Cisco CCNP Security 300-730 SVPN – Site-to-Site Virtual Private Networks on Routers and Firewalls Part 8
14. IKEv2 FlexVPN hub-and-spoke AAA
So let's go ahead and start with this configuration. I always start from the hub. Before I do that, I want to make sure that I have connectivity, so from the hub I ping router one, two and three. I'm able to ping R1, R2 and R3, so that's good, we have connectivity. Next I check with do show run and do show ip interface brief that my Loopback0 is configured, because I'm going to be doing ip unnumbered on the virtual template and borrowing that loopback's IP address.
It is there, so that's good. Before we start with anything else I want to turn on AAA, and the way you do that is aaa new-model. After that we need aaa authorization network (authorization, not authentication): we want to authorize from the network using the FLEXVPN_LIST list that we are going to be creating, and it's going to be a local list.
After that I want to create a local pool, and I'm going to call it FLEXVPN_POOL. Since the virtual template is going to borrow the Loopback0 address, I want to hand out addresses from the same range to the spoke tunnel interfaces, because those tunnel interfaces are going to talk to the hub and get their IP address from this pool. You're going to see that in a little bit. That's going to be my range.
I first tried a larger range, up to .15, but IOS kept rejecting it with "IP ranges overlap", even after I answered no and tried again. do show ip local pool showed why: an old FLEXVPN_POOL with four free addresses was still there and had not been deleted. So I removed it with no ip local pool FLEXVPN_POOL, and now it's gone.
Let's do it again, because I want more addresses: ip local pool FLEXVPN_POOL 8.8.8.9 8.8.8.15. Now do show ip local pool shows seven free addresses that we can use for the R1, R2 and R3 tunnel interfaces. After that I go into crypto ikev2 authorization policy default. I'm going to use the default policy rather than creating my own, and in it I attach the pool we just created with pool FLEXVPN_POOL. That's it for now.
Let's exit and create the virtual template. My first attempt, interface Virtual-Template 8 type tunnel, collided with leftovers from an earlier lab: a Virtual-Access1 was still in show ip interface brief even after I removed the template. That's fine, I just created another one: interface Virtual-Template 88 type tunnel. The number does not matter. From here I set tunnel mode gre ip.
tunnel mode gre ip means a point-to-point GRE tunnel, which is what we want for hub-to-spoke: a single connection per spoke. Then tunnel source gigabit 0, the NBMA-facing interface, and then ip unnumbered Loopback0, which means the template borrows the IP address of Loopback0. If I do show ip interface brief you can see it right here: Virtual-Template88 shows the same address as Loopback0. I'm borrowing that address because I don't want to waste another IP on the template when Loopback0 already has one.
After that is done we need to configure IKEv2. The order is: the IKEv2 keyring, then the IKEv2 profile, then the IPsec transform set and the IPsec profile. So let's start with the first one, crypto ikev2 keyring IKEV2_KEYRING; that's what we want to call it.
Now we add all the peers I'm going to connect to. The first one is router one; its address is its NBMA IP address, ending in .10, and we define the pre-shared key, local and remote. I'm keeping the same key for all of them so I don't get confused. Then router two, address ending in .21, with the same remote and local pre-shared key. Then router three, address ending in .31, same remote and local key. That's the keyring. (Reusing one PSK for every peer is fine for a lab, but in production give each spoke its own key, or use certificates: with a single shared key, one compromised spoke holds the credential of every other peer in the keyring.) Now we can configure the IKEv2 profile.
crypto ikev2 profile IKEV2_PROFILE. From here I do identity local address with the hub's NBMA address, ending in .81. Then we match the remote identities: match identity remote address for .10 (I always forget to put address in front of it), then .21 and .31. Then we attach the keyring with keyring local IKEV2_KEYRING, attach the virtual template with virtual-template 88, and set authentication local pre-share and authentication remote pre-share. And then we do the AAA authorization.
That is aaa authorization group psk list FLEXVPN_LIST default. The list is the aaa authorization network list we created earlier, FLEXVPN_LIST, and default at the end names the default crypto ikev2 authorization policy, which has FLEXVPN_POOL attached to it. That's how the spokes get their tunnel IP addresses. Let's see what else we need: identity, keyring, authorization and the match for all three remotes. So we are done with the IKEv2 profile. Next the transform set: crypto ipsec transform-set TSET with ESP AES for encryption and ESP SHA HMAC for data integrity. Done.
Now the IPsec profile: crypto ipsec profile IPSEC_PROFILE (need to spell profile right). In it we set the transform set TSET and the IKEv2 profile IKEV2_PROFILE; I scroll up to check the profile name, and yes, that's it. After that, router eigrp 10, no auto-summary, and a couple of networks. The first is 8.0.0.0, the tunnel network: the hub's template borrows Loopback0's address and the spokes are going to be on the same network. Then for the hub itself I create Loopback88 with the address 80.80.80.88 and add that network too. Now we go into interface Virtual-Template 88 type tunnel and add no ip split-horizon eigrp 10.
If you do not know what that means, search for it or go to my YouTube channel and watch my other videos where I explain it. Then we add tunnel protection ipsec profile IPSEC_PROFILE, and that should bring up ISAKMP; as you can see, the "ISAKMP is ON" message appears. So we are done with the hub. show run | section crypto shows everything we configured for IKEv2. I copy all of that, open Leafpad, paste it there and clean it up a little, because when we configure router one we only need one connection, to the hub, whose address ends in .81.
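The full hub configuration that the steps above build up, as an added example reconstructed from what is typed in this lesson (it is not a capture from the instructor's router, and object names are spelled as heard in the audio). Assumptions that the video does not state: NBMA addressing in 192.0.2.0/24 (only the last octets .81, .10, .21 and .31 come from the lesson), GigabitEthernet0/0 as the NBMA-facing interface, Loopback0 as 8.8.8.8/24, a 256-bit AES key size, and the pre-shared key string DMVPN_KEY.

```cisco
! Hub configuration (added example; assumptions are marked in the comments)
aaa new-model
aaa authorization network FLEXVPN_LIST local
!
interface Loopback0
 ip address 8.8.8.8 255.255.255.0        ! assumed; the template borrows this address
!
interface Loopback88
 ip address 80.80.80.88 255.255.255.255
!
! Addresses handed to the spoke tunnel interfaces: 8.8.8.9 through 8.8.8.15 (seven hosts)
ip local pool FLEXVPN_POOL 8.8.8.9 8.8.8.15
!
! Default IKEv2 authorization policy; the pool is attached here and selected by the
! "aaa authorization group psk list FLEXVPN_LIST default" line in the profile
crypto ikev2 authorization policy default
 pool FLEXVPN_POOL
!
! One PSK for every peer, as in the lesson; use per-peer keys or certificates in production
crypto ikev2 keyring IKEV2_KEYRING
 peer R1
  address 192.0.2.10                      ! assumed prefix, last octet from the lesson
  pre-shared-key local DMVPN_KEY
  pre-shared-key remote DMVPN_KEY
 peer R2
  address 192.0.2.21
  pre-shared-key local DMVPN_KEY
  pre-shared-key remote DMVPN_KEY
 peer R3
  address 192.0.2.31
  pre-shared-key local DMVPN_KEY
  pre-shared-key remote DMVPN_KEY
!
crypto ikev2 profile IKEV2_PROFILE
 match identity remote address 192.0.2.10 255.255.255.255
 match identity remote address 192.0.2.21 255.255.255.255
 match identity remote address 192.0.2.31 255.255.255.255
 identity local address 192.0.2.81
 authentication local pre-share
 authentication remote pre-share
 keyring local IKEV2_KEYRING
 aaa authorization group psk list FLEXVPN_LIST default
 virtual-template 88
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac   ! key size assumed
!
crypto ipsec profile IPSEC_PROFILE
 set transform-set TSET
 set ikev2-profile IKEV2_PROFILE
!
! DVTI template: every spoke's IKEv2 session clones its own Virtual-Access interface from this
interface Virtual-Template88 type tunnel
 ip unnumbered Loopback0
 no ip split-horizon eigrp 10
 tunnel mode gre ip
 tunnel source GigabitEthernet0/0          ! assumed interface name
 tunnel protection ipsec profile IPSEC_PROFILE
!
router eigrp 10
 no auto-summary
 network 8.0.0.0
 network 80.80.80.88 0.0.0.0
```

To verify, use the same commands the lesson walks through: show ip local pool (addresses in use), show ip interface brief (one Virtual-AccessN per spoke), show crypto ikev2 sa and show crypto ipsec sa (one SA pair per virtual-access), and show ip eigrp neighbors.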
Everything else stays the same. We only need one remote identity, the hub's, ending in .81, and the local identity changes to .10 because this is router one. We are not going to use a virtual template on the spoke, since we won't be configuring one; everything else stays the same. So I put that to the side and configure router one. First a loopback: interface Loopback11 with ip address 11.11.11.11 255.255.255.255, exit. After that we start AAA with aaa new-model, and then aaa authorization network, which we are going to call FLEXVPN_LIST.
Spell it right: FLEXVPN_LIST, using local, because this AAA authorization network list is how we are going to get the tunnel IP address from the hub. Now interface Tunnel1: tunnel mode gre ip, which is point-to-point, tunnel source gigabit 0, tunnel destination the hub's IP address, and then ip address negotiated. That means we negotiate the tunnel address with the hub, and the hub provides it. Remember the pool we configured: if you go over to the hub and do show ip local pool, you'll see the range it negotiates from.
The hub assigns an address from that range. Next we configure IKEv2. I have it in Leafpad already, off to the side, so let me check that everything looks good. We don't need the pool part because the pool is provided by the hub, but we need the rest: the keyring, the IKEv2 profile, the transform set and the IPsec profile. Copy all of it, go over to router one and paste. No errors, which is good. Since there were no errors, we go into interface Tunnel1 and add tunnel protection ipsec profile IPSEC_PROFILE, the profile we just created. That turns ISAKMP on, and the interface comes up.
On the hub, show ip interface brief now shows a Virtual-Access2 with the same IP address as the template. show ip local pool now shows one address in use and six free, so the negotiation happened. Remember the ip address negotiated command on the tunnel? On router one, do show ip interface brief shows 8.8.8.9 on Tunnel1, negotiated with the hub. Now router eigrp 10, no auto-summary, network 11.11.11.11, network 8.0.0.0, and that brings up the neighbor relationship: show ip eigrp neighbors shows one EIGRP neighbor, and show ip route eigrp shows a route to 80.80.80.88 via the tunnel, learned from the hub. So we have hub-to-spoke communication. On the hub, show dmvpn shows nothing (this is not DMVPN), but show crypto ikev2 sa shows an SA.
We should have an IPsec SA as well, and yes, we do: show crypto ipsec sa shows the crypto map tag for Virtual-Access2, the local address, which is the hub's NBMA address, the local and remote identities (the remote is .10, router one), and how many packets have been encapsulated and decapsulated. Now from router one let's ping 80.80.80.88 with repeat 100. On the hub, show crypto ipsec sa shows the counters went up by 100, because we pinged 100 times; so those packets were encrypted and decrypted. Ping 100 more times, go back to the hub, run show crypto ipsec sa again, and the counters go up by another 100. So IPsec is working.
And IKEv2 is working. Now let's do router two, the same thing we did with router one. aaa new-model, then aaa authorization network FLEXVPN_LIST local (let me verify it's FLEXVPN_LIST; it is). Then interface Tunnel2, tunnel mode gre ip, tunnel source gigabit 0, tunnel destination .81, the hub, and ip address negotiated so we negotiate with the hub and the hub provides the tunnel address; that's what negotiated means. Now I bring up the IKEv2 configuration from Leafpad. The keyring stays the same; the only thing that changes is the identity local address, which is now .21 for router two. Copy and paste. No errors, good. Now the loopback.
interface Loopback22, ip address 22.22.22.22 255.255.255.255, exit. Before EIGRP, go into interface Tunnel2 and add tunnel protection ipsec profile IPSEC_PROFILE; ISAKMP comes up. Then router eigrp 10, no auto-summary, network 22.22.22.22, and the network the tunnel is on: show ip interface brief shows we negotiated an address with the hub, so network 8.0.0.0, and the EIGRP adjacency comes up. On the hub, show ip local pool now shows two addresses in use and five free: router one has 8.8.8.9 and router two has 8.8.8.10, which matches show ip interface brief on each spoke. So it is working.
From the hub, show ip interface brief shows Virtual-Access2 for the connection with router one and Virtual-Access3 for router two, and show crypto ipsec sa confirms it: Virtual-Access2 with remote identity .10 (router one), and further down Virtual-Access3 with remote identity .21 (router two). Now router three, the same as router one and router two: aaa new-model, aaa authorization network FLEXVPN_LIST local, a new tunnel interface with tunnel mode gre ip, tunnel source gigabit 0, tunnel destination the hub, and ip address negotiated so it gets its address from the hub just like the others. Router one got 8.8.8.9 and router two got 8.8.8.10, so router three is probably going to get 8.8.8.11.
We'll see that once the configuration is done. In Leafpad the only change is the identity local address, .31; copy all of it and paste. Then interface Loopback33 with ip address 33.33.33.33 255.255.255.255. Then interface Tunnel3, adding tunnel protection ipsec profile IPSEC_PROFILE first, and then router eigrp 10. ISAKMP comes on, and the hub logs Virtual-Access4 coming up, which means a new tunnel address was handed out. show ip interface brief on the hub shows Virtual-Access4 up and running, and on router three do show ip interface brief shows 8.8.8.11, like I said. Now no auto-summary.
Add the two networks, 33.33.33.33 and 8.0.0.0, and the adjacency comes up. show ip eigrp neighbors shows three neighbors: 8.8.8.9 (router one), 8.8.8.10 (router two) and 8.8.8.11 (router three), on Virtual-Access2, Virtual-Access3 and Virtual-Access4. Each spoke got a different tunnel address and a different virtual interface because we are using DVTI, which creates a new Virtual-Access interface per IPsec session; every VPN connection has its own virtual interface. show crypto ipsec sa shows Virtual-Access2 with router one, then Virtual-Access3 with router two, and Virtual-Access4 with remote identity .31, router three. So everything is working the way we wanted.
So we are done with this configuration. You just learned how to configure a FlexVPN hub-and-spoke using DVTI with IKEv2 and AAA authorization: the hub authorized each spoke and, once it was authorized, gave it a tunnel address from the 8.8.8.9 to 8.8.8.15 range, as we saw. Before we leave, show crypto ikev2 sa shows three SAs, each with local identity .81, the hub, on port 500. Port 500 means we are not using NAT traversal; if a NAT were in the path, IKEv2 would switch to UDP 4500. The remote of the first one is router three, the next is router two.
And the last one is router one. All three use AES-CBC with a 256-bit key, SHA-512, and Diffie-Hellman group 5, the IOS default IKEv2 proposal. (Group 5 is a 1536-bit MODP group and below current guidance; in production define a crypto ikev2 proposal with group 14 or higher, or ECDH groups 19/20, and attach it through a crypto ikev2 policy.) Also, show ip route eigrp on the hub shows three EIGRP routes: 11.11.11.11 via 8.8.8.9 (router one, Virtual-Access2), 22.22.22.22 via 8.8.8.10 (router two, Virtual-Access3), and 33.33.33.33 via 8.8.8.11 (router three, Virtual-Access4). Now one more thing.
On a spoke, show ip route eigrp also shows routes to the other spokes via 8.8.8.10 and 8.8.8.11, but the difference is that whenever we ping one spoke from another, the traffic goes via the hub; it always has to. A traceroute from router one to 33.33.33.33 goes through the hub because we only have hub-to-spoke connections, not spoke-to-spoke, and the same happens for 22.22.22.22. All traffic goes through the hub, and if the hub goes down, the entire network goes down. That's why we need to configure spoke-to-spoke communication as well, and we're going to do that in the next video. If you enjoyed this video and it showed.