01-26-2018 05:57 AM - edited 03-12-2019 04:57 AM
I am trying to build a VPN tunnel, and it is not working. I've built hundreds of tunnels, but mostly on older ASA firewalls, so my skills may be rusty.
On my side, I have an ASR1001-X running 15.5(3)S5. There are several tunnels already on the router, connecting using IKEv2/IPSEC, with "interface TunnelX" set up. Some of the Tunnel interfaces are unnumbered, while others have IP addresses assigned. All work as expected.
Now I am trying to set up a VPN to a 3rd party's ASA 5525. They just upgraded to v9.7 because we couldn't get the tunnel to work with their previous load, v8.3.
They wanted me to stop using Tunnel interfaces and put the encryption directly on my WAN interface, but Cisco TAC and my fellow engineers agree that would break our other tunnels.
Now they are trying to use VTI on their side. There is a good bit of miscommunication and I'm not certain they know how to use VTI correctly. Not being familiar with VTI myself, I have some questions:
Would this work? Does anyone have a working example of a VPN tunnel between an ASR using Tunnel interfaces and an ASA using VTI interfaces?
What version of IKE is supported? We've been bouncing back and forth on IKEv1 and IKEv2, but some of the documentation I've seen leads me to think that ASAs using VTI interfaces can't use IKEv2. Is that correct?
There's confusion over the need for IP addresses on the Tunnel interface on the ASR side and on the VTI interface on the ASA side. Does VTI support an "unnumbered" interface tied to the IP address of the outside interface, the way my ASR's Tunnel interface ties to the IP address of my WAN interface?
If anyone has a working script example, that would be great. Thanks.
01-26-2018 06:34 AM
01-26-2018 06:39 AM
Thanks for the IKEv2 info.