Tag Archives: ipsec

FLEX VPN: Sample LAN-to-LAN configuration with Dynamic Routing

As a follow on to our FLEX VPN Overview  (http://wp.me/p1loe7-fJ) and to the first post presenting a sample configuration  (http://wp.me/p1loe7-hX), we will now examine a site-to-site scenario that relies on Cisco EIGRP to forward packets over the VPN tunnel. The only modification in our reference environment was the replacement of static routes by a dynamic routing protocol on the participant ISR G2 routers. Some new commands (not explored in the first article) will be used here in an attempt to help you build a tool set that might be handy on your monitoring and troubleshooting tasks.

Figures 1 and 2, respectively summarize the main settings on the HUB and on the SPOKE. Using a routing protocol not only brings scalability to your deployment but also simplies maintenance.

Figure 1: Main settings on HUB1

As depicted in the topologies, the EIGRP adjacency is built over the GRE Tunnel interface (whose subnet is After the routers become neighbors, the LAN subnets that need IPSec protection services ( on the HUB and on the SPOKE) are advertised to the remote peer. Detailed reachability information for our sample network is provided in Figure 5.

Figure 2: Main settings on SPOKE1

Figure 3 registers the type of information unveiled by the show crypto ikev2 session detail command.

Figure 3: Detailed information about the IKEv2 Session

Figure 4 brings a partial output of the show crypto ipsec sa command and characterizes that the tunnel in place, which is secured by the profile IPSEC-PROFILE1, uses the GRE protocol (notice the permit 47 statement on the IPSEC FLOW).

Figure 4: Information about the IPSec SA and Tunnel interface

Figure 5 reveals connectivity details from the HUB perspective. The show ip route command clearly demonstrates that the EIGRP updates flow trough the GRE tunnel, whereas the show ip cef commands are insightful with respect to forwarding activities. Notice that the show ip cef exact-route even displays the underlying interface used to reach the tunnel destination (, associated with Loopback 2000 on the SPOKE).

Figure 5: Routing and Forwarding information

It would be instructive at this point to compare the current scenario with that one covering static routes (http://wp.me/p1loe7-hX), document the commands already analyzed and make sure you understand the overall structure (and building blocks) of a FLEX VPN policy.

** Related Posts:

** Additional Reading:

Leave a comment

Filed under English, Security, VPN

Hello World: Simple LAN-to-LAN Flex VPN configuration

Having discussed the motivations behind FLEX VPN (http://wp.me/p1loe7-fJ) and presented information about positioning of Cisco IOS VPN solutions (http://wp.me/p1loe7-gy), it’s now time to jump to some practical scenarios.

Our site-to-site topology consists of two ISR G2 routers connected by a GRE interface, as depicted in Figures 1. The Integrated Services Routers rely on static routes to direct traffic to the tunnel and reach the protected networks ( on the HUB1 site and on SPOKE1 site). Authentication is performed by Pre-shared Keys (PSK) defined within a crypto ikev2 keyring. The main settings for this  environment are summarized for HUB1 and SPOKE1 on Figures 1 and 2, respectively.

This sample configuration is also useful to illustrate the overall structure of a FLEX VPN policy. The main building blocks are:

  • IKEv2 profile: basically defining how authentication is handled and what identities to consider. Settings such as the keyring (for PSK) and crypto trustpoint (for rsa-sig) are established here. The complete set of parameters contained in the IKEv2 profile are displayed with the show crypto ikev2 profile command.
  • IPSec Profile: determines the transform-set for IKE phase 2 (IPSec SA) and points to the IKEv2 profile. This type of profile is tied to the interface (similar to what we did for a crypto-map) by means of the tunnel protection ipsec profile command.

Other important entities (not shown in the configuration) are:

  • IKEv2 proposal: specifies the algorithms used to secure the IKE phase 1 SA. Take a look at Figure 3 and use the show crypto ikev2 proposal command to obtain more information about this policy component.
  • IKEv2 policy:  selects the IKEv2 proposal and VRFs where to place the VPN packets. Figure 4 registers the settings for the default IKEv2 policy.

