Saturday, July 27, 2019

Cisco ASA - VTI IPSec Assistance

Hello,

I'm trying to set up an IPSec tunnel between two Cisco ASAs in a lab using VTI interfaces. I cannot, however, seem to get the tunnel interfaces to come up on the ASAs or the IPSec tunnel to work...

This is so that I can run dynamic routing protocols across the VTI interfaces.

The VTI interfaces just show as down/down and I cannot figure out why...

Any assistance would be greatly appreciated.

Here is the configuration:

Site A:

crypto ikev2 policy 10
 encryption aes-256
 integrity sha512
 group 14
 prf sha512
 lifetime seconds 86400
!
crypto ikev2 enable OUTSIDE
!
crypto ipsec ikev2 ipsec-proposal PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha512
!
crypto ipsec profile IPSECPROFILE
 set ikev2 ipsec-proposal PROPOSAL
!
group-policy 192.168.1.2 internal
group-policy 192.168.1.2 attributes
 vpn-tunnel-protocol ikev2
!
tunnel-group 192.168.1.2 type ipsec-l2l
tunnel-group 192.168.1.2 general-attributes
 default-group-policy 192.168.1.2
tunnel-group 192.186.1.2 ipsec-attributes
 ikev2 local-authentication pre-shared-key CISCO123
 ikev2 remote-authentication pre-shared-key CISCO456
!
interface tunnel 10
 nameif VTI
 ip address 172.16.2.1 255.255.255.0
 tunnel source interface OUTSIDE
 tunnel destination 192.168.1.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSECPROFILE
!

Site B:

crypto ikev2 policy 10
 encryption aes-256
 integrity sha512
 group 14
 prf sha512
 lifetime seconds 86400
!
crypto ikev2 enable OUTSIDE
!
crypto ipsec ikev2 ipsec-proposal PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha512
!
crypto ipsec profile IPSECPROFILE
 set ikev2 ipsec-proposal PROPOSAL
!
group-policy 192.168.1.1 internal
group-policy 192.168.1.1 attributes
 vpn-tunnel-protocol ikev2
!
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 general-attributes
 default-group-policy 192.168.1.1
tunnel-group 192.186.1.1 ipsec-attributes
 ikev2 local-authentication pre-shared-key CISCO123
 ikev2 remote-authentication pre-shared-key CISCO456
!
interface tunnel 10
 nameif VTI
 ip address 172.16.2.2 255.255.255.0
 tunnel source interface OUTSIDE
 tunnel destination 192.168.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSECPROFILE
!

There is then a static route on both ASAs for the VTI interface to route from LAN subnet A <--> LAN subnet B.
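As an added illustration (not code from the post or from Cisco), a small Python consistency check over constructed excerpts of the two configurations above. It parses the tunnel-group, pre-shared-key and tunnel destination lines, reports an ipsec-attributes block whose name does not match the VTI's tunnel destination (so the actual peer has no PSK), and checks that the keys mirror between sides (Site A's local key must be Site B's remote key, and vice versa). The parser is deliberately simplified and is not an ASA tool.

```python
import re

# Constructed excerpts of the two configurations in the post (only the lines this check reads).
SITE_A = """\
tunnel-group 192.168.1.2 type ipsec-l2l
tunnel-group 192.186.1.2 ipsec-attributes
 ikev2 local-authentication pre-shared-key CISCO123
 ikev2 remote-authentication pre-shared-key CISCO456
 tunnel destination 192.168.1.2
"""
SITE_B = """\
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.186.1.1 ipsec-attributes
 ikev2 local-authentication pre-shared-key CISCO123
 ikev2 remote-authentication pre-shared-key CISCO456
 tunnel destination 192.168.1.1
"""

def parse(cfg):
    """Collect ipsec-l2l tunnel-group names, PSKs per ipsec-attributes block, and VTI destinations."""
    l2l, psk, dests, cur = set(), {}, set(), None
    for line in (raw.strip() for raw in cfg.splitlines()):
        if m := re.match(r"tunnel-group (\S+) type ipsec-l2l$", line):
            l2l.add(m.group(1))
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes$", line):
            psk.setdefault(cur := m.group(1), {})   # following PSK lines belong to this block
        elif (m := re.match(r"ikev2 (local|remote)-authentication pre-shared-key (\S+)$", line)) and cur:
            psk[cur][m.group(1)] = m.group(2)
        elif m := re.match(r"tunnel destination (\S+)$", line):
            dests.add(m.group(1))
    return l2l, psk, dests

def check_site(name, cfg):
    """Each VTI peer needs an ipsec-l2l tunnel-group and a PSK block under exactly that address."""
    l2l, psk, dests = parse(cfg)
    out = [f"{name}: no 'tunnel-group {d} type ipsec-l2l' for tunnel destination {d}" for d in dests - l2l]
    out += [f"{name}: no ipsec-attributes (PSK) block for tunnel destination {d}" for d in dests - set(psk)]
    out += [f"{name}: ipsec-attributes block '{g}' matches no ipsec-l2l tunnel-group (typo?)" for g in set(psk) - l2l]
    return out

def check_pair(cfg_a, cfg_b):
    """Both site checks, then PSK mirroring: A's local key must be B's remote key and vice versa."""
    out = check_site("Site A", cfg_a) + check_site("Site B", cfg_b)
    psk_a = next(iter(parse(cfg_a)[1].values()), {})  # first (here the only) PSK block on each side
    psk_b = next(iter(parse(cfg_b)[1].values()), {})
    for a, b in (("local", "remote"), ("remote", "local")):
        if psk_a.get(a) != psk_b.get(b):
            out.append(f"pair: Site A {a} PSK does not equal Site B {b} PSK")
    return out
```

Run `check_pair(SITE_A, SITE_B)` to list every finding; an empty list means the two sides agree on tunnel-group naming and key mirroring.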
