What is FlexVPN ? 
  • Flexible VPN Common umbrella for all IKEv2 IPsec VPNs deployed on IOS routers 
  • Not supported on ASA Has technical benefits, but also marketing term 
Technical Benefits 
  • A common configuration template for all VPN types 
    • No longer 50+ templates of VPN configuration 
    • Feature parity between all VPN types, no more restrictions 
  • Based on each VPN type 
    • Additional extra configuration templates are required

FlexVPN Building Blocks
  • Scope of IKEv2 
    • Context specific or globally 
      • Context specific Used for a specific group of peers and/or negotiation context, like a VRF and local address 
      • Referenced from an IKEv2 profile or policy 
    • Global 
      • Defined globally 
      • Used irrespective of the context, for all peers and negotiations Configuration
  • Constructs IKEv2 - Profile, proposal, policy, keyring and global configuration 
  • IKEv2 Proposal – is mandatory I
    • n IKEv1 this was the ISAKMP policy 
    • Is defined with a name, not with a number 
    • Default one exists, known as smart default 
      • The most commonly used transform values 
    • Called from the IKEv2 policy 
      • The proposal must be removed from the policy to be deleted 
    • Defines cryptographic transforms used to negotiate IKE_SA_INIT exchanges and protect the SA to be created 
    • Authentication and SA lifetime are not created under the proposal 
    • A proposal can have any combination of attributes that can be used to correspond to when negotiating SAs 
  • IKEv2 Proposal Rules 
    • At least one transform must be configured or the proposal is considered incomplete 
    • If multiple transforms are defined, they must be listed in order of preference 
    • When the initiator and responder have conflicting proposal preferences, the initiators preference is preferred 
    • At least one proposal must be present and a match in order for negotiation to be successful 
  • Combined mode and normal ciphers cannot be combined in a single proposal 
  • IKEv2 Proposal configuration - mandatory 
    • Encryption (multiple entries can be configured) 
      • For data confidentiality 
      • Used to encrypt the IKEv2 SA 
      • Combined mode ciphers give the benefit of authenticated encryption 
      • Provides both confidentiality and integrity with a single algorithm 
    • Integrity (multiple entries can be configured) 
      • Provides assurance that data was changed in transit 
      • This is achieved by calculating an ICV or Integrity Checksum Value 
        • Covering the IKE header and encrypted payload 
      • The ICV is included in the encrypted payload 
        • Ensures the IKE header and encrypted payload are not modified 
      • The larger the integrity size the greater security 
    • DH group Diffie Hellman (multiple entries can be configured) 
      • Used in exchanging the shared secret key between VPN peers 
    • PRF or Pseudorandom Function (multiple entries can be configured) 
      • Used to generate key material from the shared secret 
      • It is a keyed hash message authentication code or HMAC 
        • Cryptographic hash function combined with a secret cryptographic key 
    • IKEv2 Proposal no longer contains 
      • Authentication method 
      • SA lifetime 
    • IKEv2 Policy – is mandatory 
      • Default one exists 
      • In IKEv1 it did NOT exist 
      • It needs an IKEv2 proposal attached 
      • Its scope is to control which proposal is used per IPsec VPN tunnel 
        • However this is not yet available 
    • IKEv2 Policy configuration 
      • Bind IKEv2 proposal (mandatory) 
      • Terminating local address for IPsec VPN (optional) 
      • FVRF (optional) 
    • IKEv2 Keyring – is for PSK authentication (optional)
      • In IKEv1 this was the ISAKMP keyring 
      • Used to define pre-shared-keys 
    • IKEv2 Keyring configuration
      • Pre-shared key used by local peer 
      • Pre-shared key used by remote peer 
    • IKEv2 Profile – is mandatory 
      • In IKEv1 this was the ISAKMP profile 
      • Used to define local/remote IKEv2 identities 
      • It needs IKEv2 Keyring attached 
    • IKEv2 Profile configuration - mandatory 
      • Bind the IKEv2 keyring, if PSK authentication is used 
      • Bind the PKI trustpoint if PKI authentication is used 
      • Configure local/remote authentication type 
      • Configure local/remote IKEv2 ID 
    • IPsec configuration remains almost the same 
      • Just like in the case of IKEv1 IPsec VPN 
    • Main difference to IKEv1 IPsec VPN 
      • You have to bind the IKEv2 Profile at the crypto-map or IPsec profile level 
      • Although it can work without, it’s not expected behavior

IKEv2 proposal defines the encryption, hash and group to be used 
IKEv2 policy calls the IKEv2 proposal 
IKEv2 Keyring if PSK is used 
  • PKI Trustpoint if certificates are used 
IKEv2 Profile calls the authentication mechanisms 
IPsec profile calls the IPsec transform set and IKEv2 profile 
  • The IKEv2 profile defines the authentication method 
  • The IPsec transform set defines how to protect the data, encryption or authentication