02-07-2024 03:26 AM
Hello community,
I would like to know if it is possible to configure IKEv2 DVTI (dynamic VTI) between an ASA and an IOS router.
The ASA would be the fixed-IP hub and the router would be the dynamic-IP spoke.
I only found configuration examples with dynamic routing.
But I want to advertise static routes via the IKEv2 authorization policy referenced in the IKEv2 profile.
On IOS this would be "route set remote ..." command in the IKEv2 authorization policy.
On the ASA I could not find any possibility to configure an IKEv2 authorization under the tunnel-group to advertise routes.
Thanks in advance
02-07-2024 04:13 AM - edited 02-07-2024 09:28 AM
The ASA can not work as a DVTI hub; only a router with IOS can do that.
So can you make any router, even behind the ASA, the DVTI hub router?
MHM
02-07-2024 04:43 AM
@MHM Cisco World wrote:
The ASA can not work as a DVTI hub; only a router with IOS can do that.
So can you make any router, even behind the ASA, the DVTI hub router?
MHM
@MHM Cisco World FYI since ASA 9.19 you can configure dVTI on the ASA.
@tilo.harder I do not believe you can currently configure the ASA to deploy static IKEv2 routes like FlexVPN on an IOS router.
02-07-2024 07:51 AM
@Rob Ingram, @tilo.harder I didn't test myself, but from the article below it appears that it is possible to announce arbitrary subnets from ASA/FTD running as DVTI hub:
Note how they announce the OnPrem subnet 192.168.5.0/24 from the "Protected Networks" box. The description says that this is to "Generate access-list on the spoke". Funny. Also, I don't see the CLI generated on the ASA, but the document has many typos, so it's worth checking which options are available after "ikev2 route set ?" in the "tunnel-group ipsec-attributes" section. To be honest, I can hardly believe Cisco forgot to add this simple feature and only implemented "ikev2 route set interface".
02-07-2024 08:58 AM
@tvotna not quite what I was expecting if comparing to FlexVPN IKEv2 routing. I've not used it either, but it looks like the policy on the ASA changes the traffic selectors to specific networks rather than any any, and RRI is used on the remote spoke... but I guess it does achieve the same thing (in a less elegant way IMO).
02-07-2024 09:42 PM
02-08-2024 01:06 AM
@tilo.harder, I understand what you're looking for. VPN implementation is nearly identical on ASA and FTD (in fact, code came from ASA). Unfortunately, we have to rely on FTD here, because "ikev2 route" command is still undocumented in ASA Command Reference even though the feature was introduced long ago in 9.19 (hey, Cisco!).
It seems I figured out what they do in this example. On FMC we configure a VPN topology, not individual devices, so at step 11 both hub and spoke are configured together on the same screen: "Send VTI IP ..." and "Allow incoming IKEv2 routes ..." generate "ikev2 route set interface" and "ikev2 route accept any" (although not seen in the running-config, probably enabled by default), and the "Protected networks ..." box generates the destination subnet in the ACL used by the following CLI on the Spoke: "tunnel protection ipsec policy <ACL>" (the source is populated by "Protected networks" configured later at step 21 during Spoke configuration). Complete mess. How do you use this product, guys?
@Rob Ingram, I'm not sure that multi-SA SVTI on the Spoke will populate *Spoke's* routing table with RRI routes, because the Hub still announces "any-any" proxies to spokes, even though the Spoke will announce specific subnets to the Hub, as configured in this example. What do you think? (Of course, RRI on DVTI Hub is automatic).
So, it seems that Cisco indeed forgot to add basic "route-set ACL" feature on ASA for DVTI Hub.
02-08-2024 10:07 AM
Anyway, what we have now is suitable for almost all cases. ASA, FTD and IOS spokes can use multi-SA SVTI to send proper traffic selectors, this adds RRI routes on DVTI Hub, which can be redistributed to dynamic routing protocols if necessary. Announcing INTERNAL_IP4_SUBNET ("route set") is not needed in this case.
02-07-2024 11:37 PM - edited 02-07-2024 11:51 PM
Can you draw the topology here?
Let me check it.
What is in my mind (and this depends totally on your topology): since we can not set a static route and we can only set the interface, we can NAT traffic to the interface, and in this case we don't need to set a static route anymore. And again, the ASA can not fully work as a DVTI hub like an IOS XE router.
MHM
02-19-2024 07:08 AM
Hello all together,
I have now set up a little Test-Lab:
Hub: ASA 9.20.(2)2
dyn. Spoke: IR829 15.9(3)M9
IKEv2 SA and IPsec SA are established.
IOS is routing into the tunnel because of a static route pointing out the tunnel interface.
But the ASA is not routing back into the tunnel, because a static route is not configurable without a defined IP address of the peer.
The 'route set remote ipv4 ...' commands set on IOS do not reflect at the ASA.
02-19-2024 07:49 AM - edited 02-19-2024 07:50 AM
I already shared the solution before.
If we can not configure a static route on both sides, we can NAT traffic to the tunnel.
Here the hub knows the tunnel IP and traffic in the spoke is NATed to the tunnel IP.
So no need for a static route anymore.
MHM
02-19-2024 07:18 AM
02-19-2024 10:55 PM
This is probably expected. Of course, the ASA implementation is ugly, but we cannot do anything about it. You can open a TAC case and then wait ages until they implement route exchange via standards-based IKEv2 attributes. For now the ASA/FTD DVTI Hub relies on multiple traffic selectors sent by spokes to add 'V' routes into its routing table. The IOS spoke must be configured with
tunnel protection ipsec policy ipv4 ipsec-policy
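As an added illustration of the multi-SA SVTI approach described in this reply and in the 02-08-2024 10:07 AM post above, here is a constructed IOS spoke configuration; it is not configuration posted by anyone in this thread, and all names, addresses and the pre-shared key are assumptions (the IOS release on the spoke must support "tunnel protection ipsec policy").

```cisco
! Constructed IOS spoke configuration (added example, not from the thread).
! Names, addresses and the pre-shared key are assumptions.
!
! Traffic selectors the spoke proposes. Each permit line becomes its own
! IPsec SA, and the ASA DVTI hub installs an RRI ('V') route for the
! source side of each selector instead of relying on an any/any proxy.
ip access-list extended SPOKE-TS
 permit ip 192.168.50.0 0.0.0.255 10.10.0.0 0.0.255.255
 permit ip 192.168.51.0 0.0.0.255 10.10.0.0 0.0.255.255
!
crypto ikev2 proposal SPOKE-PROP
 encryption aes-cbc-256
 integrity sha256
 group 19
crypto ikev2 policy SPOKE-POL
 proposal SPOKE-PROP
!
crypto ikev2 keyring SPOKE-KR
 peer HUB-ASA
  address 203.0.113.10
  pre-shared-key CHANGE-ME-PSK
!
crypto ikev2 profile SPOKE-PROF
 match identity remote address 203.0.113.10 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local SPOKE-KR
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile SPOKE-IPSEC
 set transform-set TS-AES
 set ikev2-profile SPOKE-PROF
!
! Static VTI towards the fixed-IP ASA hub; the spoke itself has a dynamic
! WAN address, so only the hub address is fixed here.
interface Tunnel0
 ip address 172.16.0.2 255.255.255.0
 tunnel source GigabitEthernet0
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile SPOKE-IPSEC
 tunnel protection ipsec policy ipv4 SPOKE-TS
!
! Spoke-side routing stays static, as in the original test lab.
ip route 10.10.0.0 255.255.0.0 Tunnel0
```

Once the tunnel is up, the hub's "show route" should list one 'V' route per permit line, and the spoke's "show crypto ipsec sa" one SA pair per selector; a missing 'V' route usually means the selector was not negotiated as its own SA.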
02-19-2024 11:39 PM
I discussed this with Cisco at Cisco Live, unfortunately they are not looking to implement route config exchange on FTD/ASA as you can on IOS routers. They recommend using BGP.