BGP routing over vpn using virtual tunnel interfaces

Last year I got the assignment to research BGP because we were going to use it in a new datacenter for one of our customers. They were moving to a dual-datacenter setup with two 42U racks in different locations, with a 1GB fiber connection between them. Because we wanted to create an active/active datacenter setup we had to use BGP to connect to the ISP and get access to the internet. Since I had to set this up I have been obsessed with using BGP and learning how to use it in a production environment.

Recently I had been trying to set up BGP routing over an IPsec site-to-site tunnel, but I could not get this to work properly until I found out about virtual tunnel interfaces. Since version 9.8 of the ASA software, Cisco ASAs have the ability to configure a virtual interface that is connected directly to another peer, so you get a direct point-to-point connection between the two firewalls. Over these interfaces you can use BGP to distribute the needed routes to the other peer.

My current setup consists of two Cisco ASAs that each have 4 internal networks and 1 external one. Because this is within my GNS3 lab, the outside interfaces are directly connected using a simple L2 switch. To start we first need to create an IKEv2 IPsec proposal; for this lab I am using AES-256:

crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5

Using this we can now create an IPsec profile that references the proposal:

crypto ipsec profile vtiprofile
set ikev2 ipsec-proposal AES256

Now that we have the profile and proposal created we can create our tunnel interface. Cisco ASAs currently support up to 100 virtual tunnel interfaces, numbered 1 to 100. Here we will just use tunnel 1:

int tunnel 1
nameif vti
ip add <tunnel ip> <tunnel ip subnetmask>
tunnel source int outside
tunnel destination <WAN ip of peer>
tunnel mode ipsec ipv4
tunnel protection ipsec profile vtiprofile

Next create a group-policy that restricts the tunnel to IKEv2:

group-policy tunnelGP internal
group-policy tunnelGP attributes
vpn-tunnel-protocol ikev2

And the tunnel group for our peer:

tunnel-group <WAN ip of peer> type ipsec-l2l
tunnel-group <WAN ip of peer> ipsec-attributes
ikev2 remote-auth pre-shared-key password
ikev2 local-auth pre-shared-key password
tunnel-group <WAN ip of peer> general-attributes
default-group-policy tunnelGP

We now only have to create an IKEv2 policy and enable IKEv2 on the outside interface:

crypto ikev2 policy 1
encryption aes-256
integrity sha
group 14
prf sha

crypto ikev2 enable outside
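Before copying the config to the second ASA it is worth checking the crypto settings above for weak entries: the proposal lists md5 next to sha-1, and the tunnel-group uses the literal pre-shared key "password". The following linter is an added example (not part of the original post, and not a Cisco tool); it runs over a constructed config modelled on the blocks above and flags negotiable weak or legacy integrity algorithms, weak DH groups, and placeholder pre-shared keys.

```python
# Constructed sample modelled on the proposal, IKEv2 policy and tunnel-group
# blocks above (example code, not from the original post).
ASA_CONFIG = """\
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ikev2 policy 1
integrity sha
group 14
tunnel-group 10.10.10.3 ipsec-attributes
ikev2 remote-auth pre-shared-key password
ikev2 local-auth pre-shared-key password
"""

WEAK_INTEGRITY = {"md5"}               # should not be negotiable at all
LEGACY_INTEGRITY = {"sha", "sha-1"}    # HMAC-SHA1 on the ASA; prefer sha256+
WEAK_DH_GROUPS = {"1", "2", "5"}       # 768/1024/1536-bit MODP
PLACEHOLDER_PSKS = {"password", "cisco", "secret"}

def lint_ike_ipsec(config: str) -> list[str]:
    """Return one finding per weak or placeholder IKEv2/IPsec setting."""
    findings = []
    for line in config.splitlines():
        parts = line.split()
        if not parts:
            continue
        # Every algorithm listed on a line is negotiable, so one weak entry is enough.
        if parts[:3] == ["protocol", "esp", "integrity"]:
            scope, algs = "ESP integrity", parts[3:]
        elif parts[0] == "integrity":          # inside crypto ikev2 policy
            scope, algs = "IKEv2 integrity", parts[1:]
        else:
            scope, algs = "", []
        for alg in algs:
            if alg in WEAK_INTEGRITY:
                findings.append(f"{scope} allows {alg} (weak)")
            elif alg in LEGACY_INTEGRITY:
                findings.append(f"{scope} allows {alg} (legacy)")
        if parts[0] == "group":
            for g in parts[1:]:
                if g in WEAK_DH_GROUPS:
                    findings.append(f"IKEv2 DH group {g} is weak")
        elif len(parts) >= 4 and parts[2] == "pre-shared-key":
            psk = parts[3]
            if psk.lower() in PLACEHOLDER_PSKS or len(psk) < 16:
                findings.append(f"{parts[1]} PSK is a placeholder or under 16 chars")
    return findings
```

Run against the sample it reports five findings: the md5 and sha-1 ESP entries, the sha IKEv2 integrity, and both placeholder PSKs.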

Copy this config to the other ASA, changing the IP addresses, and you should have a working VPN tunnel. Before setting up BGP, ping the tunnel interface IP address of the other ASA to check that the tunnel is up and passing traffic.

If the VPN tunnel is working correctly we can set up BGP routing to distribute our networks to the other peer:

router bgp 64512
address-family ipv4 unicast
neighbor <Tunnel ip of peer> remote-as 64513
neighbor <Tunnel ip of peer> next-hop-self
neighbor <Tunnel ip of peer> activate
network 192.168.2.0 mask 255.255.255.0
maximum-paths 2
exit-address-family
bgp graceful-restart

To prevent random VPN drops from happening, set bgp graceful-restart on both sides of the VPN tunnel.

Below you will find the configuration that I have used for the two sites in my lab. The first one is for site A and the second one is for site B.
Site A:

#### IPSEC profile ####
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5

crypto ipsec profile vtiprofile
set ikev2 ipsec-proposal AES256

#### Tunnel interface ####
int tunnel 1
nameif vti
ip add 50.0.0.1 255.255.255.128
tunnel source int outside
tunnel destination 10.10.10.3
tunnel mode ipsec ipv4
tunnel protection ipsec profile vtiprofile

#### Tunnel group ####
group-policy tunnelGP internal
group-policy tunnelGP attributes
vpn-tunnel-protocol ikev2

tunnel-group 10.10.10.3 type ipsec-l2l
tunnel-group 10.10.10.3 ipsec-attributes
ikev2 remote-auth pre-shared-key password
ikev2 local-auth pre-shared-key password
tunnel-group 10.10.10.3 general-attributes
default-group-policy tunnelGP

#### IKEv2 policy ####
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 14
prf sha

crypto ikev2 enable outside

#### BGP setup ####
router bgp 64513
address-family ipv4 unicast
neighbor 50.0.0.2 remote-as 64512
neighbor 50.0.0.2 next-hop-self
network 192.168.20.0 mask 255.255.255.0
neighbor 50.0.0.2 activate
maximum-paths 2
exit-address-family
bgp graceful-restart

Site B:

#### IPSEC profile ####
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5

crypto ipsec profile vtiprofile
set ikev2 ipsec-proposal AES256

#### Tunnel interface ####
int tunnel 1
nameif vti
ip add 50.0.0.2 255.255.255.128
tunnel source int outside
tunnel destination 10.10.10.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile vtiprofile

#### Tunnel group ####
group-policy tunnelGP internal
group-policy tunnelGP attributes
vpn-tunnel-protocol ikev2

tunnel-group 10.10.10.2 type ipsec-l2l
tunnel-group 10.10.10.2 ipsec-attributes
ikev2 remote-auth pre-shared-key password
ikev2 local-auth pre-shared-key password
tunnel-group 10.10.10.2 general-attributes
default-group-policy tunnelGP

#### IKEv2 policy ####
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 14
prf sha

crypto ikev2 enable outside

#### BGP setup ####
router bgp 64512
address-family ipv4 unicast
neighbor 50.0.0.1 remote-as 64513
neighbor 50.0.0.1 next-hop-self
network 192.168.2.0 mask 255.255.255.0
neighbor 50.0.0.1 activate
maximum-paths 2
exit-address-family
bgp graceful-restart
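The "copy it and change the IPs" workflow easily leaves the two sites with the same local AS number, each expecting the other to be the AS it copied, or both advertising the same prefix, and then the BGP session never comes up. The following added example (not part of the original post) parses two constructed, trimmed site configs modelled on the listings above and reports the cross-site mismatches that break the IKE peering or the eBGP session; the SITE_B sample deliberately carries those copy errors.

```python
import ipaddress
import re
# Two constructed site configs trimmed to the lines the checks need, modelled on
# the Site A / Site B listings above (example code, not the original post's).
SITE_A = """\
ip add 50.0.0.1 255.255.255.128
tunnel destination 10.10.10.3
tunnel-group 10.10.10.3 type ipsec-l2l
router bgp 64513
neighbor 50.0.0.2 remote-as 64512
network 192.168.20.0 mask 255.255.255.0
"""
SITE_B = """\
ip add 50.0.0.2 255.255.255.128
tunnel destination 10.10.10.2
tunnel-group 10.10.10.2 type ipsec-l2l
router bgp 64513
neighbor 50.0.0.1 remote-as 64512
network 192.168.20.0 mask 255.255.255.0
"""

def parse_site(cfg: str) -> dict:
    """Extract VTI address, IKE peer, local AS, BGP neighbour and advertised prefixes."""
    first = lambda pat: re.search(pat, cfg, re.M)
    vti = first(r"^ip add(?:ress)? (\S+) (\S+)")
    nb = first(r"^neighbor (\S+) remote-as (\d+)")
    return {
        "vti": ipaddress.ip_interface(f"{vti[1]}/{vti[2]}"),
        "tunnel_dst": first(r"^tunnel destination (\S+)")[1],
        "l2l_peers": set(re.findall(r"^tunnel-group (\S+) type ipsec-l2l", cfg, re.M)),
        "local_as": first(r"^router bgp (\d+)")[1],
        "neighbor": nb[1], "remote_as": nb[2],
        "networks": set(re.findall(r"^network (\S+ mask \S+)", cfg, re.M)),
    }

def check_pair(a: dict, b: dict) -> list[str]:
    """List the mismatches that keep the IKE peering or the BGP session from coming up."""
    problems = []
    for me, peer, name in ((a, b, "A"), (b, a, "B")):
        if me["tunnel_dst"] not in me["l2l_peers"]:
            problems.append(f"{name}: no ipsec-l2l tunnel-group for peer {me['tunnel_dst']}")
        if me["neighbor"] != str(peer["vti"].ip):
            problems.append(f"{name}: neighbor {me['neighbor']} is not the peer VTI {peer['vti'].ip}")
        if me["remote_as"] != peer["local_as"]:
            problems.append(f"{name}: remote-as {me['remote_as']} but peer runs AS {peer['local_as']}")
    if a["vti"].network != b["vti"].network:
        problems.append("VTI addresses are not in one subnet")
    for prefix in a["networks"] & b["networks"]:
        problems.append(f"{prefix} is advertised by both sites")
    return problems
```

On the samples it reports three problems: both sites point remote-as at 64512 while the peer runs 64513, and 192.168.20.0/24 is advertised from both ends; giving site B its own AS and prefix clears the list.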

Source: https://techstat.net/cisco-asa-9-7-route-based-vpn-load-balancing-failover-setup-guide/