{"id":2841,"date":"2026-01-12T22:29:00","date_gmt":"2026-01-12T22:29:00","guid":{"rendered":"https:\/\/www.balajibandi.com\/?p=2841"},"modified":"2026-01-31T12:52:09","modified_gmt":"2026-01-31T12:52:09","slug":"91-days-to-ccie-sec-v6-1-lab","status":"publish","type":"post","link":"https:\/\/www.balajibandi.com\/?p=2841","title":{"rendered":"91 Days to CCIE SEC v6.1 Lab"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\"><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Cisco Site to Site VPN (using FTD or ASA)<\/mark><\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Establishing a Site-to-Site (S2S) IPSec VPN is a core skill for any network security engineer. While the fundamental IKE (Internet Key Exchange) concepts remain the same, the deployment steps vary significantly between the GUI-driven\u00a0<strong>Cisco Firepower Threat Defense (FTD)<\/strong>\u00a0and the CLI-centric\u00a0Cisco ASA using ASDM. <strong>Cisco ASA and Firepower Threat Defense (FTD)<\/strong> devices are still heavily used in enterprise environments.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Core Technical Concepts<\/mark><\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Before configuring, it is essential to understand the two negotiation phases:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Phase 1 (IKEv1\/IKEv2):<\/strong>\u00a0Establishes a secure management tunnel between the two firewall public IPs. This involves negotiating encryption (AES), hashing (SHA), and Diffie-Hellman (DH) groups.<\/li>\n\n\n\n<li><strong>Phase 2 (IPSec):<\/strong>\u00a0Establishes the data tunnel for actual user traffic. 
It defines &#8220;interesting traffic&#8221; (what subnets to encrypt) using a\u00a0<strong>Crypto Map<\/strong>\u00a0(Policy-Based) or a\u00a0<strong>Virtual Tunnel Interface<\/strong>\u00a0(Route-Based).<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">1. The Classic Approach: IKEv1<\/mark><\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">IKEv1 splits its work into two distinct phases. Think of Phase 1 as building the &#8220;secure room&#8221; and Phase 2 as the &#8220;business&#8221; conducted inside that room.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Phase 1: Establishing the Management Tunnel<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The goal here is to create an ISAKMP SA (Security Association). This can happen in two ways:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Main Mode (MM): The Secure Choice (6 Messages)<\/strong>\n<ul class=\"wp-block-list\">\n<li><strong>MM1 &amp; MM2:<\/strong>\u00a0The peers agree on the &#8220;Five Horsemen&#8221;: Hash (SHA\/MD5), Encryption (AES\/3DES), Authentication (PSK\/Cert), DH Group, and Lifetime.<\/li>\n\n\n\n<li><strong>MM3 &amp; MM4:<\/strong>\u00a0The Diffie-Hellman key exchange happens. Encryption keys are now generated.<\/li>\n\n\n\n<li><strong>MM5 &amp; MM6:<\/strong>\u00a0The peers identify themselves (IP addresses) and authenticate. Because these messages are sent\u00a0<em>after<\/em>\u00a0the keys are exchanged, the identities remain encrypted and hidden from eavesdroppers.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Aggressive Mode (AM): The Fast Choice (3 Messages)<\/strong>\n<ul class=\"wp-block-list\">\n<li>AM packs everything into three messages. 
It&#8217;s faster but transmits identities in\u00a0<strong>cleartext<\/strong>, making it less secure and less flexible than Main Mode.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Phase 2: The Data Tunnel (Quick Mode)<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Once the management tunnel is ready,&nbsp;<strong>Quick Mode (QM)<\/strong>&nbsp;kicks in. It uses a 3-message exchange to establish two unidirectional IPsec SAs (one for sending, one for receiving).<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>PFS (Perfect Forward Secrecy):<\/strong>\u00a0An optional but highly recommended feature. It forces the firewall to generate new keys for Phase 2 that aren&#8217;t derived from Phase 1, ensuring that if one key is compromised, the others remain safe.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">2. The Modern Standard: IKEv2<\/mark><\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">IKEv2 was built to fix the complexities and inefficiencies of its predecessor. 
