Create VPN Topology button

Click to create a VPN topology, then select the type of topology you want to create from the options that are displayed. The Create VPN wizard opens.

Edit VPN Topology button

Opens the Edit VPN dialog box for editing a selected VPN topology.

Note You can also edit a VPN topology by right-clicking it in the VPNs selector, and selecting the Edit option.

Delete VPN Topology button

Deletes a selected VPN topology.

Note You can also delete a selected VPN topology by right-clicking it and selecting the Delete option.

A confirmation dialog box opens asking you to confirm the deletion.

VPNs selector

Lists each VPN topology, represented by its name and an icon indicating its VPN type (hub and spoke, point to point, or full mesh).

Policies selector

Lists each individually named policy that is already assigned to, or can be configured on, devices in the selected VPN topology.

Select a policy to open a page on which you can view or edit the parameters for the selected policy. See Site to Site VPN Policies.

Name and Technology Page

Step 1

Step 1

Step 1

Device Selection Page

Step 2

Step 2

Step 2

Endpoints Page

Step 3

Step 3

—

High Availability Page

Step 4

—

—

GET VPN Group Encryption Page

—

—

Step 3

GET VPN Peers Page

—

—

Step 4

VPN Defaults Page

Step 5

Step 4

Step 5

Name

A unique name that identifies the VPN topology.

Description

Information about the VPN topology.

IPsec Technology

IPsec technology associated with the VPN topology: Regular IPsec, IPsec/GRE, DMVPN, Easy VPN, or GET VPN.

Note If you are editing an existing VPN, the assigned IPsec technology is displayed, but unavailable for editing. To edit the technology, you must delete the VPN topology and create a new one.

Type

Available if the selected IPsec technology is IPsec/GRE or DMVPN.

•IPsec/GRE—Select either Standard (for IPsec/GRE) or Spokes with Dynamic IP (for GRE Dynamic IP). For more information, see Configuring GRE or GRE Dynamic IP Policies, page 9-65.

•DMVPN—Select either Standard (for regular DMVPN) or Large Scale with IPsec Terminator (for a large scale DMVPN). For more information, see Configuring Large Scale DMVPNs, page 9-70.

Available Devices

Lists all devices that can be included in your selected VPN topology, that support the IPsec technology type, and which you are authorized to view.

Note Clicking a device group selects all its devices.

IPsec Terminators

Available only if you selected Large Scale with IPsec Terminator as the DMVPN technology type in the Name and Technology page.

Catalyst 6500/7600 devices defined as IPsec Terminators in your Large Scale DMVPN configuration.

To add devices to the list, select them and click >>. To remove devices from the list, select them and click <<.

Note You can use the Up and Down buttons to change the order of the devices in the list.

For more information, see Configuring Large Scale DMVPNs, page 9-70.

Hubs

Devices defined as hubs in your hub-and-spoke topology. In an Easy VPN topology, the selected devices are servers.

Note If you selected only one device, it becomes the primary hub. If multiple devices are selected, you must make sure that the required primary hub device appears first in the list. You can use the Up and Down buttons to change the order of the Hubs in the list.

You need to select the primary hub only when there are 2 or more IPsec terminators. When there is only one IPsec terminator, regardless of how many hubs are connected to the same IPsec terminator, it is not possible to designate one hub as the primary hub.

Spokes

Devices defined as spokes in your hub-and-spoke topology. In an Easy VPN topology, the selected devices are clients.

Peer One/Peer Two

Devices defined as peers in your point-to-point topology.

Key Servers

Devices defined as key servers in your GET VPN topology.

Group Members

Devices defined as group members in your GET VPN topology.

>> button

To add devices to the list, select them and click >>

>>button

To remove devices from the list, select them and click <<.

Group Name

Name of the Group Domain of Interpretation (GDOI) group. This name is the same as a VPN name.

Group Identity

Parameter that is used to identify the group. All key servers and group members use this parameter to identify the group.

The identity can be either a number or any IP address.

Receive Only

If enabled, group members decrypt traffic and forward it in clear text. This feature is useful for testing the VPN.

Security Policy

ACL Policy object to be used as the security policy.

Note The ACL policy object must contain a deny ACE statement as its first deny statement. This statement allows the group members to receive rekey packets sent using multicast protocol.

Authorization Type

Type of association mechanism used by the group: None, Certificates, or Preshared Key.

If you select Certificates, you must define a certificates filter (either dn or fqdn). This filter, located on the key server, specifies the attributes and values used to validate whether the group member is authorized to join the GDIO or not.

Enter a name for the certificate filter and click the Create button. See Add Certificate Filter Dialog Box.

Key Distribution

Address method used to distribute keys to each group member:

•Unicast or Multicast—If unicast is selected, the key server sends a rekey message to each registered group member and waits for an acknowledgment. If multicast is selected, the key server sends a rekey message to all group members at once.

Note If you select multicast, make sure that the router used as the key server is multicast enabled.

•Group IP Address—IP Address to be used for key distribution.

•Use Static IGMP Joins on Group Members—This checkbox is applicable only when key servers use multicast to distribute keys to group members. If you select this option, the static Source Specific Multicast (SSM) mappings are enabled, which reveal the source of multicast traffic to the group member. In the case of GET VPN, the group member learns the key server address.

RSA Key Label

(Optional) Label that key servers use to sign rekey messages with. If rekeying is not required, you do not need to assign an RSA key label.

Note Security Manager does not manage RSA keys and therefore appropriate keys need to be manually generated on the key server before deployment. FlexConfig can be used. See Creating FlexConfig Policy Objects, page 18-26.

Lifetime (KEK)

Number of seconds that the key encryption key (KEK) is valid.

Note If you are encrypting high packet rates for count-based anti-replay, ensure that you do not make the lifetime too long or it can take several hours for the sequence number to wrap. For example, if the packet rate is 100 kilopackets per second, the lifetime should be configured as less than 11.93 hours so that the SA is used before the sequence number wraps.

Encryption Algorithm

Algorithm that the key server uses to encrypt the rekey messages sent to group members.

Retransmits

Number of times the rekey message can be sent.

Interval

Number of seconds between retries.

Role

The role of the device—hub, spoke, peer, or IPsec Terminator.

Device

The name of the device.

VPN Interface

The primary or backup VPN interface that is defined for the selected device.

Depending on the selection in the Show list, the interface roles, or the interfaces that match each interface role, for the VPN interface may also be displayed.

Select a row and click Edit to change the device's VPN interfaces. The Edit Endpoints dialog box opens, from which you can select the required VPN interface. See VPN Interface Tab.

Note You can select more than one device at a time for editing. The changes you make in the VPN Interface tab are applied to all the selected devices.

When selecting multiple devices for editing the VPN interfaces, you cannot include Catalyst 6500/7600 devices in your selection. If you want to edit these devices, you must select them separately.

To edit the VPN interface for a Catalyst 6500/7600 device, see VPN Interface Tab—VPNSM/VPN SPA Settings.

Protected Networks

The protected networks that are defined for the selected device.

Depending on the selection in the Show list, the interface roles, or the interfaces that match each interface role, for the protected networks may also be displayed.

Select a row and click Edit to change the device's protected networks. The Edit Endpoints dialog box opens, from which you can select the required protected networks. See Protected Networks Tab.

Note You can select more than one device at a time for editing. The changes you make in the Protected Networks tab are applied to all selected devices.

When selecting multiple devices for editing the protected networks, you cannot include Catalyst VPN Service Module devices in your selection. If you want to edit these devices, you must select them separately.

Show

Select to display either the interface roles or matching interfaces, for the VPN interfaces and protected networks in the table, as follows:

•Interface Roles Only (default)—To display only the interface roles assigned to the VPN interfaces and protected networks.

•Matching Interfaces—To display the interfaces that match the pattern of each interface role. If there are no matching interfaces "No Match" will be displayed.

Edit button

Opens the Edit Endpoints dialog box so you can edit the VPN interface and/or protected networks for a selected device in the table. See Edit Endpoints Dialog Box.

Enable the VPN Interface Changes on All Selected Peers

Available if you selected more than one device on the Endpoints page for editing.

When selected, applies any changes you make in the VPN interface tab to all the selected devices.

VPN Interface

The VPN interface defined for the selected device. The default is External.

VPN interfaces are predefined interface role objects. If required, click Select to open a dialog box that lists all available interfaces, and sets of interfaces defined by interface roles, in which you can make your selection, or create interface role objects.

If the device is an ASA 5505 version 7.2(1) or later, it must have two interfaces defined with different security levels. For more information, see Managing Device Interfaces, page 14-5.

Connection Type

Only available in a hub-and-spoke VPN topology, if the selected device is an ASA or PIX 7.0 hub, and the selected technology is Regular IPsec.

Select the type of connection that the ASA hub will use during an SA negotiation:

•Answer Only—To configure the hub to only respond to an SA negotiation, but not initiate it.

•Originate Only—To configure the hub to only initiate an SA negotiation, but not respond to one.

•Bidirectional—To configure the hub to both initiate and respond to an SA negotiation.

Local Peer IPSec Termination

Unavailable if the selected technology is Easy VPN.

Specifies the IP address of the VPN interface of the local router. You can select one of the following options:

•VPN Interface IP Address—This is the default. Uses the configured IP address on the selected VPN interface. Only one VPN interface can match the interface role.

•IP Address—To enter manually the IP address of the VPN interface of the local router. Enter the IP address in the field provided.

Note If you select a tunnel source as the VPN interface, it is likely that the VPN interface has a dynamically assigned IP address.

•IP Address of Another Existing Interface to be Used as Local Address (unavailable if IPsec technology is DMVPN)—To use the configured IP address on any interface as a local address, not necessarily a VPN interface. Enter the interface in the field provided.

You can choose the required interface by clicking Select. A dialog box opens that lists all available predefined interface roles, and in which you can create an interface role object.

Tunnel Source

Available only for a hub when the selected technology is IPsec/GRE or DMVPN.

If you have enabled the setting to use a unique tunnel source per tunnel interface in the GRE Modes > Tunnel Parameters tab, the Override Unique Tunnel Source per Tunnel Interface check box is available. Click this check box to specify a different tunnel source for the selected device.

Specifies the tunnel source address to be used by the GRE or DMVPN tunnel on the spoke side. You can select one of the following options:

•Inside VLAN—Uses the inside VLAN VPN interface as the tunnel source address.

•Outside VLAN/External Port (When CCA/VRF is Enabled)—Uses the outside VLAN VPN interface as the tunnel source address (available only when CCA/VRF is enabled).

•Interface—To use any interface as the tunnel source address, not necessarily a VPN interface. Enter the interface in the field provided.

