A site-to-site VPN tunnel connects networks in different geographic locations. You can create site-to-site IPsec connections between managed devices and other Cisco or third-party peers that comply with all relevant standards. These peers can have any mix of inside and outside IPv4 and IPv6 addresses. Site-to-site tunnels are built using the Internet Protocol Security (IPsec) protocol suite and Internet Key Exchange version 2 (IKEv2). After the VPN connection is established, the hosts behind the local gateway can connect to the hosts behind the remote gateway through the secure VPN tunnel.
To create a new site-to-site VPN topology you must provide a unique name, specify a topology type, choose the IKE version that is used for IPsec IKEv1 or IKEv2, or both and authentication method. Once configured, you deploy the topology to Firepower Threat Defense devices.
ASA devices associated with an Umbrella organization utilize SASE tunnels, which combine IPsec and VTI technology and forward traffic to Umbrella Secure Internet Gateway (SIG) for protected inspection.
IPsec and IKE
In Cisco Defense Orchestrator, site-to-site VPNs are configured based on IKE policies and IPsec proposals that are assigned to VPN topologies. Policies and proposals are sets of parameters that define the characteristics of a site-to-site VPN, such as the security protocols and algorithms that are used to secure traffic in an IPsec tunnel. Several policy types may be required to define a full configuration image that can be assigned to a VPN topology.
For authentication of VPN connections, configure a pre-shared key in the topology on each device. Pre-shared keys allow a secret key, used during the IKE authentication phase, to be shared between two peers.
Virtual Tunnel Interface (VTI)
CDO supports VTI tunnels for ASA devices associated with an Umbrella organization.
CDO does not currently support the management, monitoring, or use of Virtual Tunnel Interface (VTI) tunnels on FTD devices. Devices with configured VTI tunnels can be onboarded to CDO but it ignores the VTI interfaces. If a security zone or static route references a VTI, CDO reads the security zone and static route without the VTI reference.
- Monitoring ASA, FTD, and AWS Site-to-Site Virtual Private Network
- Configuring Site-to-Site VPN for Firepower Threat Defense
- Configure a SASE Tunnel for Umbrella