topic Re: Do i need licenses in FTDs in order to implement a site to site VP in Network Security

Do i need licenses in FTDs in order to implement a site to site VPN?

Ditter — Wed, 07 Feb 2024 14:26:35 GMT

Hi to all,

i am trying to implement a site to site IPSec VPN between an FTD-HA pair and a cisco 2821.

Till now i haven't succeeded in doing so , but before starting to dig dipper i would like to ask you if there are needed any special licenses for this.

Currently we have the licenses you can see in the picture attached.

Thanks,

Ditter

Re: Do i need licenses in FTDs in order to implement a site to site VP

Rob Ingram — Wed, 07 Feb 2024 15:02:25 GMT

@Ditter you just need strong crypto enabled.

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/215838-fmc-and-ftd-smart-license-registration-a.html#toc-hId-408311610

Re: Do i need licenses in FTDs in order to implement a site to site VP

Aref Alsouqi — Wed, 07 Feb 2024 14:42:56 GMT

No additional licenses are required for the S2S VPN. What issues are you running into?

Re: Do i need licenses in FTDs in order to implement a site to site VP

Aref Alsouqi — Wed, 07 Feb 2024 14:43:44 GMT

Hey Rob, I think you pasted the link of this thread by mistake? (smiley face)

Re: Do i need licenses in FTDs in order to implement a site to site VP

Ditter — Wed, 07 Feb 2024 14:44:37 GMT

Thanks Rob, but i can see that there even older implementations supported in FTD , for example DES.

Re: Do i need licenses in FTDs in order to implement a site to site VP

Rob Ingram — Wed, 07 Feb 2024 14:58:33 GMT

@Aref Alsouqi just checking you were paying attention. Amended the link

Re: Do i need licenses in FTDs in order to implement a site to site VP

Ditter — Wed, 07 Feb 2024 15:00:14 GMT

Hi Aref ,

thanks for the concern.

My implementation is fairly simple.

The 2821 has the following config:

crypto isakmp policy 1
encr aes 256
authentication pre-share
group 14
crypto isakmp key ***** address 192.168.64.17
crypto isakmp keepalive 30
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode transport
!
crypto map vpn-to-hq 10 ipsec-isakmp
set peer 192.168.64.17
set transform-set TS
match address VPN-TRAFFIC

Router#sh ip access-lists
Extended IP access list VPN-TRAFFIC
10 permit ip 192.168.105.176 0.0.0.15 any (2000 matches)

and

interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip address dhcp
crypto map vpn-to-hq

Equivalent config in the FTD side.

Do you see any mistake in the 2821 config?

In addition to the FTD i have permitted via the ACP the traffic from everywhere to the interface of the FTD where the vpn listes (192.168.64.17)

Thanks,

Ditter

Re: Do i need licenses in FTDs in order to implement a site to site VP

Aref Alsouqi — Wed, 07 Feb 2024 15:39:41 GMT

The only two things that I can think of are:

1) The mode under the crypto ipsec transform-set should be "tunnel" instead of "transport".

2) Not sure how your NAT configs look like, if there is NAT then you should exemption the VPN traffic on the devices?

Re: Do i need licenses in FTDs in order to implement a site to site VP

Aref Alsouqi — Wed, 07 Feb 2024 15:40:13 GMT

@Rob Ingram I had enough coffee today : D

Re: Do i need licenses in FTDs in order to implement a site to site VP

Ditter — Wed, 07 Feb 2024 20:52:17 GMT

Thanks , i did change to tunnel mode but what made the difference and the tunnel came up was to change the 2821 side from dynamic IP to static.

So the problem is why the ipsec tunnel does not come up when the 2821 IP is set to dynamic.

Please refer to the screenshot.

Thanks,

Ditter

Re: Do i need licenses in FTDs in order to implement a site to site VP

Aref Alsouqi — Thu, 08 Feb 2024 14:28:05 GMT

Not sure, sorry. I would need to see the full config to trying to give an answer 🙂

Re: Do i need licenses in FTDs in order to implement a site to site VP

Ditter — Sun, 11 Feb 2024 13:10:02 GMT

Hi Aref,

i have ended in a strange situation where when i initiate the IPSEC-VPN from the FTD it initiates the iSAKMP as well as the IPSec phase with the cisco vpn router , but when i initiate the tunnel from the cisco vpn router the isakmp phase does not initiate.

There is no firewall issue as the source interface of the router is permitted as ip in the ACP policy. I even tried to permit ip any any in the firewall with no luck either.

In between the cisco vpn router and the firewall there are no other firewalls or ACLs.

And in the FTD i have permitted the initiation of vpn from both directions. Please refer to the screenshot.

The interesting traffic tries to go through the tunnel because i see matches in the ACL which corresponds to interesting traffic but the isakmp does not initiate.

Any clues of why i can not inititiate the VPN from the cisco router?

Thanks

Ditter

Re: Do i need licenses in FTDs in order to implement a site to site VP

MHM Cisco World — Sun, 11 Feb 2024 13:16:07 GMT

Sure there is'

The dynamic peer can initiate the VPN IPsec since it config with staitc IP toward the static Peer

The static Peer can not initiate the VPN since the Peer IP in unknown.

So you need to make dynamic peer always initiate the traffic' this can done by config ip sla (LAN to LAN) to make VPN tunnel UP.

