Skip to content
Network as Code

Site to Site

Location in GUI: Secure Connections » Site-to-Site VPN & SD-WAN

Diagram

Section titled “Diagram”
Diagram

Classes

Section titled “Classes”

vpns (fmc.domains)

Section titled “vpns (fmc.domains)”
NameTypeConstraintMandatoryDefault Value
site_to_siteList[site_to_site]No

site_to_site (fmc.domains.vpns)

Section titled “site_to_site (fmc.domains.vpns)”
NameTypeConstraintMandatoryDefault Value
nameStringYes
network_topologyChoicePOINT_TO_POINT, HUB_AND_SPOKE, FULL_MESHYes
route_basedBooleantrue, falseYes
ikev1Booleantrue, falseNofalse
ikev2Booleantrue, falseNofalse
endpointsList[endpoints]Yes
ike_settingsClass[ike_settings]No
ipsec_settingsClass[ipsec_settings]No
advanced_settingsClass[advanced_settings]No

endpoints (fmc.domains.vpns.site_to_site)

Section titled “endpoints (fmc.domains.vpns.site_to_site)”
NameTypeConstraintMandatoryDefault Value
nameStringYes
peer_typeChoicePEER, HUB, SPOKEYes
extranet_deviceBooleantrue, falseYes
allow_incoming_ikev2_routesBooleantrue, falseNotrue
backup_interface_logical_nameStringNo
backup_interface_public_ip_addressIPNo
backup_local_identity_typeChoiceADDRESS, AUTO, EMAILID, HOSTNAME, KEYIDNo
backup_local_identity_stringStringNo
connection_typeChoiceORIGINATE_ONLY, ANSWER_ONLY, BIDIRECTIONALNoORIGINATE_ONLY
extranet_dynamic_ipBooleantrue, falseNo
extranet_ip_addressesListIPNo
interface_logical_nameStringNo
interface_ipv6_addressStringNo
interface_public_ip_addressIPNo
local_identity_typeChoiceADDRESS, AUTO, EMAILID, HOSTNAME, KEYIDNo
local_identity_stringStringNo
nat_exemptionBooleantrue, falseNo
nat_exemption_inside_interfaceStringNo
nat_traversalBooleantrue, falseNotrue
override_remote_vpn_filter_access_listStringNo
protected_networksListStringNo
protected_networks_access_listStringNo
reverse_route_injectionBooleantrue, falseNofalse
send_virtual_tunnel_interface_ip_to_peerBooleantrue, falseNo
vpn_filter_access_listStringNo

ike_settings (fmc.domains.vpns.site_to_site)

Section titled “ike_settings (fmc.domains.vpns.site_to_site)”
NameTypeConstraintMandatoryDefault Value
ikev1_authentication_typeChoiceMANUAL_PRE_SHARED_KEY, AUTOMATIC_PRE_SHARED_KEY, CERTIFICATENo
ikev1_automatic_pre_shared_key_lengthIntegermin: 1, max: 127No
ikev1_certificateStringNo
ikev1_manual_pre_shared_keyStringNo
ikev1_policiesListStringNo
ikev2_authentication_typeChoiceMANUAL_PRE_SHARED_KEY, AUTOMATIC_PRE_SHARED_KEY, CERTIFICATENo
ikev2_automatic_pre_shared_key_lengthIntegermin: 1, max: 127No
ikev2_certificateStringNo
ikev2_enforce_hex_based_pre_shared_keyBooleantrue, falseNo
ikev2_manual_pre_shared_keyStringNo
ikev2_policiesListStringNo

ipsec_settings (fmc.domains.vpns.site_to_site)

Section titled “ipsec_settings (fmc.domains.vpns.site_to_site)”
NameTypeConstraintMandatoryDefault Value
crypto_map_typeChoiceSTATIC, DYNAMICNo
do_not_fragment_policyChoiceSET, COPY, CLEAR, NONENoNONE
ikev1_ipsec_proposalsListStringNo
ikev2_ipsec_proposalsListStringNo
ikev2_modeChoiceTUNNEL, TRANSPORT_PREFERRED, TRANSPORT_REQUIREDNoTUNNEL
lifetime_durationIntegermin: 120, max: 2147483647No28800
lifetime_sizeIntegermin: 10, max: 2147483647No4608000
perfect_forward_secrecyBooleantrue, falseNofalse
perfect_forward_secrecy_modulus_groupIntegermin: 1, max: 31No
reverse_route_injectionBooleantrue, falseNotrue
security_association_strength_enforcementBooleantrue, falseNofalse
tfcBooleantrue, falseNofalse
tfc_burst_bytesIntegermin: 0, max: 16No0
tfc_payload_bytesIntegermin: 0, max: 1024No0
tfc_timeoutIntegermin: 0, max: 60No0
validate_incoming_icmp_error_messagesBooleantrue, falseNofalse

advanced_settings (fmc.domains.vpns.site_to_site)

