
IPsec S2S ASA to ASR with VRF Using Loopback IF Address

So I have a solution, and then a question on that solution:

First the solution and config, for anyone in the future who would need it:

To configure an ASA VPN to an ASR:

crypto keyring KEYS-SITE-B-DC
  local-address [asr-ip-address]
  pre-shared-key address [ASA-ip-address] key test123
!
crypto isakmp profile ISAKMP-SITE-B-DC
   vrf VPN
   keyring KEYS-SITE-B-DC
   match identity address [ASA-ip-address] 255.255.255.255
!
crypto isakmp policy 9
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
!
crypto map VPN-S2S local-address Loopback11
crypto map VPN-S2S 10 ipsec-isakmp
 description ### VPN S2S SITE-B-DC ASA ###
 set peer [ASA-ip-address]
 set transform-set TRANS_SET-SITE-B-DC
 set pfs group2
 set isakmp-profile ISAKMP-SITE-B-DC
 match address IPSEC-VPN-ACL_SITE-B-DC
!
crypto ipsec transform-set TRANS_SET-SITE-B-DC esp-aes esp-sha-hmac
 mode tunnel
!
interface EGRESS/INGRESS
 description ### BECAUSE WE RUN A DYNAMIC PROTOCOL (BGP IN MY CASE), ANY INTERFACE COULD BE THE INGRESS/EGRESS IF, SO THESE IFs MUST ALSO HAVE THE CRYPTO MAP ###
 crypto map VPN-S2S
!
interface Loopback11
 description ### TEST IPSEC ###
 ip address [asr-ip-address] 255.255.255.255
!
ip access-list extended IPSEC-VPN-ACL_SITE-B-DC
 permit ip host [ASR-LAN-addresses] host [ASA-LAN-addresses]
!
! The route below is what gets the traffic encrypted; the next hop MUST be a non-recursive route.
ip route vrf VPN [ASA-LAN-addresses] 255.255.255.x 8.8.8.8 global name GENERIC-IPSEC-CRYPTO-ROUTE(ANYCAST)
!

So now for my question:

Does it REALLY have to be a route that has a match in the routing table OTHER than a default route?

(Because it doesn't work with a route that resolves via the default route, even when the recursive route points to the same interface the specific route does.)

Is there any other way of doing that? Because pointing the route to 8.8.8.8 means my tunnels depend on the availability of a route for 8.0.0.0 in the RIB.

Help would be much appreciated here, guys!
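The dependency the question describes (the VRF route's global next hop only counting when a specific prefix covers it, not the default route) can be audited before a prefix is withdrawn. The script below is an added example, not code from this thread or from Cisco: it models a global RIB with longest-prefix matching, walks the recursive resolution of the `ip route vrf VPN ... 8.8.8.8 global` next hop, and reports whether it ends on a specific route, needs 0.0.0.0/0 at some step, or fails. The ASA LAN (10.20.0.0/24), uplink addresses and the 8.0.0.0/8 BGP route are constructed sample data; `GLOBAL_RIB`, `VRF_VPN_ROUTE` and all function names are assumptions of this example.

```python
"""Audit how the crypto-triggering VRF route's global next hop resolves.

Added example, not code from the thread. It models the situation in the
original post: the static route in VRF VPN for the ASA LAN points to 8.8.8.8
in the global table, and the tunnel was observed to work only while 8.8.8.8
is covered by a specific prefix (8.0.0.0/8), not merely by the default route.
All addresses and routes here are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]          # None means a connected route
    interface: Optional[str] = None  # outgoing interface, if known
    source: str = "static"           # 'static', 'bgp', 'connected', ...


def route(prefix: str, next_hop: Optional[str] = None,
          interface: Optional[str] = None, source: str = "static") -> Route:
    """Small constructor so the sample tables below stay readable."""
    return Route(ipaddress.ip_network(prefix), next_hop, interface, source)


def lookup(rib: List[Route], address: str) -> Optional[Route]:
    """Longest-prefix match of address in rib; None if nothing matches."""
    addr = ipaddress.IPv4Address(address)
    matches = [r for r in rib if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


def resolve_next_hop(global_rib: List[Route], next_hop: str,
                     max_depth: int = 8) -> Tuple[str, List[Route]]:
    """Recursively resolve next_hop through global_rib.

    Returns (status, chain): 'specific' when the walk ends on a connected
    route without touching 0.0.0.0/0, 'default' when the default route was
    needed at any step, 'unresolved' when there is no match, a loop, or the
    depth limit is hit. chain lists the routes walked, in order.
    """
    chain: List[Route] = []
    seen = set()
    via_default = False
    hop = next_hop
    for _ in range(max_depth):
        r = lookup(global_rib, hop)
        if r is None:
            return "unresolved", chain
        chain.append(r)
        if r.prefix.prefixlen == 0:
            via_default = True
        if r.next_hop is None:          # connected route: resolution complete
            return ("default" if via_default else "specific"), chain
        if r.next_hop in seen:          # resolution loop
            return "unresolved", chain
        seen.add(r.next_hop)
        hop = r.next_hop
    return "unresolved", chain


def audit_vrf_route(vrf_route: Route, global_rib: List[Route]) -> str:
    """Status of an 'ip route vrf ... <next-hop> global' route's next hop."""
    if vrf_route.next_hop is None:
        return "specific"               # connected VRF route needs no resolution
    status, _ = resolve_next_hop(global_rib, vrf_route.next_hop)
    return status


# Constructed global RIB: a default route, the BGP-learned 8.0.0.0/8 the
# VRF route relies on, the connected uplinks and the crypto loopback.
GLOBAL_RIB = [
    route("0.0.0.0/0", "203.0.113.1"),
    route("8.0.0.0/8", "198.51.100.1", source="bgp"),
    route("198.51.100.0/24", interface="GigabitEthernet0/0/0", source="connected"),
    route("203.0.113.0/24", interface="GigabitEthernet0/0/1", source="connected"),
    route("192.0.2.11/32", interface="Loopback11", source="connected"),
]

# The crypto-triggering route from the thread, with a constructed ASA LAN.
VRF_VPN_ROUTE = route("10.20.0.0/24", "8.8.8.8")


def without(rib: List[Route], prefix: str) -> List[Route]:
    """Copy of rib with one prefix withdrawn, to simulate a RIB change."""
    net = ipaddress.ip_network(prefix)
    return [r for r in rib if r.prefix != net]


if __name__ == "__main__":
    print("with 8.0.0.0/8:   ", audit_vrf_route(VRF_VPN_ROUTE, GLOBAL_RIB))
    print("without 8.0.0.0/8:",
          audit_vrf_route(VRF_VPN_ROUTE, without(GLOBAL_RIB, "8.0.0.0/8")))
```

With 8.0.0.0/8 present the walk is 8.0.0.0/8 → 198.51.100.0/24 (connected) and the status is `specific`; withdraw that prefix and the same next hop only resolves through 0.0.0.0/0, which is exactly the state the question reports as not working. Running such a check against a parsed `show ip route` before maintenance on the upstream peering makes the tunnel's hidden dependency visible.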

Accepted Solution

Marcin Latosiewicz (Cisco Employee)

Why not let the router hide the complexity from the admin by using RRI?

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_vpnav/configuration/15-mt/sec-rev-rte-inject.html#GUID-DEBFE993-16DF-4599-946A-1B7A42521C92

The example is not perfect because of the point-to-point connection between the two routers, but you can figure out what IP address to put as the gateway.

I would also suggest coming away from crypto maps on new software. Logical interfaces with tunnel protection are the way to go. The problem does not appear there.


5 Replies


Thanks for your comment, Marcin!

The ASA does not support VTIs, which is what you are talking about, so the ASR must use the "OLD" method.

PS: I would check the reverse-route option; the static option sounds best for me when I have multiple tunnels.

ASR-01(config-crypto-map)#reverse-route ?
  remote-peer  Create route in route table for remote tunnel endpoint
  static       Create routes based on static ACLs permanently

But doesn't the example here refer to a situation where the crypto map is applied to a VRF interface?

My scenario is different.

My interface is in the global RIB, not in a VRF, thus I did the route:

ASR01#ip route vrf VPN [LAN-BEHIND-ASA] 255.255.255.255 8.8.8.8 global name GENERIC-IPSEC-CRYPTO-ROUTE

Is there a way to perform this with the reverse route? Or perhaps I just misunderstood it?

The example is showing pretty well the overall challenge of routing with front and back VRFs; you can check what the result was on the iVRF and fVRF in the example. The same will apply whether the front is global or any other.

"static" is not the option you're looking for; it will only make the entries permanent, regardless of the state of the IPsec SAs.

It can be of some help in certain scenarios indeed, but it's not the solution to the problem you outlined in the original post.

OK, I'll check that.

Thanks!

I use:

ip route vrf xxxx loopbackxxx global

The tunnel can then be brought up.