Route-based VPN (VTI) for ASA finally here!

Michael Muenz
Level 5
Level 5

I just read over the release notes for the new 9.7.1 release and stumbled upon this:

Virtual Tunnel Interface (VTI) support for ASA VPN module

The ASA VPN module is enhanced with a new logical interface called Virtual Tunnel Interface (VTI), used to represent a VPN tunnel to a peer. This supports route based VPN with IPsec profiles attached to each end of the tunnel. Using VTI does away with the need to configure static crypto map access lists and map them to interfaces.

We introduced the following commands: crypto ipsec profile, interface tunnel, responder-only, set ikev1 transform-set, set pfs, set security-association lifetime, tunnel destination, tunnel mode ipsec, tunnel protection ipsec profile, tunnel source interface.

Finally a dream becomes true! Thank you Cisco! :)

Michael Please rate all helpful posts

Nathan,

Your config for the VTI approach is correct. You should use the VTI IP addresses for peering and as next-hop just like you did.

Hey Nathan, Thomas, and husycisco, this is super helpful. I found myself in a situation where I need multiple Cisco ASAs at different sites to connect to a single Azure VNet.

How does one go about finding the INNER Tunnel BGP Peering IP?

I too have the same issue where if I route to the Azure public VPN gateway IP I cannot pass traffic through, although the tunnel is established. I am unsure where to find the BGP peering IP from Azure though.

Edit: I found how to get this. It is usually the last IP address on the VPN gateway itself, per the docs here: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-bgp-overview

Also, you can just run the command in Azure to find it: Get-AzureRmVirtualNetworkGateway -ResourceGroupName <yourResourceGroupName>

It is up and running and passing traffic. Very nice!!!

Thanks!

This is an incorrect use of the VTI approach.

I tried this config on our ASA but the Azure dynamic tunnel didn't come up. The debug logs show the following error:

"All IPSec SA proposals found unacceptable" Error processing payload:1. Can anyone please tell me what could be wrong with my setup?

Thanks. MS

Hi Guys,

Does VTI work with an IOS or ASA peer? I tried ASAv to ASAv and ASAv to IOS; both solutions failed. I moved the tunnel mode ipsec and protection.

The VTI interface IP address cannot be pinged successfully. Why?

ASAv to ASAv can work only with an IKEv1 version of the instructions. IKEv2 support will come with 9.8.1 which keeps bricking my virtual appliance so I am waiting for it.

I successfully made VTIs work both ASAv to ASAv and ASAv to CSR.

Pinging the interface itself must be some sort of a bug but if you run a packet capture you will see that echo reply is coming back. For now, avoid testing the connectivity with direct VTI interface pings, try pinging some network behind.

Husycisco,

Have you had any luck with IKEv2 VTI with BGP routing? I am trying to create a site-to-site mesh topology and I would like to use BGP across it for failover and finding the fastest paths.

I cannot get them to peer. I found this great blog on doing it over IKEv1, but it didn't work for me. FYI, I think he got his BGP ASNs backwards.

Cisco ASA VTI (9.7) Route Based VPN with load-balancing and failover - Setup Guide - Techstat

It looks like, in all the research I've done, the BGP neighbors are always going to be the VTI interface IP addresses of the opposite sites.

This is an older article showing a router using BGP over VTI tunnels. 

http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/118977-config-ebgp-00.html

In this article Cisco adds a route map to redirect the next hop to the public IP peer of the remote site.

The Cisco 9.8 release claims BGP can work over VTI. Is this only for IKEv1 and not IKEv2? What are your thoughts?

Hi Husycisco,

 

I am also testing VTI on an ASA5515 (9.7(1)4) and the other end is an ASR1000 (03.16.06b.S), but my VTI is not coming up. Any expert comment would be appreciated if I am missing anything.

 

Config at both ends as per below.

 

asa# show interface tunnel 100
Interface Tunnel100 "vti", is down, line protocol is down
Hardware is Virtual Tunnel MAC address N/A, MTU 1500
IP address 192.168.1.10, subnet mask 255.255.255.252
Traffic Statistics for "vti":
0 packets input, 0 bytes
0 packets output, 0 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Tunnel Interface Information:
Source interface: outside IP address: 192.165.0.2
Destination IP address: 192.165.0.1
Mode: ipsec ipv4 IPsec profile: PROFILE1
asa#

 

Router:

ASR#show interfaces tunnel100
Tunnel100 is up, line protocol is down
Hardware is Tunnel
Internet address is 192.168.1.9/30
MTU 10000 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel linestate evaluation down - linestate protection reg down
Tunnel source 192.165.0.1, destination 192.165.0.2
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Tunnel transport MTU 1500 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "PROFILE1")
Last input never, output never, output hang never
Last clearing of "show interface" counters 2d19h
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
ASR#

 

Config at ASA:

crypto ipsec ikev1 transform-set SET1 esp-aes esp-sha-hmac
crypto ipsec profile PROFILE1
set ikev1 transform-set SET1
set security-association lifetime kilobytes 102400
set security-association lifetime seconds 900

interface Tunnel100
nameif vti
ip address 192.168.1.10 255.255.255.252
tunnel source interface outside
tunnel destination 192.165.0.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile PROFILE1

 

Router Config:

crypto ipsec transform-set SET1 esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile PROFILE1
set security-association lifetime kilobytes 102400
set security-association lifetime seconds 900
set transform-set SET1
!

interface Tunnel100
ip address 192.168.1.9 255.255.255.252
tunnel source 192.165.0.1
tunnel mode ipsec ipv4
tunnel destination 192.165.0.2
tunnel protection ipsec profile PROFILE1

 

Physical interfaces ping from both sides:

ASA# ping 192.165.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.165.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA#

ASR#ping 192.165.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.165.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASR#
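As an added example (not code from the thread), the following Python check parses the two VTI configs posted above and flags the parameters that must agree between peers before the tunnel can come up: cross-matching source/destination, a shared VTI /30, and identical transform set, SA lifetimes and tunnel mode. The ASA's outside address (192.165.0.2) is taken from its show output, since its config names the source interface rather than an IP.

```python
import ipaddress
import re

# Constructed sample input: the ASA and ASR VTI configs posted above (trimmed).
ASA_CFG = """crypto ipsec ikev1 transform-set SET1 esp-aes esp-sha-hmac
 set security-association lifetime kilobytes 102400
 set security-association lifetime seconds 900
interface Tunnel100
 ip address 192.168.1.10 255.255.255.252
 tunnel source interface outside
 tunnel destination 192.165.0.1
 tunnel mode ipsec ipv4"""
IOS_CFG = """crypto ipsec transform-set SET1 esp-aes esp-sha-hmac
 set security-association lifetime kilobytes 102400
 set security-association lifetime seconds 900
interface Tunnel100
 ip address 192.168.1.9 255.255.255.252
 tunnel source 192.165.0.1
 tunnel mode ipsec ipv4
 tunnel destination 192.165.0.2"""

def parse_vti(cfg, source_ip=None):
    """Extract the peer-sensitive VTI settings; source_ip fills in 'tunnel source interface X'."""
    v = {"lifetime": {}}
    for line in cfg.splitlines():
        line = line.strip()
        if m := re.match(r"crypto ipsec (?:ikev1 )?transform-set \S+ (.+)", line):
            v["esp"] = tuple(sorted(m[1].split()))  # ESP algorithms, order-insensitive
        elif m := re.match(r"set security-association lifetime (\w+) (\d+)", line):
            v["lifetime"][m[1]] = int(m[2])  # seconds / kilobytes
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            v["vti"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"tunnel source (\S+)", line):
            v["src"] = source_ip if m[1] == "interface" else m[1]
        elif m := re.match(r"tunnel destination (\S+)", line):
            v["dst"] = m[1]
        elif m := re.match(r"tunnel mode (.+)", line):
            v["mode"] = m[1]
    return v

def check_pair(a, b):
    """Return mismatches between two parsed VTI peers (empty list = consistent)."""
    problems = []
    if (a["src"], a["dst"]) != (b["dst"], b["src"]):
        problems.append("tunnel source/destination do not cross-match")
    if a["vti"].network != b["vti"].network or a["vti"].ip == b["vti"].ip:
        problems.append("VTI addresses are not two distinct hosts in one subnet")
    problems += [f"{k} differs" for k in ("esp", "lifetime", "mode") if a.get(k) != b.get(k)]
    return problems
```

For the configs posted above the check returns no mismatches, so the cause of the down tunnel lies outside these lines (for example in the IKE policy or tunnel-group, which the post does not show).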

Thomas,

Have you guys had any luck with IKEv2 VTI with BGP routing? I am trying to create a site-to-site mesh topology and I would like to use BGP across it for failover and finding the fastest paths.

I cannot get them to peer. I found this great blog on doing it over IKEv1, but it didn't work for me. FYI, I think he got his BGP ASNs backwards.

Cisco ASA VTI (9.7) Route Based VPN with load-balancing and failover - Setup Guide - Techstat

It looks like, in all the research I've done, the BGP neighbors are always going to be the VTI interface IP addresses of the opposite sites.

This is an older article showing a router using BGP over VTI tunnels. 

http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/118977-config-ebgp-00.html

In this article Cisco adds a route map to redirect the next hop to the public IP peer of the remote site.

The Cisco 9.8 release claims BGP can work over VTI. Is this only for IKEv1 and not IKEv2? What are your thoughts?

Hello all,

Thomas, please specify: IP addresses 169.254.2.1 and 169.254.2.2. Why did you use these IP addresses? Is it necessary to assign an IP address from this range on the equipment on the Azure side?

 

interface Tunnel1
  nameif VPN-AZURE
  ip address 169.254.2.1 255.255.255.0 standby 169.254.2.2 

 

Thank you in advance

I've been trying to do similar things to build connections from ASA to Palo Alto (which only does VTI, doesn't like Cisco crypto-map.)

The advice I found on the net said "Your ASA is really only using those addresses to decide what interface to send outgoing packets on; the other end doesn't actually need to be configured for it, and vice versa, so just use any /30 or /31, here's an example with a 169.254."

On my 5525, that worked. On my 2100, it gave me an error message when I tried to configure it, because apparently some of the internal connections from the FXOS side to the ASA side must be using 169.254, so I changed it to 10.x.x.0/31 and 10.x.x.1/31 and the tunnel came up fine.

 

Nathan Brock
Level 1
Level 1

I have successfully gotten my Cisco ASA to connect to my Azure Gateway with BGP over IKEv2, but after about 12-24 hours my connections stop and I have to change the VTI interface IP to any random value. Once I change it, the tunnels come back up (pinging), even though the debug still shows everything up and connected on both the ASA and the Azure Gateway status.

Any ideas what is causing comm to stop and why it restarts when I change the VTI Interface IP to a different value?

Odd. 

Thanks!

You need to check the lifetimes for the IKEv2 and IPsec settings, and make sure they're compatible so everything rekeys correctly. Some of them default to 8 hours or 24 hours.

Nathan Brock
Level 1
Level 1

We have upgraded our ASAs to IOS Version 9.8(1). I currently have issues with two 5516-X FIREPOWER Services. I have successfully moved to Route Based VPN for our Site-To-Site connectivity. Everything works well with a static route, but we are looking to create resilient mesh by using BGP routing over VTI.

We are using IKEv2, AES256, SHA1, 86400 lifetime, and so on. The tunnel comes up perfectly and WILL pass traffic within a virtual tunnel interface.

We are looking to get support to get the BGP routing working over these tunnel interfaces (VTI) with IKEV2 IPSEC.

I tried this blog with no luck (IT DOES USE IKEV1)
https://techstat.net/cisco-asa-9-7-route-based-vpn-load-balancing-failover-setup-guide/

I tried this Cisco Doc for VTI / BGP on a Cisco router (DOESN'T WORK ON ASA 9.8)
http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/118977-config-ebgp-00.html

I can get the BGP Peers to see the remote VTI IP Address inside the tunnel, but it will only stay IDLE or ACTIVE and no messages will pass between the two BGP Peers to exchange route information.

Please advise. Any technical documentation or example configuration file for Cisco ASA 9.8(1) for BGP over VTI for ASA to ASA connectivity while using IKEV2 would be extremely helpful.

Thanks!
Nate

d.lachapelle
Level 1
Level 1

I'm really loving the VTIs on ASA and have been waiting a long time for this. The only issue I've run into so far was how to put ACLs on these tunnels without doing a filter. I entered the no sysopt connection permit-vpn command to force traffic to hit the interface ACL. I had entered the appropriate ACLs to permit the traffic on the outside interface, but when the command above was entered it gave me a bunch of errors like this, in green:

"Inbound TCP connection denied from x.x.x.x/port to x.x.x.x/port flags SYN on interface Tunnel4"

"Inbound TCP connection denied from x.x.x.x/port to x.x.x.x/port flags RST on interface Tunnel4"

"Deny inbound UDP from x.x.x.x/port to x.x.x.x/53 due to DNS Query"

So I went to try to take the ACLs from the outside interface and put them on the ACL for the Tunnel4 interface, only to see I couldn't. It does not show up in the GUI as an interface I can create an ACL on.

Is the technology too new for this and I have to do filters to do ACLs?  I would love to just apply the ACLs to the actual interface.  Anyone have any luck with this type of setup?