Create a Site-To-Site VPN using the Advanced Configuration

Procedure

Step 1

In the Security Cloud Control platform menu, choose Products > Firewall.

Step 2

In the left pane, choose Manage > Secure Connections > Network Connections > Site to Site VPN.

Step 3

Click > Site-to-Site VPN with FDM label.

Step 4

In the Peer Devices section, specify the following device configurations:

  1. Enter a unique topology Configuration Name. We recommend naming your topology to indicate that it is an FDM-managed devicee VPN, and its topology type.

  2. Choose the endpoint devices for this VPN deployment from Devices.

  3. If you choose an extranet device, select Static and specify an IP address or select Dynamic for extranet devices with DHCP assigned IP. The IP Address displays the IP address for static interface or DHCP Assigned for the dynamic interface.

  4. Choose the VPN Access Interface for the endpoint devices.

Note

If one or both endpoint devices have dynamic IP addresses, see Configure Site-to-Site VPN Connections with Dynamically-Addressed Peers for additional instructions.

Step 5

Click the blue plus button to add the Protected Networks for the participating devices.

Step 6

Click Advanced.

Step 7

In the IKE Settings section, choose the IKE versions to use during Internet Key Exchange (IKE) negotiations and specify the privacy configurations: For more information on the IKE policies, see the About Global IKE Policies.

Note

IKE policies are global to a device and apply to all VPN tunnels associated with it. Therefore, adding or deleting policies affect all VPN tunnels in which this device is participating.

  1. Select either or both options as appropriate.

    Note

    By default, IKEV Version 2 is enabled and the IKEV2 POLICIES.

  2. Click the blue plus button and select the IKEv2 policies.

    Click Create New IKEv2 Policy to create new IKEv2 policies. Alternatively, in Security Cloud Control click Manage > Objects, then click > IKEv2 Policy. For more information about creating new IKEv2 policies, see the Configuring IKEv2 Policies. To delete an existing IKEv2 Policy, hover-over the selected policy and click the x icon.

  3. Click IKE Version 1 to enable it.

  4. Click the blue plus button and select the IKEv1 policies. Click Create New IKEv1 Policy to create new IKEv1 policies. Alternatively, you can go to the Security Cloud Control navigation bar and click Manage > Objects , then click > IKEv1 Policy. For more information about creating new IKEv1 policies, see the Configuring IKEv1 Policies. To delete an existing IKEv1 Policy, hover-over the selected policy and click the x icon.

  5. Enter the Pre-Shared Key for the participating devices. Preshared keys are secret key strings configured on each peer in the connection. These keys are used by IKE during the authentication phase.

    • (IKEv2) Peer 1 Pre-shared Key, Peer 2 Pre-shared Key: For IKEv2, you can configure unique keys on each peer. Enter the Pre-shared Key. You can click the Show Override button and enter the appropriate pre-shared for the peer. The key can be 1-127, alphanumeric characters. The following table describes the purpose of the pre-shared key for both peers.

      Local Pre-shared Key

      Remote Peer Pre-shared Key
      Peer 1 Peer 1 Pre-shared Key Peer 2 Pre-shared Key
      Peer 2 Peer 2 Pre-shared Key Peer 1 Pre-shared Key

    • (IKEv1) Pre-shared Key: For IKEv1, you must configure the same preshared key on each peer. The key can be 1-127, alphanumeric characters. In this scenario, Peer 1 and Peer 2 use the same pre-shared key to encrypt and decrypt data.

  6. Click Next.

Step 8

In the IPSec Settings section, specify the IPSec configurations. The corresponding IKEV proposals are available depending on the selection that is made in the IKE Settings step.

For more information on the IPSec settings, see the About IPsec Proposals.

  1. Click the blue plus button and select the IKEv2 proposals. To delete an existing IKEv2 Proposal, hover-over the selected proposal and click the x icon.

    Note

    Click Create New IKEv2 Proposal to create new IKEv2 proposals. Alternatively, you can go to the Security Cloud Control navigation bar and click Manage > Objects, then click > IKEv2 IPSec Proposal.

    For more information about creating new IKEv2 policies, see the Configuring IPSec Proposals for IKEv2.

  2. Choose the Diffie-Hellman Group for Perfect Forward Secrecy. For more information, see Deciding Which Diffie-Hellman Modulus Group to Use.

  3. Click Create VPN.

  4. Read the configuration and then click Finish if you're satisfied.

  5. Perform the additional mandatory configuration. See Configure networking for protected traffic between the Site-To-Site Peers.