FlexVPN at a glance

Mar 16, 2012 6:26 AM

What is Flex VPN?

A technology taking quite a bit of my time these days is Flex VPN (or flex as we refer to it).

Flex VPN is a new framework for configuring IPsec VPNs with IKE version 2 (IKEv2) on IOS platforms.

The word framework is intentional; you will notice that much of the configuration is still the same or familiar, but multiple capabilities have ended up in one configuration block.


Why develop Flex?

Flex combines multiple frameworks (crypto maps, EzVPN, DMVPN) into a single, comprehensible set of CLI and binds it together with something that offers more flexibility and a means to extend functionality in the future.

Quite frankly, we learned a lot from our customers deploying crypto maps, DMVPN and VTIs; it was time to collapse this knowledge and extend what we can do to better fit today's world.

Benefits of Flex

FlexVPN is an old friend with new clothes and a new heart. It still allows you to do all the cool things, but in a better way.

  • You can run Flex alongside all your previous IPsec VPNs. Most scenarios allow coexistence of previous configuration and Flex.
  • Based on IKEv2 rather than IKEv1, which improves almost all aspects of negotiation and protocol stability.
  • Uses GRE over IPsec or VTI as encapsulation. GRE allows you to run almost anything over it; IPsec provides security for the payload.
  • Supports IPv6 and IPv4 for both the transport and the overlay protocol.
  • Multiple functionalities achievable with one framework.
  • Utilizes virtual interfaces, allowing per-spoke features like firewall, QoS, ACLs, etc.
  • Remote access server and client (software and hardware), similar to EzVPN.
  • Dynamic spoke-to-spoke tunnels, familiar to everyone who knows DMVPN.
  • Ease of configuration by using sane defaults: you no longer need to define policies, transform sets etc.; IKEv2 has built-in defaults that make sense and will be updated.
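To illustrate the "sane defaults" point, here is an added minimal hub-and-spoke FlexVPN configuration that is not part of the original post: no IKEv2 proposal or policy and no IPsec transform set are defined, so the built-in IKEv2 smart defaults are used. Interface names, addresses, profile names and the pre-shared key are placeholders.

```cisco
! ---- Hub (IKEv2 responder, placeholder names and addresses) ----
! No "crypto ikev2 proposal/policy" and no "crypto ipsec transform-set":
! the IKEv2 and IPsec smart defaults apply.
crypto ikev2 keyring FLEX-KEYS
 peer SPOKES
  address 0.0.0.0 0.0.0.0
  pre-shared-key REPLACE-WITH-STRONG-PSK
!
crypto ikev2 profile FLEX-HUB
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local FLEX-KEYS
 virtual-template 1
!
crypto ipsec profile FLEX-IPSEC
 set ikev2-profile FLEX-HUB
!
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
!
! One virtual-access interface is cloned per spoke, which is what
! enables per-spoke QoS, ACLs and firewall policy.
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel protection ipsec profile FLEX-IPSEC
!
! ---- Spoke (IKEv2 initiator, hub public address 192.0.2.1 is a placeholder) ----
crypto ikev2 keyring FLEX-KEYS
 peer HUB
  address 192.0.2.1
  pre-shared-key REPLACE-WITH-STRONG-PSK
!
crypto ikev2 profile FLEX-SPOKE
 match identity remote address 192.0.2.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local FLEX-KEYS
!
crypto ipsec profile FLEX-IPSEC
 set ikev2-profile FLEX-SPOKE
!
! Default tunnel mode is GRE over IP; IPsec protects the GRE payload.
interface Tunnel0
 ip address 10.255.255.2 255.255.255.255
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.1
 tunnel protection ipsec profile FLEX-IPSEC
```

Routing across the tunnel (static routes or an IGP) is not shown. The smart defaults on early releases include legacy algorithms such as 3DES and DH group 2; inspect them with show crypto ikev2 proposal and define an explicit proposal if you need to restrict the suite.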

What works with Flex

1. Hardware.

Since Flex is based on IKEv2, there is currently a restriction on which platforms support it:

- 2nd generation ISRs (19xx, 29xx, 39xx platforms). Remember to check for the sec-k9 or hsec-k9 license!

- ASR 1000.

Note: 7200p images might have IKEv2 and CLI present, but at the time of writing, we do not support Flex on 7200/7200p.

2. On the software client side

  • AnyConnect 3.0 using IKEv2/IPsec.
  • Windows 7's built-in IKEv2-based IPsec client.

What platforms will work with Flex in the future?

Since Flex is based on GRE over IPsec or VTI, bound together with IKEv2, other vendors should be able to connect.

At the time of writing, ASA support for Flex is not yet implemented.

Where can I learn more?

Documentation

More about IKEv2

https://supportforums.cisco.com/community/netpro/security/vpn/blog/2010/12/22/ike-version-2-at-a-glance

How to configure Flex VPN on ISRs

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/15-2mt/sec-flex-vpn-15-2mt-book.html

Configuration guide for Flex on ASR 1k:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/xe-3s/sec-flex-vpn-xe-3s-book.html


Supportforums

Over the coming weeks we will publish documents on supportforums showing different ways to deploy this functionality.

Comments? Feedback? Questions?


Feel free to ask in the comments section of this post.


Comments

SHECHTER_2 Tue, 06/05/2012 - 04:51

Good read.

What are the redundancy options for FlexVPN Server?

If stateless redundancy is acceptable, can we just use HSRP as the address the AnyConnect clients point to?

Marcin Latosiewicz Tue, 06/05/2012 - 06:51 (reply to SHECHTER_2)

Dan,

AFAIR, Tunnel protection still only allows stateful HA cluster.

That being said, IKEv2 has a built-in redirection feature & we have an IOS IKEv2 clustering solution for Flex that should be made available in the coming weeks, which will allow redundancy.

Obviously I can't give you too many details or (unfortunately) when it's going to be exactly available, but you can get that info through your SE.

HTH,

M.

fdetienn Tue, 06/12/2012 - 00:05 (reply to SHECHTER_2)

Hi Dan,

I forgot to answer the first part of your question.

Flex supports a variety of backup options depending on the client (IOS or AnyConnect).

For IOS branch routers:

  . Dual active tunnels

  . Tunnel pivot

  . Multiple peer + backup list

With anyconnect or IOS branch routers:

  . HSRP (stateless failover)

  . DNS based hub resolution (allowing inter geographical load balancing and backup)

As Marcin stated, an IKEv2 based load balancer that doubles as an N+1 backup strategy will be available in 3.8 (nov release) on ASR and 15.3M (July release) on ISR g2. As usual with future features, better monitor status through your account team to verify the item is on track.

Best regards,

   Fred

SHECHTER_2 Wed, 06/13/2012 - 20:23

Hi Fred,

Thanks for the answers.

Regarding HSRP, as I understand, FlexVPN will respond to requests coming to the HSRP's virtual IP address, and all further communications with the remote access client, such as DPD/rekeying etc., will use that HSRP address as the source address. Am I correct?

What will happen if the router stops being the active HSRP? Will it drop all its FlexVPN connections? I hope so... For regular VPN, the one with crypto maps, we have the redundancy keyword when applying a crypto map on an interface. I can't find anything similar with FlexVPN which ties it to the HSRP status of an interface.

Thanks,

Dan

fdetienn Wed, 06/20/2012 - 08:16 (reply to SHECHTER_2)

Hi Dan,

sorry for the late reply; I am traveling and my agenda is quite busy (and messy).

You are correct: the HSRP active server will take all requests. There is nothing special to configure (no specific CLI).

Here is what happens:

Assume two servers A & B. Initially A is active, B is standby. All the clients are connected on the active A.

A goes down (standby or shut down or reboot or physical interface down...). B becomes the active server.

If A reboots or hangs or crashes, the SAs are lost and that's easy. If A simply loses its connectivity to the WAN, the virtual-access interfaces will go into up/down state (i.e. line protocol down state). They will come back up if the HSRP state swings back; otherwise, they just "hang" there. They will possibly be deleted because of DPD, idle timer or simply lifetime expiration. So regardless of what happens, the SAs do not interfere anymore.

The clients then discover the VIP (which is now B) does not own the SAs, thanks to the liveness check, and rebuild the SAs with B.

The liveness check takes the longest time in this process. (28s). We are working on a mechanism to make this faster (almost immediate) but the feature is not committed.

To be honest, I strongly recommend active-active tunnels (i.e. both hubs active, each spoke dual homed) instead of HSRP because the mechanism is more straightforward (tunnels are always up and can be monitored - no bad surprise at failover time). The only advantage of HSRP is that it consumes a single public IP address instead of two but if you can spend an IP address wisely, I would say it is on having active-active instead.

best regards,

   Fred

lucy.west@uk.ea... Fri, 02/01/2013 - 04:12

hi - we are trying to get FlexVPN on ASR1k working to a remote site which is hidden behind a NAT, using GRE as the tunnel encapsulation: this doesn't work.

If we keep the same config but change the tunnel type to 'Tunnel mode ipsec ipv4' it works fine.

Using GRE tunnel encapsulation to a CPE IP which is not hidden behind a NAT - this also works.

Does anyone know if there is a known limitation on doing FlexVPN using GRE tunnel encapsulation to a CPE which sits behind a NAT?

We want to use GRE as it's the only way we've been able to get V6 and V4 attributes applied by RADIUS; we found this didn't work with 'Tunnel mode ipsec ipv4' as the tunnel encapsulation.

All help gratefully received!

Lucy

lucy.west@uk.ea... Fri, 02/01/2013 - 04:56 (reply to Marcin Latosiewicz)

Thanks Marcin - we are only trying to make 1 tunnel behind a NAT work, not 2 as in the Bug description....Did you test FlexVPN with a GRE tunnel for just one CPE behind a NAT?

Marcin Latosiewicz Fri, 02/01/2013 - 05:13 (reply to lucy.west@uk.ea...)

I've done tests for both GRE and VTI behind NAT, also with multiple peers (to reproduce the bug). Granted that not all my tests were done with ASR1k - I'm not a testing engineer ;-)

We've seen problems with NAT-T but quite early on.

Open up a TAC case; we'd need to look into the config and most likely QFP drops.

You can also check parts of QFP yourself (shameless plug):

https://supportforums.cisco.com/docs/DOC-16275

Also, when opening the TAC case, it would help to know what doesn't work - is it establishing the tunnel or passing data?

lucy.west@uk.ea... Fri, 02/01/2013 - 05:29 (reply to Marcin Latosiewicz)

We did open a case yesterday but haven't heard back yet, hence I posted on here just to see if it's a known problem: I'll get some debugs and follow your very handy-looking doc.

Many thanks!

wzhang Wed, 02/06/2013 - 19:04

Hi, Calin:

The data sheet is correct - flexvpn is not supported on the 7200 platform. We'll try to get this corrected.

Thanks,

Wen
