ASA / IOS IKEv2 DVTI with static routes via IKEv2 policy set route

tilo.harder (Level 1)

Hello community,
I would like to know if it is possible to configure IKEv2 DVTI (dynamic VTI) between an ASA and an IOS router.
The ASA would be the fixed-IP hub and the router would be the dynamic-IP spoke.
I only found configuration examples with dynamic routing.
But I want to advertise static routes via the IKEv2 authorization policy referenced in the IKEv2 profile.
On IOS this would be the "route set remote ..." command in the IKEv2 authorization policy.
On the ASA I could not find any possibility to configure an IKEv2 authorization under the tunnel-group to advertise routes.
Thanks in advance

13 Replies

The ASA cannot work as a DVTI hub; only a router with IOS can do that.

So can you use any router, even one behind the ASA, as the DVTI hub router?

MHM


@MHM Cisco World wrote:

    The ASA cannot work as DVTI; only a router with IOS can do that.

    So can you use any router, even one behind the ASA, as the DVTI hub router?

    MHM


@MHM Cisco World FYI since ASA 9.19 you can configure dVTI on the ASA.

@tilo.harder I do not believe you can currently configure the ASA to deploy static IKEv2 routes like FlexVPN on an IOS router.

@Rob Ingram @tilo.harder I didn't test it myself, but from the article below it appears that it is possible to announce arbitrary subnets from an ASA/FTD running as DVTI hub:

https://www.cisco.com/c/en/us/support/docs/security-vpn/security-vpn/220322-configure-dvti-with-multi-sa-on-secure-f.html

Note how they announce the OnPrem subnet 192.168.5.0/24 from the "Protected Networks" box. The description says that this is to "Generate access-list on the spoke". Funny. Also, I don't see the CLI generated on the ASA, but the document has many typos, so it is worth checking which options are available after "ikev2 route set ?" in the "tunnel-group ipsec-attributes" section. To be honest, I can hardly believe Cisco forgot to add this simple feature and only implemented "ikev2 route set interface".


@tvotna not quite what I was expecting if comparing to FlexVPN IKEv2 routing. I've not used it either, but it looks like the policy on the ASA changes the traffic selectors to specific networks rather than any/any, and RRI is used on the remote spoke... but I guess it does achieve the same thing (in a less elegant way, IMO).

Hello tvotna,
Thanks for the article.
The article describes the configuration on an FTD device with FMC.
I am looking for a possibility to do that on a Cisco Secure Firewall with the ASA image.
On the ASA image CLI, in the 'tunnel-group XXXX ipsec-attributes' configuration mode it is possible to configure:

! ASA hub: bind the tunnel-group to the dynamic VTI and send the VTI interface address to the peer
tunnel-group XXXXX ipsec-attributes
 virtual-template 1
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate ASDM_TrustPoint5
 ikev2 route set interface

But what I am missing is the possibility to configure prefixes that should be advertised to the peer IOS router.
There it is possible to configure:

! IOS: prefixes announced to the peer through the IKEv2 authorization policy referenced in the IKEv2 profile
crypto ikev2 authorization policy DVTI_IKEV2_AUTH_POLICY
 route set interface
 route set remote ipv4 x.x.x.x y.y.y.y
 route set remote ipv4 a.a.a.a b.b.b.b

Tilo

@tilo.harder, I understand what you're looking for. VPN implementation is nearly identical on ASA and FTD (in fact, code came from ASA). Unfortunately, we have to rely on FTD here, because "ikev2 route" command is still undocumented in ASA Command Reference even though the feature was introduced long ago in 9.19 (hey, Cisco!).

It seems I figured out what they do in this example. On FMC we configure a VPN topology, not individual devices, so at step 11 both hub and spoke are configured together on the same screen: "Send VTI IP ..." and "Allow incoming IKEv2 routes ..." generate "ikev2 route set interface" and "ikev2 route accept any" (although not seen in the running-config, probably enabled by default), and the "Protected networks ..." box generates the destination subnet in the ACL used by the following CLI on the Spoke: "tunnel protection ipsec policy <ACL>" (the source is populated by "Protected networks" configured later at step 21 during Spoke configuration). Complete mess. How do you use this product, guys?

@Rob Ingram, I'm not sure that multi-SA SVTI on the Spoke will populate *Spoke's* routing table with RRI routes, because the Hub still announces "any-any" proxies to spokes, even though the Spoke will announce specific subnets to the Hub, as configured in this example. What do you think? (Of course, RRI on DVTI Hub is automatic).

So, it seems that Cisco indeed forgot to add basic "route-set ACL" feature on ASA for DVTI Hub.


Anyway, what we have now is suitable for almost all cases. ASA, FTD and IOS spokes can use multi-SA SVTI to send proper traffic selectors, this adds RRI routes on DVTI Hub, which can be redistributed to dynamic routing protocols if necessary. Announcing INTERNAL_IP4_SUBNET ("route set") is not needed in this case.


Can you draw the topology here?

Let me check it.

What is in my mind, and this depends totally on your topology: since we cannot set a static route and we can only set the interface, we can NAT traffic to the interface, and in this case we don't need to set a static route anymore. And again, the ASA cannot fully work as a DVTI hub like an IOS XE router.

MHM

tilo.harder (Level 1)

Hello all together,

I have now set up a little test lab:
Hub: ASA 9.20.(2)2
dyn. Spoke: IR829 15.9(3)M9
IKEv2 SA and IPsec SA are established.
IOS is routing into the tunnel because of a static route pointing out the tunnel interface.
But the ASA is not routing back into the tunnel because a static route is not configurable without a defined IP address of the peer.
The 'route set remote ipv4 ...' commands set on IOS are not reflected on the ASA.

I already shared the solution before.

If we cannot configure a static route on both sides, we can NAT traffic to the tunnel.

Here the hub knows the tunnel IP, and traffic on the spoke is NATed to the tunnel IP.

So there is no need for a static route anymore.

MHM

tilo.harder (Level 1)

He

This is probably expected. Of course, the ASA implementation is ugly, but we cannot do anything about it. You can open a TAC case and then wait ages until they implement route exchange via standards-based IKEv2 attributes. For now the ASA/FTD DVTI Hub relies on multiple traffic selectors sent by spokes to add 'V' routes into its routing table. The IOS spoke must be configured with

! IOS spoke: propose per-ACE traffic selectors (multi-SA SVTI) instead of any/any
tunnel protection ipsec policy ipv4 ipsec-policy
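To make the workaround in the previous post concrete, here is an added lab-style configuration for both ends. It is not taken from the thread or from Cisco documentation; the addresses (hub 203.0.113.1 on "outside", spoke LAN 192.168.10.0/24, hub LAN 10.0.0.0/24), all object names and the pre-shared key are constructed, and it assumes an ASA on 9.19 or later for DVTI and an IOS spoke image that supports "tunnel protection ipsec policy ipv4" (the thread's lab used an IR829 on 15.9(3)M9; verify with "?" on your own images). The point it demonstrates is that the spoke's ACL, not any "route set remote" on the hub, is what ends up in the hub's routing table as 'V' routes.

```text
! ---- IOS spoke (dynamic WAN address) ----
! Assumed lab values: hub 203.0.113.1, spoke LAN 192.168.10.0/24, hub LAN 10.0.0.0/24 (constructed).
crypto ikev2 keyring KR-HUB
 peer HUB
  address 203.0.113.1
  pre-shared-key LabOnly-ReplaceMe
!
crypto ikev2 profile IKEV2-PROF
 match identity remote address 203.0.113.1 255.255.255.255
 identity local fqdn spoke1.lab.example
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-HUB
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile IPSEC-PROF
 set transform-set TS-AES256
 set ikev2-profile IKEV2-PROF
!
! This ACL is the set of traffic selectors the spoke proposes in IKEv2 (one child SA per entry).
! The DVTI hub installs an RRI ('V') route for each remote selector it accepts, so on the hub side
! this ACL does the job that "route set remote" would do on an IOS hub.
ip access-list extended IPSEC-POLICY
 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.0.255
!
interface Tunnel0
 ip unnumbered GigabitEthernet0
 tunnel source GigabitEthernet0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec policy ipv4 IPSEC-POLICY
 tunnel protection ipsec profile IPSEC-PROF
!
! Nothing is pushed from the ASA, so the spoke still needs its own route into the tunnel.
ip route 10.0.0.0 255.255.255.0 Tunnel0

! ---- ASA hub (9.19+ for DVTI; fixed public address 203.0.113.1 on "outside") ----
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
crypto ikev2 enable outside
!
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec profile DVTI-PROF
 set ikev2 ipsec-proposal AES256-SHA256
!
interface Virtual-Template1 type tunnel
 nameif dvti
 security-level 0
 ip unnumbered outside
 tunnel source interface outside
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile DVTI-PROF
!
! Spokes have no fixed address, so with a PSK they match the default L2L group.
! No static route to 192.168.10.0/24 is configured here: RRI adds it when the child SA comes up.
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev2 remote-authentication pre-shared-key LabOnly-ReplaceMe
 ikev2 local-authentication pre-shared-key LabOnly-ReplaceMe
 virtual-template 1
 ikev2 route set interface
!
! Checks on the ASA once the spoke brings the tunnel up: the child SA should carry the spoke's
! narrowed selectors rather than any/any, and a 'V' route for 192.168.10.0/24 should be present.
! show crypto ikev2 sa
! show crypto ipsec sa peer <spoke-public-ip>
! show route | include V
```

Two practical notes. First, the PSK on DefaultL2LGroup is a lab shortcut: every dynamic-address spoke shares it, so for anything beyond a lab use certificate authentication as the original poster does, so that each spoke is individually authenticated. Second, every 'V' route the hub installs comes from selectors the spoke proposed, so a misconfigured or compromised spoke can attract traffic for prefixes it does not own; that is the same prefix-trust problem you would address with route filtering under the BGP alternative mentioned later in the thread, and it is worth keeping the spoke ACLs tight and reviewing "show route" on the hub after each spoke is onboarded.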


I discussed this with Cisco at Cisco Live, unfortunately they are not looking to implement route config exchange on FTD/ASA as you can on IOS routers. They recommend using BGP.