This config example shows a Site-to-Site configuration of IPsec VPN established between two Cisco routers. VPN will use IKEv2 protocol with PreSharedKey (PSK) remote-site authentication. Topology simulates a Branch router connected over an ISP to the HQ router. There are several options for how to configure IKEv2. In this example, I’m using the symmetric PSK witch crypto map, where the IKEv2 process is started by ACL that identifies interesting traffic. I also do not use GRE tunnel for the interconnection of both sides, instead, simple static default routes are used.
Topology
Configuration runs on GNS3 emulator and I’m using the CSR1000v platform with version 16.12.01a IOS XE as the older ISR platform (7200 15.4 IOS) does not support IKEv2. On real devices, IKEv2 is supported on Cisco ISR Generation 2 (G2) that runs Cisco IOS software version 15.2(4)M or later (for example 29xx ISR), ASA with 8.4.(1) and later (including ASA 5510).