DVTI Hub Supports from FTD 7.3 and ASA 9.19
1. Create a loopback interface
Its IP can be /32.
2. Create a dynamic VTI
After clicking OK:
3. Create a S2S VPN and add the hub
After clicking Save:
4. Add a VPN spoke
After clicking OK:
5. Add bidirectional ACP
6. Add a static route or dynamic route
An ASAv spoke needs 9.19+ to support interface route injection (IKEv2 route learning). Because the FTD dVTI borrows its IP from the loopback interface, without this peer VTI host route the FTD will route the peer VTI IP to the loopback and will never be able to reach it via the VPN tunnel. This is important when running OSPF or BGP to reach the next hop.
tunnel-group x.x.x.x ipsec-attributes
ikev2 route set interface
https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2024/pdf/BRKSEC-3058.pdf
When configuring OSPF, the DVTI uses the IP borrowed from the loopback interface. A directly configured DVTI IP does not seem to work.
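To see why that peer VTI host route matters, here is an added example (not from the post, and not Cisco code) that simulates the hub's longest-prefix-match lookup. The hub's loopback prefix 172.16.32.1/24 comes from the "sh ip" output below; the spoke VTI address 172.16.32.2 and the egress interface name dVTI_va1 are assumed values chosen for the illustration. The example also covers the /32 loopback case from step 1, which the post only mentions in passing.

```python
import ipaddress

# Hub loopback as shown in the 'sh ip' output of the post; the virtual-access
# interface borrows this same address, so a connected route for the /24 points at Lo0.
HUB_LOOPBACK = "172.16.32.1/24"
# Constructed value: the spoke's VTI address is not shown in the post.
SPOKE_VTI_IP = "172.16.32.2"
# Assumed name of the virtual-access interface the spoke's tunnel lands on.
VA_IFACE = "dVTI_va1"


def connected_routes(loopback_cidr):
    """Routes the hub has before any tunnel comes up: just the loopback's connected prefix."""
    net = ipaddress.ip_interface(loopback_cidr).network
    return [(net, "Lo0")]  # (prefix, egress interface)


def with_injected_host_route(routes, peer_vti_ip, va_iface):
    """Model what IKEv2 route injection gives the hub: peer_vti_ip/32 via the VA interface."""
    return routes + [(ipaddress.ip_network(peer_vti_ip + "/32"), va_iface)]


def lookup(routes, dst):
    """Plain longest-prefix match: the most specific prefix containing dst wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def egress_for_peer(loopback_cidr, peer_ip, route_injected):
    """Return the interface the hub would send peer_ip out of, or None if there is no route."""
    routes = connected_routes(loopback_cidr)
    if route_injected:
        routes = with_injected_host_route(routes, peer_ip, VA_IFACE)
    hit = lookup(routes, peer_ip)
    return hit[1] if hit else None


if __name__ == "__main__":
    for lo in (HUB_LOOPBACK, "172.16.32.1/32"):
        for injected in (False, True):
            print(lo, "route injected" if injected else "no host route",
                  "->", egress_for_peer(lo, SPOKE_VTI_IP, injected))
```

With a /24 loopback and no injected route the peer address matches the connected prefix and is sent to Lo0, so it never enters the tunnel; with a /32 loopback there is no route at all. Only the injected /32 host route steers the peer VTI address into the virtual-access interface, which is why the spoke needs "ikev2 route set interface" before OSPF or BGP over the tunnel can work.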
After the spoke is configured, the first VPN is up:
CLI:
FTD72# sh crypto isakmp sa
There are no IKEv1 SAs
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote fvrf/ivrf Status Role
3652171 203.0.113.69/500 203.0.113.182/500 Global/Global READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/538 sec
Child sa: local selector 0.0.0.0/0 - 255.255.255.255/65535
remote selector 0.0.0.0/0 - 255.255.255.255/65535
ESP spi in/out: 0x15a0a104/0xb6b79b0b
FTD72#
FTD72# sh crypto ipsec sa
interface: dVTI_va1
Crypto map tag: dVTI_vtemplate_dyn_map, seq num: 1, local addr: 203.0.113.69
Protected vrf (ivrf): Global
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: 203.0.113.182
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 203.0.113.69/500, remote crypto endpt.: 203.0.113.182/500
path mtu 1500, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: B6B79B0B
current inbound spi : 15A0A104
inbound esp sas:
spi: 0x15A0A104 (362848516)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, VTI, }
slot: 0, conn_id: 1, crypto-map: dVTI_vtemplate_dyn_map
sa timing: remaining key lifetime (kB/sec): (4008960/28244)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xB6B79B0B (3065486091)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, VTI, }
slot: 0, conn_id: 1, crypto-map: dVTI_vtemplate_dyn_map
sa timing: remaining key lifetime (kB/sec): (4331520/28243)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
FTD72#
FTD72# sh ip
System IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 Outside 203.0.113.69 255.255.255.0 CONFIG
GigabitEthernet0/1 Inside 10.1.3.254 255.255.255.0 CONFIG
GigabitEthernet0/2 DMZ 192.168.1.254 255.255.255.0 CONFIG
GigabitEthernet0/3 Outside2 192.0.2.69 255.255.255.0 CONFIG
Management0/0 diagnostic 192.168.2.68 255.255.255.0 CONFIG
Loopback1 Lo0 172.16.32.1 255.255.255.0 manual
Virtual-Access1 dVTI_va1 172.16.32.1 255.255.255.0 CONFIG
Virtual-Template1 dVTI 172.16.32.1 255.255.255.0 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 Outside 203.0.113.69 255.255.255.0 CONFIG
GigabitEthernet0/1 Inside 10.1.3.254 255.255.255.0 CONFIG
GigabitEthernet0/2 DMZ 192.168.1.254 255.255.255.0 CONFIG
GigabitEthernet0/3 Outside2 192.0.2.69 255.255.255.0 CONFIG
Management0/0 diagnostic 192.168.2.68 255.255.255.0 CONFIG
Loopback1 Lo0 172.16.32.1 255.255.255.0 manual
Virtual-Access1 dVTI_va1 172.16.32.1 255.255.255.0 CONFIG
Virtual-Template1 dVTI 172.16.32.1 255.255.255.0 CONFIG
FTD72#
FTD72# sh int Virtual-Access1
Interface Virtual-Access1 "dVTI_va1", is up, line protocol is up
Hardware is Virtual Access MAC address N/A, MTU 1422
IP address 172.16.32.1, subnet mask 255.255.255.0
Vaccess Interface Information:
Source IP address: 203.0.113.69
Destination IP address: 203.0.113.182
Vaccess cloned from template 1
Mode: ipsec ipv4 IPsec profile: FMC_IPSEC_PROFILE_1
IPsec MTU Overhead : 78
FTD72#
After the 2nd spoke is up:
FTD72# sh crypto isakmp sa
There are no IKEv1 SAs
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote fvrf/ivrf Status Role
3652171 203.0.113.69/500 203.0.113.182/500 Global/Global READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/2199 sec
Child sa: local selector 0.0.0.0/0 - 255.255.255.255/65535
remote selector 0.0.0.0/0 - 255.255.255.255/65535
ESP spi in/out: 0x15a0a104/0xb6b79b0b
IKEv2 SAs:
Session-id:2, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote fvrf/ivrf Status Role
6249513 203.0.113.69/500 203.0.113.183/500 Global/Global READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/51 sec
Child sa: local selector 0.0.0.0/0 - 255.255.255.255/65535
remote selector 0.0.0.0/0 - 255.255.255.255/65535
ESP spi in/out: 0xc325d547/0xbb55eaf3
FTD72#
FTD72#
FTD72# sh crypto ipsec sa
interface: dVTI_va1
Crypto map tag: dVTI_vtemplate_dyn_map, seq num: 1, local addr: 203.0.113.69
Protected vrf (ivrf): Global
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: 203.0.113.182
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 10, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 203.0.113.69/500, remote crypto endpt.: 203.0.113.182/500
path mtu 1500, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: B6B79B0B
current inbound spi : 15A0A104
inbound esp sas:
spi: 0x15A0A104 (362848516)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, VTI, }
slot: 0, conn_id: 1, crypto-map: dVTI_vtemplate_dyn_map
sa timing: remaining key lifetime (kB/sec): (4008959/26545)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x000007FF
outbound esp sas:
spi: 0xB6B79B0B (3065486091)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, VTI, }
slot: 0, conn_id: 1, crypto-map: dVTI_vtemplate_dyn_map
sa timing: remaining key lifetime (kB/sec): (4331519/26545)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
interface: dVTI_va2
Crypto map tag: dVTI_vtemplate_dyn_map, seq num: 1, local addr: 203.0.113.69
Protected vrf (ivrf): Global
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: 203.0.113.183
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 203.0.113.69/500, remote crypto endpt.: 203.0.113.183/500
path mtu 1500, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: BB55EAF3
current inbound spi : C325D547
inbound esp sas:
spi: 0xC325D547 (3274036551)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, VTI, }
slot: 0, conn_id: 2, crypto-map: dVTI_vtemplate_dyn_map
sa timing: remaining key lifetime (kB/sec): (4147200/28692)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xBB55EAF3 (3142970099)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, VTI, }
slot: 0, conn_id: 2, crypto-map: dVTI_vtemplate_dyn_map
sa timing: remaining key lifetime (kB/sec): (4193280/28692)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
FTD72#
FTD72# sh int virtual-access2
Interface Virtual-Access2 "dVTI_va2", is up, line protocol is up
Hardware is Virtual Access MAC address N/A, MTU 1422
IP address 172.16.32.1, subnet mask 255.255.255.0
Vaccess Interface Information:
Source IP address: 203.0.113.69
Destination IP address: 203.0.113.183
Vaccess cloned from template 1
Mode: ipsec ipv4 IPsec profile: FMC_IPSEC_PROFILE_1
IPsec MTU Overhead : 78
FTD72#
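The two "sh crypto ipsec sa" captures above show the kind of check worth automating on a hub with many spokes: after the 2nd spoke came up, dVTI_va1 has 10 packets encapsulated and decapsulated while dVTI_va2 sits at 0/0 with its SAs active, which is exactly what a tunnel that is up but unreachable (for example because the peer VTI host route is missing) looks like. Here is an added example, not from the post and not Cisco code, that parses that output per interface and audits each tunnel for SA state, expected transform, PFS group and the "up but idle" condition. The sample text is trimmed from the hub's own output above; the allowlist of transforms and the minimum PFS group are assumed policy values.

```python
import re
from dataclasses import dataclass, field

# Trimmed from the hub's 'sh crypto ipsec sa' output after the 2nd spoke came up.
SAMPLE = """\
interface: dVTI_va1
current_peer: 203.0.113.182
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
inbound esp sas:
spi: 0x15A0A104 (362848516)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, VTI, }
outbound esp sas:
spi: 0xB6B79B0B (3065486091)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, VTI, }
interface: dVTI_va2
current_peer: 203.0.113.183
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
inbound esp sas:
spi: 0xC325D547 (3274036551)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, VTI, }
outbound esp sas:
spi: 0xBB55EAF3 (3142970099)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, VTI, }
"""


@dataclass
class Tunnel:
    interface: str
    peer: str = ""
    encaps: int = 0
    decaps: int = 0
    sa_states: set = field(default_factory=set)   # inbound and outbound SA states seen
    transforms: set = field(default_factory=set)  # transform strings seen
    pfs_groups: set = field(default_factory=set)  # PFS DH groups seen


def parse_ipsec_sa(text):
    """Split 'show crypto ipsec sa' output into one Tunnel per 'interface:' block."""
    tunnels = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"interface: (\S+)$", line)
        if m:
            cur = Tunnel(interface=m.group(1))
            tunnels.append(cur)
            continue
        if cur is None:
            continue
        if (m := re.match(r"current_peer: (\S+)", line)):
            cur.peer = m.group(1)
        elif (m := re.match(r"#pkts encaps: (\d+)", line)):
            cur.encaps = int(m.group(1))
        elif (m := re.match(r"#pkts decaps: (\d+)", line)):
            cur.decaps = int(m.group(1))
        elif (m := re.match(r"SA State: (\S+)", line)):
            cur.sa_states.add(m.group(1))
        elif (m := re.match(r"transform: (.+)", line)):
            cur.transforms.add(m.group(1))
        elif (m := re.search(r"PFS Group (\d+)", line)):
            cur.pfs_groups.add(int(m.group(1)))
    return tunnels


def audit(tunnels, allowed_transforms=("esp-aes-256 esp-sha-256-hmac",), min_pfs_group=14):
    """Return {interface: [issue, ...]}; an empty list means the tunnel passed every check.
    The allowed transforms and minimum PFS group are assumed policy values."""
    findings = {}
    for t in tunnels:
        issues = []
        if t.sa_states != {"active"}:
            issues.append("sa-not-active")
        for tr in sorted(t.transforms):
            if not tr.startswith(allowed_transforms):
                issues.append("unexpected-transform:" + tr)
        if not t.pfs_groups:
            issues.append("no-pfs")
        for g in sorted(t.pfs_groups):
            if g < min_pfs_group:
                issues.append(f"weak-pfs-group:{g}")
        if t.encaps == 0 and t.decaps == 0:
            issues.append("up-but-idle")  # SAs exist but nothing crosses the tunnel
        findings[t.interface] = issues
    return findings


if __name__ == "__main__":
    for iface, issues in audit(parse_ipsec_sa(SAMPLE)).items():
        print(iface, "OK" if not issues else ", ".join(issues))
```

Run against the trimmed capture this reports dVTI_va1 as OK and dVTI_va2 as up-but-idle. A tunnel flagged up-but-idle shortly after it was built is harmless, but one that stays idle is the routing symptom described in step 6 and worth checking with "show route" on both ends before touching the crypto configuration.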
The Devices > VPN > Site-to-Site page does show multiple spoke tunnels if the spokes are extranet. If the spokes are FMC-managed FTDs, all of them will be listed.
Appendix:
Firepower OSPF Configuration
Area tab:
Add all networks to advertise in OSPF
Add the VTI interface that sends OSPF Hellos
https://www.youtube.com/watch?v=vWDdtat4Uc4