09-04-2023 02:13 AM
Hello Family,
Hope you are well.
Is it possible to migrate IPsec configs between two FTDs in different sites, managed by the same FMC?
If yes, kindly provide an insight on how to achieve it.
Thank you
09-04-2023 03:18 AM
@fmugambi if the FMC manages both FTDs then just create a Point-to-Point VPN topology, define Node A as the first FTD and select its local networks for the protected networks. Define Node B as the second FTD and select its local networks.
Either use automatic pre-shared key or certificates and select your IKE/IPSec settings.
Create Access Control Policy rules to permit the traffic over the VPN.
Configure NAT exemption rules between the networks to ensure the traffic is not unintentionally translated.
Deploy policy to both devices.
FMC configuration guide for VPN - https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/vpn-s2s.html
This example is similar, just don't define Node B as an "extranet" just select Node B as the second FTD from the drop-down list, then configure the rest of the settings as per the guide.
09-04-2023 03:22 AM
@Rob Ingram, my concern was: FTD A has specific IPsec VPNs connected to clients. I would wish to move these IPsec VPNs to FTD B, such that if, say, FTD A is down, the IPsec VPNs are on FTD B, and then I work on routing appropriately on FTD B. Is there a way to do this, rather than manually creating all the IPsec VPNs on FTD B?
09-04-2023 03:37 AM
@fmugambi ok, for the remote sites' configuration define a backup peer (FTD B IP address). If FTD A is down, the remote sites will connect to FTD B.
09-04-2023 03:55 AM
Is this just limited to route-based VPNs? If I have policy-based VPNs, what happens?
09-04-2023 04:37 AM
@fmugambi I think only if the remote peer is defined as an extranet device.
"You can now add a backup peer to a site-to-site VPN connection, for IKEv1 and IKEv2 point-to-point extranet and hub-and-spoke topologies. Previously, you could only configure backup peers for IKEv1 point-to-point topologies.
New/modified pages: Devices > VPN > Site to Site > add or edit a point to point or hub and spoke FTD VPN topology > add endpoint > IP Address field now supports comma-separated backup peers"
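What the backup-peer arrangement described in this post looks like on the remote side of a policy-based (crypto map) tunnel, as an added example that is not part of the thread: the remote (extranet, unmanaged) peer lists FTD A's outside address first and FTD B's outside address as the backup, with a tunnel-group for each, plus the interesting-traffic ACL and NAT exemption that the FMC-side steps in this thread also call for. It is written in ASA-style syntax, which is what a non-FMC-managed ASA at a remote site would use; the public addresses, subnets, object names and pre-shared key are placeholders assumed for the example.

```text
! Remote-site ASA (extranet peer, not managed by the FMC). Added example.
! Assumed placeholder addressing:
!   FTD A outside = 198.51.100.10 (primary hub peer)
!   FTD B outside = 203.0.113.20  (backup hub peer)
!   remote LAN 10.10.0.0/24, LAN behind the hub FTDs 10.20.0.0/24
object network REMOTE-LAN
 subnet 10.10.0.0 255.255.255.0
object network HUB-LAN
 subnet 10.20.0.0 255.255.255.0

! Interesting traffic for the policy-based tunnel
access-list VPN-TO-HUB extended permit ip object REMOTE-LAN object HUB-LAN

! NAT exemption: VPN traffic must not be caught by the outbound PAT rule
nat (inside,outside) source static REMOTE-LAN REMOTE-LAN destination static HUB-LAN HUB-LAN no-proxy-arp route-lookup

! IKEv2 policy and IPsec proposal (must match the IKE/IPsec settings chosen in the FMC topology)
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! One tunnel-group per hub peer address, because the peers have different public IPs.
! "ExamplePSK-ChangeMe" is a placeholder; use the key configured on the FMC topology.
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key ExamplePSK-ChangeMe
 ikev2 local-authentication pre-shared-key ExamplePSK-ChangeMe
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 ikev2 remote-authentication pre-shared-key ExamplePSK-ChangeMe
 ikev2 local-authentication pre-shared-key ExamplePSK-ChangeMe

! Primary and backup peer: the ASA negotiates with 198.51.100.10 first and
! falls back to 203.0.113.20 when FTD A does not answer
crypto map VPN-MAP 10 match address VPN-TO-HUB
crypto map VPN-MAP 10 set peer 198.51.100.10 203.0.113.20
crypto map VPN-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map VPN-MAP interface outside
```

Note that the failover here is driven by the remote site: it only moves to FTD B after IKE to FTD A fails, so FTD B must already carry an equivalent topology for this peer (both FTDs can be nodes in the same extranet topology on the FMC), and the same protected networks, ACP rules and NAT exemption must be deployed to FTD B ahead of time.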
09-04-2023 04:48 AM
But my worry is: where is this backup peer configured? On FTD A? What happens if FTD A is not reachable for any reason?
09-04-2023 05:16 AM
@fmugambi are your remote devices managed by the FMC or are they extranet (unmanaged) devices? If they are managed by the FMC then I think the only option for a backup peer VPN is using VTI (as per link already provided). If using FMC/FTD 7.3 you can use DVTI to simplify the hub configuration.
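For the case this post describes, where the remote device is itself FMC-managed and the backup therefore has to be route-based (VTI), the following is an added example, not something from the thread, of what the resulting configuration on a managed spoke looks like in ASA-style syntax: one VTI to FTD A and one to FTD B, with the route to the hub LAN preferring the tunnel to FTD A while an SLA monitor tracks it, so the floating route via FTD B takes over when FTD A is unreachable. Addresses, tunnel subnets and names are assumed placeholders; the IKEv2 policy, IPsec proposal and tunnel-groups are the same kind as in the policy-based example earlier in the thread and are omitted here.

```text
! Managed spoke FTD (as it would appear in show running-config). Added example.
! Assumed placeholders: FTD A outside 198.51.100.10, FTD B outside 203.0.113.20,
! VTI /30s 172.16.1.0/30 (to FTD A) and 172.16.2.0/30 (to FTD B), hub LAN 10.20.0.0/24.
crypto ipsec profile VTI-PROFILE
 set ikev2 ipsec-proposal AES256-SHA256

! Tunnel to FTD A
interface Tunnel1
 nameif vti-ftd-a
 ip address 172.16.1.2 255.255.255.252
 tunnel source interface outside
 tunnel destination 198.51.100.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE

! Tunnel to FTD B
interface Tunnel2
 nameif vti-ftd-b
 ip address 172.16.2.2 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.20
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE

! Probe FTD A's VTI address through Tunnel1; when the probe fails,
! track 1 goes down and the metric-1 route is withdrawn
sla monitor 1
 type echo protocol ipIcmpEcho 172.16.1.1 interface vti-ftd-a
 frequency 5
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability

! Preferred route via FTD A (tracked), floating route via FTD B
route vti-ftd-a 10.20.0.0 255.255.255.0 172.16.1.1 1 track 1
route vti-ftd-b 10.20.0.0 255.255.255.0 172.16.2.1 10
```

Because both tunnels are route-based, no crypto ACL ties traffic to a single peer; which hub carries the traffic is purely a routing decision, which is why a backup peer is possible here but not for a managed-to-managed policy-based topology. Return traffic from the hub LAN must likewise prefer FTD A and fall back to FTD B (a tracked static route on the hub side or a dynamic routing protocol over the VTIs), otherwise the path is asymmetric after failover.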
09-06-2023 02:31 AM
Yeah, the two devices are managed by the same FMC.
09-07-2023 10:46 PM
Also remember that each FTD has a different public IP address.