Figure 1: Main Configs on router HUB1

It’s interesting to observe that FLEX provides extra flexibility with regards to the authentication process (that can even be asymmetric). Some possibilities are listed below:

  • The HUB can use a pre-shared key with all the spokes (which is not the ideal) but still have an individual key to authenticate each of the remotes. In previous models if the HUB had to share a key with all the spokes, that key would be known to all the routers involved. (And therefore it would be easy for spokes to spoof one another).
  • Digital certificates (rsa-sig method) can be used to authenticate both sides.
  • You can use digital certificates to authenticate the hub and PSK for the spokes.
  • There is also support for the Elliptic Curve Digital Signature Algorithm (ecdsa-sig) and for the Extensible Authentication Protocol (EAP).
  • Although you can configure only one local authentication method, multiple remote authentication methods are allowed, so that you can cope with different types of peers connecting to a certain router (normally the central element in your topology).

Figure 2: Main configs on router SPOKE1

Figure 3 provides visibility about the IKEv2 and IPSec SAs corresponding to our configuration. Notice that the show crypto session detail command is particularly useful to obtain summarized information about the Security Associations in place, interfaces in use for protected traffic and even encrypted/decrypted packets. The command also characterizes that the IPSec flow is protecting GRE packets (protocol 47) between HUB1 ( and SPOKE1 (

Figure 3: Information about the IKEv2 and IPSec Security Associations

Figure 4 allows us to gain additional insight about this basic deployment. For instance, it reveals:

  • The default IKEv2 policy and how it binds to the default proposal (not shown in the configuration)
  • Some characteristics of the tunnel interface (source/destination, GRE-based, MTU and attached IPSec profile).
  • Another quick way of displaying encrypted and decrypted packets.

Figure 4: IKEv2 Policy, Tunnel Interface and Encrypted Packets

This is the very first article covering sample configurations… So stay tuned for more !

** Related Posts:

** Additional Reading:

Leave a comment

Filed under English, Security, VPN

GET VPN or Flex VPN…? Do I need both ?

– How Flex is GET ? – What do you get from FLEX ?

On two recent posts we summarized the concepts and motivations pertaining to Flex VPN and GET VPN, two important IPSec-based solutions offered by Cisco. But the availability of these two VPN paradigms may eventually generate some confusion: – Which way to go ? – Do I need both… ?

The figure below provides the backdrop for our current discussion. The two technologies are actually complementary:

  • GET VPN is designed for use within environments that do not have the public/private addressing issue and is well suited for materializing what I frequently name the Secure Intranet Service. FLEX is more flexible in that sense because it allows you to deal with either Intranet or Internet-related scenarios.
  • GET VPN is tunnel-less in nature and aims at scenarios in which the trust level is shared by VPN participants. An attractive by-product of not using tunnels: GET is very adequate to encrypt multicast, because the same distribution tree built in the WAN to forward the clear text multicast packets is equally available for ciphered ones. (Remember the IP Header Preservation inherent to GET…)
  • FLEX is tunnel-based and is able to handle environments involving dynamic (on demand) tunnel setup between spokes, EasyVPN style deployments (when the remote behaves as a hardware client) and many more.
  • GET VPN employs group-based Security Associations (SAs), as opposed to the point-to-point SAs that appear on tunnel-based VPNs (including the FLEX VPN framework). Again, this is possible as a result of the trust level parity that characterizes remote sites on INTRANET-only deployments. This is not a limitation of FLEX, which was conceived to cover a broader spectrum of VPN styles ( for which you cannot assume the same trust level for every site).
  • GET VPN is used for site-to-site only, whereas FLEX VPN is able to work with site-to-site and Remote Access (RA VPN) deployments at once.
  • GET VPN was designed to take advantage of the inherent full-mesh capabilities of MPLS networks. Of course FLEX can be employed on any-to-any clouds but, given that it is tunnel-based, its logical configuration possibilities will be hub-and-spoke and spoke-to-spoke.
  • FLEX VPN requires IKEv2 while GET VPN currently supports only IKEv1. (Of course there are plans to add IKEv2 to the GET VPN side of life at some point in time… :-)) The key information to remember: immediate IKEv2 support is less critical for GET (which presupposes private transport) than for FLEX VPN, a technology aimed at tunnel-based scenarios that involve Internet-based transport.

Flex VPN or GET VPN: quick comparison

The good news: if you have a security license on your Cisco ISR G2, the two options are available simultaneously allowing you to select the option that better fits the needs of your specific environment (eventually you will end up employing both). Some general guidelines are presented below:

  • For INTRANET-only site-to-site scenarios, GET may prove very appealing. Policy distribution and key management tasks are centralized and the Group SA concept is really convenient. The other key differentiator (associated with its tunnel-less nature) is encrypted multicast.
  • On the other hand, for any environment that includes external connections (INTERNET, EXTRANETS and the like), go FLEX. It provides an unified and structured approach for VPN creation and can handle so many connectivity options. And, remember, it relies on IKEv2 for SA negotiation (much more secure than its v1 counterpart).
  • If you want to stick to a single way of dealing with all VPNs (site-to-site and Remote Access), FLEX is the answer. Although not offering the Group SA, it covers everything. As discussed in the FLEX article, you can end up with a single block of configuration at the hub and be prepared to terminate any VPN connection.
  • If necessary, you can still leverage both technologies at the same router (GET for INTRANET site-to-site interconnection) and FLEX for all the rest.

