VPN - FlexVPN, Hub & Spoke

  • Writer: dale warner
  • Aug 22, 2024

Updated: Aug 23, 2024

Here is a basic FlexVPN Hub and Spoke deployment using 3 routers (R5, R6, R7). It uses IKEv2 with pre-shared-key (PSK) authentication.


The image below details the basic setup of the lab, with VPN links in green. It should be assumed all devices have been given a basic setup beforehand (hostname, interfaces, IP addresses, etc).




R5 Hub configuration

interface loopback 0
 ip address 172.16.0.1 255.255.255.0
!
router eigrp 1
 no auto-summary
 network 172.16.0.0
 network 10.5.5.0 0.0.0.255
!
crypto ikev2 keyring KEYRING
 peer ANY-PEER
 address 0.0.0.0
 pre-shared-key local Cisco1234
 pre-shared-key remote Cisco1234
!
crypto ikev2 profile IKEV2_PROF
 match identity remote fqdn domain lab.local
 identity local fqdn R5.lab.local
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING
 virtual-template 1
!
crypto ipsec profile IPSEC_PROF
 set ikev2-profile IKEV2_PROF
!
interface virtual-template 1 type tunnel
 tunnel source gigabitethernet 5
 ip unnumbered loopback 0
 tunnel protection ipsec profile IPSEC_PROF

R6 Spoke configuration

interface loopback 0
 ip address 172.16.0.2 255.255.255.0
!
router eigrp 1
 no auto-summary
 network 172.16.0.0
 network 10.6.6.0 0.0.0.255
!
crypto ikev2 keyring KEYRING
 peer ANY-PEER
 address 0.0.0.0
 pre-shared-key local Cisco1234
 pre-shared-key remote Cisco1234
!
crypto ikev2 profile IKEV2_PROF
 match identity remote fqdn domain lab.local
 identity local fqdn R6.lab.local
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING
!
crypto ipsec profile IPSEC_PROF
 set ikev2-profile IKEV2_PROF
!
interface tunnel 0
 ip unnumbered loopback 0
 tunnel source gigabitethernet 2
 tunnel destination 172.27.10.5
 tunnel protection ipsec profile IPSEC_PROF

R7 Spoke configuration

interface loopback 0
 ip address 172.16.0.3 255.255.255.0
!
router eigrp 1
 no auto-summary
 network 172.16.0.0
 network 10.7.7.0 0.0.0.255
!
crypto ikev2 keyring KEYRING
 peer ANY-PEER
 address 0.0.0.0
 pre-shared-key local Cisco1234
 pre-shared-key remote Cisco1234
!
crypto ikev2 profile IKEV2_PROF
 match identity remote fqdn domain lab.local
 identity local fqdn R7.lab.local
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING
!
crypto ipsec profile IPSEC_PROF
 set ikev2-profile IKEV2_PROF
!
interface tunnel 0
 ip unnumbered loopback 0
 tunnel source gigabitethernet 2
 tunnel destination 172.27.10.5
 tunnel protection ipsec profile IPSEC_PROF
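
Config review check (an added example, not part of the original post): a short Python audit of IKEv2 keyring stanzas like the ones above. It flags a wildcard peer address, where one key is accepted from any peer that matches the IKEv2 profile, along with mistyped peer subcommands and a missing local or remote key. The sample config, its key values and the per-spoke R6 peer entry are constructed for illustration.

```python
import re

# Constructed sample input: a wildcard keyring peer with one mistyped
# subcommand, plus a hypothetical per-spoke peer (R6) for contrast.
SAMPLE = """\
crypto ikev2 keyring KEYRING
 peer ANY-PEER
  address 0.0.0.0
  pre-shared-key local ExampleKey-1
  per-shared-key remote ExampleKey-1
 peer R6
  identity fqdn R6.lab.local
  pre-shared-key local ExampleKey-2
  pre-shared-key remote ExampleKey-3
!
"""

# Subcommands accepted under "peer" in an IKEv2 keyring.
KNOWN = {"address", "description", "hostname", "identity", "pre-shared-key"}

def parse_keyrings(config):
    """Map (keyring, peer) -> list of that peer's subcommand lines."""
    peers, ring, peer = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # top-level command starts a new section
            m = re.match(r"crypto ikev2 keyring (\S+)", line)
            ring, peer = (m.group(1) if m else None), None
        elif ring and line.startswith("peer "):
            peer = line.split()[1]
            peers[(ring, peer)] = []
        elif ring and peer:
            peers[(ring, peer)].append(line)
    return peers

def audit(config):
    """Return (peer, finding, detail) tuples; key values are never echoed."""
    findings = []
    for (_, peer), lines in parse_keyrings(config).items():
        sides = set()
        for words in (l.split() for l in lines):
            if words[0] not in KNOWN:
                findings.append((peer, "unknown-command", words[0]))
            elif words[0] == "pre-shared-key":
                # No local/remote keyword means one key for both directions.
                sides |= set(words[1:2]) & {"local", "remote"} or {"local", "remote"}
            elif words[:2] == ["address", "0.0.0.0"]:
                findings.append((peer, "wildcard-peer", "any source address"))
        for side in ("local", "remote"):
            if side not in sides:
                findings.append((peer, "missing-key", side))
    return findings
```

Run `audit()` over a saved running-config. The parser accepts both nested indentation and the flat single-space indentation used in the listings above.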
