Configure Route Based VPN with Static Route on FTD Managed by FDM

Available Languages

Download Options

  • PDF     (4.2 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (4.4 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (1.9 MB)
    View on Kindle device or Kindle app on multiple devices
Updated:July 1, 2025
Document ID:223198

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to configure a static route-based site to site VPN tunnel on a FTD managed by FDM.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Basic understanding of how a VPN tunnel works.
    • Prior knowledge of navigating through the Firepower Device Manager(FDM).

    Components Used

    The information in this document is based on these software versions:

    • Cisco Firepower Threat Defense (FTD) version 7.0 managed by Firepower Device Manager(FDM).

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    Route-based VPN allows determination of interesting traffic to be encrypted, or sent over VPN tunnel, and use traffic routing instead of policy/access-list as in Policy-based or Crypto-map based VPN. The encryption domain is set to allow any traffic which enters the IPsec tunnel. IPsec Local and remote traffic selectors are set to 0.0.0.0/0.0.0.0. This means that any traffic routed into the IPsec tunnel is encrypted regardless of the source/destination subnet.

    This document focuses on Static Virtual Tunnel Interface (SVTI) configuration.

    note-icon

    Note: No additional licensing is needed, Route Based VPN can be configured in Licensed as well as Evaluation Modes. Without crypto compliance (Export Controlled Features Enabled), only DES can be used as an encryption algorithm.

    Configuration Steps on FDM

    Step 1. Navigate to Device > Site To Site.

    FDM DashboardFDM Dashboard

    Step 2. Click on the + icon to add a new site to site connection.

    Add S2S ConnectionAdd S2S Connection

    Step 3.  Provide a Topology Name and select the Type of VPN as Route Based (VTI).

    Click on Local VPN Access Interface, and then click Create new Virtual Tunnel Interface or select one from the list that exists.

    Add Tunnel InterfaceAdd Tunnel Interface

    Step 4. Define the parameters of the New Virtual Tunnel Interface. Click Ok.

    VTI ConfigVTI Config

    Step 5. Choose the newly created VTI or a VTI that exists under Virtual Tunnel Interface.Provide the Remote IP address.

    Add Peer IPAdd Peer IP

    Step 6. Choose the IKE Version and choose the Edit button to set the IKE and IPsec parameters as shown in the image.

    Configure IKE VersionConfigure IKE Version

    Step 7a. Choose the  IKE Policy button as shown in the image and click on ok button or Create New IKE Policy, if you like to create a new policy.

    Choose IKE PolicyChoose IKE Policy

    Config of IKE PolicyConfig of IKE Policy

    Step 7b. Choose the  IPSec Policy button as shown in the image and click on ok button or Create New IPsec Proposal, if you like to create a new proposal.

    Select IPsec ProposalSelect IPsec Proposal

    Config of IPsec ProposalConfig of IPsec Proposal

    Step 8a. Select the Authentication Type. If Pre-shared Manual Key is used, provide the Local and Remote Pre-shared Key.

    Step 8b. (Optional) Choose the Perfect Forward Secrecy settings. Configure the IPsec Lifetime Duration and Lifetime Size, and then click on next.

    PSK and Lifetime ConfigPSK and Lifetime Config

    Step 9. Review the configuration and click on Finish.

    Configuration SummaryConfiguration Summary


    Step 10a. Navigate to Objects > Security Zones and then click on + icon.

    Add a Security ZoneAdd a Security Zone


    Step 10b. Create a zone, and select the VTI interface as shown below.

    Config of Security ZoneConfig of Security Zone

    Step 11a. Navigate to Objects > Networks, click on + icon.

    Add Network ObjectsAdd Network Objects


    Step 11b. Add a host object, and create a gateway with tunnel ip of peer end.

    Configure VPN GatewayConfigure VPN Gateway


    Step 11c. Add the remote subnet and the local subnet.

    Remote IP ConfigRemote IP Config

    Local IP ConfigLocal IP Config


    Step 12. Navigate to Device > Policies, and configure the Access Control Policy.

    Add Access Control PolicyAdd Access Control Policy

    Step 13a. Add the routing over the VTI tunnel. Navigate to Device > Routing.

    Select RoutingSelect Routing

    Step 13b. Navigate to Static Route under the Routing tab. Click + icon.

    Add RouteAdd Route

    Step 13c. Provide the Interface, choose the Network, provide the Gateway. Click OK.

    Configure Static RouteConfigure Static Route

    Step 14. Navigate to Deploy. Review the changes then click on Deploy Now.

    Deploy the ConfigDeploy the Config

    Verify

    Once the deployment is complete, you can verify the tunnel status on CLI by using commands:

    1. show crypto ikev2 sa
    2. show crypto ipsec sa <peer-ip>

    Show CommandsShow Commands

    Related Information

    For further information regarding Site-to-Site VPNs on the FTD managed by FDM, you can find the full configuration guide here:

    FTD Managed by FDM Configuration Guide

    Revision History

    Revision Publish Date Comments
    1.0
    01-Jul-2025
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Rashmi Singh
      Technical Consulting Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products