ASA Route Based VPN
Prior to the 9.7 code release, the ASA only supported Policy Based VPNs, which can cause a lot of issues when connecting to other vendors. If you are running 9.7+, you can now create a proper Route Based VPN, which lets you connect to other vendors with far less headache and overhead.
Route Based VPN
Route Based VPNs differ from Policy Based in that you will only have one IPSec Security Association per peer. With Policy Based, you would have multiple SAs (Phase 2s), as each tunnel had an identifier for each network combination in your Encryption Domain. You can force multiple SAs for a Route Based VPN, but in general it is just the one SA for the entire Encryption Domain.
Basic VPN Configuration Start:
We will start by creating the basics of the Site to Site VPN. This first part is the same whether the VPN is Route Based or Policy Based.
Here are our requirements for the VPN:
Remote Peer IP: 220.127.116.11
Remote Network: 10.10.0.0/16
Local Peer IP: 18.104.22.168
Local Network: 172.24.0.0/16
Phase 1 Parameters:
Encryption: AES-128
Hash Alg.: SHA1
DH Group: Group 2
Phase 2 Parameters:
Encryption: AES-256
Hash Alg.: SHA1
PFS DH: Group 5
To configure this on the ASA, the commands look like the following. Please note that I am writing this as if it were the first VPN on my ASA, so you may not need some of the commands. (Note: if you already have VPNs configured, make sure you are not overwriting your existing ikev1 policy.)
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 1
 encryption aes
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
tunnel-group 22.214.171.124 type ipsec-l2l
tunnel-group 126.96.36.199 ipsec-attributes
 ikev1 pre-shared-key Th1nkN3t$Ec
crypto ipsec ikev1 transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
New Configuration for Route Based
This next bit of configuration is new and is what is needed to complete the Route Based VPN. We will create an IPSec Profile that references the settings we created earlier, then bind it to a new VTI (Virtual Tunnel Interface) on the ASA, which is used to specify the Phase 2 configuration. Notice that we have not used the Remote Network anywhere in this configuration yet; we will configure that next, after we create the VTI.
crypto ipsec profile ROUTE-BASED-PROFILE
 set ikev1 transform-set ESP-AES128-SHA
 set security-association lifetime seconds 28800
 set pfs group5
interface Tunnel0
 nameif ROUTE-BASED
 ip address 169.254.224.253 255.255.255.252
 tunnel source interface OUTSIDE
 tunnel destination 188.8.131.52
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ROUTE-BASED-PROFILE
Routing Traffic over the Route Based VPN
In my use case we will not be doing dynamic routing but static routing. The routes are what define the encryption domain for the Route Based VPN. Since the ASA cannot reference an interface for routing and needs a Next-Hop, I will use an APIPA address to simulate the Next-Hop. This APIPA address does not have to be configured on the other side of the VPN; it is only needed to trick the local ASA so that a static route can be created for the new VTI.
route ROUTE-BASED 10.10.0.0 255.255.0.0 169.254.224.254
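Because the route, the VTI, the IPSec profile and the tunnel-group are configured in separate places, a typo in any one of them silently leaves the encryption domain empty or the tunnel down. The following Python script is an added example (not part of this article and not a Cisco tool) that parses those pieces out of a saved ASA config and checks that they agree: the VTI's profile is defined, the tunnel destination has an ipsec-l2l tunnel-group, and the static route's next-hop is a different address inside the VTI's /30, which is exactly the APIPA trick above. The sample config is constructed for the example, with a documentation address as the peer.

```python
import ipaddress
import re

# Constructed sample (not the article's own configuration): a route-based VPN
# whose profile, VTI, tunnel-group and static route all agree with each other.
GOOD_CONFIG = """\
crypto ipsec profile ROUTE-BASED-PROFILE
 set pfs group5
interface Tunnel0
 nameif ROUTE-BASED
 ip address 169.254.224.253 255.255.255.252
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile ROUTE-BASED-PROFILE
tunnel-group 203.0.113.10 type ipsec-l2l
route ROUTE-BASED 10.10.0.0 255.255.0.0 169.254.224.254
"""

def check_vti_config(text):
    """Return a list of findings for a route-based VPN config; empty means consistent."""
    profiles = set(re.findall(r"^crypto ipsec profile (\S+)", text, re.M))
    tgroups = set(re.findall(r"^tunnel-group (\S+) type ipsec-l2l", text, re.M))
    routes = re.findall(r"^route (\S+) \S+ \S+ (\S+)", text, re.M)  # (nameif, next-hop)
    findings = []
    # Each VTI block runs from "interface TunnelN" to the next top-level (unindented) line.
    for name, body in re.findall(r"^interface (Tunnel\d+)\n((?: .*\n)*)", text, re.M):
        def field(pattern):
            m = re.search(pattern, body, re.M)
            return m.group(1) if m else None
        nameif = field(r"^ nameif (\S+)")
        net = field(r"^ ip address (\S+ \S+)")
        peer = field(r"^ tunnel destination (\S+)")
        profile = field(r"^ tunnel protection ipsec profile (\S+)")
        if profile not in profiles:
            findings.append(f"{name}: ipsec profile {profile} is not defined")
        if peer not in tgroups:
            findings.append(f"{name}: no ipsec-l2l tunnel-group for peer {peer}")
        iface = ipaddress.ip_interface(net.replace(" ", "/"))  # "addr mask" -> "addr/mask"
        hops = [ipaddress.ip_address(nh) for ifname, nh in routes if ifname == nameif]
        if not hops:
            findings.append(f"{name}: no static route uses {nameif}, so nothing is encrypted")
        for hop in hops:
            # The next-hop only has to be some other address in the VTI's own subnet.
            if hop == iface.ip or hop not in iface.network:
                findings.append(f"{name}: next-hop {hop} must be another address in {iface.network}")
    return findings
```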
If you would like to know more or see more articles on VPNs, please let me know. You can contact me and I will do what I can to help.