FTD IPSEC tunnel NAT.

Networking101
Level 1

Hello,

 

I'm having an issue with sending the correct "Responder ID" when creating a tunnel with IKEv2/IPsec:

 

Local side:

FTD 1120 v7.0.1, FMC managed. The FTD is behind an external firewall and is using a private IP on its outgoing interface in the 172.16.x.x range. Incoming AWS traffic to the external FW public IP is NATed and then routed to the internal FW; the internal FW does not do any NAT.

 

We are not allowed to terminate the tunnel on the external firewall, so we can't set up the endpoint there.

 

On my side, show crypto isakmp, ipsec and vpn-sessiondb appear to show a valid tunnel, so NAT and routing are working... but the AWS side (not under my control) shows no tunnel. Logs obtained by the AWS VPC admin show the tunnel is rejected due to a mismatch in the IDR: the firewall is sending the private IP as the IDR instead of the public IP which has been specified in the VTI configuration.

 

I have ticked the "Tunnel Source IP is Private" and specified the Tunnel Source Public IP Address. "Identity Sent to Peers" under VPN, Advanced is set to ipAddress.

 

Is this scenario supported? An incoming tunnel to a NATed FTD (v7.0.1), using VTI on the external interface and expecting to send the public IP as the IDR?

 

If so, any pointers to where I need to correct the setup for AWS to see the public IP in the IPSEC negotiations?

 

Thanks.
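To make the symptom described above concrete, here is an added example (not code from the original post, Cisco, or AWS) of the identity check the responder's peer performs on the IKEv2 Identification payload. It builds an IDr payload in the RFC 7296 section 3.5 wire format (generic payload header, ID type, three reserved bytes, identification data) and then compares the received identity against the configured peer address, exactly the comparison that produces the "IDR mismatch" the AWS side logged. The IP values 172.16.1.1 and 1.1.1.1 are the ones from this thread; the function names are this example's own. In a real exchange the IDr travels inside the encrypted IKE_AUTH message, so this check runs on the decrypted payload at the peer, not on packets captured in transit.

```python
import ipaddress
import struct

# IKEv2 Identification payload ID types (RFC 7296 section 3.5)
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_RFC822_ADDR = 3
ID_IPV6_ADDR = 5
ID_KEY_ID = 11


def build_id_payload(id_type: int, id_data: bytes, next_payload: int = 0) -> bytes:
    """Encode an IKEv2 Identification payload (IDi or IDr).

    Layout: Next Payload (1) | C+Reserved (1) | Payload Length (2) |
            ID Type (1) | Reserved (3) | Identification Data (n)
    """
    length = 8 + len(id_data)
    header = struct.pack("!BBH", next_payload, 0, length)
    return header + struct.pack("!B3x", id_type) + id_data


def parse_id_payload(raw: bytes) -> tuple:
    """Decode an Identification payload into (kind, value)."""
    if len(raw) < 8:
        raise ValueError("payload shorter than fixed Identification header")
    _next, _flags, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"payload length field {length} != {len(raw)} bytes received")
    id_type = raw[4]
    data = raw[8:]
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR must carry exactly 4 bytes")
        return ("ipv4", str(ipaddress.IPv4Address(data)))
    if id_type == ID_IPV6_ADDR:
        if len(data) != 16:
            raise ValueError("ID_IPV6_ADDR must carry exactly 16 bytes")
        return ("ipv6", str(ipaddress.IPv6Address(data)))
    if id_type in (ID_FQDN, ID_RFC822_ADDR):
        return ("name", data.decode("ascii"))
    if id_type == ID_KEY_ID:
        return ("keyid", data.hex())
    raise ValueError(f"unsupported ID type {id_type}")


def check_idr(raw: bytes, expected_peer: str) -> tuple:
    """Peer-side identity check: does the IDr the responder sent match what we configured?

    Returns (accepted, reason). The RFC 1918 branch is what a NATed endpoint
    sending its interface address instead of its public address looks like.
    """
    kind, value = parse_id_payload(raw)
    if kind != "ipv4":
        return (False, f"IDr type {kind!r} does not match the configured IPv4 peer address")
    if value == expected_peer:
        return (True, f"IDr {value} matches configured peer")
    if ipaddress.IPv4Address(value).is_private:
        return (False, f"IDr {value} is an RFC 1918 address; configured peer is {expected_peer} "
                       "(endpoint sent its pre-NAT interface address as its identity)")
    return (False, f"IDr {value} does not match configured peer {expected_peer}")


if __name__ == "__main__":
    # Constructed payloads using the addresses from this thread.
    private_idr = build_id_payload(ID_IPV4_ADDR, ipaddress.IPv4Address("172.16.1.1").packed)
    public_idr = build_id_payload(ID_IPV4_ADDR, ipaddress.IPv4Address("1.1.1.1").packed)
    for payload in (private_idr, public_idr):
        print(payload.hex(), "->", check_idr(payload, "1.1.1.1"))
```

Running the block shows the asymmetry the post describes: the local side can complete its own state machine regardless, but the peer rejects the IKE_AUTH exchange the moment the decoded IDr is 172.16.1.1 instead of the configured 1.1.1.1.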

 

2 Replies

Networking101
Level 1

 

Anyone?

 

I have obviously missed a step somewhere; how do I get the FTD to send the public IP from the VTI instead of the private IP on the physical interface as the IDR?

 

I think this configuration is supported from v6.7 and upwards.

 

Thanks.

This diagram may help to explain the setup a bit better: tunnel traffic is expected to land on the dedicated internal FW and then be routed out to the partner network. The traffic is of a sensitive nature, and as none of it is intended for the internal network we can't land it on the external FW.

 

The AWS peer rejects the IPsec negotiation when the 172.16.1.1 IP is sent as the ID; it should be sending 1.1.1.1, which has been specified... This setup should be supported in FTD v6.7; this FW is on v7.0.1.

 

The configuration examples I've seen either use ASA devices or don't mention anything about NATed firewalls.

 

 

Attachment: Tunnel.jpg