Cisco supports many VPN types and most of them require different configurations, show commands, and debug commands. Each VPN type also supports different features. If you want to see what I am talking about, take a look at some of these examples:
- Cisco IPSec Tunnel Mode
- Encrypted GRE tunnel with IPSec
- IPSec Static Virtual Tunnel Interface
- IPSec Virtual Tunnel Interface
- DMVPN Phase 1 Basic Configuration
FlexVPN is Cisco’s solution to simplify VPN deployments and covers all VPN types. For example:
- Site-to-site
- Hub and spoke (including spoke-to-spoke traffic)
- Remote access
The only VPN type that FlexVPN doesn’t cover is GETVPN.
FlexVPN uses IKEv2 for all VPN types. IKEv2 is the successor of IKEv1 and has some interesting features:
- More secure than IKEv1 because it supports the latest Suite B cryptographic algorithms.
- Built-in support for dead peer detection (DPD) and NAT-Traversal.
- Combined IKEv1 main and aggressive modes into one method called “initial”.
- Supports native routing.
- Besides certificates and PSKs, also supports EAP authentication.
- XAUTH is replaced by EAP tunneling.
You can read more about IKEv2 in RFC 7296.
The configuration of FlexVPN is supposed to be easy. One reason why it is easy is because of smart defaults. With smart defaults, you can use pre-defined values based on best practices. This minimizes the things you have to configure.
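To show what smart defaults actually save you, here is an added example of a minimal FlexVPN site-to-site configuration on one router. It is not configuration from the original lesson; the peer address, tunnel addressing, interface name and the placeholder pre-shared key are all made up for illustration. The IKEv2 proposal, IKEv2 policy, IPsec transform set and IPsec profile are all taken from the pre-defined `default` objects, so the only things you configure by hand are the keyring, the IKEv2 profile and the tunnel interface:

```cisco
! Keyring: who the peer is and the key we share with it (constructed values)
crypto ikev2 keyring FLEX-KEYRING
 peer R2
  address 192.0.2.2
  pre-shared-key REPLACE-WITH-A-STRONG-KEY
!
! IKEv2 profile: how the peer is matched and authenticated.
! No "crypto ikev2 proposal" or "crypto ikev2 policy" is needed;
! the smart default proposal/policy are used automatically.
crypto ikev2 profile FLEX-IKEV2-PROFILE
 match identity remote address 192.0.2.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local FLEX-KEYRING
!
! Smart-default IPsec profile (already exists with the default transform set);
! it only needs to be told which IKEv2 profile to use.
crypto ipsec profile default
 set ikev2-profile FLEX-IKEV2-PROFILE
!
! Tunnel interface carrying the protected traffic
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel source GigabitEthernet0/1
 tunnel destination 192.0.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default
!
! Verification: inspect what the smart defaults contain before trusting them
! show crypto ikev2 proposal default
! show crypto ikev2 policy default
! show crypto ipsec transform-set default
! show crypto ipsec profile default
! show crypto ikev2 sa
```

One caveat for anyone relying on the defaults: the contents of the `default` proposal and transform set depend on the IOS/IOS-XE release, and older releases list legacy algorithms alongside the strong ones. Run the `show` commands above after configuring, and if the negotiated algorithms are not what your policy requires, define your own `crypto ikev2 proposal` and `crypto ipsec transform-set` and reference them explicitly instead of the defaults.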
To explain FlexVPN in detail, I created a series of lessons that explain the different VPN types. Everything I explained above will be demonstrated in detail with configuration examples. Here is the full list: