Site-to-Site FlexVPN Lab 4: Spoke-to-Spoke with NHRP and VTI


Lab Introduction

This lab is the final post in my site-to-site FlexVPN series. I may further write up AnyConnect FlexVPN depending on my time (as we all know documentation takes time…).

Building on the Lab 3 configuration, this lab adds dynamic tunnels between the SPOKEs using NHRP.

LAB 3: a HUB-SPOKE tunnel was built using a virtual template interface (VTI) on the HUB with IKEv2 encryption, giving HUB-SPOKE communication. Please refer to Site-to-Site FlexVPN Lab 3: Hub-to-Spoke with Virtual Template Interface (VTI).

LAB 4: a dynamic tunnel is built between the SPOKEs using NHRP and an additional VTI on each SPOKE (the dotted-line tunnel in the topology chart), again with IKEv2 encryption, giving SPOKE-SPOKE communication without hairpinning through the HUB.

  • This lab keeps the mixed RSA and PSK authentication of the previous labs.
  • The HUB functions as the Certificate Authority. SPOKE1 and SPOKE2 request and receive their certificates from the HUB.
  • An external NTP server provides time to all routers (certificate validity checks depend on correct clocks).
  • An IP pool is created on the HUB. Each SPOKE negotiates with the HUB to obtain its assigned tunnel IP address.

Topology is as below. Verification section is at the end of the lab.

Interface Configuration

GigabitEthernet1 (mgmt)


FlexVPN SPOKE to SPOKE Configuration Rationale

NHRP is used in DMVPN to let traffic flow directly between SPOKEs instead of detouring through the HUB. FlexVPN also uses NHRP for SPOKE-to-SPOKE communication, but the configuration differs from DMVPN in the following points:

  • No NHS (next-hop server) is configured: the SPOKE reaches the HUB over the HUB-SPOKE tunnel built in Lab 3, and routes come from the IKEv2 exchange rather than from NHRP registration. Although the log may report that no NHS is found, it is safe to ignore the error. I came across this error message, and it turned out to be a message bug.
  • On the HUB, configure ‘ip nhrp network-id’ and ‘ip nhrp redirect’ on the virtual template, as in DMVPN. The redirect tells a SPOKE that a better path (the other SPOKE) exists.
  • On the SPOKE, configure ‘ip nhrp network-id’ and ‘ip nhrp shortcut’ on the HUB tunnel, as in DMVPN; in FlexVPN the shortcut command names the virtual template from which the SPOKE-to-SPOKE tunnel is cloned.
  • Configure a VTI (virtual template) on each SPOKE (the dotted-line tunnel in the topology chart). The dynamic SPOKE-to-SPOKE tunnel is instantiated from this template as a Virtual-Access interface, so it is the critical piece of the FlexVPN SPOKE-to-SPOKE configuration. The SPOKE IKEv2 profile must also accept the other SPOKE's identity, not only the HUB's, or the dynamic tunnel will never negotiate.
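The points above, as an added illustration in Cisco IOS XE CLI. This is not the lab's own configuration (that follows under the headings below); all names and addresses are assumptions: Virtual-Template1, Loopback0 on the HUB, GigabitEthernet2 as the WAN interface, IPsec profile IPSEC-PROF and IKEv2 profile IKEV2-PROF carried over from Lab 3, HUB WAN address 203.0.113.1, NHRP network-id 1, trustpoint HUB-CA, and certificate identities under an assumed domain lab.local. The example uses certificate (rsa-sig) authentication on both sides of the SPOKE profile for simplicity; the lab itself keeps its mixed RSA/PSK scheme.

```cisco
! ===== HUB: NHRP additions on the virtual template created in Lab 3 =====
! network-id 1 is arbitrary but must be the same on HUB and both SPOKEs
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ! send a redirect when traffic between two SPOKEs transits the HUB
 ip nhrp redirect
 tunnel source GigabitEthernet2
 tunnel protection ipsec profile IPSEC-PROF
!
! ===== SPOKE (same shape on SPOKE1 and SPOKE2) =====
! Static HUB tunnel from Lab 3, now with NHRP enabled.
! No "ip nhrp nhs" is configured: the HUB is reached over this tunnel.
interface Tunnel0
 ! address comes from the pool on the HUB
 ip address negotiated
 ip nhrp network-id 1
 ! on a redirect, build the SPOKE-to-SPOKE tunnel from Virtual-Template1
 ip nhrp shortcut virtual-template 1
 tunnel source GigabitEthernet2
 ! HUB WAN address (assumed)
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile IPSEC-PROF
!
! New in Lab 4: the VTI from which the dynamic SPOKE-to-SPOKE tunnel
! (the dotted line in the topology) is cloned. Both SPOKEs need it,
! because either one may initiate or answer.
interface Virtual-Template1 type tunnel
 ip unnumbered Tunnel0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel source GigabitEthernet2
 tunnel protection ipsec profile IPSEC-PROF
!
! The SPOKE IKEv2 profile must (a) accept the other SPOKE's identity, not
! only the HUB's, and (b) reference the virtual template so an incoming
! IKEv2 session from a SPOKE instantiates a Virtual-Access interface.
! Use the router's own name in "identity local" on each SPOKE.
crypto ikev2 profile IKEV2-PROF
 match identity remote fqdn domain lab.local
 identity local fqdn SPOKE1.lab.local
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint HUB-CA
 virtual-template 1
```

Two checks worth making before moving on: the IKEv2 profile's `match identity` must cover the peer SPOKE's certificate subject (a profile that only matches the HUB's address will silently refuse the spoke-to-spoke IKEv2 session), and the NHRP network-id, tunnel source and IPsec profile must be identical on Tunnel0 and Virtual-Template1 of the same SPOKE, since the Virtual-Access interface inherits them from the template.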

In addition, I deliberately introduced a human error in LAB 3 to demonstrate the importance of verification. If that configuration error is not corrected, SPOKE-to-SPOKE communication will not work in this lab, even though it did not affect the Lab 3 result. Please therefore read LAB 3 carefully before starting LAB 4.

The following is configured in addition to LAB 3.

CSR-HUB Additional Configuration

CSR-SPOKE1 Additional Configuration

CSR-SPOKE2 Additional Configuration

CSR-HUB Complete Configuration

CSR-SPOKE1 Complete Configuration

CSR-SPOKE2 Complete Configuration


If the tunnel does not negotiate but the configuration looks right, it can usually be recovered by shutting and re-enabling the tunnel interface (shutdown / no shutdown) and clearing the IKEv2 security associations with ‘clear crypto ikev2 sa’. Note that clearing IKEv2 SAs tears down every tunnel on the router, including the HUB tunnel, until it re-negotiates.
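A verification and recovery sequence for the SPOKE-to-SPOKE tunnel, as an added example that is not part of the original lab. It is run on SPOKE1 and assumes SPOKE2's LAN is 192.168.2.0/24 with a host at 192.168.2.1 and SPOKE2's WAN address is 198.51.100.2; interface names follow the configuration example earlier in this post. Nothing here changes the configuration except the final shutdown / no shutdown.

```cisco
! 1. The first packet travels SPOKE1 -> HUB -> SPOKE2 over the static tunnel and
!    causes the HUB to send an NHRP redirect back to SPOKE1.
ping 192.168.2.1 source Tunnel0
!
! 2. The redirect makes SPOKE1 resolve SPOKE2 and clone Virtual-Template1 into a
!    Virtual-Access interface. Expect a shortcut entry for SPOKE2 and a new interface.
show ip nhrp
show ip nhrp shortcut
show interfaces Virtual-Access1
!
! 3. A second IKEv2 SA, with SPOKE2's WAN address as the remote peer, should now exist
!    alongside the SA to the HUB, and an IPsec SA pair for that peer should be active.
show crypto ikev2 sa
show crypto ipsec sa peer 198.51.100.2
!
! 4. NHRP installs an override route for SPOKE2's LAN via the Virtual-Access interface.
!    A traceroute should now show the direct path instead of the extra HUB hop.
show ip route nhrp
traceroute 192.168.2.1 source Tunnel0
!
! 5. Recovery if a tunnel refuses to come up although the configuration is correct.
!    Clearing IKEv2 SAs drops every tunnel on this router until they re-negotiate.
configure terminal
interface Tunnel0
 shutdown
 no shutdown
end
clear crypto ikev2 sa
```

If step 2 shows the redirect arriving but no Virtual-Access interface appearing, the usual cause is the SPOKE IKEv2 profile rejecting the other SPOKE's identity; ‘debug crypto ikev2’ on the initiating SPOKE will show the failed match.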

