Configure a Policy-based Site-to-Site VPN
Procedure
Step 1 | Choose Devices > Site To Site. Then click + Site To Site VPN, or edit a listed VPN topology. |
Step 2 | Enter a unique Topology Name. We recommend a name that indicates that this is a threat defense VPN and identifies its topology type. |
Step 3 | Click Policy Based (Crypto Map) to configure a site-to-site VPN. |
Step 4 | Choose the Network Topology for this VPN. |
Step 5 | Choose the IKE versions to use during IKE negotiations: IKEv1 or IKEv2. The default is IKEv2. Select either or both options as appropriate; select IKEv1 if any device in the topology doesn't support IKEv2. You can also configure a backup peer for point-to-point extranet VPNs. For more information, see Threat Defense VPN Endpoint Options. |
Step 6 | Add Endpoints for this VPN deployment by clicking Add for each node in the topology. Configure each endpoint field as described in Threat Defense VPN Endpoint Options. |
Step 7 | (Optional) Specify non-default IKE options for this deployment as described in Threat Defense VPN IKE Options. |
Step 8 | (Optional) Specify non-default IPsec options for this deployment as described in Threat Defense VPN IPsec Options. |
Step 9 | (Optional) Specify non-default Advanced options for this deployment as described in Threat Defense Advanced Site-to-site VPN Deployment Options. |
Step 10 | Click Save. The endpoints are added to your configuration. |
What to do next
Deploy configuration changes.
Note | Some VPN settings are validated only during deployment. Be sure to verify that your deployment was successful. If you get an alert that your VPN tunnel is inactive even when the VPN session is up, follow the VPN troubleshooting instructions to verify that your VPN is active. |