We have a big project involving the deployment of hundreds of firewalls in different locations: HQ and shops. Each shop was connected to the regional HQ via VPN, either EasyVPN or static L2L (the latter case when the shop has two Internet lines).
Currently, all locations use ASA devices, which are going to be migrated/replaced with FTDs, centrally managed by FMC.
The implementation has already started, but we have found several limitations in the current implementation of the VPN, compared to what was possible with the ASA:
- on the HQ hub, concentrating the VPNs from the shops, it's not possible to impose an order among the crypto maps;
- it's not possible to configure a backup peer IP address in hub&spoke VPNs (unless you resort to contorted configurations);
- VTI tunnels - which would be absolutely welcome - are not supported: you can configure almost every aspect using FlexConfig, but not the "nameif" and "ip address" commands under the Tunnel interface;
- it's not possible to associate a filter ACL to a VPN.
We would like to know if these four issues are included in the roadmap for the next upgrade; in particular, the VTI VPN is of particular interest for us: we see that there are a couple of "enhancement request bugs" (CSCvf75938, CSCvj24040), acting as placeholders for the fact that VTI should be supported, but without any clue about when that will happen.
Thanks in advance.
I also have no timeline. But I'm pretty sure that Cisco is very aware of the fact that many customers (including me) are eagerly waiting for these features (and many more) in FTD. I'm hoping to see some more in the next bigger releases.
I would suggest you make sure your Cisco account manager is aware of your need for these enhancements. It will carry more weight via that path than via your posting here.
Does anybody know if this VTI feature is coming to FTD anytime soon?
I also have a large deployment with VTI and dynamic routing, and the lack of this feature is holding back migration to higher-model firewalls.
If you have a Cisco account manager you can request they submit an enhancement request on your behalf. Internally it's known as a "Firestarter" request. The more customers that request a given feature, the higher priority it gets within the development team.
Unfortunately they don't consider postings here as a customer request.
Your Cisco account manager should be familiar with it. If they aren't, they can contact their cybersecurity SE covering the account.
Meanwhile I have heard (at Cisco Live Barcelona) that VTIs are coming this fall with Firepower 6.7
@Marvin Rhoads we are deploying FTD and already using ASA VTI. I have escalated this to my Cisco account manager as a "Firestarter" request. Thank you for the tip/way to escalate this to the Cisco firewall team.
My account manager at Cisco directed me to speak with a system engineer. This nice guy assured me it is escalated internally and that the issue will be fixed in the next release.
So I don't know when it will be out. It is frustrating: no FTD VTI and no tunnels to AWS, as we are heavily based on site-to-site VPNs.
Funny you mention AWS, as this was the same reason I was looking into VTI on FTD. That said, you can absolutely do a policy-based VPN to AWS. In fact, AWS even has instructions in the VPN setup section on how to do this; the trick is you (obviously) cannot do BGP routing, so the config example only shows up if you configure the VPN on AWS with static routing. The only limitation with a policy-based VPN to AWS is that you can only have a single SA, and I don't think you can have the SA do 0.0.0.0/0, so if you wanted to have a VPN from 192.168.0.1/24 and 10.1.0.0/24 there is no way to make it work. If all of your networks are inside of 10.0.0.0/16 then no problem, just use the /16 and you will be good.
Now, with all of that said, I think the main reason FTD doesn't have VTI yet is that, quite frankly, you shouldn't be doing these types of VPNs on FTD. The modern-day replacement for a "VPN concentrator" is the ISR 4K or ASR routers. IOS XE has EXCELLENT IPsec support, and that is my device of choice for this type of application. I'm even considering the CSR 1000v for this too. I just wish the pricing for CSR was a bit better, especially for the higher-throughput versions.
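The single-SA constraint described in the post above (one local/remote proxy-ID pair, no 0.0.0.0/0, so several disjoint networks have to be summarised into one prefix or the tunnel cannot be built) can be checked before a policy-based tunnel is committed to. The script below is an added example written for this thread; it is not code from the poster, from Cisco or from AWS. It computes the smallest single prefix covering each side's networks, rejects a plan that would need 0.0.0.0/0 or overlapping selectors, and reports how much unused address space the summary drags into the tunnel. The ACL name VPN-TO-AWS, the sample networks and the "slack" measure are assumptions for illustration; the generated line uses standard ASA extended-ACL syntax.

```python
import ipaddress
from typing import Iterable, List


def covering_prefix(networks: Iterable[str]) -> ipaddress.IPv4Network:
    """Return the smallest single prefix that contains every network given.

    strict=False normalises host-style notation such as 192.168.0.1/24
    (as written in the thread) to its network address, 192.168.0.0/24.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]
    if not nets:
        raise ValueError("at least one network is required")
    candidate = nets[0]
    # Widen the candidate one bit at a time until every network fits inside it.
    # supernet() on 0.0.0.0/0 returns itself, so the loop always terminates.
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def summarisation_slack(prefix: ipaddress.IPv4Network, networks: Iterable[str]) -> int:
    """Addresses carried by the single selector that belong to none of the
    real networks, i.e. traffic the tunnel would accept purely because of
    summarisation (assumed measure, useful when reviewing what the hub exposes)."""
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]
    used = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return prefix.num_addresses - used


def plan_single_sa(local_networks: List[str], remote_networks: List[str],
                   acl_name: str = "VPN-TO-AWS") -> dict:
    """Decide whether one policy-based SA can serve the given networks.

    Returns the summarised selectors, any blocking problems and, when the plan
    is viable, the ASA-style crypto ACL line that would define the SA.
    """
    local = covering_prefix(local_networks)
    remote = covering_prefix(remote_networks)
    problems = []

    # The thread's constraint: a single SA, and it cannot be 0.0.0.0/0.
    for side, prefix in (("local", local), ("remote", remote)):
        if prefix.prefixlen == 0:
            problems.append(
                f"{side} networks only summarise to 0.0.0.0/0, which cannot be "
                f"used as the single SA's traffic selector")

    # Overlapping selectors make the policy ambiguous about which side owns
    # an address, so refuse them as well.
    if local.overlaps(remote):
        problems.append("local and remote summaries overlap; traffic selection "
                        "would be ambiguous")

    acl = (f"access-list {acl_name} extended permit ip "
           f"{local.network_address} {local.netmask} "
           f"{remote.network_address} {remote.netmask}")

    return {
        "ok": not problems,
        "local": str(local),
        "remote": str(remote),
        "local_slack": summarisation_slack(local, local_networks),
        "remote_slack": summarisation_slack(remote, remote_networks),
        "problems": problems,
        "crypto_acl": acl if not problems else None,
    }


if __name__ == "__main__":
    # Constructed sample inputs: three shop subnets behind the hub, one AWS VPC.
    viable = plan_single_sa(["10.0.1.0/24", "10.0.2.0/24", "10.0.200.0/24"],
                            ["172.31.0.0/16"])
    print(viable)
    # The case the thread says cannot work: two unrelated RFC1918 ranges.
    not_viable = plan_single_sa(["192.168.0.1/24", "10.1.0.0/24"],
                                ["172.31.0.0/16"])
    print(not_viable["problems"])
```

The slack number is the practitioner's caveat to the "just use the /16" advice: summarising 768 addresses up to a /16 lets the SA carry traffic for roughly 64k addresses that no shop actually uses, so whatever sits on the other side of the tunnel should still be filtered by the access policy rather than relying on the crypto ACL alone.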