ASA VPN Loopback

Cisco ASA version 9.19(1) introduced support for loopback interfaces. A loopback interface can be used with VPNs as the tunnel source of a VTI, and its address can be lent to the tunnel interface with IP unnumbered.

When the loopback interface is configured as the source interface for a VTI, the tunnel takes its IP address from the loopback instead of having an address statically configured on the tunnel interface. The loopback interface helps to overcome path failures: because loopbacks are always up and can be advertised through dynamic routing protocols such as BGP, they provide a stable endpoint that remains reachable even if a physical interface fails, as traffic simply re-routes to the loopback via an alternate path.

Additionally, the loopback can be used to lend the IP address to a tunnel interface, which simplifies and scales VPN designs by eliminating the need for per-tunnel IP addressing. This reduces IP consumption and simplifies management.

This post covers configuring a loopback interface for tunnel source and IP unnumbered.

Software

The information in this post is based on software versions: –

  • Cisco ASA virtual 9.20.2(2)

Configuration

Initial Configuration

The configuration below represents the initial configuration of the ASA, with a working tunnel that does not yet use the loopback interface.

crypto ikev2 policy 5
 encryption aes-gcm-256 aes-gcm-192 aes-gcm
 integrity null
 group 21 20 19
 prf sha256
 lifetime seconds 86400
!
crypto ikev2 enable OUTSIDE
!
crypto ipsec ikev2 ipsec-proposal TSET
 protocol esp encryption aes-gcm-256
 protocol esp integrity sha-256
!
crypto ipsec profile IPSEC-PROFILE
 set ikev2 ipsec-proposal TSET
 set pfs group19
!
tunnel-group 3.3.3.1 type ipsec-l2l
tunnel-group 3.3.3.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 192.168.250.1 255.255.255.252
!
interface GigabitEthernet0/1
 nameif OUTSIDE
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
interface Tunnel1
 nameif TUNNEL1
 ip address 10.5.0.1 255.255.255.0
 tunnel source interface OUTSIDE
 tunnel destination 3.3.3.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE

Using a Loopback for the Tunnel Source

In this example, the loopback IP address will be used as the source for a VTI, instead of the outside interface IP address.

NOTE – You cannot assign the loopback an IP address from the same network as the outside interface; the loopback must use an IP address from a different network that is routable to the outside interface of the ASA. Otherwise you receive the following error message: –

ASA1(config-if)# ip address 1.1.1.5 255.255.255.0
ERROR: Failed to apply IP address to interface Loopback2, as the network overlaps with interface.
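The overlap rule behind that error can be checked before touching the ASA. The script below is an added example written for this post (it is not Cisco code and does not reproduce the ASA's internal check); it uses the INSIDE and OUTSIDE addressing from the initial configuration as a constructed sample and rejects any proposed loopback address whose network overlaps an existing interface.

```python
import ipaddress

# Constructed from the addressing used in this post (INSIDE and OUTSIDE from the
# initial configuration); not exported from a real ASA.
EXISTING_INTERFACES = {
    "INSIDE": "192.168.250.1/30",
    "OUTSIDE": "1.1.1.1/24",
}


def overlapping_interface(candidate, interfaces):
    """Return the nameif whose network overlaps the candidate, or None if it is unique.

    Pre-check written for this post that applies the rule behind the ASA error
    'network overlaps with interface'; it is not the ASA's own logic.
    """
    cand_net = ipaddress.ip_interface(candidate).network
    for nameif, addr in interfaces.items():
        if cand_net.overlaps(ipaddress.ip_interface(addr).network):
            return nameif
    return None


def plan_loopback(candidate, interfaces):
    """Return (accepted, message) for a proposed loopback address, refusing any overlap."""
    clash = overlapping_interface(candidate, interfaces)
    if clash is not None:
        return False, f"{candidate} overlaps the network on interface {clash}; pick a unique network"
    # Uniqueness is necessary but not sufficient: the address must still be routable
    # via OUTSIDE for the peer to reach it, which cannot be verified offline.
    return True, f"{candidate} is unique; confirm it is routable via OUTSIDE"


if __name__ == "__main__":
    # 1.1.1.5/24 is the address the post shows being rejected; the other two are accepted.
    for proposal in ("1.1.1.5/24", "2.2.2.1/24", "10.5.100.1/32"):
        print(plan_loopback(proposal, EXISTING_INTERFACES))
```

Feed it the interface list from show ip and the address you intend to configure; a clash names the interface that would trigger the ASA error.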

Configure the loopback interface, assigning a routable IP address and a nameif.

interface Loopback1
 description VPN 1 tunnel source
 nameif SOURCE-LOOP
 ip address 2.2.2.1 255.255.255.0

Amend the configuration of the tunnel interface and specify the tunnel source as the nameif of the Loopback interface.

interface Tunnel1
 nameif TUNNEL1
 ip address 10.5.0.1 255.255.255.0
 tunnel source interface SOURCE-LOOP
 tunnel destination 3.3.3.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE

Run show ip; the output confirms the IP address of the physical OUTSIDE interface is 1.1.1.1 and the Loopback1 IP address is 2.2.2.1.

ASA1(config)# show ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       INSIDE                 192.168.250.1   255.255.255.252 manual
GigabitEthernet0/1       OUTSIDE                1.1.1.1         255.255.255.0   manual
Loopback1                SOURCE-LOOP            2.2.2.1         255.255.255.0   manual
Tunnel1                  TUNNEL1                10.5.0.1        255.255.255.0   manual

Run the command show crypto ikev2 sa detail. From the output below we can confirm the tunnel is established and that the Local id is 2.2.2.1, which is the IP address of Loopback1.

ASA1(config)# show crypto ikev2 sa detail

IKEv2 SAs:

Session-id:42, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                                               Remote                                                                     fvrf/ivrf     Status         Role
94650751 2.2.2.1/500                                         3.3.3.1/500                                                             Global/Global      READY    INITIATOR
Encr: AES-GCM, keysize: 256, Hash: N/A, DH Grp:21, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/939 sec
Session-id: 42
Status Description: Negotiation done
Local spi: 9BA73A3D00EABDE9       Remote spi: 9DEF11782054BA00
Local id: 2.2.2.1
Remote id: 3.3.3.1
Local req mess id: 94             Remote req mess id: 0
Local next mess id: 94            Remote next mess id: 0
Local req queued: 94              Remote req queued: 0
Local window: 1                   Remote window: 1
DPD configured for 10 seconds, retry 2
NAT-T is not detected
IKEv2 Fragmentation Configured MTU: 576 bytes, Overhead: 28 bytes, Effective MTU: 548 bytes
VTI Interface: TUNNEL1 / Tunnel1
Parent SA Extended Status:
Delete in progress: FALSE
Marked for delete: FALSE
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
remote selector 0.0.0.0/0 - 255.255.255.255/65535
ESP spi in/out: 0x4132eeb3/0x5b5f28fa
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-GCM, keysize: 256, esp_hmac: N/A
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel

Run the command show interface TUNNEL1. From the output we can confirm the Source interface is SOURCE-LOOP, the nameif of Loopback1.

ASA1(config)# show int TUNNEL1

Interface Tunnel1 "TUNNEL1", is up, line protocol is up
Hardware is Virtual Tunnel    MAC address N/A, MTU 1445
IP address 10.5.0.1, subnet mask 255.255.255.0
Tunnel Interface Information:
Source interface: SOURCE-LOOP     IP address: 2.2.2.1
Destination IP address: 3.3.3.1
IPsec MTU Overhead : 55
Mode: ipsec ipv4        IPsec profile: IPSEC-PROFILE

Unnumbered IP

In this example, the VTI interface will “borrow” the IP address from a loopback interface using the ip unnumbered command.

  • IKEv2 routing is required for the peers to send the tunnel interface IP address during the IKEv2 exchange; this provides unicast reachability between the VTI interfaces so that BGP can work over the tunnel.
  • When using BGP you must specify the loopback nameif as the update source.

Configure a loopback, defining the ip address and nameif.

interface Loopback2
 nameif TUNNEL-LOOP
 ip address 10.5.100.1 255.255.255.255

Instead of configuring ip address, configure ip unnumbered <NAMEIF>, where <NAMEIF> is the nameif of the loopback interface.

interface Tunnel1
 nameif TUNNEL1
 ip unnumbered TUNNEL-LOOP
 tunnel source interface SOURCE-LOOP
 tunnel destination 3.3.3.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE

The command ikev2 route set interface configured under the tunnel-group will send the tunnel IP address as part of the IKEv2 exchange.

tunnel-group 3.3.3.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
 ikev2 route set interface

When using ip unnumbered on the tunnel interface and eBGP for dynamic routing, you need to specify the source interface using the command neighbor <ip address> update-source <nameif of loopback>; otherwise the BGP adjacency will fail.

If using a numbered IP address on the tunnel interface, you do not need to specify the update source.

router bgp 65000
 bgp log-neighbor-changes
 address-family ipv4 unicast
  neighbor 10.5.100.2 remote-as 65001
  neighbor 10.5.100.2 update-source TUNNEL-LOOP
  neighbor 10.5.100.2 activate
  no auto-summary
  no synchronization
 exit-address-family

Without IKEv2 routing (the ikev2 route set interface command, which sends the loopback (tunnel) IP address to the peer), the ASA sees the tunnel network (10.5.100.0/24) as connected to the loopback interface (TUNNEL-LOOP) rather than the tunnel interface (TUNNEL1).

ASA1# show route | i 10.5.100
C        10.5.100.0 255.255.255.0 is directly connected, TUNNEL-LOOP
L        10.5.100.1 255.255.255.255 is directly connected, TUNNEL-LOOP

As a result, there is no communication between the peers.

ASA1# ping 10.5.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.5.100.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

With IKEv2 routing configured, the ASA will have a VPN (V) route for the peer’s tunnel IP address connected to the tunnel interface (TUNNEL1).

ASA1# show route | i 10.5.100
C        10.5.100.0 255.255.255.0 is directly connected, TUNNEL-LOOP
L        10.5.100.1 255.255.255.255 is directly connected, TUNNEL-LOOP
V        10.5.100.2 255.255.255.255 connected by VPN (advertised), TUNNEL1
ASA1#
ASA1# ping 10.5.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.5.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/58/190 ms
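The difference between the two route tables above is a longest-prefix-match question: does the peer's tunnel IP resolve to the V route out of TUNNEL1, or only to the connected /24 on the loopback? The script below is an added example written for this post (not Cisco code); it parses both captures of show route | i 10.5.100 from this post as constructed samples and reports whether the peer is reachable through the VTI.

```python
import ipaddress
import re

# Constructed from the two 'show route | i 10.5.100' captures in the post:
# before and after 'ikev2 route set interface' was added to the tunnel-group.
ROUTES_WITHOUT_IKEV2_ROUTING = """\
C        10.5.100.0 255.255.255.0 is directly connected, TUNNEL-LOOP
L        10.5.100.1 255.255.255.255 is directly connected, TUNNEL-LOOP
"""

ROUTES_WITH_IKEV2_ROUTING = """\
C        10.5.100.0 255.255.255.0 is directly connected, TUNNEL-LOOP
L        10.5.100.1 255.255.255.255 is directly connected, TUNNEL-LOOP
V        10.5.100.2 255.255.255.255 connected by VPN (advertised), TUNNEL1
"""

# Code, network, mask, then whatever follows; the token after the last comma is the
# egress nameif for C/L/V routes (BGP lines carry an uptime there instead).
ROUTE_RE = re.compile(
    r"^(?P<code>\S+)\s+(?P<network>\d+(?:\.\d+){3})\s+(?P<mask>\d+(?:\.\d+){3})\s+.*,\s*(?P<via>\S+)\s*$"
)


def parse_routes(text):
    """Parse 'show route' lines into (code, network, via) tuples, skipping non-route lines."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        net = ipaddress.ip_network(f"{m['network']}/{m['mask']}", strict=False)
        routes.append((m["code"], net, m["via"]))
    return routes


def best_route(routes, ip):
    """Longest-prefix match for a destination, as the forwarding lookup does it."""
    addr = ipaddress.ip_address(ip)
    candidates = [r for r in routes if addr in r[1]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[1].prefixlen)


def peer_reachable_via_vti(text, peer_ip, vti_nameif):
    """True only when the peer's tunnel IP resolves to a VPN (V) route out of the VTI.

    Anything else (no route, or the connected /24 pointing back at the loopback that
    lent its address to the tunnel) is the state behind the failed ping above.
    """
    route = best_route(parse_routes(text), peer_ip)
    return route is not None and route[0] == "V" and route[2] == vti_nameif


if __name__ == "__main__":
    for label, text in (("without IKEv2 routing", ROUTES_WITHOUT_IKEV2_ROUTING),
                        ("with IKEv2 routing", ROUTES_WITH_IKEV2_ROUTING)):
        route = best_route(parse_routes(text), "10.5.100.2")
        ok = peer_reachable_via_vti(text, "10.5.100.2", "TUNNEL1")
        print(f"{label}: best route {route[0]} via {route[2]} -> {'OK' if ok else 'PEER UNREACHABLE'}")
```

The same check works on a full show route capture, since lines that are not routes (the code legend, the gateway of last resort) simply fail the regex and are skipped.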

The command show crypto ikev2 sa detail displays the active IKEv2 SA; the Remote subnets entry confirms the peer's tunnel IP address was learned through the IKEv2 exchange.

ASA1# show crypto ikev2 sa detail

IKEv2 SAs:
Session-id:29, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local                                               Remote                                     fvrf/ivrf     Status         Role
121792649 2.2.2.1/500                                         3.3.3.1/500                             Global/Global      READY    INITIATOR
Encr: AES-GCM, keysize: 256, Hash: N/A, DH Grp:21, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/103 sec
Session-id: 29
Status Description: Negotiation done
Local spi: 7EA6E50F8457579E       Remote spi: 7FF5EEFD03CF8FC5
Local id: 2.2.2.1
Remote id: 3.3.3.1
Local req mess id: 4              Remote req mess id: 9
Local next mess id: 4             Remote next mess id: 9
Local req queued: 4               Remote req queued: 9
Local window: 1                   Remote window: 1
DPD configured for 10 seconds, retry 2
NAT-T is not detected
IKEv2 Fragmentation Configured MTU: 576 bytes, Overhead: 28 bytes, Effective MTU: 548 bytes
VTI Interface: TUNNEL1 / Tunnel1
      Remote subnets:
        10.5.100.2 255.255.255.255
Parent SA Extended Status:
Delete in progress: FALSE
Marked for delete: FALSE
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
remote selector 0.0.0.0/0 - 255.255.255.255/65535
ESP spi in/out: 0x7086d941/0x2ce3bd36
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-GCM, keysize: 256, esp_hmac: N/A
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
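Both show crypto ikev2 sa detail captures in this post (the tunnel-source one earlier and the IP unnumbered one just above) can be verified with the same parser: Local id must be the loopback address, the SA must be bound to the expected VTI, and, once IKEv2 routing is on, the peer's tunnel IP must appear under Remote subnets. The script below is an added example written for this post (not Cisco code); the two sample outputs are trimmed, constructed copies of the captures shown above.

```python
import ipaddress
import re

# Constructed from the two 'show crypto ikev2 sa detail' captures in the post (trimmed).
SA_TUNNEL_SOURCE_ONLY = """\
IKEv2 SAs:

Session-id:42, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                 Remote                fvrf/ivrf     Status   Role
94650751 2.2.2.1/500            3.3.3.1/500           Global/Global READY    INITIATOR
Local id: 2.2.2.1
Remote id: 3.3.3.1
VTI Interface: TUNNEL1 / Tunnel1
Parent SA Extended Status:
Delete in progress: FALSE
"""

SA_WITH_IKEV2_ROUTING = """\
IKEv2 SAs:
Session-id:29, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local                 Remote                fvrf/ivrf     Status   Role
121792649 2.2.2.1/500           3.3.3.1/500           Global/Global READY    INITIATOR
Local id: 2.2.2.1
Remote id: 3.3.3.1
VTI Interface: TUNNEL1 / Tunnel1
      Remote subnets:
        10.5.100.2 255.255.255.255
Parent SA Extended Status:
Delete in progress: FALSE
"""

SUBNET_RE = re.compile(r"^(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})$")


def parse_ikev2_sa(text):
    """Pull the fields that matter for a loopback-sourced VTI out of the show output."""
    sa = {"status": None, "local_id": None, "remote_id": None, "vti": None, "remote_subnets": []}
    in_subnets = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_subnets:
            # 'Remote subnets:' is followed by indented 'network mask' lines until the next heading.
            m = SUBNET_RE.match(line)
            if m:
                sa["remote_subnets"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
                continue
            in_subnets = False
        m = re.search(r"\bStatus:([A-Z-]+)", line)   # the 'Session-id:..., Status:UP-ACTIVE' line
        if m and sa["status"] is None:
            sa["status"] = m[1]
        for key, field in (("Local id:", "local_id"), ("Remote id:", "remote_id")):
            if line.startswith(key):
                sa[field] = line[len(key):].strip()
        if line.startswith("VTI Interface:"):        # 'VTI Interface: TUNNEL1 / Tunnel1' -> nameif
            sa["vti"] = line.split(":", 1)[1].split("/")[0].strip()
        if line.startswith("Remote subnets:"):
            in_subnets = True
    return sa


def check_loopback_vti(sa, loopback_ip, vti_nameif, peer_tunnel_ip=None):
    """Return a list of findings; an empty list means the SA matches the design."""
    findings = []
    if sa["status"] != "UP-ACTIVE":
        findings.append(f"SA status is {sa['status']}, expected UP-ACTIVE")
    if sa["local_id"] != loopback_ip:
        findings.append(f"Local id {sa['local_id']} is not the loopback address {loopback_ip}")
    if sa["vti"] != vti_nameif:
        findings.append(f"SA is bound to {sa['vti']}, expected {vti_nameif}")
    if peer_tunnel_ip is not None:
        # Only meaningful for IP unnumbered with 'ikev2 route set interface' configured.
        peer = ipaddress.ip_address(peer_tunnel_ip)
        if not any(peer in net for net in sa["remote_subnets"]):
            findings.append(f"no Remote subnets entry for {peer_tunnel_ip}: IKEv2 routing not learned")
    return findings


if __name__ == "__main__":
    print(check_loopback_vti(parse_ikev2_sa(SA_TUNNEL_SOURCE_ONLY), "2.2.2.1", "TUNNEL1"))
    print(check_loopback_vti(parse_ikev2_sa(SA_WITH_IKEV2_ROUTING), "2.2.2.1", "TUNNEL1", "10.5.100.2"))
```

Pass peer_tunnel_ip only for the IP unnumbered design; against the earlier tunnel-source-only capture it correctly reports that no Remote subnets entry exists, because IKEv2 routing was not yet configured there.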

Run show route bgp and confirm the BGP routes received from the peer, with the peer's tunnel IP address as the next hop.

ASA1# show route bgp

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
SI - Static InterVRF, BI - BGP InterVRF
Gateway of last resort is 1.1.1.2 to network 0.0.0.0

B        10.20.0.1 255.255.255.255 [20/11] via 10.5.100.2, 00:12:30
B        10.20.1.1 255.255.255.255 [20/11] via 10.5.100.2, 00:12:30
B        192.168.251.0 255.255.255.0 [20/0] via 10.5.100.2, 00:12:30

Key Points

Summary of the key points when using loopback interfaces.

  • The loopback IP address must be reachable by the peer and be routed by the service provider.
  • You cannot use an IP address from the same network as configured on another interface; the network must be unique.
  • When using IP unnumbered, enable IKEv2 routing.
  • When using IP unnumbered with BGP, specify the loopback as the source, otherwise adjacency will not be established.

 
