Configure failover using VTI interfaces

Establish the IPsec tunnel failover using Virtual Tunnel Interfaces (VTI).

This technique relies on policy-based routing over VTI interfaces and on dummy subnets that are used to force web traffic into the appropriate tunnel interface.

The dummy subnets need to be a minimum of /30 in size to provide two usable interface addresses. One address is allocated to the VTI interface and the other is used in the policy-based routing configuration to represent the Forcepoint ONE SSE data center at the other end of the IPsec tunnel. For example, assume that 192.168.254.0/30 and 192.168.254.4/30 are two unused /30 blocks within your internal address plan. This would allow the following addressing to be used on the ASA:

  • dummy_subnet1_ip1 — 192.168.254.1
  • dummy_subnet1_ip2 — 192.168.254.2
  • dummy_subnet2_ip1 — 192.168.254.5
  • dummy_subnet2_ip2 — 192.168.254.6

Steps

  1. Create an IPsec profile, associate the IKEv2 IPsec proposal with it, and set the SA lifetime.
    1. Enter an IPsec profile name for the IPsec tunnels:
      crypto ipsec profile <IPsec profile Name>
    2. Enter the IKEv2 IPsec proposal name you configured for the IPsec tunnels:
      set ikev2 ipsec-proposal <ipsec-proposal_name>
    3. Set security-association lifetime for the IPsec tunnels:
      set security-association lifetime kilobytes 4608000
      set security-association lifetime seconds 28800
  2. Create the primary tunnel interface, configure its tunnel source and destination IP addresses, and associate the IPsec profile:
    1. Create your primary tunnel interface with an ID:
      interface <Primary Tunnel Interface>
      nameif vti
    2. Enter a local IP address for the interface:
      ip address <dummy_subnet1_ip1> 255.255.255.252
    3. Set the tunnel source interface, that is, the egress interface of the edge device:
      tunnel source interface <outgoing_interface>
    4. Set the tunnel destination IP address of the primary data center, which you can find in the tunnel Setup Info dialog:
      tunnel destination <Primary_destination_address>
    5. Define the tunnel mode:
      tunnel mode ipsec ipv4
    6. Enter the profile name you configured for the IPsec tunnels:
      tunnel protection ipsec profile <IPsec Profile Name>
  3. Create the secondary tunnel interface, configure its tunnel source and destination IP addresses, and associate the IPsec profile:
    1. Create your secondary tunnel interface with an ID:
      interface <secondary Tunnel Interface>
      nameif vti_backup
    2. Enter a local IP address for the interface:
      ip address <dummy_subnet2_ip1> 255.255.255.252
    3. Set the tunnel source interface, that is, the egress interface of the edge device:
      tunnel source interface <outgoing_interface>
    4. Set the tunnel destination IP address of the secondary data center, which you can find in the tunnel Setup Info dialog:
      tunnel destination <Secondary_destination_address>
    5. Define the tunnel mode:
      tunnel mode ipsec ipv4
    6. Enter the profile name you configured for the IPsec tunnels:
      tunnel protection ipsec profile <IPsec Profile Name>
  4. Create a route map that specifies the tunnel next hops to use during failover:
    1. Define a route map to match traffic against:
      route-map <Route Map Name> permit 10
    2. Assign the access-list to the route map you created:
      match ip address <access_list_name>
    3. Set the IP next hops (the primary tunnel's far-end address first, then the backup's):
      set ip next-hop <dummy_subnet1_ip2> <dummy_subnet2_ip2>
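As an added example (not part of the Forcepoint or Cisco documentation), the following Python script derives the four dummy addresses from two /30 blocks, rejects blocks that are too small or that overlap, and renders the stanza from steps 1 to 4 using the example addressing above; the profile, proposal, interface, peer and access-list names are constructed placeholders.

```python
import ipaddress

# Constructed placeholder names; the peer addresses are TEST-NET values,
# not real Forcepoint ONE SSE data-center IPs. Substitute your own.
DEFAULTS = dict(profile="FP-IPSEC-PROFILE", proposal="FP-IKEV2-PROPOSAL",
                primary_if="Tunnel1", backup_if="Tunnel2", outside="outside",
                primary_peer="203.0.113.10", backup_peer="203.0.113.20",
                route_map="FP-PBR", acl="WEB-TRAFFIC")

def dummy_addresses(subnet1: str, subnet2: str) -> dict:
    """Derive ip1 (VTI address) and ip2 (PBR next hop) for each dummy block."""
    nets = [ipaddress.ip_network(s, strict=True) for s in (subnet1, subnet2)]
    for n in nets:
        if n.prefixlen > 30:  # /31 and /32 do not yield two usable addresses
            raise ValueError(f"{n} is smaller than /30")
    if nets[0].overlaps(nets[1]):
        raise ValueError(f"{nets[0]} overlaps {nets[1]}")
    out = {}
    for i, n in enumerate(nets, 1):
        first, second = list(n.hosts())[:2]
        out[f"dummy_subnet{i}_ip1"] = str(first)    # assigned to the VTI
        out[f"dummy_subnet{i}_ip2"] = str(second)   # represents the far end
        out[f"dummy_subnet{i}_mask"] = str(n.netmask)
    return out

def render_asa_config(a: dict, **kw) -> str:
    """Emit the ASA stanza for steps 1 to 4, in order, as one string."""
    p = {**DEFAULTS, **kw}
    def vti(name, nameif, ip, mask, peer):
        return [f"interface {name}", f" nameif {nameif}", f" ip address {ip} {mask}",
                f" tunnel source interface {p['outside']}", f" tunnel destination {peer}",
                " tunnel mode ipsec ipv4", f" tunnel protection ipsec profile {p['profile']}"]
    lines = [f"crypto ipsec profile {p['profile']}",
             f" set ikev2 ipsec-proposal {p['proposal']}",
             " set security-association lifetime kilobytes 4608000",
             " set security-association lifetime seconds 28800"]
    lines += vti(p["primary_if"], "vti", a["dummy_subnet1_ip1"],
                 a["dummy_subnet1_mask"], p["primary_peer"])
    lines += vti(p["backup_if"], "vti_backup", a["dummy_subnet2_ip1"],
                 a["dummy_subnet2_mask"], p["backup_peer"])
    lines += [f"route-map {p['route_map']} permit 10",
              f" match ip address {p['acl']}",
              f" set ip next-hop {a['dummy_subnet1_ip2']} {a['dummy_subnet2_ip2']}"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_asa_config(dummy_addresses("192.168.254.0/30", "192.168.254.4/30")))
```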