Configure a Policy-based Site-to-Site VPN

Procedure

Step 1

Choose Devices > Site To Site. Then click + Site To Site VPN, or edit a listed VPN topology.

Step 2

Enter a unique Topology Name. We recommend a name that indicates both that the topology is a threat defense VPN and which topology type it uses.

Step 3

Click Policy Based (Crypto Map) to configure a site-to-site VPN.

Step 4

Choose the Network Topology for this VPN.

Step 5

Choose the IKE versions to use during IKE negotiations: IKEv1, IKEv2, or both.

The default is IKEv2. Select either or both options as appropriate; select IKEv1 if any device in the topology doesn't support IKEv2.

You can also configure a backup peer for point-to-point extranet VPNs. For more information, see Threat Defense VPN Endpoint Options.

Step 6

Add Endpoints for this VPN deployment by clicking Add for each node in the topology.

Configure each endpoint field as described in Threat Defense VPN Endpoint Options.

  • For Point to Point, configure Node A and Node B.

  • For Hub and Spoke, configure a Hub Node and Spoke Nodes.

  • For Full Mesh, configure multiple Nodes.

Step 7

(Optional) Specify non-default IKE options for this deployment as described in Threat Defense VPN IKE Options.

Step 8

(Optional) Specify non-default IPsec options for this deployment as described in Threat Defense VPN IPsec Options.

Step 9

(Optional) Specify non-default Advanced options for this deployment as described in Threat Defense Advanced Site-to-site VPN Deployment Options.

Step 10

Click Save.

The endpoints are added to your configuration.

What to do next

Deploy configuration changes.

Note

Some VPN settings are validated only during deployment. Be sure to verify that your deployment was successful.

If you get an alert that your VPN tunnel is inactive even when the VPN session is up, follow the VPN troubleshooting instructions to verify and ensure that your VPN is active.
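As an added illustration (not part of this document, and not a configuration generated by the management center), the following is a constructed example of the ASA-style crypto map configuration that a point-to-point, IKEv2-only, policy-based topology of the kind built in Steps 3 through 10 corresponds to on the threat defense device, followed by the device CLI checks used to confirm that the tunnel is actually passing traffic after deployment. All names, addresses, networks, and the pre-shared key placeholder are assumptions, not values from this page.

```cisco
! Constructed example: policy-based (crypto map) site-to-site VPN between
! Node A (this device, outside 203.0.113.1) and Node B (peer 203.0.113.2).
! Names, addresses and networks are placeholders, not values from the page.
!
! --- IKE options (Step 5 / Step 7): IKEv2 only, with a strong proposal ---
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
! --- IPsec options (Step 8): ESP with AES-256 encryption and SHA-256 integrity ---
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
! --- Protected networks (Step 6): Node A local 10.1.0.0/16, Node B remote 10.2.0.0/16 ---
access-list VPN-NODEA-NODEB extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
!
! --- Crypto map entry: which traffic is protected, to which peer, with which proposal ---
crypto map outside_map 10 match address VPN-NODEA-NODEB
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map outside_map interface outside
!
! --- Peer authentication (pre-shared key; placeholder, never reuse across peers) ---
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PLACEHOLDER-PSK>
 ikev2 local-authentication pre-shared-key <PLACEHOLDER-PSK>
!
! --- Post-deployment checks for the Note above, run from the device CLI ---
! show crypto ikev2 sa     -> the IKE SA for 203.0.113.2 should report Status: READY
! show crypto ipsec sa     -> "#pkts encaps" and "#pkts decaps" should both increase
!                             while traffic flows; a session that is up with zero
!                             decaps is the "tunnel inactive" case the alert refers to
```

Settings that are validated only at deployment time (for example, a proposal the peer does not accept) show up here as an IKE SA that never reaches READY, so the two show commands are the quickest way to confirm that the deployment succeeded in practice.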