About Firepower Threat Defense Site-to-site VPNs
Firepower Threat Defense site-to-site VPN supports the following features:
-
Both IPsec IKEv1 & IKEv2 protocols are supported.
-
Certificates and automatic or manual preshared keys for authentication.
-
IPv4 & IPv6. All combinations of inside and outside are supported.
-
IPsec IKEv2 Site-to-Site VPN topologies provide configuration settings to comply with Security Certifications.
-
Static and Dynamic Interfaces.
-
Support for both Firepower Management Center and Firepower Threat Defense HA environments.
-
VPN alerts when the tunnel goes down.
-
Tunnel statistics available using the Firepower Threat Defense Unified CLI.
-
Support for IKEv1 back-up peer configuration for point-to-point extranet VPN.
-
Support for extranet device as hub in 'Hub and Spokes' deployments.
-
Support for dynamic IP address for a managed endpoint pairing with extranet device in 'Point to Point' deployments.
-
Support for dynamic IP address for extranet device as an endpoint.
-
Support for hub as extranet in 'Hub and Spokes' deployments.
VPN Topology
To create a new site-to-site VPN topology you must, at minimum, give it a unique name, specify a topology type, choose the IKE version that is used for IPsec IKEv1 or IKEv2, or both. Also, determine your authentication method. Once configured, you deploy the topology to Firepower Threat Defense devices. The Firepower Management Center configures site-to-site VPNs on Firepower Threat Defense devices only.
You can select from three types of topologies, containing one or more VPN tunnels:
-
Point-to-point (PTP) deployments establish a VPN tunnel between two endpoints.
-
Hub and Spoke deployments establish a group of VPN tunnels connecting a hub endpoint to a group of spoke nodes.
-
Full Mesh deployments establish a group of VPN tunnels among a set of endpoints.
IPsec and IKE
In the Firepower Management Center, site-to-site VPNs are configured based on IKE policies and IPsec proposals that are assigned to VPN topologies. Policies and proposals are sets of parameters that define the characteristics of a site-to-site VPN, such as the security protocols and algorithms that are used to secure traffic in an IPsec tunnel. Several policy types may be required to define a full configuration image that can be assigned to a VPN topology.
Authentication
For authentication of VPN connections, configure a preshared key in the topology, or a trustpoint on each device. Preshared keys allow for a secret key, used during the IKE authentication phase, to be shared between two peers. A trustpoint includes the identity of the CA, CA-specific parameters, and an association with a single enrolled identity certificate.
Extranet Devices
Each topology type can include Extranet devices, devices that you do not manage in Firepower Management Center. These include:
-
Cisco devices that Firepower Management Center supports, but for which your organization is not responsible. Such as spokes in networks managed by other organizations within your company, or a connection to a service provider or partner's network.
-
Non-Cisco devices. You cannot use Firepower Management Center to create and deploy configurations to non-Cisco devices.
Add non-Cisco devices, or Cisco devices not managed by the Firepower Management Center, to a VPN topology as "Extranet" devices. Also specify the IP address of each remote device.
Firepower Threat Defense Site-to-site VPN Guidelines and Limitations
-
A VPN connection can only be made across domains by using an extranet peer for the endpoint not in the current domain.
-
A VPN topology cannot be moved between domains.
-
Network objects with a 'range' option are not supported in VPN
-
Firepower Threat Defense VPNs are only be backed up using the Firepower Management backup.
-
The Firepower Threat Defense VPNs do not currently support PDF export and policy comparison.
-
There is no per-tunnel or per-device edit option for Firepower Threat Defense VPNs, only the whole topology can be edited.
-
Device interface address verification will not be performed for Transport mode when Crypto ACL is selected.
-
All nodes in a topology must be configured with either Crypto ACL or Protected Network. A topology may not be configured with Crypto ACL on one node and Protected Network on another.
-
There is no support for automatic mirror ACE generation. Mirror ACE generation for the peer is a manual process on either side.
-
While using Crypto ACL, there is no support for tunnel health events for VPN topologies. With Crypto ACL, there is no support for Hub, Spoke, and Full Mesh topologies; only point to point VPN is supported.
-
Whenever IKE ports 500/4500 are in use or when there are some PAT translations that are active, the Site-to-Site VPN cannot be configured on the same ports as it fails to start the service on those ports.
-
Tunnel status is not updated in realtime, but at an interval of 5 minutes in the Firepower Management Center.
-
The character " (double quote) is not supported as part of pre-shared keys. If you have used " in a pre-shared key, ensure that you change the character after you upgrade to Firepower Threat Defense 6.30.