Date: 05-13-2024 12:48 AM
Hello, I am currently testing the IPsec IKEv2 VTI-based (route-based) interworking of an FPR2110 running ASA OS 9.18(3)56 and 3rd-party equipment (Fortigate), as shown in the picture above.
I understand that when creating a Tunnel interface for IPsec VTI on the ASA, an IP must be assigned as follows (192.168.255.1/30).
I also understand that when configuring a static route for end-to-end communication over the IPsec Tunnel, you must specify the next-hop IP as follows:
(route IPSEC 200.200.200.0 255.255.255.0 192.168.255.2, where 192.168.255.2 is the remaining address of the 192.168.255.0/30 allocated to the Tunnel interface)
However, for Fortigate firewalls, creating a tunnel interface is the same, but we have confirmed that Fortigate has no such requirements, such as assigning an IP to that tunnel or assigning a next-hop IP when setting up static routing for IPsec end-to-end communication.
We have also confirmed that IPsec end-to-end communication is normal, despite the difference in IPsec configuration mechanisms between ASA and Fortigate.
I want to know the role of '192.168.255.1', which the ASA should assign to the Tunnel0 interface in IPsec.
As a result of the actual test, end-to-end communication was normal, even though no IP was set separately on the Fortigate Tunnel interface.
(i.e., Fortigate did not allocate 192.168.255.2/30 and there are no settings related to it)
This means that the ASA can process IPsec packets normally even though it cannot perform a routing lookup for 192.168.255.2, which is the next-hop during IPsec end-to-end communication.
As such, apart from IPsec interworking and communication being normal, the customer is questioning the overall ASA restrictions and IPsec communication mechanisms when configuring IPsec, such as having to set an IP on the Tunnel and specify a next-hop when configuring static routing.
In the network configuration above, in the case of the ASA, do I have to set an IP on the Tunnel interface when using the IPsec VTI method? Or is there another way to configure IPsec without setting an IP?
Please refer to the attached ASAv running-config log. Any questions other than that are welcome.
Thank you.
Date: 05-13-2024 01:01 AM
In Cisco, the tunnel means VTI.
In other vendors, the tunnel can mean VTI or legacy crypto map.
https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/250464
MHM
Date: 05-13-2024 01:27 AM
Hello MHM Cisco World, thank you for your response.
We already know the difference between the crypto-map (policy-based) and route-based (VTI) methods.
In the current configuration, the IPsec Site-to-Site VPN is configured using a route-based method on both the Cisco ASA and the Fortigate.
However, as I mentioned in the question, Fortigate does not need an IP configured on the tunnel interface when configuring a Site-to-Site IPsec VPN, nor a next-hop when configuring static routing for IPsec end-to-end communication,
whereas in Cisco ASA, you must configure an IP on the Tunnel interface (Tunnel0 in the above example) and a next-hop IP when you configure static routing.
I wonder if the ASA can configure a Site-to-Site VPN without setting an IP on the Tunnel interface, or, if an IP must be configured, what the role of that IP is in IPsec communication?
Thank you.
Date: 05-13-2024 02:20 AM - edited 05-13-2024 02:21 AM
In ASA S2S route-based VPN,
you need an IP for the tunnel for:
static routes,
any other IGP (OSPF/EIGRP) or BGP.
It is mandatory.
You can use any IP; it does not need to be a specific subnet.
MHM
Date: 05-13-2024 12:49 PM
Hello MHM Cisco World, thank you for your response.
"You can use any IP; it does not need to be a specific subnet." Is the IP to be used for Tunnel0 supposed to be an independent subnet that is not in use by the internal network? (Of course it is, but I'm asking just in case.)
And it's still hard to understand the role of the IPs that are assigned to Tunnel0. I understood that when implementing GRE tunneling, IPs should be assigned to the GRE Tunnel interface, but what role does this IP have in the case of a regular S2S IPsec tunnel?
Thanks.
Date: 05-13-2024 03:22 PM
Policy-based VPN: the interesting traffic hits the ACL.
Route-based VPN does not use an ACL; it uses routing via the tunnel to protect it, so we need routing for route-based.
Routing traffic toward the tunnel needs the tunnel to have an IP.
For example:
route VTI x.x.x.x x.x.x.x <next-hop>
The next-hop is the tunnel peer IP.
This is only for ASA/FTD; for Cisco IOS XE you can use a loopback as the tunnel IP and use the tunnel in the static route without a next-hop.
MHM
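The ASA-side pieces the thread keeps referring to, collected into one constructed configuration (added here as an example; it is not the attached running-config from the original post). The peer address 198.51.100.2, the `outside` nameif, the object names and the pre-shared key placeholder are assumptions; the tunnel subnet 192.168.255.0/30, the IPSEC nameif and the 200.200.200.0/24 route are taken from the thread.

```text
! IKEv2 policy and IPsec proposal (assumed values, adjust to the peer's settings)
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal VTI-PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec profile VTI-PROFILE
 set ikev2 ipsec-proposal VTI-PROPOSAL
!
! Peer authentication; 198.51.100.2 is a constructed peer address
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK-PLACEHOLDER>
 ikev2 local-authentication pre-shared-key <PSK-PLACEHOLDER>
!
! The VTI. The IP is required on ASA because the static route below points
! out of this interface; the /30 is a private subnet not used anywhere else.
interface Tunnel0
 nameif IPSEC
 ip address 192.168.255.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 198.51.100.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! Static route for the remote LAN. The next-hop 192.168.255.2 only has to fall
! inside the tunnel's subnet so the route resolves to Tunnel0; the Fortigate
! peer never needs to actually own that address for traffic to flow.
route IPSEC 200.200.200.0 255.255.255.0 192.168.255.2 1
```

On the ASA, `show route` should list 200.200.200.0/24 via 192.168.255.2 on IPSEC, and `show crypto ipsec sa` should show the Tunnel0 SA counters increasing once traffic is routed; an IP on the Fortigate's tunnel interface is not needed for either.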