Thursday, June 10, 2021

Firepower VTI to AWS

I have set up an IPsec VPN to AWS on a Firepower device using VTI tunnels. With AWS you can only initiate VPNs from the customer side (not the AWS side). Normally with other vendors like Juniper etc. you have the option to "establish-tunnels-immediately" or similar, where it will automatically try to bring up the VPN.

How does this work from a VTI point of view? The route to AWS is via the VTI interface, but because the VTI interface is down the route is not in the route table. It's a chicken-and-egg scenario. So if you try to initiate traffic to go over the VPN it never even tries. This is confirmed if you run a packet-tracer; it just shows the packet going out the outside interface.

If you do a debug on the Firepower there are zero logs for VPN traffic.
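To make the chicken-and-egg behaviour concrete, here is a small Python model of destination-based forwarding that I have added to this post; it is not Firepower code and does not talk to any device. It assumes a simplified rule that a static route is only installed in the forwarding table while its egress interface is up, which is what the packet-tracer result above implies: with the VTI down, the only remaining match for the AWS prefix is the default route, so the packet leaves the outside interface in the clear and never triggers IKE. The interface names, prefixes and addresses are constructed sample values, and the stranded_prefixes helper is a hypothetical check that flags prefixes whose every route depends on a down interface.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str  # egress interface the route points at


@dataclass
class Router:
    interfaces: dict  # interface name -> link up (True) / down (False)
    routes: list      # configured static routes (RIB)

    def fib(self) -> list:
        """Routes eligible for forwarding: only those whose egress interface is up.
        This is the simplifying assumption behind the model."""
        return [r for r in self.routes if self.interfaces.get(r.interface, False)]

    def lookup(self, dst: str):
        """Longest-prefix match against the FIB; returns the egress interface or None."""
        addr: IPv4Address = ip_address(dst)
        matches = [r for r in self.fib() if addr in r.prefix]
        if not matches:
            return None
        return max(matches, key=lambda r: r.prefix.prefixlen).interface


def build_router(tunnel_up: bool) -> Router:
    """Constructed sample topology: a default route out 'outside' and the
    (hypothetical) AWS VPC prefix 10.20.0.0/16 reachable only via the VTI."""
    return Router(
        interfaces={"outside": True, "Tunnel1": tunnel_up},
        routes=[
            Route(ip_network("0.0.0.0/0"), "outside"),
            Route(ip_network("10.20.0.0/16"), "Tunnel1"),
        ],
    )


def egress_for(dst: str, tunnel_up: bool):
    """Which interface a packet to dst would leave on, given the VTI state."""
    return build_router(tunnel_up).lookup(dst)


def stranded_prefixes(router: Router) -> list:
    """Hypothetical sanity check: prefixes that have routes in the RIB but none
    in the FIB, i.e. destinations that will silently fall through to a less
    specific route (here the default) instead of the intended tunnel."""
    fib_prefixes = {r.prefix for r in router.fib()}
    stranded = sorted(
        {r.prefix for r in router.routes if r.prefix not in fib_prefixes},
        key=lambda p: (p.prefixlen, int(p.network_address)),
    )
    return [str(p) for p in stranded]


if __name__ == "__main__":
    # VTI down: the AWS-bound packet matches only the default route.
    print("tunnel down ->", egress_for("10.20.1.5", tunnel_up=False))
    print("stranded:", stranded_prefixes(build_router(tunnel_up=False)))
    # VTI up: the /16 via Tunnel1 wins on prefix length.
    print("tunnel up   ->", egress_for("10.20.1.5", tunnel_up=True))
```

The stranded_prefixes output is the condition worth alarming on: any prefix listed there is traffic you meant to encrypt that is currently being routed somewhere else, which is the silent failure mode the packet-tracer run revealed.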

Thanks
