
#CiscoLive

Route Based VPNs
With Secure Firewall

Jeff Fanelli, Principal Architect
@jefanell
BRKSEC-3058

Cisco Webex App

Questions?
Use Cisco Webex App to chat with the speaker after the session

How
1 Find this session in the Cisco Live Mobile App
2 Click “Join the Discussion”
3 Install the Webex App or go directly to the Webex space
4 Enter messages/questions in the Webex space

Webex spaces will be moderated by the speaker until June 17, 2022.
https://ciscolive.ciscoevents.com/ciscolivebot/#BRKSEC-3058

#CiscoLive BRKSEC-3058 © 2022 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• IPSec VPN Solutions Overview
• VPN Tunnel Interfaces and types
• Scalable VPN with FTD Integration Deployment Example
• IPSec VPN Best Practices
• Conclusion
About Me
Jeff Fanelli
[email protected]
• Principal Architect
• 16 years @ Cisco
• 30+ CiscoLive! Presenter
• Husband + father
• Private pilot
• Slave to three wiener dogs

Platform names and abbreviations
• Cisco Secure Firewall – Product line name
  • Cisco Secure Firewall ASA – Adaptive Security Appliance “ASA” (software platform)
  • Cisco Secure Firewall Threat Defense – Firepower Threat Defense “FTD” (software platform)
• Catalyst 8000 Edge – Product line name
  • Internet Operating System “IOS” (or IOS-XE) (software platform)
VPN Technology Overview

Underlay & Overlay

[Figure: an Underlay Network (the physical/transport network) with an Overlay Network on top of it; the VPN is the overlay, carried across the underlay]
VPNs per platform
Cisco IPSec VPNs

Overlay IPSec VPNs (Site-Site, Any-to-Any, Remote-Access). Tunnel-less Encryption for Site-Site (GETVPN) is listed as a separate category on the slide.

              Crypto Map   EZVPN   GRE over IPSec   VTI   DMVPN   FlexVPN
                                   w/ Crypto Map
IOS/IOS-XE    Yes          Yes     Yes              Yes   Yes     Yes
ASA           Yes          No      Yes              Yes   No      No**
FTD           Yes          No      Yes              Yes   No      No**

Crypto Map: not recommended. VTI: session focus! DMVPN and FlexVPN: IOS only.
** Limited integration is possible
Crypto Map
• First implementation of IPSec VPNs used on Cisco devices.
• Traffic to be encrypted is defined by an ACL (crypto ACL).
• Configuration nightmare:
  • Mismatched ACLs
  • ACL update requirements.

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 172.16.1.1
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode tunnel
!
access-list 110 permit ip 10.20.10.0/24 10.10.10.0/24
access-list 110 permit ip 10.20.10.0/24 10.10.20.0/24
access-list 110 permit ip 10.20.10.0/24 10.10.30.0/24
!
crypto map outside_map 10 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set TS
 match address 110
!
interface GigabitEthernet0/0
 ip address 172.17.1.1 255.255.255.0
 crypto map outside_map
Dynamic Crypto Map
• Dynamically accepts the remote (initiating) peer’s IP address.
• Any proposed traffic selector will be accepted from an authenticated peer.
• The DVTI technology replaces dynamic crypto maps as a dynamic hub-and-spoke method for establishing tunnels.

crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode tunnel
!
crypto dynamic-map dynamic_map 10
 set transform-set TS
 reverse-route
!
crypto map outside_map 10 ipsec-isakmp dynamic dynamic_map
!
interface GigabitEthernet0/0
 ip address 172.17.1.1 255.255.255.0
 crypto map outside_map
VPN Tunnel Interfaces

Tunnel Interface

[Figure: the TUNNEL INTERFACE sits between the Overlay and the Underlay]

• Tunnel Interface interconnects underlay and overlay network.
• Supports various encapsulation types – GRE IPv4/IPv6, Native IPSec IPv4/IPv6
• Main building block for IOS IPSec VPNs – mGRE (DMVPN), Static/Dynamic (FlexVPN); also supported on ASA / FTD
IPSec Virtual Tunnel Interface

IPSec VTI
• Provides a virtual routable interface for terminating IPsec tunnels.
• Simplifies the configuration of IPsec for protection of remote links
• Supports multicast and simplifies network management (IOS only).
• The VTI tunnel is always up (does not need “interesting traffic”)
IOS Tunnel Interface – Packet Flow

interface Tunnel<>
 vrf forwarding blue                  Overlay VRF (IVRF)
 ip address <>                        Overlay IP address
 tunnel mode gre ipv6                 Tunnel encap type
 tunnel source <>                     Underlay src IP address
 tunnel vrf green                     Underlay VRF (FVRF)
 tunnel destination <>                Underlay dst IP address

interface Eth0/0 (LAN, overlay)       interface Eth0/1 (WAN, underlay)
 vrf forwarding blue                   vrf forwarding green
 ip address <>                         ip address <>

Overlay and underlay each have their own RIB/FIB: overlay routes live in VRF blue, underlay routes in VRF green.

Packet on the LAN side (Eth0/0) and inside the tunnel:   IP Private | L4 | Data
Packet on the WAN side (Eth0/1) after encapsulation:     IP Public | GRE | IP Private | L4 | Data

Order of operations for a LAN-to-WAN packet (interface features such as NAT, PBR, QoS, NetFlow, ... can be applied at each step):
1 Eth0/0 interface input features (apply to the cleartext packet)
2 Pre-encapsulation: Tunnel1 interface output features (apply to the cleartext packet)
3 Tunnel encapsulation and optional protection
4 Post-encapsulation: Eth0/1 interface output features (apply to the encrypted packet)
Virtual Interface Types

            GRE over IPSec                      IPsec Native                        CLI
Dynamic     Virtual-Template -> Virtual-Access  Virtual-Template -> Virtual-Access  interface Virtual-Template <>
            Dynamic GRE/IPSec                   DVTI, DVTI Multi-SA
Static      Tunnel interface                    Tunnel interface                    interface Tunnel <>
            Static GRE/IPSec                    SVTI, SVTI Multi-SA
IPSec Tunnel Interface Types - Static
• Static Tunnel Interface

[Figure: Tu0 10.0.0.1 <-> Tu0 10.0.0.2 joined by a static tunnel. Legend: Tu = Static Tunnel, VT = Virtual Template]

interface Tunnel1
 nameif tunnel-to-dc                       (ASA/FTD only)
 ip unnumbered Loopback1                   (ASA 9.19+ / FTD 7.3+)
 tunnel source GigabitEthernet2
 tunnel mode gre ipv4
 tunnel destination 10.0.0.2
 tunnel protection ipsec profile default
IPSec Tunnel Interface Types - Dynamic
• Dynamic Tunnel Interface

[Figure: Spoke Tu0 10.0.0.1 <-> Hub 10.0.0.2; on the hub, VT1 (Virtual-Template) spawns VA1 (Virtual-Access) for the spoke. Legend: Tu = Static Tunnel, VT = Virtual Template, VA = Virtual Access]

Hub template:
interface Virtual-Template1 type tunnel
 nameif tunnel-to-dc                       (ASA/FTD only)
 ip unnumbered Loopback1                   (ASA 9.19+ / FTD 7.3+)
 tunnel source GigabitEthernet2
 tunnel protection ipsec profile default

Virtual Access interface cloned from the template when the spoke connects:
interface Virtual-Access1
 ip unnumbered Loopback1
 tunnel source GigabitEthernet2
 tunnel destination 10.0.0.1
 tunnel protection ipsec profile default
 no tunnel protection ipsec initiate

Dynamic Tunnel Interfaces (DVTI) are introduced in ASA 9.19 and FTD 7.3.
IKEv2 Dynamic VTI – Configuration

[Figure: Hub (Gi2 10.0.12.1/24, Va1 192.168.1.1/32, LAN 10.0.1.0/24) <-> Spoke (Gi2 10.0.23.2/24, Tu1 192.168.1.2/32, LAN 10.0.2.0/24)]

Hub
crypto ikev2 authorization policy default
 route set remote ipv4 10.0.0.0 255.0.0.0
!
crypto ikev2 profile default
 match identity remote any
 authentication remote pre-share key cisco
 authentication local pre-share key cisco
 aaa authorization group psk list flex default local
 virtual-template 1
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1
 ip ospf 1 area 1
 tunnel source GigabitEthernet2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default

Spoke
crypto ikev2 authorization policy default
 route set remote ipv4 10.0.2.0 255.255.255.0
!
crypto ikev2 profile default
 match identity remote address 10.0.12.1
 authentication remote pre-share key cisco
 authentication local pre-share key cisco
 aaa authorization group psk list flex default local
!
interface Tunnel1
 ip address 192.168.1.2 255.255.255.255
 tunnel source GigabitEthernet2
 tunnel mode ipsec ipv4
 tunnel destination 10.0.12.1
 tunnel protection ipsec profile default
!
interface GigabitEthernet2
 ip address 10.0.23.2 255.255.255.0
IKEv2 Multi-SA Static VTI
• By default, the traffic selector for an SVTI is set to ‘any any’.
• From Cisco IOS XE 16.12.1 we can define and associate an ACL with an SVTI.
• Supported in ASA 9.19+ and FTD 7.3+
• IPSec SAs are created for each non-any-any traffic selector, and thus, multiple SAs are attached to an SVTI.
IKEv2 Multi-SA SVTI - Configuration

[Figure: Router1 (Gi2 10.0.12.1/24, Tu1 192.168.1.1/32, LANs 172.16.1.0/24 and 172.16.2.0/24) <-> Router2 (Gi2 10.0.23.2/24, Tu1 192.168.1.2/32, LANs 172.30.3.0/24 and 172.30.4.0/24)]

Router1
crypto ikev2 profile default
 match identity remote 10.0.23.2
 authentication remote pre-share key cisco
 authentication local pre-share key cisco
 aaa authorization group psk list flex default local
!
crypto ipsec profile default
 reverse-route
!
ip access-list extended SVTI_ACL
 permit ip 172.16.1.0 0.0.0.255 172.30.3.0 0.0.0.255
 permit ip 172.16.2.0 0.0.0.255 172.30.4.0 0.0.0.255
!
interface Tunnel1
 ip address 192.168.1.1 255.255.255.252
 tunnel source GigabitEthernet2
 tunnel mode ipsec ipv4
 tunnel destination 10.0.23.2
 tunnel protection ipsec policy ipv4 SVTI_ACL
 tunnel protection ipsec profile default

Router2
crypto ikev2 profile default
 match identity remote 10.0.12.1
 authentication remote pre-share key cisco
 authentication local pre-share key cisco
 aaa authorization group psk list flex default local
!
crypto ipsec profile default
 reverse-route
!
ip access-list extended SVTI_ACL
 permit ip 172.30.3.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit ip 172.30.4.0 0.0.0.255 172.16.2.0 0.0.0.255
!
interface Tunnel1
 ip address 192.168.1.2 255.255.255.252
 tunnel source GigabitEthernet2
 tunnel mode ipsec ipv4
 tunnel destination 10.0.12.1
 tunnel protection ipsec policy ipv4 SVTI_ACL
 tunnel protection ipsec profile default
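The "mismatched ACLs" pitfall from the Crypto Map slide and the one-SA-per-selector behaviour of the Multi-SA SVTI come down to the same check: the selectors the two peers define must be mirror images of each other, or the non-mirrored traffic simply has no SA. The script below is an added example (not part of this deck and not a Cisco tool): it parses the two SVTI_ACL bodies above in IOS wildcard form, reports any selector that has no mirror on the other side, and counts the IPsec SA pairs a multi-SA SVTI would negotiate. The ROUTER2_ACL_STALE input is constructed to show what an ACL update that was applied on only one peer looks like.

```python
"""Mirror-check two peers' IPsec traffic selectors and count the SA pairs.

Added example, not part of the Cisco Live deck. The ACL bodies are the
SVTI_ACL entries from the Multi-SA SVTI slide (IOS wildcard-mask form);
the checker itself is a hypothetical helper, not a Cisco tool.
"""
import ipaddress
import re
from typing import List, Tuple

Selector = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]

# Constructed input: the SVTI_ACL body from each router on the slide.
ROUTER1_ACL = """
permit ip 172.16.1.0 0.0.0.255 172.30.3.0 0.0.0.255
permit ip 172.16.2.0 0.0.0.255 172.30.4.0 0.0.0.255
"""
ROUTER2_ACL = """
permit ip 172.30.3.0 0.0.0.255 172.16.1.0 0.0.0.255
permit ip 172.30.4.0 0.0.0.255 172.16.2.0 0.0.0.255
"""
# Constructed "ACL update" scenario: Router2 never received the second subnet pair.
ROUTER2_ACL_STALE = """
permit ip 172.30.3.0 0.0.0.255 172.16.1.0 0.0.0.255
"""

ACE_RE = re.compile(r"^\s*permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS address/wildcard pair into a network (the wildcard is an inverted mask)."""
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def parse_acl(text: str) -> List[Selector]:
    """Return one (source, destination) network pair per permit ACE."""
    selectors: List[Selector] = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE: {line!r}")
        selectors.append((wildcard_to_network(m.group(1), m.group(2)),
                          wildcard_to_network(m.group(3), m.group(4))))
    return selectors


def mirror_mismatches(local: List[Selector], remote: List[Selector]) -> List[str]:
    """Selectors (written in local src -> dst form) that have no mirror image on the other side."""
    mirrored_remote = {(dst, src) for src, dst in remote}
    local_set = set(local)
    missing_on_remote = [f"{s} -> {d}" for s, d in local if (s, d) not in mirrored_remote]
    missing_on_local = [f"{d} -> {s}" for s, d in remote if (d, s) not in local_set]
    return missing_on_remote + missing_on_local


def expected_sa_pairs(local: List[Selector], remote: List[Selector]) -> int:
    """Each mirrored, non-any/any selector gets its own IPsec SA pair on a multi-SA SVTI."""
    mirrored_remote = {(dst, src) for src, dst in remote}
    return sum(1 for sel in local if sel in mirrored_remote)


if __name__ == "__main__":
    r1, r2 = parse_acl(ROUTER1_ACL), parse_acl(ROUTER2_ACL)
    print("mismatches:", mirror_mismatches(r1, r2), "| SA pairs:", expected_sa_pairs(r1, r2))
    stale = parse_acl(ROUTER2_ACL_STALE)
    print("stale peer mismatches:", mirror_mismatches(r1, stale), "| SA pairs:", expected_sa_pairs(r1, stale))
```

Run against the slide's two ACLs the mismatch list is empty and two SA pairs are expected; against the stale copy the 172.16.2.0/24 -> 172.30.4.0/24 selector is reported as missing on the remote side and only one SA pair would come up. Running this kind of check before a change window is the cheap way to avoid the "why is only half the traffic encrypted" ticket that crypto maps and multi-SA selectors both invite.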
Secure Firewall VPN Design

New ASA and FTD Features ahead!

These features are in ASA and FTD code right NOW:
• Static VTI Tunnels
• BGP routing support
• Per-peer IKEv2 custom identity attributes

These capabilities are coming in the ASA 9.19 / FTD 7.3 release:
• Loopback interfaces
• IKEv2 config-exchange for peer interface sharing over tunnel (simplifies BGP peering)
• Dynamic VTI support on ASA/FTD for VPN “hub”. Can also use IOS for VPN hub now.

Configs shown will be ASA CLI (identical to FTD deployed configuration).
Example Design Requirements and Assumptions
• Scaled Deployment / hub-and-spoke topology
• Provide security using cryptographically protected tunnels.
• Headend redundancy with 15 seconds convergence
• Branches can include ASA / FTD …
High Level Design – Topology
Hub-and-spoke + Large Scale

[Figure: Cluster 1 ….. Cluster 4, each an FTD1/FTD2 pair in HA or Cluster mode, behind Hub1, Hub2, Hub3 and Hub4; Spoke1 ….. Spoke10000 terminate tunnels to the hubs]
BGP routing considerations
Headend redundancy with 15 seconds convergence
• Two tunnels, primary and secondary.
• Decrease BGP timers for fast convergence.
• For the BGP neighborship we need IKEv2 routing to exchange the addresses that will be used for peering.
• BGP listen range on Hub.
• Route reflector between Hubs.
• Summary advertised to spokes.

[Figure: Hub1 (Virtual-Access1 172.16.1.253/32, underlay 10.0.0.254) and Spoke1 (Tunnel1 172.16.1.1/32, underlay 10.0.0.1) joined by IKEv2 and an iBGP session over the tunnel]

Hub1 routing table:
S 172.16.1.1 is directly connected, Virtual-Access1
B 192.168.102.0/24 [200/0] -> 172.16.1.7

Spoke1 routing table:
S 172.16.1.253/32 -> Tunnel1
B 192.168.0.0/16 [200/0] -> 172.16.1.254
Single / Double Hub & Spoke design using VTI
Hubs can be IOS, ASA 9.19+ or FTD 7.3+

[Figure: Hub1 (172.16.1.254/32, inside 172.16.254.1/24) and Hub2 (172.16.1.253/32); Spoke1 (192.168.101.0/24) and Spoke2 (192.168.102.0/24), each with Tunnel1 and Tunnel2 to the two hubs]

Hub1 Virtual-Access interface (only Hub 1 config shown):
interface Virtual-Access1
 ip unnumbered Loopback0
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 10.0.0.1
 tunnel protection ipsec profile default
 no tunnel protection ipsec initiate

Hub routing table:
S 172.16.1.7 is directly connected, Virtual-Access1
B 192.168.102.0/24 [200/0] -> 172.16.1.7

Spoke1 routing table:
S 172.16.1.254/32 -> Tunnel1
S 172.16.1.253/32 -> Tunnel2
B 192.168.0.0/16 [200/0] -> 172.16.1.254

Spoke2 routing table:
S 172.16.1.253/32 -> Tunnel1
S 172.16.1.254/32 -> Tunnel2
B 192.168.0.0/16 [200/0] -> 172.16.1.253
FTD Routed mode on a stick
IPS inspection for the spoke-to-spoke traffic using FTD

[Figure: FTD Cluster 1 (inside 172.16.254.254/24) hangs off the hub LAN (Hub1 inside 172.16.254.1/24). Numbered packet path 1-4: Spoke1 (192.168.101.0/24) -> Hub1 (172.16.1.254/32) -> FTD for inspection -> back via the hub -> Spoke2 (192.168.102.0/24); Hub2 is 172.16.1.253/32]

Hub1 Virtual-Access interface with PBR towards the FTD:
interface Virtual-Access2
 ip unnumbered Loopback0
 ip policy route-map FW
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 10.0.0.1
 tunnel protection ipsec profile default
 no tunnel protection ipsec initiate

Hub routing table:
S 172.16.1.7 is directly connected, Virtual-Access1
B 192.168.102.0/24 [200/0] -> 172.16.1.7

Spoke1 routing table:
S 172.16.1.254/32 -> Tunnel1
S 172.16.1.253/32 -> Tunnel2
B 192.168.0.0/16 [200/0] -> 172.16.1.254
Spoke router configuration – IOS Example

[Figure: Hub1 (172.16.1.253/24, underlay 10.0.0.253) and Hub2 (172.16.1.254/24, underlay 10.0.0.254) with an FTD on the inside (172.16.1.1/24); Spoke1 (Router, underlay 10.0.0.1, 192.168.101.0/24), Spoke2 (ASA, underlay 10.0.0.2, 192.168.102.0/24), Spoke3 (192.168.103.0/24)]

crypto ikev2 profile default
 match identity remote fqdn domain hub
 identity local fqdn Spoke1.router
 authentication local pre-share key <PSK>
 authentication remote pre-share key <PSK>
 aaa authorization group psk list FlexVPN default local
!
interface Tunnel101                                 Primary Tunnel
 ip unnumbered Loopback101
 tunnel source GigabitEthernet2
 tunnel destination 10.0.0.253
 tunnel protection ipsec profile default
!
interface Tunnel102                                 Secondary Tunnel
 ip unnumbered Loopback101
 tunnel source GigabitEthernet2
 tunnel destination 10.0.0.254
 tunnel protection ipsec profile default
!
router bgp 65000
 timers bgp 5 15                                    Reduced BGP timers for faster convergence
 neighbor 172.16.1.253 remote-as 65000
 neighbor 172.16.1.254 remote-as 65000
 !
 address-family ipv4
  network 192.168.101.0 mask 255.255.255.0
  (…)
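Why `timers bgp 5 15` meets the "15 seconds convergence" requirement from the design slide: with a 15-second hold time the spoke tears down the iBGP session to a silent hub at most 15 seconds after the last keepalive, withdraws that hub's routes, and the summary is then reached via the other hub's tunnel. The model below is an added example (not from this deck, and a deliberately simplified model of the hold timer rather than an implementation of BGP): it replays keepalives from the two hub neighbors on the spoke slide (172.16.1.253 primary, 172.16.1.254 secondary), silences the primary at a chosen time, and reports when the next hop flips. The default 60/180 timers are included for comparison.

```python
"""Event-driven model of BGP hold-timer failover for a two-tunnel spoke.

Added example, not from the Cisco Live deck. The timer values (timers bgp 5 15)
and the neighbor addresses (172.16.1.253 primary, 172.16.1.254 secondary) are
the ones on the spoke slides; the simulation is a simplified model of the BGP
hold timer (RFC 4271 semantics), not an implementation of the protocol.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Neighbor:
    address: str
    hold: int
    last_keepalive: int = 0   # time the most recent KEEPALIVE arrived (session up at t=0)
    alive: bool = True

    def hold_expired(self, now: int) -> bool:
        # The hold timer restarts on every KEEPALIVE/UPDATE; when it runs out the
        # session is torn down and the neighbor's routes are withdrawn.
        return now - self.last_keepalive >= self.hold


class SpokeBgp:
    """A spoke with iBGP sessions to the hubs; the first live neighbor in
    preference order (primary first) is the next hop for the hub summary."""

    def __init__(self, neighbors: List[Neighbor]):
        self.neighbors = neighbors

    def receive_keepalive(self, address: str, now: int) -> None:
        for n in self.neighbors:
            if n.address == address and n.alive:
                n.last_keepalive = now

    def expire_holds(self, now: int) -> List[str]:
        """Tear down sessions whose hold timer ran out; return their addresses."""
        torn_down = []
        for n in self.neighbors:
            if n.alive and n.hold_expired(now):
                n.alive = False
                torn_down.append(n.address)
        return torn_down

    def best_next_hop(self) -> Optional[str]:
        return next((n.address for n in self.neighbors if n.alive), None)


def simulate_headend_failure(keepalive: int, hold: int, fail_at: int,
                             horizon: int = 600) -> Dict[str, object]:
    """Primary hub goes silent at `fail_at` seconds; report when the spoke's
    next hop flips to the secondary hub and how long that took."""
    primary = Neighbor("172.16.1.253", hold)
    secondary = Neighbor("172.16.1.254", hold)
    spoke = SpokeBgp([primary, secondary])
    before = spoke.best_next_hop()
    for t in range(horizon + 1):
        if t % keepalive == 0:
            if t < fail_at:                      # primary stops sending at fail_at
                spoke.receive_keepalive(primary.address, t)
            spoke.receive_keepalive(secondary.address, t)
        if spoke.expire_holds(t):
            return {"next_hop_before": before, "failed_at": fail_at,
                    "converged_at": t, "failover_delay": t - fail_at,
                    "next_hop_after": spoke.best_next_hop()}
    raise RuntimeError("no failover within the simulation horizon")


if __name__ == "__main__":
    for ka, hold in ((5, 15), (60, 180)):
        print(f"timers bgp {ka} {hold}:", simulate_headend_failure(ka, hold, fail_at=12))
```

The failover delay is bounded by the hold time regardless of when in the keepalive cycle the hub dies, which is exactly what the requirement asks for; the same run with the 60/180 defaults shows a detection delay of almost three minutes, which is why the slide calls out the reduced timers. Note that this bound covers BGP detection only; IKEv2 dead-peer detection on the tunnel is a separate timer.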
Spoke ASA config – Pre ASA 9.19.1 / FTD 7.3

hostname Spoke2
domain-name Spoke2
!
crypto isakmp identity hostname                     IKE Identity
!
crypto ikev2 policy 10                              IKEv2 and IPSec algorithms
 encryption aes-256
 integrity sha384
 group 19
 prf sha384
crypto ikev2 enable outside
!
crypto ipsec ikev2 ipsec-proposal IPSEC_PROP
 protocol esp encryption aes
 protocol esp integrity sha-1
!
crypto ipsec profile VTI
 set ikev2 ipsec-proposal IPSEC_PROP
!
tunnel-group 10.0.0.253 type ipsec-l2l              pre-shared-keys
tunnel-group 10.0.0.253 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco
 ikev2 local-authentication pre-shared-key cisco
!
tunnel-group 10.0.0.254 type ipsec-l2l
tunnel-group 10.0.0.254 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco
 ikev2 local-authentication pre-shared-key cisco
!
interface Tunnel1                                   Primary Tunnel
 nameif VTI
 ip address 172.16.1.5 255.255.255.254
 tunnel source interface outside
 tunnel destination 10.0.0.253
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
interface Tunnel2                                   Secondary Tunnel
 nameif VTI2
 ip address 172.16.1.7 255.255.255.254
 tunnel source interface outside
 tunnel destination 10.0.0.254
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
route VTI 172.16.1.253 255.255.255.255 172.16.1.253 1        Instead of IKEv2 routing
route VTI2 172.16.1.254 255.255.255.255 172.16.1.254 1
!
router bgp 65000
 timers bgp 5 15 0
 address-family ipv4 unicast
  neighbor 172.16.1.253 remote-as 65000
  neighbor 172.16.1.253 activate
  neighbor 172.16.1.254 remote-as 65000
  neighbor 172.16.1.254 activate
  redistribute connected
Spoke ASA config – ASA 9.19.1+ / FTD 7.3+

No change to IKE identity, IKEv2 and IPSec algorithms:
crypto ikev2 policy 10
 encryption aes-256
 integrity sha384
 group 19
 prf sha384
crypto ikev2 enable outside
!
crypto ipsec ikev2 ipsec-proposal IPSEC_PROP
 protocol esp encryption aes
 protocol esp integrity sha-1
!
crypto ipsec profile VTI
 set ikev2 ipsec-proposal IPSEC_PROP
!
tunnel-group 10.0.0.253 type ipsec-l2l
tunnel-group 10.0.0.253 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco
 ikev2 local-authentication pre-shared-key cisco
 ikev2 route set interface                          IKEv2 Route learning
!
tunnel-group 10.0.0.254 type ipsec-l2l
tunnel-group 10.0.0.254 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco
 ikev2 local-authentication pre-shared-key cisco
 ikev2 route set interface
!
interface Tunnel1                                   Primary Tunnel
 nameif VTI
 ip address 172.16.1.5 255.255.255.254
 tunnel source interface outside
 tunnel destination 10.0.0.253
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
interface Tunnel2                                   Secondary Tunnel
 nameif VTI2
 ip address 172.16.1.7 255.255.255.254
 tunnel source interface outside
 tunnel destination 10.0.0.254
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
route VTI 172.16.1.253 255.255.255.255 172.16.1.253 1        Static VTI routes no longer needed with IKEv2 route learning
route VTI2 172.16.1.254 255.255.255.255 172.16.1.254 1
!
router bgp 65000
 timers bgp 5 15 0
 address-family ipv4 unicast
  neighbor 172.16.1.253 remote-as 65000
  neighbor 172.16.1.253 activate
  neighbor 172.16.1.254 remote-as 65000
  neighbor 172.16.1.254 activate
  redistribute connected
Spoke ASA config – ASA 9.19.1+ / FTD 7.3+

Loopback support including /32 masks, and “ip unnumbered” support on tunnel interfaces:
interface Loopback1
 nameif loop1
 ip address 172.16.1.5 255.255.255.255
!
interface Loopback2
 nameif loop2
 ip address 172.16.1.7 255.255.255.255
!
tunnel-group 10.0.0.253 type ipsec-l2l
tunnel-group 10.0.0.253 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco
 ikev2 local-authentication pre-shared-key cisco
 ikev2 route set interface                          IKEv2 Route learning
!
tunnel-group 10.0.0.254 type ipsec-l2l
tunnel-group 10.0.0.254 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco
 ikev2 local-authentication pre-shared-key cisco
 ikev2 route set interface
!
interface Tunnel1                                   Primary Tunnel
 nameif VTI
 ip unnumbered loop1
 tunnel source interface outside
 tunnel destination 10.0.0.253
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
interface Tunnel2                                   Secondary Tunnel
 nameif VTI2
 ip unnumbered loop2
 tunnel source interface outside
 tunnel destination 10.0.0.254
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
router bgp 65000
 timers bgp 5 15 0
 address-family ipv4 unicast
  neighbor 172.16.1.253 remote-as 65000
  neighbor 172.16.1.253 activate
  neighbor 172.16.1.254 remote-as 65000
  neighbor 172.16.1.254 activate
  redistribute connected
Hub’s IKEv2 profile selection

[Figure: Hub1 terminating two kinds of peers, Spoke1.router and Spoke2.firewall]

Hub1 IKEv2 profiles:
crypto ikev2 name-mangler extract-domain
 fqdn domain
crypto ikev2 profile router
 match identity remote fqdn domain router
 authentication remote pre-share key cisco
 authentication local pre-share key cisco
 aaa authorization group psk list FlexVPN name-mangler extract-domain
 virtual-template 1 mode auto
!
crypto ikev2 name-mangler extract-host
 fqdn hostname
crypto ikev2 profile firewall
 match identity remote fqdn domain firewall
 authentication remote pre-share key cisco
 authentication local pre-share key cisco
 aaa authorization group psk list FlexVPN name-mangler extract-host
 virtual-template 1 mode auto
 no config-exchange request

Authorization policies (store it on an external AAA server):
crypto ikev2 authorization policy router
 route set interface
!
crypto ikev2 authorization policy Spoke2
 route set local ipv4 172.16.1.5 255.255.255.255

The per-host policy (Spoke2) is required only if we want to terminate ASA/FTD versions pre 9.19/7.3, because they do not support IKEv2 config exchange.

* VTI for FTD on 6.7 roadmap
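The two-stage selection on this slide (peer FQDN domain picks the IKEv2 profile, the profile's name-mangler derives the AAA username, the username picks the authorization policy) is easy to misread, so here it is as a small Python model. This is an added example, not Cisco code: the profiles, name-manglers, policies and the two identities Spoke1.router and Spoke2.firewall are copied from the slide, and the matching logic is a simplified hypothetical model of what the hub does rather than an IOS implementation. It shows why routers can share one policy with `route set interface` while each pre-9.19 firewall needs its own per-host policy carrying a static route.

```python
"""Model the hub's IKEv2 profile selection and name-mangler lookup.

Added example, not Cisco code. The profiles, name-manglers, authorization
policies and the two peer identities (Spoke1.router, Spoke2.firewall) are
taken from the 'Hub's IKEv2 profile selection' slide; the matching logic is a
simplified hypothetical model of what the hub does, not an IOS implementation.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Ikev2Profile:
    name: str
    match_domain: str      # match identity remote fqdn domain <match_domain>
    name_mangler: str      # 'fqdn domain' (extract-domain) or 'fqdn hostname' (extract-host)
    config_exchange: bool  # False when the profile carries 'no config-exchange request'


PROFILES: List[Ikev2Profile] = [
    Ikev2Profile("router", "router", "fqdn domain", True),
    Ikev2Profile("firewall", "firewall", "fqdn hostname", False),
]

# crypto ikev2 authorization policy <name>, keyed by the mangled AAA username.
AUTHZ_POLICIES: Dict[str, str] = {
    "router": "route set interface",
    "Spoke2": "route set local ipv4 172.16.1.5 255.255.255.255",
}


def split_fqdn(identity: str):
    """'Spoke1.router' -> ('Spoke1', 'router'); a bare hostname has an empty domain."""
    host, _, domain = identity.partition(".")
    return host, domain


def select_profile(identity: str) -> Optional[Ikev2Profile]:
    """First profile whose 'match identity remote fqdn domain' equals the peer's domain."""
    _, domain = split_fqdn(identity)
    return next((p for p in PROFILES if p.match_domain == domain), None)


def mangle_name(identity: str, mangler: str) -> str:
    """Derive the AAA username the way the profile's name-mangler would."""
    host, domain = split_fqdn(identity)
    if mangler == "fqdn domain":
        return domain
    if mangler == "fqdn hostname":
        return host
    raise ValueError(f"unsupported name-mangler: {mangler}")


def authorize_peer(identity: str) -> Dict[str, Optional[object]]:
    """Profile -> mangled username -> authorization policy for one IKEv2 peer identity."""
    profile = select_profile(identity)
    if profile is None:
        # No profile matches the peer's domain: the hub has nothing to negotiate with.
        return {"profile": None, "aaa_user": None, "policy": None, "config_exchange": None}
    user = mangle_name(identity, profile.name_mangler)
    return {"profile": profile.name, "aaa_user": user,
            "policy": AUTHZ_POLICIES.get(user), "config_exchange": profile.config_exchange}


if __name__ == "__main__":
    for peer in ("Spoke1.router", "Spoke2.firewall", "Spoke3.firewall", "unknown.example"):
        print(peer, "->", authorize_peer(peer))
```

A firewall peer that has no per-host policy (Spoke3.firewall in the run above) resolves to the firewall profile but to no policy, which is the situation the per-host entries on the slide exist to avoid; an identity in an unknown domain matches no profile at all. That second case is also why the conclusion slide asks for unique IKE identifiers per peer: the domain suffix is doing real work in profile selection.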
Hub router configuration - with PBR

aaa new-model
aaa authorization network FlexVPN local
!
access-list 123 permit ip 192.168.0.0 0.0.255.255 any
!
route-map FW permit 10                              PBR
 match ip address 123
 set ip next-hop 172.16.254.254
!
crypto ikev2 profile router                         Separate IKEv2 profiles for routers and firewalls
 match identity remote fqdn domain router
 authentication remote pre-share key cisco
 authentication local pre-share key cisco
 aaa authorization group psk list FlexVPN name-mangler extract-domain
 virtual-template 1 mode auto
!
crypto ikev2 profile firewall
 match identity remote fqdn domain firewall
 authentication remote pre-share key cisco
 authentication local pre-share key cisco
 aaa authorization group psk list FlexVPN name-mangler extract-domain
 virtual-template 1 mode auto
 no config-exchange request
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1
 ip policy route-map FW
 tunnel protection ipsec profile default
!
router bgp 65000                                    iBGP with listen range
 bgp listen range 172.16.1.0/24 peer-group Flex
 bgp listen limit 10000
 timers bgp 5 15
 neighbor Flex peer-group
 neighbor Flex remote-as 65000
 !
 address-family ipv4
  redistribute connected
  neighbor Flex activate
  neighbor Flex route-reflector-client
  neighbor Flex next-hop-self all
 exit-address-family
Hub ASA / FTD configuration

interface Loopback101
 nameif lo101
 ip address 172.16.10.1 255.255.255.255
!
interface Virtual-Template101 type tunnel
 nameif dVTI101
 ip unnumbered lo101
 tunnel source interface outside
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE
!
crypto ipsec ikev2 ipsec-proposal AES-256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec profile IPSEC_PROFILE
 set ikev2 ipsec-proposal AES-256
 set ikev2 local-identity address
!
tunnel-group spoke1 type ipsec-l2l
tunnel-group spoke1 ipsec-attributes
 virtual-template 101
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
 ikev2 route set interface
!
router bgp 65000
 bgp log-neighbor-changes
 timers bgp 5 15 0
 address-family ipv4
  redistribute connected
  neighbor 172.16.10.2 remote-as 65000
  neighbor 172.16.10.2 activate
  neighbor 172.16.10.3 remote-as 65000
  neighbor 172.16.10.3 activate
  no auto-summary
  no synchronization
 exit-address-family

• New loopback support (including a /32 mask) and Virtual-Template (DVTI) support for the “hub” role on ASA/FTD.
• Crypto proposals must match.
• iBGP configuration requires a neighbor entry for every ASA/FTD/IOS peer (no peer-group support).
• The peer spoke tunnel-group name should match what the peer is providing via IKEv2 identity.
• “route set interface” enables the hub to learn the spoke interface IP via IKEv2 config exchange* (new).
Interface and routing verification

[Figure: Hub1 (Virtual-Access1 172.16.1.253/32, underlay 10.0.0.254) <-> Spoke1 (Tunnel1 172.16.1.1/32, underlay 10.0.0.1, LAN 192.168.101.0/24)]

Hub1# show derived-config interface Virtual-Access 1
Building configuration...

Derived configuration : 197 bytes
!
interface Virtual-Access1
 ip unnumbered Loopback1
 ip policy route-map FW
 tunnel source GigabitEthernet2
 tunnel destination 10.0.0.1
 tunnel protection ipsec profile default
 no tunnel protection ipsec initiate

The Virtual-Access interface is derived from the Virtual-Template (the show command is not available on ASA/FTD).

Hub1# show ip route
S 172.16.1.1/32 is directly connected, Virtual-Access1
B 192.168.101.0/24 [200/0] via 172.16.1.1, 00:25:06

Spoke1# show ip route
S 172.16.1.254/32 is directly connected, Tunnel1
S 172.16.1.253/32 is directly connected, Tunnel2
B 192.168.0.0/16 [200/0] via 172.16.1.254, 00:07:27
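The two routing tables above are the whole verification story for this design: each peer's tunnel /32 must be a static route through a tunnel interface (pushed by IKEv2 route learning), and every BGP prefix must resolve its next hop through one of those /32s, otherwise the BGP route would recurse towards the underlay or fail. The script below is an added example (not from this deck and not a Cisco command): it parses `show ip route` lines in the form shown on the slide and performs exactly those two checks. The sample tables are constructed from the slide's Spoke1 and Hub1 output, plus a constructed broken case where the secondary tunnel never came up.

```python
"""Parse 'show ip route' lines like the ones on the verification slide and
check the tunnel-route peering a VTI hub-and-spoke design relies on.

Added example, not from the Cisco Live deck. The sample routing tables are
constructed from the Spoke1 and Hub1 output on the slide; the checker is a
hypothetical helper, not a Cisco command.
"""
import ipaddress
import re
from typing import Dict, List, Optional

STATIC_RE = re.compile(r"^S\s+(\S+) is directly connected, (\S+)$")
BGP_RE = re.compile(r"^B\s+(\S+) \[(\d+)/(\d+)\] via (\S+), (\S+)$")

# Constructed from the slide's Spoke1 and Hub1 tables.
SPOKE1_ROUTES = """
S 172.16.1.254/32 is directly connected, Tunnel1
S 172.16.1.253/32 is directly connected, Tunnel2
B 192.168.0.0/16 [200/0] via 172.16.1.254, 00:07:27
"""
HUB1_ROUTES = """
S 172.16.1.1/32 is directly connected, Virtual-Access1
B 192.168.101.0/24 [200/0] via 172.16.1.1, 00:25:06
"""
# Constructed failure case: the secondary tunnel (Tunnel2) never came up on the spoke.
SPOKE1_ROUTES_BROKEN = """
S 172.16.1.254/32 is directly connected, Tunnel1
B 192.168.0.0/16 [200/0] via 172.16.1.254, 00:07:27
"""


def parse_routes(text: str) -> List[Dict[str, object]]:
    """Parse the S (static) and B (BGP) lines of a routing table into dicts."""
    routes: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STATIC_RE.match(line)
        if m:
            routes.append({"proto": "S", "prefix": ipaddress.ip_network(m.group(1)),
                           "interface": m.group(2), "next_hop": None})
            continue
        m = BGP_RE.match(line)
        if m:
            routes.append({"proto": "B", "prefix": ipaddress.ip_network(m.group(1)),
                           "ad": int(m.group(2)), "metric": int(m.group(3)),
                           "next_hop": ipaddress.ip_address(m.group(4)), "uptime": m.group(5)})
            continue
        raise ValueError(f"unrecognised route line: {line!r}")
    return routes


def check_tunnel_peering(routes: List[Dict[str, object]],
                         peer_addresses: List[str]) -> Dict[str, Dict[str, Optional[str]]]:
    """peer_reachability: the tunnel interface each peer's /32 is reachable through
    (None if the static route is missing). bgp_via_tunnel: for each BGP prefix, the
    tunnel its next hop resolves through (None if the next hop is not a tunnel /32)."""
    tunnel_hosts = {r["prefix"]: r["interface"] for r in routes
                    if r["proto"] == "S" and str(r["interface"]).startswith(("Tunnel", "Virtual-Access"))}
    peers = {p: tunnel_hosts.get(ipaddress.ip_network(f"{p}/32")) for p in peer_addresses}
    bgp = {str(r["prefix"]): tunnel_hosts.get(ipaddress.ip_network(f"{r['next_hop']}/32"))
           for r in routes if r["proto"] == "B"}
    return {"peer_reachability": peers, "bgp_via_tunnel": bgp}


def peering_ok(findings: Dict[str, Dict[str, Optional[str]]]) -> bool:
    """True only when every peer /32 and every BGP next hop resolves via a tunnel."""
    return all(v is not None for section in findings.values() for v in section.values())


if __name__ == "__main__":
    hubs = ["172.16.1.254", "172.16.1.253"]
    for name, table in (("Spoke1", SPOKE1_ROUTES), ("Spoke1 (broken)", SPOKE1_ROUTES_BROKEN)):
        f = check_tunnel_peering(parse_routes(table), hubs)
        print(name, "ok" if peering_ok(f) else "NOT ok", f)
    print("Hub1", check_tunnel_peering(parse_routes(HUB1_ROUTES), ["172.16.1.1"]))
```

On the slide's output both checks pass on the spoke and on the hub; in the broken table the 172.16.1.253 peer has no /32 through a tunnel, so the secondary hub would never become a usable BGP next hop and the "15 seconds convergence" requirement would silently not be met until someone looked at the routing table.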
Conclusions!

DO’s for ASA/FTD VPNs:
• Use VTI interfaces as default choice for all site-to-site tunnels (including Cloud IaaS)
• Static or (BGP) routing protocol for VTI tunnel route peering
• Upgrade to ASA 9.19 or FTD 7.3 for DVTI HUB support! (IOS can be used today).

DON’Ts for ASA/FTD VPNs:
• Don’t forget to lock down tunnel interface(s) with Access Control List (ASA) or Access Control Policy (FTD)
• Don’t forget to lock down IPSec Profiles for peers with complex, unique passwords and / or additional unique IKE identifiers.
Technical Session Surveys
• Attendees who fill out a minimum of four session surveys and the overall event survey will get Cisco Live branded socks!
• Attendees will also earn 100 points in the Cisco Live Game for every survey completed.
• These points help you get on the leaderboard and increase your chances of winning daily and grand prizes.
Security Reference Architecture

[Figure: Cisco Security Reference Architecture portfolio diagram. Tiers: Security Operations (XDR, Threat Visibility & Hunting, Device Insights, Kenna Vulnerability Management, Secure Cloud Insights, Managed Detection and Response, Incident Response services); User/Device Security (Duo, Cisco Secure Client, Zero Trust, Secure E-mail); Network Security (SASE with Umbrella/Duo, SD-WAN by Viptela, Secure Firewall, Secure Network Analytics, ISE/TrustSec, DNA Center, IoT/OT security with Cyber Vision and industrial devices); Application Security (Secure Workload, AppDynamics, Secure Application, APIC/Cloud Native Security); Cloud Edge, On-Premises and Public/Private Cloud placements]
Pay for Learning with Cisco Learning Credits
Cisco Learning Credits (CLCs) are prepaid training vouchers redeemed directly with Cisco.
From technology training and team development to Cisco certifications and learning plans, let us help you empower your business and career. www.cisco.com/go/certs

Learn
• Cisco U. – IT learning hub that guides teams and learners toward their goals
• Cisco Digital Learning – Subscription-based product, technology, and certification training
• Cisco Modeling Labs – Network simulation platform for design, testing, and troubleshooting
• Cisco Learning Network – Resource community portal for certifications and learning

Train
• Cisco Training Bootcamps – Intensive team & individual automation and technology training programs
• Cisco Learning Partner Program – Authorized training partners supporting Cisco technology and career certifications
• Cisco Instructor-led and Virtual Instructor-led training – Accelerated curriculum of product, technology, and certification courses

Certify
• Cisco Certifications and Specialist Certifications – Award-winning certification program empowers students and IT Professionals to advance their technical careers
• Cisco Guided Study Groups – 180-day certification prep program with learning and support
• Cisco Continuing Education Program – Recertification training options for Cisco certified individuals

Here at the event? Visit us at The Learning and Certifications lounge at the World of Solutions
Continue your education
• Visit the Cisco Showcase for related demos
• Book your one-on-one Meet the Engineer meeting
• Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs
• Visit the On-Demand Library for more sessions at www.CiscoLive.com/on-demand
Thank you

#CiscoLive