FlexVPN Configuration Blocks Tidbit

Here is a quick overview of the building blocks you need in order to configure a FlexVPN:

*Remember that FlexVPN uses IKEv2 as its standard.


IKEv2 Proposal: think HAGLE (hash, authentication, dh group, lifetime, encryption). Your proposal defines what you are trying to use during negotiation with the remote side when attempting to establish an IKE phase 1 tunnel security association.

IKEv2 Policy: the policy essentially binds the already configured proposal to a local interface address.


The next two blocks depend on what you choose to use for peer authentication:

IKEv2 Keyring: simply configures/declares a pre-shared key, which can be symmetric or asymmetric for authentication.


Trustpoint: think more secure and an advanced tool for authentication via PKI. Essentially configures identity and CA attributes.


IKEv2 Profile: this step is a collection of every config block to thus point that is NONNEGOTIABLE. Items configure here include the remote peer address and authentication method. Note, that you will bind either the keyring or trustpoint in your profile (all of which depends on which one you choose for authentication).


IPsec Transform Set: declares acceptable combinations of security protocols and algorithms you will use to form your IPsec tunnel security association.


IPsec Profile: This is the final configuration block for FlexVPN that binds everything together. Within the IPsec profile you reference the IPsec transform set and your IKEv2 Profile containing your NONNEGOTIABLE parameters. This gets assigned to an interface.


Cheers!

0 comments

Recent Posts

See All

Email Security - S/MIME Tidbit

So it has definitely been a minute since I produced a tidbit. Lately I have been investing personal time into email security. The topics that I have covered thus far are in no particular order, but

November 21 Update Tidbit

Sharing some quick personal news as well as an update with where my head is currently at. I recently invested most of my time with VPNs the last couple of months. So I finally decided to take a stab

Personal Tidbit - Oct 2021

Sharing some exciting news. I recently participated in a Cisco Championship Content competition, & actually claimed first place! Pretty excited to receive the news since I frequently spend time on Ci