02-11-2024 08:35 AM - edited 02-11-2024 08:37 AM
Hi Eveyone,
I've noticed (via the release notes) some improvements to VTI in ASA v9.19/9.20 and have decided it's time for a CryptoMap -> VTI migration.
Could I ask a few questions please?
1. To get RRI working with an ASA VTI, do we need to attach a tunnel protection ipsec policy ?
access-list CACL-THIRDPARTYA extended permit ip 10.0.0.0 255.255.255.248 10.1.0.0 255.255.255.248
interface Tunnel 1
tunnel protection ipsec policy CACL-THIRDPARTYA
exit
!
crypto ipsec profile PR-THIRDPARTYA
[...]
set reverse-route
exit
The config guide explains that without the above it will use traffic selectors of "any/any" so I suspect the protection ipsec policy is needed to generate those routes which show up "V" with "show route".
2. The VPN Config Guide mentions ACLs can be attached to the VTI
! Old - Cryto Map filtering with VPN Filter List:
group-policy GP_L2L_170.0.0.1 attributes
vpn-filter value VFL-THIRDPARTY-INOUT
exit
! New - VTI Filtering
access-group VCL-THIRDPARTY-INOUT in interface vti-name
access-group VCL-THIRDPARTY-INOUT out interface vti-name
Exciting stuff! I would like to be rid of those of those old filter lists with the odd syntax. Has anyone tried filtering the VTI?
Thanks in advance for any insights.
02-13-2024 02:59 PM
@MHM Cisco World Thank you very much for taking the time to lab this up. In my tests though on the ASAv v9.20 code, invalid PSK was also brining the tun if status down. It's possible that ASA and IOS-XE behave differently.
02-14-2024 10:32 AM
I will make double check
Thanks
MHM
02-16-2024 02:59 PM
hi friend
you are correct
the tunnel mode I was use is IPsec over GRE so the tunnel not effect by IPSec
so
I add
tunnel mode ipsec ipv4
change the tunnel to IPsec SVTI and then tunnel UP when IPsec is ON
so ASA and IOS for sVTI is same the tunnel depend on status of IPsec
thanks
MHM
and the tunnel is UP imm
02-11-2024 10:24 AM
Thank you @Rob Ingram . I think this is the answer I'm looking for. Give me a couple of days to test RRI/tunnel protection ipsec policy and the static routes. I will also test the ACLs and VPNFilters and report back here.
02-13-2024 02:55 PM
So the results are in...and there is some good news for v9.20 code.
The only other thing to call out is that I needed to apply "next-hop-self" on my iBGP neighbors following the upgrade to v9.20 - presumably the introduction of loopback support has led to some changes in the BGP implementation.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide