Friday, January 3, 2020

Configuring Cisco FTD Site-to-Site VPN via FDM

For this scenario, I reconfigured the FTD G0/0 Outside Interface under Device > Interface > click Enabled.


Under G0/0 Outside > hover under Actions > Edit (pencil icon).


Select Type: Static 


Type the IP address and Subnet Mask  (200.1.1.1/24) > click OK.


Notice the G0/0 Outside "Static" IP address was displayed


You'll also need to configure routing to reach the remote subnet. To configure a static route in FTD, go to Device > Routing > Create the first static route.


Click the Add (plus icon on the right).


Leave the default Protocol: IPv4 > Gateway > Create New Network.


Type a Name (R1-VPN-PEER) > leave the default Type: Host > type the Host IP (200.1.1.2) > click OK.


Select the newly created Network Object (R1-VPN-PEER).


Under Interface > select outside.


Leave the default Metric: 1 > under Networks > click Add (plus icon) > Create New Network.


Type a Name (R1-LAN) > leave the default Type: Network > type Network: 192.168.2.0/24 > click OK.


Select the newly created Network Object > click OK.


Click OK again to exit.



To configure Site-to-Site VPN on FTD, go to Device > Site to Site VPN > View Configuration.


Click Create Site-to-Site Connection and this will run a setup wizard.


The first step is to Define Endpoints > type a Connection Profile Name (R1-S2S-VPN).


Under Local VPN Access Interface > select outside > type Remote IP Address: 200.1.1.2 > under Local Network > click Add (plus icon) > INSIDE-NET > click OK > under Remote Network > click Add (plus icon) > R1-LAN > click OK.


Click Next.


The second step is to configure Privacy Configuration.


In this case I disabled IKE Version 2 (click/toggle to gray) and enabled IKE Version 1 (click/toggle to blue) > under IKE Policy > Globally applied > click Edit.


Only the SHA-DES-GROUP5-PRE_SHARE is available in FTD Eval mode while stronger encryption such as SHA-AES-GROUP5-PRE_SHARE, SHA-AES192-GROUP5-PRE_SHARE and SHA-AES256-GROUP5-PRE_SHARE are available in Full license mode.

I tried enabling one of the SHA-AES IKEv1 Policy but encountered the error: Usable cryptography types are currently restricted by the licensing status of the device.
 

Under IPSec Proposal > click Edit > click Add (plus icon).


Notice the ESP_SHA_HMAC_ESP_DES-TUNNEL is used in the Default Set > select ESP_SHA_HMAC_ESP_DES-TUNNEL > click OK.

DES is already considered a weak encryption and it's only useful in a lab scenario. It's recommended to use stronger encryption algorithm such AES in a production environment.
 

Type a Pre-Shared Key > skip NAT Exempt and Diffie-Hellman Group (for PFS) > click Next.


Step 3 is a Site-to-Site VPN configuration Summary.


Click Finish.



Click Deployment > Deploy Now.




These are the IKE (Version 1) Phase 1 and Phase 2 policies configured on my Cisco 1921 lab router.


There are no options in the FTD GUI for monitoring IPSec VPN Security Association (SA) in FTD 6.2.3 as of this writing.

This is the Event Connection that triggered the Site-to-Site VPN interesting traffic defined in the crypto ACL.


Under Device, notice a 1 connection under Site to Site VPN. Click View Configuration.


Hover under Actions > Edit.


Notice the Site-to-Site VPN Connectivity from Local Network to Remote Network is established/green.


You can alternatively use FTD CLI commands to view Site-to-Site VPN SA and traffic statistics.

> show running-config crypto
crypto ipsec ikev1 transform-set ESP_SHA_HMAC-ESP_DES-TUNNEL esp-des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map s2sCryptoMap 1 match address |s2sAcl|b203ce56-b98a-11e9-bfd1-438d602ea8c6
crypto map s2sCryptoMap 1 set peer 200.1.1.2
crypto map s2sCryptoMap 1 set ikev1 transform-set ESP_SHA_HMAC-ESP_DES-TUNNEL
crypto map s2sCryptoMap interface outside
crypto ca trustpool policy
crypto ikev2 policy 100
 encryption des
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 160
 authentication pre-share
 encryption des
 hash sha
 group 5
 lifetime 86400


> show isakmp
  |      Output modifiers
  sa     Show ISAKMP sas
  stats  Show IKEv1 and IKEv2 statistics
  <cr>

 > show isakmp

There are no IKEv1 SAs

There are no IKEv2 SAs

Global IKEv1 Statistics
  Active Tunnels:              0
  Previous Tunnels:            0
  In Octets:                   0
  In Packets:                  0
  In Drop Packets:             0
  In Notifys:                  0
  In P2 Exchanges:             0
  In P2 Exchange Invalids:     0
  In P2 Exchange Rejects:      0
  In P2 Sa Delete Requests:    0
  Out Octets:                  0
  Out Packets:                 0
  Out Drop Packets:            0
  Out Notifys:                 0
  Out P2 Exchanges:            0
  Out P2 Exchange Invalids:    0
  Out P2 Exchange Rejects:     0
  Out P2 Sa Delete Requests:   0
  Initiator Tunnels:           0
  Initiator Fails:             0
  Responder Fails:             0
  System Capacity Fails:       0
  Auth Fails:                  0
  Decrypt Fails:               0
  Hash Valid Fails:            0
  No Sa Fails:                 0

IKEV1 Call Admission Statistics
  Max In-Negotiation SAs:                 50
  In-Negotiation SAs:                      0
  In-Negotiation SAs Highwater:            0
  In-Negotiation SAs Rejected:             0

Global IKEv2 Statistics
  Active Tunnels:                          0
  Previous Tunnels:                        0
  In Octets:                               0
  In Packets:                              0
  In Drop Packets:                         0
  In Drop Fragments:                       0
  In Notifys:                              0
  In P2 Exchange:                          0
  In P2 Exchange Invalids:                 0
  In P2 Exchange Rejects:                  0
  In IPSEC Delete:                         0
  In IKE Delete:                           0
  Out Octets:                              0
  Out Packets:                             0
  Out Drop Packets:                        0
  Out Drop Fragments:                      0
  Out Notifys:                             0
  Out P2 Exchange:                         0
  Out P2 Exchange Invalids:                0
  Out P2 Exchange Rejects:                 0
  Out IPSEC Delete:                        0
  Out IKE Delete:                          0
  SAs Locally Initiated:                   0
  SAs Locally Initiated Failed:            0
  SAs Remotely Initiated:                  0
  SAs Remotely Initiated Failed:           0
  System Capacity Failures:                0
  Authentication Failures:                 0
  Decrypt Failures:                        0
  Hash Failures:                           0
  Invalid SPI:                             0
  In Configs:                              0
  Out Configs:                             0
  In Configs Rejects:                      0
  Out Configs Rejects:                     0
  Previous Tunnels:                        0
  Previous Tunnels Wraps:                  0
  In DPD Messages:                         0
  Out DPD Messages:                        0
  Out NAT Keepalives:                      0
  IKE Rekey Locally Initiated:             0
  IKE Rekey Remotely Initiated:            0
  Locally Initiated IKE Rekey Rejected:    0
  Remotely Initiated IKE Rekey Rejected:   0
  CHILD Rekey Locally Initiated:           0
  CHILD Rekey Remotely Initiated:          0

IKEV2 Call Admission Statistics
  Max Active SAs:                   No Limit
  Max In-Negotiation SAs:                500
  Cookie Challenge Threshold:            250
  Active SAs:                              0
  In-Negotiation SAs:                      0
  Incoming Requests:                       0
  Incoming Requests Accepted:              0
  Incoming Requests Rejected:              0
  Outgoing Requests:                       0
  Outgoing Requests Accepted:              0
  Outgoing Requests Rejected:              0
  Rejected Requests:                       0
  Rejected Over Max SA limit:              0
  Rejected Low Resources:                  0
  Rejected Reboot In Progress:             0
  Cookie Challenges:                       0
  Cookie Challenges Passed:                0
  Cookie Challenges Failed:                0

Global IKEv1 IPSec over TCP Statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0


> show isakmp sa

There are no IKEv1 SAs

There are no IKEv2 SAs


> show ipsec
  df-bit         Show IPsec DF policy
  fragmentation  Show IPsec fragmentation policy
  policy         Show IPSec SS-API security policies
  sa             Show IPsec SAs
  stats          Show IPsec global statistics

> show ipsec sa

There are no ipsec sas



> show isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 200.1.1.2
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs


> show ipsec sa
interface: outside
    Crypto map tag: s2sCryptoMap, seq num: 1, local addr: 200.1.1.1

      access-list |s2sAcl|b203ce56-b98a-11e9-bfd1-438d602ea8c6 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 200.1.1.2

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 200.1.1.1/0, remote crypto endpt.: 200.1.1.2/0
      path mtu 1500, ipsec overhead 58(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 381B7529
      current inbound spi : CD70796A

    inbound esp sas:
      spi: 0xCD70796A (3446700394)
         SA State: active
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 1, crypto-map: s2sCryptoMap
         sa timing: remaining key lifetime (kB/sec): (3914999/3581)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000001F
    outbound esp sas:
      spi: 0x381B7529 (941323561)
         SA State: active
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 1, crypto-map: s2sCryptoMap
         sa timing: remaining key lifetime (kB/sec): (3915000/3581)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001


