Addressing corner cases using 3rd party VPN devices with Aviatrix

There are very specific use cases that none of the currently available Aviatrix NAT features can address. I ran into one of those, where one possible solution was to use a 3rd party firewall (ASAv) to terminate site-to-site VPN connections. The proposed design for lab purposes looks like the one below:

The design relies on the feature called BGP over LAN that allows transit gateways to communicate with instances in different VNets in Azure without running any tunneling protocol such as IPsec or GRE.

The configuration workflow can be found at https://docs.aviatrix.com/HowTos/azure_bgpolan_multi_peer.html?highlight=bgpolan.

VNETs Creation

I’ll create three new VNETs for this lab:

Transit, the “asa-vnet” where I’m going to deploy an ASAv instance, and a spoke for testing.

Transit Deployment

The size of the VM depends on the number of interfaces required, which is capped by the current Azure limit of 8:

ASAv Deployment

ASAv is deployed from the marketplace and “injected” into the “asa-vnet”:

VNET Peering

BGPoLAN

The BGPoLAN is configured under Multi-Cloud Transit -> External Connection -> External Device -> BGP -> LAN:

Once the configuration is applied, the remote config can be downloaded from the Site2Cloud menu:

ASAv Configuration

interface GigabitEthernet0/0
 nameif external
 security-level 0
 ip address 172.16.41.20 255.255.255.240
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.41.36 255.255.255.240
!
! static route toward the transit BGPoLAN subnet; the interface name must match a configured nameif
route inside 172.16.31.0 255.255.255.0 172.16.41.33 1
!
router bgp 65533
 bgp log-neighbor-changes
 address-family ipv4 unicast
  neighbor 172.16.31.116 remote-as 65534
  neighbor 172.16.31.116 ebgp-multihop 255
  neighbor 172.16.31.116 timers 60 180
  neighbor 172.16.31.116 activate
  redistribute connected
  maximum-paths 4
  no auto-summary
  no synchronization
 exit-address-family

Checking

The ASAv learns the spoke route (172.16.31.0/24):

Spoke 30 learns the routes advertised by the ASA (172.16.41.0, .16 and .32):
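The BGPoLAN peer (172.16.31.116) is not on an ASA-connected subnet, so it needs a static route whose interface name matches a configured nameif, plus ebgp-multihop on the neighbor. The following sanity check is an added example, not part of the original post and not an Aviatrix or Cisco tool; it parses those ASA lines from a sample constructed from this post's addressing (with the route deliberately pointing at an undefined nameif) and reports what would stop the session from coming up.

```python
import ipaddress
import re
# Constructed sample from this post's addressing; "internal" is not a defined nameif.
ASA_CONFIG = """\
 nameif external
 ip address 172.16.41.20 255.255.255.240
 nameif inside
 ip address 172.16.41.36 255.255.255.240
route internal 172.16.31.0 255.255.255.0 172.16.41.33 1
router bgp 65533
 address-family ipv4 unicast
  neighbor 172.16.31.116 remote-as 65534
  neighbor 172.16.31.116 ebgp-multihop 255
"""
def parse(cfg):
    # nameif -> connected subnet, static routes, BGP neighbours, multihop peers
    ifaces, routes, neighbors, multihop = {}, [], set(), set()
    nameif = None
    for line in cfg.splitlines():
        s = line.strip()
        if m := re.match(r"nameif (\S+)$", s):
            nameif = m[1]
        elif m := re.match(r"ip address (\S+) (\S+)$", s):
            ifaces[nameif] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif m := re.match(r"route (\S+) (\S+) (\S+) (\S+)", s):
            routes.append((m[1], ipaddress.ip_network(f"{m[2]}/{m[3]}"), ipaddress.ip_address(m[4])))
        elif m := re.match(r"neighbor (\S+) remote-as", s):
            neighbors.add(ipaddress.ip_address(m[1]))
        elif m := re.match(r"neighbor (\S+) ebgp-multihop", s):
            multihop.add(ipaddress.ip_address(m[1]))
    return ifaces, routes, neighbors, multihop

def check(cfg):
    # Problems that would keep the BGPoLAN session from coming up
    ifaces, routes, neighbors, multihop = parse(cfg)
    problems, usable = [], []
    for name, net, nh in routes:
        if name not in ifaces:
            problems.append(f"route {net} via undefined nameif '{name}'")
        elif nh not in ifaces[name]:
            problems.append(f"route {net}: next-hop {nh} not on {name} subnet")
        else:
            usable.append(net)  # ASA would accept this route
    for n in sorted(neighbors):
        on_link = any(n in net for net in ifaces.values())
        if not on_link and not any(n in net for net in usable):
            problems.append(f"neighbor {n}: no usable route")
        if not on_link and n not in multihop:
            problems.append(f"neighbor {n}: not on-link but ebgp-multihop missing")
    return problems
```

Running check() on the sample reports the bad route and the consequently unreachable neighbor; with the route corrected to "inside" it returns an empty list.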

Testing

ASAv at Aviatrix:

crypto ikev2 enable management
!
crypto ikev2 policy 1 
 encryption aes
 integrity sha
 group 14
 lifetime seconds 28800
!
crypto ipsec ikev2 ipsec-proposal SET1
 protocol esp encryption aes
 protocol esp integrity sha-1
!
crypto ipsec profile PROFILE1
 set ikev2 ipsec-proposal SET1
 set security-association lifetime seconds 27000
 set security-association lifetime kilobytes unlimited
 set pfs none
!
tunnel-group 52.168.138.163 type ipsec-l2l
tunnel-group 52.168.138.163 ipsec-attributes
 ikev2 local-authentication pre-shared-key cisco
 ikev2 remote-authentication pre-shared-key cisco
!
interface tunnel 100
 nameif vti
 ip address 169.254.0.1 255.255.255.252
 tunnel source interface management
 tunnel destination 52.168.138.163
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROFILE1
!
route vti 10.4.2.0 255.255.255.0 169.254.0.2

Remote ASAv:

crypto ikev2 enable management 
crypto ikev2 policy 1 
 encryption aes
 integrity sha
 group 14
 lifetime seconds 28800
!
crypto ipsec ikev2 ipsec-proposal SET1
 protocol esp encryption aes
 protocol esp integrity sha-1
!
crypto ipsec profile PROFILE1
 set ikev2 ipsec-proposal SET1
 set security-association lifetime seconds 27000
 set security-association lifetime kilobytes unlimited
 set pfs none
!
tunnel-group 13.68.220.32 type ipsec-l2l
tunnel-group 13.68.220.32 ipsec-attributes
 ikev2 local-authentication pre-shared-key cisco
 ikev2 remote-authentication pre-shared-key cisco
!
interface tunnel 100
 nameif vti
 ip address 169.254.0.2 255.255.255.252
 tunnel source interface management
 tunnel destination 13.68.220.32
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROFILE1
!
route vti 172.16.51.0 255.255.255.0 169.254.0.1

References

https://docs.aviatrix.com/HowTos/azure_bgpolan_multi_peer.html?highlight=bgpolan

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/214230-configure-policy-based-and-route-based-v.html

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html
