89 Views | 0 Helpful | 1 Reply

Connecting dynamic IP endpoints to static public IP hub FlexVPN?

Niels Adam
Level 1

I'm trying to configure a simple VPN network with 2 LTE-enabled routers at remote locations connecting to my homelab ISR1941 router. I want to collect IoT data from these remotes (wildlife cameras), share Internet access and be able to manage these devices remotely. I have succeeded with an IKEv1 crypto map setup with PSK authentication.

After applying ZBF security at the lab's router I'm not able to access these devices. I don't know if this is because traffic arriving at the hub is no-zone traffic, or whether I got the policies wrong and set IPsec to inspect instead of passing it both ways. It took me many trials and errors to apply working zone-based security, but I'm satisfied with the result, so I don't want to move back to the access lists I had applied earlier.

Reading through various guides, I have set up an IKEv2 policy allowing two remote devices to connect, and both show up as Virtual-Access tunnels on the HUB device. But I'm not able to pass a single packet there and back. I'm attaching part of the configs with an unfinished FlexVPN policy that I dared to try.

I don't need both spokes talking to each other (but it would be OK) and have no need for enterprise-class security with certificates and a trustpoint. My question is: Is there a simple way to get these three devices to communicate with the HUB in a way that they would show up as a logical interface?

1 Reply

Ben Weber
Level 1

Hey @Niels Adam

Your issue is that FlexVPN dynamically assigns Virtual-Access interfaces when VPN traffic flows in from spokes. As these are dynamically assigned, they do not fall into a particular zone, and thus the traffic is blocked.

What you need to do is define a security zone in the Virtual-Template for your VPN configuration. So, you need security zones for your outside and inside interfaces (which I assume you already have), and then you need to create a DVTI and assign it to a separate security zone (say, DMZ/VPN/whatever you'd like).

Let me know if you've got any further questions, happy to try and help.

- BW
Please rate posts if they have been helpful.
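The following is an added example of what the reply describes on the hub side; it is not the poster's configuration and none of it comes from the attached configs. It assumes GigabitEthernet0/0 is the Internet-facing interface with public address 203.0.113.1, GigabitEthernet0/1 is the LAN, the hub's tunnel address is 10.255.0.1 on Loopback0, and each spoke identifies itself by an IKEv2 key-id (SPOKE1, SPOKE2) so that it can have its own pre-shared key even though its LTE address changes. The zone names (INSIDE, OUTSIDE, VPN) and policy names are also assumptions. The key point is the `zone-member security VPN` line on the Virtual-Template: every Virtual-Access interface cloned from it inherits that zone, so spoke traffic is no longer "no-zone" traffic and can be matched by zone pairs.

```cisco
! --- Zones: the third zone is the one the reply suggests adding (example, assumed names)
zone security INSIDE
zone security OUTSIDE
zone security VPN
!
interface GigabitEthernet0/0
 description Internet (public IP)
 ip address 203.0.113.1 255.255.255.248
 zone-member security OUTSIDE
!
interface GigabitEthernet0/1
 description Hub LAN
 ip address 192.168.10.1 255.255.255.0
 zone-member security INSIDE
!
! --- IKEv2 with PSK: one keyring entry per spoke, matched on the spoke's key-id,
!     so a dynamic LTE address does not matter (keys are placeholders)
crypto ikev2 keyring FLEX-KEYRING
 peer SPOKE1
  identity key-id SPOKE1
  pre-shared-key Spoke1-PSK-CHANGE-ME
 peer SPOKE2
  identity key-id SPOKE2
  pre-shared-key Spoke2-PSK-CHANGE-ME
!
crypto ikev2 profile FLEX-HUB
 match identity remote key-id SPOKE1
 match identity remote key-id SPOKE2
 identity local address 203.0.113.1
 authentication remote pre-share
 authentication local pre-share
 keyring local FLEX-KEYRING
 virtual-template 1
!
crypto ipsec profile FLEX-IPSEC
 set ikev2-profile FLEX-HUB
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
! --- DVTI: the zone-member here is what each cloned Virtual-Access interface inherits
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 zone-member security VPN
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
!
! --- Decrypted traffic between the VPN zone and the other zones.
!     A single inspect policy is reused for every pair (tighten per pair if needed).
class-map type inspect match-any CM-VPN-TRAFFIC
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM-VPN
 class type inspect CM-VPN-TRAFFIC
  inspect
 class class-default
  drop log
!
zone-pair security INSIDE-TO-VPN source INSIDE destination VPN
 service-policy type inspect PM-VPN
zone-pair security VPN-TO-INSIDE source VPN destination INSIDE
 service-policy type inspect PM-VPN
zone-pair security VPN-TO-OUTSIDE source VPN destination OUTSIDE
 service-policy type inspect PM-VPN
!
! --- Only needed if you already have zone pairs that involve "self":
!     the encrypted IKE/ESP packets terminate on the router itself and must be
!     passed (not inspected) between OUTSIDE and self in both directions.
ip access-list extended ACL-IKE-ESP
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
!
class-map type inspect match-any CM-IKE-ESP
 match access-group name ACL-IKE-ESP
!
policy-map type inspect PM-IKE-ESP
 class type inspect CM-IKE-ESP
  pass
 class class-default
  drop
!
zone-pair security OUTSIDE-TO-SELF source OUTSIDE destination self
 service-policy type inspect PM-IKE-ESP
zone-pair security SELF-TO-OUTSIDE source self destination OUTSIDE
 service-policy type inspect PM-IKE-ESP
```

Two things to check after applying it. First, Virtual-Access interfaces are cloned from the template when the spoke's IKEv2 session comes up, so existing tunnels will not pick up the new `zone-member` line until they are rebuilt (`clear crypto ikev2 sa` on the hub forces the spokes to reconnect). Second, confirm the inheritance rather than assuming it: `show derived-config interface Virtual-Access1` should list `zone-member security VPN`, `show zone-pair security` should list the pairs above, and `show policy-map type inspect zone-pair sessions` should show sessions building once a spoke sends traffic. If no zone pair involving `self` exists, the last block can be left out, since self-zone traffic is permitted by default. Routing between the hub LAN and the spoke LANs (IKEv2 routing via `route set` in an authorization policy, or a routing protocol over the tunnels) is a separate step that the thread does not cover.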