Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
382
Views
0
Helpful
2
Replies

Dynamic S2S VPN between Cisco FTD & Draytek

paultribe
Level 1
Level 1

‎08-22-2023 06:11 AM

We have a situation where:

1) Customer is replacing their Headend Firewall / VPN device (SonicWall); with FTD 1000 using FTD.
2) They have several Dynamic S2S VPNs on Draytek routers.
3) In testing we found out that the Headend FTD when using dynamic S2S VPNs had to use the same PSK for all dynamic sites for tunnels to establish.
4) The customer does not want to use same PSK on all VPNs, this would be a "downgrade" in their current security, which we agree.
5) This was referred this to TAC who offered a flex-config solution where we would have to add 80 lines of config to stipulate the tunnel-groups with local and remote PSKs. When we tested in a lab and with the customer this did not work very well. I feel it would be OK for a couple of VPNs but gets messy with a lot. For example it seemed we had remove and re-add flex config if we made a change to any operational VPNs, so seemed like it could cause issues.
6) We asked TAC if RSA keys would work and TAC said it should, we thought this more elegant as no flex config. We needed the remote routers (Draytek), to support RSA certificates which they do.
7) The Drayteks fail to authenticate using RSA but the FTD seems to accept the certificate. We found this from debugs on FTD and Syslogs on Draytek.


I just wandered if anyone can suggest a solution as I have spent hours / days trying to get something working and hitting a brick wall. The customer purchased FTD as a premium product and to them its just like the FTD cannot even do what the Sonicwall and Drayteks could do.


We do have ticket open with Draytek but they are not very responsive as the customer does not have premium support, they simply work in the current solution so the customer just replaces them if they get a hardware failure.

Labels:
0 Helpful
2 Replies 2

Pavan Gundu
Cisco Employee
Cisco Employee

‎08-30-2023 02:05 PM

If you could post the debugs you see on the FTD and the Draytek, it would be easier for the community to look into it and maybe give you some things to try out.

0 Helpful

paultribe
Level 1
Level 1
In response to Pavan Gundu

‎08-30-2023 11:56 PM

I can get the debugs posted as I have replicated the issue in a lab environment with FTDv and a real Draytek of the same model. The issue seems to be with the Draytek rather than the FTD when it comes to using RSA sigs; so we are waiting for them to contact us. I was really only seeing if anyone had successfully done this before. I think I mentioned that the PKI debugs show the FTD “accepts” the cert as good but the Draytek syslog shows an error - I will try and post in next 24 hours; thanks for your time and remarks
0 Helpful
Customers Also Viewed These Support Documents