2603 Views, 290 Helpful, 36 Replies
Cisco Employee

Re: Ask Me Anything- VPN Configuration and Troubleshooting on Firepower and ASA

Hi,

 

Traditionally, an end-entity that participates in IKE receives a single ID certificate from a CA. The same CA or another CA issues an ID certificate to the peer IKE device. As long as a mutual trust exists between the IKE devices and the CAs, a successful IKE authentication occurs.

 

An end-entity can receive two certificates from a single CA or from two different CAs, and each of these certificates is used for a unique purpose, such as authentication of two different IKE sessions. The current configuration mechanism fails to provide the required outcome.

 

The chain validation between multiple subordinate CAs in different Virtual Routing and Forwarding (VRF) tables that lead to a single root CA also contributes to the complication.

 

For these reasons, behavior changes have been incorporated into Cisco IOS in order to make the use of a multi-tier PKI hierarchy in IKEv1 feasible.

 

The two new enhancements include:

 

  • The responder defers the CERT selection until after it processes the MM5 stage, which is when the responder locks the correct ISAKMP profile based on the match identity or match certificate <certificate-map> statement. Now the best match refers to the selection of the first signing certificate from the list of ca trust-point statements under the matched ISAKMP profile.

  • The initiator adds the extra security measure while it processes the certificate payload in the MM6 stage, where it authorizes the responder certificate against the certificate map that is configured under the ISAKMP profile.

 

Could you please provide more details on the type of VPN you're running so I can assist you with the sample configuration.

 

Regards,

Puneesh

 

Please share helpful posts
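As an added example (not part of Puneesh's post and not taken from Cisco documentation), the following IOS configuration shows the shape this takes for an IPsec tunnel-mode crypto map that terminates two IKEv1 peers, each authenticated with a certificate from a different CA. Every name, address and DN fragment here (CA-HQ, CA-PARTNER, the 203.0.113.x / 198.51.100.x / 10.x.0.0 addresses, the OU and CN values) is an assumed placeholder. The point is the pairing of a certificate map with its own ISAKMP profile, so that the responder picks the profile (and therefore the signing trustpoint) from the peer's certificate at MM5, and the initiator checks the responder's certificate against the same map at MM6.

```cisco
! Two trustpoints, one per issuing CA. Each holds its own ID certificate
! and key pair, so the router can sign with either identity.
crypto pki trustpoint CA-HQ
 enrollment url http://203.0.113.10:80
 subject-name CN=hub.example.net,OU=HQ
 revocation-check none
 rsakeypair HQ-KEY
!
crypto pki trustpoint CA-PARTNER
 enrollment url http://198.51.100.10:80
 subject-name CN=hub.example.net,OU=PARTNER
 revocation-check none
 rsakeypair PARTNER-KEY
!
! Certificate maps. "co" means "contains". The responder uses the map to
! lock the ISAKMP profile from the peer's certificate (MM5); the initiator
! uses the same map to authorize the responder's certificate (MM6).
crypto pki certificate map MAP-HQ-PEERS 10
 issuer-name co cn = ca-hq
 subject-name co ou = hq
!
crypto pki certificate map MAP-PARTNER-PEERS 10
 issuer-name co cn = ca-partner
 subject-name co ou = partner
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
!
! ISAKMP profiles. The first "ca trust-point" under the matched profile is
! the certificate the responder presents; keep exactly the trustpoint you
! want this peer to see so the "best match" cannot pick the wrong one.
crypto isakmp profile PROF-HQ
 ca trust-point CA-HQ
 match certificate MAP-HQ-PEERS
!
crypto isakmp profile PROF-PARTNER
 ca trust-point CA-PARTNER
 match certificate MAP-PARTNER-PEERS
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! One crypto map entry per peer, each bound to its ISAKMP profile.
crypto map CM 10 ipsec-isakmp
 set peer 203.0.113.20
 set transform-set TS-AES
 set isakmp-profile PROF-HQ
 match address ACL-TO-HQ
crypto map CM 20 ipsec-isakmp
 set peer 198.51.100.20
 set transform-set TS-AES
 set isakmp-profile PROF-PARTNER
 match address ACL-TO-PARTNER
!
ip access-list extended ACL-TO-HQ
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
ip access-list extended ACL-TO-PARTNER
 permit ip 10.1.0.0 0.0.255.255 10.3.0.0 0.0.255.255
!
interface GigabitEthernet0/0
 ip address 203.0.113.5 255.255.255.0
 crypto map CM
```

To confirm which profile and trustpoint were actually used for a session, check `show crypto isakmp sa detail` and, while the tunnel is being built, `debug crypto isakmp`, which reports the profile match and the certificate used. If a peer's certificate matches no map, no profile is locked and the negotiation fails in Main Mode, which is the expected (and safer) outcome rather than signing with an arbitrary trustpoint.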

Beginner

Re: Ask Me Anything- VPN Configuration and Troubleshooting on Firepower and ASA

Thank you very much for the response. I'm using IPsec tunnel mode.

Beginner

Simple GRE vpn

Can we establish a GRE tunnel or VPN between these two LANs, i.e. 192.168.1.0 and 192.168.2.0, over the public IPs?

If it is possible, then:

1. How can we make connectivity between these LANs, because there is an ISP involved and the ISP only does static IP?

2. Please provide me the steps to make reachability, I mean 192.168.1.1 can ping 192.168.2.1 passing through the ISP.

3. I have already configured NAT, DHCP, a default route, and redistribution of the default route into EIGRP.

4. But these can reach the 2.0.0.2 network, and forwarding beyond this does not succeed.

LAB PIC.jpg 

Cisco Employee

Re: Simple GRE vpn

Hi Wajib,

 

We may need to check hop by hop where exactly are the packets being dropped.

 

Could you share the output of the traceroute command from the source to the destination?

 

This seems to be simply a config issue. We may need to ensure proper destination routing is configured on all the intermediate devices, or they must be in a state to forward those packets.

 

If that does not work try taking packet captures on the devices as well. This would help you to understand if the packets are even hitting the ingress interface of that device. 

 

 

Regards,

 

Aditya
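As an added example (not part of Aditya's reply and not the poster's lab configuration, which is only visible in the attached picture), here is a minimal GRE tunnel between two IOS routers with static public IPs from the ISP, followed by the hop-by-hop checks the reply describes. The public addresses 203.0.113.1 and 198.51.100.1, the ISP next hops, the tunnel addressing 10.0.0.0/30 and the interface names are all assumed placeholders; the LAN prefixes are the ones from the question.

```cisco
! Topology assumed: LAN A (192.168.1.0/24) - R1 - ISP - R2 - LAN B (192.168.2.0/24)
!
! ----- R1 (site A) -----
interface GigabitEthernet0/0
 description To ISP (static public IP)
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 description LAN A
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel mode gre ip
!
! Default route to the ISP carries the GRE packets themselves (IP proto 47).
! The tunnel destination must be reachable via the physical path, never via
! Tunnel0, otherwise the tunnel flaps with recursive routing.
ip route 0.0.0.0 0.0.0.0 203.0.113.2
! The remote LAN is reached through the tunnel.
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
! NAT only LAN -> Internet. The deny is defensive: Tunnel0 is not
! "ip nat outside", so LAN A -> LAN B traffic is not translated anyway.
ip access-list extended NAT-LAN
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list NAT-LAN interface GigabitEthernet0/0 overload
!
! ----- R2 (site B), mirror image -----
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode gre ip
!
ip route 0.0.0.0 0.0.0.0 198.51.100.2
ip route 192.168.1.0 255.255.255.0 Tunnel0
!
ip access-list extended NAT-LAN
 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
ip nat inside source list NAT-LAN interface GigabitEthernet0/0 overload
!
! ----- Hop-by-hop checks, run on R1 -----
show ip route 192.168.2.1                ! must resolve to Tunnel0
show interfaces Tunnel0                  ! line protocol up needs a route to 198.51.100.1
ping 198.51.100.1 source 203.0.113.1     ! underlay: does the ISP forward between the public IPs?
ping 192.168.2.1 source 192.168.1.1      ! overlay: LAN-to-LAN through the tunnel
traceroute 192.168.2.1 source 192.168.1.1
!
! Embedded Packet Capture (IOS-XE syntax): does GRE actually leave and
! come back on the ISP-facing interface?
monitor capture CAP interface GigabitEthernet0/0 both
monitor capture CAP match ipv4 host 203.0.113.1 host 198.51.100.1
monitor capture CAP start
! ... generate traffic, then:
monitor capture CAP stop
show monitor capture CAP buffer brief
```

If the underlay ping between the two public IPs fails, the ISP is not forwarding between the sites and no tunnel configuration will help; if the underlay works but the overlay ping fails, compare the capture on both routers to see whether the GRE packets are being sent but not returned. With EIGRP already in use, the two static routes for the remote LANs can be replaced by running EIGRP over Tunnel0, but the tunnel destinations must still be reached through the physical default route, not learned through the tunnel. Note that plain GRE carries the LAN traffic unencrypted across the ISP; adding an IPsec profile to the tunnel is the usual next step.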


Re: Ask Me Anything- VPN Configuration and Troubleshooting on Firepower and ASA

Hi,

 

What is the packet flow in case of VPN traffic detected and encrypted by ASA/FTD.

Cisco Employee

Re: Ask Me Anything- VPN Configuration and Troubleshooting on Firepower and ASA

Hi Subin,

 

There are no major changes except the packet is subjected to crypto engine checks.

 

If the crypto engine is able to encrypt/decrypt the traffic (depending on the rules), it will forward the packet for the normal checks (like L3/L4 checks), but first the packet has to be decrypted to find the actual payload/packet.

 

Regards,

 

Aditya
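As an added example (not part of Aditya's reply), these ASA commands let you watch the flow just described, with the crypto step visible alongside the normal route, ACL and NAT checks. The interface names, hosts and peer address (192.168.1.10, 192.168.2.10, 198.51.100.20) are assumed placeholders for a site-to-site tunnel between an inside LAN and a remote protected network.

```cisco
! Simulate a cleartext packet from an inside host to the remote protected LAN.
! The output lists each phase in order; the phase of Type: VPN is where the
! crypto engine matches the packet against the tunnel's interesting traffic.
packet-tracer input inside tcp 192.168.1.10 40000 192.168.2.10 443 detailed
!
! Confirm the IKE and IPsec SAs that the packet-tracer result depends on.
show crypto ikev1 sa
show crypto ipsec sa peer 198.51.100.20
!
! Captures on both sides of the crypto engine: the inside capture shows the
! cleartext flow, the outside capture shows only ESP to/from the peer.
capture CAPIN interface inside match ip host 192.168.1.10 host 192.168.2.10
capture CAPOUT interface outside match esp any host 198.51.100.20
show capture CAPIN
show capture CAPOUT
no capture CAPIN
no capture CAPOUT
```

If the packet-tracer result is DROP, the phase that reports it tells you whether the packet failed before reaching the crypto engine (route, ACL, NAT) or at the VPN phase itself (no matching crypto ACL or no SA). Packets arriving encrypted from the peer are decrypted first, so for that direction the useful view is the inside capture, which should show the decrypted flow only after `show crypto ipsec sa` reports incrementing decaps counters.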

 

 

Community Manager

Re: Ask Me Anything- VPN Configuration and Troubleshooting on Firepower and ASA

Dear @Aditya Ganjoo and @Puneesh Chhabra, thank you so much for sharing your knowledge and for assisting with all the queries in this session. Thanks to you, many will be able to keep their business/network secure.