Deploying IPsec Site-to-Site VPNs with FTD

ravell
9 min read

Connecting remote enterprise locations requires more than just encrypting data. While standard IPsec VPNs protect data in transit, they create a critical vulnerability if the receiving network blindly trusts the encrypted traffic. Cisco FTD eliminates this blind spot. Once the IPsec tunnel is established, FTD decrypts the incoming traffic and immediately forces the payload through its native Snort engine and Access Control Policies (ACP). This zero-trust approach ensures your secure tunnels are never exploited as a hidden pathway for malicious infiltration.

Components Used#

  • Cisco Firewall Management Center Virtual Version 10.0.1 (build 1)
  • Cisco Firepower Threat Defense Version 7.6.4.69

Topology#

image
image
For this lab we are using Cisco FTD Managed by FMC and Cisco FTD using FDM.

IP Addressing:

  • Local PC: 192.168.10.100
  • Local FTD (FDM) Outside: 203.100.113.1
  • Local FTD (FDM) VTI: 169.254.2.2
  • Peer PC: 192.168.20.100
  • Peer FTD (FMC) VTI: 169.254.2.1
  • Peer FTD (FMC) Outside: 203.100.113.9

FTD Managed by FMC Configuration#

For FTD managed by FMC, you need to configure all the required protocol from the FMC.

Interface

Go to Devices > Device Management > Choose the Firewall

Go to Interfaces > Add VTI

Fill the Name, Security Zone, Tunnel Source, IPSec Tunnel Mode & IP Address.

Check Box Enabled

image
image

📌 Note: It is recommended to use IP Address for VTI Interface that is not routable. Since it is only use as next hop for routing interface between each devices.

Click OK, Save and Deploy

Routing

Unlike legacy policy-based VPNs, Route-Based VPNs rely entirely on standard Layer 3 Virtual Tunnel Interfaces (VTIs) rather than access lists to dictate traffic flow. Therefore, explicit internal routing is mandatory to instruct the firewall exactly which subnets must be directed into the tunnel for encryption.

So there are 2 types of routing that we need to configure. First is routing to IP Public for Peer Devices and IP address of endpoint devices peer.

Go to Devices > Device Management > Choose the Firewall

Go to Routing > Static Route

Click Add Route

Fill Interface, Select Network, Gateway

image
image

📌 Note: Establishing a stable Route-Based VPN requires a highly specific host route directed at the remote peer's public IP address. This explicit instruction forces the firewall's routing engine to pinpoint the exact egress interface for the IPsec negotiation traffic before any cryptographic encapsulation occurs. Without this precise L3 path, the system risks misrouting or dropping the initial handshake packets, fundamentally preventing the tunnel from forming.

Add another route for endpoint routing. Click Add Route
image
image

Click OK, Save and Deploy

IKE Phase 1

Go to Objects > VPN > IKEv2 Policy

image
image

Click Add IKEv2 Policy

Fill the Policy name, Priority and Lifetime.

⚠️ Note: Device will choose from lower priority to higher priority.

Choose Integrity Algorithms
image
image
Choose Encryption Algorithms
image
image
Choose PRF Algorithms
image
image
Choose Diffie-Helman Group
image
image

Click Save

📌 Note: The Higher the Algorithms or Group more secure it is. However, make sure the license, hardware specification and peer device is supported.

IPSec Phase 2

Go to Objects > VPN > IKEv2 IPSec Proposal
image
image

Click Add IKEv2 IPSec Proposal Fill the Name.

Choose ESP Hash
image
image
Choose ESP Encryption
image
image

Click Save.

Site to Site Configuration

After configure Interface VTI, Routing, IKE policy and IPSec Proposal. Now we configure IPSec Site to Site.

Go to Secure Connections > Add. Fill Topology Name Choose Route Based VPN > Peer to Peer > Create

Node A:

  • Device: Your local firewall
  • Interface: Your VTI

Node B:

  • Device: Extranet
  • Endpoint IP Address: Peer IP Public

![image](/media/images/deploying-ipsec-site-to-site-vpns-with-ftd/10-fmc-sitetosite-endpoints.webp

Click IKE Scroll down to IKEv2 Settings Choose Policies, Authentication Type, Key
image
image

Click IPsec Scroll down to Transform Sets > IKEv2 IPsec Proposals Enable Perfect Forward Secrecy > Choose Modulus Group

image
image
leave Advanced menu to default settings. Click Save and Deploy

⚠️ Note: Although access control policy configuration is not shown here, you still need to allow traffic in the policy for the traffic to pass through.

