939 Views | 5 Helpful | 6 Replies

IPSEC Tunnel between Cisco FTD and Umbrella SIG

Marc0 (Beginner)

Hello

I'm trying to establish an IPsec tunnel between an FTD 2130 and Umbrella SIG, using either Policy Based or Route Based tunnels, and neither of them is working for me. My FTD is on code 7.0.1.1.

I am seeing in the Umbrella documentation that there is no mention of how to set up a Firepower FTD, only an ASA, but on the Umbrella portal, when creating a network tunnel, the dropdown has FTD as an option.

Has anyone managed to set up a successful connection and is able to point me in the right direction, please?

Accepted Solution

Rob Ingram (VIP Expert)

@Marc0 there is a SIG guide to connect a VPN using FTD, with options for either a Policy Based or Route Based VPN.

https://docs.umbrella.com/umbrella-user-guide/docs/configure-tunnels-with-cisco-firepower-threat-defense-ftd

This has worked for me in the past, just ensure you read the guide thoroughly and ensure you specify the correct IKE/IPSec settings as required.


6 Replies


Thanks Rob, it was weird as this document was not showing previously, but it's now been most helpful in knowing how the setup should be. I have gone through this a couple of times and, for some reason that I can't put my finger on, the connection is failing to establish.

The error I am seeing in the FMC VPN troubleshooting is as follows:

Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= CSM_REDCENTRIC-INTERNET_map. Map Sequence Number = 1.

When doing some research on this, it states that there is either an issue with the IKE configuration or, at times, an issue with the crypto map. I have set all recommended IPsec parameters as well as the non-recommended ones just to see if I can get anything working, but no joy.

Supported IPsec Parameters (umbrella.com)

@Marc0 can you turn on IKE debugging from the CLI of the FTD and provide the output for review please.

debug crypto condition peer <peer ip>
debug crypto ikev2 platform|protocol

From the CLI of the FTD, run "show run crypto" and provide this output too, please.

@Rob See attached the crypto config. I've also managed to turn on the debug and captured that as well. I've obscured my address for security reasons.

@Marc0 are you doing this through the NHS HSCN network or does the FTD have another ISP connection?

I assume the debugs are for multiple tunnels on the same firewall?

The error that stands out is "IKEv2 negotiation ... Failed to find a matching policy", though your IKEv2 policies certainly look like they should match Umbrella's supported IKEv2 protocols.

I was hoping for the debugs from the CLI as it should provide more information. If you use the condition provided you can filter on just the peer IP address. Can you provide that information?
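The "Failed to find a matching policy" error above means the IKEv2 SA_INIT exchange found no local IKEv2 policy whose encryption, integrity, DH group and PRF all overlap with what the peer offers. One quick check before reading debugs is to parse the "show run crypto" output and compare each policy against the set of proposals the peer accepts. The script below is an added example for this thread, not code from Cisco or Umbrella. The running-config text is a constructed sample in ASA/FTD syntax, and the peer-accepted proposal set is a hypothetical placeholder that should be filled in from the vendor's supported-parameters page linked earlier in the thread.

```python
"""Compare locally configured IKEv2 policies (ASA/FTD 'show run crypto' syntax)
against the proposals a peer accepts, to explain a 'Failed to find a matching
policy' IKEv2 failure. Added example; not from the original thread."""
import re

# Constructed sample of 'show run crypto' output (ASA/FTD syntax), not a real device.
SAMPLE_SHOW_RUN_CRYPTO = """\
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-gcm-256
 integrity null
 group 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
"""

# Hypothetical peer-accepted proposal set (assumption for illustration only);
# replace with the values from the peer's supported-parameters documentation.
PEER_ACCEPTED = {
    "encryption": {"aes-gcm-256", "aes-256"},
    "integrity": {"sha256", "sha384", "null"},
    "group": {"14", "19", "20"},
    "prf": {"sha256", "sha384"},
}


def parse_ikev2_policies(text):
    """Return {policy_number: {attribute: set_of_values}} from running-config text.

    ASA/FTD allows several values on one line (e.g. 'encryption aes-256 aes-192'),
    so every attribute is stored as a set. 'lifetime seconds N' is kept as an int.
    """
    policies = {}
    current = None
    for line in text.splitlines():
        header = re.match(r"^crypto ikev2 policy (\d+)\s*$", line)
        if header:
            current = {}
            policies[int(header.group(1))] = current
            continue
        # Policy attributes are indented by one space; anything else ends the block.
        if current is None or not line.startswith(" "):
            current = None
            continue
        parts = line.split()
        if parts[0] in ("encryption", "integrity", "group", "prf"):
            current[parts[0]] = set(parts[1:])
        elif parts[0] == "lifetime" and len(parts) == 3:
            current["lifetime"] = int(parts[2])
    return policies


def matching_policies(policies, peer):
    """Return {policy_number: {attribute: overlapping values}} for policies
    where every attribute shares at least one value with the peer's set."""
    matches = {}
    for number, attrs in sorted(policies.items()):
        overlap = {}
        for attr, accepted in peer.items():
            common = attrs.get(attr, set()) & accepted
            if not common:
                break
            overlap[attr] = common
        else:
            matches[number] = overlap
    return matches


def explain(policies, peer):
    """One line per policy naming the attributes that rule it out, if any."""
    report = []
    for number, attrs in sorted(policies.items()):
        bad = [a for a, accepted in peer.items() if not attrs.get(a, set()) & accepted]
        if bad:
            report.append(f"policy {number}: no match on {', '.join(bad)}")
        else:
            report.append(f"policy {number}: acceptable to peer")
    return report


if __name__ == "__main__":
    parsed = parse_ikev2_policies(SAMPLE_SHOW_RUN_CRYPTO)
    for line in explain(parsed, PEER_ACCEPTED):
        print(line)
```

With the constructed sample, policy 1 fails on integrity, group and PRF while policy 10 is acceptable, so the tunnel would only come up if the peer also proposes the AES-GCM-256 / group 19 / SHA-256 combination. If no policy matches, that is the configuration side of the error; if one does and the tunnel still fails, the remaining suspects are the IPsec proposal, the crypto map or tunnel interface selection, and routing to the peer (the thread's eventual fix), which the IKE debugs will show.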

@Rob Ingram No, I am doing this over the Internet, but Sod's law, as soon as I wrote my previous post, the tunnel had finally established to Umbrella. I had read somewhere in an Umbrella document that once a change is made it can take up to 10 minutes for the tunnel to be established, so maybe I needed to be patient.

Plus, as I have 2 separate internet connections with one being used as the main outbound traffic, I had to also add the Umbrella London DC IP Address to route out of the correct ISP.