You can choose the required interface by clicking Select. A dialog box opens that lists all available predefined interface roles, and in which you can create an interface role object.

Enable Backup

Available if the selected device is an IOS router that is in a point-to-point or full mesh topology, or that is a spoke in a hub-and-spoke topology, or is a remote client in an Easy VPN topology.

When selected, enables you to configure a backup interface to use as a fallback link for the primary route VPN interface, if its connection link becomes unavailable.

Note Before configuring a backup interface, you must first configure the dialer interface settings on the device. For more information, see Dialer Interfaces on Cisco IOS Routers, page 13-22.

Dialer Interface

The logical interface through which the secondary route traffic is directed when the dialer interface is activated. This can be a Serial, Async, or BRI interface.

You can choose the required interface by clicking Select. A dialog box opens that lists all available interfaces and predefined interface roles, and in which you can create an interface role object.

Primary Next Hop IP Address

Available only if the selected technology is Regular IPsec, IPsec/GRE, GRE Dynamic IP, or Easy VPN.

The IP address to which the primary interface connects when it is active. This is known as the next hop IP address.

If you do not specify the next hop IP address, Security Manager configures a static route using the VPN interface name. The VPN interface must be point-to-point or deployment fails.

You can choose the required IP address by clicking Select. The Network/Hosts selector opens, in which you can select a network from which the IP address will be allocated.

Tracking IP Address

The IP address of the destination device to which connectivity must be maintained from the primary VPN interface connection. This is the device that is pinged by the Service Assurance agent through the primary route to track connectivity. The backup connection is triggered if connectivity to this device is lost.

Note If you do not specify an IP address, the primary hub VPN interface is used in a hub-and-spoke or Easy VPN topology. In a point-to-point or full mesh VPN topology, the peer VPN interface is used.

You can choose the required IP address by clicking Select. The Network/Hosts selector opens, in which you can select a network from which the IP address will be allocated.

Advanced button

Available if the selected technology is Regular IPsec, IPsec/GRE, GRE Dynamic IP, or Easy VPN.

Opens the Dial Backup Settings dialog box for configuring additional (optional) settings. See Dial Backup Settings Dialog Box.

Enable the VPN Interface Changes on All Selected Peers

Note Available if you selected more than one Catalyst 6500/7600 device for editing in the Endpoints page.

When selected, applies any changes you make in the VPN interface tab to all the selected devices.

VPNSM/VPN SPA Settings

•Use Crypto Connect Alternate—When selected, only encrypted traffic entering the VPNSM/VPN SPA on the Catalyst 6500/7600 is passed through. Cleartext traffic does not go through (bypasses) the adapters.

This mode is recommended as an alternate to Crypto connect mode for enterprise customers who have a need to support large VPN topologies (financial institutions, for example) or need to pass large amounts of data over an encrypted channel (remote disaster recovery or backup over Internet).

•Inside VLAN—VLAN that serves as the inside interface to the VPN Services Module or VPN SPA. It is also the hub endpoint of the VPN tunnel (unless VRF-Aware IPsec is configured on the device). Enter the name of the interface or click Select to display an Object Selectors, page F-205.

•Slot and Subslot—Number designating the slot location of the VPNSM or VPNSPA/VSPA. If you are configuring a VPNSPA/VSPA, the subslot number is also required.

•Outside VLAN/Extern—External port or VLAN that connects to the inside VLAN. Enter the name of the interface or click Select to display an Object Selectors, page F-205.

Note If VRF-Aware IPsec is configured on the device, the external port or VLAN must have an IP address.

Note You must select an interface or interface role that differs from the one selected for the inside VLAN.

Tunnel Source

Note Available only for a hub when the selected technology is IPsec/GRE or DMVPN.

Specifies the tunnel source address to be used by the GRE or DMVPN tunnel on the spoke side. You can select one of the following options:

•Override Unique Tunnel Source per Tunnel Interface—If you have enabled the setting to use a unique tunnel source per tunnel interface in the GRE Modes > Tunnel Parameters tab, this check box is available. Click this check box to specify a different tunnel source for the selected device.

•Outside VLAN/External Port (When CCA/VRF is Enabled)—When the Use Crypto Connect Alternate check box is selected, this radio button is available. When selected, specifies the outside VLAN/external port as the tunnel source.

•Inside VLAN—When selected, uses the interface configured for the inside VLAN as the tunnel source.

•VPN Interface—When selected, uses the selected VPN interface as the tunnel source address.

•Interface—To use any interface as the tunnel source address, not necessarily a VPN interface, enter the interface in the field provided or click Select to display an Object Selectors, page F-205.

Local Peer IPSec Termination

Define the IPSec termination point of the VPN interface on the local router:

•Inside VLAN—Click this radio button to use interface configured as the inside VLAN.

•IP Address—Click this radio button and enter the IP address of the VPN interface on the local router.

Note If you select a tunnel source as the VPN interface, it is likely that the VPN interface has a dynamically assigned IP address.

Enable Failover Blade

When selected, enables you to configure a failover VPNSM or VPNSPA/VSPA blade for intra-chassis high availability.

Note A VPNSM and VPNSPA/VSPA blade cannot be used on the same device as primary and failover blades.

Specify the failover blade, as follows:

•Slot—From the list of available slots, select the number that identifies where the VPNSM blade or VPNSPA/VSPA blade is located.

•Subslot—If you are configuring a VPNSPA/VSPA, select the number of the subslot (0 or 1) on which the failover VPN SPA blade is installed.

Note If you are configuring a VPNSM, select the blank option.

Enable the Protected Networks Changes on All Selected Peers

Available if you selected more than one device for editing in the Endpoints page.

When selected, applies any changes you make in the Protected Networks tab to all the selected devices.

Available Protected Networks

A hierarchy of all available protected networks, including the interface roles whose naming pattern may match the internal VPN interface type of the device. If Regular IPsec is the assigned technology, access control lists (ACLs) are also included in the list of available protected networks.

Note In a hub-and-spoke VPN topology in which Regular IPsec is the assigned technology, when an ACL object is used to define the protected network on a spoke, Security Manager mirrors the spoke's ACL object on the hub to the matching crypto map entry.

Select the interface role(s), protected networks, and/or access control lists that you want to define for the selected device, then click >>.

Selected Protected Networks

The protected networks and interface roles you selected for the device.

Note You can reorder the selected protected networks/interface roles in the list by selecting them (one at a time), then clicking the Move Up or Move Down button, as required.

>> button

Moves protected networks from the available networks list to the selected networks list.

<< button

Removes protected networks from the selected list.

Create button

If the required interface roles, protected networks, or access control lists do not appear in the Available Protected Networks list, click Create and select the required option to create an interface role, protected network, or access control list.

Note The Access Control List option is only available if the assigned technology is Regular IPsec.

If you select the Interface Role option, the Interface Role Editor page opens in which you can create an interface role object. For more information, see Creating Interface Role Objects, page 8-34.

If you select the Protected Network option, the Network Editor page opens in which you can create a network object. For more information, see Creating Network/Host Objects, page 8-66.

If you select the Access Control List option, the Access Lists Editor page opens in which you can create an access control list object. For more information, see Creating Access Control List Objects, page 8-23.

Enable FWSM Settings

When selected, enables you to configure the connection between the Firewall Services Module (FWSM) and the VPN Services Module (VPNSM) or VPN SPA on the selected Catalyst 6500/7600 device.

FWSM Inside VLAN

The VLAN which serves as the inside interface to the Firewall Services Module (FWSM).

If required, click Select to open a dialog box that lists all available interfaces, and sets of interfaces defined by interface roles, and in which you can make your selection, or create interface role objects.

FWSM Blade

From the list of available blades, select the blade number to which the selected FWSM inside VLAN interface is connected.

Security Context

If the selected FWSM inside VLAN is part of a security context, specify its name in this field. The name is case-sensitive.

You can partition an FWSM into multiple virtual firewalls, known as security contexts. A security context is an independent virtual firewall that has its own security policy, interfaces, and administrators. You can define security contexts when you import a Catalyst 6500/7600 device into the Security Manager inventory.

For more information, see Security Contexts Page, page K-198.

Enable the VRF Settings Changes on All Selected Peers

Available if you selected more than one device for editing in the Endpoints page.

When selected, applies any changes you make in the VRF Settings tab to all the selected devices.

Enable VRF Settings

When selected, enables the configuration of VRF settings on the selected hub for the selected hub-and-spoke topology.

Note To remove VRF settings that were defined for the VPN topology, deselect this check box.

1-Box (IPsec Aggregator + MPLS PE)

When selected, enables you to configure a one-box VRF solution.

In the one-box solution, one device serves as the Provider Edge (PE) router that does the MPLS tagging of the packets in addition to IPsec encryption and decryption from the Customer Edge (CE) devices. For more information, see VRF-Aware IPsec One-Box Solution, page 9-35.

2-Box (IPsec Aggregator Only)

When selected (the default), enables you to configure a two-box VRF solution.

In the two-box solution, the PE device does just the MPLS tagging, while the IPsec Aggregator device does the IPsec encryption and decryption from the CEs. For more information, see VRF-Aware IPsec Two-Box Solution, page 9-36.

VRF Name

The name of the VRF routing table on the IPsec Aggregator. The VRF name is case-sensitive.

Route Distinguisher

The unique identifier of the VRF routing table on the IPsec Aggregator.

This unique route distinguisher maintains the routing separation for each VPN across the MPLS core to the other PE routers.

The identifier can be in either of the following formats:

•IP address:X (where X is in the range 0- 2147483647).

•N:X (where N is in the range 0-65535, and X is in the range 0- 2147483647).

Note You cannot override the RD identifier after deploying the VRF configuration to your device. To modify the RD identifier after deployment, you must manually remove it using the device CLI, and then deploy again.

Interface Towards Provider Edge

Available only when a 2-Box solution is selected.

Specify the VRF forwarding interface on the IPsec Aggregator towards the PE device.

Note If the IPsec Aggregator (hub) is a Catalyst VPN service module, you must specify a VLAN.

Interfaces and VLANs are predefined interface role objects. If required, you can click Select to open a dialog box that lists all available interfaces, and sets of interfaces defined by interface roles, in which you can make your selection, or create interface role objects.

Routing Protocol

Available only when a 2-Box solution is selected.

Select the routing protocol to be used between the IPsec Aggregator and the PE.

If the routing protocol used for the secured IGP differs from the routing protocol between the IPsec Aggregator and the PE, select the routing protocol to use for redistributing the routing to the secured IGP.

The options are BGP, EIGRP, OSPF, RIPv2, or Static route. The default is BGP.

For information about protocols, see Chapter 13, "Managing Routers".

AS Number

Available only when a 2-Box solution is selected.

