10-09-2011 11:31 AM
Hi All,
I need to connect some routers to an ASA using IPSec tunnels. The goal is to get netflow traffic from the routers to a collector behind an ASA using IPSec tunnels.
Recently I found out (locally originated) netflow isn't properly encrypted when sent through an IPSec tunnel (http://www.plixer.com/blog/network-traffic-analysis/sending-netflow-over-ipsec-tunnels/). The workaround seems to be using flexible netflow (which my collector doesn't support) or using a real tunnel interface on the router.
This implies I need to use:
- IPSec/GRE
- EzVPN with DVTI
- SVTI...?
Since GRE is not supported on the ASA and I want the tunnel to be always active, implementing static VTI tunnels might be a good idea. So I would like to use something like this on the router.
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source x.x.x.x
 tunnel destination y.y.y.y
 tunnel mode ipsec ipv4
!
My question is, does anybody know if you can build an IPSec tunnel between an ASA and a router, using a SVTI interface on the router? A code sample for the ASA and the router would be more than welcome.
Regards
10-09-2011 01:40 PM
Hielke,
Assuming you could... this still does not scale for you, at all.
VTIs are using "any any" as traffic selectors, which works OK in the case of a router and logical interfaces (tunnel), but it would not work on the ASA, since the ASA does not support logical interfaces.
You can only say "any any" once on the ASA.
Marcin
10-10-2011 01:32 PM
Hi Marcin,
Thanks for your answer.
So are you saying that even if you could somehow match the IPsec settings, the traffic selector would still mess up things on the ASA?
Hielke
10-10-2011 02:13 PM
Hi Hielke,
If you managed to match the SAs proposed by the router when using SVTI, which is any to any, you would do this on the ASA using a crypto map access-list as follows:
access-list crypto VPN permit ip any any
Then all traffic leaving the interface where the crypto map is applied will be subject to encryption, which is not practical in most cases. You may use a different interface (on the ASA) for this tunnel with the SVTI, as it will use any any and that traffic is different from the one leaving the outside interface.
So, as Marcin said, this will not scale for you.
HTH
Mohammad.
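To make the mismatch Marcin and Mohammad describe concrete, here is an added illustration; it is not configuration from this thread or from Cisco, and it is not a claim that the pairing works. The router side is the SVTI from the first post completed with the IPsec profile a VTI binds to; the ASA side is the only thing that can be matched against it, a crypto map whose crypto ACL is any/any. The names (VTI-PROF, TS, OUTSIDE-MAP, VPN), the PSK and collector-subnet placeholders, the IKEv1 policy values, the ASA 8.2-style keywords, and the peer addresses x.x.x.x (router) and y.y.y.y (ASA outside) are all assumptions.

```cisco
! ===== Router (IOS): static VTI, route-based IPsec =====
! Assumed IKEv1 policy and pre-shared key; y.y.y.y is the ASA outside address.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <PSK-PLACEHOLDER> address y.y.y.y
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
! A VTI binds to an IPsec profile instead of a crypto map; there is no
! crypto ACL on the router at all.
crypto ipsec profile VTI-PROF
 set transform-set TS
!
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source x.x.x.x
 tunnel destination y.y.y.y
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! Whatever is routed into Tunnel0 is encrypted, so the IPsec selector the
! router proposes is 0.0.0.0/0 <-> 0.0.0.0/0 ("any any"). The NetFlow
! collector subnet is a placeholder.
ip route <COLLECTOR-SUBNET> <MASK> Tunnel0
!
! ===== ASA: policy-based IPsec (crypto map), 8.2-style keywords =====
! The ASA has no tunnel interface, so the only way to match the router's
! any/any proposal is an any/any crypto ACL on a crypto map entry.
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
crypto isakmp enable outside
!
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>
!
access-list VPN extended permit ip any any
crypto ipsec transform-set TS esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN
crypto map OUTSIDE-MAP 10 set peer x.x.x.x
crypto map OUTSIDE-MAP 10 set transform-set TS
! Binding the map to "outside" makes every packet leaving that interface,
! not just the NetFlow export, a candidate for this one tunnel. A second
! router would need a second any/any entry, which entry 10 already shadows,
! so only one such peer can ever be matched per interface.
crypto map OUTSIDE-MAP interface outside
```

The comments spell out why the thread's answer is "this does not scale": on the router the selector is implied by routing, on the ASA it is the crypto ACL, and an any/any ACL can only be expressed once per interface. As a caveat for anyone finding this thread later, ASA software 9.7(1) and newer added route-based VTI tunnel interfaces, which removes the crypto-map selector problem described here, but that option did not exist at the time of this discussion.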
10-10-2011 11:53 PM
OK, got it, thanks for your help.
Regards
Hielke