
IPSec cisco ASA crypto map - cisco ASA VTI

Hello everyone.
Please help me with the following issue: I'm setting up IPsec between an ASA crypto map and an ASA VTI.
I made the following settings:

ASA crypto map

crypto ikev1 enable Internet

crypto ikev1 policy 1
encryption aes-256
hash sha
group 14
authentication pre-share
lifetime 86400


tunnel-group 23.23.23.3 type ipsec-l2l
tunnel-group 23.23.23.3 ipsec-attributes
ikev1 pre-shared-key Futurama#1

access-list ACL_IPSec extended permit ip 12.12.10.0 255.255.255.248 34.34.10.0 255.255.255.248
access-list ACL_IPSec extended permit ip 12.12.20.0 255.255.255.248 34.34.10.0 255.255.255.248
access-list ACL_IPSec extended permit ip 12.12.30.0 255.255.255.248 34.34.10.0 255.255.255.248
access-list ACL_IPSec extended permit ip 12.12.10.0 255.255.255.248 34.34.20.0 255.255.255.248
access-list ACL_IPSec extended permit ip 12.12.20.0 255.255.255.248 34.34.20.0 255.255.255.248
access-list ACL_IPSec extended permit ip 12.12.30.0 255.255.255.248 34.34.20.0 255.255.255.248
access-list ACL_IPSec extended permit ip 12.12.10.0 255.255.255.248 34.34.30.0 255.255.255.248
access-list ACL_IPSec extended permit ip 12.12.20.0 255.255.255.248 34.34.30.0 255.255.255.248
access-list ACL_IPSec extended permit ip 12.12.30.0 255.255.255.248 34.34.30.0 255.255.255.248

crypto ipsec ikev1 transform-set TS_aes-sha esp-aes esp-sha-hmac

crypto map CM_IPSec 10 match address ACL_IPSec
crypto map CM_IPSec 10 set peer 23.23.23.3
crypto map CM_IPSec 10 set ikev1 transform-set TS_aes-sha
crypto map CM_IPSec interface Internet

route Internet 0.0.0.0 0.0.0.0 23.23.23.3 1


ASA VTI


crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 14
lifetime 86400
exit

tunnel-group 23.23.23.2 type ipsec-l2l
tunnel-group 23.23.23.2 ipsec-attributes
ikev1 pre-shared-key Futurama#1
exit

crypto ipsec ikev1 transform-set TS_aes-sha esp-aes esp-sha-hmac

crypto ipsec profile P_ASAv-9-17-2
set ikev1 transform-set TS_aes-sha
set security-association lifetime seconds 3600
exit

interface Tunnel0
nameif Tu_ASAv-9.17-2
ip address 123.123.123.3 255.255.255.248
tunnel source interface Internet
tunnel destination 23.23.23.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile P_ASAv-9-17-2
exit

crypto ikev1 enable Internet

route Tu_ASAv-9.17-2 12.12.10.0 255.255.255.248 123.123.123.2
route Tu_ASAv-9.17-2 12.12.20.0 255.255.255.248 123.123.123.2
route Tu_ASAv-9.17-2 12.12.30.0 255.255.255.248 123.123.123.2


When I run ping 34.34.10.4 --> 12.12.10.1, the result is negative.
When I run ping 12.12.10.1 --> 34.34.10.4, it is OK.

If, after pinging 12.12.10.1 --> 34.34.10.4, I immediately run 34.34.10.4 --> 12.12.10.1, then the ping passes. But if you stop it, then after a while ping 34.34.10.4 --> 12.12.10.1 stops working again.

When I configure the options ASA crypto map - ASA crypto map, or Cisco ASA VTI - Cisco ASA VTI, then everything works fine.

Version 9.17(1)7

Accepted Solution

Thank you all!
I figured out how to do it:

Removing:
access-list ACL_IPSec extended permit ip 12.12.10.0 255.255.255.248 34.34.10.0 255.255.255.248
access-list ACL_IPSec extended permit ip 12.12.20.0 255.255.255.248 34.34.10.0 255.255.255.248
access-list ACL_IPSec extended permit ip 12.12.30.0 255.255.255.248 34.34.10.0 255.255.255.248
access-list ACL_IPSec extended permit ip 12.12.10.0 255.255.255.248 34.34.20.0 255.255.255.248
access-list ACL_IPSec extended permit ip 12.12.20.0 255.255.255.248 34.34.20.0 255.255.255.248
access-list ACL_IPSec extended permit ip 12.12.30.0 255.255.255.248 34.34.20.0 255.255.255.248
access-list ACL_IPSec extended permit ip 12.12.10.0 255.255.255.248 34.34.30.0 255.255.255.248
access-list ACL_IPSec extended permit ip 12.12.20.0 255.255.255.248 34.34.30.0 255.255.255.248
access-list ACL_IPSec extended permit ip 12.12.30.0 255.255.255.248 34.34.30.0 255.255.255.248

Adding:
access-list ACL_IPSec extended permit ip any any
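As an added check (not part of the original post), the script below parses the crypto-map ACL and compares the IKEv1 phase-2 proxy IDs it produces with what the VTI peer proposes; an ASA VTI negotiates a single any/any pair (0.0.0.0/0 <-> 0.0.0.0/0), which is why only a mirrored `permit ip any any` matches it. The ACL lines and addresses are taken from the post; the VTI selector constant is an assumption about ASA VTI behaviour.

```python
import ipaddress
import re

# Constructed sample input: three of the crypto-map ACEs from the original
# post (mask form), and the single ACE that replaced them in the accepted fix.
ACL_BEFORE = """
access-list ACL_IPSec extended permit ip 12.12.10.0 255.255.255.248 34.34.10.0 255.255.255.248
access-list ACL_IPSec extended permit ip 12.12.20.0 255.255.255.248 34.34.10.0 255.255.255.248
access-list ACL_IPSec extended permit ip 12.12.30.0 255.255.255.248 34.34.10.0 255.255.255.248
"""
ACL_AFTER = "access-list ACL_IPSec extended permit ip any any\n"

# Assumption about ASA VTI behaviour: the VTI proposes one any/any proxy-ID
# pair in IKEv1 quick mode, i.e. 0.0.0.0/0 <-> 0.0.0.0/0.
ANY = ipaddress.ip_network("0.0.0.0/0")
VTI_SELECTORS = {(ANY, ANY)}

# "permit ip <src> <dst>", each side being "any", "host A.B.C.D" or "A.B.C.D MASK".
ACE_RE = re.compile(
    r"access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    r"(any|host\s+\S+|\S+\s+\S+)\s+(any|host\s+\S+|\S+\s+\S+)\s*$")

def _net(tok):
    """Turn one ACL address token into the ip_network it becomes as a proxy ID."""
    if tok == "any":
        return ANY
    a, b = tok.split()
    if a == "host":
        return ipaddress.ip_network(f"{b}/32")
    return ipaddress.ip_network(f"{a}/{b}", strict=False)

def parse_acl(text, name):
    """Set of (local, remote) proxy-ID pairs the crypto map will negotiate."""
    sels = set()
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group(1) == name:
            sels.add((_net(m.group(2)), _net(m.group(3))))
    return sels

def unmatched(local, peer):
    """Local selectors with no exact mirror on the peer: each fails quick mode."""
    mirrored = {(dst, src) for src, dst in peer}
    return local - mirrored

if __name__ == "__main__":
    for label, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        bad = unmatched(parse_acl(acl, "ACL_IPSec"), VTI_SELECTORS)
        print(f"{label}: {len(bad)} selector(s) the VTI peer cannot match")
```

Note that `permit ip any any` also makes the crypto map claim every packet leaving the Internet interface, which is fine in this lab with a default route to the peer but is a reason to prefer VTI on both sides in production, as the first reply suggests.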


4 Replies

Hi Jessica,

What I was able to observe after assessing the extract you pasted is the following.

Before I proceed, I would like to ask you a question: is there a specific reason that makes you configure VTI and crypto map together? Is it a requirement, or did you just configure something on top of another thing? It usually happens when we don't wipe the earlier design or config. Anyway...

Coming to the point: since there are two modes visible in your config, I see the reason. The crypto map ASA only brings up the IPsec tunnel when it sees interesting traffic matching the ACL, whereas the VTI ASA is always "up" and expects the tunnel to stay up.

Even though ASA VTI allows route-based VPNs, the crypto map ASA still behaves as policy-based, which means it won't decrypt incoming packets unless it has an SA initiated by interesting traffic.

Calling 12.12.10.1 = Site A
and 34.34.10.4 = Site B

Therefore, when Site A (crypto map) doesn't initiate anything, its SA expires or was never established, and when Site B (VTI) tries to send, Site A drops the packet because there is no matching SA yet.

Main problem statement

When 34.34.10.4 (Site B) → 12.12.10.1 (Site A), ping fails because policy-based VPN (Site A) doesn't initiate the tunnel until it sees interesting traffic outbound.

The crypto map ASA only creates the tunnel when traffic matches ACL_IPSec in the outbound direction.

When 12.12.10.1 → 34.34.10.4
The tunnel comes up because policy-based VPN (Site A) sees outbound interesting traffic → it initiates the IPSec tunnel. Once the tunnel is up, both directions work temporarily.


Solution Suggested -

It is best to make it a consistent config. Either you convert all to crypto map or all to VTI.

Which one is more dynamic? My opinion is VTI.

If you have flexibility to modify Site A then make VTI both sides, but if not then make Site B crypto map to match.

NOTE: Please always remember, VTI is an always-on tunnel. The config which you shared was already creating a scenario of asymmetric routing.

Hope that helps, and feel free to reach out and ask further questions.


Thanks for the help!
I was doing this just for a test, I was wondering if it was possible to set up the equipment this way.
Please tell me more about the question: it turns out that the ASA VTI mode can only be used with ASA VTI?
I was setting up IPsec crypto map - Fortigate (you also need to specify local and remote networks on Fortigate), and everything worked for me. Now I think that ASA VTI - Fortigate will not work.

Hello @Jessica-Brown-2000 

Cisco ASA's support for VTIs, introduced in version 9.7(1), allows for route-based VPN configurations, which can interoperate with FortiGate's route-based VPNs. This setup enables dynamic routing protocols like BGP over the VPN tunnel:

https://community.fortinet.com/t5/Cybersecurity-Forum/ASA-Route-Based-VPN-VTI-with-Fortigate-Firewall/td-p/234925

Some resources:

https://www.networktcpip.com/post/vti-tunnel-between-asa-and-fortinet-and-internet-access-over-vti

https://weberblog.net/route-based-vpn-tunnel-fortigate-cisco-asa/

Best regards