Part 1: Introduction to FlexVPN

FlexVPN is Cisco's unified VPN framework built on IKEv2. One configuration model covers site-to-site, remote-access, hub-and-spoke and spoke-to-spoke topologies. It is a software-based solution built on the IOS point-to-point tunnel interface (static tunnel interfaces on spokes, dynamically cloned Virtual-Access interfaces on hubs).

Cisco positions FlexVPN as the successor to DMVPN. The table at the end of this part summarises what makes FlexVPN the better choice.

To understand FlexVPN, you first need to understand the technologies it is built on. Many people think of it simply as DMVPN with more features, and Cisco is indeed moving from DMVPN to FlexVPN, but the two differ in the following fundamental ways:

  • IKEv2 instead of IKEv1: the IPsec SAs in FlexVPN are negotiated with IKEv2. IKEv2 has several advantages over IKEv1, including greater resilience (built-in dead-peer detection and SA rekeying), protection against certain denial-of-service attacks via cookies, and fewer messages to establish a protected channel (four messages in the common case, versus nine for IKEv1 main mode plus quick mode).
  • Point-to-point interfaces instead of multipoint GRE: where DMVPN uses static mGRE interfaces, FlexVPN uses point-to-point tunnel interfaces, static Tunnel interfaces on the spokes and dynamic Virtual-Access interfaces (cloned from a Virtual-Template) on the hub. Because each peer gets its own interface, per-spoke and per-hub behaviour (QoS, ACLs, VRF membership, routing policy) is easy to customise.
  • NHRP only for spoke-to-spoke: FlexVPN uses NHRP solely to resolve shortcuts for spoke-to-spoke communication. Spokes do not register with hubs over NHRP as they do in DMVPN.
Fig 1.1- FlexVPN Topology

Since spokes do not register with hubs over NHRP, another mechanism is needed for hub and spokes to learn how to reach each other. FlexVPN provides this by carrying routing information inside IKEv2 itself (the IKEv2 configuration exchange), so a dynamic routing protocol is not strictly required. With the default IKEv2 authorization policy (route set interface), each side advertises the IP address of its own tunnel interface to the peer, which installs it as a /32 static route; this is sufficient for spoke-to-hub communication. Additional prefixes can be exchanged the same way, or a routing protocol such as BGP or EIGRP can be run over the tunnels.

IKEv2 configuration is built from the following objects:

  • IKEv2 Proposal: specifies the encryption algorithm, integrity algorithm, Diffie-Hellman group and PRF algorithm (an integrity algorithm is not configured when an AEAD cipher such as AES-GCM is used).
  • IKEv2 Policy: binds one or more proposals to a front-door VRF (fVRF) and local address, so that different proposals can be offered depending on where the peer connects.
  • IKEv2 Keyring: a local database of pre-shared keys. Keys can be symmetric (one key for both directions) or asymmetric (separate local and remote keys), and a key is looked up by peer address, hostname or IKE identity.
  • IKEv2 Profile: specifies local and remote authentication methods, the local IKE identity, the keyring or trustpoint, how to match the peer's identity or certificate, fVRF, local address, and the Virtual-Template to clone for the peer.
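The following hub-side configuration is an added example and is not taken from the original article or from Cisco documentation; it ties together the four IKEv2 objects just described and the IKEv2 route exchange discussed earlier (route set interface). All names, addresses, domain names and the pre-shared keys are assumptions chosen for illustration.

```cisco
! Added example: minimal FlexVPN hub. Object names, addresses, the
! example.com identities and the pre-shared keys are all assumptions.
aaa new-model
aaa authorization network FLEX-AAA local
!
! Proposal: which algorithms the IKE SA may use. AES-GCM is an AEAD
! cipher, so no separate integrity algorithm is configured.
crypto ikev2 proposal FLEX-PROP
 encryption aes-gcm-256
 prf sha512
 group 19
!
! Policy: offer the proposal to peers arriving in any fVRF.
crypto ikev2 policy FLEX-POL
 match fvrf any
 proposal FLEX-PROP
!
! Keyring: asymmetric pre-shared keys (one per direction).
! The wildcard address matches any spoke; fine for a lab, see the note below.
crypto ikev2 keyring FLEX-KEYS
 peer SPOKES
  address 0.0.0.0 0.0.0.0
  pre-shared-key local HubToSpokeKeyAssumed
  pre-shared-key remote SpokeToHubKeyAssumed
!
! Authorization policy: advertise this side's tunnel interface address
! to the peer as a /32 (the default behaviour the text refers to).
crypto ikev2 authorization policy FLEX-AUTHZ
 route set interface
 route accept any
!
! Profile: who we are, who we accept, how both sides authenticate,
! which keyring to use, and which Virtual-Template to clone per spoke.
crypto ikev2 profile FLEX-PROF
 match identity remote fqdn domain example.com
 identity local fqdn hub.example.com
 authentication local pre-share
 authentication remote pre-share
 keyring local FLEX-KEYS
 aaa authorization group psk list FLEX-AAA FLEX-AUTHZ
 virtual-template 1
!
crypto ipsec transform-set FLEX-TS esp-gcm 256
 mode transport
!
crypto ipsec profile FLEX-IPSEC
 set transform-set FLEX-TS
 set ikev2-profile FLEX-PROF
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
! One Virtual-Access interface is cloned from this template per spoke.
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel mode gre ip
 tunnel protection ipsec profile FLEX-IPSEC
```

After a spoke connects, show crypto ikev2 sa shows the IKE SA and show ip route static shows the spoke's tunnel address installed as a /32 learned through the IKEv2 exchange. Two points a practitioner should note: a wildcard pre-shared key shared by every spoke means one compromised spoke can impersonate any other, so for production use certificate authentication (authentication remote rsa-sig with a trustpoint, or at least a distinct keyring entry per spoke); and since FlexVPN interfaces are point-to-point, any per-spoke policy such as QoS or an ACL belongs on the Virtual-Template and is applied to each cloned interface automatically.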
The table below summarises why FlexVPN is preferred over DMVPN.

Fig 1.2- DMVPN & FlexVPN

In the next article, we will cover each of these parameters and the configuration for the hub-and-spoke and spoke-to-spoke topologies.