S2S VPN after PBR via FlexConfig

Herald Sison
Level 3

Hi everyone,

I have a problem with my site-to-site VPN after I split the traffic of my inside interface to pass through 2 outside interfaces of my FTD. Only outside2 can communicate with the peer, and outside1 cannot. The weird thing is that the peer device, which is an ASA, can ping all subnets inside my LAN even though I already split the traffic of my FTD using PBR via FlexConfig. I am using FMC for my FTD and ASDM for my ASA.


I tried creating 2 S2S VPN configs, one for each outside interface, but still only 1 can get through.

 

5 Replies

One FTD with two ISPs and one ASA with one ISP? Is this your config?

Yes sir, that's correct.

 

I tried adding the 2 IP addresses in the tunnel group on the ASA; it says IKEv2 does not allow multi-peer, which is odd to me.

So the ASA builds only one IPsec tunnel to the FTD; the other IPsec VPN will never come UP and be used.
So can you try VTI instead of policy-based IPsec?

 

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/216276-configure-route-based-site-to-site-vpn-t.html
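As an added illustration of the route-based alternative suggested in this reply (this is example config, not the poster's or Cisco's, and the IP addresses, interface names and subnets are placeholders from the RFC 5737 documentation ranges): one VTI per FTD outside address on the ASA, with static routes that mirror the split the FTD's PBR already applies. Because each VTI is its own interface, both tunnels can be up at once, which a policy-based crypto map with a single peer cannot do.

```text
! --- Example only: ASA side, route-based S2S with two VTIs (ASA 9.8+ for IKEv2 VTI) ---
! Assumed placeholders: FTD outside1 = 203.0.113.10, FTD outside2 = 198.51.100.10
!                       FTD LAN subnets 10.10.1.0/24 (via outside1) and 10.10.2.0/24 (via outside2)

crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! One IPsec profile shared by both tunnel interfaces
crypto ipsec profile VTI-PROFILE
 set ikev2 ipsec-proposal AES256-SHA256
 set pfs group19

! One tunnel-group per remote peer address (pre-shared keys shown as placeholders)
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK-OUTSIDE1>
 ikev2 local-authentication pre-shared-key <PSK-OUTSIDE1>
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK-OUTSIDE2>
 ikev2 local-authentication pre-shared-key <PSK-OUTSIDE2>

! VTI towards FTD outside1
interface Tunnel1
 nameif vti-ftd-outside1
 ip address 10.255.1.2 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE

! VTI towards FTD outside2
interface Tunnel2
 nameif vti-ftd-outside2
 ip address 10.255.2.2 255.255.255.252
 tunnel source interface outside
 tunnel destination 198.51.100.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE

! Routing decides which tunnel carries which subnet; keep this consistent with the
! PBR split on the FTD so return traffic does not arrive on the "wrong" tunnel.
route vti-ftd-outside1 10.10.1.0 255.255.255.0 10.255.1.1
route vti-ftd-outside2 10.10.2.0 255.255.255.0 10.255.2.1
```

Two checks worth running after applying something like this: `show crypto ikev2 sa` should list both peers with their own IKE SA, and `show crypto ipsec sa` should show encaps/decaps counters increasing on both Tunnel interfaces. If one of them only encapsulates, the far side is returning that subnet's traffic over the other path, which is exactly the symptom described in the original post.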

 

Do you mean I should configure a policy-based crypto map on outside1 and a route-based VTI on outside2, and the same on the ASA side?

The ASA does not support an IKEv2 tunnel with multiple peers; there is an enhancement request, Cisco CSCud22276.

If you want to have two tunnels, in that case you can drop down to IKEv1 with strong encryption (Phase 1 and Phase 2).

 

VTI on FTD is supported from version 6.7 onward. However, there are so many bugs in 6.7 that the recommended version is 7.0.x. I have no idea which FTD/FMC version you are on.

 

 

EDIT: Correction. Just found on Cisco's site: as of ASA version 9.14 this feature is now supported on IKEv2. A multi-peer crypto map allows the configuration of up to a maximum of 10 peer addresses.

Please do not forget to rate.