Site to Site
Location in GUI: Secure Connections » Site-to-Site VPN & SD-WAN
Diagram
Classes
vpns (fmc.domains)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| site_to_site | List | [site_to_site] | No | |
site_to_site (fmc.domains.vpns)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | | Yes | |
| network_topology | Choice | POINT_TO_POINT, HUB_AND_SPOKE, FULL_MESH | Yes | |
| route_based | Boolean | true, false | Yes | |
| ikev1 | Boolean | true, false | No | false |
| ikev2 | Boolean | true, false | No | false |
| endpoints | List | [endpoints] | Yes | |
| ike_settings | Class | [ike_settings] | No | |
| ipsec_settings | Class | [ipsec_settings] | No | |
| advanced_settings | Class | [advanced_settings] | No | |
endpoints (fmc.domains.vpns.site_to_site)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | | Yes | |
| peer_type | Choice | PEER, HUB, SPOKE | Yes | |
| extranet_device | Boolean | true, false | Yes | |
| allow_incoming_ikev2_routes | Boolean | true, false | No | true |
| backup_interface_logical_name | String | | No | |
| backup_interface_public_ip_address | IP | | No | |
| backup_local_identity_type | Choice | ADDRESS, AUTO, EMAILID, HOSTNAME, KEYID | No | |
| backup_local_identity_string | String | | No | |
| connection_type | Choice | ORIGINATE_ONLY, ANSWER_ONLY, BIDIRECTIONAL | No | ORIGINATE_ONLY |
| extranet_dynamic_ip | IP | | No | |
| extranet_ip_addresses | List | IP | No | |
| interface_logical_name | String | | No | |
| interface_ipv6_address | String | | No | |
| interface_public_ip_address | IP | | No | |
| local_identity_type | Choice | ADDRESS, AUTO, EMAILID, HOSTNAME, KEYID | No | |
| local_identity_string | String | | No | |
| nat_exemption | Boolean | true, false | No | |
| nat_exemption_inside_interface | String | | No | |
| nat_traversal | Boolean | true, false | No | true |
| override_remote_vpn_filter_access_list | String | | No | |
| protected_networks | List | String | No | |
| protected_networks_access_list | String | | No | |
| reverse_route_injection | Boolean | true, false | No | false |
| send_virtual_tunnel_interface_ip_to_peer | Boolean | true, false | No | |
| vpn_filter_access_list | String | | No | |
ike_settings (fmc.domains.vpns.site_to_site)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| ikev1_authentication_type | Choice | MANUAL_PRE_SHARED_KEY, AUTOMATIC_PRE_SHARED_KEY, CERTIFICATE | No | |
| ikev1_automatic_pre_shared_key_length | Integer | min: 1, max: 127 | No | |
| ikev1_certificate | String | | No | |
| ikev1_manual_pre_shared_key | String | | No | |
| ikev1_policies | List | String | No | |
| ikev2_authentication_type | Choice | MANUAL_PRE_SHARED_KEY, AUTOMATIC_PRE_SHARED_KEY, CERTIFICATE | No | |
| ikev2_automatic_pre_shared_key_length | Integer | min: 1, max: 127 | No | |
| ikev2_certificate | String | | No | |
| ikev2_enforce_hex_based_pre_shared_key | Boolean | true, false | No | |
| ikev2_manual_pre_shared_key | String | | No | |
| ikev2_policies | List | String | No | |
ipsec_settings (fmc.domains.vpns.site_to_site)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| crypto_map_type | Choice | STATIC, DYNAMIC | No | |
| do_not_fragment_policy | Choice | SET, COPY, CLEAR, NONE | No | NONE |
| ikev1_ipsec_proposals | List | String | No | |
| ikev2_ipsec_proposals | List | String | No | |
| ikev2_mode | Choice | TUNNEL, TRANSPORT_PREFERRED, TRANSPORT_REQUIRED | No | TUNNEL |
| lifetime_duration | Integer | min: 120, max: 2147483647 | No | 28800 |
| lifetime_size | Integer | min: 10, max: 2147483647 | No | 4608000 |
| perfect_forward_secrecy | Boolean | true, false | No | false |
| perfect_forward_secrecy_modulus_group | Integer | min: 1, max: 31 | No | |
| reverse_route_injection | Boolean | true, false | No | true |
| security_association_strength_enforcement | Boolean | true, false | No | false |
| tfc | Boolean | true, false | No | false |
| tfc_burst_bytes | Integer | min: 0, max: 16 | No | 0 |
| tfc_payload_bytes | Integer | min: 0, max: 1024 | No | 0 |
| tfc_timeout | Integer | min: 0, max: 60 | No | 0 |
| validate_incoming_icmp_error_messages | Boolean | true, false | No | false |
advanced_settings (fmc.domains.vpns.site_to_site)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| ike_keepalive | Choice | DISABLED, ENABLED, ENABLED_INFINITE | No | ENABLED |
| ike_keepalive_threshold | Integer | min: 10, max: 3600 | No | 10 |
| ike_keepalive_retry_interval | Integer | min: 1, max: 10 | No | 2 |
| ike_identity_sent_to_peers | Choice | IP_ADDRESS, HOST_NAME, AUTO_OR_DN | No | AUTO_OR_DN |
| ike_peer_identity_validation | Choice | DO_NOT_CHECK, REQUIRED, IF_SUPPORTED_BY_CERT | No | REQUIRED |
| ike_aggressive_mode | Boolean | true, false | No | false |
| ike_notification_on_tunnel_disconnect | Boolean | true, false | No | false |
| ikev2_cookie_challenge | Choice | CUSTOM, ALWAYS, NEVER | No | CUSTOM |
| ikev2_threshold_to_challenge_incoming_cookies | Integer | min: 0, max: 100 | No | 50 |
| ikev2_number_of_sas_allowed_in_negotiation | Integer | min: 1, max: 100 | No | 100 |
| ikev2_maximum_number_of_sas_allowed | Integer | | No | |
| ipsec_fragmentation_before_encryption | Boolean | true, false | No | true |
| ipsec_path_maximum_transmission_unit_aging_reset_interval | Integer | min: 10, max: 30 | No | |
| spoke_to_spoke_connectivity_through_hub | Boolean | true, false | No | false |
| nat_keepalive_message_traversal_interval | Integer | min: 10, max: 3600 | No | 20 |
| vpn_idle_timeout_value | Integer | min: 1, max: 35791394 | No | 30 |
| sgt_propagation_over_virtual_tunnel_interface | Boolean | true, false | No | |
| bypass_access_control_policy_for_decrypted_traffic | Boolean | true, false | No | false |
| cert_use_certificate_map_configured_in_endpoint_to_determine_tunnel | Boolean | true, false | No | false |
| cert_use_ou_to_determine_tunnel | Boolean | true, false | No | true |
| cert_use_ike_identity_to_determine_tunnel | Boolean | true, false | No | true |
| cert_use_peer_ip_address_to_determine_tunnel | Boolean | true, false | No | true |
Examples
Pre-requisites:

```yaml
fmc:
  domains:
    - name: Global
      objects:
        networks:
          - name: MyNetworkName1
            prefix: 10.10.10.0/24
          - name: MyNetworkName2
            description: My Network 2 Description
            prefix: 10.10.20.0/24
        security_zones:
          - name: MySecurityZoneName1
        ikev2_policies:
          - name: MyIKEv2Policy1
            dh_groups:
              - 14
              - 24
            encryption_algorithms:
              - AES-256
              - AES-GCM-256
            integrity_algorithms:
              - SHA-256
              - SHA-384
            lifetime: 28800
            priority: 1
            prf_algorithms:
              - SHA-256
        ikev2_ipsec_proposals:
          - name: MyIKEv2IPSecProposal1
            esp_encryptions:
              - AES-256
              - AES-GCM-192
            esp_hashes:
              - SHA-256
              - SHA-384
```

Site-to-site VPN:

```yaml
fmc:
  domains:
    - name: Global
      vpns:
        site_to_site:
          - name: MySiteToSiteVPNName1
            network_topology: POINT_TO_POINT
            route_based: false
            ikev2: true
            ike_settings:
              ikev2_authentication_type: MANUAL_PRE_SHARED_KEY
              ikev2_enforce_hex_based_pre_shared_key: false
              ikev2_manual_pre_shared_key: MykeyHere
              ikev2_policies:
                - MyIKEv2Policy1
            endpoints:
              - name: external-1
                extranet_device: true
                peer_type: PEER
                extranet_ip_addresses:
                  - 10.254.252.10
                protected_networks:
                  - MyNetworkName1
              - name: MyDeviceName1
                extranet_device: false
                peer_type: PEER
                interface_logical_name: OUTSIDE
                local_identity_type: HOSTNAME
                connection_type: BIDIRECTIONAL
                protected_networks:
                  - MyNetworkName2
                nat_traversal: true
                nat_exemption: true
                nat_exemption_inside_interface: MySecurityZoneName1
            ipsec_settings:
              crypto_map_type: STATIC
              ikev2_ipsec_proposals:
                - MyIKEv2IPSecProposal1
            advanced_settings:
              bypass_access_control_policy_for_decrypted_traffic: false
```
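The tables above give the mandatory fields, Choice values and ranges, but nothing enforces them until the plan is applied. The following added example (not code from the Network-as-Code project) checks one `site_to_site` entry against those constraints and flags the weak settings a reviewer would reject; `SAMPLE` is a constructed, trimmed Python rendering of the YAML example above, and the 16-character pre-shared-key floor is this example's own policy, not an FMC rule.

```python
# Added example, not code from the Network-as-Code project: checks one
# site_to_site entry against the tables on this page (mandatory fields, Choice
# values) and flags weak settings. SAMPLE is a constructed, trimmed rendering of
# the page's YAML example; the 16-char PSK floor is this example's policy only.
TOPOLOGIES = {"POINT_TO_POINT", "HUB_AND_SPOKE", "FULL_MESH"}
PEER_TYPES = {"PEER", "HUB", "SPOKE"}
AUTH_TYPES = {"MANUAL_PRE_SHARED_KEY", "AUTOMATIC_PRE_SHARED_KEY", "CERTIFICATE"}
SAMPLE = {
    "name": "MySiteToSiteVPNName1", "network_topology": "POINT_TO_POINT",
    "route_based": False, "ikev2": True,
    "ike_settings": {"ikev2_authentication_type": "MANUAL_PRE_SHARED_KEY",
                     "ikev2_manual_pre_shared_key": "MykeyHere",
                     "ikev2_policies": ["MyIKEv2Policy1"]},
    "endpoints": [{"name": "external-1", "extranet_device": True, "peer_type": "PEER",
                   "extranet_ip_addresses": ["10.254.252.10"]},
                  {"name": "MyDeviceName1", "extranet_device": False, "peer_type": "PEER",
                   "interface_logical_name": "OUTSIDE", "connection_type": "BIDIRECTIONAL"}],
    "advanced_settings": {"bypass_access_control_policy_for_decrypted_traffic": False},
}

def validate_site_to_site(vpn):
    """Return a list of findings; an empty list means the entry passes."""
    out = []
    for key in ("name", "network_topology", "route_based", "endpoints"):
        if key not in vpn:
            out.append(f"missing mandatory field {key}")
    if vpn.get("network_topology") not in TOPOLOGIES:
        out.append("network_topology must be one of " + ", ".join(sorted(TOPOLOGIES)))
    if vpn.get("ikev1"):  # IKEv1 is deprecated; IKEv2-only is the safer default
        out.append("ikev1 enabled: IKEv1 is deprecated, prefer ikev2 only")
    ike = vpn.get("ike_settings", {})
    for ver in ("ikev1", "ikev2"):
        auth = ike.get(f"{ver}_authentication_type")
        if auth is not None and auth not in AUTH_TYPES:
            out.append(f"{ver}_authentication_type must be one of " + ", ".join(sorted(AUTH_TYPES)))
        if auth == "MANUAL_PRE_SHARED_KEY" and len(ike.get(f"{ver}_manual_pre_shared_key", "")) < 16:
            out.append(f"{ver}_manual_pre_shared_key missing or shorter than 16 characters")
    for ep in vpn.get("endpoints", []):
        for key in ("name", "peer_type", "extranet_device"):
            if key not in ep:
                out.append(f"endpoint {ep.get('name', '?')} missing mandatory field {key}")
        if ep.get("peer_type") not in PEER_TYPES:
            out.append(f"endpoint {ep.get('name', '?')}: peer_type must be one of " + ", ".join(sorted(PEER_TYPES)))
    adv = vpn.get("advanced_settings", {})
    if adv.get("ike_aggressive_mode"):  # aggressive mode leaks the IKEv1 identity hash
        out.append("ike_aggressive_mode exposes the IKEv1 identity hash to offline PSK guessing")
    if adv.get("ike_peer_identity_validation") == "DO_NOT_CHECK":
        out.append("ike_peer_identity_validation DO_NOT_CHECK accepts any peer identity")
    return out
```

Run against `SAMPLE`, the only finding is the short example key `MykeyHere`, which is exactly the kind of placeholder that should never reach a production plan.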