Secure Firewall Threat Defense Site-to-site VPN Guidelines and Limitations

  • Site-to-site VPN supports ECMP zone interfaces.

  • You must configure all nodes in a topology with either crypto ACL or a protected network. You cannot configure a topology with crypto ACL on one node and protected network on another.

  • You can configure a VPN connection across domains by using an extranet peer for the endpoint not in the current domain.

  • You can backup Threat Defense VPNs using the management center backup.

  • IKEv1 does not support CC/UCAPL-compliant devices. We recommend that you use IKEv2 for these devices.

  • You cannot move a VPN topology between domains.

  • VPN does not support network objects with a 'range' option.

  • Threat Defense VPNs do not currently support PDF export and policy comparison.

  • There is no per-tunnel or per-device edit option for threat defense VPNs; you can edit only the whole topology.

  • The management center does not perform device interface address verification for transport mode when you select a crypto ACL.

  • There is no support for automatic mirror ACE generation. Mirror ACE generation for the peer is a manual process on either side.

  • With crypto ACL, the management center supports only point-to-point VPN and does not support tunnel health events.

  • Whenever IKE ports 500/4500 are already in use, or there are active PAT translations on them, you cannot configure a site-to-site VPN on those ports, because the service fails to start on them.

  • Tunnel status is not updated in real time; the management center refreshes it at an interval of five minutes.

  • You cannot use the character " (double quote) as part of pre-shared keys. If you have used " in a pre-shared key, ensure that you change the character.

  • In a site-to-site VPN configuration with two devices managed by the same management center, you cannot configure the devices as backup peers. You must configure one of the peer devices in the topology as an extranet device.
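As an added example (not Cisco's or the management center's code; the dictionary field names and the sample topology are assumptions constructed for illustration), a small pre-deployment lint that checks a topology description against several of the guidelines above before you try to deploy it:

```python
from typing import Any, Dict, List


def lint_topology(topology: Dict[str, Any]) -> List[str]:
    """Return guideline violations found in a (hypothetical) topology description."""
    findings: List[str] = []
    nodes = topology.get("nodes", [])

    # All nodes must use crypto ACL, or all must use a protected network; no mixing.
    modes = {"crypto ACL" if n.get("crypto_acl") else "protected network" for n in nodes}
    if len(modes) > 1:
        findings.append("nodes mix crypto ACL and protected network")

    # Crypto ACL is supported only for point-to-point topologies.
    if "crypto ACL" in modes and topology.get("type") != "point-to-point":
        findings.append("crypto ACL requires a point-to-point topology")

    # IKEv1 is not supported on CC/UCAPL-compliant devices.
    if 1 in topology.get("ike_versions", []):
        for n in nodes:
            if n.get("cc_ucapl"):
                findings.append(f"{n['name']}: IKEv1 enabled on a CC/UCAPL device")

    # Pre-shared keys must not contain the double-quote character.
    if '"' in topology.get("pre_shared_key", ""):
        findings.append('pre-shared key contains the " character')

    for n in nodes:
        # Network objects with a 'range' are not supported.
        for obj in n.get("protected_networks", []):
            if obj.get("kind") == "range":
                findings.append(f"{n['name']}: object {obj['name']} uses a range")
        # Two devices managed by the same management center cannot be backup peers.
        for peer in n.get("backup_peers", []):
            peer_node = next((p for p in nodes if p["name"] == peer), None)
            if n.get("managed") and peer_node and peer_node.get("managed"):
                findings.append(f"{n['name']}: backup peer {peer} is managed by the "
                                "same management center; make one an extranet device")
    return findings


# Constructed sample topology that violates several guidelines at once.
SAMPLE_TOPOLOGY: Dict[str, Any] = {
    "type": "hub-and-spoke",
    "ike_versions": [1, 2],
    "pre_shared_key": 'hub"spoke-psk',
    "nodes": [
        {"name": "hq-ftd", "managed": True, "crypto_acl": "vpn-acl", "backup_peers": ["dr-ftd"]},
        {"name": "dr-ftd", "managed": True, "cc_ucapl": True,
         "protected_networks": [{"name": "lan-range", "kind": "range"}]},
    ],
}
```

Running `lint_topology(SAMPLE_TOPOLOGY)` reports six findings; a topology that satisfies every check returns an empty list.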