FlexVPN IKEv2 Basic Configuration
In this post, we demonstrate a basic FlexVPN IKEv2 configuration for a typical site-to-site IPsec deployment. The logical topology consists of a headquarters router (R1) and two branch routers (BR1 and BR3); each branch is connected to HQ by an IPsec tunnel built from an IKEv2 profile and a crypto map.
Router 1 (HQ) Configuration
Step 1: Define the IKEv2 Profile
crypto ikev2 profile REMOTE
An IKEv2 profile must contain:
- A local and remote authentication method.
- A match identity or certificate configuration.
Options for identity matching include:
match identity remote {address | any | email | fqdn | key-id}
This allows the remote peer to be matched by IP address, FQDN, email address, or key ID.
Step 2: Set Authentication
You can use:
- authentication {local | remote} {eap | ecdsa-sig | pre-share | rsa-sig}
- For EAP: supports GTC, MD5, MSCHAPv2.
- For pre-share: set shared keys explicitly.
Step 3: Optional Enhancements
Additional IKEv2 profile options:
- aaa – AAA server for auth.
- config-exchange – Enable config push/pull.
- description – Add profile description.
- dpd – Dead Peer Detection.
Advanced knobs:
- identity, initial-contact, ivrf, keyring, lifetime, nat, pki trustpoint, redirect-gateway-auth, shutdown, virtual-template.
Dead Peer Detection example:
crypto ikev2 dpd 10 3 on-demand
Step 4: Define Crypto ACLs
ip access-list extended HQB1
 permit ip 10.1.100.0 0.0.0.255 172.17.1.0 0.0.0.255
 permit ip 172.16.0.2 0.0.0.0 172.17.1.0 0.0.0.255
 permit ip 172.16.1.0 0.0.0.0 172.17.1.0 0.0.0.255
ip access-list extended HQB3
 permit ip 10.1.100.0 0.0.0.255 172.17.3.0 0.0.0.255
 permit ip 172.16.0.2 0.0.0.0 172.17.3.0 0.0.0.255
 permit ip 172.16.1.0 0.0.0.0 172.17.1.0 0.0.0.255
Step 5: Configure the Crypto Map
crypto map VPN 10 ipsec-isakmp
 set peer 2.2.2.2
 set ikev2-profile REMOTE
 match address HQB1
crypto map VPN 20 ipsec-isakmp
 set peer 4.4.4.4
 set ikev2-profile REMOTE
 match address HQB3
Attach to interface:
interface g3
 crypto map VPN
Branch Site B1 Configuration
IKEv2 Profile
crypto ikev2 profile HQ
 match identity remote address 0.0.0.0
 authentication local pre-share key cisco
 authentication remote pre-share key cisco
Crypto ACL
ip access-list extended B1HQ
 permit ip 172.17.1.0 0.0.0.255 172.16.0.2 0.0.0.0
 permit ip 172.17.1.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit ip 172.17.1.0 0.0.0.255 10.1.100.0 0.0.0.255
Crypto Map
crypto map VPN 10 ipsec-isakmp
 set peer 1.1.1.11
 match address B1HQ
 set ikev2-profile HQ
Attach to interface:
interface g2
 crypto map VPN
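The crypto ACLs on the two ends of a tunnel must be exact mirrors of each other, otherwise the IKEv2 child SA negotiation fails with TS_UNACCEPTABLE. As an added example (not code from the original post), the Python script below parses the HQB1 and B1HQ entries shown above into source/destination network pairs and reports every entry that has no reversed counterpart on the other side. It assumes contiguous wildcard masks and only "permit ip" entries.

```python
"""Mirror-check two Cisco IOS crypto ACLs (added example, not from the post).
Each 'permit ip' entry becomes a (src, dst) network pair; every pair on one
side must appear reversed on the other, or child SA negotiation fails.
Assumption: contiguous wildcard masks and 'permit ip' entries only."""
import ipaddress
import re

ACE_RE = re.compile(r"^\s*permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def wildcard_to_network(addr, wildcard):
    """IOS address/wildcard -> IPv4 network. A wildcard bit of 1 is a
    don't-care bit, so 0.0.0.0 gives /32 and 0.0.0.255 gives /24."""
    wc = int(ipaddress.IPv4Address(wildcard))
    ones = bin(wc).count("1")
    if wc != (1 << ones) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - ones}", strict=False)

def parse_acl(text):
    """Set of (src, dst) networks from the ACL's permit ip lines."""
    pairs = set()
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            pairs.add((wildcard_to_network(m.group(1), m.group(2)),
                       wildcard_to_network(m.group(3), m.group(4))))
    return pairs

def unmirrored(local_acl, remote_acl):
    """Local 'src -> dst' pairs that the remote ACL does not mirror."""
    remote = parse_acl(remote_acl)
    return sorted(f"{s} -> {d}" for s, d in parse_acl(local_acl)
                  if (d, s) not in remote)

# Constructed sample input: the HQB1 and B1HQ entries shown in this post.
HQB1 = """
 permit ip 10.1.100.0 0.0.0.255 172.17.1.0 0.0.0.255
 permit ip 172.16.0.2 0.0.0.0 172.17.1.0 0.0.0.255
 permit ip 172.16.1.0 0.0.0.0 172.17.1.0 0.0.0.255
"""
B1HQ = """
 permit ip 172.17.1.0 0.0.0.255 172.16.0.2 0.0.0.0
 permit ip 172.17.1.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit ip 172.17.1.0 0.0.0.255 10.1.100.0 0.0.0.255
"""

if __name__ == "__main__":
    for entry in unmirrored(HQB1, B1HQ):
        print("branch ACL has no mirror for", entry)
```

Run against the post's own entries, the script flags the 172.16.1.0 host entry on HQ (wildcard 0.0.0.0) against the /24 entry on the branch; run it in both directions before bringing a tunnel up.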
ASA Configuration Overview
IKEv2 Policy (priority is given by the policy number)
crypto ikev2 policy 10
 integrity sha512
 group 5
 encryption aes-256
 prf sha512
 lifetime seconds 86400
Enable IKEv2
crypto ikev2 enable outside
Tunnel Group Setup
tunnel-group 1.1.1.11 type ipsec-l2l
tunnel-group 1.1.1.11 ipsec-attributes
 ikev2 local-authentication pre-shared-key cisco
 ikev2 remote-authentication pre-shared-key cisco
ACL for Interesting Traffic
access-list B3HQ extended permit ip 172.17.3.0 255.255.255.0 172.16.0.2 255.255.255.0
access-list B3HQ extended permit ip 172.17.3.0 255.255.255.0 172.16.1.0 255.255.255.0
IPsec Proposal
crypto ipsec ikev2 ipsec-proposal AES_SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-1
Crypto Map Assembly
crypto map HQ 10 match address B3HQ
crypto map HQ 10 set peer 1.1.1.11
crypto map HQ 10 set ikev2 ipsec-proposal AES_SHA
Bind to interface:
crypto map HQ interface outside
FlexVPN IKEv2 Debugging and Verification
Once your FlexVPN IKEv2 tunnels are configured and active, verify and troubleshoot the connection to confirm that everything is working as expected. Cisco IOS provides a rich set of debug and show commands for this.
Debugging IKEv2 Negotiation
With debugging enabled on the router (e.g., debug crypto ikev2), you can observe the IKEv2 negotiation phases in real time. For instance, when a peer initiates a connection, you may see output like:
IKEv2: Using the Default Policy for Proposal
IKEv2: Found Policy 'default'
IKEv2: Generating IKE_SA_INIT message
This shows that when no explicit IKEv2 policy matches, the router falls back to the built-in default policy. The default proposal typically includes transforms such as:
- Encryption: AES-CBC
- Integrity: SHA512
- DH Group: 1536 MODP/Group 5
When multiple transform sets are available, the most secure one is selected automatically.
Verifying IKEv2 SAs
Use the show crypto ikev2 sa command to check active IKEv2 tunnels:
R1# show crypto ikev2 sa
You’ll see key attributes like:
- Local/Remote endpoints
- Encryption (AES-CBC 256-bit)
- Integrity (SHA512)
- DH Group (Group 5)
- Authentication method (PSK)
- SA lifetime and current active time
Verifying IPsec SAs
To inspect the IPsec tunnel status and stats, use:
show crypto ipsec sa
This output provides insight into:
- Tunnel endpoints and matched traffic selectors (ACLs)
- Packet encryption/decryption stats
- Transform sets used (e.g., aes-sha-hmac)
- Remaining key lifetime
- SPI values and crypto map association
Example:
local ident: 172.16.0.2/255.255.255.0
remote ident: 172.17.1.0/255.255.255.0
transform: aes-sha-hmac
crypto map: VPN
This confirms that traffic between the specified local and remote subnets is being tunneled and encrypted.
Detailed SA View with Dead Peer Detection (DPD)
For deeper insight, especially around Dead Peer Detection (DPD), run:
show crypto ikev2 sa detailed
In this output, you’ll find:
- Initiator/Responder roles
- Local and remote SPIs
- DPD configuration (e.g., DPD configured for 10 seconds, retry 3)
- NAT detection status
- Cisco TrustSec SGT support (if any)
- Fragmentation support and IKE message exchange statistics
This command is particularly useful for verifying that remote peers are still alive and that the negotiated settings are the ones you intended.
Wrap-Up
With FlexVPN and IKEv2, Cisco provides a highly customizable and secure framework for modern IPsec VPN deployments. By leveraging profiles, policies, and dynamic negotiation, FlexVPN simplifies configuration while enabling robust authentication and encryption standards.
Debugging tools and show commands are your best allies when it comes to validating tunnels, especially in production environments where reliability is critical. From policy negotiation to SA lifetimes and packet stats, these commands give you full visibility into your FlexVPN infrastructure.