Blue_Bird

Site-to-Site FlexVPN with IKEv2 Routing

Introduction

Lab Topology

Configuration

Verification

Introduction:

With FlexVPN, we have two options for routing:

  • Use a dynamic routing protocol like EIGRP, OSPF, or BGP.
  • Advertise routes within the IKEv2 Security Association (SA).

With the second option, the prefixes selected by the IKEv2 authorization policy are exchanged as part of the IKEv2 negotiation itself, and the receiving peer installs them as routes pointing through the tunnel, so no routing protocol has to run over the VPN.

In this article, I am going to show how to advertise routes within the IKEv2 Security Association.

Lab Topology

[Lab topology diagram: R1 and R2 connected back-to-back on Ethernet0/0 (1.1.1.0/24), each with a /32 loopback (192.168.1.1 and 192.168.2.2) to be advertised over the tunnel]

R1 Configuration

Step-1: Interface Configuration

Router(config)#hostname R1
R1(config)#interface Loopback0
R1(config-if)#ip address 192.168.1.1 255.255.255.255
R1(config-if)#interface Ethernet0/0
R1(config-if)#ip address 1.1.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

Step-2: Configure FlexVPN Settings

R1(config)#crypto ikev2 keyring KEYRING-R1
R1(config-ikev2-keyring)#peer R2
R1(config-ikev2-keyring-peer)#address 1.1.1.2
R1(config-ikev2-keyring-peer)#pre-shared-key local cisco@123
R1(config-ikev2-keyring-peer)#pre-shared-key remote cisco@123
R1(config-ikev2-keyring-peer)#exit

R1(config)#aaa new-model
R1(config)#aaa authorization network FLEXVPN_LOCAL local

R1(config)#crypto ikev2 authorization policy AUTH-POLICY
R1(config-ikev2-author-policy)#route set access-list FLEXVPN_ROUTES
R1(config-ikev2-author-policy)#exit

R1(config)#ip access-list standard FLEXVPN_ROUTES
R1(config-std-nacl)#permit host 192.168.1.1
R1(config-std-nacl)#exit

R1(config)#crypto ikev2 profile IKEv2-PROFILE-R1
R1(config-ikev2-profile)#match identity remote fqdn R2.KL.LAB
R1(config-ikev2-profile)#identity local fqdn R1.KL.LAB
R1(config-ikev2-profile)#authentication remote pre-share
R1(config-ikev2-profile)#authentication local pre-share
R1(config-ikev2-profile)#keyring local KEYRING-R1
R1(config-ikev2-profile)#aaa authorization group psk list FLEXVPN_LOCAL AUTH-POLICY
R1(config-ikev2-profile)#exit

The aaa authorization line in the profile binds the FLEXVPN_LOCAL authorization list and the AUTH-POLICY policy to this profile; without it the policy is never applied to the SA, and the 192.168.1.1/32 route permitted by FLEXVPN_ROUTES is not advertised to the peer.

Step-3: Configure IPsec Settings

R1(config)#crypto ipsec transform-set TSET-R1 esp-aes 256 esp-sha-hmac
R1(cfg-crypto-trans)#mode tunnel
R1(cfg-crypto-trans)#exit
R1(config)#crypto ipsec profile IPSEC-PROFILE-R1
R1(ipsec-profile)#set transform-set TSET-R1
R1(ipsec-profile)#set ikev2-profile IKEv2-PROFILE-R1
R1(ipsec-profile)#exit

Step-4: Configure Tunnel Interface

R1(config)#interface Tunnel0
R1(config-if)#ip address 10.0.0.1 255.255.255.0
R1(config-if)#tunnel source Ethernet0/0
R1(config-if)#tunnel destination 1.1.1.2
R1(config-if)#tunnel protection ipsec profile IPSEC-PROFILE-R1
R1(config-if)#exit

R2 Configuration

Step-1: Interface Configuration

Router(config)#hostname R2
R2(config)#interface Loopback0
R2(config-if)#ip address 192.168.2.2 255.255.255.255
R2(config-if)#interface Ethernet0/0
R2(config-if)#ip address 1.1.1.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit

Step-2: Configure FlexVPN Settings

R2(config)#crypto ikev2 keyring KEYRING-R2
R2(config-ikev2-keyring)#peer R1
R2(config-ikev2-keyring-peer)#address 1.1.1.1
R2(config-ikev2-keyring-peer)#pre-shared-key local cisco@123
R2(config-ikev2-keyring-peer)#pre-shared-key remote cisco@123
R2(config-ikev2-keyring-peer)#exit

R2(config)#aaa new-model
R2(config)#aaa authorization network FLEXVPN_LOCAL local

R2(config)#crypto ikev2 authorization policy AUTH-POLICY
R2(config-ikev2-author-policy)#route set access-list FLEXVPN_ROUTES
R2(config-ikev2-author-policy)#exit

R2(config)#ip access-list standard FLEXVPN_ROUTES
R2(config-std-nacl)#permit host 192.168.2.2
R2(config-std-nacl)#exit

R2(config)#crypto ikev2 profile IKEv2-PROFILE-R2
R2(config-ikev2-profile)#match identity remote fqdn R1.KL.LAB
R2(config-ikev2-profile)#identity local fqdn R2.KL.LAB
R2(config-ikev2-profile)#authentication remote pre-share
R2(config-ikev2-profile)#authentication local pre-share
R2(config-ikev2-profile)#keyring local KEYRING-R2
R2(config-ikev2-profile)#aaa authorization group psk list FLEXVPN_LOCAL AUTH-POLICY
R2(config-ikev2-profile)#exit

As on R1, the aaa authorization line binds the FLEXVPN_LOCAL list and AUTH-POLICY to the profile so that the 192.168.2.2/32 route is actually pushed to R1 during the IKEv2 exchange.

Step-3: Configure IPsec Settings

R2(config)#crypto ipsec transform-set TSET-R2 esp-aes 256 esp-sha-hmac
R2(cfg-crypto-trans)#mode tunnel
R2(cfg-crypto-trans)#exit
R2(config)#crypto ipsec profile IPSEC-PROFILE-R2
R2(ipsec-profile)#set transform-set TSET-R2
R2(ipsec-profile)#set ikev2-profile IKEv2-PROFILE-R2
R2(ipsec-profile)#exit

Step-4: Configure Tunnel Interface

R2(config)#interface Tunnel0
R2(config-if)#ip address 10.0.0.2 255.255.255.0
R2(config-if)#tunnel source Ethernet0/0
R2(config-if)#tunnel destination 1.1.1.1
R2(config-if)#tunnel protection ipsec profile IPSEC-PROFILE-R2
R2(config-if)#exit
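As an added example (not part of the original post or of any Cisco tooling), here is a small Python checker that cross-validates the two peers' configs for the things that most often break a FlexVPN IKEv2 route exchange: the FQDN identities, the crossed pre-shared keys, the keyring/tunnel peer addresses, and whether the IKEv2 profile actually binds the authorization policy that carries the route set. The config template is constructed here from the R1/R2 steps above and assumes the `aaa authorization group psk list` line is how AUTH-POLICY is attached to the profile.

```python
import re

# Constructed running-config template mirroring the page's R1/R2 steps. It assumes the
# "aaa authorization group psk list" line binds AUTH-POLICY to the IKEv2 profile.
TEMPLATE = """\
interface Ethernet0/0
 ip address {wan} 255.255.255.0
crypto ikev2 keyring KEYRING-{me}
 peer {peer}
  address {peer_wan}
  pre-shared-key local {psk_l}
  pre-shared-key remote {psk_r}
crypto ikev2 authorization policy AUTH-POLICY
 route set access-list FLEXVPN_ROUTES
crypto ikev2 profile IKEv2-PROFILE-{me}
 match identity remote fqdn {peer}.KL.LAB
 identity local fqdn {me}.KL.LAB
 aaa authorization group psk list FLEXVPN_LOCAL AUTH-POLICY
interface Tunnel0
 tunnel destination {peer_wan}
"""
R1 = TEMPLATE.format(me="R1", peer="R2", wan="1.1.1.1", peer_wan="1.1.1.2", psk_l="cisco@123", psk_r="cisco@123")
R2 = TEMPLATE.format(me="R2", peer="R1", wan="1.1.1.2", peer_wan="1.1.1.1", psk_l="cisco@123", psk_r="cisco@123")

def field(cfg, pattern):
    """Capture group 1 of the first config line matching pattern (anchored at line start), or None."""
    m = re.search(r"^[ \t]*" + pattern, cfg, re.M)
    return m.group(1) if m else None

def check_peer(a, b):
    """Findings for peer A's config against peer B's; an empty list means A is consistent with B."""
    findings = []
    if field(a, r"match identity remote fqdn (\S+)") != field(b, r"identity local fqdn (\S+)"):
        findings.append("identity: A's 'match identity remote fqdn' != B's 'identity local fqdn'")
    if field(a, r"pre-shared-key local (\S+)") != field(b, r"pre-shared-key remote (\S+)"):
        findings.append("psk: A's local pre-shared key != B's remote pre-shared key")
    wan_b = field(b, r"ip address (\S+) ")
    if wan_b != field(a, r"tunnel destination (\S+)") or wan_b != field(a, r"address (\S+)"):
        findings.append("address: A's tunnel destination / keyring peer address != B's WAN IP")
    policy = field(a, r"aaa authorization group psk list \S+ (\S+)")
    if policy is None or field(a, rf"crypto ikev2 authorization policy ({re.escape(policy)})$") is None:
        findings.append("authz: IKEv2 profile does not bind an existing authorization policy")
    return findings

def check_pair(a, b):
    """Run the cross-checks in both directions; both lists empty means the pair should negotiate."""
    return {"A->B": check_peer(a, b), "B->A": check_peer(b, a)}
```

Feed it the real running-configs (`show running-config` output) of both peers and any non-empty list tells you which side to look at before reading IKEv2 debugs.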

Verification:

[Verification output was shown as four screenshots in the original post]

Thank you very much!

Comments

Well explained with CLI configs!
