Site-to-Site FlexVPN Lab 3: Hub-to-Spoke with Virtual Template Interface (VTI)


Lab Introduction

This lab is the third post in my site-to-site FlexVPN series. We will use a virtual template to establish the tunnels between the HUB and the SPOKEs. As in Lab 2 (ref. Site-to-Site FlexVPN Lab 2: static tunnel + RSA key within PKI), mixed RSA and PSK authentication will be adopted.

As the result of this lab, we should be able to ping the SPOKE 1 and SPOKE 2 tunnel IPs from the HUB virtual-access interfaces.

Lab 4 (ref. Site-to-Site FlexVPN Lab 4: Spoke-to-Spoke with NHRP and VTI) will further implement NHRP to enable dynamic tunnels between the SPOKEs.

The lab topology is shown below. HUB 1 functions as the Certificate Authority (CA). SPOKE 1 and SPOKE 2 request and receive their certificates from HUB 1. NTP points to an external NTP server.

I made a human error in the configuration; please read my configuration and verification comments in red carefully. I intended to demonstrate the importance of verification and how to approach it: DO NOT leave testing to the end as only an overall test or an end-user test.

Virtual Template and Virtual Access Interface

A virtual template is used to provide the configuration for dynamically created virtual-access interfaces.

When a user or device requests to connect, a virtual-access interface is dynamically created (cloned) from the configured virtual template. When the peer drops the connection, the virtual-access interface is automatically freed. As the name suggests, a virtual template provides only a configuration template; the details can be customised per dial-in peer identity through authorisation, either configured as an authorisation policy on the device holding the virtual template or defined on an AAA server such as ACS or ISE.

In this way, one virtual template can support many virtual-access interfaces, each with a customised configuration. Use 'show interfaces virtual-access x configuration' to display the configuration derived for a given virtual-access interface.
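As an added example (not the lab's own configuration, which is in the screenshots), here is a minimal hub and spoke pair built around a virtual template in Cisco IOS-XE syntax. All names except FLEX_CLIENT, the 10.0.0.0/24 tunnel addressing, 192.0.2.1 as the hub address, the trustpoint LAB_CA and the PSK are assumed placeholders, as is the choice that the hub authenticates with its certificate (rsa-sig) while the spokes authenticate with a PSK.

```cisco
! CSR-HUB1: the IKEv2 profile clones Virtual-Template1 once per spoke
! (names, addresses and the PSK are placeholders, not the lab's values)
aaa new-model
aaa authorization network FLEX_AAA local
crypto ikev2 authorization policy FLEX_AUTHZ
 route set interface
! ^ each side advertises its tunnel IP; the hub gets a host route to the spoke via the right Virtual-Access
crypto ikev2 keyring FLEX_KEYRING
 peer SPOKES
  address 0.0.0.0 0.0.0.0
  pre-shared-key SPOKE-PSK-PLACEHOLDER
crypto ikev2 profile FLEX_PROFILE
 match identity remote any
 authentication local rsa-sig
 authentication remote pre-share
 keyring local FLEX_KEYRING
 pki trustpoint LAB_CA
 aaa authorization group psk list FLEX_AAA FLEX_AUTHZ
 virtual-template 1
crypto ipsec transform-set FLEX_TS esp-aes 256 esp-sha256-hmac
crypto ipsec profile FLEX_IPSEC
 set transform-set FLEX_TS
 set ikev2-profile FLEX_PROFILE
interface Loopback0
 ip address 10.0.0.1 255.255.255.0
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX_IPSEC
!
! CSR-SPOKE1: same AAA, keyring (peer = hub address), transform-set and
! IPsec profile as above; the authentication directions are mirrored
crypto ikev2 profile FLEX_PROFILE
 match identity remote any
 authentication local pre-share
 authentication remote rsa-sig
 keyring local FLEX_KEYRING
 pki trustpoint LAB_CA
 aaa authorization group cert list FLEX_AAA FLEX_AUTHZ
interface Tunnel1
 ip address 10.0.0.2 255.255.255.0
 tunnel source GigabitEthernet2
 tunnel destination dynamic
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX_IPSEC
crypto ikev2 client flexvpn FLEX_CLIENT
 peer 1 192.0.2.1
 client connect Tunnel1
```

Once a spoke connects, 'show interfaces virtual-access 1 configuration' on the hub shows the clone of Virtual-Template1 with the per-peer details applied, and 'show crypto ikev2 sa' confirms which authentication method each side actually used; checking both before the end-to-end ping is the verification step stressed above.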


Interface Configuration

Each router (CSR-HUB1, CSR-SPOKE1 and CSR-SPOKE2) lists GigabitEthernet1 as its management (mgmt) interface; the per-router interface tables are in the original screenshots.

CSR-HUB1 Configuration

CSR-SPOKE1 Configuration

CSR-SPOKE2 Configuration


  • I was trying to configure a hub and spoke lab but without success. Then I found your guide and I made it. The reason why it didn't work was because I didn't issue the command
    crypto ikev2 client flexvpn FLEX_CLIENT
    peer 1
    client connect Tunnel1

    I can't thank you enough!!!

    Keep up the good work.

    • Thanks for letting me know my lab helped, so happy ^^ The blog also works as my knowledge management tool; I will keep working on 🙂