VTIs with ASA

I've been stuck in more ways than one this year... working from home indefinitely seems to be the status quo right now, and I'm in "tunnel" mode for the most part. Most of the projects I'm working on have a common theme: connect on-premise to more cloud resources! One way to do that is using VTIs (Virtual Tunnel Interfaces). VTIs are not new; they've been around for a bit, Cisco IOS has had the feature for 10+ years! We only got this technology on the ASA when version 9.7 (2017) arrived....
In the old days, which wasn't that long ago.... we were stuck with crypto maps bound to interfaces and dealing with "interesting" traffic when working with ASAs... Well, time for a change: no more defining interesting traffic, we route these bits instead! Any traffic we want to go over the tunnel is simply routed over it, and we can apply ACLs on the inbound tunnel interface just like we do with physical interfaces, so simple...
Here is the topology I'm working with:

This is a pretty standard setup: basically we have two sites and want a tunnel between them. We can set up a VTI tunnel and route via the next-hop address. You can also run a routing protocol over this, so it scales out easily.
In this example I have two Cisco ASAs running version 9.12(2). Just like the old days, things have to match in order to get a tunnel up. I'm using IKEv2, and this policy has to match on both ends:
crypto ikev2 policy 1
encryption 3des
integrity sha
group 2
prf sha
lifetime seconds 86400
Note: please use stronger encryption than what I have, this is just for demonstration. :) I also found out that NIST will not allow 3DES starting in 2024. More information about 3DES and its history
We also need a group policy; this is configured on both ends (the name can be different):
group-policy P2P-VPN internal
group-policy P2P-VPN attributes
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol ikev2
periodic-authentication certificate none
Next we create the IPsec part of the tunnel; again these have to match on both ends:
crypto ipsec ikev2 ipsec-proposal VPN-P2P
protocol esp encryption aes-256
protocol esp integrity sha-256
Then the phase two IPsec profile, which references that proposal; match these on both ends ;)
crypto ipsec profile VPN-P2P-IPSEC
set ikev2 ipsec-proposal VPN-P2P
set pfs group2
set security-association lifetime seconds 84600
On site one we create a tunnel group pointing at site two (pre-shared keys have to match). In this example I'm using local and remote keys; just like you would expect, the remote key here matches the local key on the remote end, and vice versa.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 general-attributes
default-group-policy P2P-VPN
tunnel-group 203.0.113.2 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
On site two we do the same thing, flipping the IP addresses.
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 general-attributes
default-group-policy P2P-VPN
tunnel-group 198.51.100.2 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
The tunnel is defined, but in order to bring it up and use it we need to create a VTI interface on the ASAs. Here is how the tunnel interface looks on site one (the tunnel source interface is the one that faces the other site; in this case I'm going over the internet):
interface Tunnel80
nameif VPN-P2P
ip address 10.15.161.253 255.255.255.252
tunnel source interface ISP
tunnel destination 203.0.113.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-P2P-IPSEC
Jumping over to site two for that tunnel interface configuration (the tunnel interface names don't have to match in this case):
interface Tunnel80
nameif VPN-P2P
ip address 10.15.161.254 255.255.255.252
tunnel source interface ISP
tunnel destination 198.51.100.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-P2P-CPHX-IPSEC
We can see that we created a little point-to-point network inside the tunnel, and if we want traffic to go over this tunnel a simple route statement is all we need :)
route VPN-P2P 172.22.1.0 255.255.255.0 10.15.161.254 1
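Since everything in the steps above has to line up on both ends, here is a small checker I added (not part of the original post or of any Cisco tooling) that parses two trimmed ASA config snippets and reports the mismatches that keep a VTI down: IKEv2 policy differences, tunnel IPs that don't share a subnet, a tunnel destination that isn't the peer's WAN address, a referenced ipsec profile that is never defined, plus the weak settings the post itself warns about. The sample configs are constructed from the site one and site two snippets; the WEAK set is my own assumption.

```python
import ipaddress
# Settings the post itself calls too weak (assumption: extend this to your own policy).
WEAK = {"encryption 3des", "encryption des", "group 1", "group 2", "integrity md5"}
# Constructed sample trimmed to what the checker reads; a leading space marks a sub-command (ASA style).
TEMPLATE = """\
crypto ikev2 policy 1
 encryption 3des
 integrity sha
 group 2
crypto ipsec profile VPN-P2P-IPSEC
 set ikev2 ipsec-proposal VPN-P2P
interface Tunnel80
 ip address {ip} {mask}
 tunnel destination {peer}
 tunnel protection ipsec profile {profile}
"""
# Site two keeps the /31 mask and the VPN-P2P-CPHX-IPSEC name exactly as the post shows them.
SITE1 = TEMPLATE.format(ip="10.15.161.253", mask="255.255.255.252", peer="203.0.113.2", profile="VPN-P2P-IPSEC")
SITE2 = TEMPLATE.format(ip="10.15.161.254", mask="255.255.255.254", peer="198.51.100.2", profile="VPN-P2P-CPHX-IPSEC")

def parse(cfg):  # collect IKEv2 policy lines, defined ipsec profiles and the Tunnel interface settings
    d, section = {"ikev2": set(), "profiles": set()}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):                      # top-level command opens a new block
            section = "ikev2" if line.startswith("crypto ikev2 policy") else "tunnel" if line.startswith("interface Tunnel") else None
            if line.startswith("crypto ipsec profile"):
                d["profiles"].add(line.split()[-1])
        elif section == "ikev2":
            d["ikev2"].add(line)                         # e.g. "encryption 3des", "group 2"
        elif section == "tunnel":
            w = line.split()
            d[" ".join(w[:2])] = w[2:]                   # "ip address" -> [ip, mask], ...
    return d

def check_pair(cfg_a, wan_a, cfg_b, wan_b):  # findings as strings; an empty list means both ends agree
    a, b, out = parse(cfg_a), parse(cfg_b), []
    if a["ikev2"] != b["ikev2"]:
        out.append("ikev2 policy mismatch: " + ", ".join(sorted(a["ikev2"] ^ b["ikev2"])))
    nets = [ipaddress.ip_interface("/".join(s["ip address"])).network for s in (a, b)]
    if nets[0] != nets[1]:
        out.append(f"tunnel subnet mismatch: {nets[0]} vs {nets[1]}")
    if a["tunnel destination"][0] != wan_b or b["tunnel destination"][0] != wan_a:
        out.append("tunnel destination does not point at the peer's WAN address")
    for name, side in (("A", a), ("B", b)):
        if side["tunnel protection"][-1] not in side["profiles"]:
            out.append(f"site {name}: profile {side['tunnel protection'][-1]} is not defined")
    out += [f"weak ikev2 setting: {w}" for w in sorted((a["ikev2"] | b["ikev2"]) & WEAK)]
    return out
```

Run `check_pair(SITE1, "198.51.100.2", SITE2, "203.0.113.2")` and it flags the /30 vs /31 tunnel subnet, the undefined profile on site two, and the 3DES / group 2 settings; with those fixed only the weak-crypto warnings remain.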
A simple show command verifies that the tunnel is up (show crypto isakmp):
There are no IKEv1 SAs
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
3991227 198.51.100.2/500 203.0.113.2/500 READY INITIATOR
Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/3180 sec
Child sa: local selector 0.0.0.0/0 - 255.255.255.255/65535
remote selector 0.0.0.0/0 - 255.255.255.255/65535
ESP spi in/out: 0x8e25a2bf/0x90b25811
Just like that you have yourself a flexible tunnel interface that you can send routes down. No need to deal with crypto maps anymore; put those next to 3DES in the history books ;) These VTIs make it a breeze to configure.
The world keeps turning and we'll continue to navigate the times, as technology plays such a critical part in making sure communication between people and/or systems goes uninterrupted. We as engineers are right in the middle of it... Like always, I hope this information is helpful. Stay calm and carry on!