Enter the number that will be used to identify the autonomous system (AS) area between the IPsec Aggregator and the PE.

If the routing protocol used for the secured IGP differs from the routing protocol between the IPsec Aggregator and the PE, enter an AS number that will be used to identify the secured IGP into which the routing will be redistributed from the IPsec Aggregator and the PE. This is relevant only when IPsec/GRE or DMVPN are applied.

The AS number must be within the range 1-65535.

Process Number

Available only if the 2-Box radio button is selected, and if the selected routing protocol is OSPF.

The routing process ID number that will be used to identify the secured IGP.

The range is 1-65535.

OSPF Area ID

Available only if the 2-Box radio button is selected, and if the selected routing protocol is OSPF.

The ID number of the area in which the packet belongs. You can enter any number from 0-4294967295.

Note All OSPF packets are associated with a single area, so all devices must have the same area ID number.

Next Hop IP Address

Available only when a 2-Box solution is selected with static routing.

Specify the IP address of the interface that is connected to the IPsec Aggregator.

Redistribute Static Route

Available only when a 2-Box solution is selected with any routing protocol other than Static route.

When selected, enables static routes to be advertised in the routing protocol configured on the IPsec Aggregator towards the PE device.

Next Hop Forwarding

Backup Next Hop IP Address

If required, enter the next hop IP address of the ISDN BRI or analog modem backup interface (that is, the IP address to which the backup interface will connect when it is active).

If you do not enter the next hop IP address, Security Manager configures a static route using the interface name.

You can choose the required IP address by clicking Select. The Network/Hosts selector opens, in which you can select a network from which the IP address will be allocated.

Tracking Object Settings

Timeout

The number of milliseconds the Service Assurance Agent operation waits to receive a response from the destination device. The default is 5000 ms.

Frequency

How often Response Time Reporter (RTR) should be used to detect loss of performance on the primary route. The default is every 60 seconds.

Threshold

The rising threshold in milliseconds that generates a reaction event and stores history information for the RTR operation. The default is 5000 ms.

Enable

When selected, enables you to configure high availability on a group of hubs.

When deselected, enables you to remove an HA group that was defined for the VPN topology.

Inside Virtual IP

The IP address that is shared by the hubs in the HA group and represents the inside interface of the HA group. The virtual IP address must be on the same subnet as the inside interfaces of the hubs in the HA group, but must not be identical to the IP address of any of these interfaces.

You can choose the required IP address by clicking Select. The Network/Hosts selector opens, in which you can select a network from which the IP address is allocated.

Note If there is an existing standby group on the device, make sure that the IP address you provide is different to the virtual IP address already configured on the device.

Inside Mask

The subnet mask for the inside virtual IP address.

VPN Virtual IP

The IP address that is shared by the hubs in the HA group and represents the VPN interface of the HA group. This IP address serves as the hub endpoint of the VPN tunnel.

You can choose the required IP address by clicking Select. The Network/Hosts selector opens, in which you can select a host from which the IP address is allocated.

Note If there is an existing standby group on the device, make sure that the IP address you provide is different to the virtual IP address already configured on the device.

VPN Mask

The subnet mask for the VPN virtual IP address.

Hello Interval

The duration in seconds (within the range of 1-254) between each hello message sent by a hub to the other hubs in the group to indicate status and priority. The default is 5 seconds.

Hold Time

The duration in seconds (within the range of 2-255) that a standby hub will wait to receive a hello message from the active hub before concluding that the hub is down. The default is 15 seconds.

Standby Group Number (Inside)

The standby number of the inside hub interface that matches the internal virtual IP subnet for the hubs in the HA group. The number must be within the range of 0-255. The default is 1.

Standby Group Number (Outside)

The standby number of the outside hub interface that matches the external virtual IP subnet for the hubs in the HA group. The number must be within the range of 0-255. The default is 2.

Note The outside standby group number must be different to the inside standby group number.

Stateful Failover

When selected, enables SSO for stateful failover.

Note In an Easy VPN topology, this check box appears selected and disabled, as stateful failover must always be configured.

You can only configure stateful failover on an HA group that contains two hubs that are Cisco IOS routers. This check box is disabled if the HA group contains more than two hubs.

Note When deselected in a Regular IPsec topology, stateless failover is configured on the HA group. Stateless failover will also be configured if the HA group contains more than two hubs. Stateless failover can be configured on Cisco IOS routers or Catalyst 6500/7600 devices.

For more information, see Understanding High Availability, page 9-39.

Key Servers Table

The device name, identity, priority, and registration interface are shown. For detailed information about these attributes, see Edit Key Server Dialog Box.

•To add a key server to the table, click the Add button.

•To edit a key server, select it and click the Edit button.

•To delete a key server, select it and click the Delete button.

•To move a key server, select it and click the up or down arrow button.

Using the arrow keys, you can establish the order of cooperative key servers (configured for redundancy). Group members register with the first key server in the list. If the first key server cannot be reached, they will register with the second key server, and so on. For more information about key server redundancy, see Redundancy Using Cooperative Key Servers, page 9-85.

•To show specific device identity information, select Interface Roles Only or Matching Interfaces in the Show field.

Group Members Table

The device name, GET-enabled interface, and local security policy are shown. For detailed information about these attributes, see Edit Group Member Dialog Box.

•To add a group member to the table, click the Add button.

•To edit a group member, select it and click the Edit button.

•To delete a group member, select it and click the Delete button.

•To show specific device identity information, select Interface Roles Only or Matching Interfaces in the Show field.

Identity Interface

Interface group members use to identify the key server and register with it. The default is Loopback.

Priority

A number value between 1-100 that designates the role of the key server. If two or more key servers are assigned the same priority, the device with the highest IP address is used. The default priority is 100 for the first key server, 95 for the second, and so on.

Note There can be more than one primary key server if the network is partitioned.

Registration Interface

Interface assigned to handle group domain of interpretation (GDOI) registrations. If no registration interface is specified GDOI registrations can occur on any interface.

GET-Enabled Interface

VPN-enabled outside interface to the provider edge (PE). Traffic originating or terminating on this interface is evaluated for encryption or decryption, as appropriate. You can configure multiple interfaces.

Interface to be used as local address

Local address interface. If there are more than one GET-enabled interface, you must define a local address interface. Enter an interface name or click Select to display an Object Selectors, page F-205.

Security Policy

Local group member security ACL used to deny some group member-specific traffic over and above the security ACL downloaded from the key server.

Override Key Servers

Click the check box to specify key servers to be used by the selected group member instead of the key servers designated for the GET VPN topology. This setting can be used to select a subset of the key servers defined at the GET VPN topology level to be used by the selected group member. It can also be used to change the order of the overridden key servers for the selected group member.

Policy type

Lists the VPN policy types that can be assigned to your VPN topology. For each policy type, select the default VPN policy you want to assign to your VPN topology.

You can accept the Factory Default policy (available for a mandatory policy only) or select a shared VPN policy that was created (and submitted or approved, depending on the workflow mode) using Security Manager.

Note If you want to assign a default policy that is not provided in the list, you can change the policy defaults selection in the Administration tool's VPN Policy Defaults page. The policy will then be available for assignment to all future VPN topologies that are created. For more information, see VPN Policy Defaults Page, page A-41.

Note If you try to select a default policy that is currently locked by another user, a message is displayed warning you of a lock problem. To bypass the lock, select a different policy or cancel the VPN topology creation until the lock is approved. For more information, see Understanding Locking, page 6-7.

View Content button

Opens a page that displays the contents of the selected VPN policy.

Note If you make any changes on this page, you cannot save them.

Mode

Select the required configuration mode for your remote device, as follows:

•Client—Specifies that all traffic from the remote client's inside network will undergo Port Address Translation (PAT) to a single IP address which was assigned for the device by the head end server at connect time.

•Network Extension—Specifies that PCs and other hosts at the client end of the VPN tunnel should be given IP addresses that are fully routable and reachable by destination network. PAT is not used, allowing the client PCs and hosts to have direct access to the PCs and hosts at the destination network.

•Network Extension Plus—An enhancement to Network Extension mode, that enables an IP address that is received via mode configuration to be automatically assigned to an available loopback interface. The IPsec SAs for this IP address are automatically created by the Easy VPN client. The IP address is typically used for troubleshooting (using ping, Telnet, and Secure Shell).

Note Network Extension Plus mode can be configured only on IOS routers. If the selected client device is a PIX 6.3 or ASA 5505 running OS version 7.2(1), Network Extension mode will be configured.

For more information, see Configuring Client Connection Characteristics for Easy VPN, page 9-79.

Xauth Credentials Source

Select how you want to enter the Xauth credentials for user authentication when you establish a VPN connection with the server, as follows:

•Device Stored Credentials (default)—The username and password are saved on the device itself in the device's configuration file to be used each time the tunnel is established.

•Interactive Entered Credentials—Enables you to manually enter the username and password each time Xauth is requested, in a web browser window or from the command line interface.

For more information, see Configuring Client Connection Characteristics for Easy VPN, page 9-79.

Xauth Credentials

Available only if you selected Device Stored Credentials as the Xauth Credentials Source.

Displays the default Xauth credentials.

Xauth Credentials are predefined objects. If required, click Select to open the Credentials Selector in which you can select different Xauth credentials, and from which you can create or edit Credential objects.

Note If you want to configure different Xauth credentials on your remote client, you must override the default one by clicking the Allow Value Override per Device check box in the Add/Edit Xauth Credentials dialog box.

For more information, see Creating Credential Objects, page 8-30.

User Authentication Method (IOS)

Available only if the remote device is an IOS router, and if you selected the Interactive Entered Credentials option for the Xauth credentials source.

Select one of these ways to enter the Xauth username and password interactively each time Xauth authentication is requested:

•Web Browser (default)—Manually in a web browser window (http page).

•Router Console—Manually from the command line interface (CLI).

Tunnel Activation (IOS)

If the remote device is an IOS router, and if you selected the Device Stored Credentials option for the Xauth password source, you must select a tunnel activation method, as follows:

•Auto (default)—The Easy VPN tunnel is established automatically when the Easy VPN configuration is delivered to the device configuration file. If the tunnel times out or fails, the tunnel automatically reconnects and retries indefinitely.

•Traffic Triggered Activation—The Easy VPN tunnel is established whenever outbound local (LAN side) traffic is detected. When using this option, you must specify the Access Control List (ACL) that defines the "interesting" traffic.

Traffic Triggered Activation is recommended for use when Easy VPN dial backup is configured so that backup is activated only when there is traffic to send across the tunnel.

Note Manual tunnel activation is configured implicitly when you select to configure the Xauth password interactively.

