Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 11: Using Gateway VPNs
A virtual private network (VPN) is a network connection that establishes a secure tunnel between
endpoints across a public network, such as the Internet. You can configure the FireSIGHT
System to build secure VPN tunnels between the virtual routers of Cisco managed devices. The system
builds these tunnels using the Internet Protocol Security (IPSec) protocol suite.
Only Cisco managed devices can be used as endpoints in Cisco VPN deployments. Third-party endpoints
are not supported.
After the VPN connection is established, the hosts behind the local gateway can connect to the hosts 
behind the remote gateway through the secure VPN tunnel. A connection consists of the IP addresses 
and host names of the two gateways, the subnets behind them, and the shared secrets for the two 
gateways to authenticate to each other.
The VPN endpoints authenticate to each other using either Internet Key Exchange (IKE) version 1 or
version 2 to negotiate the security association for the tunnel. The system then protects the data
entering the tunnel with either the IPSec Authentication Header (AH) protocol or the IPSec
Encapsulating Security Payload (ESP) protocol. AH provides integrity and origin authentication for the
packet, including the fields of the outer IP header that do not change in transit, but it does not
encrypt anything, so an AH-only tunnel carries the inner traffic in cleartext across the public
network. ESP encrypts the encapsulated data and authenticates it as well, but its integrity check
covers only the ESP header and payload, not the outer IP header.
If you have access control policies in your deployment, the system does not send traffic into the VPN
tunnel until that traffic has passed access control. In addition, the system does not send tunnel
traffic to the public network while the tunnel is down.
To configure and apply VPN deployments, you must have a VPN license enabled on each of your target 
managed devices. Additionally, VPN features are only available on Series 3 devices.
See the following sections for more information on creating and managing VPN deployments:
Understanding IPSec
The IPSec protocol suite defines how IP packets sent across a VPN tunnel are hashed, encrypted, and
encapsulated in the ESP or AH security protocol. The FireSIGHT System uses the hash algorithm,
encryption algorithm, and keys of the Security Association (SA) that the Internet Key Exchange (IKE)
protocol negotiates between the two gateways.
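The following is an added example, not code from the FireSIGHT System or from this guide. It builds ESP and AH packets in the RFC 4303 and RFC 4302 layouts over constructed test data and shows the difference described in the AH/ESP paragraph and in this section: ESP hides the inner datagram and detects tampering with its own header and payload, while AH leaves the inner datagram readable but also covers the outer IP header. Integrity uses HMAC-SHA-256 truncated to 128 bits; because the Python standard library has no AES, confidentiality uses an HMAC-based counter keystream as a labelled stand-in for the cipher the SA would actually carry. Keys, SPI values, the fake outer header and the inner datagram are all assumptions made up for the example.

```python
"""Added example (not FireSIGHT code): ESP vs AH framing and what each protects.
Integrity: HMAC-SHA-256 truncated to 128 bits. Confidentiality: a toy
HMAC-SHA-256 counter keystream standing in for AES, because the stdlib has no
AES and the point is the framing, not the cipher. All keys and packet contents
below are constructed test data."""
import hashlib
import hmac
import os
import struct

ICV_LEN = 16  # truncated ICV length in bytes (HMAC-SHA-256-128)


def _keystream(enc_key: bytes, iv: bytes, length: int) -> bytes:
    """Toy counter-mode keystream (HMAC-SHA-256 as PRF). Stand-in for AES."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def esp_encapsulate(spi: int, seq: int, payload: bytes, next_header: int,
                    enc_key: bytes, auth_key: bytes, iv=None) -> bytes:
    """ESP packet (RFC 4303): SPI | Seq | IV | ciphertext | ICV.
    The ciphertext covers payload + padding + Pad Length + Next Header, so the
    inner protocol is hidden. The ICV covers SPI, Seq, IV and ciphertext, but
    not the outer IP header (that is the AH-only property)."""
    iv = os.urandom(16) if iv is None else iv
    pad_len = (-(len(payload) + 2)) % 4  # trailer must end on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    plaintext = payload + trailer
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, iv, len(plaintext))))
    authenticated = struct.pack(">II", spi, seq) + iv + ciphertext
    icv = hmac.new(auth_key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    return authenticated + icv


def esp_decapsulate(packet: bytes, enc_key: bytes, auth_key: bytes, last_seq: int):
    """Verify the ICV before decrypting anything, enforce that the sequence
    number advances (simplified anti-replay), then strip the trailer.
    Returns (spi, seq, next_header, payload) or raises ValueError."""
    if len(packet) < 8 + 16 + 2 + ICV_LEN:
        raise ValueError("ESP packet too short")
    authenticated, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV check failed")
    spi, seq = struct.unpack(">II", authenticated[:8])
    if seq <= last_seq:
        raise ValueError(f"replayed or out-of-order ESP packet: seq={seq}")
    iv, ciphertext = authenticated[8:24], authenticated[24:]
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, iv, len(ciphertext))))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    return spi, seq, next_header, plaintext[:len(plaintext) - 2 - pad_len]


def ah_encapsulate(outer_ip_header: bytes, spi: int, seq: int, payload: bytes,
                   next_header: int, auth_key: bytes) -> bytes:
    """AH (RFC 4302): Next Header | Payload Len | Reserved | SPI | Seq | ICV,
    followed by the payload in the clear. The ICV is computed over the
    (immutable) outer IP header, the AH header with its ICV zeroed, and the
    payload. Nothing is encrypted."""
    payload_len = (12 + ICV_LEN) // 4 - 2  # AH length in 32-bit words, minus 2
    ah_fixed = struct.pack(">BBHII", next_header, payload_len, 0, spi, seq)
    icv = hmac.new(auth_key, outer_ip_header + ah_fixed + bytes(ICV_LEN) + payload,
                   hashlib.sha256).digest()[:ICV_LEN]
    return ah_fixed + icv + payload


def ah_verify(outer_ip_header: bytes, packet: bytes, auth_key: bytes):
    """Check the AH ICV; returns (spi, seq, next_header, payload) or raises."""
    ah_fixed, icv, payload = packet[:12], packet[12:12 + ICV_LEN], packet[12 + ICV_LEN:]
    next_header, _, _, spi, seq = struct.unpack(">BBHII", ah_fixed)
    expected = hmac.new(auth_key, outer_ip_header + ah_fixed + bytes(ICV_LEN) + payload,
                        hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("AH ICV check failed")
    return spi, seq, next_header, payload


def _rejects(fn) -> bool:
    try:
        fn()
        return False
    except ValueError:
        return True


def demo() -> dict:
    """Constructed data: fixed keys, a fake 20-byte outer IPv4 header, one datagram."""
    enc_key, auth_key = b"E" * 32, b"A" * 32
    outer_hdr = bytes([0x45]) + bytes(19)
    inner = b"GET /secret HTTP/1.1"
    esp = esp_encapsulate(0x1001, 1, inner, 4, enc_key, auth_key, iv=bytes(16))
    ah = ah_encapsulate(outer_hdr, 0x1002, 1, inner, 4, auth_key)
    tampered_esp = bytearray(esp)
    tampered_esp[30] ^= 0x01  # flip one ciphertext byte
    tampered_outer = bytes([0x46]) + outer_hdr[1:]  # change an outer-header field
    return {
        "esp_hides_payload": inner not in esp,
        "ah_exposes_payload": inner in ah,
        "esp_roundtrip": esp_decapsulate(esp, enc_key, auth_key, last_seq=0)[3] == inner,
        "ah_roundtrip": ah_verify(outer_hdr, ah, auth_key)[3] == inner,
        "esp_detects_tamper": _rejects(lambda: esp_decapsulate(bytes(tampered_esp), enc_key, auth_key, 0)),
        "ah_detects_outer_header_tamper": _rejects(lambda: ah_verify(tampered_outer, ah, auth_key)),
        "esp_rejects_replay": _rejects(lambda: esp_decapsulate(esp, enc_key, auth_key, last_seq=1)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The order of operations in `esp_decapsulate` is the part worth copying: the ICV is checked with a constant-time compare before any decryption or parsing of the trailer, and the sequence number is checked before the payload is handed up, which is the same discipline a real IPSec stack applies with its anti-replay window.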