Configuring Site-to-Site VPN for Firepower Threat Defense

In this article we will take a look at how to configure site-to-site virtual private networks (VPN) on Firepower Threat Defense (FTD) managed devices.

Note: This demonstration assumes that managed devices are licensed appropriately.
 
In this demonstration, the site-to-site VPN will be configured using IKEv2. One Firepower device runs standalone and is configured through the Firepower Device Manager (FDM); the other is managed by, and configured through, the Firepower Management Center (FMC).
 
The underlying network is already configured and will NOT be covered as part of this demonstration.
 
Configuring Firepower S2S VPN using FDM
 
Access the FDM GUI and log in to the Firepower appliance.

From the device summary page, scroll to the bottom of the page and click on Site to Site VPN.

Click on ‘Create Site-to-Site Connection’.
 
Configure the following settings relevant to your environment:
  • Connection Profile Name
  • Local VPN Access Interface
  • Local Network for interesting VPN traffic
  • Remote Site IP Address
  • Remote Site Network for interesting VPN traffic
 
Click ‘Next’ to configure the IKE policy. As mentioned at the start of the article, we will focus on configuring IKEv2.
 
The following IKEv2 policy is configured for this demonstration. Modify your policy as best suited to your organisation.
 
 
Configure the IPsec Proposal settings and complete the configuration by specifying the Pre-shared key (PSK) for both the local and remote peers.
 
Note: There is no need for a NAT exemption in this demonstration; however, please consider whether your environment requires one.
 
 
 
Click ‘Next’, verify the configuration, and then press the ‘Finish’ button to complete the S2S configuration.

The next step is to create an access control policy to permit the interesting traffic across the VPN.

On the menu bar click ‘Policies’ and create an access rule to permit the local site’s interesting traffic.

The last step is to deploy the configuration. Navigate to ‘Deployment’, check the items that will be deployed and proceed with the deployment to apply the configuration changes to the device.
 
Note: If on a production network, this change should be performed as part of a change window.
 
 
Configuring Firepower S2S VPN using the FMC
 
To configure S2S VPN using the FMC navigate to Devices > VPN > Site to Site and click ‘Firepower Threat Defense Device’.
 
On the Endpoints tab, configure the following settings relevant to your environment:
  • Connection Profile Name
  • Local VPN Access Interface
  • Local Network for interesting VPN traffic
  • Remote Site IP Address
  • Remote Site Network for interesting VPN traffic
 
 
Once the Endpoints tab has been configured, click on the ‘IKE’ tab and configure the IKEv2 settings, ensuring that they match the peer device.

Click on the IPsec tab and ensure the IPsec proposal matches the peer device.

Once complete, click ‘Save’ (the Advanced tab is beyond the scope of this article).
 
 
The VPN configuration is now complete. Please ensure that you have configured any access control lists relevant to the interesting traffic, as well as any NAT configuration if required.
 
Once satisfied with the configuration, proceed to deploy the configuration to the managed device by navigating to ‘Deploy’.
 
Once the configuration has been deployed, you should be ready to test the VPN connection. The best way to do this is to pass traffic between the interesting networks. You can also verify that the VPN has come up using the following commands on the FTD CLI:
 
show crypto ikev2 sa
show vpn-sessiondb
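As an added example (not part of the original article), the following Python script checks the output of show crypto ikev2 sa the way an operator would after deployment: it confirms the session is UP-ACTIVE, flags weak IKE proposal parameters, and verifies that the child SA selectors cover exactly the local and remote networks entered on the Endpoints tab. The sample output below is constructed to mirror the command's format; the addresses, SPIs and network names are placeholders.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample modelled on the 'show crypto ikev2 sa' output format;
# the addresses and SPIs are placeholders, not taken from a real device.
SAMPLE = """\
IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                Remote               Status   Role
 1        203.0.113.10/500     198.51.100.20/500    READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/312 sec
Child sa: local selector  10.10.0.0/0 - 10.10.0.255/65535
          remote selector 10.20.0.0/0 - 10.20.0.255/65535
          ESP spi in/out: 0x0a1b2c3d/0x4e5f6a7b
"""

def parse_ikev2_sa(text):
    """Extract session status, peers, IKE proposal and child selectors."""
    sa = {"status": re.search(r"Status:(\S+),", text).group(1)}
    m = re.search(r"^\s*\d+\s+(\S+)/\d+\s+(\S+)/\d+\s+(\S+)\s+(\S+)", text, re.M)
    sa["local"], sa["remote"], sa["ike_state"], sa["role"] = m.groups()
    m = re.search(r"Encr: (\S+), keysize: (\d+), Hash: (\S+), DH Grp:(\d+)", text)
    sa["encr"], sa["keysize"], sa["hash"], sa["dh"] = m[1], int(m[2]), m[3], int(m[4])
    for side in ("local", "remote"):  # child SA traffic selectors (address ranges)
        m = re.search(rf"{side} selector\s+(\S+)/\d+ - (\S+)/\d+", text)
        sa[side + "_selector"] = (ip_address(m[1]), ip_address(m[2]))
    return sa

def check_sa(sa, local_net, remote_net):
    """Return a list of findings; empty means the tunnel is up and as intended."""
    findings = []
    if sa["status"] != "UP-ACTIVE":
        findings.append(f"IKE session status is {sa['status']}")
    if sa["encr"].startswith(("DES", "3DES")) or sa["keysize"] < 128:
        findings.append(f"weak encryption {sa['encr']} keysize {sa['keysize']}")
    if sa["hash"].startswith("MD5") or sa["hash"] in ("SHA", "SHA1", "SHA96"):
        findings.append(f"weak integrity hash {sa['hash']}")
    if sa["dh"] < 14:
        findings.append(f"weak DH group {sa['dh']}")
    # The child SA selectors must cover exactly the networks set on the Endpoints tab.
    for side, net in (("local", local_net), ("remote", remote_net)):
        lo, hi = sa[side + "_selector"]
        n = ip_network(net)
        if (lo, hi) != (n[0], n[-1]):
            findings.append(f"{side} selector {lo}-{hi} does not match {net}")
    return findings
```

Run check_sa(parse_ikev2_sa(output), "<local network>", "<remote network>") against the captured command output; an empty list means the tunnel is up with the expected networks and no weak IKE parameters.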
 