Simplified Networking

Site to Site VPN - IOS Router to FTDv with Crypto Map and PSK




R3
crypto isakmp policy 9
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key cisco123 address 0.0.0.0
!
crypto ipsec transform-set IKEV1_TSET_DES_MD5 esp-des esp-md5-hmac
 mode tunnel
!
crypto map CMAP 30 ipsec-isakmp
 set peer 111.0.0.11
 set transform-set IKEV1_TSET_DES_MD5
 match address VPN_TO_SW3
!
ip access-list extended VPN_TO_SW3
 permit ip 10.1.0.0 0.0.255.255 10.3.11.0 0.0.0.255



FTD relevant configuration - this must be configured through the FMC GUI, not the CLI; the lines below are what ends up on the device after deployment

crypto ikev1 enable outside
!
crypto ikev1 policy 1
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
!
crypto ipsec ikev1 transform-set CSM_TS_1 esp-des esp-md5-hmac
!
access-list SW4_TO_VPN extended permit object-group ProxySG_ExtendedACL_4294971437 object SW3_NETWORK object HQ_SUBNETS log
!
object network SW3_NETWORK
 subnet 10.3.11.0 255.255.255.0
object network HQ_SUBNETS
 subnet 10.1.0.0 255.255.0.0
!
crypto map CSM_outside_map 1 match address SW4_TO_VPN
crypto map CSM_outside_map 1 set peer 103.0.0.3
crypto map CSM_outside_map 1 set ikev1 transform-set CSM_TS_1
crypto map CSM_outside_map 1 set reverse-route
crypto map CSM_outside_map interface outside
Navigate to Devices > VPN > Site to Site, then click the + and add an FTD VPN.
Name it appropriately, define the topology, and choose the IKE version to use.
Next, the endpoints need to be added.
Add the first endpoint, the local device.
Add the second endpoint, the remote device.
On the IKE tab, you'll have to define the PSK and the Phase 1 policy.
The evaluation license only seems to allow older and weaker algorithms, so I created a policy. The parameters used are listed in the CLI section, with fewer screenshots... do you blame me?
The same logic applies to the Phase 2 portion; the attributes used are listed above.
The finished configuration looks like this; all that remains is to deploy it.
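As an added check, not part of the original post or of any Cisco tool: this Python script embeds the R3 and FTD crypto lines from this page as constructed strings, flags the weak settings the evaluation license forced (DES, MD5, DH group 2) together with the wildcard PSK address on R3, and confirms that the IOS crypto ACL and the FTD object pair are exact mirrors, which is what Phase 2 proxy IDs require to match. The function names are my own.

```python
import ipaddress
import re
# Constructed sample: the R3 (IOS) and FTD crypto lines shown on this page, as strings.
IOS_CFG = """crypto isakmp policy 9
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 0.0.0.0
crypto ipsec transform-set IKEV1_TSET_DES_MD5 esp-des esp-md5-hmac
ip access-list extended VPN_TO_SW3
 permit ip 10.1.0.0 0.0.255.255 10.3.11.0 0.0.0.255
"""
FTD_CFG = """crypto ikev1 policy 1
 authentication pre-share
 encryption des
 hash md5
 group 2
crypto ipsec ikev1 transform-set CSM_TS_1 esp-des esp-md5-hmac
access-list SW4_TO_VPN extended permit object-group ProxySG_ExtendedACL_4294971437 object SW3_NETWORK object HQ_SUBNETS log
object network SW3_NETWORK
 subnet 10.3.11.0 255.255.255.0
object network HQ_SUBNETS
 subnet 10.1.0.0 255.255.0.0
"""
# Pattern -> finding. \b keeps "des" from matching "3des" and "group 2" from "group 24";
# "address 0.0.0.0" accepts the PSK from any peer address, not only 111.0.0.11.
WEAK = {r"\bdes\b": "single DES", r"\bmd5\b": "MD5",
        r"\bgroup 2\b": "DH group 2 (1024-bit)",
        r"crypto isakmp key \S+ address 0\.0\.0\.0": "wildcard PSK (any peer)"}
def weak_findings(cfg):
    # Set of weak settings present anywhere in cfg
    return {name for pat, name in WEAK.items() if re.search(pat, cfg)}

def wildcard_to_net(addr, wildcard):
    """IOS ACLs use wildcard masks; invert each octet to get a subnet mask."""
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ipaddress.ip_network(f"{addr}/{mask}")

def ios_proxy_ids(cfg):
    """(local, remote) networks from the crypto ACL's permit line."""
    src, swc, dst, dwc = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", cfg).groups()
    return wildcard_to_net(src, swc), wildcard_to_net(dst, dwc)

def ftd_proxy_ids(cfg):
    """(local, remote) networks, resolving the object names used in the crypto ACL."""
    objs = dict(re.findall(r"object network (\S+)\n subnet (\S+ \S+)", cfg))
    src, dst = re.search(r"permit .*?object (\S+) object (\S+)", cfg).groups()
    return tuple(ipaddress.ip_network(objs[n].replace(" ", "/")) for n in (src, dst))

def mirrored(ios_ids, ftd_ids):
    """Phase 2 only completes when each side's (local, remote) is the other's reversed."""
    return ios_ids == (ftd_ids[1], ftd_ids[0])
```

Run it against a real `show running-config` export in place of the embedded strings to audit a tunnel before it goes live.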



IOSv14#ping 10.3.11.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.11.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 33/47/69 ms




> show crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 103.0.0.3
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs
> show crypto ipsec sa
interface: outside
    Crypto map tag: CSM_outside_map, seq num: 1, local addr: 111.0.0.11

      access-list SW4_TO_VPN extended permit ip 10.3.11.0 255.255.255.0 10.1.0.0 255.255.0.0 log
      local ident (addr/mask/prot/port): (10.3.11.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
      current_peer: 103.0.0.3


      #pkts encaps: 79, #pkts encrypt: 79, #pkts digest: 79
      #pkts decaps: 79, #pkts decrypt: 79, #pkts verify: 79
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 79, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 111.0.0.11/0, remote crypto endpt.: 103.0.0.3/0
      path mtu 1500, ipsec overhead 58(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: A1B4FA25
      current inbound spi : DA749927

    inbound esp sas:
      spi: 0xDA749927 (3665074471)
         SA State: active
         transform: esp-des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 2, crypto-map: CSM_outside_map
         sa timing: remaining key lifetime (kB/sec): (4373997/627)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x0000003F 0xFFFFFFFF
    outbound esp sas:
      spi: 0xA1B4FA25 (2712992293)
         SA State: active
         transform: esp-des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 2, crypto-map: CSM_outside_map
         sa timing: remaining key lifetime (kB/sec): (4373997/627)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001




R3#show crypto isa sa 
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
111.0.0.11      103.0.0.3       QM_IDLE           1070 ACTIVE
103.0.0.3       110.0.0.10      QM_IDLE           1071 ACTIVE
108.0.0.8       103.0.0.3       QM_IDLE           1032 ACTIVE
102.0.0.2       103.0.0.3       QM_IDLE           1069 ACTIVE




R3#show crypto ipsec sa peer 111.0.0.11

interface: GigabitEthernet0/0
    Crypto map tag: CMAP, local addr 103.0.0.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.3.11.0/255.255.255.0/0/0)
   current_peer 111.0.0.11 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 100, #pkts encrypt: 100, #pkts digest: 100
    #pkts decaps: 100, #pkts decrypt: 100, #pkts verify: 100
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 103.0.0.3, remote crypto endpt.: 111.0.0.11
     plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0xA677B6B9(2792863417)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x94C7BFCB(2496118731)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 125, flow_id: SW:125, sibling_flags 80000040, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4238283/3478)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xA677B6B9(2792863417)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 126, flow_id: SW:126, sibling_flags 80000040, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4238283/3478)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas: