Hi Rob!

Thanks for taking look. What do I have to change to assign the authorisation policy? IKEV2 SA details are below for your reference.

This is the SPOKE

IR829#sh crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 172.16.2.5/4500 [PUBLIC IP]/4500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/48 sec
CE id: 1002, Session-id: 2
Status Description: Negotiation done
Local spi: 53BEAF22B9E02AA5 Remote spi: E67F6B961F4390D5
Local id: SPOKE.FLEXVPN.LAB
Remote id: HUB.FLEXVPN.LAB
Local req msg id: 2 Remote req msg id: 0
Local next msg id: 2 Remote next msg id: 0
Local req queued: 2 Remote req queued: 0
Local window: 5 Remote window: 5
DPD configured for 0 seconds, retry 0
Fragmentation not configured.
Dynamic Route Update: disabled
Extended Authentication not configured.
NAT-T is detected inside
Cisco Trust Security SGT is disabled
Initiator of SA : Yes
Remote subnets:
192.168.1.254 255.255.255.255
10.10.0.0 255.255.0.0
172.16.11.0 255.255.255.0
0.0.0.0 0.0.0.0
Post NATed Address : 123.456.789.000

IPv6 Crypto IKEv2 SA

This is the HUB

CISCOCloudRouter#sh crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 10.10.10.4/4500 123.123.123.123/64916 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/64 sec
CE id: 1001, Session-id: 1
Status Description: Negotiation done
Local spi: E67F6B961F4390D5 Remote spi: 53BEAF22B9E02AA5
Local id: HUB.FLEXVPN.LAB
Remote id: SPOKE.FLEXVPN.LAB
Local req msg id: 0 Remote req msg id: 2
Local next msg id: 0 Remote next msg id: 2
Local req queued: 0 Remote req queued: 2
Local window: 5 Remote window: 5
DPD configured for 0 seconds, retry 0
Fragmentation not configured.
Dynamic Route Update: enabled
Extended Authentication not configured.
NAT-T is detected inside
Cisco Trust Security SGT is disabled
Initiator of SA : No
Post NATed Address : [PUBLIC IP]

IPv6 Crypto IKEv2 SA

@nadeesh.sam you just need to reference the authorisation policy under the IKEv2 Profile. You've already got the authorisation policy IKEV2_AUTHORIZATION defined, you just haven't referenced it.

crypto ikev2 profile IKEV2_PROFILE
aaa authorization group psk list FLEXVPN_LOCAL IKEV2_AUTHORIZATION

From your output I can tell the IR829 has received the routes (Remote Subnets) from the Hub

Remote subnets:
192.168.1.254 255.255.255.255
10.10.0.0 255.255.0.0
172.16.11.0 255.255.255.0
0.0.0.0 0.0.0.0

....but no routes (Remote subnets) on the IR829.

So by applying the authorisation policy this will send the routes defined in the ACL FLEXVPN_ROUTES to the hub.

I really appreciate you taking the time to help. I added following like to the IR829 but I still can't see the remote subnets on the HUB

crypto ikev2 profile IKEV2_PROFILE
  aaa authorization group psk list FLEXVPN_LOCAL IKEV2_AUTHORIZATION

@nadeesh.sam you will need to clear the IKEv2 SA in order for the routes to be sent during the IKEv2 exchange.

clear crypto ikev2 sa

Hi Rob,

I'm back at the router. I've added the routes manually and I'm still getting the same SA on the HUB. I'll look at EIGRP to see how to set it up.

What would be the reason for this not to work? It's doing NAT-T but I assume its not the issue here.\\

Thanks!

I made both routers to send static routes and removed ACL from the config. And it works now. Thanks Rob!