What is Flex VPN?
A technology taking quite a bit of my time these days is Flex VPN (or "flex", as we refer to it).
Flex VPN is a new framework for configuring IPsec VPNs with IKE version 2 (IKEv2) on IOS platforms.
The word framework is intentional: you will notice that a lot of the configuration is still the same or familiar, but multiple capabilities have been brought together in one configuration block.
Why develop Flex?
Flex is a way to combine multiple frameworks (crypto maps, EzVPN, DMVPN) into a single, comprehensible set of CLI, and to bind it together with something that offers more flexibility and a means to extend functionality in the future.
Quite frankly, we learned a lot from our customers deploying crypto maps, DMVPN and VTIs; it was time to collapse that knowledge and extend what we can do to better fit today's world.
Benefits of Flex
FlexVPN is an old friend with new clothes and a new heart. It still lets you do all the cool things, but in a better way.
- You can run Flex alongside all your previous IPsec VPNs. Most scenarios allow coexistence of the previous configuration and Flex.
- Based on IKEv2 rather than IKEv1, which improves almost all aspects of negotiation and protocol stability.
- Uses GRE over IPsec or VTI as encapsulation. GRE allows you to run almost anything over it; IPsec provides security for the payload.
- Supports IPv6 and IPv4 for both the transport and the overlay protocol.
- Multiple functionalities achievable with one framework.
- Utilizes virtual interfaces, allowing per-spoke features like firewall, QoS, ACLs, etc.
- Remote access server and client (software and hardware), similar to EzVPN.
- Dynamic spoke-to-spoke tunnels, familiar to everyone who knows DMVPN.
- Ease of configuration through sane defaults: you no longer need to define policies, transform sets, etc. IKEv2 has built-in defaults that make sense and will be updated.
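To make the "sane defaults" and "one configuration block" points concrete, here is a minimal FlexVPN hub-and-spoke pair. This is a constructed lab example added to this post, not configuration from the original article; the interface names, the addresses (RFC 5737 and RFC 1918 ranges), the profile and keyring names, and the pre-shared key are all assumptions and placeholders. Notice what is absent: no `crypto ikev2 proposal`, no `crypto ikev2 policy` and no `crypto ipsec transform-set`, because the IKEv2 smart defaults supply them.

```ios
! ===== Hub (assumed WAN address 203.0.113.1 on GigabitEthernet0/0) =====
! Constructed example: names, addresses and the key are placeholders.
crypto ikev2 keyring FLEX-KEYS
 peer SPOKES
  address 0.0.0.0 0.0.0.0
  pre-shared-key REPLACE-WITH-A-STRONG-KEY
!
! The IKEv2 profile is the single block that ties authentication, the
! keyring and the virtual-template together. No proposal or policy is
! configured here: the smart defaults provide them.
crypto ikev2 profile FLEX-PROFILE
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local FLEX-KEYS
 virtual-template 1
!
! No "set transform-set": the profile uses the default transform set
! created by the smart defaults.
crypto ipsec profile FLEX-IPSEC
 set ikev2-profile FLEX-PROFILE
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
! Every spoke that connects gets its own Virtual-Access interface cloned
! from this template; that per-spoke interface is where QoS, ACLs or a
! firewall policy would be applied.
! "tunnel mode ipsec ipv4" selects VTI encapsulation; leaving the tunnel
! mode at its default (GRE) gives the GRE-over-IPsec alternative.
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
!
! ===== Spoke (assumed WAN interface GigabitEthernet0/0) =====
crypto ikev2 keyring FLEX-KEYS
 peer HUB
  address 203.0.113.1
  pre-shared-key REPLACE-WITH-A-STRONG-KEY
!
crypto ikev2 profile FLEX-PROFILE
 match identity remote address 203.0.113.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local FLEX-KEYS
!
crypto ipsec profile FLEX-IPSEC
 set ikev2-profile FLEX-PROFILE
!
! A static VTI on the spoke pointing at the hub.
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
```

Routing over the overlay (static routes or a routing protocol across the tunnel) is left out of the example. Pre-shared keys are used only to keep the example short; IKEv2 also authenticates with certificates, which is the usual choice once the number of spokes grows. `show crypto ikev2 proposal` and `show crypto ikev2 policy` display the default proposal and policy the smart defaults negotiated with, and `show crypto ikev2 sa` confirms the IKEv2 SA came up, which is the first thing to check when a spoke does not connect.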
What works with Flex?
Since Flex is based on IKEv2, there is currently a restriction on which platforms support it:
- 2nd generation ISRs (19xx, 29xx, 39xx platforms). Remember to check for the sec-k9 or hsec-k9 license!
- ASR 1000.
Note: 7200p images might have IKEv2 and the CLI present, but at the time of writing we do not support Flex on the 7200/7200p.
- AnyConnect 3.0 using IKEv2/IPsec.
- Windows 7's built-in IKEv2-based IPsec client.
What platforms will work with Flex in the future?
Since Flex is based on GRE over IPsec or VTI, bound together with IKEv2, other vendors should be able to connect.
At the time of writing, ASA support for Flex is not yet implemented.
Where can I learn more?
More about IKEv2
How to configure Flex VPN on ISRs
Configuration guide for Flex on ASR 1k:
Over the coming weeks we will publish documents on supportforums showing different ways to deploy this functionality.
Comments? Feedback? Questions?
Feel free to ask in the comments section of this post.