlexVPN Video Notes
###################

Introduction
============

* IKEv2 & S2S = FlexVPN
* IKEv2 & RA = FlexVPN
* Can be used with legacy crypto maps and/or VTI
* IKEv2 improvements over IKEv1

  * 4-6 messages
  * Check peer existence via cookies
  * VoIP support
  * Uses Suite B cryptography

* IKEv2 steps

  * IKE_SA_INIT (2 messages)
  * IKE_AUTH + CREATE_CHILD_SA (2 messages)
  * IKE_CREATE_SECOND_CHILD_SA (optional, 2 messages)

Configuration
=============

FlexVPN Site-To-Site with Pre-Shared Key
----------------------------------------

Summary of Steps
^^^^^^^^^^^^^^^^

The following steps should be completed on each peer that needs to have a VPN tunnel established.

#. Define IKEv2 proposal
#. Define IKEv2 policy
#. Define PSK/keyring
#. Define IKEv2 profile
#. Define IPSec transform set
#. Override IPSec security association lifetime (optional)
#. Define interesting traffic
#. Map the profiles and policies to the VPN peer
#. Apply mapping to the appropriate interface

.. note:: If existing VPNs are in place, some of this configuration may already exist. Where possible, a consistently high-strength security policy should be used so that existing configuration can be reused.

Define the IKEv2 Proposal
^^^^^^^^^^^^^^^^^^^^^^^^^

::

    crypto ikev2 proposal
     encryption
     integrity
     group

Define the IKEv2 Policy
^^^^^^^^^^^^^^^^^^^^^^^

::

    crypto ikev2 policy
     proposal

Define the IKEv2 Keyring or PSK
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. rubric:: Using a Keyring

::

    crypto ikev2 keyring
     peer
      address
      pre-shared-key

.. rubric:: And for preshared key

::

    crypto ikev2 key
     address

.. todo:: Check if this is even valid?

Define the IKEv2 Profile
^^^^^^^^^^^^^^^^^^^^^^^^

::

    crypto ikev2 profile
     match identity remote address
     authentication local pre-share
     authentication remote pre-share
     keyring

Define the IPSec Transform Set
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

::

    crypto ipsec transform-set

Override the default IPSec SA lifetime (optional)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. note:: This can also be set for individual peers within the crypto map defined later.

::

    crypto ipsec security-association lifetime seconds

Define the traffic to be encrypted over the VPN tunnel
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

::

    access-list permit ip

Map the encryption settings to the appropriate VPN peer
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

::

    crypto map ipsec-isakmp
     set transform-set
     set peer
     match address
     set ikev2-profile

Apply the encryption mapping to the appropriate interface
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

::

    interface
     crypto map

FlexVPN S2S with RSA
--------------------

.. warning:: It is important that all devices have a consistent time, preferably via NTP. If not, authentication failures may occur because devices consider certificates either not yet valid or already expired.

Summary of Steps
^^^^^^^^^^^^^^^^

#. Define the trusted CA
#. Authenticate the CA
#. Enroll with the CA
#. Define IKEv2 profile with RSA authentication
#. Repeat all other steps as with PSK

Define the trusted CA
^^^^^^^^^^^^^^^^^^^^^

::

    crypto pki trustpoint
     enrollment url
     revocation-check none

Authenticate the CA
^^^^^^^^^^^^^^^^^^^

::

    crypto pki authenticate

Enroll the device with the new CA
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

::

    crypto pki enroll

Define the IKEv2 Profile
^^^^^^^^^^^^^^^^^^^^^^^^

::

    crypto ikev2 profile
     match identity remote address
     authentication local rsa-sig
     authentication remote rsa-sig
     pki trustpoint

Define the tunnel interface
^^^^^^^^^^^^^^^^^^^^^^^^^^^

::

    interface tunnel
     ip address
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile

FlexVPN Remote Access with PSK
------------------------------

Summary of Steps
^^^^^^^^^^^^^^^^

.. rubric:: Shared Configuration

#. Define the IKEv2 keyring (use a wildcard IP if clients have dynamic IPs)
#. Define the IKEv2 policy
#. Define the IPSec proposal
#. Define the split-tunnel ACL
#. Define the authorisation policy
#. Define the IKEv2 profile
#. Define the IPSec transform set
#. Override the default IPSec SA lifetime (optional)

.. rubric:: For Remote Access Server

#. Define IP pool
#. Define virtual template

.. rubric:: For Remote Access Client

#. Define tunnel interface
#. Define IKEv2 client

Remote Access Server/Hub Configuration
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

::

    crypto ikev2 authorization policy
     pool
     route set access-list

::

    int virtual-template type tunnel
     ip unnumbered
     tunnel source
     tunnel protection ipsec profile

::

    crypto ikev2 profile
     virtual-template
     aaa authorization group psk
     aaa authorization group psk list default
     pki trustpoint

Remote Access Client Steps
^^^^^^^^^^^^^^^^^^^^^^^^^^

::

    crypto ikev2 keyring
     peer
      address
      pre-shared-key

::

    interface tunnel
     tunnel source
     tunnel destination
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile

::

    crypto ikev2 client flexvpn
     client connect tunnel
     peer

FlexVPN Remote Access with RSA
------------------------------

.. rubric:: On Both Hub and Remote Clients

#. Set up the trusted CA
#. Authenticate the CA
#. Enroll with the CA
#. Define the IKEv2 authorization policy
#. Complete remaining steps as per the basic setup

.. rubric:: On Hub

#. Define the remote client connection template

.. rubric:: On Remote Clients

#. Define the VPN tunnel interface
#. Define how to connect to the hub

FlexVPN Site-To-Site with IPv6 and PSK
--------------------------------------

Setup is practically the same as with IPv4, with the following changes:

#. Use ``ipv6 address`` for interface addressing
#. All peer addressing should use IPv6 addresses (if used on the public network)
#. Tunnel mode should be specified as ``ipsec ipv6``

.. todo:: Is it possible to do an IPv4 public IP but then do IPv6 private subnets?
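
The site-to-site PSK procedure above, fully populated for one peer, as an added worked example rather than configuration taken from these notes. Every name (PROP-S2S, POL-S2S, KR-S2S, PROF-S2S, TS-S2S, ACL-VPN-TRAFFIC, CM-S2S), the documentation-range addresses (192.0.2.1 and 198.51.100.1 as public IPs, 10.1.0.0/24 and 10.2.0.0/24 as the protected LANs) and the IOS 15.x ``keyring local`` syntax are assumptions; the pre-shared key is a placeholder to replace.

```text
! Added example (not from the notes). Peer A: public 192.0.2.1, LAN 10.1.0.0/24.
! Peer B (public 198.51.100.1, LAN 10.2.0.0/24) mirrors this with the addresses swapped.
! Step 1: a single high-strength proposal so both peers reuse the same policy
crypto ikev2 proposal PROP-S2S
 encryption aes-cbc-256
 integrity sha256
 group 19
! Step 2: policy that offers the proposal
crypto ikev2 policy POL-S2S
 proposal PROP-S2S
! Step 3: keyring bound to the one remote peer (placeholder PSK, assumed name)
crypto ikev2 keyring KR-S2S
 peer PEER-B
  address 198.51.100.1
  pre-shared-key REPLACE-WITH-STRONG-PSK
! Step 4: profile that matches the peer by address and authenticates with PSK
crypto ikev2 profile PROF-S2S
 match identity remote address 198.51.100.1 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-S2S
! Step 5: transform set matching the proposal strength
crypto ipsec transform-set TS-S2S esp-aes 256 esp-sha256-hmac
 mode tunnel
! Step 6 (optional): shorter IPsec SA lifetime than the 3600 second default
crypto ipsec security-association lifetime seconds 1800
! Step 7: interesting traffic, LAN A to LAN B only
ip access-list extended ACL-VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
! Step 8: crypto map tying peer, transform set, ACL and IKEv2 profile together
crypto map CM-S2S 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-S2S
 set ikev2-profile PROF-S2S
 match address ACL-VPN-TRAFFIC
! Step 9: apply the map on the outside interface
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.248
 crypto map CM-S2S
```

After both peers are configured, ``show crypto ikev2 sa`` and ``show crypto ipsec sa`` confirm the IKE SA and the child SA for the two LAN prefixes.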
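
The Remote Access with PSK hub and client, populated end to end as an added example (not the notes' own configuration). Assumed: the hub's public address 192.0.2.1, the 10.10.10.0/24 client pool, the 10.1.0.0/24 split-tunnel network, all object names, and that the IOS IKEv2 smart defaults supply the proposal, policy and IPsec transform set on both sides; the PSK is a placeholder to replace.

```text
! --- Hub (added example; public 192.0.2.1, protected LAN 10.1.0.0/24) ---
aaa new-model
aaa authorization network FLEX-LOCAL local
ip local pool POOL-RA 10.10.10.1 10.10.10.254
! Split-tunnel ACL: only this prefix is pushed to clients as a route
ip access-list standard ACL-SPLIT
 permit 10.1.0.0 0.0.0.255
crypto ikev2 authorization policy AUTHZ-RA
 pool POOL-RA
 route set access-list ACL-SPLIT
! Wildcard keyring because clients have dynamic public IPs
crypto ikev2 keyring KR-RA
 peer ANY-CLIENT
  address 0.0.0.0 0.0.0.0
  pre-shared-key REPLACE-WITH-STRONG-PSK
crypto ikev2 profile PROF-RA
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-RA
 aaa authorization group psk list FLEX-LOCAL AUTHZ-RA
 virtual-template 1
crypto ipsec profile IPSEC-RA
 set ikev2-profile PROF-RA
! Each connecting client gets its own virtual-access interface cloned from this
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-RA
! --- Client (added example; dynamic public IP) ---
crypto ikev2 keyring KR-RA
 peer HUB
  address 192.0.2.1
  pre-shared-key REPLACE-WITH-STRONG-PSK
crypto ikev2 profile PROF-RA
 match identity remote address 192.0.2.1 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-RA
crypto ipsec profile IPSEC-RA
 set ikev2-profile PROF-RA
interface Tunnel0
 ip address negotiated
 tunnel source GigabitEthernet0/0
 tunnel destination dynamic
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-RA
crypto ikev2 client flexvpn FLEX-CLIENT
 peer 1 192.0.2.1
 client connect Tunnel0
```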