FlexVPN: an introduction
FlexVPN, unofficially called “DMVPN phase 4”, is a newer “solution” for deploying VPNs; it requires newer hardware capable of running the IOS versions that offer FlexVPN features, whereas DMVPN is available on almost every Cisco router.
FlexVPN is a configuration framework (a collection of CLI/API commands) aimed at simplifying the setup of remote-access, site-to-site and DMVPN topologies. From a technology standpoint, FlexVPN is Cisco’s way of configuring IKEv2 [RFC].
Most of the configuration commands begin with `crypto ikev2` and come with “smart defaults” representing Cisco’s view of best-practice design. Dynamic tunnel configuration has been simplified so that, in theory, a single interface template on the hub is enough to accept every type of incoming VPN connection.
FlexVPN is based on the same fundamental technologies as DMVPN:
- IPsec: Unlike the DMVPN default, IKEv2 is used instead of IKEv1 to negotiate IPsec SAs. IKEv2 improves on IKEv1 in several ways, from resiliency to the number of messages needed to establish a protected data channel.
- GRE: Unlike DMVPN, static and dynamic point-to-point interfaces are used rather than a single static multipoint GRE interface. This allows added flexibility, especially for per-spoke and per-hub behavior.
- NHRP: In FlexVPN, NHRP is used primarily to establish spoke-to-spoke communication. Spokes do not register with the hub.
- Routing: Because spokes do not perform NHRP registration with the hub, other mechanisms are needed to ensure hub and spokes can communicate bidirectionally. As in DMVPN, dynamic routing protocols can be used. However, FlexVPN also allows routing information to be introduced through IPsec itself. The default is to inject a /32 route for the IP address on the other side of the tunnel, which allows direct spoke-to-hub communication.
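To make the points above concrete, the following is an added hub-side configuration sketch (not from the original post) showing the single virtual-template interface and the IKEv2 authorization policy that injects the peer’s /32 route. The interface names, the `FLEX-*` names, the loopback address and the pre-shared key are assumptions; the `crypto ipsec profile default` referenced at the end is one of the IOS smart defaults.

```ios
aaa new-model
! Authorization list the IKEv2 profile uses to fetch the per-peer policy
aaa authorization network FLEX-AUTHZ local
!
! Smart-default authorization policy: "route set interface" injects the
! remote tunnel address as a /32 route toward each peer (the behavior
! described under "Routing" above)
crypto ikev2 authorization policy default
 route set interface
!
! Keyring with a wildcard peer; a shared PSK for all spokes is the weakest
! option here, certificate-based authentication is preferable in production
crypto ikev2 keyring FLEX-KEYS
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key <placeholder-psk>
!
! One IKEv2 profile handles every incoming spoke and clones the template
crypto ikev2 profile FLEX-HUB
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local FLEX-KEYS
 aaa authorization group psk list FLEX-AUTHZ default
 virtual-template 1
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
! The single template: each spoke gets a dynamically created
! Virtual-Access interface cloned from it
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel mode gre ip
 tunnel protection ipsec profile default
```

After a spoke connects, `show crypto ikev2 sa` lists the session and `show ip route static` should show the spoke’s tunnel address as a /32 via its Virtual-Access interface; if the route is missing, check that the authorization policy was actually applied to the session.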