Advanced Configurations for Hub and Spokes in a Route-based VPN
Configure the following advanced settings for a hub and spoke in a route-based VPN.
Before you begin
Configure the basic parameters for a hub and spoke in a route-based VPN as described in Configure Endpoints for a Hub and Spoke Topology and expand Advance Settings.
Note: Only the Connection Type field applies to a device running software version 7.2. The remaining fields do not apply to that version of the device.
Procedure
Step 1. Check the Send Virtual Tunnel Interface IP to the peers check box to send the VTI IP address to the peer device.
  For a hub: you must check this check box if you use BGP as the routing protocol. This ensures that the loopback IP address is shared in the BGP routing table.
  For a spoke: this option is enabled by default.

Step 2. Add the Protected Networks to define the networks protected by the VPN endpoint. Click + to select a protected network.
  For a hub: configure the protected networks behind the hub. This information, together with the spoke's protected network, generates the spoke access list. You cannot create a static route for a virtual access interface on a hub with dynamic VTI, because the hub creates and deletes these interfaces dynamically during tunnel establishment and termination.
  For a spoke: configure the spoke's protected network. To enable static routing for the spokes, after you configure the endpoints for your topology, click the IPsec tab and check the Enable Reverse Route Injection check box. You do not need this option if you use BGP, OSPF, or EIGRP.

Step 3. Check the Allow incoming IKEv2 routes from the peers check box to allow incoming IKEv2 routes from the spokes and peers.
  For a hub: during an IKE exchange, the hub advertises the dynamically created virtual access interfaces to the spokes, and the spokes advertise their VTI IP addresses to the hub.
  For a spoke: this option is enabled by default.

Step 4. In the Connection Type drop-down list, choose one of the following:
  Answer Only: The device can only respond when a peer device initiates a connection; it cannot initiate a connection itself.
  Bidirectional: The device can initiate or respond to a connection. This is the default option.
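The dependencies between these settings (VTI IP with BGP on the hub, Reverse Route Injection for statically routed spokes, and the Answer Only / Bidirectional pairing) are easy to get wrong across many spokes. The following is an added pre-deployment check, not Cisco code: it models each endpoint's settings as a small record and reports the combinations this procedure says will not work. The Endpoint field names and the "static" routing value are assumptions for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import List

DYNAMIC_ROUTING = {"BGP", "OSPF", "EIGRP"}
CONNECTION_TYPES = {"Answer Only", "Bidirectional"}


@dataclass
class Endpoint:
    # Assumed field names modelling the settings from the procedure above.
    name: str
    role: str                                # "hub" or "spoke"
    routing: str                             # "BGP", "OSPF", "EIGRP" or "static"
    protected_networks: List[str] = field(default_factory=list)
    send_vti_ip: bool = False                # Step 1 check box
    allow_ikev2_routes: bool = False         # Step 3 check box
    reverse_route_injection: bool = False    # IPsec tab, needed for static routing on spokes
    connection_type: str = "Bidirectional"   # Step 4 (default)


def check_endpoint(ep: Endpoint) -> List[str]:
    """Return findings for one endpoint; an empty list means the endpoint passes."""
    findings = []
    if ep.role == "hub" and ep.routing == "BGP" and not ep.send_vti_ip:
        findings.append(f"{ep.name}: hub using BGP must send the VTI IP to the peers")
    if not ep.protected_networks:
        findings.append(f"{ep.name}: no protected networks, so no access list can be generated")
    for net in ep.protected_networks:
        try:
            ip_network(net)  # strict by default: rejects host bits set in the prefix
        except ValueError:
            findings.append(f"{ep.name}: protected network {net!r} is not a valid prefix")
    if ep.role == "spoke" and ep.routing not in DYNAMIC_ROUTING and not ep.reverse_route_injection:
        findings.append(f"{ep.name}: statically routed spoke needs Reverse Route Injection")
    if ep.connection_type not in CONNECTION_TYPES:
        findings.append(f"{ep.name}: unknown connection type {ep.connection_type!r}")
    return findings


def check_topology(hub: Endpoint, spokes: List[Endpoint]) -> List[str]:
    """Check the hub, every spoke, and the hub/spoke pairing of Connection Type."""
    findings = check_endpoint(hub)
    for spoke in spokes:
        findings += check_endpoint(spoke)
        # Two Answer Only peers can never bring the tunnel up: neither side initiates.
        if hub.connection_type == "Answer Only" and spoke.connection_type == "Answer Only":
            findings.append(f"{spoke.name}: hub and spoke are both Answer Only, nobody initiates")
    return findings
```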