Section titled “advanced_settings (fmc.domains.vpns.site_to_site)”
NameTypeConstraintMandatoryDefault Value
ike_keepaliveChoiceDISABLED, ENABLED, ENABLED_INFINITENoENABLED
ike_keepalive_thresholdIntegermin: 10, max: 3600No10
ike_keepalive_retry_intervalIntegermin: 1, max: 10No2
ike_identity_sent_to_peersChoiceIP_ADDRESS, HOST_NAME, AUTO_OR_DNNoAUTO_OR_DN
ike_peer_identity_validationChoiceDO_NOT_CHECK, REQUIRED, IF_SUPPORTED_BY_CERTNoREQUIRED
ike_aggressive_modeBooleantrue, falseNofalse
ike_notification_on_tunnel_disconnectBooleantrue, falseNofalse
ikev2_cookie_challengeChoiceCUSTOM, ALWAYS, NEVERNoCUSTOM
ikev2_threshold_to_challenge_incoming_cookiesIntegermin: 0, max: 100No50
ikev2_number_of_sas_allowed_in_negotiationIntegermin: 1, max: 100No100
ikev2_maximum_number_of_sas_allowedIntegerNo
ipsec_fragmentation_before_encryptionBooleantrue, falseNotrue
ipsec_path_maximum_transmission_unit_aging_reset_intervalIntegermin: 10, max: 30No
spoke_to_spoke_connectivity_through_hubBooleantrue, falseNofalse
nat_keepalive_message_traversal_intervalIntegermin: 10, max: 3600No20
vpn_idle_timeout_valueIntegermin: 1, max: 35791394No30
sgt_propagation_over_virtual_tunnel_interfaceBooleantrue, falseNofalse
bypass_access_control_policy_for_decrypted_trafficBooleantrue, falseNofalse
cert_use_certificate_map_configured_in_endpoint_to_determine_tunnelBooleantrue, falseNofalse
cert_use_ou_to_determine_tunnelBooleantrue, falseNotrue
cert_use_ike_identity_to_determine_tunnelBooleantrue, falseNotrue
cert_use_peer_ip_address_to_determine_tunnelBooleantrue, falseNotrue

Examples

Section titled “Examples”

Pre-requisites:

fmc:
  domains:
    - name: Global
      objects:


        networks:
          - name: MyNetworkName1
            prefix: 10.10.10.0/24
          - name: MyNetworkName2
            description: My Network 2 Description
            prefix: 10.10.20.0/24


        security_zones:
          - name: MySecurityZoneName1


        ikev2_policies:
          - name: MyIKEv2Policy1
            dh_groups:
              - 14
              - 24
            encryption_algorithms:
              - AES-256
              - AES-GCM-256
            integrity_algorithms:
              - SHA-256
              - SHA-384
            lifetime: 28800
            priority: 1
            prf_algorithms:
              - SHA-256


        ikev2_ipsec_proposals:
          - name: MyIKEv2IPSecProposal1
            esp_encryptions:
              - AES-256
              - AES-GCM-192
            esp_hashes:
              - SHA-256
              - SHA-384

Site-to-site VPN:

fmc:
  domains:
    - name: Global
      vpns:
        site_to_site:


          - name: MySiteToSiteVPNName1
            network_topology: POINT_TO_POINT
            route_based: false
            ikev2: true
            ike_settings:
              ikev2_authentication_type: MANUAL_PRE_SHARED_KEY
              ikev2_enforce_hex_based_pre_shared_key: false
              ikev2_manual_pre_shared_key: MykeyHere
              ikev2_policies:
                - MyIKEv2Policy1
            endpoints:
              - name: external-1
                extranet_device: true
                peer_type: PEER
                extranet_ip_addresses:
                  - 10.254.252.10
                protected_networks:
                  - MyNetworkName1
              - name: MyDeviceName1
                extranet_device: false
                peer_type: PEER
                interface_logical_name: OUTSIDE
                local_identity_type: HOSTNAME
                connection_type: BIDIRECTIONAL
                protected_networks:
                  - MyNetworkName2
                nat_traversal: true
                nat_exemption: true
                nat_exemption_inside_interface: MySecurityZoneName1
            ipsec_settings:
              crypto_map_type: STATIC
              ikev2_ipsec_proposals:
                - MyIKEv2IPSecProposal1
            advanced_settings:
              bypass_access_control_policy_for_decrypted_traffic: false

Location in GUI: Secure Connections » Site-to-Site VPN & SD-WAN

Diagram

Section titled “Diagram”
Diagram

Classes

Section titled “Classes”

vpns (fmc.domains)

Section titled “vpns (fmc.domains)”
NameTypeConstraintMandatoryDefault Value
site_to_siteList[site_to_site]No

site_to_site (fmc.domains.vpns)

Section titled “site_to_site (fmc.domains.vpns)”
NameTypeConstraintMandatoryDefault Value
nameStringYes
network_topologyChoicePOINT_TO_POINT, HUB_AND_SPOKE, FULL_MESHYes
route_basedBooleantrue, falseYes
ikev1Booleantrue, falseNofalse
ikev2Booleantrue, falseNofalse
endpointsList[endpoints]Yes
ike_settingsClass[ike_settings]No
ipsec_settingsClass[ipsec_settings]No
advanced_settingsClass[advanced_settings]No

endpoints (fmc.domains.vpns.site_to_site)

Section titled “endpoints (fmc.domains.vpns.site_to_site)”
NameTypeConstraintMandatoryDefault Value
nameStringYes
peer_typeChoicePEER, HUB, SPOKEYes
extranet_deviceBooleantrue, falseYes
allow_incoming_ikev2_routesBooleantrue, falseNotrue
backup_interface_logical_nameStringNo
backup_interface_public_ip_addressIPNo
backup_local_identity_typeChoiceADDRESS, AUTO, EMAILID, HOSTNAME, KEYIDNo
backup_local_identity_stringStringNo
connection_typeChoiceORIGINATE_ONLY, ANSWER_ONLY, BIDIRECTIONALNoORIGINATE_ONLY
extranet_dynamic_ipIPNo
extranet_ip_addressesListIPNo
interface_logical_nameStringNo
interface_ipv6_addressStringNo
interface_public_ip_addressIPNo
local_identity_typeChoiceADDRESS, AUTO, EMAILID, HOSTNAME, KEYIDNo
local_identity_stringStringNo
nat_exemptionBooleantrue, falseNo
nat_exemption_inside_interfaceStringNo
nat_traversalBooleantrue, falseNotrue
override_remote_vpn_filter_access_listStringNo
protected_networksListStringNo
protected_networks_access_listStringNo
reverse_route_injectionBooleantrue, falseNofalse
send_virtual_tunnel_interface_ip_to_peerBooleantrue, falseNo
vpn_filter_access_listStringNo

ike_settings (fmc.domains.vpns.site_to_site)

Section titled “ike_settings (fmc.domains.vpns.site_to_site)”
NameTypeConstraintMandatoryDefault Value
ikev1_authentication_typeChoiceMANUAL_PRE_SHARED_KEY, AUTOMATIC_PRE_SHARED_KEY, CERTIFICATENo
ikev1_automatic_pre_shared_key_lengthIntegermin: 1, max: 127No
ikev1_certificateStringNo
ikev1_manual_pre_shared_keyStringNo
ikev1_policiesListStringNo
ikev2_authentication_typeChoiceMANUAL_PRE_SHARED_KEY, AUTOMATIC_PRE_SHARED_KEY, CERTIFICATENo
ikev2_automatic_pre_shared_key_lengthIntegermin: 1, max: 127No
ikev2_certificateStringNo
ikev2_enforce_hex_based_pre_shared_keyBooleantrue, falseNo
ikev2_manual_pre_shared_keyStringNo
ikev2_policiesListStringNo

ipsec_settings (fmc.domains.vpns.site_to_site)

Section titled “ipsec_settings (fmc.domains.vpns.site_to_site)”
NameTypeConstraintMandatoryDefault Value
crypto_map_typeChoiceSTATIC, DYNAMICNo
do_not_fragment_policyChoiceSET, COPY, CLEAR, NONENoNONE
ikev1_ipsec_proposalsListStringNo
ikev2_ipsec_proposalsListStringNo
ikev2_modeChoiceTUNNEL, TRANSPORT_PREFERRED, TRANSPORT_REQUIREDNoTUNNEL
lifetime_durationIntegermin: 120, max: 2147483647No28800
lifetime_sizeIntegermin: 10, max: 2147483647No4608000
perfect_forward_secrecyBooleantrue, falseNofalse
perfect_forward_secrecy_modulus_groupIntegermin: 1, max: 31No
reverse_route_injectionBooleantrue, falseNotrue
security_association_strength_enforcementBooleantrue, falseNofalse
tfcBooleantrue, falseNofalse
tfc_burst_bytesIntegermin: 0, max: 16No0
tfc_payload_bytesIntegermin: 0, max: 1024No0
tfc_timeoutIntegermin: 0, max: 60No0
validate_incoming_icmp_error_messagesBooleantrue, falseNofalse

advanced_settings (fmc.domains.vpns.site_to_site)

