This topic is to discuss the following lesson:
Hi Rene,
Why is the ipsec transform-set missing in the router configurations?
Hello Nipun
One of the advantages of using FlexVPN is that it uses Smart Defaults. These are pre-defined settings that are automatically set to default values based on general best practices. These configuration parameters don’t need to be configured by you, and this is one of the benefits of FlexVPN.
One of those parameters is the IPSec transform set. FlexVPN uses specific smart defaults for that, so you don’t have to configure it. All of these smart defaults are detailed in the following lesson:
I hope this has been helpful!
Laz
Thanks a lot for the explanation
Hi Rene,
2 questions from this post (FlexVPN PKI authentication).
In the final configs section, why do you provide a PSK for both remote and local, since one side will only be using a cert?
Secondly, on the R2 final config, why the 3 lines below?
authentication remote pre-share
authentication remote rsa-sig
authentication local pre-share
Hello Ravi
I’ll do my best to answer your questions.
The reason both pre-shared-key local and pre-shared-key remote are configured on both routers, even though only one side uses a certificate, is because of how IKEv2 mutual authentication works in Cisco IOS when using a mixed mode of RSA-sig and PSK:
- R1 uses local authentication, where an RSA signature is used, and the certificate is from its PKI trustpoint. R1 also uses PSK for remote authentication.
- R2 uses PSK for local authentication and RSA signature for its remote authentication (it expects R1’s certificate).
So why are both local and remote PSK configured? Because in Cisco IOS, the pre-shared-key local is the key each router sends to authenticate itself, and the pre-shared-key remote is the key each router expects from the peer.
So even though R1 authenticates itself with a certificate, it still expects a PSK from R2, and R2 authenticates itself with a PSK, but expects a certificate from R1. Therefore, each side must define both directions of the PSK. Does that make sense?
I hope this has been helpful!
Laz