Cisco IP Solution Center Security User Guide, 3.0
Site-to-Site VPN Services

Table Of Contents

Site-to-Site VPN Services

Creating a VPN Definition

Creating an Encryption Policy

Customizing IKE Proposals (Optional)

Customizing IPsec Proposals (Optional)

Creating a Site-to-Site VPN Policy

IPsec

IPsec + GRE

DMVPN

Easy VPN

Creating Site-to-Site VPN Service Requests


Site-to-Site VPN Services


This chapter contains the following sections:

Creating a VPN Definition

Creating an Encryption Policy

Creating a Site-to-Site VPN Policy

Creating Site-to-Site VPN Service Requests


Note Before creating an ISC security policy or service request, it is necessary to populate the ISC repository with the target devices in your network, collect the initial device configuration files, designate customers and customer sites, and define each device as a CPE.

CPE devices are the devices at each end of the VPN tunnel. Creating CPE devices includes assigning each target device to a specific customer and customer site and marking the device interfaces. Specifically for security management, you must define at least one public and one private interface on each device.

For how-to information on populating your ISC repository and setting up CPE devices, refer to the Cisco IP Solution Center Infrastructure Guide, 3.0.


Creating a VPN Definition

Before creating your site-to-site policy, you must create a VPN definition with which to associate the customer site devices. To do this, perform the following steps:


Step 1 Click Service Inventory > Inventory and Connection Manager > VPNs. The VPNs page appears. If there are previously defined VPNs in your ISC repository, then they are displayed on the VPNs page as shown in Figure 3-1.

Figure 3-1 The VPNs Page

Step 2 Click Create to add a new VPN definition. The Create VPN page appears as shown in Figure 3-2.


Note To modify an existing VPN definition, check the box next to the VPN name and click Edit. (Also, you can completely remove a VPN by checking the box next to the VPN name and clicking Delete.)


Figure 3-2 The Create VPN Page

Step 3 Enter the values for the Create VPN fields by following the instructions in Table 3-1.

Table 3-1 The Create VPN Page Fields 

Field Name
Type
Instructions

Name

text box

Enter a name for the VPN.

Customer

combo box

Associate a customer with the VPN by clicking Select. The Select Customer page appears as shown in Figure 3-3. Choose the customer and click Select.

MPLS Attributes

section name

On the Create VPN page, ignore the MPLS Attributes section. It is used for IPsec-to-MPLS mapping only. For more information on IPsec-to-MPLS mapping, refer to the Cisco IP Solution Center, 3.0: MPLS VPN Management User Guide, 3.0.


Figure 3-3 The Select Customer Page

Step 4 Click Save to continue.


Creating an Encryption Policy

Next, you must define the encryption parameters your site-to-site VPNs will use by creating an encryption policy. The encryption policy defines the security parameters for protecting data traveling through the VPN tunnel. It consists of one or more IKE proposals, one or more IPsec proposals, and some global attributes. For example, an IKE proposal could consist of selecting the 3DES, SHA, Certs, and DH 2 options, and an IPsec proposal could consist of selecting the ESP-AES, ESP-SHA, no AH, no compression, and no PFS options.

To create an encryption policy, perform the following steps:


Step 1 Click Service Design > Policy Manager. The Policies page appears. If you have existing policies, they are displayed here as shown in Figure 3-4.

Figure 3-4 The Policies Page

Step 2 Click Create > IPsec Policy. The IPsec Policy Creation page appears as shown in Figure 3-5.

Figure 3-5 The IPsec Policy Creation Page

Step 3 Click Encryption Policy. The IPsec Encryption Policy page appears as shown in Figure 3-6. Follow the instructions in Table 3-2 to enter the values for your encryption policy.

Figure 3-6 The IPsec Encryption Policy Page

Table 3-2 IPsec Encryption Policy Fields 

Field Name
Type
Instructions

Policy Name

text box

Enter the name of the encryption policy.

Owner

drop-down list

Specify whether the policy is global by clicking Global, or customer owned by clicking Customer.

If you select Customer, you are required to specify the owner. To do this, click Customer > Select. The Customer for IPsec Policy dialog box appears as shown in Figure 3-7. Click the button next to the customer you want to select and click Select (to choose that customer), or click Cancel to exit the dialog box without saving changes. Both return you to the main page.

IPsec Lifetime

text box

Specify the lifetime in seconds. This is the IPsec SA idle peer timeout. The IPsec policy is renegotiated after the lifetime elapses.

IPsec Lifetime

text box

Specify the lifetime in kilobytes. After the volume limit (in kilobytes) is reached, the IPsec policy is renegotiated.

IKE Keepalive Interval

text box

Specify the keepalive interval in seconds. This is the time interval between each keepalive packet.

IKE Keepalive Retry Interval

text box

Specify the keepalive retry interval in seconds. If there is no response from the peer, this value determines when to send the next keepalive packet to the peer.

PFS

drop-down list

Specify the Diffie-Hellman Group ID if you want to enable Perfect Forward Secrecy (PFS).


Figure 3-7 Customer for IPsec Policy Dialog Box

Step 4 If you want to use the default IKE and IPsec proposals, click Save. If you would like to customize the IKE or IPsec proposals, do not click Save. Instead, refer to the "Customizing IKE Proposals (Optional)" section or "Customizing IPsec Proposals (Optional)" section, respectively.


Customizing IKE Proposals (Optional)


Step 1 Click Service Design > Policy Manager > Create > IPsec Policy > Encryption Policy > IKE Proposals to add, modify, or delete an IKE proposal. The IKE Proposals page appears as shown in Figure 3-8.

Figure 3-8 The IKE Proposals Page

Step 2 To add a new IKE proposal, click Create.

To modify an existing proposal, select the checkbox next to it and then click Create.

To delete a proposal, select the checkbox next to it and then click Delete.

Step 3 If you chose to add or modify an IKE proposal, the IKE Proposals page appears as shown in Figure 3-9. (If you chose to delete an IKE proposal, it is removed immediately when you click Delete without any further steps.)

Step 4 Use the instructions in Table 3-3 to customize the IKE proposal parameters for your encryption policy.

Figure 3-9 IKE Proposals Dialog Box

Table 3-3 IKE Proposal Fields 

Field Name
Type
Instructions

Authentication

drop-down list

Select one of the following options:

IKE_PRESHARED_KEY - (Default.) Available on all ISC supported platforms. Specify to use preshared keys for authentication. The preshared keys are derived from the password of the user or peer group.

IKE_RSA_SIGNATURES - Cisco IOS and PIX Firewall devices only. Specify to use a certificate authority (CA) for authentication, based on RSA signatures. This option can be used only when all participating peers recognize the CA as the authenticating authority.

IKE_RSA_ENCRYPTION - Specify to use RSA encryption for authentication.

IKE_DSA_CERTIFICATE - VPN 3000 only. Specify to use digital certificates with keys generated by the DSA algorithm for authentication.

Encryption

drop-down list

Select one of the following encryption options:

DES - Specify to use Data Encryption Standard (DES) for encryption.

3DES - Specify to use Triple Data Encryption Standard (3DES) for encryption.

AES - Specify to use Advanced Encryption Standard (AES) with a 128-bit key for encryption.

AES-192 - Specify to use AES with a 192-bit key for encryption.

AES-256 - Specify to use AES with a 256-bit key for encryption.

Hash Algorithm

drop-down list

Select one of the following hash algorithm options:

SHA - Specify to use Secure Hash Algorithm (SHA) as the hash algorithm. SHA produces 160-bit hash values, which are longer than those of MD5. SHA is generally considered more secure and is the recommended hash algorithm.

MD5 - Specify to use Message Digest 5 (MD5) as the hash algorithm. MD5 produces 128-bit hash values.

DH Group ID

drop-down list

Diffie-Hellman (DH) is a public key cryptography protocol that enables two parties to establish a shared secret over unsecured communications channels. Select one of the following DH groups to use in Internet Key Exchange (IKE) to establish session keys:

DH_GROUP_1 - Available on all ISC supported platforms. Specify to use 768-bit Diffie-Hellman Group 1 cryptography.

DH_GROUP_2 - Cisco IOS and PIX Firewall devices only. Specify to use 1024-bit Diffie-Hellman Group 2 cryptography.

DH_GROUP_5 - Available on all ISC supported platforms if the software system requirements for the platform are met. Specify to use 1536-bit Diffie-Hellman (DH) Group 5 cryptography.

DH_GROUP_7 - VPN 3000 only. Specify to use DH Group 7 Elliptic Curve Cryptography (ECC), the 163-character Elliptic Curve Diffie-Hellman (ECDH) group.

Lifetime

text box

Enter the duration for the IKE lifetime (session length) in seconds.


Step 5 Click OK when done.

Step 6 Click OK again to exit from the IKE Proposals page.


Customizing IPsec Proposals (Optional)


Step 1 Click Service Design > Policy Manager > Create > IPsec Policy > Encryption Policy > IPsec Proposals. The IPsec Proposals page appears as shown in Figure 3-10.

Figure 3-10 The IPsec Proposals Page

Step 2 To add a new IPsec proposal click Create.

To modify an existing proposal, select the checkbox next to it and then click Create.

To delete a proposal, select the checkbox next to it and then click Delete. If you chose to delete an IPsec proposal, it is removed immediately when you click Delete without any other steps.

Step 3 If you chose to add or modify an IPsec proposal, the IPsec Proposals dialog box appears as shown in Figure 3-11.

Figure 3-11 IPsec Proposals Dialog Box

Step 4 Use the instructions in Table 3-4 to set the IPsec proposal parameters for your encryption policy.

Table 3-4 IPsec Proposal Fields for Site-to-Site IPsec

Field Name
Type
Instructions

AH

drop-down list

Select one of the following authentication header (AH) options:

NOTSET - Disables AH. ("Not set" means that the feature is not used.)

SHA - Specify to use Secure Hash Algorithm (SHA) as the hash algorithm. SHA produces 160-bit hash values, which are longer than those of MD5. SHA is generally considered more secure and is the recommended hash algorithm.

MD5 - Specify to use Message Digest 5 (MD5) as the hash algorithm. MD5 produces 128-bit hash values.

ESP Authentication

drop-down list

Select one of the following Encapsulating Security Payload (ESP) authentication options:

NOTSET - Disables ESP authentication. ("Not set" means that the feature is not used.)

SHA - Specify to use Secure Hash Algorithm (SHA) as the hash algorithm. SHA produces 160-bit hash values, which are longer than those of MD5. SHA is generally considered more secure and is the recommended hash algorithm.

MD5 - Specify to use Message Digest 5 (MD5) as the hash algorithm. MD5 produces 128-bit hash values.

ESP Encryption

drop-down list

Select one of the following ESP encryption options:

DES - Specify to use Data Encryption Standard (DES) for encryption.

3DES - Specify to use Triple Data Encryption Standard (3DES) for encryption.

AES - Specify to use Advanced Encryption Standard (AES) with a 128-bit key for encryption.

AES-192 - Specify to use AES with a 192-bit key for encryption.

AES-256 - Specify to use AES with a 256-bit key for encryption.

Compression

drop-down list

Select one of the following options:

NOTSET - Disables compression. ("Not set" means that the feature is not used.)

LZS - Specify to use the LZS compression algorithm.


Step 5 Click OK when done. The newly created encryption policy should be listed in the Policies page.
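To show what the encryption policy, IKE proposal and IPsec proposal settings in Tables 3-2, 3-3 and 3-4 correspond to on a device, here is an added Python example (not ISC's own code; the chapter does not show the CLI that ISC generates) that renders a policy as the standard Cisco IOS crypto commands and flags the weaker choices. The policy numbers, the names ISC-TS/ISC-MAP and the lifetime and keepalive numbers in EXAMPLE_POLICY are assumptions.

```python
"""Map an ISC encryption policy (Tables 3-2, 3-3 and 3-4) onto Cisco IOS CLI.

Added example, not ISC's own code generator: the chapter does not show the CLI
ISC pushes, so these are the standard IOS crypto commands for each GUI setting.
Policy numbers, the names ISC-TS*/ISC-MAP and EXAMPLE_POLICY's numbers are assumed.
"""

IKE_AUTH = {"IKE_PRESHARED_KEY": "pre-share", "IKE_RSA_SIGNATURES": "rsa-sig",
            "IKE_RSA_ENCRYPTION": "rsa-encr"}   # IKE_DSA_CERTIFICATE is VPN 3000 only
IKE_ENCR = {"DES": "des", "3DES": "3des", "AES": "aes",
            "AES-192": "aes 192", "AES-256": "aes 256"}
ESP_ENCR = {"DES": "esp-des", "3DES": "esp-3des", "AES": "esp-aes",
            "AES-192": "esp-aes 192", "AES-256": "esp-aes 256"}
HMAC = {"SHA": "sha-hmac", "MD5": "md5-hmac"}
DH_GROUP = {"DH_GROUP_1": "1", "DH_GROUP_2": "2", "DH_GROUP_5": "5"}  # group 7: VPN 3000 only


def render_ike_proposal(p, number=10):
    """One IKE proposal (Table 3-3) -> one 'crypto isakmp policy' block."""
    return [
        f"crypto isakmp policy {number}",
        f" encryption {IKE_ENCR[p['encryption']]}",
        f" hash {p['hash'].lower()}",
        f" authentication {IKE_AUTH[p['authentication']]}",
        f" group {DH_GROUP[p['dh_group']]}",
        f" lifetime {p['lifetime']}",
    ]


def render_ipsec_proposal(p, name="ISC-TS"):
    """One IPsec proposal (Table 3-4) -> one transform-set line; NOTSET omits that
    transform and LZS adds comp-lzs."""
    transforms = []
    if p["ah"] != "NOTSET":
        transforms.append("ah-" + HMAC[p["ah"]])
    transforms.append(ESP_ENCR[p["esp_encryption"]])
    if p["esp_authentication"] != "NOTSET":
        transforms.append("esp-" + HMAC[p["esp_authentication"]])
    if p["compression"] == "LZS":
        transforms.append("comp-lzs")
    return f"crypto ipsec transform-set {name} {' '.join(transforms)}"


def render_global_attributes(policy, ts_names=("ISC-TS",), map_name="ISC-MAP", seq=10):
    """Table 3-2 globals. PFS is a crypto map setting; the map entry's peer and ACL come from the service request."""
    lines = [
        f"crypto isakmp keepalive {policy['ike_keepalive_interval']} "
        f"{policy['ike_keepalive_retry_interval']}",
        f"crypto ipsec security-association lifetime seconds {policy['ipsec_lifetime_seconds']}",
        f"crypto ipsec security-association lifetime kilobytes {policy['ipsec_lifetime_kilobytes']}",
        f"crypto map {map_name} {seq} ipsec-isakmp",
        f" set transform-set {' '.join(ts_names)}",
    ]
    if policy.get("pfs"):                      # the PFS field holds a DH group ID when enabled
        lines.append(f" set pfs group{DH_GROUP[policy['pfs']]}")
    return lines


def review_policy(policy):
    """Flag MD5 (the chapter recommends SHA), single DES and 768-bit DH group 1,
    an IPsec proposal with no integrity check, and a policy without PFS."""
    warnings = []
    for p in policy["ike_proposals"]:
        if p["hash"] == "MD5":
            warnings.append("IKE proposal uses MD5; SHA is the recommended hash")
        if p["dh_group"] == "DH_GROUP_1":
            warnings.append("IKE proposal uses 768-bit DH group 1")
    for p in policy["ipsec_proposals"]:
        if p["esp_encryption"] == "DES":
            warnings.append("IPsec proposal uses single DES (56-bit key)")
        if p["esp_authentication"] == "NOTSET" and p["ah"] == "NOTSET":
            warnings.append("IPsec proposal has no integrity check (no ESP auth, no AH)")
    if not policy.get("pfs"):
        warnings.append("PFS not enabled: IPsec keys derive from the IKE SA only")
    return warnings


# The chapter's worked example: IKE 3DES/SHA/Certs/DH 2; IPsec ESP-AES/ESP-SHA, no AH,
# no compression, no PFS. The numeric values are assumed, not from the chapter.
EXAMPLE_POLICY = {
    "ipsec_lifetime_seconds": 3600, "ipsec_lifetime_kilobytes": 4608000,
    "ike_keepalive_interval": 10, "ike_keepalive_retry_interval": 3, "pfs": None,
    "ike_proposals": [{"authentication": "IKE_RSA_SIGNATURES", "encryption": "3DES",
                       "hash": "SHA", "dh_group": "DH_GROUP_2", "lifetime": 86400}],
    "ipsec_proposals": [{"ah": "NOTSET", "esp_authentication": "SHA",
                         "esp_encryption": "AES", "compression": "NOTSET"}],
}


def render_policy(policy):
    """Full CLI: one isakmp policy per IKE proposal, one transform set per IPsec
    proposal, then the global settings."""
    lines, ts_names = [], []
    for i, p in enumerate(policy["ike_proposals"]):
        lines += render_ike_proposal(p, number=10 * (i + 1))
    for i, p in enumerate(policy["ipsec_proposals"]):
        ts_names.append(f"ISC-TS{i + 1}")
        lines.append(render_ipsec_proposal(p, name=ts_names[-1]))
    return lines + render_global_attributes(policy, ts_names=ts_names)
```

Running `render_policy(EXAMPLE_POLICY)` gives the isakmp policy, the `esp-aes esp-sha-hmac` transform set and the global lines, and `review_policy` reports only that PFS is not enabled.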


Creating a Site-to-Site VPN Policy

Site-to-site VPNs are secure tunnels between CPE devices. The site-to-site VPN policy defines the characteristics of the site-to-site VPN, such as whether the tunnels are IPsec tunnels or IPsec + GRE tunnels and, if a routing option is chosen, which routing protocol runs over the VPN tunnels. The site-to-site policy uses the encryption policy you defined in the "Creating an Encryption Policy" section.

There are four site-to-site VPN options supported by ISC, as described in Table 3-5.

Table 3-5 ISC Site-to-Site VPN Policy Options

Option Name
Summary
Supported Platforms

IPsec

The IPsec option is pure IPsec and provides network data encryption at the IP packet level, offering a robust security solution that is standards-based. It supports all types of Cisco devices but is not flexible. If there is a change in network prefixes, one must redeploy the service request.

Pure IPsec is supported on Cisco IOS, PIX Firewall, and VPN 3000 devices.

IPsec + GRE

Pure IPsec configurations cannot use routing protocols such as RIP, EIGRP, or OSPF. In order for routing updates to take place within the IPsec tunnels, generic routing encapsulation (GRE) must be used in conjunction with IPsec.

The ISC 3.0 IPsec+GRE features are supported by Cisco IOS devices only.

DMVPN

Dynamic Multipoint VPN (DMVPN) enables users to scale large and small VPNs by combining GRE tunnels, IPsec encryption, and Next Hop Resolution Protocol (NHRP) into crypto profiles, which remove the need to define static crypto maps and allow dynamic discovery of tunnel endpoints.

The ISC DMVPN feature is supported by Cisco IOS devices only.

Easy VPN

Easy VPN simplifies VPN deployment for remote offices. Using Easy VPN, security policies defined at the head-end are pushed to remote VPN devices, ensuring that clients have up-to-date policies in place before attempting to establish a secure connection.

Easy VPN can be configured in client mode or network extension mode. Client mode is the default configuration and allows devices at the client site to access resources at the central site; however, resources at the client site are unavailable to the central site. Network extension mode allows users at the central site to access the network resources at the remote client site and allows the client site to access resources at the central site.

Easy VPN is supported on Cisco IOS, PIX Firewall, and VPN 3000 devices.


Specify which options to use when you create your site-to-site VPN policy.


Note Once the policies have been created, they can be used in service requests. Each policy can be used multiple times, speeding up service provisioning and providing consistency.

Although policies can be edited on a per-service request basis, if you modify a policy, you must Force Deploy any associated service requests to update the policy in those service requests.



Step 1 To create a site-to-site VPN policy, click Service Design > Policy Manager > Create > IPsec Policy. The IPsec Policy Creation page appears.

Figure 3-12 The IPsec Policy Creation Page

There are four different types of site-to-site policies you can create, as shown in the TOC in Figure 3-12. They are as follows:

IPsec

IPsec + GRE

DMVPN

Easy VPN

If you plan to implement all four types, you must define a separate policy for each one. Depending on what you want to implement, use the steps in the corresponding section.


Note You must enter a wildcard preshared key for any CPE devices to be used as a hub when you set up your CPE devices for use with DMVPN, Easy VPN, or pure IPsec with dynamic crypto maps. Click Service Inventory > Inventory and Connection Manager > Customers > CPE Devices > Edit CPE Devices to access the CPE Devices page to verify this has been done or to update your CPE devices. The field name to check is Wildcard preshared key. The wildcard preshared key must be at least 3 characters long and no longer than the shortest preshared key in the trusted network.


IPsec

The VPN tunnel between the CPE devices (at different customer sites) may be configured to run a routing protocol or perform no routing. The IPsec only policy option uses no routing; the policy created here is used for pure IPsec provisioning.


Step 1 Click Service Design > Policy Manager > Create > IPsec Policy > IPsec. The IPsec Site-to-Site Policy page appears as shown in Figure 3-13.

Figure 3-13 The IPsec Site-to-Site Policy Page for Pure IPsec

Step 2 Enter values for the pure IPsec policy fields by following the instructions in Table 3-6.


Note If the Editable box is checked, you can make changes to that parameter at a later time without creating a new policy. If you want that parameter to be editable only by creating a new policy, uncheck the box.

The Comments column indicates the device type.


Table 3-6 Pure IPsec Fields 

Field Name
Type
Instructions

Name

text box

Enter a name for the policy.

Owner

drop-down list

Specify whether the policy is global by clicking Global, or customer owned by clicking Customer.

If you select Customer, you are required to specify the owner. To do this, click Customer > Select. The Customer for IPsec Profile dialog box appears as shown in Figure 3-14. Click the button next to the customer you want to select and click Select (to choose that customer), or click Cancel to exit the dialog box without saving changes. Both return you to the main page.

Encryption Policy

selection box

Choose the name of an encryption policy you created in previous steps by clicking Select.

Topology

drop-down list

Choose one of the following VPN topology options:

Hub and Spoke - Enables VPN tunnels with connectivity from spoke sites to a central hub site.

Full Mesh - Enables VPN tunnels with full-mesh (or any-to-any) connectivity between sites.

Crypto Map Type

drop-down list

Choose one of the following crypto map options:

Static Only - Generates only static crypto maps.

Dynamic Only - Generates only dynamic crypto maps.

Auto - ISC determines the crypto map type based on the IP address (static or dynamic) of the spoke device. For example, if the spoke IP address is generated by dynamic DHCP or PPP, ISC creates a dynamic crypto map on the hub. Otherwise, ISC creates a static crypto map on the hub.

Generate Crypto Local Identity

checkbox

Checked (enabled) by default. Uncheck to prevent ISC from generating the crypto local identity.

Generate Default Route

checkbox

Disabled (unchecked) by default. When enabled, generates a default route.

Split Tunneling

checkbox

When checked, protected traffic is sent through the tunnel, while all other traffic is sent directly to the Internet.

Generate Reverse Route Injection

drop-down list

When ON, this option injects the set of networks or hosts that are reachable across the VPN tunnel into the IGP running on the hub and the device. This option is for Network-based IPsec only. Refer to the Cisco IP Solution Center, 3.0: MPLS VPN Management User Guide, 3.0 for information on network-based IPsec.

NAT Transparency

drop-down list

When ON, this option allows IPsec traffic to travel through a NAT or PAT point in the network. Requires IOS 12.2(13)T and above.

IPsec Prefragmentation

drop-down list

When ON, this option allows the encrypting router to predetermine the encrypted packet size. If it is determined that the packet will exceed the MTU of the output interface, the packet is fragmented before encryption.

Invalid SPI Recovery

checkbox

Cisco IOS only. Check your Cisco IOS Software version for feature availability. When checked, the option provides an effective way to handle a "dead peer" situation in IPsec tunnels.

QoS Pre-Classify

checkbox

When enabled, the QoS features on the output interface classify packets before encryption.

Permit IPsec Traffic

checkbox

Enables IPsec traffic to pass through the PIX Firewall.


Figure 3-14 Customer for IPsec Profile Dialog Box

Step 3 Click Save when done.


IPsec + GRE

The IPsec tunnel between CPE devices may be configured to run a routing protocol or perform no routing. The IPsec + GRE policy option supports the EIGRP, RIPv2, and OSPF routing protocols and GRE static routes. This policy is used with the following:

Dynamic Routing Protocols (EIGRP, RIPv2, OSPF) - This option involves having an IPsec-protected GRE tunnel between the CPE devices, over which a routing protocol is run.

Static routes - This option involves having an IPsec-protected GRE tunnel between the CPE devices. For each of the CPE device subnets, a static route is created on the CPE pointing to the corresponding tunnel interface.


Step 1 Click Service Design > Policy Manager > Create > IPsec Policy > IPsec + GRE. The IPsec Site-to-Site Policy page appears.

Figure 3-15 The IPsec Site-to-Site Policy Page for IPsec + GRE

Step 2 Enter values for the IPsec+GRE policy fields by following the instructions in Table 3-7.


Note If the Editable box is checked, you can make changes to that parameter at a later time without creating a new policy. If you want that parameter to be editable only by creating a new policy, uncheck the box.

The Comments column indicates the device type.


Table 3-7 IPsec + GRE Fields 

Field Name
Type
Instructions

Name

text box

Enter a name for the policy.

Owner

drop-down list

Specify whether the policy is global by clicking Global, or customer owned by clicking Customer.

If you select Customer, you are required to specify the owner. To do this, click Customer > Select. The Customer for IPsec Profile dialog box appears. Click the button next to the customer you want to select and click Select (to choose that customer), or click Cancel to exit the dialog box without saving changes. Both return you to the main page.

Encryption Policy

selection box

Choose the name of an encryption policy you created in previous steps by clicking Select.

Topology

drop-down list

Choose one of the following VPN topology options:

Hub and Spoke - Enables VPN tunnels with connectivity from spoke sites to a central hub site. When provisioning VPNs, spokes generally have connectivity to hubs but not to other spokes. When using IPsec + GRE tunnels, spoke sites can have routing connectivity through the hub site.

Full Mesh - Enables VPN tunnels with full-mesh (or any-to-any) connectivity between sites.

Generate Crypto Local Identity

checkbox

Checked (enabled) by default. Uncheck to prevent ISC from generating the crypto local identity.

Generate Default Route

checkbox

Disabled (unchecked) by default. When enabled, generates a default route.

Force IPsec in Tunnel Mode

checkbox

Checked (enabled) by default. Uncheck to create the tunnel using transport mode.

Routing Protocol

drop-down list

Select the routing protocol you wish to use for IPsec + GRE.

Note For Static, OSPF, and EIGRP, you must also specify the additional parameters described below.

Static - Static Admin Distance, any number from 1 to 250. The default cost is 1.

OSPF - OSPF has the following additional options:

OSPF Process Id, any number from 1 to 65535. The default is 1.

OSPF Area Id, any number from 0 to 65535. The default is 0.

RIPv2 - No additional options need to be specified for RIP version 2.

EIGRP - EIGRP AS Number - This is the autonomous system (AS) number.

GRE MTU

text box

Sets the maximum transmission unit (MTU) size. The default is 1408 bytes.

GRE FastSwitching

checkbox

Uncheck if you do not want to use FastSwitching on the GRE interfaces.

Block Routing Updates

checkbox

Use only with a static routing protocol. When checked, this option blocks routing updates.

GRE Keep Alive

drop-down list

The default is OFF. You can set this option to ON if a GRE keepalive timer is supported by the software running on your network devices.

NAT Transparency

drop-down list

When ON, this option allows IPsec traffic to travel through a NAT or PAT point in the network. Requires IOS 12.2(13)T and above.

IPsec Prefragmentation

drop-down list

When ON, this option allows the encrypting router to predetermine the encrypted packet size. If it is determined that the packet will exceed the MTU of the output interface, the packet is fragmented before encryption.

Invalid SPI Recovery

checkbox

Cisco IOS only. Check your Cisco IOS Software version for feature availability. When checked, the option provides an effective way to handle a "dead peer" situation in IPsec tunnels.

QoS Pre-Classify

checkbox

When enabled, the QoS features on the output interface classify packets before encryption.


Step 3 Click Save when done.


DMVPN

The policy created here is used for DMVPN provisioning. DMVPN incorporates multipoint GRE tunnels, IPsec, and the Next Hop Resolution Protocol (NHRP) technologies to support nodes with dynamically assigned IP addresses and enables dynamic tunnel creation for spoke-to-spoke tunnels.

To use DMVPN, Cisco IOS Software release 12.2(15)T or later is required.


Step 1 Click Service Design > Policy Manager > Create > IPsec Policy > DMVPN. The IPsec Site-to-Site Policy page appears.

Figure 3-16 The IPsec Site-to-Site Policy Page for DMVPN

Step 2 Enter values for DMVPN policy fields by following the instructions in Table 3-8.


Note If the Editable box is checked, you can make changes to that parameter at a later time without creating a new policy. If you want that parameter to be editable only by creating a new policy, uncheck the box.

The Comments column indicates the device type.


Table 3-8 DMVPN Fields 

Field Name
Type
Instructions

Name

text box

Enter a name for the policy.

Owner

drop-down list

Specify whether the policy is global by clicking Global, or customer owned by clicking Customer.

If you select Customer, you are required to specify the owner. To do this, click Customer > Select. The Customer for IPsec Profile dialog box appears. Click the button next to the customer you want to select and click Select (to choose that customer), or click Cancel to exit the dialog box without saving changes. Both return you to the main page.

Encryption Policy

selection box

Choose the name of an encryption policy you created in previous steps by clicking Select.

Topology

drop-down list

Choose one of the following VPN topology options:

Hub and Spoke - Enables VPN tunnels with connectivity from spoke sites to a central hub site.

Full Mesh - Enables VPN tunnels with full-mesh (or any-to-any) connectivity between sites.

Point-to-Point GRE in Spokes

checkbox

When checked, this option generates point-to-point GRE interfaces on spoke devices instead of point-to-multipoint. This disables the virtual full mesh topology by not allowing spoke devices to initiate IPsec tunnels with other spokes directly.

Generate Crypto Local Identity

checkbox

Checked (enabled) by default. Uncheck to prevent ISC from generating the crypto local identity.

Generate Default Route

checkbox

Disabled (unchecked) by default. When enabled, generates a default route.

Force IPsec in Tunnel Mode

checkbox

Checked (enabled) by default. Uncheck to create the tunnel using transport mode.

NHRP Authentication Key

text box

(Optional.) Enter an authentication string for the Next Hop Resolution Protocol (NHRP).

NHRP Network ID

text box

Enter a numeric ID for the customer site network, from 1 to 4294967295.

NHRP Hold Time

text box

Any value from 1 to 4294967295 seconds. The default NHRP hold time is 500 seconds.

GRE Tunnel Key

text box

Enter a numeric key for the GRE tunnel, from 0 to 4294967295.

GRE FastSwitching

checkbox

Uncheck if you do not want to use FastSwitching on the GRE interfaces.

Routing Protocol

drop-down list

Select the routing protocol you wish to use for DMVPN.

Note For Static, OSPF, and EIGRP, you must also specify the additional parameters described below.

Static - Static Admin Distance, any number from 1 to 250. The default cost is 1.

OSPF - OSPF has the following additional options:

OSPF Process Id, any number from 1 to 65535. The default is 1.

OSPF Area Id, any number from 0 to 65535. The default is 0.

OSPF Hub Priority, any number from 0 to 255. The default is 2.

OSPF Spoke Priority, any number from 0 to 255. The default is 0.

RIPv2 - No additional options need to be specified for RIP version 2.

EIGRP - EIGRP AS Number - This is the autonomous system (AS) number.

NAT Transparency

drop-down list

When ON, this option allows IPsec traffic to travel through a NAT or PAT point in the network. Requires IOS 12.2(13)T and above.

IPsec Prefragmentation

drop-down list

When ON, this option allows the encrypting router to predetermine the encrypted packet size. If it is determined that the packet will exceed the MTU of the output interface, the packet is fragmented before encryption.

Invalid SPI Recovery

checkbox

Cisco IOS only. Check your Cisco IOS Software version for feature availability. When checked, the option provides an effective way to handle a "dead peer" situation in IPsec tunnels.

QoS Pre-Classify

checkbox

When enabled, the QoS features on the output interface classify packets before encryption.


Step 3 Click Save when done.


Easy VPN

Easy VPN enables most VPN parameters to be defined on an Easy VPN server, which can be a VPN 3000 concentrator, a Cisco IOS router, or a PIX security appliance. Easy VPN client support on a PIX security appliance requires PIX Firewall software version 6.3. Easy VPN uses Cisco VPN Client software to establish the management connection tunnel.

ISC supports both server and client provisioning, as well as both network extension and client modes.


Step 1 Click Service Design > Policy Manager > Create > IPsec Policy > Easy VPN. The IPsec Site-to-Site Policy page appears.

Figure 3-17 The IPsec Site-to-Site Policy Page for Easy VPN

Step 2 Enter values for the Easy VPN policy fields by following the instructions in Table 3-9.


Note If the Editable box is checked, you can make changes to that parameter at a later time without creating a new policy. If you want that parameter to be editable only by creating a new policy, uncheck the box.

The Comments column indicates the device type.


Table 3-9 Easy VPN Fields  

Field Name
Type
Instructions

Name

text box

Enter a name for the policy.

Owner

drop-down list

Specify whether the policy is global by clicking Global, or customer owned by clicking Customer.

If you select Customer, you are required to specify the owner. To do this, click Customer > Select. The Customer for IPsec Profile dialog box appears. Click the button next to the customer you want to select and click Select (to choose that customer), or click Cancel to exit the dialog box without saving changes. Both return you to the main page.

Remote Access VPN Policy

text box and Select button

Click Select to specify a remote access VPN policy. To use Easy VPN, you must create a remote access VPN policy using "Remote Access VPN Services."

Topology

drop-down list

Only the Hub and Spoke topology option is available for Easy VPN. In hub and spoke topology, spoke sites are connected to a central hub site.

Generate Default Route

checkbox

For Cisco IOS devices only. Disabled (unchecked) by default. When enabled, generates a default route.

Mode

drop-down list

Specify the Easy VPN mode as follows:

Client - In Client Mode, the entire customer site behind the Easy VPN Client undergoes NAT to the IP address that is pushed down by the Easy VPN Server.

Network-Extension - In Network Extension Mode, the Easy VPN Server accommodates routable addresses on each of the Easy VPN Clients, thereby exempting the customer site as a whole from NAT.

XAuth Username

text box

For PIX Firewall only. Enter a user name for Extended Authentication (XAuth).

XAuth Password

text box

For PIX Firewall only. Enter the XAuth password.

Enable DHCP Server (Remote)

checkbox

For Cisco IOS devices only. Enabled by default.


Step 3 Click Save when done.


Creating Site-to-Site VPN Service Requests


Note All devices in the same service request must use the same encryption and VPN policy.


Perform the following steps to create a site-to-site service request:


Step 1 Click Home > Service Inventory > Inventory and Connection Manager > Service Requests. The Service Requests page appears as shown in Figure 3-18.

Figure 3-18 The Service Requests Page

Step 2 Click Create > IPsec. The IPsec Service Editor page appears.

Figure 3-19 The IPsec Service Editor Page

Step 3 Choose the VPN you defined in the previous section by clicking Select in the VPN row. The VPN for IPsec Service Request dialog box appears as shown in Figure 3-20.

Figure 3-20 VPN for IPsec Service Request Dialog Box

Step 4 Click the button next to the VPN you want and click OK. The IPsec Service Editor - VPN Selected page appears as shown in Figure 3-21.

Figure 3-21 The IPsec Service Editor Page with the VPN Selected

Step 5 Notice the change from Figure 3-19 to Figure 3-21 when you specify a VPN. The page now contains Select and Modify buttons in the Site-to-Site Policy field as well as a Select and Remove drop-down list for adding CPE devices.

Step 6 Click Select > CPEs on the lower right side of the page. The CPEs Associated with IPsec Service Request Dialog Box appears as shown in Figure 3-22.

Figure 3-22 CPEs Associated with IPsec Service Request Dialog Box

Step 7 Click the box next to the CPE(s) you want to select and click Select. The IPsec Service Editor page appears and displays the CPE devices you selected.

Figure 3-23 The IPsec Service Editor with CPE Devices Selected

Step 8 Follow the instructions in Table 3-10 to enter values for the fields in the IPsec Service Editor page.

Table 3-10 IPsec Service Editor Fields  

Field Name
Type
Instructions

Network-based IPsec

drop-down list

This applies to the IPsec-to-MPLS mapping feature that is documented in the Cisco IP Solution Center, 3.0: MPLS VPN Management User Guide, 3.0.

Site to Site Policy

Select button

Specify the site-to-site policy by clicking Select. Then choose the policy and click OK. Once a site-to-site policy has been chosen, you may modify it by clicking Modify.

Description

text box

Enter a description.

Topology

non-editable field

The topology displayed here is derived from the Topology options you choose in your site-to-site policy.

If the topology is Full Mesh then the only Role you can select is Hub. If the selected topology is Hub & Spoke then only one CPE device can have the Hub role and the others must be set as Spoke.

Role

drop-down list

Select the role of the CPE by choosing one of the following options:

Spoke - For Hub & Spoke topologies, select all CPE devices except one in the service request as Spoke (and designate the single non-spoke device as Hub).

Hub - In Full Mesh topologies, all CPE devices must be marked as Hub. For Hub & Spoke topologies, be sure to specify at least one device as a hub.

Templates

link

(Optional) Add a template to the service request. ISC may not support some features; if so, a template can be added to the service request for upload to the CPE.

Failover Devices

link

(Optional) Specify a failover device by clicking on Add Failover Devices. Only devices in the same customer site as the primary device can be selected as failover units.


Step 9 Click Save when done.
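As an added example (not ISC code), the rules this section and Table 3-10 state for a service request can be checked before it is saved: all devices use one encryption policy, Full Mesh means every CPE is a Hub, Hub & Spoke means exactly one Hub, a failover device must be in the primary device's customer site, and Easy VPN is Hub and Spoke only. The device, site and policy names below are constructed.

```python
"""Consistency checks for a site-to-site IPsec service request (Table 3-10).

Added example, not ISC code: it encodes the rules the chapter states for a
service request (one encryption policy for every device, Full Mesh means every
CPE is a Hub, Hub & Spoke means exactly one Hub, a failover device must sit in
the primary device's customer site, Easy VPN only in Hub and Spoke topology).
Device, site and policy names are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Cpe:
    name: str
    site: str                         # customer site the CPE belongs to
    role: str                         # "Hub" or "Spoke"
    encryption_policy: str
    failover: Optional[str] = None    # failover device name, if one is added
    failover_site: Optional[str] = None


@dataclass
class ServiceRequest:
    policy_type: str                  # "IPsec", "IPsec + GRE", "DMVPN" or "Easy VPN"
    topology: str                     # "Full Mesh" or "Hub & Spoke", derived from the policy
    cpes: List[Cpe] = field(default_factory=list)


def validate_service_request(sr):
    """Return the list of rule violations; an empty list means the request is consistent."""
    if not sr.cpes:
        return ["service request has no CPE devices"]
    errors = []
    if sr.policy_type == "Easy VPN" and sr.topology != "Hub & Spoke":
        errors.append("Easy VPN supports only the Hub and Spoke topology")
    policies = sorted({c.encryption_policy for c in sr.cpes})
    if len(policies) > 1:
        errors.append(f"all devices must share one encryption policy, found {policies}")
    for c in sr.cpes:
        if c.role not in ("Hub", "Spoke"):
            errors.append(f"{c.name}: unknown role {c.role!r}")
    hubs = [c.name for c in sr.cpes if c.role == "Hub"]
    spokes = [c.name for c in sr.cpes if c.role == "Spoke"]
    if sr.topology == "Full Mesh":
        if spokes:
            errors.append(f"Full Mesh: every device must be Hub, but {spokes} are Spoke")
    elif sr.topology == "Hub & Spoke":
        if len(hubs) != 1:
            errors.append(f"Hub & Spoke: exactly one Hub required, found {hubs or 'none'}")
    else:
        errors.append(f"unknown topology {sr.topology!r}")
    for c in sr.cpes:
        if c.failover and c.failover_site != c.site:
            errors.append(f"{c.name}: failover device {c.failover} is not in site {c.site}")
    return errors


# Constructed request: one hub at the HQ site with a same-site failover unit,
# two branch spokes, all using the same encryption policy.
EXAMPLE_REQUEST = ServiceRequest("IPsec", "Hub & Spoke", [
    Cpe("hq-rtr", "HQ", "Hub", "enc-3des-sha", failover="hq-rtr-2", failover_site="HQ"),
    Cpe("branch1-rtr", "Branch1", "Spoke", "enc-3des-sha"),
    Cpe("branch2-rtr", "Branch2", "Spoke", "enc-3des-sha"),
])
```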