vSRX


Route-based IPsec VPN between ASAv and vSRX

  • 1.  Route-based IPsec VPN between ASAv and vSRX

    Posted 11-17-2017 03:40

    I configured a hub and spokes environment using three IPsec tunnels. vsrx-milan is my hub, vsrx-turin, fort-venice and asav-rome are the spokes:

     

    [Image: my GNS3 lab topology]

     

    All tunnels work except the IPsec tunnel between vsrx-milan and asav-rome. Can you help me understand where the problem is? Some show outputs follow:

    --------------------------------------------------------------------

    root@vsrx-milan> show interfaces terse
    Interface Admin Link Proto Local Remote
    ...
    st0.1 up up inet 172.16.0.1/30
    st0.2 up up inet 172.16.0.5/30
    st0.3 up down inet 172.16.0.10/30 <----- INTERFACE DOWN!

    --------------------------------------------------------------------
    root@vsrx-milan> show security ike security-associations
    Index State Initiator cookie Responder cookie Mode Remote Address
    1049430 UP 6ec393bec2de3ee4 141b8b0ad7034f65 Main 93.12.12.23
    1049436 DOWN ebf671cafe171d22 0000000000000000 Main 93.12.12.33
    1049431 UP 85c3f656680265c0 058fec42c952aec7 Main 93.12.12.13

    --------------------------------------------------------------------

     

    I'm sure that the asav-rome configuration is OK, because I replaced the vSRX with another vASA and the IPsec tunnel between them worked. Attached are the vsrx-milan and asav-rome configurations.

     

    NOTE: my ASAv uses a VTI interface to implement the IPsec tunnel. It doesn't use a security policy to define what traffic must be encrypted, it doesn't implement a policy-based IPsec VPN, it uses route-based logic just like a Juniper SRX.

    Attachment(s)

    txt
    vsrx-milan.txt   11K 1 version
    txt
    asav-rome.txt   9K 1 version


  • 2.  RE: Route-based IPsec VPN between ASAv and vSRX
    Best Answer

     
    Posted 11-17-2017 07:01

    Probably the external interface:

     

    IKE_GATEWAY_UBI_ROME external-interface st0.3

     

    Please change it to GE. 
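
The misconfiguration identified in the answer above (an IKE gateway whose external-interface is the st0 tunnel unit instead of the GE interface) can be checked for before commit. The following is an added example, not part of the original thread or the attached configurations; the sample config is constructed, and `IKE_POLICY_EXAMPLE`, `IKE_GATEWAY_EXAMPLE`, `VPN_EXAMPLE_ROME` and `ge-0/0/0.0` are placeholder names.

```python
import re

# Constructed sample in Junos "set" format. Only the gateway name, st0.3 and the
# peer addresses appear in the thread; every other name here is a placeholder.
SAMPLE_CONFIG = """\
set security ike gateway IKE_GATEWAY_UBI_ROME ike-policy IKE_POLICY_EXAMPLE
set security ike gateway IKE_GATEWAY_UBI_ROME address 93.12.12.33
set security ike gateway IKE_GATEWAY_UBI_ROME external-interface st0.3
set security ike gateway IKE_GATEWAY_EXAMPLE address 93.12.12.13
set security ike gateway IKE_GATEWAY_EXAMPLE external-interface ge-0/0/0.0
set security ipsec vpn VPN_EXAMPLE_ROME bind-interface st0.3
set security ipsec vpn VPN_EXAMPLE_ROME ike gateway IKE_GATEWAY_UBI_ROME
"""

EXT_IF_RE = re.compile(r"^set security ike gateway (\S+) external-interface (\S+)\s*$")
GW_RE = re.compile(r"^set security ike gateway (\S+) ")
BIND_RE = re.compile(r"^set security ipsec vpn (\S+) bind-interface (\S+)\s*$")


def audit_external_interfaces(config_text):
    """Return (gateway, problem) tuples for IKE gateways bound to a tunnel interface."""
    gateways, ext_if, bound = set(), {}, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := GW_RE.match(line):
            gateways.add(m.group(1))
        if m := EXT_IF_RE.match(line):
            ext_if[m.group(1)] = m.group(2)
        elif m := BIND_RE.match(line):
            bound[m.group(2)] = m.group(1)  # st0 unit -> VPN that binds it

    findings = []
    for gw in sorted(gateways):
        iface = ext_if.get(gw)
        if iface is None:
            findings.append((gw, "no external-interface statement found"))
        elif iface.startswith("st0"):
            note = f"external-interface {iface} is a tunnel interface"
            if iface in bound:
                note += f" (bind-interface of vpn {bound[iface]})"
            findings.append((gw, note + "; point it at the GE interface facing the peer"))
    return findings


if __name__ == "__main__":
    for gw, problem in audit_external_interfaces(SAMPLE_CONFIG):
        print(f"{gw}: {problem}")
```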



  • 3.  RE: Route-based IPsec VPN between ASAv and vSRX

    Posted 11-17-2017 07:32

    You are right! Finally my lab is completed! Thank you, it was not such a difficult problem after all.



  • 4.  RE: Route-based IPsec VPN between ASAv and vSRX

     
    Posted 11-17-2017 08:09

    You are welcome, and glad that you are all set!