Create a Site-to-Site VPN Between On-Prem Firewall Management Center-Managed Threat Defense and Extranet

You can configure a site-to-site VPN tunnel between the on-prem management center-managed threat defense device onboarded to CDO and an extranet device. The extranet can be non-Cisco devices or Cisco devices that CDO does not manage.

Before you begin

The site-to-site VPN tunnel configurations must be applied manually to the extranet devices.

Procedure

Step 1

In the navigation pane, choose VPN > Site-to-Site VPN.

Step 2

Click the create tunnel () button on the top-right corner and click Site-to-Site VPN with FMC Managed Device / ASA label.

Step 3

In the Configuration Name field, enter a name for the site-to-site VPN configuration you create.

Step 4

Click the Route Based radio button.

Step 5

In the Peer Devices area, provide the following information:

  1. Peer 1: From the Device drop-down list, choose an on-prem management center-managed threat defense device and then click Select. The device type is FMC FTD.

  2. Peer 2: Enable Extranet and enter an IP address for the static interface.

  3. VPN Access Interface: Choose the virtual tunnel interface of peer 1. The extranet device uses the selected interface to connect with on-prem management center-managed threat defense.

    Note

    CDO does not provide the functionality to create virtual tunnel interfaces for the on-prem management center-managed threat defense devices, instead it only displays pre-existing interfaces of the on-prem management center. Therefore, you must configure them from the on-prem management center before creating a tunnel in CDO.

  4. Click Next.

Step 6

In the IKE Settings area, choose the IKE versions to use during Internet Key Exchange (IKE) negotiations and specify the privacy configurations: For more information on the IKE policies, see Configuring the Global IKE Policy.

Based on the configuration made by the user, CDO suggests the IKE settings. You can either continue with the recommended IKE configuration settings or define a new one.

Note

Enabling both IKE versions is not allowed for route-based VPN.

  1. Enable any one IKE version that you want.

    By default, the IKEV Version 2 is enabled.

  2. To configure IKE Version 2, enable IKE Version 2 and click Add IKEv2 Policies to select the policies you want.

    CDO generates a default Pre-Shared Key for peer 1. This is a secret key string that is configured on the peers. IKE uses this key during the authentication phase. It is used to verify each other when establishing a tunnel between the peers.

  3. To configure IKE Version 1, enable IKE Version 1 and click Add IKEv1 Policies to select the policies you want.

    CDO generates a default Pre-shared Key which can be modified.

  4. Click Next.

Step 7

In the IPSec Settings area, perform the following:

  1. Click Add IKE IPSec Proposals to select the IKE IPSec configuration. The proposals are available depending on the selection that is made in the IKE Settings step. For more information, see Configuring IPSec Proposals.

  2. (Optional) Choose the Diffie-Hellman Group for Perfect Forward Secrecy. For more information, see Encryption and Hash Algorithms Used in VPN

  3. Click Next.

Step 8

In the Finish area, read the configuration and continue further only if you’re satisfied with your configuration.

Step 9

Click Submit.

The configurations are pushed automatically to the on-prem management center after clicking Submit.

Step 10

Perform the following steps to deploy the configuration to an on-prem management center-managed threat defense device.

  1. Login to the on-prem management center and choose Devices > VPN > Site To Site. You can see the same VPN topology that was configured in CDO.

  2. Deploy these changes to your threat defense. See Configuration Deployment in the Cisco Secure Firewall Management Center Device Configuration Guide for more information.