VPN-FlexVPN, D-VTI, Spoke-to-Spoke, Static Routing
- dale warner
- Aug 22, 2024
Updated: Aug 23, 2024
FlexVPN hub and spoke deployment with dynamic virtual tunnel interfaces, tunnel IPs assigned by the hub device, and static routing.
The image below details the basic setup of the lab, with VPN links in green. It should be assumed that all devices have been given a basic setup beforehand (hostname, interfaces, IP addresses, etc.).

R5 Hub configuration
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization network AUTHZ local
!
ip local pool FLEX-POOL 172.16.0.10 172.16.0.20
!
interface loopback 0
ip address 172.16.0.1 255.255.255.0
!
ip access-list standard FLEX-ROUTE
permit any
!
crypto ikev2 authorization policy FLEX-AUTHZ-POLICY
route set access-list FLEX-ROUTE
route set interface
pool FLEX-POOL
!
crypto ikev2 keyring KEYRING
peer ANY-PEER
address 0.0.0.0
pre-shared-key local Cisco1234
pre-shared-key remote Cisco1234
!
crypto ikev2 profile IKEV2-PROF
match identity remote fqdn domain lab.local
identity local fqdn R5.lab.local
authentication remote pre-share
authentication local pre-share
keyring local KEYRING
aaa authorization group psk list AUTHZ FLEX-AUTHZ-POLICY
virtual-template 1
!
crypto ipsec profile IPSEC-PROF
set ikev2-profile IKEV2-PROF
!
interface virtual-template 1 type tunnel
ip unnumbered loopback 0
ip nhrp network-id 1
ip nhrp redirect
tunnel source gigabitethernet 5
tunnel protection ipsec profile IPSEC-PROF
R6 Spoke configuration
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization network AUTHZ local
!
ip access-list standard FLEX-ROUTE
permit 10.6.6.0 0.0.0.255
!
crypto ikev2 authorization policy FLEX-AUTHZ-POLICY
route set access-list FLEX-ROUTE
route set interface
!
crypto ikev2 keyring KEYRING
peer ANY-PEER
address 0.0.0.0
pre-shared-key local Cisco1234
pre-shared-key remote Cisco1234
!
crypto ikev2 profile IKEV2-PROF
match identity remote fqdn domain lab.local
identity local fqdn R6.lab.local
authentication remote pre-share
authentication local pre-share
keyring local KEYRING
aaa authorization group psk list AUTHZ FLEX-AUTHZ-POLICY
virtual-template 1
!
crypto ipsec profile IPSEC-PROF
set ikev2-profile IKEV2-PROF
!
interface virtual-template 1 type tunnel
ip unnumbered tunnel 0
ip nhrp network-id 1
ip nhrp shortcut virtual-template 1
ip nhrp redirect
tunnel protection ipsec profile IPSEC-PROF
!
interface tunnel 0
ip address negotiated
ip nhrp network-id 1
ip nhrp shortcut virtual-template 1
ip nhrp redirect
tunnel source gigabitethernet 2
tunnel destination 172.27.10.5
tunnel protection ipsec profile IPSEC-PROF
R7 Spoke configuration
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization network AUTHZ local
!
ip access-list standard FLEX-ROUTE
permit 10.7.7.0 0.0.0.255
!
crypto ikev2 authorization policy FLEX-AUTHZ-POLICY
route set access-list FLEX-ROUTE
route set interface
!
crypto ikev2 keyring KEYRING
peer ANY-PEER
address 0.0.0.0
pre-shared-key local Cisco1234
pre-shared-key remote Cisco1234
!
crypto ikev2 profile IKEV2-PROF
match identity remote fqdn domain lab.local
identity local fqdn R7.lab.local
authentication remote pre-share
authentication local pre-share
keyring local KEYRING
aaa authorization group psk list AUTHZ FLEX-AUTHZ-POLICY
virtual-template 1
!
crypto ipsec profile IPSEC-PROF
set ikev2-profile IKEV2-PROF
!
interface virtual-template 1 type tunnel
ip unnumbered tunnel 0
ip nhrp network-id 1
ip nhrp shortcut virtual-template 1
ip nhrp redirect
tunnel protection ipsec profile IPSEC-PROF
!
interface tunnel 0
ip address negotiated
ip nhrp network-id 1
ip nhrp shortcut virtual-template 1
ip nhrp redirect
tunnel source gigabitethernet 2
tunnel destination 172.27.10.5
tunnel protection ipsec profile IPSEC-PROF
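As an added example (not part of the post), the Python linter below parses configs in the unindented form shown above and reports references to objects that are never defined: keyrings, IKEv2 and IPsec profiles, authorization policies, pools, ACLs and interfaces, expanding interface abbreviations such as `tun 0` so that `ip unnumbered tun 0` matches `interface tunnel 0`. Its embedded sample is a constructed excerpt of a hub config with `ip unnumbered lookback 0` misspelled so the check has something to find.

```python
import re

TOP = ("crypto ", "interface ", "ip access-list ", "ip local pool ")
IFTYPES = ("loopback", "tunnel", "virtual-template", "gigabitethernet")
REFS = [  # (block holding the reference, regex capturing the name, block that must define it)
    ("crypto ikev2 profile ", r"^keyring local (\S+)", "crypto ikev2 keyring "),
    ("crypto ikev2 profile ", r"^aaa authorization group \S+ list \S+ (\S+)", "crypto ikev2 authorization policy "),
    ("crypto ikev2 profile ", r"^(virtual-template \d+)", "interface "),
    ("crypto ipsec profile ", r"^set ikev2-profile (\S+)", "crypto ikev2 profile "),
    ("crypto ikev2 authorization policy ", r"^pool (\S+)", "ip local pool "),
    ("crypto ikev2 authorization policy ", r"^route set access-list (\S+)", "ip access-list standard "),
    ("interface ", r"^tunnel protection ipsec profile (\S+)", "crypto ipsec profile "),
    ("interface ", r"^ip unnumbered (.+)", "interface "),
]

def canon(name, is_iface):
    """First token of a name; interfaces also get abbreviations expanded ('tun 0' -> 'tunnel0')."""
    m = re.match(r"([a-z-]+)\s*(\d\S*)", name) if is_iface else None
    if not m:
        return name.split()[0]
    return next((t for t in IFTYPES if len(m[1]) >= 2 and t.startswith(m[1])), m[1]) + m[2]

def parse(cfg):
    """Unindented IOS text -> {header: [child lines]}; a bare '!' closes the current block."""
    blocks, cur = {}, None
    for line in (ln.strip().lower() for ln in cfg.splitlines()):
        if not line or line == "!":
            cur = None
        elif line.startswith(TOP):
            cur, blocks[line] = line, []
        elif cur:
            blocks[cur].append(line)
    return blocks

def lint(cfg):
    """Return one message per reference to an object the config never defines."""
    blocks = parse(cfg)
    defined = {(p, canon(h[len(p):], p == "interface ")) for h in blocks for *_, p in REFS if h.startswith(p)}
    problems = []
    for header, children in blocks.items():
        for src, pat, p in REFS:
            for m in filter(None, (re.match(pat, c) for c in children if header.startswith(src))):
                if (p, canon(m[1], p == "interface ")) not in defined:
                    problems.append(f"{header}: '{m.string}' -> no {p.strip()} named {m[1]}")
    return problems

# Constructed hub excerpt (not the post's full config) with the interface name misspelled
HUB = ("crypto ikev2 keyring KEYRING\n!\ncrypto ikev2 profile IKEV2-PROF\nkeyring local KEYRING\n"
       "virtual-template 1\n!\ncrypto ipsec profile IPSEC-PROF\nset ikev2-profile IKEV2-PROF\n!\n"
       "interface loopback 0\n!\ninterface virtual-template 1 type tunnel\nip unnumbered lookback 0\n"
       "tunnel protection ipsec profile IPSEC-PROF")
```

Running `lint(HUB)` reports the dangling `ip unnumbered lookback 0`; the same call on the corrected text returns an empty list.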