Create a Site-to-Site VPN Between On-Premises Firewall Management Center-Managed Threat Defense Devices

Procedure


Step 1

In the navigation pane, choose VPN > Site-to-Site VPN.

Step 2

Click the create tunnel () button on the top-right corner and click Site-to-Site VPN with the FMC Managed Device / ASA label.

Step 3

In the Configuration Name field, enter a name for the site-to-site VPN configuration you create.

Step 4

Click the Route Based radio button.

Step 5

In the Peer Devices area, provide the following information:

  1. Device: From the Device drop-down list for Peer 1, choose on-premises management center-managed threat defense device and then click Select. The device type is FMC FTD. Repeat this step for Peer 2.

  2. VPN Access Interface: Choose the virtual tunnel interfaces of both peers. The devices use the selected interfaces for their connection with each other.

    Note

    Security Cloud Control does not provide the functionality to create virtual tunnel interfaces for the on-premises management center-managed threat defense devices, instead it only displays pre-existing interfaces of the on-premises management center. Therefore, you must configure them from the on-premises management center before creating a tunnel in Security Cloud Control.

  3. LAN Interfaces: Choose the LAN interfaces of both peers that control the LAN subnets. You can select multiple interfaces.

    The networks attached to the selected LAN interfaces will be added to the routing policy access list. The traffic matching the routing policy access list will be encrypted/decrypted by the VPN tunnel.

  4. Routing: Click Add Network and choose protected networks from each peer to create a site-to-site tunnel between them.

  5. Click Next.

Step 6

In the IKE Settings area, choose the IKE versions to use during Internet Key Exchange (IKE) negotiations and specify the privacy configurations: For more information on the IKE policies, see Configuring the Global IKE Policy.

Based on the configuration made by the user, Security Cloud Control suggests the IKE settings. You can either continue with the recommended IKE configuration settings or define a new one.

Note

Enabling both IKE versions is not allowed for route-based VPN.

  1. Enable any one IKE version that you want.

    By default, the IKEV Version 2 is enabled.

    Note

    Enabling both IKE versions is not allowed for route-based VPN.

  2. To configure IKE Version 2, enable IKE Version 2 and click Add IKEv2 Policies to select the policies you want. The IKEv2 policies must be selected for both peers.

    Security Cloud Control generates a default Pre-Shared Key for peer 1. This is a secret key string that is configured on the peers. IKE uses this key during the authentication phase. It is used to verify each other when establishing a tunnel between the peers.

  3. To configure IKE Version 1, enable IKE Version 1 and click Add IKEv1 Policies to select the policies you want. The IKEv1 policies must be selected for both peers.

    Security Cloud Control generates a default Pre-shared Key which can be modified.

  4. Click Next.

Step 7

In the IPSec Settings area, provide the following information:

  1. Click Add IKE IPSec Proposals to select the IKE IPSec configuration. The proposals are available depending on the selection that is made in the IKE Settings step. The IKEv2 IPSec proposals policies must be selected for both peers. For more information, see Configuring IPSec Proposals.

  2. (Optional) Choose the Diffie-Hellman Group for Perfect Forward Secrecy. For more information, see Encryption and Hash Algorithms Used in VPN

  3. Click Next.

Step 8

In the Finish area, read the configuration and continue further only if you’re satisfied with your configuration.

Step 9

Click Submit.

The configurations are automatically pushed from Security Cloud Control to on-premises management center.

Step 10

Perform the following steps to deploy configurations manually to an on-premises management center-managed threat defense device.

  1. Login to the on-premises management center and choose Devices > VPN > Site To Site. You can see the same VPN topology that was configured in Security Cloud Control.

  2. Deploy these changes to your threat defense. See Configuration Deployment in the Cisco Secure Firewall Management Center Device Configuration Guide for more information.