04-07-2022 07:29 AM
Hello Everyone,
Can anyone explain how Dynamic VTI - IKEV2 works , if possible share some sample configurations for ASR and ASA.
Thanks
Solved! Go to Solution.
04-07-2022 07:36 AM
@shaheryar.khan A DVTI on the Cisco ASR and ISE router uses FlexVPN configuration.
A DVTI uses a virtual template on the hub(s), the spoke routers use static VTI. On the hub routers a dynamic virtual-access interface is dynamically created for each connected spoke router.
Refer to these FlexVPN guides for more information
https://www.cisco.com/c/en/us/support/security/flexvpn/products-configuration-examples-list.html
ASA does not support DVTI, only static VTI.
04-07-2022 07:56 AM
@shaheryar.khan that first link I provided had multiple examples, of which this one has examples of BGP configuration.
https://www.cisco.com/c/en/us/support/docs/security/flexvpn/118888-configure-flexvpn-00.html
04-07-2022 08:04 AM
@shaheryar.khan yes, FlexVPN is the name of the solution which uses DVTI and VTI.
04-07-2022 09:02 AM
@shaheryar.khan just don't setup the spoke-to-spoke configuration. So on the spoke routers don't configure a DVTI (used to communicate with the spokes), just setup a SVTI to the hub. Therefore all traffic goes via the hub.
04-09-2022 04:19 AM
@shaheryar.khan
If remove ip nhrp success please send me last full config.
04-07-2022 07:36 AM
@shaheryar.khan A DVTI on the Cisco ASR and ISE router uses FlexVPN configuration.
A DVTI uses a virtual template on the hub(s), the spoke routers use static VTI. On the hub routers a dynamic virtual-access interface is dynamically created for each connected spoke router.
Refer to these FlexVPN guides for more information
https://www.cisco.com/c/en/us/support/security/flexvpn/products-configuration-examples-list.html
ASA does not support DVTI, only static VTI.
04-07-2022 07:41 AM
Thanks @Rob Ingram quick response, do you think BGP supports DVTI type of configuration ?
04-07-2022 07:43 AM
@shaheryar.khan Yes BGP certainly is supported.
04-07-2022 07:51 AM
@Rob Ingram Thanks again, Can you please share a Cisco document that shows BGP configuration implement on the DVTI or Flex VPN
Thanks
04-07-2022 07:56 AM
@shaheryar.khan that first link I provided had multiple examples, of which this one has examples of BGP configuration.
https://www.cisco.com/c/en/us/support/docs/security/flexvpn/118888-configure-flexvpn-00.html
04-07-2022 08:02 AM
I appreciated for your help. Looks like DVTI and FLEX vpn are same concept?
04-07-2022 08:04 AM
@shaheryar.khan yes, FlexVPN is the name of the solution which uses DVTI and VTI.
04-07-2022 08:06 AM
ASR DVTI can work as HUB and ASA SVTI can work as Spoke IF there are many Peer IF NOT
ASR and ASA connect via SVTI.
04-07-2022 08:59 AM
If I do not want to allow Spoke-to-Spoke communication in FLex VPN BGP. Is it possible to remove the IP nhrp configuration? Does it still work?
04-07-2022 09:02 AM
@shaheryar.khan just don't setup the spoke-to-spoke configuration. So on the spoke routers don't configure a DVTI (used to communicate with the spokes), just setup a SVTI to the hub. Therefore all traffic goes via the hub.
04-09-2022 04:19 AM
@shaheryar.khan
If remove ip nhrp success please send me last full config.
04-09-2022 06:41 AM
This is working config someone gave me . but i have not tried yet.
*****************************************************
Flex VPN - S-VTI/D-VTI Combination
*****************************************************
------------
R2 - S-VTI <--- SPOKE
------------
! 1. Phase I A. Configure an IKEv2 Proposal
crypto ikev2 proposal PROP1
encryption 3des aes-cbc-128
integrity md5 sha1
group 2 5
! 1. Phase I B. Configure an IKEv2 Policy and call the Proposal
crypto ikev2 policy POL1
proposal PROP1
! 1. Phase I C. Configure an IKEv2 Keyring
crypto ikev2 keyring KR1
peer R1
address 192.1.10.1
pre-shared-key cisco123
! 1. Phase I D. Configure an IKEv2 Profile that will later on be linked to your Crypto Map
crypto ikev2 profile IKEv2-PROF
match identity remote address 192.1.10.1
authentication local pre-share
authentication remote pre-share
keyring local KR1
! 2. Transform Set
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
! 3. IPSec Profile
Crypto ipsec profile IPROF
set transform-set TSET
set ikev2-profile IKEv2-PROF
! 4. Tunnel Interface
Interface Tunnel 1
ip address 192.168.1.2 255.255.255.0
tunnel source E 0/0
tunnel destination 192.1.10.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPROF
! 5. Run the Routing Protocol
router eigrp 123
network 192.168.1.0
network 10.0.0.0
network 172.16.0.0
------------
R1 - D-VTI <--- Home
------------
! 1. Phase I A. Configure an IKEv2 Proposal
crypto ikev2 proposal PROP1
encryption 3des aes-cbc-128
integrity md5 sha1
group 2 5
! 1. Phase I B. Configure an IKEv2 Policy and call the Proposal
crypto ikev2 policy POL1
proposal PROP1
! 1. Phase I C. Configure an IKEv2 Keyring
crypto ikev2 keyring KR1
peer R2
address 0.0.0.0
pre-shared-key cisco123
! 1. Phase I D. Configure an IKEv2 Profile that will later on be linked to your Crypto Map
crypto ikev2 profile IKEv2-PROF
match identity remote address 0.0.0.0
authentication local pre-share
authentication remote pre-share
keyring local KR1
virtual-template 1
! 2. Transform Set
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
! 3. IPSec Profile
Crypto ipsec profile IPROF
set transform-set TSET
set ikev2-profile IKEv2-PROF
! 4. Tunnel Interface
Interface Loopback99
ip address 192.168.1.1 255.255.255.0
!
Interface virtual-template 1 type tunnel
ip unnumbered loopback99
tunnel source E 0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPROF
!
crypto ikev2 profile IKEv2-PROF
virtual-template 1
! 5. Run the Routing Protocol
router eigrp 123
network 192.168.1.0
network 10.0.0.0
network 172.16.0.0
04-09-2022 07:34 AM - edited 04-09-2022 07:38 AM
@shaheryar.khan I wouldn't use those crypto algorithms, they are weak an insecure, the pre-built in IKEv2 smart defaults algorithms are more secure.
If you want to define your own specific algorithms, use AES CBC/SHA 256 at a minimum or AES-GCM. Example:
crypto ikev2 proposal PROP1
encryption aes-cbc-256
group 19 20 21
integrity sha256
!
crypto ikev2 policy POL1
proposal PROP1
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha256-hmac
04-09-2022 07:43 AM
@Rob IngramI agreed, It was just a sample configuration.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide