EMEAR_Security_TAC_2021_IPSec_Site_to_Site_VPNs_on_FTD_Overview.pdf
1.
IPSec Site-to-Site VPNs on FTD: Best Practices and Troubleshooting
Javier Ortega Palacios, Mateusz Grzesiak, Paweł Cecot, Tomasz Kmieć, Wojciech Brzyszcz
EMEAR CX - Kraków, 22 September 2021
2.
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Meet the Team
• Mateusz Grzesiak - Krakow VPN Team Leader
• Wojciech Brzyszcz - Technical Consulting Engineer
• Paweł Cecot - Technical Leader
• Tomasz Kmieć - Technical Consulting Engineer
• Javier Ortega Palacios - Technical Consulting Engineer
3.
Agenda
1 IPSec Site-to-Site VPNs on FTD Overview
2 IPSec Site-to-Site VPNs on FTD and 3rd Party Cloud Integration
3 Troubleshooting IPSec Site-to-Site VPNs on FTD
4 Integration with IOS-XE multi-SA VTI
5.
Site-to-site IPSec VPNs on Firepower Threat Defense
• A site-to-site IPSec VPN securely connects networks in different geographic locations.
• Site-to-site tunnels are built using the Internet Protocol Security (IPsec) protocol suite and IKEv1 or IKEv2.
• You can create site-to-site IPsec connections between managed devices, and between managed devices and other Cisco or third-party peers that comply with all relevant standards.
• These peers can have any mix of inside and outside IPv4 and IPv6 addresses.
(Diagram: FTD <- IPSec VPN over IPv4/IPv6 -> FTD / Cisco / 3rd-party / Cloud)
6.
Supported IPSec Site-to-Site VPNs on FTD
• Policy Based (Crypto Map)
  - Point to Point
  - Hub and Spoke (Dynamic Crypto Map)
  - Full Mesh
• Route Based (VTI)
  - Point to Point
    • Static Routing
    • BGP
7.
Policy-based IPSec VPN
Policy-based VPN encrypts and encapsulates traffic according to a defined policy (ACL).
(Diagram: LAN -> Inside Interface -> Forwarding Engine -> Outside Interface -> WAN; the exit interface is determined by NAT or routing, and encryption is applied by the Crypto Map when the packet matches the crypto ACL.)
access-list VPN permit ip 10.20.10.0/24 10.10.10.0/24
access-list VPN permit ip 10.20.10.0/24 10.10.20.0/24
access-list VPN permit ip 10.20.10.0/24 10.10.30.0/24
Crypto Map VPN is down by default. The tunnel is formed only if there is interesting traffic.
8.
Route-based IPSec VPN
Route-based VPN makes use of a virtual interface; whatever traffic is sent through that interface gets encrypted (according to the routing information).
(Diagram: LAN -> Inside Interface -> Forwarding Engine (overlay) -> Tunnel1 (VTI) -> Encryption -> Forwarding Engine (underlay) -> Outside Interface -> WAN. The next hop of each route is the IP address of the remote end's VTI.)
route Tunnel1 10.10.10.0 255.255.255.0 169.254.100.2
route Tunnel1 10.10.20.0 255.255.255.0 169.254.100.2
route Tunnel1 10.10.30.0 255.255.255.0 169.254.100.2
VTI VPN is up by default.
9.
FTD VTI Benefits
• Crypto Map based VPNs require tracking of all remote subnets and including them in the crypto ACL.
• For VTI with BGP all the changes are automatically propagated.
• VTI interface can be configured as part of a Security Zone:
  - Advantage to easily classify and/or differentiate VPN traffic from clear text traffic.
  - Ability to provide access-control for VPN traffic across different tunnels.
(Diagram: Site A LAN 10.10.10.0/24, 10.20.20.0/24, 10.130.130.0/24 and newly added 10.220.220.0/24; Site B LAN 192.168.10.0/24 and 192.168.20.0/24. Adding a subnet at Site A requires matching crypto ACL entries on both sides.)
Site A crypto ACL:
permit ip 10.10.10.0/24 192.168.10.0/24
permit ip 10.10.10.0/24 192.168.20.0/24
permit ip 10.20.20.0/24 192.168.10.0/24
permit ip 10.20.20.0/24 192.168.20.0/24
permit ip 10.130.130.0/24 192.168.10.0/24
permit ip 10.130.130.0/24 192.168.20.0/24
permit ip 10.220.220.0/24 192.168.10.0/24
permit ip 10.220.220.0/24 192.168.20.0/24
Site B crypto ACL (the last line is the misconfiguration highlighted on the slide):
permit ip 192.168.10.0/24 10.10.10.0/24
permit ip 192.168.20.0/24 10.10.10.0/24
permit ip 192.168.10.0/24 10.20.20.0/24
permit ip 192.168.20.0/24 10.20.20.0/24
permit ip 192.168.10.0/24 10.130.130.0/24
permit ip 192.168.20.0/24 10.130.130.0/24
permit ip 192.168.10.0/24 10.220.220.0/24
permit ip 192.168.20.0/24 10.220.220.0/23
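The mirror-image requirement on the two crypto ACLs is easy to check mechanically before deploying. The Python script below is an added example, not from the deck and not Cisco tooling: it parses `permit ip <src> <dst>` entries from both peers' crypto ACLs (the sample data is constructed to reproduce the Site A / Site B entries on the slide, including the /23 mistake) and reports every entry that has no exact mirror on the other side. A proxy-ID mismatch of this kind otherwise only surfaces as a traffic-selector failure during IKE negotiation, which is far more expensive to diagnose than a config diff.

```python
import ipaddress

# Constructed sample crypto ACLs modelled on the slide's Site A / Site B example.
# Site B's last entry carries the /23 misconfiguration the slide points at.
SITE_A_ACL = """
permit ip 10.10.10.0/24 192.168.10.0/24
permit ip 10.10.10.0/24 192.168.20.0/24
permit ip 10.20.20.0/24 192.168.10.0/24
permit ip 10.20.20.0/24 192.168.20.0/24
permit ip 10.130.130.0/24 192.168.10.0/24
permit ip 10.130.130.0/24 192.168.20.0/24
permit ip 10.220.220.0/24 192.168.10.0/24
permit ip 10.220.220.0/24 192.168.20.0/24
"""

SITE_B_ACL = """
permit ip 192.168.10.0/24 10.10.10.0/24
permit ip 192.168.20.0/24 10.10.10.0/24
permit ip 192.168.10.0/24 10.20.20.0/24
permit ip 192.168.20.0/24 10.20.20.0/24
permit ip 192.168.10.0/24 10.130.130.0/24
permit ip 192.168.20.0/24 10.130.130.0/24
permit ip 192.168.10.0/24 10.220.220.0/24
permit ip 192.168.20.0/24 10.220.220.0/23
"""


def parse_crypto_acl(text):
    """Return a set of (source_net, dest_net) pairs from 'permit ip S D' entries.

    Accepts both bare 'permit ip S D' lines and the longer
    'access-list NAME permit ip S D' form by locating the 'permit' keyword.
    """
    entries = set()
    for line in text.splitlines():
        parts = line.split()
        if "permit" not in parts:
            continue
        i = parts.index("permit")
        if parts[i + 1:i + 2] != ["ip"] or len(parts) < i + 4:
            continue
        src = ipaddress.ip_network(parts[i + 2], strict=False)
        dst = ipaddress.ip_network(parts[i + 3], strict=False)
        entries.add((src, dst))
    return entries


def find_mismatches(local_acl, remote_acl):
    """Every local (S, D) must appear on the remote peer as exactly (D, S).

    Returns two lists: local entries with no mirror on the remote side, and
    remote entries (already mirrored into local orientation) with no match
    locally. Both empty means the crypto ACLs are consistent.
    """
    local = parse_crypto_acl(local_acl)
    remote = parse_crypto_acl(remote_acl)
    mirrored_remote = {(d, s) for (s, d) in remote}
    missing_on_remote = sorted(local - mirrored_remote, key=str)
    missing_on_local = sorted(mirrored_remote - local, key=str)
    return missing_on_remote, missing_on_local


if __name__ == "__main__":
    missing_remote, missing_local = find_mismatches(SITE_A_ACL, SITE_B_ACL)
    for src, dst in missing_remote:
        print(f"Site A entry {src} -> {dst} has no mirror at Site B")
    for src, dst in missing_local:
        print(f"Site B entry {dst} -> {src} has no mirror at Site A")
```

Run against the sample, the script reports the single pair that differs (10.220.220.0/24 at Site A versus 10.220.220.0/23 at Site B) and nothing else; with the /23 corrected to /24 both lists come back empty. Because networks are compared after normalisation with `ipaddress`, prefix-length and mask-notation differences are caught rather than hidden by string comparison.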
10.
IPSec Site-to-Site VPN Licensing & Ciphers
11.
VPN Licensing - Strong Encryption
• There is no specific licensing for enabling Firepower Threat Defense IPSec Site-to-Site VPN; it is available by default.
• If you are using the evaluation license, or you did not enable export-controlled functionality, you cannot use strong encryption. If the checkbox is not selected, strong crypto (i.e. encryption algorithms stronger than DES) will not be available.
12.
Upgrade from evaluation to smart license with export-controlled functionality
• The tunnel will continue to work; however, on the first deploy we will get an error. Check and update your encryption algorithms for stronger encryption and for the VPNs to work properly. DES based encryption is no longer supported on 6.7+.
13.
Encryption/Hashing/DH Algorithms Selection
• The following less secure ciphers have been removed or deprecated in FTD 6.7 onwards:
  - Diffie-Hellman groups: 2, 5, and 24 (Group 5 is considered insecure and deprecated in FTD 6.7 and will be removed in a later version).
  - Encryption algorithms: DES, 3DES, AES-GMAC, AES-GMAC-192, AES-GMAC-256. DES continues to be supported (and is the only option) for users who do not satisfy export controls or use evaluation mode.
  - Hash algorithms: MD5.
14.
FMC - algorithm pre-check before upgrade to FTD 6.7+
• On 6.5 and 6.6 when using deprecated ciphers: (screenshot of the FMC warning)
• Upgrade to 6.7 and higher will be blocked unless supported ciphers are used: (screenshot of the blocked upgrade check)
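A pre-upgrade check of the kind the previous two slides describe can also be scripted against a device's running configuration, which is useful when auditing many peers or third-party-managed endpoints that FMC does not inspect. The Python below is an added example (not Cisco's pre-check and not from the deck): it walks `crypto ikev1 policy`, `crypto ikev2 policy` and `crypto ipsec ikev2 ipsec-proposal` blocks of a constructed ASA/FTD-style configuration fragment and flags the algorithms listed as removed or deprecated in 6.7 (DH groups 2, 5 and 24; DES, 3DES and the AES-GMAC variants; MD5). The export-control exception that keeps DES available in evaluation mode is outside its scope; it reports DES like any other deprecated cipher.

```python
# Algorithms the deck lists as removed or deprecated from FTD 6.7 onwards.
DEPRECATED_DH_GROUPS = {"2", "5", "24"}
DEPRECATED_ENCRYPTION = {"des", "3des", "aes-gmac", "aes-gmac-192", "aes-gmac-256"}
DEPRECATED_HASHES = {"md5"}

# Constructed sample configuration fragment in ASA/FTD CLI syntax (not from the deck).
# Policy 20 is clean; the other three blocks each carry something deprecated.
SAMPLE_CONFIG = """\
crypto ikev2 policy 10
 encryption aes-256 3des
 integrity sha256 md5
 group 14 5
 prf sha256
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes-gcm-256
 integrity null
 group 19
 prf sha256
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
crypto ipsec ikev2 ipsec-proposal CSM_IP_2
 protocol esp encryption aes-256 des
 protocol esp integrity sha-256
"""


def find_deprecated_ciphers(config):
    """Return a list of (block, keyword, algorithm) for every deprecated value found.

    Top-level 'crypto ...' lines open a block; indented lines belong to it.
    Lines outside a crypto block are ignored.
    """
    findings = []
    block = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):
            block = line.strip() if line.startswith("crypto ") else None
            continue
        if block is None:
            continue
        tokens = line.split()
        # IPsec proposals nest the keyword after "protocol esp".
        if tokens[:2] == ["protocol", "esp"]:
            tokens = tokens[2:]
        keyword, values = tokens[0], tokens[1:]
        if keyword == "encryption":
            bad = [v for v in values if v in DEPRECATED_ENCRYPTION]
        elif keyword in ("integrity", "hash", "prf"):
            bad = [v for v in values if v in DEPRECATED_HASHES]
        elif keyword == "group":
            bad = [v for v in values if v in DEPRECATED_DH_GROUPS]
        else:
            bad = []
        findings.extend((block, keyword, v) for v in bad)
    return findings


def upgrade_allowed(config):
    """True when no deprecated algorithm remains, mirroring the FMC upgrade gate."""
    return not find_deprecated_ciphers(config)


if __name__ == "__main__":
    for block, keyword, algo in find_deprecated_ciphers(SAMPLE_CONFIG):
        print(f"{block}: {keyword} {algo} is deprecated in FTD 6.7+")
    print("upgrade allowed:", upgrade_allowed(SAMPLE_CONFIG))
```

On the sample the script produces seven findings (3DES, MD5 and group 5 in IKEv2 policy 10; 3DES, MD5 and group 2 in the IKEv1 policy; DES in the IPsec proposal) and reports that the upgrade would be blocked. Note that a policy listing several values on one line, such as `group 14 5`, is flagged even though a strong option is present, because the deprecated value can still be negotiated by a peer that offers it.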
15.
Configuration Caveats
16.
FTD Packet Processing - VPN
• NAT is performed before encryption.
• Permitting traffic in the prefilter policy will bypass the Snort engine completely.
• same-security-traffic permit intra-interface is implicitly enabled (hairpinning capable).
17.
Site-to-Site VPN Configuration
18.
Guided Configuration Workflows - FMC
(Screenshots of the FMC site-to-site VPN wizard)
19.
(Screenshots of the FMC site-to-site VPN wizard, continued)
20.
Next step, routing...
21.
Common IPSec VPN configuration problems
• For managed VPN endpoints (FMC) many configuration problems such as pre-shared key mismatch, algorithm mismatch and crypto ACL mismatch are not seen anymore.
• Common configuration problems that still exist, or configuration that is missed:
  - Access Control Policy
  - NAT
  - Routing
22.
Access Control Policy for VPN Traffic
• Ensure the protected networks are allowed by the access control policy of each device.
• We need to permit the VPN traffic in both directions (unless sysopt permit-vpn is used for incoming traffic).
• This is also the place in which we can be more granular in terms of what traffic is allowed.
• If a backup VTI is used, ensure the backup tunnel is included in the same security zone as the primary VTI.
23.
NAT Exempt / Static Identity NAT
• It is common that LAN traffic is subject to dynamic address translation.
• Because NAT is performed before encryption, usually we need to exempt the VPN traffic.
nat (in,out) source dynamic LAN1 interface
nat (in,out) source static LAN1 LAN1 destination static LAN2 LAN2 no-proxy-arp route-lookup
24.
Routing - Crypto Map Reverse Route Injection (RRI)
• For Crypto Map the RRI is enabled by default.
• The routing entry is in the table independent of the tunnel status:
FTD1# sh route
(...)
V        192.168.2.0 255.255.255.0 connected by VPN (advertised), outside
crypto map CSM_outside_map 1 match address CSM_IPSEC_ACL_1
crypto map CSM_outside_map 1 set peer 10.0.0.200
crypto map CSM_outside_map 1 set ikev2 ipsec-proposal CSM_IP_2
crypto map CSM_outside_map 1 set reverse-route
crypto map CSM_outside_map interface outside
25.
Routing - Crypto Map Dynamic RRI
• Since 6.7 we can enable Dynamic RRI.
• The prefix will be placed in the routing table only if the tunnel is up.
crypto map CSM_outside_map 1 match address CSM_IPSEC_ACL_1
crypto map CSM_outside_map 1 set peer 10.0.0.200
crypto map CSM_outside_map 1 set ikev2 ipsec-proposal CSM_IP_2
crypto map CSM_outside_map 1 set reverse-route dynamic
crypto map CSM_outside_map interface outside
FTD1# debug rri 7
debug rri enabled at level 7
FTD1# RRI Routing Info(6): RRI route DB add for Interface:outside, Nw:192.168.2.0/255.255.255.0 PeerIP:10.0.0.200 (advertise) Dynamic
RRI Routing Notify(5): Added route to table id:0 Interface:outside Nw:192.168.2.0/255.255.255.0 PeerIP:10.0.0.200 (advertise) Dynamic
FTD1# sh route
(...)
V        192.168.2.0 255.255.255.0 connected by VPN (advertised), outside
26.
Routing - VTI
• Static Routing
  - Configure static routing on both devices (both ends) to route the traffic flow between the devices over the VTI tunnel.
  - If a backup tunnel is configured for the VPN, configure a static route with a different metric to handle the failover of the traffic flow over the backup tunnel.
• BGP Dynamic Routing
  - IPv6 BGP is not supported over VTI.
(Diagram: the static route's next hop is the IP address of the remote end's VTI.)
27.
IPSec Site-to-Site VPN Redundancy
28.
Designing Fault-Tolerant IPSec VPNs
• The design depends on what faults the VPN needs to be able to withstand.
• From the fault-tolerance perspective, the design can be broken down into:
  - Transport Network: connectivity between IPSec Gateways
  - Access Link: link/device that connects the IPSec gateway to the Transport Network
  - IPSec Gateway
(Diagram: VPN Peer <- Access Link -> Transport Network <- Access Link -> VPN Peer)
29.
High Availability Options - Failover
• Stateful IPSec failover
• Both control plane and data plane are replicated.
(Diagram: FTD Active / FTD Standby pair; covers IPSec Gateway failure)
31.
High Availability Options - Single FTD, Dual ISP
(Diagram: one FTD with ISP1 and ISP2 uplinks; either a Crypto Map on both interfaces or VTI1 over ISP1 and VTI2 over ISP2; covers ISP failure)
32.
High Availability Options - FTD, Dual ISP, Crypto Map
(Diagram: FTD with ISP1 and ISP2 towards a VPN Peer, which can be a failover pair)
• Only one tunnel can be up at a time
• SLA tracking
• Slow convergence
• https://www.cisco.com/c/en/us/support/docs/security-vpn/security-vpn/216709-configure-failover-for-ipsec-site-to-sit.html
• CSCuy65371 - unable to configure crypto map on multiple interfaces. Workaround: configure an additional topology with the same settings but a different interface.
33.
High Availability Options - dual ISP at both ends, VTI
(Diagram: FTD-Left (192.168.1.0/24, can be a failover pair) and FTD-Right (192.168.2.0/24, can be a failover pair), each connected to ISP A and ISP B via the Internet. Tunnel1 over ISP A: 10.1.1.1/30 <-> 10.1.1.2/30. Tunnel2 over ISP B: 10.1.2.1/30 <-> 10.1.2.2/30.)
• Configure a static route with a different metric to handle the failover of the traffic flow over the backup tunnel.
34.
Backup VTI - ISP backup at only one peer
(Diagram: FTD-Left (192.168.1.0/24, can be a failover pair) with ISP A and ISP B; FTD-Right (192.168.2.0/24, can be a failover pair) with a single ISP; VTI tunnels across the Internet.)
35.
FTD Site-Site IPSec VPN Scalability
• Scalability should be considered from the "hub" perspective.
• Static crypto map and VTI do not scale well.
• Dynamic crypto map scales better, however:
  - The scale is defined by a single platform's limits.
  - It is a policy based VPN solution with all the drawbacks.
  - HA is limited and slow in terms of convergence.
For large scale, use IOS/IOS-XE routers at the "hub" location: DMVPN / FlexVPN.
(Diagram: Spoke -> SLB -> Hub1 / Hub2 / Hub3)
36.
IPSec Site-to-Site VPN Feature Availability
37.
Site-to-Site IPSec VPN feature support
Feature                                                                              | FTD Version
Backup virtual tunnel interfaces (VTI) for route-based site-to-site VPN (not FDM)    | 7.0
Enhance the number of VTI from 100 per interface to 1024 per device                  | 7.0
IPv6 Support (not FDM)                                                               | 7.0
Removal and deprecation of weak ciphers                                              | 6.7
Dynamic RRI support                                                                  | 6.7
Virtual Tunnel Interface (VTI) and route-based site-to-site VPN                      | 6.7
Backup peer for site-to-site VPN (not FDM)                                           | 6.6
Deprecated support for less secure DH groups, and encryption and hash algorithms     | 6.6
38.
Key Takeaways
• Route Based (VTI) VPN allows for easier traffic classification and control and is less prone to errors compared to Policy Based (Crypto Map).
• Common configuration problems:
  - Access Control Policy
  - NAT
  - Routing
• Assess the need for redundancy and always test it.