Cisco Defense Orchestrator

Create a Site-To-Site VPN

You can create a site-to-site VPN using one of two methods: simple configuration or advanced configuration. If either or both devices are extranet devices, you must use the advanced configuration, because extranet devices do not support simple configuration. For this release, only the point-to-point (PTP) topology is supported, containing one or more VPN tunnels. A PTP deployment establishes a VPN tunnel between two endpoints.

Create a Site-To-Site VPN using the Simple Configuration

  1. On the navigation bar, choose VPN.
  2. Click the blue plus button to create a VPN Tunnel.

Note: Alternatively, you can create the Site-to-Site VPN connection from the Devices & Services page:

    1. On the navigation bar, click Devices & Services.
    2. Select the two FTD devices that you want to configure.
    3. In the right pane, under Device Actions, click Create Site-to-Site VPN.

  3. Enter a unique topology Configuration Name. We recommend naming your topology to indicate that it is an FTD VPN and its topology type.
  4. Choose the endpoint devices for this VPN deployment from Devices.
  5. Choose the VPN Access Interface for the endpoint devices.
  6. Click the blue plus button to add the Protected Networks for the participating devices.
  7. (Optional) Select NAT Exempt to exempt the VPN traffic from NAT policies on the local VPN access interface. It must be configured manually for individual peers.
    If you do not want NAT rules to apply to the local network, select the interface that hosts the local network. This option works only if the local network resides behind a single routed interface (not a bridge group member).
    If the local network is behind more than one routed interface or one or more bridge group members, you must manually create the NAT exempt rules. For information on manually creating the required rules, see Exempting Site-to-Site VPN Traffic from NAT.
  8. Click Create VPN, and then click Finish.
  9. Perform the additional mandatory configuration. See Configure networking for protected traffic between the Site-To-Site Peers.

The Site-To-Site VPN is configured.

Create a Site-To-Site VPN using the Advanced Configuration

  1. On the navigation bar, choose VPN.
  2. Click the blue plus button to create a VPN Tunnel.
  3. In the Peer Devices section, specify the following device configurations:
    1. Enter a unique topology Configuration Name. We recommend naming your topology to indicate that it is an FTD VPN and its topology type.
    2. Choose the endpoint devices for this VPN deployment from Devices. If you select an extranet device, specify the extranet device’s IP address.
    3. Choose the VPN Access Interface for the endpoint devices.
    4. Click the blue plus button to add the Protected Networks for the participating devices.
    5. Click Advanced.
  4. In the IKE Settings section, choose the IKE versions to use during Internet Key Exchange (IKE) negotiations and specify the privacy configurations:
    For more information on IKE policies, see Configuring the Global IKE Policy.
    Note: IKE policies are global to a device and apply to all VPN tunnels associated with it. Therefore, adding or deleting policies affects all VPN tunnels in which this device is participating.
    • Select either or both IKE versions as appropriate.
      Note: By default, IKE Version 2 is enabled, along with the IKEv2 policies.
    • Click the blue plus button and select the IKEv2 policies.
      Click Create New IKEv2 Policy to create new IKEv2 policies. Alternatively, you can go to the CDO navigation bar and click Objects > Create Object > IKEv2 Policy. For more information about creating new IKEv2 policies, see Configuring IKEv2 Policies.
      To delete an existing IKEv2 Policy, hover over the selected policy and click the x icon.
    • Click IKE Version 1 to enable it.
    • Click the blue plus button and select the IKEv1 policies.
      Click Create New IKEv1 Policy to create new IKEv1 policies. Alternatively, you can go to the CDO navigation bar and click Objects > Create Object > IKEv1 Policy. For more information about creating new IKEv1 policies, see Configuring IKEv1 Policies.
      To delete an existing IKEv1 Policy, hover over the selected policy and click the x icon.
    • Enter the Pre-Shared Key for the participating devices. Pre-shared keys are secret key strings configured on each peer in the connection. IKE uses these keys during the authentication phase.
      • (IKEv2) Peer 1 Pre-shared Key, Peer 2 Pre-shared Key: For IKEv2, you can configure unique keys on each peer. Enter the Pre-shared Key. You can click the Show Override button and enter the appropriate pre-shared key for the peer. The key can be 1-127 alphanumeric characters. The following table describes the purpose of the pre-shared key for both peers.

                  Local Pre-shared Key       Remote Peer Pre-shared Key
          Peer 1  Peer 1 Pre-shared Key      Peer 2 Pre-shared Key
          Peer 2  Peer 2 Pre-shared Key      Peer 1 Pre-shared Key

      • (IKEv1) Pre-shared Key: For IKEv1, you must configure the same pre-shared key on each peer. The key can be 1-127 alphanumeric characters. In this scenario, Peer 1 and Peer 2 use the same pre-shared key to encrypt and decrypt data.
    • Click Next.
  5. In the IPSec Settings section, specify the IPSec configurations. The corresponding IKE proposals are available depending on the IKE versions selected in the IKE Settings step.
    For more information on the IPSec settings, see Configuring IPSec Proposals.
    1. Click the blue plus button and select the IKEv2 proposals. To delete an existing IKEv2 Proposal, hover over the selected proposal and click the x icon.
      Note: Click Create New IKEv2 Proposal to create new IKEv2 proposals. Alternatively, you can go to the CDO navigation bar and click Objects > Create Object > IKEv2 IPSec Proposal. For more information about creating new IKEv2 proposals, see Configuring IPSec Proposals for IKEv2.
    2. Choose the Diffie-Hellman Group for Perfect Forward Secrecy. For more information, see Deciding Which Diffie-Hellman Modulus Group to Use.
    3. Click Create VPN.
    4. Read the configuration and then click Finish if you’re satisfied.
    5. Perform the additional mandatory configuration. See Configure networking for protected traffic between the Site-To-Site Peers.
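As an added example (not from the Cisco documentation), the following Python script models the IKE Settings step above: the either-or-both IKE version selection, the 1-127 alphanumeric pre-shared key rule, and the per-peer local/remote key layout from the table, so that the keys deployed to the two peers can be checked for consistency after the fact (for instance, when a key has been changed on one device out of band). The key strings and policy names are constructed placeholders; the checks are a model of the rules stated on this page, not CDO's own validation logic.

```python
"""IKE Settings sanity check for a point-to-point site-to-site VPN.

Models the IKE Settings step: at least one IKE version enabled with a
policy, pre-shared keys of 1-127 alphanumeric characters, IKEv1 using one
shared key, and IKEv2 allowing a key per peer where each peer's local key
is the other peer's remote key (the table in the text). Key values and
policy names used below are constructed placeholders.
"""
from dataclasses import dataclass
import hmac

PSK_MIN, PSK_MAX = 1, 127


@dataclass(frozen=True)
class PeerIkeConfig:
    """Key material that lands on one FTD: its own key and the key it
    expects the remote peer to present."""
    name: str
    local_psk: str
    remote_psk: str


def psk_errors(label: str, key: str) -> list[str]:
    """Check one key against the length and character rules in the text."""
    errs = []
    if not PSK_MIN <= len(key) <= PSK_MAX:
        errs.append(f"{label}: length {len(key)} not in {PSK_MIN}-{PSK_MAX}")
    if key and not all(c.isascii() and c.isalnum() for c in key):
        errs.append(f"{label}: must be alphanumeric")
    return errs


def keys_match(a: str, b: str) -> bool:
    # Constant-time comparison so the check itself leaks nothing about the key.
    return hmac.compare_digest(a.encode(), b.encode())


def deploy_ikev2_keys(peer1_psk: str, peer2_psk: str):
    """Expand the topology-level Peer 1 / Peer 2 keys into the per-peer
    local/remote pairs shown in the table."""
    return (PeerIkeConfig("Peer 1", peer1_psk, peer2_psk),
            PeerIkeConfig("Peer 2", peer2_psk, peer1_psk))


def deploy_ikev1_key(psk: str):
    """IKEv1: the same key is configured on both peers."""
    return (PeerIkeConfig("Peer 1", psk, psk), PeerIkeConfig("Peer 2", psk, psk))


def verify_peer_keys(a: PeerIkeConfig, b: PeerIkeConfig) -> list[str]:
    """Verify two deployed peers agree: each local key must equal the other
    peer's remote key. Catches a key edited on one device only."""
    errs = []
    for cfg in (a, b):
        errs += psk_errors(f"{cfg.name} local key", cfg.local_psk)
        errs += psk_errors(f"{cfg.name} remote key", cfg.remote_psk)
    if not keys_match(a.local_psk, b.remote_psk):
        errs.append(f"{a.name} local key differs from {b.name} remote key")
    if not keys_match(b.local_psk, a.remote_psk):
        errs.append(f"{b.name} local key differs from {a.name} remote key")
    return errs


def validate_ike_versions(ikev1: bool, ikev1_policies: list[str],
                          ikev2: bool, ikev2_policies: list[str]) -> list[str]:
    """Either or both versions may be selected, but each enabled version
    needs at least one policy (IKE policies are per device, not per tunnel)."""
    errs = []
    if not (ikev1 or ikev2):
        errs.append("enable IKEv1, IKEv2 or both")
    if ikev1 and not ikev1_policies:
        errs.append("IKEv1 enabled but no IKEv1 policy selected")
    if ikev2 and not ikev2_policies:
        errs.append("IKEv2 enabled but no IKEv2 policy selected")
    return errs


if __name__ == "__main__":
    # Constructed example: unique keys per peer under IKEv2.
    p1, p2 = deploy_ikev2_keys("Peer1ExampleKey2024", "Peer2ExampleKey2024")
    print("as deployed:", verify_peer_keys(p1, p2))
    # Peer 2's remote key was changed on the box: the mismatch is reported.
    drift = PeerIkeConfig(p2.name, p2.local_psk, "SomethingElse")
    print("after drift:", verify_peer_keys(p1, drift))
    print(validate_ike_versions(False, [], True, ["ikev2-policy-example"]))
```

The constant-time comparison is not strictly needed for a configuration audit, but comparing secrets with `==` is a habit worth avoiding anywhere key material is handled.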

Configure Networking for Protected Traffic Between the Site-To-Site Peers

After completing the configuration of the Site-To-Site connection, make sure that you perform the following configuration on all targeted devices so that the VPN functions.

  1. Configure AC policies:
    Configure AC policies for permitting bidirectional traffic between the protected networks behind both peers. These policies let the packets reach their intended destination without being dropped.

    Note: You must create AC policies for incoming and outgoing traffic on both peers.

    1. In the CDO navigation bar at the left, click Policies and select the option that you want.
    2. Create policies for incoming and outgoing traffic on both peers. For more information on AC policy creation, see Configure the Firepower Threat Defense Access Control Policy.

      The following example shows the steps for creating AC policies on both peers.

      Consider two FTD devices, 'FTD_BGL_972' and 'FTD_BGL_973', with a Site-To-Site VPN connection between their protected networks 'boulder-network' and 'sanjose-network' respectively.

Creating the AC policy for permitting incoming traffic:

The policy 'Permit_incoming_VPN_traffic_from_973' is created on the 'FTD_BGL_972' device for allowing incoming traffic from the peer ('FTD_BGL_973').

  • Source Zone: Set the zone of the peer device from which the network traffic originates. In this example, the traffic originates from FTD_BGL_973 and reaches FTD_BGL_972.
  • Source Network: Set the protected network of the peer device from which the network traffic originates. In this example, traffic originates from 'sanjose-network', which is the protected network behind the peer device (FTD_BGL_973).
  • Destination Network: Set the protected network of the device on which the network traffic arrives. In this example, traffic arrives at 'boulder-network', which is the protected network behind this device (FTD_BGL_972).
    Note: The remaining fields can keep the default value ("Any").
  • Set Action to Allow to permit the traffic, subject to the intrusion and other inspection settings in the policy.

Creating the AC policy for permitting outgoing traffic:

The policy 'Permit_outgoing_VPN_traffic_to_973' is created on the 'FTD_BGL_972' device for permitting outgoing traffic to the peer ('FTD_BGL_973').

  • Source Network: Set the protected network of the device from which the network traffic originates. In this example, traffic originates from 'boulder-network', which is the protected network behind this device (FTD_BGL_972).
  • Destination Zone: Set the zone of the peer device on which the network traffic arrives. In this example, the traffic originates from FTD_BGL_972 and reaches FTD_BGL_973.
  • Destination Network: Set the protected network of the peer on which the network traffic arrives. In this example, traffic arrives at 'sanjose-network', which is the protected network behind the peer device (FTD_BGL_973).
    Note: The remaining fields can keep the default value ("Any").
  • Set Action to Allow to permit the traffic, subject to the intrusion and other inspection settings in the policy.

After creating AC policies on one device, you must create similar policies on its peer.

  2. If NAT is configured on either of the peer devices, you need to configure the NAT exempt rules manually. See Exempting Site-to-Site VPN Traffic from NAT.
  3. Configure routing for receiving the return VPN traffic on each peer. For more information, see Configure Routing.
    1. Gateway: Select the network object that identifies the IP address of the gateway to the destination network. Traffic is sent to this address.
    2. Interface: Select the interface through which you want to send the traffic. In this example, the traffic is sent through the 'outside' interface.
    3. Destination Networks: Select one or more network objects that identify the destination network. In this example, the destination is 'sanjose-network', which is behind the peer (FTD_BGL_973).

After configuring routing settings on one device, you must configure similar settings on its peer.
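As an added illustration (not part of the Cisco documentation), the following Python script models the checklist above for the page's example devices: access-control rules for incoming and outgoing traffic on each peer, NAT exemption wherever NAT is configured, and a route to the remote protected network out of the VPN access interface. It reports what is still missing on each peer. The rule names for FTD_BGL_973, the gateway object name 'isp-gateway-972' and the half-finished state of FTD_BGL_973 are constructed assumptions; the device and network names come from the example in the text.

```python
"""Post-tunnel networking checklist for a point-to-point FTD site-to-site VPN.

Models the three follow-up items the text calls mandatory (access-control
rules for incoming and outgoing traffic on both peers, NAT exemption where
NAT is configured, and a route to the remote protected network) and reports
what is still missing on each peer. Device and network names follow the
page's example; gateway object and the FTD_BGL_973 state are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AcRule:
    name: str
    source_network: str        # network object name
    destination_network: str
    action: str = "Allow"


@dataclass(frozen=True)
class Route:
    interface: str
    destination_networks: tuple[str, ...]
    gateway: str               # network object holding the next-hop address


@dataclass
class Peer:
    name: str
    protected_network: str
    vpn_interface: str = "outside"
    nat_configured: bool = False
    nat_exempt_rules: list[str] = field(default_factory=list)
    ac_rules: list[AcRule] = field(default_factory=list)
    routes: list[Route] = field(default_factory=list)


def allows(peer: Peer, src: str, dst: str) -> bool:
    """True if some Allow rule on `peer` matches src -> dst protected networks."""
    return any(r.action == "Allow" and r.source_network == src
               and r.destination_network == dst for r in peer.ac_rules)


def routes_to(peer: Peer, network: str) -> bool:
    """True if `peer` has a route to `network` out of its VPN access interface."""
    return any(r.interface == peer.vpn_interface and network in r.destination_networks
               for r in peer.routes)


def check_peer(local: Peer, remote: Peer) -> list[str]:
    """Checklist items still missing on `local` for traffic with `remote`."""
    missing = []
    if not allows(local, remote.protected_network, local.protected_network):
        missing.append(f"{local.name}: no AC rule allowing incoming "
                       f"{remote.protected_network} -> {local.protected_network}")
    if not allows(local, local.protected_network, remote.protected_network):
        missing.append(f"{local.name}: no AC rule allowing outgoing "
                       f"{local.protected_network} -> {remote.protected_network}")
    if local.nat_configured and not local.nat_exempt_rules:
        missing.append(f"{local.name}: NAT is configured but VPN traffic is not exempted")
    if not routes_to(local, remote.protected_network):
        missing.append(f"{local.name}: no route to {remote.protected_network} "
                       f"via {local.vpn_interface}")
    return missing


def check_topology(peer1: Peer, peer2: Peer) -> list[str]:
    """Run the checklist in both directions; an empty list means all done."""
    return check_peer(peer1, peer2) + check_peer(peer2, peer1)


def example_peers():
    """Constructed state: FTD_BGL_972 fully configured, FTD_BGL_973 half done."""
    ftd_972 = Peer(
        "FTD_BGL_972", "boulder-network",
        ac_rules=[
            AcRule("Permit_incoming_VPN_traffic_from_973",
                   "sanjose-network", "boulder-network"),
            AcRule("Permit_outgoing_VPN_traffic_to_973",
                   "boulder-network", "sanjose-network"),
        ],
        routes=[Route("outside", ("sanjose-network",), "isp-gateway-972")])
    ftd_973 = Peer(
        "FTD_BGL_973", "sanjose-network", nat_configured=True,
        ac_rules=[
            AcRule("Permit_incoming_VPN_traffic_from_972",
                   "boulder-network", "sanjose-network"),
        ])
    return ftd_972, ftd_973


if __name__ == "__main__":
    for item in check_topology(*example_peers()):
        print(item)
```

Running the script lists the outgoing AC rule, the NAT exemption and the route still to be created on FTD_BGL_973, and nothing for FTD_BGL_972, which matches the text's point that every item has to be mirrored on the peer.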
