Firepower Dynamic VTI and Hub-Spoke VPN

 

A DVTI hub is supported from FTD 7.3 and ASA 9.19.


1. Create a loopback interface
    The mask can be /32.


2. Create the dynamic VTI



After clicking OK:




3. Create a S2S VPN and add the hub




After clicking Save:





4. Add the VPN spoke


After clicking OK:



5. Add a bidirectional ACP rule



6. Add a static route or a dynamic route
    An ASAv spoke needs 9.19+ to support interface route injection (IKEv2 route learning). Because the FTD dVTI borrows its IP from the loopback interface, without this peer VTI host route the FTD will route the peer VTI IP to the loopback and never reach it through the VPN tunnel. This matters when running OSPF or BGP, which must reach the peer as next hop.
       tunnel-group x.x.x.x ipsec-attributes
            ikev2 route set interface

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2024/pdf/BRKSEC-3058.pdf

    When configuring OSPF, the DVTI uses the IP borrowed from the loopback interface. A directly configured DVTI IP does not appear to work.
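The routing problem described in step 6 comes down to longest-prefix matching. The following is an added illustration, not Cisco code and not from the original post: a minimal routing-table model for the hub. The loopback range 172.16.32.0/24 is taken from the hub's "show ip" output later on this page; the spoke VTI address 172.16.32.2 and the remaining routes are constructed for the example.

```python
"""Why the hub needs a /32 host route for the spoke's VTI address.

Added illustration (not Cisco code). The hub's connected loopback 172.16.32.0/24
matches the spoke's VTI address, so without a more specific route the packet is
delivered to the loopback instead of the IPsec tunnel. The route that
'ikev2 route set interface' injects is modelled as a /32 via the Virtual-Access
interface, which wins the longest-prefix match.
"""
from ipaddress import ip_address, ip_network

# Constructed hub routing table before any spoke route is learned.
HUB_ROUTES = [
    (ip_network("172.16.32.0/24"), "Loopback1"),   # DVTI borrows this address range
    (ip_network("10.1.3.0/24"), "Inside"),
    (ip_network("0.0.0.0/0"), "Outside"),
]

SPOKE_VTI_IP = "172.16.32.2"   # assumed spoke VTI address (not on the page)


def lookup(routes, dst):
    """Return the egress interface for dst using longest-prefix match."""
    dst = ip_address(dst)
    best = None
    for prefix, iface in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def with_injected_host_route(routes, peer_ip, vaccess_iface):
    """Model the peer /32 that route injection (IKEv2 route learning) adds."""
    return routes + [(ip_network(f"{peer_ip}/32"), vaccess_iface)]


if __name__ == "__main__":
    # Without the host route the spoke VTI address is sent to the loopback.
    print("before:", lookup(HUB_ROUTES, SPOKE_VTI_IP))
    # With the injected /32 it is sent into the tunnel interface.
    routes = with_injected_host_route(HUB_ROUTES, SPOKE_VTI_IP, "Virtual-Access1")
    print("after: ", lookup(routes, SPOKE_VTI_IP))
```

The same mechanism is why an OSPF or BGP neighbour on the VTI cannot be reached until the host route exists: the protocol's next hop is the spoke VTI address, and the hub resolves it against the loopback prefix first.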

After the spoke is configured, the first VPN tunnel is up:



CLI:
FTD72# sh crypto isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                                               Remote                                     fvrf/ivrf     Status         Role
  3652171 203.0.113.69/500                                    203.0.113.182/500                       Global/Global      READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/538 sec
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 0.0.0.0/0 - 255.255.255.255/65535
          ESP spi in/out: 0x15a0a104/0xb6b79b0b
FTD72#

FTD72# sh crypto ipsec sa
interface: dVTI_va1
    Crypto map tag: dVTI_vtemplate_dyn_map, seq num: 1, local addr: 203.0.113.69

      Protected vrf (ivrf): Global
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 203.0.113.182


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 203.0.113.69/500, remote crypto endpt.: 203.0.113.182/500
      path mtu 1500, ipsec overhead 78(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: B6B79B0B
      current inbound spi : 15A0A104

    inbound esp sas:
      spi: 0x15A0A104 (362848516)
         SA State: active
         transform: esp-aes-256 esp-sha-256-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, VTI, }
         slot: 0, conn_id: 1, crypto-map: dVTI_vtemplate_dyn_map
         sa timing: remaining key lifetime (kB/sec): (4008960/28244)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xB6B79B0B (3065486091)
         SA State: active
         transform: esp-aes-256 esp-sha-256-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, VTI, }
         slot: 0, conn_id: 1, crypto-map: dVTI_vtemplate_dyn_map
         sa timing: remaining key lifetime (kB/sec): (4331520/28243)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

FTD72#


FTD72# sh ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       Outside                203.0.113.69    255.255.255.0   CONFIG
GigabitEthernet0/1       Inside                 10.1.3.254      255.255.255.0   CONFIG
GigabitEthernet0/2       DMZ                    192.168.1.254   255.255.255.0   CONFIG
GigabitEthernet0/3       Outside2               192.0.2.69      255.255.255.0   CONFIG
Management0/0            diagnostic             192.168.2.68    255.255.255.0   CONFIG
Loopback1                Lo0                    172.16.32.1     255.255.255.0   manual
Virtual-Access1          dVTI_va1               172.16.32.1     255.255.255.0   CONFIG
Virtual-Template1        dVTI                   172.16.32.1     255.255.255.0   CONFIG
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       Outside                203.0.113.69    255.255.255.0   CONFIG
GigabitEthernet0/1       Inside                 10.1.3.254      255.255.255.0   CONFIG
GigabitEthernet0/2       DMZ                    192.168.1.254   255.255.255.0   CONFIG
GigabitEthernet0/3       Outside2               192.0.2.69      255.255.255.0   CONFIG
Management0/0            diagnostic             192.168.2.68    255.255.255.0   CONFIG
Loopback1                Lo0                    172.16.32.1     255.255.255.0   manual
Virtual-Access1          dVTI_va1               172.16.32.1     255.255.255.0   CONFIG
Virtual-Template1        dVTI                   172.16.32.1     255.255.255.0   CONFIG
FTD72#

FTD72# sh int Virtual-Access1
Interface Virtual-Access1 "dVTI_va1", is up, line protocol is up
  Hardware is Virtual Access    MAC address N/A, MTU 1422
        IP address 172.16.32.1, subnet mask 255.255.255.0
  Vaccess Interface Information:
        Source IP address: 203.0.113.69
        Destination IP address: 203.0.113.182
        Vaccess cloned from template 1
        Mode: ipsec ipv4        IPsec profile: FMC_IPSEC_PROFILE_1
        IPsec MTU Overhead : 78
FTD72#



After the 2nd spoke is up:

FTD72# sh crypto isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                                               Remote                                     fvrf/ivrf     Status         Role
  3652171 203.0.113.69/500                                    203.0.113.182/500                       Global/Global      READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/2199 sec
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 0.0.0.0/0 - 255.255.255.255/65535
          ESP spi in/out: 0x15a0a104/0xb6b79b0b

IKEv2 SAs:

Session-id:2, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                                               Remote                                     fvrf/ivrf     Status         Role
  6249513 203.0.113.69/500                                    203.0.113.183/500                       Global/Global      READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/51 sec
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 0.0.0.0/0 - 255.255.255.255/65535
          ESP spi in/out: 0xc325d547/0xbb55eaf3
FTD72#
FTD72#


FTD72# sh crypto ipsec sa
interface: dVTI_va1
    Crypto map tag: dVTI_vtemplate_dyn_map, seq num: 1, local addr: 203.0.113.69

      Protected vrf (ivrf): Global
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 203.0.113.182


      #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
      #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 10, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 203.0.113.69/500, remote crypto endpt.: 203.0.113.182/500
      path mtu 1500, ipsec overhead 78(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: B6B79B0B
      current inbound spi : 15A0A104

    inbound esp sas:
      spi: 0x15A0A104 (362848516)
         SA State: active
         transform: esp-aes-256 esp-sha-256-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, VTI, }
         slot: 0, conn_id: 1, crypto-map: dVTI_vtemplate_dyn_map
         sa timing: remaining key lifetime (kB/sec): (4008959/26545)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x000007FF
    outbound esp sas:
      spi: 0xB6B79B0B (3065486091)
         SA State: active
         transform: esp-aes-256 esp-sha-256-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, VTI, }
         slot: 0, conn_id: 1, crypto-map: dVTI_vtemplate_dyn_map
         sa timing: remaining key lifetime (kB/sec): (4331519/26545)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

interface: dVTI_va2
    Crypto map tag: dVTI_vtemplate_dyn_map, seq num: 1, local addr: 203.0.113.69

      Protected vrf (ivrf): Global
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 203.0.113.183


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 203.0.113.69/500, remote crypto endpt.: 203.0.113.183/500
      path mtu 1500, ipsec overhead 78(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: BB55EAF3
      current inbound spi : C325D547

    inbound esp sas:
      spi: 0xC325D547 (3274036551)
         SA State: active
         transform: esp-aes-256 esp-sha-256-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, VTI, }
         slot: 0, conn_id: 2, crypto-map: dVTI_vtemplate_dyn_map
         sa timing: remaining key lifetime (kB/sec): (4147200/28692)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xBB55EAF3 (3142970099)
         SA State: active
         transform: esp-aes-256 esp-sha-256-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, VTI, }
         slot: 0, conn_id: 2, crypto-map: dVTI_vtemplate_dyn_map
         sa timing: remaining key lifetime (kB/sec): (4193280/28692)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

FTD72#

FTD72# sh int virtual-access2
Interface Virtual-Access2 "dVTI_va2", is up, line protocol is up
  Hardware is Virtual Access    MAC address N/A, MTU 1422
        IP address 172.16.32.1, subnet mask 255.255.255.0
  Vaccess Interface Information:
        Source IP address: 203.0.113.69
        Destination IP address: 203.0.113.183
        Vaccess cloned from template 1
        Mode: ipsec ipv4        IPsec profile: FMC_IPSEC_PROFILE_1
        IPsec MTU Overhead : 78
FTD72#
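The two "show" commands above are what you would poll to confirm that each spoke's IKEv2 SA is READY and that traffic is actually flowing through its Virtual-Access interface. The following is an added example, not part of the original post and not a Cisco tool: a small parser for that output plus a health check. The sample text is an abridged copy of the page's own output after the second spoke came up; on a real hub you would feed it the captured output of the same two commands.

```python
"""Parse FTD/ASA 'show crypto isakmp sa' / 'show crypto ipsec sa' and report per-peer health.

Added example (not Cisco code). Sample output is abridged from this page.
"""
import re

ISAKMP_OUTPUT = """\
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local                                               Remote                                     fvrf/ivrf     Status         Role
  3652171 203.0.113.69/500                                    203.0.113.182/500                       Global/Global      READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/2199 sec
IKEv2 SAs:
Session-id:2, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local                                               Remote                                     fvrf/ivrf     Status         Role
  6249513 203.0.113.69/500                                    203.0.113.183/500                       Global/Global      READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/51 sec
"""

IPSEC_OUTPUT = """\
interface: dVTI_va1
    Crypto map tag: dVTI_vtemplate_dyn_map, seq num: 1, local addr: 203.0.113.69
      current_peer: 203.0.113.182
      #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
      #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
interface: dVTI_va2
    Crypto map tag: dVTI_vtemplate_dyn_map, seq num: 1, local addr: 203.0.113.69
      current_peer: 203.0.113.183
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# One tunnel row: id, local/port, remote/port, fvrf/ivrf, status, role.
TUNNEL_RE = re.compile(r"^\s*(\d+)\s+(\S+?)/(\d+)\s+(\S+?)/(\d+)\s+\S+\s+(\S+)\s+(\S+)\s*$")
PARAM_RE = re.compile(r"Encr:\s*(\S+),\s*keysize:\s*(\d+),\s*Hash:\s*(\S+),\s*DH Grp:\s*(\d+),"
                      r"\s*Auth sign:\s*(\S+),\s*Auth verify:\s*(\S+)")
LIFE_RE = re.compile(r"Life/Active Time:\s*(\d+)/(\d+)\s*sec")
WEAK_HASHES = {"MD5", "SHA1", "SHA"}   # deprecated IKE integrity algorithms


def parse_isakmp(text):
    """Return one dict per IKE SA with peer, status, role and crypto parameters."""
    sas, cur = [], None
    for line in text.splitlines():
        m = TUNNEL_RE.match(line)
        if m:
            cur = {"tunnel_id": int(m.group(1)), "local": m.group(2), "remote": m.group(4),
                   "status": m.group(6), "role": m.group(7)}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = PARAM_RE.search(line)
        if m:
            cur.update(encr=m.group(1), keysize=int(m.group(2)), hash=m.group(3),
                       dh_group=int(m.group(4)), auth_sign=m.group(5), auth_verify=m.group(6))
            continue
        m = LIFE_RE.search(line)
        if m:
            cur.update(lifetime=int(m.group(1)), active=int(m.group(2)))
    return sas


def parse_ipsec(text):
    """Return one dict per Virtual-Access interface with its peer and packet counters."""
    entries, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("interface:"):
            cur = {"interface": s.split(":", 1)[1].strip(), "peer": None, "encaps": 0, "decaps": 0}
            entries.append(cur)
        elif cur is None:
            continue
        elif s.startswith("current_peer:"):
            cur["peer"] = s.split(":", 1)[1].strip()
        elif s.startswith("#pkts encaps:"):
            cur["encaps"] = int(re.search(r"#pkts encaps:\s*(\d+)", s).group(1))
        elif s.startswith("#pkts decaps:"):
            cur["decaps"] = int(re.search(r"#pkts decaps:\s*(\d+)", s).group(1))
    return entries


def check_tunnels(ike_sas, ipsec_entries):
    """Return {peer: [findings]}; an empty list means the spoke tunnel looks healthy."""
    by_peer = {e["peer"]: e for e in ipsec_entries}
    report = {}
    for sa in ike_sas:
        findings = []
        if sa["status"] != "READY":
            findings.append(f"IKE status {sa['status']}")
        if sa.get("dh_group", 0) < 14:
            findings.append(f"DH group {sa.get('dh_group')} below 14")
        if sa.get("hash", "").upper() in WEAK_HASHES:
            findings.append(f"weak IKE hash {sa['hash']}")
        ent = by_peer.get(sa["remote"])
        if ent is None:
            findings.append("no IPsec SA found for peer")
        elif ent["encaps"] == 0 and ent["decaps"] == 0:
            findings.append(f"no traffic yet on {ent['interface']}")
        report[sa["remote"]] = findings
    return report


if __name__ == "__main__":
    for peer, findings in check_tunnels(parse_isakmp(ISAKMP_OUTPUT), parse_ipsec(IPSEC_OUTPUT)).items():
        print(peer, "OK" if not findings else "; ".join(findings))
```

On the page's output the first spoke (203.0.113.182) has 10 packets each way and reports clean, while the second spoke (203.0.113.183) is READY but has not yet passed traffic; right after a spoke comes up that is expected, but a tunnel that stays at zero decaps after routing is in place is the first thing to check for the missing peer host route from step 6.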


The Devices > VPN > Site-to-Site page does show multiple spoke tunnels if the spokes are extranet. If the spokes are FMC-managed FTDs, all of them will be listed.





We need to go to the following page to see the Virtual-Access interfaces:







Appendix:

Firepower OSPF Configuration

Area tab:
Add all networks to be advertised in OSPF.




Interface tab:

Add the VTI interface that sends OSPF Hellos.


https://www.youtube.com/watch?v=vWDdtat4Uc4
