Enable Distributed Site-to-Site VPN

Enable distributed site-to-site VPN to take advantage of the scalability of clustering for VPN sessions. This procedure requires CLI access to the control node.

Before you begin

  • Configure site-to-site VPN according to Site-to-Site VPNs.

  • Apply the Carrier license to the control node.

Procedure
Step 1

Add a Spanned-EtherChannel-mode cluster according to Create a Cluster, including all data nodes.

Step 2

After the cluster is formed and stable, disable clustering on each of the data nodes according to Disable Clustering, and then disable clustering on the control node.

The VPN mode can be changed only while clustering is disabled. Disabling clustering leaves the bootstrap configuration in place, along with the last configuration synced from the control node, so that you can re-add the nodes later without losing your configuration. Note that the cluster is out of service from this step until the nodes rejoin in Step 5, so schedule the change in a maintenance window.

Step 3

View the cluster on Devices > Device Management to see which device is the control node, and then connect to that node's CLI. See Log Into the Command-Line Interface on the Device.

Step 4

Enable distributed site-to-site VPN on the control node.

cluster vpn-mode distributed

To return to the default centralized mode later, use the cluster vpn-mode centralized command; it is likewise accepted only while clustering is disabled.

Example:


> cluster vpn-mode distributed
Cryptochecksum: ce4b0bbd 6b9252a5 7e19463d e179067d

5778 bytes copied in 0.70 secs
> 

Step 5

In the Firewall Management Center, re-enable clustering on the control node first, and then on each data node. See Rejoin the Cluster.

The VPN mode is synced from the control node to the data nodes as they rejoin, so you do not need to run the command on each data node.