Solved: Site To Site Threat Defense Tunnels

keithcclark71 · ‎06-22-2022

I am creating new Site to Site Tunnels as a mesh for 4 Sites (At least I hope I am lol) . Anyways when I start the process it ask if i wish to do Firepower Device or Threat Defense. All tunnels that are in place that I am attempting to bring over are IKE 1 specified. I thought I read somewhere that in order to use Threat Defense type that only IKE2 is supported. However, when I create the Threat Defense Tunnel it gives me Ike1 Ike2 or both as an option so I assume I can create using threat defense type??? It sounds better so that is what i would like to do I guess as I have no idea the difference betweehn the two types here or as another question why would you need to select IKE1 and Ike2 for a tunnel together

Rob Ingram · ‎06-22-2022

@keithcclark71 the "Firepower Device" option is for the old legacy Firepower hardware. You more than likely want to select "Threat Defense" as this is for ASA or the newer Firepower devices (1000, 2100 etc) running the FTD image.

You would usually select one or the other IKE option (recommended IKEv2), but selecting both may be useful in a migration scenario, where you need to support the older IKEv1 for some peers and IKEv2 for others in the same topology.

View solution in original post

Rob Ingram · ‎06-22-2022

@keithcclark71 the "Firepower Device" option is for the old legacy Firepower hardware. You more than likely want to select "Threat Defense" as this is for ASA or the newer Firepower devices (1000, 2100 etc) running the FTD image.

You would usually select one or the other IKE option (recommended IKEv2), but selecting both may be useful in a migration scenario, where you need to support the older IKEv1 for some peers and IKEv2 for others in the same topology.