Now that from FTD managed by FMC is completed, next is configuration for FTD using FDM. The configuration step is still the same, only difference is the GUI.

FTD by FDM Configuration#

Interface

Go to Device > Interfaces > Virtual Tunnel Interfaces Click + to add new interface

image
image

Routing

Go to Device > Routing > Add New Route
image
image
image
image

IKE Phase 1

Go to Objects > IKE Policies > IKEv2
image
image

IPSec Phase 2

Go to Objects > IPsec Proposals > IKEv2

image
image

Site to Site Configuration

Go to Device > Site to Site Configuration
image
image
Match the IKE Policy and IPSec Proposal with peer device.
image
image

Verification#

FTD Local (FDM)

Copy code to clipboard
Open code in new window
Disable hover highlighting
1New-HO-FTD# show crypto ikev2 sa 2 3IKEv2 SAs: 4 5Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1 6 7Tunnel-id Local Remote fvrf/ivrf Status Role 8585180605 203.100.113.1/500 203.100.113.9/500 Global/Global READY INITIATOR 9 Encr: DES, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK 10 Life/Active Time: 86400/227 sec 11Child sa: local selector 0.0.0.0/0 - 255.255.255.255/65535 12 remote selector 0.0.0.0/0 - 255.255.255.255/65535 13 ESP spi in/out: 0xc203c44f/0xe7ffa120 14New-HO-FTD#
Copy code to clipboard
Open code in new window
Disable hover highlighting
1New-HO-FTD# show crypto ipsec sa 2interface: tunnel1 3 Crypto map tag: __vti-crypto-map-Tunnel1-0-1, seq num: 65280, local addr: 203.100.113.1 4 5 Protected vrf (ivrf): Global 6 local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) 7 remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) 8 current_peer: 203.100.113.9 9 10 11 #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 12 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 13 #pkts compressed: 0, #pkts decompressed: 0 14 #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0 15 #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0 16 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0 17 #TFC rcvd: 0, #TFC sent: 0 18 #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0 19 #send errors: 0, #recv errors: 0 20 21 local crypto endpt.: 203.100.113.1/500, remote crypto endpt.: 203.100.113.9/500 22 path mtu 1500, ipsec overhead 58(36), media mtu 1500 23 PMTU time remaining (sec): 0, DF policy: copy-df 24 ICMP error validation: disabled, TFC packets: disabled 25 current outbound spi: E7FFA120 26 current inbound spi : C203C44F 27 28 inbound esp sas: 29 spi: 0xC203C44F (0x00420DB1) 30 SA State: active 31 transform: esp-des esp-sha-hmac no compression 32 in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, VTI, } 33 slot: 0, conn_id: 264, crypto-map: __vti-crypto-map-Tunnel1-0-1 34 sa timing: remaining key lifetime (kB/sec): (3962880/28560) 35 IV size: 8 bytes 36 replay detection support: Y 37 Anti replay bitmap: 38 0x00000000 0x00000001 39 outbound esp sas: 40 spi: 0xE7FFA120 (0x00426429) 41 SA State: active 42 transform: esp-des esp-sha-hmac no compression 43 in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, VTI, } 44 slot: 0, conn_id: 264, crypto-map: __vti-crypto-map-Tunnel1-0-1 45 sa timing: remaining key lifetime (kB/sec): (4101120/28560) 46 IV size: 8 bytes 47 replay detection support: Y 48 Anti replay bitmap: 49 0x00000000 0x00000001 50 51New-HO-FTD#
Copy code to clipboard
Open code in new window
Disable hover highlighting
1New-HO-FTD# show route 2 3Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP 4 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 5 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 6 E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN 7 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 8 ia - IS-IS inter area, * - candidate default, U - per-user static route 9 o - ODR, P - periodic downloaded static route, + - replicated route 10 SI - Static InterVRF, BI - BGP InterVRF 11Gateway of last resort is 203.100.113.2 to network 0.0.0.0 12 13S* 0.0.0.0 0.0.0.0 [1/0] via 203.100.113.2, isp-1 14C 10.0.1.0 255.255.255.252 is directly connected, inside 15L 10.0.1.2 255.255.255.255 is directly connected, inside 16C 169.254.2.0 255.255.255.252 is directly connected, tunnel1 17L 169.254.2.1 255.255.255.255 is directly connected, tunnel1 18V 169.254.2.2 255.255.255.255 connected by VPN (advertised), tunnel1 19S 192.168.10.0 255.255.255.0 [1/0] via 10.0.1.1, inside 20S 192.168.20.0 255.255.255.0 [1/0] via 169.254.2.2, tunnel1 21C 203.100.113.0 255.255.255.252 is directly connected, isp-1 22L 203.100.113.1 255.255.255.255 is directly connected, isp-1 23C 203.100.113.4 255.255.255.252 is directly connected, isp-2 24L 203.100.113.5 255.255.255.255 is directly connected, isp-2 25S 203.100.113.9 255.255.255.255 [1/0] via 203.100.113.2, isp-1 26 27New-HO-FTD#

