Flex VPN With Spoke TO Spoke-1

Uploaded by ash.shibu1997

FlexVPN Spoke to Spoke-1

In a FlexVPN hub and spoke tunnel there is no direct communication between the spoke routers: all traffic goes through the
hub router. It is possible to configure FlexVPN so that spoke routers can communicate with each other directly, just like
DMVPN Phase 2 and 3. We use the Next Hop Resolution Protocol (NHRP) to accomplish this.
There is a difference between how DMVPN and FlexVPN use NHRP:

• DMVPN uses NHRP for registration and resolution.
• FlexVPN uses NHRP only for resolution.

FlexVPN doesn't use NHRP to register spoke routers with the hub router. Instead, we can use IKEv2 routing to advertise a
/32 route for the IP address of the tunnel interface to the remote router. This is what allows communication between the hub and
the spoke routers.

To “convert” a regular FlexVPN hub and spoke network into a network where direct spoke to spoke traffic is possible, we
need to make these changes:

• On the hub router, we have to add an NHRP network ID and enable NHRP redirection.
• The spoke routers require a dynamic VTI for spoke-to-spoke VPN tunnels.
• The spoke routers require the NHRP network ID and we need to enable NHRP shortcut switching.
• The spoke routers require some IKEv2 changes so they can authenticate each other.

In this lab we exchange routes with IKEv2 routing instead of a dynamic routing protocol.

R1 (Hub)

1. IKEv2 Proposal
The proposal is a collection of items we use in the negotiation of the IKEv2 security association (SA):

crypto ikev2 proposal IKEV2-PROPOSAL
 encryption 3des aes-cbc-128
 integrity md5 sha1
 group 15

2. IKEv2 Policy
This policy contains the proposals we want to use in the negotiation:

crypto ikev2 policy IKEV2-POLICY
 proposal IKEV2-PROPOSAL

3. IKEv2 Keyring
A keyring that contains the pre-shared key(s) we want to use. On the hub a single wildcard peer entry covers all spokes:

crypto ikev2 keyring IKEV2-KEYRING
 peer SPOKES
  address 0.0.0.0 0.0.0.0
  pre-shared-key local iprulers
  pre-shared-key remote iprulers

4. IKEv2 Authorization Policy
With IKEv2 routing the hub advertises the IP address of its tunnel interface, plus the prefix permitted in FLEX-ROUTE, to the spoke routers, which install them as static routes:

aaa new-model
aaa authorization network FLEX-LOCAL local
!
ip access-list standard FLEX-ROUTE
 permit 192.168.1.0 0.0.0.255
!
crypto ikev2 authorization policy IKEV2-AUTHORIZ
 route set interface
 route set access-list FLEX-ROUTE

5. IKEv2 Profile
In the IKEv2 profile we configure the local and remote identity and the authentication method we want
to use. The virtual-template command binds the dynamic VTI of step 8 to this profile:

crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 0.0.0.0 0.0.0.0
 identity local address 201.0.0.1
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KEYRING
 aaa authorization group psk list FLEX-LOCAL IKEV2-AUTHORIZ
 virtual-template 1
6. IPSec Transform-Set
The transform-set is where we configure the encryption and hashing algorithms we want to use:

crypto ipsec transform-set TRANSFORM-SET esp-aes 256 esp-sha256-hmac
 mode tunnel

7. IPSec Profile
This is where we combine the IKEv2 profile and our IPSec transform-set:

crypto ipsec profile IPSECPROFILE
 set transform-set TRANSFORM-SET
 set ikev2-profile IKEV2-PROFILE

8. Dynamic VTI
Because the hub connects to multiple spoke routers, we need a dynamic VTI. It needs an IP address in the same subnet as the tunnel
interfaces on the spoke routers. However, you can't configure the IP address directly on the dynamic VTI interface, so we put it on a loopback and borrow it with ip unnumbered.
We also need to add an NHRP network ID and enable NHRP redirection on the virtual-template interface:

interface Loopback0
 ip address 172.16.0.1 255.255.255.255
 no shutdown
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel protection ipsec profile IPSECPROFILE

R2 (Spoke 1)

1. IKEv2 Proposal
The proposal is a collection of items we use in the negotiation of the IKEv2 security association (SA):

crypto ikev2 proposal IKEV2-PROPOSAL
 encryption 3des aes-cbc-128
 integrity md5 sha1
 group 15

2. IKEv2 Policy
This policy contains the proposals we want to use in the negotiation:

crypto ikev2 policy IKEV2-POLICY
 proposal IKEV2-PROPOSAL

3. IKEv2 Keyring
A keyring that contains the pre-shared key(s) we want to use. Besides the hub, each spoke needs a peer entry for the other spoke:

crypto ikev2 keyring IKEV2-KEYRING
 peer HUB
  address 201.0.0.1
  pre-shared-key local iprulers
  pre-shared-key remote iprulers
 !
 peer SPOKE2
  address 203.0.0.1
  pre-shared-key local iprulers
  pre-shared-key remote iprulers

