Nanda Kumar Kirubakaran
Cisco Employee

Table of Contents

Introduction
Topology
Prerequisite
Requirements
Configuration
  VPN Configuration
  BGP Configuration
Verification
  VPN Verification
  iBGP Verification

Introduction:

This blog shows how to configure iBGP over an IPsec VPN tunnel. IKEv2 is used for the VPN configuration.

 

Topology:

Prerequisite:

In this configuration example an ASAv running 9.5.2 is used. Make sure the required licenses are available (Encryption-DES, 3DES-AES, VPN Peers).

 

Requirements:

In this example we will establish an IKEv2 site-to-site VPN tunnel between the Site-A ASA and the Site-B ASA. Once the tunnel is established, iBGP is configured on both ASAs so that the peering runs through the VPN tunnel.

Configuration:

VPN Configuration:

Site-A ASA Configuration:

Configure network objects for the crypto ACL and the identity (no-NAT) twice NAT rules:

object network Local-Lan
 subnet 20.1.1.0 255.255.255.0
object network Remote-Lan
 subnet 20.2.1.0 255.255.255.0
object network Local-ASA-Outside-Interface
 host 10.1.1.5
object network Remote-ASA-Outside-Interface
 host 10.2.1.5

Configure the ACL for the crypto map. The second entry matches traffic between the two outside interfaces, which is what carries the iBGP session, so the peering itself is encrypted:

access-list LAN_LAN extended permit ip object Local-Lan object Remote-Lan
access-list LAN_LAN extended permit ip object Local-ASA-Outside-Interface object Remote-ASA-Outside-Interface

Configure no NAT (identity twice NAT) for the VPN traffic:

nat (Inside,Outside) source static Local-Lan Local-Lan destination static Remote-Lan Remote-Lan
nat (Inside,Outside) source static Local-ASA-Outside-Interface Local-ASA-Outside-Interface destination static Remote-ASA-Outside-Interface Remote-ASA-Outside-Interface

Configure crypto (IKEv2 on the outside interface, the IPsec proposal, the crypto map and the IKEv2 policy):

crypto ikev2 enable Outside
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto map Outside_map 1 match address LAN_LAN
crypto map Outside_map 1 set peer 10.2.1.5
crypto map Outside_map 1 set ikev2 ipsec-proposal AES
crypto map Outside_map interface Outside

crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400

Configure the group policy and the tunnel group:

group-policy GroupPolicy_10.2.1.5 internal
group-policy GroupPolicy_10.2.1.5 attributes
 vpn-tunnel-protocol ikev2

tunnel-group 10.2.1.5 type ipsec-l2l
tunnel-group 10.2.1.5 general-attributes
 default-group-policy GroupPolicy_10.2.1.5
tunnel-group 10.2.1.5 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco123
 ikev2 local-authentication pre-shared-key cisco123

Site-B ASA Configuration:

Configure network objects for the crypto ACL and the identity (no-NAT) twice NAT rules (the mirror of Site-A):

object network Local-Lan
 subnet 20.2.1.0 255.255.255.0
object network Remote-Lan
 subnet 20.1.1.0 255.255.255.0
object network Local-ASA-Outside-Interface
 host 10.2.1.5
object network Remote-ASA-Outside-Interface
 host 10.1.1.5

Configure the ACL for the crypto map:

access-list LAN_LAN extended permit ip object Local-Lan object Remote-Lan
access-list LAN_LAN extended permit ip object Local-ASA-Outside-Interface object Remote-ASA-Outside-Interface

Configure no NAT (identity twice NAT) for the VPN traffic:

nat (Inside,Outside) source static Local-Lan Local-Lan destination static Remote-Lan Remote-Lan
nat (Inside,Outside) source static Local-ASA-Outside-Interface Local-ASA-Outside-Interface destination static Remote-ASA-Outside-Interface Remote-ASA-Outside-Interface

Configure crypto (IKEv2 on the outside interface, the IPsec proposal, the crypto map and the IKEv2 policy):

crypto ikev2 enable Outside
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5

crypto map Outside_map 1 match address LAN_LAN
crypto map Outside_map 1 set peer 10.1.1.5
crypto map Outside_map 1 set ikev2 ipsec-proposal AES
crypto map Outside_map interface Outside

crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400

Configure the group policy and the tunnel group:

group-policy GroupPolicy_10.1.1.5 internal
group-policy GroupPolicy_10.1.1.5 attributes
 vpn-tunnel-protocol ikev2

tunnel-group 10.1.1.5 type ipsec-l2l
tunnel-group 10.1.1.5 general-attributes
 default-group-policy GroupPolicy_10.1.1.5
tunnel-group 10.1.1.5 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco123
 ikev2 local-authentication pre-shared-key cisco123

 

 

iBGP Configuration:

Site-A ASA Configuration:

router bgp 100
 bgp log-neighbor-changes
 bgp bestpath compare-routerid
 address-family ipv4 unicast
  neighbor 10.2.1.5 remote-as 100
  neighbor 10.2.1.5 activate
  network 20.1.1.0 mask 255.255.255.0
  network 30.1.1.0 mask 255.255.255.0
  no auto-summary
  no synchronization
 exit-address-family

Site-B ASA Configuration:

router bgp 100
 bgp log-neighbor-changes
 bgp bestpath compare-routerid
 address-family ipv4 unicast
  neighbor 10.1.1.5 remote-as 100
  neighbor 10.1.1.5 activate
  network 20.2.1.0 mask 255.255.255.0
  network 30.2.1.0 mask 255.255.255.0
  no auto-summary
  no synchronization
 exit-address-family
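Added example (not from the post): a small Python check that ties the VPN and iBGP sections together. It parses the Site-A excerpt (Site-B is its mirror, which mirror() builds), verifies that the iBGP session between the two outside addresses matches a crypto ACE, and then checks every pair of BGP-advertised networks the same way; on this configuration it reports that the DMZ networks 30.1.1.0/24 and 30.2.1.0/24 are advertised over BGP but are not in LAN_LAN, so traffic between them would never enter the tunnel. It assumes Python 3.7 or later for ip_network.subnet_of.

```python
import ipaddress
# Constructed excerpt of the Site-A config from this post (Site-B is its mirror).
SITE_A = """object network Local-Lan
 subnet 20.1.1.0 255.255.255.0
object network Remote-Lan
 subnet 20.2.1.0 255.255.255.0
object network Local-ASA-Outside-Interface
 host 10.1.1.5
object network Remote-ASA-Outside-Interface
 host 10.2.1.5
access-list LAN_LAN extended permit ip object Local-Lan object Remote-Lan
access-list LAN_LAN extended permit ip object Local-ASA-Outside-Interface object Remote-ASA-Outside-Interface
crypto map Outside_map 1 set peer 10.2.1.5
neighbor 10.2.1.5 remote-as 100
network 20.1.1.0 mask 255.255.255.0
network 30.1.1.0 mask 255.255.255.0"""
def mirror(text):
    """Site-B in this post is Site-A with each local/remote address pair exchanged."""
    for a, b in (("20.1.1.0", "20.2.1.0"), ("30.1.1.0", "30.2.1.0"), ("10.1.1.5", "10.2.1.5")):
        text = text.replace(a, "\0").replace(b, a).replace("\0", b)
    return text

def parse(cfg):
    """Collect objects, crypto ACEs as (src, dst), crypto peer, BGP neighbor and networks."""
    objs, site = {}, {"acl": [], "networks": []}
    for w in (line.split() for line in cfg.splitlines() if line.strip()):
        if w[:2] == ["object", "network"]:
            current = w[2]
        elif w[0] in ("subnet", "host"):                 # "addr/mask", or a bare host (/32)
            objs[current] = ipaddress.ip_network("/".join(w[1:]))
        elif w[0] == "access-list" and w[3] == "permit":
            site["acl"].append((objs[w[6]], objs[w[8]]))
        elif w[0] == "crypto" and "peer" in w:
            site["peer"] = ipaddress.ip_network(w[-1])
        elif w[0] == "neighbor":
            site["neighbor"] = ipaddress.ip_network(w[1])
        elif w[0] == "network":
            site["networks"].append(ipaddress.ip_network(f"{w[1]}/{w[3]}"))
    return site

def check_bgp_over_vpn(local, remote):
    """Return the gaps; empty means the BGP session and every advertised route pair is covered."""
    covered = lambda s, d: any(s.subnet_of(a) and d.subnet_of(b) for a, b in local["acl"])
    gaps = []
    if not covered(remote["peer"], local["neighbor"]):   # remote's peer is our outside address
        gaps.append("no crypto ACE covers the BGP session itself")
    for ln in local["networks"]:
        for rn in remote["networks"]:
            if not covered(ln, rn):
                gaps.append(f"{ln} -> {rn} is routed over BGP but not in the crypto ACL")
    return gaps
```

Run check_bgp_over_vpn(parse(SITE_A), parse(mirror(SITE_A))) from each side; fixing the three reported gaps means either adding the DMZ pairs to LAN_LAN or not advertising the DMZ networks over this peering.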

 

Verification

VPN Verification

The VPN can be verified using show crypto isakmp sa and show crypto ipsec sa. Status UP-ACTIVE/READY for the IKEv2 SA, and IPsec SA packet counters (#pkts encaps/decaps) that increase, confirm that the tunnel is up and carrying traffic.

Site-A-ASA (config)# show crypto isakmp sa
There are no IKEv1 SAs
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id                 Local               Remote     Status         Role
2672961         10.1.1.5/500         10.2.1.5/500     READY   RESPONDER
     Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
     Life/Active Time: 86400/153 sec
Child sa: local selector 10.1.1.5/0 - 10.1.1.5/65535
         remote selector 10.2.1.5/0 - 10.2.1.5/65535
         ESP spi in/out: 0x63f6013/0x223c01a9

Site-A-ASA(config)# show crypto ipsec sa
interface: Outside
   Crypto map tag: Outside_map, seq num: 1, local addr: 10.1.1.5

     access-list LAN_LAN extended permit ip host 10.1.1.5 host 10.2.1.5
     local ident (addr/mask/prot/port): (10.1.1.5/255.255.255.255/0/0)
     remote ident (addr/mask/prot/port): (10.2.1.5/255.255.255.255/0/0)
     current_peer: 10.2.1.5

     #pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
     #pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
     #pkts compressed: 0, #pkts decompressed: 0
     #pkts not compressed: 19, #pkts comp failed: 0, #pkts decomp failed: 0
     #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
     #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
     #TFC rcvd: 0, #TFC sent: 0
     #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
     #send errors: 0, #recv errors: 0

     local crypto endpt.: 10.1.1.5/500, remote crypto endpt.: 10.2.1.5/500
     path mtu 1500, ipsec overhead 74(44), media mtu 1500
     PMTU time remaining (sec): 0, DF policy: copy-df
     ICMP error validation: disabled, TFC packets: disabled
     current outbound spi: 223C01A9
     current inbound spi : 063F6013

   inbound esp sas:
     spi: 0x063F6013 (104816659)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv2, }
         slot: 0, conn_id: 4096, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (3916798/28571)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
         0x00000000 0x0007FFFF
   outbound esp sas:
     spi: 0x223C01A9 (574357929)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv2, }
         slot: 0, conn_id: 4096, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (4239358/28571)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
         0x00000000 0x00000001

BGP Verification

Some of the ASA verification commands are show bgp summary, show bgp neighbors and show route. A number in the State/PfxRcd column of show bgp summary means the session is Established and shows how many prefixes were received; a state such as Idle or Active means it is not.

Site-A

Site-A-ASA(config)# show bgp summary
BGP router identifier 30.1.1.5, local AS number 100
BGP table version is 5, main routing table version 5
4 network entries using 800 bytes of memory
4 path entries using 320 bytes of memory
2/2 BGP path/bestpath attribute entries using 416 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1536 total bytes of memory
BGP activity 4/0 prefixes, 4/0 paths, scan interval 60 secs

Neighbor       V           AS MsgRcvd MsgSent   TblVer InQ OutQ Up/Down State/PfxRcd
10.2.1.5       4         100 10     10             5   0   0 00:06:39 2


Site-A-ASA(config)# show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set

C       10.1.1.0 255.255.255.0 is directly connected, Outside
L       10.1.1.5 255.255.255.255 is directly connected, Outside
S       10.2.1.0 255.255.255.0 [1/0] via 10.1.1.1, Outside
C       20.1.1.0 255.255.255.0 is directly connected, Inside
L       20.1.1.5 255.255.255.255 is directly connected, Inside
B       20.2.1.0 255.255.255.0 [200/0] via 10.2.1.5, 00:08:26
C       30.1.1.0 255.255.255.0 is directly connected, DMZ
L       30.1.1.5 255.255.255.255 is directly connected, DMZ
B       30.2.1.0 255.255.255.0 [200/0] via 10.2.1.5, 00:08:26
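Added example (not from the post): a Python parser for the two outputs above that turns this manual verification into an automated check. It confirms the IKEv2 SA is READY, reads the negotiated algorithms (on this tunnel it flags DH group 5, which is below Cisco's current NGE guidance), and confirms that the BGP neighbor's State/PfxRcd column holds a prefix count, meaning Established, rather than a state such as Active or Idle. The samples are the Site-A output copied from this post, trimmed to the relevant lines.

```python
import re

# Constructed samples copied from the Site-A verification output in this post, trimmed to
# the IKEv2 SA lines and the BGP neighbor row.
ISAKMP = """IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id                 Local               Remote     Status         Role
2672961         10.1.1.5/500         10.2.1.5/500     READY   RESPONDER
     Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
     Life/Active Time: 86400/153 sec"""
BGP_SUMMARY = """Neighbor       V           AS MsgRcvd MsgSent   TblVer InQ OutQ Up/Down State/PfxRcd
10.2.1.5       4         100 10     10             5   0   0 00:06:39 2"""

def ikev2_sa(text):
    """Return local, peer, status, role and negotiated algorithms of the first IKEv2 SA."""
    sa = {}
    m = re.search(r"^\s*\d+\s+(\S+)/\d+\s+(\S+)/\d+\s+(\w+)\s+(\w+)", text, re.M)
    if m:
        sa.update(local=m[1], peer=m[2], status=m[3], role=m[4])
    m = re.search(r"Encr: ([^,]+), keysize: (\d+), Hash: ([^,]+), DH Grp:(\d+), Auth sign: ([^,]+)", text)
    if m:
        sa.update(encr=m[1], keysize=int(m[2]), hash=m[3], dh=int(m[4]), auth=m[5])
    return sa

def bgp_neighbors(text):
    """Map each neighbor to its State/PfxRcd field: an int means Established, else the state."""
    peers = {}
    for w in (line.split() for line in text.splitlines()):
        if len(w) >= 10 and w[0][0].isdigit():             # data row, not the header
            peers[w[0]] = int(w[9]) if w[9].isdigit() else " ".join(w[9:])
    return peers

def assess(isakmp, bgp_summary):
    """Cross-check tunnel state, negotiated crypto and the iBGP session; returns findings."""
    sa, peers = ikev2_sa(isakmp), bgp_neighbors(bgp_summary)
    findings = []
    if sa.get("status") != "READY":
        findings.append("IKEv2 SA is not READY")
    if sa.get("dh", 0) < 14:            # groups 1, 2 and 5 (768 to 1536-bit MODP) are below Cisco NGE
        findings.append(f"weak DH group {sa.get('dh')}")
    if sa.get("hash", "").startswith("MD5"):
        findings.append("MD5 integrity negotiated")
    state = peers.get(sa.get("peer"))
    if not isinstance(state, int):
        findings.append(f"BGP session with {sa.get('peer')} is not Established (state {state})")
    elif state == 0:
        findings.append("BGP session is Established but received no prefixes")
    return findings
```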

Additional link:

Configuring eBGP over IPSec Tunnel
