cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3094
Views
5
Helpful
8
Replies

IPSEC Tunnel between Cisco FTD and Umbrella SIG

Marc0
Level 1
Level 1

Hello

I'm trying to establish a IPSEC tunnel between FTD 2130 and Umbrella SIG either using Policy Base our Routing Base tunnels, and neither of them are working for me. My FTD is on code 7.0.1.1

I am seeing on Umbrella documentation that their is no mentioned of how to set up a Firepower FTD, only an ASA but, on the Umbrella portal when creating a network tunnel, the dropdown option has FTD as an option.

Has anyone managed to setup a successful connection, and able to point me in the right direction, please

1 Accepted Solution

Accepted Solutions

@Marc0 there is a SIG guide to connect a VPN using FTD, with options for either a Policy Based or Route Based VPN.

https://docs.umbrella.com/umbrella-user-guide/docs/configure-tunnels-with-cisco-firepower-threat-defense-ftd

This has worked for me in the past, just ensure you read the guide thoroughly and ensure you specify the correct IKE/IPSec settings as required.

 

View solution in original post

8 Replies 8

@Marc0 there is a SIG guide to connect a VPN using FTD, with options for either a Policy Based or Route Based VPN.

https://docs.umbrella.com/umbrella-user-guide/docs/configure-tunnels-with-cisco-firepower-threat-defense-ftd

This has worked for me in the past, just ensure you read the guide thoroughly and ensure you specify the correct IKE/IPSec settings as required.

 

Thanks Rob, it was weird as this document was not showing previously but its now been most helpful in knowing how the setup should be. I have gone through this a couple of times and for some reason that I cant put my finger on, the connection is failing to establish.

The error I am seeing in the FMC VPN troubleshooting is as follows:

Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= CSM_REDCENTRIC-INTERNET_map. Map Sequence Number = 1.

When doing some research on this, it states that the either a issue with the IKE configuration or at times a issue with the crypto map. I have set all recommended IPSEC parameters as well as the non recommended ones just to see if i can get anything working, but no joy.

Supported IPsec Parameters (umbrella.com)

@Marc0 can you turn on IKE debugging from the CLI of the FTD and provide the output for review please.

debug crypto condition peer <peer ip>
debug crypto ikev2 platform|protocol

From the CLI of the FTD if you run "show run crypto" and provide this output please

 

@Rob See attached the crypto config. Ive also managed to turn on the debug and captured them also. Ive obscured my address for security reasons

@Marc0 are you doing this through the NHS HSCN network or does the FTD have another ISP connection?

I assume the debugs are for multiple tunnels on the same firewall?

The error that stands out is that "IKEv2 negotiation.......Failed to find a matching policy". though your IKEv2 policies certainly look like they should match Umbrella's supported IKEv2 protocols. 

I was hoping for the debugs from the CLI as it should provide more information. If you use the condition provided you can filter on just the peer IP address. Can you provide that information?

@Rob Ingram No, I am doing this over the Internet, but sods law, as soon as I wrote my previous post, the tunnel had finally established to Umbrella. I had read somewhere on a Umbrella document, that once a change is made it can take upto 10 mins for the tunnel to be established, so maybe i needed to be patient.

Plus, as I have 2 separate internet connections with one being used as the main outbound traffic, I had to also add the Umbrella London DC IP Address to route out of the correct ISP.

Marc0
Level 1
Level 1

Hi

So, new issue. With the tunnel established, we have been trying to get more that one device to work over the tunnel but keep failing. Struggling to see where the fault can be as we can see the traffic on Umbrella SIG activity logs but just no return on the devices. 

We are using Policy based VPN with Extended ACL and No-NAT, on code 7.0.5. 

Anyone else having any joy or in fact using this setup method? 

Marc0
Level 1
Level 1

Hi

We have found the resolution. After speaking with TAC, they confirmed that Cisco Umbrella only supports site-2-site VPN tunnel with VTI and not PBR

So with us being on FMC/FTD code 7.0.5 we were able to build a VTI s2s tunnel using  flex-config to set and push route-map policy. 

It was a hard struggle but we got there in the end 

Review Cisco Networking for a $25 gift card