03-25-2020 04:35 AM
Hi,
I have been trying to configure the ASA5515X (9.12.4) with IOS as FlexVPN with VTI on the ASA. An IOS Router 4331 is acting as HUB and the ASA as spoke. In order to run the dynamic routing protocol, it is a must to have a tunnel interface on the ASA.
The configuration is working to a large extent (tunnel gets established, IKEv2 SA is visible, IPsec SA is visible) but the traffic is not passing through the VPN tunnel.
HUB IOS Config:
interface Virtual-Template10 type tunnel
 ip unnumbered Loopback100
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile static-ip-pro
end
crypto ikev2 profile static-ip-pro
 match identity remote key-id stat01
 identity local address 1.1.1.1
 authentication remote pre-share key cisco
 authentication local pre-share key cisco
 virtual-template 10
interface Loopback100
 ip address 172.16.121.1 255.255.255.252
router eigrp 100
 network 172.16.121.1 0.0.0.0
Spoke Config (ASA5515X):
interface Tunnel100
 nameif VTI100
 ip address 172.16.121.2 255.255.255.252
 tunnel source interface outside
 tunnel destination 1.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
router eigrp 100
 network 172.16.121.2 255.255.255.255
!
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 default-group-policy AZURE
tunnel-group 1.1.1.1 ipsec-attributes
 peer-id-validate nocheck
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
crypto ipsec ikev2 ipsec-proposal prop2
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec profile VTI
 set ikev2 ipsec-proposal prop1 prop2
crypto ipsec security-association pmtu-aging infinite
crypto ipsec inner-routing-lookup
crypto ca trustpool policy
crypto isakmp identity key-id stat01
crypto ikev2 policy 10
 encryption aes
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes-256 aes
 integrity sha512 sha384 sha256
 group 19 14 5 2
 prf sha512 sha384 sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
"show cry ikev2 sa" shows that the tunnel is established. The tu100 on ASA shows up/up. But no traffic is passing through the tunnel.
Please advise.
Regards
Saif
03-25-2020 04:50 AM
The ASA does not support running an IGP on the VTI. You have two options here:
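As an added illustration (not from this thread, nor Cisco's own tooling), a small Python lint that encodes the point in this reply: it parses an ASA configuration excerpt (constructed from the spoke config posted above) and flags an EIGRP/OSPF `network` statement that lands on a Tunnel (VTI) interface, plus an ipsec profile referencing a proposal the excerpt never defines. The one-space indentation used for grouping sub-commands is an assumption about how `show running-config` lays the text out.

```python
import ipaddress
# Constructed sample: the spoke ASA excerpt from the post above, indented as
# "show running-config" prints sub-commands beneath their parent command.
ASA_CONFIG = """\
interface Tunnel100
 ip address 172.16.121.2 255.255.255.252
 tunnel protection ipsec profile VTI
router eigrp 100
 network 172.16.121.2 255.255.255.255
crypto ipsec ikev2 ipsec-proposal prop2
 protocol esp encryption aes
crypto ipsec profile VTI
 set ikev2 ipsec-proposal prop1 prop2
"""
def parse_blocks(text):
    # Group each top-level command with its indented sub-commands, tokenised.
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.split())
        else:
            blocks.append((line.split(), []))
    return blocks
def lint_asa_vti(text):
    # Return a list of findings; an empty list means nothing was flagged.
    blocks = parse_blocks(text)
    vti_nets = []      # subnets configured on Tunnel (VTI) interfaces
    proposals = set()  # ikev2 ipsec-proposal names defined in the text
    for head, body in blocks:
        if head[0] == "interface" and head[-1].startswith("Tunnel"):
            for sub in body:
                if sub[:2] == ["ip", "address"]:
                    vti_nets.append(ipaddress.ip_network(f"{sub[2]}/{sub[3]}", strict=False))
        elif head[:4] == ["crypto", "ipsec", "ikev2", "ipsec-proposal"]:
            proposals.add(head[-1])
    findings = []
    for head, body in blocks:
        if head[:2] in (["router", "eigrp"], ["router", "ospf"]):
            for sub in body:
                if sub[0] == "network" and any(ipaddress.ip_address(sub[1]) in n for n in vti_nets):
                    findings.append(f"{' '.join(head)}: network {sub[1]} is on a VTI, but the ASA does not support an IGP on the VTI; use BGP or static routes")
        elif head[:3] == ["crypto", "ipsec", "profile"]:
            for sub in body:
                if sub[:3] == ["set", "ikev2", "ipsec-proposal"]:
                    for name in sub[3:]:
                        if name not in proposals:
                            findings.append(f"{' '.join(head)}: proposal {name} referenced but not defined")
    return findings
```

Running `lint_asa_vti(ASA_CONFIG)` yields two findings for the excerpt; swapping `router eigrp 100` for a `router bgp` block and defining (or dropping) `prop1` clears both.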
03-25-2020 06:49 AM
I would like to go with option 1 - BGP.
But there is an issue. I believe that for BGP to work, the peers should have IP connectivity. Here I'm not able to ping the VTI tunnel interface to the DVTI on the IOS and vice versa.
03-25-2020 07:08 AM
03-25-2020 10:17 AM
"set route interface" makes a difference with the IOS spoke. But there is no change in the routing table or SAs in ASA acting as spoke.