It does away with the &#8220;Modes&#8221; and uses a simple&nbsp;<strong>Request\/Response<\/strong>&nbsp;architecture.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The Streamlined Exchange<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">While IKEv1 requires&nbsp;<strong>9 messages<\/strong>&nbsp;(6 for MM + 3 for QM) to get traffic flowing, IKEv2 does it in just&nbsp;<strong>4 messages<\/strong>:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>IKE_SA_INIT:<\/strong>\u00a0Negotiates crypto and performs the DH exchange in one round trip.<\/li>\n\n\n\n<li><strong>IKE_AUTH:<\/strong>\u00a0Authenticates the session and creates the first &#8220;Child SA&#8221; (the IPsec data tunnel).<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">3. Why Upgrade? IKEv2 Improvements<\/mark><\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If your hardware supports it, IKEv2 is the clear winner for several reasons:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Efficiency:<\/strong>\u00a0Fewer messages mean faster tunnel establishment and less bandwidth overhead.<\/li>\n\n\n\n<li><strong>Asymmetric Authentication:<\/strong>\u00a0One side can use a Certificate while the other uses a Pre-Shared Key\u2014perfect for B2B setups with different security policies.<\/li>\n\n\n\n<li><strong>Next-Gen Encryption (NGE):<\/strong>\u00a0Native support for\u00a0<strong>ECDSA-SIG<\/strong>\u00a0(Elliptic Curve) for stronger security with shorter keys.<\/li>\n\n\n\n<li><strong>Mobile Friendly:<\/strong>\u00a0Native support for\u00a0<strong>EAP<\/strong>\u00a0(Extensible Authentication Protocol) makes it the industry standard for remote-access VPNs.<\/li>\n\n\n\n<li><strong>Resilience:<\/strong>\u00a0Includes\u00a0<strong>Anti-DoS<\/strong>\u00a0features to protect the firewall&#8217;s CPU during a flood of connection requests.<\/li>\n<\/ul>\n\n\n\n<p 
class=\"wp-block-paragraph\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\"><strong>FTD to FTD (via Management Center\/FMC)<\/strong>; you can also use the <strong>FDM on-box management tool<\/strong><\/mark><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Cisco FTD is typically managed via the&nbsp;<strong>Secure Firewall Management Center (FMC)<\/strong>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>1. Define the Topology<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Navigate to\u00a0<strong>Devices > VPN > Site to Site<\/strong>.<\/li>\n\n\n\n<li>Click\u00a0<strong>Add VPN > Firepower Threat Defense Device<\/strong>.<\/li>\n\n\n\n<li>Choose\u00a0<strong>Point to Point<\/strong>\u00a0and select\u00a0<strong>IKEv2<\/strong>\u00a0(industry standard).<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>2. Configure Endpoints (Nodes)<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Node A (FTD1):<\/strong>\u00a0Select the device and the outside interface. Add a\u00a0<strong>Network Object<\/strong>\u00a0for its local protected subnet (e.g.,\u00a0<code>10.1.1.0\/24<\/code>).<\/li>\n\n\n\n<li><strong>Node B (FTD2):<\/strong>\u00a0Repeat the process for the second FTD and its subnet (e.g.,\u00a0<code>10.2.2.0\/24<\/code>).<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>3. Phase 1 &amp; 2 Parameters<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>IKE Tab:<\/strong>\u00a0Create an IKE Policy. Use\u00a0<code>AES-256<\/code>,\u00a0<code>SHA-256<\/code>, and\u00a0<code>DH Group 14<\/code>.<\/li>\n\n\n\n<li><strong>IPSec Tab:<\/strong>\u00a0Create an IPSec Proposal (Transform Set). 
Ensure it matches the IKE settings (e.g.,\u00a0<code>ESP-AES-256<\/code>\u00a0and\u00a0<code>ESP-SHA-256<\/code>).<\/li>\n\n\n\n<li><strong>Authentication:<\/strong>\u00a0Select\u00a0<strong>Pre-shared Manual Key<\/strong>\u00a0and enter a complex password.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>4. Crucial Final Steps: NAT &amp; Access Control<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>NAT Exempt:<\/strong>\u00a0You must create a\u00a0Manual NAT rule\u00a0that tells the FTD\u00a0<em>not<\/em>\u00a0to perform PAT on traffic destined for the remote VPN subnet.<\/li>\n\n\n\n<li><strong>Access Control (ACP):<\/strong>\u00a0Create a rule allowing traffic from\u00a0<code>Local_Subnet<\/code>\u00a0to\u00a0<code>Remote_Subnet<\/code>\u00a0and vice-versa.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p class=\"wp-block-paragraph\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\"><strong>ASA to ASA (via CLI or we can also use ASDM)<\/strong> <\/mark><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The ASA uses a structured CLI approach. 
Configuration must be mirrored on both sides.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Step 1: Define Interesting Traffic (ACL)<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>access-list VPN-ACL extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Step 2: Phase 1 (IKEv2 Policy)<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>crypto ikev2 policy 10\n encryption aes-256\n integrity sha256\n group 14\n prf sha256\n lifetime seconds 86400\ncrypto ikev2 enable outside\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Step 3: Phase 2 (IPSec Transform Set &amp; Crypto Map)<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>crypto ipsec ikev2 ipsec-proposal MY-PROPOSAL\n protocol esp encryption aes-256\n protocol esp integrity sha-256\n\ncrypto map OUTSIDE-MAP 10 match address VPN-ACL\n! 192.168.100.10 is the remote peer's public IP\ncrypto map OUTSIDE-MAP 10 set peer 192.168.100.10\ncrypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal MY-PROPOSAL\ncrypto map OUTSIDE-MAP interface outside\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Step 4: Tunnel Group (Authentication)<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>tunnel-group 192.168.100.10 type ipsec-l2l\ntunnel-group 192.168.100.10 ipsec-attributes\n ikev2 local-authentication pre-shared-key MySecretKey\n ikev2 remote-authentication pre-shared-key MySecretKey\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Step 5: NAT Exemption<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>! LOCAL-NET and REMOTE-NET are network objects for 10.1.1.0\/24 and 10.2.2.0\/24\nnat (inside,outside) source static LOCAL-NET LOCAL-NET destination static REMOTE-NET REMOTE-NET\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Verification Commands<\/mark><\/strong><\/p>\n\n\n\n<p 
class=\"wp-block-paragraph\">To confirm the tunnel is active, use these CLI commands on either platform:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>show crypto ikev2 sa<\/code>: Verifies if Phase 1 is &#8220;Ready&#8221; or &#8220;Up&#8221;.<\/li>\n\n\n\n<li><code>show crypto ipsec sa<\/code>: Verifies if Phase 2 is encrypting\/decrypting packets.<\/li>\n\n\n\n<li><code>packet-tracer<\/code>: Use the\u00a0Cisco Packet Tracer tool\u00a0to simulate a packet and see where it hits a drop or an encryption phase.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">IKEv1 Troubleshooting Logs<\/mark><\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">IKEv1 uses specific states to indicate where the negotiation is failing.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><code>MM_WAIT_MSG2<\/code>\u00a0(Initiator stuck):<\/strong>\u00a0The firewall sent the first packet (Phase 1 policy) but got no response.\n<ul class=\"wp-block-list\">\n<li><strong>Cause:<\/strong>\u00a0Routing issues, peer is down, or a firewall is blocking\u00a0<strong>UDP 500\/4500<\/strong>.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong><code>MM_WAIT_MSG6<\/code>\u00a0(Authentication):<\/strong>\u00a0The tunnel fails at the final step of Phase 1.\n<ul class=\"wp-block-list\">\n<li><strong>Cause:<\/strong>\u00a0Almost always a\u00a0<strong>Pre-Shared Key (PSK)<\/strong>\u00a0mismatch.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong><code>NO_PROPOSAL_CHOSEN<\/code>:<\/strong>\u00a0The local and remote firewalls don&#8217;t have matching encryption or hash settings.\n<ul class=\"wp-block-list\">\n<li><strong>Solution:<\/strong>\u00a0Compare Phase 1 policies (AES, SHA, DH Group) and ensure at least one matches perfectly.\u00a0<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color 
