Establishing iBGP over IPSec VPN Tunnel on CISCO ASA


Table of Contents

Introduction
Topology
Prerequisite
Requirements
Configuration
VPN Configuration
BGP Configuration
Verification
VPN Verification
iBGP Verification

 

Introduction:

This blog shows how to configure iBGP over an IPSec VPN tunnel between two ASAs. IKEv2 is used for the VPN.

 

Topology:

Prerequisite:

In this configuration example an ASAv running 9.5.2 is used. Make sure the required licenses are available (Encryption-DES, 3DES-AES, VPN Peer).

 

Requirements:

In this example we'll establish an IKEv2 site-to-site VPN tunnel between the Site-A ASA and the Site-B ASA. Once the tunnel is established, we configure iBGP on both ASAs so that the peering session runs through the VPN tunnel.

Configuration:

VPN Configuration:

Site-A ASA Configuration:

Configure the objects used by the crypto ACL and the identity twice NAT (no NAT):

object network Local-Lan
 subnet 20.1.1.0 255.255.255.0
object network Remote-Lan
 subnet 20.2.1.0 255.255.255.0
object network Local-ASA-Outside-Interface
 host 10.1.1.5
object network Remote-ASA-Outside-Interface
 host 10.2.1.5

Configure the ACL for the crypto map. The second entry matches traffic between the two ASA outside interfaces themselves; the iBGP session is established between those addresses, so it must be covered for the BGP packets to go through the tunnel:

access-list LAN_LAN extended permit ip object Local-Lan object Remote-Lan
access-list LAN_LAN extended permit ip object Local-ASA-Outside-Interface object Remote-ASA-Outside-Interface

Configure no NAT (identity twice NAT) for the same two flows:

nat (Inside,Outside) source static Local-Lan Local-Lan destination static Remote-Lan Remote-Lan
nat (Inside,Outside) source static Local-ASA-Outside-Interface Local-ASA-Outside-Interface destination static Remote-ASA-Outside-Interface Remote-ASA-Outside-Interface

Crypto configuration:

crypto ikev2 enable Outside
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto map Outside_map 1 match address LAN_LAN
crypto map Outside_map 1 set peer 10.2.1.5
crypto map Outside_map 1 set ikev2 ipsec-proposal AES
crypto map Outside_map interface Outside

crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400

Group policy and tunnel group configuration:

group-policy GroupPolicy_10.2.1.5 internal
group-policy GroupPolicy_10.2.1.5 attributes
 vpn-tunnel-protocol ikev2

tunnel-group 10.2.1.5 type ipsec-l2l
tunnel-group 10.2.1.5 general-attributes
 default-group-policy GroupPolicy_10.2.1.5
tunnel-group 10.2.1.5 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco123
 ikev2 local-authentication pre-shared-key cisco123

Site-B ASA Configuration:

The Site-B configuration mirrors Site-A, with the local and remote addresses swapped.

Configure the objects used by the crypto ACL and the identity twice NAT (no NAT):

object network Local-Lan
 subnet 20.2.1.0 255.255.255.0
object network Remote-Lan
 subnet 20.1.1.0 255.255.255.0
object network Local-ASA-Outside-Interface
 host 10.2.1.5
object network Remote-ASA-Outside-Interface
 host 10.1.1.5

Configure the ACL for the crypto map:

access-list LAN_LAN extended permit ip object Local-Lan object Remote-Lan
access-list LAN_LAN extended permit ip object Local-ASA-Outside-Interface object Remote-ASA-Outside-Interface

Configure no NAT (identity twice NAT):

nat (Inside,Outside) source static Local-Lan Local-Lan destination static Remote-Lan Remote-Lan
nat (Inside,Outside) source static Local-ASA-Outside-Interface Local-ASA-Outside-Interface destination static Remote-ASA-Outside-Interface Remote-ASA-Outside-Interface

Crypto configuration:

crypto ikev2 enable Outside
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5

crypto map Outside_map 1 match address LAN_LAN
crypto map Outside_map 1 set peer 10.1.1.5
crypto map Outside_map 1 set ikev2 ipsec-proposal AES
crypto map Outside_map interface Outside

crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400

Group policy and tunnel group configuration:

group-policy GroupPolicy_10.1.1.5 internal
group-policy GroupPolicy_10.1.1.5 attributes
 vpn-tunnel-protocol ikev2

tunnel-group 10.1.1.5 type ipsec-l2l
tunnel-group 10.1.1.5 general-attributes
 default-group-policy GroupPolicy_10.1.1.5
tunnel-group 10.1.1.5 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco123
 ikev2 local-authentication pre-shared-key cisco123

iBGP Configuration

Both ASAs are in AS 100 and peer with each other's outside interface address, which is the traffic the second LAN_LAN entry carries through the tunnel.

Site-A ASA Configuration

router bgp 100
 bgp log-neighbor-changes
 bgp bestpath compare-routerid
 address-family ipv4 unicast
  neighbor 10.2.1.5 remote-as 100
  neighbor 10.2.1.5 activate
  network 20.1.1.0 mask 255.255.255.0
  network 30.1.1.0 mask 255.255.255.0
  no auto-summary
  no synchronization
 exit-address-family

Site-B ASA Configuration

router bgp 100
 bgp log-neighbor-changes
 bgp bestpath compare-routerid
 address-family ipv4 unicast
  neighbor 10.1.1.5 remote-as 100
  neighbor 10.1.1.5 activate
  network 20.2.1.0 mask 255.255.255.0
  network 30.2.1.0 mask 255.255.255.0
  no auto-summary
  no synchronization
 exit-address-family
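The two site configurations only work together when several values line up: each ASA's Remote-ASA-Outside-Interface object, crypto map peer and BGP neighbor must all be the other ASA's outside address, both sides must use the same AS, and the outside-to-outside entry must be in the crypto ACL. The following script is an added example, not part of the original post: it reads trimmed config excerpts built from the post's addresses (the `parse` and `check_pair` helpers are mine) and reports any of those mismatches before the configuration is pasted into the firewalls.

```python
import re

# Constructed Site-A/Site-B excerpts using the post's addresses, trimmed to the
# lines this check reads; Site-B is the mirror with the outside hosts swapped.
SITE_A = """\
object network Local-ASA-Outside-Interface
 host 10.1.1.5
object network Remote-ASA-Outside-Interface
 host 10.2.1.5
access-list LAN_LAN extended permit ip object Local-ASA-Outside-Interface object Remote-ASA-Outside-Interface
crypto map Outside_map 1 set peer 10.2.1.5
router bgp 100
 address-family ipv4 unicast
  neighbor 10.2.1.5 remote-as 100
"""
SITE_B = SITE_A.replace("10.1.1.5", "@").replace("10.2.1.5", "10.1.1.5").replace("@", "10.2.1.5")

def parse(cfg: str) -> dict:
    """Pull out the fields whose values must line up across the two peers."""
    hosts = dict(re.findall(r"object network (\S+)\n host (\S+)", cfg))
    peer = re.search(r"set peer (\S+)", cfg)
    bgp = re.search(r"router bgp (\d+)[\s\S]*?neighbor (\S+) remote-as (\d+)", cfg)
    acl = re.search(r"permit ip object Local-ASA-Outside-Interface object Remote-ASA-Outside-Interface", cfg)
    return {
        "local": hosts.get("Local-ASA-Outside-Interface"),
        "remote": hosts.get("Remote-ASA-Outside-Interface"),
        "peer": peer.group(1) if peer else None,
        "asn": bgp.group(1) if bgp else None,
        "neighbor": bgp.group(2) if bgp else None,
        "neighbor_as": bgp.group(3) if bgp else None,
        "outside_in_acl": acl is not None,
    }

def check_pair(cfg_a: str, cfg_b: str) -> list:
    """Return the mismatches between two peer configs; [] means they agree."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    for name, s, o in (("A", a, b), ("B", b, a)):
        if s["remote"] != o["local"]:
            problems.append(f"{name}: Remote-ASA-Outside-Interface is not the peer's outside host")
        if s["peer"] != s["remote"]:
            problems.append(f"{name}: crypto map peer is not the remote outside host")
        if s["neighbor"] != s["remote"]:
            problems.append(f"{name}: BGP neighbor is not the remote outside host")
        if not (s["asn"] == s["neighbor_as"] == o["asn"]):
            problems.append(f"{name}: AS numbers differ; iBGP needs the same AS on both ASAs")
        # BGP terminates on the outside interfaces, so that host pair must be in the crypto ACL.
        if not s["outside_in_acl"]:
            problems.append(f"{name}: crypto ACL lacks the outside-to-outside entry")
    return problems
```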

 

Verification

VPN Verification

The VPN can be verified with show crypto isakmp sa and show crypto ipsec sa.

Site-A-ASA (config)# show crypto isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local               Remote     Status         Role
2672961         10.1.1.5/500         10.2.1.5/500     READY   RESPONDER
     Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
     Life/Active Time: 86400/153 sec
Child sa: local selector 10.1.1.5/0 - 10.1.1.5/65535
         remote selector 10.2.1.5/0 - 10.2.1.5/65535
         ESP spi in/out: 0x63f6013/0x223c01a9

 

 

Site-A-ASA(config)# show crypto ipsec sa
interface: Outside
   Crypto map tag: Outside_map, seq num: 1, local addr: 10.1.1.5

     access-list LAN_LAN extended permit ip host 10.1.1.5 host 10.2.1.5
     local ident (addr/mask/prot/port): (10.1.1.5/255.255.255.255/0/0)
     remote ident (addr/mask/prot/port): (10.2.1.5/255.255.255.255/0/0)
     current_peer: 10.2.1.5

     #pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
     #pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
     #pkts compressed: 0, #pkts decompressed: 0
     #pkts not compressed: 19, #pkts comp failed: 0, #pkts decomp failed: 0
     #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
     #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
     #TFC rcvd: 0, #TFC sent: 0
     #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
     #send errors: 0, #recv errors: 0

     local crypto endpt.: 10.1.1.5/500, remote crypto endpt.: 10.2.1.5/500
     path mtu 1500, ipsec overhead 74(44), media mtu 1500
     PMTU time remaining (sec): 0, DF policy: copy-df
     ICMP error validation: disabled, TFC packets: disabled
     current outbound spi: 223C01A9
     current inbound spi : 063F6013

   inbound esp sas:
     spi: 0x063F6013 (104816659)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv2, }
         slot: 0, conn_id: 4096, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (3916798/28571)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
         0x00000000 0x0007FFFF
   outbound esp sas:
     spi: 0x223C01A9 (574357929)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv2, }
         slot: 0, conn_id: 4096, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (4239358/28571)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
         0x00000000 0x00000001

 

 

BGP Verification

Some of the ASA verification commands are show bgp summary, show bgp neighbors and show route. In show bgp summary, the State/PfxRcd column shows a prefix count only once the session is Established; otherwise it shows the session state.

Site-A

Site-A-ASA(config)# show bgp summary
BGP router identifier 30.1.1.5, local AS number 100
BGP table version is 5, main routing table version 5
4 network entries using 800 bytes of memory
4 path entries using 320 bytes of memory
2/2 BGP path/bestpath attribute entries using 416 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1536 total bytes of memory
BGP activity 4/0 prefixes, 4/0 paths, scan interval 60 secs

Neighbor       V           AS MsgRcvd MsgSent   TblVer InQ OutQ Up/Down State/PfxRcd
10.2.1.5       4         100 10     10             5   0   0 00:06:39 2

Site-A-ASA(config)# show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set

C       10.1.1.0 255.255.255.0 is directly connected, Outside
L       10.1.1.5 255.255.255.255 is directly connected, Outside
S       10.2.1.0 255.255.255.0 [1/0] via 10.1.1.1, Outside
C       20.1.1.0 255.255.255.0 is directly connected, Inside
L       20.1.1.5 255.255.255.255 is directly connected, Inside
B       20.2.1.0 255.255.255.0 [200/0] via 10.2.1.5, 00:08:26
C       30.1.1.0 255.255.255.0 is directly connected, DMZ
L       30.1.1.5 255.255.255.255 is directly connected, DMZ
B       30.2.1.0 255.255.255.0 [200/0] via 10.2.1.5, 00:08:26
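The checks above are usually done by eye, but they are easy to script for monitoring or post-change validation. The script below is an added example, not from the original post: it runs over sample output constructed from the post's show crypto isakmp sa and show bgp summary sections and confirms that the IKEv2 session to the peer is UP-ACTIVE with a child SA, that the BGP neighbor is Established with prefixes received, and it extracts the negotiated IKE parameters so you can confirm the tunnel did not settle on the weaker options the ikev2 policy above also permits (DH group 2, MD5 ESP integrity). The helper names are mine.

```python
import re
from typing import Optional

# Constructed sample output, shaped like the post's verification section.
IKEV2_SA = """\
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id                 Local               Remote     Status         Role
2672961         10.1.1.5/500         10.2.1.5/500     READY   RESPONDER
     Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
"""
BGP_SUMMARY = """\
Neighbor       V           AS MsgRcvd MsgSent   TblVer InQ OutQ Up/Down State/PfxRcd
10.2.1.5       4         100 10     10             5   0   0 00:06:39 2
"""

def tunnel_up(sa_output: str, peer: str) -> bool:
    """True when the IKEv2 session is UP-ACTIVE with a child SA and `peer` shows READY."""
    m = re.search(r"Status:([A-Z-]+), IKE count:(\d+), CHILD count:(\d+)", sa_output)
    if not m or m.group(1) != "UP-ACTIVE" or int(m.group(3)) < 1:
        return False
    # The Remote column is "<peer>/500" followed by the tunnel status.
    return re.search(rf"\s{re.escape(peer)}/500\s+READY", sa_output) is not None

def negotiated(sa_output: str) -> dict:
    """Negotiated IKE parameters, to compare with what the ikev2 policy was meant to allow."""
    m = re.search(r"Encr: (\S+), keysize: (\d+), Hash: (\S+), DH Grp:(\d+)", sa_output)
    if not m:
        return {}
    return {"encr": m.group(1), "keysize": int(m.group(2)), "hash": m.group(3), "dh": int(m.group(4))}

def bgp_prefixes(summary: str, neighbor: str) -> Optional[int]:
    """Prefixes received from `neighbor`, or None when the session is not Established.
    The last column of 'show bgp summary' is a count only for an Established
    session; otherwise it holds a state name such as Idle or Active."""
    for line in summary.splitlines():
        cols = line.split()
        if cols and cols[0] == neighbor:
            return int(cols[-1]) if cols[-1].isdigit() else None
    return None
```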

Additional Link:

Configuring eBGP over IPSec Tunnel

3 Comments

Hi nandakum,

We have run iBGP between two ASAs. On the routing table we can see the route, but Local-LAN cannot ping or access Remote-LAN.

Please help me fix this issue.

Thanks

Can you try pinging any host instead of the ASA interface? Also, enabling logging and taking a packet capture on both routers will help you find where the drop is.

Does the ASA support a BGP connection from the inside interface? We need to connect to the inside interface, and there is no update-source command under BGP on the ASA.