09-18-2018 07:17 AM - edited 02-21-2020 08:15 AM
Configuring site-to-site IPSEC VPN. In ASA, you're able to have multiple IKE policies but I don't see that option in FTD. It appears that you can only select one at a time.
I see the following text from the FTD 6.2 Configuration Guide:
"IKE policies contain a single set of algorithms and a modulus group. Unlike IKEv1, in an IKEv2 policy, you can select multiple algorithms and modulus groups from which peers can choose during the Phase 1 negotiation. It is possible to create a single IKE policy, although you might want different policies to give higher priority to your most desired options. For site-to-site VPNs, you can create a single IKE policy."
Perhaps I'm missing something here but it seems to me that if you have to select a particular policy, then that is the only policy that is used during phase 1 negotiation. Can anyone clarify this? Running FTD 6.2.3 & FMC 6.2.3.3.
09-18-2018 08:01 AM
09-18-2018 08:10 AM
09-19-2018 08:44 AM
Anyone able to confirm this or not?
09-20-2018 03:58 PM - edited 10-03-2018 04:05 PM
Hey there,
You cannot apply more than one policy to a crypto map through "point and click" options. As a workaround until the function is built-in you can do what is called a flex config.
To do this you can use the exact same CLI commands by copying and pasting if you have an old configuration. HOWEVER!! FOR CRYPTO RELATED FLEX CONFIGS YOU MUST ALWAYS USE "CRYPT" NOT "CRYPTO". For example, if I want to add the following ikev1 policy:
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
I MUST CHANGE THE FIRST LINE TO SAY THIS ELSE IT WILL FAIL TO DEPLOY:
crypt ikev1 policy 1
Flex config is never recommended unless you MUST have the functionality as some flex configs can cause issues with network performance.
Here is the order of creating the flex configs:
1.) Go to Devices > FlexConfig > New Policy. Make a name, drag the device you want the policy on into the right column and save (IMG003).
2.) Click the edit icon on the right for the policy you just made, then click "FlexConfig Object". Create the flex config as shown below (IMG005).
3.) Save. Your new flex config object will be under the "User Defined" tab on the left. Click the flexconfig you made, then the arrow in the center to move your flex config to the "Selected Append FlexConfigs" section as shown below (IMG006).
4.) Once the object is in the bottom box, click Save in the top right, then Preview Config (IMG019).
5.) Select the device you want to preview the config for, then wait while the config it will send to the device is generated. If you do not see the config under the bottom section "Flex-config Append CLI", or it is displayed wrong, you will need to fix it, as the text under "Flex-config Append CLI" is exactly what the FMC will be sending to the FTD.
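Added example (not from the poster or from Cisco): a small helper that takes several ASA-style "crypto ikev1 policy N" blocks as you would paste them from an old config, checks that each block carries the parameters Phase 1 needs, orders them by priority (lowest number is tried first), and rewrites the header with the "crypt" prefix the poster says FlexConfig requires. The two policies in SAMPLE are constructed values, and the "crypt" rewrite is taken from the post above as an assumption, not verified here.

```python
import re

# Constructed sample: two IKEv1 policies as pasted from an ASA config.
# Policy 10 (stronger: AES-256, DH group 14) is preferred over policy 20.
SAMPLE = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
"""

# Sub-commands every policy must state explicitly for a predictable Phase 1.
REQUIRED = ("authentication", "encryption", "hash", "group")
HEADER = re.compile(r"^crypto\s+ikev1\s+policy\s+(\d+)\s*$")


def parse_policies(text):
    """Return {priority: {keyword: value}} for each 'crypto ikev1 policy N' block."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = HEADER.match(line)
        if match:
            current = policies.setdefault(int(match.group(1)), {})
            continue
        if current is None:
            raise ValueError(f"statement outside a policy block: {line!r}")
        keyword, _, value = line.partition(" ")
        current[keyword] = value.strip()
    return policies


def problems(policies):
    """List policies that lack a required sub-command (empty list means clean)."""
    return [f"policy {prio} is missing {', '.join(k for k in REQUIRED if k not in body)}"
            for prio, body in policies.items() if any(k not in body for k in REQUIRED)]


def to_flexconfig(text):
    """Emit the blocks ordered by priority, using 'crypt' as the post describes."""
    out = []
    for prio, body in sorted(parse_policies(text).items()):
        out.append(f"crypt ikev1 policy {prio}")  # 'crypt', not 'crypto' (assumption from the post)
        out.extend(f" {keyword} {value}" for keyword, value in body.items())
    return "\n".join(out)
```

Paste the returned text into the FlexConfig object body and confirm it appears unchanged under "Flex-config Append CLI" in the preview before deploying.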