================
! RSA key pair used for IKEv2 rsa-sig authentication
crypto key generate rsa general-keys modulus 2048 label my-ca
!
! Trustpoint with manual (cut-and-paste) enrollment
crypto pki trustpoint my-ca
 enrollment terminal
 serial-number
 ip-address none
 subject-name cn=*.test.local
 revocation-check none
 rsakeypair my-ca 2048
!
! Paste the CA certificate, generate the CSR, then import the signed certificate
crypto pki authenticate my-ca
crypto pki enroll my-ca
crypto pki import my-ca cert
!
! Interesting traffic: local LAN to remote LAN
ip access-list extended VPN-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 10.100.0.0 0.0.0.255
!
crypto ikev2 proposal PHASE-1
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy VPN-POLICY
 proposal PHASE-1
!
crypto ikev2 profile RTR1-RTR2-PROFILE
 ! match identity remote fqdn RTR2.TEST
 match identity remote address 13.251.172.245 255.255.255.255
 ! identity local fqdn RTR1.TEST
 identity local address 102.27.51.61
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint my-ca
!
crypto ipsec transform-set PHASE-2 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map VPN-MAPS 10 ipsec-isakmp
 ! Peer address as given; it differs from the remote identity matched in the
 ! IKEv2 profile (13.251.172.245). Both must refer to the same peer.
 set peer 113.251.172.245
 set transform-set PHASE-2
 set ikev2-profile RTR1-RTR2-PROFILE
 match address VPN-TRAFFIC
!
interface FastEthernet0/1
 crypto map VPN-MAPS