Last year I got the assignment to research BGP because we were going to use it in a new datacenter for one of our customers. They were moving to a dual-datacenter setup with a 1GB fiber connection between the two sites. Because we wanted an active/active datacenter setup, we had to use BGP to connect to the ISP and reach the internet. Since setting that up I have been obsessed with BGP and with learning how to use it in a production environment.
Recently I had been trying to set up BGP routing over an IPsec site-to-site tunnel, but I could not get it to work properly until I found out about virtual tunnel interfaces (VTIs). Since version 9.8, Cisco ASAs can be configured with a virtual interface that is connected directly to another peer, which gives you a point-to-point link between the two firewalls. Over these interfaces you can run BGP to distribute routes to the other peer.
My current setup consists of two Cisco ASAs that each have 4 internal networks and 1 external one. Because this is in my GNS3 lab, the outside interfaces are directly connected through a simple L2 switch. To start we first need to create an IKEv2 IPsec proposal; for this lab I will be using AES-256:
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
Using this proposal we can now create an IPsec profile:
crypto ipsec profile vtiprofile
 set ikev2 ipsec-proposal AES256
Now that we have the profile and proposal, we can create our tunnel interface. Cisco ASAs currently support up to 100 virtual tunnel interfaces, numbered 1 to 100. Here we will just use tunnel 1:
interface Tunnel1
 nameif vti
 ip address <tunnel ip> <tunnel ip subnetmask>
 tunnel source interface outside
 tunnel destination <WAN ip of peer>
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vtiprofile
Next, create a group policy:
group-policy tunnelGP internal
group-policy tunnelGP attributes
 vpn-tunnel-protocol ikev2
And the tunnel group for our peer:
tunnel-group <WAN ip of peer> type ipsec-l2l
tunnel-group <WAN ip of peer> ipsec-attributes
 ikev2 remote-auth pre-shared-key password
 ikev2 local-auth pre-shared-key password
tunnel-group <WAN ip of peer> general-attributes
 default-group-policy tunnelGP
We now only have to create an IKEv2 policy and enable IKEv2 on the outside interface:
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 14
 prf sha
crypto ikev2 enable outside
Copy this configuration to the other ASA, change the IP addresses, and you should have a working VPN tunnel. Before setting up BGP, ping the IP address of the other ASA's tunnel interface to check that the tunnel is up and passing traffic.
If the VPN tunnel is working correctly, we can set up BGP routing to distribute our networks to the other peer:
router bgp 64512
 bgp graceful-restart
 address-family ipv4 unicast
  neighbor <Tunnel ip of peer> remote-as 64513
  neighbor <Tunnel ip of peer> next-hop-self
  neighbor <Tunnel ip of peer> activate
  network <local network> mask <subnet mask>
  maximum-paths 2
Below you will find the configuration I used for the two sites in my lab. The first is for site A and the second for site B. Site A:
#### IPSEC profile ####
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec profile vtiprofile
 set ikev2 ipsec-proposal AES256
#### Tunnel interface ####
interface Tunnel1
 nameif vti
 ip address <site A tunnel ip> <tunnel subnet mask>
 tunnel source interface outside
 tunnel destination <site B WAN ip>
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vtiprofile
#### Tunnel group ####
group-policy tunnelGP internal
group-policy tunnelGP attributes
 vpn-tunnel-protocol ikev2
tunnel-group <site B WAN ip> type ipsec-l2l
tunnel-group <site B WAN ip> ipsec-attributes
 ikev2 remote-auth pre-shared-key password
 ikev2 local-auth pre-shared-key password
tunnel-group <site B WAN ip> general-attributes
 default-group-policy tunnelGP
#### IKEv2 policy ####
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 14
 prf sha
crypto ikev2 enable outside
#### BGP setup ####
! Site A runs AS 64512 and peers with site B in AS 64513; the two sites must not share an AS number
router bgp 64512
 bgp graceful-restart
 address-family ipv4 unicast
  neighbor <site B tunnel ip> remote-as 64513
  neighbor <site B tunnel ip> next-hop-self
  network <site A network> mask <subnet mask>
  neighbor <site B tunnel ip> activate
  maximum-paths 2
Site B:
#### IPSEC profile ####
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec profile vtiprofile
 set ikev2 ipsec-proposal AES256
#### Tunnel interface ####
interface Tunnel1
 nameif vti
 ip address <site B tunnel ip> <tunnel subnet mask>
 tunnel source interface outside
 tunnel destination <site A WAN ip>
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vtiprofile
#### Tunnel group ####
group-policy tunnelGP internal
group-policy tunnelGP attributes
 vpn-tunnel-protocol ikev2
tunnel-group <site A WAN ip> type ipsec-l2l
tunnel-group <site A WAN ip> ipsec-attributes
 ikev2 remote-auth pre-shared-key password
 ikev2 local-auth pre-shared-key password
tunnel-group <site A WAN ip> general-attributes
 default-group-policy tunnelGP
#### IKEv2 policy ####
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 14
 prf sha
crypto ikev2 enable outside
#### BGP setup ####
! Site B runs AS 64513 and peers with site A in AS 64512 (the mirror of the site A block)
router bgp 64513
 bgp graceful-restart
 address-family ipv4 unicast
  neighbor <site A tunnel ip> remote-as 64512
  neighbor <site A tunnel ip> next-hop-self
  network <site B network> mask <subnet mask>
  neighbor <site A tunnel ip> activate
  maximum-paths 2
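Most failures with a setup like this come from the two site configs not mirroring each other: a tunnel destination that is not the peer's outside address, a pre-shared key that differs, or both ASAs pasted with the same AS number so the eBGP session never establishes. The script below is an added example, not the author's configuration or any Cisco tooling. It parses two ASA configs of the shape shown above and cross-checks exactly those fields, and it also flags the md5 integrity option in the ESP proposal and any DH group below 14. The configs it checks are constructed from a template with RFC 5737 documentation addresses, and the names site, parse_asa, cross_check and check_lab are my own.

```python
"""Cross-check two Cisco ASA VTI + BGP site configs for the mismatches that keep
a tunnel or a peering from coming up. Added example, not code from the post."""
import re
from dataclasses import dataclass, field

# Minimal ASA config template carrying only the lines the checker reads. All
# addresses are constructed from the RFC 5737 documentation ranges.
TEMPLATE = """\
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity {integrity}
interface GigabitEthernet0/0
 nameif outside
 ip address {wan} 255.255.255.0
interface Tunnel1
 nameif vti
 ip address {tun} 255.255.255.252
 tunnel destination {peer_wan}
tunnel-group {peer_wan} ipsec-attributes
 ikev2 remote-auth pre-shared-key {psk}
 ikev2 local-auth pre-shared-key {psk}
crypto ikev2 policy 1
 group {dh}
router bgp {local_as}
 address-family ipv4 unicast
  neighbor {peer_tun} remote-as {remote_as}
  neighbor {peer_tun} activate
"""

def site(wan, peer_wan, tun, peer_tun, local_as, remote_as,
         psk="password", integrity="sha-1 md5", dh="14"):
    """Render one constructed site config from the template (all params are fields)."""
    return TEMPLATE.format(**locals())

@dataclass
class SiteConfig:
    outside_ip: str = ""
    tunnel_ip: str = ""
    tunnel_dest: str = ""
    local_as: str = ""
    neighbors: dict = field(default_factory=dict)  # peer tunnel ip -> remote AS
    local_psk: str = ""
    remote_psk: str = ""
    esp_integrity: list = field(default_factory=list)
    dh_group: int = 0

def parse_asa(text):
    """Pull the peering-relevant fields out of ASA running-config text; the
    interface is tracked by its nameif, which ASA prints before the ip address."""
    cfg, iface = SiteConfig(), ""
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.fullmatch(r"nameif (\S+)", line):
            iface = m.group(1)
        elif m := re.fullmatch(r"ip address (\S+) \S+", line):
            if iface == "outside":
                cfg.outside_ip = m.group(1)
            elif iface == "vti":
                cfg.tunnel_ip = m.group(1)
        elif m := re.fullmatch(r"tunnel destination (\S+)", line):
            cfg.tunnel_dest = m.group(1)
        elif m := re.fullmatch(r"router bgp (\d+)", line):
            cfg.local_as = m.group(1)
        elif m := re.fullmatch(r"neighbor (\S+) remote-as (\d+)", line):
            cfg.neighbors[m.group(1)] = m.group(2)
        elif m := re.fullmatch(r"ikev2 (local|remote)-auth pre-shared-key (\S+)", line):
            setattr(cfg, f"{m.group(1)}_psk", m.group(2))
        elif m := re.fullmatch(r"protocol esp integrity (.+)", line):
            cfg.esp_integrity = m.group(1).split()
        elif m := re.fullmatch(r"group (\d+)", line):
            cfg.dh_group = int(m.group(1))
    return cfg

def cross_check(a, b):
    """Return a list of findings for the pair; an empty list means both sides agree."""
    findings = []
    if a.local_as == b.local_as:
        findings.append(f"both sites run 'router bgp {a.local_as}'; eBGP over the VTI needs a distinct AS per site")
    for name, me, peer in (("A", a, b), ("B", b, a)):
        if me.tunnel_dest != peer.outside_ip:
            findings.append(f"site {name}: tunnel destination {me.tunnel_dest} is not the peer's outside ip {peer.outside_ip}")
        if me.neighbors.get(peer.tunnel_ip) != peer.local_as:
            findings.append(f"site {name}: remote-as {me.neighbors.get(peer.tunnel_ip)} for {peer.tunnel_ip} does not match the peer's AS {peer.local_as}")
        if me.local_psk != peer.remote_psk:
            findings.append(f"site {name}: local pre-shared key differs from the peer's remote-auth key")
        if "md5" in me.esp_integrity:
            findings.append(f"site {name}: ESP integrity proposal still offers md5; drop it so the peer can never negotiate it")
        if me.dh_group < 14:
            findings.append(f"site {name}: IKEv2 DH group {me.dh_group} is below group 14")
    return findings

def check_lab(a_as, a_peer_as, b_as, b_peer_as, integrity="sha-1 md5"):
    """Build the two constructed site configs, parse them and cross-check them."""
    site_a = site("192.0.2.1", "198.51.100.1", "10.255.0.1", "10.255.0.2", a_as, a_peer_as, integrity=integrity)
    site_b = site("198.51.100.1", "192.0.2.1", "10.255.0.2", "10.255.0.1", b_as, b_peer_as, integrity=integrity)
    return cross_check(parse_asa(site_a), parse_asa(site_b))

if __name__ == "__main__":
    # Correctly mirrored 64512 <-> 64513 pair: only the two md5 warnings remain.
    for finding in check_lab("64512", "64513", "64513", "64512"):
        print("WARN", finding)
    # Both sites pasted with 'router bgp 64513': the peering can never come up.
    for finding in check_lab("64513", "64512", "64513", "64512"):
        print("FAIL", finding)
```

To use it against real devices, replace the template rendering with the output of show running-config from each ASA and feed both texts to parse_asa; the cross-check logic does not care where the text came from. The md5 finding is deliberately reported even when sha-1 is listed first, because a proposal that still offers md5 lets the peer negotiate it.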