** Notes:

** Related Posts:

Leave a comment

Filed under English, VPN

Building secure and scalable INTRANETS with GET VPN

The term Virtual Private Network (VPN) is employed to define technologies designed to reproduce the characteristics of a private network even when traffic is being transported over a shared infrastructure. The common motivation behind the various VPN options are to extend the reach of corporate networks in a secure and inexpensive manner.

But the word security has a broad meaning and may represent very distinct resources when considered from the standpoint of each of the VPN technologies. For instance, two of the main categories of VPNs (IPSec and MPLS-VPN) are optimized to solve complementary problems and present challenges that are also complementary.  A brief summary is presented below:

  • The IPSec Framework provides answers for questions such as data confidentiality, integrity, peer authentication and management of cryptographic keys. And, interesting enough, all of these tasks are accomplished by means of standardized protocols and algorithms, a fact that contributed to render IPSec almost omnipresent when the subject is VPN. On the other hand, classic IPSec uses point-to-point negotiations between the communicating parties, which brings significant challenges, mainly in terms of routing, when deployed on a large network.
  • The MPLS-VPN service, by its own nature, provides logical segmentation of the transport network and optimized routing (any-to-any) but establishes no definition in what refers to the typical problems solved by IPSec (confidentiality, integrity and the like).

Keeping in mind the capabilities just presented, let’s consider the demand of building the Intranet of a large company that uses Unified Communications among its sites (the traffic nature is any-to-any) and that, in order to comply with market regulations, is supposed to take advantage of the services beneath the IPSec umbrella.

In an initial analysis, two simple-minded solutions could be provided:

  • Build IPSec Security Associations (SAs) between each remote entity and HQ. Well, this approach would not be satisfactory because it could compromise the acceptable end-to-end delay budget for voice traffic (150 ms). Moreover we would be giving up the full-mesh appeal of MPLS networks.
  •  Create sessions betwen each pair of remote sites, so that you keep inter-branch traffic from crossing HQ. Besides being almost unmanageable from a configuration point of view, such a scenario would require that each VPN gateway in the remote location (typically a router) supported a very large of concurrent tunnels, thus impacting the cost.

If the mere superimposition of IPSec on MPLS does not meet the specified project goals, would it be possible to develop a new technology that could benefit from the IPSec security services without losing the optimized connectivity provided by MPLS ?

As a matter of fact, this was exactly what Cisco did. Building upon RFC 3507 (Group Domain of Interpretation – GDOI) and assuming that on Intranets you don’t need to worry about the private/public address issue, the Group Encrypted Transport VPN (GET VPN) came to existence. The main charateristics of GET VPN are listed in the following:

  • Definition of group-based Security Associations instead of the traditional point-to-point SAs. This choice is justifiable because we are dealing with Intranets, in which the same degree of trustworthiness can be assumed for the remote routers.
  • The access control function, which allows a VPN gateway (Group Member or GM in the GET VPN context) to be accepted in a given group, is performed by an element called the Key Server (KS). The KS is also responsible for centrally distributing the cipher keys and encryption policies that will be used by the GMs.
  • IP Header Preservation in the encrypted packet, without changing the standard ESP format. This means that a GET VPN packet is a particular case of IPSec and, therefore, the algorithms and hardware in place can be reused.

GET VPN: IP Header Preservation

Some direct results of the basic GET VPN definitions:

  1. IP Header preservation ensures that the encrypted packets use the same routing table available for the clear text traffic, thus avoiding the creation of a new layer of routing for the VPN packets.
  2. The DSCP information is automatically copied to the external IP header and your Quality of Service (QoS) investments (classification and marking) remain valid for the VPN traffic.
  3. It is possible to account for network utilization on a per-user basis, irrespectively of packets being encrypted. This represents an advance in terms of visibility when compared to classic IPSec.
  4. Because Group Members (GMs) own the the key to decrypt the packets sent by any member of the group, the distribution of encrypted multicast traffic becomes natural ( in an identical manner that would be employed for clear text). It is important to highlight that GET VPN is the first technology to truly deliver on the promise of encrypting IP multicast (without requiring any tunneling artifice such as GRE).
  5. The management of encryption policies becomes much easier because it is centrally conducted by the Key Server. This is particularly relevant for Service Providers that will not need to configure VPN tunnels and interesting traffic definitions in hundreds of devices anymore.

