FTD Dynamic L2L VPNs

babalao
Spotlight

Hello,

We want to have a FTD (with static public IP) and several Cisco routers (with dynamic IP) connected with IPSEC IKEv2 L2L VPNs with different PSKs for each VPN.

We don't find on the FTD how to check the receiving ID that the router would send to match the correct tunnel.

Looking at this doc: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118652-configure-asa-00.html

In the doc, in the ASA part, the ID sent by the router with dynamic IP is matched by tunnel-group name. I need to do something similar but with FTD instead of an ASA.

FTD v7.6.2 (managed with FMC).

Please any guidance would be appreciated.

Regards

Accepted Solution

@babalao I don't believe there is an elegant solution natively in the GUI, but you can use FlexConfig to deploy a tunnel-group that matches on the Key ID sent from the spoke router.

In the example below, TEST is the key ID configured as the identity on the spoke router; the FTD has a tunnel-group named TEST.

[image: RobIngram_0-1762704233017.png]

"TEST" is the key ID as specified as the local identity on the spoke router

# ROUTER

crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 1.1.1.1 255.255.255.255
 identity local key-id TEST

From the FTD, you can confirm the connection request matches the correct tunnel-group (connection profile) using the command show vpn-sessiondb l2l.

# FTD DVTI HUB

FTD77# show vpn-sessiondb l2l

Session Type: LAN-to-LAN

Connection : TEST
Index : 86 IP Addr : 2.2.2.1
Protocol : IKEv2 IPsec
Encryption : IKEv2: (1)AES-GCM-256 IPsec: (1)AES-GCM-256
Hashing : IKEv2: (1)none IPsec: (1)none
Bytes Tx : 180 Bytes Rx : 192
Login Time : 16:01:07 UTC Sun Nov 9 2025
Duration : 0h:00m:20s
Tunnel Zone : 0

HTH

4 Replies

babalao
Spotlight

Hello,

please, any ideas on this?

Thank you

Hello Rob.

Do you mean I would configure from the GUI with the wizard and then edit it via FlexConfig, or should I configure from scratch with FlexConfig?

And if the first option, can I edit an already created tunnel-group name?

Thank you for the reply.

@babalao create a FlexConfig object with the new tunnel-group from scratch, as per the example above, and deploy it to the FTD.

If there is no specific tunnel-group name that matches the sent key ID, then the connection would match the default L2L tunnel group.
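The two points made in this thread, that you verify which connection profile a spoke landed on with show vpn-sessiondb l2l, and that a spoke whose key ID matches no tunnel-group silently falls through to the default L2L group, lend themselves to a small audit. The following Python is an added example, not code from the thread or from Cisco: it parses the session listing into records and flags any session whose Connection name is not in the allow-list of expected key IDs, as well as expected spokes that are not connected. The sample output is constructed for the example (the first session copies the one in the post, the second is invented); the name DefaultL2LGroup for the default tunnel-group, and the assumption that it appears verbatim in the Connection field, are assumptions, which is why anything outside the allow-list is flagged regardless of how it is displayed.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on "show vpn-sessiondb l2l" from the thread.
# Session 1 is the one in the post. Session 2 is invented: a spoke whose
# key ID matched no connection profile and therefore landed on the default
# L2L tunnel-group (shown here as "DefaultL2LGroup" - an assumption).
SAMPLE_OUTPUT = """\
Session Type: LAN-to-LAN

Connection : TEST
Index : 86 IP Addr : 2.2.2.1
Protocol : IKEv2 IPsec
Encryption : IKEv2: (1)AES-GCM-256 IPsec: (1)AES-GCM-256
Hashing : IKEv2: (1)none IPsec: (1)none
Bytes Tx : 180 Bytes Rx : 192
Login Time : 16:01:07 UTC Sun Nov 9 2025
Duration : 0h:00m:20s
Tunnel Zone : 0

Connection : DefaultL2LGroup
Index : 91 IP Addr : 203.0.113.7
Protocol : IKEv2 IPsec
Encryption : IKEv2: (1)AES-GCM-256 IPsec: (1)AES-GCM-256
Hashing : IKEv2: (1)none IPsec: (1)none
Bytes Tx : 0 Bytes Rx : 64
Login Time : 16:03:42 UTC Sun Nov 9 2025
Duration : 0h:00m:05s
Tunnel Zone : 0
"""


@dataclass
class L2LSession:
    connection: str   # tunnel-group / connection profile the peer matched
    peer: str         # remote IP address of the spoke
    protocol: str
    login_time: str


# One targeted pattern per field; "Index : 86 IP Addr : 2.2.2.1" carries two
# key/value pairs on one line, so IP Addr is searched without an anchor.
_CONN_RE = re.compile(r"^Connection\s*:\s*(\S+)", re.M)
_PEER_RE = re.compile(r"IP Addr\s*:\s*(\S+)")
_PROTO_RE = re.compile(r"^Protocol\s*:\s*(.+?)\s*$", re.M)
_LOGIN_RE = re.compile(r"^Login Time\s*:\s*(.+?)\s*$", re.M)


def parse_l2l_sessions(text):
    """Split the CLI output into one L2LSession per 'Connection :' block."""
    sessions = []
    for chunk in re.split(r"\n(?=Connection\s*:)", text):
        conn = _CONN_RE.search(chunk)
        if not conn:
            continue  # header such as "Session Type: LAN-to-LAN"
        peer = _PEER_RE.search(chunk)
        proto = _PROTO_RE.search(chunk)
        login = _LOGIN_RE.search(chunk)
        sessions.append(L2LSession(
            connection=conn.group(1),
            peer=peer.group(1) if peer else "",
            protocol=proto.group(1) if proto else "",
            login_time=login.group(1) if login else "",
        ))
    return sessions


def audit_l2l_sessions(text, expected_connections, default_group="DefaultL2LGroup"):
    """Compare live sessions with the allow-list of key-ID tunnel-groups.

    Returns (connection, peer, status) tuples. Status is "ok" for an expected
    profile, "fell-through-to-default-group" when the peer matched the default
    L2L group (shared PSK, no per-spoke policy), "unexpected-connection-profile"
    for any other name, and "not-connected" for expected spokes with no session.
    """
    expected = set(expected_connections)
    seen = set()
    findings = []
    for s in parse_l2l_sessions(text):
        seen.add(s.connection)
        if s.connection in expected:
            status = "ok"
        elif s.connection == default_group:
            status = "fell-through-to-default-group"
        else:
            status = "unexpected-connection-profile"
        findings.append((s.connection, s.peer, status))
    for missing in sorted(expected - seen):
        findings.append((missing, None, "not-connected"))
    return findings


if __name__ == "__main__":
    # BRANCH2 is a constructed spoke name with no session in the sample.
    for connection, peer, status in audit_l2l_sessions(SAMPLE_OUTPUT, ["TEST", "BRANCH2"]):
        print(f"{status:32} {connection:18} {peer or '-'}")
```

Run against real output captured from the FTD CLI, the allow-list is the set of key IDs you deployed as tunnel-group names via FlexConfig; any "fell-through-to-default-group" hit means a spoke's identity local key-id does not match a deployed profile and should be corrected on the router or the FlexConfig object.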