ACL (IOS)

If you selected the Traffic Triggered Activation option for Tunnel Activation, you must configure an ACL-triggered tunnel by specifying the Access Control List (ACL) that defines the "interesting" traffic.

Click Select to open the Access Control Lists Selector from which you can select the required ACL, or create or edit an ACL object.

Tunnel Group Name

The name of the tunnel group that contains the policies for this IPsec connection.

Group Policy

The group policy to be applied to the tunnel group. A group policy is a collection of user-oriented attribute/value pairs stored either internally on the device or externally on a RADIUS/LDAP server.

Click Select to open a dialog box that lists all available ASA group policies, and in which you can create an ASA group policy object.

AAA

Authentication Server Group

The name of the authentication server group (LOCAL if the tunnel group is configured on the local device).

You can click Select to open a dialog box that lists all available AAA server groups, and in which you can create AAA server group objects.

Note If you want to set the authentication server group per interface, click the Advanced tab.

If an AAA server with SDI protocol is selected, RADIUS SDI authentication is enabled. For more information, see Configuring a Tunnel Group Policy for Easy VPN, page 9-78

User LOCAL if Server Group fails

Available if you selected LOCAL for the authentication server group.

When selected, enables fallback to the local database for authentication if the selected authentication server group fails.

Authorization Server Group

The name of the authorization server group (LOCAL if the tunnel group is configured on the local device).

You can click Select to open a dialog box that lists all available AAA server groups, and in which you can create AAA server group objects.

User must exist in the authorization database to connect

When selected, specifies that the username of the remote client must exist in the database so a successful connection can be established. If the username does not exist in the authorization database, then the connection is denied.

Accounting Server Group

The name of the accounting server group (LOCAL if the tunnel group is configured on the local device).

You can click Select to open a dialog box that lists all available AAA server groups, and in which you can create AAA server group objects.

Strip Realm from Username

When selected, removes the realm from the username before passing the username on to the AAA server. A realm is an administrative domain. Enabling this option allows the authentication to be based on the username alone.

You must select this check box if your server cannot parse delimiters.

Strip Group from Username

When selected, removes the group name from the username before passing the username on to the AAA server. Enabling this option allows the authentication to be based on the username alone.

You must select this check box if your server cannot parse delimiters.

Client Address Assignment

DHCP Server

The DHCP servers to be used for client address assignments. The server uses the DHCP servers in the order listed. You can add up to 10 servers.

A default DHCP server is displayed. DHCP servers are predefined network objects. If you want to use a different DHCP server, or select additional DHCP servers, click Select to open the Network/Hosts selector that lists all available network hosts, and in which you can create network host objects.

Address Pools

The address pools from which IP addresses will be assigned. The server uses these pools in the order listed. If all addresses in the first pool have been assigned, it uses the next pool, and so on. You can specify up to 6 pools.

A default address pool is displayed. Address pools are predefined network objects. If you want to use a different address pool, or select additional address pools, click Select to open the Network/Hosts selector that lists all available network hosts, and in which you can create network host objects.

Preshared Key

The value of the preshared key for the tunnel group. The maximum length of a preshared key is 127 characters.

Trustpoint Name

The trustpoint name if any trustpoints are configured. A trustpoint represents a CA/identity pair and contains the identity of the CA, CA-specific configuration parameters, and an association with one enrolled identity certificate.

IKE Peer ID Validation

Select whether IKE peer ID validation is ignored, required, or checked only if supported by a certificate. During IKE negotiations, peers must identify themselves to one another.

Enable Sending Certificate Chain

When selected, enables the sending of the certificate chain for authorization. A certificate chain includes the root CA certificate, identity certificate, and key pair.

Enable Password Update with RADIUS Authentication

When selected, enables passwords to be updated with the RADIUS authentication protocol.

For more information, see Supported AAA Server Types, page 8-16.

Monitor Keepalive

When selected, enables you to configure IKE keepalive as the default failover and routing mechanism.

For more information, see Understanding ISAKMP/IPsec Settings, page 9-52.

Confidence Interval

The number of seconds that a device waits between sending IKE keepalive packets.

Retry Interval

The number of seconds a device waits between attempts to establish an IKE connection with the remote peer. The default is 2 seconds.

Use Entire DN as the Username

Select to use the entire Distinguished Name (DN) as the identifier for the username.

A distinguished name (DN) is a unique identification, made up of individual fields, that can be used as the identifier when matching users to a tunnel group. DN rules are used for enhanced certificate authentication on PIX Firewalls and ASA devices.

Specify Individual DN fields as the Username

Select to use individual DN fields as the username when matching users to the tunnel group.

A DN certificate is made up of different field identifiers to match users to tunnel groups.

Primary DN field

Available if you selected to use individual DN fields as the username.

Select the primary DN field identifier to be used for identification from the list.

Secondary DN field

Available if you selected to use individual DN fields as the username.

Select the secondary DN field identifier to be used for identification. Select None if no secondary field identifier is required.

Interface Role

The interface role to be associated with the authentication server group.

You can click Select to open a dialog box that lists all available interfaces, and sets of interfaces defined by interface roles, in which you can make your selection, or create interface role objects.

Server Group

The server group to be associated with the selected interface role.

You can click Select to open a dialog box that lists all available AAA server groups, and in which you can create AAA server group objects.

Use LOCAL if server group fails.

When selected, enables fallback to the LOCAL database if the selected server group fails.

Add >> button

Click to add the specified interface role and server group to the list.

Remove button

Click to remove an associated interface role and server group from the list.

Interface Role

The interface role to assign a client address to.

You can click Select to open a dialog box that lists all available interfaces, and sets of interfaces defined by interface roles, in which you can make your selection, or create interface role objects.

Address Pool

The address pool to be used to assign to a client address to the selected interface.

Address pools are predefined network objects. You can click Select to open a dialog box that lists all available network hosts, and in which you can create or edit network host objects.

Add >> button

Click to add the specified interface role and address pool to the list.

Remove button

Click to remove an associated interface role and address pool from the list.

All Windows Platforms

When selected, enables you to configure the specific revision level and URL of the VPN client on all Windows platforms.

Then enter the appropriate information in the fields provided.

Various Windows Platforms

When selected, enables you to configure the specific revision level and URL of the VPN client on Windows 95/98/ME or NT4.1/2000/XP platforms.

Then enter the appropriate information in the fields provided.

VPN Client Revisions

The specific revision level of the VPN3002 client.

Image URL

The specific URL of the VPN3002 client software image.

Transform Sets

The transform set(s) to be used for your tunnel policy. Transform sets specify which authentication and encryption algorithms will be used to secure the traffic in the tunnel. You can select up to six transform sets.

Transform sets may use only tunnel mode IPsec operation.

Note If more than one of your selected transform sets is supported by both peers, the transform set that provides the highest security will be used.

A default transform set is displayed. If you want to use a different transform set, or select additional transform sets, click Select to open a dialog box that lists all available transform sets, and in which you can create transform set objects. For more information, see Creating IPSec Transform Set Objects, page 8-36.

For more information, see About Transform Sets, page 9-49.

Reverse Route

Supported on ASA devices, PIX 7.0 devices, and Cisco IOS routers except 7600 devices.

Reverse Route Injection (RRI) enables static routes to be automatically inserted into the routing process for those networks and hosts protected by a remote tunnel endpoint. For more information, see About Reverse Route Injection, page 9-50.

Select one of the following options to configure RRI on the crypto map:

•None—To disable the configuration of RRI on the crypto map.

•Standard—To create routes based on the destination information defined in the crypto map access control list (ACL). This is the default option.

•Remote Peer—To create two routes, one for the remote endpoint and one for route recursion to the remote endpoint via the interface to which the crypto map is applied.

•Remote Peer IP—To specify an interface or address as the explicit next hop to the remote VPN device. Then, click Select to open the Network/Hosts Selector, from which you can select the IP address of the remote peer to be used as the next hop.

Note You can select the Allow Value Override per Device check box to override the default route, if required.

Enable Network Address Translation

Supported on PIX 7.0 and ASA devices.

When selected, enables you to configure Network Address Translation (NAT) on a device.

NAT enables devices that use internal IP addresses to send and receive data through the Internet. Private NAT addresses are converted to globally routable IP addresses when they try to access data on the Internet.

For more information, see Understanding NAT, page 9-53.

Group Policy Lookup/AAA Authorization Method

Supported on Cisco IOS routers only.

The AAA authorization method list that will be used to define the order in which the group policies are searched. Group policies can be configured on both the local server or on an external AAA server.

You can click Select to open a dialog box that lists all available AAA group servers, and in which you can create AAA group server objects.

User Authentication (Xauth)/AAA Authentication Method

Supported on Cisco IOS routers only.

The AAA or Xauth user authentication method used to define the order in which user accounts are searched.

Xauth allows all Cisco IOS software AAA authentication methods to perform user authentication in a separate phase after the IKE authentication phase 1 exchange. The AAA configuration list-name must match the Xauth configuration list-name for user authentication to occur.

For more information about defining user accounts, see Defining Accounts and Credential Policies, page 13-48.

You can click Select to open a dialog box that lists all available AAA group servers from which you can make your selection, and in which you can create additional AAA group server objects.

Enable Dynamic VTI

When selected, enables Security Manager to implicitly create a dynamic virtual template interface on the device.

Note If the device is a hub server that does not support Dynamic VTI, a warning message is displayed, and a crypto map is deployed without dynamic VTI. In the case of a client device, an error message is displayed.

Virtual Template IP

If you are configuring Dynamic VTI on a hub in the topology, specify either the subnet address or interface role:

•Subnet—To use the IP address taken from a pool of addresses. Then, in the Subnet field, enter the private IP address including the unique subnet mask, for example 10.1.1.0/24.

•Interface Role—To use a physical or loopback interface on the device. If required, click Select to open the Interface selector in which you can select or add an interface.

If you are configuring Dynamic VTI on a spoke in the topology, select None.

Routing Protocol

Select the required dynamic routing protocol (EIGRP, OSPF, or RIPv2,) or static route to be used for GRE or GRE Dynamic IP.

The default routing protocol is EIGRP.

AS Number

Available only if you selected the EIGRP routing protocol.

The number that is used to identify the autonomous system (AS) area to which the EIGRP packet belongs. The range is 1-65535. The default is 110.

An autonomous system (AS) is a collection of networks that share a common routing strategy. An AS can be divided into a number of areas, which are groups of contiguous networks and attached hosts. Routers with multiple interfaces can participate in multiple areas. An AS ID identifies the area to which the packet belongs. All EIGRP packets are associated with a single area, so all devices must have the same AS number.

Process Number

Available only if you selected the OSPF routing protocol.

The routing process ID number that will be used to identify the secured IGP that Security Manager adds when configuring GRE.

The range is between 1 and 65535. The default is 110.

