FlexVPN IKEv2 Routing

With FlexVPN, we have two options for routing:

  • Use a dynamic routing protocol like EIGRP, OSPF, or BGP.
  • Advertise routes within the IKEv2 Security Association (SA).

In this lesson, I’ll explain how to advertise routes with IKEv2.

Configuration

This is the topology we are going to use:

Flexvpn R1 R2 Tunnel Interface Loopback

I’m using the same topology and configuration which we used in the FlexVPN site-to-site smart defaults lesson. The only difference is that this time, each router has a loopback interface. We will advertise the networks on these loopback interfaces with IKEv2.

Configurations

Want to take a look for yourself? Here you will find the startup configuration of each device.

R1

hostname R1
!
ip cef
!
crypto ikev2 keyring KEYRING
 peer R2
  address 192.168.12.2
  pre-shared-key local CISCO
  pre-shared-key remote CISCO
!
crypto ikev2 profile default
 match identity remote fqdn R2.NWL.LAB
 identity local fqdn R1.NWL.LAB
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING
!
crypto ipsec profile default
 set ikev2-profile default
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
 ip address 172.16.12.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 192.168.12.2
 tunnel protection ipsec profile default
!
interface GigabitEthernet0/0
 ip address 192.168.12.1 255.255.255.0
!
end

R2

hostname R2
!
ip cef
!
crypto ikev2 keyring KEYRING
 peer R1
  address 192.168.12.1
  pre-shared-key local CISCO
  pre-shared-key remote CISCO
!
crypto ikev2 profile default
 match identity remote fqdn R1.NWL.LAB
 identity local fqdn R2.NWL.LAB
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING
!
crypto ipsec profile default
 set ikev2-profile default
!
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Tunnel0
 ip address 172.16.12.2 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 192.168.12.1
 tunnel protection ipsec profile default
!
interface GigabitEthernet0/0
 ip address 192.168.12.2 255.255.255.0
!
end

To configure IKEv2 routing, we need an IKEv2 authorization policy. You can configure this locally on the router or on a RADIUS server. We’ll configure a local policy.

R1

Let’s start with R1. First, we need to enable AAA and create a new AAA authorization list:

R1(config)#aaa new-model 
R1(config)#aaa authorization network FLEXVPN_LOCAL local

We need to configure which routes we want to advertise to the other router. We do this by specifying an access-list under the IKEv2 authorization policy:

R1(config)#crypto ikev2 authorization policy default
R1(config-ikev2-author-policy)#route set access-list FLEXVPN_ROUTES
   
R1(config)#ip access-list standard FLEXVPN_ROUTES
R1(config-std-nacl)#permit host 1.1.1.1
IKEv2 advertises whatever you add to the access-list, even routes you don’t have in your routing table. This could be useful if you want to advertise a summary route.

The final step is to add the AAA authorization list under the IKEv2 profile:

R1(config)#crypto ikev2 profile default
R1(config-ikev2-profile)#aaa authorization group psk list FLEXVPN_LOCAL default

This completes our configuration.

R2

We’ll configure the same thing on R2:

R2(config)#aaa new-model 

R2(config)#aaa authorization network FLEXVPN_LOCAL local

R2(config)#crypto ikev2 authorization policy default
R2(config-ikev2-author-policy)#route set access-list FLEXVPN_ROUTES

R2(config)#ip access-list standard FLEXVPN_ROUTES
R2(config-std-nacl)#permit host 2.2.2.2

R2(config)#crypto ikev2 profile default
R2(config-ikev2-profile)#aaa authorization group psk list FLEXVPN_LOCAL default

That’s all we need. Let’s verify our work.

Verification

If you already configured FlexVPN, you might want to clear the SA with the clear crypto sa command. When the tunnel is back up, we can check the IKEv2 SA:

R1#show crypto ikev2 sa detailed 
 IPv4 Crypto IKEv2  SA 

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
1         192.168.12.1/500      192.168.12.2/500      none/none            READY  
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/851 sec
      CE id: 1060, Session-id: 57
      Status Description: Negotiation done
      Local spi: 798CFC24798EED13       Remote spi: DF621FC6F730E675
      Local id: R1.NWL.LAB
      Remote id: R2.NWL.LAB
      Local req msg id:  0              Remote req msg id:  3         
      Local next msg id: 0              Remote next msg id: 3         
      Local req queued:  0              Remote req queued:  3         
      Local window:      5              Remote window:      5         
      DPD configured for 0 seconds, retry 0
      Fragmentation not  configured.
      Dynamic Route Update: disabled
      Extended Authentication not configured.
      NAT-T is not detected  
      Cisco Trust Security SGT is disabled
      Initiator of SA : No
      Remote subnets:
      172.16.12.2 255.255.255.255
      2.2.2.2 255.255.255.255
R2#show crypto ikev2 sa detailed
 IPv4 Crypto IKEv2  SA 

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
1         192.168.12.2/500      192.168.12.1/500      none/none            READY  
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/884 sec
      CE id: 1060, Session-id: 2
      Status Description: Negotiation done
      Local spi: DF621FC6F730E675       Remote spi: 798CFC24798EED13
      Local id: R2.NWL.LAB
      Remote id: R1.NWL.LAB
      Local req msg id:  3              Remote req msg id:  0         
      Local next msg id: 3              Remote next msg id: 0         
      Local req queued:  3              Remote req queued:  0         
      Local window:      5              Remote window:      5         
      DPD configured for 0 seconds, retry 0
      Fragmentation not  configured.
      Dynamic Route Update: disabled
      Extended Authentication not configured.
      NAT-T is not detected  
      Cisco Trust Security SGT is disabled
      Initiator of SA : Yes
      Remote subnets:
      172.16.12.1 255.255.255.255
      1.1.1.1 255.255.255.255

In the output of R1 and R2 above, we see two remote subnets on each router:

  • One remote subnet for the loopback interface.
  • One remote subnet for the remote tunnel IP address.

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now!

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 800 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)
527 Sign Ups in the last 30 days
satisfaction-guaranteed

  • 100% Satisfaction Guaranteed!
  • You may cancel your monthly membership at any time.
  • No Questions Asked!

Tags: ,


Ask a question or start a discussion by visiting our Community Forum