FlexVPN Hub and Spoke

This topic is to discuss the following lesson:

Hi Rene and Team,

How about if I use 1 Router is same ISP, spoke routers will have different IP public, so we need one default route to ISP. So my question is: in the case. can we do Hub advertise to spoke routers ? and when I did lab in this case, My lab can not advertise subnet to peer :frowning: , can you show idea to troubleshoot ?
Thank a lot !

Hello Tung

You must remember that in such a topology, you have an overlay network and an underlay network. The underlay network in the lesson is the network. This represents the Internet or any other network over which you will create your tunnels. This underlay network can be anything, using the same ISPs or different ISPs, just as long as the routers have connectivity between them. The routing between routers here is the responsibility of the ISPs. In fact, a static IP is needed only for the hub. The IP addresses of the spokes can actually be dynamic. Notice the hub configuration doesn’t include any information bout the IP addresses of the spokes.

Now the overlay network is the network you create that will be tunneled over the underlay network. In the lesson, this is the network. Here, there is no actual routing protocol being used, but you can see, in the verification section of the lesson, that the spokes have been configured with a static default route to the hub, via the tunnel interface, which was “advertised” based on the flexVPN configuration. Similarly, the routes in the hub to the spokes were also advertised via IKEv2 and are based on the configuration in the IKEv2 authorization policy of the spokes themselves.

So in the lesson, the is already configured in the spoke routers, due to the configuration implemented at the hub.

I hope this has been helpful!


Spoke2(config-ikev2-profile)#identity local fqdn SPOKE1.FLEXVPN.LAB

should this conf line be

Spoke2(config-ikev2-profile)#identity local fqdn SPOKE2.FLEXVPN.LAB

Hello Terry

Yes, you seem to be correct. I will let @Rene know…


Thanks Terry. I just fixed this.