1168 Views | 30 Helpful | 14 Replies

Dynamic VTI - IKEV2 - Cisco ASR

shaheryar.khan
Beginner

Hello Everyone,

 

Can anyone explain how Dynamic VTI with IKEv2 works, and if possible share some sample configurations for ASR and ASA.

 

Thanks

 

14 Replies

Rob Ingram
VIP Expert

@shaheryar.khan A DVTI on the Cisco ASR and ISE router uses FlexVPN configuration.

A DVTI uses a virtual template on the hub(s), the spoke routers use static VTI. On the hub routers a dynamic virtual-access interface is dynamically created for each connected spoke router.

 

Refer to these FlexVPN guides for more information

https://www.cisco.com/c/en/us/support/security/flexvpn/products-configuration-examples-list.html

 

ASA does not support DVTI, only static VTI.

 

shaheryar.khan
Beginner

Thanks @Rob Ingram for the quick response. Do you think BGP supports a DVTI type of configuration?

@shaheryar.khan Yes BGP certainly is supported.

@Rob Ingram Thanks again. Can you please share a Cisco document that shows a BGP configuration implemented on DVTI or FlexVPN?

 

Thanks

@shaheryar.khan that first link I provided had multiple examples, of which this one has examples of BGP configuration.

https://www.cisco.com/c/en/us/support/docs/security/flexvpn/118888-configure-flexvpn-00.html

 

I appreciate your help. It looks like DVTI and FlexVPN are the same concept?

@shaheryar.khan yes, FlexVPN is the name of the solution which uses DVTI and VTI.

ASR DVTI can work as the hub and ASA SVTI can work as a spoke if there are many peers; if not, ASR and ASA connect via SVTI.

shaheryar.khan
Beginner

If I do not want to allow spoke-to-spoke communication in FlexVPN with BGP, is it possible to remove the ip nhrp configuration? Does it still work?

@shaheryar.khan just don't setup the spoke-to-spoke configuration. So on the spoke routers don't configure a DVTI (used to communicate with the spokes), just setup a SVTI to the hub. Therefore all traffic goes via the hub.

@shaheryar.khan
If removing ip nhrp succeeds, please send me the last full config.

This is a working config someone gave me, but I have not tried it yet.

*****************************************************
Flex VPN - S-VTI/D-VTI Combination
*****************************************************

------------
R2 - S-VTI <--- SPOKE
------------

! 1. Phase I A. Configure an IKEv2 proposal (the algorithms the spoke will offer)

crypto ikev2 proposal PROP1
encryption 3des aes-cbc-128
integrity md5 sha1
group 2 5

! 1. Phase I B. Configure an IKEv2 policy and reference the proposal

crypto ikev2 policy POL1
proposal PROP1

! 1. Phase I C. Configure an IKEv2 keyring with the hub's address and the PSK

crypto ikev2 keyring KR1
peer R1
address 192.1.10.1
pre-shared-key cisco123

! 1. Phase I D. Configure an IKEv2 profile; it is referenced later by the IPsec profile (step 3)

crypto ikev2 profile IKEv2-PROF
match identity remote address 192.1.10.1
authentication local pre-share
authentication remote pre-share
keyring local KR1

! 2. Transform set (Phase II algorithms)

crypto ipsec transform-set TSET esp-3des esp-sha-hmac

! 3. IPsec profile ties the transform set and the IKEv2 profile together

crypto ipsec profile IPROF
set transform-set TSET
set ikev2-profile IKEv2-PROF

! 4. Static tunnel interface pointing at the hub, protected by the IPsec profile

interface Tunnel1
ip address 192.168.1.2 255.255.255.0
tunnel source Ethernet0/0
tunnel destination 192.1.10.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPROF

! 5. Run the routing protocol over the tunnel

router eigrp 123
network 192.168.1.0
network 10.0.0.0
network 172.16.0.0

------------
R1 - D-VTI <--- Home
------------

! 1. Phase I A. Configure an IKEv2 proposal

crypto ikev2 proposal PROP1
encryption 3des aes-cbc-128
integrity md5 sha1
group 2 5

! 1. Phase I B. Configure an IKEv2 policy and reference the proposal

crypto ikev2 policy POL1
proposal PROP1

! 1. Phase I C. Configure an IKEv2 keyring; the wildcard address accepts any spoke with this PSK

crypto ikev2 keyring KR1
peer R2
address 0.0.0.0 0.0.0.0
pre-shared-key cisco123

! 1. Phase I D. Configure an IKEv2 profile; the virtual-template line makes this the DVTI hub side

crypto ikev2 profile IKEv2-PROF
match identity remote address 0.0.0.0
authentication local pre-share
authentication remote pre-share
keyring local KR1
virtual-template 1

! 2. Transform set (Phase II algorithms)

crypto ipsec transform-set TSET esp-3des esp-sha-hmac

! 3. IPsec profile ties the transform set and the IKEv2 profile together

crypto ipsec profile IPROF
set transform-set TSET
set ikev2-profile IKEv2-PROF

! 4. Virtual-template; a virtual-access interface is cloned from it for each spoke that connects

interface Loopback99
ip address 192.168.1.1 255.255.255.0
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback99
tunnel source Ethernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPROF
!
! Binding repeated here; it is the same command already set in step 1D
crypto ikev2 profile IKEv2-PROF
virtual-template 1

! 5. Run the routing protocol over the tunnel

router eigrp 123
network 192.168.1.0
network 10.0.0.0
network 172.16.0.0

@shaheryar.khan I wouldn't use those crypto algorithms, they are weak and insecure; the built-in IKEv2 Smart Defaults algorithms are more secure.

 

If you want to define your own specific algorithms, use AES-CBC/SHA-256 at a minimum, or AES-GCM. Example:

 

crypto ikev2 proposal PROP1
encryption aes-cbc-256
group 19 20 21
integrity sha256
!
crypto ikev2 policy POL1
proposal PROP1
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha256-hmac
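The two posts above give a sample FlexVPN config and then point out that its IKEv2 proposal and transform set use weak algorithms. The following is an added example, not code from the thread or from Cisco: a small Python audit that walks a flat IOS config dump, flags the weak IKEv2/ESP algorithms called out here (3DES, MD5/SHA-1, DH groups 1/2/5), and checks that every profile and virtual-template reference resolves, which is the usual reason a DVTI hub never clones a virtual-access interface. The weak-algorithm tables, the trimmed spoke sample and the deliberately broken hub sample are this example's own assumptions.

```python
"""Static audit of an IOS FlexVPN (IKEv2 + VTI) config: flags weak algorithms
and unresolved profile/template references. Added example, not code from the
thread or from Cisco; the weak tables below are this example's assumption."""
import re

# Treated as weak, in line with the advice in the thread (AES-CBC/SHA-256 at
# minimum, or AES-GCM). Note that a proposal listing several algorithms lets the
# peer pick any of them, so one weak entry is enough to downgrade the tunnel.
WEAK_IKEV2 = {"encryption": {"des", "3des"},
              "integrity": {"md5", "sha1"},
              "group": {"1", "2", "5"}}
WEAK_ESP = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac", "esp-sha-hmac"}
LABEL = {"ikev2": "IKEv2 profile", "ipsec": "IPsec profile",
         "tset": "transform-set", "vt": "Virtual-Template"}

# Constructed sample 1: the spoke (S-VTI) config posted in the thread, trimmed.
SPOKE_CONFIG = """\
crypto ikev2 proposal PROP1
encryption 3des aes-cbc-128
integrity md5 sha1
group 2 5
crypto ikev2 profile IKEv2-PROF
match identity remote address 192.1.10.1
authentication local pre-share
authentication remote pre-share
keyring local KR1
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
crypto ipsec profile IPROF
set transform-set TSET
set ikev2-profile IKEv2-PROF
interface Tunnel1
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPROF
"""

# Constructed sample 2: a hub with the hardened algorithms, but with the
# Virtual-Template interface that the IKEv2 profile points at left out.
HUB_CONFIG_MISSING_VT = """\
crypto ikev2 proposal PROP1
encryption aes-cbc-256
group 19 20 21
integrity sha256
crypto ikev2 profile IKEv2-PROF
match identity remote address 0.0.0.0
authentication local pre-share
authentication remote pre-share
keyring local KR1
virtual-template 1
crypto ipsec transform-set TSET esp-aes 256 esp-sha256-hmac
crypto ipsec profile IPROF
set transform-set TSET
set ikev2-profile IKEv2-PROF
"""


def parse_stanzas(config):
    """Split a flat config dump into (header, sub-lines) pairs. The thread's
    configs are not indented, so a stanza starts at any line beginning with a
    top-level keyword and runs until the next such line."""
    stanzas, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if re.match(r"(crypto|interface|router)\s", line, re.I):
            current = (line, [])
            stanzas.append(current)
        elif current is not None:
            current[1].append(line)
    return stanzas


def audit(config):
    """Return {'weak': [...], 'missing': [...]} findings for one config."""
    weak, missing, refs = [], [], []
    defs = {k: set() for k in LABEL}
    for header, body in parse_stanzas(config):
        words = header.split()
        key = " ".join(words[:3]).lower()
        if words[0].lower() == "interface":
            m = re.match(r"virtual-template\s*(\d+)", " ".join(words[1:]), re.I)
            if m:
                defs["vt"].add(m.group(1))
            for sub in body:
                p = sub.split()
                if [w.lower() for w in p[:4]] == ["tunnel", "protection", "ipsec", "profile"]:
                    refs.append((f"interface {words[1]}", "ipsec", p[4]))
        elif key == "crypto ikev2 proposal":
            for sub in body:
                p = sub.lower().split()
                for alg in sorted(WEAK_IKEV2.get(p[0], set()).intersection(p[1:])):
                    weak.append(f"ikev2 proposal {words[3]}: {p[0]} {alg}")
        elif key == "crypto ikev2 profile":
            defs["ikev2"].add(words[3])
            for sub in body:
                p = sub.split()
                if p[0].lower() == "virtual-template":
                    refs.append((f"ikev2 profile {words[3]}", "vt", p[1]))
        elif key == "crypto ipsec transform-set":
            defs["tset"].add(words[3])
            weak += [f"transform-set {words[3]}: {a}" for a in words[4:] if a.lower() in WEAK_ESP]
        elif key == "crypto ipsec profile":
            defs["ipsec"].add(words[3])
            for sub in body:
                p = sub.split()
                if len(p) >= 3 and p[0].lower() == "set":
                    kind = {"transform-set": "tset", "ikev2-profile": "ikev2"}.get(p[1].lower())
                    if kind:
                        refs.append((f"ipsec profile {words[3]}", kind, p[2]))
    # Every reference must point at something defined in the same config.
    for where, kind, name in refs:
        if name not in defs[kind]:
            missing.append(f"{where} references undefined {LABEL[kind]} {name}")
    return {"weak": weak, "missing": missing}


if __name__ == "__main__":
    for title, cfg in (("spoke", SPOKE_CONFIG), ("hub", HUB_CONFIG_MISSING_VT)):
        print(title, audit(cfg))
```

Run against the spoke sample it reports seven weak entries (3DES, MD5, SHA-1, groups 2 and 5 in the proposal; ESP-3DES and ESP-SHA1 in the transform set) and no dangling references; against the hub sample it reports no weak algorithms but one missing Virtual-Template. The audit is a pre-change sanity check only: it reads `show running-config` output, it does not talk to the device.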

 

 

@Rob Ingram Agreed, it was just a sample configuration.
