[c-nsp] Multi-homed ASA with a virtual interface for IPSec termination

Jason Lixfeld jason at lixfeld.ca
Mon May 28 17:36:06 EDT 2018


Hey all,

I want to use BGP to multi-home an ASA that is to be configured as a P2P IPSec head-end.  The eBGP stuff is trivial, but what I’m not sure of is how to anchor a /32 that is to be used as the IPSec destination IP that the remote tunnels will point to.  Last I looked, ASA didn’t support the concept of a loopback interface, and my review of VTI seems to suggest that it requires a VTI on both sides, which is a non-starter here because I don’t control the clients that will be connecting to this head-end.

Come to think of it, thinking aloud, if I recall (it’s been a long time since I’ve touched an ASA), creating a NAT entry with reverse-route injection enabled will inject the IP attached to that NAT entry into the ASA routing table, so I guess that should in turn get advertised at that point, so that could be used by the remote tunnels as the head-end IP?  Does that sound familiar to anyone as something that may work?  If not, is there anything else that may do what I’m after?

Thanks!
