FQDN Support for IKE Gateway Peer IP Address
Configure an IKE gateway peer address as an FQDN, or address object that uses an FQDN, and avoid reconfiguring the peer if that address changes.
When you configure an IPSec tunnel with an IKE gateway peer, you can now configure that address as an FQDN or an address object that uses an FQDN. Using an FQDN for the peer address saves you from repeatedly reconfiguring peer addresses in several scenarios. An FQDN prevents IKE exchange problems that arise when many branch offices use a DHCP-assigned address on their external interface and that dynamic address changes. Similarly, FQDNs are a benefit in cloud environments where AWS and Azure use dynamic addresses as IKE termination points.
Another use case is when you have several satellite offices with multiple hub locations and VPN connectivity between firewalls at the satellites and hub gateway. You can configure each satellite office to use an FQDN for the IKE peer address object, so that if one hub goes down, the DNS server for that FQDN then resolves the FQDN to the IP address for the second hub. You don’t have to reconfigure the IKE peer to use the IP address of the second hub.
- Set up an IKE gateway. Perform the first two steps of Set Up an IKE Gateway (define the gateway and establish the local endpoint of the tunnel).
- Specify the IKE peer IP address for the peer at the far end of the tunnel (gateway) as an FQDN. You can enter the FQDN string directly or use the FQDN in an address object.
- Continue to Set Up an IKE Gateway, resuming with the step where you specify how the peer is authenticated.
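Once the peer is an FQDN, the tunnel's endpoint depends on what DNS answers, so an operator typically wants to confirm that the name resolves only to approved hub addresses and to notice when the answer changes (a hub failover as described above, or a branch whose DHCP address was renumbered), since a change means a fresh IKE negotiation with the new address. The script below is an added example and is not part of this PAN-OS documentation or the firewall's own code; the hostnames and addresses are constructed, and the stub resolver stands in for real DNS so the example runs offline. The firewall performs its own resolution; this is a side check you can schedule on a management host.

```python
"""Side check for an IKE peer configured as an FQDN.

Added example, not PAN-OS code. It resolves the peer name, verifies the
answer is within an approved set of hub addresses, and reports when the
selected peer differs from the one seen on the previous run.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional

# A resolver maps an FQDN to a list of address strings.
Resolver = Callable[[str], List[str]]


def system_resolver(fqdn: str) -> List[str]:
    """Resolve using the host's DNS configuration (IPv4 answers only)."""
    _, _, addrs = socket.gethostbyname_ex(fqdn)
    return addrs


def make_stub_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Constructed stand-in for DNS so the example can run without a network."""
    def resolve(fqdn: str) -> List[str]:
        if fqdn not in table:
            raise socket.gaierror(f"no such name: {fqdn}")
        return list(table[fqdn])
    return resolve


def check_peer_fqdn(fqdn: str,
                    allowed_peers: Iterable[str],
                    last_seen: Optional[str] = None,
                    resolver: Resolver = system_resolver) -> dict:
    """Return {"status", "peer", "detail"} for the peer FQDN.

    status is one of:
      unresolved - DNS gave no usable answer (tunnel cannot be brought up)
      unexpected - an answer lies outside the approved hub addresses
      changed    - the selected peer differs from last_seen (expect IKE renegotiation)
      ok         - resolution is within the approved set and unchanged
    """
    allowed = {ipaddress.ip_address(a) for a in allowed_peers}
    try:
        resolved = [ipaddress.ip_address(a) for a in resolver(fqdn)]
    except (socket.gaierror, ValueError) as exc:
        return {"status": "unresolved", "peer": None, "detail": str(exc)}
    if not resolved:
        return {"status": "unresolved", "peer": None, "detail": "empty answer"}

    outside = [str(a) for a in resolved if a not in allowed]
    if outside:
        return {"status": "unexpected", "peer": None,
                "detail": f"answer outside approved hub set: {outside}"}

    # The firewall negotiates with a single address; use the first answer here.
    peer = str(resolved[0])
    if last_seen is not None and peer != last_seen:
        return {"status": "changed", "peer": peer,
                "detail": f"peer moved from {last_seen} to {peer}; expect a new IKE SA"}
    return {"status": "ok", "peer": peer, "detail": "peer unchanged"}


if __name__ == "__main__":
    # Constructed scenario: two approved hubs; DNS moves the name from hub 1 to hub 2.
    HUBS = ["203.0.113.10", "203.0.113.20"]
    NAME = "vpn-hub.example.com"
    before = make_stub_resolver({NAME: ["203.0.113.10"]})
    after = make_stub_resolver({NAME: ["203.0.113.20"]})
    first = check_peer_fqdn(NAME, HUBS, resolver=before)
    print(first)
    print(check_peer_fqdn(NAME, HUBS, last_seen=first["peer"], resolver=after))
```

Replace the stub with the default `system_resolver` to run it against real DNS; keep the approved hub list in sync with the addresses you actually terminate IKE on, otherwise a legitimate hub move is reported as unexpected.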