We tried to use ASAs for this scenario too, but ended up adding routers as BGP was too buggy; that was 18 months ago though.
Sent from my Motorola mr1

> On 25/03/2017, at 5:56 AM, Catalin Dominte <[email protected]> wrote:
>
> Hi everyone,
>
> I've been pulling my hair out yesterday with a VPN between an ASA (local) and Telefonica (remote) with the encryption domains as /32 Local Inside IP and /32 Remote Loopback IP.
>
> On top of this I configured BGP across the VPN, but ASA has no concept of BGP Source Interface (yet) so their docs suggest configuring identity NAT (used to be NONAT) to fix this and bring BGP up.
>
> Tunnel comes up, and I can see the packets coming in nicely but nothing is being sent out.
>
> I am sure the configuration is correct, because there is another SA on the same VPN session and I have two-way connectivity across that.
>
> I suspect it is because my BGP process is not sourcing the session from the Inside IP, and therefore the traffic sent to the peer does not match the encryption domain, therefore it means 0 encryption.
>
> #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
> #pkts decaps: 339, #pkts decrypt: 339, #pkts verify: 339
>
> Has anyone got any ideas on how or if it is possible indeed to make BGP source the traffic from the Inside interface IP? Or shall I just ditch the ASA and get a proper router?
>
> Telefonica say VTI VPN is not possible on their side, although I am 100% sure it is with the kit they have. But I understand their procedures and business side of things, so I am not disputing that.
>
> Sorry for this long email on a beautiful Friday afternoon.
>
> Catalin
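A small helper that turns the `show crypto ipsec sa` counters quoted above into a per-SA verdict, so the "decaps but no encaps" pattern (peer traffic decrypted, nothing local ever matched the crypto ACL outbound) can be spotted across all SAs of a peer at once. This is an added example, not code from the thread; the SA output and addresses are constructed, with the first SA standing in for the working one the post mentions and the second for the failing /32-to-/32 BGP one.

```python
import re

# Constructed sample in the layout of ASA "show crypto ipsec sa": two SAs to the
# same peer, a working one and the /32-to-/32 BGP one from the post. Not real output.
SAMPLE = """\
    local ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
      #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
      #pkts decaps: 1150, #pkts decrypt: 1150, #pkts verify: 1150
    local ident (addr/mask/prot/port): (10.1.0.1/255.255.255.255/0/0)
    remote ident (addr/mask/prot/port): (192.0.2.1/255.255.255.255/0/0)
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 339, #pkts decrypt: 339, #pkts verify: 339
"""

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_sas(text):
    """Split the output into one dict per SA: local, remote, encaps, decaps."""
    sas = []
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            side, addr, mask = m.groups()
            if side == "local":          # a new "local ident" line starts a new SA
                sas.append({"local": f"{addr}/{mask}"})
            else:
                sas[-1]["remote"] = f"{addr}/{mask}"
            continue
        for name, val in COUNTER_RE.findall(line):
            sas[-1][name] = int(val)
    return sas


def classify(sa):
    """Verdict from the encaps/decaps pair alone; missing counters count as 0."""
    enc, dec = sa.get("encaps", 0), sa.get("decaps", 0)
    if enc == 0 and dec > 0:
        return "rx_only"   # peer's packets decrypt fine, our side never matches the crypto ACL
    if enc > 0 and dec == 0:
        return "tx_only"   # we encrypt, nothing comes back (remote side or return path)
    if enc == 0 and dec == 0:
        return "idle"
    return "ok"


def report(text):
    """Map (local proxy ID, remote proxy ID) -> verdict for every SA in the output."""
    return {(sa["local"], sa["remote"]): classify(sa) for sa in parse_sas(text)}
```

An `rx_only` verdict on the /32 SA while the sibling SA is `ok` points at the outbound side only (source address, identity NAT, proxy IDs) rather than at the tunnel or the peer's crypto settings.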
