
Use FQDN for VTI interface instead of IP

Aaida
Level 1

We are planning to establish a site-to-site VPN tunnel between our Cisco ASR router and their third-party firewall.
They have a requirement of a backup peer IP, hence we need to accommodate that IP as well in our config. First we thought of establishing two VTIs and failing over using IP SLA, but due to our organization's standards that is not possible. The next option that came to mind is using an FQDN as the remote peer instead of a static IP. We are planning to make use of Embedded Event Manager (EEM) to update DNS. Please find a sample config below.

Please note one more thing: we got this idea from the link below, if anyone needs a reference. Please let me know if someone has already done the scenario I have mentioned above and can answer my doubts.

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-architecture-implementation/118048-technote-ipsec-00.html

My questions are:

1. Since we are refreshing the config with EEM, will it cause any interruption to the tunnel? How will EEM work here?
2. Will the failover be smooth?
3. Will there be any risk with this config? Also please note we are using a Cisco ASR router. Is this supported?

Router A

crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
!
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 no-xauth
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto ipsec profile ipsec-profile
 set transform-set ESP-AES-SHA
!
interface Tunnel1
 ip address 172.16.12.1 255.255.255.0
 tunnel source fastethernet0/0
 tunnel destination example-b.cisco.com
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-profile
!
event manager applet change-tunnel-dest
 event timer cron name TAC cron-entry "* * * * *"
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "interface tunnel1"
 action 1.3 cli command "tunnel destination example-b.cisco.com"


M02@rt37
VIP

Hello @Aaida,

Using an FQDN as the remote peer instead of a static IP, and updating it with EEM, introduces additional dependencies on DNS resolution and on the EEM functionality itself. It's crucial to consider these points:

--Ensure that the DNS infrastructure is reliable and provides fast resolution for the FQDN used as the remote peer. If DNS resolution is slow or unreliable, it may lead to delays or interruptions in the tunnel failover process.

--Embedded Event Manager is a powerful tool, but it's important to thoroughly test and validate its functionality in your network environment. Ensure that EEM updates the DNS entry promptly and accurately when a failure occurs. Consider potential edge cases and failure scenarios to ensure the EEM script behaves as expected...

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
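As an added illustration of the DNS dependency described above (example code written for this page, not from the thread or from Cisco): a Python model of the applet's per-minute refresh in which only a changed, valid answer moves the peer, while a failed or garbage lookup leaves the current peer untouched. The TunnelState model, the rekeys counter and the assumption that re-applying an unchanged destination is a no-op are hypothetical.

```python
import ipaddress
import socket
from dataclasses import dataclass
from typing import Optional


@dataclass
class TunnelState:  # hypothetical model of the VTI the thread's applet reconfigures
    fqdn: str
    current_peer: Optional[str]  # address currently programmed as tunnel destination
    rekeys: int = 0              # peer changes; each one restarts IKE/IPsec


def resolve_fqdn(fqdn, resolver=socket.gethostbyname):
    """Return an IPv4 address for fqdn, or None on a resolver failure or a
    non-address answer, so the caller can keep the last known-good peer."""
    try:
        addr = resolver(fqdn)
        ipaddress.IPv4Address(addr)  # reject garbage answers
        return addr
    except (OSError, ValueError):
        return None


def refresh_destination(state, resolver=socket.gethostbyname):
    """One cron tick.  Returns 'unchanged', 'updated' or 'dns-failed'.
    Only a different answer moves the peer; a failed lookup leaves it alone,
    so an unreliable resolver cannot drop a healthy tunnel."""
    addr = resolve_fqdn(state.fqdn, resolver)
    if addr is None:
        return "dns-failed"
    if addr == state.current_peer:
        return "unchanged"
    state.current_peer = addr
    state.rekeys += 1
    return "updated"


def simulate(state, answers):
    """Run one tick per scripted answer (constructed data: a str is a DNS
    reply, an exception stands for a timeout or NXDOMAIN)."""
    results = []
    for ans in answers:
        def scripted(_fqdn, _ans=ans):
            if isinstance(_ans, Exception):
                raise _ans
            return _ans
        results.append(refresh_destination(state, scripted))
    return results
```

Running simulate over a scripted sequence such as primary address, lookup failure, backup address shows one rekey only at the moment the answer actually changes.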

You can use DVTI instead.

Hi @MHM Cisco World

Can you help me with an example config for DVTI? What is the command to configure DVTI? Also, if I configure DVTI, what will be the difference?

https://www.cisco.com/c/en/us/support/docs/security/flexvpn/118888-configure-flexvpn-00.html

This is the closest example I found.
FlexVPN supports DVTI via a virtual template, which doesn't need a destination IP, and you can use the hostname in the auth of the spoke.

Hi @MHM Cisco World

The thing is the other end is a third-party firewall and they cannot configure BGP. Also they have the primary and backup peer configured on the same HA device. It's just that the backup circuit will be active once the primary circuit is down. Do you still think we can achieve this with DVTI? I am trying to understand how DVTI works.

There are two ways: either DMVPN or DVTI.

What is the idea?
One end (spoke) has a static destination toward the other end (hub).
The spoke starts the IPsec IKEv2 session; the hub receives this session, authenticates it with hostname and PSK, and then adds a virtual tunnel to the spoke using what the spoke put in the IP header of the IKEv2 session.
This is simply the idea of DVTI.
You mention that the other end is a 3rd-party FW, but the config is done on your side, not on the other end;
the other end uses the same config as before, your side will change config.
NOTE: only the other end needs to use IKEv2

(topology diagram)

The above picture depicts the simple topology which I have explained. Peer A is fixed, which is our side. The other peer will be either B or C on the same device. When they change from B to C we have to auto failover. Can you help me with a sample config if this is possible with DVTI? That will help. Or if there is any other simple way which you can suggest to make this failover smoothly without any manual interaction.

Sure, I will run a lab and test some ideas.

IOU1#
*Jul 1 11:28:01.615: %TRACK-6-STATE: 1 ip sla 1 reachability Down -> Up
IOU1#show running-config
Building configuration...

Current configuration : 2719 bytes
!
! Last configuration change at 11:21:21 UTC Sat Jul 1 2023
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname IOU1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
bsd-client server url https://cloudsso.cisco.com/as/token.oauth2
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
no ip icmp rate-limit unreachable
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
redundancy
!
track 1 ip sla 1 reachability
!
ip tcp synwait-time 5
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key mhm address 0.0.0.0
!
crypto ipsec transform-set mhm esp-des
 mode tunnel
!
crypto ipsec profile mhm
 set transform-set mhm
!
interface Tunnel0
 ip address 5.0.0.1 255.255.255.0
 tunnel source Ethernet0/0
 tunnel destination 150.0.0.2
 tunnel protection ipsec profile mhm shared
!
interface Tunnel1
 ip address 15.0.0.1 255.255.255.0
 tunnel source Ethernet0/0
 tunnel destination 200.0.0.2
 tunnel protection ipsec profile mhm shared
!
interface Ethernet0/0
 ip address 100.0.0.1 255.255.255.0
!
interface Ethernet0/1
 ip address 10.0.0.1 255.255.255.0
!
! (Ethernet0/2 through Ethernet1/3 and Serial2/0 through Serial3/3: no ip address, shutdown)
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 20.0.0.0 255.255.255.0 Tunnel0 track 1
ip route 0.0.0.0 0.0.0.0 100.0.0.3
ip route 20.0.0.0 255.255.255.0 Tunnel1 100
!
ip sla 1
 icmp-echo 5.0.0.2 source-interface Tunnel0
ip sla schedule 1 life forever start-time now
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
 transport input none
!
end

IOU2#show running-config
Building configuration...

Current configuration : 2894 bytes
!
! Last configuration change at 11:27:23 UTC Sat Jul 1 2023
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname IOU2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
bsd-client server url https://cloudsso.cisco.com/as/token.oauth2
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
no ip icmp rate-limit unreachable
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
redundancy
!
track 1 ip sla 1 reachability
!
track 10 ip sla 10 reachability
!
ip tcp synwait-time 5
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key mhm address 0.0.0.0
!
crypto ipsec transform-set mhm esp-des
 mode tunnel
!
crypto ipsec profile mhm
 set transform-set mhm
!
interface Tunnel0
 ip address 5.0.0.2 255.255.255.0
 tunnel source Ethernet1/1
 tunnel destination 100.0.0.1
 tunnel protection ipsec profile mhm
!
interface Tunnel1
 ip address 15.0.0.2 255.255.255.0
 tunnel source Ethernet1/3
 tunnel destination 100.0.0.1
 tunnel protection ipsec profile mhm
!
interface Ethernet0/1
 ip address 20.0.0.2 255.255.255.0
!
interface Ethernet0/3
 no ip address
!
interface Ethernet1/1
 ip address 150.0.0.2 255.255.255.0
!
interface Ethernet1/3
 ip address 200.0.0.2 255.255.255.0
!
! (Ethernet0/0, 0/2, 1/0, 1/2 and Serial2/0 through Serial3/3: no ip address, shutdown)
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 150.0.0.3 track 1
ip route 10.0.0.0 255.255.255.0 Tunnel0 track 1
ip route 0.0.0.0 0.0.0.0 200.0.0.3 100
ip route 10.0.0.0 255.255.255.0 Tunnel1 100
!
ip sla 1
 icmp-echo 150.0.0.3 source-interface Ethernet1/1
ip sla schedule 1 life forever start-time now
ip sla 10
 icmp-echo 5.0.0.1 source-interface Tunnel0
ip sla schedule 10 life forever start-time now
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
 transport input none
!

(screenshot of the lab result)

Joseph W. Doherty
Hall of Fame

The biggest possible issue I see is that IPsec is stateful. If you move the other side's endpoint, and it doesn't somehow have a copy of the IPsec session, the tunnel would be broken, I believe.

These are some of the issues mentioned, and addressed, by the technology suggested by @MHM Cisco World