IPSEC tunnel, ftp to 4451, second tunnel between devices

brian.cuttler
Level 1

I am running FTD-ha under FMC, all current 7.x.

I have an "extranet" Cisco 4451, internal to my network but at a remote site.

 

I have established a new ipsec data tunnel between the two, as I am migrating off the on-site 4451 to the FTD.

I am trying to bring up a second ipsec tunnel between the same two end points. The remote side has a second IP address for the tunnel source, but the local side has only the one IP address; I don't know if that is the root of the issue, but from 4451 to 4451 we had unique IPs on both sides, each tunnel with unique addresses.

Using the same IPsec security and transforms, key, etc., but the FMC tunnel status shows

there are no ipsec sa peer <ip>

4451 log shows 

Feb 9 14:59:07.504: ISAKMP: (29430):purging node 2760651084
Feb 9 14:59:10.705: insert of map into mapdb AVL failed, map + ace pair already exists on the mapdb
Feb 9 14:59:10.705: IPSEC:(SESSION ID = 24475) (recalculate_mtu) reset sadb_root 7EFC5A4A52F0 mtu to 1430
Feb 9 14:59:10.705: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.48.33.3:500, remote= 10.48.7.19:500,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0,
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Feb 9 14:59:10.706: ISAKMP: (0):SA request profile is (NULL)
Feb 9 14:59:10.706: ISAKMP: (0):Created a peer struct for 10.48.7.19, peer port 500
Feb 9 14:59:10.706: ISAKMP: (0):New peer created peer = 0x7EFC5F0EAD50 peer_handle = 0x80007D25
Feb 9 14:59:10.706: ISAKMP: (0):Locking peer struct 0x7EFC5F0EAD50, refcount 1 for isakmp_initiator
Feb 9 14:59:10.706: ISAKMP: (0):local port 500, remote port 500
Feb 9 14:59:10.706: ISAKMP: (0):set new node 0 to QM_IDLE
Feb 9 14:59:10.706: ISAKMP: (0):insert sa successfully sa = 7EFC5F1643C8
Feb 9 14:59:10.706: ISAKMP: (0):Can not start Aggressive mode, trying Main mode.
Feb 9 14:59:10.706: ISAKMP: (0):found peer pre-shared key matching 10.48.7.19
Feb 9 14:59:10.706: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
Feb 9 14:59:10.706: ISAKMP: (0):constructed NAT-T vendor-07 ID
Feb 9 14:59:10.706: ISAKMP: (0):constructed NAT-T vendor-03 ID
Feb 9 14:59:10.706: ISAKMP: (0):constructed NAT-T vendor-02 ID
Feb 9 14:59:10.706: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Feb 9 14:59:10.706: ISAKMP: (0):Old State = IKE_READY New State = IKE_I_MM1

 

How can I establish this second ipsec tunnel - or is there a more supportable/elegant way to maintain separation of traffic in the same tunnel?

 

thanks in advance,

Brian
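
As an added triage example for the debug output quoted above (this is not code from the original post or any Cisco tool), the script below parses those IOS lines, embedded here as a constructed sample, pulls out the IPsec SA request parameters and the ISAKMP state transitions, and flags what stands out: the map + ACE entry already in mapdb, any/any proxies on both sides, and Main Mode never leaving IKE_I_MM1, which is what you see when the initiator's first message gets no answer from the peer address.

```python
import re

# Sample input constructed from the 4451 debug lines quoted in the question.
SAMPLE_LOG = """\
Feb 9 14:59:10.705: insert of map into mapdb AVL failed, map + ace pair already exists on the mapdb
Feb 9 14:59:10.705: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.48.33.3:500, remote= 10.48.7.19:500,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0,
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
Feb 9 14:59:10.706: ISAKMP: (0):Created a peer struct for 10.48.7.19, peer port 500
Feb 9 14:59:10.706: ISAKMP: (0):Can not start Aggressive mode, trying Main mode.
Feb 9 14:59:10.706: ISAKMP: (0):Old State = IKE_READY New State = IKE_I_MM1
"""

TS_RE = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d")       # IOS timestamp prefix
STATE_RE = re.compile(r"Old State = (\S+) +New State = (\S+)")  # ISAKMP state machine steps
KV_RE = re.compile(r"(\w+)= ([^,]+)")                            # "local= 10.48.33.3:500," pairs
MAPDB_ERR = "map + ace pair already exists on the mapdb"
ANY_PROXY = "0.0.0.0/0.0.0.0/"                                   # crypto ACL selector of any/any

def triage(log):
    """Return ISAKMP transitions, IPsec SA request parameters and triage findings."""
    transitions, sa_req, in_req = [], {}, False
    for line in log.splitlines():
        if "IPSEC(sa_request)" in line:
            in_req = True            # the key-engine message follows on untimestamped lines
            continue
        if in_req and TS_RE.match(line):
            in_req = False           # the next timestamped line ends the sa_request block
        if in_req:
            sa_req.update((k, v.strip()) for k, v in KV_RE.findall(line))
        m = STATE_RE.search(line)
        if m:
            transitions.append(f"{m.group(1)}->{m.group(2)}")
    final_state = transitions[-1].split("->")[1] if transitions else None
    findings = []
    if MAPDB_ERR in log:
        findings.append("IOS reports the crypto map + ACE pair already exists in mapdb: check whether the two tunnels' crypto ACLs overlap")
    if all(sa_req.get(k, "").startswith(ANY_PROXY) for k in ("local_proxy", "remote_proxy")):
        findings.append("proxy identities are any/any on both sides: traffic selectors will not separate the two tunnels, only the peer addresses do")
    if final_state == "IKE_I_MM1":
        findings.append(f"Main Mode stalled at IKE_I_MM1: MM1 sent {sa_req.get('local')} -> {sa_req.get('remote')}, "
                        "no MM2 received; verify the peer address is routed/reachable from the tunnel source first")
    return {"transitions": transitions, "final_state": final_state, "sa_request": sa_req, "findings": findings}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```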

 

2 Accepted Solutions

brian.cuttler
Level 1

Resolved by adding a static route for the remote tunnel IP.

Closing this question out as it is resolved.


Hello,

 

I was just about to say, you could use a hub and spoke, as described in the document below:

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/firepower_threat_defense_site_to_site_vpns.pdf/index.html

 

But apparently you have already figured it out....


3 Replies


brian.cuttler
Level 1

Georg,
In truth, hub and spoke might have been a better solution. We are routing individual tunnels between three sites, so for my data tunnels that would have been a good solution, but we are modeling based on the prior tunnel system.

Also, I'm not certain that it completely answers the issue I was having, as I'd have probably looked to create a second hub-and-spoke for the security data, since we run desktop data in different tunnels from our security network data.

It's good to have that guide in hand, but the missing static route resolved the issue, and I now have two independent tunnels between sites 1 and 2, and shortly will have new tunnels between sites 1 and 3. The tunnels between sites 2 and 3 are not affected, as those routers will remain in place, unlike the router at site 1.
thank you - Brian
