Configure an IKE gateway peer address as an FQDN, or as an
address object that uses an FQDN, so that you do not have to reconfigure the peer
when that address changes.
When you configure an IPSec tunnel with an
IKE gateway peer, you can now specify the peer address as an FQDN
or as an address object that uses an FQDN. Using an FQDN for the peer
address saves you from repeatedly reconfiguring peer addresses in
several scenarios. An FQDN prevents the IKE exchange problems that arise
when many branch offices use a DHCP-assigned address on their external
interface and that dynamic address changes. Similarly, FQDNs are
a benefit in cloud environments where AWS and Azure use dynamic
addresses as IKE termination points.
Another use case is when
you have several satellite offices with multiple hub locations and
VPN connectivity between the firewalls at the satellites and the hub gateways. You
can configure each satellite office to use an FQDN for the IKE peer
address object, so that if one hub goes down, the DNS server for
that FQDN then resolves the FQDN to the IP address of the second
hub. You don't have to reconfigure the IKE peer to use the IP address
of the second hub.
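As an added illustration (not code from the Palo Alto Networks documentation), the following Python models the behaviour described above: a peer address behind an FQDN follows DNS, so the firewall keeps the last resolved IP until the record's TTL expires, re-resolves, and picks up the second hub's address once the DNS record has changed, with no edit to the IKE gateway. The FQDN, hub addresses, TTL and the re-resolve-on-TTL-expiry model are assumptions for the demo rather than PAN-OS internals; logging every address change is the check a defender wants here, because an unplanned change means the tunnel is being steered to a different endpoint.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Resolver signature (assumed for the demo): (fqdn, now_seconds) -> (ip, ttl)
Resolver = Callable[[str, int], tuple[str, int]]


@dataclass
class FqdnPeer:
    """Peer address behind an FQDN, refreshed when the DNS TTL expires."""
    fqdn: str
    resolver: Resolver
    ip: Optional[str] = None
    expires_at: int = 0
    # (time, old_ip, new_ip) for every change; old_ip None = first lookup
    history: list[tuple[int, Optional[str], str]] = field(default_factory=list)

    def peer_address(self, now: int) -> str:
        """Return the peer IP to use at time `now`, re-resolving if stale."""
        if self.ip is None or now >= self.expires_at:
            new_ip, ttl = self.resolver(self.fqdn, now)
            if new_ip != self.ip:
                # Expected during hub failover or a DHCP renewal at the
                # peer; worth alerting on if neither was planned.
                self.history.append((now, self.ip, new_ip))
            self.ip, self.expires_at = new_ip, now + ttl
        return self.ip


# Constructed DNS data: the record points at hub 1, then at hub 2 from t=300
# (the operator or a DNS failover mechanism updated it after hub 1 failed).
HUB1, HUB2, TTL = "198.51.100.10", "203.0.113.20", 60
PEER_FQDN = "vpn-hub.example.com"  # hypothetical name


def demo_resolver(fqdn: str, now: int) -> tuple[str, int]:
    assert fqdn == PEER_FQDN
    return (HUB1 if now < 300 else HUB2), TTL


def run_failover_demo() -> list[tuple[int, Optional[str], str]]:
    """Ask for the peer address at several times; return the change log."""
    peer = FqdnPeer(PEER_FQDN, demo_resolver)
    seen = [peer.peer_address(t) for t in (0, 30, 120, 300, 330, 400)]
    # Cached answers are reused until the TTL runs out; hub 2 shows up
    # without any change to the IKE gateway configuration.
    assert seen == [HUB1, HUB1, HUB1, HUB2, HUB2, HUB2]
    return peer.history
```

Calling `run_failover_demo()` returns two entries: the initial lookup of hub 1 at t=0 and the switch to hub 2 at t=300.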
Set up an IKE gateway.
Perform the first two steps to Set Up an IKE Gateway (define the gateway
and establish the local endpoint of the tunnel).
Specify the IKE peer address for the gateway at the far
end of the tunnel as an FQDN. You can enter the FQDN string directly
or use an address object that contains the FQDN.
Continue to Set Up an IKE Gateway, resuming with the
step where you specify how the peer is authenticated.