crypto map (interface IPsec) get removed after upgrading the IOS

Ab26
Level 1

I tried to upgrade the IOS of a VPN router to 17.9 and the crypto map (interface IPsec) got removed from the Port-Channel interface.

crypto map vpn 55 ipsec-isakmp 
 set peer 10.10.10.1
 set transform-set IPsec-proposalX 
 set ikev2-profile IKE-ProfileX
 match address IP_ACLX
!
interface Port-Channel32
 vrf forwarding frontdoor
 ip address 55.55.55.5 255.255.255.240
 crypto map VPN <= this command on Port-Channel !!!


Accepted Solution

@Ab26 crypto maps have been deprecated from 17.18, but I would expect they should still work on 17.9.

The recommendation is to migrate to a route-based VPN, i.e. FlexVPN.

https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-ipsec/white-paper-c11-744879.html#1WhymigratetoIPsecvirtualtunnelinterface


Thanks Rob! This is new to me.

Do you know if the command "tunnel protection ipsec policy ipv4 ACLX" works in newer IOS versions?

The IOS version on my router is 16.9 and I remember setting up a route-based VPN tunnel with maybe FortiNet and the engineer there asked me about a traffic selector. I got confused as I know that route-based tunnels do not have ACLs, so I had to google this traffic selector and I found this command; however, my router didn't accept it.

I'll look at configuration and CLI references for 17.5 on the Cisco website.

Out of curiosity, are you attempting to split-tunnel traffic for specific traffic (i.e. not all traffic to 1.1.1.1 is protected) or is this a traditional site-to-site?

I ask as it may be more efficient to convert your configuration to an IPsec profile and fully encrypt all traffic to your target subnets.

Traditional policy based tunnel. 
As far as I know the term “split tunnelling” is only used in client VPN, isn’t that correct?


@Ab26 yes, as per the link I provided above, it has the example below, which is an example of a multi-SA VPN.

interface Tunnel0
 ip address 100.0.2.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 192.0.2.2
 tunnel protection ipsec policy ipv4 CACL
 tunnel protection ipsec profile PROF

It's not a traditional route based VPN, but it is backwards compatible with crypto map-based and other policy-based implementations.

More information - https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/214728-configure-multi-sa-virtual-tunnel-interf.html

FlexVPN is a traditional route-based VPN - https://www.cisco.com/c/en/us/support/security/flexvpn/products-configuration-examples-list.html

I've looked at version 17.x.
The traditional crypto map is not deprecated:
https://www.cisco.com/c/en/us/td/docs/routers/ios/config/17-x/sec-vpn/b-security-vpn/m_sec-cfg-vpn-ipsec-0.html

@Ab26 as mentioned before, it's deprecated/EOL from 17.18 as per this link: https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-xe-17/bulletin-c25-744830.html

If you are using an older version of IOS now and upgrade in future to a newer version you may well find your crypto maps no longer work. The recommendations provided in my previous replies are the migration path from a policy based VPN (crypto map) to a route based VPN.


Aha, I see, thanks again for the clarification!

I'll dig deeper into it. As for the router I'm using, the newest release from Cisco is 17.9.

There are three:
1- policy-based
2- route-based
3- route-based with simulated policy-based traffic selector

From Cisco ASA:

"Microsoft Azure supports route-based, policy-based, or route-based with simulated policy-based traffic selectors. Azure currently restricts what Internet Key Exchange (IKE) version you are able to configure based upon the VPN selected method. Route-based requires IKEv2 and policy-based requires IKEv1. If IKEv2 is used, then route-based in Azure must be selected and ASA must use a VTI."

So the Cisco command

tunnel protection ipsec policy ipv4 ACL

simulates policy-based for a route-based VPN,
and I think it works for IOS XE 16.x.x and later.

MHM


Thanks MHM!

I have a router not an ASA. The IOS is 16.9 and unfortunately it doesn't support "tunnel protection ipsec policy ipv4 ACL" command under the tunnel interface. I'll look at the newer version 17.5 that I want to upgrade to.

Thanks a lot for helping!

If the IOS router does not support the simulated selector, then it surely supports crypto map under the physical interface.

If your network works stably with crypto map and the IOS supports it, don't update.

MHM

Do I sense some feelings of difficulties or instability with "route-based with simulated policy-based traffic selector"? 
The IOS release I'm using in my router is almost 5 years old, and we got an instruction to move to Smart license.

I'll try to upgrade the IOS again, apply the crypto map to the physical interface and see if the router takes it, as well as try to see if the "traffic selector" works on my router.

@Ab26 if by "route-based with simulated policy-based traffic selector" you are referring to the Multi-SA VPN, as per the link I provided previously, this is considered a migration path from a policy-based VPN to a route-based VPN. It's not supported on all IOS-XE versions; it is supported from 16.12.

You should aim to migrate to a route-based VPN, i.e. FlexVPN. This is the future, whereas continuing to use a policy-based VPN (crypto map) is, as already explained, EOL in newer versions.

Selector:

1- policy-based (the ACL decides the selector; you can see it with show crypto ipsec sa)
2- route-based (the selector is 0.0.0.0/0), so it uses the route via the tunnel to encrypt traffic
3- route-based with simulated policy-based traffic selector (the traffic selector is not 0.0.0.0/0, it is what you configure in the ACL, and hence the traffic still needs to be routed via the tunnel to be encrypted)

MHM
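The crypto map from the original post rewritten as the multi-SA VTI that the accepted solution, the Tunnel0 example and the selector list above describe (an added example, not configuration from the thread or from Cisco's documentation). It reuses the existing IP_ACLX, IPsec-proposalX, IKE-ProfileX, peer 10.10.10.1 and VRF frontdoor from the original post; the IPsec profile name, the tunnel address, the tunnel number and the remote subnet in the static route are placeholders, and it assumes the protected (inside) traffic is routed in the global table.

```cisco
! Added example: crypto map "vpn 55" from the original post, migrated to a multi-SA VTI.
! Reused from the original config: IP_ACLX (becomes the traffic selector), IPsec-proposalX,
! IKE-ProfileX, peer 10.10.10.1, front-door VRF "frontdoor" on Port-Channel32.
!
! 1. An IPsec profile replaces the crypto map entry (same proposal, same IKEv2 profile).
!    IPSEC-PROF-VPN55 is a placeholder name.
crypto ipsec profile IPSEC-PROF-VPN55
 set transform-set IPsec-proposalX
 set ikev2-profile IKE-ProfileX
!
! 2. A tunnel interface replaces "crypto map VPN" on Port-Channel32.
!    198.51.100.1/30 is a placeholder tunnel address; Tunnel55 is a placeholder number.
!    "tunnel vrf frontdoor": source interface and peer live in the front-door VRF,
!    while the tunnel itself (inside traffic) stays in the global table.
interface Tunnel55
 description multi-SA VTI replacing crypto map vpn 55 (peer 10.10.10.1)
 ip address 198.51.100.1 255.255.255.252
 tunnel source Port-Channel32
 tunnel destination 10.10.10.1
 tunnel mode ipsec ipv4
 tunnel vrf frontdoor
 tunnel protection ipsec policy ipv4 IP_ACLX
 tunnel protection ipsec profile IPSEC-PROF-VPN55
!
!    The "policy ipv4 IP_ACLX" line is what makes this selector type 3 in the list above:
!    one SA per ACL entry instead of a single 0.0.0.0/0 SA. Remove that one line and the
!    same interface becomes a plain route-based sVTI (selector type 2).
!
! 3. Detach the crypto map from the physical interface once the tunnel comes up.
interface Port-Channel32
 no crypto map VPN
!
! 4. A VTI only encrypts what is routed into it, even with an ACL selector: the remote
!    subnet (192.0.2.0/24 is a placeholder; it must match what IP_ACLX permits)
!    is pointed at the tunnel.
ip route 192.0.2.0 255.255.255.0 Tunnel55
!
! 5. Checks after migration (commands only; no output from the thread is reproduced):
!    show crypto ipsec sa          - expect one SA pair per IP_ACLX entry, not 0.0.0.0/0
!    show interface Tunnel55       - line protocol up once IKEv2 with 10.10.10.1 completes
!    show crypto ikev2 sa          - the IKEv2 SA to 10.10.10.1 in the frontdoor VRF
```

Keep the crypto map in place until the tunnel is verified, since the peer must accept the same selectors it negotiated with the crypto map; only then remove it from Port-Channel32.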