This is the most important configuration for vpn to work. The IKEv2 profile dictates which tunnel the user making a remote connection belongs to.

ISR-LAB(config)#crypto ikev2 profile ikev2-local-profile
match identity remote key-id VPN-KEY-ID #key-id is sent by user to connect to the right ikev2 profile. Check your xml-file
identity local fqdn vpn123.justnetworks.ca #the vpn url remote user will connect to and the routers local identity
authentication local rsa-sig ##using certificate as local authentication method
authentication remote eap query-identity ##using Anyconnect-EAP (radius) as remote authentication method
authentication remote anyconnect-eap aggregate
pki trustpoint TEST-TP ##Referencing the certificate trustpoint it must use for local authentication
aaa authentication anyconnect-eap authC-list ## for authentication, use this list
aaa authorization group anyconnect-eap list authZ-list ikev2-authZ-profile #for authorization, use this list
aaa authorization user anyconnect-eap cached
virtual-template 100 ##Referencing the tunnel interface # used for this profile