ASA5515X FLEXVPN

Hi,

I have been trying to configure the ASA5515X (9.12.4) with IOS as FlexVPN, with a VTI on the ASA. An IOS router (4331) is acting as hub and the ASA as spoke. In order to run a dynamic routing protocol, it is a must to have a tunnel interface on the ASA.


The configuration is working to a large extent (the tunnel gets established, the IKEv2 SA is visible, the IPsec SA is visible), but traffic is not passing through the VPN tunnel.


HUB IOS Config:

interface Virtual-Template10 type tunnel
ip unnumbered Loopback100
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile static-ip-pro
end

crypto ikev2 profile static-ip-pro
match identity remote key-id stat01
identity local address 1.1.1.1
authentication remote pre-share key cisco
authentication local pre-share key cisco
virtual-template 10

interface Loopback100
ip address 172.16.121.1 255.255.255.252


router eigrp 100
network 172.16.121.1 0.0.0.0


Spoke Config (ASA5515X):


interface Tunnel100
nameif VTI100
ip address 172.16.121.2 255.255.255.252
tunnel source interface outside
tunnel destination 1.1.1.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI


router eigrp 100
network 172.16.121.2 255.255.255.255
!

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
default-group-policy AZURE
tunnel-group 1.1.1.1 ipsec-attributes
peer-id-validate nocheck
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****


crypto ipsec ikev2 ipsec-proposal prop2
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec profile VTI
set ikev2 ipsec-proposal prop1 prop2
crypto ipsec security-association pmtu-aging infinite
crypto ipsec inner-routing-lookup
crypto ca trustpool policy
crypto isakmp identity key-id stat01
crypto ikev2 policy 10
encryption aes
integrity sha256
group 19
prf sha256
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes-256 aes
integrity sha512 sha384 sha256
group 19 14 5 2
prf sha512 sha384 sha256
lifetime seconds 86400
crypto ikev2 enable outside
!


"show cry ikev2 sa" shows that the tunnel is established. Tunnel100 on the ASA shows up/up. But no traffic is passing through the tunnel.

Please advise.


Regards

Saif

4 Replies

The ASA does not support running an IGP on the VTI. You have two options here:

 

  1. Run BGP between the two peers.
  2. Reconfigure the ASA to crypto-maps. When the ASA initiates the tunnel, the Hub sees the proxy-IDs on the ASA and can add these networks to the routing table.

I would like to go with option 1, BGP.

But there is an issue. I believe that for BGP to work, the peers should have IP connectivity. Here I'm not able to ping from the VTI tunnel interface to the DVTI on the IOS router, and vice versa.

Hi,
You will need to use a FlexVPN authorisation policy with the command "route set interface" set, which will allow you to run BGP over the tunnel.

HTH

"set route interface" makes a difference with the IOS spoke. But there is no change in the routing table or SAs on the ASA acting as spoke.
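The BGP option from the first reply and the "route set interface" authorisation policy from the second reply, written out end to end as an added example. This is not configuration from the original post, the replies, or Cisco documentation. The AS numbers 65001/65002, the LAN prefixes 10.1.0.0/16 and 10.2.0.0/16, the names FLEX_AUTHZ_LIST and FLEX_AUTHZ, and the BGP password are assumptions. The "route set remote ipv4" line is also an assumption: the hub carries 172.16.121.0/30 as a connected route on Loopback100, so unless a more specific route for the spoke's tunnel address points at the Virtual-Access interface, the hub's replies to 172.16.121.2 resolve to the loopback rather than the tunnel, which would match the ping failure reported above; since the ASA does not take part in the FlexVPN route exchange, a /32 installed from the authorisation policy is one way to supply that route.

```cisco
! ---------- Hub (IOS-XE 4331) ----------
! IKEv2 authorisation needs AAA; "aaa new-model" also changes local login
! behaviour, so check console/VTY authentication before enabling it.
aaa new-model
aaa authorization network FLEX_AUTHZ_LIST local
!
crypto ikev2 authorization policy FLEX_AUTHZ
 ! Exchanges tunnel interface addresses with IOS spokes over IKEv2.
 route set interface
 ! Assumed workaround for the ASA spoke, which sends no tunnel address:
 ! install a /32 for the ASA's VTI address on the Virtual-Access so it is
 ! not resolved to the connected 172.16.121.0/30 on Loopback100.
 route set remote ipv4 172.16.121.2 255.255.255.255
!
! Existing profile from the original post, extended with the authorisation.
crypto ikev2 profile static-ip-pro
 aaa authorization group psk list FLEX_AUTHZ_LIST FLEX_AUTHZ
!
! BGP replaces EIGRP on the hub; authenticate the session even inside IPsec.
router bgp 65001
 bgp log-neighbor-changes
 neighbor 172.16.121.2 remote-as 65002
 neighbor 172.16.121.2 password Fl3xBgpK3y
 address-family ipv4
  network 10.1.0.0 mask 255.255.0.0
  neighbor 172.16.121.2 activate
 exit-address-family
!
! ---------- Spoke (ASA 9.12.4) ----------
! Remove the EIGRP process from the original post; BGP runs over Tunnel100.
no router eigrp 100
router bgp 65002
 bgp log-neighbor-changes
 address-family ipv4 unicast
  neighbor 172.16.121.1 remote-as 65001
  neighbor 172.16.121.1 password Fl3xBgpK3y
  neighbor 172.16.121.1 activate
  network 10.2.0.0 mask 255.255.0.0
 exit-address-family
```

After the IKEv2 session comes up, "show ip route 172.16.121.2" on the hub should return a route via the Virtual-Access interface rather than Loopback100, and "show ip bgp summary" on the hub and "show bgp summary" on the ASA should show the neighbour in Established state with the assumed LAN prefixes exchanged.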
