Rising star

Nathan,

Your config for the VTI approach is correct. You should use the VTI IP addresses for peering and as next-hop just like you did.

Beginner

Hey Nathan, Thomas, and husycisco, this is super helpful. I found myself in a situation where I need multiple Cisco ASAs at different sites to connect to a single Azure VNet.

How does one go about finding the INNER Tunnel BGP Peering IP?

I too have the same issue where, if I route to the Azure public VPN gateway IP, I cannot pass traffic through, although the tunnel is established. I am unsure where to find the BGP peering IP from Azure, though.

Edit: I found how to get this... it is usually the last IP address on the VPN gateway itself, per the docs here: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-bgp-overview

Also, you can just run this command in Azure to find it: Get-AzureRmVirtualNetworkGateway -ResourceGroupName <yourResourceGroupName>

It is up and running and passing traffic... very nice!!!

thanks!

Rising star

This is an incorrect use of the VTI approach.

Beginner

I tried this config on our ASA, but the Azure dynamic tunnel didn't come up. The debugging logs show the following error: "All IPSec SA proposals found unacceptable" Error processing payload: 1. Can anyone please tell me what could be wrong with my setup?

Thanks. MS

Beginner

Hi, guys,

Does VTI work with an IOS or ASA peer? I tried ASAv to ASAv and ASAv to IOS; both solutions failed. I moved the tunnel mode ipsec and protection.

The VTI interface IP address cannot be pinged successfully. Why?

Rising star

ASAv to ASAv can work only with an IKEv1 version of the instructions. IKEv2 support will come with 9.8.1, which keeps bricking my virtual appliance, so I am waiting for it.

I successfully made VTIs work both ASAv to ASAv and ASAv to CSR.

Pinging the interface itself must be some sort of bug, but if you run a packet capture you will see that the echo reply is coming back. For now, avoid testing the connectivity with direct VTI interface pings; try pinging some network behind it.

Beginner

Husycisco,

Have you had any luck with IKEv2 VTI with BGP routing? I am trying to create a site-to-site mesh topology and I would like to use BGP across it for failover and finding the fastest paths.

I cannot get them to peer. I found this great blog on doing it over IKEv1, but it didn't work for me. FYI, I think he got his BGP ASNs backwards.

Cisco ASA VTI (9.7) Route Based VPN with load-balancing and failover - Setup Guide - Techstat

It looks like, in all the research I've done, the BGP neighbors are always going to be the VTI interface IP addresses of the opposite sites.

This is an older article showing a router using BGP over VTI tunnels. 

http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/118977-config-ebgp-00.html

In this article Cisco adds a route map to redirect to the public ip peer of the remote site for the next hop. 

The Cisco 9.8 release claims BGP can work over VTI. Is this only for IKEV1 and not IKEV2? What are your thoughts?

Beginner

Re: ASAv to ASAv can work only

Hi Husycisco,

I am also testing VTI on an ASA5515 (9.7(1)4) and the other end is an ASR1000 (03.16.06b.S), but my VTI is not coming up. Any expert comment would be appreciated if there is anything I am missing.

Config at both ends as per below.

asa# show interface tunnel 100
Interface Tunnel100 "vti", is down, line protocol is down
Hardware is Virtual Tunnel MAC address N/A, MTU 1500
IP address 192.168.1.10, subnet mask 255.255.255.252
Traffic Statistics for "vti":
0 packets input, 0 bytes
0 packets output, 0 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Tunnel Interface Information:
Source interface: outside IP address: 192.165.0.2
Destination IP address: 192.165.0.1
Mode: ipsec ipv4 IPsec profile: PROFILE1
asa#

Router:

ASR#show interfaces tunnel100
Tunnel100 is up, line protocol is down
Hardware is Tunnel
Internet address is 192.168.1.9/30
MTU 10000 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel linestate evaluation down - linestate protection reg down
Tunnel source 192.165.0.1, destination 192.165.0.2
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Tunnel transport MTU 1500 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "PROFILE1")
Last input never, output never, output hang never
Last clearing of "show interface" counters 2d19h
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
ASR#

Config at ASA:-

crypto ipsec ikev1 transform-set SET1 esp-aes esp-sha-hmac
crypto ipsec profile PROFILE1
set ikev1 transform-set SET1
set security-association lifetime kilobytes 102400
set security-association lifetime seconds 900

interface Tunnel100
nameif vti
ip address 192.168.1.10 255.255.255.252
tunnel source interface outside
tunnel destination 192.165.0.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile PROFILE1

Router Config:-

crypto ipsec transform-set SET1 esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile PROFILE1
set security-association lifetime kilobytes 102400
set security-association lifetime seconds 900
set transform-set SET1
!

interface Tunnel100
ip address 192.168.1.9 255.255.255.252
tunnel source 192.165.0.1
tunnel mode ipsec ipv4
tunnel destination 192.165.0.2
tunnel protection ipsec profile PROFILE1

Physical interfaces ping from both sides

ASA# ping 192.165.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.165.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA#

ASR#ping 192.165.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.165.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASR#

Beginner

Thomas,

Have you guys had any luck with IKEv2 VTI with BGP routing? I am trying to create a site-to-site mesh topology and I would like to use BGP across it for failover and finding the fastest paths.

