Site-to-Site FlexVPN Lab 1: static tunnel + pre-shared key

This is a translation version of my original post in Chinese. There are 4 labs in my site-to-site FlexVPN series using CSR1000v on GNS3 (ref. Install CSR1000v on GNS3):

  1. Static tunnel + PSK
  2. Static tunnel + PKI
  3. Hub-to-spoke dynamic tunnel
  4. Spoke-to-spoke dynamic tunnel enabled by NHRP

Different from traditional DMVPN which uses IKEv1, FlexVPN adopts Internet Key Exchange Version as key exchange protocol. IOS version 15.2(1)T and plus has built-in Smart Default function to provide default IKEv2 configuration and simplify FlexVPN configuration.

Following is quick mind refresher of IKEv1 and IKEv2.


IKEv1 framework includes two explicit phases: Phase 1 is to authenticate IPSec peers and negotiate IKE SAs; Phase 2 is to negotiate IPSec SAs.

We can choose main mode or aggressive mode in Phase 1. Main mode requires more packet exchange, but it provides better security than aggressive mode as it protests peer identity information. In aggressive mode, PSK information is sent in clear text. Phase 2 only has one mode, which is quick mode.

IKEv2 explicitly segments the 2 phases; therefore, in troubleshooting, we will verify whether IKE/ISAKMP SA is successfully negotiated and then whether IPSEC SA is successfully negotiated.


IKEv2 mixes IKE SA and IPSec SA negotiation together. Whoever developed the protocol, all of sudden, noticed that everybody deploys IKE and IPSec in conjunction. Nobody configures IPSec without configuration IKE…then why separate the phases and send IKE and IPSec messages in different packets?

A single packet can carry both IKE and IPSec messages in IKEv2. In this case, fewer packets are exchanged to establish IPSec tunnel. IKEv2 combines benefits of both main mode and aggressive mode – fewer packet exchange and better security. It provides secured approach to verify peer identity, which helps prevent DoS attack.

IKEv2 framework includes 3 phases: 1) IKE_INIT phase; 2) IKE_AUTH phase ; and 3) Create_Child_SA phase.

Phase 1 is to encrypt tunnel; Phase 2 and Phase 3 information exchanges will be protected then. Phase 2 is to authenticate and exchange IKE and IPSec SA information. In addition to IKEv1 supporting RSA and PSK, IKEv2 also supports EAP, which makes remote user authentication easier. Phase 3 is similar to IKEv1 Phase 2 but with less packet exchange.

The following diagram illustrates IKEv1 vs. IKEv2 packet exchange process and phases


IKEv2 vs. IKEv1

In summary, IKEv2 provides better security anti-DoS, quicker tunnel establishment due to less packet exchange required, less bandwidth usage, more authentication option EAP and etc.

Lab Introduction

This lab is to establish site-to-site static FlexVPN tunnel, with PSK as authentication. Lab topology as below; only HUB1 and SPOKE1 are used in this lab. HUB2 and SPOKE1-HOST are NOT required in this lab.

NTP points to external NTP server.

Interface Configuration

Tunnel 0:



CSR-HUB1 Configuration

Step 1 – Configure pre-share key

# configure peer group and restrict IP to enhance security
crypto ikev2 keyring mykeys
peer SPOKE
pre-shared-key Cisco123

Step 2 – Configue IKEv2 profile

crypto ikev2 profile FLEXVPN-Static
# restrict remote address to enhance security. It can be configured as ‘any'.
match identity remote address
# configure PSK authentication when authenticate to remote device
authentication remote pre-share
# configure PSK authentication when remote device authenticates to local. Remote and local authentication can be different.
authentication local pre-share
# use previously define key ring
keyring local mykeys
# configure dead peer detection attributes
dpd 60 2 on-demand

Step 3 – Apply IKEv2 profile to IPSec profile, so that when IPSec profile is applied on interface the designated IKEv2 profile will be executed

crypto ipsec profile default
set ikev2-profile FLEXVPN-Static

Step 4 – Apply IPSec profile on tunnel interface to encrypt

CSR-HUB1#show run interface tu 0

interface Tunnel0
ip address
tunnel source GigabitEthernet3
tunnel destination
tunnel protection ipsec profile default

CSR-SPOKE 1 Configuration

Please refer to HUB1 and configure correspondingly.


CSR-SPOKE1#     show crypto ikev2 sa detailed

IPv4 Crypto IKEv2 SA
Tunnel-id Local                 Remote               fvrf/ivrf           Status
1       none/none           READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/1792 sec
CE id: 1561, Session-id: 1
Status Description: Negotiation done
Local spi: 4A27CEEEEB3E4CA7       Remote spi: E83A70F5492CE2C7
Local id:
Remote id:
Local req msg id: 3             Remote req msg id: 1
Local next msg id: 3             Remote next msg id: 1
Local req queued: 3             Remote req queued: 1
Local window:     5             Remote window:     5
DPD configured for 60 seconds, retry 2
Fragmentation not configured.
Extended Authentication not configured.
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : Yes
IPv6 Crypto IKEv2 SA
CSR-SPOKE1#     show crypto ipsec sa

interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr
protected vrf: (none)
 local ident (addr/mask/prot/port): (
   remote ident (addr/mask/prot/port): (
current_peer port 500
PERMIT, flags={origin_is_acl,}
   #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
   #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.:, remote crypto endpt.:
plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet3
current outbound spi: 0xC7C8CD12(3351825682)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x1405901D(335908893)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2002, flow_id: CSR:2, sibling_flags FFFFFFFF80000008, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4607999/1725)
IV size: 16 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xC7C8CD12(3351825682)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2001, flow_id: CSR:1, sibling_flags FFFFFFFF80000008, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4607999/1725)
IV size: 16 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
CSR-HUB1#show crypto session

Crypto session current status
Interface: Tunnel0
Profile: FLEXVPN-Static
Session status: UP-ACTIVE
Peer: port 500
Session ID: 288
IKEv2 SA: local remote Active
IPSEC FLOW: permit 47 host host
Active SAs: 2, origin: crypto map
CSR-HUB1#show ip int br

Interface             IP-Address     OK? Method Status                Protocol
GigabitEthernet1   YES manual up                   up
GigabitEthernet2       unassigned     YES NVRAM administratively down down
GigabitEthernet3     YES manual up                   up
GigabitEthernet4       unassigned     YES NVRAM administratively down down
Tunnel0            YES manual up                   up

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s