ASAv VTI with fortinet

vivarock12 (Level 1)

I'm trying to do a route-based VPN between a Cisco ASAv and a Fortigate VM (before production),

but on the ASA I'm getting this:

#pkts not compressed: 21, #pkts comp failed: 0, #pkts decomp failed: 0

and traffic only flows from the Fortigate to the ASA.

Commands at the end.

This is phase 1 and phase 2:

Phase 1

crypto ikev2 policy 5
encryption aes-256
integrity sha256
group 14 5
prf sha384 sha256
lifetime seconds 86400

Phase 2
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
protocol esp encryption aes-256
protocol esp integrity sha-256

crypto ipsec profile FortiProfile
set ikev2 ipsec-proposal AES256-SHA256
set pfs group14
set security-association lifetime kilobytes 10000
set security-association lifetime seconds 3600

!
!

Fortigate:
config vpn ipsec phase1-interface
edit "VTI-ASA"
set interface "port2"
set ike-version 2
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
set remote-gw 172.31.144.20
set psksecret ENC Ivi8Z0x9NQsNPm7JdDJ4GE+Y8P2EKsH4OACiGiksK1Efntw0e1vXbvQCQUokd+A6HHpR44Lmpf2ersDoPyvWBmwv/Zcn2hWRNKckKsB6bDBx6QLSGfwLVhYxc0eTcfiLsog2B7BHaBDFRUmBaHkt97OUxA8obFn84CrEUapyJW4J/bouvFfEqAzswa7GohbUd+3sKw==
next
edit "ASA-VTI-2"
set interface "port3"
set ike-version 2
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
set remote-gw 10.10.10.1
set psksecret ENC M1QOABXnV9Ygvh3+jF/d2PvirRE4YkDU0aEntbLhpAthzn6+QbsyipXtfZFMslnq32H55ZRpExexkSfuj4s15Vkdswv566D2Y4bsV9LMjExGYbtfFgMAYfWU1JHE2SoRkZ6s44VJeHch5eCpdqVcklm7IgD6Kuq8Gl+1cbSL7ox3ZXUA/Yd2UScdY9kmXj7Q2Lku8g==
next
end
config vpn ipsec phase2-interface
edit "VTI-ASA"
set phase1name "VTI-ASA"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set keylifeseconds 3600
next
edit "ASA-VTI-2"
set phase1name "ASA-VTI-2"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
next
end

!
!
!
!

Any idea why this happens?

!
!
!
!
!
show crypto ipsec sa
interface: Asa-vti
Crypto map tag: __vti-crypto-map-Tunnel100-0-100, seq num: 65280, local addr: 172.31.144.20

Protected vrf (ivrf): Global
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: 172.31.144.10


#pkts encaps: 24, #pkts encrypt: 24, #pkts digest: 24
#pkts decaps: 28, #pkts decrypt: 28, #pkts verify: 28
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 24, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 172.31.144.20/500, remote crypto endpt.: 172.31.144.10/500
path mtu 1500, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: C703B21D
current inbound spi : CD3974C5

inbound esp sas:
spi: 0xCD3974C5 (3443094725)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, VTI, }
slot: 0, conn_id: 25, crypto-map: __vti-crypto-map-Tunnel100-0-100
sa timing: remaining key lifetime (kB/sec): (3962878/3479)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x3FFFFFFD
outbound esp sas:
spi: 0xC703B21D (3338908189)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, VTI, }
slot: 0, conn_id: 25, crypto-map: __vti-crypto-map-Tunnel100-0-100
sa timing: remaining key lifetime (kB/sec): (4285438/3479)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

interface: Asa-vti2
Crypto map tag: __vti-crypto-map-Tunnel111-0-111, seq num: 65280, local addr: 10.10.10.1

Protected vrf (ivrf): Global
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: 10.10.10.2


#pkts encaps: 21, #pkts encrypt: 21, #pkts digest: 21
#pkts decaps: 24, #pkts decrypt: 24, #pkts verify: 24
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 21, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 10.10.10.1/500, remote crypto endpt.: 10.10.10.2/500
path mtu 1500, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: C703B21C
current inbound spi : 331FA2FB

inbound esp sas:
spi: 0x331FA2FB (857711355)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, VTI, }
slot: 0, conn_id: 24, crypto-map: __vti-crypto-map-Tunnel111-0-111
sa timing: remaining key lifetime (kB/sec): (4055038/3478)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x03FFFFFD
outbound esp sas:
spi: 0xC703B21C (3338908188)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, VTI, }
slot: 0, conn_id: 24, crypto-map: __vti-crypto-map-Tunnel111-0-111
sa timing: remaining key lifetime (kB/sec): (4101118/3478)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

HN#


You use BGP between the ASAv and the Forti and you don't advertise any prefix?
Also, the security level of the VTI tunnel is not specified?

MHM

Yes, there's BGP between them:
router bgp 65501
bgp log-neighbor-changes
address-family ipv4 unicast
neighbor 192.168.100.1 remote-as 65500
neighbor 192.168.100.1 activate
neighbor 192.168.100.1 next-hop-self
neighbor 192.168.200.1 remote-as 65500
neighbor 192.168.200.1 activate
neighbor 192.168.200.1 next-hop-self
network 10.241.120.0 mask 255.255.255.0
no auto-summary
no synchronization
exit-address-family

!

config router bgp
set as 65500
set router-id 10.12.12.19
config neighbor
edit "192.168.200.2"
set next-hop-self enable
set soft-reconfiguration enable
set remote-as 65501
next
edit "192.168.100.2"
set next-hop-self enable
set soft-reconfiguration enable
set remote-as 65501
next
end
config network
edit 1
set prefix 10.12.12.0 255.255.255.0
next
end
config redistribute "static"
set status enable
end

!

"also the security level of the VTI tunnel is not specified?"

Can't specify any security level on the tunnel interface:
Source of the tunnel:

!
interface GigabitEthernet0/0
nameif ENTRE_FIREWALL
security-level 0
ip address 172.31.144.20 255.255.255.0
HN(config)# show run int gi0/1
!
interface GigabitEthernet0/1
nameif ENTRE_FIREWALL2
security-level 0
ip address 10.10.10.1 255.255.255.252
!

VTI interfaces:

interface Tunnel100
nameif Asa-vti
ip address 192.168.200.2 255.255.255.252
tunnel source interface ENTRE_FIREWALL
tunnel destination 172.31.144.10
tunnel mode ipsec ipv4
tunnel protection ipsec profile TEST
!
interface Tunnel111
nameif Asa-vti2
ip address 192.168.100.2 255.255.255.252
tunnel source interface ENTRE_FIREWALL2
tunnel destination 10.10.10.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile TEST
!

Access-groups for testing:

access-group ANY in interface ENTRE_FIREWALL
access-group ANY out interface ENTRE_FIREWALL
access-group ANY in interface ENTRE_FIREWALL2
access-group ANY out interface ENTRE_FIREWALL2
access-group ANY in interface Asa-vti
access-group ANY out interface Asa-vti
access-group ANY in interface Asa-vti2
access-group ANY out interface Asa-vti2

!

 

network 10.241.120.0 mask 255.255.255.0 <- this net is advertised and must be accessed by the Forti.

This subnet connects to another interface? What is the security level?

Can you do show route and see the prefix the Forti advertises to your ASA? Share it here if you can show route.

MHM

vivarock12 (Level 1)

ASA side

inside 10.241.120.0, internal from ASA SIDE

[screenshot: vivarock12_0-1710493366146.png]

route table from ASA SIDE

[screenshot: vivarock12_4-1710493825154.png]

BGP ASA SIDE

___________________________________________________________________________________

Forti side

[screenshot: vivarock12_1-1710493424211.png]

inside 10.12.12.0, internal from FTG SIDE

[screenshot: vivarock12_2-1710493517625.png]

routes from FTG

[screenshot: vivarock12_3-1710493665356.png]

internal interface and BGP FTG

On both sides the internal network from the other side is being advertised and received.

!

And I just added a new backup from the ASA and FTG.

The traffic is asymmetric:
the Forti knows the ASA LAN via 192.168.200.2
and the ASA knows the Forti LAN via 192.168.100.1.

This makes both FWs drop the traffic. You can use TCP bypass, but this is not a solution from my view;
you need to use BGP path preference in both FWs to make traffic always go and come back via the same VTI tunnel.
To make sure this is the case here,
shut one tunnel in the ASA and check the route in both FWs; if they point to the same UP tunnel, try passing traffic.

MHM 

Can't believe I didn't check that part, hahaha. It's 3:44 am in my country, I'm going to excuse myself with that.

Thanks for the help, by the way.

Just to add: I put LOCAL PREFERENCE on both ends of the link with 192.168.100.X so that connection is preferred.

ASA:

[screenshot: vivarock12_1-1710496080160.png]

FTG:

[screenshot: vivarock12_2-1710496177638.png]
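The screenshots above are not readable here, so this is an added example (not configuration taken from the original post or from either vendor's documentation) of what the accepted answer describes: a route-map that raises BGP local preference on the prefixes each peer learns over the 192.168.100.0/30 neighbor, so that both firewalls forward via Tunnel111 / ASA-VTI-2 and each stateful firewall sees both directions of a flow. The route-map name PREFER-VTI2 and the value 200 are assumptions; the AS numbers, neighbor addresses and tunnel names are the ones posted in the thread. The default local preference is 100, so 200 wins the best-path selection on both sides.

```text
! ASA (AS 65501): prefer Forti prefixes learned over Tunnel111 (neighbor 192.168.100.1)
! route-map name PREFER-VTI2 and value 200 are assumptions for this example
route-map PREFER-VTI2 permit 10
 set local-preference 200
!
router bgp 65501
 address-family ipv4 unicast
  neighbor 192.168.100.1 route-map PREFER-VTI2 in
 exit-address-family

# Fortigate (AS 65500): prefer ASA prefixes learned over ASA-VTI-2 (neighbor 192.168.100.2)
# same assumed route-map name and value as on the ASA side
config router route-map
    edit "PREFER-VTI2"
        config rule
            edit 1
                set set-local-preference 200
            next
        end
    next
end
config router bgp
    config neighbor
        edit "192.168.100.2"
            set route-map-in "PREFER-VTI2"
        next
    end
end
```

After applying it, repeat the check from the accepted answer without shutting anything: show route on the ASA must list 10.12.12.0/24 via 192.168.100.1 on Asa-vti2, and get router info routing-table bgp on the Fortigate must list 10.241.120.0/24 via 192.168.100.2 on ASA-VTI-2. The Fortigate neighbors in the thread already have soft-reconfiguration enabled, so the new inbound policy can be re-evaluated there without tearing the session down. If Tunnel111 drops, both peers withdraw those routes at the same time and both fall back to Tunnel100 together, so the asymmetry does not come back on failover.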

You are so so welcome.

I hope you can take a rest now after a long day.

MHM