Prerequisites and Limitations for Site-to-Site VPN Tunnels
Supported VPN Tunnel Connection Endpoints
You can create a VPN tunnel connection with any of the following setups:
- Multicloud Defense Gateway to a Multicloud Defense Gateway.
- Multicloud Defense Gateway to a cloud service provider (AWS, Azure, GCP).
- Multicloud Defense Gateway to an ASA device hosted in CDO.
Multicloud Defense Gateway Prerequisites and Limitations
You must have the following prerequisites completed prior to creating a VPN tunnel, regardless of the type of device or platform involved:
- You must be running Multicloud Defense Gateway version 24.04 or version 24.04-01. This includes Terraform versions.
- You must have VPN enabled in the gateway.
- At least one cloud service provider or third-party device must already be connected to Multicloud Defense.
- Your cloud service provider or third-party device must be configured to allow and create VPN tunnel connections. See the service or platform documentation for more information.
- You must have at least one IPsec profile. This profile must be attached to the VPN tunnel connection.
- The VPC and VNet must be deployed without a Network Address Translation (NAT) gateway on both sides.
- (Optional) We recommend creating at least one BGP profile. This profile must be attached to the gateway instance associated with the VPN tunnel connection.
Note: If you plan to use your gateway for a VPN tunnel, we strongly recommend creating a BGP profile after configuring the Multicloud Defense Gateway. VPN tunnels can be more effective when paired with a BGP profile, because the profile offers additional control over how traffic flows in your networks. See BGP Profile for more information.
Be aware of the following limitations when creating a VPN tunnel connection:
- The Multicloud Defense Gateway you select must be an egress/east-west gateway.
- AWS and Azure gateways must be an 8-core instance type. 2-core and 4-core instance types are not supported at this time.
- Site-to-site VPN connections support up to 10 VPN peers.
- VPCs and VNets for either an AWS or an Azure environment must be created with a single availability zone. Multiple availability zones are not supported at this time.
- Site-to-site VPN tunnels do not support forward-proxy firewall rules at this time.
- Your bandwidth must be at least 800 Mbps.
Note: If you disable or enable a gateway, you must delete the site-to-site connection associated with the gateway and recreate the VPN connection.
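The prerequisites and limitations above are easy to miss during deployment, so a preflight check that encodes them as hard errors (and the BGP recommendation as a warning) is a useful guardrail. This is an added example, not Cisco's code; the gateway dictionary, its field names and the sample values are constructed assumptions, not a real Multicloud Defense API schema.

```python
# Added preflight check (not Cisco's code). Field names such as version,
# vpn_enabled, role and peers are assumed, not a real Multicloud Defense schema.

SUPPORTED_VERSIONS = {"24.04", "24.04-01"}
REQUIRED_CORES = {"aws": 8, "azure": 8}   # 2-core and 4-core are not supported
MAX_VPN_PEERS = 10
MIN_BANDWIDTH_MBPS = 800
REQUIRED_ROLE = "egress/east-west"         # assumed role label

def check_vpn_prerequisites(gw: dict) -> dict:
    """Return {'errors': [...], 'warnings': [...]}; empty errors means all hard requirements hold."""
    errors, warnings = [], []
    if gw.get("version") not in SUPPORTED_VERSIONS:
        errors.append(f"gateway version {gw.get('version')!r} is not 24.04 or 24.04-01")
    if not gw.get("vpn_enabled"):
        errors.append("VPN is not enabled on the gateway")
    if gw.get("role") != REQUIRED_ROLE:
        errors.append("gateway must be an egress/east-west gateway")
    cloud = gw.get("cloud")
    if cloud in REQUIRED_CORES and gw.get("cores") != REQUIRED_CORES[cloud]:
        errors.append(f"{cloud} gateways must be 8-core (got {gw.get('cores')})")
    if not gw.get("ipsec_profile"):
        errors.append("no IPsec profile attached to the VPN tunnel connection")
    if gw.get("nat_gateway"):
        errors.append("VPC/VNet must be deployed without a NAT gateway")
    if len(gw.get("peers", [])) > MAX_VPN_PEERS:
        errors.append(f"{len(gw['peers'])} VPN peers exceeds the limit of {MAX_VPN_PEERS}")
    if len(gw.get("availability_zones", [])) != 1:
        errors.append("VPC/VNet must use exactly one availability zone")
    if gw.get("bandwidth_mbps", 0) < MIN_BANDWIDTH_MBPS:
        errors.append(f"bandwidth must be at least {MIN_BANDWIDTH_MBPS} Mbps")
    if not gw.get("bgp_profile"):
        warnings.append("no BGP profile attached (recommended)")
    return {"errors": errors, "warnings": warnings}


# Constructed sample gateways for illustration (not real deployments).
GOOD_GATEWAY = {
    "version": "24.04-01", "vpn_enabled": True, "role": REQUIRED_ROLE,
    "cloud": "aws", "cores": 8, "ipsec_profile": "ipsec-default",
    "bgp_profile": None, "nat_gateway": False, "peers": ["peer-1"],
    "availability_zones": ["us-east-1a"], "bandwidth_mbps": 1000,
}
BAD_GATEWAY = {
    "version": "24.02", "vpn_enabled": False, "role": "ingress",
    "cloud": "azure", "cores": 4, "ipsec_profile": "", "bgp_profile": "bgp-1",
    "nat_gateway": True, "peers": [f"peer-{i}" for i in range(11)],
    "availability_zones": ["zone-1", "zone-2"], "bandwidth_mbps": 500,
}
```

Run `check_vpn_prerequisites(BAD_GATEWAY)` to see every violated limitation listed at once; the GOOD_GATEWAY case passes with only the BGP warning.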
Limitations for VPN Tunnel Between Multicloud Defense and an ASA Device
Be aware of the following limitations when creating a VPN tunnel connection between the Multicloud Defense Gateway and an ASA device:
- When choosing the endpoints for the VPN tunnel, ensure that one endpoint is an ASA device and the other endpoint is a Multicloud Defense Gateway (step 4-6).
- If you create a site-to-site VPN tunnel for a third-party or an on-premises device, the table of VPN connections only displays the status of the IPsec profile on the Multicloud Defense endpoint of the connection.
- Autoscaling is not currently supported.
For more information on VPN tunnels to an ASA device that is hosted in CDO, see ASA Site-to-Site VPN Configuration.
Note: If you are using a third-party device or an on-premises management center, only the Multicloud Defense side of the IPsec status is displayed at this time.
Limitations for VPN Tunnel Between Multicloud Defense and an FTD Device
Be aware of the following limitations and supported features when creating a VPN tunnel connection between the Multicloud Defense Gateway and an FTD device:
- Both IPsec IKEv1 and IKEv2 protocols are supported.
- Automatic or manual pre-shared keys are supported for authentication.
- IPv4 and IPv6 are supported; all combinations of inside and outside addressing are supported.
- IPsec IKEv2 site-to-site VPN topologies provide configuration settings to comply with Security Certifications.
- Static and dynamic interfaces are supported.
- A dynamic IP address for the extranet device as an endpoint is supported.
For more information on VPN tunnels to an FTD device that is hosted in CDO, see Configure Site-to-Site VPN for an FDM-Managed Device.