FTD Peer (FMC)

Copy code to clipboard
Open code in new window
Disable hover highlighting
1Old-HO-FTD# show crypto ikev2 sa 2 3IKEv2 SAs: 4 5Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1 6 7Tunnel-id Local Remote fvrf/ivrf Status Role 8 34167035 203.100.113.9/500 203.100.113.1/500 Global/Global READY RESPONDER 9 Encr: DES, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK 10 Life/Active Time: 86400/32795 sec 11Child sa: local selector 0.0.0.0/0 - 255.255.255.255/65535 12 remote selector 0.0.0.0/0 - 255.255.255.255/65535 13 ESP spi in/out: 0x7f1ee8e/0xe93a4bb3 14Old-HO-FTD#
Copy code to clipboard
Open code in new window
Disable hover highlighting
1Old-HO-FTD# show crypto ipsec sa 2interface: tunnel1 3 Crypto map tag: __vti-crypto-map-Tunnel1-0-1, seq num: 65280, local addr: 203.100.113.9 4 5 Protected vrf (ivrf): Global 6 local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) 7 remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) 8 current_peer: 203.100.113.1 9 10 11 #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4 12 #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4 13 #pkts compressed: 0, #pkts decompressed: 0 14 #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0 15 #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0 16 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0 17 #TFC rcvd: 0, #TFC sent: 0 18 #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0 19 #send errors: 0, #recv errors: 0 20 21 local crypto endpt.: 203.100.113.9/500, remote crypto endpt.: 203.100.113.1/500 22 path mtu 1500, ipsec overhead 58(36), media mtu 1500 23 PMTU time remaining (sec): 0, DF policy: copy-df 24 ICMP error validation: disabled, TFC packets: disabled 25 current outbound spi: E93A4BB3 26 current inbound spi : 07F1EE8E 27 28 inbound esp sas: 29 spi: 0x07F1EE8E (0x0005CE4F) 30 SA State: active 31 transform: esp-des esp-sha-hmac no compression 32 in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, VTI, } 33 slot: 0, conn_id: 15, crypto-map: __vti-crypto-map-Tunnel1-0-1 34 sa timing: remaining key lifetime (kB/sec): (4285440/10466) 35 IV size: 8 bytes 36 replay detection support: Y 37 Anti replay bitmap: 38 0x00000000 0x00000001 39 outbound esp sas: 40 spi: 0xE93A4BB3 (0x000619DD) 41 SA State: active 42 transform: esp-des esp-sha-hmac no compression 43 in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, VTI, } 44 slot: 0, conn_id: 15, crypto-map: __vti-crypto-map-Tunnel1-0-1 45 sa timing: remaining key lifetime (kB/sec): (4239360/10466) 46 IV size: 8 bytes 47 replay detection support: Y 48 Anti replay bitmap: 49 0x00000000 0x00000001 50 51New-HO-FTD#