Do i need licenses in FTDs in order to implement a site to site VPN?

Ditter
Level 4

Hi to all,

I am trying to implement a site-to-site IPsec VPN between an FTD HA pair and a Cisco 2821.

Till now I haven't succeeded in doing so, but before starting to dig deeper I would like to ask you whether any special licenses are needed for this.

Currently we have the licenses you can see in the picture attached.

Thanks,

Ditter

43 Replies

Hey Rob, I think you pasted the link of this thread by mistake? (smiley face)

@Aref Alsouqi just checking you were paying attention. Amended the link

@Rob Ingram  I had enough coffee today : D

Thanks Rob, but I can see that there are even older implementations supported in FTD, for example DES.

No additional licenses are required for the S2S VPN. What issues are you running into?

Hi Aref,

Thanks for the concern.

My implementation is fairly simple.

The 2821 has the following config:

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key ***** address 192.168.64.17
crypto isakmp keepalive 30
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode transport
!
crypto map vpn-to-hq 10 ipsec-isakmp
 set peer 192.168.64.17
 set transform-set TS
 match address VPN-TRAFFIC

Router#sh ip access-lists
Extended IP access list VPN-TRAFFIC
    10 permit ip 192.168.105.176 0.0.0.15 any (2000 matches)

and

interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address dhcp
 crypto map vpn-to-hq

Equivalent config in the FTD side.

Do you see any mistake in the 2821 config?

In addition, on the FTD I have permitted via the ACP the traffic from everywhere to the interface of the FTD where the VPN listens (192.168.64.17).

Thanks,


Ditter

The only two things that I can think of are:

1) The mode under the crypto ipsec transform-set should be "tunnel" instead of "transport".

2) Not sure what your NAT configs look like; if there is NAT then you should exempt the VPN traffic on the devices.
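Applying both points to the 2821 config posted above, as an added example rather than the poster's own configuration: the transform-set is switched to tunnel mode, and a NAT-exemption ACL is placed in front of an assumed `ip nat inside source ... overload` statement so VPN traffic is never translated. The ACL name NAT-TRAFFIC, the remote-LAN and static WAN placeholders, and the NAT statement itself are assumptions; the crypto ACL is also narrowed from `any` to the remote LAN, because with `any` every packet leaving 192.168.105.176/28 (Internet traffic included) matches the crypto map.

```cisco
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key <PSK> address 192.168.64.17
crypto isakmp keepalive 30
!
! Point 1: LAN-to-LAN crypto maps need tunnel mode, not transport
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode tunnel
!
! Crypto ACL: only local LAN -> remote LAN is interesting traffic
! (<REMOTE-LAN> <REMOTE-WILDCARD> are placeholders; not given in the thread)
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.105.176 0.0.0.15 <REMOTE-LAN> <REMOTE-WILDCARD>
!
! Point 2: NAT exemption. The deny line must mirror the crypto ACL
! exactly and precede the permit, otherwise VPN traffic gets PATed and
! never matches the crypto map.
ip access-list extended NAT-TRAFFIC
 deny   ip 192.168.105.176 0.0.0.15 <REMOTE-LAN> <REMOTE-WILDCARD>
 permit ip 192.168.105.176 0.0.0.15 any
!
! Assumed overload NAT on the WAN subinterface
ip nat inside source list NAT-TRAFFIC interface FastEthernet0/0.1 overload
!
crypto map vpn-to-hq 10 ipsec-isakmp
 set peer 192.168.64.17
 set transform-set TS
 match address VPN-TRAFFIC
!
! WAN side: static address as the thread ended up using (placeholders)
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address <STATIC-WAN-IP> <MASK>
 ip nat outside
 crypto map vpn-to-hq
!
! The interface facing 192.168.105.176/28 needs "ip nat inside"
```

Verify with `show crypto ipsec sa` that the encrypted/decrypted counters rise on the local/remote identity pair, and with `show ip nat translations` that no entries exist for the remote LAN.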

Thanks, I did change to tunnel mode, but what made the difference and brought the tunnel up was to change the 2821 side from a dynamic IP to static.

So the problem is why the IPsec tunnel does not come up when the 2821 IP is set to dynamic.

Please refer to the screenshot.

Thanks,

Ditter

Not sure, sorry. I would need to see the full config to try to give an answer.

Hi Aref,

I have ended up in a strange situation where, when I initiate the IPsec VPN from the FTD, it initiates the ISAKMP as well as the IPsec phase with the Cisco VPN router, but when I initiate the tunnel from the Cisco VPN router the ISAKMP phase does not initiate.

There is no firewall issue, as the source interface of the router is permitted as ip in the ACP policy. I even tried to permit ip any any in the firewall with no luck either.

In between the Cisco VPN router and the firewall there are no other firewalls or ACLs.

And in the FTD I have permitted the initiation of the VPN from both directions. Please refer to the screenshot.

The interesting traffic tries to go through the tunnel, because I see matches in the ACL which corresponds to the interesting traffic, but ISAKMP does not initiate.

Any clues as to why I cannot initiate the VPN from the Cisco router?

Thanks

Ditter

Sure there is.

The dynamic peer can initiate the IPsec VPN since it is configured with a static IP toward the static peer.

The static peer cannot initiate the VPN since the peer IP is unknown.

So you need to make the dynamic peer always initiate the traffic; this can be done by configuring IP SLA (LAN to LAN) to keep the VPN tunnel up.

MHM

Thanks for the reply, but I forgot to mention that because of the issues I had with the dynamic peer on one side, I changed both sides to static.

So they are both static (the Cisco VPN router as well as the FTD).

Ditter
Level 4

But even with IP SLA the problem is that the Cisco --> FTD IPsec tunnel does not come up. IP SLA would be useful if I wanted to keep the IPsec tunnel up even if no interesting traffic went through. But in my case the VPN does not come up when initiated from the Cisco router side.
