Here is a quick overview of the building blocks you need in order to configure a FlexVPN:
*Remember that FlexVPN uses IKEv2 as its standard.
IKEv2 Proposal: think HAGLE (hash, authentication, dh group, lifetime, encryption). Your proposal defines what you are trying to use during negotiation with the remote side when attempting to establish an IKE phase 1 tunnel security association.
IKEv2 Policy: the policy essentially binds the already configured proposal to a local interface address.
The next two blocks depend on what you choose to use for peer authentication:
IKEv2 Keyring: simply configures/declares a pre-shared key, which can be symmetric or asymmetric for authentication.
Trustpoint: think more secure and an advanced tool for authentication via PKI. Essentially configures identity and CA attributes.
IKEv2 Profile: this step is a collection of every config block to thus point that is NONNEGOTIABLE. Items configure here include the remote peer address and authentication method. Note, that you will bind either the keyring or trustpoint in your profile (all of which depends on which one you choose for authentication).
IPsec Transform Set: declares acceptable combinations of security protocols and algorithms you will use to form your IPsec tunnel security association.
IPsec Profile: This is the final configuration block for FlexVPN that binds everything together. Within the IPsec profile you reference the IPsec transform set and your IKEv2 Profile containing your NONNEGOTIABLE parameters. This gets assigned to an interface.