I am going to set up a site-to-site VPN between my company and a client company.
My company uses Cisco FTD.
My client company uses AWS. AWS uses two gateways by default when setting up a tunnel.
Can we set up a VPN from FTD to two AWS gateways?
Hi @Loc Nguyen
With FTD version 6.6, you can define multiple IKEv2 peers. So in your configuration you define a primary peer address and a backup peer, which is used if the primary fails.
Alternatively, you can set up 2 individual crypto maps as normal.
If you needed VTIs, they are not supported on FTD until version 6.7, which is out Oct/Nov 2020.
Loc, good to see you around, man. As Rob mentioned, as of now, FTD does not support route-based VPN. If I remember correctly from my days back at RackSpace, AWS would not support policy-based VPN; this means you would need to configure your VPN tunnel with one single SA, therefore one single encryption domain. If you have multiple local encryption domains that should be protected by the tunnel, again if memory serves :), we used to use "any" as the local encryption domain on the crypto ACL.
I can initiate traffic from the ASA and bring up the tunnel.
I could not find a way to make/set up AWS to initiate traffic to bring the tunnel up.
Could you advise?
Just adding to Aref's comments.
That's right, we should use "any" as the source traffic for policy-based VPNs.
If we want to use VTIs without BGP, AWS support recommends shutting down the backup tunnel (odd). I have had many issues with Cisco ASA-AWS where the return traffic arrives on the backup tunnel from time to time.
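For reference, here is what the policy-based setup discussed in this thread (one crypto map entry with a primary and backup AWS peer, and "any" as the local side of the crypto ACL) looks like in ASA CLI syntax. This is a constructed example added here, not configuration from any of the posters; the AWS VPC CIDR, peer addresses, interface name and pre-shared keys are placeholders, and on FTD the equivalent settings are entered through FMC rather than this CLI.

```text
! Constructed ASA example (placeholders, not from the thread).
! Crypto ACL: "any" as the local encryption domain, AWS VPC as the remote.
object network AWS_VPC
 subnet 10.200.0.0 255.255.0.0
access-list AWS_CRYPTO extended permit ip any object AWS_VPC

! IKEv2 policy and IPsec proposal (parameters must match the AWS side).
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 28800
crypto ipsec ikev2 ipsec-proposal AWS_PROP
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ikev2 enable outside

! One crypto map entry listing the primary and backup AWS gateway addresses.
! The second peer is only tried if the first does not respond.
crypto map OUTSIDE_MAP 10 match address AWS_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10 203.0.113.20
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AWS_PROP
crypto map OUTSIDE_MAP interface outside

! A tunnel-group per AWS peer, each with its own pre-shared key.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK_PLACEHOLDER_1>
 ikev2 local-authentication pre-shared-key <PSK_PLACEHOLDER_1>
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK_PLACEHOLDER_2>
 ikev2 local-authentication pre-shared-key <PSK_PLACEHOLDER_2>
```

Because the crypto ACL uses "any" on the local side, every local subnet that needs to reach the VPC is covered by the single SA, which is the point Aref and the reply above make about policy-based VPN to AWS.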