Guidelines for configuring site-to-site VPN in Secure Firewall Threat Defense devices

General guidelines

  • Site-to-site VPN supports ECMP zone interfaces.

  • Configure all nodes in a topology with either crypto ACL or a protected network. You cannot configure a topology with crypto ACL on one node and protected network on another.

  • Configure a VPN connection across domains by using an extranet peer for the endpoint not in the current domain.

  • You can back up Firewall Threat Defense VPNs using the Cloud-Delivered Firewall Management Center backup.

  • Configure a unique local IKE identity for every tunnel across all of your VPN topologies.

  • Ensure that IKE ports 500 and 4500 are not already in use and that no active PAT translations exist on those ports before configuring a site-to-site VPN. Configuring a site-to-site VPN on ports that are already in use will cause the service to fail to start.

  • When configuring a site-to-site VPN between two devices managed by the same Cloud-Delivered Firewall Management Center, do not configure the devices as backup peers. Instead, configure one of the peer devices in the topology as an extranet device.
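As an added example (not Cisco's code), the following Python lint checks a set of topology definitions against the guidelines above before they are deployed. The dictionary layout, device names and PAT rules are constructed for this example and do not reflect the management center's data model or export format.

```python
# Constructed sample data: a shape chosen for this example, not the
# management center's export format.
TOPOLOGIES = [
    {"name": "hq-branch1", "nodes": [
        {"device": "ftd-hq", "managed": True, "mode": "protected_network",
         "ike_id": "hq.example.com", "backup_peer": False},
        {"device": "ftd-branch1", "managed": True, "mode": "crypto_acl",
         "ike_id": "branch1.example.com", "backup_peer": True}]},
    {"name": "hq-partner", "nodes": [
        {"device": "ftd-hq", "managed": True, "mode": "protected_network",
         "ike_id": "hq.example.com", "backup_peer": False},
        {"device": "partner-gw", "managed": False, "mode": "protected_network",
         "ike_id": "partner.example.net", "backup_peer": False}]},
]
PAT_RULES = [{"proto": "udp", "port": 4500}, {"proto": "tcp", "port": 8443}]
IKE_PORTS = {500, 4500}


def lint_topologies(topologies, pat_rules):
    """Return a list of guideline violations found in the given topologies."""
    findings = []
    ike_ids = {}  # (device, local IKE identity) -> topologies that use it
    for topo in topologies:
        nodes = topo["nodes"]
        # Guideline: all nodes use crypto ACL or protected network, never mixed.
        if len({n["mode"] for n in nodes}) > 1:
            findings.append(f"{topo['name']}: mixes crypto ACL and protected network")
        # Guideline: two devices on the same management center must not be
        # backup peers; one of them has to be defined as an extranet device.
        if all(n["managed"] for n in nodes) and any(n["backup_peer"] for n in nodes):
            findings.append(f"{topo['name']}: backup peer between co-managed devices")
        for n in nodes:
            ike_ids.setdefault((n["device"], n["ike_id"]), []).append(topo["name"])
    # Guideline: the local IKE identity is unique per tunnel across topologies.
    for (device, ike_id), names in ike_ids.items():
        if len(names) > 1:
            findings.append(f"{device}: IKE identity {ike_id} reused in {', '.join(names)}")
    # Guideline: no active PAT translation may exist on IKE ports 500 or 4500.
    for rule in pat_rules:
        if rule["port"] in IKE_PORTS:
            findings.append(f"PAT translation active on port {rule['port']}")
    return findings


if __name__ == "__main__":
    for line in lint_topologies(TOPOLOGIES, PAT_RULES):
        print("VIOLATION:", line)
```

Run against the constructed sample, the lint reports four violations: the mixed crypto ACL/protected network topology, the backup peer between two co-managed devices, the HQ device reusing its IKE identity in both tunnels, and the PAT translation on port 4500.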