Firewall FTD site to site vpn with AWS

Loc Nguyen
Level 1

Hi,

I am going to set up a site-to-site VPN between my company and a client company.

My company uses Cisco FTD.

My client company uses AWS. By default, AWS uses two gateways when setting up a tunnel.

Can we set up a VPN from the FTD to two AWS gateways?

Thanks

Loc

6 Replies

Hi @Loc Nguyen 

With FTD version 6.6 you can define multiple IKEv2 peers. So in your configuration you define a primary peer address and a backup peer, which is used if the primary fails.


Alternatively, you can set up two individual crypto maps as normal.


If you need VTIs, they are not supported on FTD until version 6.7, which is out Oct/Nov 2020.

HTH

Loc, good to see you around, man. As Rob mentioned, as of now FTD does not support route-based VPN. If I remember correctly from my days back at Rackspace, AWS would not support policy-based VPN; this means you would need to configure your VPN tunnel with one single SA, therefore one single encryption domain. If you have multiple local encryption domains that should be protected by the tunnel, again if memory serves :), we used to use any as the local encryption domain on the crypto ACL.
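To make the two replies above concrete (Rob's primary/backup IKEv2 peer and Aref's single-SA crypto ACL with any as the local encryption domain), here is an illustrative ASA-style policy-based configuration. It is an added example, not configuration from this thread, from Cisco or from AWS; on FTD the equivalent objects are built in FMC and the generated CLI looks like this. All addresses, names and the pre-shared-key placeholder are constructed: 203.0.113.10 and 203.0.113.20 stand in for the two AWS tunnel endpoints and 10.100.0.0/16 for the AWS VPC CIDR.

```cisco
! Added example (constructed values). IKEv2 proposal for phase 1 on the outside interface.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 28800
crypto ikev2 enable outside

! Phase 2 (IPsec) proposal used by the crypto map.
crypto ipsec ikev2 ipsec-proposal AWS-PROP
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! Crypto ACL: one entry, so the tunnel negotiates a single SA.
! Local encryption domain is "any" (per Aref's advice); remote is the AWS VPC CIDR.
access-list AWS-VPN-ACL extended permit ip any 10.100.0.0 255.255.0.0

! One tunnel-group per AWS endpoint; each AWS tunnel has its own pre-shared key.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <AWS-TUNNEL-1-PSK-PLACEHOLDER>
 ikev2 local-authentication pre-shared-key <AWS-TUNNEL-1-PSK-PLACEHOLDER>
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <AWS-TUNNEL-2-PSK-PLACEHOLDER>
 ikev2 local-authentication pre-shared-key <AWS-TUNNEL-2-PSK-PLACEHOLDER>

! Crypto map entry: first peer is primary, second is the backup used if the primary fails.
crypto map OUTSIDE-MAP 10 match address AWS-VPN-ACL
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10 203.0.113.20
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AWS-PROP
crypto map OUTSIDE-MAP interface outside
```

Because the local side of the ACL is any, the FTD will only ever propose one traffic selector pair to AWS, which is what keeps the tunnel at a single SA; if you instead list several local subnets in the ACL, each entry becomes its own SA and AWS will only bring up the first. Check the result with show crypto ikev2 sa and show crypto ipsec sa (one child SA per tunnel, matching the ACL).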

Yeah, good to see you again. Thanks for the answer.

Hi,

I can initiate traffic from the ASA and bring up the tunnel.

I could not find a way to make/set up AWS to initiate traffic to bring the tunnel up.

Could you advise?

Thanks

Loc

vsurresh
Level 1

Just adding to Aref's comments. 


That's right, we should use any as the source traffic for policy-based VPNs.

If we want to use VTIs without BGP, AWS support recommends shutting down the backup tunnel (odd). I have had many issues with Cisco ASA-AWS where the return traffic arrives on the backup tunnel from time to time.

Thanks!