This document describes how to configure Site-to-Site VPN on Firepower Threat Defense (FTD) managed by Firepower Device Manager (FDM), with a Cisco Adaptive Security Appliance (ASA) as the remote peer.
Contributed by Cameron Schaeffer, Cisco TAC Engineer.
Cisco recommends that you have knowledge of these topics:
Basic understanding of VPN
Experience with FDM
Experience with Adaptive Security Appliance (ASA) command line
The information in this document is based on these software and hardware versions:
Cisco FTD 6.5
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Start with the configuration on FTD with FDM.
Define Protected Networks
Navigate to Objects > Networks > Add New Network.
Configure objects for the LAN networks from the FDM GUI. Create an object for the local network behind the FDM-managed device as shown in the image.
Create an object for the remote network behind the ASA device as shown in the image.
Configure Site-to-Site VPN
Navigate to Site-to-Site VPN > Create Site-to-Site Connection.
Go through the Site-to-Site wizard on FDM as shown in the image.
Give the Site-to-Site connection a connection profile name that is easily identifiable.
Select the correct external interface for the FTD and then select the local network that needs to be encrypted across the Site-to-Site VPN.
Set the public interface of the remote peer. Then select the remote peer's network that will be encrypted across the Site-to-Site VPN as shown in the image.
On the next page, select the Edit button to set the Internet Key Exchange (IKE) parameters as shown in the image.
Select the Create New IKE Policy button as shown in the image.
This guide uses these parameters for the IKEv2 initial exchange:
Encryption: AES-256
Integrity: SHA256
DH Group: 14
PRF: SHA256
Once back on the main page, select the Edit button for the IPSec Proposal. Create a new IPSec Proposal as shown in the image.
This guide uses these parameters for IPsec:
Set the authentication to Pre-Shared Key and enter the Pre-Shared Key (PSK) that will be used on both ends. In this guide, the PSK Cisco is used as shown in the image. This is a lab value only; a production tunnel should use a long, randomly generated PSK that is configured identically on both peers.
Set the internal NAT Exempt interface. If multiple inside interfaces will carry VPN traffic, a manual NAT Exempt rule must be created under Policies > NAT.
On the final page, a summary of the Site-to-Site connection is displayed. Ensure that the correct IP addresses are selected and the proper encryption parameters will be used, then click Finish. Deploy the new Site-to-Site VPN.
The ASA configuration is completed from the CLI.
1. Enable IKEv2 on the outside interface of the ASA:
crypto ikev2 enable outside
2. Create the IKEv2 policy that defines the same parameters configured on the FTD:
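The complete ASA-side configuration that mirrors the FDM wizard settings above, as an added example that is not part of the original document. The IKEv2 policy values (AES-256, SHA256, DH group 14, PRF SHA256) and the PSK Cisco come from this guide; the IPsec proposal values (AES-256 with SHA-256), the object, policy and crypto map names, and all IP addresses (ASA LAN 192.168.200.0/24, FTD LAN 172.16.100.0/24, ASA outside 198.51.100.10, FTD outside 203.0.113.10) are assumptions to replace with your own.

```cisco
! Added example (not from the original document). All addresses are assumed.
! ASA LAN:      192.168.200.0/24   FTD LAN:      172.16.100.0/24
! ASA outside:  198.51.100.10      FTD outside:  203.0.113.10
object network ASA-LAN
 subnet 192.168.200.0 255.255.255.0
object network FTD-LAN
 subnet 172.16.100.0 255.255.255.0

! 1. Enable IKEv2 on the outside interface
crypto ikev2 enable outside

! 2. IKEv2 policy: must match the FTD (AES-256 / SHA256 / DH 14 / PRF SHA256)
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400

! 3. IPsec proposal (AES-256 / SHA-256 assumed; match whatever you chose in FDM)
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! 4. Interesting traffic: must be the mirror image of the FTD's local/remote networks
access-list VPN-TO-FTD extended permit ip object ASA-LAN object FTD-LAN

! 5. Crypto map keyed on the FTD's public IP, bound to the outside interface
crypto map OUTSIDE-MAP 10 match address VPN-TO-FTD
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP interface outside

! 6. Group policy restricted to IKEv2 and the LAN-to-LAN tunnel group with the same PSK
!    on both sides (Cisco is the lab value from this guide; use a long random PSK)
group-policy FTD-L2L internal
group-policy FTD-L2L attributes
 vpn-tunnel-protocol ikev2
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy FTD-L2L
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 local-authentication pre-shared-key Cisco
 ikev2 remote-authentication pre-shared-key Cisco

! 7. NAT exemption (the ASA counterpart of the FDM NAT Exempt interface setting):
!    identity twice-NAT so VPN traffic is never translated before encryption
nat (inside,outside) source static ASA-LAN ASA-LAN destination static FTD-LAN FTD-LAN no-proxy-arp route-lookup
```

The crypto ACL and the NAT exemption are the two places where a mismatch with the FTD side is easiest to make: the ACL must be the exact mirror of the networks selected in the FDM wizard, and the NAT exemption must sit above any dynamic PAT rule so the private source address reaches the crypto map.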
Use this section in order to confirm that your configuration works properly.
Attempt to initiate traffic through the VPN tunnel. With access to the command line of the ASA or FTD, this can be done with the packet-tracer command. When you use packet-tracer to bring up the VPN tunnel, it must be run twice in order to verify whether the tunnel comes up: the first time the command is issued the tunnel is down, so the trace fails with VPN encrypt DROP, but that attempt triggers the IKEv2 negotiation, and the second run shows whether the tunnel has come up. Do not use the inside IP address of the firewall as the source IP address in the packet-tracer, as this will always fail.
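The two-pass packet-tracer check described above, followed by the SA checks a practitioner runs next, as an added example that is not part of the original document. It assumes 172.16.100.10 is a host on the LAN behind the device you are logged into, 192.168.200.10 is a host behind the remote peer, the inside interface is named inside, and the remote peer's public address is 203.0.113.10.

```cisco
! Added example (not from the original document). Addresses and interface names assumed.
! Run from the ASA or FTD CLI. Source must be a host behind the firewall,
! never the firewall's own inside interface address.

! Pass 1: tunnel is down, expect "VPN encrypt DROP"; this kicks off the IKEv2 negotiation
packet-tracer input inside icmp 172.16.100.10 8 0 192.168.200.10 detailed

! Pass 2 (a few seconds later): with the SAs established the final result should be ALLOW
packet-tracer input inside icmp 172.16.100.10 8 0 192.168.200.10 detailed

! IKEv2 SA: the tunnel to the peer should be listed with Status READY
show crypto ikev2 sa

! IPsec SA for this peer: the crypto ACL must show the expected local/remote proxy
! identities, and #pkts encaps / #pkts decaps should both increase as traffic flows
show crypto ipsec sa peer 203.0.113.10
```

If the second packet-tracer still drops at the VPN encrypt phase while show crypto ikev2 sa lists no SA, the failure is in IKE (connectivity, PSK or policy mismatch) rather than in the data path; if an IKEv2 SA exists but the IPsec SA shows encaps without decaps, the packets leave but nothing returns, which points at the remote side's NAT or routing.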
This section provides information you can use in order to troubleshoot your configuration.
Initial Connectivity Issues
When you build a VPN, there are two sides negotiating the tunnel. Therefore, it is best to get both sides of the conversation when you troubleshoot any type of tunnel failure. A detailed guide on how to debug IKEv2 tunnels can be found here: How to debug IKEv2 VPNs
The most common cause of tunnel failures is a connectivity issue. The best way to determine this is to take packet captures on the device.
Use this command to take packet captures on the device:
capture capout interface outside match ip host 172.16.100.10 host 192.168.200.10
Once the capture is in place, try to send traffic over the VPN and check for bi-directional traffic in the packet capture.
Review the packet capture with the command show cap capout.
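A fuller capture set for the connectivity check described above, as an added example that is not part of the original document. Besides the outside capture on the inner host addresses from the guide, it adds a matching capture on the inside interface and a capture of the IKE negotiation itself, so that a one-directional capture can be localised to the LAN side, the crypto path or the peer. It assumes the same hosts (172.16.100.10 locally, 192.168.200.10 remotely) and interface names inside and outside.

```cisco
! Added example (not from the original document). Hosts and interface names assumed.

! IKEv2 negotiation on the outside interface: UDP 500, or UDP 4500 once NAT-T kicks in.
! No packets here at all means the peer is unreachable or IKEv2 is not enabled on outside.
capture ikecap interface outside match udp any any eq 500
capture nattcap interface outside match udp any any eq 4500

! Interesting traffic on both sides of the box. On the outside interface, matching on the
! inner addresses shows the packets before encryption and after decryption.
capture capin interface inside match ip host 172.16.100.10 host 192.168.200.10
capture capout interface outside match ip host 172.16.100.10 host 192.168.200.10

! Generate traffic from the LAN host, then list the captures with their packet counts
show capture

! Review each capture: look for both directions (192.168.200.10 -> 172.16.100.10 replies)
show capture ikecap
show capture capin
show capture capout

! Traffic in capin but not capout: NAT exemption or crypto ACL does not match.
! Traffic in capout outbound only, with IKE SA up: remote side is not returning it.
! Remove the captures when finished so they do not keep consuming memory
no capture ikecap
no capture nattcap
no capture capin
no capture capout
```

Take the same set on the remote peer at the same time: with both sides captured, a packet that leaves one firewall's outside capture and never arrives in the other's is a path problem between the peers, not a VPN configuration problem.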