IPsec migration From ASA to FTD

NETAD
Level 4

Hello, I'm migrating 33 IPsec tunnels from a 5520 to a 2110 FTD. I ran into a couple of issues:

 

1-Trying to do a hub-and-spoke topology, but there's a limitation with the pre-shared key: it has to be the same across all the spokes. Why is that?

2-I have a few spokes with dynamic IPs, but FMC only gives the option to choose either static or dynamic.

3-If I decide to create 33 point-to-point tunnels, how can I allow spoke-to-spoke traffic, and how would I configure the dynamic tunnels? In my lab I tried creating a wildcard for the dynamic tunnels, but they didn't come up.

 

Thanks

Accepted Solution

Marvin Rhoads
Hall of Fame

If you don't want to or are unable to use the same PSK, you will need to create all of the site-to-site VPNs separately.

 

Spoke-to-spoke traffic will have to flow through the hub and must be allowed by the crypto map(s), and any NAT exemptions will need to take it into account.

 

Unfortunately, the FTD platform doesn't offer anything like the DMVPN that is available on IOS-based routers.


7 Replies


Thanks Marvin, what about the dynamic tunnels?

Hi,
Dynamic crypto can be configured in FTD.

Not when you create p2p tunnels.

Hi.
You can configure a dynamic crypto map for L2L tunnels, for a scenario like the spokes having a dynamic IP and the hub having a static IP. But you need to share the same shared secret across all the dynamic spokes.
As Marvin said, you can allow spoke-to-spoke traffic via the hub.

Hope This Helps
Abheesh

OK, but how exactly do you do that? Through a wildcard within the P2P topology?

We configured all tunnels as S2S, and the dynamic ones as hub and spoke with a wildcard (0.0.0.0) for the remote peers. Spoke-to-spoke communication is allowed by checking a checkbox within the hub-and-spoke topology.

 

For spoke-to-spoke communication through the hub between the S2S tunnels, we summarized all the spoke networks and entered the summary on each spoke's S2S in the hub protected networks.

 

In addition, we had to configure an access rule from outside to outside to allow the spoke-to-spoke communication.

 

Not to forget the NAT exemptions.
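To make concrete what the FMC topologies described in this thread deploy on the hub, here is an ASA-syntax hub configuration added as an illustration. It is not from the original post or from Cisco's documentation, and every object name, interface name, address and key in it is hypothetical. On FTD you do not type this in; FMC generates it from the topology objects, and the result is visible with `show running-config` on the FTD CLI. It also shows where the PSK limitation from the question comes from: a spoke whose IP is unknown in advance is matched by the dynamic crypto map and authenticated against `tunnel-group DefaultL2LGroup`, which holds a single pre-shared key, so every dynamic spoke must present that same key, while each static spoke gets its own tunnel-group and can have its own key.

```cisco
! Hub-side configuration, ASA syntax (hypothetical example, not the poster's config).
! Hub LAN 10.0.0.0/24; spoke LANs are carved from 10.1.0.0/16 so they summarize to one object.

object network HUB_LAN
 subnet 10.0.0.0 255.255.255.0
object network SPOKE1_LAN
 subnet 10.1.1.0 255.255.255.0
object network SPOKE_SUMMARY
 subnet 10.1.0.0 255.255.0.0

! Hub-side protected networks for each spoke tunnel: the hub LAN plus the
! summary of all spoke LANs, so spoke-to-spoke traffic matches the crypto ACL.
object-group network HUB_SIDE_PROTECTED
 network-object object HUB_LAN
 network-object object SPOKE_SUMMARY

crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ikev2 enable outside

! --- Static spoke: one crypto map entry and one tunnel-group per peer, own PSK ---
access-list VPN_SPOKE1 extended permit ip object-group HUB_SIDE_PROTECTED object SPOKE1_LAN
crypto map OUTSIDE_MAP 10 match address VPN_SPOKE1
crypto map OUTSIDE_MAP 10 set peer 203.0.113.11
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
tunnel-group 203.0.113.11 type ipsec-l2l
tunnel-group 203.0.113.11 ipsec-attributes
 ikev2 remote-authentication pre-shared-key Spoke1-Unique-Key
 ikev2 local-authentication pre-shared-key Spoke1-Unique-Key

! --- Dynamic spokes: wildcard peer. No "set peer"; the spoke must initiate. ---
! Unknown peers land in DefaultL2LGroup, which carries ONE key: this is why
! all dynamic spokes must share the same PSK.
crypto dynamic-map DYN_SPOKES 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_SPOKES
crypto map OUTSIDE_MAP interface outside
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev2 remote-authentication pre-shared-key Shared-Dynamic-Spoke-Key
 ikev2 local-authentication pre-shared-key Shared-Dynamic-Spoke-Key

! --- Spoke-to-spoke through the hub ---
! Decrypted traffic from one spoke must be allowed to leave the same interface
! it arrived on (hairpin). This is what the FMC spoke-to-spoke checkbox enables.
same-security-traffic permit intra-interface

! --- NAT exemptions ---
! Hub LAN <-> spoke LANs, and spoke LAN <-> spoke LAN hairpinned on outside.
nat (inside,outside) source static HUB_LAN HUB_LAN destination static SPOKE_SUMMARY SPOKE_SUMMARY no-proxy-arp route-lookup
nat (outside,outside) source static SPOKE_SUMMARY SPOKE_SUMMARY destination static SPOKE_SUMMARY SPOKE_SUMMARY no-proxy-arp route-lookup
```

Two checks worth doing after deployment: confirm that each static spoke's `show crypto ikev2 sa` entry shows its own tunnel-group rather than DefaultL2LGroup (if a static spoke's address does not match a `set peer`, it silently falls back to the shared key), and confirm with `packet-tracer input outside ...` that a spoke-to-spoke flow is both NAT-exempted and permitted by the access policy. The outside-to-outside access rule the poster mentions is needed because FTD does not bypass the access control policy for decrypted VPN traffic by default; the ASA equivalent of that bypass is `sysopt connection permit-vpn`.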

 

Thanks for your help on this.
