{"id":2843,"date":"2026-01-13T22:40:00","date_gmt":"2026-01-13T22:40:00","guid":{"rendered":"https:\/\/www.balajibandi.com\/?p=2843"},"modified":"2026-02-01T17:56:20","modified_gmt":"2026-02-01T17:56:20","slug":"90-days-to-ccie-sec-v6-1-lab","status":"publish","type":"post","link":"https:\/\/www.balajibandi.com\/?p=2843","title":{"rendered":"90 Days to CCIE SEC v6.1 Lab"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Cisco Flex VPN &#8211; Active\/Active and Active\/Standby<\/mark><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>FlexVPN<\/strong> is Cisco\u2019s unified framework for deploying\u00a0<strong>IKEv2-based<\/strong>\u00a0IPsec VPNs. It is intended to unify and supersede earlier technologies such as EasyVPN and DMVPN under a single, modular CLI that scales from simple site-to-site tunnels to hub-and-spoke and full-mesh topologies.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"toc-hId--252108290\">Key Features<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Dynamic Configuration and On-Demand Tunnels:\n<ul class=\"wp-block-list\">\n<li>When a FlexVPN session is initiated, the router clones a virtual access interface from a pre-configured virtual template. This interface is the tunnel endpoint for the lifetime of the session; when the session ends, the virtual access interface is torn down and its resources are released.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Flexibility in Deployment:\n<ul class=\"wp-block-list\">\n<li>Hub-and-Spoke Model: A central hub connects to multiple branch offices. 
FlexVPN simplifies setting up these connections with a single framework, making it well suited to large networks.<\/li>\n\n\n\n<li>Full Mesh and Partial Mesh Topologies: Sites can communicate directly without hairpinning traffic through a central hub, reducing latency.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>High Availability and Redundancy:\n<ul class=\"wp-block-list\">\n<li>Redundant Hubs: Supports multiple hubs for backup. If one hub fails, spokes connect to another hub, maintaining connectivity.<\/li>\n\n\n\n<li>Load Balancing: Distributes VPN sessions across multiple hubs so that no single device becomes a bottleneck, which matters in large deployments.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"toc-hId-140918720\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">IKEv2 vs IKEv1<\/mark><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">FlexVPN uses IKEv2, which negotiates modern cryptographic algorithms such as AES (Advanced Encryption Standard) for confidentiality and SHA-256 (Secure Hash Algorithm) for integrity, protecting the data carried over the VPN from eavesdropping and tampering.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">IKEv2 offers more authentication methods than IKEv1. Besides Pre-Shared Key (PSK) and certificate-based authentication, IKEv2 lets the responder authenticate the initiator (the client) with the Extensible Authentication Protocol (EAP) while the responder itself authenticates with a certificate; this replaces the IKEv1 hybrid (XAUTH) approach. Because each side authenticates independently, the two peers may also use different methods (asymmetric authentication).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">When EAP is used in FlexVPN, the router acts as an EAP pass-through, relaying EAP messages between the client and the backend authentication server, typically a RADIUS server. 
Because the router only relays, the EAP method itself (EAP-TLS, EAP-PEAP, EAP-PSK and others) is negotiated between the client and the RADIUS server; the router does not terminate the method.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The two tables below summarise the differences between IKEv1 and IKEv2:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"384\" src=\"https:\/\/www.balajibandi.com\/wp-content\/uploads\/2026\/02\/image-1024x384.png\" alt=\"IKEv1 vs IKEv2 comparison table (part 1)\" class=\"wp-image-2844\" srcset=\"https:\/\/www.balajibandi.com\/wp-content\/uploads\/2026\/02\/image-1024x384.png 1024w, https:\/\/www.balajibandi.com\/wp-content\/uploads\/2026\/02\/image-300x113.png 300w, https:\/\/www.balajibandi.com\/wp-content\/uploads\/2026\/02\/image-768x288.png 768w, https:\/\/www.balajibandi.com\/wp-content\/uploads\/2026\/02\/image-705x264.png 705w, https:\/\/www.balajibandi.com\/wp-content\/uploads\/2026\/02\/image.png 1088w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"290\" src=\"https:\/\/www.balajibandi.com\/wp-content\/uploads\/2026\/02\/image-1-1024x290.png\" alt=\"IKEv1 vs IKEv2 comparison table (part 2)\" class=\"wp-image-2845\" srcset=\"https:\/\/www.balajibandi.com\/wp-content\/uploads\/2026\/02\/image-1-1024x290.png 1024w, https:\/\/www.balajibandi.com\/wp-content\/uploads\/2026\/02\/image-1-300x85.png 300w, https:\/\/www.balajibandi.com\/wp-content\/uploads\/2026\/02\/image-1-768x218.png 768w, https:\/\/www.balajibandi.com\/wp-content\/uploads\/2026\/02\/image-1-705x200.png 705w, https:\/\/www.balajibandi.com\/wp-content\/uploads\/2026\/02\/image-1.png 1292w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">The FlexVPN Concept<\/mark><\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">At its core, FlexVPN 
is built on\u00a0<strong>Internet Key Exchange version 2 (IKEv2)<\/strong>. Unlike older IKEv1-based solutions, it uses a leaner exchange: four messages (IKE_SA_INIT and IKE_AUTH, two each) establish both the IKE SA and the first Child SA, where IKEv1 needed six Main Mode messages followed by three Quick Mode messages. It also natively supports\u00a0Next-Generation Encryption (NGE) algorithms such as AES-GCM, SHA-2 and elliptic-curve Diffie-Hellman (groups 19 and 20).<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Virtual Access Interfaces:<\/strong>\u00a0Instead of static crypto maps, FlexVPN dynamically clones &#8220;Virtual Access&#8221; interfaces from a\u00a0<strong>Virtual Template<\/strong>. A single Hub configuration can therefore serve thousands of spokes without a unique tunnel interface for each.<\/li>\n\n\n\n<li><strong>Modular Architecture:<\/strong>\u00a0Components (IKEv2 Proposal, Policy, Keyring, Profile, and IPsec Profile) are configured independently and then linked together. Because the IKEv2 profile sets <code>authentication local<\/code> and <code>authentication remote<\/code> separately, this allows\u00a0<strong>asymmetric authentication<\/strong>, where the Hub and Spoke can use different methods (e.g., PSK on one side and certificates on the other).<\/li>\n\n\n\n<li><strong>Smart Defaults:<\/strong>\u00a0Cisco ships &#8220;smart defaults&#8221; (a default IKEv2 proposal, policy, IPsec transform set and IPsec profile) to reduce configuration effort. They can be overridden or disabled (for example <code>no crypto ikev2 policy default<\/code>) when you need to pin exact algorithms for high-security requirements.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Step-by-Step Configuration (Hub-and-Spoke)<\/mark><\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Below is the standard workflow to establish a FlexVPN tunnel between two routers:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Define IKEv2 Proposal &amp; Policy:<\/strong>\u00a0Specify encryption (e.g., AES-256), integrity (SHA-256), and Diffie-Hellman group (Group 14 or stronger, preferably ECDH group 19 or 20); the policy references the proposal.<\/li>\n\n\n\n<li><strong>Configure a Keyring:<\/strong>\u00a0Define the\u00a0Pre-Shared Keys (PSKs)\u00a0per peer (by address or identity) for peer authentication.<\/li>\n\n\n\n<li><strong>Create an IKEv2 Profile:<\/strong>\u00a0This acts as the &#8220;glue&#8221; that matches peer identities 
(like IP address or FQDN), links the keyring, and specifies the local and remote authentication methods.<\/li>\n\n\n\n<li><strong>Define IPsec Parameters:<\/strong>\u00a0Create an IPsec transform set (for data protection) and wrap it in an\u00a0<strong>IPsec Profile<\/strong>\u00a0that references your IKEv2 profile with <code>set ikev2-profile<\/code>.<\/li>\n\n\n\n<li><strong>Provision the Tunnel Interface:<\/strong>\n<ul class=\"wp-block-list\">\n<li><strong>On the Hub:<\/strong>\u00a0Create a\u00a0<code>virtual-template<\/code>\u00a0interface (type tunnel) with\u00a0<code>tunnel protection ipsec profile<\/code>, and point the IKEv2 profile at it with <code>virtual-template<\/code> so incoming sessions are cloned from it.<\/li>\n\n\n\n<li><strong>On the Spoke:<\/strong>\u00a0Create a standard\u00a0<code>interface Tunnel<\/code>\u00a0whose <code>tunnel destination<\/code> is the Hub&#8217;s public IP, with the same\u00a0<code>tunnel protection ipsec profile<\/code>.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Enable Routing:<\/strong>\u00a0Run a routing protocol such as\u00a0EIGRP or BGP\u00a0over the tunnel to exchange internal network prefixes (IKEv2 routing via an authorization policy is the static alternative).<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Verification &amp; Troubleshooting<\/mark><\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Use these commands on the\u00a0Cisco CLI\u00a0to confirm operation and resolve issues:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><code>show crypto ikev2 sa<\/code><\/strong>: Verifies that the IKE SA (the IKEv1 &#8220;Phase 1&#8221; equivalent) is established; look for status READY.<\/li>\n\n\n\n<li><strong><code>show crypto ipsec sa<\/code><\/strong>: Confirms the Child (data) SAs are up and shows the encaps\/decaps packet counters, which should increase in both directions.<\/li>\n\n\n\n<li><strong><code>show crypto ikev2 profile<\/code><\/strong>: Shows the configured profiles and their match statements; to see which profile a live session actually matched, use <code>show crypto session detail<\/code> (the Profile line).<\/li>\n\n\n\n<li><strong><code>debug crypto ikev2 [error|packet]<\/code><\/strong>: Essential for identifying mismatched keys, unsupported encryption algorithms, or identity mismatches; start with <code>error<\/code>, as <code>packet<\/code> is verbose.<\/li>\n\n\n\n<li><strong><code>show ip route<\/code><\/strong>: Verifies that routes are being learned across the tunnel.<\/li>\n<\/ul>\n\n\n\n<p 
class=\"wp-block-paragraph\">In a real-world <strong>FlexVPN<\/strong>\u00a0deployment, you often need to handle multiple ISP connections. Because each tunnel is its own interface with its own IKEv2 session, FlexVPN\u2019s modularity makes Dual WAN significantly easier to manage than legacy DMVPN.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">1. Dual WAN Technical Logic<\/mark><\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In a Dual WAN setup, the Spoke router maintains two physical paths to the Hub, one per ISP. FlexVPN treats these as separate&nbsp;<strong>IKEv2 sessions<\/strong>, each with its own IPsec SAs, and the Hub clones a separate virtual access interface for each.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Active\/Active:<\/strong>\u00a0Both tunnels are up simultaneously. Traffic is balanced using\u00a0<strong>Equal-Cost Multi-Path (ECMP)<\/strong>\u00a0routing or\u00a0<strong>Performance Routing (PfR)<\/strong>.<\/li>\n\n\n\n<li><strong>Active\/Standby:<\/strong>\u00a0Both tunnels stay up, but routing preference (a worse IGP metric on the backup tunnel, or a floating static route with a higher\u00a0<strong>Administrative Distance<\/strong>) ensures only the primary path is used until it fails.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">2. Configuration Workflow<\/mark><\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>A. The Hub Side (Agnostic to Spoke WAN)<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The Hub typically doesn&#8217;t care how many WAN links the spoke has. It simply needs a&nbsp;<strong>Virtual Template<\/strong>&nbsp;ready to clone an interface for every incoming session; a dual-WAN spoke therefore consumes two virtual access interfaces on the Hub.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If the Hub itself is dual-homed, ensure it has a static public IP on each ISP (or a DNS name that resolves to both) so spokes can reach it for\u00a0Redundancy.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>B. 
The Spoke Side (The Intelligence)<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">On the Spoke, you define two separate Tunnel interfaces, each tied to a specific physical WAN interface using the&nbsp;<code>tunnel source<\/code>&nbsp;command.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Note that <code>tunnel source<\/code> only sets the outer source address; the encapsulated packets still follow the routing table to the <code>tunnel destination<\/code>. With both tunnels pointing at the same Hub address, one ISP&#8217;s default route wins and the second tunnel leaves through the wrong ISP with a source address that ISP will typically drop. Put each WAN interface in its own front-door VRF (<code>vrf forwarding<\/code>) with its own default route, bind the tunnel to it with <code>tunnel vrf<\/code>, and add <code>match fvrf any<\/code> to the shared IKEv2 profile.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Define Two Tunnels:<\/strong>\n<ul class=\"wp-block-list\">\n<li><code>interface Tunnel1<\/code>\u00a0->\u00a0<code>tunnel source GigabitEthernet1<\/code>\u00a0(ISP-A)<\/li>\n\n\n\n<li><code>interface Tunnel2<\/code>\u00a0->\u00a0<code>tunnel source GigabitEthernet2<\/code>\u00a0(ISP-B)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Apply Security:<\/strong>\u00a0Both tunnels can share the same\u00a0<strong>IKEv2 Profile<\/strong>\u00a0and\u00a0<strong>IPsec Profile<\/strong>, keeping the config clean.<\/li>\n\n\n\n<li><strong>Routing Strategy:<\/strong>\n<ul class=\"wp-block-list\">\n<li><strong>For Active\/Active:<\/strong>\u00a0Use a routing protocol (like BGP or EIGRP) and ensure the metrics for both tunnel paths are identical (for BGP, also enable <code>maximum-paths<\/code>). Check the\u00a0Cisco BGP Multipath guide\u00a0for load-balancing steps.<\/li>\n\n\n\n<li><strong>For Active\/Standby:<\/strong>\u00a0Apply a higher\u00a0<code>delay<\/code>\u00a0(EIGRP) or higher\u00a0<code>cost<\/code>\u00a0(OSPF) to the backup tunnel. Alternatively, use\u00a0Floating Static Routes\u00a0with different Administrative Distances. Keep in mind that a metric set on the Spoke&#8217;s tunnel only influences the Spoke&#8217;s own path choice: the Hub adds the cost of its cloned virtual access interface, which is identical for both sessions, so it will see two equal-cost paths back to the Spoke unless the Spoke also worsens what it advertises on the backup tunnel (for EIGRP, an outbound <code>offset-list<\/code> on Tunnel2).<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">3. 
Verification &amp; Troubleshooting<\/mark><\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><code>show crypto session<\/code><\/strong>: In a Dual WAN setup, you should see two UP-ACTIVE sessions to the same Hub address, one per local WAN interface; <code>show crypto session detail<\/code> adds the local address, fVRF and matched profile.<\/li>\n\n\n\n<li><strong><code>show ip route [destination]<\/code><\/strong>: Verify whether the routing table shows one path (Active\/Standby) or two equal-cost paths (Active\/Active) for a prefix behind the Hub.<\/li>\n\n\n\n<li><strong><code>show monitor event-trace vpn<\/code><\/strong>: Useful for seeing how FlexVPN reacts when one WAN link flaps.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Use\u00a0<strong>IP SLA<\/strong>\u00a0(Service Level Agreements) with object tracking to monitor the health of the primary ISP: an <code>ip sla<\/code> probe feeds a <code>track<\/code> object, and the primary static route carries that <code>track<\/code>. If the probe fails (no reply, or latency above a configured threshold), the route is withdrawn and traffic moves to the Standby tunnel. Probe something reachable only through that ISP, and make sure the probe itself does not depend on the route being tracked, otherwise the track can never recover once it goes down.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Cisco reference guide (PDF):<\/p>\n\n\n\n<div data-wp-interactive=\"core\/file\" class=\"wp-block-file\"><object data-wp-bind--hidden=\"!state.hasPdfPreview\" hidden class=\"wp-block-file__embed\" data=\"https:\/\/www.balajibandi.com\/wp-content\/uploads\/2026\/02\/118888-configure-flexvpn-00-1.pdf\" type=\"application\/pdf\" style=\"width:100%;height:200px\" aria-label=\"Embed of 118888-configure-flexvpn-00.\"><\/object><a id=\"wp-block-file--media-e98143f8-af7a-4d49-9212-c80665518d5c\" href=\"https:\/\/www.balajibandi.com\/wp-content\/uploads\/2026\/02\/118888-configure-flexvpn-00-1.pdf\">118888-configure-flexvpn-00<\/a><a href=\"https:\/\/www.balajibandi.com\/wp-content\/uploads\/2026\/02\/118888-configure-flexvpn-00-1.pdf\" class=\"wp-block-file__button wp-element-button\" download aria-describedby=\"wp-block-file--media-e98143f8-af7a-4d49-9212-c80665518d5c\">Download<\/a><\/div>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Happy Labingggggggggggggggg!<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cisco Flex 
VPN &#8211; Active\/Active and Active\/Standby FlexVPN is Cisco\u2019s unified framework for deploying\u00a0IKEv2-based\u00a0IPsec VPNs. It replaces legacy technologies like DMVPN and EasyVPN by providing a single, modular CLI that scales from simple site-to-site tunnels to complex hub-and-spoke and full-mesh topologies. Key Features IKEv2 vs IKEv1 FlexVPN leverages IKEv2, which supports modern cryptographic algorithms such [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,2],"tags":[],"class_list":["post-2843","post","type-post","status-publish","format-standard","hentry","category-ccie-sec","category-cisco"],"_links":{"self":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/2843","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2843"}],"version-history":[{"count":1,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/2843\/revisions"}],"predecessor-version":[{"id":2848,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/2843\/revisions\/2848"}],"wp:attachment":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2843"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2843"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2843"}],"curies":[
{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
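The hub-and-spoke workflow (proposal, policy, keyring, profile, IPsec profile, virtual template, tunnel, routing) and the dual-WAN spoke design (two tunnels sharing one IKEv2 and IPsec profile, active/standby through EIGRP delay, IP SLA tracking on the primary ISP) as one worked configuration. This is an added example written for this page; it is not configuration from the original post or from the linked Cisco guide. Everything concrete is an assumption: the lab.example FQDN identities, the hub public address 203.0.113.1, the spoke ISP links 198.51.100.0/30 and 192.0.2.0/30, the 10.255.0.0/24 tunnel loopbacks, the 10.0.0.0/24 and 10.1.0.0/24 LANs, the profile and keyring names, and the placeholder PSK. The syntax is IOS-XE (vrf definition / vrf forwarding). The example goes beyond the text in two places: ISP-B sits in a front-door VRF, because tunnel source alone does not pin the egress path when both tunnels share a destination, and an EIGRP offset-list on the backup tunnel makes the hub prefer the primary path too, since the hub's cloned virtual-access interfaces cannot carry different delays.

```cisco
! ---- Common to hub and spoke (names and addresses are lab assumptions) ----
aaa new-model
aaa authorization network FLEX-AAA local
! IKEv2 routing: each side sends its tunnel-interface address as a /32 to the
! peer, which installs a host route via the tunnel / Virtual-Access interface.
crypto ikev2 authorization policy FLEX-AUTHZ
 route set interface
crypto ikev2 proposal FLEX-PROP
 encryption aes-cbc-256
 integrity sha256
 group 19
crypto ikev2 policy FLEX-POL
 proposal FLEX-PROP
! liveness: detect a dead peer even when the WAN interface itself stays up
crypto ikev2 dpd 10 3 on-demand
crypto ipsec transform-set FLEX-TS esp-gcm 256
 mode transport
crypto ipsec profile FLEX-IPSEC
 set transform-set FLEX-TS
 set ikev2-profile FLEX-PROF
!
! ---- HUB: one ISP (203.0.113.1 on Gi1), LAN 10.0.0.0/24 ----
crypto ikev2 keyring FLEX-KEYS
 peer SPOKES
  address 0.0.0.0 0.0.0.0
  pre-shared-key Lab-PSK-Replace-Me
crypto ikev2 profile FLEX-PROF
 match identity remote fqdn domain lab.example
 identity local fqdn hub.lab.example
 authentication local pre-share
 authentication remote pre-share
 keyring local FLEX-KEYS
 aaa authorization group psk list FLEX-AAA FLEX-AUTHZ
 virtual-template 1
interface Loopback0
 ip address 10.255.0.1 255.255.255.0
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet1
 tunnel protection ipsec profile FLEX-IPSEC
router eigrp 100
 network 10.255.0.0 0.0.0.255
 network 10.0.0.0 0.0.0.255
!
! ---- SPOKE: ISP-A Gi1 198.51.100.2/30, ISP-B Gi2 192.0.2.2/30, LAN 10.1.0.0/24 ----
crypto ikev2 keyring FLEX-KEYS
 peer HUB
  address 203.0.113.1
  pre-shared-key Lab-PSK-Replace-Me
crypto ikev2 profile FLEX-PROF
 match fvrf any
 match identity remote fqdn hub.lab.example
 identity local fqdn spoke1.lab.example
 authentication local pre-share
 authentication remote pre-share
 keyring local FLEX-KEYS
 aaa authorization group psk list FLEX-AAA FLEX-AUTHZ
! Both tunnels share one destination, so ISP-B gets a front-door VRF with its own
! default route; "tunnel source" alone would not keep Tunnel2 off ISP-A.
vrf definition ISP-B
 address-family ipv4
interface GigabitEthernet1
 ip address 198.51.100.2 255.255.255.252
interface GigabitEthernet2
 vrf forwarding ISP-B
 ip address 192.0.2.2 255.255.255.252
ip route vrf ISP-B 0.0.0.0 0.0.0.0 192.0.2.1
! ISP-A default is tracked: if the ISP-A gateway stops answering, the route is
! withdrawn, Tunnel1 has no route to its destination and drops line protocol,
! and EIGRP moves everything to Tunnel2 without waiting for its hold timer.
ip sla 1
 icmp-echo 198.51.100.1 source-interface GigabitEthernet1
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 1
interface Loopback0
 ip address 10.255.0.11 255.255.255.0
interface Tunnel1
 ip unnumbered Loopback0
 delay 1000
 tunnel source GigabitEthernet1
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile FLEX-IPSEC
interface Tunnel2
 ip unnumbered Loopback0
 delay 2000
 tunnel source GigabitEthernet2
 tunnel destination 203.0.113.1
 tunnel vrf ISP-B
 tunnel protection ipsec profile FLEX-IPSEC
router eigrp 100
 network 10.255.0.0 0.0.0.255
 network 10.1.0.0 0.0.0.255
 ! delay steers only spoke->hub; the hub adds the same Virtual-Access delay on
 ! both paths, so worsen what the spoke advertises on Tunnel2 to steer hub->spoke.
 offset-list 0 out 100000 Tunnel2
```

Once both sessions are up, `show crypto session detail` on the hub lists two sessions for spoke1.lab.example, each on its own Virtual-Access with a different remote address and, for the ISP-B one, a different source fVRF on the spoke side. `show ip route 10.1.0.0` on the hub should show a single EIGRP path through the Virtual-Access that terminates the ISP-A session, and `show ip route 10.0.0.0` on the spoke a single path via Tunnel1. To test failover, block ICMP from the spoke to 198.51.100.1 (or shut Gi1) and watch `show track 1` go down and the spoke's route move to Tunnel2. The probe targets the directly connected gateway, so an ISP-A outage further upstream is caught only by DPD and the EIGRP hold timer; probing a host beyond the gateway is possible, but that host then needs its own untracked route so the probe can still recover after the tracked default is withdrawn.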