Uploaded by ash.shibu1997

FlexVPN Hub and Spoke using Dynamic VTI-2

The FlexVPN hub and spoke topology can be useful when you have a central site and multiple remote sites.
After configuring the hub and your first spoke router, adding extra spoke routers is easy.
FlexVPN is an improvement over DMVPN and is sometimes (unofficially) referred to as DMVPN phase 4.
FlexVPN uses virtual tunnel interfaces (VTI), an alternative to the older crypto-maps.

There are two VTI types:

• Dynamic VTI (DVTI)
• Static VTI (SVTI): a regular tunnel interface

Previously we used static VTIs. A static VTI is a "regular" tunnel interface on which you define a tunnel source and a tunnel destination.
With a dynamic VTI, we use a single virtual template on the hub router. Whenever a new IPsec session is needed, the router
automatically creates a virtual access interface that is cloned from the virtual template. With two remote spoke routers, you will
have one virtual template and two virtual access interfaces.

The virtual template can include most of what you would use on a regular interface. You can add access-lists, policy-maps for
QoS, etc. These are all copied to the virtual access interfaces. The DVTI makes it easy to create lots of IPSec sessions with remote
peers.

In this hub and spoke topology, we use a dynamic VTI on the hub and static VTIs on the spoke routers.

• The hub router has a Loopback0 interface with an IP address we will use for the dynamic VTI interface.

In the lab below we do the routing over the tunnels with a dynamic routing protocol such as EIGRP, OSPF or BGP.

R1 (Hub)

1. IKEv2 Proposal
The proposal is a collection of items we use in the negotiation of the IKEv2 security association (SA).

crypto ikev2 proposal IKEV2-PROPOSAL
 encryption 3des aes-cbc-128
 integrity md5 sha1
 group 15

2. IKEv2 Policy
This policy contains the proposals we want to use in the negotiation.

crypto ikev2 policy IKEV2-POLICY
 proposal IKEV2-PROPOSAL

3. IKEv2 Keyring
A keyring that contains the pre-shared key(s) we want to use.

crypto ikev2 keyring IKEV2-KEYRING
 peer SPOKES
  address 0.0.0.0 0.0.0.0
  pre-shared-key local iprulers
  pre-shared-key remote iprulers

4. IKEv2 Profile
In the IKEv2 profile, we configure the local and remote identity and the authentication we want to use. On the hub, the profile also references the virtual template from which the virtual access interfaces are cloned.

crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 0.0.0.0 0.0.0.0
 identity local address 201.0.0.1
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KEYRING
 virtual-template 1

5. IPsec Transform-Set
The transform-set is where we configure the encryption and hashing algorithms we want to use:

crypto ipsec transform-set TRANSFORM-SET esp-aes 256 esp-sha256-hmac
 mode tunnel

6. IPsec Profile
This is where we combine the IKEv2 profile and our IPsec transform-set:

crypto ipsec profile IPSECPROFILE
 set transform-set TRANSFORM-SET
 set ikev2-profile IKEV2-PROFILE

7. Dynamic VTI
Because the hub connects to multiple spoke routers, we need a dynamic VTI. It uses an IP address in the same subnet as the tunnel
interfaces on the spoke routers. However, you can't configure the IP address directly on the dynamic VTI interface, so we configure it
on Loopback0 and borrow it with ip unnumbered:

interface Loopback0
 ip address 172.16.1.1 255.255.255.255
 no shutdown
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel protection ipsec profile IPSECPROFILE

8. Configure Routing Protocol

router eigrp 100
 network 192.168.1.0 0.0.0.255
 network 172.16.1.0 0.0.0.255

R2 (Spoke 1)

1. IKEv2 Proposal
The proposal is a collection of items we use in the negotiation of the IKEv2 security association (SA).

crypto ikev2 proposal IKEV2-PROPOSAL
 encryption 3des aes-cbc-128
 integrity md5 sha1
 group 15

2. IKEv2 Policy
This policy contains the proposals we want to use in the negotiation.

crypto ikev2 policy IKEV2-POLICY
 proposal IKEV2-PROPOSAL

3. IKEv2 Keyring
A keyring that contains the pre-shared key(s) we want to use.

crypto ikev2 keyring IKEV2-KEYRING
 peer HUB
  address 201.0.0.1
  pre-shared-key local iprulers
  pre-shared-key remote iprulers

4. IKEv2 Profile
In the IKEv2 profile, we configure the local and remote identity and the authentication we want to use.

crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 201.0.0.1 255.255.255.255
 identity local address 202.0.0.1
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KEYRING

5. IPsec Transform-Set
The transform-set is where we configure the encryption and hashing algorithms we want to use:

crypto ipsec transform-set TRANSFORM-SET esp-aes 256 esp-sha256-hmac
 mode tunnel

6. IPsec Profile
This is where we combine the IKEv2 profile and our IPsec transform-set:

crypto ipsec profile IPSECPROFILE
 set transform-set TRANSFORM-SET
 set ikev2-profile IKEV2-PROFILE

7. Static VTI
On the spoke routers, we use a "regular" static VTI (tunnel interface):

interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
 tunnel source G1
 tunnel destination 201.0.0.1
 tunnel protection ipsec profile IPSECPROFILE

8. Configure Routing Protocol

router eigrp 100
 network 192.168.2.0 0.0.0.255
 network 172.16.1.0 0.0.0.255

R3 (Spoke 2)

1. IKEv2 Proposal
The proposal is a collection of items we use in the negotiation of the IKEv2 security association (SA).

crypto ikev2 proposal IKEV2-PROPOSAL
 encryption 3des aes-cbc-128
 integrity md5 sha1
 group 15

2. IKEv2 Policy
This policy contains the proposals we want to use in the negotiation.

crypto ikev2 policy IKEV2-POLICY
 proposal IKEV2-PROPOSAL

3. IKEv2 Keyring
A keyring that contains the pre-shared key(s) we want to use.

crypto ikev2 keyring IKEV2-KEYRING
 peer HUB
  address 201.0.0.1
  pre-shared-key local iprulers
  pre-shared-key remote iprulers

4. IKEv2 Profile
In the IKEv2 profile, we configure the local and remote identity and the authentication we want to use.

crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 201.0.0.1 255.255.255.255
 identity local address 203.0.0.1
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KEYRING

5. IPsec Transform-Set
The transform-set is where we configure the encryption and hashing algorithms we want to use:

crypto ipsec transform-set TRANSFORM-SET esp-aes 256 esp-sha256-hmac
 mode tunnel

6. IPsec Profile
This is where we combine the IKEv2 profile and our IPsec transform-set:

crypto ipsec profile IPSECPROFILE
 set transform-set TRANSFORM-SET
 set ikev2-profile IKEV2-PROFILE

7. Static VTI
On the spoke routers, we use a "regular" static VTI (tunnel interface):

interface Tunnel0
 ip address 172.16.1.3 255.255.255.0
 tunnel source G1
 tunnel destination 201.0.0.1
 tunnel protection ipsec profile IPSECPROFILE

8. Configure Routing Protocol

router eigrp 100
 network 192.168.3.0 0.0.0.255
 network 172.16.1.0 0.0.0.255
Verification

On the hub, check the IKEv2 and IPsec SAs, the cloned virtual access interfaces and the routes learned over them:

Hub#show crypto ikev2 sa
Hub#show crypto ipsec sa
Hub#show ip interface brief | include Virtual
Hub#show derived-config interface Virtual-Access1
Hub#show ip route
