Javier Ortega Palacios, Mateusz Grzesiak, Paweł Cecot, Tomasz Kmieć, Wojciech Brzyszcz
EMEAR CX - Kraków
22 September 2021
IPSec Site-to-Site VPNs on FTD
Best Practices and Troubleshooting
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Meet the Team
• Mateusz Grzesiak – Krakow VPN Team Leader
• Wojciech Brzyszcz – Technical Consulting Engineer
• Paweł Cecot – Technical Leader
• Tomasz Kmieć – Technical Consulting Engineer
• Javier Ortega Palacios – Technical Consulting Engineer
Agenda
1. IPSec Site-to-Site VPNs on FTD Overview
2. IPSec Site-to-Site VPNs on FTD and 3rd Party Cloud Integration
3. Troubleshooting IPSec Site-to-Site VPNs on FTD
4. Integration with IOS-XE multi-SA VTI
Site-to-site IPSec VPNs on Firepower Threat Defense
• A site-to-site IPSec VPN securely connects networks in different geographic locations.
• Site-to-site tunnels are built using the Internet Protocol Security (IPsec) protocol suite and IKEv1 or IKEv2.
• You can create site-to-site IPsec connections between managed devices, and between managed devices and other Cisco or third-party peers that comply with all relevant standards.
• These peers can have any mix of inside and outside IPv4 and IPv6 addresses.
[Diagram: FTD connected over an IPv4/IPv6 IPSec VPN to an FTD, Cisco, 3rd-party or cloud peer]
Supported IPSec Site-to-Site VPNs on FTD
• Policy Based (Crypto Map)
  - Point to Point
  - Hub and Spoke (Dynamic Crypto Map)
  - Full Mesh
• Route Based (VTI)
  - Point to Point
    • Static Routing
    • BGP
Policy-based IPSec VPN
Policy-based VPN – encrypts and encapsulates traffic according to a defined policy (ACL).
[Diagram: LAN -> Inside Interface -> Forwarding Engine -> Encryption -> Outside Interface -> WAN. The forwarding decision is determined by NAT or routing; encryption applies to traffic matching the crypto ACL:]
access-list VPN permit ip 10.20.10.0/24 10.10.10.0/24
access-list VPN permit ip 10.20.10.0/24 10.10.20.0/24
access-list VPN permit ip 10.20.10.0/24 10.10.30.0/24
Crypto Map VPN is down by default. The tunnel is formed only if there is interesting traffic.
Route-based IPSec VPN
Route-based VPN – makes use of a virtual interface; whatever traffic is sent through that interface gets encrypted (according to the routing information).
[Diagram: LAN -> Inside Interface -> Forwarding Engine (overlay) -> Tunnel1 (VTI) -> Encryption -> Forwarding Engine (underlay) -> Outside Interface -> WAN. The static routes point at the IP address of the remote end's VTI:]
route Tunnel1 10.10.10.0 255.255.255.0 169.254.100.2
route Tunnel1 10.10.20.0 255.255.255.0 169.254.100.2
route Tunnel1 10.10.30.0 255.255.255.0 169.254.100.2
VTI VPN is up by default.
FTD VTI Benefits
• Crypto Map based VPNs require tracking of all remote subnets and including them in the crypto ACL.
• For VTI with BGP all the changes are automatically propagated.
• VTI interface can be configured as part of a Security Zone:
  - Advantage to easily classify and/or differentiate VPN traffic from clear text traffic.
  - Ability to provide access-control for VPN traffic across different tunnels.
[Diagram: Site A LAN 10.10.10.0/24, 10.20.20.0/24, 10.130.130.0/24 and 10.220.220.0/24 (new subnet added); Site B LAN 192.168.10.0/24 and 192.168.20.0/24. Every new subnet has to be added to the crypto ACL on both sites.]
Site A crypto ACL:
permit ip 10.10.10.0/24 192.168.10.0/24
permit ip 10.10.10.0/24 192.168.20.0/24
permit ip 10.20.20.0/24 192.168.10.0/24
permit ip 10.20.20.0/24 192.168.20.0/24
permit ip 10.130.130.0/24 192.168.10.0/24
permit ip 10.130.130.0/24 192.168.20.0/24
permit ip 10.220.220.0/24 192.168.10.0/24
permit ip 10.220.220.0/24 192.168.20.0/24
Site B crypto ACL (labelled "Misconfiguration" on the slide; note the /23 in the last entry):
permit ip 192.168.10.0/24 10.10.10.0/24
permit ip 192.168.20.0/24 10.10.10.0/24
permit ip 192.168.10.0/24 10.20.20.0/24
permit ip 192.168.20.0/24 10.20.20.0/24
permit ip 192.168.10.0/24 10.130.130.0/24
permit ip 192.168.20.0/24 10.130.130.0/24
permit ip 192.168.10.0/24 10.220.220.0/24
permit ip 192.168.20.0/24 10.220.220.0/23
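To catch the crypto ACL drift shown on the slide before it stops a proxy-ID pair from negotiating, here is an added check script (not part of the deck and not a Cisco tool) that parses both sites' permit ip lines and reports every entry that has no exact mirror on the other side; the ACL text is copied from the slide and embedded as constructed input.

```python
"""Check that two peers' crypto ACLs mirror each other.

Added example, not from the original deck. It parses 'permit ip SRC DST'
lines from both sites and reports each entry without an exact mirror
(DST/SRC swapped) on the other side. Overlapping but different prefixes
(such as the /23 typo on Site B) count as mismatches because the proxy IDs
offered by the two peers would not agree.
"""
import ipaddress
import re

# Constructed sample input: the two crypto ACLs from the slide.
SITE_A_ACL = """
permit ip 10.10.10.0/24 192.168.10.0/24
permit ip 10.10.10.0/24 192.168.20.0/24
permit ip 10.20.20.0/24 192.168.10.0/24
permit ip 10.20.20.0/24 192.168.20.0/24
permit ip 10.130.130.0/24 192.168.10.0/24
permit ip 10.130.130.0/24 192.168.20.0/24
permit ip 10.220.220.0/24 192.168.10.0/24
permit ip 10.220.220.0/24 192.168.20.0/24
"""

SITE_B_ACL = """
permit ip 192.168.10.0/24 10.10.10.0/24
permit ip 192.168.20.0/24 10.10.10.0/24
permit ip 192.168.10.0/24 10.20.20.0/24
permit ip 192.168.20.0/24 10.20.20.0/24
permit ip 192.168.10.0/24 10.130.130.0/24
permit ip 192.168.20.0/24 10.130.130.0/24
permit ip 192.168.10.0/24 10.220.220.0/24
permit ip 192.168.20.0/24 10.220.220.0/23
"""

ACE_RE = re.compile(r"^\s*permit\s+ip\s+(\S+)\s+(\S+)\s*$")


def parse_acl(text):
    """Return a set of (src_network, dst_network) pairs from 'permit ip' lines."""
    pairs = set()
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # skip blank lines and anything that is not a permit ip ACE
        # strict=False tolerates host bits set in a mistyped prefix length
        src = ipaddress.ip_network(m.group(1), strict=False)
        dst = ipaddress.ip_network(m.group(2), strict=False)
        pairs.add((src, dst))
    return pairs


def find_mismatches(local_acl, remote_acl):
    """Return (local_unmatched, remote_unmatched) lists of (src, dst) pairs.

    An entry (src, dst) on one side is matched only by the exact mirror
    (dst, src) on the other side.
    """
    local = parse_acl(local_acl)
    remote = parse_acl(remote_acl)
    local_unmatched = sorted(local - {(d, s) for s, d in remote}, key=str)
    remote_unmatched = sorted(remote - {(d, s) for s, d in local}, key=str)
    return local_unmatched, remote_unmatched


def report(local_acl, remote_acl):
    """Human-readable mismatch lines; an empty list means the ACLs mirror."""
    lines = []
    local_only, remote_only = find_mismatches(local_acl, remote_acl)
    for src, dst in local_only:
        lines.append(f"Site A entry {src} -> {dst} has no mirror on Site B")
    for src, dst in remote_only:
        lines.append(f"Site B entry {src} -> {dst} has no mirror on Site A")
    return lines


if __name__ == "__main__":
    for line in report(SITE_A_ACL, SITE_B_ACL) or ["crypto ACLs mirror each other"]:
        print(line)
```

Run against the slide's ACLs it flags exactly one entry on each side: Site A's 10.220.220.0/24 -> 192.168.20.0/24 and Site B's 192.168.20.0/24 -> 10.220.220.0/23.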
IPSec Site-to-Site VPN Licensing & Ciphers
VPN Licensing – Strong Encryption
• There is no specific licensing for enabling Firepower Threat Defense IPSec Site-to-Site VPN; it is available by default.
• If you are using the evaluation license, or you did not enable export-controlled functionality, you cannot use strong encryption.
If the export-controlled functionality checkbox is not selected, strong crypto (i.e. encryption algorithms stronger than DES) will not be available.
Upgrade from evaluation to smart license with export-controlled functionality
• The tunnel will continue to work, however on first deploy we will get an error:
Check and update your encryption algorithms for stronger encryption and for the VPNs to work properly. DES based encryptions are no longer supported on 6.7+.
Encryption/Hashing/DH Algorithms Selection
• The following less secure ciphers have been removed or deprecated in FTD 6.7 onwards:
  - Diffie-Hellman groups: 2, 5, and 24 (Group 5 is considered insecure and deprecated in FTD 6.7 and will be removed in a later version).
  - Encryption algorithms: DES, 3DES, AES-GMAC, AES-GMAC-192, AES-GMAC-256. DES continues to be supported (and is the only option) for users who do not satisfy export controls or use evaluation mode.
  - Hash algorithms: MD5.
FMC – algorithm pre-check before upgrade to FTD 6.7+
• On 6.5 and 6.6 when using deprecated ciphers, FMC shows a warning.
• Upgrade to 6.7 and higher will be blocked unless supported ciphers are used.
Configuration Caveats
FTD Packet Processing – VPN
• NAT is performed before encryption.
• Permitting traffic in prefilter policy will bypass Snort engine completely.
• same-security-traffic permit intra-interface implicitly enabled (hairpinning capable).
Site-to-Site VPN Configuration
Guided Configuration Workflows - FMC
Next step, routing…
Common IPSec VPN configuration problems
• For managed VPN endpoints (FMC) many configuration problems, such as pre-shared key mismatch, algorithm mismatch or crypto ACL mismatch, are no longer seen.
• Common configuration problems that still exist, or configuration that is missed:
  - Access Control Policy
  - NAT
  - Routing
Access Control Policy for VPN Traffic
• Ensure the protected networks are allowed by the access control policy of each device.
• We need to permit the VPN traffic in both directions (unless sysopt permit-vpn is used for incoming traffic).
• This is also the place in which we can be more granular in terms of what traffic is allowed.
• If backup VTI is used, ensure to include the backup tunnel in the same security zone as that of the primary VTI.
NAT Exempt / Static Identity NAT
• It is common that LAN traffic is subject to dynamic address translation:
nat (in,out) source dynamic LAN1 interface
• Because NAT is performed before encryption, usually we need to exempt the VPN traffic:
nat (in,out) source static LAN1 LAN1 destination static LAN2 LAN2 no-proxy-arp route-lookup
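Added example, not from the deck: a small Python model of the first-match NAT lookup followed by the crypto ACL match, fed with the two nat rules above. The object contents (LAN1 = 192.168.1.0/24, LAN2 = 192.168.2.0/24), the outside interface address 10.0.0.100 and the crypto ACL are assumptions chosen for the demo.

```python
"""Model of the FTD order of operations: NAT first, then the crypto ACL match.

Added example, not from the deck. LAN1/LAN2 contents, the outside interface
address and the crypto ACL are assumptions chosen for this demo; the two
'nat (in,out) ...' rules are the ones quoted on the slide. Manual (twice)
NAT rules are evaluated top down, first match wins, so rule order matters.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed object contents and the outside ('interface') PAT address.
OBJECTS = {
    "LAN1": ipaddress.ip_network("192.168.1.0/24"),
    "LAN2": ipaddress.ip_network("192.168.2.0/24"),
}
OUTSIDE_IP = "10.0.0.100"
# Assumed crypto ACL: protect LAN1 -> LAN2 (source network, destination network).
CRYPTO_ACL = [(OBJECTS["LAN1"], OBJECTS["LAN2"])]


@dataclass
class NatRule:
    src_obj: str
    dst_obj: Optional[str]  # None: the rule does not match on destination
    identity: bool          # True: static identity (NAT exempt); False: dynamic PAT

    def matches(self, src, dst):
        if src not in OBJECTS[self.src_obj]:
            return False
        return self.dst_obj is None or dst in OBJECTS[self.dst_obj]


def parse_nat(line):
    """Parse the two rule shapes used on the slide into a NatRule."""
    tok = line.split()
    # nat (in,out) source dynamic LAN1 interface
    if tok[3] == "dynamic":
        return NatRule(src_obj=tok[4], dst_obj=None, identity=False)
    # nat (in,out) source static LAN1 LAN1 destination static LAN2 LAN2 ...
    if tok[3] == "static" and tok[4] == tok[5] and tok[8] == tok[9]:
        return NatRule(src_obj=tok[4], dst_obj=tok[8], identity=True)
    raise ValueError(f"unsupported rule: {line}")


def apply_nat(rules, src_ip, dst_ip):
    """Return the post-NAT (src, dst) as strings; the first matching rule wins."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.matches(src, dst):
            return (src_ip, dst_ip) if rule.identity else (OUTSIDE_IP, dst_ip)
    return src_ip, dst_ip


def will_be_encrypted(rules, src_ip, dst_ip):
    """NAT runs first, so the translated packet is what the crypto ACL sees."""
    nat_src, nat_dst = apply_nat(rules, src_ip, dst_ip)
    s, d = ipaddress.ip_address(nat_src), ipaddress.ip_address(nat_dst)
    return any(s in net_s and d in net_d for net_s, net_d in CRYPTO_ACL)


# Only the dynamic PAT rule: VPN-bound traffic is PATed to the outside address
# and no longer matches the crypto ACL, so it leaves in clear text.
RULES_PAT_ONLY = [parse_nat("nat (in,out) source dynamic LAN1 interface")]
# NAT exempt rule placed above the PAT rule, as on the slide.
RULES_WITH_EXEMPT = [
    parse_nat("nat (in,out) source static LAN1 LAN1 destination static LAN2 LAN2 "
              "no-proxy-arp route-lookup"),
    parse_nat("nat (in,out) source dynamic LAN1 interface"),
]

if __name__ == "__main__":
    for name, rules in (("PAT only", RULES_PAT_ONLY), ("with NAT exempt", RULES_WITH_EXEMPT)):
        print(name, apply_nat(rules, "192.168.1.10", "192.168.2.20"),
              "encrypted:", will_be_encrypted(rules, "192.168.1.10", "192.168.2.20"))
```

Reversing the order of the two rules reproduces a common mistake: the PAT rule matches first and the exempt rule never fires.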
Routing – Crypto Map Reverse Route Injection (RRI)
• For Crypto Map the RRI is enabled by default.
• The routing entry is in the table independent from the tunnel status:
FTD1# sh route
(…)
V 192.168.2.0 255.255.255.0 connected by VPN (advertised), outside
crypto map CSM_outside_map 1 match address CSM_IPSEC_ACL_1
crypto map CSM_outside_map 1 set peer 10.0.0.200
crypto map CSM_outside_map 1 set ikev2 ipsec-proposal CSM_IP_2
crypto map CSM_outside_map 1 set reverse-route
crypto map CSM_outside_map interface outside
Routing – Crypto Map Dynamic RRI
• Since 6.7 we can enable Dynamic RRI.
• The prefix will be placed in the routing table only if the tunnel is up.
crypto map CSM_outside_map 1 match address CSM_IPSEC_ACL_1
crypto map CSM_outside_map 1 set peer 10.0.0.200
crypto map CSM_outside_map 1 set ikev2 ipsec-proposal CSM_IP_2
crypto map CSM_outside_map 1 set reverse-route dynamic
crypto map CSM_outside_map interface outside
FTD1# debug rri 7
debug rri enabled at level 7
FTD1#
RRI Routing Info(6): RRI route DB add for Interface:outside, Nw:192.168.2.0/255.255.255.0 PeerIP:10.0.0.200 (advertise) Dynamic
RRI Routing Notify(5): Added route to table id:0 Interface:outside Nw:192.168.2.0/255.255.255.0 PeerIP:10.0.0.200 (advertise) Dynamic
FTD1# sh route
(…)
V 192.168.2.0 255.255.255.0 connected by VPN (advertised), outside
Routing – VTI
• Static Routing
  - Configure static routing on both the devices (both the ends) to route the traffic flow between the devices over the VTI tunnel.
  - If backup tunnel is configured for the VPN, configure a static route with a different metric to handle the failover of the traffic flow over the backup tunnel.
• BGP Dynamic Routing
  - IPv6 BGP is not supported over VTI.
[Static route screenshot: the gateway is the IP address of the remote end's VTI]
IPSec Site-to-Site VPN Redundancy
Designing Fault-Tolerant IPSec VPNs
• The design depends on what faults the VPN needs to be able to withstand.
• From the fault-tolerance perspective, the design can be broken down into:
  - Transport Network – connectivity between IPSec Gateways
  - Access Link – link/device that connects the IPSec gateway to the Transport Network
  - IPSec Gateway
[Diagram: VPN Peer <- Access Link -> Transport Network <- Access Link -> VPN Peer]
High Availability Options – Failover
• Stateful IPSec failover
• Both control plane and data plane are replicated.
[Diagram: FTD - Active / FTD - Standby failover pair; covers IPSec Gateway failure]
High Availability Options – Single FTD, Dual ISP
[Diagram: one FTD connected to ISP1 and ISP2, shown once with VTI1/VTI2 (route based) and once with a Crypto Map; covers ISP failure]
High Availability Options – FTD, Dual ISP (Crypto Map)
[Diagram: FTD with ISP1 and ISP2 links to a VPN Peer (can be a failover pair)]
• Only one tunnel can be up at a time
• SLA tracking
• Slow convergence
• https://www.cisco.com/c/en/us/support/docs/security-vpn/security-vpn/216709-configure-failover-for-ipsec-site-to-sit.html
• CSCuy65371 – unable to configure crypto map on multiple interfaces. Workaround: configure an additional topology with the same settings but a different interface.
High Availability Options – dual ISP at both ends (VTI)
[Diagram: FTD-Left (192.168.1.0/24, can be a failover pair) and FTD-Right (192.168.2.0/24, can be a failover pair), each connected to ISP A and ISP B across the Internet:
Tunnel1 (over ISP A): 10.1.1.1/30 <-> 10.1.1.2/30
Tunnel2 (over ISP B): 10.1.2.1/30 <-> 10.1.2.2/30]
• Configure a static route with a different metric to handle the failover of the traffic flow over the backup tunnel.
Backup VTI – ISP backup at only one peer (VTI)
[Diagram: FTD-Left (192.168.1.0/24, can be a failover pair) connected to ISP A and ISP B; FTD-Right (192.168.2.0/24, can be a failover pair) connected to a single ISP; both reach each other across the Internet]
FTD Site-Site IPSec VPN Scalability
• Scalability should be considered from the “hub” perspective.
• Static crypto map and VTI do not scale well.
• Dynamic crypto map scales better, however:
  - The scale is defined by a single platform's limits.
  - It is a policy based VPN solution with all the drawbacks.
  - HA is limited and slow in terms of convergence.
For large scale, use IOS/IOS-XE routers at the “hub” location: DMVPN / FlexVPN.
[Diagram: Spokes connecting to Hub1, Hub2 and Hub3 behind an SLB]
IPSec Site-to-Site VPN Feature Availability
Site-to-Site IPSec VPN feature support
Feature                                                                              FTD Version
Backup virtual tunnel interfaces (VTI) for route-based site-to-site VPN (not FDM)    7.0
Enhance the number of VTI from 100 per interface to 1024 per device                  7.0
IPv6 Support (not FDM)                                                               7.0
Removal and deprecation of weak ciphers                                              6.7
Dynamic RRI support                                                                  6.7
Virtual Tunnel Interface (VTI) and route-based site-to-site VPN                      6.7
Backup peer for site-to-site VPN (not FDM)                                           6.6
Deprecated support for less secure DH groups, and encryption and hash algorithms     6.6
Key Takeaways
• Route Based (VTI) VPN allows for easier traffic classification and control and is less prone to errors compared to Policy Based (Crypto Map).
• Common configuration problems:
  - Access Control Policy
  - NAT
  - Routing
• Assess the need for redundancy and always test it.

EMEAR_Security_TAC_2021_IPSec_Site_to_Site_VPNs_on_FTD_Overview.pdf

  • 1. Javier Ortega Palacios, Mateusz Grzesiak, Paweł Cecot, Tomasz Kmieć, Wojciech Brzyszcz EMEAR CX - Kraków 22 September 2021 IPSec Site-to-Site VPNs on FTD Best Practices and Troubleshooting
  • 2. 2 © 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Meet the Team Mateusz Grzesiak Krakow VPN Team Leader Wojciech Brzyszcz Technical Consulting Engineer Paweł Cecot Technical Leader Tomasz Kmieć Technical Consulting Engineer Javier Ortega Palacios Technical Consulting Engineer
  • 3. Agenda IPSec Site-to-Site VPNs on FTD Overview 2 IPSec Site-to-Site VPNs on FTD and 3rd Party Cloud Integration 3 Troubleshooting IPSec Site-to-Site VPNs on FTD 4 Integration with IOS-XE multi-SA VTI 1
  • 4. Agenda IPSec Site-to-Site VPNs on FTD Overview 2 IPSec Site-to-Site VPNs on FTD and 3rd Party Cloud Integration 3 Troubleshooting IPSec Site-to-Site VPNs on FTD 4 Integration with IOS-XE multi-SA VTI 1
  • 5. Site-to-site IPSec VPNs on Firepower Threat Defense
    • A site-to-site IPSec VPN securely connects networks in different geographic locations.
    • Site-to-site tunnels are built using the Internet Protocol Security (IPsec) protocol suite and IKEv1 or IKEv2.
    • You can create site-to-site IPsec connections between managed devices, and between managed devices and other Cisco or third-party peers that comply with all relevant standards.
    • These peers can have any mix of inside and outside IPv4 and IPv6 addresses.
    [Diagram: FTD <-> IPSec VPN <-> FTD / Cisco / 3rd-party / Cloud peer, IPv4/IPv6]
  • 6. Supported IPSec Site-to-Site VPNs on FTD
    • Policy Based (Crypto Map)
      - Point to Point
      - Hub and Spoke (Dynamic Crypto Map)
      - Full Mesh
    • Route Based (VTI)
      - Point to Point
        • Static Routing
        • BGP
  • 7. Policy-based IPSec VPN
    Policy-based VPN – encrypts and encapsulates traffic according to a defined policy (ACL).
    [Diagram: LAN -> Inside Interface -> Forwarding Engine -> Encryption (Crypto Map) -> Outside Interface -> WAN; the egress interface is determined by NAT or routing]
      access-list VPN permit ip 10.20.10.0/24 10.10.10.0/24
      access-list VPN permit ip 10.20.10.0/24 10.10.20.0/24
      access-list VPN permit ip 10.20.10.0/24 10.10.30.0/24
    Crypto Map VPN is down by default. The tunnel is formed only if there is interesting traffic.
  • 8. Route-based IPSec VPN
    Route-based VPN – makes use of a virtual interface; whatever traffic is sent through that interface gets encrypted (according to the routing information).
    [Diagram: LAN -> Inside Interface -> Forwarding Engine -> Tunnel1 (VTI, overlay) -> Encryption -> Forwarding Engine -> Outside Interface (underlay) -> WAN]
      route Tunnel1 10.10.10.0 255.255.255.0 169.254.100.2
      route Tunnel1 10.10.20.0 255.255.255.0 169.254.100.2
      route Tunnel1 10.10.30.0 255.255.255.0 169.254.100.2
    (169.254.100.2 is the IP address of the remote end's VTI.)
    VTI VPN is up by default.
  • 9. FTD VTI Benefits
    • Crypto Map based VPNs require tracking of all remote subnets and including them in the crypto ACL.
    • For VTI with BGP all the changes are automatically propagated.
    • VTI interface can be configured as part of a Security Zone:
      - Advantage to easily classify and/or differentiate VPN traffic from clear text traffic.
      - Ability to provide access-control for VPN traffic across different tunnels.
    [Diagram: Site A LAN 10.10.10.0/24, 10.20.20.0/24, 10.130.130.0/24, 10.220.220.0/24 (new subnet added); Site B LAN 192.168.10.0/24, 192.168.20.0/24]
    Site A crypto ACL:
      permit ip 10.10.10.0/24 192.168.10.0/24
      permit ip 10.10.10.0/24 192.168.20.0/24
      permit ip 10.20.20.0/24 192.168.10.0/24
      permit ip 10.20.20.0/24 192.168.20.0/24
      permit ip 10.130.130.0/24 192.168.10.0/24
      permit ip 10.130.130.0/24 192.168.20.0/24
      permit ip 10.220.220.0/24 192.168.10.0/24
      permit ip 10.220.220.0/24 192.168.20.0/24
    Site B crypto ACL:
      permit ip 192.168.10.0/24 10.10.10.0/24
      permit ip 192.168.20.0/24 10.10.10.0/24
      permit ip 192.168.10.0/24 10.20.20.0/24
      permit ip 192.168.20.0/24 10.20.20.0/24
      permit ip 192.168.10.0/24 10.130.130.0/24
      permit ip 192.168.20.0/24 10.130.130.0/24
      permit ip 192.168.10.0/24 10.220.220.0/24
      permit ip 192.168.20.0/24 10.220.220.0/23   <- Misconfiguration
    Every time a subnet is added at one site, both crypto ACLs must be extended and each new entry must be the exact mirror of its counterpart. The /23 in Site B's last entry (instead of /24) is the misconfiguration the slide highlights: it no longer mirrors Site A's entry, so the proxy identities for that pair do not match.
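An added example, not part of the Cisco deck: a small Python check that two crypto ACLs mirror each other, run over constructed copies of the Site A / Site B ACLs shown on the slide above. The function names, the sample ACL text and the "src -> dst" output format are this example's own choices; it also accepts the "access-list NAME extended permit ip A.B.C.D M.M.M.M ..." form that FMC deploys, which the slide does not show.

```python
import ipaddress
from typing import List, Set, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]

# Constructed sample crypto ACLs modelled on the Site A / Site B slide. The last
# Site B entry carries the /23 typo that the slide labels "Misconfiguration".
SITE_A_CRYPTO_ACL = """
permit ip 10.10.10.0/24 192.168.10.0/24
permit ip 10.10.10.0/24 192.168.20.0/24
permit ip 10.20.20.0/24 192.168.10.0/24
permit ip 10.20.20.0/24 192.168.20.0/24
permit ip 10.130.130.0/24 192.168.10.0/24
permit ip 10.130.130.0/24 192.168.20.0/24
permit ip 10.220.220.0/24 192.168.10.0/24
permit ip 10.220.220.0/24 192.168.20.0/24
"""

SITE_B_CRYPTO_ACL = """
permit ip 192.168.10.0/24 10.10.10.0/24
permit ip 192.168.20.0/24 10.10.10.0/24
permit ip 192.168.10.0/24 10.20.20.0/24
permit ip 192.168.20.0/24 10.20.20.0/24
permit ip 192.168.10.0/24 10.130.130.0/24
permit ip 192.168.20.0/24 10.130.130.0/24
permit ip 192.168.10.0/24 10.220.220.0/24
permit ip 192.168.20.0/24 10.220.220.0/23
"""


def parse_crypto_acl(text: str) -> Set[Pair]:
    """Parse 'permit ip SRC DST' entries into (src, dst) network pairs.

    Accepts the CIDR form used on the slide and the
    'access-list NAME extended permit ip A.B.C.D M.M.M.M A.B.C.D M.M.M.M'
    form that FMC deploys. strict=True makes ip_network reject an entry whose
    host bits are set (e.g. 10.220.220.1/24), another common typo.
    """
    pairs: Set[Pair] = set()
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "access-list":            # strip "access-list NAME extended"
            tokens = tokens[3:]
        if tokens[:2] != ["permit", "ip"]:
            raise ValueError(f"only 'permit ip' ACEs are handled: {raw.strip()!r}")
        body = tokens[2:]
        if len(body) == 2:                        # SRC/len DST/len
            src, dst = body
        elif len(body) == 4:                      # SRC MASK DST MASK
            src, dst = f"{body[0]}/{body[1]}", f"{body[2]}/{body[3]}"
        else:
            raise ValueError(f"unrecognised ACE: {raw.strip()!r}")
        pairs.add((ipaddress.ip_network(src, strict=True),
                   ipaddress.ip_network(dst, strict=True)))
    return pairs


def mirrored(pairs: Set[Pair]) -> Set[Pair]:
    """The entries the peer must carry: every (src, dst) reversed."""
    return {(dst, src) for src, dst in pairs}


def fmt(pairs: Set[Pair]) -> List[str]:
    return sorted(f"{src} -> {dst}" for src, dst in pairs)


def compare_crypto_acls(local_acl: str, remote_acl: str) -> Tuple[List[str], List[str]]:
    """Return (local entries with no mirror on the remote,
               remote entries with no mirror on the local side).

    Each list shows the entries as written on the device that has them.
    Both lists empty means the two crypto ACLs are exact mirrors.
    """
    local = parse_crypto_acl(local_acl)
    remote = parse_crypto_acl(remote_acl)
    return fmt(local - mirrored(remote)), fmt(remote - mirrored(local))


if __name__ == "__main__":
    missing_on_b, missing_on_a = compare_crypto_acls(SITE_A_CRYPTO_ACL, SITE_B_CRYPTO_ACL)
    print("Site A entries with no mirror on Site B:", missing_on_b)
    print("Site B entries with no mirror on Site A:", missing_on_a)
```

Run against the two sample ACLs it reports exactly one entry on each side: Site A's "10.220.220.0/24 -> 192.168.20.0/24" and Site B's "192.168.20.0/24 -> 10.220.220.0/23". Fix the /23 and both lists come back empty. The check is purely static; it says nothing about whether the peer's IKE proposals or pre-shared key match, only that the traffic selectors do.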
  • 11. VPN Licensing – Strong Encryption
    • There is no specific licensing for enabling Firepower Threat Defense IPSec Site-to-Site VPN; it is available by default.
    • If you are using the evaluation license, or you did not enable export-controlled functionality, you cannot use strong encryption. If the checkbox is not selected, strong crypto (i.e. encryption algorithms stronger than DES) will not be available.
  • 12. Upgrade from evaluation to smart license with export-controlled functionality
    • The tunnel will continue to work, however on first deploy we will get an error. Check and update your encryption algorithms for stronger encryption and for the VPNs to work properly. Once export-controlled functionality is enabled, DES based encryption is no longer supported on 6.7+.
  • 13. Encryption/Hashing/DH Algorithms Selection
    • The following less secure ciphers have been removed or deprecated in FTD 6.7 onwards:
      - Diffie-Hellman groups: 2, 5, and 24 (Group 5 is considered insecure and deprecated in FTD 6.7 and will be removed in a later version).
      - Encryption algorithms: DES, 3DES, AES-GMAC, AES-GMAC-192, AES-GMAC-256. DES continues to be supported (and is the only option) for users who do not satisfy export controls or use evaluation mode.
      - Hash algorithms: MD5.
  • 14. FMC – algorithm pre-check before upgrade to FTD 6.7+
    • On 6.5 and 6.6 when using deprecated ciphers: [screenshot]
    • Upgrade to 6.7 and higher will be blocked unless supported ciphers are used: [screenshot]
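An added example, not from the deck: a pre-upgrade audit of an ASA/FTD-style running config for the algorithms that slide 13 lists as removed in 6.7. The sample config, the block names (CSM_IP_2, LEGACY) and the DEPRECATED table are constructed for this example, and the audit is this editor's, not the FMC pre-check itself. It goes one step beyond a simple grep: it distinguishes a block that merely loses one of several options from a block that would be left with no usable algorithm at all, which is the one you must rewrite before upgrading.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Algorithms slide 13 lists as removed or deprecated from FTD 6.7 onwards,
# keyed by the config keyword they appear under.
DEPRECATED: Dict[str, set] = {
    "encryption": {"des", "3des", "aes-gmac", "aes-gmac-192", "aes-gmac-256"},
    "integrity": {"md5"},   # IKEv2 policy and IPsec proposal keyword
    "hash": {"md5"},        # IKEv1 policy keyword
    "prf": {"md5"},
    "group": {"2", "5", "24"},
}

# Constructed sample in ASA/FTD running-config syntax; not taken from the deck.
SAMPLE_CONFIG = """
crypto ikev2 policy 1
 encryption aes-256 3des
 integrity sha256 md5
 group 14 5
 prf sha256
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption des
 integrity sha
 group 2
 prf sha
crypto ipsec ikev2 ipsec-proposal CSM_IP_2
 protocol esp encryption aes-gcm-256
 protocol esp integrity sha-256
crypto ipsec ikev2 ipsec-proposal LEGACY
 protocol esp encryption 3des
 protocol esp integrity md5
"""

# Blocks whose indented attribute lines are audited.
BLOCK_RE = re.compile(
    r"^crypto\s+(?:ikev[12]\s+policy\s+\d+|ipsec\s+ikev2\s+ipsec-proposal\s+\S+)$"
)
# Attribute line inside a block; IPsec proposals prefix theirs with "protocol esp".
ATTR_RE = re.compile(r"^(?:protocol\s+esp\s+)?(encryption|integrity|hash|prf|group)\s+(.+)$")

# (keyword, deprecated algorithm, True if removing it leaves the keyword with no algorithm)
Finding = Tuple[str, str, bool]


def audit_crypto_config(config: str) -> Dict[str, List[Finding]]:
    """Map each offending crypto block to the deprecated algorithms it still references."""
    findings: Dict[str, List[Finding]] = defaultdict(list)
    block = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if BLOCK_RE.match(line):
            block = line
            continue
        if not raw.startswith(" "):       # any other top-level command closes the block
            block = None
            continue
        m = ATTR_RE.match(line)
        if block is None or not m:
            continue
        keyword, algorithms = m.group(1), m.group(2).split()
        bad = [a for a in algorithms if a.lower() in DEPRECATED.get(keyword, set())]
        left_with_nothing = len(bad) == len(algorithms)
        for algorithm in bad:
            findings[block].append((keyword, algorithm, left_with_nothing))
    return dict(findings)


def upgrade_blocked(config: str) -> bool:
    """Mirrors the pre-check rule on the slide: any deprecated algorithm anywhere blocks the upgrade."""
    return bool(audit_crypto_config(config))


def blocks_left_unusable(config: str) -> List[str]:
    """Blocks that must be rewritten rather than trimmed: dropping the deprecated
    entries would leave a keyword with no algorithm at all."""
    return sorted(name for name, items in audit_crypto_config(config).items()
                  if any(left for _, _, left in items))


if __name__ == "__main__":
    for name, items in audit_crypto_config(SAMPLE_CONFIG).items():
        print(name)
        for keyword, algorithm, left in items:
            print(f"  {keyword} {algorithm}" + ("  (nothing left after removal)" if left else ""))
    print("upgrade blocked:", upgrade_blocked(SAMPLE_CONFIG))
```

On the sample, policy 1 is only trimmed (it keeps aes-256, sha256 and group 14), while policy 20 and the LEGACY proposal come back from blocks_left_unusable because every algorithm they name is on the removal list. Feed it the output of "show running-config crypto" from the FTD CLI; IKEv1 transform-sets, which are written on one line, are not parsed by this version.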
  • 16. FTD Packet Processing – VPN
    • NAT is performed before encryption.
    • Traffic given the Fastpath action in the prefilter policy bypasses the Snort engine completely.
    • same-security-traffic permit intra-interface is implicitly enabled (hairpinning capable).
  • 17. Site-to-Site VPN Configuration
  • 18. Guided Configuration Workflows - FMC [screenshot]
  • 19. [screenshot only]
  • 20. Next step, routing… [screenshot]
  • 21. Common IPSec VPN configuration problems
    • For managed VPN endpoints (FMC) many configuration problems such as pre-shared key mismatch, algorithms mismatch, crypto ACL mismatch are not seen anymore.
    • Common configuration problems that still exist, or configuration that is often missed:
      - Access Control Policy
      - NAT
      - Routing
  • 22. Access Control Policy for VPN Traffic
    • Ensure the protected networks are allowed by the access control policy of each device.
    • We need to permit the VPN traffic in both directions (unless sysopt permit-vpn is used for incoming traffic).
    • This is also the place in which we can be more granular in terms of what traffic is allowed.
    • If a backup VTI is used, ensure the backup tunnel is in the same security zone as the primary VTI.
  • 23. NAT Exempt / Static Identity NAT
    • It is common that LAN traffic is subject to dynamic address translation.
    • Because NAT is performed before encryption, we usually need to exempt the VPN traffic from that translation with a static identity NAT rule. The identity rule must be evaluated before the dynamic rule (in FMC, place it above the dynamic rule when both are manual NAT rules).
      Existing dynamic PAT rule:
        nat (in,out) source dynamic LAN1 interface
      NAT exempt rule for the VPN traffic:
        nat (in,out) source static LAN1 LAN1 destination static LAN2 LAN2 no-proxy-arp route-lookup
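An added example, not part of the deck: a small model of NAT section 1 (manual NAT, top-down, first match wins) used to show why the order of the two nat commands above matters when NAT runs before the crypto ACL match. The subnets are the ones from slide 7; the outside address 198.51.100.1, the rule lists and the helper names are constructed for this example. It does not model auto NAT (section 2) or after-auto manual NAT (section 3); if the dynamic PAT is an auto NAT rule, a manual identity rule in section 1 always wins regardless of order.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class NatRule:
    """A manual (twice) NAT rule as it sits in NAT section 1.

    identity=True  models 'source static X X destination static Y Y' (NAT exempt).
    identity=False models 'source dynamic X interface' (PAT to the egress interface).
    """
    src_ifc: str
    dst_ifc: str
    src: Net
    dst: Optional[Net]      # None = any destination
    identity: bool

    def to_cli(self, src_obj: str, dst_obj: str = "any") -> str:
        if self.identity:
            return (f"nat ({self.src_ifc},{self.dst_ifc}) source static {src_obj} {src_obj} "
                    f"destination static {dst_obj} {dst_obj} no-proxy-arp route-lookup")
        return f"nat ({self.src_ifc},{self.dst_ifc}) source dynamic {src_obj} interface"


def first_matching_rule(rules: List[NatRule], src_ifc: str, dst_ifc: str,
                        src_ip: Addr, dst_ip: Addr) -> Optional[NatRule]:
    """Section 1 is evaluated top-down and the first match wins."""
    for rule in rules:
        if (rule.src_ifc, rule.dst_ifc) != (src_ifc, dst_ifc):
            continue
        if src_ip not in rule.src:
            continue
        if rule.dst is not None and dst_ip not in rule.dst:
            continue
        return rule
    return None


def post_nat_source(rules: List[NatRule], src_ifc: str, dst_ifc: str,
                    src_ip: Addr, dst_ip: Addr, egress_ip: Addr) -> Addr:
    """Source address the crypto map will see: unchanged unless a dynamic rule matched first."""
    rule = first_matching_rule(rules, src_ifc, dst_ifc, src_ip, dst_ip)
    if rule is None or rule.identity:
        return src_ip
    return egress_ip


def will_be_encrypted(rules: List[NatRule], crypto_acl, src_ip: Addr, dst_ip: Addr,
                      egress_ip: Addr, src_ifc: str = "in", dst_ifc: str = "out") -> bool:
    """NAT runs before the crypto ACL match, so the post-NAT packet must match the ACL."""
    new_src = post_nat_source(rules, src_ifc, dst_ifc, src_ip, dst_ip, egress_ip)
    return any(new_src in s and dst_ip in d for s, d in crypto_acl)


# Constructed scenario reusing the slide's subnets; the outside address is made up.
LAN1 = Net("10.20.10.0/24")
LAN2 = Net("10.10.10.0/24")
OUTSIDE_IP = Addr("198.51.100.1")
CRYPTO_ACL = [(LAN1, LAN2)]        # access-list VPN permit ip 10.20.10.0/24 10.10.10.0/24

PAT_ONLY = [NatRule("in", "out", LAN1, None, identity=False)]
EXEMPT_FIRST = [NatRule("in", "out", LAN1, LAN2, identity=True),
                NatRule("in", "out", LAN1, None, identity=False)]
EXEMPT_LAST = list(reversed(EXEMPT_FIRST))   # same two rules, wrong order

HOST, PEER_HOST, INTERNET_HOST = Addr("10.20.10.5"), Addr("10.10.10.7"), Addr("203.0.113.9")

if __name__ == "__main__":
    for label, rules in [("PAT only", PAT_ONLY), ("exempt above PAT", EXEMPT_FIRST),
                         ("exempt below PAT", EXEMPT_LAST)]:
        enc = will_be_encrypted(rules, CRYPTO_ACL, HOST, PEER_HOST, OUTSIDE_IP)
        print(f"{label:18s}: VPN flow encrypted = {enc}")
    print(EXEMPT_FIRST[0].to_cli("LAN1", "LAN2"))
```

Only the "exempt above PAT" list lets 10.20.10.5 -> 10.10.10.7 reach the crypto map untranslated; with PAT alone, or with the identity rule below the PAT rule, the source becomes 198.51.100.1 and no longer matches the crypto ACL, so the packet leaves in the clear. Internet-bound traffic from the same host is still translated in every case. On a real FTD the equivalent check is "packet-tracer input in tcp 10.20.10.5 12345 10.10.10.7 443", whose NAT and VPN phases show the same decision.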
  • 24. Routing – Crypto Map Reverse Route Injection (RRI)
    • For Crypto Map, RRI is enabled by default.
    • The routing entry is in the table independent of the tunnel status:
      FTD1# sh route
      (…)
      V 192.168.2.0 255.255.255.0 connected by VPN (advertised), outside
      crypto map CSM_outside_map 1 match address CSM_IPSEC_ACL_1
      crypto map CSM_outside_map 1 set peer 10.0.0.200
      crypto map CSM_outside_map 1 set ikev2 ipsec-proposal CSM_IP_2
      crypto map CSM_outside_map 1 set reverse-route
      crypto map CSM_outside_map interface outside
  • 25. Routing – Crypto Map Dynamic RRI
    • Since 6.7 we can enable Dynamic RRI.
    • The prefix will be placed in the routing table only if the tunnel is up.
      crypto map CSM_outside_map 1 match address CSM_IPSEC_ACL_1
      crypto map CSM_outside_map 1 set peer 10.0.0.200
      crypto map CSM_outside_map 1 set ikev2 ipsec-proposal CSM_IP_2
      crypto map CSM_outside_map 1 set reverse-route dynamic
      crypto map CSM_outside_map interface outside
      FTD1# debug rri 7
      debug rri enabled at level 7
      FTD1# RRI Routing Info(6): RRI route DB add for Interface:outside, Nw:192.168.2.0/255.255.255.0 PeerIP:10.0.0.200 (advertise) Dynamic
      RRI Routing Notify(5): Added route to table id:0 Interface:outside Nw:192.168.2.0/255.255.255.0 PeerIP:10.0.0.200 (advertise) Dynamic
      FTD1# sh route
      (…)
      V 192.168.2.0 255.255.255.0 connected by VPN (advertised), outside
  • 26. Routing – VTI
    • Static Routing
      - Configure static routing on both devices (both ends) to route the traffic flow between the devices over the VTI tunnel.
      - If a backup tunnel is configured for the VPN, configure a static route with a different metric to handle the failover of the traffic flow over the backup tunnel.
    • BGP Dynamic Routing
      - IPv6 BGP is not supported over VTI.
    [screenshot: static route whose gateway is the IP address of the remote end's VTI]
  • 28. Designing Fault-Tolerant IPSec VPNs
    • The design depends on what faults the VPN needs to be able to withstand.
    • From the fault-tolerance perspective, the design can be broken down into:
      - Transport Network – connectivity between IPSec Gateways
      - Access Link – link/device that connects the IPSec gateway to the Transport Network
      - IPSec Gateway
    [Diagram: VPN Peer <-> VPN Peer]
  • 29. High Availability Options – Failover
    • Stateful IPSec failover
    • Both control plane and data plane are replicated.
    [Diagram: FTD - Active / FTD - Standby; IPSec Gateway failure scenario]
  • 31. High Availability Options – Single FTD, Dual ISP
    [Diagram: one FTD connected to ISP1 and ISP2, either with two VTIs (VTI1 over ISP1, VTI2 over ISP2) or with a crypto map; ISP failure scenario]
  • 32. High Availability Options – FTD, Dual ISP Crypto Map
    [Diagram: FTD with ISP1 and ISP2 uplinks to a VPN Peer (can be a failover pair)]
    • Only one tunnel can be up at a time
    • SLA tracking
    • Slow convergence
    • https://www.cisco.com/c/en/us/support/docs/security-vpn/security-vpn/216709-configure-failover-for-ipsec-site-to-sit.html
    • CSCuy65371 – unable to configure crypto map on multiple interfaces. Workaround: configure an additional topology with the same settings but a different interface.
  • 33. High Availability Options – dual ISP at both ends (VTI)
    [Diagram: FTD-Left (LAN 192.168.1.0/24, can be a failover pair) and FTD-Right (LAN 192.168.2.0/24, can be a failover pair), each connected to ISP A and ISP B across the Internet; Tunnel1 over ISP A: 10.1.1.1/30 <-> 10.1.1.2/30; Tunnel2 over ISP B: 10.1.2.1/30 <-> 10.1.2.2/30]
    • Configure a static route with a different metric to handle the failover of the traffic flow over the backup tunnel.
  • 34. Backup VTI – ISP backup at only one peer
    [Diagram: FTD-Left (LAN 192.168.1.0/24, can be a failover pair) with ISP A and ISP B uplinks; FTD-Right (LAN 192.168.2.0/24, can be a failover pair) with a single ISP; VTI across the Internet]
  • 35. FTD Site-Site IPSec VPN Scalability
    • Scalability should be considered from the “hub” perspective.
    • Static crypto map and VTI do not scale well.
    • Dynamic crypto map scales better, however:
      - The scale is defined by a single platform's limits.
      - It is a policy based VPN solution with all the drawbacks.
      - HA is limited and slow in terms of convergence.
    For large scale, use IOS/IOS-XE routers at the “hub” location: DMVPN / FlexVPN.
    [Diagram: Spoke -> SLB -> Hub1 / Hub2 / Hub3]
  • 37. Site-to-Site IPSec VPN feature support
    Feature                                                                            FTD Version
    Backup virtual tunnel interfaces (VTI) for route-based site-to-site VPN (not FDM)  7.0
    Enhance the number of VTI from 100 per interface to 1024 per device                7.0
    IPv6 Support (not FDM)                                                             7.0
    Removal and deprecation of weak ciphers                                            6.7
    Dynamic RRI support                                                                6.7
    Virtual Tunnel Interface (VTI) and route-based site-to-site VPN                    6.7
    Backup peer for site-to-site VPN (not FDM)                                         6.6
    Deprecated support for less secure DH groups, and encryption and hash algorithms   6.6
  • 38. Key Takeaways
    • Route Based (VTI) VPN allows for easier traffic classification and control and is less prone to errors compared to Policy Based (Crypto Map).
    • Common configuration problems:
      - Access Control Policy
      - NAT
      - Routing
    • Assess the need for redundancy and always test it.