
Set up OpenVPN tunnel with Cisco FTD/ASA

loc.nguyen
Level 1

Hi,

Cisco FTD/ASA can set up IPsec site-to-site VPN for sure.

Is it possible for Cisco FTD/ASA to set up an OpenVPN tunnel?

A company wants to set up a site-to-site VPN with my company. They only support OpenVPN tunnels. I am not sure if we can support it. We will use an FTD firewall to set it up.

Thanks

Loc


Accepted Solutions

Hi

I used to use OpenVPN between Linux servers in a site-to-site topology. And I think it is possible to establish it with ASA as well.

To establish a VPN tunnel, both sides must match some requirements. No big deal. For example:

IKE (Phase 1)
Encryption: AES256
Hash: SHA384

IPsec (Phase 2)
Encryption: AES256
Hash: SHA384

If both sides agree on this setup, the tunnel will be up and running. The link below is an example of establishing a VPN with Azure. You will never know what they are using on their side. Maybe they are using OpenVPN and we don't know.

As long as the parameters match, there will be a VPN.

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-compliance-crypto

 


7 Replies

Flavio, 

The link you sent seems to be about IPsec VPN.

My understanding: as long as both sites are using IPsec VPN and have the same parameters, it should be good to go.

I never set up OpenVPN before. Does it use parameters like IPsec Phase 1 and Phase 2?

Thanks

Loc

This is standard for site-to-site VPN. End you, IPsec VPN. We also have SSL VPN but it is not the case. The link I shared is just to give an example of multi-platform VPN construction.

loc.nguyen
Level 1

Hi,

I just got a reply from my vendor. They said they did not do IPsec VPN. They request that my Cisco firewall accept their remote access OpenVPN.

My questions now are:

- Does Cisco FTD firewall support remote access OpenVPN at all?

- If yes, which port/how do we set up to support that?

Thanks

Loc

Hello,

 

FTD does support SSL VPNs, so Open VPN should work. Have a look at the video linked below (at about the 10 minute marker it starts with the SSL configuration)...

 

https://www.youtube.com/watch?v=zV574RryYFk


It looks like the link is for AnyConnect VPN, not OpenVPN. I watched the whole video.

I don't think FMC has an option to choose non-AnyConnect.

I guess you did not set up OpenVPN with FTD before.