Table of Contents
Introduction
Topology
Prerequisite
Requirements
Configuration
VPN Configuration
BGP Configuration
Verification
VPN Verification
iBGP Verification
Introduction:
This blog shows how to configure iBGP over an IPsec VPN tunnel. IKEv2 is used to build the VPN.
Topology:
Prerequisite:
In this configuration example an ASAv running 9.5.2 is used. Make sure the licenses for Encryption-DES, 3DES-AES and VPN Peers are available.
Requirements:
In this example we establish an IKEv2 site-to-site VPN tunnel between the Site-A ASA and the Site-B ASA. Once the tunnel is up, iBGP is configured on both ASAs so that the BGP session runs through the VPN tunnel.
Configuration:
VPN Configuration:
Site-A ASA Configuration:
Configure objects for the crypto ACL and identity twice NAT (no NAT)
object network Local-Lan
 subnet 20.1.1.0 255.255.255.0
object network Remote-Lan
 subnet 20.2.1.0 255.255.255.0
object network Local-ASA-Outside-Interface
 host 10.1.1.5
object network Remote-ASA-Outside-Interface
 host 10.2.1.5
Configure the ACL for the crypto map
access-list LAN_LAN extended permit ip object Local-Lan object Remote-Lan
access-list LAN_LAN extended permit ip object Local-ASA-Outside-Interface object Remote-ASA-Outside-Interface
Configure no NAT (identity twice NAT)
nat (Inside,Outside) source static Local-Lan Local-Lan destination static Remote-Lan Remote-Lan
nat (Inside,Outside) source static Local-ASA-Outside-Interface Local-ASA-Outside-Interface destination static Remote-ASA-Outside-Interface Remote-ASA-Outside-Interface
Crypto configuration
crypto ikev2 enable Outside
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto map Outside_map 1 match address LAN_LAN
crypto map Outside_map 1 set peer 10.2.1.5
crypto map Outside_map 1 set ikev2 ipsec-proposal AES
crypto map Outside_map interface Outside
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
Group policy and tunnel group configuration
group-policy GroupPolicy_10.2.1.5 internal
group-policy GroupPolicy_10.2.1.5 attributes
 vpn-tunnel-protocol ikev2
tunnel-group 10.2.1.5 type ipsec-l2l
tunnel-group 10.2.1.5 general-attributes
 default-group-policy GroupPolicy_10.2.1.5
tunnel-group 10.2.1.5 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco123
 ikev2 local-authentication pre-shared-key cisco123
Site-B ASA Configuration:
Configure objects for the crypto ACL and identity twice NAT (no NAT)
object network Local-Lan
 subnet 20.2.1.0 255.255.255.0
object network Remote-Lan
 subnet 20.1.1.0 255.255.255.0
object network Local-ASA-Outside-Interface
 host 10.2.1.5
object network Remote-ASA-Outside-Interface
 host 10.1.1.5
Configure the ACL for the crypto map
access-list LAN_LAN extended permit ip object Local-Lan object Remote-Lan
access-list LAN_LAN extended permit ip object Local-ASA-Outside-Interface object Remote-ASA-Outside-Interface
Configure no NAT (identity twice NAT)
nat (Inside,Outside) source static Local-Lan Local-Lan destination static Remote-Lan Remote-Lan
nat (Inside,Outside) source static Local-ASA-Outside-Interface Local-ASA-Outside-Interface destination static Remote-ASA-Outside-Interface Remote-ASA-Outside-Interface
Crypto configuration
crypto ikev2 enable Outside
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto map Outside_map 1 match address LAN_LAN
crypto map Outside_map 1 set peer 10.1.1.5
crypto map Outside_map 1 set ikev2 ipsec-proposal AES
crypto map Outside_map interface Outside
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
Group policy and tunnel group configuration
group-policy GroupPolicy_10.1.1.5 internal
group-policy GroupPolicy_10.1.1.5 attributes
 vpn-tunnel-protocol ikev2
tunnel-group 10.1.1.5 type ipsec-l2l
tunnel-group 10.1.1.5 general-attributes
 default-group-policy GroupPolicy_10.1.1.5
tunnel-group 10.1.1.5 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco123
 ikev2 local-authentication pre-shared-key cisco123
iBGP Configuration
Site-A ASA Configuration
router bgp 100
 bgp log-neighbor-changes
 bgp bestpath compare-routerid
 address-family ipv4 unicast
  neighbor 10.2.1.5 remote-as 100
  neighbor 10.2.1.5 activate
  network 20.1.1.0 mask 255.255.255.0
  network 30.1.1.0 mask 255.255.255.0
  no auto-summary
  no synchronization
 exit-address-family
Site-B ASA Configuration
router bgp 100
 bgp log-neighbor-changes
 bgp bestpath compare-routerid
 address-family ipv4 unicast
  neighbor 10.1.1.5 remote-as 100
  neighbor 10.1.1.5 activate
  network 20.2.1.0 mask 255.255.255.0
  network 30.2.1.0 mask 255.255.255.0
  no auto-summary
  no synchronization
 exit-address-family
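The two site configurations above only work together because they mirror each other exactly: the crypto ACLs are reversed copies, the BGP neighbor on each side is the crypto peer, and the outside-to-outside host entry in LAN_LAN is what carries the iBGP session through the tunnel. The following checker is an added example (not part of the original post) that reconstructs the relevant lines of both configs from the page's addresses and verifies those three properties; the regexes, object names and finding strings are this example's own.

```python
import re
from ipaddress import ip_network
# Constructed from the two ASA configs above: Site-B is Site-A with the addresses mirrored.
TEMPLATE = """\
object network Local-Lan
 subnet {llan} 255.255.255.0
object network Remote-Lan
 subnet {rlan} 255.255.255.0
object network Local-ASA-Outside-Interface
 host {lout}
object network Remote-ASA-Outside-Interface
 host {rout}
access-list LAN_LAN extended permit ip object Local-Lan object Remote-Lan
access-list LAN_LAN extended permit ip object Local-ASA-Outside-Interface object Remote-ASA-Outside-Interface
crypto map Outside_map 1 set peer {rout}
neighbor {rout} remote-as 100
"""
SITE_A = TEMPLATE.format(llan="20.1.1.0", rlan="20.2.1.0", lout="10.1.1.5", rout="10.2.1.5")
SITE_B = TEMPLATE.format(llan="20.2.1.0", rlan="20.1.1.0", lout="10.2.1.5", rout="10.1.1.5")
OBJ_RE = re.compile(r"^object network (\S+)\n (?:subnet (\S+) (\S+)|host (\S+))", re.M)
ACL_RE = re.compile(r"^access-list LAN_LAN extended permit ip object (\S+) object (\S+)", re.M)

def parse(cfg):
    """Return (crypto ACL as a set of (src, dst) networks, crypto peer, BGP neighbor)."""
    objs = {}
    for name, net, mask, host in OBJ_RE.findall(cfg):
        objs[name] = ip_network(f"{net}/{mask}") if net else ip_network(host)
    acl = {(objs[s], objs[d]) for s, d in ACL_RE.findall(cfg)}
    peer = re.search(r"set peer (\S+)", cfg).group(1)
    nbr = re.search(r"^neighbor (\S+) remote-as", cfg, re.M).group(1)
    return acl, peer, nbr

def check_pair(cfg_a, cfg_b):
    """List mismatches that would stop the iBGP session from forming across the tunnel."""
    a_acl, a_peer, a_nbr = parse(cfg_a)
    b_acl, b_peer, b_nbr = parse(cfg_b)
    findings = []
    # Each side's crypto ACL must be the mirror image of the other's.
    if {(d, s) for s, d in b_acl} != a_acl:
        findings.append("crypto ACLs are not mirror images")
    # The BGP neighbor must be the crypto peer, otherwise the session bypasses the tunnel.
    if a_nbr != a_peer or b_nbr != b_peer:
        findings.append("BGP neighbor address differs from crypto peer")
    # iBGP runs between the two outside addresses, so that host pair must be in the
    # crypto ACL; each side's own outside address is what the other side peers with.
    for acl, peer, other_peer in ((a_acl, a_peer, b_peer), (b_acl, b_peer, a_peer)):
        if (ip_network(other_peer), ip_network(peer)) not in acl:
            findings.append(f"crypto ACL lacks host {other_peer} -> host {peer} for BGP")
    return findings
```

Running check_pair(SITE_A, SITE_B) on the page's configs returns an empty list; dropping the outside-interface ACL line from one side, or pointing the BGP neighbor at a LAN address, produces a finding.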
Verification
VPN Verification
The VPN can be verified using show crypto isakmp sa and show crypto ipsec sa.
Site-A-ASA (config)# show crypto isakmp sa
There are no IKEv1 SAs
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
2672961 10.1.1.5/500 10.2.1.5/500 READY RESPONDER
Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/153 sec
Child sa: local selector 10.1.1.5/0 - 10.1.1.5/65535
remote selector 10.2.1.5/0 - 10.2.1.5/65535
ESP spi in/out: 0x63f6013/0x223c01a9
Site-A-ASA(config)# show crypto ipsec sa
interface: Outside
Crypto map tag: Outside_map, seq num: 1, local addr: 10.1.1.5
access-list LAN_LAN extended permit ip host 10.1.1.5 host 10.2.1.5
local ident (addr/mask/prot/port): (10.1.1.5/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.2.1.5/255.255.255.255/0/0)
current_peer: 10.2.1.5
#pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
#pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 19, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 10.1.1.5/500, remote crypto endpt.: 10.2.1.5/500
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 223C01A9
current inbound spi : 063F6013
inbound esp sas:
spi: 0x063F6013 (104816659)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 4096, crypto-map: Outside_map
sa timing: remaining key lifetime (kB/sec): (3916798/28571)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0007FFFF
outbound esp sas:
spi: 0x223C01A9 (574357929)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 4096, crypto-map: Outside_map
sa timing: remaining key lifetime (kB/sec): (4239358/28571)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
BGP Verification
Useful ASA verification commands are show bgp summary, show bgp neighbors and show route.
Site-A
Site-A-ASA(config)# show bgp summary
BGP router identifier 30.1.1.5, local AS number 100
BGP table version is 5, main routing table version 5
4 network entries using 800 bytes of memory
4 path entries using 320 bytes of memory
2/2 BGP path/bestpath attribute entries using 416 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1536 total bytes of memory
BGP activity 4/0 prefixes, 4/0 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.2.1.5 4 100 10 10 5 0 0 00:06:39 2
Site-A-ASA(config)# show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
C 10.1.1.0 255.255.255.0 is directly connected, Outside
L 10.1.1.5 255.255.255.255 is directly connected, Outside
S 10.2.1.0 255.255.255.0 [1/0] via 10.1.1.1, Outside
C 20.1.1.0 255.255.255.0 is directly connected, Inside
L 20.1.1.5 255.255.255.255 is directly connected, Inside
B 20.2.1.0 255.255.255.0 [200/0] via 10.2.1.5, 00:08:26
C 30.1.1.0 255.255.255.0 is directly connected, DMZ
L 30.1.1.5 255.255.255.255 is directly connected, DMZ
B 30.2.1.0 255.255.255.0 [200/0] via 10.2.1.5, 00:08:26
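The show outputs above are read by eye in the post; the following is an added example (not from the original post) that applies the same checks to the lines that matter, so they can be run against captured output: the IKEv2 SA is READY with the expected peer, the child SA selectors cover the outside addresses the BGP session uses, ESP counters show traffic in both directions, the neighbor is Established with the local AS, and the learned B routes point at the crypto peer. The sample strings are constructed from the page's output and the check names are this example's own.

```python
import re

# Constructed from the verification outputs shown above (only the lines the checks use).
ISAKMP = """\
Tunnel-id Local Remote Status Role
2672961 10.1.1.5/500 10.2.1.5/500 READY RESPONDER
Child sa: local selector 10.1.1.5/0 - 10.1.1.5/65535
remote selector 10.2.1.5/0 - 10.2.1.5/65535
"""
IPSEC = """\
#pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
#pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
"""
BGP = """\
BGP router identifier 30.1.1.5, local AS number 100
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.2.1.5 4 100 10 10 5 0 0 00:06:39 2
"""
ROUTE = """\
B 20.2.1.0 255.255.255.0 [200/0] via 10.2.1.5, 00:08:26
B 30.2.1.0 255.255.255.0 [200/0] via 10.2.1.5, 00:08:26
"""

def verify(isakmp, ipsec, bgp, route, peer="10.2.1.5"):
    """Return a dict of named checks; every value must be True for a healthy setup."""
    sa = re.search(r"^\d+ (\S+)/500 (\S+)/500 (\S+) ", isakmp, re.M)
    enc = int(re.search(r"#pkts encaps: (\d+)", ipsec).group(1))
    dec = int(re.search(r"#pkts decaps: (\d+)", ipsec).group(1))
    local_as = re.search(r"local AS number (\d+)", bgp).group(1)
    nbr = re.search(rf"^{re.escape(peer)} \d+ (\d+) .* (\S+)$", bgp, re.M)
    hops = re.findall(r"^B \S+ \S+ \[200/0\] via (\S+),", route, re.M)
    return {
        # IKEv2 SA is up with the expected remote peer.
        "ike_ready": bool(sa) and sa.group(2) == peer and sa.group(3) == "READY",
        # Child SA selectors cover the outside address the BGP session is sent to.
        "child_sa_covers_bgp": f"remote selector {peer}/0" in isakmp,
        # Traffic is actually being encrypted and decrypted, not just an idle SA.
        "esp_traffic": enc > 0 and dec > 0,
        # State/PfxRcd is a number only when the session is Established.
        "bgp_established": bool(nbr) and nbr.group(2).isdigit() and int(nbr.group(2)) > 0,
        "bgp_ibgp": bool(nbr) and nbr.group(1) == local_as,
        # Learned routes point at the peer, so they are reachable only through the tunnel.
        "routes_via_peer": len(hops) > 0 and all(h == peer for h in hops),
    }
```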
Additional Link:
Configuring eBGP over IPSec Tunnel