Site-to-site VPN

Site-to-site VPN features

Secure Firewall Threat Defense site-to-site VPN supports these features:

• IPsec IKEv1 & IKEv2 protocols.

• Certificates and automatic or manual preshared keys for authentication.

• IPv4 & IPv6 addresses. All combinations of inside and outside are supported.

• Static and dynamic interfaces.

• HA environments for both Cloud-Delivered Firewall Management Center and Firewall Threat Defense.

• VPN alerts when the tunnel goes down and tunnel statistics.

• IKEv1 and IKEv2 back-up peer configuration for point-to-point extranet and hub-and-spoke VPNs.

• Extranet device as hub in 'Hub and Spokes' deployments.

• Dynamic IP address for a managed endpoint pairing with extranet device in 'Point to Point' deployments and for extranet device as an endpoint.

VPN topologies

VPN topology configuration requires specifying a unique name, a topology type, IKE version selection, and authentication method. The Cloud-Delivered Firewall Management Center configures site-to-site VPNs on Firewall Threat Defense devices only.

You can select from three types of topologies, containing one or more VPN tunnels:

• Point-to-point (PTP) deployments establish a VPN tunnel between two endpoints.

• Hub and Spoke deployments establish a group of VPN tunnels connecting a hub endpoint to a group of spoke nodes.

• Full Mesh deployments establish a group of VPN tunnels among a set of endpoints.

In the Cloud-Delivered Firewall Management Center, site-to-site VPNs are configured based on IKE policies and IPsec proposals that are assigned to VPN topologies. Policies and proposals are sets of parameters that define the characteristics of a site-to-site VPN, such as the security protocols and algorithms that are used to secure traffic in an IPsec tunnel. Several policy types may be required to define a full configuration image that can be assigned to a VPN topology.

For authentication of VPN connections, configure a preshared key in the topology, or a trustpoint on each device. Preshared keys allow for a secret key, used during the IKE authentication phase, to be shared between two peers. A trustpoint includes the identity of the CA, CA-specific parameters, and an association with a single enrolled identity certificate.

IPsec and IKE

In the Cloud-Delivered Firewall Management Center, site-to-site VPNs are configured based on IKE policies and IPsec proposals that are assigned to VPN topologies. Policies and proposals are sets of parameters that define the characteristics of a site-to-site VPN, such as the security protocols and algorithms that are used to secure traffic in an IPsec tunnel. Several policy types may be required to define a full configuration image that can be assigned to a VPN topology.

Authentication

For authentication of VPN connections, configure a preshared key in the topology, or a trustpoint on each device. Preshared keys allow for a secret key, used during the IKE authentication phase, to be shared between two peers. A trustpoint includes the identity of the CA, CA-specific parameters, and an association with a single enrolled identity certificate.

Extranet Devices

Each topology type can include extranet devices, devices that you don't manage in Cloud-Delivered Firewall Management Center. These include:

• Cisco devices that Cloud-Delivered Firewall Management Center supports, but for which your organization isn't responsible. Such as spokes in networks managed by other organizations within your company, or a connection to a service provider or partner's network.

• Non-Cisco devices. You can't use Cloud-Delivered Firewall Management Center to create and deploy configurations to non-Cisco devices.

Add non-Cisco devices, or Cisco devices not managed by the Cloud-Delivered Firewall Management Center, to a VPN topology as "Extranet" devices. Also specify the IP address of each remote device.