542 Views, 20 Helpful, 6 Replies
Beginner

Firewall FTD site to site vpn with AWS

Hi,

I am going to set up a site-to-site VPN between my company and a client company.

My company uses Cisco FTD.

My client company uses AWS. By default, AWS uses two gateways when setting up a tunnel.

Can we set up a VPN from FTD to two AWS gateways?

Thanks

Loc

6 REPLIES
VIP Mentor

Hi @Loc Nguyen 

With FTD version 6.6 you can define multiple IKEv2 peers. So in your configuration you define a primary peer address and a backup peer, which is used if the primary fails.


Alternatively you can set up 2 individual crypto maps as normal.


If you needed VTIs, they are not supported on FTD until version 6.7, which is out Oct/Nov 2020.

HTH

VIP Rising star

Loc, good to see you around, man. As Rob mentioned, as of now FTD does not support route-based VPN. If I remember correctly from my days back at RackSpace, AWS would not support policy-based VPN; this means you would need to configure your VPN tunnel with one single SA, therefore one single encryption domain. If you have multiple local encryption domains that should be protected by the tunnel, again if memory serves :), we used to use any as the local encryption domain on the crypto ACL.
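Added example (editor's addition, not code from the thread, from Cisco or from AWS): the two AWS gateway addresses that Rob's primary/backup peer list needs, and the crypto parameters that Aref's single-SA tunnel will negotiate, both come from the customer-gateway configuration file the AWS console lets you download. The script below parses that file, orders the two AWS endpoints as primary and backup peer, prints the equivalent ASA `set peer` line, and flags the SHA-1 and DH group 2 defaults AWS still emits so they can be overridden on both sides before the tunnel is built. The XML element names are reconstructed from memory of the AWS "Generic" vendor download and are an assumption; the `Tunnel` class, the function names, the addresses and the pre-shared keys are all constructed for the example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample in the layout of the AWS "Generic" customer-gateway
# download (element names reconstructed from memory: an assumption). RFC 5737
# documentation addresses and fake keys throughout.
def _tunnel_xml(aws_ip: str, psk: str) -> str:
    return f"""  <ipsec_tunnel>
    <customer_gateway><tunnel_outside_address><ip_address>198.51.100.10</ip_address></tunnel_outside_address></customer_gateway>
    <vpn_gateway><tunnel_outside_address><ip_address>{aws_ip}</ip_address></tunnel_outside_address></vpn_gateway>
    <ike>
      <authentication_protocol>sha1</authentication_protocol>
      <encryption_protocol>aes-128-cbc</encryption_protocol>
      <perfect_forward_secrecy>group2</perfect_forward_secrecy>
      <pre_shared_key>{psk}</pre_shared_key>
    </ike>
    <ipsec>
      <authentication_protocol>hmac-sha1-96</authentication_protocol>
      <encryption_protocol>aes-128-cbc</encryption_protocol>
      <perfect_forward_secrecy>group2</perfect_forward_secrecy>
    </ipsec>
  </ipsec_tunnel>
"""

SAMPLE_AWS_CONFIG = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<vpn_connection id="vpn-0constructed">\n'
    "  <vpn_connection_type>ipsec.1</vpn_connection_type>\n"
    + _tunnel_xml("203.0.113.21", "psk-tunnel1-constructed")
    + _tunnel_xml("203.0.113.22", "psk-tunnel2-constructed")
    + "</vpn_connection>\n"
)


@dataclass
class Tunnel:
    aws_peer: str       # AWS-side outside address: the remote peer from the FTD's view
    local_outside: str  # customer-gateway (FTD outside) address AWS expects to see
    psk: str
    ike_auth: str
    ike_pfs: str
    ipsec_auth: str
    ipsec_pfs: str


def parse_tunnels(xml_text: str) -> list[Tunnel]:
    """Return the tunnels in document order; AWS lists tunnel 1 first."""
    root = ET.fromstring(xml_text)
    tunnels = []
    for t in root.findall("ipsec_tunnel"):
        tunnels.append(Tunnel(
            aws_peer=t.findtext("vpn_gateway/tunnel_outside_address/ip_address"),
            local_outside=t.findtext("customer_gateway/tunnel_outside_address/ip_address"),
            psk=t.findtext("ike/pre_shared_key"),
            ike_auth=t.findtext("ike/authentication_protocol"),
            ike_pfs=t.findtext("ike/perfect_forward_secrecy"),
            ipsec_auth=t.findtext("ipsec/authentication_protocol"),
            ipsec_pfs=t.findtext("ipsec/perfect_forward_secrecy"),
        ))
    return tunnels


def ftd_peer_order(tunnels: list[Tunnel]) -> tuple[str, str]:
    """Primary and backup peer for a multi-peer IKEv2 setup: tunnel 1, then tunnel 2."""
    if len(tunnels) != 2:
        raise ValueError(f"expected the two AWS tunnels, got {len(tunnels)}")
    return tunnels[0].aws_peer, tunnels[1].aws_peer


def asa_set_peer_line(crypto_map: str, seq: int, tunnels: list[Tunnel]) -> str:
    """Equivalent ASA crypto-map line listing both peers (tried in order)."""
    primary, backup = ftd_peer_order(tunnels)
    return f"crypto map {crypto_map} {seq} set peer {primary} {backup}"


# The AWS generic download still defaults to SHA-1 and DH group 2; move both
# sides to SHA-256 and group 14 or better before bringing the tunnel up.
WEAK_INTEGRITY = {"sha1", "hmac-sha1-96", "md5", "hmac-md5-96"}
WEAK_DH = {"group1", "group2", "group5"}


def weak_settings(t: Tunnel) -> list[str]:
    findings = []
    for label, value, weak in (
        ("IKE integrity", t.ike_auth, WEAK_INTEGRITY),
        ("IKE DH group", t.ike_pfs, WEAK_DH),
        ("IPsec integrity", t.ipsec_auth, WEAK_INTEGRITY),
        ("IPsec PFS group", t.ipsec_pfs, WEAK_DH),
    ):
        if value in weak:
            findings.append(f"{label} {value} on peer {t.aws_peer}")
    return findings


def consistency_issues(tunnels: list[Tunnel]) -> list[str]:
    """Things that bite when both AWS endpoints go on one FTD peer list."""
    issues = []
    if len({t.local_outside for t in tunnels}) != 1:
        issues.append("tunnels expect different customer-gateway addresses")
    if len({t.psk for t in tunnels}) != len(tunnels):
        issues.append("tunnels share a pre-shared key")  # AWS issues one PSK per tunnel
    return issues


if __name__ == "__main__":
    tunnels = parse_tunnels(SAMPLE_AWS_CONFIG)
    print(asa_set_peer_line("outside_map", 10, tunnels))
    for t in tunnels:
        print(f"peer {t.aws_peer}: PSK {t.psk!r} (configure this key for this peer)")
        for f in weak_settings(t):
            print("  WEAK:", f)
    for i in consistency_issues(tunnels):
        print("ISSUE:", i)
```

Run it against the real download instead of `SAMPLE_AWS_CONFIG` by reading the file into `parse_tunnels`. Each AWS tunnel carries its own pre-shared key, so when the second address is entered as the backup peer, make sure the backup peer is given the second key and not the first.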


Yeah, good to see you again. Thanks for the answer.


Hi,

I can initiate traffic from the ASA and bring up the tunnel.

I could not find a way to make/set up AWS to initiate traffic to bring the tunnel up.

Could you advise?

Thanks

Loc

Beginner

Just adding to Aref's comments. 


That's right, we should use any as the source traffic for policy-based VPNs. 

If we want to use VTIs without BGP, AWS support recommends shutting down the backup tunnel (odd). I have had many issues with Cisco ASA-AWS where the return traffic arrives on the backup tunnel from time to time.


Thanks!
