04-02-2013 06:04 AM - edited 02-21-2020 06:47 PM
So I have a solution, and then a question on that solution:
First the solution and config, for anyone in the future who would need it:
To configure a VPN from an ASA to an ASR:
crypto keyring KEYS-SITE-B-DC
 local-address [asr-ip-address]
 pre-shared-key address [ASA-ip-address] key test123
!
crypto isakmp profile ISAKMP-SITE-B-DC
 vrf VPN
 keyring KEYS-SITE-B-DC
 match identity address [ASA-ip-address] 255.255.255.255
!
crypto isakmp policy 9
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
!
crypto map VPN-S2S local-address Loopback11
crypto map VPN-S2S 10 ipsec-isakmp
 description ### VPN S2S SITE-B-DC ASA ###
 set peer [ASA-ip-address]
 set transform-set TRANS_SET-SITE-B-DC
 set pfs group2
 set isakmp-profile ISAKMP-SITE-B-DC
 match address IPSEC-VPN-ACL_SITE-B-DC
!
crypto ipsec transform-set TRANS_SET-SITE-B-DC esp-aes esp-sha-hmac
 mode tunnel
!
interface EGRESS/INGRESS
 description ### BECAUSE WE RUN DYNAMIC PROTOCOL(BGP in my case), ANY INTERFACE COULD BE THE INGRESS/EGRESS IF , SO THESE IFs MUST ALSO HAVE THE CRYPTOMAP ###
 crypto map VPN-S2S
!
interface Loopback11
 description ### TEST IPSEC ###
 ip address [asr-ip-address] 255.255.255.255
!
ip access-list extended IPSEC-VPN-ACL_SITE-B-DC
 permit ip host [ASR-LAN-addresses] host [ASA-LAN-addresses]
!
ip route vrf VPN [ASA-LAN-addresses] 255.255.255.x 8.8.8.8 global name GENERIC-IPSEC-CRYPTO-ROUTE(ANYCAST)
** the route here is for the traffic to be encrypted; the next hop MUST be a non-recursive route **
!
So now for my question:
Does it REALLY have to be a route that has a match in the routing table OTHER than a default route?
(Because it doesn't work with a route that resolves via the default route, even when the recursive route points to the same interface the specific route does.)
Is there any other way of doing that? Because pointing the route to 8.8.8.8 means my tunnels' availability depends on the availability of a route for 8.0.0.0 in the RIB.
Help would be much appreciated here guys!
04-02-2013 07:42 AM
Why not let the router hide the complexity from the admin by using RRI?
The example is not perfect because of the point-to-point connection between the two routers, but you can figure out what IP address to put as the gateway.
I would also suggest moving away from crypto maps on new software. Logical interfaces with tunnel protection are the way to go. The problem does not appear there.
04-02-2013 08:04 AM
Thanks for your comment Marcin!
The ASA does not support VTIs, which is what you are talking about, so the ASR must use the "OLD" method.
PS: I would check the Reverse Route option; the static option sounds best for me when I have multiple tunnels.
ASR-01(config-crypto-map)#reverse-route ?
  remote-peer  Create route in route table for remote tunnel endpoint
  static       Create routes based on static ACLs permanently
But doesn't the example here refer to a situation where the crypto map is applied to a VRF interface?
My scenario is different.
My interface is in the global RIB, not in a VRF, thus I did the route:
ASR01#ip route vrf VPN [LAN-BEHIND-ASA] 255.255.255.255 8.8.8.8 global name GENERIC-IPSEC-CRYPTO-ROUTE
Is there a way to perform this with the reverse route? Or perhaps I just misunderstood it?
04-02-2013 08:08 AM
The example shows pretty well the overall challenge of routing with front and back VRFs; you can check what the result was on the iVRF and fVRF in the example. The same will apply whether the front is global or any other.
"static" is not the option you're looking for; it will only make the entries permanent, regardless of the state of the IPsec SAs.
It can be of some help in certain scenarios indeed, but it's not the solution to the problem you outline in the original post.
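The crypto map from the original post with RRI enabled, as an added example that is not the poster's or Marcin's config. It reuses the poster's placeholder names and assumes that, because VRF VPN is set under the ISAKMP profile (the iVRF), the injected route lands in that VRF while the crypto map interfaces stay in the global table (the fVRF); verify that with the show commands listed.

```cisco
! Added example, not from the thread. Placeholders in [brackets] are the poster's.
! Assumption: the ISAKMP profile's "vrf VPN" makes RRI inject into VRF VPN.
crypto isakmp profile ISAKMP-SITE-B-DC
 vrf VPN
 keyring KEYS-SITE-B-DC
 match identity address [ASA-ip-address] 255.255.255.255
!
crypto map VPN-S2S 10 ipsec-isakmp
 set peer [ASA-ip-address]
 set transform-set TRANS_SET-SITE-B-DC
 set pfs group2
 set isakmp-profile ISAKMP-SITE-B-DC
 match address IPSEC-VPN-ACL_SITE-B-DC
 ! RRI: a route for the ACL destination ([ASA-LAN-addresses]) is added
 ! while the IPsec SA is up and withdrawn when it goes down, so the
 ! manual "ip route vrf VPN ... 8.8.8.8 global" anchor is not needed.
 reverse-route
!
! Checks after the tunnel comes up (look for [ASA-LAN-addresses] in VRF VPN):
! show crypto isakmp sa
! show crypto ipsec sa peer [ASA-ip-address]
! show ip route vrf VPN [ASA-LAN-addresses]
```

Without the `static` keyword the route exists only while the SA is up, so traffic originating in VRF VPN cannot itself trigger the tunnel; the ASA side must initiate, or the tunnel must be kept up, for this form to carry ASR-to-ASA traffic.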
04-02-2013 08:11 AM
OK, I'll check that,
Thanks!
04-02-2013 08:00 PM
I use:
ip route vrf xxxx
The tunnel can be brought up.