Create a Site-to-Site VPN Between On-Prem Firewall Management Center-Managed Threat Defense and Cloud-delivered Firewall Management Center-Managed Threat Defense

Procedure


Step 1

In the navigation pane, choose VPN > Site-to-Site VPN.

Step 2

Click the create tunnel icon on the top-right corner and click Site-to-Site VPN with the FMC Managed Device / ASA label.

Step 3

In the Configuration Name field, enter a name for the site-to-site VPN configuration you create.

Step 4

Click the Route Based radio button.

Step 5

In the Peer Devices area, provide the following information:

  1. Peer 1: From the Device drop-down list, choose an on-prem management center-managed threat defense device. The device type is FMC FTD.

  2. Peer 2: From the Device drop-down list, choose a cloud-delivered Firewall Management Center-managed threat defense device. The device type is FTD.

  3. VPN Access Interface: Choose the virtual tunnel interfaces of both peers. Peer 2 (the cloud-delivered Firewall Management Center-managed threat defense) connects to peer 1 (the on-prem management center-managed threat defense) through the VPN access interface of peer 1. Similarly, peer 1 connects to peer 2 through the VPN access interface of peer 2.

    Note

    CDO does not provide the functionality to create virtual tunnel interfaces for on-prem management center-managed threat defense devices; it only displays the interfaces that already exist on the on-prem management center. Therefore, you must configure them on the on-prem management center before creating a tunnel in CDO.

  4. LAN Interfaces: Choose the LAN interfaces of both peers that control the LAN subnets. You can select multiple interfaces.

    The networks attached to the selected LAN interfaces will be added to the routing policy access list. The traffic matching the routing policy access list will be encrypted/decrypted by the VPN tunnel.

  5. Routing: Click Add Network and choose protected networks from each peer to create a site-to-site tunnel between them.

  6. Click Next.

Step 6

In the IKE Settings area, choose the IKE version to use during Internet Key Exchange (IKE) negotiations and specify the privacy configurations. For more information on the IKE policies, see Configuring the Global IKE Policy.

Based on the configuration made by the user, CDO suggests the IKE settings. You can either continue with the recommended IKE configuration settings or define a new one.

Note

Enabling both IKE versions is not allowed for route-based VPN.

  1. Enable any one IKE version that you want.

    By default, IKE Version 2 is enabled.


  2. To configure IKE Version 2, enable IKE Version 2 and click Add IKEv2 Policies to select the policies you want. The IKEv2 policies must be selected for both peers.

    CDO generates a default Pre-Shared Key for peer 1. This is a secret key string that is configured on both peers. IKE uses this key during the authentication phase: the peers use it to authenticate each other when establishing the tunnel.

  3. To configure IKE Version 1, enable IKE Version 1 and click Add IKEv1 Policies to select the policies you want. The IKEv1 policies must be selected for both peers.

    CDO generates a default Pre-shared Key which can be modified.

  4. Click Next.

Step 7

In the IPSec Settings area, provide the following information:

  1. Click Add IKE IPSec Proposals to select the IKE IPsec configuration. The available proposals depend on the IKE version selected in the IKE Settings step. The IKEv2 IPsec proposals must be selected for both peers. For more information, see Configuring IPSec Proposals.

  2. (Optional) Choose the Diffie-Hellman Group for Perfect Forward Secrecy. For more information, see Encryption and Hash Algorithms Used in VPN.

  3. Click Next.

Step 8

In the Finish area, review the configuration and continue only if you are satisfied with it.

Step 9

Click Submit.

Step 10

Perform the following steps to deploy the configuration to a cloud-delivered Firewall Management Center-managed threat defense device:

  1. Choose Tools & Services > Firewall Management Center.

  2. Ensure the check box corresponding to Cloud-Delivered FMC is checked and in the Actions pane on the right, click Deployment.

  3. Select the device participating in the site-to-site VPN configuration and click Deploy.

  4. Choose Devices > VPN > Site To Site. You can see the same VPN topology that was configured in CDO.

Step 11

Perform the following steps to deploy the configuration to an on-prem management center-managed threat defense device.

  1. Log in to the on-prem management center and choose Devices > VPN > Site To Site. You can see the same VPN topology that was configured in CDO.

  2. Deploy these changes to your threat defense. See Configuration Deployment in the Cisco Secure Firewall Management Center Device Configuration Guide for more information.
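The constraints the wizard enforces (exactly one IKE version for a route-based VPN, IKE policies and IPsec proposals selected for both peers, a pre-shared key that is identical on both peers, a pre-existing virtual tunnel interface on each peer) can be checked before you click Submit. The following is an added example, not CDO or Cisco code: it runs those checks over a constructed dictionary shaped like the wizard's inputs (the key names, policy names and the 16-character PSK minimum are assumptions), and it also flags Diffie-Hellman groups 1, 2 and 5 as too weak for PFS.

```python
import secrets

# DH groups widely considered too weak for PFS (MODP of 1024 bits or less).
WEAK_DH_GROUPS = {1, 2, 5}
MIN_PSK_LEN = 16  # assumed local policy, not a CDO requirement


def generate_psk(nbytes=32):
    """Random pre-shared key; the same string must be configured on both peers."""
    return secrets.token_urlsafe(nbytes)


def check_vpn_config(cfg):
    """Return a list of findings; an empty list means the definition is consistent."""
    findings = []
    enabled = [v for v in ("ikev1", "ikev2") if cfg["ike"][v]["enabled"]]
    if len(enabled) != 1:
        findings.append("route-based VPN needs exactly one IKE version enabled")
    for v in enabled:
        for peer in ("peer1", "peer2"):
            if not cfg["ike"][v]["policies"].get(peer):
                findings.append(f"{v} policies not selected for {peer}")
    for peer in ("peer1", "peer2"):
        if not cfg["peers"][peer].get("vti"):
            findings.append(f"{peer} has no virtual tunnel interface")
        if not cfg["ipsec"]["proposals"].get(peer):
            findings.append(f"IPsec proposals not selected for {peer}")
    psk = cfg["ike"]["psk"]
    if psk["peer1"] != psk["peer2"]:
        findings.append("pre-shared key differs between peers")
    elif len(psk["peer1"]) < MIN_PSK_LEN:
        findings.append("pre-shared key shorter than local minimum")
    dh = cfg["ipsec"].get("pfs_dh_group")
    if dh in WEAK_DH_GROUPS:
        findings.append(f"PFS DH group {dh} is weak; use group 14 or higher")
    return findings


# Constructed sample shaped like the wizard's inputs; names are illustrative.
PSK = generate_psk()
SAMPLE = {
    "peers": {"peer1": {"type": "FMC FTD", "vti": "Tunnel1"},
              "peer2": {"type": "FTD", "vti": "Tunnel1"}},
    "ike": {
        "ikev1": {"enabled": False, "policies": {}},
        "ikev2": {"enabled": True, "policies": {"peer1": ["policy-a"], "peer2": ["policy-a"]}},
        "psk": {"peer1": PSK, "peer2": PSK},
    },
    "ipsec": {"proposals": {"peer1": ["prop-a"], "peer2": ["prop-a"]}, "pfs_dh_group": 14},
}
```

Calling `check_vpn_config(SAMPLE)` returns an empty list; enabling both IKE versions or choosing DH group 2 produces the corresponding findings.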