cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
88372
Views
135
Helpful
65
Replies

Route-based VPN (VTI) for ASA finally here!

Michael Muenz
Level 5
Level 5

I just read over the release notes for the new 9.7.1 release and stumbled upon this:

Virtual Tunnel Interface (VTI) support for ASA VPN module

The ASA VPN module is enhanced with a new logical interface called Virtual Tunnel Interface (VTI), used to represent a VPN tunnel to a peer. This supports route based VPN with IPsec profiles attached to each end of the tunnel. Using VTI does away with the need to configure static crypto map access lists and map them to interfaces.

We introduced the following commands: crypto ipsec profile, interface tunnel, responder-only, set ikev1 transform-set, set pfs, set security-association lifetime, tunnel destination, tunnel mode ipsec, tunnel protection ipsec profile, tunnel source interface.

Finally a dream becomes true! Thank you Cisco! :)

Michael Please rate all helpful posts
65 Replies 65

nwtimberlake75
Level 1
Level 1

I was able to get this tested and working using an ASA5506 and an ISR4331. I thought someone looking might find this configuration helpful to get started.

 

ROUTER CONFIGURATIONS FOR VTI VPN

crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
lifetime 86400

crypto isakmp key cisco1234 address 1.1.1.1

crypto ipsec transform-set SET1 esp-3des esp-sha-hmac
mode tunnel

crypto ipsec profile MY_PROFILE
set transform-set SET1

interface Tunnel0
ip address 10.1.1.2 255.255.255.0
tunnel source 1.1.1.2
tunnel mode ipsec ipv4
tunnel destination 1.1.1.1
tunnel protection ipsec profile MY_PROFILE

****************************************************************************************************************************

ASA CONFIGURATIONS FOR VTI VPN

interface Tunnel1
nameif TUNNEL1
ip address 10.1.1.1 255.255.255.0
tunnel source interface outside
tunnel destination 1.1.1.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile MY_PROFILE


crypto ipsec ikev1 transform-set SET1 esp-3des esp-sha-hmac
crypto ipsec profile MY_PROFILE
set ikev1 transform-set SET1
responder-only

crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes
ikev1 pre-shared-key cisco1234

It looks like sVTI is supported.  I am trying to run remote-access vpn, does asa 9.8.1 support running dVTI ?  

shivakumarg06
Level 1
Level 1

Hello, 

I would like to configure Route Based VPN with Cisco ASA 5505 to Azure, 

 

I have referred the multiple blogs and tutorial, but I was not successful, 

 

if any buddy has an idea, about the configuration, request you to please share.

 

I have created a tutorial based on what i found in this thread, and I have a working Route based site2site tunnel with Azure, from a ASA5506-X (With asa 9.8.2) to a Azure VPN gateway

Link: https://kasperk.it/cisco/asa/cisco-asa-route-based-site-to-site-vpn-to-azure

Hello ,



Thanks for your replay, I found the solution and I have completed the tasks
2 months back.






TheSlyOne
Level 1
Level 1

If they add GRE tunnels and Loopback interfaces and VRF's, I might start using ASA's for IPSEC.  Currently I much prefer the FlexVPN on IOS.