08-14-2018 10:41 AM
I have seen several posts regarding this topic, but nothing seems to be fully inclusive. This post is also not fully inclusive, but hopefully the discussion will help iron out some details.

As of version 9.8.1 (I think) the ASA has support for IKEv2 route-based VPN with the virtual tunnel interface (VTI). You still configure your phase 1 & phase 2, but you no longer need the crypto map on your outside interface. You also don't need NAT exclusions. You can still use a tunnel-group to set the PSK, but from what I can tell, a group-policy is not required (but is optional). Most of the configuration seems pretty simple as far as getting the ASA ready.

I do have two questions though, and they relate to a VPN to Azure. (I've only been exposed to Azure in the past few weeks and in limited context.)

What IP should be used for the VTI? If this was between ASAs I believe that both VTI interfaces should be on the same subnet. Since this is with Azure... I have no idea.

Second, what IP should be used for a static route on the ASA that points to the Azure environment? My tunnel is up and I just picked a random, private IP. I put in a static route to our Azure public IP.

This is how the configuration looks.
! Clamp TCP MSS so encrypted packets fit the path MTU, and keep VPN flows across
! interface/route changes
sysopt connection tcpmss 1350
sysopt connection preserve-vpn-flows
!
! Phase 1 (IKEv2 SA) parameters
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 2
 prf sha256
 lifetime seconds 28800
crypto ikev2 enable OUTSIDE
!
! Phase 2 (IPsec SA) transform set
crypto ipsec ikev2 ipsec-proposal AZURE_PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
! IPsec profile bound to the VTI instead of a crypto map on OUTSIDE
crypto ipsec profile AZURE_PROFILE
 set ikev2 ipsec-proposal AZURE_PROPOSAL
!
! Virtual tunnel interface; the /24 here is the point-to-point VTI subnet
interface Tunnel1
 nameif AZURE_VPN
 description "TUNNEL TO AZURE"
 ip address 172.X.X.254 255.255.255.0
 tunnel source interface OUTSIDE
 tunnel destination <AZURE_PUBLIC_IP>
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AZURE_PROFILE
!
! Static route to the Azure VNet via the VTI (next hop as originally configured)
route AZURE_VPN <AZURE_PRIVATE_NETWORK_ADDRESS> <AZURE_PN_MASK> <AZURE_PUBLIC_IP>
!
! Inbound filter on the tunnel interface
access-list AZURE_ALLOWED extended permit ip object AZURE_LAN object LOCAL_LAN
access-group AZURE_ALLOWED in interface AZURE_VPN
12-14-2018 06:53 AM
What IP should be used for the VTI? If this was between ASAs I believe that both VTI interfaces should be on the same subnet.
This can be any private IP address, and yes, should be the same subnet on both ends. Just don't use one that you are already using internally.
Second, what IP should be used for a static route on the ASA that points to the Azure environment?
The route you have is almost correct, except that you want your destination to be the IP address of the remote VTI interface. For example:
AZURE_LAN subnet: 192.168.0.0 255.255.255.0
Remote (Azure-side) VTI interface: 172.X.X.253
route AZURE_VPN 192.168.0.0 255.255.255.0 172.X.X.253
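As an added illustration of the two rules in this reply (the VTI address is private and shared with the peer's VTI subnet, and the static route's next hop is the remote VTI address rather than the peer's public IP), here is a small checker, not from the thread or from Cisco, that parses an ASA-style tunnel interface and its routes and reports the mistakes discussed above. The two configs and the internal subnet list are constructed samples using documentation address ranges; the function names are my own.

```python
import ipaddress
import re

# Constructed sample configs (documentation address ranges, not a real deployment).
# CONFIG_PUBLIC_NEXTHOP mirrors the original post's route, whose next hop is the
# peer's public IP; CONFIG_VTI_NEXTHOP uses the remote VTI address instead.
CONFIG_PUBLIC_NEXTHOP = """
interface Tunnel1
 nameif AZURE_VPN
 ip address 172.16.100.254 255.255.255.0
 tunnel source interface OUTSIDE
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
route AZURE_VPN 192.168.0.0 255.255.255.0 203.0.113.10
"""

CONFIG_VTI_NEXTHOP = """
interface Tunnel1
 nameif AZURE_VPN
 ip address 172.16.100.254 255.255.255.0
 tunnel source interface OUTSIDE
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
route AZURE_VPN 192.168.0.0 255.255.255.0 172.16.100.253
"""

# Subnets already in use behind this ASA (constructed); the VTI subnet must not
# overlap any of them, as the reply points out.
LOCAL_SUBNETS = ["10.10.0.0/16", "192.168.50.0/24"]


def parse_vti(config):
    """Return (nameif, VTI interface, tunnel destination) from the tunnel interface block."""
    nameif = vti = dest = None
    in_tunnel = False
    for line in config.splitlines():
        s = line.strip()
        if s.lower().startswith("interface tunnel"):
            in_tunnel = True
            continue
        if in_tunnel and s.startswith("interface "):
            in_tunnel = False          # a different interface block starts
        if not in_tunnel:
            continue
        m = re.match(r"nameif (\S+)", s)
        if m:
            nameif = m.group(1)
        m = re.match(r"ip address (\S+) (\S+)", s)
        if m:
            vti = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        m = re.match(r"tunnel destination (\S+)", s)
        if m:
            dest = ipaddress.ip_address(m.group(1))
    return nameif, vti, dest


def parse_routes(config, nameif):
    """Yield (destination network, next hop) for each static route out of the VTI."""
    for line in config.splitlines():
        m = re.match(rf"route {re.escape(nameif)} (\S+) (\S+) (\S+)", line.strip())
        if m:
            yield (ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"),
                   ipaddress.ip_address(m.group(3)))


def check_vti_config(config, local_subnets):
    """Return a list of findings; an empty list means the VTI addressing and routing look sane."""
    findings = []
    nameif, vti, dest = parse_vti(config)
    if nameif is None or vti is None:
        return ["tunnel interface is missing a nameif or an ip address"]
    if vti.ip.is_global:
        findings.append(f"VTI address {vti.ip} is not private; use RFC 1918 space")
    for s in local_subnets:
        if vti.network.overlaps(ipaddress.ip_network(s)):
            findings.append(f"VTI subnet {vti.network} overlaps internal subnet {s}")
    for net, nh in parse_routes(config, nameif):
        if nh == dest:
            findings.append(f"route to {net} uses the peer public IP {nh} as next hop; "
                            "use the remote VTI address instead")
        elif nh not in vti.network:
            findings.append(f"route to {net} next hop {nh} is outside VTI subnet {vti.network}")
        elif nh == vti.ip:
            findings.append(f"route to {net} next hop {nh} is the local VTI address, not the remote one")
    return findings


if __name__ == "__main__":
    for name, cfg in (("public next hop", CONFIG_PUBLIC_NEXTHOP), ("VTI next hop", CONFIG_VTI_NEXTHOP)):
        print(name, "->", check_vti_config(cfg, LOCAL_SUBNETS) or "OK")
```

Running it reports the public-IP next hop on the first config and no findings on the second. Because the ASA itself accepts both routes, a check like this is the kind of thing worth wiring into a config review rather than relying on the tunnel coming up as proof that routing is right.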