Create a Site-to-Site VPN Tunnel Between Cloud-delivered Firewall Management Center-managed Threat Defense Devices

Use the following procedure to create a site-to-site VPN tunnel between two Threat Defense devices managed by Cloud-delivered Firewall Management Center.

Before you begin

There should not be any pending deployments on the Threat Defense device.

Procedure

Step 1

In the left pane, choose Manage > Secure Connections > Network Connections > Site to Site VPN.

Step 2

Click the Create Tunnel () icon and then click Site-to-Site VPN.

Step 3

In the Peer Selection area, provide the following information:

  • Configuration Name: Enter a unique topology name.

    We recommend naming your topology to indicate that it is a Threat Defense device VPN, and its topology type.

  • Peer 1: Click the FTD tab and select a Threat Defense device.

  • Peer 2: Click the FTD tab and select a Threat Defense device.

    If you choose an extranet device, select Static and specify an IP address or select Dynamic for extranet devices with DHCP assigned IP. The IP Address displays the IP address for static interface or DHCP Assigned for the dynamic interface.

Step 4

Click Next.

Step 5

In the Peer Details area, provide the following information:

  • VPN Access Interface: Select the interface for both peer 1 and peer 2 to establish a connection between them.

  • LAN Interfaces: Select the interface for both peer 1 and peer 2 that controls the LAN subnet. You can select multiple interfaces

  • Routing: Click Add Networks and select one or more protected networks for peer 1 and peer 2 to establish a site-to-site tunnel between between them.

Step 6

Click Next.

Step 7

In the IKE Settings area, choose the IKE versions to use during Internet Key Exchange (IKE) negotiations and specify the privacy configurations: For more information on the IKE policies, see Configuring the Global IKE Policy.

Note

IKE policies are global to a device and apply to all VPN tunnels associated with it. Therefore, adding or deleting policies affect all VPN tunnels in which this device is participating.

  1. Select either or both options as appropriate.

    Note

    By default, IKEV Version 2 is enabled.

  2. Click Add IKEv2 Policies to select the IKEv2 policies for peer 1 and peer 2.

  3. The Local Pre-Shared Key and Remote Pre-Shared Key for the participating devices are auto-genreated. Preshared keys are secret key strings configured on each peer in the connection. These keys are used by IKE during the authentication phase.

  4. Click IKE Version 1 to enable it.

  5. Click Add IKEv1 Policies to select the IKEv1 policies for peer 1 and peer 2.

  6. The IPEv1 Pre-Shared Key is auto-generated.

Step 8

Click Next.

Step 9

In the IPSec Settings area, specify the IPSec configurations for peer 1 and peer 2. The corresponding IKEV proposals are available depending on the selection that is made in the IKE Settings step.

For more information on the IPSec settings, see the About IPSec Proposals.

  1. Click Add IKEv2 IPSec Proposals and select the IKEv2 proposals you want for peer 1 and peer 2.

  2. Choose the Diffie-Hellman Group for Perfect Forward Secrecy. For more information, see Encryption and Hash Algorithms Used in VPN.

  3. Click Next.

Step 10

In the Finish area, you will find a summary of the configurations you have completed.

Read the configuration and then click Submit if you're satisfied.

Step 11

Step 12

Perform the following steps to deploy the configuration to a Cloud-delivered Firewall Management Center-managed Threat Defense device:

  1. Choose Administration > Integrations > Firewall Management Center.

  2. Ensure the check box corresponding to Cloud-Delivered FMC is checked and in the Actions pane on the right, click Deployment.

  3. Select the device participating in the site-to-site VPN configuration and click Deploy.

  4. Choose Devices > VPN > Site To Site. You can see the same VPN topology that was configured in Security Cloud Control.