09-27-2025 04:57 PM - edited 09-27-2025 04:58 PM
Hi Cisco Community Team,
I need help configuring a Dynamic Virtual Tunnel Interface (DVTI) setup in a hub-and-spoke topology where:
The Cisco Secure Firewall Threat Defense (FTD, managed by FMC) is the hub (with a static public IP).
The Cisco IOS XE router is the spoke, but it connects using a dynamic/unknown public IP.
I’ve successfully deployed static VTI tunnels in the past, but in this scenario, since the spoke uses a dynamic IP, I’m not sure of the correct way to configure the FTD hub in FMC.
Are there any sample configuration examples or validated design guides for this hub/spoke use case (FTD hub + IOS XE dynamic IP spokes)?
Environment details:
Cisco Secure Firewall Threat Defense (FTD) 7.7, managed by FMC 7.7
Cisco IOS XE ISR (spoke) running IOS XE 17.16.1a
IKEv2/IPsec with DVTI
Goal: multiple dynamic spoke routers should connect to the FTD hub.
Any configuration guidance, best practices, or sample templates would be very helpful.
Solved! Go to Solution.
09-27-2025 11:58 PM
@sahmadhashmi that scenario is supported, refer to the Cisco Live presentation BRKSEC-3058 which covers this scenario. I would recommend watching the full video as the slides won't provide all the information. https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2023/pdf/BRKSEC-3058.pdf
If you have any particular concerns let us know.
09-30-2025 02:22 PM - edited 09-30-2025 02:24 PM
Hello @rob,
Thanks for sharing the information
I’ve successfully configured the dynamic VPN, but I’m facing an issue:
I cannot ping the tunnel IP of the Cisco ISR 1000 router from the FTD.
However, when I ping the FTD tunnel IP from the ISR 1000,
it works fine. Because of this, neither EIGRP nor BGP neighborship is coming up. Could you please help me troubleshoot this issue?
10-01-2025 01:51 AM - edited 10-01-2025 01:56 AM
@sahmadhashmi Does the hub have a route to the remote peer's tunnel interface IP via the virtual access tunnel interface?
10-01-2025 02:01 AM
Hi Rob,
Okay, there is a static route to reach the spoke routers' public IP and vice versa.
However, I don't find any option to create a static route for the interesting traffic sitting behind the spoke.
Please note that the spoke tunnel IP (172.16.32.10) is not pingable from the hub (172.16.32.1); however, that's not the case if I ping the hub tunnel IP from the spoke.
10-01-2025 02:17 AM
@sahmadhashmi you can configure the spoke with an authorisation policy and specify the command route set interface, which will send the tunnel IP address to the hub, so the hub will have the route in its routing table.
Example- https://integrate.uk.com/ios-xe-ikev2-routing/
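Added example (not from the thread above or the linked article): a minimal IOS XE FlexVPN spoke configuration showing where the authorization policy with route set interface sits relative to the IKEv2 profile and the tunnel interface. The spoke tunnel IP 172.16.32.10 and hub tunnel IP 172.16.32.1 are taken from the thread; the hub public IP 203.0.113.1, the spoke FQDN, the LAN prefix 10.20.0.0/24, the interface and object names, and the pre-shared key are assumed placeholders. The FTD side is configured in FMC and is not shown here.

```ios
! Assumed spoke: Cisco IOS XE ISR, dynamic public IP on Gi0/0/0.
! Hub: FTD DVTI hub with static public IP 203.0.113.1 (placeholder).
aaa new-model
aaa authorization network default local
!
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 19
!
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
!
crypto ikev2 keyring FLEX-KEYRING
 peer HUB
  address 203.0.113.1
  pre-shared-key local Replace-With-Strong-Key
  pre-shared-key remote Replace-With-Strong-Key
!
! Authorization policy applied to the hub session. "route set interface"
! advertises the Tunnel0 IP (172.16.32.10) to the hub over IKEv2 so the hub
! installs a host route to it via its virtual-access interface. The
! "route set remote" line additionally advertises the LAN behind the spoke.
crypto ikev2 authorization policy FLEX-AUTHOR
 route set interface
 route set remote ipv4 10.20.0.0 255.255.255.0
!
crypto ikev2 profile FLEX-PROF
 match identity remote address 203.0.113.1 255.255.255.255
 ! The spoke's public IP is dynamic, so the hub matches it by FQDN identity
 ! rather than by address (assumed identity value).
 identity local fqdn spoke1.example.com
 authentication local pre-share
 authentication remote pre-share
 keyring local FLEX-KEYRING
 dpd 10 3 on-demand
 aaa authorization group psk list default FLEX-AUTHOR
!
crypto ipsec transform-set FLEX-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile FLEX-IPSEC
 set transform-set FLEX-TS
 set ikev2-profile FLEX-PROF
!
interface Tunnel0
 ip address 172.16.32.10 255.255.255.0
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile FLEX-IPSEC
!
! Verification on the spoke after the tunnel comes up:
!   show crypto ikev2 sa detailed
!   show ip route
! On the hub, the test from the thread is a ping from 172.16.32.1 to
! 172.16.32.10, which should succeed once the hub has the host route.
```

Note that the same authorization policy, keyed off the hub as the single peer, is reusable on every spoke; only the tunnel IP, local identity and the route set remote prefix change per site. With IOS XE on both ends the route exchange is negotiated automatically between the two FlexVPN peers, which is why the explicit policy was not needed in the OP's earlier all-IOS XE deployments.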
10-01-2025 05:12 AM
Hello @Rob Ingram
Thanks for sharing the information.
This is exactly what I was looking for - apologies if I sound a bit greedy here, but I’m curious: is this the only way that FTD learns the tunnel peer IP address? Are there any alternative methods (for example, an FTD configuration or some dynamic mechanism/protocol) that would allow FTD to automatically discover the peer tunnel IP?
I ask because when I create the same hub-and-spoke topology on Cisco IOS-XE devices, I don’t need to declare a crypto authorization policy to send the peer tunnel IP to the hub.
09-30-2025 06:09 PM
Hi,
For a Dynamic VTI (DVTI) IPSec hub and spoke setup between FTD and IOS-XE routers with dynamic peer IPs, you need to configure FMC to match peers by identity rather than IP.
On the FTD (hub):
On the IOS-XE (spoke):
General tips: proposals must match on both sides, and DPD/keepalive is important for re-establishing when the spoke IP changes.
Reference docs to check:
Cisco DVTI IKEv2 Config: https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/215695-configure-dynamic-virtual-template-dvti.html
Cisco FlexVPN Hub-Spoke: https://www.cisco.com/c/en/us/support/docs/security-vpn/flexvpn/118978-configure-flexvpn-00.html
Once the first spoke is up, you can re-use the same template for multiple spokes.
Regards
Irshad
10-01-2025 01:39 AM - edited 10-01-2025 01:40 AM
Hello Irshad,
Appreciate your input. My DVTI tunnels are indeed UP, but the challenge I’m dealing with is that the FTD (Hub) cannot reach the spoke tunnel IP.
From the spoke side, I can successfully ping the FTDv tunnel IP, but the return path from FTD to spoke fails. This leads me to believe it’s a routing issue on FTDv.
What I can’t figure out is how to configure routes in FTDv that point directly to the virtual tunnel interface as the next hop.