Route-based L2L IPSEC Tunnel ASA to ASA

curdubanbogdan
Level 1

Hello all,

 

We have a policy-based site-to-site VPN tunnel between 2 ASAs that is working, and we want to migrate to a route-based VPN.

We are first trying to get this tunnel up so we can add static routes to the LAN behind it. But somehow the tunnel is still down/down.

 

One thing to mention: ASA A has 2 providers with 2 default routes, with IP SLA + track configured to give priority to PROVIDER_A, not to PROVIDER_B, which is the tunnel source. I have to ask whether there is any incompatibility on the ASA in having a VTI tunnel via the secondary link to the same location that its main link reaches via the policy-based VPN. (PS: the interfaces below are shut in the copied config because I stopped the continuous negotiation without a conclusion.)

 

Configuration on ASA A:

 

crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 2
encryption aes-256 aes 3des
integrity sha384 sha256 sha
group 19
prf sha
lifetime seconds 86400
crypto ikev2 policy 3
encryption aes-256 aes-192
integrity sha
group 14
prf sha
lifetime seconds 86400
crypto ikev2 policy 5
encryption aes-256
integrity sha512 sha384 sha256 sha
group 19 14
prf sha
lifetime seconds 86400
crypto ikev2 policy 6
encryption aes-256
integrity sha512 sha256 sha
group 19 14 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400

crypto ikev2 enable PROVIDER_B

crypto ipsec ikev2 ipsec-proposal ESP-AES256-SHA
protocol esp encryption aes-256 aes 3des
protocol esp integrity sha-384 sha-256 sha-1

crypto ipsec profile HQ-TO-HDC
set ikev2 ipsec-proposal ESP-AES256-SHA
set pfs group14

group-policy GroupPolicy_B.B.B.B internal
group-policy GroupPolicy_B.B.B.B attributes
vpn-tunnel-protocol ikev1 ikev2

tunnel-group B.B.B.B type ipsec-l2l
tunnel-group B.B.B.B general-attributes
default-group-policy GroupPolicy_B.B.B.B
tunnel-group B.B.B.B ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

 

interface Tunnel200
nameif ?????
ip address 10.200.0.1 255.255.255.252
tunnel source interface PROVIDER_B
tunnel destination B.B.B.B
tunnel mode ipsec ipv4
tunnel protection ipsec profile HQ-TO-HDC


Configuration ASA B:

crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 2
encryption aes-256 aes 3des
integrity sha384 sha256 sha
group 19
prf sha
lifetime seconds 86400
crypto ikev2 policy 3
encryption aes-256 aes-192
integrity sha
group 14
prf sha
lifetime seconds 86400
crypto ikev2 policy 5
encryption aes-256
integrity sha512 sha384 sha256 sha
group 19 14
prf sha
lifetime seconds 86400
crypto ikev2 policy 6
encryption aes-256
integrity sha512 sha256 sha
group 19 14 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400

crypto ikev2 enable OUTSIDE

crypto ipsec ikev2 ipsec-proposal ESP-AES256-SHA
protocol esp encryption aes-256 aes 3des
protocol esp integrity sha-384 sha-256 sha-1

crypto ipsec profile HDC-TO-HQ
set ikev2 ipsec-proposal ESP-AES256-SHA
set pfs group14

 

group-policy GroupPolicy_A.A.A.A internal
group-policy GroupPolicy_A.A.A.A attributes
vpn-tunnel-protocol ikev2

tunnel-group A.A.A.A type ipsec-l2l
tunnel-group A.A.A.A general-attributes
default-group-policy GroupPolicy_A.A.A.A
tunnel-group A.A.A.A ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****



interface Tunnel200
shutdown
nameif ????
ip address 10.200.0.2 255.255.255.252
tunnel source interface OUTSIDE
tunnel destination A.A.A.A
tunnel mode ipsec ipv4
tunnel protection ipsec profile HDC-TO-HQ
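
A quick way to check two ASA configs like the ones above against each other before bringing a tunnel up is to parse the IKEv2 policies, ESP proposals and IPsec profiles from both sides and compute what the peers can actually agree on. The script below is an added example written for this thread, not code from the post or from Cisco: it groups the crypto lines by keyword (pasted configs like these have lost their indentation), lists the IKEv2 policy pairs that share at least one value for every IKE SA attribute, intersects the ESP proposals referenced by the two profiles, checks that the PFS groups agree, and flags the legacy algorithms (DES, 3DES, SHA-1, DH groups 2 and 5) that policies 30/40 and the proposal still offer. The two embedded configs are constructed excerpts modelled on the post; the "weak" lists are my own choice.

```python
"""Added example: compare the IKEv2 / IPsec settings of two Cisco ASA configs.
The sample configs are constructed excerpts modelled on the forum post."""
import re
from itertools import product

IKEV2_POLICY = re.compile(r"^crypto ikev2 policy (\d+)$")
PROPOSAL = re.compile(r"^crypto ipsec ikev2 ipsec-proposal (\S+)$")
PROFILE = re.compile(r"^crypto ipsec profile (\S+)$")
SUBKEYS = ("encryption", "integrity", "group", "prf", "lifetime", "protocol", "set")
# Legacy algorithms / DH groups a defender would remove from a proposal list (assumption).
WEAK_CIPHERS = {"des", "3des"}
WEAK_HASHES = {"sha", "sha-1", "md5"}
WEAK_DH = {"1", "2", "5"}


def parse_crypto(config: str) -> dict:
    """Group ASA crypto lines into IKEv2 policies, ESP proposals and IPsec profiles.
    Sub-lines are recognised by keyword, not indentation, so pasted configs still parse."""
    policies, proposals, profiles = {}, {}, {}
    target = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := IKEV2_POLICY.match(line):
            target = policies.setdefault(m.group(1), {})
        elif m := PROPOSAL.match(line):
            target = proposals.setdefault(m.group(1), {})
        elif m := PROFILE.match(line):
            target = profiles.setdefault(m.group(1), {})
        elif target is not None and line.split()[0] in SUBKEYS:
            words = line.split()
            if words[0] == "protocol":                      # protocol esp encryption|integrity <algs>
                target.setdefault(words[2], set()).update(words[3:])
            elif words[0] == "set" and words[1] == "pfs":    # set pfs group14  (bare "set pfs" = default)
                target["pfs"] = words[2].replace("group", "") if len(words) > 2 else "default"
            elif words[0] == "set" and words[1:3] == ["ikev2", "ipsec-proposal"]:
                target["proposals"] = words[3:]              # one or more proposal names
            elif words[0] == "lifetime":                     # lifetime seconds 86400
                target["lifetime"] = int(words[2])
            else:                                            # encryption|integrity|group|prf <values>
                target.setdefault(words[0], set()).update(words[1:])
        else:
            target = None                                    # any other top-level command ends the block
    return {"policies": policies, "proposals": proposals, "profiles": profiles}


def ikev2_matches(a: dict, b: dict) -> list:
    """Policy pairs sharing at least one value for every IKE SA attribute.
    An empty list means IKE_SA_INIT can never succeed between these two peers."""
    keys = ("encryption", "integrity", "group", "prf")
    matches = []
    for (na, pa), (nb, pb) in product(a["policies"].items(), b["policies"].items()):
        common = {k: pa.get(k, set()) & pb.get(k, set()) for k in keys}
        if all(common.values()):
            matches.append((na, nb, common))
    return matches


def ipsec_matches(a: dict, prof_a: str, b: dict, prof_b: str) -> dict:
    """ESP algorithms both profiles offer, plus whether PFS groups agree.
    A PFS mismatch leaves the IKE SA up while every CHILD_SA negotiation fails."""
    pa, pb = a["profiles"][prof_a], b["profiles"][prof_b]
    esp = []
    for x, y in product(pa.get("proposals", []), pb.get("proposals", [])):
        ex, ey = a["proposals"][x], b["proposals"][y]
        enc = ex.get("encryption", set()) & ey.get("encryption", set())
        integ = ex.get("integrity", set()) & ey.get("integrity", set())
        if enc and integ:
            esp.append((x, y, enc, integ))
    return {"esp": esp, "pfs": (pa.get("pfs"), pb.get("pfs")), "pfs_match": pa.get("pfs") == pb.get("pfs")}


def weak_findings(cfg: dict) -> set:
    """(object, attribute, value) triples for every legacy algorithm still offered."""
    found = set()
    for num, pol in cfg["policies"].items():
        obj = f"ikev2 policy {num}"
        found |= {(obj, "encryption", v) for v in pol.get("encryption", set()) & WEAK_CIPHERS}
        found |= {(obj, "integrity", v) for v in pol.get("integrity", set()) & WEAK_HASHES}
        found |= {(obj, "prf", v) for v in pol.get("prf", set()) & WEAK_HASHES}
        found |= {(obj, "group", v) for v in pol.get("group", set()) & WEAK_DH}
    for name, prop in cfg["proposals"].items():
        obj = f"ipsec-proposal {name}"
        found |= {(obj, "encryption", v) for v in prop.get("encryption", set()) & WEAK_CIPHERS}
        found |= {(obj, "integrity", v) for v in prop.get("integrity", set()) & WEAK_HASHES}
    return found


def compare(config_a: str, profile_a: str, config_b: str, profile_b: str) -> dict:
    """Full peer comparison: negotiable IKEv2 pairs, ESP overlap/PFS, and legacy findings per side."""
    a, b = parse_crypto(config_a), parse_crypto(config_b)
    return {"ikev2": ikev2_matches(a, b), "ipsec": ipsec_matches(a, profile_a, b, profile_b),
            "weak_a": weak_findings(a), "weak_b": weak_findings(b)}


# Constructed excerpts modelled on the two configs in the post (policies 2, 3 and 40 only).
ASA_A = """
crypto ikev2 policy 2
 encryption aes-256 aes 3des
 integrity sha384 sha256 sha
 group 19
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 3
 encryption aes-256 aes-192
 integrity sha
 group 14
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable PROVIDER_B
crypto ipsec ikev2 ipsec-proposal ESP-AES256-SHA
 protocol esp encryption aes-256 aes 3des
 protocol esp integrity sha-384 sha-256 sha-1
crypto ipsec profile HQ-TO-HDC
 set ikev2 ipsec-proposal ESP-AES256-SHA
 set pfs group14
"""
ASA_B = """
crypto ikev2 policy 2
 encryption aes-256 aes 3des
 integrity sha384 sha256 sha
 group 19
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable OUTSIDE
crypto ipsec ikev2 ipsec-proposal ESP-AES256-SHA
 protocol esp encryption aes-256 aes 3des
 protocol esp integrity sha-384 sha-256 sha-1
crypto ipsec profile HDC-TO-HQ
 set ikev2 ipsec-proposal ESP-AES256-SHA
 set pfs group14
"""

if __name__ == "__main__":
    report = compare(ASA_A, "HQ-TO-HDC", ASA_B, "HDC-TO-HQ")
    for na, nb, common in report["ikev2"]:
        print(f"IKEv2 policy {na} <-> {nb}: " + ", ".join(f"{k}={sorted(v)}" for k, v in common.items()))
    print("ESP overlap / PFS:", report["ipsec"])
    for finding in sorted(report["weak_a"] | report["weak_b"]):
        print("legacy algorithm still offered:", *finding)
```

Run against the two excerpts it reports that policies 2 and 40 can negotiate (policy 3 has no partner on ASA B because only ASA A offers group 14 with SHA-1 integrity), that the ESP proposal and PFS group14 line up, and that DES, 3DES, SHA-1 and DH groups 2 and 5 are still on offer on both sides. None of that explains a down/down VTI by itself, which is consistent with Rick's answer below that the problem is the combination with the existing policy-based tunnel rather than the crypto parameters; the script is a check to run before each change to the profiles so a later mismatch is not confused with that issue.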


6 Replies

Richard Burts
Hall of Fame

I do not believe that it is supported to have 2 IPsec sessions from the same source to the same destination.

 

HTH

 

Rick


Sorry,

ASA A has 2 sources; I do not have the same source from it, but I do have the same destination. And from ASA B I do not have the same destination, but I do have the same source. Please confirm if that is clear.

Thanks for the additional information. In looking at my post I realize that I was a bit ambiguous in referring to source and destination. What I should have said is that 2 VPN sessions from the same source device to the same destination device is not supported. If we were dealing with tunnels like GRE, then having separate source addresses would be OK and it should work. But with VPN it is different, and I believe that what you are trying to do is not supported.

 

HTH

 

Rick


So that means that I should delete the policy-based configuration.

Ultimately, yes, you should delete the policy-based config when you are ready to use the route-based config. For testing purposes it should be sufficient to disable the policy-based config while you test the route-based config. But when testing is completed, the policy-based config should be removed.

 

I am glad that my suggestions have been helpful. Thank you for marking this question as solved. This will help other participants in the Community to identify discussions which have helpful content. This Community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

 

HTH

 

Rick


So basically I can't have a policy-based tunnel and a route-based tunnel to the same destination, even though I have 2 different sources?
