crypto pki trustpoint SEC_TRUSTPOINT
 enrollment mode ra
 enrollment url
 serial-number none
 ip-address none
 subject-name CN=router1.example.com
 subject-alt-name router1.example.com
 revocation-check none
 rsakeypair SEC_RSA_KEY
!
crypto pki trustpoint PRI_TRUSTPOINT
 enrollment mode ra
 enrollment url
 serial-number none
 ip-address none
 subject-name CN=router1.example.com
 subject-alt-name router1.example.com
 revocation-check none
 rsakeypair PRI_RSA_KEY

crypto pki certificate map SEC_CERT_MAP 10
 subject-name co example.com
!
crypto pki certificate map PRI_CERT_MAP 10
 subject-name co example.com

crypto ikev2 profile SEC_IKEV2_PROFILE
 match fvrf PUBLIC
 match certificate SEC_CERT_MAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint SEC_TRUSTPOINT
!
crypto ikev2 profile PRI_IKEV2_PROFILE
 match fvrf PUBLIC
 match certificate PRI_CERT_MAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint PRI_TRUSTPOINT

crypto ipsec transform-set SEC_TRANSFORM_SET esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec transform-set PRI_TRANSFORM_SET esp-aes 256 esp-sha-hmac
 mode transport

crypto ipsec profile SEC_IPSEC_PROFILE
 set transform-set SEC_TRANSFORM_SET
 set pfs group16
 set ikev2-profile SEC_IKEV2_PROFILE
!
crypto ipsec profile PRI_IPSEC_PROFILE
 set transform-set PRI_TRANSFORM_SET
 set pfs group16
 set ikev2-profile PRI_IKEV2_PROFILE

!!!! THIS DOESNT WORK
interface Tunnel1
 tunnel protection ipsec profile SEC_IPSEC_PROFILE
!
interface Tunnel2
 tunnel protection ipsec profile PRI_IPSEC_PROFILE

!!!! THIS WORKS
interface Tunnel1
 tunnel protection ipsec profile SEC_IPSEC_PROFILE shared
!
interface Tunnel2
 tunnel protection ipsec profile SEC_IPSEC_PROFILE shared