FlexVPN Configuration Blocks Tidbit

Here is a quick overview of the building blocks you need in order to configure a FlexVPN:

*Remember that FlexVPN uses IKEv2 as its standard.


IKEv2 Proposal: think HAGLE (hash, authentication, DH group, lifetime, encryption). Your proposal defines the algorithms you are offering during negotiation with the remote side when attempting to establish the IKE phase 1 (IKE SA) tunnel security association.

IKEv2 Policy: the policy essentially binds the already configured proposal to a local interface address.


The next two blocks depend on what you choose to use for peer authentication:

IKEv2 Keyring: simply configures/declares a pre-shared key for authentication, which can be symmetric (the same key in both directions) or asymmetric (separate local and remote keys).


Trustpoint: think of this as the more secure and more advanced option for authentication via PKI. Essentially it configures the device identity and CA attributes.


IKEv2 Profile: this step is a collection of every config block to this point that is NONNEGOTIABLE. Items configured here include the remote peer address and authentication method. Note that you will bind either the keyring or the trustpoint in your profile (depending on which one you chose for authentication).


IPsec Transform Set: declares acceptable combinations of security protocols and algorithms you will use to form your IPsec tunnel security association.


IPsec Profile: this is the final configuration block for FlexVPN that binds everything together. Within the IPsec profile you reference the IPsec transform set and your IKEv2 Profile containing your NONNEGOTIABLE parameters. The IPsec profile then gets assigned to a tunnel interface.
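Putting all of the blocks above together as one minimal site-to-site IOS configuration, as an added example that is not from the original post: every name, address and key below is a constructed placeholder, and pre-shared-key authentication is used so the keyring block is shown (with PKI, a trustpoint would replace the keyring in the IKEv2 profile).

```cisco
! IKEv2 proposal: the negotiable HAGLE items (hash/PRF, DH group, encryption)
crypto ikev2 proposal FLEX-PROP
 encryption aes-cbc-256
 integrity sha256
 prf sha256
 group 19
!
! IKEv2 policy: binds the proposal to the local interface address
crypto ikev2 policy FLEX-POL
 match address local 203.0.113.1
 proposal FLEX-PROP
!
! IKEv2 keyring: asymmetric PSK (different local and remote keys) for one peer
crypto ikev2 keyring FLEX-KR
 peer SPOKE1
  address 198.51.100.2
  pre-shared-key local LOCAL-PSK-PLACEHOLDER
  pre-shared-key remote REMOTE-PSK-PLACEHOLDER
!
! IKEv2 profile: non-negotiable identity, auth method, keyring and IKE SA lifetime
crypto ikev2 profile FLEX-PROF
 match identity remote address 198.51.100.2 255.255.255.255
 identity local address 203.0.113.1
 authentication local pre-share
 authentication remote pre-share
 keyring local FLEX-KR
 lifetime 86400
!
! IPsec transform set: AES-GCM gives ESP both encryption and integrity
crypto ipsec transform-set FLEX-TS esp-gcm 256
 mode tunnel
!
! IPsec profile: ties the transform set and the IKEv2 profile together
crypto ipsec profile FLEX-IPSEC
 set transform-set FLEX-TS
 set ikev2-profile FLEX-PROF
!
! Apply the IPsec profile to the tunnel interface
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
```

The spoke mirrors this with its own addresses and the local/remote keys swapped; `show crypto ikev2 sa` and `show crypto ipsec sa` confirm that the IKE SA and the child IPsec SA came up with the expected algorithms.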


Cheers!

#learnITwithCifelli

© 2023 by Train of Thoughts. Proudly created with Wix.com