I cannot get them to peer. I found this great blog on doing it over IKEv1, but it didn't work for me. FYI, I think he got his BGP ASNs backwards.

Cisco ASA VTI (9.7) Route Based VPN with load-balancing and failover - Setup Guide - Techstat

It looks like, in all the research I've done, the BGP neighbors are always going to be the VTI interface IP addresses of the opposite sites.

This is an older article showing a router using BGP over VTI tunnels. 

http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/118977-config-ebgp-00.html

In this article Cisco adds a route map to redirect to the public ip peer of the remote site for the next hop. 

The Cisco 9.8 release claims BGP can work over VTI. Is this only for IKEV1 and not IKEV2? What are your thoughts?

Beginner

Re: Yes, we have just updated our

Hello all,

Thomas, please specify: IP addresses 169.254.2.1 and 169.254.2.2 - why did you use these IP addresses? Is it necessary to assign an IP address from this range on the equipment on the Azure side?

interface Tunnel1
  nameif VPN-AZURE
  ip address 169.254.2.1 255.255.255.0 standby 169.254.2.2 

Thank you in advance

Beginner

I have successfully gotten my Cisco ASA to connect to my Azure Gateway with BGP over IKEv2, but after about 12-24 hours my connections stop and I have to change the VTI interface IP to any random value. Once I change it, the tunnels come back up (pinging), even though the debug still shows everything up and connected on both the ASA and the Azure Gateway status.

Any ideas what is causing communication to stop, and why it restarts when I change the VTI interface IP to a different value?

Odd. 

Thanks!

Beginner

We have upgraded our ASAs to IOS Version 9.8(1). I currently have issues with two 5516-X FIREPOWER Services. I have successfully moved to Route Based VPN for our Site-To-Site connectivity. Everything works well with a static route, but we are looking to create resilient mesh by using BGP routing over VTI.

We are using IKEV2, AES256, Sha1, 86400 Lifetime, and so on. The tunnel comes up perfectly and WILL pass traffic within a virtual tunnel interface.

We are looking to get support to get the BGP routing working over these tunnel interfaces (VTI) with IKEV2 IPSEC.

I tried this blog with no luck (IT DOES USE IKEV1)
https://techstat.net/cisco-asa-9-7-route-based-vpn-load-balancing-failover-setup-guide/

I tried this Cisco Doc for VTI / BGP on a Cisco router (DOESN'T WORK ON ASA 9.8)
http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/118977-config-ebgp-00.html

I can get the BGP Peers to see the remote VTI IP Address inside the tunnel, but it will only stay IDLE or ACTIVE and no messages will pass between the two BGP Peers to exchange route information.

Please advise. Any technical documentation or example configuration file for Cisco ASA 9.8(1) for BGP over VTI for ASA to ASA connectivity while using IKEV2 would be extremely helpful.

Thanks!
Nate

Beginner

I'm really loving the VTIs on ASA and have been waiting a long time for this. The only issue I've run into so far was how to put ACLs on these tunnels without doing a filter. I entered the no sysopt connection permit-vpn command to force the traffic to hit the interface ACL. I had entered the appropriate ACLs to permit the traffic on the outside interface, but when the command above was entered it gave me a bunch of errors like this:

"Inbound TCP connection denied from x.x.x.x/port to x.x.x.x/port flags SYN on interface Tunnel4"

"Inbound TCP connection denied from x.x.x.x/port to x.x.x.x/port flags RST on interface Tunnel4"

"Deny inbound UDP from x.x.x.x/port to x.x.x.x/53 due to DNS Query"

So I went to try to take the ACLs from the outside interface and put them on the ACL for the Tunnel4 interface... only to see I couldn't. It does not show up in the GUI as an interface I can create an ACL on.

Is the technology too new for this, and do I have to use filters to do ACLs? I would love to just apply the ACLs to the actual interface. Has anyone had any luck with this type of setup?

Beginner

A quick configuration for a VTI VPN between an ISR and an ASA.

I was able to get this tested and working using an ASA5506 and an ISR4331. I thought someone looking might find this configuration helpful to get started.

 

ROUTER CONFIGURATIONS FOR VTI VPN

crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
lifetime 86400

crypto isakmp key cisco1234 address 1.1.1.1

crypto ipsec transform-set SET1 esp-3des esp-sha-hmac
mode tunnel

crypto ipsec profile MY_PROFILE
set transform-set SET1

interface Tunnel0
ip address 10.1.1.2 255.255.255.0
tunnel source 1.1.1.2
tunnel mode ipsec ipv4
tunnel destination 1.1.1.1
tunnel protection ipsec profile MY_PROFILE

****************************************************************************************************************************

ASA CONFIGURATIONS FOR VTI VPN

interface Tunnel1
nameif TUNNEL1
ip address 10.1.1.1 255.255.255.0
tunnel source interface outside
tunnel destination 1.1.1.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile MY_PROFILE


crypto ipsec ikev1 transform-set SET1 esp-3des esp-sha-hmac
crypto ipsec profile MY_PROFILE
set ikev1 transform-set SET1
responder-only

crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes
ikev1 pre-shared-key cisco1234

Beginner

Re: A quick configuration for a VTI VPN between an ISR and an ASA.

It looks like sVTI is supported. I am trying to run remote-access VPN; does ASA 9.8.1 support running dVTI?