> show isakmp stats

IPsec Global Statistics
-----------------------
Active tunnels: 1
Previous tunnels: 1
Inbound
    Bytes: 400
    Decompressed bytes: 400
    Packets: 4
    Dropped packets: 0
    Replay failures: 0
    Authentications: 4
    Authentication failures: 0
    Decryptions: 4
    Decryption failures: 0
    TFC Packets: 0
    Decapsulated fragments needing reassembly: 0
    Valid ICMP Errors rcvd: 0
    Invalid ICMP Errors rcvd: 0
Outbound
    Bytes: 0
    Uncompressed bytes: 0
    Packets: 0
    Dropped packets: 0
    Authentications: 0
    Authentication failures: 0
    Encryptions: 0
    Encryption failures: 0
    TFC Packets: 0
    Fragmentation successes: 0
        Pre-fragmentation successses: 0
        Post-fragmentation successes: 0
    Fragmentation failures: 0
        Pre-fragmentation failures: 0
        Post-fragmentation failures: 0
    Fragments created: 0
    PMTUs sent: 0
    PMTUs rcvd: 0
Protocol failures: 0
Missing SA failures: 0
System capacity failures: 0
Inbound SA delete requests: 0
Outbound SA delete requests: 0
Inbound SA destroy calls: 0
Outbound SA destroy calls: 0


> show ipsec stats

Global IKEv1 Statistics
  Active Tunnels:              1
  Previous Tunnels:            0
  In Octets:                 936
  In Packets:                  6
  In Drop Packets:             0
  In Notifys:                  1
  In P2 Exchanges:             1
  In P2 Exchange Invalids:     0
  In P2 Exchange Rejects:      0
  In P2 Sa Delete Requests:    0
  Out Octets:                852
  Out Packets:                 5
  Out Drop Packets:            0
  Out Notifys:                 2
  Out P2 Exchanges:            0
  Out P2 Exchange Invalids:    0
  Out P2 Exchange Rejects:     0
  Out P2 Sa Delete Requests:   0
  Initiator Tunnels:           0
  Initiator Fails:             0
  Responder Fails:             0
  System Capacity Fails:       0
  Auth Fails:                  0
  Decrypt Fails:               0
  Hash Valid Fails:            0
  No Sa Fails:                 0

IKEV1 Call Admission Statistics
  Max In-Negotiation SAs:                 50
  In-Negotiation SAs:                      0
  In-Negotiation SAs Highwater:            1
  In-Negotiation SAs Rejected:             0

Global IKEv2 Statistics
  Active Tunnels:                          0
  Previous Tunnels:                        0
  In Octets:                               0
  In Packets:                              0
  In Drop Packets:                         0
  In Drop Fragments:                       0
  In Notifys:                              0
  In P2 Exchange:                          0
  In P2 Exchange Invalids:                 0
  In P2 Exchange Rejects:                  0
  In IPSEC Delete:                         0
  In IKE Delete:                           0
  Out Octets:                              0
  Out Packets:                             0
  Out Drop Packets:                        0
  Out Drop Fragments:                      0
  Out Notifys:                             0
  Out P2 Exchange:                         0
  Out P2 Exchange Invalids:                0
  Out P2 Exchange Rejects:                 0
  Out IPSEC Delete:                        0
  Out IKE Delete:                          0
  SAs Locally Initiated:                   0
  SAs Locally Initiated Failed:            0
  SAs Remotely Initiated:                  0
  SAs Remotely Initiated Failed:           0
  System Capacity Failures:                0
  Authentication Failures:                 0
  Decrypt Failures:                        0
  Hash Failures:                           0
  Invalid SPI:                             0
  In Configs:                              0
  Out Configs:                             0
  In Configs Rejects:                      0
  Out Configs Rejects:                     0
  Previous Tunnels:                        0
  Previous Tunnels Wraps:                  0
  In DPD Messages:                         0
  Out DPD Messages:                        0
  Out NAT Keepalives:                      0
  IKE Rekey Locally Initiated:             0
  IKE Rekey Remotely Initiated:            0
  Locally Initiated IKE Rekey Rejected:    0
  Remotely Initiated IKE Rekey Rejected:   0
  CHILD Rekey Locally Initiated:           0
  CHILD Rekey Remotely Initiated:          0

IKEV2 Call Admission Statistics
  Max Active SAs:                   No Limit
  Max In-Negotiation SAs:                500
  Cookie Challenge Threshold:            250
  Active SAs:                              0
  In-Negotiation SAs:                      0
  Incoming Requests:                       0
  Incoming Requests Accepted:              0
  Incoming Requests Rejected:              0
  Outgoing Requests:                       0
  Outgoing Requests Accepted:              0
  Outgoing Requests Rejected:              0
  Rejected Requests:                       0
  Rejected Over Max SA limit:              0
  Rejected Low Resources:                  0
  Rejected Reboot In Progress:             0
  Cookie Challenges:                       0
  Cookie Challenges Passed:                0
  Cookie Challenges Failed:                0

No comments:

Post a Comment