Site to Site VPN FTD to ASA

rob1456657 · ‎04-28-2021

I have followed a Cisco document for creating a VPN Tunnel between an ASA (9.2) and FTD 1010 (6.4).

I have existing ASA IKEv1 Tunnels and enabled IKEv2 and created the necessary tunnel-group and crypto map. I have created the configuration on the FTD but for the life of me the tunnel will not come up. Has any one encountered this before and perhaps I missing something real simple?

I use the following ASA Config example (replacing my IP ranges - also this is only in a test environment):

Create the IKEv2 Policy that defines the same parameters configured on the FTD:

Crypto ikev2 policy 1
Encryption aes-256
Integrity sha256
Group 14
Prf sha256
Lifetime seconds 86400

3. Create a group-policy allowing the ikev2 protocol:

Group-policy FTD_GP internal
Group-policy FTD_GP attributes
Vpn-tunnel-protocol ikev2

4. Create a tunnel group for the peer FTD public IP address. Reference the group-policy and specify the pre-shared-key:

Tunnel-group 172.16.100.20 type ipsec-l2l
Tunnel-group 172.16.100.20 general-attributes
Default-group-policy FTD_GP
Tunnel-group 172.16.100.20 ipsec-attributes
ikev2 local-authentication pre-shared-key cisco123
ikev2 remote-authentication pre-shared-key cisco123

5. Create an access-list that defines the traffic to be encrypted: (FTDSubnet 10.10.113.0/24) (ASASubnet 10.10.110.0/24)

Object network FTDSubnet
Subnet 10.10.113.0 255.255.255.0
Object network ASASubnet
Subnet 10.10.110.0 255.255.255.0
Access-list ASAtoFTD extended permit ip object ASASubnet object FTDSubnet

6. Create an ikev2 ipsec-proposal referencing the algorithms specified on the FTD:

Crypto ipsec ikev2 ipsec-proposal FTD
Protocol esp encryption aes-gcm-256

7. Create a crypto map entry that ties together the configuration:

Crypto map outside_map 10 set peer 172.16.100.20
Crypto map outside_map 10 match address ASAtoFTD
Crypto map outside_map 10 set ikev2 ipsec-proposal FTD
Crypto map outside_map 10 interface outside

8. Create a NAT exemption statement that will prevent the VPN traffic from being NATTED by the firewall:

Nat (inside,outside) 1 source static ASASubnet ASASubnet destination static FTDSubnet FTDSubnet no-proxy-arp route-lookup

The FTD Configuration is also setup in the reverse with the same Pre-shared key and encryption methods.

I can ping from one firewall to the other via the Outside interface so I know traffic can flow between the two WAN interfaces.

Any advice would be appreciated as I really need this to work.

Thanks.

Rob Ingram · ‎04-28-2021

@rob1456657

A Policy Based VPN doesn't establish until you generate interesting traffic from the networks defined in the ACL.

How are you testing the VPN?

I don't see the command "crypto ikev2 enable outside", is that configured on the ASA?

rob1456657 · ‎04-28-2021

Standard ping to a host on the remote site.

Rob Ingram · ‎04-28-2021

From what source IP address?

Run packet-tracer twice from CLI and provide the output.

Is IKEv2 enabled on outside interface?

rob1456657 · ‎04-28-2021

Here is my simple test configuration:

SITE-A-WAN (ASA) = 192.168.10.2

SITE-B-WAN (FTD) = 192.168.10.3

Ping from ASA to FTD via outside interface is a success:

Sending 5, 100-byte ICMP Echos to 192.168.10.3, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Performing the reciprocal test is also a success:

Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Yes, IKEv2 is enabled on the outside interface.

Which is why I'm not understanding why this is not working. I know it has to be something simple.

Rob Ingram · ‎04-28-2021

@rob1456657 I am asking if you are pinging from a source IP address to a destination IP address as defined in the ACL, that identifies the interesting traffic to establish the VPN.

So are you pinging from a host in 10.10.113.x to a host in 10.10.110.x? - NOT from or to the firewalls themselves

rob1456657 · ‎04-28-2021

Yes, that is correct.

The ping from the outside interface was to verify I could communicate with the remote Firewall.

rob1456657 · ‎04-28-2021

You know what it just hit me that I have both WAN on the same IP Scope. Re-configuring one of the units.

rob1456657 · ‎04-28-2021

This also the first FTP appliance I have ever worked on. Do I need to create static routes?

rob1456657 · ‎04-28-2021

Does anyone have a simple ASA config and FTD setup that works that I can peek a look at?

That would be the easiest way to resolve this.

Rob Ingram · ‎04-28-2021

Example

What about the packet-tracer output previously asked for?

Turn on ikev2/ipsec debugs and provide the output

rob1456657 · ‎04-28-2021

Does the FTD require an additional license(s) for Site to Site VPN?

rschlayer · ‎05-03-2021

No. S2S VPN is included.

rob1456657 · ‎05-03-2021

Hi All,

I was able to resolve the issue. I reset the ASA and the FTD and then started from scratch. The ASA is what kept things from working correctly. I use the ASA for so much testing something got mucked up! By resetting it and then reconfiguring each device, and verifying each had internet access, and then setting up the S2S VPN it all worked like a charm.

I successfully got the FTD and ASA tunnel up and could ping the interesting traffic on either side.