Monday 29 September 2014

Flex VPN

Flex VPN (IKEv2)

One of the advantages of IKEv2 is that a single proposal can carry multiple options, whereas in IKEv1 we need to create multiple proposals for this to happen.
ciscoasa(config-ikev2-policy)# encryption aes-192 aes
ciscoasa(config-ikev2-policy)# integrity sha256 sha
ciscoasa(config-ikev2-policy)# prf sha256 sha
ciscoasa(config-ikev2-policy)# group 5 2

IKEv2
 -Proposals (HAGLE)
   -Key Ring (keys)
 -Policy (VRF & address limits)/Restriction
 -Profile (identities, auth methods)

IPsec
 -Transforms
 -Profiles

#show crypto ikev2 proposal default
#show crypto ikev2 policy default
#show crypto ikev2 profile default
#show crypto ipsec transform-set default
#show crypto ipsec profile default

#show crypto ikev2 sa
#show crypto ipsec sa
#show crypto engine connections active

Benefits of IKEv2
 -DPD(dead peer detection), NAT traversal
 -DoS attack resilience (in v1, CAC, call admission control, is used to limit)
 -EAP, Better Sequencing
 -Same engine option IPv4/IPv6
In IKEv2, only H, G and E (of HAGLE: hash, authentication, group, lifetime, encryption) are configured in the IKEv2 proposal.
A and L are configured under the IKEv2 profile. The profile also holds the key ring.

FlexVPN "Mode Configuration"

Added components on Hub
 AAA network authorization method list
 IKEv2 authorization policy
 IP local pool (for demo)
 Add authorization policy to IKEv2 profile

FlexVPN Clients

Added to Spokes:
 AAA network authorization method list
 ACL to identify routes to push to the server (hub)
 IKEv2 authorization policy that calls the ACL
 Add authorization policy to IKEv2 profile
 Tunnel destination dynamic
 Create FlexVPN "client" config
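As an added example that is not part of the original notes, the hub and spoke component lists above written out as a minimal IOS FlexVPN configuration; all names, addresses and the pre-shared key are hypothetical placeholders. It relies on the FlexVPN smart default: the built-in IPsec profile named default references the IKEv2 profile named default, which is why the IKEv2 profile is configured under that name on both sides.

```cisco
! Hub side (all names, addresses and the key are hypothetical placeholders)
aaa new-model
aaa authorization network FLEX-AUTHOR local
ip local pool FLEX-POOL 10.10.10.1 10.10.10.100
crypto ikev2 keyring FLEX-KEYS
 peer SPOKES
  address 0.0.0.0 0.0.0.0
  pre-shared-key <placeholder-strong-psk>
crypto ikev2 authorization policy FLEX-HUB-POL
 pool FLEX-POOL
! Smart default: the built-in "default" IPsec profile references the "default" IKEv2 profile
crypto ikev2 profile default
 match identity remote address 0.0.0.0 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring local FLEX-KEYS
 aaa authorization group psk list FLEX-AUTHOR FLEX-HUB-POL
 virtual-template 1
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default
! Spoke side: the ACL selects routes pushed to the hub; tunnel destination is dynamic
aaa new-model
aaa authorization network FLEX-AUTHOR local
ip access-list standard FLEX-ROUTES
 permit 192.168.1.0 0.0.0.255
crypto ikev2 authorization policy FLEX-SPOKE-POL
 route set access-list FLEX-ROUTES
crypto ikev2 keyring FLEX-KEYS
 peer HUB
  address 203.0.113.1
  pre-shared-key <placeholder-strong-psk>
crypto ikev2 profile default
 match identity remote address 203.0.113.1 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local FLEX-KEYS
 aaa authorization group psk list FLEX-AUTHOR FLEX-SPOKE-POL
interface Tunnel0
 ip address negotiated
 tunnel source GigabitEthernet0/0
 tunnel destination dynamic
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default
crypto ikev2 client flexvpn FLEX-CLIENT
 peer 1 203.0.113.1
 client connect Tunnel0
```

After the spoke's client block brings Tunnel0 up, the show commands listed on this page (show crypto ikev2 sa, show crypto ipsec sa, show crypto ikev2 client flexvpn) confirm the SA state and the routes learned from the spoke's ACL.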


show crypto ikev2 client flexvpn
