Looking for confirmation whether 8.4.3 code (or higher) can support the ability for spoke endpoint ASA5505s to have certificate-based IKEv2 site-to-site VPN tunnels to separate ASA hub sites at separate geographical locations for high availability/DR purposes. We are able to accomplish this with IKEv1 with PSKs, configuring the peer public IP addresses of the separate ASA hubs in the crypto map (1.1.1.1 and 2.2.2.2 in the example below), but not with IKEv2 with certificates:
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 30 match address matchACLAdresses
crypto map outside_map 30 set pfs
crypto map outside_map 30 set connection-type originate-only
crypto map outside_map 30 set peer 1.1.1.1 2.2.2.2
crypto map outside_map 30 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_map 30 set reverse-route
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400