version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname SPOKE1
!
boot-start-marker
boot system flash bootflash:asr1001-universalk9.03.16.02.S.155-3.S2-ext.bin
boot-end-marker
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
aaa new-model
!
aaa authorization network FLEXVPN_LOCAL local
!
aaa session-id common
!
ip vrf COE
 rd 1:1
 route-target export 1:1
 route-target import 1:1
!
ipv6 multicast rpf use-bgp
ipv6 multicast vrf Mgmt-intf rpf use-bgp
!
subscriber templating
!
mpls label mode all-vrfs protocol bgp-vpnv4 per-vrf
multilink bundle-name authenticated
!
license udi pid ASR1001 sn JAE171203KT
license boot level adventerprise
!
spanning-tree extend system-id
!
redundancy
 mode none
!
crypto ikev2 authorization policy IKEV2_AUTHORIZATION
 route set interface
!
crypto ikev2 keyring IKEV2_KEYRING
 peer HUB1
  address 192.168.1.254
  pre-shared-key local CISCO
  pre-shared-key remote CISCO
 !
 peer SPOKE2
  address 192.168.1.2
  pre-shared-key local CISCO
  pre-shared-key remote CISCO
 !
 peer SPOKE_ROUTERS
  address 0.0.0.0 0.0.0.0
  pre-shared-key local CISCO
  pre-shared-key remote CISCO
 !
!
crypto ikev2 profile IKEV2_PROFILE
 match identity remote fqdn HUB.FLEXVPN.LAB
 match identity remote fqdn SPOKE2.FLEXVPN.LAB
 match identity remote fqdn domain FLEXVPN.LAB
 identity local fqdn SPOKE1.FLEXVPN.LAB
 authentication local pre-share
 authentication remote pre-share
 keyring local IKEV2_KEYRING
 aaa authorization group psk list FLEXVPN_LOCAL IKEV2_AUTHORIZATION
!
crypto ipsec profile IPSEC_PROFILE
 set ikev2-profile IKEV2_PROFILE
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
!
interface Loopback202
 ip vrf forwarding COE
 ip address 10.242.1.1 255.255.255.255
!
interface Port-channel1
 no ip address
 load-interval 30
 no negotiation auto
 load-balancing vlan
!
interface Port-channel1.601
 encapsulation dot1Q 601
 ip address 192.168.1.1 255.255.255.0
!
interface Tunnel0
 ip address negotiated
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 mpls nhrp
 tunnel source Port-channel1.601
 tunnel destination 192.168.1.254
 tunnel protection ipsec profile IPSEC_PROFILE
!
interface GigabitEthernet0/0/0
 no ip address
 load-interval 30
 negotiation auto
 cdp enable
 no cdp tlv app
 channel-group 1
!
interface GigabitEthernet0/0/1
 no ip address
 load-interval 30
 negotiation auto
 cdp enable
 no cdp tlv app
 channel-group 1
!
interface Virtual-Template1 type tunnel
 ip unnumbered Tunnel0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 mpls nhrp
 tunnel source Port-channel1.601
 tunnel protection ipsec profile IPSEC_PROFILE
!
router ospf 1
 router-id 1.1.1.1
 ispf
 log-adjacency-changes detail
 redistribute connected subnets route-map CONNECTED_to_OSPF
 network 172.16.1.0 0.0.0.255 area 1
!
router bgp 1
 bgp router-id 1.1.1.1
 bgp always-compare-med
 bgp log-neighbor-changes
 bgp deterministic-med
 no bgp default ipv4-unicast
 timers bgp 4 12
 neighbor HUB peer-group
 neighbor HUB remote-as 1
 neighbor HUB update-source Loopback1
 neighbor 11.11.11.11 peer-group HUB
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor HUB send-community both
  neighbor 11.11.11.11 activate
 exit-address-family
 !
 address-family ipv4 vrf COE
  redistribute connected
  default-information originate
 exit-address-family
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route vrf COE 0.0.0.0 0.0.0.0 Null0
!
route-map CONNECTED_to_OSPF permit 10
 match interface Loopback1
 set metric 1
 set metric-type type-1
!