MHM

Re: Do i need licenses in FTDs in order to implement a site to site VP

Ditter — Sun, 11 Feb 2024 15:43:19 GMT

Thanks for the reply , but forgot to mention that because of the issues i had with the dynamic peer in one side , i changed both sides to static.

So they are both static (cisco vpn router as well as the ftd).

Re: Do i need licenses in FTDs in order to implement a site to site VP

Ditter — Sun, 11 Feb 2024 15:50:39 GMT

But even with ip sla the problem is that the cisco --> FTD IPSec tunnel does not come up. IP SLA would be useful if i wanted to keep the ipsec tunnel up even if no interesting traffic went through. But in my case tge vpn does not come up when initiated fro cisco router side

Re: Do i need licenses in FTDs in order to implement a site to site VP

Rob Ingram — Sun, 11 Feb 2024 15:54:25 GMT

@Ditter What was the source of the traffic when you attempt to establish the tunnel from the router? Did you have the ike debugs enabled and nothing was generated? Do you have NAT configured on the router? Is the router the default gateway for the devices behind the router? Is PFS configured on one peer but not the other? Provide your full router configuration and screenshots from the FMC or even the crypto, tunnel-group running configuration of the FTD.

Re: Do i need licenses in FTDs in order to implement a site to site VP

Ditter — Sun, 11 Feb 2024 15:57:03 GMT

Just did one more retry from the cisco side to FTD :

The debug output is the following:

ping 192.168.90.60 source fastEthernet 0/1

where on fastethernet 0/1 exists the vpn policy.

Feb 11 15:53:34.030: ISAKMP:(0): Phase 1 negotiation failed with DPD active; deleting IKE/IPSec SAs
Feb 11 15:53:34.030: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 192.168.64.17)
Feb 11 15:53:34.030: ISAKMP:(0):Can't decrement IKE Call Admission Control stat outgoing_negotiating since it's already 0.
Feb 11 15:53:34.030: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 192.168.64.17)

Re: Do i need licenses in FTDs in order to implement a site to site VP

Ditter — Sun, 11 Feb 2024 16:30:42 GMT

Please see my thread right after your reply as far as the source of the traffic. Debugs are the ones i sent .

No NAT configured.

No PFS is configured (at least at the ftd side is not checked).

Cisco remote site VPN config:

crypto isakmp policy 1
encr aes
authentication pre-share
group 5
crypto isakmp key <omitted> address 192.168.64.17
crypto isakmp keepalive 30
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
crypto map vpn-to-hq 10 ipsec-isakmp
set peer 192.168.64.17
set transform-set TS
match address VPN-TRAFFIC

!
!
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip address 192.168.64.53 255.255.255.252
crypto map vpn-to-hq
!

interface FastEthernet0/1
ip address 192.168.105.177 255.255.255.240
duplex auto
speed auto

ip route 0.0.0.0 0.0.0.0 192.168.64.54

The interesting traffic should go through 192.168.64.17
ip route 192.168.90.32 255.255.255.224 192.168.64.17
!
ip access-list extended VPN-TRAFFIC
permit ip 192.168.105.176 0.0.0.15 192.168.90.32 0.0.0.31

FTD Side

crypto ipsec ikev1 transform-set CSM_TS_1 esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map CSM_vlan_26_map 2 match address from_90_32_to_105_176
crypto map CSM_vlan_26_map 2 set peer 192.168.64.53
crypto map CSM_vlan_26_map 2 set ikev1 phase1-mode aggressive group5
crypto map CSM_vlan_26_map 2 set ikev1 transform-set CSM_TS_1
crypto map CSM_vlan_26_map 2 set security-association lifetime seconds 86400
crypto map CSM_vlan_26_map 2 set reverse-route
crypto map CSM_vlan_26_map interface vlan_26
crypto ca trustpool policy
revocation-check crl none
no crypto isakmp nat-traversal
crypto ikev1 enable vlan_26
crypto ikev1 policy 20
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400

group-policy .DefaultS2SGroupPolicy internal
group-policy .DefaultS2SGroupPolicy attributes
vpn-idle-timeout 30
vpn-idle-timeout alert-interval 1
vpn-session-timeout none
vpn-session-timeout alert-interval 1
vpn-filter none
vpn-tunnel-protocol ikev1 ikev2
dynamic-access-policy-record DfltAccessPolicy
tunnel-group 192.168.64.53 type ipsec-l2l
tunnel-group 192.168.64.53 general-attributes
default-group-policy .DefaultS2SGroupPolicy
tunnel-group 192.168.64.53 ipsec-attributes
ikev1 pre-shared-key *****

Till now : The tunnel comes up when traffic is initiated from a client behind FTD in 192.168.90.0/24 network towards cisco vpn router at 192.168.105.176 network but no icmp reply returns back.

When the ping starts from a client behind the cisco route at 192.168.105.176 255.255.255.240 network to 192.168.90.32/27 the tunnel does not come up and off course no ping reply gets back.

Any ideas to try most welcome....!!!

Ditter

Re: Do i need licenses in FTDs in order to implement a site to site VP

MHM Cisco World — Sun, 11 Feb 2024 16:47:16 GMT

We return to same point'

Are you use PPPoE or DHCP in WAN interface of FTD ?

Re: Do i need licenses in FTDs in order to implement a site to site VP

Rob Ingram — Sun, 11 Feb 2024 16:47:55 GMT

@Ditter why have you got this route below, traffic should be routed to the next hop 192.168.64.54 and it should route onward.

ip route 192.168.90.32 255.255.255.224 192.168.64.17

Remove it.