01-24-2017 06:13 AM
I just read over the release notes for the new 9.7.1 release and stumbled upon this:
Virtual Tunnel Interface (VTI) support for ASA VPN module
The ASA VPN module is enhanced with a new logical interface called Virtual Tunnel Interface (VTI), used to represent a VPN tunnel to a peer. This supports route based VPN with IPsec profiles attached to each end of the tunnel. Using VTI does away with the need to configure static crypto map access lists and map them to interfaces.
We introduced the following commands: crypto ipsec profile, interface tunnel, responder-only, set ikev1 transform-set, set pfs, set security-association lifetime, tunnel destination, tunnel mode ipsec, tunnel protection ipsec profile, tunnel source interface.
Finally a dream becomes true! Thank you Cisco! :)
01-24-2017 06:25 AM
Awesome, been a long time waiting for this. This saves a lot of headaches doing multi-vendor VPN tunnels.
01-24-2017 08:05 AM
Yeah its awesome that finally ASA has such function.
Was anyone lucky to configure it between 2 ASAs?
Because I was able to configure tunnel interface on both, did tunnel protection for that, but for IOS there is step with key - but these commands are missing on ASA. Seems I am missing something - some part that would make this configuration working, because tunnel is down/down on both and wont come up/up.
Also - couldn't find any configuration guide for VTI implementation at Cisco ASA.
Thanks for any input.
01-24-2017 12:13 PM
This is the official link to the configuration but I haven't tried it yet:
01-24-2017 12:19 PM
I tried this in my lab this morning, for the PSK, use the traditional tunnel-group configuration.
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
ikev1 pre-shared-key *****
01-24-2017 11:18 PM
Big thanks both.
I was able to configure the tunnel correctly and now its UP/UP.
When the tunnel is UP/UP I tried to ping remote end of tunnel from ASA. Unfortunately at IOS it is working - for ASA it is not (not good for troubleshooting tho).
So I connected clients to each ASA to simulate remote subnets and configured static routes for these subnets with next hop as remote end of tunnel. Traffic going successfully through.
And now I am trying to configure OSPF through tunnel and again I have problem to configure it. At IOS its enough to configure tunnel subnet at OSPF and it will form OSPF connection. Again not working for ASA.
I found some guides how to configure OSPF for L2L at ASA and trying now to bend it for new VTI interface.
Anyone had luck with this?
01-25-2017 12:21 AM
I'm not sure if OSPF is supported since only BGP is listed in the documentation link.
01-25-2017 12:53 AM
Yes - you are correct.
I just configured BGP and seems that this one is working through tunnel.
But for routing L2L tunnel its little overkill routing protocol - but at least working as expected. :)
When I was reading guideline I read:
You can use dynamic or static routes for traffic using the tunnel interface.
So I thought that at least OSPF will be supported.
01-25-2017 12:55 AM
Try configure static neighbor adj, perhaps it doesn't support multicast yet?
01-25-2017 01:09 AM
I already tried that when I was trying to bend the config of OSPF VPN config.
With OSPF neighbor command is following problem:
ERROR: Neighbor address does not map to any interface
when 192.168.1.2 is IP address of remote end tunnel.
And when I do following:
neighbor 192.168.1.2 interface ?
router mode commands/options:
Current available interface(s):
Inside Name of interface GigabitEthernet0/1
Management Name of interface Management0/0
Outside Name of interface GigabitEthernet0/0
There are only Interfaces for Inside,Outside and Management - but no Tunnel interface. So seems that Tunnel interface is not visible for OSPF.
02-01-2017 06:04 PM
It seems that only IKEv1 is supported with VTI.
Michal, could you test if IKEv2 is usable with VTI?
02-01-2017 06:18 PM
IKEv2 is not available for the VTI IPSec profile.
ASA(config)# crypto ipsec profile TUNNELv2
ASA(config-ipsec-profile)# set ?
profile mode commands/options:
ikev1 Configure ISAKMP policy
pfs Specify pfs settings
security-association Security association duration
02-02-2017 07:57 AM
Collin, thank you.
So, no IKEv2 with route based VPNs on ASA.
It's a pity, because for example MS Azure requires only IKEv2 for route based VPNs.
Does anybody know if IKEv2 is on the roadmap? And if, then when will be available?
04-25-2017 07:29 AM
Oh no, very disappointing! I was about to post with happiness, but no IKEv2 support yet? I have been looking forward for route-based VPN functionality for ages to connect to Azure. Instead I've been hacking together workarounds to be able to handle it and I feel more than a little stupid standing up a free strongswan VM just to connect to Azure when I have this nice, expensive ASA mounted into my rack which should be able to handle it.
+1 for IKEv2 support added next!!!
05-16-2017 05:12 AM
Seems that the new 9.8.1 supports also IKEv2 but haven't checked yet.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: