Configure Endpoints for a Hub and Spoke Topology

You can create a route-based site-to-site VPN using dynamic VTI only for hub and spoke topologies. The hub can use only a dynamic VTI and the spokes can use only static VTI interfaces. You can also configure an extranet device as a hub.

Configure the following parameters for the endpoints (the hub node and the spoke nodes) of a route-based site-to-site VPN in a hub and spoke topology:

Before you begin

Configure the basic parameters for a hub and spoke topology in a route-based VPN as described in Create a Route-based Site-to-Site VPN and click the Endpoints tab.

Procedure


Step 1

Under Hub Nodes:

  1. Click + to configure the hub node in the Add Endpoint dialog box.

  2. Choose a hub from the Device drop-down list.

    Note

A threat defense device running software version 7.2 can't be configured as a hub. The hub must be an extranet device or a threat defense device running software version 7.3 or later.

    For an extranet hub, specify the following parameters:

    1. Enter the name of the device.

    2. Enter the primary IP address. If you configure a backup VTI, add a comma, and then specify the backup IP address.

    3. Click OK.

    After configuring the above parameters for the extranet hub, specify the pre-shared key for the extranet in the IKE tab.

    Note

    The AWS VPC has AES-GCM-NULL-SHA-LATEST as the default policy. If the remote peer connects to AWS VPC, select AES-GCM-NULL-SHA-LATEST from the Policy drop-down list to establish the VPN connection without changing the default value in AWS.

  3. Choose a dynamic VTI from the Dynamic Virtual Tunnel Interface drop-down list.

Tunnel source configuration is mandatory for a dynamic VTI, because the management center uses this information to determine the tunnel destination on each spoke.

    Click + to add a new dynamic VTI. We recommend that you configure the Borrow IP for the dynamic interface from a loopback interface.

    If you want to edit an existing dynamic VTI, select the interface, and click Edit VTI.

  4. (Optional) If your endpoint device is behind a NAT device, check the Tunnel Source IP is Private check box and configure the tunnel source IP address in the Tunnel Source Public IP Address field.

  5. Click Routing Policy to configure the routing policy for the hub.

  6. Click AC Policy to configure the access control policy.

  7. Expand Advance Settings to configure additional settings on the hub. For more information, see Advanced Configurations for Hub and Spokes in a Route-based VPN.

  8. Click OK.

Step 2

Under Spoke Nodes:

  1. Click + to configure the spoke in the Add Endpoint dialog box.

  2. Choose a spoke from the Device drop-down list.

    For an extranet spoke, specify the following parameters:

    1. Enter the name of the device.

    2. Under Endpoint IP Address, choose one of the following:

      • Static: Enter the IP address of the device, and the backup IP address, if required.

      • Dynamic: Choose this option to dynamically assign the IP addresses for the extranet spokes.

    3. Click OK.

  3. Choose a static VTI from the Static Virtual Tunnel Interface drop-down list.

    Click + to add a new static VTI. The tunnel IP address of the static VTI is auto-populated; ensure that this IP address is unique for the spoke.

    If you want to edit an existing static VTI, select the interface, and click Edit VTI.

  4. (Optional) If your endpoint device is behind a NAT device, check the Tunnel Source IP is Private check box. The management center needs the tunnel source interface address to configure the tunnel destination IP address on the spokes. In the Tunnel Source Public IP Address field, enter the tunnel source public IP address.

  5. (Optional) Send Local Identity to Peers—Check this check box to send the local identity information to the peer device. Choose one of the following parameters from the Local Identity Configuration drop-down list and configure the local identity:

    • IP address—Use the IP address of the interface for the identity.

    • Auto—Use the IP address for pre-shared key and Cert DN for certificate-based connections.

    • Email ID—Specify the email ID to use for the identity. The email ID can be up to 127 characters.

    • Hostname—Use the fully qualified hostname.

    • Key ID—Specify the key-id to use for the identity. The key ID must be less than 65 characters.

    The local identity is used to configure a unique identity per IKEv2 tunnel, instead of a global identity for all the tunnels. The unique identity allows threat defense to have multiple IPsec tunnels behind a NAT that connect to the Cisco Umbrella Secure Internet Gateway (SIG).

    For more information about configuring a unique tunnel ID on Umbrella, see Cisco Umbrella SIG User Guide.

  6. (Optional) Click Add Backup VTI to specify an extra VTI interface as the backup interface.

    Note

    Ensure that both peers of the topology do not have a backup VTI configured on the same tunnel source. For instance, if Peer A has two VTIs (a primary and a backup) configured with a single tunnel source interface, say 10.10.10.1/30, then Peer B can't also have its two VTIs configured with a single tunnel source IP address, say 20.20.20.1/30.

    Although the virtual tunnel interface is specified under backup VTI, the routing configuration determines which tunnel is used as the primary and which as the backup.

  7. Click Routing Policy to configure the routing policy for the spoke.

  8. Click AC Policy to configure the access control policy.

  9. Expand Advance Settings to configure additional settings on the spoke. For more information, see Advanced Configurations for Hub and Spokes in a Route-based VPN.

  10. Click OK.
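The constraints spread across Step 1 and Step 2 (dynamic VTI only on the hub, static VTIs only on spokes, a threat defense hub on 7.3 or later, unique spoke tunnel IPs, the local identity length limits, and the backup VTI tunnel source rule from the note above) are the kind of thing worth checking before a topology is deployed. The following is an added example, not code from the Cisco documentation or from the management center; the `Endpoint` and `Vti` data classes, their field names, and the sample addresses are constructed assumptions that model only the fields this procedure mentions.

```python
"""Pre-deployment check for a route-based hub-and-spoke VPN endpoint set.

Added example, not part of the product or its documentation. It encodes the
rules stated in the Configure Endpoints procedure; the data model is assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_interface
from typing import Dict, List, Optional, Tuple


@dataclass
class Vti:
    """One virtual tunnel interface as entered in the Add Endpoint dialog (assumed shape)."""
    kind: str                        # "dynamic" (hub) or "static" (spoke)
    tunnel_source: str               # tunnel source interface address, e.g. "10.10.10.1/30"
    tunnel_ip: Optional[str] = None  # tunnel IP of a static VTI; None for a dynamic VTI


@dataclass
class Endpoint:
    """A hub or spoke node (assumed shape). Extranet devices carry no VTI."""
    name: str
    role: str                        # "hub" or "spoke"
    extranet: bool = False
    version: Optional[str] = None    # threat defense software version; None for extranet
    primary: Optional[Vti] = None
    backup: Optional[Vti] = None
    local_identity: Optional[Tuple[str, str]] = None  # (type, value), e.g. ("keyid", "site-a")


# Limits from the Local Identity Configuration step: email up to 127, key ID less than 65.
LOCAL_ID_MAX_LEN = {"email": 127, "keyid": 64}
MIN_HUB_VERSION = (7, 3)   # a threat defense hub must run 7.3 or later


def _version(v: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in v.split("."))


def validate_endpoint(ep: Endpoint) -> List[str]:
    """Return the constraint violations for one endpoint (empty list when valid)."""
    errors: List[str] = []
    vtis = [v for v in (ep.primary, ep.backup) if v is not None]
    if ep.extranet:
        # An extranet hub or spoke is entered by name and IP address only.
        if vtis:
            errors.append(f"{ep.name}: extranet devices take IP addresses, not VTIs")
    elif not vtis:
        errors.append(f"{ep.name}: no primary VTI configured")
    elif ep.role == "hub":
        if ep.primary.kind != "dynamic":
            errors.append(f"{ep.name}: a hub must use a dynamic VTI")
        if ep.version is None or _version(ep.version) < MIN_HUB_VERSION:
            errors.append(f"{ep.name}: a threat defense hub must run 7.3 or later")
    elif ep.role == "spoke":
        for v in vtis:
            if v.kind != "static":
                errors.append(f"{ep.name}: a spoke can use only static VTIs")
            elif v.tunnel_ip is None:
                errors.append(f"{ep.name}: static VTI has no tunnel IP")
    else:
        errors.append(f"{ep.name}: unknown role {ep.role!r}")
    for v in vtis:
        try:
            ip_interface(v.tunnel_source)   # tunnel source is mandatory and must parse
        except ValueError:
            errors.append(f"{ep.name}: bad tunnel source {v.tunnel_source!r}")
    if ep.local_identity:
        id_type, value = ep.local_identity
        limit = LOCAL_ID_MAX_LEN.get(id_type)
        if limit is not None and len(value) > limit:
            errors.append(f"{ep.name}: {id_type} identity exceeds {limit} characters")
    return errors


def single_tunnel_source(ep: Endpoint) -> bool:
    """True when the endpoint has a backup VTI and both VTIs share one tunnel source address."""
    if ep.primary is None or ep.backup is None:
        return False
    return ip_interface(ep.primary.tunnel_source).ip == ip_interface(ep.backup.tunnel_source).ip


def validate_topology(hub: Endpoint, spokes: List[Endpoint]) -> List[str]:
    """Check the hub, every spoke, and the rules that span two nodes."""
    errors = validate_endpoint(hub)
    seen: Dict[str, str] = {}        # static VTI tunnel IP -> spoke that already uses it
    for spoke in spokes:
        errors += validate_endpoint(spoke)
        for v in (spoke.primary, spoke.backup):
            if v is not None and v.tunnel_ip is not None:
                if v.tunnel_ip in seen:
                    errors.append(f"{spoke.name}: tunnel IP {v.tunnel_ip} already used by {seen[v.tunnel_ip]}")
                seen[v.tunnel_ip] = spoke.name
        # Backup VTI note: the two peers of a tunnel must not both pair their
        # primary and backup VTIs with a single tunnel source.
        if single_tunnel_source(hub) and single_tunnel_source(spoke):
            errors.append(f"{hub.name}/{spoke.name}: both peers use one tunnel source for primary and backup VTI")
    return errors


if __name__ == "__main__":
    # Constructed sample: one 7.3 hub with a dynamic VTI and one spoke with a static VTI.
    hub = Endpoint("hub-fw", "hub", version="7.3.0", primary=Vti("dynamic", "10.10.10.1/30"))
    spoke = Endpoint("spoke-a", "spoke", version="7.2.0",
                     primary=Vti("static", "20.20.20.1/30", "169.254.1.1/30"))
    print(validate_topology(hub, [spoke]) or "topology OK")
```

Run it against the endpoint definitions you intend to enter in the Add Endpoint dialogs; an empty list means none of the procedure's stated constraints is violated, and each string in a non-empty list names the node and the rule it breaks, so the fix can be made before the deployment fails.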


What to do next