VTI on ISR to ASA

stephan.ochs
Level 1

Hi

I am trying to establish some IPsec via VTI from an ISR to an ASA.
With each step forward, I found the next restriction to VTI and/or ASA.

I don't understand why it is not possible to implement.

 

First my requirements/environment:

- My branch routers (ISR) have dynamic IP addresses.

- I have to tunnel IPv4 in IPv6, so I have to use VTI.

- My central ASA is in multi context mode, so I can't use VTIs. They are only supported in single context mode.

Therefore I tried to establish the VPN from a VTI to the "normal" VPN (with crypto map) on ASA.

My thought: IPSec is IPSec. Why shouldn't it work?

I only get the following errors:

IKEv2 Received a IKE_INIT_SA request

IKEv2 Failed to process Configuration Payload request for attribute 0x123. Error: Platform errors

IKEv2 Negotiation aborted due to ERROR: Auth exchange failed

 

Maybe someone here can give me some hints. I'm stuck...

 

Thanks in advance

 

Stephan

2 Replies

What version of ASA are you running?

As of ASA 9.7.x the ASA supports VTI tunnel configuration.

 

I would need to lab this, but my first thoughts are that the reason it is failing for you is the way that VTI encapsulates VPN traffic and the ASA doesn't understand this encapsulation. However, since this is now supported in newer versions of ASA this is possible.

--
Please remember to select a correct answer and rate helpful posts

I am running 9.8(2)26.

 

But those restrictions prevent the usage of VTIs:

(https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/vpn/asa-97-vpn-config/vpn-vti.pdf)

"Supported in single mode only." / I need to use a multi context ASA.

"IPv6 is not supported" / I need to tunnel IPv4 in IPv6.

"VTI supports IKEv1..." / I need IKEv2.

"By default, all traffic through VTI is encrypted." / I need to tunnel different subnets from my router to the ASA. Each subnet to a different context of the ASA.

 

In previous tests, I was able to establish an IPv4-in-IPv6 tunnel from ASA to ASA. That shows me it could work.

But some circumstances don't allow me to use ASA as branch device.

 

So, the main question is: What's the difference between IPSec encapsulation on VTI and "normal" IPSec SA on ASA?

Second question is: Why are VTIs on ASA much more restricted than on Routers?
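For readers following the thread, here is the ISR-side configuration that the stated requirements describe: a static IPsec VTI carrying IPv4 inside an IPv6 IPsec tunnel, authenticated with IKEv2 and a pre-shared key. This is an added example, not configuration posted by the thread participants or taken from Cisco's documentation. All addresses are documentation ranges, the object names (PROP-ASA, KR-ASA, IKEV2-ASA, TS-ASA, IPSEC-ASA, Tunnel0) and the hostname are assumed, and the ASA side is not shown. The comment on the tunnel interface states the property that matters for the question above: an IOS VTI negotiates any/any traffic selectors, so a crypto-map peer must be prepared to accept them.

```cisco
! Added example: ISR-side IPv4-over-IPv6 IPsec VTI with IKEv2.
! Addresses (2001:db8::/32, 10.0.0.0/30, 192.168.100.0/24) are documentation
! placeholders; object names and the FQDN are assumed, not from the thread.

crypto ikev2 proposal PROP-ASA
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy POL-ASA
 proposal PROP-ASA
!
! The branch has a dynamic address, so only the hub address is pinned here
! and the branch always initiates. Replace the placeholder key before use.
crypto ikev2 keyring KR-ASA
 peer ASA-HUB
  address 2001:db8:1::1/128
  pre-shared-key REPLACE-WITH-STRONG-PSK
!
! Restrict which remote identity this profile accepts (hub address only).
crypto ikev2 profile IKEV2-ASA
 match identity remote address 2001:db8:1::1/128
 identity local fqdn branch1.example.com
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-ASA
!
crypto ipsec transform-set TS-ASA esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-ASA
 set transform-set TS-ASA
 set ikev2-profile IKEV2-ASA
!
! Static VTI: IPv4 overlay inside an IPv6 IPsec tunnel.
! A VTI proposes any/any traffic selectors (0.0.0.0/0 <-> 0.0.0.0/0) rather
! than subnet pairs from an ACL; the peer must accept those selectors or the
! child SA negotiation fails.
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4 v6-overlay
 tunnel destination 2001:db8:1::1
 tunnel protection ipsec profile IPSEC-ASA
!
! Only traffic routed into Tunnel0 is encrypted; everything else leaves in clear.
ip route 192.168.100.0 255.255.255.0 Tunnel0
```

Routing decides what enters the VTI, so one tunnel per destination context (each with its own Tunnel interface and route) is the natural fit for the per-subnet, per-context requirement in the post above.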