4. IKEv2 Authorization Policy
With IKEv2 routing the spoke advertises the address of its tunnel interface and the prefix permitted in FLEX-ROUTE to the
hub and to the other spoke routers:

aaa new-model
aaa authorization network FLEX-LOCAL local
!
ip access-list standard FLEX-ROUTE
 permit 192.168.2.0 0.0.0.255
!
crypto ikev2 authorization policy IKEV2-AUTHORIZ
 route set interface
 route set access-list FLEX-ROUTE

5. IKEv2 Profile
In the IKEv2 profile we configure the local and remote identity and the authentication method we want
to use. The spoke has to match the identity of the hub and of the other spoke:

crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 201.0.0.1 255.255.255.255
 match identity remote address 203.0.0.1 255.255.255.255
 identity local address 202.0.0.1
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KEYRING
 aaa authorization group psk list FLEX-LOCAL IKEV2-AUTHORIZ
 ! added by the editor (not on the original page): binds the dynamic VTI of step 8
 ! to this profile so a session initiated by the other spoke gets a virtual-access interface
 virtual-template 1

6. IPSec Transform-Set
The transform-set is where we configure the encryption and hashing algorithms we want to use:

crypto ipsec transform-set TRANSFORM-SET esp-aes 256 esp-sha256-hmac
 mode tunnel

7. IPSec Profile
This is where we combine the IKEv2 profile and our IPSec transform-set:

crypto ipsec profile IPSECPROFILE
 set transform-set TRANSFORM-SET
 set ikev2-profile IKEV2-PROFILE

8. Dynamic VTI
We need a dynamic VTI for spoke-to-spoke traffic, and we need to identify and authenticate the spoke routers we want
to communicate with (the keyring and profile entries above). Tunnel0 is the static tunnel to the hub; NHRP shortcut switching
uses virtual-template 1 to build the direct spoke-to-spoke tunnel after the hub sends a redirect:

interface Tunnel0
 ip address 172.16.0.2 255.255.255.0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel source GigabitEthernet1
 tunnel destination 201.0.0.1
 tunnel protection ipsec profile IPSECPROFILE
!
interface Virtual-Template1 type tunnel
 ip unnumbered Tunnel0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel source GigabitEthernet1
 tunnel protection ipsec profile IPSECPROFILE

R3 (Spoke 2)

The eight steps are the same as on R2; only the peer names, the addresses and the LAN prefix differ.

1. IKEv2 Proposal

crypto ikev2 proposal IKEV2-PROPOSAL
 encryption 3des aes-cbc-128
 integrity md5 sha1
 group 15

2. IKEv2 Policy

crypto ikev2 policy IKEV2-POLICY
 proposal IKEV2-PROPOSAL

3. IKEv2 Keyring

crypto ikev2 keyring IKEV2-KEYRING
 peer HUB
  address 201.0.0.1
  pre-shared-key local iprulers
  pre-shared-key remote iprulers
 !
 peer SPOKE1
  address 202.0.0.1
  pre-shared-key local iprulers
  pre-shared-key remote iprulers

4. IKEv2 Authorization Policy

aaa new-model
aaa authorization network FLEX-LOCAL local
!
ip access-list standard FLEX-ROUTE
 permit 192.168.3.0 0.0.0.255
!
crypto ikev2 authorization policy IKEV2-AUTHORIZ
 route set interface
 route set access-list FLEX-ROUTE

5. IKEv2 Profile

crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 201.0.0.1 255.255.255.255
 match identity remote address 202.0.0.1 255.255.255.255
 identity local address 203.0.0.1
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KEYRING
 aaa authorization group psk list FLEX-LOCAL IKEV2-AUTHORIZ
 ! added by the editor (not on the original page): same purpose as on R2
 virtual-template 1

6. IPSec Transform-Set

crypto ipsec transform-set TRANSFORM-SET esp-aes 256 esp-sha256-hmac
 mode tunnel

7. IPSec Profile

crypto ipsec profile IPSECPROFILE
 set transform-set TRANSFORM-SET
 set ikev2-profile IKEV2-PROFILE

8. Dynamic VTI

interface Tunnel0
 ip address 172.16.0.3 255.255.255.0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel source GigabitEthernet1
 tunnel destination 201.0.0.1
 tunnel protection ipsec profile IPSECPROFILE
!
interface Virtual-Template1 type tunnel
 ip unnumbered Tunnel0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel source GigabitEthernet1
 tunnel protection ipsec profile IPSECPROFILE
