Posts Cisco FTD Site-to-Site IKEv2
Post
Cancel

Cisco FTD Site-to-Site IKEv2

Posted Jun 14, 2022 2022-06-14T12:15:00+02:00 by Jure Veraja

ftd_s2s_topo

Here we will see how to configure simple Site-to-Site Hub and Spoke IPsec tunnel between Cisco Firepower Threat Defense NGFW and a Router at remote sites. I configure the FTD by using FMC in separate MGMT network.

Difference between IKEv1 and IKEv2

Let’s first clear out some differences between IKEv1 and IKEv2 and mention a few of them.

IKEv2 is a little better and advanced version. While IKEv1 had exchange modes (Main,Aggressive), Aggressive basically reduced the number of messages needed to be sent to establish the VPN (6 messages) while the Main mode was 8 messages. IKEv2 uses only 4 messages in total.

IKEv1 used symmetric authentication, meaning both sides had to use same authentication method.

In IKEv2 you can use different authentication methods.

IKEv1 used lifetimes for SA (security associations) and had to be agreed between peers. IKEv2 doesn’t care anybody can delete SA when they want by exchanging DELETE payload.

In IKEv2 NAT-T and DPD is supported by default, while in IKEv1 it was an extension that you had to define.

IKEv1 is not reliable like IKEv2 because in IKEv2 all messages are defined as Request/Respond pairs and communication is much more defined along with the procedure to delete SA and procedure to retransmit messages.

FTD Configuration:

Interfaces are configured:

ftd_interfaces

After that we’re moving onto the VPN configuration by going to VPN->Site to Site tab.

ftd_endpoints

Here you go to Add VPN and choose the topology for the VPN and IKE version. In this example we’re using Hub and Spoke with IKEv2. Add the HUB node with your OUTSIDE facing interface along with the Protected networks that you want to encrypt and send across the tunnel. You can use ACL for this also, I’ve created an object and used that.

After finishing the HUB nodes, add the SPOKE nodes along with the remote networks that will traverse the tunnel. When choosing devices that are not FTD and are not managed by your FMC, you have to choose external device like it shows in the endpoint example for Site1.

ftd_endpointspoke

After you’re done with the Endpoints tab, move to the IKE tab and configure you’re encryption,hash, DH group along with PRF for IKEv2 policy. I’ve used DES and SHA1 because this FTD version is evaluation and it doesn’t allow strong encryption.

ftd_ike_politika

Next is the IPSEC tab where you also define the policy parameters where it is also chosen DES and SHA1. The rest is left at the default values.

ftd_ipsec_politika

And we’re done with the VPN configuration. One thing you must not forget is how your traffic flow through the FTD and if you have any NAT/ACP rules. We have to allow traffic through the FTD for particular tunnel traffic. So adding the rules in ACP as follows:

ftd_policy

Im not using any NAT in this example. Don’t forget to deploy the configuration.

Router Configuration

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

Site1(config)#crypto ikev2 proposal IKEV2PROPOSAL
Site1(config-ikev2-proposal)#encryption des
Site1(config-ikev2-proposal)# integrity sha1
Site1(config-ikev2-proposal)# group 14
Site1(config-ikev2-proposal)#prf sha1
---------------------------------------------------------------------------
Site1(config)#crypto ikev2 policy IKEV2POLICY 
Site1(config-ikev2-policy)# proposal IKEV2PROPOSAL
------------------------------------------------------------------------------
Site1(config)#crypto ikev2 profile IKEV2PROFILE
Site1(config-ikev2-profile)# match identity remote address 192.90.90.1 255.255.255.255
Site1(config-ikev2-profile)# identity local address 192.91.91.1
Site1(config-ikev2-profile)# authentication local pre-share key cisco
Site1(config-ikev2-profile)# authentication remote pre-share key cisco
----------------------------------------------------------------------------------
Site1(config)#crypto ipsec transform-set TSET esp-des esp-sha-hmac
-----------------------------------------------------------------------------------
Site1(config)#ip access-list extended VPN
Site1(config-ext-nacl)#permit ip 172.16.1.0 0.0.0.255 10.10.1.0 0.0.0.255
-----------------------------------------------------------------------------------
Site1(config)#crypto map CRYMAP 10 ipsec-isakmp 
Site1(config-crypto-map)# set peer 192.90.90.1
Site1(config-crypto-map)# set transform-set TSET 
Site1(config-crypto-map)# set ikev2-profile IKEV2PROFILE
Site1(config-crypto-map)# match address VPN
-----------------------------------------------------------------------------------
Site1(config)#interface GigabitEthernet1
Site1(config-if)# crypto map CRYMAP

Now we initiate traffic from LAN host in 172.16.1.0/24 network:

1
2
3

SITE1-LAN#ping 10.10.1.2  
Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:
.!!!!

IKEv2 SA verification

1
2
3
4
5
6
7
8
9

Site1#show crypto ikev2 sa
 IPv4 Crypto IKEv2  SA 

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
1         192.91.91.1/500       192.90.90.1/500       none/none            READY  
      Encr: DES, PRF: SHA1, Hash: SHA96, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/4 sec

 IPv6 Crypto IKEv2  SA

Thanks for reading!

networking
This post is licensed under CC BY 4.0 by the author.
Contents

DMVPN Phase3 Dual HUB Single Cloud

-