Configure Endpoints for a Point to Point Topology

Configure the following parameters to define the endpoints of a route-based site-to-site VPN for the nodes of a Point to Point topology:

Before you begin

Configure the basic parameters for a point-to-point topology in a route-based VPN as described in Create a Route-based Site-to-Site VPN and click the Endpoints tab.

Procedure

Step 1

Under Node A, in the Device drop-down menu, select the name of the registered device (threat defense) or extranet as the first endpoint of your VTI tunnel.

For an extranet peer, specify the following parameters:

  1. Specify the name of the device.

  2. Enter the primary IP address in the Endpoint IP address field. If you configure a backup VTI, add a comma and then specify the backup IP address.

  3. Click OK.

After configuring the above parameters for the extranet hub, specify the pre-shared key for the extranet in the IKE tab.

Note

The AWS VPC has AES-GCM-NULL-SHA-LATEST as the default policy. If the remote peer connects to AWS VPC, select AES-GCM-NULL-SHA-LATEST from the Policy drop-down list to establish the VPN connection without changing the default value in AWS.

Step 2

For a registered device, you can specify the VTI interface for Node A from the Virtual Tunnel Interface drop-down list.

The selected tunnel interface is the source interface for Node A and the tunnel destination for Node B.

If you want to create a new interface on Node A, click the + icon and configure the fields as described in Add a VTI Interface.

If you want to edit the configuration of an existing VTI, select the VTI in the Virtual Tunnel Interface drop-down field and click Edit VTI.

Step 3

If your Node A device is behind a NAT device, check the Tunnel Source IP is Private check box. In the Tunnel Source Public IP Address field, enter the tunnel source public IP address.

Step 4

Send Local Identity to Peers—Select this option to send local identity information to the peer device. Select one of the following Local Identity Configuration from the list and configure the local identity:

  • IP address—Use the IP address of the interface for the identity.

  • Auto—Use the IP address for pre-shared key and Cert DN for certificate-based connections.

  • Email ID—Specify the email ID to use for the identity. The email ID can be up to 127 characters.

  • Hostname—Use the fully qualified hostname.

  • Key ID—Specify the key-id to use for the identity. The key ID must be fewer than 65 characters.

The local identity is used to configure a unique identity per IKEv2 tunnel, instead of a global identity for all the tunnels. The unique identity allows threat defense to have multiple IPsec tunnels behind a NAT to connect to a Cisco Umbrella Secure Internet Gateway (SIG).

For information about configuring a unique tunnel ID on Umbrella, see Cisco Umbrella SIG User Guide.

Step 5

(Optional) Click Add Backup VTI to specify an extra VTI as the backup interface and configure the parameters.

Note

Ensure that both peers of the topology do not have the same tunnel source for the backup VTI. A device cannot have two VTIs with the same tunnel source and tunnel destination; hence, configure a unique tunnel source and tunnel destination combination.

Though the virtual tunnel interface is specified under Backup VTI, the routing configuration determines which tunnel is used as the primary and which as the backup.

Step 6

Expand Advanced Settings to configure additional settings for the device. For more information, see Advanced Configurations for a Point to Point Topology in a Route-based VPN.

Step 7

Repeat the above procedure for Node B.

Step 8

Click OK.

What to do next

  • To route traffic to the VTI, choose Devices > Device Management, edit the threat defense device and click the Routing tab.

    You can configure the static routes, or use BGP, OSPF v2/v3, or EIGRP for routing the VPN traffic.

  • To permit VPN traffic, choose Policies > Access Control. Add a rule specifying the security zone of the VTI. For a backup VTI, ensure that you include the backup VTI in the same security zone as the primary VTI.
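As an added pre-flight check that is not part of the Cisco procedure or product, the Python below models the constraints stated in Step 4 (local identity length limits), the Step 5 note (unique tunnel source and destination per device, distinct backup tunnel sources across peers) and What to do next (backup VTI in the primary VTI's security zone), so planned Node A and Node B endpoints can be validated before they are entered in the Endpoints tab. The class and field names and the sample addresses are assumptions of this example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Limits the procedure states for local identity types (Step 4): Email ID up
# to 127 characters, Key ID fewer than 65 characters.
IDENTITY_LIMITS = {"Email ID": 127, "Key ID": 64}

@dataclass
class Vti:  # hypothetical model of one virtual tunnel interface on a device
    name: str
    tunnel_source: str       # this device's tunnel source IP
    tunnel_destination: str  # the peer's tunnel IP
    security_zone: str

@dataclass
class Endpoint:  # hypothetical model of Node A or Node B in the Endpoints tab
    device: str
    primary: Vti
    backup: Vti | None = None
    local_identity: tuple[str, str] | None = None  # (type, value), e.g. ("Key ID", "site-a")

def check_endpoint(ep: Endpoint) -> list[str]:
    """Return the constraints from the procedure that this endpoint violates."""
    problems = []
    vtis = [ep.primary] + ([ep.backup] if ep.backup else [])
    # Step 5 note: a device cannot have two VTIs with the same tunnel source and destination.
    if len({(v.tunnel_source, v.tunnel_destination) for v in vtis}) != len(vtis):
        problems.append(f"{ep.device}: primary and backup VTI share tunnel source and destination")
    # What to do next: the backup VTI must sit in the same security zone as the primary VTI.
    if ep.backup and ep.backup.security_zone != ep.primary.security_zone:
        problems.append(f"{ep.device}: backup VTI zone {ep.backup.security_zone!r} "
                        f"differs from primary zone {ep.primary.security_zone!r}")
    if ep.local_identity:
        kind, value = ep.local_identity
        limit = IDENTITY_LIMITS.get(kind)
        if limit is not None and len(value) > limit:
            problems.append(f"{ep.device}: {kind} is {len(value)} characters, limit is {limit}")
    return problems

def check_topology(node_a: Endpoint, node_b: Endpoint) -> list[str]:
    """Both endpoints' problems plus the cross-peer rule from the Step 5 note."""
    problems = check_endpoint(node_a) + check_endpoint(node_b)
    if node_a.backup and node_b.backup and node_a.backup.tunnel_source == node_b.backup.tunnel_source:
        problems.append("both peers use the same tunnel source for the backup VTI")
    return problems
```

Run the checks against the planned Node A and Node B values before deploying; an empty list means none of the listed constraints is violated.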