02-07-2024 06:26 AM
Hi to all,
I am trying to implement a site-to-site IPsec VPN between an FTD HA pair and a Cisco 2821.
So far I haven't succeeded in doing so, but before starting to dig deeper I would like to ask whether any special licenses are needed for this.
Currently we have the licenses you can see in the picture attached.
Thanks,
Ditter
02-07-2024 06:37 AM - edited 02-07-2024 07:02 AM
02-07-2024 06:43 AM
Hey Rob, I think you pasted the link to this thread by mistake? :)
02-07-2024 06:58 AM
@Aref Alsouqi just checking you were paying attention. Amended the link
02-07-2024 07:40 AM
@Rob Ingram I had enough coffee today :D
02-07-2024 06:44 AM
02-07-2024 06:42 AM
No additional licenses are required for the S2S VPN. What issues are you running into?
02-07-2024 07:00 AM
Hi Aref ,
thanks for your concern.
My implementation is fairly simple.
The 2821 has the following config:
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 14
crypto isakmp key ***** address 192.168.64.17
crypto isakmp keepalive 30
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode transport
!
crypto map vpn-to-hq 10 ipsec-isakmp
set peer 192.168.64.17
set transform-set TS
match address VPN-TRAFFIC
Router#sh ip access-lists
Extended IP access list VPN-TRAFFIC
10 permit ip 192.168.105.176 0.0.0.15 any (2000 matches)
and
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip address dhcp
crypto map vpn-to-hq
Equivalent config on the FTD side.
Do you see any mistake in the 2821 config?
In addition, on the FTD I have permitted via the ACP the traffic from everywhere to the FTD interface on which the VPN listens (192.168.64.17).
Thanks,
Ditter
02-07-2024 07:39 AM
The only two things that I can think of are:
1) The mode under the crypto ipsec transform-set should be "tunnel" instead of "transport".
2) Not sure what your NAT configs look like; if there is NAT, then you should exempt the VPN traffic from it on the devices?
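As an added example (not from any post in this thread), here is what the two points above look like on the 2821 side: the transform-set in tunnel mode, and a NAT exemption so that LAN-to-remote-LAN traffic is not translated before the crypto map sees it. It assumes PAT on FastEthernet0/0.1 and a remote LAN of 192.0.2.0/24 behind the FTD; the thread does not state the remote subnet, the NAT configuration or the name of the LAN interface, so those values are placeholders.

```cisco
! Added example, not the poster's config. Assumes PAT on Fa0/0.1 and a
! remote LAN of 192.0.2.0/24 behind the FTD (placeholder values).
!
! Transport mode only protects traffic that terminates on the two peers
! themselves; LAN-to-LAN traffic between the two sites needs tunnel mode.
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode tunnel
!
! NAT exemption: deny the VPN traffic in the NAT ACL so it keeps its
! private source address and still matches VPN-TRAFFIC on the crypto map;
! everything else from the LAN is still translated.
ip access-list extended NAT-INSIDE
 deny   ip 192.168.105.176 0.0.0.15 192.0.2.0 0.0.0.255
 permit ip 192.168.105.176 0.0.0.15 any
!
ip nat inside source list NAT-INSIDE interface FastEthernet0/0.1 overload
!
interface FastEthernet0/0.1
 ip nat outside
! (ip nat inside is assumed to be set on the LAN interface, which the
!  thread does not name)
!
! Verification: no translation entry should appear for traffic towards
! 192.0.2.0/24, and the SA should report "Tunnel" in its settings.
! show ip nat translations
! show crypto ipsec sa
```

The order of evaluation on IOS is what makes the deny line necessary: inside-to-outside NAT is applied before the crypto map is checked on the egress interface, so a translated packet would no longer match the crypto ACL and would leave the router in the clear.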
02-07-2024 12:52 PM
02-08-2024 06:28 AM
Not sure, sorry. I would need to see the full config to try to give an answer.
02-11-2024 05:10 AM
Hi Aref,
I have ended up in a strange situation: when I initiate the IPsec VPN from the FTD, it initiates the ISAKMP as well as the IPsec phase with the Cisco VPN router, but when I initiate the tunnel from the Cisco VPN router, the ISAKMP phase does not initiate.
There is no firewall issue, as the source interface of the router is permitted as IP in the ACP policy. I even tried to permit ip any any in the firewall, with no luck either.
Between the Cisco VPN router and the firewall there are no other firewalls or ACLs.
And on the FTD I have permitted the initiation of the VPN from both directions. Please refer to the screenshot.
The interesting traffic tries to go through the tunnel, because I see matches in the ACL that corresponds to the interesting traffic, but ISAKMP does not initiate.
Any clues as to why I cannot initiate the VPN from the Cisco router?
Thanks
Ditter
02-11-2024 05:16 AM
Sure there is.
The dynamic peer can initiate the IPsec VPN since it is configured with a static IP toward the static peer.
The static peer cannot initiate the VPN since the peer IP is unknown.
So you need to make the dynamic peer always initiate the traffic; this can be done by configuring IP SLA (LAN to LAN) to bring the VPN tunnel up.
MHM
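As an added example (not from any post in this thread), this is the IP SLA arrangement the reply above refers to, on the 2821: a periodic ICMP probe sourced from the LAN address so that it matches the VPN-TRAFFIC crypto ACL and the router keeps acting as initiator. It assumes the router's LAN address is 192.168.105.177 (inside the 192.168.105.176/28 range from the posted ACL) and an always-reachable host 192.0.2.10 behind the FTD; both are placeholders, since the thread gives neither.

```cisco
! Added example, not the poster's config. Assumes the 2821's LAN address
! is 192.168.105.177 and a reachable host 192.0.2.10 behind the FTD
! (placeholder values).
!
! Probe the far-side host every 30 seconds. Sourcing the echo from the
! LAN address is what makes it "interesting traffic": it matches the
! crypto ACL, so the probe itself triggers the ISAKMP/IPsec negotiation
! whenever the tunnel is down.
ip sla 10
 icmp-echo 192.0.2.10 source-ip 192.168.105.177
 frequency 30
ip sla schedule 10 life forever start-time now
!
! Optional: track the probe so that reachability across the tunnel is
! visible (and usable by routing or EEM if needed).
track 10 ip sla 10 reachability
!
! Verification:
! show ip sla statistics 10
! show track 10
! show crypto isakmp sa
```

The probe only guarantees that the router is the side that initiates; whether the negotiation then succeeds depends on the rest of the configuration, which is why the probe's timeout and frequency should stay conservative (the default 5-second timeout with a 30-second frequency is fine) so that a failing tunnel does not generate a flood of negotiation attempts.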
02-11-2024 07:43 AM
Thanks for the reply, but I forgot to mention that because of the issues I had with the dynamic peer on one side, I changed both sides to static.
So they are both static (the Cisco VPN router as well as the FTD).
02-11-2024 07:46 AM - edited 02-11-2024 07:50 AM
But even with IP SLA the problem is that the Cisco --> FTD IPsec tunnel does not come up. IP SLA would be useful if I wanted to keep the IPsec tunnel up even if no interesting traffic went through. But in my case the VPN does not come up when initiated from the Cisco router side.