Security Manager adds an additional Interior Gateway Protocol (IGP) that is dedicated for IPsec and GRE secured communication. An IGP refers to a group of devices that receive routing updates from one another by means of a routing protocol. Each "routing group" is identified by the process number.

For more information, see Understanding GRE, page 9-62.

Hello Interval

Available only if you selected the EIGRP routing protocol.

The interval between hello packets sent on the interface, between 1 and 65535 seconds. The default is 5 seconds.

Hold Time

Available only if you selected the EIGRP routing protocol.

The number of seconds the router will wait to receive a hello message before invalidating the connection. The range is between 1 and 65535. The default hold time is 15 seconds (three times the hello interval).

Delay

Available only if you selected the EIGRP routing protocol.

The throughput delay for the primary route interface, in microseconds. The range of the tunnel delay time is 1-16777215. The default is 1000.

Failover Delay

Available only if you selected the EIGRP routing protocol.

The throughput delay for the failover route interface, in microseconds. The range of the tunnel delay time is 1-16777215. The default is 1500.

Bandwidth

Available only if you selected the EIGRP routing protocol.

The amount of bandwidth available to the primary route interface for the EIGRP packets. You should enter a value that gives priority to the primary route over other routes.

You can enter a value in the range 1 to 10000000 kb. The default is 1000 kb.

The amount of bandwidth available to the primary route interface for the EIGRP packets. You can enter a value in the range 1 to 10000000 kb. The default is 1000 kb.

Note By default, the cost of sending a packet on an interface is calculated based on the bandwidth—the higher the bandwidth, the lower the cost.

Failover Bandwidth

Available only if you selected the EIGRP routing protocol.

The amount of bandwidth available to the failover route interface for the EIGRP packets.

Enter a value in the range 1 to 10000000 kb. The default is 1000 kb.

Hub Network Area ID

Available only if you selected the OSPF routing protocol.

The ID number of the area in which the hub's protected networks will be advertised, including the tunnel subnet. You can specify any number. The default is 0.

Spoke Protected Network Area ID

Available only if you selected the OSPF routing protocol.

The ID number of the area in which the remote protected networks will be advertised, including the tunnel subnet. You can specify any number. The default is 1.

Authentication

Available if you selected the OSPF or RIPv2 routing protocol.

A string that specifies the OSPF or RIPv2 authentication key. The string can be up to eight characters long.

Cost

Available if you selected the OSPF or RIPv2 routing protocol.

The cost of sending a packet on the primary route interface.

If the selected protocol is OSPF, enter a value in the range 1-65535; the default is 100.

If the selected protocol is RIPv2, enter a value in the range 1-15; the default is 1.

Failover Cost

Available if you selected the OSPF or RIPv2 routing protocol.

The cost of sending a packet on the secondary (failover) route interface.

You can enter a value in the range 1-65535 for OSPF (the default is 125), or in the range 1-15 for RIPv2 (the default is 2).

Filter Dynamic Updates on Spokes

When selected, enables the creation of a redistribution list that filters all dynamic routing updates on the spokes. This forces the spoke devices to advertise (populate on the hub device) only their own protected subnets and not other IP addresses.

Tunnel Parameters Tab

Tunnel IP

Select the required option to specify the GRE or GRE Dynamic IP tunnel interface IP address.

Note To view the new GRE tunnel and/or loopback interfaces in the Router Interfaces page, you must rediscover the device inventory details after successfully deploying the VPN to the device. For more information, see Basic Interface Settings on Cisco IOS Routers, page 13-13.

•Use Physical Interface—When selected, uses the private IP address of the tunnel taken from the protected network.

•Use Subnet—When selected, uses the tunnel IP address taken from an IP range. This is the default.

In the Subnet field, enter the private IP address including the unique subnet mask (default is 1.1.1.0/24).

If you are also configuring a dial backup interface, enter its subnet in the Dial Backup Subnet field provided (default is 1.1.2.0/24).

Note In most cases, when you use a subnet to specify a GRE tunnel interface IP address, Security Manager creates a loopback interface on the device which is used for the tunnel IP address. If the device belongs to a VPN topology whose configurations were discovered by Security Manager, and you configure an IP address directly on the device's GRE tunnel, Security Manager keeps that configuration and does not create a loopback interface on the device. However, a loopback is always configured on a hub in a VPN topology; in a hub-and-spoke VPN topology with multiple hubs, a loopback interface is also configured on the spokes.

•Use Loopback Interface—When selected, uses the tunnel IP address taken from an existing loopback interface.
In the Role field, enter the interface, or select it from the list of interface roles provided.

Configure Unique Tunnel Source for each Tunnel

Available only if the assigned IPsec technology is GRE Standard.

When enabled, each GRE tunnel interface in the VPN is assigned a unique tunnel source. In the Tunnel Source IP Range field, enter a subnet IP to be used as tunnel sources.

Note When enabled, this feature is set for all GRE tunnel interfaces in the VPN. If you want to assign a specific tunnel source for an interface, use the Peers page (see Peers Page).

Tunnel Source IP Range

Available only if the assigned IPsec technology is GRE Dynamic IP.

The private IP address including the unique subnet mask that supports the loopback for GRE. The GRE tunnel interface has an IP address (inside tunnel IP address) which is taken from a loopback interface that Security Manager creates specifically for this purpose.

When a spoke has a dynamic IP address, there is no fixed GRE tunnel source address (to be used by the GRE tunnel on the spoke side) or destination address (to be used by the GRE tunnel on the hub side). Therefore, Security Manager creates additional loopback interfaces on the hub and the spoke to use as the GRE tunnel endpoints. You must specify a subnet from which Security Manager can allocate an IP address for the loopback interfaces.

Enable IP Multicast

When selected, enables multicast transmissions across your GRE tunnels. IP multicast delivers application source traffic to multiple receivers without burdening the source or the receivers, while using a minimum of network bandwidth.

Rendezvous Point

Only available if you selected the Enable IP Multicast check box.

If required, you can enter the IP address of the interface that will serve as the rendezvous point (RP) for multicast transmission. Sources send their traffic to the RP. This traffic is then forwarded to receivers down a shared distribution tree.

Routing Protocol

Select the required dynamic routing protocol, or static route, to be used in the DMVPN tunnel.

Options include the EIGRP, OSPF, and RIPv2 dynamic routing protocols, and GRE static routes. On-Demand Routing (ODR) is also supported. On-Demand Routing is not a routing protocol. It can be used in a hub-and-spoke VPN topology when the spoke routers connect to no other router other than the hub. If you are running dynamic protocols, On-Demand Routing is not suitable for your network environment.

For more information, see Understanding GRE, page 9-62.

AS Number

Available only if you selected the EIGRP routing protocol.

The number that is used to identify the autonomous system (AS) area to which the EIGRP packet belongs. The range is 1-65535. The default is 110.

An autonomous system (AS) is a collection of networks that share a common routing strategy. An AS can be divided into a number of areas, which are groups of contiguous networks and attached hosts. Routers with multiple interfaces can participate in multiple areas. An AS ID identifies the area to which the packet belongs. All EIGRP packets are associated with a single area, so all devices must have the same AS number.

Process Number

Available only if you selected the OSPF routing protocol.

The routing process ID number that will be used to identify the secured IGP that Security Manager adds when configuring DMVPN.

The valid range for either protocol is 1-65535. The default is 110.

Hello Interval

Available only if you selected the EIGRP routing protocol.

The interval between hello packets sent on the interface, from 1 to 65535 seconds. The default is 5 seconds.

Hold Time

Available only if you selected the EIGRP routing protocol.

The number of seconds the router will wait to receive a hello message before invalidating the connection. The range is 1-65535. The default hold time is 15 seconds (three times the hello interval)

Delay

Available only if you selected the EIGRP routing protocol.

The throughput delay for the primary route interface, in microseconds. The range of the tunnel delay time is 1-16777215. The default is 1000.

Hub Network Area ID

Available only if you selected the OSPF routing protocol.

The ID number of the area in which the hub's protected networks will be advertised, including the tunnel subnet. You can enter any number. The default is 0.

Spoke Protected Network Area ID

Available only if you selected the OSPF routing protocol.

The ID number of the area in which the remote protected networks will be advertised, including the tunnel subnet. You can enter any number. The default is 1.

Authentication

A string that indicates the OSPF authentication key. The string can be up to eight characters long.

Cost

Available if you selected the OSPF or RIPv2 routing protocol.

The cost of sending a packet on the primary route interface.

If the selected protocol is OSPF, enter a value in the range 1-65535; the default is 100.

If the selected protocol is RIPv2, enter a value in the range 1-15; the default is 1.

Allow Direct Spoke to Spoke Connectivity

When selected, enables direct communication between spokes, without going through the hub.

Note With direct spoke-to-spoke communication, you must use the Main Mode Address option for preshared key negotiation. For more information, see Understanding Preshared Key Policies, page 9-56.

Filter Dynamic Updates On Spokes

Unavailable if you are using On-Demand Routing or a static route for your DMVPN tunnel.

When selected, enables the creation of a redistribution list that filters all dynamic routing updates (EIGRP, OSPF, and RIPv2) on spokes. This forces the spoke devices to advertise (populate on the hub device) only their own protected subnets and not other IP addresses.

Tunnel IP Range

The IP range of the inside tunnel interface IP address, including the unique subnet mask.

Note If CSM detects that a tunnel interface IP address already exists on the device, and its IP address matches the tunnel's IP subnet field, it will use that interface as the GRE tunnel.

Dial Backup Tunnel IP Range

If you are configuring a dial backup interface, enter its inside tunnel interface IP address, including the unique subnet mask.

Server Load Balance

When selected, enables the configuration of load balancing on a Cisco IOS router that serves as a hub in a multiple hubs configuration.

Server load balancing optimizes performance in a multiple hubs configuration, by sharing the workload. In this configuration, the DMVPN server hubs share the same tunnel IP and source IP addresses, presenting the appearance of a single device to the spokes in a VPN topology.

Enable IP Multicast

When selected, enables multicast transmissions across your GRE tunnels.

IP multicast delivers application source traffic to multiple receivers without burdening the source or the receivers, while using a minimum of network bandwidth.

Rendezvous Point

Only available if you selected the Enable IP Multicast check box.

If required, you can enter the IP address of the interface that will serve as the rendezvous point (RP) for multicast transmission. Sources send their traffic to the RP. This traffic is then forwarded to receivers down a shared distribution tree.

Tunnel Key

A number that identifies the tunnel key. The default is 1.

The tunnel key differentiates between different multipoint GRE (mGRE) tunnel Non Broadcast Multiple Access (NBMA) networks. All mGRE interfaces in the same NBMA network must use the same tunnel key value. If there are two mGRE interfaces on the same router, they must have different tunnel key values.

