User Guide for Cisco Security Manager 3.2.2
Site-to-Site VPN User Interface Reference

Table Of Contents

Site-to-Site VPN User Interface Reference

Site-to-Site VPN Manager Window

VPN Summary Page

Peers Page

Create VPN Wizard

Name and Technology Page

Device Selection Page

Endpoints Page

Edit Endpoints Dialog Box

VPN Interface Tab

Protected Networks Tab

FWSM Tab

VRF Aware IPsec Tab

Dial Backup Settings Dialog Box

High Availability Page

VPN Defaults Page

Site to Site VPN Policies

IKE Proposal Page

IPsec Proposal Page

VPN Global Settings Page

ISAKMP/IPsec Settings Tab

NAT Settings Tab

General Settings Tab

Preshared Key Page

Public Key Infrastructure Page

GRE Modes Page

GRE Modes Page > GRE or GRE Dynamic IP Policy

GRE Modes Page > DMVPN Policy

Server Load Balance Page

Edit Load Balancing Parameters Dialog Box

Easy VPN IPsec Proposal Page

Easy VPN IPsec Proposal Tab

Dynamic VTI Tab

User Group Policy Page

Tunnel Group Policy (PIX 7.0/ASA) Page

Tunnel Group Policy > General Tab

Tunnel Group Policy > IPsec Tab

Tunnel Group Policy > Advanced Tab

Tunnel Group Policy > Client VPN Software Update Tab

Client Connection Characteristics Page

VPN Topologies Device View Page

Discover VPN Policies Wizard

Discover VPN Policies Wizard—Name and Technology Page

Discover VPN Policies Wizard—Device Selection Page

Rediscover VPN Policies Wizard

Rediscover VPN Policies Wizard—Name and Technology Page

Rediscover VPN Policies Wizard—Device Selection Page


Site-to-Site VPN User Interface Reference


The pages that you access by selecting Site-To-Site VPN Manager from the Tools menu, or clicking the Site-To-Site VPN Manager button on the toolbar, help you configure site-to-site VPNs.


Note You can also configure site-to-site VPNs in Device view (View > Device View) and Policy view (View > Policy View). For more information, see:

Managing VPN Devices in Device View, page 10-44

Managing Shared Site-to-Site VPN Policies in Policy View, page 10-46


These topics describe the pages that help you create VPN topologies, and the policies that will be assigned to them:

Site-to-Site VPN Manager Window

Create VPN Wizard

Site to Site VPN Policies

VPN Topologies Device View Page

Discover VPN Policies Wizard

Rediscover VPN Policies Wizard

Site-to-Site VPN Manager Window

Use the Site-to-Site VPN Manager window to:

View all available VPN topologies.

Create, edit, and delete VPN topologies.

View detailed information about each VPN topology.

View the endpoints defined for a VPN topology.

View and edit the policies assigned to a VPN topology.

The VPNs selector, in the upper left pane of the window, lists all available VPN topologies, and enables you to select topologies for viewing or editing. The lower left pane of the page lists the policies that are assigned to the VPN topology selected in the upper pane.

Navigation Path

Click the Site-To-Site VPN Manager button on the toolbar or select Tools > Site-To-Site VPN Manager.

Related Topics

Create VPN Wizard

Understanding VPN Topologies, page 10-2

Working with VPN Topologies, page 10-13

Using the Policy Banner, page 7-25

Field Reference

Table G-1 Site-to-Site VPN Manager Window 

Element
Description

VPNs selector

Lists each VPN topology, represented by its name and an icon indicating its VPN type (hub and spoke, point to point, or full mesh).

Create VPN Topology button

Click to create a VPN topology, then select the type of topology you want to create from the options that are displayed. The Create VPN wizard opens.

Edit VPN Topology button

Opens the Edit VPN dialog box for editing a selected VPN topology.

Note You can also edit a VPN topology by right-clicking it in the VPNs selector, and selecting the Edit option.

Delete VPN Topology button

Deletes a selected VPN topology.

Note You can also delete a selected VPN topology by right-clicking it and selecting the Delete option.

A confirmation dialog box opens asking you to confirm the deletion.

Policies selector

Lists each individually named policy that is already assigned to, or can be configured on, devices in the selected VPN topology.

Note VPN Summary and Peers are not policies. For a description of these pages, see VPN Summary Page and Peers Page.

Select a policy to open a page on which you can view or edit the parameters for the selected policy. See Site to Site VPN Policies.


VPN Summary Page

Use the VPN Summary page to view information about a selected VPN topology. This includes information about the type of VPN topology, its devices, the assigned technology, and specific policies that are configured in it.

Navigation Path

Open the Site-to-Site VPN Manager Window, select a topology in the VPNs selector, then select VPN Summary in the Policies selector.

Please note the following:

The VPN Summary page opens when you finish creating or editing a VPN topology.

The VPN Summary page also opens from Device view, when editing the VPN policies defined for a VPN topology. For more information, see Managing VPN Devices in Device View, page 10-44.

You can also open the VPN Summary page from Policy view. For more information, see Working with Site-to-Site VPN Policies, page 10-45.

Related Topics

Site-to-Site VPN Manager Window

Configuring High Availability in Your VPN Topology, page 10-42

Configuring VRF-Aware IPsec Settings, page 10-39

Configuring an IKE Proposal, page 10-49

Configuring IPsec Proposals, page 10-53

Configuring Preshared Key Policies, page 10-59

Configuring Public Key Infrastructure Policies, page 10-63

Configuring GRE or GRE Dynamic IP Policies, page 10-69

Configuring DMVPN Policies, page 10-72

Configuring Large Scale DMVPNs, page 10-74

Configuring an IPsec Proposal for Easy VPN, page 10-79

Configuring a User Group Policy for Easy VPN, page 10-80

Configuring a Tunnel Group Policy for Easy VPN, page 10-81

Field Reference

Table G-2 VPN Summary Page 

Element
Description

Type

The VPN topology type—Hub-and-Spoke, Point-to-Point, or Full Mesh.

Description

A description of the VPN topology.

IPsec Terminator

Available if the VPN topology is large scale DMVPN.

The name of the IPsec Terminator(s) used to load balance GRE traffic to the hubs in the large scale DMVPN.

Primary Hub

Available if the VPN topology type is hub-and-spoke.

The name of the primary hub in the hub-and-spoke topology.

Failover Hubs

Available if the VPN topology type is hub-and-spoke.

The name of any secondary backup hubs that are configured in the hub-and-spoke topology.

Number of Spokes

Available if the VPN topology type is hub-and-spoke.

The number of spokes that are included in the hub-and-spoke topology.

Peer 1

Available if the VPN topology type is point-to-point.

The name of the device that is defined as Peer One in the point-to-point VPN topology.

Peer 2

Available if the VPN topology type is point-to-point.

The name of the device that is defined as Peer Two in the point-to-point VPN topology.

Number of Peers

Available if the VPN topology type is full mesh.

The number of devices included in the full mesh VPN topology.

IPsec Technology

The IPsec technology assigned to the VPN topology. See Understanding IPsec Technologies and Policies, page 10-5.

IKE Proposal

The security parameters of the IKE proposal configured in the VPN topology. See IKE Proposal Page.

Dynamic VTI

Available in an Easy VPN topology.

Displays if a dynamic virtual template interface is configured on a device in an Easy VPN topology. See Dynamic VTI Tab.

Transform Sets

The transform sets that specify the authentication and encryption algorithms that will be used to secure the traffic in the VPN tunnel. See IPsec Proposal Page.

Preshared Key

Unavailable if the selected technology is Easy VPN.

Specifies whether the shared key to use in the preshared key policy is user defined or auto-generated. See Preshared Key Page.

Public Key Infrastructure

If a Public Key Infrastructure policy is configured in the VPN topology, specifies the CA server. See Public Key Infrastructure Page.

Routing Protocol

Available only if the selected technology is IPsec/GRE, GRE Dynamic IP, or DMVPN.

The routing protocol and autonomous system (or process ID) number used in the secured IGP for configuring a GRE, GRE Dynamic IP, or DMVPN routing policy.

Note Security Manager adds a routing protocol to all the devices in the secured IGP on deployment. If you want to maintain this secured IGP, you must create a router platform policy using this routing protocol and autonomous system (or process ID) number.

See GRE Modes Page.

Tunnel Subnet IP

Available only if the selected technology is IPsec/GRE, GRE Dynamic IP, or DMVPN.

If a tunnel subnet is defined, displays the inside tunnel interface IP address, including the unique subnet mask.

See GRE Modes Page.

User Group

Available for an Easy VPN topology.

If a User Group policy is configured on a device in the Easy VPN topology, displays the details of the policy. See User Group Policy Page.

PIX7.0/ASA Tunnel Group

Available for an Easy VPN topology.

If a Tunnel Group policy is configured on a PIX Firewall version 7.0, or ASA appliance in the Easy VPN topology, displays the details of the policy. See Tunnel Group Policy (PIX 7.0/ASA) Page.

High Availability

Available if the VPN topology type is hub-and-spoke.

If a High Availability policy is configured on a device in your hub-and-spoke VPN topology, displays the details of the policy. See Map Settings Dialog Box, page B-11.

VRF-Aware IPsec

Available if the VPN topology type is hub-and-spoke.

If a VRF-Aware IPsec policy is configured on a hub in your hub-and-spoke VPN topology, displays the type of VRF solution (1-Box or 2-Box) and the name of the VRF policy. See VRF Aware IPsec Tab.


Peers Page

Use the Peers page to view the endpoints defined for a VPN topology, including the internal and external VPN interfaces and protected networks assigned to the devices in the topology. The interface roles, or interfaces that match each interface role, may also be displayed for the VPN interfaces and protected networks.

The Peers page contains a scrollable table displaying the device roles, VPN interfaces, and protected networks for all selected devices. By clicking the arrow displayed alongside any table heading, you can switch the sort order of the list between ascending and descending. You can also filter the table contents using the filter controls above it to display only rows that match the criteria that you specify (see Filtering Tables, page 3-17).

Navigation Path

Open the Site-to-Site VPN Manager Window, select a topology in the VPNs selector, then select Peers in the Policies selector.

You can also open the Peers page from Device view. For more information, see Managing VPN Devices in Device View, page 10-44.

Related Topics

Device Selection Page

Endpoints Page

Site-to-Site VPN Manager Window

VPN Topologies Device View Page

Field Reference

Table G-3 Peers Page 

Element
Description

Role

The role of the device—hub (primary or failover), spoke, or peer.

Device

The name of the device.

VPN Interface

The VPN interface (external and internal) that is defined for the selected device.

Protected Networks

The protected networks that are defined for the selected device.

Show

Select whether to display the interface roles or the matching interfaces for the VPN interfaces and protected networks in the table, as follows:

Interface Roles Only (default)—To display only the interface roles assigned to the VPN interfaces and protected networks.

Matching Interfaces—To display the interfaces that match the pattern of each interface role. If there are no matching interfaces, "No Match" is displayed.

Create button

Opens the Device Selection tab of the Edit VPN dialog box on which you can change the selection of devices in your VPN topology.

Note You can also open the Device Selection tab by right-clicking in the page and selecting the Add Row option.

Edit button

Opens the Endpoints tab of the Edit VPN dialog box on which you can edit the VPN interfaces and protected networks for a selected device in the table.

Note You can also open the Endpoints tab for editing the VPN interfaces and protected networks for a device by double-clicking its row in the table, or right-clicking it and selecting the Edit Row option.

Delete button

Not available in a point-to-point VPN topology.

Deletes a selected device in the table. A dialog box opens asking you to confirm the deletion.

Note You can also delete a device by right-clicking it in the table and selecting the Delete Row option.

For more information, see About Editing a VPN Topology, page 10-22.


Create VPN Wizard

Security Manager supports three basic types of topologies with which you can create a site-to-site VPN. Use the Create VPN wizard to create a hub-and-spoke, point-to-point, or full mesh VPN topology across multiple device types. For more information, see Understanding VPN Topologies, page 10-2.


Note You can deploy to your devices immediately after creating a VPN topology, using the default policy configurations provided by Security Manager. All you need to do is complete the steps of the Create VPN wizard.


Editing a VPN topology is done using the Edit VPN dialog box, which comprises tabs whose elements are identical (except for the buttons) to the pages of the Create VPN wizard. You can click a tab to go directly to the page that contains the fields you want to edit, without having to go through each step of the wizard. Clicking OK on any tab in the dialog box saves your definitions on all the tabs. For more information, see Editing a VPN Topology, page 10-23.

The following pages describe the steps in the Create VPN wizard:

Name and Technology Page

Device Selection Page

Endpoints Page

Map Settings Dialog Box, page B-11

Navigation Path

1. In the Site-to-Site VPN Manager Window, click the Create VPN Topology button above the VPNs selector.

2. Select the type of VPN topology you want to create from the options that are displayed—Hub and Spoke, Point to Point, or Full Mesh.

Related Topics

Understanding VPN Topologies, page 10-2

Understanding IPsec Technologies and Policies, page 10-5

Creating a VPN Topology, page 10-14

Name and Technology Page

Use the Name and Technology page of the Create VPN wizard to provide a name and description for the VPN topology, and select the IPsec technology that will be assigned to it.


Note When editing a VPN topology, the Name and Technology tab is used. The elements of the tab (except for the buttons) are identical to those that appear on the Name and Technology page. For more information, see Editing a VPN Topology, page 10-23.


Navigation Path

When creating a VPN topology, open the Create VPN Wizard.

When editing a VPN topology, open the Site-to-Site VPN Manager Window, then right-click a VPN topology in the VPNs selector, or click the Name and Technology tab in the Edit VPN dialog box.

Related Topics

Create VPN Wizard

Editing a VPN Topology, page 10-23

Understanding IPsec Technologies and Policies, page 10-5

Defining a Name and IPsec Technology, page 10-15

Field Reference

Table G-4 Create VPN wizard > Name and Technology Page 

Element
Description

Name

A unique name you want to specify for the VPN topology, for identification purposes.

Description

Any descriptive text or comments that you want to add about the VPN topology.

IPsec Technology

The IPsec technology that you want to assign to the VPN topology.

Four options are available—Regular IPsec, IPsec/GRE, DMVPN, or Easy VPN.

Note If you are editing an existing VPN, the assigned IPsec technology is displayed, but unavailable for editing. To edit the technology, you must delete the VPN topology and create a new one.

Type

Available if the selected IPsec technology is IPsec/GRE or DMVPN.

If the IPsec technology is IPsec/GRE, enables you to select either Standard (for IPsec/GRE) or Spokes with Dynamic IP (to configure GRE Dynamic IP). For more information, see Configuring GRE or GRE Dynamic IP Policies, page 10-69.

If the IPsec technology is DMVPN, enables you to select either Standard (for regular DMVPN) or Large Scale with IPsec Terminator (to configure a large scale DMVPN). For more information, see Configuring Large Scale DMVPNs, page 10-74.


Device Selection Page

Use the Device Selection page of the Create VPN wizard to select the devices that will be included in the VPN topology. The devices that are available for selection include only those that can be used for the selected VPN topology type, that support the IPsec technology type, and which you are authorized to view.


Note When editing the device selection for a VPN topology, the Device Selection tab is used. The elements of the tab (except for the buttons) are identical to those that appear on the Device Selection page. For more information, see Editing a VPN Topology, page 10-23.


Navigation Path

When creating a VPN topology, open the Create VPN Wizard, then click Next on the Name and Technology page.

When editing a VPN topology, click the Device Selection tab in the Edit VPN dialog box.

In the VPN Topologies Device View Page, click the Edit VPN Topology button.

Related Topics

Create VPN Wizard

Editing a VPN Topology, page 10-23

About Selecting Devices in a VPN Topology, page 10-16

Selecting Devices for Your VPN Topology, page 10-17

About Editing a VPN Topology, page 10-22

Field Reference

Table G-5 Create VPN wizard > Device Selection Page 

Element
Description

Available Devices

Lists all devices that can be included in your selected VPN topology, that support the IPsec technology type, and which you are authorized to view.

Note Clicking a device group selects all its devices.

IPsec Terminators

Available only if you selected Large Scale with IPsec Terminator as the DMVPN technology type in the Name and Technology page.

Lists the Catalyst 6500/7600 devices you selected to be IPsec Terminators in your Large Scale DMVPN configuration.

Note You can use the Up and Down buttons to change the order of the devices in the list.

For more information, see Configuring Large Scale DMVPNs, page 10-74.

Hubs

The devices you selected to be hubs in your hub-and-spoke topology. In an Easy VPN topology, the selected devices are servers.

Note If you selected only one device, it becomes the primary hub. If multiple devices are selected, you must make sure that the required primary hub device appears first in the list. You can use the Up and Down buttons to change the order of the Hubs in the list.

You need to select the primary hub only when there are 2 or more IPsec terminators. When there is only one IPsec terminator, regardless of how many hubs are connected to the same IPsec terminator, it is not possible to designate one hub as the primary hub.

To remove devices from the list, select them and click <<.

Spokes

The devices you selected to be spokes in your hub-and-spoke topology. In an Easy VPN topology, the selected devices are clients.

To remove devices from the list, select them and click <<.

Peer One/Peer Two

The devices you selected to be peers in your point-to-point topology.

To remove the selected device from the Peer One/Peer Two field, click <<.

Selected Devices

The devices you selected to be included in your full mesh topology.

To remove selected devices from the Selected Devices list, click <<.


Endpoints Page

Use the Endpoints page of the Create VPN wizard to view the devices in your VPN topology, and define or edit their external or internal interfaces and protected networks.


Note The internal and external interfaces that appear on the Endpoints page are the default interfaces that are defined in the Administration tool's VPN Defaults page. For more information, see VPN Policy Defaults Page, page A-41.


The Endpoints page displays a scrollable table listing the VPN interfaces and protected networks for all selected devices. By clicking the arrow displayed alongside any table heading, you can switch the sort order of the list between ascending and descending. You can also filter the table contents using the filter controls above it to display only rows that match the criteria that you specify (see Filtering Tables, page 3-17).


Note When editing a VPN topology, the Endpoints tab is used. The elements of the tab (except for the buttons) are identical to those that appear on the Endpoints page. For more information, see Editing a VPN Topology, page 10-23.


Navigation Path

When creating a VPN topology, open the Create VPN Wizard, then click Next on the Device Selection page.

When editing a VPN topology, click the Endpoints tab in the Edit VPN dialog box.

Related Topics

Create VPN Wizard

Editing a VPN Topology, page 10-23

Edit Endpoints Dialog Box

About Defining and Editing the Endpoints and Protected Networks, page 10-18

Defining the Endpoints and Protected Networks, page 10-19

Field Reference

Table G-6 Create VPN wizard > Endpoints Page 

Element
Description

Role

The role of the device—hub, spoke, peer, or IPsec Terminator.

Device

The name of the device.

VPN Interface

The primary or backup VPN interface that is defined for the selected device.

Depending on the selection in the Show list, the interface roles, or the interfaces that match each interface role, for the VPN interface may also be displayed.

Select a row and click Edit to change the device's VPN interfaces. The Edit Endpoints dialog box opens, from which you can select the required VPN interface. See VPN Interface Tab.

Note You can select more than one device at a time for editing. The changes you make in the VPN Interface tab are applied to all the selected devices.

When selecting multiple devices for editing the VPN interfaces, you cannot include Catalyst 6500/7600 devices in your selection. If you want to edit these devices, you must select them separately.

To edit the VPN interface for a Catalyst 6500/7600 device, see VPN Interface Tab.

Protected Networks

The protected networks that are defined for the selected device.

Depending on the selection in the Show list, the interface roles, or the interfaces that match each interface role, for the protected networks may also be displayed.

Select a row and click Edit to change the device's protected networks. The Edit Endpoints dialog box opens, from which you can select the required protected networks. See Protected Networks Tab.

Note You can select more than one device at a time for editing. The changes you make in the Protected Networks tab are applied to all selected devices.

When selecting multiple devices for editing the protected networks, you cannot include Catalyst VPN Service Module devices in your selection. If you want to edit these devices, you must select them separately.

Show

Select whether to display the interface roles or the matching interfaces for the VPN interfaces and protected networks in the table, as follows:

Interface Roles Only (default)—To display only the interface roles assigned to the VPN interfaces and protected networks.

Matching Interfaces—To display the interfaces that match the pattern of each interface role. If there are no matching interfaces, "No Match" is displayed.

Edit button

Opens the Edit Endpoints dialog box so you can edit the VPN interface and/or protected networks for a selected device in the table. See Edit Endpoints Dialog Box.


Edit Endpoints Dialog Box

Use the Edit Endpoints dialog box to:

Edit the VPN interfaces and protected networks defined for devices.

Edit a hub interface that is connected to an IPsec Terminator in a large scale DMVPN.

Configure a dial backup interface to use as a fallback link for a primary VPN interface.

Define VPN Services Module (VPNSM) settings for a Catalyst 6500/7600 device.

Define VPN SPA settings for a Catalyst 6500/7600 device (which may be an IPsec Terminator in a Large Scale DMVPN topology).

Configure FWSM on a Catalyst 6500/7600 device.

Configure a VRF-Aware-IPsec policy on a hub device.

The following tabs may be available on the Edit Endpoints dialog box:

VPN Interface Tab

Protected Networks Tab

FWSM Tab

VRF Aware IPsec Tab

Navigation Path

Open the Endpoints Page (or tab), select a device in the Endpoints table, and click Edit.

Related Topics

Endpoints Page

Defining the Endpoints and Protected Networks, page 10-19

Configuring Dial Backup, page 10-27

Configuring a Catalyst VPN Services Module (VPNSM) VPN Interface, page 10-28

Configuring a Catalyst VPN Shared Port Adapter (VPN SPA) Blade, page 10-29

Configuring a Firewall Services Module (FWSM) Interface with VPNSM or VPN SPA, page 10-34

Configuring VRF-Aware IPsec Settings, page 10-39

VPN Interface Tab


Note If the device you selected for editing in the Endpoints table is a hub in a large scale DMVPN, the Hub Interface tab opens, enabling you to specify the interface that is connected to the IPsec Terminator, in the field provided. For more information, see Configuring Large Scale DMVPNs, page 10-74.



Note If you selected a Catalyst 6500/7600 device in the Endpoints table for editing, the VPN Interface tab provides settings that enable you to configure a VPN Services Module (VPNSM) or a VPN SPA blade on the device. For more information, see SNMP Credentials Dialog Box, page C-20. For a description of the elements that appear on the VPN Interface tab for a Catalyst 6500/7600 device, see Table G-8.


Use the VPN Interface tab in the Edit Endpoints dialog box to edit the VPN interfaces defined for devices in the Endpoints table. When defining a primary VPN interface for a router device, you can also configure a backup interface to use as a fallback link for the primary route VPN interface if its connection link becomes unavailable. You can configure a backup interface on a Cisco IOS security router that is in a point-to-point or full mesh topology, that is a spoke in a hub-and-spoke topology, or that is a remote client in an Easy VPN topology. For more information, see Understanding Dial Backup, page 10-26.

Navigation Path

The VPN Interface tab is displayed when you open the Edit Endpoints Dialog Box. You can also open it by clicking the VPN Interface tab from any other tab in the Edit Endpoints dialog box.

Related Topics

Edit Endpoints Dialog Box

Defining the Endpoints and Protected Networks, page 10-19

Configuring Dial Backup, page 10-27

Procedure for Configuring a VPNSM or VPN SPA Blade, page 10-32

Creating Interface Role Objects, page 9-62

Field Reference

Table G-7 describes the elements on the VPN Interface tab when a device other than a Catalyst 6500/7600 is selected. For a description of the elements that appear on the VPN Interface tab for a Catalyst 6500/7600 device, see Table G-8.

Table G-7 Edit Endpoints Dialog Box > VPN Interface Tab 

Element
Description

Enable the VPN Interface Changes on All Selected Peers

Available if you selected more than one device on the Endpoints page for editing.

When selected, applies any changes you make in the VPN interface tab to all the selected devices.

VPN Interface

The VPN interface defined for the selected device. The default is External.

VPN interfaces are predefined interface role objects. If required, click Select to open a dialog box that lists all available interfaces and the sets of interfaces defined by interface roles; in this dialog box you can make your selection or create interface role objects.

If the device is an ASA 5505 version 7.2(1) or later, it must have two interfaces defined with different security levels. For more information, see Managing Device Interfaces, page 15-5.

Connection Type

Only available in a hub-and-spoke VPN topology, if the selected device is an ASA or PIX 7.0 hub, and the selected technology is Regular IPsec.

Select the type of connection that the ASA hub will use during an SA negotiation:

Answer Only—To configure the hub to only respond to an SA negotiation, but not initiate it.

Originate Only—To configure the hub to only initiate an SA negotiation, but not respond to one.

Bidirectional—To configure the hub to both initiate and respond to an SA negotiation.

Local Peer IPSec Termination

Unavailable if the selected technology is Easy VPN.

Specifies the IP address of the VPN interface of the local router. You can select one of the following options:

VPN Interface IP Address—This is the default. Uses the configured IP address on the selected VPN interface. Only one VPN interface can match the interface role.

IP Address—To enter the IP address of the VPN interface of the local router manually. Enter the IP address in the field provided.

Note If you select a tunnel source as the VPN interface, it is likely that the VPN interface has a dynamically assigned IP address.

IP Address of Another Existing Interface to be Used as Local Address (unavailable if IPsec technology is DMVPN)—To use the configured IP address on any interface as a local address, not necessarily a VPN interface. Enter the interface in the field provided.

You can choose the required interface by clicking Select. A dialog box opens that lists all available predefined interface roles, and in which you can create an interface role object.

Tunnel Source

Available only for a hub when the selected technology is IPsec/GRE or DMVPN.

Specifies the tunnel source address to be used by the GRE or DMVPN tunnel on the spoke side. You can select one of the following options:

VPN Interface—This is the default. Uses the selected VPN interface as the tunnel source address.

Another Existing Interface—To use any interface as the tunnel source address, not necessarily a VPN interface. Enter the interface in the field provided.

You can choose the required interface by clicking Select. A dialog box opens that lists all available predefined interface roles, and in which you can create an interface role object.

Dial Backup Settings

Enable Backup

Available if the selected device is an IOS router that is in a point-to-point or full mesh topology, that is a spoke in a hub-and-spoke topology, or that is a remote client in an Easy VPN topology.

When selected, enables you to configure a backup interface to use as a fallback link for the primary route VPN interface if its connection link becomes unavailable.

Note Before configuring a backup interface, you must first configure the dialer interface settings on the device. For more information, see Dialer Interfaces on Cisco IOS Routers, page 14-23.

Dialer Interface

The logical interface through which the secondary route traffic is directed when the dialer interface is activated. This can be a Serial, Async, or BRI interface.

You can choose the required interface by clicking Select. A dialog box opens that lists all available interfaces and predefined interface roles, and in which you can create an interface role object.

Primary Next Hop IP Address

Available only if the selected technology is Regular IPsec, IPsec/GRE, GRE Dynamic IP, or Easy VPN.

The IP address to which the primary interface connects when it is active. This is known as the next hop IP address.

If you do not specify the next hop IP address, Security Manager configures a static route using the VPN interface name. The VPN interface must be point-to-point or deployment fails.

You can choose the required IP address by clicking Select. The Network/Hosts selector opens, in which you can select a network from which the IP address will be allocated.

Tracking IP Address

The IP address of the destination device to which connectivity must be maintained from the primary VPN interface connection. This is the device that is pinged by the Service Assurance agent through the primary route to track connectivity. The backup connection is triggered if connectivity to this device is lost.

Note If you do not specify an IP address, the primary hub VPN interface is used in a hub-and-spoke or Easy VPN topology. In a point-to-point or full mesh VPN topology, the peer VPN interface is used.

You can choose the required IP address by clicking Select. The Network/Hosts selector opens, in which you can select a network from which the IP address will be allocated.

Advanced button

Available if the selected technology is Regular IPsec, IPsec/GRE, GRE Dynamic IP, or Easy VPN.

Opens the Dial Backup Settings dialog box for configuring additional (optional) settings. See Dial Backup Settings Dialog Box.


Defining VPN Services Module (VPNSM) or VPN SPA Settings

When you select a Catalyst 6500/7600 device in the Endpoints table for editing, the VPN Interface tab of the Edit Endpoints dialog box provides settings for configuring a VPN Services Module (VPNSM) or VPN SPA on the device. You can select more than one Catalyst 6500/7600 device at the same time. Your changes are applied to all the selected devices.


Note These settings must also be configured if the selected device is an IPsec Terminator in a large scale DMVPN. See Configuring Large Scale DMVPNs, page 10-74.

Before you define the VPNSM or VPN SPA settings, you must import your Catalyst 6500/7600 device to the Security Manager inventory and discover its interfaces. For more information, see Procedure for Configuring a VPNSM or VPN SPA Blade, page 10-32.

If you are configuring a VPNSM or VPN SPA with VRF-Aware IPsec on a device, verify that the device does not belong to a different VPN topology in which VRF-Aware IPsec is not configured. Similarly, if you are configuring a VPNSM or VPN SPA without VRF-Aware IPsec, make sure that the device does not belong to a different VPN topology in which VRF-Aware IPsec is configured.


Field Reference

Table G-8 describes the elements that appear on the VPN Interface tab of the Edit Endpoints dialog box, after you select a Catalyst 6500/7600 device (or IPsec Terminator) in the Endpoints dialog box.

Table G-8 Edit Endpoints Dialog Box > VPN Interface Tab > VPNSM/VPN SPA Settings 

Element
Description

Enable the VPN Interface Changes on All Selected Peers

Available if you selected more than one Catalyst 6500/7600 device for editing in the Endpoints page.

When selected, applies any changes you make in the VPN interface tab to all the selected devices.

VPNSM/VPN SPA Settings

VPN Interface

The inside VLAN that serves as the inside interface to the VPN Services Module or VPN SPA. It is also the hub endpoint of the VPN tunnel (unless VRF-Aware IPsec is configured on the device).

If required, click Select to open a dialog box that lists all available interfaces, and sets of interfaces defined by interface roles, in which you can make your selection, or create interface role objects.

Slot

From the list of available slots, select the VPNSM blade slot number to which the inside VLAN interface is connected, or the number of the slot in which the VPN SPA blade is inserted.

Subslot

The number of the subslot (0 or 1) on which the VPN SPA blade is actually installed.

Note If you are configuring a VPNSM, select the blank option.

External Port

The external port or VLAN that connects to the inside VLAN.

Note If VRF-Aware IPsec is configured on the device, the external port or VLAN must have an IP address. If VRF-Aware IPsec is not configured, the external port or VLAN must not have an IP address.

Click Select to open a dialog box that lists all available interfaces, and sets of interfaces defined by interface roles, in which you can make your selection, or create interface role objects.

Note You must select an interface or interface role that differs from the one selected for the inside VLAN.

Enable Failover Blade

When selected, enables you to configure a failover VPNSM or VPN SPA blade for intrachassis high availability.

Note A VPNSM blade and VPN SPA blade cannot be used on the same device as primary and failover blades.

Failover Slot

From the list of available slots, select the VPNSM blade slot number that will serve as the failover blade, or the number of the slot in which the failover VPN SPA blade is inserted.

Failover Subslot

Select the number of the subslot (0 or 1) on which the failover VPN SPA blade is actually installed.

Note If you are configuring a VPNSM, select the blank option.

Local Peer IPSec Termination

The IP address of the VPN interface of the local router. You can select one of the following options:

VPN Interface IP Address—To use the configured IP address on the selected VPN interface.

IP Address—To enter manually the IP address of the VPN interface of the local router. Enter the IP address in the field provided.

Note If you select a tunnel source as the VPN interface, it is likely that the VPN interface has a dynamically assigned IP address.

IP Address of Another Existing Interface to be Used as Local Address—To use the configured IP address as a local address on any interface (not necessarily a VPN interface). Enter the interface in the field provided, or click Select to choose the required interface from a list of available predefined interfaces and interface role objects.


Protected Networks Tab

Use the Protected Networks tab on the Edit Endpoints dialog box to edit the protected networks that are defined on a selected device in the Endpoints table.

You can specify the protected networks as interface roles whose naming patterns match the internal VPN interface type of the device, as network objects containing one or more network or host IP addresses, interfaces, or other network objects, or as access control lists (if Regular IPsec is the assigned technology).

For more information, see:

Understanding Interface Role Objects, page 9-61

Understanding Network/Host Objects, page 9-68

Creating Access Control List Objects, page 9-20

Navigation Path

You can access the Protected Networks tab from the Edit Endpoints dialog box. Open the Edit Endpoints Dialog Box, then click the Protected Networks tab.

Related Topics

Edit Endpoints Dialog Box

Defining the Endpoints and Protected Networks, page 10-19

Field Reference

Table G-9 Edit Endpoints Dialog Box > Protected Networks Tab 

Element
Description

Enable the Protected Networks Changes on All Selected Peers

Available if you selected more than one device for editing in the Endpoints page.

When selected, applies any changes you make in the Protected Networks tab to all the selected devices.

Available Protected Networks

A hierarchy of all available protected networks, including the interface roles whose naming pattern may match the internal VPN interface type of the device. If Regular IPsec is the assigned technology, access control lists (ACLs) are also included in the list of available protected networks.

Note In a hub-and-spoke VPN topology in which Regular IPsec is the assigned technology, when an ACL object is used to define the protected network on a spoke, Security Manager mirrors the spoke's ACL object on the hub to the matching crypto map entry.

Select the interface role(s), protected networks, and/or access control lists that you want to define for the selected device, then click >>.

Selected Protected Networks

The protected networks and interface roles you selected for the device.

Note You can reorder the selected protected networks/interface roles in the list by selecting them (one at a time), then clicking the Move Up or Move Down button, as required.

>> button

Moves protected networks from the available networks list to the selected networks list.

<< button

Removes protected networks from the selected list.

Create button

If the required interface roles, protected networks, or access control lists do not appear in the Available Protected Networks list, click Create and select the required option to create an interface role, protected network, or access control list.

Note The Access Control List option is only available if the assigned technology is Regular IPsec.

If you select the Interface Role option, the Interface Role Editor page opens in which you can create an interface role object. For more information, see Creating Interface Role Objects, page 9-62.

If you select the Protected Network option, the Network Editor page opens in which you can create a network object. For more information, see Creating Network/Host Objects, page 9-71.

If you select the Access Control List option, the Access Lists Editor page opens in which you can create an access control list object. For more information, see Creating Access Control List Objects, page 9-20.


FWSM Tab


Note The FWSM tab is only available in a hub-and-spoke VPN topology, when the selected hub is a Catalyst 6500/7600 device.


Use the FWSM tab on the Edit Endpoints dialog box to define the settings that enable you to connect between a Firewall Services Module (FWSM) and an IPsec VPN Services Module (VPNSM) or VPN SPA, that is already configured on a Catalyst 6500/7600 device.


Note Before defining the FWSM settings, you must import your Catalyst 6500/7600 device to the Security Manager inventory. Then open Cisco Catalyst Device Manager (Cisco CDM), discover the FWSM configuration on the device, and assign a VLAN that will serve as the inside interface to the FWSM.

For more information, see:

Configuring a Firewall Services Module (FWSM) Interface with VPNSM or VPN SPA, page 10-34

Discovering Policies, page 7-11

Creating or Editing VLANs, page 16-9


Navigation Path

You can access the FWSM tab from the Edit Endpoints dialog box. Open the Edit Endpoints Dialog Box, then click the FWSM tab.


Note Make sure you selected a Catalyst 6500/7600 device in the table on the Endpoints Page (or tab), before opening the Edit Endpoints dialog box.


Related Topics

Configuring a Firewall Services Module (FWSM) Interface with VPNSM or VPN SPA, page 10-34

SNMP Credentials Dialog Box, page C-20

Edit Endpoints Dialog Box

Field Reference

Table G-10 Edit Endpoints Dialog Box > FWSM Tab 

Element
Description

Enable FWSM Settings

When selected, enables you to configure the connection between the Firewall Services Module (FWSM) and the VPN Services Module (VPNSM) or VPN SPA on the selected Catalyst 6500/7600 device.

FWSM Inside VLAN

The VLAN which serves as the inside interface to the Firewall Services Module (FWSM).

If required, click Select to open a dialog box that lists all available interfaces, and sets of interfaces defined by interface roles, and in which you can make your selection, or create interface role objects.

FWSM Blade

From the list of available blades, select the blade number to which the selected FWSM inside VLAN interface is connected.

Security Context

If the selected FWSM inside VLAN is part of a security context, specify its name in this field. The name is case-sensitive.

You can partition an FWSM into multiple virtual firewalls, known as security contexts. A security context is an independent virtual firewall that has its own security policy, interfaces, and administrators. You can define security contexts when you import a Catalyst 6500/7600 device into the Security Manager inventory.

For more information, see Security Contexts Page, page K-210.


VRF Aware IPsec Tab

Use the VRF-Aware IPsec tab on the Edit Endpoints dialog box to configure a VRF-Aware IPsec policy on a hub in your hub-and-spoke VPN topology. When you select the row in the Endpoints table that contains the required hub device (the IPsec Aggregator), and click Edit, the VRF Aware IPsec tab opens. You can configure VRF-Aware IPsec as a one-box or two-box solution.


Note In a VPN topology with two hubs, you must configure VRF-Aware IPsec on both devices.

You cannot configure VRF-Aware IPsec on a device that belongs to another VPN topology in which VRF-Aware IPsec is not configured.

Deployment may fail if the IPsec Aggregator already has a keyring, created by the existing preshared key policy, whose name matches the keyring CLI command that the VRF configuration requires, and that keyring is not referenced by any other command. In this case, Security Manager does not reuse the existing keyring but generates one with a different name, and deployment fails. You must manually remove the preshared key keyring command through the CLI before you can deploy the configuration.


For more information about creating or editing a VRF-Aware IPsec policy, see Understanding VRF-Aware IPsec, page 10-36.

Navigation Path

You can access the VRF-Aware IPsec tab from the Edit Endpoints dialog box. Open the Edit Endpoints Dialog Box, then click the VRF-Aware IPsec tab.


Note Make sure you selected a hub device in the table on the Endpoints Page (or tab), before opening the Edit Endpoints dialog box.


Related Topics

Edit Endpoints Dialog Box

Configuring VRF-Aware IPsec Settings, page 10-39

Defining the Endpoints and Protected Networks, page 10-19

Field Reference

Table G-11 Edit Endpoints Dialog Box > VRF Aware IPsec Tab 

Element
Description

Enable the VRF Settings Changes on All Selected Peers

Available if you selected more than one device for editing in the Endpoints page.

When selected, applies any changes you make in the VRF Settings tab to all the selected devices.

Enable VRF Settings

When selected, enables the configuration of VRF settings on the selected hub for the selected hub-and-spoke topology.

Note To remove VRF settings that were defined for the VPN topology, deselect this check box.

1-Box (IPsec Aggregator + MPLS PE)

When selected, enables you to configure a one-box VRF solution.

In the one-box solution, one device serves as the Provider Edge (PE) router that does the MPLS tagging of the packets in addition to IPsec encryption and decryption from the Customer Edge (CE) devices. For more information, see VRF-Aware IPsec One-Box Solution, page 10-37.

2-Box (IPsec Aggregator Only)

When selected (the default), enables you to configure a two-box VRF solution.

In the two-box solution, the PE device does just the MPLS tagging, while the IPsec Aggregator device does the IPsec encryption and decryption from the CEs. For more information, see VRF-Aware IPsec Two-Box Solution, page 10-38.

VRF Name

The name of the VRF routing table on the IPsec Aggregator. The VRF name is case-sensitive.

Route Distinguisher

The unique identifier of the VRF routing table on the IPsec Aggregator.

This unique route distinguisher maintains the routing separation for each VPN across the MPLS core to the other PE routers.

The identifier can be in either of the following formats:

IP address:X (where X is in the range 0-2147483647).

N:X (where N is in the range 0-65535, and X is in the range 0-2147483647).

Note You cannot override the RD identifier after deploying the VRF configuration to your device. To modify the RD identifier after deployment, you must manually remove it using the device CLI, and then deploy again.

Interface Towards Provider Edge

Available only when a 2-Box solution is selected.

Specify the VRF forwarding interface on the IPsec Aggregator towards the PE device.

Note If the IPsec Aggregator (hub) is a Catalyst VPN service module, you must specify a VLAN.

Interfaces and VLANs are predefined interface role objects. If required, you can click Select to open a dialog box that lists all available interfaces, and sets of interfaces defined by interface roles, in which you can make your selection, or create interface role objects.

Routing Protocol

Available only when a 2-Box solution is selected.

Select the routing protocol to be used between the IPsec Aggregator and the PE.

If the routing protocol used for the secured IGP differs from the routing protocol between the IPsec Aggregator and the PE, select the routing protocol to use for redistributing routes into the secured IGP.

The options are BGP, EIGRP, OSPF, RIPv2, or Static route. The default is BGP.

For information about protocols, see Chapter 14, "Managing Routers".

AS Number

Available only when a 2-Box solution is selected.

Enter the autonomous system (AS) number that identifies the routing domain between the IPsec Aggregator and the PE.

If the routing protocol used for the secured IGP differs from the routing protocol between the IPsec Aggregator and the PE, enter the AS number that identifies the secured IGP into which routes learned between the IPsec Aggregator and the PE will be redistributed. This is relevant only when IPsec/GRE or DMVPN is the assigned technology.

The AS number must be within the range 1-65535.

Process Number

Available only if the 2-Box radio button is selected, and if the selected routing protocol is OSPF.

The routing process ID number that will be used to identify the secured IGP.

The range is 1-65535.

OSPF Area ID

Available only if the 2-Box radio button is selected, and if the selected routing protocol is OSPF.

The ID number of the area in which the packet belongs. You can enter any number from 0-4294967295.

Note All OSPF packets are associated with a single area, so the IPsec Aggregator and the PE must use the same area ID on the link between them.

Next Hop IP Address

Available only when a 2-Box solution is selected with static routing.

Specify the IP address of the PE interface that connects to the IPsec Aggregator. This address becomes the next hop of the static route from the IPsec Aggregator toward the PE.

Redistribute Static Route

Available only when a 2-Box solution is selected with any routing protocol other than Static route.

When selected, enables static routes to be advertised in the routing protocol configured on the IPsec Aggregator towards the PE device.
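The following hand-written IOS configuration is added here as an illustration of how the fields in this table map onto device commands; it is not the CLI that Security Manager generates. It shows a 2-Box (IPsec Aggregator Only) solution with VRF Name and Route Distinguisher set, the Interface Towards Provider Edge placed in the VRF, BGP as the Routing Protocol with an AS Number, and Redistribute Static Route selected. The VRF name, RD, AS numbers, addresses, interface names, keyring/profile names and the preshared key are all assumptions.

```ios
! VRF routing table on the IPsec Aggregator (VRF Name and Route Distinguisher fields).
! The rd cannot be changed in place once deployed; remove it via the CLI first.
ip vrf CUST-A
 rd 65000:1
!
! Keyring and ISAKMP profile that bind the spoke's tunnel to the VRF.
! The keyring name must not collide with the keyring generated by the preshared key policy.
crypto keyring CUST-A-KEYS
 pre-shared-key address 198.51.100.2 key example-psk
!
crypto isakmp profile CUST-A-PROF
 vrf CUST-A
 keyring CUST-A-KEYS
 match identity address 198.51.100.2 255.255.255.255
!
crypto ipsec transform-set tunnel_3des_sha esp-3des esp-sha-hmac
!
! Protected network on the spoke side: 10.1.0.0/16
access-list 101 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.255.255
!
crypto map CUST-A-MAP 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set tunnel_3des_sha
 set isakmp-profile CUST-A-PROF
 match address 101
 ! Reverse route injection: a static route to 10.1.0.0/16 is inserted into CUST-A
 ! while the SA is up, and it is what "Redistribute Static Route" advertises to the PE.
 reverse-route
!
! Public-facing VPN interface stays in the global table; decrypted traffic lands in CUST-A.
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map CUST-A-MAP
!
! Interface Towards Provider Edge, a VRF forwarding interface.
interface GigabitEthernet0/1
 ip vrf forwarding CUST-A
 ip address 10.255.0.1 255.255.255.252
!
! Routing Protocol BGP, AS Number 65000, peering with the PE (AS 65001) inside the VRF.
router bgp 65000
 address-family ipv4 vrf CUST-A
  redistribute static
  neighbor 10.255.0.2 remote-as 65001
  neighbor 10.255.0.2 activate
 exit-address-family
```

The point to check after deployment is that the spoke's protected network appears in the VRF table (show ip route vrf CUST-A) only while the tunnel is up and that the PE learns it over BGP; if it shows up in the global table instead, the ISAKMP profile is not bound to the VRF.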


Dial Backup Settings Dialog Box

Use the Dial Backup Settings dialog box to define optional settings for configuring a dial backup policy for your site-to-site VPN. These settings are available for Regular IPsec, IPsec/GRE, GRE Dynamic IP, or Easy VPN technologies.

Mandatory settings for dial backup are configured in the VPN Interface tab on the Edit Endpoints dialog box. See VPN Interface Tab.


Note You must configure the dialer interface settings before dial backup can work properly. For more information, see Dialer Interfaces on Cisco IOS Routers, page 14-23.


Navigation Path

Open the VPN Interface Tab from the Edit Endpoints dialog box, select the Enable check box in the Backup area, and click Advanced.

Related Topics

Defining the Endpoints and Protected Networks, page 10-19

Configuring Dial Backup, page 10-27

Understanding Easy VPN, page 10-75

VPN Interface Tab

Field Reference

Table G-12 Dial Backup Settings Dialog Box 

Element
Description

Next Hop Forwarding

Backup Next Hop IP Address

If required, enter the next hop IP address of the ISDN BRI or analog modem backup interface (that is, the IP address to which the backup interface will connect when it is active).

If you do not enter the next hop IP address, Security Manager configures a static route using the interface name.

You can choose the required IP address by clicking Select. The Network/Hosts selector opens, in which you can select a network from which the IP address will be allocated.

Tracking Object Settings

Timeout

The number of milliseconds the Service Assurance Agent operation waits to receive a response from the destination device. The default is 5000 ms.

Frequency

How often, in seconds, the Response Time Reporter (RTR) probe is sent to detect loss of connectivity on the primary route. The default is every 60 seconds.

Threshold

The rising threshold in milliseconds that generates a reaction event and stores history information for the RTR operation. The default is 5000 ms.
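The following hand-written IOS configuration is added as an illustration of the dial backup settings described on the VPN Interface tab (Dialer Interface, Primary Next Hop IP Address, Tracking IP Address) together with the Tracking Object Settings in this dialog box; it is not the CLI that Security Manager generates. The interface names, addresses, SLA and track object numbers, and the crypto map name are assumptions, and the dialer interface itself is assumed to be configured already, as the note above requires.

```ios
! IP SLA probe: pings the Tracking IP Address (here the hub's VPN interface, the
! default target in a hub-and-spoke topology) through the primary interface, using
! the dialog box defaults: Timeout 5000 ms, Frequency 60 s, Threshold 5000 ms.
ip sla 1
 icmp-echo 192.0.2.1 source-interface Serial0/0
 timeout 5000
 frequency 60
 threshold 5000
ip sla schedule 1 life forever start-time now
!
! Track object that follows the probe's reachability state.
track 1 ip sla 1 reachability
!
! Primary default route via the Primary Next Hop IP Address, tied to the track object.
! The route is withdrawn from the routing table while the probe reports unreachable.
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 1
!
! Floating static route through the Dialer Interface, installed only while the tracked
! route is absent because of its higher administrative distance. With no Backup Next Hop
! IP Address the route names the interface, which works because a dialer is point-to-point.
ip route 0.0.0.0 0.0.0.0 Dialer1 250
!
! Both the primary and the backup interface carry the crypto map so the tunnel can
! re-establish over the dialer once the primary path is gone.
interface Serial0/0
 ip address 198.51.100.2 255.255.255.252
 crypto map VPN-MAP
!
interface Dialer1
 crypto map VPN-MAP
```

On IOS releases that predate the ip sla keyword, the same probe is configured with rtr (or ip sla monitor) and track 1 rtr 1 reachability. Keep the tracking target on the far side of the primary link: tracking the local next hop only detects a dead first hop, not a failed path to the hub.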


High Availability Page

Use the High Availability page to define a group of hubs as an HA group.


Note When editing a VPN topology, the High Availability tab is used. The elements of the tab (except for the buttons) are identical to those that appear on the High Availability page. For more information, see Editing a VPN Topology, page 10-23.


High Availability may be configured in a hub-and-spoke VPN topology when Regular IPsec or Easy VPN is the assigned technology.

For more information about the prerequisites for configuring high availability, see the section on Prerequisites for Successful High Availability Configuration in Understanding High Availability, page 10-41.

Navigation Path

When creating a hub-and-spoke VPN topology, open the Create VPN Wizard, then click Next on the Endpoints page.

When editing a hub-and-spoke or Easy VPN topology, click the High Availability tab in the Edit VPN dialog box.

Related Topics

Understanding High Availability, page 10-41

Configuring High Availability in Your VPN Topology, page 10-42

Understanding Easy VPN, page 10-75

Create VPN Wizard

Endpoints Page

Field Reference

Table G-13 Create VPN wizard > High Availability Page 

Element
Description

Enable

When selected, enables you to configure high availability on a group of hubs.

When deselected, enables you to remove an HA group that was defined for the VPN topology.

Inside Virtual IP

The IP address that is shared by the hubs in the HA group and represents the inside interface of the HA group. The virtual IP address must be on the same subnet as the inside interfaces of the hubs in the HA group, but must not be identical to the IP address of any of these interfaces.

You can choose the required IP address by clicking Select. The Network/Hosts selector opens, in which you can select a network from which the IP address is allocated.

Note If there is an existing standby group on the device, make sure that the IP address you provide is different from the virtual IP address already configured on the device.

Inside Mask

The subnet mask for the inside virtual IP address.

VPN Virtual IP

The IP address that is shared by the hubs in the HA group and represents the VPN interface of the HA group. This IP address serves as the hub endpoint of the VPN tunnel.

You can choose the required IP address by clicking Select. The Network/Hosts selector opens, in which you can select a host from which the IP address is allocated.

Note If there is an existing standby group on the device, make sure that the IP address you provide is different from the virtual IP address already configured on the device.

VPN Mask

The subnet mask for the VPN virtual IP address.

Hello Interval

The duration in seconds (within the range of 1-254) between each hello message sent by a hub to the other hubs in the group to indicate status and priority. The default is 5 seconds.

Hold Time

The duration in seconds (within the range of 2-255) that a standby hub will wait to receive a hello message from the active hub before concluding that the hub is down. The default is 15 seconds.

Standby Group Number (Inside)

The standby number of the inside hub interface that matches the internal virtual IP subnet for the hubs in the HA group. The number must be within the range of 0-255. The default is 1.

Standby Group Number (Outside)

The standby number of the outside hub interface that matches the external virtual IP subnet for the hubs in the HA group. The number must be within the range of 0-255. The default is 2.

Note The outside standby group number must be different from the inside standby group number.

Stateful Failover

When selected, enables SSO for stateful failover.

Note In an Easy VPN topology, this check box appears selected and disabled, as stateful failover must always be configured.

You can only configure stateful failover on an HA group that contains two hubs that are Cisco IOS routers. This check box is disabled if the HA group contains more than two hubs.

Note When deselected in a Regular IPsec topology, stateless failover is configured on the HA group. Stateless failover will also be configured if the HA group contains more than two hubs. Stateless failover can be configured on Cisco IOS routers or Catalyst 6500/7600 devices.

For more information, see Understanding High Availability, page 10-41.
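The following hand-written IOS configuration is added as an illustration of the HSRP standby groups that the fields in this table describe, on one hub of a two-router HA group with stateless failover; it is not the CLI that Security Manager generates. The virtual and real addresses, interface names, standby group names and the crypto map name are assumptions.

```ios
! Hub 1. Hub 2 is identical apart from its real interface addresses and a lower standby priority.
!
! Inside interface: Inside Virtual IP 10.0.0.254 / Inside Mask 255.255.255.0,
! Standby Group Number (Inside) 1, Hello Interval 5, Hold Time 15.
interface GigabitEthernet0/1
 description inside
 ip address 10.0.0.1 255.255.255.0
 standby 1 ip 10.0.0.254
 standby 1 timers 5 15
 standby 1 priority 110
 standby 1 preempt
 standby 1 name VPN-HA-IN
 ! If the VPN side fails, step down on the inside too so both groups move together.
 standby 1 track GigabitEthernet0/0 20
!
! VPN (outside) interface: VPN Virtual IP 192.0.2.100 / VPN Mask 255.255.255.0,
! Standby Group Number (Outside) 2; spokes use 192.0.2.100 as their peer address.
interface GigabitEthernet0/0
 description vpn
 ip address 192.0.2.1 255.255.255.0
 standby 2 ip 192.0.2.100
 standby 2 timers 5 15
 standby 2 priority 110
 standby 2 preempt
 standby 2 name VPN-HA-OUT
 standby 2 track GigabitEthernet0/1 20
 ! Bind the crypto map to the standby group: the active hub owns the virtual address
 ! and the IPsec SAs. Appending "stateful" is what SSO (Stateful Failover) adds, and
 ! additionally requires the inter-device redundancy configuration on both hubs.
 crypto map VPN-MAP redundancy VPN-HA-OUT
```

The inside and outside groups must use different standby numbers (here 1 and 2), and the two virtual addresses must not be the same as any real interface address or an existing standby group's virtual address, as the notes above require.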


VPN Defaults Page

Use the VPN Defaults page of the Create VPN wizard to view and select the default site-to-site VPN policies that will be assigned to the VPN topology you are creating. The page displays all the available mandatory and optional policies that can be assigned to your VPN topology, according to the selected IPsec technology.


Note When you click Finish on this page, the default policies are assigned to the new VPN topology. The policies you select will be applied only to the specific VPN topology you are creating. If you want the selected policies to be applied to all future VPN topologies that are created, you must change the policy defaults selection on the Administration tool's VPN Policy Defaults page.


For more information, see Understanding VPN Default Policies, page 10-7.

Navigation Path

Open the Create VPN Wizard, then click Next on the Endpoints page, or High Availability page (if you are configuring a hub-and-spoke VPN topology).

Related Topics

Create VPN Wizard

Understanding IPsec Technologies and Policies, page 10-5

Understanding VPN Default Policies, page 10-7

Assigning Default Policies to Your VPN Topology, page 10-21

Field Reference

Table G-14 Create VPN wizard > VPN Defaults Page 

Element
Description

Policy type

Lists the VPN policy types that can be assigned to your VPN topology. For each policy type, select the default VPN policy you want to assign to your VPN topology.

You can accept the Factory Default policy (available for a mandatory policy only) or select a shared VPN policy that was created (and submitted or approved, depending on the workflow mode) using Security Manager.

Note If you want to assign a default policy that is not provided in the list, you can change the policy defaults selection in the Administration tool's VPN Policy Defaults page. The policy will then be available for assignment to all future VPN topologies that are created. For more information, see VPN Policy Defaults Page, page A-41.

Note If you try to select a default policy that is currently locked by another user, a message is displayed warning you of a lock problem. To bypass the lock, select a different policy or cancel the VPN topology creation until the lock is approved. For more information, see Understanding Locking, page 7-7.

View Content button

Opens a page that displays the contents of the selected VPN policy.

Note If you make any changes on this page, you cannot save them.


Site to Site VPN Policies

You can access site-to-site VPN policies by selecting Tools > Site-To-Site VPN Manager, or clicking the Site-To-Site VPN Manager button on the toolbar, and then selecting the required policy in the Policies selector of the Site-to-Site VPN window.

You can also access site-to-site VPN policies from Device view or Policy view.

In Device view, you can see the VPN topology (topologies) to which each device in the Security Manager inventory belongs, and if necessary, change its assignment to or from a VPN topology. For more information, see VPN Topologies Device View Page.

For more information about accessing site-to-site VPN policies from Policy view, see Managing Shared Site-to-Site VPN Policies in Policy View, page 10-46.

These topics describe the pages of the policies that you can assign to your VPN topologies:

IKE Proposal Page

IPsec Proposal Page

VPN Global Settings Page

Preshared Key Page

Public Key Infrastructure Page

GRE Modes Page

Server Load Balance Page

Easy VPN IPsec Proposal Page

User Group Policy Page

Tunnel Group Policy (PIX 7.0/ASA) Page

Client Connection Characteristics Page

IKE Proposal Page

Use the IKE Proposal page to select the IKE proposal that will be used to secure the IKE negotiation between two peers. An IKE proposal is a mandatory policy that is already configured in your VPN topology with predefined default values. On the IKE Proposal page, you can view the parameters of the selected IKE proposal, select a different one from a list of predefined IKE proposals, or create a new one.

Navigation Path

Open the Site-to-Site VPN Manager Window, select a topology in the VPNs selector, then select IKE Proposal in the Policies selector.

You can also open the IKE Proposal page from Policy view. See Managing Shared Site-to-Site VPN Policies in Policy View, page 10-46.

Related Topics

Understanding IKE, page 10-47

Configuring an IKE Proposal, page 10-49

Understanding Preshared Key Policies, page 10-58

Preshared Key Page

VPN Topologies Device View Page

Managing Shared Site-to-Site VPN Policies in Policy View, page 10-46

Field Reference

Table G-15 IKE Proposal Page 

Element
Description

Available IKE Proposals

Lists the predefined IKE proposals available for selection.

Select the required IKE proposal in the list. The IKE proposal replaces the one in the Selected IKE Proposal field.

IKE proposals are predefined objects. If the required IKE proposal is not included in the list, click Add to open the IKE Editor dialog box that enables you to create or edit an IKE proposal object. For more information, see IKE Proposal Dialog Box, page F-52.

Selected

The selected IKE proposal with its predefined default values. The default is preshared_sha_3des_dh5_5.

Note You cannot edit the selected IKE proposal because it is a predefined object. You can only edit the properties of an IKE proposal object you create.

To remove the IKE proposal from this field, select a different one.

Create button

Opens the IKE Editor dialog box for creating an IKE proposal object. For more information, see IKE Proposal Dialog Box, page F-52.

Edit button

Opens the IKE Editor dialog box for editing the selected IKE proposal. For more information, see IKE Proposal Dialog Box, page F-52.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


IPsec Proposal Page

Use the IPsec Proposal page to edit the IPsec policy definitions for your VPN topology.


Note When configuring IPsec policy definitions on an Easy VPN server, the IPsec Proposal page contains different elements. See Easy VPN IPsec Proposal Page.


Navigation Path

Open the Site-to-Site VPN Manager Window, select a topology in the VPNs selector, then select IPsec Proposal in the Policies selector.

You can also open the IPsec Proposal page from Policy view. See Managing Shared Site-to-Site VPN Policies in Policy View, page 10-46.

Related Topics

Understanding IPsec Tunnel Policies, page 10-50

Configuring IPsec Proposals, page 10-53

Field Reference

Table G-16 IPsec Proposal Page 

Element
Description

Crypto Map Type

A crypto map combines all the components required to set up IPsec security associations. When two peers try to establish an SA, they must each have at least one compatible crypto map entry.

Select the type of crypto map you want to generate:

Static—Use a static crypto map in a point-to-point or full mesh VPN topology.

Dynamic—Dynamic crypto maps can only be used in a hub-and-spoke VPN topology. Dynamic crypto map policies allow remote peers to exchange IPsec traffic with a local hub, even if the hub does not know the remote peer's identity.

For more information, see About Crypto Maps, page 10-51.

Transform Sets

The transform set(s) to use for your tunnel policy. Transform sets specify which authentication and encryption algorithms will be used to secure the traffic in the tunnel. You can select up to six transform sets.

Note Transform sets may use tunnel mode or transport mode of IPsec operation. When IPsec or Easy VPN is the assigned technology, you cannot use transport mode.

A default transform set is displayed (tunnel_3des_sha). If you want to use a different transform set, or select additional transform sets, click Select to open a dialog box that lists all available transform sets, and in which you can create transform set objects. For more information, see Creating IPsec Transform Set Objects, page 9-66.

If more than one of your selected transform sets is supported by both peers, the transform set that provides the highest security will be used.

For more information, see About Transform Sets, page 10-51.

Enable Perfect Forward Secrecy

When selected, enables the use of Perfect Forward Secrecy (PFS) to generate and use a unique session key for each encrypted exchange.

The unique session key protects the exchange from subsequent decryption, even if the entire exchange was recorded and the attacker has obtained the preshared and/or private keys used by the endpoint devices.

Note To enable PFS, you must also select a Diffie-Hellman group for generating the PFS session key.

Modulus Group

Available if Enable Perfect Forward Secrecy is selected.

Select the required Diffie-Hellman key derivation algorithm from the Modulus Group list box.

Security Manager supports Diffie-Hellman group 1, group 2, group 5, and group 7 key derivation algorithms. Each group has a different size modulus:

Group 1 (the default): 768-bit modulus.

Group 2: 1024-bit modulus.

Group 5: 1536-bit modulus.

Group 7: Use when the elliptic curve field size is 163 characters.

For more information, see Deciding Which Diffie-Hellman Group to Use, page 10-48.

Lifetime (sec)

The number of seconds an SA will exist before expiring. The default is 3600 seconds (one hour).

Lifetime refers to the global lifetime settings for the crypto IPsec security association (SA). The IPsec lifetime can be specified in seconds, in kilobytes, or both.

Lifetime (kbytes)

The volume of traffic (in kilobytes) that can pass between IPsec peers using a given SA before it expires.

Valid values depend on the device type. Enter a value within the range 10-2147483647 for an IOS router, and 2560-536870912 for a PIX 7.0/ASA device.

The default value is 4,608,000 kilobytes.

QoS Preclassify

Supported on Cisco IOS routers, except 7600 devices.

When selected, enables the classification of packets before tunneling and encryption occur.

The Quality of Service (QoS) for VPNs feature enables Cisco IOS QoS services to operate with tunneling and encryption on an interface.

The QoS features on the output interface classify packets and apply the appropriate QoS service before the data is encrypted and tunneled, enabling traffic flows to be adjusted in congested environments, and resulting in more effective packet tunneling.

Reverse Route

Supported on ASA devices, PIX 7.0 devices, and Cisco IOS routers except 7600 devices.

Reverse Route Injection (RRI) enables static routes to be automatically inserted into the routing process for those networks and hosts protected by a remote tunnel endpoint. For more information, see About Reverse Route Injection, page 10-52.

Select one of the following options to configure RRI on the crypto map:

None—Disables the configuration of RRI on the crypto map.

Standard—Creates routes based on the destination information defined in the crypto map access control list (ACL). This is the default option.

Remote Peer—Creates two routes, one for the remote endpoint and one for route recursion to the remote endpoint via the interface to which the crypto map is applied.

Remote Peer IP—Specifies an interface or address as the explicit next hop to the remote VPN device. Then, click Select to open the Network/Hosts Selector, from which you can select the IP address of the remote peer to be used as the next hop.

Note You can select the Allow Value Override per Device check box to override the default route, if required.


VPN Global Settings Page

Use the VPN Global Settings page to define global settings for IKE, IPsec, NAT, and fragmentation that apply to devices in your VPN topology.

The following tabs are available on the VPN Global Settings page:

ISAKMP/IPsec Settings Tab

NAT Settings Tab

General Settings Tab

Navigation Path

Open the Site-to-Site VPN Manager Window, select a topology in the VPNs selector, then select VPN Global Settings in the Policies selector.

You can also open the VPN Global Settings page from Policy view. See Managing Shared Site-to-Site VPN Policies in Policy View, page 10-46.

ISAKMP/IPsec Settings Tab

Use the ISAKMP/IPsec Settings tab of the VPN Global Settings page to specify global settings for Internet Key Exchange (IKE) and IPsec.

Internet Key Exchange (IKE), also called Internet Security Association and Key Management Protocol (ISAKMP), is the negotiation protocol that lets two hosts agree on how to build an IPsec security association.

Navigation Path

The ISAKMP/IPsec Settings tab appears when you open the VPN Global Settings Page. You can also open it by clicking the ISAKMP/IPsec Settings tab from any other tab in the VPN Global Settings page.

Related Topics

VPN Global Settings Page

Understanding IKE, page 10-47

Understanding IPsec Tunnel Policies, page 10-50

Understanding ISAKMP/IPsec Settings, page 10-55

Configuring VPN Global Settings, page 10-57

Field Reference

Table G-17 VPN Global Settings Page > ISAKMP/IPsec Settings Tab 

Element
Description

ISAKMP Settings

Enable Keepalive

When selected, enables you to configure IKE keepalive as the default failover and routing mechanism.

IKE keepalive is defined on the spokes in a hub-and-spoke VPN topology, or on both devices in a point-to-point VPN topology.

Interval

The number of seconds that a device waits between sending IKE keepalive packets. The default is 10 seconds.

Retry

The number of seconds a device waits between attempts to establish an IKE connection with the remote peer. The default is 2 seconds.

Periodic

Available only if Enable Keepalive is selected, and supported on routers running IOS version 12.3(7)T and later, except 7600 devices.

When selected, enables you to send dead-peer detection (DPD) keepalive messages even if there is no outbound traffic to be sent. Usually, DPD keepalive messages are sent between peer devices only when no incoming traffic is received but outbound traffic needs to be sent.

For more information, see Understanding ISAKMP/IPsec Settings, page 10-55.

Identity

During Phase I IKE negotiations, peers must identify themselves to each other.

Select whether the device identifies itself in IKE negotiations by its IP address or by its hostname. You can also select Distinguished Name (DN) to identify a user group name. The default is Address.

SA Requests System Limit

Supported on routers running IOS version 12.3(8)T and later, except 7600 routers.

The maximum number of SA requests allowed before IKE starts rejecting them. The specified value must equal or exceed the number of peers, or the VPN tunnels may be disconnected.

You can enter a value in the range of 0-99999.

SA Requests System Threshold

Supported on Cisco IOS routers and Catalyst 6500/7600 devices.

The percentage of system resources that can be used before IKE starts rejecting new SA requests. The default is 75 percent.

Enable Aggressive Mode

Supported on ASA devices and PIX 7.0 devices.

When selected, enables you to use aggressive mode in ISAKMP negotiations for an ASA device. Aggressive mode is enabled by default.

Deselect this check box to disable the use of aggressive mode in ISAKMP negotiations for an ASA device.

See Understanding IKE, page 10-47.

IPsec Settings

Enable Lifetime

When selected, enables you to configure the global lifetime settings for the crypto IPsec security associations (SAs) on the devices in your VPN topology.

Lifetime (secs)

The number of seconds a security association will exist before expiring. The default is 3,600 seconds (one hour).

Lifetime (kbytes)

The volume of traffic (in kilobytes) that can pass between IPsec peers using a given security association before it expires. The default is 4,608,000 kilobytes.

Xauth Timeout

Available when Easy VPN is the selected technology, and the selected device is a Cisco IOS router or Catalyst 6500/7600 device.

The number of seconds the device waits for a response from the end user after an IKE SA has been established.

When negotiating tunnel parameters for establishing IPsec tunnels in an Easy VPN configuration, Xauth adds another level of authentication that identifies the user who requests the IPsec connection. Using the Xauth feature, the client waits for a "username/password" challenge after the IKE SA has been established. When the end user responds to the challenge, the response is forwarded to the IPsec peers for an additional level of authentication.

Max Sessions

Supported on ASA devices and PIX 7.0 devices.

The maximum number of SAs that can be enabled simultaneously on the device.

Enable IPsec via Sysopt

Supported on ASA devices and PIX Firewall versions 6.3 and 7.0.

When selected (the default), specifies that any packet that comes from an IPsec tunnel is implicitly trusted (permitted).

Enable SPI Recovery

Supported on routers running IOS version 12.3(2)T and later, in addition to Catalyst 6500/7600 devices running version 12.2(18)SXE and later.

When selected, enables the SPI recovery feature, which configures the device to initiate an IKE SA when an invalid SPI (Security Parameter Index) is encountered.

SPI (Security Parameter Index) is a number which, together with a destination IP address and security protocol, uniquely identifies a particular security association. When using IKE to establish security associations, the SPI for each security association is a pseudo-randomly derived number. Without IKE, the SPI is manually specified for each security association. When an invalid SPI occurs during IPsec packet processing, the SPI recovery feature enables an IKE SA to be established.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


NAT Settings Tab

Use the NAT Settings tab of the VPN Global Settings page to define the NAT settings that will be configured on the devices in your VPN topology.


Note If you want to bypass NAT configuration on IOS routers, make sure the Do Not Translate VPN Traffic check box is selected in the NAT Dynamic Rule platform policy (see NAT Dynamic Rule Dialog Box, page J-10). To exclude NAT on PIX Firewalls or ASA devices, make sure this check box is selected in the NAT Translation Options platform policy (see Translation Options Page, page K-6).


Navigation Path

Open the VPN Global Settings Page, then click the NAT Settings tab.

Related Topics

Understanding NAT, page 10-55

VPN Global Settings Page

Field Reference

Table G-18 VPN Global Settings Page > NAT Settings Tab 

Element
Description

Enable Traversal Keepalive

When selected, enables you to configure NAT traversal keepalive on a device.

NAT traversal keepalive is used for the transmission of keepalive messages when there is a device (middle device) located between a VPN-connected hub and spoke, and that device performs NAT on the IPsec flow.

Note On Cisco IOS routers, NAT traversal is enabled by default. If you want to disable the NAT traversal feature, you must do this manually on the device or using a FlexConfig (see Chapter 19, "Managing FlexConfigs").

For more information, see Understanding NAT, page 10-55.

Interval

Available when NAT Traversal Keepalive is enabled.

The interval, in seconds, between the keepalive signals sent between the spoke and the middle device to indicate that the session is active. The NAT keepalive value can be from 5 to 3600 seconds. The default is 10 seconds.

Enable PAT (Port Address Translation) on Split Tunneling for Spokes

Supported on Cisco IOS routers and Catalyst 6500/7600 devices.

When selected, enables Port Address Translation (PAT) to be used for split-tunneled traffic on spokes in your VPN topology.

PAT can associate thousands of private NAT addresses with a small group of public IP addresses, through the use of port addressing. PAT is used if the addressing requirements of your network exceed the available addresses in your dynamic NAT pool. See Understanding NAT, page 10-55.

Note When this check box is enabled, Security Manager implicitly creates an additional NAT rule for split-tunneled traffic, on deployment. This NAT rule, which denies VPN-tunneled traffic and permits all other traffic (using the external interface as the IP address pool), is not reflected as a router platform policy.

For information on creating or editing a dynamic NAT rule as a router platform policy, see Defining Dynamic NAT Rules, page 14-11.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


General Settings Tab

Use the General Settings tab of the VPN Global Settings page to define fragmentation settings, including maximum transmission unit (MTU) handling parameters.

Navigation Path

Open the VPN Global Settings Page, then click the General Settings tab.

Related Topics

VPN Global Settings Page

Understanding Fragmentation, page 10-56

Field Reference

Table G-19 VPN Global Settings Page > General Settings Tab 

Element
Description

Fragmentation Settings

Fragmentation Mode

Supported on Cisco IOS routers and Catalyst 6500/7600 devices.

Fragmentation minimizes packet loss in a VPN tunnel when transmitted over a physical interface that cannot support the original size of the packet.

Select the required fragmentation mode option from the list:

No Fragmentation—Select if you do not want to fragment before IPsec encapsulation. After encapsulation, the device fragments packets that exceed the MTU setting before transmitting them through the public interface.

End to End MTU Discovery—Select to use ICMP messages for the discovery of MTU. Use this option when the selected technology is IPsec.

End-to-end MTU discovery uses Internet Control Message Protocol (ICMP) messages to determine the maximum MTU that a host can use to send a packet through the VPN tunnel without causing fragmentation.

Local MTU Handling—Select to set the MTU locally on the devices. This option is typically used when ICMP is blocked, and when the selected technology is IPsec/GRE.

Local MTU Size

Supported on Cisco IOS routers and Catalyst 6500/7600 devices, when Local MTU Handling is the selected fragmentation mode option.

Note The permitted MTU size is between 68 and 65535 bytes depending on the VPN interface.

DF Bit

Supported on Cisco IOS routers, Catalyst 6500/7600 devices, PIX 7.0 and ASA devices.

A Don't Fragment (DF) bit within an IP header determines whether a device is allowed to fragment a packet.

Select the required setting for the DF bit:

Copy—Copies the DF bit from the encapsulated header in the current packet to all the device's packets. If the packet's DF bit is set to fragment, all future packets are fragmented. This is the default option.

Set—Sets the DF bit in the packet you are sending. A large packet that exceeds the MTU is dropped and an ICMP message is sent to the packet's initiator.

Clear—Fragments packets regardless of the original DF bit setting. If ICMP is blocked, MTU discovery fails and packets are fragmented after encryption.

Enable Fragmentation Before Encryption

Supported on Cisco IOS routers, Catalyst 6500/7600 devices, PIX 7.0 and ASA devices.

When selected, enables fragmentation to occur before encryption, if the expected packet size exceeds the MTU.

Lookahead Fragmentation (LAF) is used before encryption takes place to calculate the packet size that would result after encryption, depending on the transform sets configured on the IPsec SA. If the packet size exceeds the specified MTU, the packet will be fragmented before encryption.
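The following Python is an added illustration of the lookahead calculation described above; it is not part of the Security Manager guide or of Cisco IOS. It estimates the ESP tunnel-mode packet size for a transform set using the standard RFC 4303 overheads (the page's default tunnel_3des_sha corresponds to esp-3des with esp-sha-hmac), and fragments the cleartext inner packet before encryption when the encrypted result would exceed the MTU. Cipher names, MTU and packet sizes are constructed sample values.

```python
"""Lookahead fragmentation (LAF) estimate for ESP tunnel mode.

Added example, not Security Manager code. Overheads follow RFC 4303 (ESP):
  outer IPv4 header (20) + SPI (4) + sequence number (4) + IV
  + encrypted payload padded to the cipher block size
  + pad length (1) + next header (1) + ICV (12 for HMAC-SHA1-96 / HMAC-MD5-96)
"""
import math

# Per-cipher parameters: (iv_len, block_size) in bytes. The keys are
# illustrative transform names; tunnel_3des_sha on the page maps to
# esp-3des + esp-sha-hmac.
CIPHERS = {
    "esp-3des": (8, 8),
    "esp-des": (8, 8),
    "esp-aes": (16, 16),      # AES-CBC: 16-byte block for all key sizes
    "esp-null": (0, 1),       # no encryption, no padding requirement
}
# Authentication algorithm -> ICV length in bytes (truncated HMAC).
AUTH_ICV = {"esp-sha-hmac": 12, "esp-md5-hmac": 12, None: 0}

OUTER_IPV4 = 20         # new outer header added in tunnel mode (no options)
ESP_HEADER = 8          # SPI + sequence number
ESP_TRAILER = 2         # pad length + next header
INNER_IP_HDR = 20       # assumed inner IPv4 header without options


def esp_tunnel_size(inner_len, cipher, auth):
    """Size of the outer packet after inner_len bytes of inner IP packet
    are ESP-encapsulated in tunnel mode with the given algorithms."""
    iv_len, block = CIPHERS[cipher]
    icv = AUTH_ICV[auth]
    # Encrypted region = inner packet + trailer, padded up to a block multiple.
    encrypted = math.ceil((inner_len + ESP_TRAILER) / block) * block
    return OUTER_IPV4 + ESP_HEADER + iv_len + encrypted + icv


def max_inner_for_mtu(mtu, cipher, auth):
    """Largest inner IP packet whose encapsulation still fits within mtu.
    Packet size grows monotonically with inner_len, so a downward scan is exact."""
    hi = mtu
    while hi > 0 and esp_tunnel_size(hi, cipher, auth) > mtu:
        hi -= 1
    return hi


def lookahead_fragment(inner_len, mtu, cipher="esp-3des", auth="esp-sha-hmac"):
    """LAF decision: if the encrypted packet would exceed the MTU, return the
    sizes of the pre-encryption fragments (each an inner IP packet carrying
    its own header); otherwise return [inner_len] unchanged.
    IP fragment offsets are in 8-byte units, so per-fragment payload is
    rounded down to a multiple of 8."""
    if esp_tunnel_size(inner_len, cipher, auth) <= mtu:
        return [inner_len]
    max_inner = max_inner_for_mtu(mtu, cipher, auth)
    payload_per_frag = ((max_inner - INNER_IP_HDR) // 8) * 8
    if payload_per_frag <= 0:
        raise ValueError("MTU too small to carry any encapsulated fragment")
    payload = inner_len - INNER_IP_HDR
    frags = []
    while payload > 0:
        chunk = min(payload, payload_per_frag)
        frags.append(INNER_IP_HDR + chunk)
        payload -= chunk
    return frags


if __name__ == "__main__":
    # Constructed sample: a full-size 1500-byte packet into a 1500-byte MTU.
    print(esp_tunnel_size(1500, "esp-3des", "esp-sha-hmac"))   # 1552, exceeds MTU
    print(lookahead_fragment(1500, 1500))                        # [1444, 76]
```

Each fragment returned is itself re-encapsulated, so the second, small fragment is what a downstream device would otherwise have produced by fragmenting the already-encrypted packet after encryption.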

Enable Notification on Disconnection

Supported on PIX 7.0 and ASA devices.

When selected, enables the device to notify qualified peers of sessions that are about to be disconnected. The peer receiving the alert decodes the reason and displays it in the event log or in a pop-up panel. This feature is disabled by default.

Enable Split Tunneling

When selected (the default), enables you to configure split tunneling in your VPN topology.

Split tunneling enables you to transmit both secured and unsecured traffic on the same interface. Split tunneling requires that you specify exactly which traffic will be secured and what the destination of that traffic is, so that only the specified traffic enters the IPsec tunnel, while the rest is transmitted unencrypted across the public network.

Enable Spoke-to-Spoke Connectivity through the Hub

Supported on PIX 7.0 and ASA devices.

When selected, enables direct communication between spokes in a hub-and-spoke VPN topology, in which the hub is an ASA/PIX 7.0 device.

Enable Default Route

Supported on Cisco IOS routers and Catalyst 6500/7600 devices.

When selected, the device uses the configured external interface as the default outbound route for all incoming traffic.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Preshared Key Page

Use the Preshared Key page to view or edit the parameters for a preshared key policy.


Note A preshared key policy is not available when configuring Easy VPN.


Navigation Path

Open the Site-to-Site VPN Manager Window, select a topology in the VPNs selector, then select Preshared Key in the Policies selector.

You can also open the Preshared Key page from Policy view. For more information, see Managing Shared Site-to-Site VPN Policies in Policy View, page 10-46.

Related Topics

Understanding Preshared Key Policies, page 10-58

Configuring Preshared Key Policies, page 10-59

Field Reference

Table G-20 Preshared Key Page 

Element
Description

Key Specification

User Defined

When selected, enables you to use a manually defined preshared key.

Enter the required preshared key in the Key field, then enter it again in the Confirm field.

Auto Generated

When selected, allocates a random key to the participating peers. This ensures security because a different key is generated for every hub-spoke connection. Auto Generated is the default selection.

Note The key is allocated during the first deployment to the devices and is used in all subsequent deployments to the same devices, until you select the Regenerate Key (Only in Next Deployment) check box.

Key Length

The required length of the preshared key to be automatically generated (maximum 127 characters). The default is 24.

Same Key for All Tunnels

Unavailable in a point-to-point VPN topology.

When selected, enables you to use the same auto-generated key for all tunnels.

Note If you do not select this check box, different keys are used for the tunnels, except in cases, such as DMVPN configuration, when different multipoint GRE interfaces in the same network must use the same preshared key.

Regenerate Key (Only in Next Deployment)

Only available if Auto Generated is selected.

When selected, enables Security Manager to generate a new key for the next deployment to the device(s). This is useful if it is possible that the secrecy of the keys might be compromised.

Note When you submit the job for deployment, this check box is cleared. It does not remain selected because the new key will only be generated for the upcoming deployment, and not for subsequent deployments (unless you select it again).

Negotiation Method

Main Mode Address

This is the default negotiation method.

Use this negotiation method for exchanging key information if the IP address of the devices is known. Negotiation is based on IP address. Main mode provides the highest security because it has three two-way exchanges between the initiator and receiver.

Then click one of the following three radio buttons to define the negotiation address type:

Peer Address—Negotiation is based on the unique IP address of each peer. A key is created for each peer, providing high security. This is the default.

Subnet—Creates a group preshared key on a hub in a hub-and-spoke topology to use for communication with any device in a specified subnet, even if the IP address of the device is unknown. Each peer is identified by its subnet. After selecting this option, enter the subnet in the field provided.

In a point-to-point or full mesh VPN topology, a group preshared key is created on the peers.


Wildcard—Creates a wildcard key on a hub or on a group of hubs in a hub-and-spoke topology to use when a spoke does not have a fixed IP address or belong to a specific subnet. In this case, all spokes connecting to the hub have the same preshared key, which could compromise security. Use this option if a spoke in your hub-and-spoke VPN topology has a dynamic IP address.

In a point-to-point or full mesh VPN topology, a wildcard key is created on the peers.

Note When configuring DMVPN with direct spoke-to-spoke connectivity, you create a wildcard key on the spokes.

Main Mode FQDN

Select this negotiation method for exchanging key information, if the IP address is not known and DNS resolution is available for the device(s). Negotiation is based on DNS resolution, with no reliance on IP address.

Aggressive Mode

Available only in a hub-and-spoke VPN topology.

Select this negotiation method for exchanging key information, if the IP address is not known and DNS resolution might not be available on the devices. Negotiation is based on hostname and domain name.

Note If direct spoke-to-spoke tunneling is enabled, you cannot use aggressive mode.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Public Key Infrastructure Page

Use the Public Key Infrastructure page to select the CA server that will be used to create a Public Key Infrastructure (PKI) policy for generating enrollment requests for CA certificates.

Navigation Path

Open the Site-to-Site VPN Manager Window, select a topology in the VPNs selector, then select Public Key Infrastructure in the Policies selector.

You can also open the Public Key Infrastructure page from Policy view. For more information, see Working with Site-to-Site VPN Policies, page 10-45.

Related Topics

Understanding Public Key Infrastructure Policies, page 10-60

Configuring Public Key Infrastructure Policies, page 10-63

Understanding PKI Enrollment Objects, page 9-75

Field Reference

Table G-21 Public Key Infrastructure (PKI) Page 

Element
Description

Available CA Servers

Lists the predefined CA servers available for selection.

CA servers are predefined PKI enrollment objects that contain server information and enrollment parameters that are required for creating enrollment requests for CA certificates.

Select the required CA server if you want to replace the default one in the Selected field.

If the required CA server is not included in the list, click Create to open a dialog box that enables you to create or edit a PKI enrollment object. For more information, see PKI Enrollment Dialog Box, page F-115.

Note If you are making a PKI enrollment request on an Easy VPN remote access system, you must configure each remote component (spoke) with the name of the user group to which it connects. You specify this information in the Organization Unit (OU) field in the Certificate Subject Name tab of the PKI Enrollment Editor dialog box. You do not need to configure the name of the user group on the hub (Easy VPN Server). For more information, see Defining Additional PKI Attributes, page 9-80.

Selected

The selected CA server.

Note You cannot edit the selected CA server because it is a predefined object. You can only edit the properties of an object you define.

To remove the selected CA server, select a different one.

Save button

Saves your changes to the server but keeps them private. To publish your changes, click the Submit button on the toolbar.

Note To save the RSA key pairs and the CA certificates between reloads permanently to Flash memory on a PIX firewall version 6.3, you must configure the "ca save all" command. You can do this manually on the device or using a FlexConfig (see Chapter 19, "Managing FlexConfigs").


GRE Modes Page

Use the GRE Modes page to define the routing and tunnel parameters that enable you to configure IPsec tunneling with GRE, GRE Dynamic IP, and DMVPN policies.

Table G-22 describes the elements on the GRE Modes page for configuring IPsec tunneling with GRE or GRE Dynamic IP.

Table G-23 describes the elements on the GRE Modes page for configuring DMVPN.


Note When configuring an IPsec/GRE, GRE Dynamic IP, or DMVPN routing policy, Security Manager adds a routing protocol to all the devices in the secured IGP, on deployment. If you want to maintain this secured IGP, you must create a router platform policy using the same routing protocol and autonomous system (or process ID) number as defined in the GRE Modes policy.


Navigation Path

Open the Site-to-Site VPN Manager Window, select a topology in the VPNs selector, then select GRE Modes in the Policies selector.

You can also open the GRE Modes page from Policy view. For more information, see Managing Shared Site-to-Site VPN Policies in Policy View, page 10-46.

Related Topics

Understanding GRE, page 10-65

Understanding GRE Configuration for Dynamically Addressed Spokes, page 10-67

Configuring GRE or GRE Dynamic IP Policies, page 10-69

Understanding DMVPN, page 10-70

Configuring DMVPN Policies, page 10-72

Understanding IPsec Technologies and Policies, page 10-5

GRE Modes Page > GRE or GRE Dynamic IP Policy

Table G-22 describes the elements on the GRE Modes page for configuring IPsec tunneling with GRE or GRE Dynamic IP.

Table G-22 GRE Modes Page > GRE or GRE Dynamic IP Policy 

Element
Description

Routing Parameters Tab

Routing Protocol

Select the required dynamic routing protocol (EIGRP, OSPF, or RIPv2) or static route to be used for GRE or GRE Dynamic IP.

The default routing protocol is EIGRP.

AS Number

Available only if you selected the EIGRP routing protocol.

The number that will be used to identify the autonomous system (AS) area to which the EIGRP packet belongs. The range is 1-65535. The default is 110.

An autonomous system (AS) is a collection of networks that share a common routing strategy. An AS can be divided into a number of areas, which are groups of contiguous networks and attached hosts. Routers with multiple interfaces can participate in multiple areas. An AS ID identifies the area to which the packet belongs. All EIGRP packets are associated with a single area, so all devices must have the same AS number.

Process Number

Available only if you selected the OSPF routing protocol.

The routing process ID number that will be used to identify the secured IGP that Security Manager adds when configuring GRE.

The range is between 1 and 65535. The default is 110.

Security Manager adds an additional Interior Gateway Protocol (IGP) that is dedicated for IPsec and GRE secured communication. An IGP refers to a group of devices that receive routing updates from one another by means of a routing protocol. Each "routing group" is identified by the process number.

For more information, see Understanding GRE, page 10-65.

Hello Interval

Available only if you selected the EIGRP routing protocol.

The interval between hello packets sent on the interface, between 1 and 65535 seconds. The default is 5 seconds.

Hold Time

Available only if you selected the EIGRP routing protocol.

The number of seconds the router will wait to receive a hello message before invalidating the connection. The range is between 1 and 65535. The default hold time is 15 seconds (three times the hello interval).

Delay

Available only if you selected the EIGRP routing protocol.

The throughput delay for the primary route interface, in microseconds. The range of the tunnel delay time is 1-16777215. The default is 1000.

Failover Delay

Available only if you selected the EIGRP routing protocol.

The throughput delay for the failover route interface, in microseconds. The range of the tunnel delay time is 1-16777215. The default is 1500.

Bandwidth

Available only if you selected the EIGRP routing protocol.

The amount of bandwidth available to the primary route interface for the EIGRP packets. You should enter a value that gives priority to the primary route over other routes.

You can enter a value in the range 1 to 10000000 kb. The default is 1000 kb.

Note By default, the cost of sending a packet on an interface is calculated based on the bandwidth—the higher the bandwidth, the lower the cost.

Failover Bandwidth

Available only if you selected the EIGRP routing protocol.

The amount of bandwidth available to the failover route interface for the EIGRP packets.

Enter a value in the range 1 to 10000000 kb. The default is 1000 kb.

Hub Network Area ID

Available only if you selected the OSPF routing protocol.

The ID number of the area in which the hub's protected networks will be advertised, including the tunnel subnet. You can specify any number. The default is 0.

Spoke Protected Network Area ID

Available only if you selected the OSPF routing protocol.

The ID number of the area in which the remote protected networks will be advertised, including the tunnel subnet. You can specify any number. The default is 1.

Authentication

Available if you selected the OSPF or RIPv2 routing protocol.

A string that specifies the OSPF or RIPv2 authentication key. The string can be up to eight characters long.

Cost

Available if you selected the OSPF or RIPv2 routing protocol.

The cost of sending a packet on the primary route interface.

If the selected protocol is OSPF, enter a value in the range 1-65535; the default is 100.

If the selected protocol is RIPv2, enter a value in the range 1-15; the default is 1.

Failover Cost

Available if you selected the OSPF or RIPv2 routing protocol.

The cost of sending a packet on the secondary (failover) route interface.

You can enter a value in the range 1-65535 for OSPF (the default is 125), or in the range 1-15 for RIPv2 (the default is 2).

Filter Dynamic Updates on Spokes

When selected, enables the creation of a redistribution list that filters all dynamic routing updates on the spokes. This forces the spoke devices to advertise (populate on the hub device) only their own protected subnets and not other IP addresses.

Tunnel Parameters Tab

Tunnel IP

Select the required option to specify the GRE or GRE Dynamic IP tunnel interface IP address.

Note To view the new GRE tunnel and/or loopback interfaces in the Router Interfaces page, you must rediscover the device inventory details after successfully deploying the VPN to the device. For more information, see Basic Interface Settings on Cisco IOS Routers, page 14-14.

Use Physical Interface

When selected, uses the private IP address of the tunnel taken from the protected network.

Use Subnet

When selected, uses the tunnel IP address taken from an IP range. This is the default.

In the Subnet field, enter the private IP address including the unique subnet mask (default is 1.1.1.0/24).

If you are also configuring a dial backup interface, enter its subnet in the Dial Backup Subnet field provided (default is 1.1.2.0/24).

Note In most cases, when you use a subnet to specify a GRE tunnel interface IP address, Security Manager creates a loopback interface on the device which is used for the tunnel IP address. If the device belongs to a VPN topology whose configurations were discovered by Security Manager, and you configure an IP address directly on the device's GRE tunnel, Security Manager keeps that configuration and does not create a loopback interface on the device. However, a loopback is always configured on a hub in a VPN topology; in a hub-and-spoke VPN topology with multiple hubs, a loopback interface is also configured on the spokes.

Use Loopback Interface

When selected, uses the tunnel IP address taken from an existing loopback interface.

In the Role field, enter the interface, or select it from the list of interface roles provided.

Tunnel Source IP Range

Available only if the assigned IPsec technology is GRE Dynamic IP.

The private IP address including the unique subnet mask that supports the loopback for GRE. The GRE tunnel interface has an IP address (inside tunnel IP address) which is taken from a loopback interface that Security Manager creates specifically for this purpose.

When a spoke has a dynamic IP address, there is no fixed GRE tunnel source address (to be used by the GRE tunnel on the spoke side) or destination address (to be used by the GRE tunnel on the hub side). Therefore, Security Manager creates additional loopback interfaces on the hub and the spoke to use as the GRE tunnel endpoints. You must specify a subnet from which Security Manager can allocate an IP address for the loopback interfaces.

Enable IP Multicast

When selected, enables multicast transmissions across your GRE tunnels. IP multicast delivers application source traffic to multiple receivers without burdening the source or the receivers, while using a minimum of network bandwidth.

Rendezvous Point

Only available if you selected the Enable IP Multicast check box.

If required, you can enter the IP address of the interface that will serve as the rendezvous point (RP) for multicast transmission. Sources send their traffic to the RP. This traffic is then forwarded to receivers down a shared distribution tree.


GRE Modes Page > DMVPN Policy

Table G-23 describes the elements on the GRE Modes page for configuring a DMVPN policy.

Table G-23 GRE Modes Page > DMVPN Policy 

Element
Description

Routing Parameters Tab

Routing Protocol

Select the required dynamic routing protocol, or static route, to be used in the DMVPN tunnel.

Options include the EIGRP, OSPF, and RIPv2 dynamic routing protocols, and GRE static routes. On-Demand Routing (ODR) is also supported. On-Demand Routing is not a routing protocol; it can be used in a hub-and-spoke VPN topology when the spoke routers connect to no router other than the hub. If you are running dynamic protocols, On-Demand Routing is not suitable for your network environment.

For more information, see Understanding GRE, page 10-65.

AS Number

Available only if you selected the EIGRP routing protocol.

The number that is used to identify the autonomous system (AS) area to which the EIGRP packet belongs. The range is 1-65535. The default is 110.

An autonomous system (AS) is a collection of networks that share a common routing strategy. An AS can be divided into a number of areas, which are groups of contiguous networks and attached hosts. Routers with multiple interfaces can participate in multiple areas. An AS ID identifies the area to which the packet belongs. All EIGRP packets are associated with a single area, so all devices must have the same AS number.

Process Number

Available only if you selected the OSPF routing protocol.

The routing process ID number that will be used to identify the secured IGP that Security Manager adds when configuring DMVPN.

The valid range for either protocol is 1-65535. The default is 110.

Hello Interval

Available only if you selected the EIGRP routing protocol.

The interval between hello packets sent on the interface, from 1 to 65535 seconds. The default is 5 seconds.

Hold Time

Available only if you selected the EIGRP routing protocol.

The number of seconds the router will wait to receive a hello message before invalidating the connection. The range is 1-65535. The default hold time is 15 seconds (three times the hello interval).

Delay

Available only if you selected the EIGRP routing protocol.

The throughput delay for the primary route interface, in microseconds. The range of the tunnel delay time is 1-16777215. The default is 1000.

Hub Network Area ID

Available only if you selected the OSPF routing protocol.

The ID number of the area in which the hub's protected networks will be advertised, including the tunnel subnet. You can enter any number. The default is 0.

Spoke Protected Network Area ID

Available only if you selected the OSPF routing protocol.

The ID number of the area in which the remote protected networks will be advertised, including the tunnel subnet. You can enter any number. The default is 1.

Authentication

A string that indicates the OSPF authentication key. The string can be up to eight characters long.

Cost

Available if you selected the OSPF or RIPv2 routing protocol.

The cost of sending a packet on the primary route interface.

If the selected protocol is OSPF, enter a value in the range 1-65535; the default is 100.

If the selected protocol is RIPv2, enter a value in the range 1-15; the default is 1.

Allow Direct Spoke to Spoke Connectivity

When selected, enables direct communication between spokes, without going through the hub.

Note With direct spoke-to-spoke communication, you must use the Main Mode Address option for preshared key negotiation. For more information, see Understanding Preshared Key Policies, page 10-58.

Filter Dynamic Updates On Spokes

Unavailable if you are using On-Demand Routing or a static route for your DMVPN tunnel.

When selected, enables the creation of a redistribution list that filters all dynamic routing updates (EIGRP, OSPF, and RIPv2) on spokes. This forces the spoke devices to advertise (populate on the hub device) only their own protected subnets and not other IP addresses.

Tunnel Parameters Tab

Tunnel IP Range

The IP range of the inside tunnel interface IP address, including the unique subnet mask.

Note If CSM detects that a tunnel interface IP address already exists on the device, and its IP address matches the tunnel's IP subnet field, it will use that interface as the GRE tunnel.

Dial Backup Tunnel IP Range

If you are configuring a dial backup interface, enter its inside tunnel interface IP address, including the unique subnet mask.

Server Load Balance

When selected, enables the configuration of load balancing on a Cisco IOS router that serves as a hub in a multiple-hub configuration.

Server load balancing optimizes performance in a multiple-hub configuration by sharing the workload. In this configuration, the DMVPN server hubs share the same tunnel IP and source IP addresses, so that they appear to the spokes in a VPN topology as a single device.

Enable IP Multicast

When selected, enables multicast transmissions across your GRE tunnels.

IP multicast delivers application source traffic to multiple receivers without burdening the source or the receivers, while using a minimum of network bandwidth.

Rendezvous Point

Only available if you selected the Enable IP Multicast check box.

If required, you can enter the IP address of the interface that will serve as the rendezvous point (RP) for multicast transmission. Sources send their traffic to the RP. This traffic is then forwarded to receivers down a shared distribution tree.

Tunnel Key

A number that identifies the tunnel key. The default is 1.

The tunnel key differentiates between different multipoint GRE (mGRE) tunnel Non-Broadcast Multi-Access (NBMA) networks. All mGRE interfaces in the same NBMA network must use the same tunnel key value. If there are two mGRE interfaces on the same router, they must have different tunnel key values.

Note To view the newly created tunnel interfaces in the Router Interfaces page, you must rediscover the device inventory details after successfully deploying the VPN to the device. For more information, see Basic Interface Settings on Cisco IOS Routers, page 14-14.

NHRP Parameters

Network ID

All Next Hop Resolution Protocol (NHRP) stations within one logical Non-Broadcast Multi-Access (NBMA) network must be configured with the same network identifier. Enter a globally unique, 32-bit network identifier within the range of 1 to 4294967295.

Hold Time

The time, in seconds, that routers will keep information provided in authoritative NHRP responses. The cached IP-to-NBMA address mapping entries are discarded after the hold time expires.

The default is 300 seconds.

Authentication

An authentication string that controls whether the source and destination NHRP stations allow intercommunication. All routers within the same network using NHRP must share the same authentication string. The string can be up to eight characters long.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.
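The Tunnel Key and NHRP Parameters fields above impose rules that a deployed DMVPN must satisfy as a whole: one tunnel key and one NHRP authentication string per NBMA network, distinct tunnel keys for two mGRE interfaces on one router, and the stated value ranges. The following is an added example, not part of this guide or of Security Manager, that checks those rules over IOS-style configuration text; the device names and values are constructed, and grouping interfaces into an NBMA network by their NHRP network ID is an assumption of the example.

```python
# Added example: consistency check for DMVPN tunnel key and NHRP parameters.
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample configurations (hypothetical devices); spoke2 is deliberately wrong.
SAMPLE_CONFIGS = {
    "hub1": """
interface Tunnel0
 ip nhrp authentication dmvpnkey
 ip nhrp network-id 100
 tunnel mode gre multipoint
 tunnel key 1
""",
    "spoke2": """
interface Tunnel0
 ip nhrp authentication dmvpnkex
 ip nhrp network-id 100
 tunnel mode gre multipoint
 tunnel key 2
interface Tunnel1
 ip nhrp authentication dmvpnkey
 ip nhrp network-id 200
 tunnel mode gre multipoint
 tunnel key 2
""",
}

NETWORK_ID_MAX = 4294967295  # 32-bit NHRP network identifier, valid range 1-4294967295
AUTH_MAX_LEN = 8             # NHRP authentication string limit from the reference


@dataclass
class MgreTunnel:
    device: str
    name: str
    multipoint: bool = False
    tunnel_key: Optional[int] = None
    network_id: Optional[int] = None
    auth: Optional[str] = None


def parse_mgre_tunnels(device: str, config: str) -> List[MgreTunnel]:
    """Return the interfaces configured as tunnel mode gre multipoint."""
    tunnels: List[MgreTunnel] = []
    current: Optional[MgreTunnel] = None
    for raw in config.splitlines():
        if not raw.startswith(" "):  # a top-level line starts or ends a stanza
            match = re.fullmatch(r"interface (Tunnel\d+)\s*", raw)
            current = MgreTunnel(device, match.group(1)) if match else None
            if current is not None:
                tunnels.append(current)
            continue
        if current is None:
            continue
        cmd = raw.strip()
        if cmd == "tunnel mode gre multipoint":
            current.multipoint = True
        elif (m := re.fullmatch(r"tunnel key (\d+)", cmd)):
            current.tunnel_key = int(m.group(1))
        elif (m := re.fullmatch(r"ip nhrp network-id (\d+)", cmd)):
            current.network_id = int(m.group(1))
        elif (m := re.fullmatch(r"ip nhrp authentication (\S+)", cmd)):
            current.auth = m.group(1)
    return [t for t in tunnels if t.multipoint]


def check_dmvpn_consistency(configs: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Rules from the reference: distinct keys per router; one key and one
    authentication string per NBMA network (grouped by NHRP network ID); valid ranges."""
    findings = []
    by_network: Dict[int, List[MgreTunnel]] = defaultdict(list)
    for device, text in configs.items():
        keys_seen: Dict[int, str] = {}
        for t in parse_mgre_tunnels(device, text):
            where = f"{device} {t.name}"
            if t.network_id is not None and not 1 <= t.network_id <= NETWORK_ID_MAX:
                findings.append(("NETWORK_ID_RANGE", where, f"network-id {t.network_id} out of range"))
            if t.auth is not None and len(t.auth) > AUTH_MAX_LEN:
                findings.append(("AUTH_TOO_LONG", where, "authentication string exceeds 8 characters"))
            if t.tunnel_key in keys_seen:  # two mGRE interfaces on one router need distinct keys
                findings.append(("DUP_KEY_ON_ROUTER", device,
                                 f"{keys_seen[t.tunnel_key]} and {t.name} share tunnel key {t.tunnel_key}"))
            elif t.tunnel_key is not None:
                keys_seen[t.tunnel_key] = t.name
            if t.network_id is not None:
                by_network[t.network_id].append(t)
    for nid, members in sorted(by_network.items()):
        if len({t.tunnel_key for t in members}) > 1:
            findings.append(("KEY_MISMATCH", f"network-id {nid}", "tunnel keys differ across members"))
        if len({t.auth for t in members}) > 1:
            findings.append(("AUTH_MISMATCH", f"network-id {nid}", "NHRP authentication strings differ"))
    return findings
```

Running `check_dmvpn_consistency(SAMPLE_CONFIGS)` reports the duplicate key on spoke2 and the key and authentication mismatches on network-id 100; hub1 alone produces no findings.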


Server Load Balance Page

Use the Server Load Balance page to view or edit the server load balance policy configured on the IPsec Terminators in a large scale DMVPN. Server load balancing optimizes performance in multiple hub-and-spoke VPN topologies, by sharing the workload. In large scale DMVPN configurations, the IPsec Terminators perform the traffic load balancing.

For more information, see Configuring Large Scale DMVPNs, page 10-74.

The Server Load Balance page contains a scrollable table displaying the server load balance parameters for each hub that is connected to an IPsec Terminator. By clicking the arrow displayed alongside any table heading, you can switch the order of the list to display from ascending to descending order, and vice versa. You can also filter the table contents using the filter controls above it to display only rows that match the criteria that you specify (see Filtering Tables, page 3-17).

Navigation Path

Open the Site-to-Site VPN Manager Window, in the VPNs selector select a hub-and-spoke topology on which large scale DMVPN is configured, then select Server Load Balance in the Policies selector.

You can also open the Server Load Balance page from Policy view. For more information, see Managing Shared Site-to-Site VPN Policies in Policy View, page 10-46.

Related Topics

Configuring Large Scale DMVPNs, page 10-74

Field Reference

Table G-24 Server Load Balance Page 

Element
Description

Hub

The name of the hub connected to the IPsec Terminator.

Weight

The capacity of the hub relative to other hubs connected to the IPsec Terminator.

A weighted round robin (WRR) scheduling algorithm is used to control the bandwidth allocated to output transmission queues. Weighting is based on the amount of bandwidth used by each transmit queue on an interface. Packets from queues with higher capacity are transmitted more often than those from queues with less capacity.

Max Connections

The maximum number of active connections to the IPsec Terminator permitted to the hub.

Edit button

Click to open the Edit Load Balancing Parameters Dialog Box, in which you can modify the parameters of a selected load balancing policy.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Edit Load Balancing Parameters Dialog Box

In the Edit Load Balancing Parameters dialog box, you can edit the server load balance parameters configured on a hub that is connected to an IPsec Terminator in a large scale DMVPN.

Navigation Path

Open the Server Load Balance Page, select an entry in the table and click Edit.

Related Topics

Server Load Balance Page

Configuring Large Scale DMVPNs, page 10-74

Field Reference

Table G-25 Edit Load Balancing Parameters Dialog Box 

Element
Description

Weight

Specify the capacity of the hub relative to other hubs connected to the IPsec Terminator, based on the weighted round robin (WRR) scheduling algorithm.

You can enter a value between 1 and 255.

Max Connections

Specify the maximum number of active connections to the IPsec Terminator that are permitted to the hub.

You can enter a value between 1 and 65535. The default is 500.
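The reference names weighted round robin (WRR) but does not show how the Weight and Max Connections fields interact. The following is an added illustrative model, not the IPsec Terminator's implementation: it assumes the smooth WRR variant, and shows how weight sets a hub's share of new connections and how a hub that reaches its Max Connections cap drops out of rotation. Hub names and values are constructed.

```python
# Added example: model of weighted round robin hub selection with per-hub connection caps.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Hub:
    name: str
    weight: int            # Weight field: 1-255, capacity relative to the other hubs
    max_connections: int   # Max Connections field: 1-65535 (default 500)
    active: int = 0        # connections currently assigned to this hub

    def validate(self) -> None:
        if not 1 <= self.weight <= 255:
            raise ValueError(f"{self.name}: weight must be 1-255")
        if not 1 <= self.max_connections <= 65535:
            raise ValueError(f"{self.name}: max connections must be 1-65535")


class WeightedRoundRobin:
    """Smooth weighted round robin (assumed variant): each pick adds every eligible
    hub's weight to its counter, selects the highest counter, then subtracts the
    eligible total from it, so over a cycle each hub is chosen in proportion to weight."""

    def __init__(self, hubs: List[Hub]) -> None:
        for hub in hubs:
            hub.validate()
        self.hubs = hubs
        self.counter: Dict[str, int] = {hub.name: 0 for hub in hubs}

    def pick(self) -> Optional[Hub]:
        # Hubs at their Max Connections limit are skipped; None means every hub is full.
        eligible = [h for h in self.hubs if h.active < h.max_connections]
        if not eligible:
            return None
        total = sum(h.weight for h in eligible)
        for h in eligible:
            self.counter[h.name] += h.weight
        chosen = max(eligible, key=lambda h: self.counter[h.name])
        self.counter[chosen.name] -= total
        chosen.active += 1
        return chosen


def distribute(hubs: List[Hub], connections: int) -> Dict[str, int]:
    """Assign a burst of new spoke connections and return the per-hub counts."""
    scheduler = WeightedRoundRobin(hubs)
    counts = {hub.name: 0 for hub in hubs}
    for _ in range(connections):
        hub = scheduler.pick()
        if hub is None:  # all hubs at their cap; the remaining connections are refused
            break
        counts[hub.name] += 1
    return counts


if __name__ == "__main__":
    # Constructed hubs: hub-a is weighted three times as capable as hub-b.
    print(distribute([Hub("hub-a", 3, 500), Hub("hub-b", 1, 500)], 40))
```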


Easy VPN IPsec Proposal Page

Use the Easy VPN IPsec Proposal page to create or edit the IPsec policy definitions for your Easy VPN server, including the configuration of Dynamic VTI. For more information, see Configuring an IPsec Proposal for Easy VPN, page 10-79.


Note This topic describes the IPsec Proposal page when the assigned technology is Easy VPN. For a description of the IPsec Proposal page when the assigned technology is Regular IPsec, IPsec/GRE, GRE Dynamic IP, or DMVPN, see IPsec Proposal Page.


The following tabs are available on the Easy VPN IPsec Proposal page:

Easy VPN IPsec Proposal Tab

Dynamic VTI Tab

Navigation Path

Open the Site-to-Site VPN Manager Window, select a topology in the VPNs selector, then select Easy VPN IPsec Proposal in the Policies selector.

You can also open the Easy VPN IPsec Proposal page from Policy view. For more information, see Managing Shared Site-to-Site VPN Policies in Policy View, page 10-46.

Easy VPN IPsec Proposal Tab

Use the Easy VPN IPsec Proposal tab to create or edit the IPsec policy definitions for your Easy VPN server.

Navigation Path

The Easy VPN IPsec Proposal tab appears when you open the Easy VPN IPsec Proposal Page.

Related Topics

Understanding Easy VPN, page 10-75

Configuring an IPsec Proposal for Easy VPN, page 10-79

Understanding AAA Server Group Objects, page 9-10

Field Reference

Table G-26 Easy VPN IPsec Proposal Tab 

Element
Description

Transform Sets

The transform set(s) to be used for your tunnel policy. Transform sets specify which authentication and encryption algorithms will be used to secure the traffic in the tunnel. You can select up to six transform sets.

Transform sets may use only tunnel mode IPsec operation.

Note If more than one of your selected transform sets is supported by both peers, the transform set that provides the highest security will be used.

A default transform set is displayed. If you want to use a different transform set, or select additional transform sets, click Select to open a dialog box that lists all available transform sets, and in which you can create transform set objects. For more information, see Creating IPsec Transform Set Objects, page 9-66.

For more information, see About Transform Sets, page 10-51.

Reverse Route

Supported on ASA devices, PIX 7.0 devices, and Cisco IOS routers except 7600 devices.

Reverse Route Injection (RRI) enables static routes to be automatically inserted into the routing process for those networks and hosts protected by a remote tunnel endpoint. For more information, see About Reverse Route Injection, page 10-52.

Select one of the following options to configure RRI on the crypto map:

None—To disable the configuration of RRI on the crypto map.

Standard—To create routes based on the destination information defined in the crypto map access control list (ACL). This is the default option.

Remote Peer—To create two routes, one for the remote endpoint and one for route recursion to the remote endpoint via the interface to which the crypto map is applied.

Remote Peer IP—To specify an interface or address as the explicit next hop to the remote VPN device. Then, click Select to open the Network/Hosts Selector, from which you can select the IP address of the remote peer to be used as the next hop.

Note You can select the Allow Value Override per Device check box to override the default route, if required.

Enable Network Address Translation

Supported on PIX 7.0 and ASA devices.

When selected, enables you to configure Network Address Translation (NAT) on a device.

NAT enables devices that use internal IP addresses to send and receive data through the Internet. Private NAT addresses are converted to globally routable IP addresses when they try to access data on the Internet.

For more information, see Understanding NAT, page 10-55.

Group Policy Lookup/AAA Authorization Method

Supported on Cisco IOS routers only.

The AAA authorization method list that will be used to define the order in which the group policies are searched. Group policies can be configured either on the local server or on an external AAA server.

You can click Select to open a dialog box that lists all available AAA group servers, and in which you can create AAA group server objects.

User Authentication (Xauth)/AAA Authentication Method

Supported on Cisco IOS routers only.

The AAA or Xauth user authentication method used to define the order in which user accounts are searched.

Xauth allows all Cisco IOS software AAA authentication methods to perform user authentication in a separate phase after the IKE authentication phase 1 exchange. The AAA configuration list-name must match the Xauth configuration list-name for user authentication to occur.

For more information about defining user accounts, see Defining Accounts and Credential Policies, page 14-51.

You can click Select to open a dialog box that lists all available AAA group servers from which you can make your selection, and in which you can create additional AAA group server objects.


Dynamic VTI Tab

Use the Dynamic VTI tab to configure a dynamic virtual interface on a device in a hub-and-spoke Easy VPN topology. For more information, see the section on Easy VPN with Dynamic Virtual Tunnel Interfaces.


Note Dynamic VTI can be configured only on IOS routers running IOS version 12.4(2)T and later, except 7600 devices.


Navigation Path

Open the Easy VPN IPsec Proposal Page, then click the Dynamic VTI tab.

Related Topics

Understanding Easy VPN, page 10-75

Configuring an IPsec Proposal for Easy VPN, page 10-79

Field Reference

Table G-27 Dynamic VTI Tab 

Element
Description

Enable Dynamic VTI

When selected, enables Security Manager to implicitly create a dynamic virtual template interface on the device.

Note If the device is a hub server that does not support Dynamic VTI, a warning message is displayed, and a crypto map is deployed without dynamic VTI. In the case of a client device, an error message is displayed.

Specify Virtual Template IP

Note Virtual Template IPs are configured only on IOS router hubs. You do not need to specify a virtual template IP address on client devices in an Easy VPN topology.

If you are configuring Dynamic VTI on a hub in the topology, specify the IP address that will be used as the virtual template interface from these options:

Use Subnet—To use the IP address taken from a pool of addresses. Then, in the Subnet field, enter the private IP address including the unique subnet mask, for example 10.1.1.0/24.

If required, click Select to open the Network/Hosts selector in which you can select a network from which the IP address will be allocated.

Use Loopback Interface—To use the IP address taken from an existing loopback interface. Then, in the Role field, enter the interface, or click Select to select it from the list of interface roles provided.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


User Group Policy Page

Use the User Group Policy page to create or edit a user group policy on your Easy VPN server. An Easy VPN user group policy can be configured on a Cisco IOS security router, PIX 6.3 Firewall, or Catalyst 6500/7600 device.


Note You can also configure user group policies in remote access VPNs.


Navigation Path

Open the Site-to-Site VPN Manager Window, select a topology in the VPNs selector, then select User Group Policy in the Policies selector.

You can also open the User Group Policy page from Policy view. For more information, see Managing Shared Site-to-Site VPN Policies in Policy View, page 10-46.

Related Topics

Understanding Easy VPN, page 10-75

Configuring a User Group Policy for Easy VPN, page 10-80

Understanding User Group Objects, page 9-111

Creating User Group Objects, page 9-111

Field Reference

Table G-28 Easy VPN Server > User Group Policy Page 

Element
Description

Available User Groups

Lists the predefined user groups available for selection.

Select the required user group if you want to replace the default one in the Selected field.

User groups are predefined objects. If the required user group is not included in the list, click Create to open the User Groups Editor dialog box that enables you to create or edit a user group object.

Selected

Displays the selected user group.

To remove the selected user group, select a different one.

Note You cannot edit the selected user group because it is a predefined object. You can only edit the properties of an object you create.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Tunnel Group Policy (PIX 7.0/ASA) Page

Use the Tunnel Group Policy (PIX 7.0/ASA) page to create or edit tunnel group policies on your Easy VPN server. An Easy VPN tunnel group policy can be configured only on PIX Firewalls running version 7.0, and ASA devices.


Note You can also configure tunnel group policies in remote access VPNs.


The following tabs are available on the Tunnel Group Policy (PIX 7.0/ASA) page:

Tunnel Group Policy > General Tab

Tunnel Group Policy > IPsec Tab

Tunnel Group Policy > Advanced Tab

Tunnel Group Policy > Client VPN Software Update Tab

Navigation Path

Open the Site-to-Site VPN Manager Window, select a topology in the VPNs selector, then select Tunnel Group Policy (PIX 7.0/ASA) in the Policies selector.

You can also open the Tunnel Group Policy (PIX 7.0/ASA) page from Policy view. For more information, see Working with Site-to-Site VPN Policies, page 10-45.

Related Topics

Configuring a Tunnel Group Policy for Easy VPN, page 10-81

Understanding Easy VPN, page 10-75

Tunnel Group Policy > General Tab

Use the General tab of the Tunnel Group Policy (PIX 7.0/ASA) page to specify the global AAA settings for your tunnel group. On this tab you can also select the method (or methods) of address assignment to use.

Navigation Path

The General tab appears when you open the Tunnel Group Policy (PIX 7.0/ASA) Page. You can also open it by clicking the General tab from any other tab on the Tunnel Group Policy (PIX 7.0/ASA) page.

Related Topics

Tunnel Group Policy (PIX 7.0/ASA) Page

Configuring a Tunnel Group Policy for Easy VPN, page 10-81

Understanding ASA User Group Objects, page 9-31

Understanding AAA Server Group Objects, page 9-10

Creating Network/Host Objects, page 9-71

Field Reference

Table G-29 Easy VPN Server > Tunnel Group Policy (PIX 7.0/ASA) Page > General Tab 

Element
Description

Tunnel Group Name

The name of the tunnel group that contains the policies for this IPsec connection.

Group Policy

The group policy to be applied to the tunnel group. A group policy is a collection of user-oriented attribute/value pairs stored either internally on the device or externally on a RADIUS/LDAP server.

Click Select to open a dialog box that lists all available ASA group policies, and in which you can create an ASA group policy object.

AAA

Authentication Server Group

The name of the authentication server group (LOCAL if the tunnel group is configured on the local device).

You can click Select to open a dialog box that lists all available AAA server groups, and in which you can create AAA server group objects.

Note If you want to set the authentication server group per interface, click the Advanced tab.

If an AAA server with SDI protocol is selected, RADIUS SDI authentication is enabled. For more information, see Configuring a Tunnel Group Policy for Easy VPN, page 10-81.

Use LOCAL if Server Group fails

Available if you selected LOCAL for the authentication server group.

When selected, enables fallback to the local database for authentication if the selected authentication server group fails.

Authorization Server Group

The name of the authorization server group (LOCAL if the tunnel group is configured on the local device).

You can click Select to open a dialog box that lists all available AAA server groups, and in which you can create AAA server group objects.

User must exist in the authorization database to connect

When selected, specifies that the username of the remote client must exist in the database so a successful connection can be established. If the username does not exist in the authorization database, then the connection is denied.

Accounting Server Group

The name of the accounting server group (LOCAL if the tunnel group is configured on the local device).

You can click Select to open a dialog box that lists all available AAA server groups, and in which you can create AAA server group objects.

Strip Realm from Username

When selected, removes the realm from the username before passing the username on to the AAA server. A realm is an administrative domain. Enabling this option allows the authentication to be based on the username alone.

You must select this check box if your server cannot parse delimiters.

Strip Group from Username

When selected, removes the group name from the username before passing the username on to the AAA server. Enabling this option allows the authentication to be based on the username alone.

You must select this check box if your server cannot parse delimiters.

Client Address Assignment

DHCP Server

The DHCP servers to be used for client address assignments. The server uses the DHCP servers in the order listed. You can add up to 10 servers.

A default DHCP server is displayed. DHCP servers are predefined network objects. If you want to use a different DHCP server, or select additional DHCP servers, click Select to open the Network/Hosts selector that lists all available network hosts, and in which you can create network host objects.

Address Pools

The address pools from which IP addresses will be assigned. The server uses these pools in the order listed. If all addresses in the first pool have been assigned, it uses the next pool, and so on. You can specify up to 6 pools.

A default address pool is displayed. Address pools are predefined network objects. If you want to use a different address pool, or select additional address pools, click Select to open the Network/Hosts selector that lists all available network hosts, and in which you can create network host objects.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Tunnel Group Policy > IPsec Tab

Use the IPsec tab of the Tunnel Group Policy (PIX 7.0/ASA) page to specify IPsec and IKE parameters for the tunnel group policy.

Navigation Path

Open the Tunnel Group Policy (PIX 7.0/ASA) Page, then click the IPsec tab. You can also open the IPsec tab by clicking it from any other tab on the Tunnel Group Policy (PIX 7.0/ASA) page.

Related Topics

Tunnel Group Policy (PIX 7.0/ASA) Page

Configuring a Tunnel Group Policy for Easy VPN, page 10-81

Field Reference

Table G-30 Easy VPN Server > Tunnel Group Policy (PIX 7.0/ASA) Page > IPsec Tab 

Element
Description

Preshared Key

The value of the preshared key for the tunnel group. The maximum length of a preshared key is 127 characters.

Trustpoint Name

The trustpoint name if any trustpoints are configured. A trustpoint represents a CA/identity pair and contains the identity of the CA, CA-specific configuration parameters, and an association with one enrolled identity certificate.

IKE Peer ID Validation

Select whether IKE peer ID validation is ignored, required, or checked only if supported by a certificate. During IKE negotiations, peers must identify themselves to one another.

Enable Sending Certificate Chain

When selected, enables the sending of the certificate chain for authorization. A certificate chain includes the root CA certificate, identity certificate, and key pair.

Enable Password Update with RADIUS Authentication

When selected, enables passwords to be updated with the RADIUS authentication protocol.

For more information, see Supported AAA Server Types, page 9-16.

ISAKMP Keepalive

Monitor Keepalive

When selected, enables you to configure IKE keepalive as the default failover and routing mechanism.

For more information, see Understanding ISAKMP/IPsec Settings, page 10-55.

Confidence Interval

The number of seconds that a device waits between sending IKE keepalive packets.

Retry Interval

The number of seconds a device waits between attempts to establish an IKE connection with the remote peer. The default is 2 seconds.

Authorization Settings

Use Entire DN as the Username

Select to use the entire Distinguished Name (DN) as the identifier for the username.

A distinguished name (DN) is a unique identification, made up of individual fields, that can be used as the identifier when matching users to a tunnel group. DN rules are used for enhanced certificate authentication on PIX Firewalls and ASA devices.

Specify Individual DN fields as the Username

Select to use individual DN fields as the username when matching users to the tunnel group.

The DN in a certificate is made up of individual fields, any of which can be used as the identifier when matching users to tunnel groups.

Primary DN field

Available if you selected to use individual DN fields as the username.

Select the primary DN field identifier to be used for identification from the list.

Secondary DN field

Available if you selected to use individual DN fields as the username.

Select the secondary DN field identifier to be used for identification. Select None if no secondary field identifier is required.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Tunnel Group Policy > Advanced Tab

Use the Advanced tab of the Tunnel Group Policy (PIX 7.0/ASA) page to specify interface-specific information for your tunnel group.

Navigation Path

Open the Tunnel Group Policy (PIX 7.0/ASA) Page, then click the Advanced tab. You can also open the Advanced tab by clicking it from any other tab on the Tunnel Group Policy (PIX 7.0/ASA) page.

Related Topics

Tunnel Group Policy (PIX 7.0/ASA) Page

Configuring a Tunnel Group Policy for Easy VPN, page 10-81

Creating Interface Role Objects, page 9-62

Creating AAA Server Group Objects, page 9-13

Creating Network/Host Objects, page 9-71

Field Reference

Table G-31 Easy VPN Server > Tunnel Group Policy (PIX 7.0/ASA) Page > Advanced Tab 

Element
Description

Interface-Specific Authentication Server Groups

Interface Role

The interface role to be associated with the authentication server group.

You can click Select to open a dialog box that lists all available interfaces, and sets of interfaces defined by interface roles, in which you can make your selection, or create interface role objects.

Server Group

The server group to be associated with the selected interface role.

You can click Select to open a dialog box that lists all available AAA server groups, and in which you can create AAA server group objects.

Use LOCAL if Server Group fails

When selected, enables fallback to the LOCAL database if the selected server group fails.

Add >> button

Click to add the specified interface role and server group to the list.

Remove button

Click to remove an associated interface role and server group from the list.

Interface-Specific Client Address Pools

Interface Role

The interface role to assign a client address to.

You can click Select to open a dialog box that lists all available interfaces, and sets of interfaces defined by interface roles, in which you can make your selection, or create interface role objects.

Address Pool

The address pool from which client addresses are assigned on the selected interface.

Address pools are predefined network objects. You can click Select to open a dialog box that lists all available network hosts, and in which you can create or edit network host objects.

Add >> button

Click to add the specified interface role and address pool to the list.

Remove button

Click to remove an associated interface role and address pool from the list.


Tunnel Group Policy > Client VPN Software Update Tab

Use the Client VPN Software Update tab of the Tunnel Group Policy (PIX 7.0/ASA) page to view or edit the client type, VPN Client revisions, and image URL for each client VPN software package installed.

Navigation Path

Open the Tunnel Group Policy (PIX 7.0/ASA) Page, then click the Client VPN Software Update tab. You can also open the Client VPN Software Update tab by clicking it from any other tab on the Tunnel Group Policy (PIX 7.0/ASA) page.

Related Topics

Tunnel Group Policy (PIX 7.0/ASA) Page

Configuring a Tunnel Group Policy for Easy VPN, page 10-81

Field Reference

Table G-32 Easy VPN Server > Tunnel Group Policy (PIX 7.0/ASA) Page > Client VPN Software Update Tab 

Element
Description

Windows Configuration

All Windows Platforms

When selected, enables you to configure the specific revision level and URL of the VPN client on all Windows platforms.

Then enter the appropriate information in the fields provided.

Various Windows Platforms

When selected, enables you to configure the specific revision level and URL of the VPN client separately for Windows 95/98/ME and for Windows NT 4.0/2000/XP platforms.

Then enter the appropriate information in the fields provided.

VPN3002 Hardware Client

VPN Client Revisions

The specific revision level of the VPN3002 client.

Image URL

The specific URL of the VPN3002 client software image.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.
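The two tables above (Table G-31 and Table G-32) describe GUI fields; what actually lands on the firewall is tunnel-group CLI. The following is an added example, not text or code from the Security Manager guide, showing the ASA configuration that the Advanced tab and the Client VPN Software Update tab correspond to. The tunnel group name, server group name, pool name, addresses, revision numbers and URLs are hypothetical placeholders. Two points to keep in mind when you turn these options on: the LOCAL fallback applies only when no server in the group answers (a rejected login is not a fallback), and while it is in effect every account in the appliance's local user database can log in, so keep that database to the minimum. The image URL is handed to every connecting client as the place to fetch a new installer, so it should point at an HTTPS server you control.

```cisco
! Added example (not from the Security Manager guide): ASA 7.x CLI behind the
! Advanced and Client VPN Software Update tabs. All names/addresses are hypothetical.
!
! AAA server group selected in "Interface-Specific Authentication Server Groups".
aaa-server BRANCH-RADIUS protocol radius
aaa-server BRANCH-RADIUS (inside) host 192.0.2.10
 key <radius-shared-secret>
!
! Address pool selected in "Interface-Specific Client Address Pools".
ip local pool OUTSIDE-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
!
! Global switch; without it the per-tunnel-group client-update lines do nothing.
client-update enable
!
tunnel-group BRANCH-EZVPN type ipsec-ra
tunnel-group BRANCH-EZVPN general-attributes
 ! Interface Role "outside" + Server Group BRANCH-RADIUS + "Use LOCAL if server group fails"
 authentication-server-group (outside) BRANCH-RADIUS LOCAL
 ! Interface Role "outside" + Address Pool OUTSIDE-POOL
 address-pool (outside) OUTSIDE-POOL
tunnel-group BRANCH-EZVPN ipsec-attributes
 pre-shared-key <group-key>
 ! "All Windows Platforms": VPN Client Revisions 4.6.1,4.7.0 and the Image URL
 client-update type windows url https://vpnfiles.example.com/vpnclient-win-4.7.0.exe rev-nums 4.6.1,4.7.0
 ! "VPN3002 Hardware Client": VPN Client Revisions 4.7.0 and the Image URL
 client-update type vpn3002 url tftp://192.0.2.20/vpn3002-4.7.0.bin rev-nums 4.7.0
```

After deploying from Security Manager, compare `show running-config tunnel-group BRANCH-EZVPN` against the two tabs; a missing `LOCAL` keyword or a stale `rev-nums` list is the usual sign that a change was saved but never submitted.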


Client Connection Characteristics Page

Use the Client Connection Characteristics page to specify how traffic will be routed in the VPN and how the VPN tunnel will be established. You configure these characteristics on a remote client, which may be a PIX Firewall, a Cisco 800-3800 Series router, or an ASA 5505 running OS version 7.2(1) or later.

Navigation Path

Open the Site-to-Site VPN Manager Window, select an Easy VPN topology in the VPNs selector, then select Client Connection Characteristics in the Policies selector.

You can also open the Client Connection Characteristics page from Policy view. For more information, see Managing Shared Site-to-Site VPN Policies in Policy View, page 10-46.

Related Topics

Understanding Easy VPN, page 10-75

Configuring Client Connection Characteristics for Easy VPN, page 10-83

Creating Access Control List Objects, page 9-20

Field Reference

Table G-33 Easy VPN Remote > Client Connection Characteristics Page 

Element
Description

Mode

Select the required configuration mode for your remote device, as follows:

Client—Specifies that all traffic from the remote client's inside network undergoes Port Address Translation (PAT) to a single IP address that the head-end server assigns to the device at connect time.

Network Extension—Specifies that PCs and other hosts at the client end of the VPN tunnel are given IP addresses that are fully routable and reachable by the destination network. PAT is not used, so the client PCs and hosts have direct access to the PCs and hosts at the destination network.

Network Extension Plus—An enhancement to Network Extension mode, that enables an IP address that is received via mode configuration to be automatically assigned to an available loopback interface. The IPsec SAs for this IP address are automatically created by the Easy VPN client. The IP address is typically used for troubleshooting (using ping, Telnet, and Secure Shell).

Note Network Extension Plus mode can be configured only on IOS routers. If the selected client device is a PIX 6.3 or ASA 5505 running OS version 7.2(1), Network Extension mode will be configured.

For more information, see Configuring Client Connection Characteristics for Easy VPN, page 10-83.

Xauth Credentials Source

Select how you want to enter the Xauth credentials for user authentication when you establish a VPN connection with the server, as follows:

Device Stored Credentials (default)—The username and password are saved on the device itself in the device's configuration file to be used each time the tunnel is established.

Interactive Entered Credentials—Enables you to manually enter the username and password each time Xauth is requested, in a web browser window or from the command line interface.

For more information, see Configuring Client Connection Characteristics for Easy VPN, page 10-83.

Xauth Credentials

Available only if you selected Device Stored Credentials as the Xauth Credentials Source.

Displays the default Xauth credentials.

Xauth Credentials are predefined objects. If required, click Select to open the Credentials Selector in which you can select different Xauth credentials, and from which you can create or edit Credential objects.

Note If you want to configure different Xauth credentials on your remote client, you must override the default one by selecting the Allow Value Override per Device check box in the Add/Edit Xauth Credentials dialog box.

For more information, see Understanding Credential Objects, page 9-35.

User Authentication Method (IOS)

Available only if the remote device is an IOS router, and if you selected the Interactive Entered Credentials option for the Xauth credentials source.

Select one of these ways to enter the Xauth username and password interactively each time Xauth authentication is requested:

Web Browser (default)—Manually in a web browser window (http page).

Router Console—Manually from the command line interface (CLI).

Tunnel Activation (IOS)

If the remote device is an IOS router, and if you selected the Device Stored Credentials option as the Xauth credentials source, you must select a tunnel activation method, as follows:

Auto (default)—The Easy VPN tunnel is established automatically when the Easy VPN configuration is delivered to the device configuration file. If the tunnel times out or fails, the tunnel automatically reconnects and retries indefinitely.

Traffic Triggered Activation—The Easy VPN tunnel is established whenever outbound local (LAN side) traffic is detected. When using this option, you must specify the Access Control List (ACL) that defines the "interesting" traffic.

Traffic Triggered Activation is recommended for use when Easy VPN dial backup is configured so that backup is activated only when there is traffic to send across the tunnel.

Note Manual tunnel activation is configured implicitly when you select Interactive Entered Credentials as the Xauth credentials source.

ACL (IOS)

If you selected the Traffic Triggered Activation option for Tunnel Activation, you must configure an ACL-triggered tunnel by specifying the Access Control List (ACL) that defines the "interesting" traffic.

Click Select to open the Access Control Lists Selector from which you can select the required ACL, or create or edit an ACL object.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.
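Table G-33 maps onto the Easy VPN remote profile that Security Manager writes to an IOS router. The following is an added example, not text or code from the Security Manager guide, showing the IOS CLI that the Mode, Xauth Credentials Source, User Authentication Method, Tunnel Activation and ACL fields correspond to. The profile name, group name, peer address, ACL number, interfaces and networks are hypothetical placeholders. The Device Stored Credentials option is convenient for unattended branch routers, but as the table says the username and password live in the router's configuration file, so anyone who can read that file (show running-config, Config Archive, configuration backups) can read the Xauth credentials; use a dedicated account for each router and prefer Interactive Entered Credentials where an operator is available.

```cisco
! Added example (not from the Security Manager guide): IOS Easy VPN remote
! profile produced by the Client Connection Characteristics page.
! Profile, group, peer, ACL, interfaces and networks are hypothetical.
!
! "Interesting" traffic for Traffic Triggered Activation: branch LAN to campus.
access-list 101 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
!
crypto ipsec client ezvpn BRANCH-EZVPN
 peer 203.0.113.1
 group BRANCH key <group-preshared-key>
 ! Mode: Client -> "mode client"; Network Extension Plus -> "mode network-plus"
 mode network-extension
 ! Xauth Credentials Source = Device Stored Credentials (kept in the config file)
 username branch01 password <xauth-password>
 ! Tunnel Activation = Traffic Triggered Activation using ACL 101
 ! (Auto would be "connect auto")
 connect acl 101
!
! Interactive Entered Credentials instead: omit the username line and add one of
!  xauth userid mode http-intercept   (User Authentication Method = Web Browser)
!  xauth userid mode interactive      (User Authentication Method = Router Console)
! Manual tunnel activation is then configured, as the note above says.
!
interface FastEthernet0/0
 description WAN
 crypto ipsec client ezvpn BRANCH-EZVPN
!
interface FastEthernet0/1
 description Branch LAN
 crypto ipsec client ezvpn BRANCH-EZVPN inside
```

When you pair Traffic Triggered Activation with dial backup, keep the ACL tight: every line in it is a flow that can bring up the backup link, and a permit-any line defeats the point of the option.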


VPN Topologies Device View Page

Device view provides an easy way to view and edit the structure of your VPN topologies at the device level. Use this page to view the VPN topologies to which each device in the Security Manager inventory belongs, and if necessary, change its assignment to or from a VPN topology. From this page, you can also create and delete VPN topologies, edit the properties of a VPN topology, including its device selection, and edit its policies.

Navigation Path

1. Click the Device View button on the toolbar.

2. Select the device from the Device selector.

3. Select Site-to-Site VPN from the Policy selector.

Related Topics

Working with VPN Topologies, page 10-13

Creating a VPN Topology, page 10-14

Editing a VPN Topology, page 10-23

About Editing a VPN Topology, page 10-22

Managing VPN Devices in Device View, page 10-44

Working with Site-to-Site VPN Policies, page 10-45

Field Reference

Table G-34 VPN Topologies Device View Page 

Element
Description

Type

An icon that depicts the topology type.

Name

The unique name that identifies the VPN topology.

IPsec Technology

The IPsec technology assigned to the VPN topology.

Description

Any description defined for the VPN topology.

Edit VPN Policies button

Click to edit the VPN policies defined for a selected VPN topology. The VPN Summary page opens, displaying information about the VPN topology, including its defined policies.

To edit a policy, select it in the Policies selector. A page opens on which you can view or edit the parameters for the selected policy. See Site to Site VPN Policies.

Note You can also open the VPN Summary page by right-clicking the VPN topology in the table, and selecting the Edit VPN Policies option.

Create VPN Topology button

Opens the Create VPN wizard to create a VPN topology. See Create VPN Wizard.

Note You can also create a VPN topology by right-clicking in the table and selecting the Create VPN Topology option.

Edit VPN Topology button

Click to edit the properties of a selected VPN topology. The Edit VPN dialog box opens, displaying the Device Selection tab. See Device Selection Page.

Note You can also edit the properties of a VPN topology by double-clicking its row in the table, or right-clicking it and selecting the Edit VPN Topology option.

For more information, see About Editing a VPN Topology, page 10-22.

Delete VPN Topology button

Deletes a selected VPN topology. A dialog box opens asking you to confirm the deletion.

Note You can also delete a VPN topology by right-clicking it in the table and selecting the Delete VPN Topology option.

For more information, see Deleting a VPN Topology, page 10-26.


Discover VPN Policies Wizard

Security Manager allows you to import your existing VPN configurations so that they can be managed by Security Manager, without having to recreate them. You can do this using the Discover VPN Policies wizard.

The following pages describe the steps in the Discover VPN Policies wizard:

Discover VPN Policies Wizard—Name and Technology Page

Discover VPN Policies Wizard—Device Selection Page

Navigation Path

Select Policy > Discover VPN Policies in Device view.

Related Topics

Site-To-Site VPN Discovery, page 10-8

Prerequisites for VPN Discovery, page 10-9

VPN Discovery Rules, page 10-10

Discovering Site-to-Site VPNs, page 10-12

Rediscovering Site-to-Site VPNs, page 10-12

Discover VPN Policies Wizard—Name and Technology Page

Use the Name and Technology page of the Discover VPN Policies wizard to provide a name and description for the VPN, specify the topology type and IPsec technology of the VPN to be discovered, and specify whether you want to discover the VPN directly from the live devices in your network or from the Config Archive.

Navigation Path

Select Policy > Discover VPN Policies in Device view. The Discover VPN Policies wizard opens, displaying the Name and Technology page.

Related Topics

Discover VPN Policies Wizard

Discover VPN Policies Wizard—Device Selection Page

Site-To-Site VPN Discovery, page 10-8

Discovering Site-to-Site VPNs, page 10-12

Rediscovering Site-to-Site VPNs, page 10-12

Field Reference

Table G-35 Discover VPN Policies wizard > Name and Technology Page 

Element
Description

VPN Name

The name of the VPN being discovered.

Description

Any descriptive text or comments that you want to specify about the VPN.

Topology

The type of VPN that you want to discover—Hub and Spoke, Point to Point, or Full Mesh.

IPsec Technology

The IPsec technology assigned to the VPN—Regular IPsec, IPsec/GRE, GRE Dynamic IP (sub-technology), DMVPN, or Easy VPN.

Note If you selected IPsec/GRE, you must also specify the type, which may be Standard (for IPsec/GRE) or Spokes with Dynamic IP (to configure GRE Dynamic IP).

Discover From

You can either discover the VPN directly from the network or from Config Archive.

Network—Security Manager connects to all live devices to obtain the device configuration.

Config Archive—Discovery from Config Archive is recommended if you use configuration files. The most recent version of the device configuration in Config Archive is used for all devices.


Discover VPN Policies Wizard—Device Selection Page

Use the Device Selection page of the Discover VPN Policies wizard to specify the devices participating in the VPN being discovered, and their role in the VPN topology. The devices that are available for selection include only those that can be used for the selected VPN topology type, that support the IPsec technology type, and which you are authorized to view.

The contents of this page differ depending on the VPN topology type. For example, if the topology type is hub and spoke, the page allows you to specify the devices as hubs or spokes.

Navigation Path

Open the Discover VPN Policies Wizard—Name and Technology Page, then click Next.

Related Topics

Discover VPN Policies Wizard

Discover VPN Policies Wizard—Name and Technology Page

Site-To-Site VPN Discovery, page 10-8

Discovering Site-to-Site VPNs, page 10-12

Rediscovering Site-to-Site VPNs, page 10-12

About Selecting Devices in a VPN Topology, page 10-16

Field Reference

Table G-36 Discover VPN Policies wizard > Device Selection Page 

Element
Description

Available Devices

Lists all devices that can be included in your selected VPN topology, that support the IPsec technology type, and which you are authorized to view.

Note Clicking a device group selects all its devices.

Hubs

The devices that are hubs in your hub-and-spoke topology. In an Easy VPN topology, the selected devices are servers.

Note If multiple devices are selected, you must make sure that the required primary hub device appears first in the list. You can use the Up and Down buttons to change the order of the hubs in the list.

You need to select the primary hub only when there are two or more IPsec terminators. When there is only one IPsec terminator, regardless of how many hubs are connected to that IPsec terminator, it is not possible to designate one hub as the primary hub.

To remove devices from the list, select them and click <<.

Spokes

The devices that are spokes in your hub-and-spoke topology. In an Easy VPN topology, the selected devices are clients.

To remove devices from the list, select them and click <<.

Peer One/Peer Two

The devices that are peers in your point-to-point topology.

To remove the selected device from the Peer One/Peer Two field, click <<.

Selected Devices

The devices that participate in your full mesh topology.

To remove selected devices from the Selected Devices list, click <<.

Finish button

Saves your wizard definitions and closes the wizard.

The Discovery Status dialog box opens, allowing you to monitor the status of the VPN discovery task and view any relevant error or warning messages. See Viewing Policy Discovery Task Status, page 7-16.

Note When the process is complete, the Site-to-Site VPN Manager window opens, displaying summary information for the VPN that was discovered.


Rediscover VPN Policies Wizard

Security Manager allows you to rediscover the configurations of existing VPN topologies that are already managed with Security Manager, without having to recreate them. You can do this in the Rediscover VPN Policies wizard.


Note Only the configurations of device-specific policies, such as VPN interfaces and protected networks, and any High Availability (HA) policies that are configured on hubs, can be rediscovered. VPN global policies, such as IKE proposals or PKI enrollments, cannot be rediscovered.


The following pages describe the steps in the Rediscover VPN Policies wizard:

Rediscover VPN Policies Wizard—Name and Technology Page

Rediscover VPN Policies Wizard—Device Selection Page

Navigation Path

In the Site-to-Site VPN Manager window, right-click the VPN topology whose configurations you want to rediscover, and click Rediscover Peers.

Related Topics

Rediscovering Site-to-Site VPNs, page 10-12

Site-To-Site VPN Discovery, page 10-8

Prerequisites for VPN Discovery, page 10-9

VPN Discovery Rules, page 10-10

Discovering Site-to-Site VPNs, page 10-12

Rediscover VPN Policies Wizard—Name and Technology Page

Use the Name and Technology page of the Rediscover VPN Policies wizard to specify whether you want to rediscover the VPN directly from the live devices in your network or from the Config Archive.


Note You cannot change the topology type or IPsec technology.


Navigation Path

In the Site-to-Site VPN Manager window, right-click the VPN topology whose configurations you want to rediscover, and click Rediscover Peers. The Rediscover VPN Policies wizard opens, displaying the Name and Technology page.

Related Topics

Rediscover VPN Policies Wizard

Rediscover VPN Policies Wizard—Device Selection Page

Rediscovering Site-to-Site VPNs, page 10-12

Site-To-Site VPN Discovery, page 10-8

Discovering Site-to-Site VPNs, page 10-12

Field Reference

Table G-37 Rediscover VPN Policies wizard > Name and Technology Page 

Element
Description

VPN Name

The name of the VPN whose policies will be rediscovered.

Note You cannot edit this VPN name.

Description

Any descriptive text or comments that you want to add about the VPN.

Discover From

Specify whether you want to rediscover the VPN policies directly from the network or from the Config Archive.

Note Only device-specific VPN policies can be rediscovered.

Network—When selected, Security Manager connects to all live devices to obtain the device configuration.

Config Archive—When selected, the most recent version of the device configuration in Config Archive is used for all devices. Rediscovery from Config Archive is recommended if you use configuration files.


Rediscover VPN Policies Wizard—Device Selection Page

Use the Device Selection page of the Rediscover VPN Policies wizard to specify the devices whose peer-level policies need to be rediscovered, and their role in the VPN topology.

The contents of this page differ depending on the VPN topology type. For example, if the topology type is hub and spoke, the page allows you to specify the devices as hubs or spokes.

Navigation Path

Open the Rediscover VPN Policies Wizard—Name and Technology Page, then click Next.

Related Topics

Rediscover VPN Policies Wizard

Rediscover VPN Policies Wizard—Name and Technology Page

Rediscovering Site-to-Site VPNs, page 10-12

Site-To-Site VPN Discovery, page 10-8

Discovering Site-to-Site VPNs, page 10-12

About Selecting Devices in a VPN Topology, page 10-16

Field Reference

Table G-38 Rediscover VPN Policies wizard > Device Selection Page 

Element
Description

Available Devices

Lists all devices that can be included in your selected VPN topology, that support the IPsec technology type, and which you are authorized to view.

Note Clicking a device group selects all its devices.

Hubs

The devices that are hubs in your hub-and-spoke topology. In an Easy VPN topology, the selected devices are servers.

Note If you selected only one device, it becomes the primary hub. If multiple devices are selected, you must make sure that the required primary hub device appears first in the list. You can use the Up and Down buttons to change the order of the hubs in the list.

To remove devices from the list, select them and click <<.

Spokes

The devices that are spokes in your hub-and-spoke topology. In an Easy VPN topology, the selected devices are clients.

To remove devices from the list, select them and click <<.

Peer One/Peer Two

The devices that are peers in your point-to-point topology.

To remove the selected device from the Peer One/Peer Two field, click <<.

Selected Devices

The devices that participate in your full mesh topology.

To remove selected devices from the Selected Devices list, click <<.

Finish button

Saves your wizard definitions and closes the wizard.

The Discovery Status dialog box opens, allowing you to monitor the status of the VPN rediscovery task and view any relevant error or warning messages. See Viewing Policy Discovery Task Status, page 7-16.

Note When the process is complete, the Site-to-Site VPN Manager window opens, displaying summary information for the VPN that was rediscovered.