In a FlexVPN Hub and Spoke design, spoke routers are configured with a normal static VTI (SVTI) whose tunnel destination is the Hub’s IP address; the Hub, however, is configured with a Dynamic VTI (DVTI). The DVTI on the Hub router has no static mapping to any peer’s IP address. Instead, the VTI on the Hub is created dynamically from a preconfigured tunnel template (“virtual-template”) when a tunnel is initiated by a spoke router/peer. Each spoke tunnel spawns a separate “virtual-access” interface, which inherits its configuration from the cloned template.

FlexVPN Hub and Spoke Configuration
Hub Router
Step 1 – Define a loopback interface (its address will be borrowed by the tunnel interface via ip unnumbered)
interface loopback 0
ip address 172.16.0.1 255.255.255.255
Step 2 – Create a Tunnel Template (tunnel source is the WAN interface; Lo0 supplies the tunnel’s IP address)
interface virtual-template 1 type tunnel
tunnel source gigabitethernet 0/0
ip unnumbered loopback 0
Step 3 – Create a PSK Keyring (use an address of 0.0.0.0 for lab purposes to match all peers; use a symmetric PSK for simplicity)
crypto ikev2 keyring KEYRING
peer ANY-PEER
address 0.0.0.0
pre-shared-key local cisco1234
pre-shared-key remote cisco1234
exit
Step 4 – Create an IKEv2 Profile (set the local identity to an FQDN, match any peer in the domain, use PSK authentication in both directions, reference the Keyring, and specify the Virtual Template to clone)
crypto ikev2 profile IKEV2_PROFILE
match identity remote fqdn domain lab.net
identity local fqdn R1.lab.net
authentication remote pre-share
authentication local pre-share
keyring local KEYRING
virtual-template 1
Step 5 – Create an IPSec Profile (set the IKEv2 Profile; the default transform set is used, so none needs to be specified)
crypto ipsec profile IPSEC_PROFILE
set ikev2-profile IKEV2_PROFILE
Step 6 – Specify the IPSec Profile on the Tunnel Template
interface virtual-template 1 type tunnel
tunnel protection ipsec profile IPSEC_PROFILE
Step 7 – Specify some Loopback Interfaces to simulate LAN Subnets & configure Dynamic Routing Protocol
interface loopback1
ip address 10.1.0.1 255.255.255.0
interface loopback2
ip address 10.1.1.1 255.255.255.0
router eigrp 1
no auto-summary
network 172.16.0.1
network 10.1.0.0 0.0.255.255
Spoke Router
Step 1 – Specify some Loopback Interfaces to simulate LAN Subnets & configure Dynamic Routing Protocol
interface loopback0
ip address 172.16.0.2 255.255.255.0
interface loopback1
ip address 10.3.0.1 255.255.255.0
interface loopback2
ip address 10.3.1.1 255.255.255.0
router eigrp 1
no auto-summary
network 172.16.0.2
network 10.3.0.0 0.0.255.255
Step 2 – Create a PSK Keyring (use an address of 0.0.0.0 for lab purposes to match all peers; use a symmetric PSK for simplicity)
crypto ikev2 keyring KEYRING
peer ANY-PEER
address 0.0.0.0
pre-shared-key local cisco1234
pre-shared-key remote cisco1234
exit
Step 3 – Create an IKEv2 Profile (set the local identity to an FQDN, match any peer in the domain, use PSK authentication in both directions, and reference the Keyring)
crypto ikev2 profile IKEV2_PROFILE
match identity remote fqdn domain lab.net
identity local fqdn R2.lab.net
authentication remote pre-share
authentication local pre-share
keyring local KEYRING
Step 4 – Create an IPSec Profile (set the IKEv2 Profile; the default transform set is used, so none needs to be specified)
crypto ipsec profile IPSEC_PROFILE
set ikev2-profile IKEV2_PROFILE
Step 5 – Create an SVTI (Lo0 supplies the tunnel IP address; specify the tunnel source, the tunnel destination as the Hub’s WAN IP, and the IPSec Profile)
interface tunnel0
ip unnumbered loopback 0
tunnel source gigabitethernet 0/0
tunnel destination 1.1.1.1
tunnel protection ipsec profile IPSEC_PROFILE
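Before bringing the tunnel up on real hardware, the two sides above can be cross-checked offline. The following is an added example (not part of the original post or any Cisco tool): a small Python lint that parses flat IOS config text and verifies that the hub and spoke PSKs mirror each other, that each side’s FQDN falls inside the domain the other side’s profile matches, and that the wildcard 0.0.0.0 keyring entry is called out. HUB and SPOKE are abridged, constructed copies of the keyring and IKEv2 profile steps above.

```python
# Added example (not from the original post). HUB/SPOKE are abridged, constructed copies of the steps above.
HUB = """crypto ikev2 keyring KEYRING
address 0.0.0.0
pre-shared-key local cisco1234
pre-shared-key remote cisco1234
crypto ikev2 profile IKEV2_PROFILE
match identity remote fqdn domain lab.net
identity local fqdn R1.lab.net"""
SPOKE = """crypto ikev2 keyring KEYRING
pre-shared-key local cisco1234
pre-shared-key remote cisco1234
crypto ikev2 profile IKEV2_PROFILE
match identity remote fqdn domain lab.net
identity local fqdn R2.lab.net"""
HEADERS = ("crypto ikev2 keyring", "crypto ikev2 profile", "crypto ipsec profile", "interface")

def parse(cfg):
    """Group a flat (unindented) IOS config into {section header: [sub-command lines]}."""
    sections, cur = {}, []          # lines before the first header are discarded
    for line in (ln.strip() for ln in cfg.splitlines()):
        if line.startswith(HEADERS):
            cur = sections.setdefault(line, [])
        elif line and line != "exit":
            cur.append(line)
    return sections

def find(lines, prefix):
    """Argument of the first sub-command that starts with prefix, or None if absent."""
    return next((ln[len(prefix) + 1:] for ln in lines if ln.startswith(prefix + " ")), None)

def lint(hub_cfg, spoke_cfg):
    """Return a list of findings; an empty list means the two sides agree."""
    hub, spoke, out = parse(hub_cfg), parse(spoke_cfg), []
    sec = lambda d, p: next((v for k, v in d.items() if k.startswith(p)), [])
    hk, sk = sec(hub, "crypto ikev2 keyring"), sec(spoke, "crypto ikev2 keyring")
    hp, sp = sec(hub, "crypto ikev2 profile"), sec(spoke, "crypto ikev2 profile")
    # 1. PSKs must mirror: hub local == spoke remote and vice versa.
    for a, b in (("local", "remote"), ("remote", "local")):
        if find(hk, "pre-shared-key " + a) != find(sk, "pre-shared-key " + b):
            out.append(f"PSK mismatch: hub {a} != spoke {b}")
    # 2. Each side's FQDN must lie inside the domain the other side's profile matches.
    for side, me, them in (("spoke", sp, hp), ("hub", hp, sp)):
        fqdn, dom = find(me, "identity local fqdn"), find(them, "match identity remote fqdn domain")
        if not (fqdn and dom and fqdn.endswith("." + dom)):
            out.append(f"{side} identity {fqdn!r} is not matched by peer domain {dom!r}")
    # 3. Wildcard peer address: only the PSK and the FQDN domain match gate access to the hub.
    if find(hk, "address") in ("0.0.0.0", "0.0.0.0 0.0.0.0"):
        out.append("hub keyring matches any peer address (lab use; pin peer addresses in production)")
    return out
```

Run `lint(HUB, SPOKE)` on the page’s configs and the only finding is the wildcard-address note; change a PSK or an FQDN on one side and the corresponding mismatch is reported.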
Verify Configuration
Use the command “show ip interface brief” to confirm that a virtual-access interface has been created.

Using the command “show crypto ikev2 sa detailed” you can verify that the IKEv2 SA was established correctly with the peer.

Use the “show crypto ipsec sa” command to confirm that the IPSec tunnel is UP and passing traffic. Each IPSec SA will identify the Virtual-Access interface associated with the remote ID of the peer.

Hi.
Thanks for the example. What do I do if I want to add redundancy to this, with one more hub? Just one more tunnel interface to the “standby” spoke?
Hi Jacob,
You don’t necessarily need to create an additional tunnel; you can use the Flex Client in conjunction with IP SLA/Track commands. When the primary tunnel goes down, it will fail over to the secondary. E.g.:
crypto ikev2 client flexvpn FLEX_CLIENT
peer 1 1.1.1.1 track 1
peer 2 2.2.2.1 track 2
peer reactivate
client connect tunnel0
connect auto
interface tunnel 0
tunnel destination dynamic
HTH
Okay, I don’t have that option.
Using a Cisco 867 as client.
Router(config)#crypto ikev2 ?
authorization IKEv2 authorization
certificate-cache Cache for storing certs fetched from HTTP URLs
cookie-challenge Set Cookie-challenge watermark
diagnose IKEV2 diagnose
dpd Enable IKE liveness check for peers
fragmentation Enable fragmentation of ikev2 packets
http-url Enable http URL lookup
keyring Define IKEv2 Keyring
limit Limit the number of maximum and negotiating sa
name-mangler Name mangler
nat NAT-transparency
policy Define IKEV2 policies
profile Define IKEv2 Profiles
proposal Define IKEV2 proposals
window IKEV2 window size
Perhaps the IOS firmware version you have doesn’t support FlexVPN Client, check how old your version is and potentially upgrade.
Alternatively you could run 2 tunnels and use a routing protocol for ECMP (2 equal cost routes over both tunnels) or with a delay on the tunnel interfaces for 1 active route over 1 tunnel and the 2nd route as backup.
HTH