I configured a hub-and-spoke environment using three IPsec tunnels. vsrx-milan is my hub; vsrx-turin, fort-venice and asav-rome are the spokes:
my GNS3 lab topology
All tunnels work except the IPsec tunnel between vsrx-milan and asav-rome. Can you help me understand where the problem is? Here are some show outputs:
--------------------------------------------------------------------
root@vsrx-milan> show interfaces terse
Interface Admin Link Proto Local Remote
...
st0.1 up up inet 172.16.0.1/30
st0.2 up up inet 172.16.0.5/30
st0.3 up down inet 172.16.0.10/30 <----- INTERFACE DOWN!
--------------------------------------------------------------------
root@vsrx-milan> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
1049430 UP 6ec393bec2de3ee4 141b8b0ad7034f65 Main 93.12.12.23
1049436 DOWN ebf671cafe171d22 0000000000000000 Main 93.12.12.33
1049431 UP 85c3f656680265c0 058fec42c952aec7 Main 93.12.12.13
--------------------------------------------------------------------
I'm sure that the asav-rome configuration is OK, because I replaced the vSRX with another vASA and the IPsec tunnel between them worked. Attached are the vsrx-milan and asav-rome configurations.
NOTE: my ASAv uses a VTI interface to implement the IPsec tunnel. It doesn't use a security policy to define what traffic must be encrypted; it doesn't implement a policy-based IPsec VPN, it uses route-based logic just like a Juniper SRX.
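As an added example (not part of the original post), the following Python script reads the two vSRX outputs quoted above and turns them into a first-pass diagnosis. The sample text is transcribed from the post's outputs; the post does not say which st0 unit faces which IKE peer, so the script reports the down st0 unit and the failed IKE SA separately rather than assuming a mapping. The point it makes is the one a practitioner would look at first: an IKE SA that is DOWN with a responder cookie of all zeros means the hub has processed no reply at all from that peer, so the failure is before any proposal or key is compared.

```python
"""Parse vSRX `show interfaces terse` and `show security ike security-associations`
output and flag tunnels whose IKE peer never answered.

Added example, not code from the original post. The two sample outputs below
are constructed copies of what the post shows; nothing else is assumed.
"""
import re
from dataclasses import dataclass

# Constructed from the post's `show interfaces terse` output (st0 lines only).
INTERFACES_TERSE = """\
Interface Admin Link Proto Local Remote
st0.1 up up inet 172.16.0.1/30
st0.2 up up inet 172.16.0.5/30
st0.3 up down inet 172.16.0.10/30
"""

# Constructed from the post's `show security ike security-associations` output.
IKE_SAS = """\
Index State Initiator cookie Responder cookie Mode Remote Address
1049430 UP 6ec393bec2de3ee4 141b8b0ad7034f65 Main 93.12.12.23
1049436 DOWN ebf671cafe171d22 0000000000000000 Main 93.12.12.33
1049431 UP 85c3f656680265c0 058fec42c952aec7 Main 93.12.12.13
"""

ST0_RE = re.compile(r"^(st0\.\d+)\s+(\S+)\s+(\S+)\s+inet\s+(\S+)")
IKE_RE = re.compile(
    r"^(\d+)\s+(UP|DOWN)\s+([0-9a-f]{16})\s+([0-9a-f]{16})\s+(\S+)\s+(\S+)"
)


@dataclass
class IkeSa:
    index: int
    state: str
    initiator_cookie: str
    responder_cookie: str
    mode: str
    remote: str

    @property
    def peer_never_replied(self) -> bool:
        # An all-zero responder cookie means the SRX sent its first IKE message
        # but has processed no answer from the peer: negotiation never started.
        return self.responder_cookie == "0" * 16


def parse_st0(text: str) -> dict:
    """Return {unit: {"admin", "link", "local"}} for every st0 unit in the output."""
    units = {}
    for line in text.splitlines():
        m = ST0_RE.match(line.strip())
        if m:
            unit, admin, link, local = m.groups()
            units[unit] = {"admin": admin, "link": link, "local": local}
    return units


def parse_ike_sas(text: str) -> list:
    """Return one IkeSa per data row; the header row does not match the regex."""
    sas = []
    for line in text.splitlines():
        m = IKE_RE.match(line.strip())
        if m:
            idx, state, icookie, rcookie, mode, remote = m.groups()
            sas.append(IkeSa(int(idx), state, icookie, rcookie, mode, remote))
    return sas


def down_tunnels(st0_text: str, ike_text: str):
    """Return (st0 units with link down, IKE SAs in state DOWN)."""
    st0 = parse_st0(st0_text)
    link_down = sorted(u for u, v in st0.items() if v["link"] == "down")
    failed = [sa for sa in parse_ike_sas(ike_text) if sa.state == "DOWN"]
    return link_down, failed


def findings(st0_text: str, ike_text: str) -> list:
    """Human-readable diagnosis, one line per problem found."""
    link_down, failed = down_tunnels(st0_text, ike_text)
    out = []
    for unit in link_down:
        out.append(f"{unit}: link down, so no IPsec SA is currently bound to this st0 unit")
    for sa in failed:
        if sa.peer_never_replied:
            out.append(
                f"IKE SA {sa.index} to {sa.remote}: DOWN with responder cookie all zeros; "
                f"no IKE reply was ever received from {sa.remote}. Check that UDP/500 "
                f"(and UDP/4500 if NAT-T is in play) reaches that address and that the peer "
                f"has an IKE gateway for this hub's address, before comparing proposals or keys."
            )
        else:
            out.append(
                f"IKE SA {sa.index} to {sa.remote}: DOWN but the peer did answer; "
                f"negotiation started and then failed, so compare the phase 1 proposal, "
                f"pre-shared key and IKE identities on both sides."
            )
    return out


if __name__ == "__main__":
    for line in findings(INTERFACES_TERSE, IKE_SAS):
        print(line)
```

Run it as-is and it reports st0.3 as link-down and IKE SA 1049436 to 93.12.12.33 as never answered; to use it on a live box, paste the two show outputs into the two constants (or read them from files), since the regexes key only on the column layout the post shows.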