Note To view the newly created tunnel interfaces in the Router Interfaces page, you must rediscover the device inventory details after successfully deploying the VPN to the device. For more information, see Basic Interface Settings on Cisco IOS Routers, page 13-13.

Network ID

All Next Hop Resolution Protocol (NHRP) stations within one logical Non-Broadcast Multi-Access (NBMA) network must be configured with the same network identifier. Enter a globally unique, 32-bit network identifier within the range of 1 to 4294967295.

Hold time

The time, in seconds, that routers will keep information provided in authoritative NHRP responses. The cached IP-to-NBMA address mapping entries are discarded after the hold time expires.

The default is 300 seconds.

Authentication

An authentication string that controls whether the source and destination NHRP stations allow intercommunication. All routers within the same network using NHRP must share the same authentication string. The string can be up to eight characters long.

Group Name

Name of the Group Name of Interpretation (GDOI) group. This name is the same as a VPN name.

Group Identity

Parameter that is used to identify the group. All key servers and group members use this parameter to identify with the group.

The identity can be either a number or any IP address.

Security Policy

Note This field appears only if you are using the Create a VPN Topology wizard.

ACL Policy object to be used as the security policy.

Note The ACL policy object must contain a deny ACE statement as its first deny statement. This statement allows the group members to receive rekey packets sent using multicast protocol.

Authorization Type

Type of authorization mechanism used by the group: None, Certificates, or Preshared Key. Selecting Certificates or Preshared Key provides additional security in allowing only authorized group members to register with the key server. This type of additional security is required when a key server serves multiple GDIO groups.

If you select Certificates, you must define a certificates filter (either dn or fqdn). This filter, located on the key server, specifies the attributes and values used to validate whether the group member is authorized to join the GDIO or not.

Enter a name for the certificate filter and click the Create button. See Add Certificate Filter Dialog Box.

Key Distribution

Transport method used to distribute keys to each group member:

•Unicast or Multicast—If unicast is selected, the key server sends a rekey message to each registered group member and waits for an acknowledgment. If multicast is selected, the key server sends a rekey message to all group members at once.

Note If you select multicast, make sure that the router used as the key server is multicast enabled.

•Group IP Address—If multicast is selected as the transport method, specify the group IP address to be used for key distribution.

•Use Static IGMP Joins on Group Members—If multicast is selected as the transport method, this option is available. If you select this option, the static Source Specific Multicast (SSM) mappings are enabled, which reveal the source of multicast traffic to the group member. In the case of GET VPN, the group member learns the key server address.

RSA Key Label

Label used by key servers to sign rekey messages with.

Note Security Manager does not manage RSA keys and therefore appropriate keys need to be manually generated on the key server before deployment. FlexConfig can be used. See Creating FlexConfig Policy Objects, page 18-26.

Lifetime (KEK)

Number of seconds that the key used for encrypting traffic keys is valid.

Encryption Algorithm

Algorithm used to encrypt the rekey message from the key server to the group member.

Retransmits

Number of times the rekey message can be sent if one or more group members do not receive it.

Interval

Number of seconds between retries.

Use the Security Associations tab to define security associations for the selected VPN topology. The columns in the table summarize the settings for an entry and are explained in Add New Security Association Dialog Box.

To configure security associations:

•Click the Add button to add an entry to the table, and fill in the Add New Security Association dialog box.

•Select an entry and click the Edit button to edit an existing entry.

•Select an entry and click the Delete button to delete it.

File Type

Type of file: dn (domain name) or fqdn (fully-qualified domain name).

Subject Name

If you selected dn as the file type, specify a comma separated list of name=value pairs. For example, OU=Cisco, C=India.

Domain Name

If you selected fqdn as the file type, specify the fully qualified domain name (for example, cisco.com).

ID

ID number of the profile. Keep the default number or enter a new one.

IPSec Profile Name

Name of the IPSec profile.

Transform Sets

Transform sets (security protocols, algorithms, and other settings) defined for the IPSec profile. Click Select to choose from a list of predefined transform sets or to create a new one.

Security Policy

Access control lists defined for the security association. Click Select to choose from a list of predefined ACLs or to create a new one.

Enable Anti-Replay

Click the check box to enable the anti-replay feature. When enabled, you must select and define either the counter or time window size.

Enable IPSec Lifetime

Click the check box to enable the IPSec lifetime feature. When enabled, you must define the IPSec lifetime in kilobytes and/or seconds.

Available IKE Proposals

Lists the predefined IKE proposals available for selection.

Select the required IKE proposal in the list. The IKE proposal replaces the one in the Selected IKE Proposal field.

IKE proposals are predefined objects. If the required IKE proposal is not included in the list, click Add to open the IKE Editor dialog box that enables you to create or edit an IKE proposal object. For more information, see Add or Edit IKE Proposal Dialog Box, page F-53.

Selected

The selected IKE proposal with its predefined default values. The default is preshared_sha_3des_dh5_5.

Note You cannot edit the selected IKE proposal because it is a predefined object. You can only edit the properties of an IKE proposal object you create.

To remove the IKE proposal from this field, select a different one.

Create button

Opens the IKE Editor dialog box for creating an IKE proposal object. For more information, see Add or Edit IKE Proposal Dialog Box, page F-53.

Edit button

Opens the IKE Editor dialog box for editing the selected IKE proposal. For more information, see Add or Edit IKE Proposal Dialog Box, page F-53.

IKE Proposal

IKE proposal policy object. Click Select to open a list of predefined IKE proposal policy objects from which to choose.

IKE Proposal Settings

Settings defined for the selected IKE proposal policy object. For descriptions of these fields, see Add or Edit IKE Proposal Dialog Box, page F-53.

IKE Proposal Overrides

Number of seconds that the ISAKMP SA for key servers and group members is valid. When the lifetime is exceeded, the SA expires and must be renegotiated between the peers.

Note If a cooperative key server is configured, key servers should have long lifetimes to keep the ISAKMP SA active for cooperative key server communications.

Note We recommend that you set the group member lifetime low as compared to the key server lifetime, especially when cooperative key servers are configured.

Crypto Map Type

A crypto map combines all the components required to set up IPsec security associations. When two peers try to establish an SA, they must each have at least one compatible crypto map entry.

Select the type of crypto map you want to generate:

•Static—Use a static crypto map in a point-to-point or full mesh VPN topology.

•Dynamic—Dynamic crypto maps can only be used in a hub-and-spoke VPN topology. Dynamic crypto map policies allow remote peers to exchange IPsec traffic with a local hub, even if the hub does not know the remote peer's identity.

For more information, see About Crypto Maps, page 9-49.

Transform Sets

The transform set(s) to use for your tunnel policy. Transform sets specify which authentication and encryption algorithms will be used to secure the traffic in the tunnel. You can select up to six transform sets.

Note Transform sets may use tunnel mode or transport mode of IPsec operation. When IPsec or Easy VPN is the assigned technology, you cannot use transport mode.

A default transform set is displayed (tunnel_3des_sha). If you want to use a different transform set, or select additional transform sets, click Select to open a dialog box that lists all available transform sets, and in which you can create transform set objects. For more information, see Creating IPSec Transform Set Objects, page 8-36.

If more than one of your selected transform sets is supported by both peers, the transform set that provides the highest security will be used.

For more information, see About Transform Sets, page 9-49.

Enable Perfect Forward Secrecy

When selected, enables the use of Perfect Forward Secrecy (PFS) to generate and use a unique session key for each encrypted exchange.

The unique session key protects the exchange from subsequent decryption, even if the entire exchange was recorded and the attacker has obtained the preshared and/or private keys used by the endpoint devices.

Note To enable PFS, you must also select a Diffie-Hellman group for generating the PFS session key.

Modulus Group

Available if Enable Perfect Forward Secrecy is selected.

Select the required Diffie-Hellman key derivation algorithm from the Modulus Group list box.

Security Manager supports Diffie-Hellman group 1, group 2, group 5, and group 7 key derivation algorithms. Each group has a different size modulus:

•Group 1 (the default): 768-bit modulus.

•Group 2: 1024-bit modulus.

•Group 5: 1536-bit modulus.

•Group 7: Use when the elliptical curve field size is 163 characters.

For more information, see Deciding Which Diffie-Hellman Group to Use, page 9-46.

Lifetime (sec)

The number of seconds an SA will exist before expiring. The default is 3600 seconds (one hour).

Lifetime refers to the global lifetime settings for the crypto IPsec security association (SA). The IPsec lifetime can be specified in seconds, in kilobytes, or both.

Lifetime (kbytes)

The volume of traffic (in kilobytes) that can pass between IPsec peers using a given SA before it expires.

Valid values depend on the device type. Enter a value within the range 10-2147483647 for an IOS router, and 2560-536870912 for a PIX7.0/ASA device.

The default value is 4,608,000 kilobytes.

QoS Preclassify

Supported on Cisco IOS routers, except 7600 devices.

When selected, enables the classification of packets before tunneling and encryption occur.

The Quality of Service (QoS) for VPNs feature enables Cisco IOS QoS services to operate with tunneling and encryption on an interface.

The QoS features on the output interface classify packets and apply the appropriate QoS service before the data is encrypted and tunneled, enabling traffic flows to be adjusted in congested environments, and resulting in more effective packet tunneling.

Reverse Route

Supported on ASA devices, PIX 7.0 devices, and Cisco IOS routers except 7600 devices.

Reverse Route Injection (RRI) enables static routes to be automatically inserted into the routing process for those networks and hosts protected by a remote tunnel endpoint. For more information, see About Reverse Route Injection, page 9-50.

Select one of the following options to configure RRI on the crypto map:

•None—Disables the configuration of RRI on the crypto map.

•Standard—It creates routes based on the destination information defined in the crypto map access control list (ACL). This is the default option.

•Remote Peer—Creates two routes, one for the remote endpoint and one for route recursion to the remote endpoint via the interface to which the crypto map is applied.

•Remote Peer IP—Specifies an interface or address as the explicit next hop to the remote VPN device. Then, click Select to open the Network/Hosts Selector, from which you can select the IP address of the remote peer to be used as the next hop.

Note You can select the Allow Value Override per Device check box to override the default route, if required.

User Defined

When selected, enables you to use a manually defined preshared key.

Enter the required preshared key in the Key field, then enter it again in the Confirm field.

Auto Generated

When selected, allocates a random key to the participating peers. This ensures security because a different key is generated for every hub-spoke connection. Auto Generated is the default selection.

Note The key is allocated during the first deployment to the devices and is used in all subsequent deployments to the same devices, until you select the Regenerate Key (Only in Next Deployment) check box.

