Configure IPsec tunnels

Configure primary and secondary tunnels on the Cisco ASA/FTD device using the details from Analyze > Tunnels > Setup Info in Forcepoint ONE SSE.

Steps

  1. Configure an access-list to allow port 80 and 443 traffic from specific subnets or traffic types to the tunnel:
    access-list FP extended permit tcp <internal_subnet> <subnet_mask> any4 eq www
    access-list FP extended permit tcp <internal_subnet> <subnet_mask> any4 eq https
  2. Configure the IPsec encryption algorithm:
    crypto ipsec ikev2 ipsec-proposal <ipsec-proposal_name>
    protocol esp encryption <supported_IPsec_algorithm>
    protocol esp integrity <supported_algorithm>
    Note: If AES-GCM is configured as the ESP encryption algorithm, then the integrity must be set as NULL.
  3. Configure an IKE encryption algorithm and DH group:
    crypto ikev2 policy 1
    encryption <supported_ike_algorithm>
    group <supported_dh_group>
  4. Configure a tunnel-group for the primary tunnel:
    tunnel-group <primary_destination_address> type ipsec-l2l
    tunnel-group <primary_destination_address> ipsec-attributes
    ikev2 remote-authentication pre-shared-key <pre-shared-key>
    ikev2 local-authentication pre-shared-key <pre-shared-key>
  5. Configure a tunnel-group for the secondary tunnel:
    tunnel-group <secondary_destination_address> type ipsec-l2l
    tunnel-group <secondary_destination_address> ipsec-attributes
    ikev2 remote-authentication pre-shared-key <pre-shared-key>
    ikev2 local-authentication pre-shared-key <pre-shared-key>
  6. Enable the IKE protocol on the egress interface:
    crypto ikev2 enable <outgoing_interface>
  7. Configure the IKE ID:
    • If using the egress IP address as the IKE ID:
      crypto isakmp identity address
    • If using the device hostname as the IKE ID:
      crypto isakmp identity hostname
    Note: Cisco ASA/FTD will send the bare device hostname as the IKE ID if a valid domain is not configured on the device. For example, if domain-name is not configured and the hostname of the device is ASA1, the device will send ASA1 as the IKE ID. Forcepoint ONE SSE recommends that you configure a valid domain on your device. For example, if the domain-name is fp.com, the device will automatically send ASA1.fp.com as the IKE ID. Ensure the same fully qualified domain name is configured for the device in Forcepoint ONE SSE.
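As an added illustration, not part of the Forcepoint documentation or any Cisco tooling, the following Python script renders steps 1 through 7 from one set of parameters and enforces the two caveats from the notes: an AES-GCM ESP proposal must carry null integrity, and the IKE ID sent under crypto isakmp identity hostname becomes the FQDN only once a domain-name is configured. The proposal name FP-PROPOSAL, the subnet, the peer addresses and the PSK placeholder are constructed sample values.

```python
from dataclasses import dataclass

# AEAD ciphers authenticate on their own; the ASA expects 'null' ESP integrity with them (step 2 note).
AEAD_CIPHERS = {"aes-gcm", "aes-gcm-192", "aes-gcm-256"}

@dataclass
class TunnelParams:
    internal_subnet: str
    subnet_mask: str
    esp_encryption: str
    esp_integrity: str
    ike_encryption: str
    dh_group: int
    primary_peer: str
    secondary_peer: str
    psk: str
    egress_interface: str
    hostname: str
    domain_name: str = ""  # empty models a device with no domain-name configured

def ike_identity(p: TunnelParams) -> str:
    """IKE ID sent under 'crypto isakmp identity hostname': bare hostname, or FQDN once a domain is set."""
    return f"{p.hostname}.{p.domain_name}" if p.domain_name else p.hostname

def render_config(p: TunnelParams) -> str:
    """Render steps 1-7 as ASA CLI, rejecting an AES-GCM proposal that carries a non-null integrity."""
    if p.esp_encryption in AEAD_CIPHERS and p.esp_integrity != "null":
        raise ValueError("AES-GCM ESP encryption requires 'protocol esp integrity null'")
    lines = [
        f"access-list FP extended permit tcp {p.internal_subnet} {p.subnet_mask} any4 eq www",
        f"access-list FP extended permit tcp {p.internal_subnet} {p.subnet_mask} any4 eq https",
        "crypto ipsec ikev2 ipsec-proposal FP-PROPOSAL",  # proposal name is a constructed value
        f" protocol esp encryption {p.esp_encryption}",
        f" protocol esp integrity {p.esp_integrity}",
        "crypto ikev2 policy 1",
        f" encryption {p.ike_encryption}",
        f" group {p.dh_group}",
    ]
    for peer in (p.primary_peer, p.secondary_peer):  # steps 4 and 5 differ only in the peer address
        lines += [f"tunnel-group {peer} type ipsec-l2l", f"tunnel-group {peer} ipsec-attributes",
                  f" ikev2 remote-authentication pre-shared-key {p.psk}",
                  f" ikev2 local-authentication pre-shared-key {p.psk}"]
    lines += [f"crypto ikev2 enable {p.egress_interface}", "crypto isakmp identity hostname"]
    return "\n".join(lines) + "\n"

# Constructed sample values (hypothetical subnet and peers); replace with your Setup Info details.
SAMPLE = TunnelParams("10.1.0.0", "255.255.0.0", "aes-gcm-256", "null", "aes-256", 14,
                      "198.51.100.10", "198.51.100.20", "REPLACE_WITH_PSK", "outside", "ASA1", "fp.com")
```

Calling render_config(SAMPLE) prints the complete primary and secondary tunnel configuration in the order of the steps above, while a SAMPLE variant that pairs aes-gcm-256 with sha-256 integrity is rejected before any CLI is produced.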

Next steps

On Cisco ASA/FTD devices, establish IPsec tunnel failover using the Virtual Tunnel Interface (VTI) method.