A site-to-site VPN tunnel connects networks in different geographic locations. You can create site-to-site IPsec connections between managed devices and between managed devices and other Cisco or third-party peers that comply with all relevant standards. These peers can have any mix of inside and outside IPv4 and IPv6 addresses. Site-to-site tunnels are built using the Internet Protocol Security (IPsec) protocol suite and Internet Key Exchange version 2 (IKEv2). After the VPN connection is established, the hosts behind the local gateway can connect to the hosts behind the remote gateway through the secure VPN tunnel.
Cisco Defense Orchestrator (CDO) supports these aspects of site-to-site VPN functionality on Firepower Threat Defense devices:
- Both IPsec IKEv1 & IKEv2 protocols are supported
- Automatic or manual pre-shared keys for authentication
- IPv4 addressing
- IPsec IKEv2 site-to-site VPN topologies provide configuration settings to comply with Security Certifications
- Static interfaces
- Support for the dynamic IP address for extranet device as an endpoint
To create a new site-to-site VPN topology you must provide a unique name, specify a topology type, choose the IKE version that is used for IPsec IKEv1 or IKEv2, or both and authentication method. Once configured, you deploy the topology to Firepower Threat Defense devices.
IPsec and IKE
In Cisco Defense Orchestrator, site-to-site VPNs are configured based on IKE policies and IPsec proposals that are assigned to VPN topologies. Policies and proposals are sets of parameters that define the characteristics of a site-to-site VPN, such as the security protocols and algorithms that are used to secure traffic in an IPsec tunnel. Several policy types may be required to define a full configuration image that can be assigned to a VPN topology.
For authentication of VPN connections, configure a pre-shared key in the topology on each device. Pre-shared keys allow a secret key, used during the IKE authentication phase, to be shared between two peers.
Each topology type can include extranet devices that you do not manage in CDO. These include:
- Cisco devices that CDO supports, but for which your organization is not responsible. Such as spokes in networks managed by other organizations within your company, or a connection to a service provider or partner's network.
- Non-managed devices. You cannot use CDO to create and deploy configurations to non-managed devices. Add non-managed devices to a VPN topology as "Extranet" devices. Also, specify the IP address of each remote device.
Firepower Threat Defense Site-to-Site VPN Guidelines and Limitations
- CDO does not support a crypto-acl to design the interesting traffic for S2S VPN. It only supports protected networks.
- Whenever IKE ports 500/4500 are in use or when there are some PAT translations that are active, the site-to-site VPN cannot be configured on the same ports as it fails to start the service on those ports.
- Transport mode is not supported only tunnel mode. IPsec tunnel mode encrypts the entire original IP datagram which becomes the payload in a new IP packet. Use tunnel mode when the firewall is protecting traffic to and from hosts positioned behind a firewall. Tunnel mode is the normal way regular IPsec is implemented between two firewalls (or other security gateways) that are connected over an untrusted network, such as the Internet.
- For this release, only PTP topology is supported, containing one or more VPN tunnels. Point-to-point (PTP) deployments establish a VPN tunnel between two endpoints.
- The Cisco Defense Orchestrator configures site-to-site VPNs only on FTD devices.