FTD Multiple IKEv1 Policy Selection

CNM88
Level 1

Configuring site-to-site IPSEC VPN. In ASA, you're able to have multiple IKE policies but I don't see that option in FTD. It appears that you can only select one at a time.

I see the following text from the FTD 6.2 Configuration Guide:

"IKE policies contain a single set of algorithms and a modulus group. Unlike IKEv1, in an IKEv2 policy, you can select multiple algorithms and modulus groups from which peers can choose during the Phase 1 negotiation. It is possible to create a single IKE policy, although you might want different policies to give higher priority to your most desired options. For site-to-site VPNs, you can create a single IKE policy."

Perhaps I'm missing something here but it seems to me that if you have to select a particular policy, then that is the only policy that is used during phase 1 negotiation. Can anyone clarify this? Running FTD 6.2.3 & FMC 6.2.3.3.

4 Replies

Hi,
I am running the same versions of FMC and FTD as you. I've checked and yes, it looks like you can only select the 1 IKEv1 policy, or if you use IKEv2 then you can specify multiple algorithms. I see no option to allow multiple IKEv1 algorithms unlike IKEv2, so therefore I can assume you can only use the 1 IKEv1 policy defined.

Any reason why you do use IKEv2?

Thanks, RJI. This particular project I'm just migrating a bunch of existing tunnels from ASA to FTD so we aren't making any changes to the tunnels themselves. We don't have control over the other end of the tunnels so no guarantee they even support IKEv2.

CNM88
Level 1

Anyone able to confirm this or not?

Hey there,

You cannot apply more than one policy to a crypto map through "point and click" options. As a workaround until the function is built-in you can do what is called a flex config.

To do this you can use the exact same CLI commands by copying and pasting if you have an old configuration. HOWEVER!! FOR CRYPTO RELATED FLEX CONFIGS YOU MUST ALWAYS USE "CRYPT" NOT "CRYPTO". For example, if I want to add the following ikev1 policy:

crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400

I MUST CHANGE THE FIRST LINE TO SAY THIS ELSE IT WILL FAIL TO DEPLOY:

crypt ikev1 policy 1

Flex config is never recommended unless you MUST have the functionality, as some flex configs can cause issues with network performance.

Here is the order of creating the flex configs:

1.) Go to Devices > Flexconfig > New policy. Make a name and drag the device you want the policy on into the right column and save. (IMG003)

2.) Click the edit icon on the right for the policy you just made, then click "flex config object". Create the flex config as shown below. (IMG005)

3.) Save. Your new flex config object will be under the "user defined" tab on the left. Click the flexconfig you made, then the arrow in the center to move your flex config to the "selected append flexconfigs" section as shown below. (IMG006)

4.) Once the object is in the bottom box, click save in the top right, then preview config. (IMG019)

5.) Select the device you want to preview the config for, then wait for the device to generate the config it will send to the device. If you do not see the config under the bottom section "Flex-config Append CLI", or it is displayed wrong, you will need to fix it, as the text under "Flex-config Append CLI" is exactly what the FMC will be sending to the FTD.
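For a migration like the one in this thread (several existing ASA IKEv1 policies moving to FTD via FlexConfig), here is an added helper script, not from the thread or from Cisco, that pulls the ikev1 policy blocks out of an ASA config export, rewrites the first line with the "crypt" prefix the reply above says FlexConfig needs, and flags legacy algorithms so they are reviewed rather than copied over silently. The ASA excerpt is constructed sample data; the "crypt" requirement is taken from the reply and should still be confirmed in the Preview Config step before deploying.

```python
import re

# Constructed sample: an ASA running-config excerpt with two IKEv1 policies
# plus one unrelated crypto line, standing in for a real export.
ASA_EXCERPT = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 enable outside
"""

# Legacy settings a defender would want to review before migrating them.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}


def extract_ikev1_policies(config):
    """Return a list of (policy_number, [attribute lines]) from ASA config text."""
    policies, current = [], None
    for line in config.splitlines():
        m = re.match(r"crypto ikev1 policy (\d+)$", line.strip())
        if m:
            current = (m.group(1), [])
            policies.append(current)
        elif current and line.startswith(" "):
            current[1].append(line.strip())
        else:
            current = None  # any other top-level line ends the policy block
    return policies


def to_flexconfig(policies):
    """Render policies as FlexConfig append text, using 'crypt' as the reply requires."""
    out = []
    for number, attrs in policies:
        out.append(f"crypt ikev1 policy {number}")
        out.extend(f" {a}" for a in attrs)
    return "\n".join(out) + "\n"


def weak_settings(policies):
    """Return (policy_number, attribute) pairs that use legacy algorithms."""
    flagged = []
    for number, attrs in policies:
        for a in attrs:
            key, _, value = a.partition(" ")
            if value in WEAK.get(key, ()):
                flagged.append((number, a))
    return flagged
```

Paste the output of `to_flexconfig` into the FlexConfig object body and compare it against the "Flex-config Append CLI" preview; anything returned by `weak_settings` is worth renegotiating with the remote peer owner before the tunnel is re-established on FTD.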
