01-21-2019 10:05 AM - edited 02-21-2020 08:40 AM
Hello, I'm migrating 33 IPsec tunnels from a 5520 to a 2110 FTD. I ran into a couple of issues:
1- Trying to do a hub and spoke topology, but there's a limitation with the pre-shared key: it should be the same across all the spokes. Why is that?
2- I have a few spokes with dynamic IPs, but FMC only gives the option to choose either static or dynamic.
3- If I decided to create 33 point-to-point tunnels, how can I allow spoke-to-spoke traffic, and how would I configure the dynamic tunnels? In my lab I tried creating a wildcard for the dynamic tunnels, but they didn't come up.
Thanks
01-22-2019 05:57 AM
If you don't want to or are unable to use the same PSK, you will need to create all of the site-site VPNs separately.
Spoke to spoke traffic will have to flow through the hub and must be allowed by the crypto map(s) and any NAT exemptions will need to take it into account.
Unfortunately the FTD platform doesn't offer anything like DMVPN or such as is available on IOS-based routers.
01-22-2019 08:11 AM
Thanks Marvin, what about the dynamic tunnels?
01-22-2019 09:44 AM
01-22-2019 01:48 PM
Not when you create p2p tunnels.
01-22-2019 09:52 PM
01-23-2019 07:28 AM
01-26-2019 01:58 PM - edited 01-26-2019 02:00 PM
We configured all tunnels as S2S and the dynamic ones as hub and spoke with a wildcard (0.0.0.0) for remote peers. Spoke-to-spoke communication is allowed by checking a check box within the hub and spoke topology.
For spoke-to-spoke communication through the hub between the S2S tunnels, we summarized all the spoke networks and entered it on each spoke S2S in the hub protected networks.
In addition, we had to configure an access rule from outside to outside to allow the spoke-to-spoke communication.
Not to forget the NAT exemptions.
Thanks for your help on this.
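As an added illustration of the approach in the final post (this is a Python sketch written for this page, not FMC configuration or code from the thread): it computes the spoke summary, builds the per-tunnel protected-network pairs with the summary on the hub side, checks that a spoke-to-spoke packet is interesting traffic on both legs, and reports how much non-spoke address space the summary drags into the selectors and NAT exemption. All hub and spoke addresses are constructed sample values.

```python
import ipaddress
from typing import Dict, Iterable, List

def summarize(nets: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest single prefix enclosing every spoke LAN: the 'summary' that
    the thread enters on the hub side of each spoke's S2S tunnel."""
    parsed = [ipaddress.ip_network(n) for n in nets]
    summary = parsed[0]
    while not all(n.subnet_of(summary) for n in parsed):
        summary = summary.supernet()  # widen one bit at a time
    return summary

def protected_networks(hub_nets: List[str], spokes: Dict[str, str],
                       with_summary: bool = True) -> Dict[str, dict]:
    """Per-spoke protected-network pairs as entered in FMC. Spoke side: its own
    LAN. Hub side: the hub LANs, plus the spoke summary when with_summary is set,
    so a packet from one spoke to another matches the selectors on both legs."""
    hub_side = [ipaddress.ip_network(h) for h in hub_nets]
    if with_summary:
        hub_side.append(summarize(spokes.values()))
    return {name: {"spoke_side": [ipaddress.ip_network(net)], "hub_side": hub_side}
            for name, net in spokes.items()}

def spoke_reaches(topology: Dict[str, dict], src: str, dst: str) -> bool:
    """True if src->dst is interesting traffic on src's tunnel (hub side covers
    dst's LAN) and the return path is interesting on dst's tunnel."""
    s_net = topology[src]["spoke_side"][0]
    d_net = topology[dst]["spoke_side"][0]
    leg1 = any(d_net.subnet_of(n) for n in topology[src]["hub_side"])
    leg2 = any(s_net.subnet_of(n) for n in topology[dst]["hub_side"])
    return leg1 and leg2

def summary_overreach(spokes: Dict[str, str]) -> int:
    """Addresses the summary admits that belong to no spoke; the crypto selectors
    and any NAT exemption built from the summary will match these too."""
    summary = summarize(spokes.values())
    used = sum(ipaddress.ip_network(n).num_addresses for n in spokes.values())
    return summary.num_addresses - used

def selector_conflicts(hub_nets: List[str], spokes: Dict[str, str]) -> List[str]:
    """Hub LANs that fall inside the spoke summary: their traffic would match a
    tunnel selector instead of staying local, so the summary must be tightened."""
    summary = summarize(spokes.values())
    return [h for h in hub_nets if ipaddress.ip_network(h).overlaps(summary)]

if __name__ == "__main__":
    hub, spokes = ["10.0.0.0/24"], {"A": "10.10.1.0/24", "B": "10.10.2.0/24", "C": "10.10.7.0/24"}
    print("summary", summarize(spokes.values()), "overreach", summary_overreach(spokes))
    print("A->C via hub:", spoke_reaches(protected_networks(hub, spokes), "A", "C"))
```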