Introduction to Site-to-Site Virtual Private Network
A site-to-site VPN tunnel connects networks in different geographic locations. These peers can have any mix of inside and outside IPv4 and IPv6 addresses. Site-to-site tunnels are built using the Internet Protocol Security (IPsec) protocol suite and Internet Key Exchange version 2 (IKEv2). After the VPN connection is established, the hosts behind the local gateway can connect to the hosts behind the remote gateway through the secure VPN tunnel.
This connection enables secure communication between the two sites, protecting the data being exchanged from unauthorized access.
VPN Topology
To create a new site-to-site VPN topology, you must provide a unique name, choose the IKE version that is used for IPsec IKEv1 or IKEv2, or both and authentication method. When configured, you deploy the topology to the devices from the on-premises management center.
IPsec and IKE Protocols
In Security Cloud Control, site-to-site VPNs are configured based on IKE policies and IPsec proposals that are assigned to VPN topologies. Policies and proposals are sets of parameters that define the characteristics of a site-to-site VPN, such as the security protocols and algorithms that are used to secure traffic in an IPsec tunnel. Several policy types may be required to define a full configuration image that can be assigned to a VPN topology.
Authentication
For authentication of VPN connections, configure a pre-shared key in the topology on each device. Pre-shared keys allow a secret key, which is used during the IKE authentication phase, to be shared between two peers.
VPN Encryption Domain
Security Cloud Control supports only route-based encryption for creating site-to-site VPN for on-premises management center-managed threat defense devices.
Route-Based: The encryption domain is set to encrypt only specific IP ranges for both source and destination. It creates a virtual IPsec interface, and whatever traffic enters that interface is encrypted and decrypted. ASA supports route-based VPN with the use of Virtual Tunnel Interfaces (VTIs).