Route-based IPsec VPN between ASAv and vSRX

‎11-17-2017 03:40 AM

I configured a hub and spokes environment using three IPsec tunnels. vsrx-milan is my hub, vsrx-turin, fort-venice and asav-rome are the spokes:

 

[Image: my GNS3 lab topology]

 

All tunnels work except the IPsec tunnel between vsrx-milan and asav-rome. Can you help me to understand where the problem is? Some show outputs follow:

--------------------------------------------------------------------

root@vsrx-milan> show interfaces terse
Interface Admin Link Proto Local Remote
...
st0.1 up up inet 172.16.0.1/30
st0.2 up up inet 172.16.0.5/30
st0.3 up down inet 172.16.0.10/30 <----- INTERFACE DOWN!

--------------------------------------------------------------------
root@vsrx-milan> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
1049430 UP 6ec393bec2de3ee4 141b8b0ad7034f65 Main 93.12.12.23
1049436 DOWN ebf671cafe171d22 0000000000000000 Main 93.12.12.33
1049431 UP 85c3f656680265c0 058fec42c952aec7 Main 93.12.12.13

--------------------------------------------------------------------

 

I'm sure that the asav-rome configuration is OK, because I replaced the vsrx with another vASA and the IPsec tunnel between them worked. Attached are the vsrx-milan and asav-rome configurations.

 

NOTE: my ASAv uses a VTI interface to implement the IPsec tunnel. It doesn't use a security policy to define what traffic must be encrypted and it doesn't implement a policy-based IPsec VPN; it uses route-based logic, just like a Juniper SRX.

Solution
Accepted by topic author andreaquerci
‎11-17-2017 07:32 AM

Re: Route-based IPsec VPN between ASAv and vSRX

‎11-17-2017 07:01 AM

Probably the external interface:

 

IKE_GATEWAY_UBI_ROME external-interface st0.3

 

Please change it to GE. 

Regards,
Gokul
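
The misconfiguration identified in the reply above can be checked for mechanically: an IKE gateway's external-interface has to be the interface that carries IKE traffic to the peer, not the st0 tunnel unit that only comes up once negotiation succeeds. The following is an added example, not part of the original thread or the poster's configuration; only the gateway name IKE_GATEWAY_UBI_ROME and st0.3 come from the thread, and every other name and interface in the sample is constructed.

```python
import re

# Constructed sample in Junos "set" format; only IKE_GATEWAY_UBI_ROME and
# st0.3 come from the thread, all other names and interfaces are assumptions.
SAMPLE_CONFIG = """\
set security ike gateway IKE_GATEWAY_TURIN external-interface ge-0/0/0.0
set security ike gateway IKE_GATEWAY_UBI_ROME external-interface st0.3
set security ipsec vpn VPN_TURIN bind-interface st0.1
set security ipsec vpn VPN_TURIN ike gateway IKE_GATEWAY_TURIN
set security ipsec vpn VPN_ROME bind-interface st0.3
set security ipsec vpn VPN_ROME ike gateway IKE_GATEWAY_UBI_ROME
"""

EXT_IF = re.compile(r"^set security ike gateway (\S+) external-interface (\S+)$")
BIND_IF = re.compile(r"^set security ipsec vpn (\S+) bind-interface (\S+)$")
VPN_GW = re.compile(r"^set security ipsec vpn (\S+) ike gateway (\S+)$")


def parse(config):
    """Collect gateway -> external-interface, vpn -> bind-interface, vpn -> gateway."""
    ext, bind, vpn_gw = {}, {}, {}
    for line in config.splitlines():
        line = " ".join(line.split())  # normalise whitespace
        for pattern, table in ((EXT_IF, ext), (BIND_IF, bind), (VPN_GW, vpn_gw)):
            m = pattern.match(line)
            if m:
                table[m.group(1)] = m.group(2)
    return ext, bind, vpn_gw


def find_misbound_gateways(config):
    """Return findings for IKE gateways whose external-interface is a tunnel unit."""
    ext, bind, vpn_gw = parse(config)
    findings = []
    for gateway, interface in sorted(ext.items()):
        if not interface.startswith("st0"):
            continue
        # List the VPNs that use this gateway and note whether the gateway
        # points at the very tunnel interface it is supposed to bring up.
        vpns = sorted(v for v, g in vpn_gw.items() if g == gateway)
        circular = any(bind.get(v) == interface for v in vpns)
        findings.append({"gateway": gateway, "interface": interface,
                         "vpns": vpns, "circular": circular})
    return findings


if __name__ == "__main__":
    for finding in find_misbound_gateways(SAMPLE_CONFIG):
        print(finding)
```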

Re: Route-based IPsec VPN between ASAv and vSRX

‎11-17-2017 07:32 AM

You are right! Finally my lab is completed! Thank you, it was not such a difficult problem after all.


Re: Route-based IPsec VPN between ASAv and vSRX

‎11-17-2017 08:09 AM

You are welcome.. and glad that you are all set!

Regards,
Gokul