Key Length

The required length of the preshared key to be automatically generated (maximum 127 characters). The default is 24.

Same Key for All Tunnels

Unavailable in a point-to-point VPN topology.

When selected, enables you to use the same auto-generated key for all tunnels.

Note If you do not select this check box, different keys are used for the tunnels, except in cases, such as DMVPN configuration, when different multipoint GRE interfaces in the same network must use the same preshared key.

Regenerate Key (Only in Next Deployment)

Only available if Auto Generate is selected.

When selected, enables Security Manager to generate a new key for the next deployment to the device(s). This is useful if it is possible that the secrecy of the keys might be compromised.

Note When you submit the job for deployment, this check box is cleared. It does not remain selected because the new key will only be generated for the upcoming deployment, and not for subsequent deployments (unless you select it again).

Negotiation Method

Main Mode Address

This is the default negotiation method.

Use this negotiation method for exchanging key information, if the IP address of the devices is known. Negotiation is based on IP address. Main mode provides the highest security because it has three two-way exchanges between the initiator and receiver. Main mode address is the default negotiation method.

Then click one of the following three radio buttons to define the negotiation address type:

•Peer Address—Negotiation is based on the unique IP address of each peer. A key is created for each peer, providing high security. This is the default.

•Subnet—Creates a group preshared key on a hub in a hub-and-spoke topology to use for communication with any device in a specified subnet, even if the IP address of the device is unknown. Each peer is identified by its subnet. After selecting this option, enter the subnet in the field provided.

In a point-to-point or full mesh VPN topology, a group preshared key is created on the peers.

(continued)

Main Mode Address (continued)

•Wildcard—Creates a wildcard key on a hub or on a group of hubs in a hub-and-spoke topology to use when a spoke does not have a fixed IP address or belong to a specific subnet. In this case, all spokes connecting to the hub have the same preshared key, which could compromise security. Use this option if a spoke in your hub-and-spoke VPN topology has a dynamic IP address.

In a point-to-point or full mesh VPN topology, a wildcard key is created on the peers.

Note When configuring DMVPN with direct spoke-to-spoke connectivity, you create a wildcard key on the spokes.

Main Mode FQDN

Select this negotiation method for exchanging key information, if the IP address is not known and DNS resolution is available for the device(s). Negotiation is based on DNS resolution, with no reliance on IP address.

Aggressive Mode

Available only in a hub-and-spoke VPN topology.

Select this negotiation method for exchanging key information, if the IP address is not known and DNS resolution might not be available on the devices. Negotiation is based on hostname and domain name.

Note If direct spoke to spoke tunneling is enabled, you cannot use aggressive mode.

Available CA Servers

Lists the predefined CA servers available for selection.

CA servers are predefined PKI enrollment objects that contain server information and enrollment parameters that are required for creating enrollment requests for CA certificates.

Select the required CA server if you want to replace the default one in the Selected field.

If the required CA server is not included in the list, click Create to open a dialog box that enables you to create or edit a PKI enrollment object. For more information, see PKI Enrollment Dialog Box, page F-142.

Note If you are making a PKI enrollment request on an Easy VPN remote access system, you must configure each remote component (spoke) with the name of the user group to which it connects. You specify this information in the Organization Unit (OU) field in the Certificate Subject Name tab of the PKI Enrollment Editor dialog box. You do not need to configure the name of the user group on the hub (Easy VPN Server). For more information, see PKI Enrollment Dialog Box—Certificate Subject Name Tab, page F-150.

Selected

The selected CA server.

Note You cannot edit the selected CA server because it is a predefined object. You can only edit the properties of an object you define.

To remove the selected CA server, select a different one.

Save button

Saves your changes to the server but keeps them private. To publish your changes, click the Submit button on the toolbar.

Note To save the RSA key pairs and the CA certificates between reloads permanently to Flash memory on a PIX firewall version 6.3, you must configure the "ca save all" command. You can do this manually on the device or using a FlexConfig (see Chapter 18, "Managing FlexConfigs").

Hub

The name of the hub connected to the IPsec Terminator.

Weight

The capacity of the hub relative to other hubs connected to the IPsec Terminator.

A weighted round robin (WRR) scheduling algorithm is used to control the bandwidth allocated to output transmission queues. Weighting is based on the amount of bandwidth used by each transmit queue on an interface. Packets from queues with higher capacity are transmitted more often than those from queues with less capacity.

Max Connections

The maximum number of active connections to the IPsec Terminator permitted to the hub.

Edit button

Click to open the Edit Load Balancing Parameters Dialog Box, in which you can modify the parameters of a selected load balancing policy.

Weight

Specify the capacity of the hub relative to other hubs connected to the IPsec Terminator, based on the weighted round robin (WRR) scheduling algorithm.

You can enter a value between 1 and 255.

Max Connections

Specify the maximum number of active connections to the IPsec Terminator that are permitted to the hub.

You can enter a value between 1 and 65535. The default is 500.

Available User Groups

Lists the predefined user groups available for selection.

Select the required user group if you want to replace the default one in the Selected field.

User groups are predefined objects. If the required user group is not included in the list, click Create to open the User Groups Editor dialog box that enables you to create or edit a user group object.

Selected

Displays the selected user group.

To remove the selected user group, select a different one.

Note You cannot edit the selected user group because it is a predefined object. You can only edit the properties of an object you create.

ISAKMP Settings

Enable Keepalive

When selected, enables you to configure IKE keepalive as the default failover and routing mechanism.

IKE keepalive is defined on the spokes in a hub-and-spoke VPN topology, or on both devices in a point-to-point VPN topology.

Interval

The number of seconds that a device waits between sending IKE keepalive packets. The default is 10 seconds.

Retry

The number of seconds a device waits between attempts to establish an IKE connection with the remote peer. The default is 2 seconds.

Periodic

Available only if Enable Keepalive is selected, and supported on routers running IOS version 12.3(7)T and later, except 7600 devices.

When selected, enables you to send dead-peer detection (DPD) keepalive messages even if there is no outbound traffic to be sent. Usually, DPD keepalive messages are sent between peer devices only when no incoming traffic is received but outbound traffic needs to be sent.

For more information, see Understanding ISAKMP/IPsec Settings, page 9-52.

Identity

During Phase I IKE negotiations, peers must identify themselves to each other.

When selected, enables you to use the (IP) address or the hostname of the device that it will use to identify itself in IKE negotiations. You can also select to use a Distinguished Name (DN) to identify a user group name. The default is Address.

SA Requests System Limit

Supported on routers running IOS version 12.3(8)T and later, except 7600 routers.

The maximum number of SA requests allowed before IKE starts rejecting them. The specified value must equal or exceed the number of peers, or the VPN tunnels may be disconnected.

You can enter a value in the range of 0-99999.

SA Requests System Threshold

Supported on Cisco IOS routers and Catalyst 6500 /7600 devices.

The percentage of system resources that can be used before IKE starts rejecting new SA requests. The default is 75 percent.

Enable Aggressive Mode

Supported on ASA devices and PIX 7.0 devices.

When selected, enables you to use aggressive mode in ISAKMP negotiations, for an ASA device. Aggressive mode is enabled by default.

Deselect this check box to disable the use of aggressive mode in ISAKMP negotiations, for an ASA device.

See Understanding IKE, page 9-45.

Enable Lifetime

When selected, enables you to configure the global lifetime settings for the crypto IPsec security associations (SAs) on the devices in your VPN topology.

Lifetime (secs)

The number of seconds a security association will exist before expiring. The default is 3,600 seconds (one hour).

Lifetime (kbytes)

The volume of traffic (in kilobytes) that can pass between IPsec peers using a given security association before it expires. The default is 4,608,000 kilobytes.

Xauth Timeout

Available when Easy VPN is the selected technology, and the selected device is a Cisco IOS router or Catalyst 6500 /7600 device.

The number of seconds the device waits for a response from the end user after an IKE SA has been established.

When negotiating tunnel parameters for establishing IPsec tunnels in an Easy VPN configuration, Xauth adds another level of authentication that identifies the user who requests the IPsec connection. Using the Xauth feature, the client waits for a "username/password" challenge after the IKE SA has been established. When the end user responds to the challenge, the response is forwarded to the IPsec peers for an additional level of authentication.

Max Sessions

Supported on ASA devices and PIX 7.0 devices.

The maximum number of SAs that can be enabled simultaneously on the device.

Enable IPsec via Sysopt

Supported on ASA devices and PIX Firewalls versions 6.3 or 7.0.

When selected (the default), specifies that any packet that comes from an IPsec tunnel is implicitly trusted (permitted).

Enable SPI Recovery

Supported on routers running IOS version 12.3(2)T and later, in addition to Catalyst 6500/7600 devices running version 12.2(18)SXE and later.

When selected, enables the SPI recovery feature to configure your device so that if an invalid SPI (Security Parameter Index) occurs, an IKE SA will be initiated.

SPI (Security Parameter Index) is a number which, together with a destination IP address and security protocol, uniquely identifies a particular security association. When using IKE to establish security associations, the SPI for each security association is a pseudo-randomly derived number. Without IKE, the SPI is manually specified for each security association. When an invalid SPI occurs during IPsec packet processing, the SPI recovery feature enables an IKE SA to be established.

Enable Traversal Keepalive

When selected, enables you to configure NAT traversal keepalive on a device.

NAT traversal keepalive is used for the transmission of keepalive messages when there is a device (middle device) located between a VPN-connected hub and spoke, and that device performs NAT on the IPsec flow.

Note On Cisco IOS routers, NAT traversal is enabled by default. If you want to disable the NAT traversal feature, you must do this manually on the device or using a FlexConfig (see Chapter 18, "Managing FlexConfigs").

For more information, see Understanding NAT, page 9-53.

Interval

Available when NAT Traversal Keepalive is enabled.

The interval, in seconds, between the keepalive signals sent between the spoke and the middle device to indicate that the session is active. The NAT keepalive value can be from 5 to 3600 seconds. The default is 10 seconds.

Enable PAT (Port Address Translation) on Split Tunneling for Spokes

Supported on Cisco IOS routers and Catalyst 6500 /7600 devices.

When selected, enables Port Address Translation (PAT) to be used for split-tunneled traffic on spokes in your VPN topology.

PAT can associate thousands of private NAT addresses with a small group of public IP address, through the use of port addressing. PAT is used if the addressing requirements of your network exceed the available addresses in your dynamic NAT pool. See Understanding NAT, page 9-53.

Note When this check box is enabled, Security Manager implicitly creates an additional NAT rule for split-tunneled traffic, on deployment. This NAT rule, which denies VPN-tunneled traffic and permits all other traffic (using the external interface as the IP address pool), is not reflected as a router platform policy.

