Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1022
Views
10
Helpful
3
Replies

ike policy mismach migration ASA to FTD

mateens
Level 1
Level 1

‎08-13-2020 12:50 AM

Hi, 

I am migrating a context which have many site to site vpn tunnels ( preshared key ) from ASA to FTD. I cannot find the same options in FTD to match the config. 

 

1- Encryption algorithms > Ikev1 and v2 policy. In ASA there are many policies selected but in FTD i can only select one.

2- How can i match the config in ACL manager on ASA to FTD ?

3- IPsec Enabling > group policy ? The options do not match in ASA ans FTD

4- There is a command in ASA running config "sysopt permit-vpn". So should i check "Bypass Access Control policy for decrypted traffic (sysopt permit-vpn)" on FTD for every tunnel ?

5- crypto maps in FTD ?

Labels:
0 Helpful
3 Replies 3

Rob Ingram
VIP
VIP

‎08-13-2020 01:13 AM

Hi,
How are you managing the FTD? FDM (local), FMC (central) or CDO (cloud managed).

All of what you mention are possible, follow the SIte-to-Site VPN wizard will allow you to add or create IKEv1/IKEv2 and IPSec policies to select the algorithms to use.

When configuring the VPN you select the "Protected Networks" which relates to the ASA's ACL used to define the interesting traffic to be encrypted.

The Group Policies attributes are similar between ASA and FTD, the GUI is not.

Instead of bypassing traffic, just define rules in the Access Control Policy to permit/deny traffic.

The FTD currently only supports Crypto Maps, so when you run the wizard to configure a VPN, that is the type of VPN that is configured.

HTH

mateens
Level 1
Level 1
In response to Rob Ingram

‎08-13-2020 11:40 PM

-I am using FMC. IKEv1/IKEv2 policies i have option to choose only one profile but in ASA there are multiple. I read that this would not be an issue as the two sides negotiate policy one by one and select whatever matches in the list.
-How to assign the group policy to a tunnel ?
- i have around 50 tunnels that are configured on ASA. Their configuration is just under Tunnel Groups. How to migrate those ?
0 Helpful

Mohammed al Baqari
Level 11
Level 11
In response to mateens

‎08-14-2020 01:26 AM

Hi,

Regarding having more than one policy, this is known limitation in fmc. If
you need more policies, cisco approach is to configure them using
flexconfig.

I am not sure about a tool to migrate the 50 tunnels. You might need to do
them manually or script them through api.

**** please remember to rate useful posts
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents