Create a Site-to-Site VPN Between On-Prem Management Center-Managed Threat Defense and Multicloud Defense Gateway

You can create standards-compliant site-to-site IPsec connections between an on-prem management center-managed threat defense and a Multicloud Defense Gateway. After the VPN connection is established, the hosts behind the firewall can reach the hosts behind the gateway through the secure VPN tunnel.

Multicloud Defense currently supports Amazon Web Services (AWS), Azure, Google Cloud Platform (GCP), and Oracle OCI cloud accounts.

Before you begin

Ensure that the following prerequisites are met:

Procedure
Step 1

In the left pane, choose VPN > Site-to-Site VPN.

Step 2

Click the create tunnel icon in the top right corner, and then click the Site-to-Site VPN with Multicloud Defense label.

Step 3

In the Peer Devices section, provide the following information:

  1. Configuration Name: Enter a name for the site-to-site VPN configuration.

  2. Peer 1: From the Device 1 drop-down list, click the FMC FTD tab and choose an on-prem management center-managed threat defense.

  3. Peer 2: From the Device 2 drop-down list, click the Multicloud Defense tab and choose a Multicloud Defense Gateway.

  4. VPN Access Interface: Choose the virtual tunnel interface (VTI) of peer 1 (on-prem management center-managed threat defense). Peer 2 (Multicloud Defense Gateway) uses the selected interface to connect with peer 1 (on-prem management center-managed threat defense).

    Note

    CDO does not provide the functionality to create virtual tunnel interfaces for on-prem management center-managed threat defense devices; it only displays the interfaces that already exist on the on-prem management center. Therefore, you must configure them on the on-prem management center before creating a tunnel in CDO.

  5. Public IP (optional):

  6. Routing: Click Add Network and choose protected networks from peer 1 to create a site-to-site tunnel between peers.

Step 4

In the Tunnel Details section, provide the following information:

  1. Virtual Interface Tunnel IP: CDO assigns an IP address to the virtual tunnel interface of the on-prem management center-managed threat defense, which cannot be changed. You must enter an IP address for the Multicloud Defense Gateway's virtual tunnel interface.

  2. Autonomous System Number: Enter the autonomous system numbers to uniquely identify the networks the peers manage.

  3. Select a threat defense managed using an on-prem management center.

  4. Click Next.

Step 5

In the IKE Settings section, click Add IKEv2 Policies to select the policies you want.

CDO generates a default Pre-Shared Key for peer 1. This is a secret key string that is configured on both peers. IKE uses this key during the authentication phase: the peers use it to verify each other when establishing the tunnel.

For more information on the IKE policies, see Configuring the Global IKE Policy.

Step 6

Click Next.

Step 7

In the IPSec Settings section, click Add IKE IPSec Proposals to select the IKE IPSec configuration. The proposals are available depending on the selection that is made in the IKE Settings step.

For more information, see Configuring IPSec Proposals.

Step 8

Click Next.

Step 9

In the Finish section, review the configuration and continue only if you are satisfied with it.

Step 10

Click Submit.

The configurations are pushed automatically to the on-prem management center after clicking Submit.
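As an added example (not the page's or CDO's own code), a small Python pre-submission check over the values the Peer Devices and Tunnel Details steps ask for: the gateway VTI address, the two autonomous system numbers, the pre-shared key and the protected networks. The sample form values are constructed; the same-subnet rule for the two VTI addresses and the pre-shared key thresholds are assumptions, not requirements stated on this page.

```python
import ipaddress
import re

# Constructed sample form values (not from the page): CDO-assigned threat defense VTI
# address, operator-entered gateway VTI address, peer ASNs, PSK and protected networks.
SAMPLE_FORM = {"ftd_vti_ip": "169.254.10.1/30", "gateway_vti_ip": "169.254.10.2",
               "ftd_asn": 65010, "gateway_asn": 65020,
               "pre_shared_key": "Qv7#mN2p!xL9rT4wZ8bK",
               "protected_networks": ["10.10.0.0/16", "10.20.5.0/24"]}

def check_tunnel_ips(ftd_vti_cidr, gateway_ip):
    # Assumption: BGP over the VTI pair expects both ends in one subnet on distinct host addresses.
    iface = ipaddress.ip_interface(ftd_vti_cidr)
    peer = ipaddress.ip_address(gateway_ip)
    if peer == iface.ip or peer not in list(iface.network.hosts()):
        return "gateway VTI IP %s must be a distinct usable host address in %s" % (peer, iface.network)
    return None

def check_asns(ftd_asn, gateway_asn):
    # ASNs are 32-bit values (RFC 6793) and must differ, since each identifies one peer's networks.
    for asn in (ftd_asn, gateway_asn):
        if not 1 <= asn <= 4294967295:
            return "ASN %s is outside the valid range 1-4294967295" % asn
    if ftd_asn == gateway_asn:
        return "both peers use ASN %d; each peer needs its own" % ftd_asn
    return None

def check_psk(psk, min_len=16):
    # Flag a short or low-diversity key if the CDO-generated default was replaced by hand.
    classes = sum(bool(re.search(p, psk)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if len(psk) < min_len or classes < 3:
        return "pre-shared key too weak: %d chars, %d character classes" % (len(psk), classes)
    return None

def check_protected_networks(networks, ftd_vti_cidr):
    # Protected networks must be valid prefixes and must not overlap the tunnel subnet itself.
    tunnel = ipaddress.ip_interface(ftd_vti_cidr).network
    for n in networks:
        try:
            net = ipaddress.ip_network(n)
        except ValueError:
            return "invalid protected network %r" % (n,)
        if net.overlaps(tunnel):
            return "protected network %s overlaps the tunnel subnet %s" % (net, tunnel)
    return None

def validate_form(form):
    # Returns the list of problems found; an empty list means the form is consistent.
    findings = [check_tunnel_ips(form["ftd_vti_ip"], form["gateway_vti_ip"]),
                check_asns(form["ftd_asn"], form["gateway_asn"]), check_psk(form["pre_shared_key"]),
                check_protected_networks(form["protected_networks"], form["ftd_vti_ip"])]
    return [f for f in findings if f]
```

Run `validate_form(SAMPLE_FORM)` before submitting; any non-empty result names the field to fix.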
What to do next

Ensure you manually deploy these changes to your threat defense devices on your on-prem management center. See Configuration Deployment in the Cisco Secure Firewall Management Center Device Configuration Guide for more information.