Section titled “advanced_settings (fmc.domains.vpns.site_to_site)”
NameTypeConstraintMandatoryDefault Value
ike_keepaliveChoiceDISABLED, ENABLED, ENABLED_INFINITENoENABLED
ike_keepalive_thresholdIntegermin: 10, max: 3600No10
ike_keepalive_retry_intervalIntegermin: 1, max: 10No2
ike_identity_sent_to_peersChoiceIP_ADDRESS, HOST_NAME, AUTO_OR_DNNoAUTO_OR_DN
ike_peer_identity_validationChoiceDO_NOT_CHECK, REQUIRED, IF_SUPPORTED_BY_CERTNoREQUIRED
ike_aggressive_modeBooleantrue, falseNofalse
ike_notification_on_tunnel_disconnectBooleantrue, falseNofalse
ikev2_cookie_challengeChoiceCUSTOM, ALWAYS, NEVERNoCUSTOM
ikev2_threshold_to_challenge_incoming_cookiesIntegermin: 0, max: 100No50
ikev2_number_of_sas_allowed_in_negotiationIntegermin: 1, max: 100No100
ikev2_maximum_number_of_sas_allowedIntegerNo
ipsec_fragmentation_before_encryptionBooleantrue, falseNotrue
ipsec_path_maximum_transmission_unit_aging_reset_intervalIntegermin: 10, max: 30No
spoke_to_spoke_connectivity_through_hubBooleantrue, falseNofalse
nat_keepalive_message_traversal_intervalIntegermin: 10, max: 3600No20
vpn_idle_timeout_valueIntegermin: 1, max: 35791394No30
sgt_propagation_over_virtual_tunnel_interfaceBooleantrue, falseNofalse
bypass_access_control_policy_for_decrypted_trafficBooleantrue, falseNofalse
cert_use_certificate_map_configured_in_endpoint_to_determine_tunnelBooleantrue, falseNofalse
cert_use_ou_to_determine_tunnelBooleantrue, falseNotrue
cert_use_ike_identity_to_determine_tunnelBooleantrue, falseNotrue
cert_use_peer_ip_address_to_determine_tunnelBooleantrue, falseNotrue

Examples

Section titled “Examples”

Pre-requisites:

fmc:
  domains:
    - name: Global
      objects:


        networks:
          - name: MyNetworkName1
            prefix: 10.10.10.0/24
          - name: MyNetworkName2
            description: My Network 2 Description
            prefix: 10.10.20.0/24


        security_zones:
          - name: MySecurityZoneName1


        ikev2_policies:
          - name: MyIKEv2Policy1
            dh_groups:
              - 14
              - 24
            encryption_algorithms:
              - AES-256
              - AES-GCM-256
            integrity_algorithms:
              - SHA-256
              - SHA-384
            lifetime: 28800
            priority: 1
            prf_algorithms:
              - SHA-256


        ikev2_ipsec_proposals:
          - name: MyIKEv2IPSecProposal1
            esp_encryptions:
              - AES-256
              - AES-GCM-192
            esp_hashes:
              - SHA-256
              - SHA-384

Site-to-site VPN:

fmc:
  domains:
    - name: Global
      vpns:
        site_to_site:


          - name: MySiteToSiteVPNName1
            network_topology: POINT_TO_POINT
            route_based: false
            ikev2: true
            ike_settings:
              ikev2_authentication_type: MANUAL_PRE_SHARED_KEY
              ikev2_enforce_hex_based_pre_shared_key: false
              ikev2_manual_pre_shared_key: MykeyHere
              ikev2_policies:
                - MyIKEv2Policy1
            endpoints:
              - name: external-1
                extranet_device: true
                peer_type: PEER
                extranet_ip_addresses:
                  - 10.254.252.10
                protected_networks:
                  - MyNetworkName1
              - name: MyDeviceName1
                extranet_device: false
                peer_type: PEER
                interface_logical_name: OUTSIDE
                local_identity_type: HOSTNAME
                connection_type: BIDIRECTIONAL
                protected_networks:
                  - MyNetworkName2
                nat_traversal: true
                nat_exemption: true
                nat_exemption_inside_interface: MySecurityZoneName1
            ipsec_settings:
              crypto_map_type: STATIC
              ikev2_ipsec_proposals:
                - MyIKEv2IPSecProposal1
            advanced_settings:
              bypass_access_control_policy_for_decrypted_traffic: false