VTIs with ASA

Share on:

I've been stuck in more ways then one this year...working from home indefinitely seems to be the status quo right now, and I'm in "tunnel" mode for most part. Most of these projects I'm working on all of common theme.. connect on-premise to more cloud resources! One way to do that is using VTIs. (Virtual Tunnel Interfaces) VTIs which are not new...been around for a bit, Cisco IOS had the feature available like 10+ years ago! We only got introduced into this technology with ASA when version 9.7 (2017) and above arrived....

In the old days, which wasn't that long ago.... We were stuck with cryptomaps to interfaces and dealing with "interesting" traffic when working with ASAs...Well time for change no more defining interesting traffic, we route these bits instead! Any traffic we want to go over the tunnel is routed over, we can apply ACLs on the inbound interface just like we do with physical interfaces, so simple...

Here is the topology I'm working with:

This is a pretty standard setup, basically we have two sites and want a tunnel between them. We can setup a VTI Tunnel and route via the next hop address. You can also run a routing protocol over this so this can scale out easy.

In this example I got two Cisco ASAs using version 9.12(2), just like the old days, things have to match in order to get a tunnel up. In this example I'm using IKEv2 this policy has to match on both ends:

1crypto ikev2 policy 1
2 encryption 3des
3 integrity sha
4 group 2
5 prf sha
6 lifetime seconds 86400

:!: Please use a higher encryption than what I have, this is just for demonstration. :) I also found out that NIST will not allow 3DES starting in 2024. More Information about the 3DES and history

We got match a group policy this is configured on both ends, (name could be different)

1group-policy P2P-VPN internal
2group-policy P2P-VPN attributes
3 vpn-idle-timeout 30
4 vpn-session-timeout none
5 vpn-filter none
6 vpn-tunnel-protocol ikev2 
7 periodic-authentication certificate none

Next we we create the IPSEC part of the tunnel, again these have to match on both ends:

1crypto ipsec ikev2 ipsec-proposal VPN-P2P
2 protocol esp encryption aes-256
3 protocol esp integrity sha-256

Phase Two of the tunnel for IPSEC Proposal, match them on both ends ;)

1crypto ipsec profile VPN-P2P-IPSEC
2 set ikev2 ipsec-proposal VPN-P2P
3 set pfs group2
4 set security-association lifetime seconds 84600

On the site one we create a tunnel group to site two. (preshared keys have to match) In this example I'm using local and remote keys, just like you would expect remote key would match the local key on the remote end, and vise versa.

1tunnel-group 203.0.113.2 type ipsec-l2l
2tunnel-group 203.0.113.2 general-attributes
3 default-group-policy P2P-VPN
4tunnel-group 203.0.113.2 ipsec-attributes
5 ikev2 remote-authentication pre-shared-key *****
6 ikev2 local-authentication pre-shared-key *****

On site two we do the same thing, flipping the IP addresses.

1tunnel-group 198.51.100.2 type ipsec-l2l
2tunnel-group 198.51.100.2 general-attributes
3 default-group-policy P2P-VPN
4tunnel-group 198.51.100.2 ipsec-attributes
5 ikev2 remote-authentication pre-shared-key *****
6 ikev2 local-authentication pre-shared-key *****

Tunnel is created but in order to bring it up and use we need to create VTI interface on the ASA's. Here is how site one looks for the the tunnel interface. (tunnel source interface is the direction of how to get to the other site, in this case I'm using the internet)

1interface Tunnel80
2 nameif VPN-P2P
3 ip address 10.15.161.253 255.255.255.252 
4 tunnel source interface ISP
5 tunnel destination 203.0.113.2
6 tunnel mode ipsec ipv4
7 tunnel protection ipsec profile VPN-P2P-IPSEC

If we jump over to site two for that tunnel interface configuration (tunnel interfaces don't have to match in this case)

1interface Tunnel80
2 nameif VPN-P2P
3 ip address 10.15.161.254 255.255.255.254 
4 tunnel source interface ISP
5 tunnel destination 198.51.100.2
6 tunnel mode ipsec ipv4
7 tunnel protection ipsec profile VPN-P2P-CPHX-IPSEC

We can see that we created a little point to point network within the tunnel and if we wanted traffic over this tunnel a simple route statement is all we need :)

1route VPN-P2P 172.22.1.0 255.255.255.0 10.15.161.254 1

A simple show command verifies that the tunnel is up (show crypto isakmp)

 1There are no IKEv1 SAs
 2
 3IKEv2 SAs:
 4
 5Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
 6
 7Tunnel-id Local                                               Remote                                                  Status         Role
 8  3991227 198.51.100.2/500                                    203.0.113.2/500                                          READY    INITIATOR
 9      Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
10      Life/Active Time: 86400/3180 sec
11Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
12          remote selector 0.0.0.0/0 - 255.255.255.255/65535
13          ESP spi in/out: 0x8e25a2bf/0x90b25811 

Just like that you got yourself a flexible tunnel interface that you can send routes down it, don't need to deal with crypto maps anymore put those next to the history of 3DES ;) These VTIs make it a breeze to configure.

The World Keeps Turning and we'll continue to navigate the times as technology plays such a critical piece in making sure communication between people and or systems goes uninterrupted. We as engineers are right in the middle of it... like always I hope this information is helpful, stay calm and carry on!