FMC Preshared Automatic Key

When we configure a site to site VPN in FMC, on the IKE tab, we see an authentication type option to use a Preshared Automatic Key. In this post we will see what that option does for us. FMC as you know can manage multiple FTD appliances. The appliances that would be managed by the FMC do not necessarily have to be located in the same domain. For instance, we might have an FTD in London and another in New York, both managed by the same FMC.

In that case, you might want to set up a site to site VPN between those two FTD appliances. Now because both of them are managed by the same FMC, the FMC can push whatever policies or settings to those appliances. Here where the Preshared Automatic Key would be used.

When we use the Preshared Automatic Key in our VPN topology, we are simply saying, hey FMC, take care of generating a preshared key for this VPN, and push it to the interested peers. We can set how long the Preshared Automatic Key can be, and the FMC will mix it with upper and lower characters along with numbers.

The Preshared Automatic Key can't be used if one of the two peers is not managed by the FMC, since as you could guess, the FMC would not be able to push any settings to the external peer.

In this lab we will have two peers one is called FTDv-02 and another called FTDv-03. We will set up a site to site VPN between them and we will use the Preshared Automatic Key. Once we deploy the configuration from the FMC, we will go to check how this Preshared Automatic Key looks like on both appliances.

The lab will be focusing only on the VPN configuration part. The NAT exemption rules and all IP addressing have been already configured. You will see on the topology a DHCP server behind the FTDv-03. The reason why I put this server in the topology is because the next post will show how to configure DHCP Relay in the FMC.