Create a Site-to-Site VPN Tunnel Between Cloud-delivered Firewall Management Center-Managed Threat Defense and Multicloud Defense

You can create site-to-site IPsec connections between a Cloud-delivered Firewall Management Center-managed threat defense and Multicloud Defense from the Security Cloud Control dashboard. The connections comply with all relevant standards. After the VPN connection is established, hosts behind the threat defense firewall can reach hosts behind the Multicloud Defense Gateway through the secure VPN tunnel.

Multicloud Defense currently supports Amazon Web Services (AWS), Azure, Google Cloud Platform (GCP), and Oracle OCI cloud accounts.

Use the following procedure to create a VPN tunnel between a cloud-delivered Firewall Management Center-managed threat defense device and Multicloud Defense from the Security Cloud Control dashboard:

Before you begin

Ensure that the following prerequisites are met:

Procedure


Step 1

In the navigation pane, choose Manage > Secure Connections > Network Connections > Site to Site VPN.

Step 2

Click the Create Tunnel icon and then click Site-to-Site VPN.

Step 3

In the Peer Selection area, provide the following information:

  • Configuration Name: Enter a unique topology name.

  • Peer 1: Click the FTD tab and select a Threat Defense device.

  • Peer 2: Click the Multicloud Defense tab and select the gateway you want.

    If you choose an extranet device, select Static and specify an IP address, or select Dynamic for extranet devices whose IP address is assigned by DHCP. The IP Address field shows the IP address for a static interface, or DHCP Assigned for a dynamic interface.

Step 4

Click Next.

Step 5

In the Peer Details area, provide the following information:

  • VPN Access Interface: Select the interface for threat defense to establish a connection with the gateway.

  • Public IP (optional): Specify the public IP address of the NAT that maps to the outside interface of the selected threat defense.

  • Routing: Click Add Networks and select one or more protected networks behind the threat defense. The site-to-site tunnel is created between the selected networks and the Multicloud Defense Gateway.

Step 6

Click Next.

Step 7

In the Tunnel Details area, provide the following information:

  • Virtual Tunnel Interface IP: Specify the addresses for the new Virtual Tunnel Interfaces on the peer. You can assign any IP address that is not already in use on this device.

  • Autonomous System Number: Specify the autonomous system number of the network.

Step 8

Click Next.

Step 9

In the IKE Settings area, click Add IKEv2 and add the IKE version for the Internet Key Exchange (IKE) negotiations and specify the privacy configurations.

Security Cloud Control generates a default Local Pre-Shared Key. This is a secret key string that is configured on both peers. IKE uses it during the authentication phase so that the peers can verify each other when the tunnel is established.

Step 10

Click Next.

Step 11

In the IPSec Settings area, click Add IKEv2 IPSec Proposals and select the IKE IPSec configuration. The proposals that are available depend on the selection made in the IKE Settings step. See Configuring IPSec Proposals.
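Steps 5, 7, 9 and 11 each take a value that is easy to get wrong in the dashboard (an already-used VTI address, an invalid or reserved ASN, overlapping protected networks, a weak pre-shared key, or a proposal that still allows deprecated algorithms). The following Python script is an added example, not code from this page or from Cisco, that checks a planned tunnel configuration before it is submitted. All values in it (the device subnets, the VTI address, the ASN, the pre-shared key and the proposal names) are constructed for illustration, and the keys of the `plan` dictionary are assumptions chosen for this example rather than Security Cloud Control field names.

```python
import ipaddress
import re

# Constructed: subnets already configured on the threat defense device (Step 7
# says the VTI address must not be in use on the device). Not values from the page.
EXISTING_DEVICE_SUBNETS = ["10.0.0.0/24", "192.168.1.0/24"]

# Algorithms a defender would not accept in an IKEv2 or IPsec proposal.
WEAK_ENCRYPTION = {"des", "3des", "null"}
WEAK_INTEGRITY = {"md5", "sha1"}
WEAK_DH_GROUPS = {1, 2, 5, 22, 23, 24}


def check_vti_ip(vti_ip, device_subnets):
    """Step 7: the VTI address must not fall inside a subnet already on the device."""
    addr = ipaddress.ip_address(vti_ip)
    for net in device_subnets:
        if addr in ipaddress.ip_network(net, strict=False):
            return f"VTI IP {vti_ip} overlaps existing subnet {net}"
    return None


def check_asn(asn):
    """Step 7: the ASN must be a valid 2- or 4-byte number and not a reserved one."""
    if not isinstance(asn, int) or not 1 <= asn <= 4294967294:
        return f"ASN {asn} is out of range"
    # AS_TRANS, the 16-bit reserved value, and the two documentation ranges (RFC 5398).
    if asn == 23456 or asn == 65535 or 64496 <= asn <= 64511 or 65536 <= asn <= 65551:
        return f"ASN {asn} is reserved for documentation or transition use"
    return None


def check_protected_networks(networks):
    """Step 5: every protected network must be a clean CIDR prefix and none may overlap."""
    parsed = []
    for n in networks:
        try:
            parsed.append(ipaddress.ip_network(n, strict=True))
        except ValueError:
            return f"{n} is not a valid network prefix"
    for i, a in enumerate(parsed):
        for b in parsed[i + 1:]:
            if a.overlaps(b):
                return f"protected networks {a} and {b} overlap"
    return None


def check_psk(psk, min_len=32):
    """Step 9: a pre-shared key should be long and drawn from several character classes."""
    if len(psk) < min_len:
        return f"pre-shared key shorter than {min_len} characters"
    classes = sum(bool(re.search(p, psk))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        return "pre-shared key uses fewer than three character classes"
    return None


def check_proposal(proposal):
    """Steps 9 and 11: list deprecated algorithms found in an IKEv2 or IPsec proposal."""
    problems = []
    if proposal["encryption"].lower() in WEAK_ENCRYPTION:
        problems.append(f"weak encryption {proposal['encryption']}")
    # AEAD ciphers such as AES-GCM carry no separate integrity algorithm.
    if proposal.get("integrity", "").lower() in WEAK_INTEGRITY:
        problems.append(f"weak integrity {proposal['integrity']}")
    if proposal["dh_group"] in WEAK_DH_GROUPS:
        problems.append(f"weak DH group {proposal['dh_group']}")
    return problems


def validate_tunnel(plan, device_subnets):
    """Run every check and return the list of findings (empty means the plan passes)."""
    findings = [f for f in (check_vti_ip(plan["vti_ip"], device_subnets),
                            check_asn(plan["asn"]),
                            check_protected_networks(plan["protected_networks"]),
                            check_psk(plan["psk"])) if f]
    findings.extend(check_proposal(plan["ike_proposal"]))
    findings.extend(check_proposal(plan["ipsec_proposal"]))
    return findings


# Constructed plan for the tunnel; field names are this example's own, not dashboard names.
SAMPLE_PLAN = {
    "vti_ip": "169.254.10.1",
    "asn": 65001,
    "protected_networks": ["10.0.0.0/24", "10.1.0.0/16"],
    "psk": "q7R!m2Xv9#Lp4sWz8@Hd1Kf6Bn3Jt5Yc",  # constructed, 32 characters
    "ike_proposal": {"encryption": "aes-256", "integrity": "sha256", "dh_group": 19},
    "ipsec_proposal": {"encryption": "aes-gcm-256", "dh_group": 19},
}

if __name__ == "__main__":
    for finding in validate_tunnel(SAMPLE_PLAN, EXISTING_DEVICE_SUBNETS) or ["plan passes"]:
        print(finding)
```

Run the script against a plan that mirrors what you intend to enter in Steps 5 through 11; an empty findings list means no check fired. The proposal checks are the ones worth keeping current: the weak-algorithm sets encode a common defender baseline, and because Step 9 generates a default pre-shared key for you, `check_psk` is the place to confirm that whatever key ends up on both peers meets your own length and character-class policy.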

Step 12

Click Next.

Step 13

In the Finish area, review the configuration and continue only if you are satisfied with it.

Step 14

Click Submit.

The configurations are pushed to the Multicloud Defense Gateway.

Step 15

Perform the following steps to deploy the configuration to a cloud-delivered Firewall Management Center-managed threat defense device:

  1. Choose Administration > Integrations > Firewall Management Center.

  2. Ensure the check box corresponding to Cloud-Delivered FMC is checked and in the Actions pane on the right, click Deployment.

  3. Select the device participating in the site-to-site VPN configuration and click Deploy.

  4. Choose Devices > VPN > Site To Site. You can see the same VPN topology that was configured in Security Cloud Control.