FlexVPN Hub and Spoke

This topic is to discuss the following lesson:

Hi Rene and Team,

How about if I use 1 router in the same ISP; spoke routers will have different public IPs, so we need one default route to the ISP. So my question is: in this case, can we make the Hub advertise to the spoke routers? And when I did the lab in this case, my lab cannot advertise the subnet to the peer. Can you give an idea of how to troubleshoot?
Thanks a lot!

Hello Tung

You must remember that in such a topology, you have an overlay network and an underlay network. The underlay network in the lesson is the network. This represents the Internet or any other network over which you will create your tunnels. This underlay network can be anything, using the same ISPs or different ISPs, just as long as the routers have connectivity between them. The routing between routers here is the responsibility of the ISPs. In fact, a static IP is needed only for the hub. The IP addresses of the spokes can actually be dynamic. Notice the hub configuration doesn’t include any information about the IP addresses of the spokes.

Now the overlay network is the network you create that will be tunneled over the underlay network. In the lesson, this is the network. Here, there is no actual routing protocol being used, but you can see, in the verification section of the lesson, that the spokes have been configured with a static default route to the hub, via the tunnel interface, which was “advertised” based on the FlexVPN configuration. Similarly, the routes in the hub to the spokes were also advertised via IKEv2 and are based on the configuration in the IKEv2 authorization policy of the spokes themselves.

So in the lesson, the is already configured in the spoke routers, due to the configuration implemented at the hub.

I hope this has been helpful!


Spoke2(config-ikev2-profile)#identity local fqdn SPOKE1.FLEXVPN.LAB

should this conf line be

Spoke2(config-ikev2-profile)#identity local fqdn SPOKE2.FLEXVPN.LAB

Hello Terry

Yes, you seem to be correct. I will let @Rene know…


Thanks Terry. I just fixed this.


Hello Laz,
How does the Hub router advertise the default route to the Spoke? With access list permit any? But there is no command to advertise the default route, or will this occur automatically?

Thanks in advance.

Hello Mohammad

The routes in this network topology are shared using IKEv2 routing. The default route that the spokes learn about comes from the hub, and is based on the configuration found in the IKEv2 Authorization Policy found in section 1.1.2 of the lesson.

Specifically, it is the route set access-list FLEXVPN_ROUTES command that advertises the default route. The FLEXVPN_ROUTES access list says permit any, which is the same as which is the default route.

This then appears as a static route that sends all default traffic via the Tunnel0 interface, which connects to the hub.

I hope this has been helpful!


Hi @ReneMolenaar

Unless I am mistaken, there seems to be a mistake in this configuration.
Although the show running config at the bottom is correct, it is not the same as the step-by-step configuration where you explain the commands:

1-Spoke1(config-ikev2-profile)# aaa authorization group psk list FLEXVPN_LOCAL IKEV2_AUTHORIZATION is missing on the IKEv2 Profile - on Spoke1 router

2- on Spoke2 the above command is there but ends with “default” and not IKEV2_AUTHORIZATION here:
Spoke2(config-ikev2-profile)#aaa authorization group psk list FLEXVPN_LOCAL default

But in the full config (show run) the config is correct. I am not sure if I am missing something here or not, since although I followed your config step by step, the tunnel was down and I had to troubleshoot it. When I copied your entire “sho run” into my spoke routers it worked for me, and that is when I noticed the difference between the step-by-step config and the running config.

apart from that I have a question, the loopback interface on the HUB1 is while this subnet is /24 on the spokes, is this ok?


Hello Ryfa

Yes, it looks like you are correct. I’ll let Rene know to make the necessary modifications. Thanks for pointing that out!

Ideally the subnets should be the same, however, because FlexVPN simply needs communication between the spoke and the hub routers, something that has been established not by simple routing, but by the virtual access ports created in the hub. If you take a look at the output of the show ip route command on the Hub router, you will see that both and are reachable from the hub because they are directly connected to the virtual access ports, and not because they are directly connected via the loopback interface. If the latter was the case, the subnet mask of /32 would make those two spokes unreachable.

I hope this has been helpful!
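An added example, not part of the original posts or the lesson: a small Python check that follows the chain discussed in this thread (IKEv2 profile, authorization policy, `route set`, access list) over a configuration text and reports where it breaks. The embedded config is constructed and reproduces the profile line ending in `default` reported above; the profile name `FLEXVPN_PROFILE` is hypothetical, and the check only sees what is in the text it is given.

```python
import re

# Constructed spoke fragment, not the lesson's config. FLEXVPN_PROFILE is a
# hypothetical profile name; the other names are the ones quoted in this thread.
SAMPLE = """\
ip access-list standard FLEXVPN_ROUTES
 permit any
crypto ikev2 authorization policy IKEV2_AUTHORIZATION
 route set interface
 route set access-list FLEXVPN_ROUTES
crypto ikev2 profile FLEXVPN_PROFILE
 identity local fqdn SPOKE2.FLEXVPN.LAB
 aaa authorization group psk list FLEXVPN_LOCAL default
"""

def parse_sections(config):
    """Map each top-level command to the list of its indented sub-commands."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line[0].isspace():
            current = line.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line.strip())
    return sections

def check_ikev2_routes(config):
    """Follow profile -> authorization policy -> route set -> ACL; return findings."""
    sections = parse_sections(config)
    policies = {h.split()[-1]: b for h, b in sections.items()
                if h.startswith("crypto ikev2 authorization policy ")}
    acls = {h.split()[-1] for h in sections if h.startswith("ip access-list ")}
    findings = []
    for header, body in sections.items():
        if not header.startswith("crypto ikev2 profile "):
            continue
        for cmd in body:
            m = re.match(r"aaa authorization group psk list (\S+) (\S+)$", cmd)
            if not m:
                continue
            policy = m.group(2)  # policy name the profile asks AAA for
            routes = [c.split() for c in policies.get(policy, []) if c.startswith("route set ")]
            if not routes:
                findings.append(f"{header.split()[-1]}: policy '{policy}' has no route set lines here")
            for r in routes:
                if len(r) > 3 and r[2] == "access-list" and r[3] not in acls:
                    findings.append(f"policy '{policy}': ACL '{r[3]}' is not defined here")
    return findings
```

Calling `check_ikev2_routes(SAMPLE)` flags the profile that references `default`; after changing that line to reference `IKEV2_AUTHORIZATION` the list of findings is empty.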



I am not seeing the full configs of the routers only the ip interfaces are showing up in the article

Hello Timothy

The configs that appear near the beginning of the lesson are the startup configurations of each device. This includes only configurations that are necessary to prepare before applying any of the configurations you see in the lesson. These initial configs don’t include all of the default settings that are already set up in the config of IOS routers. They only include the changes you need to make before you begin. Those changes include only the configuration of the hostname and the loopback and GE interfaces.

The configurations near the end of the lesson show all of the configs that have been applied in all of the sections of the lesson, so you can see the results that you should have after applying all of the described configs.

I hope this has been helpful!