- FlexVPN L2L with Pre-Shared Key
- FlexVPN L2L with Digital Certificates
- FlexVPN L2L with Next Generation Encryption (NGE)
- FlexVPN with Dynamic IP Assignment, Configuration Payload & Exchange
- FlexVPN with Dynamic Virtual Tunnel Interfaces (DVTIs) and External PSK via ISE
- FlexVPN Spoke-to-Spoke Deployment Using NHRP and IKEv2
- FlexVPN with Router Clients and Certificates
- FlexVPN with Router Clients and EAP Authentication via Cisco ISE
- FlexVPN Client with Enabled Manual Connect Mode
- FlexVPN Client Deployments & Routing
- FlexVPN Clients with Redundant Internet Connection
- FlexVPN & Leveraging Configuration Exchange for Dynamic Client Provisioning
- FlexVPN Server for AnyConnect Clients Using Certificate and EAP Authentication
- FlexVPN with AnyConnect Using Certificates: Advanced Configuration
- FlexVPN with Windows IKEv2 Clients: RSA-Based Configuration
- FlexVPN with Local and External Authorization
- FlexVPN with FVRF and IVRF for Advanced Isolation and Control
- FlexVPN Dual Hub, Dual Cloud, and Spoke-to-Spoke Redundancy
- FlexVPN Redundancy with Dual Hub Single Cloud: High Availability and Spoke-to-Spoke Communication
- FlexVPN IKEv2 PSK Configuration with Default Profiles
- FlexVPN IPv4 Site-to-Site VPN with Pre-Shared Keys (PSK)
- FlexVPN Site-to-Site VPN with IOS Certificate Authority and RSA Signatures
- FlexVPN IPv4 Remote Access (RA) with Pre-Shared Keys (PSK)
- FlexVPN IPv4 Remote Access with PSK: Full Configuration for Server and Client Routers
- FlexVPN IPv4 Remote Access VPN with IOS CA and RSA-SIG Authentication
- FlexVPN IPv6 Remote Access (RA) VPN with Pre-Shared Keys (PSK)
- FlexVPN IPv6 Remote Access (RA) with IOS CA and RSA Authentication
- FlexVPN SVTI to DVTI
FlexVPN L2L with Pre-Shared Key
We’ll walk through configuring a Cisco FlexVPN setup for a LAN-to-LAN topology using pre-shared keys (PSK) for authentication. This scenario connects a headquarters router (R1) to two branch routers (BR1 and BR2) using secure IPSec tunnels. The configuration will involve IKEv2 keyrings, profiles, transform sets, IPSec profiles, and tunnel interfaces.
Topology Overview
The topology includes:
- R1 (HQ): Dual tunnel interfaces connecting to each branch.
- BR1 and BR2: Each have a single tunnel to HQ.
- IPSec tunnels: Use IKEv2 with pre-shared key authentication.
- Addressing:
  - R1 ↔ BR1: 172.16.11.0/30
  - R1 ↔ BR2: 172.16.12.0/30
Configuration on R1 (Headquarters)
Step 1: Define the IKEv2 Keyring
crypto ikev2 keyring FLEXVPN_KEY
 peer BR1
  address 2.2.2.2
  pre-shared-key local hqcisco
  pre-shared-key remote br1cisco
  exit
 peer BR2
  address 3.3.3.3
  pre-shared-key local hqcisco
  pre-shared-key remote br2cisco
  exit
To verify:
show run | sec keyring
Step 2: Configure the IKEv2 Profile
crypto ikev2 profile default
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 description **** FLEXVPN TO BRANCHES ****
 keyring local FLEXVPN_KEY
 lifetime 86400
To verify:
show crypto ikev2 profile
Step 3: Configure Tunnel Interface to BR1
interface tunnel 1
 description **** TO BR1 ****
 ip address 172.16.11.1 255.255.255.252
 tunnel source g3
 tunnel destination 2.2.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default
Step 4: Configure Transform Set and IPSec Profile for BR2
crypto ipsec transform-set ESP_AES256_SHA512 esp-aes 256 esp-sha512
crypto ipsec profile FLEXVPN_IPSEC
 set transform-set ESP_AES256_SHA512
 set pfs group14
 set ikev2-profile default
To verify:
show crypto ipsec profile default
Step 5: Configure Tunnel Interface to BR2
interface tunnel 2
 description **** TO BR2 ****
 ip address 172.16.12.1 255.255.255.252
 tunnel source g3
 tunnel destination 3.3.3.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEXVPN_IPSEC
Configuration on BR1
Step 1: IKEv2 Default Profile
crypto ikev2 profile default
 description **** FLEXVPN TO HQ ****
 match identity remote address 1.1.1.11 255.255.255.255
 authentication local pre-share key br1cisco
 authentication remote pre-share key hqcisco
Step 2: Configure DPD (Dead Peer Detection)
crypto ikev2 dpd 10 2 on-demand
Step 3: Configure Tunnel Interface
interface tunnel 1
 description *** TO HQ ***
 ip address 172.16.11.2 255.255.255.252
 tunnel source g2
 tunnel destination 1.1.1.11
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default
To verify:
show crypto ikev2 sa [detailed]
show crypto ikev2 session
show crypto ipsec sa
Configuration on BR2
Unlike BR1, BR2 does not use smart defaults and requires full customization.
Step 1: Disable Default IKEv2 Policies
no crypto ikev2 policy default
no crypto ikev2 proposal default
Step 2: Define Custom IKEv2 Proposal
crypto ikev2 proposal FLEXVPN_IKEV2
 encryption aes-cbc-128
 integrity sha256
 group 5
 prf sha256
Step 3: Configure Custom IKEv2 Policy
crypto ikev2 policy FLEXVPN_IKEV2
 proposal FLEXVPN_IKEV2
Step 4: Configure Custom IKEv2 Profile
crypto ikev2 profile FLEXVPN_IKEV2
 description *** FLEXVPN TO HQ ***
 match identity remote address 1.1.1.11 255.255.255.255
 authentication local pre-share key br2cisco
 authentication remote pre-share key hqcisco
Step 5: Configure Dead Peer Detection
crypto ikev2 dpd 10 2 on-demand
Step 6: Configure IPSec Transform Set and Profile
crypto ipsec transform-set ESP_AES_SHA512 esp-aes 256 esp-sha512
crypto ipsec profile FLEXVPN_IPSEC
 set transform-set ESP_AES_SHA512
 set pfs group14
 set ikev2-profile FLEXVPN_IKEV2
To check what’s configured:
show run | sec ikev
Step 7: Configure Tunnel Interface
interface tunnel 1
 description *** TO HQ ***
 ip address 172.16.12.2 255.255.255.252
 tunnel source g2
 tunnel destination 1.1.1.11
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEXVPN_IPSEC
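The asymmetric keys in this lab are easy to wire up backwards, because the hub's keyring says local/remote from the hub's point of view while each branch profile says local/remote from the branch's. The following Python check, added here as an example and not part of the lab or any Cisco tool, parses the flattened hub keyring and branch profile lines exactly as they appear above and verifies that each branch's local key equals the hub's remote key for that peer and vice versa:

```python
"""Cross-check the asymmetric IKEv2 pre-shared keys of this lab: the hub keyring's
'pre-shared-key local' must equal the branch's 'authentication remote pre-share key',
and the keyring's 'remote' key must equal the branch's 'local' key.
Example code added for this page, not Cisco tooling; the config text is the page's
own, one flattened block per string as it appears above."""
import re

HUB_KEYRING = (
    "crypto ikev2 keyring FLEXVPN_KEY peer BR1 address 2.2.2.2 "
    "pre-shared-key local hqcisco pre-shared-key remote br1cisco exit "
    "peer BR2 address 3.3.3.3 pre-shared-key local hqcisco pre-shared-key remote br2cisco exit"
)

# Branch profiles keyed by the branch WAN address the hub's tunnel destination points at.
BRANCH_PROFILES = {
    "2.2.2.2": "crypto ikev2 profile default description **** FLEXVPN TO HQ **** "
               "match identity remote address 1.1.1.11 255.255.255.255 "
               "authentication local pre-share key br1cisco authentication remote pre-share key hqcisco",
    "3.3.3.3": "crypto ikev2 profile FLEXVPN_IKEV2 description *** FLEXVPN TO HQ *** "
               "match identity remote address 1.1.1.11 255.255.255.255 "
               "authentication local pre-share key br2cisco authentication remote pre-share key hqcisco",
}

PEER_RE = re.compile(r"peer (\S+) address (\S+) pre-shared-key local (\S+) pre-shared-key remote (\S+)")
BRANCH_RE = re.compile(r"authentication local pre-share key (\S+) authentication remote pre-share key (\S+)")


def parse_keyring(text):
    """Return {peer_address: (peer_name, hub_local_key, hub_remote_key)} from a flattened keyring."""
    return {addr: (name, local, remote) for name, addr, local, remote in PEER_RE.findall(text)}


def parse_branch_keys(text):
    """Return (branch_local_key, branch_remote_key), or None if the profile carries no PSK keys."""
    m = BRANCH_RE.search(text)
    return m.groups() if m else None


def check_psk_pairs(hub_keyring, branch_profiles):
    """Return human-readable mismatches; an empty list means every key pair lines up."""
    peers = parse_keyring(hub_keyring)
    findings = []
    for addr, profile in branch_profiles.items():
        if addr not in peers:
            findings.append(f"{addr}: hub keyring has no peer entry for this address")
            continue
        keys = parse_branch_keys(profile)
        if keys is None:
            findings.append(f"{addr}: branch profile does not carry pre-share keys")
            continue
        branch_local, branch_remote = keys
        peer_name, hub_local, hub_remote = peers[addr]
        # The branch signs with its local key; the hub verifies that with its remote key.
        if branch_local != hub_remote:
            findings.append(f"{peer_name} ({addr}): branch local key {branch_local!r} != hub remote key {hub_remote!r}")
        # The hub signs with its local key; the branch verifies that with its remote key.
        if branch_remote != hub_local:
            findings.append(f"{peer_name} ({addr}): branch remote key {branch_remote!r} != hub local key {hub_local!r}")
    return findings


if __name__ == "__main__":
    for line in check_psk_pairs(HUB_KEYRING, BRANCH_PROFILES) or ["all PSK pairs consistent"]:
        print(line)
```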
Summary
This FlexVPN L2L configuration demonstrates a hybrid approach:
- HQ (R1) uses a centralized keyring and default IKEv2/IPSec profiles.
- BR1 relies on default profiles and lightweight configuration.
- BR2 uses customized proposals and policies for more granular control.
This method provides flexibility for mixed deployment models, which is useful when dealing with different capabilities or compliance needs at branch locations.
FlexVPN L2L with Digital Certificates
We will explore how to deploy Cisco FlexVPN for a LAN-to-LAN topology using digital certificates for secure IKEv2 authentication. Compared to pre-shared key methods, certificates provide better scalability, identity management, and security. This deployment connects a central router (R1) to two branch routers (BR1 and BR2) using IPSec tunnels secured with certificates issued from a local CA (Certificate Authority).
Configuration on R1 (Headquarters)
We start by establishing PKI trust on R1. First, configure a crypto trustpoint that defines how R1 will communicate with the CA:
crypto pki trustpoint IOS-CA
 enrollment url http://1.1.1.1
 subject-name cn=r1.cciesecurity.com
 revocation-check none
Next, authenticate the trustpoint:
crypto pki authenticate IOS-CA
You can verify successful authentication using:
show crypto pki cert IOS-CA
After that, enroll the router to obtain a certificate:
crypto pki enroll IOS-CA
Verify certificate installation with:
show crypto pki certificate
Now configure the IKEv2 profile to use RSA signatures for authentication:
crypto ikev2 profile default
 description **** FLEXVPN TO BRANCHES ****
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint IOS-CA
 match identity remote address 0.0.0.0
 lifetime 86400
Enable Dead Peer Detection (DPD) for faster failover:
crypto ikev2 dpd 10 2 on-demand
Configure the first tunnel interface connecting to BR1:
interface tunnel 1
 description **** TO BR1 ****
 ip address 172.16.11.1 255.255.255.252
 tunnel source g2
 tunnel destination 2.2.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default
For BR2, define a custom IPSec transform set and profile:
crypto ipsec transform-set ESP_AES256_SHA512 esp-aes 256 esp-sha512
crypto ipsec profile FLEXVPN_IPSEC
 set transform-set ESP_AES256_SHA512
 set pfs group14
 set ikev2-profile default
Then configure the tunnel interface to BR2:
interface tunnel 2
 description **** TO BR2 ****
 ip address 172.16.12.1 255.255.255.252
 tunnel source g2
 tunnel destination 3.3.3.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEXVPN_IPSEC
Finally, configure dynamic routing using EIGRP:
router eigrp 100
 no auto-summary
 network 172.16.11.0 0.0.0.3
 network 172.16.12.0 0.0.0.3
Configuration on BR1
Begin by setting up PKI:
crypto pki trustpoint IOS-CA
 enrollment url http://2.2.2.1
 subject-name cn=br1.cciesecurity.com
 revocation-check none
Authenticate and enroll:
crypto pki authenticate IOS-CA
crypto pki enroll IOS-CA
Verify using:
show crypto pki cert IOS-CA
show crypto pki certificate
Configure the IKEv2 profile for RSA signature authentication:
crypto ikev2 profile default
 match identity remote address 1.1.1.11
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint IOS-CA
Enable DPD:
crypto ikev2 dpd 10 2 on-demand
Configure the tunnel to HQ:
interface tunnel 1
 description **** TO HQ ****
 ip address 172.16.11.2 255.255.255.252
 tunnel source g1
 tunnel destination 1.1.1.11
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default
EIGRP configuration:
router eigrp 100
 no auto-summary
 network 172.16.11.0 0.0.0.3
Configuration on BR2
Create the trustpoint and enroll with the CA:
crypto pki trustpoint IOS-CA
 enrollment url http://3.3.3.1
 fqdn br2.cciesecurity.com
 subject-name cn=br2.cciesecurity.com
 revocation-check none
Authenticate and enroll:
crypto pki authenticate IOS-CA
crypto pki enroll IOS-CA
Then configure the IKEv2 profile:
crypto ikev2 profile FLEXVPN_IKEV2
 match identity remote address 1.1.1.11 255.255.255.255
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint IOS-CA
Enable DPD:
crypto ikev2 dpd 10 2 on-demand
Since BR2 doesn’t use smart defaults, define a custom IKEv2 proposal:
crypto ikev2 proposal FLEXVPN_IKEV2
 encryption aes-cbc-128
 integrity sha256
 group 5
 prf sha256
Attach this proposal to an IKEv2 policy:
crypto ikev2 policy FLEXVPN_IKEV2
 proposal FLEXVPN_IKEV2
Now define the IPSec transform set and profile:
crypto ipsec transform-set ESP_AES_SHA512 esp-aes 256 esp-sha512
 mode tunnel
crypto ipsec profile FLEXVPN_IPSEC
 set transform-set ESP_AES_SHA512
 set pfs group14
 set ikev2-profile FLEXVPN_IKEV2
Configure the tunnel to HQ:
interface tunnel 1
 description *** TO HQ ***
 ip address 172.16.12.2 255.255.255.252
 tunnel source g1
 tunnel destination 1.1.1.11
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEXVPN_IPSEC
EIGRP routing for BR2:
router eigrp 100
 no auto-summary
 network 172.16.12.0 0.0.0.3
Summary
Using PKI for FlexVPN LAN-to-LAN deployments offers robust authentication and easier key management than PSKs. In this setup:
- R1 connects securely to BR1 and BR2 using certificate-based IKEv2.
- Each router authenticates with a local CA and exchanges certificates.
- BR1 uses default profiles, while BR2 leverages fully customized crypto policies for enhanced control.
This configuration provides a secure and scalable foundation for enterprise VPNs.
FlexVPN L2L with Next Generation Encryption (NGE)
As security standards evolve, organizations are adopting cryptographic methods that meet modern requirements like Suite B cryptography. Cisco FlexVPN, with its support for IKEv2 and modular configuration, makes it easy to deploy VPNs that use Next Generation Encryption (NGE), including elliptic curve certificates, AES encryption, and SHA-2 hashing. This lab guides you through configuring a FlexVPN L2L solution with full Suite B compliance across headquarters (HQ), branches, and even ASA firewalls.
1. What is Suite B and Why It Matters
Suite B, detailed in RFC 6379 and Cisco’s NGE documentation, specifies a set of cryptographic algorithms including:
- Elliptic Curve Digital Signature Algorithm (ECDSA)
- Elliptic Curve Diffie-Hellman (ECDH)
- AES (CBC and GCM modes)
- SHA-2 hashing (e.g., SHA-256)
Suite B provides high-assurance encryption suitable for both commercial and government networks. This configuration focuses on deploying ECDSA-based certificates and aligning IKEv2 and IPSec settings accordingly.
2. Certificate Preparation and Enrollment
To begin, ensure your routers use ECC-based certificates. Start by generating a 256-bit ECC key:
crypto key generate ec keysize 256 label vpn-ec-key
Then define a trustpoint using that key:
crypto pki trustpoint TRUSTPOINT_NAME
 enrollment terminal
 fqdn vpn.example.com
 subject-name cn=vpn.example.com
 revocation-check none
 eckeypair vpn-ec-key
Paste in the root CA certificate using:
crypto pki authenticate TRUSTPOINT_NAME
After authenticating, enroll the router and export the CSR:
crypto pki enroll TRUSTPOINT_NAME
Submit the CSR to your CA using an IPSec-compatible certificate template. Once signed, download the certificate in Base64, and import it:
crypto pki import TRUSTPOINT_NAME certificate
Verify the import with:
show crypto pki verbose TRUSTPOINT_NAME
3. Headend Router Configuration
Disable Defaults
To avoid unintended behavior, disable Cisco’s smart defaults:
no crypto ikev2 policy default
no crypto ikev2 proposal default
no crypto ipsec transform-set default
no crypto ipsec profile default
IKEv2 Configuration
Define a cryptographic proposal using Suite B algorithms:
crypto ikev2 proposal SUITE_B_AES128
 encryption aes-cbc-128
 integrity sha256
 group 19
 prf sha256
Attach it to an IKEv2 policy:
crypto ikev2 policy FLEXVPN_IKEV2
 proposal SUITE_B_AES128
Create a certificate map and link it to the IKEv2 profile:
crypto pki certificate map CERT_MAP 10
 subject-name co cciesecurity.com
crypto ikev2 profile FLEXVPN_IKEV2
 match certificate CERT_MAP
 identity local dn
 authentication local ecdsa-sig
 authentication remote ecdsa-sig
 pki trustpoint TRUSTPOINT_NAME
 virtual-template 1
IPSec Configuration
Define a transform-set and IPSec profile:
crypto ipsec transform-set SUITE_B_AES128 esp-gcm 128
 mode tunnel
crypto ipsec profile FLEXVPN_IPSEC
 set transform-set SUITE_B_AES128
 set pfs group19
 set ikev2-profile FLEXVPN_IKEV2
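A quick way to confirm that a proposal, transform set and IPSec profile really stay inside the Suite B algorithm sets this section targets is to lint the configuration text. The Python below is an example added here (not a Cisco tool); it encodes the RFC 6379 suites (IKEv2 AES-CBC-128/SHA-256/group 19 or AES-CBC-256/SHA-384/group 20, ESP AES-GCM-128/256, PFS on an ECDH group) and is run over this section's Suite B lines together with the group 5 and SHA-512-HMAC lines from the PSK lab earlier on this page, so it has something to flag:

```python
"""Lint flattened IOS crypto lines against the Suite B algorithm sets (RFC 6379).
Example code added for this page, not a Cisco tool. The sample config is the page's
own: this section's Suite B lines plus the group 5 proposal, esp-aes/esp-sha512
transform set and group14 PFS from the PSK lab, which are expected to fail."""
import re

IKE_ENCRYPTION = {"aes-cbc-128", "aes-cbc-256"}
IKE_INTEGRITY_PRF = {"sha256", "sha384"}
ECDH_GROUPS = {"19", "20"}          # NIST P-256 and P-384
PFS_GROUPS = {"group19", "group20"}

SAMPLE_CONFIG = """\
crypto ikev2 proposal SUITE_B_AES128 encryption aes-cbc-128 integrity sha256 group 19 prf sha256
crypto ikev2 proposal FLEXVPN_IKEV2 encryption aes-cbc-128 integrity sha256 group 5 prf sha256
crypto ipsec transform-set SUITE_B_AES128 esp-gcm 128 mode tunnel
crypto ipsec transform-set ESP_AES_SHA512 esp-aes 256 esp-sha512
crypto ipsec profile FLEXVPN_IPSEC set transform-set SUITE_B_AES128 set pfs group19 set ikev2-profile FLEXVPN_IKEV2
crypto ipsec profile LEGACY_IPSEC set transform-set ESP_AES_SHA512 set pfs group14 set ikev2-profile FLEXVPN_IKEV2
"""


def parse_ikev2_proposal(tokens):
    """Group the proposal's algorithm tokens under their keyword (encryption/integrity/group/prf)."""
    fields, current = {}, None
    for tok in tokens:
        if tok in ("encryption", "integrity", "group", "prf"):
            current = tok
            fields.setdefault(current, [])
        elif current is not None:
            fields[current].append(tok)
    return fields


def audit_ikev2_proposal(tokens):
    f = parse_ikev2_proposal(tokens)
    findings = [f"encryption {a} is not a Suite B IKE cipher" for a in f.get("encryption", []) if a not in IKE_ENCRYPTION]
    findings += [f"integrity {a} is not SHA-256/384" for a in f.get("integrity", []) if a not in IKE_INTEGRITY_PRF]
    findings += [f"prf {a} is not SHA-256/384" for a in f.get("prf", []) if a not in IKE_INTEGRITY_PRF]
    # One non-ECDH group in the list is enough for a peer to negotiate down to it, so every entry must be 19/20.
    findings += [f"group {g} is not a Suite B ECDH group (19 or 20)" for g in f.get("group", []) if g not in ECDH_GROUPS]
    return findings


def audit_transform_set(tokens):
    transforms = tokens[:tokens.index("mode")] if "mode" in tokens else tokens
    if not transforms or transforms[0] != "esp-gcm":
        return [f"ESP transform '{' '.join(transforms)}' is not AES-GCM; RFC 6379 ESP suites are AES-GCM/GMAC"]
    if len(transforms) > 1 and transforms[1] not in ("128", "256"):
        return [f"esp-gcm {transforms[1]} is not a Suite B key size (128 or 256)"]
    return []


def audit_ipsec_profile(line):
    m = re.search(r"\bset pfs (\S+)", line)
    if m and m.group(1) not in PFS_GROUPS:
        return [f"PFS {m.group(1)} is not an ECDH group (group19 or group20)"]
    return []


def audit_config(text):
    """Map 'kind NAME' -> list of findings for every IKEv2 proposal, transform set and IPSec profile."""
    report = {}
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:3] == ["crypto", "ikev2", "proposal"]:
            report[f"ikev2 proposal {tokens[3]}"] = audit_ikev2_proposal(tokens[4:])
        elif tokens[:3] == ["crypto", "ipsec", "transform-set"]:
            report[f"ipsec transform-set {tokens[3]}"] = audit_transform_set(tokens[4:])
        elif tokens[:3] == ["crypto", "ipsec", "profile"]:
            report[f"ipsec profile {tokens[3]}"] = audit_ipsec_profile(line)
    return report


if __name__ == "__main__":
    for item, findings in audit_config(SAMPLE_CONFIG).items():
        print(item, "->", findings or "Suite B OK")
```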
Tunnel Interfaces
For static L2L configurations:
interface tunnel1
 description *** TO BR1 ***
 ip address 172.16.11.1 255.255.255.252
 tunnel source g2
 tunnel destination 2.2.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEXVPN_IPSEC
interface tunnel2
 description *** TO BR2 ***
 ip address 172.16.12.1 255.255.255.252
 tunnel source g2
 tunnel destination 3.3.3.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEXVPN_IPSEC
For DVTI (Dynamic Virtual Tunnel Interface), configure:
interface loopback1
 ip address 172.16.255.1 255.255.255.0
interface virtual-template 1 type tunnel
 ip unnumbered loopback1
 tunnel source g2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEXVPN_IPSEC
If GRE is required for interoperability:
crypto ikev2 profile FLEXVPN_IKEV2
 virtual-template 1 mode auto
4. Branch Configuration (BR1/BR2)
Branches use similar IKEv2 and IPSec settings:
crypto pki certificate map CERT_MAP 10
 subject-name co cciesecurity.com
crypto ikev2 proposal SUITE_B_AES128
 encryption aes-cbc-128
 integrity sha256
 group 19
 prf sha256
crypto ikev2 policy FLEXVPN_IKEV2
 proposal SUITE_B_AES128
crypto ikev2 profile FLEXVPN_IKEV2
 match certificate CERT_MAP
 identity local dn
 authentication local ecdsa-sig
 authentication remote ecdsa-sig
 pki trustpoint TRUSTPOINT_NAME
crypto ipsec transform-set SUITE_B_AES128 esp-gcm 128
 mode tunnel
crypto ipsec profile FLEXVPN_IPSEC
 set transform-set SUITE_B_AES128
 set pfs group19
 set ikev2-profile FLEXVPN_IKEV2
Tunnel interfaces:
interface tunnel1
 description *** TO HQ ***
 ip address 172.16.255.2 255.255.255.0
 tunnel source g1
 tunnel destination 1.1.1.11
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEXVPN_IPSEC
Adjust IP for BR2 as needed.
Routing via EIGRP:
router eigrp 100
 no auto-summary
 network 172.16.255.0 0.0.0.255
5. ASA Firewall Integration
The ASA interoperates with the FlexVPN hub through an ECC-authenticated IKEv2 crypto map configuration. Start with key generation:
crypto key generate ecdsa label CA-SELF elliptic-curve 256
Create and authenticate a trustpoint:
crypto ca trustpoint CA-ROOT
 enrollment terminal
 fqdn br3.cciesecurity.com
 subject-name cn=br3.cciesecurity.com
 revocation-check none
 keypair CA-SELF
crypto ca authenticate CA-ROOT
crypto ca enroll CA-ROOT
crypto ca import CA-ROOT certificate
IKEv2 and IPSec setup:
crypto ikev2 policy 10
 encryption aes
 integrity sha256
 prf sha256
 group 19
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal GCM128
 protocol esp encryption aes-gcm
 protocol esp integrity null
Configure tunnel group and ACL:
tunnel-group 1.1.1.11 type ipsec-l2l
tunnel-group 1.1.1.11 ipsec-attributes
 peer-id-validate cert
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate CA-ROOT
access-list BR3HQ extended permit ip 172.17.3.0 255.255.255.0 172.16.0.0 255.255.0.0
And apply the crypto map:
crypto map VPN 10 match address BR3HQ
crypto map VPN 10 set peer 1.1.1.11
crypto map VPN 10 set trustpoint CA-ROOT
crypto map VPN 10 set pfs group19
crypto map VPN 10 set ikev2 ipsec-proposal GCM128
crypto map VPN interface outside
6. Monitoring and Debugging
Use the following commands to monitor tunnel states:
show crypto ikev2 sa
show crypto ipsec sa
show interface virtual-access
show vtemplate 1
This FlexVPN deployment with elliptic curve cryptography and Suite B encryption demonstrates a highly secure, scalable, and standards-aligned VPN configuration. Whether deploying L2L static tunnels or DVTI at the hub with dynamic spokes, this architecture supports modern use cases, compliance, and integration—even with legacy devices like ASA firewalls.
FlexVPN with Dynamic IP Assignment, Configuration Payload & Exchange
Traditional VPN configurations require pre-assigning IP addresses to tunnel interfaces, especially in Static Virtual Tunnel Interface (SVTI) deployments. However, Cisco FlexVPN with IKEv2 supports a far more scalable model: dynamic IP assignment via configuration payload exchange. This method simplifies deployment by letting the hub (headend) assign IPs to branch routers during IKEv2 negotiation.
In this lab, we’ll walk through configuring dynamic IP assignment using Suite B cryptography with ECDSA-based authentication, configuration payloads, and BGP or EIGRP routing.
1. Disable Smart Defaults on the Hub
Before configuring any cryptographic parameters, disable Cisco’s default policies and profiles to prevent unintended fallback behaviors:
no crypto ikev2 policy default
no crypto ikev2 proposal default
no crypto ipsec transform-set default
no crypto ipsec profile default
2. Define Cryptographic Parameters
IKEv2 Proposal (Suite B with ECC):
crypto ikev2 proposal SUITE_B_AES128
 encryption aes-cbc-128
 integrity sha256
 group 19
 prf sha256
Group 19 corresponds to the NIST P-256 elliptic curve.
IKEv2 Policy and Certificate Map:
crypto ikev2 policy FLEXVPN_IKEV2
 proposal SUITE_B_AES128
crypto pki certificate map CERT_MAP 10
 subject-name co cciesecurity.com
IKEv2 Profile:
crypto ikev2 profile FLEXVPN_IKEV2
 match certificate CERT_MAP
 identity local dn
 authentication local ecdsa-sig
 authentication remote ecdsa-sig
 pki trustpoint TRUSTPOINT_NAME
3. Configure IPSec Parameters
Transform Set and Profile:
crypto ipsec transform-set SUITE_B_AES128 esp-gcm 128
 mode tunnel
crypto ipsec profile FLEXVPN_IPSEC
 set transform-set SUITE_B_AES128
 set pfs group19
 set ikev2-profile FLEXVPN_IKEV2
4. Enable Configuration Exchange with AAA
Create an IP Pool:
ip local pool FLEXVPN_POOL 172.16.255.16 172.16.255.240
Set Up AAA for Authorization:
aaa new-model
aaa authorization network AUTHOR_LOCAL local
Define IKEv2 Authorization Policy:
crypto ikev2 authorization policy FLEXVPN_CONFIG
 pool FLEXVPN_POOL
 netmask 255.255.255.0
Attach Authorization Policy to the IKEv2 Profile:
crypto ikev2 profile FLEXVPN_IKEV2
 aaa authorization group cert list AUTHOR_LOCAL FLEXVPN_CONFIG
5. Configure the Hub’s Interfaces
Loopback Interface:
interface loopback1
 description **** FLEXVPN HUB IP ****
 ip address 172.16.255.1 255.255.255.0
Virtual Template:
interface virtual-template 1 type tunnel
 ip unnumbered loopback1
 tunnel source g2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEXVPN_IPSEC
Reference in IKEv2 Profile:
crypto ikev2 profile FLEXVPN_IKEV2
 virtual-template 1
6. Configure Routing at the Hub
Using BGP:
router bgp 100
 no auto-summary
 no synchronization
 neighbor REMOTE peer-group
 neighbor REMOTE fall-over
 neighbor REMOTE route-reflector-client
 neighbor REMOTE next-hop-self
 bgp listen range 172.16.255.0/24 peer-group REMOTE
 network 172.16.0.0 mask 255.255.0.0
This configuration allows the hub to dynamically peer with any remote branch that connects using an address from the 172.16.255.0/24 range.
7. Branch Configuration
Each branch requires similar crypto configurations:
crypto pki certificate map CERT_MAP 10
 subject-name co cciesecurity.com
crypto ikev2 proposal SUITE_B_AES128
 encryption aes-cbc-128
 integrity sha256
 group 19
 prf sha256
crypto ikev2 policy FLEXVPN_IKEV2
 proposal SUITE_B_AES128
crypto ikev2 profile FLEXVPN_IKEV2
 match certificate CERT_MAP
 identity local dn
 authentication local ecdsa-sig
 authentication remote ecdsa-sig
 pki trustpoint TRUSTPOINT_NAME
IPSec and Transform Set:
crypto ipsec transform-set SUITE_B_AES128 esp-gcm 128
 mode tunnel
crypto ipsec profile FLEXVPN_IPSEC
 set transform-set SUITE_B_AES128
 set pfs group19
 set ikev2-profile FLEXVPN_IKEV2
Tunnel Interface (No Static IP):
interface tunnel1
 description **** TO HQ ****
 ip address negotiated
 tunnel source g1
 tunnel destination 1.1.1.11
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEXVPN_IPSEC
Routing:
For BGP:
router bgp 100
 no auto-summary
 no synchronization
 network 172.17.0.0 mask 255.255.255.0
 network 172.17.1.0 mask 255.255.255.0
 neighbor 172.16.255.1 remote-as 100
 neighbor 172.16.255.1 fall-over
For EIGRP (alternative):
router eigrp 100
 no auto-summary
 network 172.16.255.0 0.0.0.255
8. Verification & Troubleshooting
Confirm IP Assignment:
After bouncing the tunnel interface on the branch, verify it has received an IP address from the pool:
show ip interface brief
You should see the tunnel interface with an address like 172.16.255.X.
IKEv2 Debug Output:
Enable debugging on the hub to inspect the IKEv2 payload:
debug crypto ikev2
Look for logs indicating configuration exchange, such as:
IKEv2:Using mlist AUTHOR_LOCAL and username FLEXVPN_CONFIG for group author request
IKEv2:Received valid config mode data
By enabling dynamic IP assignment through IKEv2 configuration payload exchange, FlexVPN becomes significantly easier to scale and manage. This approach eliminates the need for static tunnel IP configurations at branch routers and allows seamless integration with routing protocols like BGP and EIGRP. Combined with Suite B cryptographic standards and ECC authentication, you get a highly secure and flexible VPN architecture ideal for large enterprise or government networks.
FlexVPN with Dynamic Virtual Tunnel Interfaces (DVTIs) and External PSK via ISE
For organizations managing large-scale VPN deployments, centralizing pre-shared key (PSK) authentication using an external RADIUS server like Cisco Identity Services Engine (ISE) provides both security and scalability. This lab walks through configuring FlexVPN with dynamic virtual tunnel interfaces (DVTIs) on a headend router, using Cisco ISE to store and manage the PSKs centrally.
Why Use ISE for PSK Authentication?
Instead of storing PSKs locally on each headend, we configure ISE to act as a centralized repository and RADIUS server. When a remote site attempts to establish a VPN session, the headend retrieves the PSK from ISE based on identity data provided during IKEv2 negotiation. This prevents the need to duplicate key material across multiple headends and improves failover efficiency—both hubs can query ISE using the same policy structure.
Step 1: Headend Configuration
Define the RADIUS Server
radius server ISE
 address ipv4 10.1.100.27
 timeout 2
 key ISEc0ld
Enable AAA Authorization
aaa new-model
aaa authorization network AUTHOR_RADIUS group radius
Step 2: Set Up the Name Mangler
To authenticate using a specific portion of the Fully Qualified Domain Name (FQDN) as a RADIUS username, configure a name mangler:
crypto ikev2 name-mangler FLEXVPN_NAME fqdn hostname
This tells the headend to extract the hostname portion of the FQDN for identity mapping.
Step 3: Configure IKEv2 and IPSec
IKEv2 Proposal and Policy
crypto ikev2 proposal SUITE_B_AES128
 encryption aes-cbc-128
 integrity sha256
 group 19
 prf sha256
crypto ikev2 policy FLEXVPN_IKEV2
 proposal SUITE_B_AES128
IKEv2 Profile with RADIUS PSK Authorization
crypto ikev2 profile FLEXVPN_IKEV2
 match identity remote fqdn domain cciesecurity.com
 identity local fqdn r1.cciesecurity.com
 authentication local pre-share
 authentication remote pre-share
 keyring aaa AUTHOR_RADIUS name-mangler FLEXVPN_NAME
 aaa authorization user psk cached
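The profile and the name mangler from Step 2 work as a two-stage filter: the peer's asserted IKEv2 FQDN identity must first fall under cciesecurity.com for the profile to match at all, and only then is the hostname portion extracted and sent to ISE as the RADIUS username. The Python below models that flow as an added example (not IOS code); the fqdn/email mangler keywords are modelled on IOS, the matching rules are an assumption, and the user table is a constructed stand-in for the ISE users created in Step 9.

```python
"""Model of profile selection plus name mangling for the FlexVPN hub above:
'match identity remote fqdn domain cciesecurity.com' accepts the peer's asserted FQDN,
then name-mangler 'fqdn hostname' yields the username whose FLEXVPN_PSK attribute ISE
returns as Tunnel-Password. Example code added for this page, not IOS; mangler keywords
are modelled on IOS, matching rules are an assumption, ISE_USERS is constructed."""

# Constructed stand-in for the ISE internal users of Step 9 and their FLEXVPN_PSK attribute.
ISE_USERS = {"br1": "br1cisco", "br2": "br2cisco", "br3": "br3cisco"}


def identity_matches(identity_type, identity, match_type, match_value):
    """Model of 'match identity remote fqdn ...': 'fqdn domain X' accepts any FQDN under X,
    plain 'fqdn X' needs an exact match. Non-FQDN identity types never match these rules."""
    if identity_type != "fqdn":
        return False
    if match_type == "fqdn domain":
        return identity.lower().endswith("." + match_value.lower())
    return identity.lower() == match_value.lower()


def mangle(identity_type, identity, mangler):
    """Model of 'crypto ikev2 name-mangler': return the username the rule derives, or None
    when the mangler does not apply to this identity type."""
    kind, part = mangler.split()
    if kind != identity_type:
        return None
    if kind == "fqdn":
        host, _, domain = identity.partition(".")
        return {"hostname": host, "domain": domain, "all": identity}[part]
    if kind == "email":
        user, _, domain = identity.partition("@")
        return {"username": user, "domain": domain, "all": identity}[part]
    return None


def fetch_psk(identity_type, identity):
    """PSK the hub would obtain for a peer, or None when no profile matches or ISE has no such user.
    The identity is only what the peer asserted in IKE_AUTH; it is proven only when the peer's
    AUTH payload verifies under the returned key, so an unknown or mis-keyed peer still fails."""
    if not identity_matches(identity_type, identity, "fqdn domain", "cciesecurity.com"):
        return None
    username = mangle(identity_type, identity, "fqdn hostname")
    return ISE_USERS.get(username)


if __name__ == "__main__":
    for peer in ("br1.cciesecurity.com", "br9.cciesecurity.com", "br1.cciesecurity.com.example.net"):
        print(peer, "->", fetch_psk("fqdn", peer))
```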
Step 4: Configure IPSec
crypto ipsec transform-set SUITE_B_AES128 esp-gcm 128
 mode tunnel
crypto ipsec profile FLEXVPN_IPSEC
 set transform-set SUITE_B_AES128
 set pfs group19
 set ikev2-profile FLEXVPN_IKEV2
Step 5: Address Assignment and Authorization Policies
Create an IP Pool
ip local pool FLEXVPN_POOL 172.16.255.16 172.16.255.240
Define AAA Authorization for Configuration Exchange
aaa new-model
aaa authorization network AUTHOR_LOCAL local
Configure Authorization Policy for IKEv2
crypto ikev2 authorization policy FLEXVPN_CONFIG
 pool FLEXVPN_POOL
 netmask 255.255.255.0
crypto ikev2 profile FLEXVPN_IKEV2
 aaa authorization group psk list AUTHOR_LOCAL FLEXVPN_CONFIG
Step 6: Configure Virtual Template and Routing
Loopback and Virtual Template
interface loopback1
 description **** FLEXVPN HUB IP ****
 ip address 172.16.255.1 255.255.255.0
interface virtual-template 1 type tunnel
 ip unnumbered loopback1
 tunnel source g2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEXVPN_IPSEC
crypto ikev2 profile FLEXVPN_IKEV2
 virtual-template 1 mode auto
Routing
router eigrp 100
 no auto-summary
 network 172.16.255.0 0.0.0.255
Step 7: Branch Configuration (e.g., BR1 and BR2)
Each branch uses the same IKEv2 proposal and IPSec settings:
crypto ikev2 proposal SUITE_B_AES128
 encryption aes-cbc-128
 integrity sha256
 group 19
 prf sha256
crypto ikev2 policy FLEXVPN_IKEV2
 proposal SUITE_B_AES128
crypto ikev2 profile FLEXVPN_IKEV2
 match identity remote fqdn r1.cciesecurity.com
 identity local fqdn br1.cciesecurity.com
 authentication local pre-share key br1cisco
 authentication remote pre-share key br1cisco
IPSec and Routing
crypto ipsec transform-set SUITE_B_AES128 esp-gcm 128
 mode tunnel
crypto ipsec profile FLEXVPN_IPSEC
 set transform-set SUITE_B_AES128
 set pfs group19
 set ikev2-profile FLEXVPN_IKEV2
router eigrp 100
 no auto-summary
 network 172.16.255.0 0.0.0.255
Tunnel Interface
interface tunnel1
 description **** TO HQ ****
 ip address negotiated
 tunnel source g1
 tunnel destination 1.1.1.11
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEXVPN_IPSEC
Step 8: ASA Configuration for BR3
IKEv2 and IPSec Proposals
crypto ikev2 policy 10
 encryption aes
 integrity sha256
 prf sha256
 group 19
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal GCM128
 protocol esp encryption aes-gcm
 protocol esp integrity null
Identity and Tunnel Group
domain-name cciesecurity.com
crypto isakmp identity hostname
tunnel-group 1.1.1.11 type ipsec-l2l
tunnel-group 1.1.1.11 ipsec-attributes
 ikev2 remote-authentication pre-shared-key br3cisco
 ikev2 local-authentication pre-shared-key br3cisco
ACL and Crypto Map
access-list BR3HQ extended permit ip 172.17.3.0 255.255.255.0 172.16.0.0 255.255.0.0
crypto map VPN 10 match address BR3HQ
crypto map VPN 10 set peer 1.1.1.11
crypto map VPN 10 set pfs group19
crypto map VPN 10 set ikev2 ipsec-proposal GCM128
crypto map VPN interface outside
Step 9: ISE Configuration
Register HQ Router in ISE
Add the headend router as a network device with its IP address and RADIUS shared secret.
View Live Logs for Debugging
When authentication fails, logs should show the hostname extracted by the name mangler and whether the device exists in the identity store.
Create Network Access Users
Navigate to Identities and create users like br1, br2, and br3. Assign them to the FlexVPN-Routers identity group.
Add a Custom Attribute
Under User Custom Attributes, define an attribute like FLEXVPN_PSK. Assign this to each user with their corresponding password (e.g., br1cisco).
Create Authorization Profile
Create an authorization profile that maps the custom attribute:
Radius:Tunnel-Password = InternalUser:FLEXVPN_PSK
Configure Policy Set
Define a policy set named FlexVPN that:
- Matches on device type
- Allows RADIUS access
- Applies the correct authorization profile based on identity group
Using Cisco ISE as a centralized RADIUS server for PSK-based FlexVPN authentication enhances security, simplifies management, and supports redundancy. This architecture allows branches and ASAs to dynamically authenticate without local PSK configuration, with ISE acting as the single source of truth for credentials and authorization policies.
FlexVPN Spoke-to-Spoke Deployment Using NHRP and IKEv2
FlexVPN, Cisco’s unified VPN architecture based on IKEv2, supports scalable and dynamic topologies, including spoke-to-spoke designs. In this configuration, we leverage NHRP (Next Hop Resolution Protocol) to allow direct spoke-to-spoke tunnels while maintaining the integrity and security of IPSec.
NHRP and Spoke Communication
FlexVPN tightly integrates NHRP for address resolution and dynamic peer discovery. Unlike DMVPN, NHRP cannot be decoupled from IPSec in FlexVPN. This means that any FlexVPN deployment using NHRP must also include IPSec, with no exceptions.
Step-by-Step Configuration
1. Generate an ECC Key
Begin by creating an elliptic curve key that will later be used in your trustpoint and certificate:
crypto key generate ec keysize 256 label label-name
2. Create a Trustpoint and Import the CA Certificate
Define the trustpoint:
crypto pki trustpoint trustpoint-name
 enrollment terminal
 fqdn fqdn-name
 subject-name cn=name
 revocation-check none
 eckeypair label-name
Paste in your CA certificate:
crypto pki authenticate trustpoint-name
Once pasted, confirm the fingerprint and accept it. Then generate the certificate request:
crypto pki enroll trustpoint-name
Use a CA to issue the certificate (e.g., via Microsoft CA with the IPSec offline request template) and download the response in Base64 format.
Import it:
crypto pki import trustpoint-name certificate
Verify:
show crypto pki verbose trustpoint-name
3. Configure Headend Router for IKEv2 and IPSec
Disable Defaults
no crypto ikev2 policy default
no crypto ikev2 proposal default
no crypto ipsec transform-set default
no crypto ipsec profile default
IKEv2 Proposal and Policy
crypto ikev2 proposal SUITE_B_AES128
 encryption aes-cbc-128
 integrity sha256
 group 19
 prf sha256
crypto ikev2 policy FLEXVPN_IKEV2
 proposal SUITE_B_AES128
Certificate Map and IKEv2 Profile
crypto pki certificate map CERT_MAP 10
 subject-name co cciesecurity.com
crypto ikev2 profile FLEXVPN_IKEV2
 match certificate CERT_MAP
 identity local dn
 authentication local ecdsa-sig
 authentication remote ecdsa-sig
 pki trustpoint <trustpoint-name>
IPSec Transform Set and Profile
crypto ipsec transform-set SUITE_B_AES128 esp-gcm 128
 mode transport   ! Required for spoke-to-spoke
crypto ipsec profile FLEXVPN_IPSEC
 set transform-set SUITE_B_AES128
 set pfs group19
 set ikev2-profile FLEXVPN_IKEV2
4. Configure Tunnel Interfaces and Templates
Loopback for Virtual Template
interface loopback1
 description **** FLEXVPN HUB IP ****
 ip address 172.16.255.1 255.255.255.0
Virtual Template (Initial Raw IPSec Setup)
interface virtual-template 1 type tunnel
 ip unnumbered loopback 1
 tunnel source g2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEXVPN_IPSEC
Reference it in the profile:
crypto ikev2 profile FLEXVPN_IKEV2
 virtual-template 1
If GRE is Required (Spoke-to-Spoke Mode)
Update the profile:
crypto ikev2 profile FLEXVPN_IKEV2
 virtual-template 1 mode auto
Then, modify the virtual template:
interface virtual-template 1 type tunnel
 ip nhrp network-id 123
 ip nhrp redirect timeout 3
 tunnel mode gre ip
5. Configure Routing (BGP + EIGRP)
On the hub:
router bgp 100
 no auto-summary
 network 172.16.255.0 mask 255.255.0.0
router eigrp 100
 no auto-summary
 network 172.16.255.0 0.0.0.255
A BGP network statement is only advertised when a route with exactly that prefix and mask exists in the routing table; 172.16.255.0 with mask 255.255.0.0 describes 172.16.0.0/16, so the hub needs a matching aggregate (for example a static route to Null0), or the statement should name the hub loopback's /24. The hub also needs neighbor statements for the spokes (or a bgp listen range covering the tunnel subnet) before the spoke sessions can form; they are not shown here.
On the spokes:
router bgp 100
 bgp log-neighbor-changes
 network 172.17.0.1 mask 255.255.255.255
 network 172.17.1.0 mask 255.255.255.0
 neighbor 172.16.255.1 remote-as 100
 neighbor 172.16.255.1 fall-over
6. Spoke Tunnel Interfaces
BR1:
interface tunnel1
 description **** TO HQ ****
 ip address 172.16.255.2 255.255.255.0
 tunnel source g1
 tunnel mode gre ip
 tunnel destination 1.1.1.11
 tunnel protection ipsec profile FLEXVPN_IPSEC
 ip nhrp network-id 123
 ip nhrp redirect
 ip nhrp shortcut virtual-template 1
BR2:
interface tunnel1
 description **** TO HQ ****
 ip address 172.16.255.3 255.255.255.0
 tunnel source g1
 tunnel mode gre ip
 tunnel destination 1.1.1.11
 tunnel protection ipsec profile FLEXVPN_IPSEC
 ip nhrp network-id 123
 ip nhrp redirect
 ip nhrp shortcut virtual-template 1
Create a virtual template on the spokes as well:
interface virtual-template 1 type tunnel
 ip unnumbered lo0
 ip nhrp network-id 123
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 tunnel mode gre ip
 tunnel protection ipsec profile FLEXVPN_IPSEC
Reference it:
crypto ikev2 profile FLEXVPN_IKEV2
 virtual-template 1
7. Verification with Debug
To monitor NHRP activity:
debug nhrp packet
You should observe resolution requests, shortcut creations, and GRE encapsulated NHRP messages successfully exchanged.
This concludes the spoke-to-spoke FlexVPN configuration with GRE encapsulation and NHRP resolution. With this setup, you get a resilient, dynamic, and scalable VPN mesh that performs like a DMVPN, but on the stronger and more modern IKEv2 foundation that FlexVPN brings.
FlexVPN with Router Clients and Certificates
When designing a scalable and secure VPN architecture, FlexVPN stands out as a robust solution due to its flexibility and native IKEv2 support. One major advantage of using FlexVPN with router-based clients is its support for multiple source interfaces and destination IPs, enabling redundancy and failover tracking. This also allows more granular control over tunnel initiation, including options for auto-connect, manual connect, and conditional connections.
In this lab, we’ll walk through configuring FlexVPN using certificate-based authentication for both the headend and branch routers. We’ll also touch on leveraging Cisco ISE for RADIUS authentication and configuration exchange capabilities.
Key Advantages of FlexVPN with Certificates
- Multiple Interfaces & IP Redundancy: Enhanced resilience and peer tracking.
- Granular Connection Control: Triggered or policy-based initiation.
- Automated Configuration Exchange: the counterpart of EZVPN's mode configuration, but carried in IKEv2's native configuration payloads.
- External RADIUS Integration: ISE is used to authenticate and authorize client routers dynamically.
Step 1: Key and Trustpoint Setup
Begin by generating a key pair on the router:
crypto key generate ec keysize 256 label label-name
Next, define a trustpoint using that key:
crypto pki trustpoint trustpoint-name
 enrollment terminal
 fqdn fqdn-name
 subject-name cn=name
 revocation-check none
 eckeypair label-name
Now authenticate the trustpoint:
crypto pki authenticate trustpoint-name
Paste the Base64-encoded CA certificate into the terminal. The router displays the certificate's fingerprint and prompts you to accept it. Compare that fingerprint with one obtained out of band from the CA (its own console or a trusted record) before accepting; this prompt is the only point at which the router's trust anchor is verified.
Step 2: Enroll for a Certificate
Once the CA is authenticated, enroll for a certificate:
crypto pki enroll trustpoint-name
This displays a Certificate Signing Request (CSR). Copy it, and paste it into your CA web interface. Submit it using a Base64 format and select the IPSec offline certificate request template.
Download the signed certificate in Base64 format and open it in Notepad.
Step 3: Import the Certificate
On the router:
crypto pki import trustpoint-name certificate
Paste the certificate into the terminal and verify it:
show crypto pki certificates verbose trustpoint-name
Step 4: Headend Router Configuration
IKEv2 Crypto Proposal
crypto ikev2 proposal SUITE_B_AES128
 encryption aes-cbc-128
 integrity sha256
 group 19
 prf sha256
IKEv2 Policy
crypto ikev2 policy FLEXVPN_IKEV2
 proposal SUITE_B_AES128
Certificate Map
crypto pki certificate map CERT_MAP 10
 subject-name co cciesecurity.com
IKEv2 Profile
crypto ikev2 profile FLEXVPN_IKEV2
 match certificate CERT_MAP
 identity local dn
 authentication local ecdsa-sig
 authentication remote ecdsa-sig
 pki trustpoint trustpoint-name
IPSec Configuration
Transform Set
crypto ipsec transform-set SUITE_B_AES128 esp-gcm 128
 mode tunnel
IPSec Profile
crypto ipsec profile FLEXVPN_IPSEC
 set transform-set SUITE_B_AES128
 set pfs group19
 set ikev2-profile FLEXVPN_IKEV2
Cisco requires the IKEv2 profile to be attached to the IPsec profile on both the initiator and the responder, so the headend binds FLEXVPN_IKEV2 here exactly as the branch does.
Loopback & Tunnel Interface
interface loopback1
 description **** FLEXVPN HUB IP ****
 ip address 172.16.255.1 255.255.255.0
interface virtual-template 1 type tunnel
 ip unnumbered loopback1
 tunnel source g2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEXVPN_IPSEC
Assign the virtual template to the IKEv2 profile:
crypto ikev2 profile FLEXVPN_IKEV2
 virtual-template 1
To enable GRE/IPSec hybrid tunnels later:
crypto ikev2 profile FLEXVPN_IKEV2
 virtual-template 1 mode auto
Step 5: Branch Configuration
Repeat the certificate map creation:
crypto pki certificate map CERT_MAP 10
 subject-name co cciesecurity.com
IKEv2 configuration:
crypto ikev2 proposal SUITE_B_AES128
 encryption aes-cbc-128
 integrity sha256
 group 19
 prf sha256
crypto ikev2 policy FLEXVPN_IKEV2
 proposal SUITE_B_AES128
crypto ikev2 profile FLEXVPN_IKEV2
 match certificate CERT_MAP
 identity local dn
 authentication local ecdsa-sig
 authentication remote ecdsa-sig
 pki trustpoint trustpoint-name
IPSec transform and profile:
crypto ipsec transform-set SUITE_B_AES128 esp-gcm 128
 mode transport
crypto ipsec profile FLEXVPN_IPSEC
 set transform-set SUITE_B_AES128
 set pfs group19
 set ikev2-profile FLEXVPN_IKEV2
Client configuration:
crypto ikev2 client flexvpn FLEXVPN_CLIENT
 peer 10 1.1.1.11
 client connect tunnel 1
 client inside g2
 connect auto
Step 6: Routing and Tunnel Interface
Configure EIGRP:
router eigrp 100
 no auto-summary
 network 172.16.255.0 0.0.0.255
Tunnel on BR1:
interface tunnel1
 description **** TO HQ ****
 ip address 172.16.255.2 255.255.255.0
 tunnel source g1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEXVPN_IPSEC
 tunnel destination dynamic
Step 7: Verification
Check IKEv2 SAs:
show crypto ikev2 sa
Check client profile:
show crypto ikev2 client flexvpn
Check configuration:
show run | sec client
This completes a secure, scalable FlexVPN deployment using certificates and router-based clients. It’s a modern replacement for legacy EZVPN deployments with improved automation, flexibility, and standards compliance.
FlexVPN with Router Clients and EAP Authentication via Cisco ISE
Cisco FlexVPN offers powerful flexibility when paired with router-based clients, and when combined with EAP authentication backed by Cisco Identity Services Engine (ISE), it provides a scalable and centralized access control model.
We will walk through the setup of FlexVPN using EAP authentication, where the client uses a username/password for authentication and the server uses certificates. This design is ideal for environments where clients cannot store certificates securely, or where central identity services are preferred.
Key Concepts of FlexVPN with EAP
- EAP (Extensible Authentication Protocol) is not VPN-specific. It’s a general-purpose authentication framework that terminates on the authentication server (in this case, Cisco ISE), not the VPN gateway.
- EAP is server-driven, meaning only the server authenticates the client using credentials. The server itself still uses certificates for local identification.
- Suite B Compatibility Issues: some EAP clients do not negotiate the Suite B proposals used so far. When EAP is involved it is often simpler to fall back to the IKEv2 smart defaults (the built-in default proposal and policy), which are more broadly compatible.
Step 1: Cisco ISE Configuration
Before configuring the routers, prepare the authentication environment in Cisco ISE:
- Configure the hub as a Network Device: in ISE, go to Administration > Network Resources > Network Devices and add your headend router by IP, making sure the shared secret matches the one configured on the router.
- Create a User Identity Group: navigate to Identity Management > Groups and create a group named FLEX_CLIENT.
- Create a New User: under Identities > Users, create a user with:
  - Username: FLEXCLIENT
  - Password: cisco
  - Group: FLEX_CLIENT
- Create a Policy Set: under Policy > Policy Sets, create a new policy set for FlexVPN. Match users in the FLEX_CLIENT group and configure the Authentication/Authorization policies to permit VPN access.
Step 2: Headend Router Configuration
Define the RADIUS Server
radius server ISE
 address ipv4 10.1.100.27
 timeout 2
 key ISEc0ld
Configure AAA
aaa new-model
aaa authentication login AUTHEN_RADIUS group radius
aaa authorization network AUTHOR_LOCAL local
The login list is what IKEv2 uses for EAP authentication; the AUTHOR_LOCAL network authorization list is referenced by the IKEv2 profile below and must exist, otherwise the authorization policy is never applied.
Local IP Pool
ip local pool FLEXVPN_POOL 172.16.255.16 172.16.255.240
Certificate Map (still required even when using EAP)
crypto pki certificate map CERT_MAP 10 subject-name co cciesecurity.com
IKEv2 Authorization Policy
crypto ikev2 authorization policy FLEXVPN_CONFIG
 pool FLEXVPN_POOL
 netmask 255.255.255.0
IKEv2 Profile Configuration
crypto ikev2 profile FLEXVPN_IKEV2
 identity local dn
 match identity remote address 0.0.0.0
 authentication local ecdsa-sig
 authentication remote eap query-identity
 pki trustpoint trustpoint-name
 aaa authentication eap AUTHEN_RADIUS
 aaa authorization group eap list AUTHOR_LOCAL FLEXVPN_CONFIG
Note: If the config-exchange feature becomes disabled, you can re-enable it within the IKEv2 profile:
config-exchange set {accept | send}
Step 3: Configure IPsec and Tunnel Interfaces
Transform Set
crypto ipsec transform-set SUITE_B_AES128 esp-gcm 128
 mode tunnel
IPsec Profile
crypto ipsec profile FLEXVPN_IPSEC
 set transform-set SUITE_B_AES128
 set pfs group19
 set ikev2-profile FLEXVPN_IKEV2
Loopback and Tunnel Configuration
interface loopback1
 description **** FLEXVPN HUB IP ****
 ip address 172.16.255.1 255.255.255.0
interface virtual-template 1 type tunnel
 ip unnumbered loopback 1
 tunnel source g2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEXVPN_IPSEC
Reference the virtual template in the profile:
crypto ikev2 profile FLEXVPN_IKEV2
 virtual-template 1
For GRE/IPSec support:
crypto ikev2 profile FLEXVPN_IKEV2
 virtual-template 1 mode auto
Step 4: Branch Router Configuration
Certificate Map
crypto pki certificate map CERT_MAP 10
 subject-name co cciesecurity.com
IKEv2 Profile with EAP on the Client Side
crypto ikev2 profile FLEXVPN_IKEV2
 match certificate CERT_MAP
 authentication local eap md5 username FLEXCLIENT password cisco
 authentication remote ecdsa-sig
 pki trustpoint trustpoint-name
IPsec Transport Mode Setup
crypto ipsec transform-set SUITE_B_AES128 esp-gcm 128
 mode transport
crypto ipsec profile FLEXVPN_IPSEC
 set transform-set SUITE_B_AES128
 set pfs group19
 set ikev2-profile FLEXVPN_IKEV2
FlexVPN Client Definition
crypto ikev2 client flexvpn FLEXVPN_CLIENT
 peer 10 1.1.1.11
 client connect tunnel 1
 client inside g2
 connect auto
This tells the router that the peer address is 1.1.1.11, to use Tunnel1 as the connection interface, G2 as the inside interface, and to connect automatically without manual input.
Step 5: Routing and Tunnel Interface on Branch
EIGRP Routing
router eigrp 100
 no auto-summary
 network 172.16.255.0 0.0.0.255
Tunnel Interface
interface tunnel1
 description **** TO HQ ****
 ip address negotiated
 tunnel source g1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEXVPN_IPSEC
 tunnel destination dynamic
This dynamic destination allows the router to discover the peer from the FlexVPN client configuration.
This configuration completes a full FlexVPN deployment using EAP authentication via Cisco ISE, with the hub using certificates and the branch authenticating with credentials. This design suits enterprise environments that seek centralized AAA policies, flexible deployment, and robust cryptographic standards without requiring certificate management on every client.
FlexVPN Client with Enabled Manual Connect Mode
In certain deployments, automation may not be the ideal approach for VPN initiation. Whether for security, control, or troubleshooting purposes, FlexVPN clients can be configured to initiate connections manually. This setup is particularly useful when credentials should not be stored on the device or when an administrator needs to supervise the establishment of tunnels.
The below configuration assumes that the base FlexVPN configuration has already been completed, including IKEv2, IPsec profiles, and RADIUS or EAP authentication, as covered in earlier sections.
What Is Manual Connect Mode?
Manual connect mode disables the automatic establishment of the VPN tunnel. Instead, a user or administrator must explicitly initiate the tunnel from the command line, at which point they’ll be prompted for credentials, unless already stored.
This is controlled entirely on the client-side (spoke router). No changes are needed on the headend beyond what has already been configured for EAP-based authentication.
Step 1: Enable Manual Connect
On the spoke router, modify the client configuration to require manual initiation:
crypto ikev2 client flexvpn FLEXVPN_CLIENT
 connect manual
This command will stop any automatic tunnel establishment, effectively tearing down an existing tunnel session if active.
Step 2: Remove Stored Credentials (Optional)
If you don’t want the router to store credentials locally, you must ensure the IKEv2 profile does not include pre-configured credentials.
Update the IKEv2 profile to expect credentials to be entered at runtime:
crypto ikev2 profile FLEXVPN_IKEV2
 authentication local eap
This assumes the remote (headend) is still authenticating using EAP and certificates, while the local client will now prompt for login credentials during connection attempts.
Step 3: Initiate the Tunnel
To manually bring up the VPN tunnel, use:
crypto ikev2 client flexvpn FLEXVPN_CLIENT connect
You will then be prompted to enter credentials unless they’re already cached. To input credentials:
crypto eap credentials FLEXVPN_CLIENT
At this point, you’ll be prompted to provide the username and password for the FlexVPN user (e.g., FLEXCLIENT) that was previously configured on the ISE server.
Manual connect mode gives network administrators tighter control over when and how VPN tunnels are brought up. It’s particularly useful for:
- On-demand site-to-site connections
- Lab environments
- Secure deployments where credentials shouldn’t be stored
- Testing EAP login flows
Just remember that this method shifts operational responsibility to the user or admin initiating the tunnel, which may not be ideal for high-availability environments.
FlexVPN Client Deployments & Routing
Routing plays a critical role in the success of any VPN deployment. With Cisco FlexVPN, there are three primary ways to handle routing between hubs and spoke routers (clients):
- Manually configured static routes pointing to the tunnel interface.
- Dynamic routing protocols such as EIGRP or OSPF.
- Automatic static route exchange using IKEv2 config exchange mechanisms.
This lab focuses on method #3: using FlexVPN’s configuration exchange to automatically propagate static routes between the hub and spoke.
How Config Exchange Works
Configuration exchange allows the hub router to inform the spoke which internal networks it should route through the VPN tunnel, and vice versa. This is particularly useful when dynamic routing protocols are not an option due to policy or complexity.
Step 1: Configure Static Route Exchange on the Headend (Hub)
The first step is to define which internal subnets the headend will advertise to the client.
Create an Access List
This access list defines the HQ subnet:
ip access-list standard HQ_NET
 permit 172.16.0.0 0.0.255.255
Configure the IKEv2 Authorization Policy
Apply the route advertisement using the authorization policy:
crypto ikev2 authorization policy FLEXVPN_CONFIG
 route set access-list HQ_NET
 route set interface lo0
route set access-list HQ_NET sends the ACL's prefixes (172.16.0.0/16) to the client in the configuration payload; route set interface lo0 additionally sends the address of loopback 0 as a host route, so the client can always reach the hub's tunnel-side address. The client installs both as static routes pointing at its tunnel interface.
Step 2: Configure the Client to Accept Routes
On the spoke (client) router, you’ll need to configure AAA and mirror the authorization policy.
Set Up AAA
aaa new-model
aaa authorization network AUTHOR_LOCAL local
Configure IKEv2 Authorization Policy
This prepares the spoke to send local routes back to the headend:
crypto ikev2 authorization policy FLEXVPN_CONFIG
 route set interface lo0
 route set remote ipv4 172.17.1.0 255.255.255.0
The client advertises its local subnet (172.17.1.0/24) to the server, allowing two-way route exchange.
Apply Authorization Group to the IKEv2 Profile
Add the following to your IKEv2 profile on the client:
crypto ikev2 profile FLEXVPN_IKEV2
 aaa authorization group cert list AUTHOR_LOCAL FLEXVPN_CONFIG
This applies the client's local authorization policy to peers that authenticate with certificates (group cert); that is what makes the client both send its own route set entries and accept the routes the server pushes.
Step 3: Verifying the Configuration
After bringing up the tunnel, verify that static routes have been exchanged using:
show ip route static
On the client, you should see a route to the HQ network via the tunnel interface (e.g., Tunnel1):
S 172.16.0.0/16 [1/0] via 2.2.2.1
On the server (hub), you should see a route to the client-side subnet:
S 172.17.1.0/24 is directly connected, Virtual-Access3
These routes are automatically injected thanks to the config exchange process via IKEv2.
FlexVPN’s configuration exchange for static routing is a clean and scalable solution for exchanging routes between routers without relying on dynamic protocols. It allows headends and clients to push relevant subnets to each other securely and automatically using existing AAA and IKEv2 constructs.
FlexVPN Clients with Redundant Internet Connection
In enterprise environments, maintaining VPN connectivity even in the event of a primary WAN failure is critical. Cisco FlexVPN supports redundant internet connections by leveraging interface tracking with the line protocol. This ensures seamless failover by dynamically switching the VPN tunnel source if the primary interface goes down.
This tutorial builds on the previous FlexVPN lab and introduces redundancy using tracking and dynamic source selection.
Step 1: Define a Backup Default Route
On the branch router, begin by creating a static default route through the secondary internet connection:
ip route 0.0.0.0 0.0.0.0 5.5.5.1 240 name DEFAULT_BACKUP
The administrative distance of 240 ensures that this route is only used when no other preferred default route (e.g., from DHCP or dynamic routing) is available.
Step 2: Configure Interface Tracking
Tracking the line protocol of WAN interfaces lets the router know if an interface becomes operationally down, even if it’s administratively up. Configure two tracking objects:
track 1 interface g1 line-protocol
track 2 interface g3 line-protocol
Here, GigabitEthernet1 (g1) is the primary WAN interface, and GigabitEthernet3 (g3) is the backup.
Step 3: FlexVPN Client Configuration with Tracking
Update the FlexVPN client configuration to bind tunnel sourcing dynamically based on interface tracking:
crypto ikev2 client flexvpn FLEXVPN_CLIENT
 source 10 g1 track 1
 source 20 g3 track 2
This sets up a priority list: use g1 while track 1 is up, then fall back to g3. Line-protocol tracking only sees the local link state; if g1 stays up but upstream connectivity is lost, no failover occurs. For that case track an ip sla reachability probe toward the hub instead of the line protocol.
Step 4: Update Tunnel Source
On the tunnel interface, change the source to allow dynamic selection:
interface tunnel 1
 tunnel source dynamic
This allows the tunnel to source itself from the tracked interface, which changes automatically depending on the line protocol state.
Step 5: Verification
Check Tracking Status
Use the show track command to confirm that tracking is working and which interfaces are up:
show track
You should see outputs similar to:
Track 1
  Interface GigabitEthernet1 line-protocol
  Line protocol is Up
Track 2
  Interface GigabitEthernet3 line-protocol
  Line protocol is Up
Verify VPN Client Source Selection
Check the active source interface being used for the VPN tunnel with:
show crypto ikev2 client flex
Look for the Source field. If GigabitEthernet1 is up, it should be used. If it’s down, the router should automatically switch to GigabitEthernet3.
This configuration provides resilience for remote sites by ensuring the FlexVPN tunnel remains active, even when the primary WAN interface fails. Using track and tunnel source dynamic, the router intelligently switches tunnel sources without manual intervention.
FlexVPN & Leveraging Configuration Exchange for Dynamic Client Provisioning
One of the most powerful features in Cisco FlexVPN is Configuration Exchange (CFG Exchange), which allows the server to dynamically push configuration parameters to clients during tunnel negotiation. This simplifies client configuration, improves flexibility, and supports centralized control of VPN behavior.
In FlexVPN, these settings are defined under the IKEv2 authorization policy. This lab highlights additional configuration options available and how to verify that they’re working correctly.
Extended Configuration Options with crypto ikev2 authorization policy
When you define your FlexVPN authorization policy, you can use the following keywords to push parameters to the client dynamically:
- aaa – Include RADIUS attributes.
- backup-gateway – Push a backup default gateway instead of requiring clients to preconfigure multiple ones.
- banner – Send a configuration mode banner for software clients.
- dhcp – Push the DHCP server IP address to the client.
- dns – Specify DNS server(s) for the client.
- def-domain – Push the default domain name (e.g., cciesecurity.com).
- pfs – Enable Perfect Forward Secrecy.
- session-lifetime – Specify how long a session should remain active.
- wins – Provide WINS server information.
These values can be injected into the client dynamically and will take effect without the need to statically configure them on the remote device.
Example: Defining Authorization Policy on the Headend
Here’s a sample configuration that demonstrates the power of this feature:
crypto ikev2 authorization policy FLEXVPN_CONFIG
 pool FLEXVPN_POOL
 dns 10.1.100.25
 wins 10.1.100.25
 def-domain cciesecurity.com
Verifying Configuration Exchange Delivery
On the server, the following command displays the authorization policy as configured, which confirms what the server is prepared to send but not what the client actually received:
show crypto ikev2 authorization policy
You should see output like:
IKEv2 Authorization Policy : FLEXVPN_CONFIG
  IPv4 Address Pool : FLEXVPN_POOL
  IPv4 DNS Primary : 10.1.100.25
  Wins Primary : 10.1.100.25
  Default Domain : cciesecurity.com
To confirm delivery, check the client side once the tunnel is up: show crypto ikev2 client flexvpn lists the address, DNS, WINS and domain learned from the server, and show ip dhcp import (below) shows what was handed on to the local DHCP pool.
DHCP Integration with Config Exchange
To allow DHCP clients on the branch side to benefit from these parameters (DNS, domain, WINS), configure the DHCP server with the following:
ip dhcp pool VLAN1
 import all
 network 172.17.1.0 255.255.255.0
 default-router 172.17.1.1
The import all keyword allows the DHCP server to automatically inherit parameters learned from the FlexVPN config exchange.
Confirm DHCP Parameter Inheritance
You can confirm that the DHCP server imported the correct options using:
show ip dhcp import
Sample output:
Address Pool Name: VLAN1
Domain Name Server(s): 10.1.100.25
NetBIOS Name Server(s): 10.1.100.25
Domain Name Option: cciesecurity.com
FlexVPN’s configuration exchange feature enables centralized distribution of critical network settings like DNS, DHCP, WINS, and gateway configurations. When paired with DHCP import all, these settings propagate all the way to LAN clients, making your VPN deployment smarter and easier to manage.
FlexVPN Server for AnyConnect Clients Using Certificate and EAP Authentication
In this lab, we demonstrate how to configure a Cisco FlexVPN server to support Windows AnyConnect clients using both certificate-based authentication and EAP (Extensible Authentication Protocol). The client (running Windows 7 or later) connects to a FlexVPN headend router using IKEv2/IPSec, and the authentication process is managed through Cisco ISE and digital certificates.
Topology Overview
- Client: AnyConnect on a Windows 7 machine (Branch 1)
- VPN Server: Cisco R1, running as a FlexVPN server
- Authentication: Certificate-based for the server, with optional EAP for the client
- Backend: Cisco ISE acts as the RADIUS server
- VPN Profile Delivery: Configured manually in the AnyConnect VPN Editor and saved locally
Step 1: Configure the Certificate Infrastructure on the Headend
Start by generating a key and creating a trustpoint:
crypto key generate ec keysize 256 label label-name
crypto pki trustpoint trustpoint-name
 enrollment terminal
 fqdn fqdn-name
 subject-name cn=name
 revocation-check none
 eckeypair label-name
Import the CA certificate and enroll:
crypto pki authenticate trustpoint-name
crypto pki enroll trustpoint-name
crypto pki import trustpoint-name certificate
Step 2: Configure Cisco ISE as a RADIUS Server
On the router:
radius server ISE
 address ipv4 10.1.100.27 auth-port 1645 acct-port 1646
 timeout 2
 key ISEc0ld
Enable AAA and point login/accounting to ISE:
aaa new-model
aaa authentication login AUTHEN_RADIUS group radius
aaa authorization network AUTHOR_LOCAL local
aaa accounting network ACCOUNT_RADIUS start-stop group radius
The AUTHOR_LOCAL list is the one the IKEv2 profile below references for group authorization; without it the FLEXVPN_CONFIG policy is never applied.
Step 3: Set Up Certificate Matching and IP Pool
crypto pki certificate map CERT_MAP 10
 subject-name co cciesecurity.com
ip local pool FLEXVPN_POOL 172.16.255.16 172.16.255.240
Step 4: Define AAA Authorization Policy
crypto ikev2 authorization policy FLEXVPN_CONFIG
 pool FLEXVPN_POOL
 netmask 255.255.255.0
Step 5: Configure the IKEv2 Profile
crypto ikev2 profile FLEXVPN_IKEV2
 identity local dn
 match identity remote key-id cisco
 authentication local ecdsa-sig
 authentication remote eap query-identity
 authentication remote anyconnect-eap aggregate
 pki trustpoint CA-ROOT
 aaa authentication eap AUTHEN_RADIUS
 aaa authentication anyconnect-eap AUTHEN_RADIUS
 aaa authorization group anyconnect-eap list AUTHOR_LOCAL FLEXVPN_CONFIG
 aaa authorization group eap list AUTHOR_LOCAL FLEXVPN_CONFIG
 aaa accounting eap ACCOUNT_RADIUS
 aaa accounting anyconnect-eap ACCOUNT_RADIUS
Step 6: Configure IPSec Parameters
Transform Set and IPSec Profile:
crypto ipsec transform-set SUITE_B_AES128 esp-gcm 128
 mode tunnel
crypto ipsec profile FLEXVPN_IPSEC
 set transform-set SUITE_B_AES128
 set pfs group19
 set ikev2-profile FLEXVPN_IKEV2
Step 7: Virtual-Template and Tunnel Interfaces
Loopback and Tunnel Template:
interface loopback1
 description **** FLEXVPN HUB IP ****
 ip address 172.16.255.1 255.255.255.0
interface virtual-template 1 type tunnel
 ip unnumbered loopback 1
 tunnel source g2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEXVPN_IPSEC
Attach template to profile:
crypto ikev2 profile FLEXVPN_IKEV2
 virtual-template 1 mode auto
Step 8: ISE Configuration Steps
- Configure R1 as a network device in ISE (IP, key, and device type).
- Create a user named employee1 and assign them to a group like Employee.
- Create a policy set named “FlexVPN” and allow authentication based on certificates.
- Add authorization rules that grant VPN access to users in the Employee group or FLEX_CLIENT.
Step 9: Configure the AnyConnect Client
VPN Editor – Preferences
- Uncheck: Auto Update
- Clear: SmartCard PIN
- Set: Minimize On Connect and Auto Reconnect
Preferences (Part 2)
- Set Proxy: IgnoreProxy
- Enable: Optimal Gateway Selection
- Trusted Servers: Add the VPN endpoint FQDN
Server List Entry
- Host Display Name: FLEXVPN
- FQDN/IP: r1.cciesecurity.com
- Primary Protocol: IPsec
- IKE Identity: cisco
- Auth Method: EAP-AnyConnect
Save this profile under the appropriate AnyConnect profile folder (usually in AppData).
Step 10: Local Policy File (Optional)
Edit the AnyConnectLocalPolicy.xml and check Bypass Downloader to disable automatic module updates.
This deployment allows a Windows AnyConnect client to establish a secure FlexVPN connection to a Cisco IOS router using both certificate and EAP-based authentication. It integrates with Cisco ISE for centralized user policy control and uses IPSec/IKEv2 for secure transport.
This hybrid model is ideal for enterprises that need both the flexibility of client-based VPNs and the policy enforcement of a RADIUS back end.
FlexVPN with AnyConnect Using Certificates: Advanced Configuration
This configuration builds on our earlier FlexVPN + AnyConnect setup by refining certificate-based authentication, improving control over route authorization, session lifetimes, and integrating fallback mechanisms like RADIUS Change of Authorization (CoA). We’ll also make adjustments in the AnyConnect Profile Editor to enforce certificate matching and define authentication behavior.
1. Update the Certificate Map and IKEv2 Profile
We begin by expanding the certificate map to include certificates issued to users:
crypto pki certificate map CERT_MAP 20
 subject-name co ou=Users
The co operator is a substring match over the certificate's DN string, so sequence 20 admits any certificate whose subject contains ou=Users. The map is only evaluated after the certificate chain has validated against the trustpoint, so the CA you trust is what actually bounds who can match.
Then update your IKEv2 profile to use this new certificate map:
crypto ikev2 profile FLEXVPN_IKEV2
 match certificate CERT_MAP
 authentication remote ecdsa-sig
 aaa authorization group cert list AUTHOR_LOCAL FLEXVPN_CONFIG
 aaa accounting cert ACCOUNT_RADIUS
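The following is an added example, not part of the original page or of Cisco IOS: a small Python model of how a crypto pki certificate map decides which peers are admitted, covering both the CERT_MAP used throughout the headend sections (sequence 10, subject-name co cciesecurity.com) and the user-certificate sequence 20 added above. It implements the four IOS operators (eq, ne, co, nc) with IOS's case-insensitive comparison, ANDs the rules inside a sequence and ORs the sequences, and contrasts the page's map with an assumed hardened variant that also pins the issuer named in the AnyConnect matching rule. The certificate subjects and the PINNED_MAP are constructed for illustration.

```python
import re

# IOS certificate-map operators: eq/ne compare the whole field, co/nc test a substring.
OPS = {
    "eq": lambda field, value: field == value,
    "ne": lambda field, value: field != value,
    "co": lambda field, value: value in field,
    "nc": lambda field, value: value not in field,
}

# As on the page: sequence 10 admits any subject containing "cciesecurity.com",
# sequence 20 admits any subject containing "ou=Users".
CERT_MAP = {
    10: [("subject-name", "co", "cciesecurity.com")],
    20: [("subject-name", "co", "ou=Users")],
}

# Assumed hardened variant (not from the page): each sequence also pins the
# issuing CA, so a certificate from any other CA in the trusted chain cannot
# satisfy the map even if its subject happens to contain the right string.
PINNED_MAP = {
    10: [("issuer-name", "co", "cn=ccie-SERVER2012-CA-2"),
         ("subject-name", "co", "cciesecurity.com")],
    20: [("issuer-name", "co", "cn=ccie-SERVER2012-CA-2"),
         ("subject-name", "co", "ou=Users")],
}


def normalize(dn):
    """IOS compares DN strings case-insensitively; collapse spacing around commas."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def match(cert_map, cert):
    """Return the first sequence whose rules all hold for the certificate, else None.

    Rules inside one sequence are ANDed; sequences are ORed in ascending order.
    `cert` maps IOS field names (subject-name, issuer-name, alt-subject-name)
    to the DN strings of the peer certificate.
    """
    fields = {k: normalize(v) for k, v in cert.items()}
    for seq in sorted(cert_map):
        if all(OPS[op](fields.get(field, ""), normalize(value))
               for field, op, value in cert_map[seq]):
            return seq
    return None


# Constructed test certificates (not from the lab).
ROUTER_CERT = {"subject-name": "CN=r1.cciesecurity.com",
               "issuer-name": "CN=ccie-SERVER2012-CA-2,DC=ccie,DC=local"}
USER_CERT = {"subject-name": "CN=employee1, OU=Users, DC=ccie, DC=local",
             "issuer-name": "CN=ccie-SERVER2012-CA-2,DC=ccie,DC=local"}
# A subject that merely contains the string, issued by a different (but trusted) CA.
LOOKALIKE = {"subject-name": "CN=vpn.cciesecurity.com.example.net",
             "issuer-name": "CN=Partner-CA"}

if __name__ == "__main__":
    for name, cert in (("router", ROUTER_CERT), ("user", USER_CERT), ("lookalike", LOOKALIKE)):
        print(f"{name:10} CERT_MAP={match(CERT_MAP, cert)}  PINNED_MAP={match(PINNED_MAP, cert)}")
```

The lookalike case only matters when more than one CA chains to the trustpoint (or when the CA issues to parties you do not control), because the map runs after chain validation; pinning issuer-name in every sequence, or using eq against the full subject for known routers, removes the dependency on the substring test.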
To enhance security and avoid untrusted URLs for certificate retrieval, disable HTTP URL certificate fetching:
no crypto ikev2 http-url cert
2. Define and Apply an ACL for Tunnel Scope
To restrict what traffic is allowed through the tunnel, define an ACL:
ip access-list standard VPN_ST_ACL
 permit 172.16.0.0 0.15.255.255
Apply this ACL and other configuration parameters to the authorization policy:
crypto ikev2 authorization policy FLEXVPN_CONFIG
 route set access-list VPN_ST_ACL
 backup-gateway 1.1.1.12
 session-lifetime 28800
 split-dns cciesecurity.com
You may also want to allow clients to automatically reconnect:
crypto ikev2 profile FLEXVPN_IKEV2
 reconnect timeout 86400
3. Enable Change of Authorization (CoA)
To allow ISE to terminate or change sessions mid-connection (useful for NAC or revocation scenarios):
aaa server radius dynamic-author
 client 10.1.100.27 server-key ISEc0ld
4. Configure AnyConnect Certificate Matching
In the AnyConnect Profile Editor, go to the Certificate Matching section:
- Add a Distinguished Name match rule:
- Name: ISSUER-CN
- Pattern: ccie-SERVER2012-CA-2
- Operator: Equal
This ensures the client only presents certificates from the trusted issuing CA.
5. Update the AnyConnect Server List Entry
In the Server List Editor:
- Hostname: FLEXVPN
- FQDN: r1.cciesecurity.com
- Primary Protocol: IPSec
- Auth Method During IKE Negotiation: EAP-AnyConnect
- IKE Identity: cisco (this must match the key-id used on the router)
6. Optional: Use AD Credentials + Certificate
If you want to use Active Directory credentials in combination with a certificate, you can enable aggregate authentication:
crypto ikev2 profile FLEXVPN_IKEV2
 authentication remote anyconnect-eap aggregate cert-request
This allows the server to prompt for a certificate and then challenge with AD credentials during authentication.
7. Optional: Enable Local Authentication as a Fallback
In case the RADIUS server is unreachable, you can enable local user authentication on the router:
username local secret cisco
Update AAA:
aaa authentication login AUTHEN_LOCAL local
Then modify the IKEv2 profile:
crypto ikev2 profile FLEXVPN_IKEV2
 no aaa authentication anyconnect-eap AUTHEN_RADIUS
 aaa authentication anyconnect-eap AUTHEN_LOCAL
This is a manual switch to local authentication, not an automatic fallback. If you want the router to try ISE first and use the local database only when the RADIUS server is unreachable (not when it rejects the user), keep the profile pointed at a single method list that names both methods in order, for example aaa authentication login AUTHEN_RADIUS group radius local.
With this configuration, you’re using FlexVPN with AnyConnect in a production-grade deployment:
- Certificate-based authentication for strong identity
- ACLs and session control for tunnel behavior
- Backup gateways and reconnect timers for resiliency
- Optional CoA and fallback local authentication
This setup ensures secure, flexible, and manageable remote access with tight integration between Cisco IOS and AnyConnect.
FlexVPN with Windows IKEv2 Clients: RSA-Based Configuration
While Cisco FlexVPN is highly versatile and supports modern cryptographic suites like elliptic curve (ECDSA), Windows’ native IKEv2 VPN client lacks support for ECDSA. This means we need to configure the FlexVPN headend to use RSA-based certificates and lower-strength cryptographic settings compatible with Windows.
This lab walks through modifying a standard FlexVPN setup to work with Windows 10/11 built-in VPN clients using IKEv2 and RSA authentication.
Step 1: Configure RSA-Based Certificate Trustpoint on the Router
Create a new trustpoint that uses RSA keys, as ECDSA is not compatible with the Windows client:
crypto pki trustpoint CA_RSA
 enrollment url http://1.1.1.1
 fqdn r1.cciesecurity.com
 subject-name cn=r1.cciesecurity.com
 revocation-check none
Download the CA certificate and enroll:
crypto pki authenticate CA_RSA
crypto pki enroll CA_RSA
Step 2: Update the IKEv2 Profile to Use RSA
Switch the FlexVPN IKEv2 profile to use RSA authentication:
crypto ikev2 profile FLEXVPN_IKEV2
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA_RSA
This allows the router to authenticate using an RSA certificate that the Windows client can validate.
Step 3: Adjust IPSec Cryptography for Compatibility
Windows’ built-in VPN client supports only certain IPSec transform sets. Use the following to ensure compatibility:
crypto ipsec transform-set tset esp-aes 256 esp-sha-hmac
 mode tunnel
Update your IPSec profile and remove Perfect Forward Secrecy (PFS), which the Windows client also does not support:
crypto ipsec profile FLEXVPN_IPSEC
 set transform-set tset
 no set pfs group19
Step 4: Configure the Windows Client
To connect from a Windows device:
- Open Network & Internet Settings > VPN > Add a new VPN connection
- Choose the VPN provider as “Windows (built-in)”
- Set the VPN type to IKEv2
- Enter the remote router’s public IP or FQDN (e.g., r1.cciesecurity.com)
- After creating the profile, go into Properties
- Select IKEv2 under “Type of VPN”
- Choose the appropriate authentication method (typically machine or user certificate)
- Optionally select the CA to trust and inner authentication method
Cisco FlexVPN can be adapted to work with Windows-native IKEv2 clients by falling back to RSA certificates, AES+SHA1 transform sets, and removing ECDSA/PFS dependencies. While not as strong cryptographically as ECDSA deployments, this approach ensures compatibility with legacy or unmanaged Windows environments.
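To make the downgrade performed in this lab checkable rather than hand-applied, here is an added Python example (not part of the original lab and not a Cisco tool) that scans an IOS config fragment for the two settings the lab identifies as unusable by the Windows built-in client, ECDSA signature authentication and PFS, and rewrites the fragment the way the steps above do. The sample fragment, the CA_RSA trustpoint name and the esp-aes 256 / esp-sha-hmac substitution follow the lab; the function names are assumptions.

```python
"""Audit a FlexVPN config fragment for settings the Windows built-in IKEv2
client cannot use (per the lab: ECDSA signatures and PFS) and produce the
rewritten fragment with the RSA / no-PFS settings the lab applies instead.
Hypothetical helper written for this page; the config text is constructed."""
import re
from typing import List, Tuple

# Constructed sample: the ECDSA/PFS headend config from the earlier labs.
SAMPLE_CONFIG = """\
crypto ikev2 profile FLEXVPN_IKEV2
 match certificate CERT_MAP
 identity local dn
 authentication local ecdsa-sig
 authentication remote ecdsa-sig
 pki trustpoint CA-ROOT
crypto ipsec transform-set SUITE_B_AES128 esp-gcm 128
 mode tunnel
crypto ipsec profile FLEXVPN_IPSEC
 set transform-set SUITE_B_AES128
 set pfs group19
 set ikev2-profile FLEXVPN_IKEV2
"""


def audit_windows_compat(config: str) -> List[Tuple[int, str]]:
    """Return (line_number, message) for each setting the Windows client rejects."""
    findings = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if re.fullmatch(r"authentication (local|remote) ecdsa-sig", line):
            findings.append((lineno, "ECDSA signature auth: Windows client needs rsa-sig"))
        elif re.fullmatch(r"set pfs \S+", line):
            findings.append((lineno, "PFS enabled: Windows client needs 'no set pfs'"))
    return findings


def rewrite_for_windows(config: str, rsa_trustpoint: str = "CA_RSA") -> str:
    """Apply the lab's changes: ecdsa-sig -> rsa-sig, point the profile at the
    RSA trustpoint, drop 'set pfs', and swap the transform set to
    esp-aes 256 / esp-sha-hmac. Everything else is left untouched."""
    out = []
    for raw in config.splitlines():
        line = raw.strip()
        indent = raw[: len(raw) - len(raw.lstrip())]
        auth = re.fullmatch(r"authentication (local|remote) ecdsa-sig", line)
        if auth:
            out.append(f"{indent}authentication {auth.group(1)} rsa-sig")
        elif line.startswith("pki trustpoint "):          # profile-level trustpoint
            out.append(f"{indent}pki trustpoint {rsa_trustpoint}")
        elif re.fullmatch(r"set pfs \S+", line):
            continue                                       # remove PFS entirely
        elif line.startswith("crypto ipsec transform-set "):
            name = line.split()[3]
            out.append(f"crypto ipsec transform-set {name} esp-aes 256 esp-sha-hmac")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, msg in audit_windows_compat(SAMPLE_CONFIG):
        print(f"line {lineno}: {msg}")
    print(rewrite_for_windows(SAMPLE_CONFIG))
```

Running the audit on the rewritten text returns no findings, which is the check a change-control reviewer would want before the profile is applied to the headend.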
FlexVPN with Local and External Authorization
In a scalable enterprise VPN deployment, authorization plays a key role in dynamically assigning client configurations and access privileges. Cisco FlexVPN allows both local and external (RADIUS-based) authorization methods, enabling granular policy enforcement per user, per group, or through implicit methods. This lab outlines how to configure a FlexVPN server with both local and external authorization strategies using IKEv2 and Cisco ISE as a RADIUS server.
Overview of the Topology
The logical topology includes:
- A FlexVPN Server (R1) with an internal HQ network (172.16.0.0/16)
- A VPN client (LM-WIN10-TEST1) connecting via IPSec tunnel over the internet
- An edge router (BR1) terminating the FlexVPN tunnel in VRF BR1 with VLAN1 (172.17.1.0/24)
- Authorization profiles assigning users different IP addresses, ACLs, MTU values, and DNS configurations
FlexVPN Authorization Attribute Types
Cisco FlexVPN supports three types of authorization attributes:
- IKEv2 Standard – IP address, subnet mask, DNS, and WINS
- Cisco Unity – Similar to IKEv1’s legacy options like banners, backup servers, domain names, and split DNS
- FlexVPN-Specific Attributes – Custom Cisco-defined parameters
Configuration Workflow for the HQ Router (R1)
Step 1: Define the Crypto ACL
ip access-list standard VPN_ST_ACL
 permit 172.16.0.0 0.15.255.255
Step 2: PKI Setup – Router Key and Trustpoints
crypto key generate ec keysize 256 label CA-SELF
crypto pki trustpoint CA-ROOT
 enrollment terminal
 fqdn r1.cciesecurity.com
 subject-name cn=r1.cciesecurity.com
 revocation-check none
 eckeypair CA-SELF
crypto pki trustpoint IOS-CA
 enrollment url http://1.1.1.1
 fqdn r1.cciesecurity.com
 subject-name cn=r1.cciesecurity.com
 revocation-check none
 eckeypair CA-SELF
crypto pki authenticate CA-ROOT
crypto pki authenticate IOS-CA
crypto pki enroll CA-ROOT
crypto pki enroll IOS-CA
Step 3: Certificate Mapping
crypto pki certificate map CERT_MAP 10
 subject-name co cciesecurity.com
crypto pki certificate map CERT_MAP 20
 subject-name co ou=Users
FlexVPN Core Configuration Elements
ISE as RADIUS Server
radius server ISE
 address ipv4 10.1.100.27 auth-port 1645 acct-port 1646
 timeout 2
 key ISEc0ld
IP Pool
ip local pool FLEXVPN_POOL 172.16.255.16 172.16.255.240
IPSec Transform Set
crypto ipsec transform-set SUITE_B_AES128 esp-gcm 128
 mode tunnel
IKEv2 Proposal
crypto ikev2 proposal SUITE_B_AES128
 encryption aes-cbc-128
 integrity sha256
 group 19
AAA Configuration
aaa new-model
aaa authentication login default local
aaa authentication login NOAUTH none
aaa authentication login AUTHEN_RADIUS group radius
aaa authentication login AUTHEN_LOCAL local
aaa authorization network AUTHOR_LOCAL local
aaa accounting network ACCOUNT_RADIUS start-stop group radius
aaa server radius dynamic-author
IKEv2 Profile and Authorization Policy
IKEv2 Authorization Policy
crypto ikev2 authorization policy FLEXVPN_CONFIG
 session-lifetime 28800
 pool FLEXVPN_POOL
 dns 10.1.100.25
 wins 10.1.100.25
 netmask 255.255.255.0
 banner ^Authorized Access Only^
 def-domain cciesecurity.com
 split-dns cciesecurity.com
 backup-gateway 1.1.1.12
 route set access-list VPN_ST_ACL
IKEv2 Profile
crypto ikev2 profile FLEXVPN_IKEV2
 match identity remote address 0.0.0.0
 match identity remote key-id cisco
 match certificate CERT_MAP
 identity local dn
 authentication local rsa-sig
 authentication remote rsa-sig
 authentication remote ecdsa-sig
 authentication remote eap query-identity
 authentication remote anyconnect-eap aggregate
 pki trustpoint CA-ROOT
 pki trustpoint IOS-CA
 aaa authentication eap AUTHEN_RADIUS
 aaa authorization group cert list AUTHOR_LOCAL FLEXVPN_CONFIG
 aaa authorization group anyconnect-eap list AUTHOR_LOCAL FLEXVPN_CONFIG
 aaa accounting anyconnect-eap ACCOUNT_RADIUS
 virtual-template 1 mode auto
 reconnect timeout 86400
Tunnel Configuration
Loopback and Virtual Template
interface loopback1
 description **** FLEXVPN HUB IP ****
 ip address 172.16.255.1 255.255.255.0
interface virtual-template 1 type tunnel
 ip unnumbered loopback 1
 tunnel source g2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEXVPN_IPSEC
Using Name Manglers for Dynamic Authorization
You can dynamically assign users to policies based on certificate DN fields or EAP prefixes.
EAP Domain-Based
crypto ikev2 name-mangler EAP_DOMAIN
 eap prefix delimiter \
Certificate OU-Based
crypto ikev2 name-mangler DN_OU
 dn organization-unit
Certificate CN-Based
crypto ikev2 name-mangler DN_CN
 dn common-name
Local and Group Authorization Configuration
- Group-level authorization can be configured via cert or EAP mappings.
- User-level authorization overrides group-level if both are present.
Example:
ip local pool EMPLOYEE_POOL 172.16.255.10 172.16.255.10
aaa attribute list AAA_EMPLOYEE
 attribute type interface-config "ip mtu 1300"
crypto ikev2 authorization policy employee1
 pool EMPLOYEE_POOL
 route set access-list VPN_ST_ACL
 aaa attribute list AAA_EMPLOYEE
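The two mechanisms just described, name manglers deriving a group name from the peer identity and user-level attributes overriding group-level ones, are easy to reason about once written out. The following is an added Python model for this page (not Cisco code): it applies the three mangler forms shown above (EAP prefix with a backslash delimiter, DN organization-unit, DN common-name) to constructed identities and merges the resulting group and user policies. The policy tables, group names and attribute values are constructed to mirror the lab and are assumptions, not values from any device.

```python
"""Model of FlexVPN name-mangler identity extraction and group/user
authorization merging. Added example for this page, not Cisco code; the
policy tables and the identities fed to them are constructed."""
from typing import Dict, Optional

# Constructed tables standing in for 'crypto ikev2 authorization policy'
# entries: group policies keyed by the mangled name, user policies keyed by
# the user name (cn or the part after the EAP prefix).
GROUP_POLICIES: Dict[str, Dict[str, str]] = {
    "IT":    {"pool": "IT_POOL", "dns": "172.16.32.40", "acl": "FROM_IT"},
    "Users": {"pool": "FLEXVPN_POOL", "dns": "10.1.100.25"},
    "CCIE":  {"pool": "FLEXVPN_POOL", "dns": "10.1.100.25",
              "def-domain": "cciesecurity.com"},
}
USER_POLICIES: Dict[str, Dict[str, str]] = {
    "employee1": {"pool": "EMPLOYEE_POOL", "ip mtu": "1300"},
}


def mangle_eap_prefix(identity: str, delimiter: str = "\\") -> Optional[str]:
    """'eap prefix delimiter \\': the text before the first delimiter
    (DOMAIN\\user -> DOMAIN); None when the identity carries no prefix."""
    head, sep, _ = identity.partition(delimiter)
    return head if sep else None


def parse_dn(dn: str) -> Dict[str, str]:
    """Split 'cn=employee1,ou=IT,o=ccie' into a dict keyed by lower-cased
    attribute type (first occurrence of a type wins)."""
    fields: Dict[str, str] = {}
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        fields.setdefault(key.strip().lower(), value.strip())
    return fields


def mangle_dn(dn: str, attribute: str) -> Optional[str]:
    """'dn common-name' or 'dn organization-unit' applied to a subject DN."""
    attr_to_rdn = {"common-name": "cn", "organization-unit": "ou"}
    return parse_dn(dn).get(attr_to_rdn[attribute])


def resolve_policy(group: Optional[str], user: Optional[str]) -> Dict[str, str]:
    """Group attributes first, user attributes layered on top: where both
    define an attribute the user-level value wins, as the lab states."""
    merged = dict(GROUP_POLICIES.get(group or "", {}))
    merged.update(USER_POLICIES.get(user or "", {}))
    return merged


def authorize_cert_peer(subject_dn: str) -> Dict[str, str]:
    """Certificate-authenticated peer: group from OU, user from CN."""
    return resolve_policy(mangle_dn(subject_dn, "organization-unit"),
                          mangle_dn(subject_dn, "common-name"))


def authorize_eap_peer(eap_identity: str) -> Dict[str, str]:
    """EAP-authenticated peer: group from the DOMAIN\\ prefix, user from the rest."""
    group = mangle_eap_prefix(eap_identity)
    user = eap_identity.split("\\", 1)[1] if group else eap_identity
    return resolve_policy(group, user)


if __name__ == "__main__":
    print(authorize_cert_peer("cn=employee1,ou=IT,o=cciesecurity.com"))
    print(authorize_eap_peer("CCIE\\bob"))
```

The employee1 case is the interesting one: the OU places the user in the IT group (pool, DNS, ACL), and the user-level policy then replaces the pool and adds the MTU attribute while leaving the group's DNS and ACL in place.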
RADIUS Integration with Cisco ISE
- Define advanced RADIUS attributes like IP pools, DNS servers, ACLs, and interface MTU.
- Create authorization profiles in ISE for each AD group.
- Match users to profiles based on group membership, CN, OU, or EAP domain prefix.
Example Attributes in ISE:
- ipsec:addr-pool=IT_POOL
- ipsec:dns-servers=172.16.32.40
- ip:interface-config=ip access-group FROM_NETWORK_SUPPORT in
This lab demonstrates a powerful, flexible approach to user and group-level authorization in Cisco FlexVPN using both local attributes and RADIUS-based policies via Cisco ISE. Leveraging certificate-based identity mapping, EAP prefixes, and name manglers allows for dynamic, scalable VPN deployments that can adapt to diverse enterprise requirements.
FlexVPN with FVRF and IVRF for Advanced Isolation and Control
When designing scalable VPN solutions, isolating control and data planes using VRFs (Virtual Routing and Forwarding) can enhance both security and routing simplicity. Cisco FlexVPN, when combined with FVRF (Front Door VRF) and IVRF (Inside VRF), enables secure, dynamic VPN sessions with full support for multi-tenant or service-segmented deployments. In this lab, we’ll explore why and how to implement FVRF and IVRF in your FlexVPN architecture.
Why Use FVRF?
Using a Front Door VRF (FVRF) has several benefits:
- Enhanced Security: Interfaces placed in an FVRF are isolated from other routing domains. This means no internet or internal network traffic can reach them unless specifically permitted, reducing the attack surface.
- Simplified Routing: With the interface isolated to only communicate with remote peers, a single default route can suffice, avoiding the need for full routing protocols on that interface.
- Dual Internet/Dual-Homed Scenarios: Placing each WAN interface in a separate VRF enables multiple default routes and independent routing tables, making it ideal for dual-cloud or failover topologies.
Headend (Hub) Configuration with FVRF
Start by generating your cryptographic materials:
crypto key generate ec keysize 256 label CA-SELF
crypto pki trustpoint TRUSTPOINT-NAME
 enrollment terminal
 fqdn r1.cciesecurity.com
 subject-name cn=r1.cciesecurity.com
 revocation-check none
 eckeypair CA-SELF
crypto pki authenticate TRUSTPOINT-NAME
crypto pki enroll TRUSTPOINT-NAME
After enrolling and importing certificates, configure the FlexVPN crypto parameters:
crypto ikev2 proposal SUITE_B_AES128
 encryption aes-cbc-128
 integrity sha256
 group 19
 prf sha256
crypto ikev2 policy FLEXVPN_IKEV2
 proposal SUITE_B_AES128
crypto pki certificate map CERT_MAP 10
 subject-name co cciesecurity.com
crypto ikev2 profile FLEXVPN_IKEV2
 match certificate CERT_MAP
 identity local dn
 authentication local ecdsa-sig
 authentication remote ecdsa-sig
 pki trustpoint TRUSTPOINT-NAME
Create the IPSec transform set and profile:
crypto ipsec transform-set SUITE_B_AES128 esp-gcm 128
 mode tunnel
crypto ipsec profile FLEXVPN_IPSEC
 set transform-set SUITE_B_AES128
 set pfs group19
 set ikev2-profile FLEXVPN_IKEV2
Define the IP pool and authorization policy:
ip local pool FLEXVPN_POOL 172.16.255.16 172.16.255.240
aaa new-model
aaa authorization network AUTHOR_LOCAL local
crypto ikev2 authorization policy FLEXVPN_CONFIG
 pool FLEXVPN_POOL
 netmask 255.255.255.0
Reference this in the IKEv2 profile:
crypto ikev2 profile FLEXVPN_IKEV2
 aaa authorization group cert list AUTHOR_LOCAL FLEXVPN_CONFIG
VRF Setup for Tunnel Interface Isolation (FVRF)
Create the VRF and bind it to the interface:
vrf definition INET
 rd 1:1
 address-family ipv4
interface g2
 vrf forwarding INET
 ip address 1.1.1.11 255.255.255.0
 no shutdown
Update the default route into the VRF:
no ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route vrf INET 0.0.0.0 0.0.0.0 1.1.1.1
Update the IKEv2 policy and profile to bind to the VRF:
crypto ikev2 policy FLEXVPN_IKEV2
 no match fvrf any
 match fvrf INET
crypto ikev2 profile FLEXVPN_IKEV2
 match fvrf INET
Apply the VRF to the tunnel interface:
interface virtual-template 1
 tunnel vrf INET
Branch (Client) Configuration
The branch router follows a similar certificate-based setup:
crypto ikev2 profile FLEXVPN_IKEV2
 match certificate CERT_MAP
 identity local dn
 authentication local ecdsa-sig
 authentication remote ecdsa-sig
 pki trustpoint TRUSTPOINT-NAME
crypto ipsec profile FLEXVPN_IPSEC
 set transform-set SUITE_B_AES128
 set pfs group19
 set ikev2-profile FLEXVPN_IKEV2
crypto ikev2 client flexvpn FLEXVPN_CLIENT
 peer 10 1.1.1.11
 client connect tunnel 1
 client inside g2
 connect auto
Tunnel interface:
interface tunnel1
 description **** TO HQ ****
 ip address negotiated
 tunnel source g1
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.11
 tunnel protection ipsec profile FLEXVPN_IPSEC
Enable routing:
router eigrp 100
 no auto-summary
 network 172.16.255.0 0.0.0.255
IVRF: Inside VRF for Data Segregation
To isolate internal data flows, configure an IVRF:
vrf definition BR2
 rd 100:100
 address-family ipv4
interface loopback100
 vrf forwarding BR2
 ip address 172.16.100.1 255.255.255.0
Create the appropriate IKEv2 profile for BR2:
crypto pki certificate map CERT_MAP_BR2 10
 subject-name co br2.cciesecurity.com
crypto ikev2 profile FLEXVPN_BR2
 match fvrf INET
 match certificate CERT_MAP_BR2
 identity local dn
 authentication local ecdsa-sig
 authentication remote ecdsa-sig
 pki trustpoint CA-ROOT
Create the P2P tunnel and assign IVRF:
interface tunnel2
 description *** TO BR2 ***
 vrf forwarding BR2
 ip address 172.16.12.1 255.255.255.252
 tunnel source g2
 tunnel destination 3.3.3.3
 tunnel vrf INET
 tunnel protection ipsec profile FLEXVPN_IPSEC ikev2-profile FLEXVPN_BR2
Bonus: Assigning IVRF via RADIUS
You can assign IVRFs dynamically using RADIUS attributes. Define VRFs and loopback:
vrf definition ADMIN
 rd 101:101
 address-family ipv4
interface lo2
 vrf forwarding ADMIN
 ip address 172.16.255.1 255.255.255.0
Update authentication and authorization on the router and configure ISE to return attributes like Cisco:vrf for session-specific inside routing.
Combining FlexVPN with FVRF and IVRF configurations enhances security, routing control, and multi-tenant support. By leveraging VRFs for both external (FVRF) and internal (IVRF) paths, you can achieve robust isolation between control and data planes. Whether manually configured or dynamically assigned via Cisco ISE, this method is essential for building secure, segmented VPN architectures in modern enterprise environments.
FlexVPN Dual Hub, Dual Cloud, and Spoke-to-Spoke Redundancy
In enterprise environments, high availability and redundancy are critical. Cisco FlexVPN provides the flexibility to design robust VPN topologies, including multi-hub, multi-cloud deployments with seamless spoke-to-spoke connectivity. This lab walks through configuring a dual-hub, dual-cloud FlexVPN setup and enabling direct spoke communication, all with certificate-based authentication, IKEv2, and IPSec transport.
Topology Overview
In this architecture:
- Two FlexVPN hubs reside in separate cloud environments.
- Each spoke router establishes two tunnels—one to each hub.
- Hubs and spokes are configured for spoke-to-spoke communication via NHRP.
- Certificate-based PKI is used for authentication across the infrastructure.
Hub 1 Configuration
Step 1: Global AAA and PKI Setup
aaa new-model
aaa authorization network AUTHOR_LOCAL local
crypto key generate ec keysize 256 label HUB1-KEY
Create the trustpoint and import the certificate:
crypto pki trustpoint CA-ROOT
 enrollment terminal
 fqdn hub1.vpn.lab
 subject-name cn=hub1.vpn.lab
 revocation-check none
 eckeypair HUB1-KEY
crypto pki authenticate CA-ROOT
crypto pki enroll CA-ROOT
Step 2: Define Certificate Map and Address Pool
crypto pki certificate map CERT_MAP 10
 subject-name co cciesecurity.com
ip local pool FLEXVPN_POOL 172.16.255.16 172.16.255.240
Step 3: IKEv2 and IPSec Settings
crypto ikev2 proposal SUITE_B_AES128
 encryption aes-cbc-128
 integrity sha256
 group 19
crypto ikev2 policy FLEXVPN_IKEV2
 proposal SUITE_B_AES128
crypto ikev2 profile FLEXVPN_IKEV2
 match certificate CERT_MAP
 identity local dn
 authentication local ecdsa-sig
 authentication remote ecdsa-sig
 pki trustpoint CA-ROOT
 aaa authorization group cert list AUTHOR_LOCAL FLEXVPN_CONFIG
 virtual-template 1 mode auto
crypto ipsec transform-set SUITE_B_AES128 esp-gcm 128
 mode transport
crypto ipsec profile FLEXVPN_IPSEC
 set transform-set SUITE_B_AES128
 set pfs group19
 set ikev2-profile FLEXVPN_IKEV2
Step 4: Interfaces
interface loopback1
 description **** FLEXVPN HUB IP ****
 ip address 172.16.255.1 255.255.255.0
interface virtual-template 1 type tunnel
 ip unnumbered loopback1
 tunnel source g2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEXVPN_IPSEC
Hub 2 Configuration
Identical to Hub 1, but with a different address pool and loopback:
ip local pool FLEXVPN_POOL 172.16.254.16 172.16.254.240
interface loopback1
 ip address 172.16.254.1 255.255.255.0
Tunnel source should be appropriate to Hub 2’s WAN interface.
Spoke Configuration (IOS)
Step 1: PKI Setup
crypto pki trustpoint CA-ROOT
 enrollment terminal
 fqdn spoke1.vpn.lab
 subject-name cn=spoke1.vpn.lab
 revocation-check none
 eckeypair CA-SELF
crypto pki certificate map CERT_MAP 10
 subject-name co cciesecurity.com
Step 2: IKEv2 and IPSec
crypto ikev2 proposal SUITE_B_AES128
 encryption aes-cbc-128
 integrity sha256
 group 19
crypto ikev2 policy FLEXVPN_IKEV2
 proposal SUITE_B_AES128
crypto ikev2 profile FLEXVPN_IKEV2
 match certificate CERT_MAP
 identity local dn
 authentication local ecdsa-sig
 authentication remote ecdsa-sig
 pki trustpoint CA-ROOT
 aaa authorization group cert list AUTHOR_LOCAL FLEXVPN_CONFIG
 virtual-template 1 mode auto
crypto ipsec transform-set SUITE_B_AES128 esp-gcm 128
 mode transport
crypto ipsec profile FLEXVPN_IPSEC
 set transform-set SUITE_B_AES128
 set pfs group19
 set ikev2-profile FLEXVPN_IKEV2
Step 3: Tunnels to Dual Hubs
interface tunnel1
 description *** TO HQ FLEXVPN1 ***
 ip address negotiated
 tunnel source g1
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.11
 tunnel protection ipsec profile FLEXVPN_IPSEC
interface tunnel2
 description *** TO HQ FLEXVPN2 ***
 ip address negotiated
 tunnel source g1
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.12
 tunnel protection ipsec profile FLEXVPN_IPSEC
Enabling Spoke-to-Spoke Connectivity
To allow dynamic spoke-to-spoke tunnels:
On Both Hubs:
interface virtual-template 1
 ip nhrp network-id 1
 ip nhrp redirect timeout 3
 tunnel mode gre ip
crypto ipsec transform-set SUITE_B_AES128 esp-gcm
 mode transport
On Spokes:
interface virtual-template 1 type tunnel
 description **** TO SPOKES ****
 ip unnumbered lo1
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect timeout 3
 tunnel protection ipsec profile FLEXVPN_IPSEC
crypto ikev2 profile FLEXVPN_IKEV2
 virtual-template 1
interface tunnel1
 ip nhrp network-id 1
 ip nhrp redirect timeout 3
 tunnel mode gre ip
 ip nhrp shortcut virtual-template 1
interface tunnel2
 ip nhrp network-id 1
 ip nhrp redirect timeout 3
 tunnel mode gre ip
 ip nhrp shortcut virtual-template 1
Optional Optimizations for Faster Failover
Dead Peer Detection (DPD):
crypto ikev2 dpd 10 2 on-demand
BGP Timers:
router bgp 100
 timers bgp 10 30
This dual-hub dual-cloud FlexVPN configuration provides a robust, fault-tolerant VPN infrastructure with built-in redundancy and optional spoke-to-spoke communication. By leveraging PKI for authentication and using GRE/IPSec with NHRP, Cisco FlexVPN can easily scale across cloud regions while supporting direct peer communication and rapid failover.
FlexVPN Redundancy with Dual Hub Single Cloud: High Availability and Spoke-to-Spoke Communication
High availability is a cornerstone of enterprise VPN design. In environments where both FlexVPN hubs reside within the same cloud or datacenter region, it’s still crucial to configure failover, load balancing, and spoke-to-spoke communication effectively. This lab walks through setting up a dual-hub, single-cloud FlexVPN architecture with seamless certificate-based authentication, spoke failover via IP SLA tracking, and inter-spoke communication using GRE and NHRP.
Hub 1 Configuration
1. Global AAA and PKI Setup
aaa new-model
aaa authorization network AUTHOR_LOCAL local
crypto key generate ec keysize 256 label HUB1_KEY
Trustpoint and certificate import:
crypto pki trustpoint CA-ROOT
 enrollment terminal
 fqdn hub1.lab
 subject-name cn=hub1.lab
 revocation-check none
 eckeypair HUB1_KEY
crypto pki authenticate CA-ROOT
crypto pki enroll CA-ROOT
2. Certificate Map and IP Pool
crypto pki certificate map CERT_MAP 10
 subject-name co cciesecurity.com
ip local pool FLEXVPN_POOL 172.16.255.16 172.16.255.127
3. IKEv2 and IPSec Configuration
crypto ikev2 proposal SUITE_B_AES128
 encryption aes-cbc-128
 integrity sha256
 group 19
crypto ikev2 policy FLEXVPN_IKEV2
 proposal SUITE_B_AES128
crypto ikev2 profile FLEXVPN_IKEV2
 match certificate CERT_MAP
 identity local dn
 authentication local ecdsa-sig
 authentication remote ecdsa-sig
 pki trustpoint CA-ROOT
 aaa authorization group cert list AUTHOR_LOCAL FLEXVPN_CONFIG
 virtual-template 1 mode auto
Transform set and IPSec profile:
crypto ipsec transform-set SUITE_B_AES128 esp-gcm
 mode tunnel
crypto ipsec profile FLEXVPN_IPSEC
 set transform-set SUITE_B_AES128
 set pfs group19
 set ikev2-profile FLEXVPN_IKEV2
4. Interfaces
interface loopback1
 ip address 172.16.255.1 255.255.255.0
interface virtual-template 1 type tunnel
 ip unnumbered loopback1
 tunnel source g2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEXVPN_IPSEC
Hub 2 Configuration
Mirror the configuration of Hub 1 with differences in loopback and address pool:
ip local pool FLEXVPN_POOL 172.16.255.128 172.16.255.191
interface loopback1
 ip address 172.16.255.2 255.255.255.0
All other crypto and PKI configurations match Hub 1 with different FQDN and key labels.
Spoke Configuration
PKI and IKEv2 Setup
crypto pki trustpoint CA-ROOT
 enrollment terminal
 fqdn spoke.lab
 subject-name cn=spoke.lab
 revocation-check none
 eckeypair CA-SELF
crypto pki certificate map CERT_MAP 10
 subject-name co cciesecurity.com
IKE and IPSec configuration:
crypto ikev2 proposal SUITE_B_AES128
 encryption aes-cbc-128
 integrity sha256
 group 19
crypto ikev2 policy FLEXVPN_IKEV2
 proposal SUITE_B_AES128
crypto ikev2 profile FLEXVPN_IKEV2
 match certificate CERT_MAP
 identity local dn
 authentication local ecdsa-sig
 authentication remote ecdsa-sig
 pki trustpoint CA-ROOT
 aaa authorization group cert list AUTHOR_LOCAL FLEXVPN_CONFIG
 virtual-template 1 mode auto
crypto ipsec transform-set SUITE_B_AES128 esp-gcm
 mode tunnel
crypto ipsec profile FLEXVPN_IPSEC
 set transform-set SUITE_B_AES128
 set pfs group19
 set ikev2-profile FLEXVPN_IKEV2
Tunnel Interfaces to Dual Hubs
interface tunnel1
 description *** TO HQ FLEXVPN1 ***
 ip address negotiated
 tunnel source g1
 tunnel destination dynamic
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEXVPN_IPSEC
crypto ikev2 client flexvpn FLEXVPN_CLIENT
 peer 10 1.1.1.11
 peer 20 1.1.1.12
 client connect tunnel 1
 client inside g2
 connect auto
Enabling Spoke-to-Spoke Communication
On Hubs:
interface virtual-template 1
 ip nhrp network-id 1
 ip nhrp redirect timeout 3
 tunnel mode gre ip
crypto ipsec transform-set SUITE_B_AES128 esp-gcm
 mode transport
On Spokes:
interface tunnel1
 ip nhrp network-id 1
 ip nhrp redirect
 ip nhrp shortcut virtual-template 1
 tunnel mode gre ip
interface virtual-template 1 type tunnel
 ip unnumbered lo0
 tunnel mode gre ip
 ip nhrp network-id 1
 ip nhrp redirect
 ip nhrp shortcut virtual-template 1
 tunnel protection ipsec profile FLEXVPN_IPSEC
Enhancing Failover with IP SLA and Tracking
Instead of relying only on Dead Peer Detection (DPD), configure SLA-based tracking:
ip sla 1
 icmp-echo 1.1.1.11
 frequency 5
 threshold 2000
 timeout 2000
ip sla schedule 1 start-time now
ip sla 2
 icmp-echo 1.1.1.12
 frequency 5
 threshold 2000
 timeout 2000
ip sla schedule 2 start-time now
track 1 ip sla 1
track 2 ip sla 2
crypto ikev2 client flexvpn FLEXVPN_CLIENT
 peer 10 1.1.1.11 track 1
 peer 20 1.1.1.12 track 2
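To see how the tracked peer entries behave over a failure and recovery, the following added Python example (not Cisco code, not part of the original lab) simulates the FlexVPN client's peer selection as the two IP SLA probes succeed or time out. The probe results are constructed. The modelled behaviour is stated as an assumption about IOS: peers are tried in ascending sequence order, a peer whose track object is down is skipped, and the client stays on its current peer while that peer's track is up unless peer reactivate is configured, in which case it returns to the lowest-sequence peer as soon as that peer's track comes back.

```python
"""Simulation of FlexVPN client peer selection with tracked peers
('peer <seq> <addr> track <n>' fed by 'ip sla icmp-echo' probes).
Added example for this page, not Cisco code; probe outcomes are constructed
and the selection rules below are an assumption about IOS behaviour."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SlaTrack:
    """One 'ip sla N icmp-echo <target>' paired with 'track N ip sla N'."""
    sla_id: int
    target: str
    timeout_ms: int = 2000      # matches 'timeout 2000' in the lab config
    up: bool = True

    def observe(self, rtt_ms: Optional[int]) -> bool:
        """Feed one probe result; None means no reply arrived. The track goes
        down when the echo is lost or arrives after the timeout."""
        self.up = rtt_ms is not None and rtt_ms <= self.timeout_ms
        return self.up


@dataclass
class Peer:
    """One 'peer <seq> <address> track <n>' line of the flexvpn client."""
    seq: int
    address: str
    track: SlaTrack


class FlexVpnClient:
    """Assumed selection rules: lowest sequence wins among peers whose track
    is up; without 'peer reactivate' the client keeps its current peer while
    that peer's track stays up."""

    def __init__(self, peers: List[Peer], reactivate: bool = False):
        self.peers = sorted(peers, key=lambda p: p.seq)
        self.reactivate = reactivate
        self.current: Optional[Peer] = None

    def best_peer(self) -> Optional[Peer]:
        """Lowest-sequence peer whose track is up, or None if all are down."""
        return next((p for p in self.peers if p.track.up), None)

    def evaluate(self) -> Optional[str]:
        """Re-run selection after the tracks changed; return the active peer."""
        if self.current is None or not self.current.track.up or self.reactivate:
            self.current = self.best_peer()
        return self.current.address if self.current else None


def failover_scenario(reactivate: bool = False) -> List[Optional[str]]:
    """Three rounds of constructed probe results: both hubs reachable, hub 1
    lost (timeout), hub 1 back. Returns the peer chosen after each round."""
    hub1 = SlaTrack(1, "1.1.1.11")
    hub2 = SlaTrack(2, "1.1.1.12")
    client = FlexVpnClient(
        [Peer(10, "1.1.1.11", hub1), Peer(20, "1.1.1.12", hub2)], reactivate)
    chosen: List[Optional[str]] = []
    for rtt_hub1, rtt_hub2 in [(12, 15), (None, 15), (12, 15)]:
        hub1.observe(rtt_hub1)
        hub2.observe(rtt_hub2)
        chosen.append(client.evaluate())
    return chosen


if __name__ == "__main__":
    print("without reactivate:", failover_scenario(False))
    print("with reactivate:   ", failover_scenario(True))
```

The difference between the two runs is the point to notice in a design review: with the lab's configuration as shown, a spoke that failed over to hub 2 stays there after hub 1 recovers, so hub 2 can end up carrying every spoke that ever failed over unless a return to the preferred hub is configured or forced.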
Inter-Hub GRE Tunnel for Route Synchronization
To support full route awareness for spoke-to-spoke traffic across hubs:
On Hub 1:
interface tunnel100
 description *** INTER-HUB TUNNEL ***
 ip address 172.16.100.1 255.255.255.252
 tunnel source lo0
 tunnel destination 172.16.0.3
 ip nhrp network-id 1
 ip nhrp redirect timeout 3
BGP Configuration (on both hubs):
router bgp 100
 bgp router-id 172.16.0.x
 neighbor 172.16.100.x remote-as 100
 neighbor 172.16.100.x next-hop-self all
 neighbor 172.16.100.x route-reflector-client
 neighbor 172.16.100.x weight 65000
 neighbor 172.16.100.x unsuppress-map UNSUPPRESS_MAP
ip prefix-list SPOKE_NET permit 172.17.0.0/16 le 32
route-map UNSUPPRESS_MAP permit 10
 match ip address prefix-list SPOKE_NET
This FlexVPN dual-hub single-cloud setup delivers high availability, dynamic spoke failover, and optional spoke-to-spoke communication. With features like IP SLA tracking, GRE inter-hub tunnels, and certificate-based authentication, the architecture is scalable, secure, and ready for real-world deployment.
FlexVPN IKEv2 PSK Configuration with Default Profiles
Cisco FlexVPN offers a modular and streamlined approach to deploying IPsec VPNs. One of its most convenient features is the ability to use default IKEv2 policies and proposals. This allows administrators to stand up VPN tunnels quickly without needing to define every crypto parameter from scratch. Here’s how to configure a basic site-to-site FlexVPN connection using pre-shared keys and default IKEv2 settings.
Step 1: Configure the IKEv2 Keyring
The keyring defines the peer and the associated pre-shared key (PSK). This is used during IKEv2 authentication.
crypto ikev2 keyring PSK
 peer BRANCH2
  address 198.51.100.1
  pre-shared-key local MYLOCALKEY
  pre-shared-key remote MYREMOTEKEY
This binds the peer IP address to a set of shared secrets. You can also use FQDNs or hostname mappings instead of static IPs.
Step 2: Define the IKEv2 Profile
Use the default profile or specify a named one. This profile links the identity information, authentication method, and keyring.
crypto ikev2 profile default
 match identity remote fqdn branch2.lab.local
 identity local fqdn branch1.lab.local
 authentication local pre-share
 authentication remote pre-share
 keyring local PSK
This configuration ensures that the router uses pre-shared keys and matches the remote peer by its FQDN. The default profile saves time by auto-binding default IKEv2 and IPsec parameters.
Step 3: Configure the Tunnel Interface
Now define the tunnel that will carry the encrypted traffic.
interface tunnel1
 ip address 172.16.1.1 255.255.255.0
 tunnel source g2
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile default
This uses the default IPsec profile tied to IKEv2, which works if the crypto ikev2 profile and global transform sets are pre-configured on the box.
Step 4: Verify the Tunnel and Encryption
After configuration, you can verify the operational state using the following commands:
show crypto map
show crypto ipsec sa
show crypto ikev2 sa
show ip cef x.x.x.x
These commands confirm if the Security Associations (SAs) are successfully established, IPsec is protecting traffic, and the peer is reachable.
Step 5: Enable IKEv2-Based Routing Exchange (Optional)
To inject routing information during IKEv2 negotiation, you must enable AAA and define an authorization policy:
access-list 99 permit 10.11.11.11 0.0.0.255
aaa new-model
aaa authorization network default local
crypto ikev2 authorization policy default
 route set access-list 99
This allows the VPN router to advertise connected networks to the peer using IKEv2 attributes. For this to take effect, bounce the tunnel interface (shutdown, then no shutdown) to trigger a re-negotiation.
This FlexVPN configuration using IKEv2 with pre-shared keys and default profiles makes deployment quick and efficient. By leveraging default proposals and authorization policies, administrators can spin up secure tunnels with minimal effort while still maintaining flexibility for future enhancements.
FlexVPN IPv4 Site-to-Site VPN with Pre-Shared Keys (PSK)
When simplicity and interoperability are key, FlexVPN with IKEv2 and PSK is an excellent option for establishing secure, scalable site-to-site VPN tunnels. In this configuration, we manually define the IKEv2 proposal, keyring, and profiles, and bind them together with a crypto map, which is especially useful on platforms that may not support Virtual Templates or DMVPN-style tunnels.
This lab walks through the key steps of configuring a site-to-site FlexVPN tunnel using IPv4 and pre-shared key authentication.
Step 1: Define IKEv2 Policy and Proposal
Start by creating a custom IKEv2 proposal and attaching it to a policy. This defines the encryption, integrity, and Diffie-Hellman parameters used during phase 1 negotiations.
crypto ikev2 proposal 1
 encryption aes-cbc-256
 integrity sha512
 group 5
 exit
crypto ikev2 policy 1
 proposal 1
 exit
Step 2: Configure the Keyring
The keyring ties a specific peer IP address to a pre-shared key that will be used for authentication.
crypto ikev2 keyring 1
 peer branch-peer
  address 203.0.113.1
  pre-shared-key MySecretKey
  exit
 exit
Replace the peer address and key with values specific to your remote site.
Step 3: Create the IKEv2 Profile
The IKEv2 profile brings together the peer matching, authentication method, and keyring.
crypto ikev2 profile 1
 match identity remote address 203.0.113.1
 authentication local pre-share
 authentication remote pre-share
 keyring local 1
 exit
This tells the router to match the remote peer by IP address and use pre-shared key authentication for both directions.
Step 4: Define the IPSec Transform Set
Next, configure the IPSec phase 2 parameters including encryption and hashing methods. This will be referenced in the crypto map.
crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac
 mode tunnel
You can replace esp-aes and esp-sha-hmac with other valid options like esp-gcm or esp-aes-256.
Step 5: Optional: Define SA Lifetime
To control the rekeying behavior, you can set a custom Security Association (SA) lifetime:
crypto ipsec security-association lifetime seconds 1800
This will force rekeying every 30 minutes.
Step 6: Define Traffic to Encrypt with an ACL
Specify which traffic should be protected across the VPN:
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
This example protects traffic from 192.168.10.0/24 (local) to 192.168.20.0/24 (remote).
Step 7: Configure the Crypto Map
Bind all the previous configurations together using a crypto map:
crypto map VPN-MAP 10 ipsec-isakmp
 set transform-set MY_TRANSFORM_SET
 set peer 203.0.113.1
 match address 101
 set ikev2-profile 1
Then apply the crypto map to your internet-facing interface:
interface g2
 crypto map VPN-MAP
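Because the crypto map's match address decides which flows are encrypted and which leave the interface in the clear, it is worth checking the ACL against concrete flows before the map goes live. The following added Python example (not Cisco code, not part of the original lab) evaluates a crypto ACL the way the crypto map does: wildcard-mask matching, first matching entry wins, implicit deny at the end. The ACL mirrors access-list 101 above; the test flows and the extra deny entry in the usage are constructed.

```python
"""Evaluate an IOS crypto ACL against a flow: wildcard-mask matching, first
match wins, implicit deny. Added example for this page, not Cisco code; the
ACL mirrors access-list 101 from the lab and the flows are constructed."""
import ipaddress
from typing import List, Tuple

CRYPTO_ACL = [
    "access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255",
]


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: 0 bits must match, 1 bits are don't-care."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(network) & care)


def _parse_addr(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'.
    Returns (network, wildcard, next_index)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_ace(line: str) -> Tuple[str, str, str, str, str, str]:
    """'access-list N permit|deny PROTO SRC DST'
    -> (action, proto, src, src_wildcard, dst, dst_wildcard)."""
    t = line.split()
    action, proto = t[2], t[3]
    src, swc, i = _parse_addr(t, 4)
    dst, dwc, _ = _parse_addr(t, i)
    return action, proto, src, swc, dst, dwc


def is_interesting(acl: List[str], src: str, dst: str, proto: str = "ip") -> bool:
    """True when the flow is selected for IPsec by the crypto map's
    'match address'. Entries are evaluated top-down; the first entry whose
    protocol and both addresses match decides; nothing matching means the
    packet is forwarded unprotected (implicit deny)."""
    for line in acl:
        action, ace_proto, s, swc, d, dwc = parse_ace(line)
        if ace_proto not in ("ip", proto):
            continue
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action == "permit"
    return False


if __name__ == "__main__":
    for flow in [("192.168.10.5", "192.168.20.7"),
                 ("192.168.10.5", "8.8.8.8"),
                 ("192.168.20.7", "192.168.10.5")]:
        print(flow, "encrypted" if is_interesting(CRYPTO_ACL, *flow) else "clear")
```

The third flow in the usage shows a common mistake: the ACL is directional, so return traffic is matched by the mirrored entry on the remote peer, not by this one. Placing a deny entry before the permit (for example for a host that must never traverse the tunnel) is honoured because evaluation stops at the first match.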
This configuration sets up a reliable, secure site-to-site tunnel using FlexVPN with IKEv2 and PSK. It’s ideal for fixed peer-to-peer topologies or branch-to-branch links in environments where certificate infrastructure is unnecessary or unavailable.
By using manual IKEv2 profiles and crypto maps, this method is also compatible with older IOS versions and more constrained routers while still offering strong encryption (AES-256/SHA-512).
FlexVPN Site-to-Site VPN with IOS Certificate Authority and RSA Signatures
Using digital certificates signed by an IOS-based Certificate Authority (CA) adds security and scalability to FlexVPN deployments. This approach removes the dependency on pre-shared keys and enables centralized credential management. In this lab, we’ll walk through setting up a site-to-site FlexVPN tunnel using RSA signatures and a self-hosted IOS CA.
Step 1: Prepare the IOS CA Router
Before anything else, ensure that your CA router has its clock synchronized (e.g., via NTP) since certificate issuance depends on accurate timekeeping.
Generate RSA key pair for the CA:
crypto key generate rsa general-keys exportable label CA_KEY modulus 1024
crypto key export rsa CA_KEY pem url nvram: 3des MySecurePassword
Enable HTTP services and configure the CA server:
ip http server
crypto pki server MY-CA
 database level minimum
 database url nvram:
 issuer-name cn=MY-CA l=NY c=US
 lifetime certificate 730
 grant auto
 no shutdown
This sets up an internal CA named MY-CA, stores the database in NVRAM, auto-approves certificate requests, and sets a 2-year certificate lifetime.
Step 2: Enroll Other Routers with the IOS CA
On each router that will participate in the VPN, define the CA trustpoint and initiate the enrollment.
crypto pki trustpoint MY-CA
 enrollment url http://10.0.0.1
 revocation-check none
 exit
crypto pki authenticate MY-CA
crypto pki enroll MY-CA
The authenticate step pulls the CA certificate, and enroll generates and submits a certificate request to the CA.
Step 3: Define the IKEv2 Crypto Settings
Now configure the cryptographic parameters on the VPN routers. This includes the IKEv2 proposal, policy, and profile.
IKEv2 Proposal:
crypto ikev2 proposal 1
 encryption aes-cbc-256
 integrity sha512
 group 5
 exit
IKEv2 Policy:
crypto ikev2 policy 1
 proposal 1
 exit
IKEv2 Profile:
crypto ikev2 profile 1
 match identity remote address 203.0.113.2
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint MY-CA
 exit
This profile matches remote peers by IP address and uses RSA signature-based authentication through the CA-issued certificate.
Step 4: Define the IPSec Profile
The IPSec profile references the IKEv2 profile and binds it for tunnel protection.
crypto ipsec profile VPN_PROFILE
 set ikev2-profile 1
Step 5: Configure the Tunnel Interface
Create and bind the tunnel using IPSec for secure communication.
interface tunnel0
 ip address 10.1.1.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN_PROFILE
Repeat this setup on the remote peer with the IP roles reversed and unique tunnel IP addressing.
Using an IOS-based Certificate Authority for FlexVPN allows scalable, certificate-authenticated IPsec tunnels without relying on pre-shared keys. This method is well-suited for secure, automated certificate distribution in environments where deploying a full PKI infrastructure is overkill.
FlexVPN IPv4 Remote Access (RA) with Pre-Shared Keys (PSK)
FlexVPN’s Remote Access (RA) mode is a powerful way to connect client routers or remote workers securely back to headquarters. When simplicity and speed are priorities, using Pre-Shared Keys (PSK) for IKEv2 authentication is an effective option. This lab walks through the key configuration steps required to stand up a basic RA FlexVPN deployment using IPv4 and PSK.
Step 1: Define the IKEv2 Keyring
The keyring defines the remote peer (client) and the associated pre-shared key.
crypto ikev2 keyring 1
 peer RA-CLIENT
  address 203.0.113.2
  pre-shared-key MySecretKey
 exit
This ties the remote client IP to the correct PSK for IKEv2 authentication.
Step 2: Configure the IKEv2 Profile
The profile links authentication methods, identity matching, and the keyring.
crypto ikev2 profile 1
 match identity remote address 203.0.113.2
 authentication local pre-share
 authentication remote pre-share
 keyring local 1
 exit
This profile tells the router to expect a pre-shared key and match the remote identity based on IP address.
Step 3: Create the IPSec Profile
This binds the IKEv2 profile to IPSec so it can be referenced by tunnel interfaces.
crypto ipsec profile VPN_PROFILE
 set ikev2-profile 1
 exit
Step 4: Configure Authorization on the Headend
You need to define what internal traffic is reachable from the RA clients and assign them IP addresses dynamically.
ip access-list standard RA_ACL
 permit 192.168.10.0 0.0.0.255
ip local pool RA_POOL 10.10.10.10 10.10.10.50
crypto ikev2 authorization policy RA_POLICY
 pool RA_POOL
 route set access-list RA_ACL
- The ACL defines what internal subnet the clients are allowed to access.
- The local pool assigns virtual IP addresses to remote clients.
- The authorization policy binds that pool to the IKEv2 negotiation process.
This FlexVPN RA configuration using PSK is a lightweight, secure way to deploy remote access tunnels. It requires minimal configuration on the client and no certificate infrastructure. The keyring defines authentication, the IKEv2 profile dictates how peers are matched, and the authorization policy enables dynamic IP address assignment. This model is perfect for small branch deployments or mobile workers using compatible router hardware.
FlexVPN IPv4 Remote Access with PSK: Full Configuration for Server and Client Routers
FlexVPN provides a unified and modular way to configure VPNs on Cisco IOS routers. One of its most practical applications is supporting remote access (RA) VPNs using pre-shared key (PSK) authentication. This lab walks through the complete setup process for deploying a FlexVPN RA tunnel, covering both the headend (server) and the client router.
Configuration on the Headend (Server) Router
1. Define the IKEv2 Keyring and Profile
Begin by setting up the keyring that binds the peer’s address with the shared secret:
crypto ikev2 keyring 1
 peer RA-CLIENT
  address 203.0.113.2
  pre-shared-key cisco123
 exit
Now configure the IKEv2 profile:
crypto ikev2 profile 1
 match identity remote address 203.0.113.2
 authentication local pre-share
 authentication remote pre-share
 keyring local 1
 exit
2. Define the IPSec Profile
This binds the IKEv2 profile into a usable IPSec configuration:
crypto ipsec profile RA_PROFILE
 set ikev2-profile 1
 exit
3. Authorization and Address Assignment
Define internal access policies and dynamic address assignment:
ip access-list standard RA_ACL
 permit 192.168.10.0 0.0.0.255
ip local pool RA_POOL 10.10.10.10 10.10.10.50
crypto ikev2 authorization policy RA_POLICY
 pool RA_POOL
 route set interface
 route set access-list RA_ACL
 exit
Attach this policy to the IKEv2 profile:
crypto ikev2 profile 1
 aaa authorization group psk list default RA_POLICY
 virtual-template 1
 exit
4. Tunnel Interface Setup
Configure a virtual template for scalable tunnel instantiation:
interface virtual-template 1 type tunnel
 ip unnumbered g2
 tunnel source g2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile RA_PROFILE
Configuration on the Client (Remote Router)
1. Define Local Authorization and Address Assignment
Similar to the headend, the client also needs an ACL and local pool:
ip access-list standard RA_ACL
 permit 192.168.20.0 0.0.0.255
ip local pool RA_POOL 10.10.20.10 10.10.20.50
crypto ikev2 authorization policy RA_POLICY
 pool RA_POOL
 route set interface
 route set access-list RA_ACL
 exit
Bind the policy to the IKEv2 profile:
crypto ikev2 profile 1
 aaa authorization group psk list default RA_POLICY
 exit
2. Configure the Tunnel Interface
interface tunnel0
 ip address negotiated
 tunnel source GigabitEthernet0/0
 tunnel destination dynamic
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile RA_PROFILE
3. FlexVPN Client Setup
Use the crypto ikev2 client flexvpn command to connect the client tunnel:
crypto ikev2 client flexvpn RA_CLIENT
 client connect tunnel 0
 connect auto
 peer 1 198.51.100.1
This tells the client to automatically initiate the tunnel toward the headend IP and bind it to tunnel0.
This end-to-end FlexVPN RA PSK setup illustrates how to configure a full Remote Access solution using IKEv2 and pre-shared keys. The server uses a virtual template for scalability and dynamic session instantiation, while the client uses a static tunnel interface and auto-connect logic. With authorization policies and IP pools in place, this design supports clean separation of routing and dynamic address assignment for remote nodes.
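The two remote-access sections above build a chain of named objects: the tunnel or virtual template points at an IPsec profile, the IPsec profile at an IKEv2 profile, the IKEv2 profile at a keyring (or trustpoint), an authorization policy and a virtual template, and the policy at a pool and an ACL. A name that does not resolve anywhere in that chain produces no error at configuration time and only shows up when the first IKEv2 negotiation fails. The following Python script is an added example, not code from this page or from Cisco: it parses IOS-style configuration text and reports references that do not resolve, plus IKEv2 profiles whose authentication method has no matching keyring or trustpoint. The two configurations embedded in it are constructed to resemble the headend and client above; the client copy deliberately leaves out the IPsec profile, the keyring and the local pool so the check has something to report.

```python
"""FlexVPN configuration cross-reference linter (added example; not code from
the page or from Cisco). Reference chain that is verified:

  interface / virtual-template -> ipsec profile -> ikev2 profile
  ikev2 profile -> keyring, pki trustpoint, authorization policy, virtual-template
  authorization policy -> ip/ipv6 local pool, ip/ipv6 access-list
  ipsec profile -> transform-set
"""
import re
from collections import defaultdict

# Top-level lines that define an object: (kind, regex capturing its name).
DEFINERS = [
    ("keyring",    re.compile(r"^crypto ikev2 keyring (\S+)")),
    ("ikev2",      re.compile(r"^crypto ikev2 profile (\S+)")),
    ("ipsec",      re.compile(r"^crypto ipsec profile (\S+)")),
    ("tset",       re.compile(r"^crypto ipsec transform-set (\S+)")),
    ("trustpoint", re.compile(r"^crypto pki trustpoint (\S+)")),
    ("authpol",    re.compile(r"^crypto ikev2 authorization policy (\S+)")),
    ("pool",       re.compile(r"^(?:ip|ipv6) local pool (\S+)")),
    ("acl",        re.compile(r"^(?:ip access-list (?:standard|extended)|ipv6 access-list) (\S+)")),
    ("vtemplate",  re.compile(r"^interface virtual-template ?(\d+)", re.I)),
    ("interface",  re.compile(r"^interface (\S+(?: \d+)?)", re.I)),
]

# Sub-commands that point at another object: (enclosing kind, regex, referenced kind).
REFERENCES = [
    ("ikev2",     re.compile(r"^keyring local (\S+)"), "keyring"),
    ("ikev2",     re.compile(r"^pki trustpoint (\S+)"), "trustpoint"),
    ("ikev2",     re.compile(r"^aaa authorization group \S+ list \S+ (\S+)"), "authpol"),
    ("ikev2",     re.compile(r"^virtual-template (\d+)"), "vtemplate"),
    ("ipsec",     re.compile(r"^set ikev2-profile (\S+)"), "ikev2"),
    ("ipsec",     re.compile(r"^set transform-set (\S+)"), "tset"),
    ("authpol",   re.compile(r"^(?:ipv6 )?pool (\S+)"), "pool"),
    ("authpol",   re.compile(r"^route set access-list (?:ipv6 )?(\S+)"), "acl"),
    ("interface", re.compile(r"^tunnel protection ipsec profile (\S+)"), "ipsec"),
]


def parse_blocks(config):
    """Split config text into (top-level line, [indented sub-commands]) pairs."""
    blocks = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line in ("exit", "end"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(line)
        else:
            blocks.append((line, []))
    return blocks


def check_ikev2_auth(name, subs):
    """Flag an IKEv2 profile whose authentication method has no credential source."""
    methods = {s.split()[-1] for s in subs if s.startswith("authentication ")}
    findings = []
    if "pre-share" in methods and not any(s.startswith("keyring ") for s in subs):
        findings.append(f"ikev2 {name} uses pre-share but has no 'keyring local' or 'keyring aaa'")
    if "rsa-sig" in methods and not any(s.startswith("pki trustpoint ") for s in subs):
        findings.append(f"ikev2 {name} uses rsa-sig but has no 'pki trustpoint'")
    return findings


def lint(config):
    """Return sorted findings; an empty list means every reference resolves."""
    defined, refs, findings = defaultdict(set), [], []
    for head, subs in parse_blocks(config):
        for kind, rx in DEFINERS:
            m = rx.match(head)
            if not m:
                continue
            name = m.group(1)
            defined[kind].add(name)
            if kind == "ikev2":
                findings.extend(check_ikev2_auth(name, subs))
            for enclosing, ref_rx, target in REFERENCES:
                if enclosing != kind:
                    continue
                for sub in subs:
                    rm = ref_rx.match(sub)
                    if rm:
                        refs.append((kind, name, target, rm.group(1)))
    for kind, name, target, ref in refs:
        if ref not in defined[target]:
            findings.append(f"{kind} {name} references {target} '{ref}', which is not defined")
    return sorted(findings)


# Constructed sample resembling the headend above; every reference resolves.
HEADEND_CONFIG = """\
crypto ikev2 keyring 1
 peer RA-CLIENT
  address 203.0.113.2
  pre-shared-key cisco123
crypto ikev2 profile 1
 match identity remote address 203.0.113.2
 authentication local pre-share
 authentication remote pre-share
 keyring local 1
 aaa authorization group psk list default RA_POLICY
 virtual-template 1
crypto ipsec profile RA_PROFILE
 set ikev2-profile 1
ip access-list standard RA_ACL
 permit 192.168.10.0 0.0.0.255
ip local pool RA_POOL 10.10.10.10 10.10.10.50
crypto ikev2 authorization policy RA_POLICY
 pool RA_POOL
 route set interface
 route set access-list RA_ACL
interface virtual-template 1 type tunnel
 ip unnumbered GigabitEthernet0/2
 tunnel source GigabitEthernet0/2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile RA_PROFILE
"""

# Constructed sample resembling the client above, with the IPsec profile,
# keyring and local pool deliberately left out.
CLIENT_CONFIG = """\
crypto ikev2 profile 1
 match identity remote address 198.51.100.1
 authentication local pre-share
 authentication remote pre-share
 aaa authorization group psk list default RA_POLICY
ip access-list standard RA_ACL
 permit 192.168.20.0 0.0.0.255
crypto ikev2 authorization policy RA_POLICY
 pool RA_POOL
 route set interface
 route set access-list RA_ACL
interface Tunnel0
 ip address negotiated
 tunnel source GigabitEthernet0/0
 tunnel destination dynamic
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile RA_PROFILE
"""

if __name__ == "__main__":
    for label, cfg in (("headend", HEADEND_CONFIG), ("client", CLIENT_CONFIG)):
        print(label, lint(cfg) or ["ok"])
```

Run it against `show running-config` output saved to a file and it reports, for the client sample, the missing keyring, the undefined pool `RA_POOL` and the undefined IPsec profile `RA_PROFILE`. Names are compared case-sensitively, as IOS does.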
FlexVPN IPv4 Remote Access VPN with IOS CA and RSA-SIG Authentication
When security and scalability are essential, FlexVPN with RSA signatures authenticated via a local IOS-based Certificate Authority (CA) is an ideal solution. This setup avoids the management complexity of external PKI systems and provides robust, certificate-based authentication for remote access VPN clients. In this lab, you’ll learn how to build a full FlexVPN RA configuration using IOS routers for both the CA and VPN endpoints.
Step 1: IOS CA Server Setup
Ensure your IOS CA router has its clock set and is synchronized with NTP. This is critical for certificate validity.
Generate and export RSA keys:
crypto key generate rsa general-keys exportable label CA_KEY modulus 1024
crypto key export rsa CA_KEY pem url nvram: 3des MySecurePassword
Enable HTTP server and define the PKI CA server:
ip http server
crypto pki server MY-CA
 database level minimum
 database url nvram:
 issuer-name cn=MY-CA l=HQ c=US
 lifetime certificate 730
 grant auto
 no shutdown
This setup creates a lightweight CA service on the router, auto-approves certificate requests, and stores the database in NVRAM.
Step 2: Enroll Peer Routers with the CA
On all other routers (RA server and clients), define a trustpoint and enroll certificates:
crypto pki trustpoint MY-CA
 enrollment url http://10.0.0.1
 revocation-check none
 exit
crypto pki authenticate MY-CA
crypto pki enroll MY-CA
Step 3: Configure the FlexVPN RA Server (Headend Router)
1. IKEv2 and IPSec Profiles:
crypto ikev2 profile RA_PROFILE
 match identity remote address 0.0.0.0
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint MY-CA
 exit
crypto ipsec profile RA_IPSEC
 set ikev2-profile RA_PROFILE
 exit
2. IP Pool and ACL Configuration:
ip local pool RA_POOL 10.10.10.10 10.10.10.50
ip access-list standard RA_ACL
 permit 192.168.10.0 0.0.0.255
3. Authorization Policy:
crypto ikev2 authorization policy RA_AUTH
 pool RA_POOL
 route set access-list RA_ACL
 exit
crypto ikev2 profile RA_PROFILE
 aaa authorization group cert list default RA_AUTH
 virtual-template 1
 exit
4. Virtual Tunnel Interface:
interface virtual-template 1 type tunnel
 ip unnumbered g2
 tunnel source g2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile RA_IPSEC
Step 4: Configure the RA Client Router
1. IKEv2 and IPSec Profiles:
crypto ikev2 profile RA_CLIENT
 match identity remote address 0.0.0.0
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint MY-CA
 exit
crypto ipsec profile RA_CLIENT_IPSEC
 set ikev2-profile RA_CLIENT
 exit
2. Local ACL and Authorization Policy:
ip access-list standard RA_CLIENT_ACL
 permit 192.168.20.0 0.0.0.255
crypto ikev2 authorization policy RA_CLIENT_AUTH
 route set interface
 route set access-list RA_CLIENT_ACL
 exit
crypto ikev2 profile RA_CLIENT
 aaa authorization group cert list default RA_CLIENT_AUTH
 exit
3. Tunnel Interface Configuration:
interface tunnel0
 ip address negotiated
 tunnel source g2
 tunnel destination dynamic
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile RA_CLIENT_IPSEC
4. FlexVPN Client Initialization:
crypto ikev2 client flexvpn RA_CLIENT
 connect auto
 client connect tunnel 0
 peer 1 198.51.100.1
 exit
This complete FlexVPN RA configuration leverages IOS-native PKI and RSA signatures for secure remote access. With dynamic virtual interfaces, policy-based authorization, and certificate-based identity validation, the setup is secure and scalable—perfect for organizations that want certificate authentication without the overhead of external CAs.
FlexVPN IPv6 Remote Access (RA) VPN with Pre-Shared Keys (PSK)
With the growing adoption of IPv6, network engineers must ensure secure remote access capabilities are IPv6-capable. Cisco FlexVPN offers native support for IPv6 remote access deployments using IKEv2 and IPSec. This lab provides a step-by-step walkthrough for setting up a FlexVPN RA solution over IPv6 using pre-shared keys, covering both the server and client configurations.
Step 1: Configure the IKEv2 Keyring and Profile
Begin by creating a keyring on the headend router to define the peer address and associated pre-shared key:
crypto ikev2 keyring 1
 peer RA-CLIENT
  address ::/0
  pre-shared-key MySecureKey
 exit
The ::/0 wildcard allows any IPv6 peer to match.
Now define the IKEv2 profile:
crypto ikev2 profile 1
 match identity remote address ::/0
 authentication local pre-share
 authentication remote pre-share
 keyring local 1
 exit
Step 2: Define the IPSec Profile
Bind the IKEv2 profile to an IPSec profile, which will be applied to tunnel interfaces:
crypto ipsec profile IPV6_RA_PROFILE
 set ikev2-profile 1
 exit
Step 3: Configure Address Assignment and Authorization (Server Side)
Create an IPv6 ACL to define internal traffic destinations:
ipv6 access-list RA_ACL
 permit ipv6 2001:db8:1::/64 any
Define the local address pool for assigning IPv6 addresses to RA clients:
ipv6 local pool RA_POOL 2001:db8:10::10 2001:db8:10::50
Create the IKEv2 authorization policy:
crypto ikev2 authorization policy RA_AUTH
 ipv6 pool RA_POOL
 route set interface
 route set access-list ipv6 RA_ACL
 exit
Then, link this policy to the IKEv2 profile:
crypto ikev2 profile 1
 aaa authorization group psk list default RA_AUTH
 virtual-template 1
 exit
Step 4: Virtual Tunnel Interface on the Server
Configure the tunnel template that will be cloned for each client session:
interface virtual-template 1 type tunnel
 ipv6 unnumbered g2
 tunnel source g2
 tunnel mode ipsec ipv6
 tunnel protection ipsec profile IPV6_RA_PROFILE
Step 5: RA Client Configuration
1. ACL and Authorization Policy
On the client router, define its own IPv6 ACL and authorization policy:
ipv6 access-list RA_CLIENT_ACL
 permit ipv6 2001:db8:2::/64 any
crypto ikev2 authorization policy RA_CLIENT_AUTH
 pool RA_POOL
 route set interface
 route set access-list ipv6 RA_CLIENT_ACL
 exit
Bind this policy to the IKEv2 profile:
crypto ikev2 profile 1
 aaa authorization group psk list default RA_CLIENT_AUTH
 exit
2. Client Tunnel Configuration
Create the tunnel interface for initiating the FlexVPN session:
interface tunnel0
 ipv6 address negotiated
 tunnel source g2
 tunnel destination dynamic
 tunnel mode ipsec ipv6
 tunnel protection ipsec profile IPV6_RA_PROFILE
 exit
Define the client connection behavior:
crypto ikev2 client flexvpn RA_CLIENT
 client connect tunnel 0
 connect auto
 peer 1 2001:db8::1
 exit
This configuration ensures the client automatically initiates the tunnel to the headend’s IPv6 address.
This setup demonstrates a complete end-to-end FlexVPN RA deployment using IPv6 and PSK. The configuration includes IPv6-compliant routing, address assignment, policy enforcement, and dynamic tunnel negotiation. It’s ideal for enterprises transitioning to IPv6 that still require secure, scalable remote access solutions.
FlexVPN IPv6 Remote Access (RA) with IOS CA and RSA Authentication
For modern network environments adopting IPv6, secure remote access is a must. Cisco’s FlexVPN supports IPv6 and integrates seamlessly with an IOS-based Certificate Authority (CA) to enable RSA signature authentication. This lab walks through the full setup—from CA provisioning to both server and client router configurations—for a scalable and secure IPv6 RA VPN.
Step 1: Set Up the IOS-Based Certificate Authority
Before generating or using certificates, make sure the router acting as the CA has an accurate clock and is synced via NTP.
On the IOS CA router:
crypto key generate rsa general-keys exportable label CA_KEY modulus 1024
crypto key export rsa CA_KEY pem url nvram: 3des MySecurePassword
ip http server
crypto pki server FLEXVPN-CA
 database level minimum
 database url nvram:
 issuer-name cn=FLEXVPN-CA l=HQ c=US
 lifetime certificate 730
 grant auto
 no shutdown
Step 2: Enroll Server and Client Routers in the CA
On each router (RA server and clients):
crypto pki trustpoint FLEXVPN-CA
 enrollment url http://[2001:db8::1]
 revocation-check none
 exit
crypto pki authenticate FLEXVPN-CA
crypto pki enroll FLEXVPN-CA
This process enrolls and installs a valid RSA certificate signed by the IOS CA.
Step 3: Define the IKEv2 Proposal and Policy
On both the server and the client:
crypto ikev2 proposal PROP_RSA
 encryption aes-cbc-256
 integrity sha512
 group 5
 exit
crypto ikev2 policy RSA_POL
 proposal PROP_RSA
 exit
These define the cryptographic parameters used for IKEv2 Phase 1 negotiation.
Step 4: Configure the RA Server (Headend)
1. Define IKEv2 Profile with Certificate-Based Authentication:
crypto ikev2 profile RA_IPV6_CERT
 match identity remote address ::/0
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint FLEXVPN-CA
 exit
2. Define Transform Set and IPSec Profile:
crypto ipsec transform-set TSET_AES esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile RA_PROFILE
 set transform-set TSET_AES
 set ikev2-profile RA_IPV6_CERT
 exit
3. Define IPv6 ACL, Pool, and Authorization Policy:
ipv6 access-list RA6_ACL
 permit ipv6 2001:db8:100::/64 any
ipv6 local pool RA6_POOL 2001:db8:10::10 2001:db8:10::50
crypto ikev2 authorization policy RA6_POLICY
 ipv6 pool RA6_POOL
 route set access-list ipv6 RA6_ACL
 exit
4. Bind Authorization to IKEv2 Profile and Define Tunnel Template:
crypto ikev2 profile RA_IPV6_CERT
 aaa authorization group cert list default RA6_POLICY
 virtual-template 1
 exit
interface virtual-template 1 type tunnel
 ipv6 unnumbered g2
 tunnel source g2
 tunnel mode ipsec ipv6
 tunnel protection ipsec profile RA_PROFILE
Step 5: Configure the RA Client Router
1. Define IKEv2 Proposal and Policy (same as server):
crypto ikev2 proposal PROP_RSA
 encryption aes-cbc-256
 integrity sha512
 group 5
 exit
crypto ikev2 policy RSA_POL
 proposal PROP_RSA
 exit
2. Define IKEv2 Profile with RSA Authentication:
crypto ikev2 profile RA_CLIENT_CERT
 match identity remote address ::/0
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint FLEXVPN-CA
 exit
3. Create Transform Set and IPSec Profile:
crypto ipsec transform-set TSET_AES esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile RA_CLIENT_PROFILE
 set transform-set TSET_AES
 set ikev2-profile RA_CLIENT_CERT
 exit
4. Define Authorization Policy and IPv6 ACL:
ipv6 access-list CLIENT6_ACL
 permit ipv6 2001:db8:200::/64 any
crypto ikev2 authorization policy CLIENT6_POLICY
 route set interface
 route set access-list ipv6 CLIENT6_ACL
 exit
crypto ikev2 profile RA_CLIENT_CERT
 aaa authorization group cert list default CLIENT6_POLICY
 exit
Step 6: Configure the Client Tunnel Interface and FlexVPN Behavior
Tunnel Interface and Auto-Connect Profile:
interface tunnel0
 ipv6 address negotiated
 tunnel source g2
 tunnel destination dynamic
 tunnel mode ipsec ipv6
 tunnel protection ipsec profile RA_CLIENT_PROFILE
 exit
crypto ikev2 client flexvpn RA_CLIENT
 client connect tunnel 0
 connect auto
 peer 1 2001:db8::1
 exit
This configuration allows the client to initiate the VPN tunnel to the headend router automatically, using certificate-based authentication and IPv6 transport.
With FlexVPN over IPv6 and IOS CA-based RSA authentication, you get a secure, scalable, and standards-compliant remote access solution. This configuration is ideal for environments migrating to IPv6 who need strong identity validation without relying on pre-shared keys. By leveraging Cisco IOS native CA capabilities, you can maintain complete control over your VPN trust infrastructure.
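All three IOS CA labs on this page (the site-to-site one, the IPv4 remote-access one and this IPv6 one) open by insisting that the router clock be NTP-synchronized, because IKEv2 rejects a peer certificate whose validity window does not contain the current time. The following Python script is an added example, not code from the page or from Cisco: it parses the `Validity Date` block of `show crypto pki certificates` and the first line of `show clock`, then classifies each certificate as valid, not yet valid, expired, or valid but within a skew margin of a boundary, and reports whether the clock line carried the `*` or `.` marker that IOS prints when the time is not authoritative or not NTP-synchronized. The show output embedded below is constructed to resemble IOS output for the FLEXVPN-CA trustpoint above; the one-hour skew margin is the script's own policy.

```python
"""Certificate validity vs. router clock check (added example; not code from
the page or from Cisco). Input is the text of 'show crypto pki certificates'
and 'show clock' as pasted from a terminal session."""
import re
from datetime import datetime, timedelta

# 'start date:' and 'end   date:' lines inside a 'Validity Date:' block.
VALIDITY_RX = re.compile(r"start date:\s+(?P<start>[^\n]+)\n\s*end\s+date:\s+(?P<end>[^\n]+)")


def parse_ios_time(text):
    """Parse an IOS timestamp such as '12:00:00 UTC Jan 1 2024' into a naive datetime.
    The time-zone token is dropped so the parser does not depend on the host's tz table."""
    tokens = text.split()
    if len(tokens) == 5:                      # time tz month day year
        del tokens[1]
    return datetime.strptime(" ".join(tokens), "%H:%M:%S %b %d %Y")


def certificate_windows(show_cert_output):
    """Return one (start, end) pair per certificate block, in output order."""
    return [(parse_ios_time(m.group("start")), parse_ios_time(m.group("end")))
            for m in VALIDITY_RX.finditer(show_cert_output)]


def check_validity(show_cert_output, now, skew=timedelta(hours=1)):
    """Classify every certificate relative to `now`."""
    states = []
    for start, end in certificate_windows(show_cert_output):
        if now < start:
            states.append("not-yet-valid")
        elif now > end:
            states.append("expired")
        elif now - start < skew or end - now < skew:
            states.append("valid-near-boundary")
        else:
            states.append("valid")
    return states


def parse_show_clock(text):
    """Parse 'show clock' output such as '*12:30:00.000 UTC Mon Jan 1 2024'.
    A leading '*' means the time is not authoritative and '.' means it is
    authoritative but not currently NTP-synchronized; only an unmarked
    timestamp is returned as synced."""
    text = text.strip()
    synced = text[0] not in "*."
    tokens = text.lstrip("*.").split()       # time tz weekday month day year
    hms = tokens[0].split(".")[0]            # drop milliseconds
    clock = datetime.strptime(f"{hms} {tokens[3]} {tokens[4]} {tokens[5]}", "%H:%M:%S %b %d %Y")
    return clock, synced


def audit(show_cert_output, show_clock_output, skew=timedelta(hours=1)):
    """Combine both checks into one report dictionary."""
    clock, synced = parse_show_clock(show_clock_output)
    return {"clock": clock, "clock_synced": synced,
            "certificates": check_validity(show_cert_output, clock, skew)}


# Constructed sample resembling 'show crypto pki certificates' on an enrolled router.
SAMPLE_SHOW_CERTS = """\
Certificate
  Status: Available
  Certificate Serial Number (hex): 02
  Certificate Usage: General Purpose
  Issuer:
    cn=FLEXVPN-CA
    l=HQ
    c=US
  Subject:
    Name: HUB
    hostname=HUB
  Validity Date:
    start date: 12:00:00 UTC Jan 1 2024
    end   date: 12:00:00 UTC Dec 31 2025
  Associated Trustpoints: FLEXVPN-CA

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=FLEXVPN-CA
  Subject:
    cn=FLEXVPN-CA
  Validity Date:
    start date: 11:00:00 UTC Jan 1 2024
    end   date: 11:00:00 UTC Jan 1 2027
  Associated Trustpoints: FLEXVPN-CA
"""

if __name__ == "__main__":
    # Constructed 'show clock' line with the not-authoritative marker.
    print(audit(SAMPLE_SHOW_CERTS, "*12:30:00.000 UTC Mon Jan 1 2024"))
```

A `not-yet-valid` result together with `clock_synced: False` is the classic symptom of a router that enrolled before NTP converged: the certificate is fine, the clock is wrong, and the IKEv2 authentication failure disappears once `ntp server` is configured and the clock settles.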
FlexVPN SVTI to DVTI
Cisco FlexVPN allows for highly flexible VPN designs, including hybrid deployments between routers using static virtual tunnel interfaces (SVTI) and those using dynamic virtual tunnel interfaces (DVTI). This scenario is useful for a hub-and-spoke architecture where the hub maintains a static configuration while the spokes establish tunnels dynamically. This lab walks through both sides of the configuration: the SVTI-based hub and the DVTI-based spoke.
Configuring the SVTI Router (Hub)
1. IKEv2 Phase 1: Proposal and Policy
Start by defining the IKEv2 proposal with strong encryption and hashing algorithms:
crypto ikev2 proposal FLEX_SVTI_PROPOSAL
 encryption 3des aes-cbc-192
 integrity sha1 sha256
 group 2 5
 exit
Now bind that proposal to a policy:
crypto ikev2 policy FLEX_SVTI_POLICY
 proposal FLEX_SVTI_PROPOSAL
 exit
2. Keyring and Profile Configuration
Define the keyring that maps to the peer with its pre-shared key:
crypto ikev2 keyring FLEX_KEYRING
 peer DVTI-PEER
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco123
 exit
Link that keyring to a profile that matches incoming remote identities:
crypto ikev2 profile FLEX_PROFILE
 match identity remote address 0.0.0.0 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring local FLEX_KEYRING
 exit
3. IPSec Configuration (Phase 2)
Define the IPSec transform set and profile:
crypto ipsec transform-set FLEX_TSET esp-3des esp-sha-hmac
crypto ipsec profile FLEX_IPSEC_PROFILE
 set transform-set FLEX_TSET
 set ikev2-profile FLEX_PROFILE
 exit
4. Tunnel Interface via Virtual Template
Since the SVTI cannot define a destination in advance, we use a loopback address:
interface loopback1
 ip address 192.168.1.1 255.255.255.0
Now define the virtual template:
interface virtual-template 1 type tunnel
 ip unnumbered loopback1
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX_IPSEC_PROFILE
Finally, link the virtual template to your IKEv2 profile:
crypto ikev2 profile FLEX_PROFILE
 virtual-template 1
 exit
Configuring the DVTI Router (Spoke)
1. IKEv2 Phase 1: Proposal and Policy
crypto ikev2 proposal FLEX_DVTI_PROPOSAL
 encryption 3des aes-cbc-192
 integrity sha1 sha256
 group 2 5
 exit
crypto ikev2 policy FLEX_DVTI_POLICY
 proposal FLEX_DVTI_PROPOSAL
 exit
2. Keyring and Profile Configuration
crypto ikev2 keyring FLEX_KEYRING
 peer HUB
  address 192.0.2.1
  pre-shared-key cisco123
 exit
crypto ikev2 profile FLEX_PROFILE
 match identity remote address 192.0.2.1 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local FLEX_KEYRING
 exit
3. IPSec Configuration
crypto ipsec transform-set FLEX_TSET esp-3des esp-sha-hmac
crypto ipsec profile FLEX_IPSEC_PROFILE
 set transform-set FLEX_TSET
 set ikev2-profile FLEX_PROFILE
 exit
4. Tunnel Interface
Unlike the SVTI side, the DVTI side uses a standard tunnel interface:
interface tunnel1
 ip address 10.10.10.2 255.255.255.0
 tunnel source GigabitEthernet0/1
 tunnel destination 192.0.2.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX_IPSEC_PROFILE
This configuration allows the spoke router to dynamically initiate the VPN tunnel to the hub. The SVTI hub will handle multiple such connections using the virtual template.
This SVTI-to-DVTI FlexVPN configuration provides a scalable and efficient way to build a hub-and-spoke VPN architecture. The hub remains static, configured with a loopback interface and virtual templates, while spokes dynamically form tunnels using DVTI. Pre-shared key authentication and strong crypto policies ensure secure communication between endpoints.
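The proposals and transform sets on this page mix generations of algorithms: the hub and spoke above negotiate 3DES, SHA-1 and DH groups 2 and 5 next to AES-192 and SHA-256, the IOS CA labs generate a 1024-bit RSA key, and the earlier site-to-site lab offers DH group 5 with AES-256/SHA-512. Cisco's Next Generation Encryption guidance places DES/3DES, MD5/SHA-1, DH groups 1, 2 and 5 and RSA keys below 2048 bits in its "avoid" category, and a peer that accepts any one of several offered algorithms can end up on the weakest. The following Python script is an added example, not code from the page or from Cisco: it scans IOS configuration text, either one command per line or flattened onto a single line as this page originally had it, and reports legacy choices in IKEv2 proposals, IPsec transform sets and `crypto key generate rsa` commands. The sample configuration embedded in it is constructed from the values used on this page; the 2048-bit RSA threshold is the script's own policy.

```python
"""Algorithm-strength check for IKEv2 proposals, IPsec transform sets and RSA keys
(added example; not code from the page or from Cisco)."""
import re

# Algorithms treated as legacy. Sets reflect Cisco NGE guidance; MIN_RSA_BITS is
# this script's own threshold, not a value taken from the page.
LEGACY_IKEV2_ENC = {"des", "3des"}
LEGACY_IKEV2_INTEG = {"md5", "sha1"}
LEGACY_DH_GROUPS = {"1", "2", "5"}          # 768 / 1024 / 1536-bit MODP
LEGACY_ESP = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac", "esp-sha-hmac"}
MIN_RSA_BITS = 2048
KEYWORDS = ("encryption", "integrity", "group", "prf")


def _proposal_findings(ctx, tokens):
    """Group proposal tokens by keyword ('encryption 3des aes-cbc-192 integrity sha1 ...')
    and flag the legacy entries."""
    groups, key = {}, None
    for tok in tokens:
        if tok in KEYWORDS:
            key = tok
            groups.setdefault(key, [])
        elif key and tok != "exit":
            groups[key].append(tok)
    out = [(ctx, f"legacy encryption {a}") for a in groups.get("encryption", []) if a in LEGACY_IKEV2_ENC]
    out += [(ctx, f"legacy integrity {a}") for a in groups.get("integrity", []) if a in LEGACY_IKEV2_INTEG]
    out += [(ctx, f"legacy DH group {g}") for g in groups.get("group", []) if g in LEGACY_DH_GROUPS]
    return out


def check_config(config):
    """Return (context, issue) pairs in the order the offending lines appear."""
    findings, proposal = [], None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if not line[0].isspace():
            proposal = None                      # a top-level line ends any proposal sub-mode
        m = re.search(r"\bmodulus (\d+)", line)
        if m and "rsa" in t:
            bits = int(m.group(1))
            if bits < MIN_RSA_BITS:
                lbl = re.search(r"\blabel (\S+)", line)
                ctx = f"rsa key {lbl.group(1) if lbl else '(default)'}"
                findings.append((ctx, f"modulus {bits} is below {MIN_RSA_BITS} bits"))
            continue
        head = " ".join(t[:3])
        if head == "crypto ipsec transform-set" and len(t) > 4:
            algs = t[4:t.index("mode")] if "mode" in t else t[4:]
            findings += [(f"ipsec transform-set {t[3]}", f"legacy transform {a}") for a in algs if a in LEGACY_ESP]
            continue
        if head == "crypto ikev2 proposal" and len(t) > 3:
            proposal, t = t[3], t[4:]            # flattened form keeps the algorithms on this line
        if t and t[0] in KEYWORDS:
            ctx = f"ikev2 proposal {proposal}" if proposal else "proposal (unknown context)"
            findings += _proposal_findings(ctx, t)
    return findings


# Constructed sample built from the values this page uses, plus one proposal that passes.
SAMPLE_CONFIG = """\
crypto key generate rsa general-keys exportable label CA_KEY modulus 1024
crypto ikev2 proposal FLEX_SVTI_PROPOSAL
 encryption 3des aes-cbc-192
 integrity sha1 sha256
 group 2 5
crypto ipsec transform-set FLEX_TSET esp-3des esp-sha-hmac
crypto ikev2 proposal NGE_PROPOSAL
 encryption aes-gcm-256
 prf sha512
 group 19
"""

if __name__ == "__main__":
    for ctx, issue in check_config(SAMPLE_CONFIG):
        print(f"{ctx}: {issue}")
```

Anything attributed to `proposal (unknown context)` came from an `encryption`, `integrity` or `group` line outside an IKEv2 proposal, for example an IKEv1 `crypto isakmp policy`, which the script does not track separately.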