Create a Route-based Site-to-Site VPN

You can configure a route-based site-to-site VPN for the following two topologies:

  • Point to Point: Configure VTIs on both nodes of the tunnel and use the wizard to configure the VPN.

  • Hub and Spoke: Configure VTIs on the hub and the spokes. Configure the hub with a dynamic VTI and spokes with static VTIs.

You can configure an extranet device as the hub and managed devices as spokes. You can configure multiple hubs and spokes, and also configure backup hubs and spokes.

  • For extranet hubs and spokes, you can configure multiple IPs as backup.

  • For managed spokes, you can configure a backup static VTI interface along with the primary VTI interface.

For more information on VTI, see About Virtual Tunnel Interfaces.

Note

All references to VTI cover both static VTI and dynamic VTI, unless stated otherwise.

Procedure


Step 1

Choose Devices > Site To Site.

Step 2

Click + Site To Site VPN.

Step 3

Enter a name for the VPN topology in the Topology Name field.

Step 4

Choose Route Based (VTI) and do one of the following:

Step 5

(Optional) Specify the IKE options for the deployment as described in Threat Defense VPN IKE Options.

Step 6

(Optional) Specify the IPsec options for the deployment as described in Threat Defense VPN IPsec Options.

Step 7

(Optional) Specify the Advanced options for the deployment as described in Threat Defense Advanced Site-to-site VPN Deployment Options.

Step 8

Click Save.


What to do next

After you configure the VTI interfaces and the VTI tunnel on both devices, you must configure:

  • A routing policy to route the VTI traffic between the devices over the VTI tunnel. For more information, see Configure Routing and AC Policies for VTI.

  • An access control rule to allow encrypted traffic. Choose Policies > Access Control.
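The wizard steps above and the routing policy that follows them are shown only as GUI actions on this page. The following is an added illustration, not Cisco's own text or a configuration taken from this page, of what a point-to-point static-VTI node and its follow-up route look like in ASA/threat defense CLI syntax. All addresses and names are constructed for the example, the pre-shared key is a placeholder, and the command set is assumed to be the ASA-style VTI syntax; verify it against the software version in use.

```text
! ---- Node A of a point-to-point route-based VPN: static VTI ----
! Constructed addressing for this example:
!   outside IP of A: 198.51.100.2   peer (node B) outside IP: 203.0.113.1
!   tunnel /30:      A = 10.255.0.2, B = 10.255.0.1
!   remote LAN behind B: 10.20.0.0/16

! IKEv2 policy (Step 5 in the wizard)
crypto ikev2 policy 10
 encryption aes-gcm-256
 integrity null
 group 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

! IPsec proposal and the profile that the tunnel interface references (Step 6)
crypto ipsec ikev2 ipsec-proposal AESGCM256
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
crypto ipsec profile VTI-PROFILE
 set ikev2 ipsec-proposal AESGCM256

! Peer authentication; <PSK-PLACEHOLDER> stands in for the real key
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK-PLACEHOLDER>
 ikev2 local-authentication pre-shared-key <PSK-PLACEHOLDER>

! The static VTI itself (the interface the wizard expects on each node)
interface Tunnel1
 nameif vti-to-B
 ip address 10.255.0.2 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE

! Routing policy ("What to do next"): the route, not a crypto ACL,
! selects which traffic enters the tunnel
route vti-to-B 10.20.0.0 255.255.0.0 10.255.0.1 1

! Verification after deployment
! Tunnel1 line protocol comes up once the SA is established
show interface Tunnel1
! IKEv2 SA with peer 203.0.113.1 should be in READY state
show crypto ikev2 sa
! encaps/decaps counters should increment as traffic flows
show crypto ipsec sa peer 203.0.113.1
! confirm the remote LAN route points into the VTI
show route | include vti-to-B
```

Node B mirrors this with the addresses swapped. Because a route-based VPN has no interesting-traffic ACL, a missing or wrong route means the tunnel can be up while no traffic uses it; the last two show commands catch that case. Traffic arriving through the VTI is still evaluated by the access control policy on the tunnel's interface, which is why the access control rule above is a required step rather than an optional one.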