has-vivid-red-color\">IKEv2 Troubleshooting Logs<\/mark><\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">IKEv2 is more streamlined but uses &#8220;Notify&#8221; codes to signal errors.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><code>AUTHENTICATION_FAILED<\/code>:<\/strong>\u00a0The peers couldn&#8217;t verify each other.\n<ul class=\"wp-block-list\">\n<li><strong>Cause:<\/strong>\u00a0Mismatched PSKs or a mismatch in the\u00a0<strong>IKE ID<\/strong>\u00a0(e.g., one side expects an IP, the other sends a hostname).<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong><code>TS_UNACCEPTABLE<\/code>\u00a0(Traffic Selector):<\/strong>\u00a0Phase 1 is up, but the data tunnel (Phase 2) failed.\n<ul class=\"wp-block-list\">\n<li><strong>Cause:<\/strong>\u00a0The local protected network does not match the remote&#8217;s &#8220;interesting traffic&#8221; ACL. If you use\u00a0<code>10.1.1.0\/24<\/code>, the peer must have a mirror rule for\u00a0<code>10.1.1.0\/24<\/code>.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong><code>INVALID_ID_INFORMATION<\/code>:<\/strong>\u00a0A failure during the Phase 2 negotiation.\n<ul class=\"wp-block-list\">\n<li><strong>Cause:<\/strong>\u00a0Often caused by\u00a0<strong>Proxy ID<\/strong>\u00a0(subnet) mismatches between different vendors (e.g., ASA to Palo Alto).\u00a0<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>General &#8220;Standard&#8221; Errors (Both Versions)<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><code>Peer is not responsive - Declaring peer dead<\/code>:<\/strong>\u00a0The tunnel was up but dropped.\n<ul class=\"wp-block-list\">\n<li><strong>Cause:<\/strong>\u00a0DPD (Dead Peer Detection) timed out due to ISP instability or the remote device rebooting.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong><code>NAT-T<\/code>\u00a0Errors:<\/strong>\u00a0If the firewall is behind a NAT device, ensure\u00a0<strong>UDP 4500<\/strong>\u00a0is 
open.<\/li>\n\n\n\n<li><strong><code>QM_IDLE<\/code>\u00a0(IKEv1 only):<\/strong>\u00a0This is the\u00a0<strong>success<\/strong>\u00a0state. If you see this, Phase 1 is perfect and the issue is likely in Phase 2 or routing.\u00a0<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Top Verification Commands<\/mark><\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Run these in the CLI to see real-time status:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong><code>show crypto ikev2 sa<\/code><\/strong>\u00a0(or\u00a0<code>isakmp sa<\/code>\u00a0for v1): Check if the state is\u00a0<code>READY<\/code>\u00a0or stuck.<\/li>\n\n\n\n<li><strong><code>show crypto ipsec sa<\/code><\/strong>: Look for &#8220;pkts encaps\/decaps.&#8221; If one is 0, traffic is one-way.<\/li>\n\n\n\n<li><strong><code>debug crypto ike-common 10<\/code><\/strong>: High-level debugging to see the handshake fail in real-time<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Happy Labinggggggggggggggg &#8230;!<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cisco Site to Site VPN (using FTD or ASA) Establishing a Site-to-Site (S2S) IPSec VPN is a core skill for any network security engineer. While the fundamental IKE (Internet Key Exchange) concepts remain the same, the deployment steps vary significantly between the GUI-driven\u00a0Cisco Firepower Threat Defence (FTD)\u00a0and the CLI-centric\u00a0Cisco ASA using ASDM. 
Cisco ASA and [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,2],"tags":[],"class_list":["post-2841","post","type-post","status-publish","format-standard","hentry","category-ccie-sec","category-cisco"],"_links":{"self":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/2841","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2841"}],"version-history":[{"count":1,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/2841\/revisions"}],"predecessor-version":[{"id":2842,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/2841\/revisions\/2842"}],"wp:attachment":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2841"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2841"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2841"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}