topic Re: IPsec migration From ASA to FTD in Network Security

IPsec migration From ASA to FTD

NETAD — Fri, 21 Feb 2020 16:40:58 GMT

Hello, I'm migrating 33 IPsec tunnels from a 5520 to a 2110 FTD. I ran into couple issues:

1-Trying to do a hub and spoke topology but there's a limitation with the pre-shared key that it should be the same across all the spokes. Why is that

2-I have few spokes with dynamic IPs but FMC gives only the option to chose either static or dynamic

3-If I decided to create 33 point-to-point tunnels, how can I allow spoke to spoke traffic, and how would I configure the dynamic tunnels? In my lab I tried creating a wildcard for the dynamic tunnels but they didn't come up.

Thanks

Re: IPsec migration From ASA to FTD

Marvin Rhoads — Tue, 22 Jan 2019 13:57:29 GMT

If you don't want to or are unable to use the same PSK, you will need to create all of the site-site VPNs separately.

Spoke to spoke traffic will have to flow through the hub and must be allowed by the crypto map(s) and any NAT exemptions will need to take it into account.

Unfortunately the FTD platform doesn't offer anything like DMVPN or such as is available on IOS-based routers.

Re: IPsec migration From ASA to FTD

NETAD — Tue, 22 Jan 2019 16:11:23 GMT

Thanks Marvin, what about the dynamic tunnels?

Re: IPsec migration From ASA to FTD

Abheesh Kumar — Tue, 22 Jan 2019 17:44:40 GMT

Hi,
Dynamic crypto can be able to configure in FTD.

Re: IPsec migration From ASA to FTD

NETAD — Tue, 22 Jan 2019 21:48:28 GMT

Not when you create p2p tunnels.

Re: IPsec migration From ASA to FTD

Abheesh Kumar — Wed, 23 Jan 2019 05:52:43 GMT

Hi.
You can configure dynamic cryptomap for L2L tunnels. scenario like the spoke have a dynamic IP and HUB have static IP. But you need to share the same shared secret across all the dynamic spokes.
As Marvin said you can allow spoke to spoke traffic via HUB.

Hope This Helps
Abheesh

Re: IPsec migration From ASA to FTD

NETAD — Wed, 23 Jan 2019 15:28:28 GMT

ok but how do you exactly do that? Through a wildcard within the P2P topology?

Re: IPsec migration From ASA to FTD

NETAD — Sat, 26 Jan 2019 22:00:18 GMT

We configured all tunnels as S2S and the dynamic ones as hub and spoke with a wild card(0.0.0.0) for remote peers. Spoke to spoke communication is allowed by checking a check box within the hub and spoke topology.

For spoke to spoke communication through the hub between the S2S tunnels, we summarized all the spoke networks and entered it on each spoke S2S in the hub protected networks.

In addition we had to configure an access rule from outside to outside to allow the spoke to spoke communication.

Not to forget the NAT exemptions.

Thanks for your help on this.