Configuring Site-to-Site VPN for Firepower Threat Defense

In this article we will take a look at how to configure site-to-site virtual private networks (VPN) on Firepower Threat Defense (FTD) managed devices.


Note: This demonstration assumes that managed devices are licensed appropriately.


In this demonstration, the site-to-site VPN will be configured using IKEv2. One Firepower device is configured as a standalone and will be configured using the Firepower Device Manager (FDM) and the other is configured to be managed using the Firepower Management Center (FMC).


The underlying network is already configured and will NOT be covered as part of this demonstration.


Configuring Firepower S2S VPN using FDM


Access the FDM GUI and login to the Firepower appliance



From the device summary page, scroll to the bottom of the page and click on Site to Site VPN



Click on 'Create Site-to-Site Connection'


Configure the following settings relevant to your environment:

  • Connection Profile Name

  • Local VPN Access Interface

  • Local Network for interesting VPN traffic

  • Remote Site IP Address

  • Remote Site Network for interesting VPN traffic


Click 'Next' to configure the IKE policy. As mentioned at the start of the article, we will focus on configuring IKEv2.


The following IKEv2 policy is configured for this demonstration. Modify your policy as best suited to your organisation.



Configure the IPsec Proposal settings and complete the configuration by specifying the Pre-shared key (PSK) for both the local and remote peers.


Note: There is no need for NAT exception in this demonstration however please consider this in your environment if required.




Click 'Next' and verify the configuration before proceeding by pressing the 'Finish' button to complete the S2S configuration.




The last step is to create an access control policy to permit the interesting traffic across the VPN.


On the menu bar click 'Policies' and proceed to create an access rule to permit the local sites interesting traffic.



The last step is to deploy the configuration. Navigate to 'Deployment', check the items that will be deployed and proceed with the deployment to apply the configuration changes to the device.


Note: If on a production network, this change should be performed as part of a change window.



Configuring Firepower S2S VPN using the FMC


To configure S2S VPN using the FMC navigate to Devices > VPN > Site to Site and click 'Firepower Threat Defense Device'.


On the Endpoints tab, configure the following settings relevant to your environment:

  • Connection Profile Name

  • Local VPN Access Interface

  • Local Network for interesting VPN traffic

  • Remote Site IP Address

  • Remote Site Network for interesting VPN traffic



Once the Endpoint tab has been configured, click on the 'IKE' tab and configure the IKEv2 settings, ensuring that they match the peer device.



Click on the IPsec tab and ensure the configuration is mutual to the peer device.


Once complete, click 'Save' (The Advanced tab is beyond the scope of this article).



The VPN configuration is now complete. Please ensure that you've configured any Access Control Lists relevant for interesting traffic as well as NAT configuration if required.


Once satisfied with the configuration, proceed to deploy the configuration to the managed device by navigating to 'Deploy'.


Once the configuration has been deployed, you should be ready to test the VPN connection. The best way to do this is to establish connectivity between interesting networks. You can also verify that the VPN has come up using the following commands.


show crypto ikev2 sa
show vpn-sessiondb


©2020 by Network Wizkid