02-15-2021 10:57 PM
In our enterprise we use 2 Cisco FirePower 1010s connected via gateways over the Internet (UDP ports 500 and 4500 are open). We have configured IPSEC, but both Ciscos are in connection standby mode. How do we initiate a connection from one to the other?
02-15-2021 11:45 PM
I am not clear what you are describing. Am I correct in understanding that there is a site to site vpn configured between the 2 Firepower? I am not clear what you are describing as connection standby mode. Can you clarify?
As a first step in investigating this can you verify that there is IP connectivity between the Firepower using the IP addresses configured as peers on each Firepower?
Does each Firepower in its configuration have a set peer statement that specifies the IP address of the remote peer? Or does one Firepower set the peer as 0.0.0.0 (most commonly used when one peer has a dynamic IP address)? If both Firepowers specify the address of the remote peer then the vpn can be initiated from either peer. If one Firepower has a dynamic address then the vpn must be initiated from the peer with the dynamic address. In general you initiate the vpn by having a device connected to one Firepower with an IP address that matches the definition of interesting traffic for vpn send something to a device connected to the peer Firepower with an IP address that matches the definition of interesting traffic.
If you have verified IP connectivity between the peer Firepower and if attempts to initiate the vpn were not successful then probably the next step is to run debug crypto isakmp, make an attempt to initiate the vpn, and post any debug output.
02-16-2021 09:34 PM - edited 02-16-2021 09:35 PM
Thank you for your answer.
Both Firepowers already have static IP addresses and are configured as peers. Also, we have MikroTik/Keenetic routers and IPSEC between them works well. But it doesn't work from FirePower to FirePower.
I tried to use the command debug crypto isakmp in Firepower Device Manager (in the CLI console), but it says "This command is not supported."
02-17-2021 12:03 AM - edited 02-17-2021 12:08 AM
Hello @Lev Afanasyev ,
What version of Firepower firmware is running on your Firepower 1010?
Firepower Device Manager supports site to site VPN only from version 6.2 not before.
For executing debug commands you need to SSH directly to the firepower instead of going via FDM. This is possible and you use the same credentials as with the GUI.
Seeing the output of debug commands in some cases requires an additional command that is different from the traditional terminal monitor; it is something similar to diagnostic-cli:
system support diagnostic-cli
Your Access Control Policy needs to have a rule with allow action for interesting traffic that has to go over the IPSEC tunnel.
Hope to help
Giuseppe
02-18-2021 01:34 AM
Please see my answer below. I am trying to analyze the results of the isakmp sa command.
02-17-2021 12:24 AM
Hello,
in addition to the other posts, since you are using FDM, have a look at the link below, double check if you missed something when you set the VPN up:
02-18-2021 01:31 AM
> show isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:2, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote Status Role
57645049 192.168.15.252/4500 212.124.XX.XXX/4500 READY RESPONDER
      Encr: AES-CBC, keysize: 192, Hash: SHA256, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/11061 sec
Child sa: local selector 192.168.11.0/0 - 192.168.11.255/65535
          remote selector 192.168.0.0/0 - 192.168.0.255/65535
          ESP spi in/out: 0xe33a0fdc/0xc7d28402

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote Status Role
49360577 192.168.15.252/4500 212.124.XX.XXX/4500 READY RESPONDER
      Encr: AES-CBC, keysize: 192, Hash: SHA256, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/11061 sec
Child sa: local selector 192.168.11.0/0 - 192.168.11.255/65535
          remote selector 192.168.3.0/0 - 192.168.3.255/65535
          ESP spi in/out: 0x66746eff/0xc3cb4a53

> show ipsec sa

interface: outside
    Crypto map tag: s2sCryptoMap, seq num: 2, local addr: 192.168.15.252

      access-list |s2sAcl|30efda8f-5b18-11eb-99cd-058e62f5aa47 extended permit ip 192.168.11.0 255.255.255.0 192.168.0.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      current_peer: 212.124.XX.XXX

      #pkts encaps: 79425, #pkts encrypt: 79425, #pkts digest: 79425
      #pkts decaps: 70535, #pkts decrypt: 70535, #pkts verify: 70535
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 79425, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.15.252/4500, remote crypto endpt.: 212.124.XX.XXX/4500
      path mtu 1500, ipsec overhead 86(52), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: C7D28402
      current inbound spi : E33A0FDC

    inbound esp sas:
      spi: 0xE33A0FDC (3812233180)
         SA State: active
         transform: esp-aes-192 esp-sha-256-hmac no compression
         in use settings ={L2L, Tunnel, NAT-T-Encaps, IKEv2, }
         slot: 0, conn_id: 3, crypto-map: s2sCryptoMap
         sa timing: remaining key lifetime (kB/sec): (4136017/17008)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xC7D28402 (3352462338)
         SA State: active
         transform: esp-aes-192 esp-sha-256-hmac no compression
         in use settings ={L2L, Tunnel, NAT-T-Encaps, IKEv2, }
         slot: 0, conn_id: 3, crypto-map: s2sCryptoMap
         sa timing: remaining key lifetime (kB/sec): (4078282/17008)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: s2sCryptoMap, seq num: 1, local addr: 192.168.15.252

      access-list |s2sAcl|a55d9163-5b17-11eb-99cd-adad4ba8560f extended permit ip 192.168.11.0 255.255.255.0 192.168.3.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
      current_peer: 212.124.XX.XXX

      #pkts encaps: 592, #pkts encrypt: 592, #pkts digest: 592
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 592, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.15.252/4500, remote crypto endpt.: 212.124.XX.XXX/4500
      path mtu 1500, ipsec overhead 86(52), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: C3CB4A53
      current inbound spi : 66746EFF

    inbound esp sas:
      spi: 0x66746EFF (1718906623)
         SA State: active
         transform: esp-aes-192 esp-sha-256-hmac no compression
         in use settings ={L2L, Tunnel, NAT-T-Encaps, IKEv2, }
         slot: 0, conn_id: 2, crypto-map: s2sCryptoMap
         sa timing: remaining key lifetime (kB/sec): (4147200/17008)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xC3CB4A53 (3284879955)
         SA State: active
         transform: esp-aes-192 esp-sha-256-hmac no compression
         in use settings ={L2L, Tunnel, NAT-T-Encaps, IKEv2, }
         slot: 0, conn_id: 2, crypto-map: s2sCryptoMap
         sa timing: remaining key lifetime (kB/sec): (4101058/17008)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
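The encaps/decaps counters in the posted "show ipsec sa" output are the quickest way to tell a tunnel that is up but passing traffic in one direction only from one that is healthy. The following added example (not from the thread or from Cisco) parses a constructed excerpt of that output, taken from the values posted above, and flags each child SA whose counters are asymmetric; the verdict strings and the ChildSa class are this example's own naming.

```python
import re
from dataclasses import dataclass

# Constructed sample: an excerpt of the 'show ipsec sa' output posted above
SAMPLE = """\
Crypto map tag: s2sCryptoMap, seq num: 2, local addr: 192.168.15.252
local ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer: 212.124.XX.XXX
#pkts encaps: 79425, #pkts encrypt: 79425, #pkts digest: 79425
#pkts decaps: 70535, #pkts decrypt: 70535, #pkts verify: 70535
Crypto map tag: s2sCryptoMap, seq num: 1, local addr: 192.168.15.252
local ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer: 212.124.XX.XXX
#pkts encaps: 592, #pkts encrypt: 592, #pkts digest: 592
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

@dataclass
class ChildSa:                      # one crypto-map entry / child SA
    seq: int
    local: str                      # local ident (addr/mask)
    remote: str                     # remote ident (addr/mask)
    peer: str
    encaps: int                     # packets we encrypted and sent
    decaps: int                     # packets we received and decrypted

    def verdict(self) -> str:
        if self.encaps == 0 and self.decaps == 0:
            return "idle: no interesting traffic has hit this SA yet"
        if self.decaps == 0:
            return "one-way: we encrypt but never receive; check the peer's ACL/selector, NAT or return route"
        if self.encaps == 0:
            return "one-way: peer sends but nothing here matches the outbound ACL"
        return "bidirectional"

def parse_ipsec_sa(text: str) -> list[ChildSa]:
    sas = []
    for block in re.split(r"(?=Crypto map tag:)", text):   # one block per crypto-map entry
        seq = re.search(r"seq num: (\d+)", block)
        if not seq:
            continue                                        # leading empty chunk
        ident = re.findall(r"(?:local|remote) ident .*?: \(([\d.]+)/([\d.]+)/", block)
        peer = re.search(r"current_peer: (\S+)", block)
        enc = re.search(r"#pkts encaps: (\d+)", block)
        dec = re.search(r"#pkts decaps: (\d+)", block)
        sas.append(ChildSa(int(seq.group(1)), "/".join(ident[0]), "/".join(ident[1]),
                           peer.group(1), int(enc.group(1)), int(dec.group(1))))
    return sas

def report(text: str = SAMPLE) -> dict[int, str]:
    return {sa.seq: sa.verdict() for sa in parse_ipsec_sa(text)}
```

Run against the full output of "show ipsec sa" from the diagnostic CLI, the entry with seq num 1 (192.168.11.0 to 192.168.3.0) is the one worth investigating: 592 packets encrypted, none decrypted.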