Create a Site-to-Site VPN Between Cloud-delivered Firewall Management Center-Managed Threat Defense and Multicloud Defense

Use the following procedure to create a VPN tunnel between a cloud-delivered Firewall Management Center-managed threat defense device and Multicloud Defense from the CDO dashboard:

Before you begin

Ensure that the following prerequisites are met:

Procedure
Step 1

In the left pane, choose VPN > Site-to-Site VPN.

Step 2

Click the create tunnel icon in the top right corner and click the Site-to-Site VPN with Multicloud Defense label.

Step 3

In the Configuration Name field, enter a name for the site-to-site VPN configuration you are creating.

Step 4

In the peer devices area, provide the following information:

  • Device 1: From the drop-down list, click the FTD tab and select the threat defense device you want.

  • Device 2: From the drop-down list, click the Multicloud Defense tab and select the gateway you want.

  • VPN Access Interface: Select the threat defense interface to be used for connecting to the Multicloud Defense.

  • Public IP (optional): Specify the public IP address of the NAT that maps to the outside interface of the selected threat defense.

  • Routing: Click Add Networks and select one or more protected networks on the threat defense device. The site-to-site tunnel is created between the selected networks and the Multicloud Defense Gateway.

Step 5

Click Next.

Step 6

In the Tunnel Details area, provide the following information:

  • Virtual Tunnel Interface IP: Specify the addresses for the new Virtual Tunnel Interfaces on the peers. You can assign any IP address that is not currently used on this device.

  • Autonomous System Number: Specify the autonomous system number of the network.

Step 7

Click Next.

Step 8

In the IKE Settings area, click Add IKEv2, add the IKE version for the Internet Key Exchange (IKE) negotiations, and specify the privacy settings.

CDO generates a default Pre-Shared Key. This is a secret key string that is configured on both peers. IKE uses this key during the authentication phase, so that the peers can verify each other when establishing the tunnel.

Step 9

Click Next.

Step 10

In the IPSec Settings area, click Add IKEv2 IPSec Proposals and select the IKE IPSec configuration. The available proposals depend on the selection made in the IKE Settings step. See Configuring IPSec Proposals.

Step 11

Click Next.

Step 12

In the Finish area, review the configuration and continue only if you’re satisfied with it.

Step 13

Click Submit.

The configurations are pushed to the Multicloud Defense Gateway.

Step 14

Perform the following steps to deploy the configuration to a cloud-delivered Firewall Management Center-managed threat defense device:

  1. Choose Tools & Services > Firewall Management Center.

  2. Ensure that the check box corresponding to Cloud-Delivered FMC is checked, and in the Actions pane on the right, click Deployment.

  3. Select the device participating in the site-to-site VPN configuration and click Deploy.

  4. Choose Devices > VPN > Site To Site. You can see the same VPN topology that was configured in CDO.
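As an added example that is not part of Cisco's documentation or of CDO, the following script sanity-checks the values you enter in Steps 4, 6 and 8 before you click Submit: the two Virtual Tunnel Interface addresses must form one point-to-point pair, the autonomous system number must be a private ASN (assumed here; use your own range if you run a public ASN), the protected networks must not overlap each other or the tunnel subnet, and a pre-shared key you type in place of the CDO-generated one must not be short or single-class. All sample values are constructed.

```python
import ipaddress

# Assumption: the tunnel uses a private ASN (RFC 6996 ranges).
PRIVATE_ASN_RANGES = [(64512, 65534), (4200000000, 4294967294)]


def vti_peers_ok(ip1, ip2):
    """Both VTI addresses must be distinct hosts in the same /30 or /31 subnet."""
    a, b = ipaddress.ip_interface(ip1), ipaddress.ip_interface(ip2)
    return a.network == b.network and a.ip != b.ip and a.network.prefixlen >= 30


def asn_ok(asn):
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def networks_ok(vti, protected):
    """Protected networks must not overlap each other or the VTI subnet."""
    nets = [ipaddress.ip_network(n, strict=False) for n in protected]
    tunnel = ipaddress.ip_interface(vti).network
    if any(n.overlaps(tunnel) for n in nets):
        return False
    return not any(x.overlaps(y) for i, x in enumerate(nets) for y in nets[i + 1:])


def psk_ok(psk, min_len=32):
    """A manually entered PSK should be long and mix at least three character classes."""
    classes = [any(c.islower() for c in psk), any(c.isupper() for c in psk),
               any(c.isdigit() for c in psk), any(not c.isalnum() for c in psk)]
    return len(psk) >= min_len and sum(classes) >= 3


def validate(cfg):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    if not vti_peers_ok(cfg["vti_device1"], cfg["vti_device2"]):
        problems.append("VTI addresses are not a valid point-to-point pair")
    if not asn_ok(cfg["asn"]):
        problems.append("ASN is outside the private ranges")
    if not networks_ok(cfg["vti_device1"], cfg["protected_networks"]):
        problems.append("protected networks overlap each other or the tunnel subnet")
    if not psk_ok(cfg["psk"]):
        problems.append("pre-shared key is too short or too uniform")
    return problems


# Constructed sample matching the fields of Steps 4, 6 and 8.
SAMPLE = {"vti_device1": "169.254.10.1/30", "vti_device2": "169.254.10.2/30",
          "asn": 65001, "protected_networks": ["10.10.0.0/16", "10.20.0.0/24"],
          "psk": "Qv7!mZ2#pL9@cX4$hN8%rT1^wB6&yE3*"}

if __name__ == "__main__":
    print(validate(SAMPLE) or "configuration values look consistent")
```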