About Site-to-Site VPN

Secure Firewall Threat Defense site-to-site VPN supports the following features:

  • Both IPsec IKEv1 & IKEv2 protocols.

  • Certificates and automatic or manual preshared keys for authentication.

  • IPv4 & IPv6. All combinations of inside and outside are supported.

  • IPsec IKEv2 Site-to-Site VPN topologies provide configuration settings to comply with security certifications.

  • Static and dynamic Interfaces.

  • HA environments for both management center and threat defense.

  • VPN alerts when the tunnel goes down.

  • Tunnel statistics available using the threat defense Unified CLI.

  • IKEv1 and IKEv2 back-up peer configuration for point-to-point extranet and hub-and-spoke VPNs.

  • Extranet device as hub in 'Hub and Spokes' deployments.

  • Dynamic IP address for a managed endpoint pairing with extranet device in 'Point to Point' deployments.

  • Dynamic IP address for extranet device as an endpoint.

  • Hub as extranet in 'Hub and Spokes' deployments.

VPN Topology

To create a new site-to-site VPN topology you must, specify a unique name, a topology type, choose the IKE version that is used for IPsec IKEv1 or IKEv2, or both. Also, determine your authentication method. Once configured, you deploy the topology to threat defense devices. The Secure Firewall Management Center configures site-to-site VPNs on threat defense devices only.

You can select from three types of topologies, containing one or more VPN tunnels:

  • Point-to-point (PTP) deployments establish a VPN tunnel between two endpoints.

  • Hub and Spoke deployments establish a group of VPN tunnels connecting a hub endpoint to a group of spoke nodes.

  • Full Mesh deployments establish a group of VPN tunnels among a set of endpoints.

IPsec and IKE

In the Secure Firewall Management Center, site-to-site VPNs are configured based on IKE policies and IPsec proposals that are assigned to VPN topologies. Policies and proposals are sets of parameters that define the characteristics of a site-to-site VPN, such as the security protocols and algorithms that are used to secure traffic in an IPsec tunnel. Several policy types may be required to define a full configuration image that can be assigned to a VPN topology.

Authentication

For authentication of VPN connections, configure a preshared key in the topology, or a trustpoint on each device. Preshared keys allow for a secret key, used during the IKE authentication phase, to be shared between two peers. A trustpoint includes the identity of the CA, CA-specific parameters, and an association with a single enrolled identity certificate.

Extranet Devices

Each topology type can include extranet devices, devices that you don’t manage in management center. These include:

  • Cisco devices that Secure Firewall Management Center supports, but for which your organization isn’t responsible. Such as spokes in networks managed by other organizations within your company, or a connection to a service provider or partner's network.

  • Non-Cisco devices. You can’t use Secure Firewall Management Center to create and deploy configurations to non-Cisco devices.

Add non-Cisco devices, or Cisco devices not managed by the Secure Firewall Management Center, to a VPN topology as "Extranet" devices. Also specify the IP address of each remote device.