FlexVPN Configuration Blocks Tidbit

Here is a quick overview of the building blocks you need in order to configure a FlexVPN:

*Remember that FlexVPN uses IKEv2 as its standard.

IKEv2 Proposal: think HAGLE (hash, authentication, dh group, lifetime, encryption). Your proposal defines what you are trying to use during negotiation with the remote side when attempting to establish an IKE phase 1 tunnel security association.

IKEv2 Policy: the policy essentially binds the already configured proposal to a local interface address.

The next two blocks depend on what you choose to use for peer authentication:

IKEv2 Keyring: simply configures/declares a pre-shared key, which can be symmetric or asymmetric for authentication.

Trustpoint: think more secure and an advanced tool for authentication via PKI. Essentially configures identity and CA attributes.

IKEv2 Profile: this step is a collection of every config block to thus point that is NONNEGOTIABLE. Items configure here include the remote peer address and authentication method. Note, that you will bind either the keyring or trustpoint in your profile (all of which depends on which one you choose for authentication).

IPsec Transform Set: declares acceptable combinations of security protocols and algorithms you will use to form your IPsec tunnel security association.

IPsec Profile: This is the final configuration block for FlexVPN that binds everything together. Within the IPsec profile you reference the IPsec transform set and your IKEv2 Profile containing your NONNEGOTIABLE parameters. This gets assigned to an interface.



Recent Posts

See All

ASA MultiContext Mode Packet Classification Tidbit

In order to understand how traffic flows through the segregated contexts it is important to understand how the ASA determines the context in which it will send the packets. This process is known as c

ASA Security Contexts Tidbit

In this tidbit I want to explain what Cisco ASA Security Contexts are in this blog. A very plain & simple way to put it, security contexts are a way to logically divide the ASA into multiple logical

Fundamentals of PKI Tidbit

I want to touch on some of the fundamentals and standards involved with PKI to give us an overview of what things are/mean. To start let's cover what the standards are. So you have probably seen or