Cisco IOS Router to ASA VTI tunnel up and down

chrisbuchner
Level 1

Hi All,

 

This is my first time setting up a VTI tunnel between a router and an ASA. The router has other VPN locations (routers) running from it. It seems the tunnel is up but is not able to send and receive traffic. The tunnel closes after a while, and on the router side I seem to have both no state (usually a routing issue) and idle (tunnel UP). I do not see a show crypto ipsec sa on the ASA.

 

Diagram:

Core Switch>VPN Router <----Tunnel---->VPN ASA>Switch

Connections:

Static to Static

 

show isakmp sa (ASA):

1 IKE Peer: Remote IP
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

show crypto isakmp sa (router):

Source: x.x.x.x Destination: x.x.x.x QM_IDLE ACTIVE

Source: x.x.x.x Destination: x.x.x.x MM_NO_STATE ACTIVE (delete)

 

Config Router:

crypto isakmp policy 1
encr 3des
authentication pre-share
group 5
!
crypto isakmp policy 5
encr aes 256
authentication pre-share
group 5
crypto isakmp key TestKey12345 address 0.0.0.0
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set dmvpn-Hub esp-aes 256
mode tunnel
!
crypto ipsec profile VPN-EXT
description Remote Sites
set transform-set dmvpn-Hub

 

interface Tunnel0
description ***** HUB tunnel for internet VPN *****
ip address 10.55.9.1 255.255.255.0
no ip redirects
ip mtu 1390
ip flow ingress
ip nhrp authentication veySA154
ip nhrp map multicast dynamic
ip nhrp network-id 5
ip nhrp holdtime 600
ip tcp adjust-mss 1350
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 6
tunnel protection ipsec profile VPN-EXT shared

 

 

ip route 10.55.150.0 255.255.255.0 10.55.9.140 name *-Test-Main-Subnet-*

 

Config ASA:

crypto ipsec ikev1 transform-set dmvpn-UTH esp-aes-256 esp-sha-hmac
crypto ipsec profile VPN-EXT
set ikev1 transform-set dmvpn-UTH
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 86400
crypto ikev1 policy 5
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400

 

tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
ikev1 pre-shared-key ***** (Key same as Hub)

 

interface Tunnel10
nameif VTI-Uitenhage-Primary
ip address 10.55.9.140 255.255.255.0
tunnel source interface outside
tunnel destination X.X.X.X
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-EXT

 

route VTI-Uitenhage-Primary 10.0.0.0 255.0.0.0 10.55.9.1 1

(Used for testing the connection with traffic.)

 

There are routes from the core and from the remote switch towards each other, like the other locations.

 

What am I missing with this setup?

Accepted Solution

@chrisbuchner 

It looks like you've created a GRE multipoint tunnel on the router (this is typically used in DMVPN, which the ASA does not support). The tunnel mode on the router would need to be ipsec ipv4, which matches the configuration of your ASA. If you are running DMVPN for the other routers, then you'll have to create another VTI using tunnel mode ipsec ipv4 or use a crypto map.

 

interface Tunnel1
 ! separate point-to-point VTI; Tunnel0 stays as the DMVPN mGRE hub
 ! 10.55.9.1/24 is already Tunnel0's subnet; Tunnel1 needs its own if both stay up
 ip address 10.55.9.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination X.X.X.X
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-EXT

Here is an example configuration of a VPN between an ASA and an IOS router.
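As an added worked example (not the original poster's configuration and not the answerer's), here is a complete point-to-point VTI pairing for this setup, kept separate from the DMVPN mGRE Tunnel0. The public addresses 203.0.113.10 (router) and 203.0.113.20 (ASA), the tunnel subnet 10.55.10.0/30, the names VTI-ASA, VTI-ASA-TS, ASA-KEYRING and ASA-PROFILE, and the MTU/MSS values are assumptions chosen so that nothing overlaps with Tunnel0 or the shared VPN-EXT profile. Two further changes a practitioner would want: the transform set is identical on both sides (the router's dmvpn-Hub set has no ESP authentication while the ASA's dmvpn-UTH set requires esp-sha-hmac, so phase 2 proposals do not match), and the ASA's key is bound to its address through a keyring and ISAKMP profile instead of the wildcard "address 0.0.0.0" key, so only that peer can authenticate with it. The pre-shared key is the thread's own example value.

```cisco
! ===== IOS router (DMVPN hub keeps Tunnel0 and profile VPN-EXT unchanged) =====
! existing isakmp policy 5 (aes 256 / pre-share / group 5) matches the ASA's ikev1 policy 5
!
! peer-specific key for the ASA (assumed ASA public address 203.0.113.20)
crypto keyring ASA-KEYRING
 pre-shared-key address 203.0.113.20 key TestKey12345
!
crypto isakmp profile ASA-PROFILE
 keyring ASA-KEYRING
 match identity address 203.0.113.20 255.255.255.255
!
! transform set matches the ASA side: AES-256 with SHA-1 HMAC for integrity
crypto ipsec transform-set VTI-ASA-TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
! dedicated profile, not the shared DMVPN profile VPN-EXT
crypto ipsec profile VTI-ASA
 set transform-set VTI-ASA-TS
 set isakmp-profile ASA-PROFILE
!
interface Tunnel1
 description point-to-point VTI to ASA (assumed subnet 10.55.10.0/30)
 ip address 10.55.10.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.20
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-ASA
!
! route the ASA-side subnet from the thread into the VTI
ip route 10.55.150.0 255.255.255.0 Tunnel1

! ===== ASA (assumed public address 203.0.113.20, router at 203.0.113.10) =====
crypto ikev1 enable outside
! existing ikev1 policy 5 (aes-256 / sha / group 5 / pre-share) is reused
!
crypto ipsec ikev1 transform-set VTI-ASA-TS esp-aes-256 esp-sha-hmac
!
crypto ipsec profile VTI-ASA
 set ikev1 transform-set VTI-ASA-TS
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key TestKey12345
!
interface Tunnel10
 nameif VTI-Uitenhage-Primary
 ip address 10.55.10.2 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-ASA
!
! hub-side networks reached through the VTI (10.55.0.0/16 is an assumed summary)
route VTI-Uitenhage-Primary 10.55.0.0 255.255.0.0 10.55.10.1 1
```

Verify on the router with show crypto isakmp sa, show crypto ipsec sa peer 203.0.113.20 and show interface Tunnel1, and on the ASA with show crypto ikev1 sa and show crypto ipsec sa. A VTI has no crypto ACL, so which traffic is encrypted is decided purely by the routes pointing into the tunnel interface; if phase 2 is up but nothing flows, check the routing on both sides before the crypto.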


You, sir, are a life saver. I just needed that hint; I never even thought of creating another tunnel interface so that it does not interfere with the other tunnel! Thank you for pointing me in the right direction; this should be enough to make it work. Thanks!!