Hi everyone,
I've been pulling my hair out yesterday with a VPN between an ASA (local) and
Telefonica (remote) with the encryption domains as /32 Local Inside IP, and
/32 Remote Loopback IP.
On top of this I configured BGP across the VPN, but ASA has no concept of
BGP Source Interface (yet) so their docs suggest configuring identity NAT
(used to be NONAT) to fix this and bring BGP up.
Tunnel comes up, and I can see the packets coming in nicely but nothing is
being sent out.
I am sure the configuration is correct, because there is another SA on the
same VPN session and I have two way connectivity across that.
I suspect it is because my BGP process is not sourcing the session from the
Inside IP, and therefore the traffic sent to the peer does not match the
encryption domain, therefore it means 0 encryption.
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 339, #pkts decrypt: 339, #pkts verify: 339
Has anyone got any ideas on how or if it is possible indeed to make BGP
source the traffic from the Inside interface IP? Or shall I just ditch the
ASA and get a proper router?
Telefonica say VTI VPN is not possible on their side, although I am 100% sure it
is with the kit they have. But I understand their procedures and business
side of things, so I am not disputing that.
Sorry for this long email on a beautiful Friday afternoon.
Catalin
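The counter lines quoted in the post (encaps 0 / decaps 339) are the classic signature of an SA that is receiving traffic but never selecting any outbound packet, which is exactly what happens when the locally sourced traffic does not match the /32 proxy ID. The following Python is an added example, not part of the original post or of any Cisco tool: it parses `#pkts encaps` / `#pkts decaps` counters per SA from `show crypto ipsec sa` style output and flags one-way SAs so they can be spotted across many tunnels at once. The sample output is constructed (documentation addresses), modelled on the two lines in the post.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of "show crypto ipsec sa" counter lines: the first SA
# mirrors the post (nothing sent, 339 received), the second is healthy.
SAMPLE_OUTPUT = """\
  local ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/0/0)
  remote ident (addr/mask/prot/port): (192.0.2.1/255.255.255.255/0/0)
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 339, #pkts decrypt: 339, #pkts verify: 339
  local ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (198.51.100.0/255.255.255.0/0/0)
  #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
  #pkts decaps: 1180, #pkts decrypt: 1180, #pkts verify: 1180
"""

# A "local ident" line starts a new SA record; "remote ident" completes it.
IDENT_RE = re.compile(r"(local|remote) ident .*?: \(([^/]+)/([^/]+)/")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")


def parse_ipsec_sa(output: str) -> List[Dict]:
    """Collect one record per IPsec SA: local/remote proxy IDs and counters."""
    sas: List[Dict] = []
    current = None
    for line in output.splitlines():
        m = IDENT_RE.search(line)
        if m:
            side, addr, mask = m.groups()
            if side == "local":
                current = {"local": f"{addr}/{mask}", "remote": None,
                           "encaps": 0, "decaps": 0}
                sas.append(current)
            elif current is not None:
                current["remote"] = f"{addr}/{mask}"
            continue
        if current is None:
            continue  # counters before any ident line: ignore
        m = ENCAPS_RE.search(line)
        if m:
            current["encaps"] = int(m.group(1))
        m = DECAPS_RE.search(line)
        if m:
            current["decaps"] = int(m.group(1))
    return sas


def diagnose(sas: List[Dict]) -> List[Tuple[str, str, str]]:
    """Classify each SA by the direction its counters are moving."""
    results = []
    for sa in sas:
        if sa["decaps"] > 0 and sa["encaps"] == 0:
            # Received fine, sent nothing: outbound packets are not being
            # matched to this proxy ID (wrong source address, NAT, or routing).
            verdict = "one-way: receiving but not sending (outbound traffic not matching this proxy ID)"
        elif sa["encaps"] > 0 and sa["decaps"] == 0:
            verdict = "one-way: sending but not receiving (check the remote side)"
        elif sa["encaps"] == 0 and sa["decaps"] == 0:
            verdict = "idle"
        else:
            verdict = "bidirectional"
        results.append((sa["local"], sa["remote"], verdict))
    return results


if __name__ == "__main__":
    for local, remote, verdict in diagnose(parse_ipsec_sa(SAMPLE_OUTPUT)):
        print(f"{local} <-> {remote}: {verdict}")
```

Run against the real `show crypto ipsec sa` text, the "receiving but not sending" verdict on a single SA while a sibling SA in the same tunnel is bidirectional points at the local traffic selector rather than at IKE or the peer, which is the conclusion the post reaches by hand.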