The topology above is going to setup a DMVPN type scenario but it’s going to run FlexVPN. The shared subnet the three routers are connected to is 10.30.1.0/29.

R1: Loopback 1 – 172.16.1.254
R2: Loopback 2 – 2.2.2.2/32
R3: Loopback3 – 3.3.3.3/32

Hub:

  • Keyring
    • Using quad 0 for remote addresses (any)
    • Same PSK across the board.
  • AAA authorization settings (IKEv2 Routing)(‘aaa new-model’)
    • Using routing via IKEv2
    • Requires access list which is any.
  • IKEv2 Profile
    • Identity for simplicity is ‘any’
  • IPSEC Profile
    • IPSEC profile that specifies the IKEv2 profile
  • Virtual-Template
    • The virtual template is a virtual interface, but the IP address cannot be applied directly to it. It requires unnumbered with the loopback interface we’re connecting to each spoke with.

Spoke:

  • Keyring
  • Authorization Policy
  • IKEv2 Profile
  • IPSEC Profile
  • Static VTI
    • Note there is no virtual template on the spokes, just the hub.
  • Verify
    • ‘show crypto ikev2 sa’
    • ‘show crypto ipsec sa’

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s