The topology above sets up a DMVPN-type scenario, but it runs FlexVPN. The shared subnet the three routers are connected to is

R1: Loopback 1 –
R2: Loopback 2 –
R3: Loopback 3 –


  • Keyring
    • Using quad 0 for remote addresses (any)
    • Same PSK across the board.
  • AAA authorization settings (IKEv2 routing, ‘aaa new-model’)
    • Routes are exchanged via IKEv2
    • Requires an access list, which here is ‘any’.
  • IKEv2 Profile
    • Identity for simplicity is ‘any’
  • IPSEC Profile
    • IPSEC profile that specifies the IKEv2 profile
  • Virtual-Template
    • The virtual template is a virtual interface, but an IP address cannot be applied directly to it. It has to be unnumbered to the loopback interface we’re using to connect to each spoke.


  • Keyring
  • Authorization Policy
  • IKEv2 Profile
  • IPSEC Profile
  • Static VTI
    • Note there is no virtual template on the spokes, just the hub.
  • Verify
    • ‘show crypto ikev2 sa’
    • ‘show crypto ipsec sa’
