Configuring FlexVPN¶
IKEv2 Authorization Policies¶
Configurations sent during VPN setup
FlexVPN can take full advantage of Authorization Policies
IP Addresses
Server Settings
Static Routes
We’re going to:
Enable AAA
Create an Authorization List
Create an IPv6 ACL allowing IPs we want to include in peer’s routing table
Reference the ACL in an Authorization Policy
Reference both the Authorization List and Authorization Policy in the IKEv2 Profile
Hub Config
Globomantics-HQ(config)#aaa new-model
Globomantics-HQ(config)#aaa authorization network FlexAuthList local
Globomantics-HQ(config)#ipv6 access-list Flex-IPs-Out
Globomantics-HQ(config-ipv6-acl)#permit ipv6 fd00::/8 any
Globomantics-HQ(config-ipv6-acl)#exit
Globomantics-HQ(config)#crypto ikev2 authorization policy FlexAuthPolicy
Globomantics-HQ(config-ikev2-author-policy)#route set access-list ipv6 Flex-IPs-Out
Globomantics-HQ(config-ikev2-author-policy)#route set interface
Globomantics-HQCconfig-ikev2-author-policy)#exit
Globomantics-HQ(config)#crypto ikev2 profile FlexIKEv2Profile
Globomantics-HQCconfig-ikev2-profile)#aaa authorization group cert list FlexAuthList FlexAuthPolicy
Spoke Config
Globomantics-0MA(config)#aaa authorization network FlexAuthList local
Globomantics-OMA(config)#ipv6 access-list Flex-IPs-Out
Globomantics-0MA(config-ipv6-acl)#permit ipv6 fd00:2::/64 any
Globomantics-0MACconfig-ipv6-acl)#exit
Globomantics-0MA(config)#crypto ikev2 auth policy FlexAuthPolicy
Globomantics-0MA(config-ikev2-author-policy)#Sccess-list ipv6 Flex-IPs-Out
Globomantics-0MA(config-ikev2-author-policy)#exit
Globomantics-0MA(config)#crypto ikev2 profile FlexIKEv2Profile
Globomantics-0MA(config-ikev2-profile)#faaa authorization group cert list FlexAuthList FlexAuthPolicy
Creating a Dynamic VTI¶
Dynamic VTIs¶
Allow VPN interfaces to be automatically created
Reduces administrative overhead
Virtual template
Globomantics-HQ#conf t
Globomantics-HQ(config)#interface virtual-template 6 type tunnel
Globomantics-HQ(config-if)#ipv6 unnumbered loopback
Globomantics-HQ(config-if)#tunnel source 1000:1::1
Globomantics-HQ(config-if)#tunnel mode ipsec ipv6
Globomantics-HQ(config-if)#tunnel protection ipsec profile FlexIPsecProfile
Globomantics-HQ(config-if)#
Globomantics-HQ(config-if)#exit
Globomantics-HQ(config)#crypto ikev2 profile FlexIKEv2Profile
Globomantics-HQ(config-ikev2-profile)#virtual-template 6
Globomantics-HQ(config-ikev2-profile)#exit
Enrolling in Globomantics’ PKI¶
Still need to configure authentication
Digital certificates are more secure
Easier to scale
Use RSA signatures as authentication
Match on the issuer of the certificates
We’re going to:
Configure NTP
Generate RSA keys
Create PKI trustpoint pointing to Globomantics’ CA server
Install CA cert
Generate CSR and install our own cert
Reference our cert in our IKEv2 profile by using a certificate map
Globomantics-HQ#conf t
Globomantics-HQ(Config)#ntp server 8.8.8.8
Globomantics-HQ(config)#clocl timezone est -5
Globomantics-HQ(config)# Globomantics-HQ(config)#
Globomantics-HQ(config)#$generate rsa modulus 2048 label HQ-RSA-Keys
Globomantics-HQ(config)#crypto pki trustpoint Globo-CA
Globomantics-HQ(ca-trustpoint)#enrollment terminal
Globomantics-HQ(ca-trustpoint)#fqdn hq.globomantics.com
Globomantics-HQ(ca-trustpoint)t#subject-name cn=hq.globomantiCs.com
Globomantics-HQ(ca-trustpoint)#revocation-check none
Globomantics-HQ(ca-trustpoint)#rsakeypair HA-RSA-Keys
Globomantics-HQ(ca-trustpoint)#exit
Globomantics-HQ(config)#crypto pki authenticate Globo-CA
Globomantics-HQ(config)#crypto pki enroll Globo-CA
Globomantics-H0(confia)#crypto pki import Globo-CA certificate
Globomantics-HQ(config)#do show crypto pki certificates
Using Digital Certificates for Authentication¶
Globomantics-HQ(config)#crypto pki certificate map FlexCerts 1
Globomantics-HQ(ca-certificate-map)#issuer-name co globomantics
Globomantics-HQ(ca-certificate-map)#exit
Globomantics-HQ(config)#crypto ikev2 profile FlexIKEv2Profile
Globomantics-HQ(ca-certificate-Map)#issuer-name co globomantics
Globomantics-HQ(ca-certificate-map)#exit
Globomantics-HQ(config)#crypto ikev2 profile FlexIKEv2Profile
Globomantics-HQ(config-ikev2-profile)#identity local dn Globomantics-HQ(config-ikevZ-profile)#match certificate FlexCerts
Globomantics-HQ(config-ikev2-profile)#authentication remote rsa-sig
Globomantics-HQCconfig-ikev2-profile)#authen local rsa-sig
Globomantics-HQ(config-ikev2-profile)#pki trustpoint Globo-CA
Globomantics-HQ(config-ikev2-profile)#lifetime 86400
Globomantics-HQ(Config-ikev2-profile)#exit
Configuring a FlexVPN Client¶
FlexVPN Clients¶
Previously configured static tunnels
Configure spokes to act as FlexVPN client
Connect to multiple peers
Use SLA tracking objects
Globomantics-OMA(config)#crypto ikev2 client flexvpn GloboFlex
Globomantics-0MA(config-ikev2-flexvpn)#peer 1 1000:1::1
Globomantics-OMA(config-ikev2-flexvpn)#peer 2 1111:1::1
Globomantics-0MA(config-ikev2-flexvpn)#connect auto
Globomantics-OMA(config-ikev2-flexvpn)#client inside loop2
Globomantics-OMA(config-ikevZ-flexvpn)#client connect tunnel 6
Globomantics-OMA(config)#int tun 6
Globomantics-0MA(config-if)#ipv6 unnumbered lo6
Globomantics-OMA(config-if)#tunnel source 2000:2::2
Globomantics-OMA(config-if)#tunnel mode ipsec ipv6
Globomantics-QMA(config-if)#tunnel protection ipsec profile FlexIPsecProfile
Globomantics-OMA(config-if)#tunnel destination dynamic
Globomantics-0MA(config-if)#