Cisco Secure Firewall ASA version 9.19 introduces the Dynamic Virtual Tunnel Interface (DVTI) route-based VPN, an alternative to a policy-based VPN (crypto map). A VTI is always up, unlike a policy-based VPN, which requires interesting traffic before the VPN is established. Once the VTI is up, dynamic (OSPF, EIGRP or BGP) or static routes are used to route traffic over the VPN. To add networks, they only need to be advertised into the routing protocol for the VPN peers to learn them; no modification to the VPN settings is required. Using a Dynamic VTI allows for a Hub and Spoke topology, not full mesh. For spokes to communicate with each other, all traffic must traverse the Hub ASA.
This post will cover the steps to configure a hub and spoke topology on ASA firewalls, with a DVTI on the Hub ASA and static VTI on the spoke ASA.
Configuration
The diagram below represents the topology used.
Hub
The following represents the configuration of a Dynamic VTI on an ASA.
Configure the IKEv2 Policy and IPSec Proposal.
crypto ikev2 policy 5
 encryption aes-gcm-256
 integrity null
 group 20
 prf sha256
 lifetime seconds 86400
!
crypto ipsec ikev2 ipsec-proposal PROP
 protocol esp encryption aes-gcm-256
Configure an IPSec Profile, reference the IKEv2 IPSec proposal and configure PFS (optional).
crypto ipsec profile IPSEC-PROFILE
 set ikev2 ipsec-proposal PROP
 set pfs group20
Configure a group-policy and specify the allowed tunnel protocols. This is not strictly necessary, as the Default Group Policy already permits IKEv2.
group-policy DVTI-POLICY internal
group-policy DVTI-POLICY attributes
 vpn-tunnel-protocol ikev2
Create a loopback interface; this will be used as the tunnel IP address.
interface Loopback1
 description Tunnel Interface
 nameif LOOPBACK
 ip address 172.21.0.1 255.255.255.0
Configure a virtual template interface and specify the following settings:
- Define a nameif
- Use the loopback interface as the tunnel IP address.
- Specify the tunnel source as the OUTSIDE interface.
- Set the tunnel mode as ipsec ipv4
- Define the IPSec Profile
interface Virtual-Template1 type tunnel
 nameif TUNNEL
 ip unnumbered LOOPBACK
 tunnel source interface OUTSIDE
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE
Configure a tunnel-group for each peer IP address of the spoke ASAs, define the Pre-Shared Key (PSK), reference the group-policy and configure the command ikev2 route set interface, which sends the tunnel IP address to the remote peer. The virtual-template is explicitly referenced under the tunnel-group.
tunnel-group 2.2.2.1 type ipsec-l2l
tunnel-group 2.2.2.1 general-attributes
 default-group-policy DVTI-POLICY
tunnel-group 2.2.2.1 ipsec-attributes
 virtual-template 1
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
 ikev2 route set interface
!
tunnel-group 3.3.3.1 type ipsec-l2l
tunnel-group 3.3.3.1 general-attributes
 default-group-policy DVTI-POLICY
tunnel-group 3.3.3.1 ipsec-attributes
 virtual-template 1
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
 ikev2 route set interface
Configure EIGRP routing protocol (OSPF, BGP and EIGRP are now supported).
router eigrp 1
 network 172.21.0.0 255.255.255.0
Spokes
The following configuration can be used for either spoke ASA; the configuration is identical except that the loopback interface IP address must be unique per spoke.
Configure the same IKEv2 Policy and IPSec Proposal as used on the Hub ASA.
crypto ikev2 policy 5
 encryption aes-gcm-256
 integrity null
 group 20
 prf sha256
 lifetime seconds 86400
!
crypto ipsec ikev2 ipsec-proposal PROP
 protocol esp encryption aes-gcm-256
 protocol esp integrity sha-256
Configure an IPSec Profile, reference the IKEv2 IPSec proposal and configure PFS (optional), which should match the PFS group used on the hub ASA.
crypto ipsec profile IPSEC-PROFILE
 set ikev2 ipsec-proposal PROP
 set pfs group20
Configure a tunnel-group for the peer IP address of the Hub ASA, define the Pre-Shared Key (PSK), reference the group-policy and configure the command ikev2 route set interface, which sends the tunnel IP address to the remote peer.
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
 ikev2 route set interface
Create a loopback interface with a unique IP address per spoke; this will be used as the tunnel IP address.
interface Loopback1
 description Tunnel Interface
 nameif LOOPBACK
 ip address 172.21.0.2 255.255.255.0
Create a static VTI interface, with the following settings:
- Define a nameif
- Use the loopback interface as the tunnel IP address
- Define the tunnel source as the OUTSIDE interface
- Specify the tunnel destination IP address of the Hub ASA
- Set the tunnel mode as ipsec ipv4
- Define the IPSec Profile
interface Tunnel1
 nameif TUNNEL
 ip unnumbered LOOPBACK
 tunnel source interface OUTSIDE
 tunnel destination 1.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE
Configure EIGRP routing protocol to advertise the local networks.
router eigrp 1
 network 172.21.0.0 255.255.255.0
 network 10.20.0.0 255.255.255.0
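The spoke steps above require the IKEv2 policy, IPsec proposal and PFS group to match the hub, and a mismatch in any of them is the usual reason an IKEv2 tunnel never comes up (the failure is only visible in IKEv2 debugs). The following Python script is an added example, not code from the original post or from Cisco: it parses ASA-style configuration text into sections, follows the IPsec profile to its proposal, and reports every parameter that differs between the hub and the spoke. The configuration strings are constructed from the hub and spoke snippets in this post; run against them, the checker reports that the spoke proposal carries protocol esp integrity sha-256 while the hub proposal has no integrity line.

```python
# Constructed from the hub and spoke configuration given in this post.
HUB_CONFIG = """\
crypto ikev2 policy 5
 encryption aes-gcm-256
 integrity null
 group 20
 prf sha256
 lifetime seconds 86400
!
crypto ipsec ikev2 ipsec-proposal PROP
 protocol esp encryption aes-gcm-256
!
crypto ipsec profile IPSEC-PROFILE
 set ikev2 ipsec-proposal PROP
 set pfs group20
"""

SPOKE_CONFIG = """\
crypto ikev2 policy 5
 encryption aes-gcm-256
 integrity null
 group 20
 prf sha256
 lifetime seconds 86400
!
crypto ipsec ikev2 ipsec-proposal PROP
 protocol esp encryption aes-gcm-256
 protocol esp integrity sha-256
!
crypto ipsec profile IPSEC-PROFILE
 set ikev2 ipsec-proposal PROP
 set pfs group20
"""

# Same spoke config with the extra integrity line removed, to show a clean result.
SPOKE_CONFIG_FIXED = SPOKE_CONFIG.replace(" protocol esp integrity sha-256\n", "")


def parse_sections(config):
    """Split ASA config text into {section header: [sub-commands]}.
    A non-indented line opens a section; indented lines belong to it."""
    sections, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace():
            if current is not None:
                sections[current].append(line.strip())
        else:
            current = line.strip()
            sections.setdefault(current, [])
    return sections


def body_params(body):
    """Map a sub-command minus its last token to that token,
    e.g. 'protocol esp encryption aes-gcm-256' -> {'protocol esp encryption': 'aes-gcm-256'}."""
    params = {}
    for line in body:
        words = line.split()
        params[" ".join(words[:-1])] = words[-1]
    return params


def ikev2_policies(sections):
    """Parameter dicts of every 'crypto ikev2 policy N' section."""
    return [body_params(body) for header, body in sections.items()
            if header.startswith("crypto ikev2 policy ")]


def ipsec_chain(sections, profile):
    """Follow an IPsec profile to the proposal it references."""
    prof = body_params(sections.get(f"crypto ipsec profile {profile}", []))
    name = prof.get("set ikev2 ipsec-proposal")
    proposal = body_params(sections.get(f"crypto ipsec ikev2 ipsec-proposal {name}", []))
    return {"pfs": prof.get("set pfs"), "proposal": proposal}


def diff_params(label, hub, spoke):
    """Describe each key whose value differs or is missing on one side."""
    return [f"{label} '{key}': hub={hub.get(key)} spoke={spoke.get(key)}"
            for key in sorted(set(hub) | set(spoke)) if hub.get(key) != spoke.get(key)]


def compare_peers(hub_config, spoke_config, profile="IPSEC-PROFILE"):
    """Return mismatch descriptions; an empty list means the crypto settings line up."""
    hub, spoke = parse_sections(hub_config), parse_sections(spoke_config)
    mismatches = []
    # Policy numbers are local to each ASA; the peers only need one policy whose parameters agree.
    if not any(h == s for h in ikev2_policies(hub) for s in ikev2_policies(spoke)):
        mismatches.append("no IKEv2 policy with identical parameters on both peers")
    hub_chain, spoke_chain = ipsec_chain(hub, profile), ipsec_chain(spoke, profile)
    if hub_chain["pfs"] != spoke_chain["pfs"]:
        mismatches.append(f"PFS group: hub={hub_chain['pfs']} spoke={spoke_chain['pfs']}")
    mismatches += diff_params("ipsec-proposal", hub_chain["proposal"], spoke_chain["proposal"])
    return mismatches


if __name__ == "__main__":
    for problem in compare_peers(HUB_CONFIG, SPOKE_CONFIG) or ["crypto parameters match"]:
        print(problem)
```

Paste the output of show running-config crypto from each ASA into the two strings to check a real pair of peers before troubleshooting with debugs. The IKEv2 policy comparison deliberately ignores the policy number, since each side only needs one policy whose parameters agree.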
Verification
Hub
With a route-based VPN a tunnel will automatically be established without generating interesting traffic (assuming the configuration is correct), so the tunnels should already be established.
From the Hub ASA run show crypto ikev2 sa to confirm IKEv2 SAs have been established for both peer spoke ASAs. The output below confirms an IKEv2 SA established for both peers (2.2.2.1 and 3.3.3.1).
Run show interface ip brief. From the output below we can confirm two virtual-access interfaces have been dynamically created, one for each peer.
Run show crypto ikev2 sa detail. You can confirm which virtual-access interface is used by which peer (remote id).
Run show ip route static. The V routes are dynamic VPN-related routes for the remote peer's tunnel IP address; these are sent by the remote ASA during the IKEv2 exchange and relate to the command ikev2 route set interface configured under the tunnel-group. This option enables unicast reachability between the VTI interfaces so that BGP can work over the tunnel.
NOTE – the command ikev2 route set interface is available from ASA version 9.19. Pre ASA 9.19 a static route can be used instead.
From the Hub ASA run show route eigrp. From the output below we can confirm the local networks are received from the spokes, with the next hop IP address being the peer tunnel IP address.
Spoke
From the CLI of Spoke1’s ASA run show crypto ikev2 sa detail. From the output below, we can confirm the IKEv2 SA to the hub has been established using the static VTI interface – Tunnel1.
From the CLI of Spoke1's ASA run show route eigrp. From the output below you can determine that the Hub route (10.10.0.0) and Spoke2's networks are routed via the VTI tunnel, which has the next hop IP address of the Hub (172.21.0.1).
From the LAN behind the Spoke1 ASA (10.20.1.1), we will traceroute to spoke2 LAN (10.30.1.1). From the output below, notice there is only one hop.
Traffic is NOT routed directly from Spoke1 to Spoke2; the VPN is a Hub and Spoke topology and all traffic is routed via the Hub. Traffic is routed over the VPN from Spoke1 to the Hub and from the Hub to Spoke2. It appears to be routed directly because by default the ASA does not decrement the TTL, so the ASA does not appear in the traceroute.
To make the ASA appear as a hop in the traceroute and confirm traffic flow, configure the global_policy to decrement the TTL. Configure the following on all the ASAs.
class-map TTL
 match any
!
policy-map global_policy
 class TTL
  set connection decrement-ttl
Run traceroute from the Spoke1 LAN to the Spoke2 LAN again. From the output below we can confirm traffic is routed to the Spoke1 ASA (inside interface), then the Hub ASA (tunnel interface), then the Spoke2 ASA (tunnel interface) and finally reaches the destination.
Summary
Configuration of a DVTI on a Hub ASA and a VTI on spoke ASAs is straightforward; anyone familiar with FlexVPN will notice similarities in commands and operation.
DVTI has also been introduced in Cisco Secure Firewall FTD from version 7.3.