Relationships between GET VPN elements

An important aspect to keep in mind is that a router enabled for GET VPN still comes with the classic IPSec solutions provided by Cisco. For example, you can leverage GET VPN to securely build your Intranet and traditional IPSec to establish a VPN connection though the Internet. Another fact to be aware of is that the same router may participate in multiple distinct groups, thus providing a simple solution to isolate departments within the same company.

** Additional Reading:

** Related Posts:

Leave a comment

Filed under English, VPN

Flex VPN: A new paradigm for IPSec deployment on Cisco Routers

Virtual Private Networks (VPNs) are a classic resource designed to securely and inexpensevely extend the reach of corporate networks. Several options available are built on top of IPSec, a framework that deals with the tasks of ensuring Confidentiality, Integrity, Authentication of origin and secure key distribution for VPNs.

Some of the notable strengths of IPSec are its independence of the transport (UDP, TCP or raw IP) and the provision for easy replacement of one or more of its components (such as the hash functions and cryptographic algorithms) so that it can keep up with hardware evolution and what it means in terms of feasibility of brute force attacks.

If you are familiar with Cisco IOS software, you probably heard terms such as Classic IPSec, IPSec/GRE, Virtual Tunnel Interface (VTI), EasyVPN, Dynamic Multipoint VPN (DMVPN)… But, which of these site-to-site VPN options available on Cisco IOS software should you select ? Well, I will start by saying that each of the technologies was developed to solve specific problems:

  • Crypto Maps are the initial/legacy solution that was devised before IPsec was even an RFC. Although the services available are very basic they do help on interoperability.
  • VTI brings a logical interface to IPSec deployments without the need of using Generic Routing Encapsulation (GRE).
  • EasyVPN allows branch routers (or other types of VPN appliances) to behave as hardware clients that are centrally configured by a VPN concentrator.
  • DMVPN provides the capability of dynamically establishing tunnels between spokes on a hub-and-spoke scenario.

The good news is that Cisco now offers a unified way of dealing with all these options, allowing your network to be prepared to simultaneously handle the different VPN models. The new approach is called Flex VPN and, as the name suggests, is really flexible in terms of configuration possibilities:

  • A router implementing Flex VPN may be configured to expect connections in any of these site-to-site forms: VTI, EasyVPN, GRE/IPSec, DMVPN (and even Classic IPSec tunnels, in case you need to guarantee interoperability with other vendors or older Cisco routers).
  • Flex VPN can deal with remote access either using the Windows 7 native client or a dedicated client such as Cisco AnyConnect.
  • Flex VPN supports both IPv4 and IPv6 implementations.
  • Authentication and Authorization may be performed by means of a local database or using RADIUS (more convenient for Service Provider environments, which typically require multi tenancy).

A critical point in which Flex VPN does not allow flexibility, though, is for Security Association (SA) negotiation and establishment. Flex VPN requires the use of the version 2 of the Internet Key Exchange protocol (IKEv2), a more secure option than the original implementation (IKEv1). But, instead of getting frustrated with the obligation of moving to IKEv2, I hope that you become motivated to start learning Flex VPN. After all, the return on investment is significant: you will not only have a much better control plane protocol in place but also will have just one VPN to support !

It is relevant to emphasize that IKEv2, by design, is not backward compatible with IKEv1. And, as such, if you want to benefit from the increased security in IKEv2, you will need to reconfigure your IPSec VPNs anyway…

To finish this quick post, I present a figure that shows some possibilities associated with the Flex VPN approach. Future articles will cover specific deployment scenarios… Stay tuned !

Summary of Flex VPN Options

** Notes:

  • Backward compatibility may sound attractive for network protocols (remember the example of RIPv1/RIPv2) but for security features it is rather questionable. If IKEv2 was allowed to interoperate with its v1 counterpart, you would be giving up the flexibility and security that v2 provides.
  • Even though it is not possible to enable IKEv1 as part of the Flex VPN framework, you can gradually migrate your IKEv1 configurations (crypto isakmp syntax) to IKEv2/FlexVPN.

** Further Reading:

1 Comment

Filed under English, Security, VPN