HSRP Crypto Map..... sourcing it from a different VIP or other ways

Wan_Whisperer
Level 1

I currently have a working setup, but I took a full class C and subnetted it down to use a /29 to route between my edge and core routers.  I did this so I could have my crypto endpoint redundant.  I am having to break the C down and I had some thoughts on a different setup using private IPs.

 

I have attached a simplified network diagram. 

 

My first idea would be to replace the public IPs for routing with private IPs and add the command "crypto map MYMAP local-address GigabitEthernet0/0/0.3", but I know this will not give me the VIP.  So this will not work.  I do not know a command that would use the VIP of Vlan3.  Is there any?

 

This idea is a little out there, but what if I replace all the public IPs for routing with private ones and just NAT one of my publics to the private VIP of the crypto endpoint?

 

The goal would be to not break down that public class C.

 

I have not listed all my IP ranges in the diagram, so it is not possible to put the crypto map on a sub interface (not any way I currently know of).

 

 

Thoughts?

5 Replies

Hi @Wan_Whisperer 

Don't use HSRP. Just define multiple peers in the crypto map, use DPD (Dead Peer Detection) to detect failure of a peer, and you can source traffic from a loopback.

Best practice is to actually use VTI (Virtual Tunnel Interface) instead of crypto maps, Cisco considers crypto maps as legacy.

 

HTH

Rob,

 

I think you are right and I need to move away from Crypto maps

 

I spent the last week refreshing myself on VTI and IKEv2 and I want to move over to it!

 

Please take a look at the new network diagram and look at the configs below.  I do not have any test equipment and my current GNS3 setup has limitations with IKEv2.

 

 

IKEv2 on router

crypto ikev2 keyring NYC-Keyring
 peer NYC_ASA
  address X.X.100.59 255.255.255.255
  pre-shared-key local key123
  pre-shared-key remote key123
  description Keyring entry for NYC-KR
!
crypto ipsec transform-set NYC-HS-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ikev2 profile NYC-IKEv2
 ! X.X.100.59 is the outside interface of my ASA
 match identity remote address X.X.100.59 255.255.255.255
 ! X.X.50.1 is the VIP - can I use it or does it need to be physical?
 identity local address X.X.50.1
 authentication local pre-share
 authentication remote pre-share
 keyring local NYC-Keyring
!
crypto ipsec profile NYC-isakmp-1
 set transform-set NYC-HS-TS
 set ikev2-profile NYC-IKEv2
!
interface Tunnel500
 ip address 10.0.0.1 255.255.255.252
 ip virtual-reassembly
 ! X.X.50.1 is the VIP - can I use it or does it need to be physical?
 tunnel source X.X.50.1
 ! X.X.100.59 is the outside interface of my ASA
 tunnel destination X.X.100.59
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile NYC-isakmp-1
end
!
! next hop is the ASA end of the tunnel (the posted line pointed at the router's own 10.0.0.1);
! note the posted config routes 10.6.6.0/24 over the tunnel from both ends, each side should
! route the network that sits behind the far end
ip route 10.6.6.0 255.255.255.0 10.0.0.2


==============================================================================================
IKEv2 ASA

crypto ikev2 policy 678
 encryption aes-256
 integrity sha256
 group 5
 prf sha256
 lifetime seconds 43200
!
crypto ikev2 enable OUTSIDE
!
tunnel-group X.X.50.1 type ipsec-l2l
tunnel-group X.X.50.1 ipsec-attributes
 ikev2 local-authentication pre-shared-key key123
 ikev2 remote-authentication pre-shared-key key123
!
crypto ipsec ikev2 ipsec-proposal NYC-proposal
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
crypto ipsec profile NYC-isakmp-1
 set ikev2 ipsec-proposal NYC-proposal
!
interface Tunnel501
 nameif VTI
 ip address 10.0.0.2 255.255.255.252
 tunnel source interface OUTSIDE
 tunnel destination X.X.50.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile NYC-isakmp-1
!
! route via the VTI; next hop is the router end of the tunnel
! (the posted line went out OUTSIDE toward the ASA's own 10.0.0.2)
route VTI 10.6.6.0 255.255.255.0 10.0.0.1 1

 

@Wan_Whisperer 

 

Use the real IP address not the VIP on the router.
Ensure IKEv2 vpn-tunnel-protocol is enabled in the ASA's group-policy.
Don't use DH group 5, it is weak and will soon be deprecated.

If you are using NAT on either device, ensure you have a NAT exemption rule defined.

 

For reference, here is an example VPN between an IOS router and ASA.


HTH

Rob,

 

Thanks for all your input.  That link you sent was great! 

 

I do have a question

 

Why would I not use the VIP?  On the ASA side, how can I point the static route to two different tunnels?

 

  

You could use HSRP for VPN failover, but it's not widely used IMO. Reference this 16 year old document.

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/17826-ipsec-feat.html

 

If you run a VTI you can have 2 active tunnels up (with IPsec SAs), use a routing protocol to route traffic over a tunnel, but preferring one tunnel over the other. Failover of the routing protocol on a VTI would be quicker than waiting for DPD to detect the tunnel is down and then establishing a tunnel on the secondary peer if you were using a crypto map. A VTI tunnel is always UP, but a crypto map will only establish a tunnel if traffic is sent over it.

 

Alternatively you could use IP SLA with the VTI to detect the peer is down and track a static route.
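An added example of the IP SLA approach on the ASA side (this is not Rob's or the thread's own config): two VTIs, one to each edge router's physical address, a tracked primary route and a floating backup, so the ASA never depends on the HSRP VIP. The router physical addresses X.X.50.2 and X.X.50.3, the second tunnel /30 (10.0.1.0/30), the SLA and track numbers and the PSK placeholder are assumptions, not values from the thread.

```cisco
! Added example, not from the thread. Router A/B physical addresses X.X.50.2 / X.X.50.3
! and the PSK placeholder are assumptions; DH group 14 replaces the weak group 5.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 43200
crypto ikev2 enable OUTSIDE
crypto ipsec ikev2 ipsec-proposal NYC-proposal
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec profile NYC-VTI
 set ikev2 ipsec-proposal NYC-proposal
! one tunnel-group per peer, keyed on the peer's real address (not the VIP)
tunnel-group X.X.50.2 type ipsec-l2l
tunnel-group X.X.50.2 ipsec-attributes
 ikev2 local-authentication pre-shared-key PSK-PLACEHOLDER
 ikev2 remote-authentication pre-shared-key PSK-PLACEHOLDER
tunnel-group X.X.50.3 type ipsec-l2l
tunnel-group X.X.50.3 ipsec-attributes
 ikev2 local-authentication pre-shared-key PSK-PLACEHOLDER
 ikev2 remote-authentication pre-shared-key PSK-PLACEHOLDER
! primary VTI to router A, secondary VTI to router B; both tunnels stay up
interface Tunnel501
 nameif VTIA
 ip address 10.0.0.2 255.255.255.252
 tunnel source interface OUTSIDE
 tunnel destination X.X.50.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile NYC-VTI
interface Tunnel502
 nameif VTIB
 ip address 10.0.1.2 255.255.255.252
 tunnel source interface OUTSIDE
 tunnel destination X.X.50.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile NYC-VTI
! ICMP probe of router A's tunnel address, sent through the primary VTI
sla monitor 10
 type echo protocol ipIcmpEcho 10.0.0.1 interface VTIA
 num-packets 3
 frequency 5
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
! tracked primary route (metric 1) and floating backup (metric 254);
! the primary is withdrawn when the probe fails and traffic moves to VTIB
route VTIA 10.6.6.0 255.255.255.0 10.0.0.1 1 track 1
route VTIB 10.6.6.0 255.255.255.0 10.0.1.1 254
```

Each router then runs a single VTI sourced from its own physical outside address, so no crypto map or HSRP-aware crypto is needed on the router side.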