Introduction
This document describes how to configure a redundant site-to-site (LAN-to-LAN) IPSec IKE Version 1 (IKEv1) VPN using Virtual Tunnel Interface (VTI) between two Cisco ASA. ASA VPN module was enhanced with this logical interface in version 9.7(1) and is used to create a VPN tunnel to a peer, supports route based VPN using profiles attached to VTI interfaces. More details can be found on Release Notes for ASA software 9.7(1).
Objective
Traffic between HQ and DR should pass across primary IPSec tunnel using ISP A. In the case the link through ISP A fails, traffic between sites should failover to the secondary link (ISP B) using backup tunnel.
Components used:
- Cisco ASAv version 9.7(1);
- vPC
Configuration
This article is using network topology shown bellow:

HQ ASA Configuration
First, we have to add IPSec configuration for Phase 1 and 2:
crypto ikev1 enable primary
crypto ikev1 enable backup
!
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
!
crypto ipsec ikev1 transform-set SET1 esp-aes esp-sha-hmac
!
crypto ipsec profile PROFILE1
set ikev1 transform-set SET1
set pfs group2
!
tunnel-group 20.20.20.1 type ipsec-l2l
tunnel-group 20.20.20.1 ipsec-attributes
ikev1 pre-shared-key cisco123
isakmp keepalive threshold 10 retry 10
!
tunnel-group 40.40.40.1 type ipsec-l2l
tunnel-group 40.40.40.1 ipsec-attributes
ikev1 pre-shared-key cisco123
isakmp keepalive threshold 10 retry 10
for VTI interfaces configuration we are using a new feature introduced in version 9.7(1), 31-bit Subnet Mask (“For routed interfaces, you can configure an IP address on a 31-bit subnet for point-to-point connections.”, more information on Release Notes):
interface Tunnel10
description PRIMARY_VTI
nameif primary_vti
ip address 10.0.0.1 255.255.255.254
tunnel source interface primary
tunnel destination 20.20.20.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile PROFILE1
!
interface Tunnel20
description BACKUP_VTI
nameif backup_vti
ip address 10.0.0.3 255.255.255.254
tunnel source interface backup
tunnel destination 40.40.40.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile PROFILE1
to check connectivity to primary interface of our peer we use IP SLA and a track object:
sla monitor 1
type echo protocol ipIcmpEcho 20.20.20.1 interface primary
sla monitor schedule 1 life forever start-time now
!
track 1 rtr 1 reachability
then, add routes to destination networks/addresses:
route primary_vti 172.16.10.0 255.255.255.0 10.0.0.2 1 track 1
route backup_vti 172.16.10.0 255.255.255.0 10.0.0.4 5
route primary 20.20.20.1 255.255.255.255 10.10.10.2 1
route backup 40.40.40.1 255.255.255.255 30.30.30.2 1
DR ASA Configuration
For DR ASA configuration is similar to HQ ASA, only ip addresses are changed:
crypto ikev1 enable primary
crypto ikev1 enable backup
!
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
!
crypto ipsec ikev1 transform-set SET1 esp-aes esp-sha-hmac
!
crypto ipsec profile PROFILE1
set ikev1 transform-set SET1
set pfs group2
!
tunnel-group 10.10.10.1 type ipsec-l2l
tunnel-group 10.10.10.1 ipsec-attributes
ikev1 pre-shared-key cisco123
isakmp keepalive threshold 10 retry 10
!
tunnel-group 30.30.30.1 type ipsec-l2l
tunnel-group 30.30.30.1 ipsec-attributes
ikev1 pre-shared-key cisco123
isakmp keepalive threshold 10 retry 10
!
interface Tunnel10
description PRIMARY_VTI
nameif primary_vti
ip address 10.0.0.2 255.255.255.254
tunnel source interface primary
tunnel destination 10.10.10.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile PROFILE1
!
interface Tunnel20
description BACKUP_VTI
nameif backup_vti
ip address 10.0.0.4 255.255.255.254
tunnel source interface backup
tunnel destination 30.30.30.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile PROFILE1
!
sla monitor 1
type echo protocol ipIcmpEcho 10.10.10.1 interface primary
sla monitor schedule 1 life forever start-time now
!
track 1 rtr 1 reachability
!
