Router MC Scenarios
An example VPN scenario has been created to guide you through the process of creating a simple, basic VPN over an existing network and give you hands-on experience with the application. The example scenario covers the basic user workflow described in Understanding the Router MC User Taskflow, page 1-9.
Additional scenarios are provided that are based on this end-to-end basic VPN scenario. They provide step-by-step instructions that guide you through the procedures for configuring the more advanced features of Router MC. You must complete the example VPN scenario before you can practice the additional scenarios.
The following topics provide information about the Router MC scenarios:
• Overview of Scenarios
• Scenario 1: Configuring a Basic VPN with Router MC
• Scenario 2: Designating Specific Traffic to be Tunneled
• Scenario 3: Configuring GRE for Failover and Routing
• Scenario 4: Uploading Existing VPN Configurations into Router MC
Overview of Scenarios
The following scenarios are covered:
• Scenario 1 shows you how to configure a basic site-to-site VPN between a corporate site and its remote site, across an existing public network. All the other scenarios (2 through 4) are based on this example VPN scenario. See Scenario 1: Configuring a Basic VPN with Router MC for more information.
• Scenario 2 shows you how to use split-tunneling to transmit both encrypted and unencrypted traffic on the same interface. Split tunneling requires that you specify exactly which traffic will be secured, so that only the specified traffic enters the IPSec tunnel, while the rest is transmitted unencrypted across the public network. See Scenario 2: Designating Specific Traffic to be Tunneled for more information.
• Scenario 3 shows you how to configure Generic Routing Encapsulation (GRE) for advanced failover and resiliency. Using GRE, one IPSec peer can know the status of other IPSec peers at all times, a greater level of resiliency is possible than with IKE keepalive, spoke-to-spoke connectivity is possible, and multicast and broadcast transmissions are also supported. See Scenario 3: Configuring GRE for Failover and Routing for more information.
• Scenario 4 shows you how to upload existing VPN configurations on a device into Router MC, without having to redefine these VPN configurations in Router MC. See Scenario 4: Uploading Existing VPN Configurations into Router MC for more information.
Scenario 1: Configuring a Basic VPN with Router MC
This example scenario takes you through the steps required to create a simple, basic VPN over an existing public network.
The scenario takes you through the following tasks:
• Understanding the Example VPN
• Task 1: Creating a Device Group
• Task 2: Importing Devices
• Task 3: Defining VPN Settings
• Task 4: Defining an IKE Policy
• Task 5: Defining a Tunnel Policy
• Task 6: Deploying Your Policies
Note: Sample configuration files for the example VPN are provided with the Router MC installation files on Cisco.com, in the Example Configs directory (or on the Router MC CD-ROM, if you installed the application from a CD-ROM). These sample configuration files will allow you to work through the example VPN without using your own network devices. You must copy these sample files to a directory on the Router MC server before importing them into your device inventory.
Understanding the Example VPN
The basic site-to-site VPN in the scenario consists of a secure connection between a corporate site (central office) and its remote site (branch office) across a public network. Figure 1-1 shows an example of the basic VPN.
The goal of the scenario is to create a site-to-site VPN between the San Jose corporate site and the San Francisco remote site.
In the VPN, the San Jose corporate site has a primary hub (R1) and a backup hub (R2). The San Francisco remote site has two devices (R3 and R4). All devices at both sites are contained in the California device group. The default IKE Keepalive will be used for resiliency.
All traffic between the San Jose Corporate Management subnets and the San Francisco HR and Sales subnets is tunneled, using moderate security. The subnets are directly attached to the inside interfaces of the hubs at the San Jose corporate site, and the inside interfaces of the spokes at the San Francisco remote site.
Figure 1-1 Site-to-Site Example VPN
Table 1-1 contains specific information about the devices used in the example VPN. The configuration files for these devices are provided with the Router MC installation files on Cisco.com, in the Example Configs directory (or on the Router MC CD-ROM, if you installed the application from a CD-ROM).
Table 1-1 Site-to-Site Example VPN
Device Name | Device Model | LAN Segment | Device Assignment | Cisco IOS Software Release | Inside Interfaces | VPN Interface
R1 | Cisco 7100 | Corporate Management | Primary Hub | 12.1(9)E | FastEthernet 0/1 192.168.101.3 | Serial 1/0 192.21.11.3
R2 | Cisco 7100 | Corporate Management | Backup Hub | 12.1(9)E | FastEthernet 0/1 192.168.102.3 | Serial 1/0 192.21.12.3
R3 | Cisco 2600 | Human Resources | Spoke | 12.2 | Ethernet 0/0 192.168.103.3 | Serial 0/0 192.21.13.3
R4 | Cisco 3620 | Sales | Spoke | 12.2T | Ethernet 0/0 192.168.104.3 | Serial 0/0 192.21.14.3
Task 1: Creating a Device Group
In this task, you will establish the framework for your VPN topology by creating the California device group. See Working with Device Groups, page 1-8 for information about the concept of device groups in Router MC.
Procedure
Step 1: Select Devices > Device Hierarchy. The Device Hierarchy page appears.
Step 2: Click Create Group. The Create Device Group dialog box appears.
Step 3: Enter a unique name for your device group in the Name field. For example, enter CaliforniaDeviceGroup (you cannot include spaces in this Name field).
Step 4: Select the parent object in which the device group will be created in the Create In area. In this example, click the Global folder or text. The name of the selected object appears in the selection confirmation area.
Step 5: Click Create. The Device Hierarchy page refreshes. The California Device Group appears within the Global folder, as shown in Figure 1-2.
Figure 1-2 VPN Device Hierarchy for Example VPN
You are now ready to import devices. See Task 2: Importing Devices.
Task 2: Importing Devices
In this task, you will import devices into the California Device Group by importing the configurations for each device from configuration files. When you import the files, you add device information to the device inventory. See Importing Devices, page 1-12 for information about importing devices.
The devices used in this task are based on the example network illustrated in Understanding the Example VPN.
Before You Begin
• Make sure you have your sample device configuration files. These files are provided with the Router MC installation files on Cisco.com, in the Example Configs directory (or on the Router MC CD-ROM, if you installed the application from a CD-ROM). Copy the sample configuration files to a directory on the Router MC server, such as c:\temp.
• Make sure you have completed all the steps in Task 1: Creating a Device Group successfully.
Procedure
Step 1: Select Devices > Device Import. The Device Import page appears.
Step 2: Select the device group into which you are importing the devices. In this example, select the check box next to CaliforniaDeviceGroup.
Step 3: Click Import. The Choose Method page appears. By default, Import multiple device config files in a specified directory is selected.
Step 4: Click Next. The Parameters page appears.
Step 5: Click Browse. The Browse Files on Server dialog box appears.
Step 6: Navigate from your current directory location to the directory in which you copied the sample configuration files, such as c:\temp.
Step 7: Click OK. The Browse Files on Server dialog box closes.
Step 8: Click Next in the Parameters page. The Import Devices page appears, displaying the devices that can be imported from configuration files.
Step 9: For each device listed, you must specify whether it will serve as a hub or a spoke in your VPN topology.
a. Select Hub in the Role column for devices R1 and R2.
b. Do not change the Role column setting for R3 and R4. They should remain spokes for this scenario.
c. Deselect the Import check box for the fifth device, R5. At this time, you are importing only four devices into the VPN, and the fifth device will be imported later.
Step 10: Specify the model of each imported device.
a. Select 7100 in the Model column for devices R1 and R2.
b. Select 2600 in the Model column for device R3.
c. Select 3620 in the Model column for device R4.
Step 11: Specify the IOS software release of each imported device.
a. Select 12.1(9)E in the IOS Version column for devices R1 and R2.
b. Select 12.2 in the IOS Version column for device R3.
c. Select 12.2T in the IOS Version column for device R4.
Step 12: Click Finish.
The Last Import Status dialog box appears. The device status displays "Pending" before the devices are imported, and then changes to "In Progress" while the devices are being imported. When the import process is complete, the device status changes to "Completed."
Step 13: Click Close to close the dialog box.
The Device Import page re-appears, displaying the imported devices in the California Device Group, as shown in Figure 1-3.
Figure 1-3 Device Import for Example VPN
You are now ready to define the settings that will enable the operation of the VPN. See Task 3: Defining VPN Settings.
Task 3: Defining VPN Settings
In this task, you will learn how to define inside interfaces on your hub and spokes. When you create the tunnel policy for the VPN, you will secure the traffic flow between the inside interfaces on the hubs and the inside interfaces on the spokes. You will also define a VPN interface on your spokes and assign primary and backup hubs to the spokes, thus defining the interfaces through which the devices will communicate using a secure tunnel. See Chapter 1, "Configuring VPN Settings" for information about the concept of VPN settings in Router MC. The devices used in this task are based on the example network illustrated in Understanding the Example VPN.
Before You Begin
Make sure you have completed all the steps in Task 2: Importing Devices successfully.
Procedure
Step 1: Select Configuration > Settings. The Settings page appears.
Step 2: Expand the Object Selector, then select CaliforniaDeviceGroup.
Step 3: Define inside interfaces for the hub:
a. In the TOC, select Hub, then select Inside Interfaces. The Hub Inside Interfaces page appears.
b. Click Show Interfaces. The Show Interfaces dialog box appears.
c. Select the FastEthernet0/1 check box, then click Select. The dialog box closes, and the name of the selected interface appears in the selection confirmation area.
Note: For this scenario, some fields in the Hub Inside Interfaces page display no information. This is the expected result of your choice in the Show Interfaces dialog box.
d. Click Apply. Upon deployment, each hub in the device group will be configured with FastEthernet0/1 as the inside interface.
Step 4: Define inside interfaces for the spokes:
a. In the TOC, select Spoke, then select Inside Interfaces. The Spoke Inside Interfaces page appears.
b. Click Show Interfaces. The Show Interfaces dialog box appears.
c. Select the Ethernet0/0 check box, then click Select. The dialog box closes, and the name of the selected interface appears in the selection confirmation area.
Note: For this scenario, some fields in the Spoke Inside Interfaces page display no information. This is the expected result of your choice in the Show Interfaces dialog box.
d. Click Apply. The Spoke Inside Interfaces page refreshes. Upon deployment, each spoke in the device group will be configured with Ethernet0/0 as the inside interface.
Step 5: Define VPN interfaces for the spokes:
a. Select Spoke > VPN Interfaces in the TOC. The Spoke VPN Interfaces page appears.
b. Click Show Interfaces. The Show Interfaces dialog box appears.
c. Select the Serial 0/0 check box, and then click Select. The dialog box closes, and the name of the selected interface appears in the selection confirmation area.
Note: For this scenario, some fields in the Spoke VPN Interfaces page display no information. This is the expected result of your choice in the Show Interfaces dialog box.
d. Click Apply. The page refreshes. Upon deployment, each spoke in the device group will be configured with Serial 0/0 as the VPN interface.
Step 6: Assign a hub to each spoke:
a. Select Spoke > Hub Assignment in the TOC. The Hub Assignment page appears.
b. Select R1 from the Primary Hub list box.
c. Select Serial 1/0 from the Primary Interface list box. The primary hub will communicate with the spoke tunnel endpoint through this interface.
d. Select R2 from the Failover Hub list box.
e. Select Serial 1/0 from the Failover Interface list box. The failover hub will communicate with the spoke tunnel endpoint through this interface.
f. Click Apply. The Hub Assignment page refreshes. Upon deployment, the primary hub will be configured as the hub-end tunnel endpoint interface for CaliforniaDeviceGroup.
You are now ready to define an IKE policy for your VPN. See Task 4: Defining an IKE Policy.
Task 4: Defining an IKE Policy
In this task, you will learn how to define an IKE policy using moderate security for authentication and encryption for the California device group. In this task, you will use preshared key as the authentication method.
Before You Begin
• Make sure you have completed all the steps in Task 3: Defining VPN Settings successfully.
• Make sure you still have CaliforniaDeviceGroup selected in the Object Selector. If not, select it.
Procedure
Step 1: Select Configuration > IKE. The IKE page appears.
Step 2: Select IKE Policies from the TOC. The IKE Policies page appears.
Step 3: Click Create. The IKE Policy Name and Comment page appears.
Step 4: Specify the following information:
a. Enter a unique name for your IKE policy in the Name field. For example, enter SJSF-IKE.
b. Enter a description of the IKE policy in the Comment field. For example, enter Moderate security with preshared key.
c. Click Next. The Algorithms page appears.
Step 5: Specify the following parameters for moderate security under Algorithm Settings:
a. Select DES from the Encryption Algorithm list box.
b. Select MD5 from the Hash Algorithm list box. By default, the Modulus Group should be 1.
c. Click Next.
The Parameters page appears. By default, the value in the Lifetime (seconds) field (which specifies the duration of the IKE Security Association (SA)) should be 86400 seconds, and Preshared Key should be selected in the Authentication list box.
Step 6: Click Finish.
The IKE policy is created. Upon deployment, the IKE policy will be applied to CaliforniaDeviceGroup. The main IKE Policies page appears displaying the IKE policy you defined, as shown in Figure 1-4.
Figure 1-4 IKE Policy for Example VPN
You are now ready to define a tunnel policy for your VPN. See Task 5: Defining a Tunnel Policy.
Task 5: Defining a Tunnel Policy
In this task, you will learn how to create a tunnel policy for the California device group. You will apply security using a transform set with moderate authentication, encryption, and compression settings.
Before You Begin
• Make sure that you have completed all the steps in Task 4: Defining an IKE Policy successfully.
• Make sure that you still have CaliforniaDeviceGroup selected in the Object Selector. If not, select it.
Procedure
Step 1: Select Configuration > Tunnels.
Step 2: Select Tunnel Policies in the TOC. The Tunnel Policies page appears.
Step 3: Click Create. The Tunnel Policy Name and Comment page appears.
Step 4: Specify the following information under Tunnel Policy Name and Comment:
a. Enter a unique name for your tunnel policy in the Name field. For example, enter SJSF-Tunnel.
b. Enter a description of the tunnel policy in the Comment field. For example, enter Nor-Cal. Moderate Sec.
c. Click Next. The Traffic Filter page appears.
Step 5: Set up a traffic filter. At deployment, Router MC compares the settings on your selected devices to all four of the predefined access control entries (ACEs):
Spoke Side | Hub Side
Spoke Internal Networks | Hub Internal Networks
Inside Interfaces | Hub Internal Networks
Spoke Internal Networks | Inside Interfaces
Inside Interfaces | Inside Interfaces
Router MC applies the ACEs that are shown in this page under circumstances where they match the configuration of your devices.
Currently, the devices in this scenario have their inside interfaces defined, but their internal networks are undefined. Therefore, you could either choose at this stage to delete the first three ACEs—because they do not apply to your devices in this scenario and Router MC will ignore them at this time—or you could leave them as they are.
Tip: The recommended best practice is to leave all of the predefined ACEs in the list.
a. Click Next. All internal traffic on the hubs and spokes will be secured. The Transform Sets page appears.
Step 6: Create a transform set for moderate security under Tunnel Policy Transform Sets:
a. Click Create. The Name and Comment page appears.
b. Enter a unique name for your transform set in the Name field. For example, enter DES-MD5.
c. Enter a description of the transform set in the Comment field. For example, enter Moderate auth/encr TS.
d. Click Next. The Protocols page appears.
e. Select MD5 from the AH Hash list box.
f. Select DES from the ESP Encryption list box.
g. Select MD5 from the ESP Hash list box. By default, the Compression check box is not selected.
h. Click Finish.
The DES-MD5 transform set is created, and will appear as an option in the list boxes in the Tunnel Policy Transform Sets page.
Step 7: Select DES-MD5 from the Transform Set 1 list box, then click Next. The PFS page appears.
Step 8: Specify the following moderate IPSec session protection parameters under Perfect Forward Secrecy:
a. Select the Use PFS check box.
b. Select 1 from the Modulus Group list box.
c. Click Finish.
The tunnel policy is created. Upon deployment, the tunnel policy will be applied to the California device group. The main Tunnel Policies page appears. The tunnel policy you defined should appear in the Tunnel Policies page, as shown in Figure 1-5.
Figure 1-5 Tunnel Policy for Example VPN
You are now ready to deploy your policies. See Task 6: Deploying Your Policies.
Task 6: Deploying Your Policies
In this task, you will learn how to deploy the VPN configurations defined in the previous tasks to files. The devices used in this task are based on the example network illustrated in Understanding the Example VPN.
Before You Begin
Make sure you have completed all the steps in Task 5: Defining a Tunnel Policy successfully.
Procedure
Step 1: Click the Save and Deploy icon in the Actions bar.
The Select Devices page appears.
Since Router MC automatically preselects devices on which policy changes have been made but have not yet been deployed, you don't need to make any selection.
Step 2: Click Next. The Deployment Options page appears.
Step 3: Specify the following under Deployment Options:
a. Select File in the Deploy To list box.
b. Click Browse to specify an output directory for the file. The Browse Files on Server dialog box appears.
c. Select the directory in which you want to save the deployed configurations, and then click OK. For example, c:\temp.
d. Select the Deploy full configuration to file check box.
The configuration files will contain the entire configuration of the devices, including the commands Router MC will add or remove to implement your VPN configurations. By default, the Deploy only to running-config (disable write memory) check box is not selected.
e. Click Next. The Job Error Checking page appears. Errors prevent deployment, while warnings do not prevent deployment.
f. Ignore any displayed warnings, and click Finish. The Job Deployment Status window opens.
In this window, you can view the deployment status of your job, and of each device in the job relative to the job status. The job status is "Generating" during generation of the commands, and then changes to "Deployed" when the job has been deployed. The device status is "Pending" before the deployment starts, changes to "Deploying" during deployment, and "Completed" when the configurations for the device have been deployed, as shown in Figure 1-6.
Figure 1-6 Job Deployment Status for Example VPN
g. Click Refresh to get an updated view.
Click Close to close the Job Status window.
Step 4: View the configurations generated for the devices:
a. Select Deployment > View Configs.
b. In the TOC, select Full.
c. Expand the Object Selector, then select any device from CaliforniaDeviceGroup.
d. You can view incremental device configurations in either Telnet or TFTP format. To do so, select Incremental Telnet or Incremental Tftp from the TOC. The incremental VPN configuration for the selected device is displayed.
For either format, a list is displayed of permit and deny commands that the defined configuration requires for implementation. Additional configuration information is also displayed.
You have completed the tasks for configuring the end-to-end basic VPN scenario.
You can now perform the additional Scenarios 2 through 4, which cover some of the more advanced features of Router MC.
Scenario 2: Designating Specific Traffic to be Tunneled
The goal of this scenario is to create a maximum security tunnel between two peers. This tunnel will encrypt traffic from a Sales subnet host, H2, to a Corporate Management subnet host, H1. The tunnel will have the highest possible security because highly confidential information will be transmitted between the two hosts.
To do this, you will create a new tunnel policy on R4, which will override the SJSF Tunnel policy you created on the California device group. You will create a custom Access Control Entry (ACE) for the filter to specify exactly what traffic you want to tunnel. You will also create a transform set with higher security.
See Chapter 1, "Defining VPN Tunnel Policies" for more information.
Figure 1-7 shows the sample network topology for the split-tunneling scenario.
Figure 1-7 Sample Network Topology for Split-Tunneling
Before You Begin
This procedure assumes that you have completed all the tasks in Scenario 1: Configuring a Basic VPN with Router MC.
Procedure
Step 1: Select the R4 device.
a. Select the Configuration tab.
b. Select R4 in the Object Selector. Global>CaliforniaDeviceGroup>R4 appears in the object bar.
Step 2: Start a new tunnel that is distinct from the SJSF Tunnel specified for the SJSF VPN.
a. Select Configuration > Tunnels.
b. From the TOC, select Tunnel Policies. The Tunnel Policies page appears.
c. Click Create. The Tunnel Policy Name and Comment page appears.
Step 3: Under Tunnel Policy Name and Comment, do the following:
a. In the Name field, enter a unique name for your tunnel policy. For example, enter Corporate-to-SalesTunnel. Do not enter spaces in the policy name.
b. In the Comment field, enter a description of the tunnel policy. For example, enter Max. auth/encr--Corp-to-Sales.
c. Click Next. The Traffic Filter page appears.
Step 4: To create a new traffic filter, click Create. The Create Filter dialog box appears. In the Create Filter dialog box, do the following:
a. In the Spoke Side IP address field, enter 172.168.13.1, which is the IP address of H2.
b. In the Hub Side IP address field, enter 172.168.10.1, which is the IP address of H1.
c. Click OK. The spoke side and hub side hosts are added to the table.
d. Click Next. The Transform Sets page appears.
Step 5: Under Tunnel Policy Transform Sets, create a transform set for high security:
a. Click Create. The Name and Comment page appears.
b. In the Name field, enter a unique name for your transform set. For example, enter Corp-Sales-TS.
c. In the Comment field, enter a description of the transform set. For example, enter Max. auth/encr TS.
d. Click Next in the Name and Comment page. The Protocols page appears.
Step 6: Under Protocols, specify the IPSec mode of operation, and authentication and encryption algorithms:
a. From the Mode list box, select Tunnel.
b. From the AH Hash list box, select SHA.
c. From the ESP Encryption list box, select 3DES.
d. From the ESP Hash list box, select SHA.
The Compression check box should not be selected.
e. Click Finish in the Protocols page.
The transform set is created. The Tunnel Policy Transform Sets page appears. The transform set you defined is an available option in the Transform Set list boxes.
f. From the Transform Set 1 list box, select Corp-Sales-TS and click Next. The Perfect Forward Secrecy page appears.
Step 7: Under Perfect Forward Secrecy, specify the maximum IPSec session protection parameters.
a. Select the PFS check box.
b. From the Modulus Group list box, select 5.
c. Click Finish.
The tunnel policy is created, and is applied to R4. The Tunnel Policies page appears, and displays the tunnel policy that you defined.
Upon deployment, the new tunnel policy will be generated.
Step 8: Deploy the selections from this scenario using the procedure described in Task 6: Deploying Your Policies.
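The IKE and IPSec parameters chosen in Scenario 1 (DES, MD5, modulus group 1) and Scenario 2 (3DES, SHA, modulus group 5) end up as crypto commands in the configuration files that Task 6 deploys. The following added example, which is not part of the Router MC documentation, parses such a file and reports every DES, MD5 and group 1 setting, all of which are deprecated for IKE and IPSec. The sample configuration, the policy priorities and the crypto map name SJSF are constructed; the parser also accounts for Cisco IOS omitting default values (DES, SHA, group 1) from a saved ISAKMP policy.

```python
# Added example: audit a deployed Cisco IOS configuration file for the
# DES / MD5 / Diffie-Hellman group 1 settings used in Scenario 1.

# Classic Cisco IOS defaults for an ISAKMP policy. A saved configuration
# omits any line equal to the default, so a missing keyword is not "unset".
IKE_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1",
                "authentication": "rsa-sig", "lifetime": "86400"}
# IOS writes "encr" in saved configs but accepts "encryption" on input.
IKE_KEYWORDS = {"encr": "encryption", "encryption": "encryption",
                "hash": "hash", "group": "group",
                "authentication": "authentication", "lifetime": "lifetime"}
WEAK_IKE = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}
WEAK_TRANSFORMS = {"esp-des", "ah-md5-hmac", "esp-md5-hmac"}

# Constructed sample; policy numbers and the map name SJSF are assumptions.
SAMPLE_CONFIG = """\
hostname R4
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 5
!
crypto ipsec transform-set DES-MD5 ah-md5-hmac esp-des esp-md5-hmac
crypto ipsec transform-set Corp-Sales-TS ah-sha-hmac esp-3des esp-sha-hmac
!
crypto map SJSF 10 ipsec-isakmp
 set transform-set DES-MD5
 set pfs group1
crypto map SJSF 20 ipsec-isakmp
 set transform-set Corp-Sales-TS
 set pfs group5
!
interface Serial0/0
 crypto map SJSF
"""


def parse_crypto(config_text):
    """Return (ike_policies, transform_sets, pfs_groups) from IOS config text."""
    policies, transforms, pfs = {}, {}, {}
    section = None  # ("ike", priority) or ("map", "name seq") inside a block
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        words = line.split()
        if not line[0].isspace():  # a top-level command starts a new block
            section = None
            if words[:3] == ["crypto", "isakmp", "policy"] and len(words) == 4:
                section = ("ike", words[3])
                policies[words[3]] = dict(IKE_DEFAULTS)
            elif words[:3] == ["crypto", "ipsec", "transform-set"] and len(words) > 4:
                transforms[words[3]] = words[4:]
            elif words[:2] == ["crypto", "map"] and len(words) >= 4:
                section = ("map", f"{words[2]} {words[3]}")
        elif section and section[0] == "ike":
            if words[0] in IKE_KEYWORDS and len(words) > 1:
                policies[section[1]][IKE_KEYWORDS[words[0]]] = words[1]
        elif section and section[0] == "map" and words[:2] == ["set", "pfs"]:
            # "set pfs" with no argument means group1 on IOS.
            pfs[section[1]] = words[2] if len(words) > 2 else "group1"
    return policies, transforms, pfs


def audit(config_text):
    """Return sorted findings for DES, MD5 and Diffie-Hellman group 1."""
    policies, transforms, pfs = parse_crypto(config_text)
    findings = []
    for priority, params in policies.items():
        for field, weak_values in WEAK_IKE.items():
            if params[field] in weak_values:
                findings.append(f"isakmp policy {priority}: {field} {params[field]}")
    for name, items in transforms.items():
        for transform in items:
            if transform in WEAK_TRANSFORMS:
                findings.append(f"transform-set {name}: {transform}")
    for entry, group in pfs.items():
        if group == "group1":
            findings.append(f"crypto map {entry}: pfs {group}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Policy 10 in the sample never names DES or group 1, yet both are reported, because the omitted lines fall back to the IOS defaults.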
Scenario 3: Configuring GRE for Failover and Routing
The goal of this scenario is to apply GRE to your network instead of the default IKE Keepalive. Although GRE can be applied at any level in the device hierarchy, for this scenario example, you will apply GRE globally to all the devices and the networks directly connected to the interfaces on the devices. Everything outside of the attached networks will no longer be a part of the SJSF VPN.
See Understanding Failover and Routing, page 1-2 and Configuring GRE, page 1-11 for more information.
Before You Begin
This procedure assumes that you have completed:
• Scenario 1: Configuring a Basic VPN with Router MC
• Scenario 2: Designating Specific Traffic to be Tunneled
Procedure
Step 1: Select Global in the Object Selector. Global appears in the object bar.
Step 2: Configure GRE globally.
a. Select Configuration > Settings.
b. In the TOC, select General VPN, then select Failover and Routing.
c. Select GRE in the Policy Type list box.
d. Select EIGRP from the Routing Protocol list box.
e. Enter 192.168.121.60/255.255.128.0 in the Tunnel Interface IP (IP/Subnet) field.
f. Leave the Enable IP Multicast check box deselected.
g. Click Apply. Upon deployment, GRE will be configured globally.
Step 3: Deploy the selections from this scenario using the procedure described in Task 6: Deploying Your Policies.
Scenario 4: Uploading Existing VPN Configurations into Router MC
The goal of this scenario is to upload policy settings from an imported device to a device group. In this scenario, another spoke (R5) will be added to the remote site (San Francisco) created in Scenario 1: Configuring a Basic VPN with Router MC, Task 1: Creating a Device Group. A single configuration file will be imported. The imported device will have an IKE policy that is more secure than the IKE policy on existing devices. The IKE policy from the imported device will be applied to the existing device group, effectively overriding the IKE policy on the device group.
See Chapter 1, "Uploading Device Configurations" for more information.
Figure 1-8 shows the sample network topology after the device has been imported and the VPN configurations on the device have been uploaded.
Figure 1-8 Scenario 2: Sample Network Topology for Importing and Uploading
Table 1-2 contains new information about the VPN profile characteristics.
Table 1-2 Scenario 4: Site-to-Site VPN Addition
Device Name | Device Model | LAN Segment | Device Assignment | Cisco IOS Software Release | Internal Interface | External Interface
Remote Site 1 (San Francisco)
R5 | Cisco 3660 192.168.1.5 | Marketing | Spoke | 12.2T | Ethernet 0/1 192.168.105.3 | Serial 0/0 192.21.15.3
Before You Begin
This procedure assumes that you have completed Scenario 1: Configuring a Basic VPN with Router MC.
Procedure
Step 1: Import R5 from the example configurations provided for you.
a. Select Devices > Device Import. The Device Hierarchy page appears.
b. Specify the device group into which R5 will be imported. Click the California Device Group folder.
The Choose Import Method page appears.
c. Select Import single device config file.
d. Click Next. The Parameters page appears.
e. Click Browse. The Browse Files on Server dialog box appears.
f. Navigate from your current directory location to the location where you stored copies of the sample configuration files. For example, c:\temp.
g. Select R5.cfg and click OK. The Browse Files on Server dialog box closes.
h. Click Next in the Parameters page. The Import Devices page appears.
i. To specify that R5 will serve as a spoke in your VPN topology, do not change the Role column setting for R5.
j. Select 3620 in the Model column.
k. Select 12.2T in the IOS Version column.
l. Click Finish.
The Last Import Status dialog box appears. The device status is "Pending" before R5 is imported, and then changes to "In Progress" while R5 is being imported. When the import process is complete, the status changes to "Completed."
m. Click Close. The Device Import page appears, displaying the imported device R5 in the device hierarchy.
Step 2: Select the Configuration tab, then select the California Device Group in the Object Selector. Global > CaliforniaDeviceGroup appears in the object bar.
Step 3: Select Configuration > Upload. The Upload page appears.
Step 4: Select the R5 device as the source of the configuration policy you want to upload, and upload its policy.
a. In the Upload From field, select the source device, R5.
b. In the Upload To field, click Select Target. Select the target device, R5.
c. Select the Override existing policies check box, to replace the existing California Device Group policy settings such as transform sets, IKE policies, and preshared key.
d. Click Upload. The upload report appears, informing you that the R5 IKE policy uploaded successfully.
Step 5: Deploy the selections from this scenario using the procedure described in Task 6: Deploying Your Policies.