Hello,
I'm trying to set up an IPSec tunnel between two Cisco ASAs in a lab using VTI interfaces. I cannot, however, seem to get the tunnel interfaces to come up on the ASAs or the IPSec tunnel to work...
This is so that I can run dynamic routing protocols across the VTI interfaces.
The VTI interfaces just show as down/down and I cannot figure out why...
Any assistance would be greatly appreciated.
Here is the configuration:
Site A:
crypto ikev2 policy 10
encryption aes-256
integrity sha512
group 14
prf sha512
lifetime seconds 86400
!
crypto ikev2 enable OUTSIDE
!
crypto ipsec ikev2 ipsec-proposal PROPOSAL
protocol esp encryption aes-256
protocol esp integrity sha512
!
crypto ipsec profile IPSECPROFILE
set ikev2 ipsec-proposal PROPOSAL
!
group-policy 192.168.1.2 internal
group-policy 192.168.1.2 attributes
vpn-tunnel-protocol ikev2
!
tunnel-group 192.168.1.2 type ipsec-l2l
tunnel-group 192.168.1.2 general-attributes
default-group-policy 192.168.1.2
tunnel-group 192.186.1.2 ipsec-attributes
ikev2 local-authentication pre-shared-key CISCO123
ikev2 remote-authentication pre-shared-key CISCO456
!
interface tunnel 10
nameif VTI
ip address 172.16.2.1 255.255.255.0
tunnel source interface OUTSIDE
tunnel destination 192.168.1.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSECPROFILE
!
Site B:
crypto ikev2 policy 10
encryption aes-256
integrity sha512
group 14
prf sha512
lifetime seconds 86400
!
crypto ikev2 enable OUTSIDE
!
crypto ipsec ikev2 ipsec-proposal PROPOSAL
protocol esp encryption aes-256
protocol esp integrity sha512
!
crypto ipsec profile IPSECPROFILE
set ikev2 ipsec-proposal PROPOSAL
!
group-policy 192.168.1.1 internal
group-policy 192.168.1.1 attributes
vpn-tunnel-protocol ikev2
!
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 general-attributes
default-group-policy 192.168.1.1
tunnel-group 192.186.1.1 ipsec-attributes
ikev2 local-authentication pre-shared-key CISCO123
ikev2 remote-authentication pre-shared-key CISCO456
!
interface tunnel 10
nameif VTI
ip address 172.16.2.2 255.255.255.0
tunnel source interface OUTSIDE
tunnel destination 192.168.1.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSECPROFILE
!
There is then a static route on both ASAs for the VTI interface to route from LAN subnet A <--> LAN subnet B.
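An added cross-check (example code, not from the original post or from Cisco): it parses constructed excerpts of the two configs above and reports where the tunnel-group names and pre-shared keys would fail to pair up between the peers. It assumes the ASA selects an L2L tunnel-group by the peer's address, so the `ipsec-attributes` group must be named exactly as the `tunnel destination`, and that one side's `local-authentication` key must equal the other side's `remote-authentication` key.

```python
import re

# Constructed excerpts of the Site A / Site B configs pasted above (only the lines the check reads).
SITE_A = """
tunnel-group 192.186.1.2 ipsec-attributes
 ikev2 local-authentication pre-shared-key CISCO123
 ikev2 remote-authentication pre-shared-key CISCO456
interface tunnel 10
 tunnel destination 192.168.1.2
"""
SITE_B = """
tunnel-group 192.186.1.1 ipsec-attributes
 ikev2 local-authentication pre-shared-key CISCO123
 ikev2 remote-authentication pre-shared-key CISCO456
interface tunnel 10
 tunnel destination 192.168.1.1
"""

def parse(cfg):
    """Collect tunnel destinations and the local/remote PSK configured under each tunnel-group."""
    info = {"destinations": set(), "psk": {}}
    current = None  # tunnel-group whose ipsec-attributes block we are inside
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"tunnel-group (\S+) ipsec-attributes$", line):
            current = m.group(1)
            info["psk"].setdefault(current, {})
        elif current and (m := re.match(r"ikev2 (local|remote)-authentication pre-shared-key (\S+)$", line)):
            info["psk"][current][m.group(1)] = m.group(2)
        elif m := re.match(r"tunnel destination (\S+)$", line):
            info["destinations"].add(m.group(1))
    return info

def check_pair(cfg_a, cfg_b):
    """Return findings that would stop IKEv2 authenticating the peers (empty list = consistent)."""
    findings = []
    sides = {"A": parse(cfg_a), "B": parse(cfg_b)}
    for name, info in sides.items():
        for dest in info["destinations"]:
            # The ASA picks the L2L tunnel-group by peer address, so the name must equal the destination.
            if dest not in info["psk"]:
                findings.append(f"{name}: no ipsec-attributes (PSK) under a tunnel-group named {dest}")
    # One side's local PSK must equal the other side's remote PSK, in both directions.
    for ga, pa in sides["A"]["psk"].items():
        for gb, pb in sides["B"]["psk"].items():
            for mine, theirs in (("local", "remote"), ("remote", "local")):
                if pa.get(mine) != pb.get(theirs):
                    findings.append(f"A {ga} {mine} PSK != B {gb} {theirs} PSK")
    return findings
```

Calling `check_pair(SITE_A, SITE_B)` returns four findings for the configs as posted; an empty list means the two sides are consistent with each other.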