Route-based VPN (VTI) for ASA finally here!

Michael Muenz
Level 5

I just read over the release notes for the new 9.7.1 release and stumbled upon this:

Virtual Tunnel Interface (VTI) support for ASA VPN module

The ASA VPN module is enhanced with a new logical interface called Virtual Tunnel Interface (VTI), used to represent a VPN tunnel to a peer. This supports route based VPN with IPsec profiles attached to each end of the tunnel. Using VTI does away with the need to configure static crypto map access lists and map them to interfaces.

We introduced the following commands: crypto ipsec profile, interface tunnel, responder-only, set ikev1 transform-set, set pfs, set security-association lifetime, tunnel destination, tunnel mode ipsec, tunnel protection ipsec profile, tunnel source interface.

Finally a dream becomes true! Thank you Cisco! :)

Michael Please rate all helpful posts

Rahul Govindan
VIP Alumni

Awesome, been a long time waiting for this. This saves a lot of headaches doing multi-vendor VPN tunnels.

Yeah, it's awesome that the ASA finally has such a function.

Has anyone managed to configure it between two ASAs?

I was able to configure the tunnel interface on both and applied tunnel protection to it, but on IOS there is a step with the key, and those commands are missing on the ASA. It seems I am missing something, some part that would make this configuration work, because the tunnel is down/down on both sides and won't come up/up.

Also, I couldn't find any configuration guide for the VTI implementation on the Cisco ASA.

Thanks for any input. 

This is the official link to the configuration but I haven't tried it yet:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/vpn/asa-97-vpn-config/vpn-vti.html

Michael Please rate all helpful posts

I tried this in my lab this morning. For the PSK, use the traditional tunnel-group configuration:

tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
ikev1 pre-shared-key *****

Big thanks both. 

I was able to configure the tunnel correctly and now it's UP/UP.

When the tunnel is UP/UP I tried to ping the remote end of the tunnel from the ASA. Unfortunately, on IOS it works, but on the ASA it does not (not good for troubleshooting, though).

So I connected clients to each ASA to simulate remote subnets and configured static routes for these subnets with the remote end of the tunnel as the next hop. Traffic is going through successfully.

Now I am trying to configure OSPF through the tunnel, and again I have a problem configuring it. On IOS it is enough to add the tunnel subnet to OSPF and it will form an OSPF adjacency. Again, this is not working on the ASA.

I found some guides on how to configure OSPF for L2L on the ASA and am now trying to bend them to the new VTI interface.

Anyone had luck with this? 

I'm not sure if OSPF is supported since only BGP is listed in the documentation link.

Michael Please rate all helpful posts

Yes - you are correct. 

I just configured BGP and it seems that this one is working through the tunnel.

For routing a single L2L tunnel it's a bit of an overkill routing protocol, but at least it is working as expected. :)
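Pulling the pieces of this thread together (crypto ipsec profile, tunnel-group PSK, tunnel interface, then either a static route or BGP for the remote subnets), here is what a complete two-ASA VTI configuration on 9.7.1 looks like. This is an added example, not posted by anyone in the thread and not taken from Cisco's guide. The interface names, addresses, subnets, AS numbers, profile/transform-set names and the pre-shared key are assumed placeholders; the DH groups assume the running release offers them (check with `group ?` / `set pfs ?`), and IKEv1 is used because that is the only option the profile accepts on this release.

```cisco
! ===== ASA-A (assumed: outside 198.51.100.1, inside 10.1.0.0/24, tunnel 192.168.1.1/30, AS 65001) =====

! Phase 1: IKEv1 must be enabled on the interface the tunnel is sourced from.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400

! Phase 2 transform set, referenced by the IPsec profile instead of a crypto map.
crypto ipsec ikev1 transform-set VTI-TS esp-aes-256 esp-sha-hmac

! The IPsec profile replaces the crypto map + ACL pair; it only offers ikev1 here.
crypto ipsec profile VTI-PROFILE
 set ikev1 transform-set VTI-TS
 set pfs group14
 set security-association lifetime seconds 3600

! The PSK still lives in a tunnel-group keyed on the peer address (this is the
! "missing key step" from the thread).
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 ikev1 pre-shared-key <strong-secret-placeholder>

! The VTI itself: a routed interface with its own nameif, so it can be used in
! "route" statements and shows up as a regular interface.
interface Tunnel1
 nameif VTI
 ip address 192.168.1.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 198.51.100.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE

! Option 1 (what the poster did): static route for the remote LAN via the peer's
! tunnel address. Note the ASA itself cannot ping 192.168.1.2 on this release,
! so test with a host behind the inside interface, not from the ASA.
route VTI 10.2.0.0 255.255.255.0 192.168.1.2

! Option 2: eBGP over the tunnel (OSPF does not see the Tunnel interface).
! Remove the static route above if you use this.
router bgp 65001
 bgp log-neighbor-changes
 address-family ipv4 unicast
  neighbor 192.168.1.2 remote-as 65002
  neighbor 192.168.1.2 activate
  network 10.1.0.0 mask 255.255.255.0
  no auto-summary
  no synchronization
 exit-address-family

! ===== ASA-B (assumed: outside 198.51.100.2, inside 10.2.0.0/24, tunnel 192.168.1.2/30, AS 65002) =====
! Identical IKEv1 policy, transform set and IPsec profile as above, then:
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key <strong-secret-placeholder>
interface Tunnel1
 nameif VTI
 ip address 192.168.1.2 255.255.255.252
 tunnel source interface outside
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
route VTI 10.1.0.0 255.255.255.0 192.168.1.1
! (or the mirrored BGP block: router bgp 65002 / neighbor 192.168.1.1 remote-as 65001 / network 10.2.0.0)
```

Two things worth checking after pasting this in: `show interface Tunnel1` should go up/up only once Phase 1 and Phase 2 complete (`show crypto ikev1 sa`, `show crypto ipsec sa`), and because the VTI is a named interface, any access-group or NAT rule that previously matched the crypto-map traffic now has to reference `VTI` rather than `outside`. The `responder-only` keyword listed in the release notes can be added under the profile on one side if you want only one ASA to initiate.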

Regarding OSPF: 

When I was reading the guidelines I read:

General Configuration Guidelines

  • You can use dynamic or static routes for traffic using the tunnel interface.

So I thought that at least OSPF would be supported.

Lets see. 

Try configuring a static neighbor adjacency; perhaps it doesn't support multicast yet?

Michael Please rate all helpful posts

I already tried that when I was trying to bend the OSPF-over-VPN config.

With the OSPF neighbor command there is the following problem:

neighbor 192.168.1.2
ERROR: Neighbor address does not map to any interface

where 192.168.1.2 is the IP address of the remote tunnel end.

And when I do following: 

neighbor 192.168.1.2 interface ?

router mode commands/options:
Current available interface(s):
Inside Name of interface GigabitEthernet0/1
Management Name of interface Management0/0
Outside Name of interface GigabitEthernet0/0

Only the Inside, Outside and Management interfaces are offered, but no Tunnel interface. So it seems that the Tunnel interface is not visible to OSPF.

It seems that only IKEv1 is supported with VTI.

Michal, could you test if IKEv2 is usable with VTI?

Thx

IKEv2 is not available for the VTI IPSec profile.

ASA(config)# crypto ipsec profile TUNNELv2
ASA(config-ipsec-profile)# set ?

profile mode commands/options:
ikev1 Configure ISAKMP policy
pfs Specify pfs settings
security-association Security association duration
ASA(config)#

Collin, thank you.

So, no IKEv2 with route based VPNs on ASA.

It's a pity, because for example MS Azure requires only IKEv2 for route based VPNs.

Does anybody know if IKEv2 is on the roadmap? And if, then when will be available?

Thx L.

Oh no, very disappointing! I was about to post with happiness, but no IKEv2 support yet? I have been looking forward to route-based VPN functionality for ages to connect to Azure. Instead I've been hacking together workarounds to be able to handle it, and I feel more than a little stupid standing up a free strongSwan VM just to connect to Azure when I have this nice, expensive ASA mounted in my rack which should be able to handle it.

+1 for IKEv2 support added next!!!

It seems that the new 9.8.1 also supports IKEv2, but I haven't checked yet.

Michael Please rate all helpful posts