Create a Site-to-Site VPN Between On-Prem Firewall Management Center-Managed Threat Defense Devices

Step 1

In the navigation pane, choose VPN > Site-to-Site VPN.

Step 2

Click the create tunnel () button on the top-right corner and click Site-to-Site VPN with the FMC Managed Device / ASA label.

Step 3

In the Configuration Name field, enter a name for the site-to-site VPN configuration you create.

Step 4

Click the Route Based radio button.

Step 5

In the Peer Devices area, provide the following information:

1. Device: From the Device drop-down list for Peer 1, choose on-prem management center-managed threat defense device and then click Select. The device type is FMC FTD. Repeat this step for Peer 2.

2. VPN Access Interface: Choose the virtual tunnel interfaces of both peers. The devices use the selected interfaces for their connection with each other.

   Note

   CDO does not provide the functionality to create virtual tunnel interfaces for the on-prem management center-managed threat defense devices, instead it only displays pre-existing interfaces of the on-prem management center. Therefore, you must configure them from the on-prem management center before creating a tunnel in CDO.

3. LAN Interfaces: Choose the LAN interfaces of both peers that control the LAN subnets. You can select multiple interfaces.

   The networks attached to the selected LAN interfaces will be added to the routing policy access list. The traffic matching the routing policy access list will be encrypted/decrypted by the VPN tunnel.

4. Routing: Click Add Network and choose protected networks from each peer to create a site-to-site tunnel between them.

5. Click Next.

Step 6

In the IKE Settings area, choose the IKE versions to use during Internet Key Exchange (IKE) negotiations and specify the privacy configurations: For more information on the IKE policies, see Configuring the Global IKE Policy.

1. Enable any one IKE version that you want.

   By default, the IKEV Version 2 is enabled.

   Note	Enabling both IKE versions is not allowed for route-based VPN.

2. To configure IKE Version 2, enable IKE Version 2 and click Add IKEv2 Policies to select the policies you want. The IKEv2 policies must be selected for both peers.

   CDO generates a default Pre-Shared Key for peer 1. This is a secret key string that is configured on the peers. IKE uses this key during the authentication phase. It is used to verify each other when establishing a tunnel between the peers.

3. To configure IKE Version 1, enable IKE Version 1 and click Add IKEv1 Policies to select the policies you want. The IKEv1 policies must be selected for both peers.

   CDO generates a default Pre-shared Key which can be modified.

4. Click Next.

Step 7

In the IPSec Settings area, provide the following information:

1. Click Add IKE IPSec Proposals to select the IKE IPSec configuration. The proposals are available depending on the selection that is made in the IKE Settings step. The IKEv2 IPSec proposals policies must be selected for both peers. For more information, see Configuring IPSec Proposals.

2. (Optional) Choose the Diffie-Hellman Group for Perfect Forward Secrecy. For more information, see Encryption and Hash Algorithms Used in VPN

3. Click Next.

Step 8

In the Finish area, read the configuration and continue further only if you’re satisfied with your configuration.

Step 9

Click Submit.

Step 10

Perform the following steps to deploy configurations manually to an on-prem management center-managed threat defense device.

1. Login to the on-prem management center and choose Devices > VPN > Site To Site. You can see the same VPN topology that was configured in CDO.

2. Deploy these changes to your threat defense. See Configuration Deployment in the Cisco Secure Firewall Management Center Device Configuration Guide for more information.