Example IPsec configuration for Cisco ASA/FTD

This topic provides an example IPsec configuration that needs to be done on Cisco ASA/FTD to route HTTP and HTTPS traffic to Forcepoint ONE SSE via IPsec tunnels.

access-list FP extended permit tcp 192.168.122.0 255.255.255.0 any4 eq www
access-list FP extended permit tcp 192.168.122.0 255.255.255.0 any4 eq https

crypto ipsec ikev2 ipsec-proposal FONE_proposal
protocol esp encryption AES-GCM-256
protocol esp integrity null

crypto ikev2 policy 1
encryption aes-256
group 19

tunnel-group 3.141.173.255 type ipsec-l2l
tunnel-group 3.141.173.255 ipsec-attributes
ikev2 remote-authentication pre-shared-key N3Sp6T9CaTB6BolmyUnPJv1ci7fmfPzq
ikev2 local-authentication pre-shared-key N3Sp6T9CaTB6BolmyUnPJv1ci7fmfPzq

tunnel-group 3.21.66.23 type ipsec-l2l
tunnel-group 3.21.66.23 ipsec-attributes
ikev2 remote-authentication pre-shared-key N3Sp6T9CaTB6BolmyUnPJv1ci7fmfPzq
ikev2 local-authentication pre-shared-key N3Sp6T9CaTB6BolmyUnPJv1ci7fmfPzq

crypto ikev2 enable outside

If using the egress IP address as the IKE ID:
crypto isakmp identity address
If using the device hostname as the IKE ID:
crypto isakmp identity hostname

crypto ipsec profile FONE_IPsec_Profile
set ikev2 ipsec-proposal FONE_proposal
set security-association lifetime kilobytes 4608000
set security-association lifetime seconds 28800

interface Tunnel0
nameif vti
ip address 192.168.254.1 255.255.255.252
tunnel source interface 200
tunnel destination 3.141.173.255
tunnel mode ipsec ipv4
tunnel protection ipsec profile FONE_IPsec_Profile

interface Tunnel1
nameif vti_backup
ip address 192.168.254.5 255.255.255.252
tunnel source interface 200
tunnel destination 3.21.66.23
tunnel mode ipsec ipv4
tunnel protection ipsec profile FONE_IPsec_Profile

route-map toVTI permit 10
match ip address FP
set ip next-hop 192.168.254.2 192.168.254.6
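As an added sanity check that is not part of the Forcepoint page or of any Cisco tooling, the following Python lint reads the ACL, tunnel-group, VTI and route-map lines of the snippet above and flags the mistakes that silently break this design: an ACL mask written in IOS wildcard form (ASA takes subnet masks), a tunnel destination with no matching ipsec-l2l tunnel-group, and a PBR next-hop that does not sit on one of the VTI /30 subnets. The embedded configuration sample is constructed from this page's lines.

```python
import ipaddress
import re
# Constructed sample: the relevant lines of this page's ASA/FTD snippet.
ASA_CONFIG = """\
access-list FP extended permit tcp 192.168.122.0 255.255.255.0 any4 eq www
access-list FP extended permit tcp 192.168.122.0 255.255.255.0 any4 eq https
tunnel-group 3.141.173.255 type ipsec-l2l
tunnel-group 3.21.66.23 type ipsec-l2l
interface Tunnel0
 ip address 192.168.254.1 255.255.255.252
 tunnel destination 3.141.173.255
interface Tunnel1
 ip address 192.168.254.5 255.255.255.252
 tunnel destination 3.21.66.23
route-map toVTI permit 10
 match ip address FP
 set ip next-hop 192.168.254.2 192.168.254.6
"""

def is_subnet_mask(mask: str) -> bool:
    """True for a contiguous netmask (255.255.255.0); False for a wildcard (0.0.0.255)."""
    m = int(ipaddress.IPv4Address(mask))
    return m == 0 or (m | (m - 1)) == 0xFFFFFFFF

def lint_vti_config(config: str) -> list[str]:
    """Return the problems found in an ASA VTI/PBR snippet (empty list = consistent)."""
    problems, vti_nets, destinations, tunnel_groups, next_hops = [], [], [], set(), []
    in_tunnel = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            in_tunnel = line.startswith("interface Tunnel")
        elif m := re.match(r"access-list \S+ extended permit \S+ (\S+) (\S+) ", line):
            if not is_subnet_mask(m[2]):   # ASA ACLs take netmasks, not IOS wildcards
                problems.append(f"ACL mask {m[2]} for {m[1]} is not a subnet mask")
        elif in_tunnel and (m := re.match(r"ip address (\S+) (\S+)", line)):
            vti_nets.append(ipaddress.ip_interface(f"{m[1]}/{m[2]}").network)
        elif in_tunnel and (m := re.match(r"tunnel destination (\S+)", line)):
            destinations.append(m[1])
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
            tunnel_groups.add(m[1])
        elif m := re.match(r"set ip next-hop (.+)", line):
            next_hops.extend(m[1].split())
    for dest in destinations:
        if dest not in tunnel_groups:
            problems.append(f"tunnel destination {dest} has no ipsec-l2l tunnel-group")
    for hop in next_hops:  # PBR next-hops must sit on a directly connected VTI /30
        if not any(ipaddress.ip_address(hop) in net for net in vti_nets):
            problems.append(f"next-hop {hop} is not on any VTI subnet")
    return problems
```

Run it against a copy of the running configuration before pushing the change; the page's original wildcard-style ACL masks are exactly the kind of slip it reports.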