I have a scenario with a router with an internet line with two public IP addresses routed on it.
I want to create two different vpns on the two loopbacks with the same remote peer for different types of traffic.
The problem is that only one crypto map applies to the WAN interface and I can only apply one source loopback.
I wanted to know if there is a possible solution.
I agree the VTI would be the preferred solution with a full Cisco solution.
Unfortunately, these are third party companies where we do not have control on config and equipment.
Some third party endpoints support VTI but not all.
But agreed, VTI is the best solution if it is an internal organisation.
Attached is an example of using a FlexVPN hub and client. The flex client has 49 IKEv2 sessions to the hub. This was used in a lab to simulate multiple IKEv2 clients going to a FlexVPN hub but could be scaled back for your use case as well. The 192.168.77.X addresses (in the config below) are loopback interfaces on the client that represent the IKEv2 endpoint and tunnel source address. This solution passed most of the attributes over RADIUS. If you are not using RADIUS then local attributes may need to be added to the config.
lab-csr7#show crypto ikev2 sa
 IPv4 Crypto IKEv2 SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
34        192.168.77.35/500     10.64.1.203/500       none/MGMT-OVERLAY3   READY
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:19, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/1320 sec

Tunnel-id Local                 Remote                fvrf/ivrf            Status
18        192.168.77.31/500     10.64.1.203/500       none/MGMT-OVERLAY3   READY
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:19, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/1324 sec
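As an added illustration of the route-based (VTI) approach recommended in the replies above, and of using a loopback as the IKEv2 endpoint and tunnel source as in the FlexVPN lab, the following IOS configuration builds two IKEv2/IPsec tunnels to the same remote peer, each sourced from its own loopback. It is example configuration written for this thread, not the attachment from the reply or a vendor-provided template. All addresses are placeholders from the documentation ranges (203.0.113.0/24 for the two local public IPs, 198.51.100.10 for the remote peer, 10.255.0.0/30 and 10.255.0.4/30 for the tunnel links, 10.10.0.0/16 and 10.20.0.0/16 for the two traffic classes), the IKEv2 parameters simply mirror the ones visible in the show output above (AES-CBC-256, SHA512, DH group 19, PSK), and the pre-shared keys are dummy values to be replaced.

```cisco
! --- Two loopbacks, one per routed public IP (placeholder addresses) ---
interface Loopback1
 ip address 203.0.113.1 255.255.255.255
interface Loopback2
 ip address 203.0.113.2 255.255.255.255

! --- IKEv2 proposal/policy matching the parameters in the show output ---
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha512
 group 19
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP

! --- One keyring per tunnel so each can carry its own PSK (dummy keys) ---
crypto ikev2 keyring KR-TUN1
 peer THIRD-PARTY
  address 198.51.100.10
  pre-shared-key REPLACE-ME-TUN1
crypto ikev2 keyring KR-TUN2
 peer THIRD-PARTY
  address 198.51.100.10
  pre-shared-key REPLACE-ME-TUN2

! --- The two IKEv2 profiles differ only in the local address they match,
!     which is what a single crypto map "local-address" cannot express ---
crypto ikev2 profile IKEV2-PROF-TUN1
 match address local 203.0.113.1
 match identity remote address 198.51.100.10 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-TUN1
crypto ikev2 profile IKEV2-PROF-TUN2
 match address local 203.0.113.2
 match identity remote address 198.51.100.10 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-TUN2

! --- IPsec transform and one profile per tunnel ---
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile IPSEC-PROF-TUN1
 set transform-set TS-AES256
 set ikev2-profile IKEV2-PROF-TUN1
crypto ipsec profile IPSEC-PROF-TUN2
 set transform-set TS-AES256
 set ikev2-profile IKEV2-PROF-TUN2

! --- VTIs: each tunnel is sourced from its own loopback, no crypto map
!     on the WAN interface is needed ---
interface Tunnel1
 ip address 10.255.0.1 255.255.255.252
 tunnel source Loopback1
 tunnel destination 198.51.100.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF-TUN1
interface Tunnel2
 ip address 10.255.0.5 255.255.255.252
 tunnel source Loopback2
 tunnel destination 198.51.100.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF-TUN2

! --- Traffic type is chosen by routing, not by crypto ACL ---
ip route 10.10.0.0 255.255.0.0 Tunnel1
ip route 10.20.0.0 255.255.0.0 Tunnel2
```

After both tunnels come up, `show crypto ikev2 sa` should list two READY SAs with the same Remote address but different Local addresses (203.0.113.1 and 203.0.113.2), in the same shape as the lab output quoted above; `show crypto ipsec sa` per tunnel interface confirms that encaps/decaps counters increase only for the traffic class routed into it. The design assumes, as the earlier reply points out, that the third-party peer accepts the any/any traffic selectors a VTI negotiates and can terminate two IKEv2 SAs from two different source addresses; a purely policy-based peer that insists on specific proxy IDs will need either matching per-tunnel selectors on its side or the crypto-map style it supports.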