Ipsec Config migration between FTDs managed by FMC

fmugambi
Spotlight

Hello Family,

Hope you are well.

Is it possible to migrate IPsec Configs between two FTDs in different sites, managed by the same FMC.

If yes, kindly provide an insight on how to achieve it.

Thank you

9 Replies

@fmugambi if the FMC manages both FTDs then just create a Point-to-Point VPN topology, define Node A as the first FTD and select its local networks for the protected networks. Define Node B as the second FTD and select its local networks.

Either use automatic pre-shared key or certificates and select your IKE/IPSec settings.

Create Access Control Policy rules to permit the traffic over the VPN.

Configure NAT exemption rules between the networks to ensure the traffic is not unintentionally translated.

Deploy policy to both devices.

FMC configuration guide for VPN -  https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/vpn-s2s.html

This example is similar; just don't define Node B as an "extranet", select Node B as the second FTD from the drop-down list instead, then configure the rest of the settings as per the guide.


fmugambi
Spotlight

@Rob Ingram, my concern was: FTD A has specific IPsecs connected to clients. I would wish to move these IPsec VPNs to FTD B, such that, say, if FTD A is down, the IPsecs are on FTD B, and then I work on routing appropriately on FTD B. Is there a way to do this, rather than manually creating all the IPsec VPNs on FTD B?

@fmugambi ok, for the remote sites' configuration define a backup peer (FTD B IP address). If FTD A is down, the remote sites will connect to FTD B.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/vpn-s2s.html#Cisco_Reference.dita_73dac582-5114-4643-9536-fc4e2de1f1c4


fmugambi
Spotlight

Is this just limited to route-based VPNs? If I have policy-based VPNs, what happens?

@fmugambi I think only if the remote peer is defined as an extranet device.

"You can now add a backup peer to a site-to-site VPN connection, for IKEv1 and IKEv2 point-to-point extranet and hub-and-spoke topologies. Previously, you could only configure backup peers for IKEv1 point-to-point topologies.

New/modified pages: Devices > VPN > Site to Site > add or edit a point to point or hub and spoke FTD VPN topology > add endpoint > IP Address field now supports comma-separated backup peers"

https://www.cisco.com/c/en/us/td/docs/security/firepower/660/relnotes/firepower-release-notes-660/features.html
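Once a backup peer (FTD B) is in place, the check a practitioner wants during a failover test is whether each remote site's tunnel is up and whether it landed on the primary or the backup address. The script below is an added example, not from this thread or from Cisco: it parses a constructed sample that approximates FTD/ASA `show crypto ikev2 sa` output (an assumption; real output differs in spacing and extra fields) and maps each remote peer to the placeholder FTD A / FTD B public IPs.

```python
"""Classify IKEv2 SAs by configured peer (primary FTD A vs backup FTD B)."""
import re

# Constructed sample: a remote site's view; the tunnel is currently
# established to the backup peer. Format approximates `show crypto ikev2 sa`.
SAMPLE_SHOW_IKEV2_SA = """\
IKEv2 SAs:

Session-id:3, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                 Remote                Status  Role
 41712    198.51.100.10/500     203.0.113.2/500       READY   INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/1520 sec
Child sa: local selector  10.20.0.0/0 - 10.20.255.255/65535
          remote selector 10.10.0.0/0 - 10.10.255.255/65535
          ESP spi in/out: 0x1a2b3c4d/0x4d3c2b1a
"""

# Placeholder public IPs (assumption): FTD A is primary, FTD B is backup.
PEERS = {"203.0.113.1": "primary (FTD A)", "203.0.113.2": "backup (FTD B)"}

# One SA row: tunnel id, local addr/port, remote addr/port, status, role.
SA_LINE = re.compile(
    r"^\s*(?P<tid>\d+)\s+(?P<local>[\d.]+)/\d+\s+(?P<remote>[\d.]+)/\d+\s+"
    r"(?P<status>\S+)\s+(?P<role>\S+)\s*$", re.M)


def parse_ikev2_sas(text):
    """Return one dict per IKEv2 SA row found in the show output."""
    return [m.groupdict() for m in SA_LINE.finditer(text)]


def classify_tunnels(text, peers=PEERS):
    """Map each remote peer address to (SA status, which configured peer it is)."""
    result = {}
    for sa in parse_ikev2_sas(text):
        label = peers.get(sa["remote"], "unknown peer")
        result[sa["remote"]] = (sa["status"], label)
    return result


if __name__ == "__main__":
    for remote, (status, label) in classify_tunnels(SAMPLE_SHOW_IKEV2_SA).items():
        print(f"{remote}: {status} via {label}")
```

A remote site reported as "via backup (FTD B)" while FTD A is reachable is worth investigating, since it means the primary tunnel did not come back or the site never preferred it.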


fmugambi
Spotlight

But my worry is, this backup peer I have configured where? On FTD A? What happens if FTD A is not reachable for any reason?

@fmugambi are your remote devices managed by the FMC or are they extranet (unmanaged) devices? If they are managed by the FMC then I think the only option for a backup peer VPN is using VTI (as per link already provided). If using FMC/FTD 7.3 you can use DVTI to simplify the hub configuration.

fmugambi
Spotlight

Yeah, the two devices are managed by the same FMC.

As well, remember each FTD has a different public IP address.