route primary_vti 192.168.123.0 255.255.255.0 10.0.0.1 1 track 1
route backup_vti 192.168.123.0 255.255.255.0 10.0.0.3 5
route primary 10.10.10.1 255.255.255.255 20.20.20.2 1
route backup 30.30.30.1 255.255.255.255 40.40.40.2 1
Verifying the results
State of IKEv1 Phase 1 and Phase 2 can be checked with following commands:
HQ-ASA# show crypto ikev1 sa
IKEv1 SAs:
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: 40.40.40.1
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
2 IKE Peer: 20.20.20.1
Type : L2L Role : responder
Rekey : no State : MM_ACTIV
HQ-ASA# show crypto ipsec sa
interface: primary_vti
Crypto map tag: __vti-crypto-map-5-0-10, seq num: 65280, local addr: 10.10.10.1
access-list __vti-def-acl-0 extended permit ip any any
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: 20.20.20.1
#pkts encaps: 246, #pkts encrypt: 246, #pkts digest: 246
#pkts decaps: 246, #pkts decrypt: 247, #pkts verify: 247
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 246, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 10.10.10.1/0, remote crypto endpt.: 20.20.20.1/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: E93C8DB9
current inbound spi : 00AC6E39
inbound esp sas:
spi: 0x00AC6E39 (11300409)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, VTI, }
slot: 0, conn_id: 86016, crypto-map: __vti-crypto-map-5-0-10
sa timing: remaining key lifetime (kB/sec): (3914979/28492)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xE93C8DB9 (3913059769)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, VTI, }
slot: 0, conn_id: 86016, crypto-map: __vti-crypto-map-5-0-10
sa timing: remaining key lifetime (kB/sec): (3914979/28491)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
interface: backup_vti
Crypto map tag: __vti-crypto-map-6-0-20, seq num: 65280, local addr: 30.30.30.1
access-list __vti-def-acl-0 extended permit ip any any
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: 40.40.40.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 30.30.30.1/0, remote crypto endpt.: 40.40.40.1/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 446005A9
current inbound spi : 8BB0984A
inbound esp sas:
spi: 0x8BB0984A (2343606346)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, VTI, }
slot: 0, conn_id: 77824, crypto-map: __vti-crypto-map-6-0-20
sa timing: remaining key lifetime (kB/sec): (3915000/27623)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x446005A9 (1147143593)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, VTI, }
slot: 0, conn_id: 77824, crypto-map: __vti-crypto-map-6-0-20
sa timing: remaining key lifetime (kB/sec): (3915000/27623)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
HQ-ASA# show crypto ipsec stats
IPsec Global Statistics
-----------------------
Active tunnels: 2
Previous tunnels: 8
Inbound
Bytes: 410004
Decompressed bytes: 410004
Packets: 4881
Dropped packets: 0
Replay failures: 0
Authentications: 4881
Authentication failures: 0
Decryptions: 4881
Decryption failures: 0
TFC Packets: 0
Decapsulated fragments needing reassembly: 0
Valid ICMP Errors rcvd: 0
Invalid ICMP Errors rcvd: 0
Outbound
Bytes: 411012
Uncompressed bytes: 411012
Packets: 4893
Dropped packets: 0
Authentications: 4893
Authentication failures: 0
Encryptions: 4894
Encryption failures: 0
TFC Packets: 0
Fragmentation successes: 0
Pre-fragmentation successses: 0
Post-fragmentation successes: 0
Fragmentation failures: 0
Pre-fragmentation failures: 0
Post-fragmentation failures: 0
Fragments created: 0
PMTUs sent: 0
PMTUs rcvd: 0
Protocol failures: 0
Missing SA failures: 0
System capacity failures: 0
Inbound SA delete requests: 17
Outbound SA delete requests: 0
Inbound SA destroy calls: 17
Outbound SA destroy calls: 6
and interfaces status:
HQ-ASA# show interface Tunnel 10
Interface Tunnel10 "primary_vti", is up, line protocol is up
Hardware is Virtual Tunnel Description: PRIMARY_VTI
MAC address N/A, MTU 1500
IP address 10.0.0.1, subnet mask 255.255.255.254
Traffic Statistics for "primary_vti":
0 packets input, 0 bytes
1 packets output, 28 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Tunnel Interface Information:
Source interface: primary IP address: 10.10.10.1
Destination IP address: 20.20.20.1
Mode: ipsec ipv4 IPsec profile: PROFILE1
HQ-ASA# show interface ip brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 192.168.123.1 YES CONFIG up up
GigabitEthernet0/1 10.10.10.1 YES CONFIG up up
GigabitEthernet0/2 30.30.30.1 YES CONFIG up up
GigabitEthernet0/3 unassigned YES unset administratively down up
GigabitEthernet0/4 unassigned YES unset administratively down up
GigabitEthernet0/5 unassigned YES unset administratively down up
GigabitEthernet0/6 unassigned YES unset administratively down up
Management0/0 unassigned YES unset administratively down up
Tunnel10 10.0.0.1 YES CONFIG up up
Tunnel20 10.0.0.3 YES CONFIG up up
You might also see:
CLI Book 3: Cisco ASA Series VPN CLI Configuration Guide, 9.7
I hope to be helpful.