For information on creating or editing a dynamic NAT rule as a router platform policy, see Defining Dynamic NAT Rules, page 13-10.

Fragmentation Settings

Fragmentation Mode

Supported on Cisco IOS routers and Catalyst 6500 /7600 devices.

Fragmentation minimizes packet loss in a VPN tunnel when transmitted over a physical interface that cannot support the original size of the packet.

Select the required fragmentation mode option from the list:

•No Fragmentation—Select if you do not want to fragment before IPsec encapsulation. After encapsulation, the device fragments packets that exceed the MTU setting before transmitting them through the public interface.

•End to End MTU Discovery—Select to use ICMP messages for the discovery of MTU. Use this option when the selected technology is IPsec.

End-to-end MTU discovery uses Internet Control Message Protocol (ICMP) messages to determine the maximum MTU that a host can use to send a packet through the VPN tunnel without causing fragmentation.

Note For Catalyst 6500 /7600 devices, end-to-end path MTU discovery is supported only on images 12.2(33)SRA, 12.2(33)SRB, 12.2(33)SXH, 12.2(33)SXI or above.

•Local MTU Handling—Select to set the MTU locally on the devices. This option is typically used when ICMP is blocked, and when the selected technology is IPsec/GRE.

Local MTU Size

Supported on Cisco IOS routers and Catalyst 6500 /7600 devices, when Local MTU Handling is the selected fragmentation mode option.

Note The permitted MTU size is between 68 and 65535 bytes depending on the VPN interface.

DF Bit

Supported on Cisco IOS routers, Catalyst 6500 /7600 devices, PIX 7.0 and ASA devices.

A Don't Fragment (DF) bit within an IP header determines whether a device is allowed to fragment a packet.

Select the required setting for the DF bit:

•Copy—Copies the DF bit from the encapsulated header in the current packet to all the device's packets. If the packet's DF bit is set to fragment, all future packets are fragmented. This is the default option.

•Set—Sets the DF bit in the packet you are sending. A large packet that exceeds the MTU is dropped and an ICMP message is sent to the packet's initiator.

•Clear—Fragments packets regardless of the original DF bit setting. If ICMP is blocked, MTU discovery fails and packets are fragmented after encryption.

Enable Fragmentation Before Encryption

Supported on Cisco IOS routers, Catalyst 6500 /7600 devices, PIX 7.0 and ASA devices.

When selected, enables fragmentation to occur before encryption, if the expected packet size exceeds the MTU.

Lookahead Fragmentation (LAF) is used before encryption takes place to calculate the packet size that would result after encryption, depending on the transform sets configured on the IPsec SA. If the packet size exceeds the specified MTU, the packet will be fragmented before encryption.

Enable Notification on Disconnection

Supported on PIX 7.0 and ASA devices.

When selected, enables the device to notify qualified peers of sessions that are about to be disconnected. The peer receiving the alert decodes the reason and displays it in the event log or in a pop-up panel. This feature is disabled by default.

Enable Split Tunneling

When selected (the default), enables you to configure split tunneling in your VPN topology.

Split tunneling enables you to transmit both secured and unsecured traffic on the same interface. Split tunneling requires that you specify exactly which traffic will be secured and what the destination of that traffic is, so that only the specified traffic enters the IPsec tunnel, while the rest is transmitted unencrypted across the public network.

Enable Spoke-to-Spoke Connectivity through the Hub

Supported on PIX 7.0 and ASA devices.

When selected, enables direct communication between spokes in a hub-and-spoke VPN topology, in which the hub is an ASA/PIX 7.0 device.

Enable Default Route

Supported on Cisco IOS routers and Catalyst 6500 /7600 devices.

When selected, the device uses the configured external interface as the default outbound route for all incoming traffic.

ISAKMP Settings

Enable Keepalive

When selected, enables you to configure IKE keepalive as the default failover and routing mechanism.

IKE keepalive is defined on the spokes in a hub-and-spoke VPN topology, or on both devices in a point-to-point VPN topology.

Interval

The number of seconds that a device waits between sending IKE keepalive packets. The default is 10 seconds.

Retry

The number of seconds a device waits between attempts to establish an IKE connection with the remote peer. The default is 2 seconds.

Periodic

Available only if Enable Keepalive is selected, and supported on routers running IOS version 12.3(7)T and later, except 7600 devices. Periodic ISAKMP keep-alives should be configured for cooperative key servers.

When selected, enables you to send dead-peer detection (DPD) keepalive messages even if there is no outbound traffic to be sent. Usually, DPD keepalive messages are sent between peer devices only when no incoming traffic is received but outbound traffic needs to be sent.

For more information, see Understanding ISAKMP/IPsec Settings, page 9-52.

Identity

During Phase I IKE negotiations, peers must identify themselves to each other.

When selected, enables you to use the (IP) address or the hostname of the device that it will use to identify itself in IKE negotiations. You can also select to use a Distinguished Name (DN) to identify a user group name. The default is Address.

SA Requests System Limit

Supported on routers running IOS version 12.3(8)T and later, except 7600 routers.

The maximum number of SA requests allowed before IKE starts rejecting them. The specified value must equal or exceed the number of peers, or the VPN tunnels may be disconnected.

You can enter a value in the range of 0-99999.

SA Requests System Threshold

Supported on Cisco IOS routers and Catalyst 6500 /7600 devices.

The percentage of system resources that can be used before IKE starts rejecting new SA requests. The default is 75 percent.

IPsec Settings

Enable Lifetime

When selected, enables you to configure the global lifetime settings for the crypto IPsec security associations (SAs) on the devices in your VPN topology.

Lifetime (secs)

The number of seconds a security association will exist before expiring. The default is 3,600 seconds (one hour).

Lifetime (kbytes)

The volume of traffic (in kilobytes) that can pass between IPsec peers using a given security association before it expires. The default is 4,608,000 kilobytes.

Type

The VPN topology type: Hub-and-Spoke, Point-to-Point, or Full Mesh.

Description

A description of the VPN topology.

IPsec Terminator

Available if the VPN topology is large scale DMVPN.

The name of the IPsec Terminator(s) used to load balance GRE traffic to the hubs in the large scale DMVPN.

Primary Hub

Available if the VPN topology type is hub-and-spoke.

The name of the primary hub in the hub-and-spoke topology.

Failover Hubs

Available if the VPN topology type is hub-and-spoke.

The name of any secondary backup hubs that are configured in the hub-and-spoke topology.

Number of Spokes

Available if the VPN topology type is hub-and-spoke.

The number of spokes that are included in the hub-and-spoke topology.

Peer 1

Available if the VPN topology type is point-to-point.

The name of the device that is defined as Peer One in the point-to-point VPN topology.

Peer 2

Available if the VPN topology type is point-to-point.

The name of the device that is defined as Peer Two in the point-to-point VPN topology.

Number of Peers

Available if the VPN topology type is full mesh.

The number of devices included in the full mesh VPN topology.

IPsec Technology

The IPsec technology assigned to the VPN topology. See Understanding IPsec Technologies and Policies, page 9-5.

IKE Proposal

The security parameters of the IKE proposal configured in the VPN topology. See IKE Proposal Page.

Dynamic VTI

Available in an Easy VPN topology.

Displays if a dynamic virtual template interface is configured on a device in an Easy VPN topology. See Dynamic VTI Tab.

Transform Sets

The transform sets that specify the authentication and encryption algorithms that will be used to secure the traffic in the VPN tunnel. See IPsec Proposal Page.

Preshared Key

Unavailable if the selected technology is Easy VPN.

Specifies whether the shared key to use in the preshared key policy is user defined or auto-generated. See Preshared Key Page.

Public Key Infrastructure

If a Public Key Infrastructure policy is configured in the VPN topology, specifies the CA server. See Public Key Infrastructure Page.

Routing Protocol

Available only if the selected technology is IPsec/GRE, GRE Dynamic IP, or DMVPN.

The routing protocol and autonomous system (or process ID) number used in the secured IGP for configuring a GRE, GRE Dynamic IP, or DMVPN routing policy.

Note Security Manager adds a routing protocol to all the devices in the secured IGP on deployment. If you want to maintain this secured IGP, you must create a router platform policy using this routing protocol and autonomous system (or process ID) number.

See GRE Modes Page.

Tunnel Subnet IP

Available only if the selected technology is IPsec/GRE, GRE Dynamic IP, or DMVPN.

If a tunnel subnet is defined, displays the inside tunnel interface IP address, including the unique subnet mask.

See GRE Modes Page.

User Group

Available for an Easy VPN topology.

If a User Group policy is configured on a device in the Easy VPN topology, displays the details of the policy. See User Group Policy Page.

PIX7.0/ASA Tunnel Group

Available for an Easy VPN topology.

If a Tunnel Group policy is configured on a PIX Firewall version 7.0, or ASA appliance in the Easy VPN topology, displays the details of the policy. See Tunnel Group Policy (PIX 7.0/ASA) Page.

High Availability

Available if the VPN topology type is hub-and-spoke.

If a High Availability policy is configured on a device in your hub-and-spoke VPN topology, displays the details of the policy. See Map Settings Dialog Box, page B-10.

VRF-Aware IPsec

Available if the VPN topology type is hub-and-spoke.

If a VRF-Aware IPsec policy is configured on a hub in your hub-and-spoke VPN topology, displays the type of VRF solution (1-Box or 2-Box) and the name of the VRF policy. See VRF Aware IPsec Tab.

Type

An icon that depicts the topology type.

Name

The unique name that identifies the VPN topology.

IPsec Technology

The IPsec technology assigned to the VPN topology.

Description

Any description defined for the VPN topology.

Edit VPN Policies button

Click to edit the VPN policies defined for a selected VPN topology. The Site-to-Site VPN Policies window opens, displaying information about the VPN topology.

To edit a policy, select it in the Policies selector. A page opens on which you can view or edit the parameters for the selected policy. See Site to Site VPN Policies.

Create VPN Topology button

Opens the Create VPN wizard to create a VPN topology. See Create VPN Wizard.

Note You can also create a VPN topology by right-clicking in the table and selecting the Create VPN Topology option.

Edit VPN Topology button

Click to edit the properties of a selected VPN topology. The Edit VPN dialog box opens, displaying the Device Selection tab. See Device Selection Page.

Note You can also edit the properties of a VPN topology by double-clicking its row in the table, or right-clicking it and selecting the Edit VPN Topology option.

For more information, see About Editing a VPN Topology, page 9-25.

Delete VPN Topology button

Deletes a selected VPN topology. A dialog box opens asking you to confirm the deletion.

Note You can also delete a VPN topology by right-clicking it in the table and selecting the Delete VPN Topology option.

For more information, see Deleting a VPN Topology, page 9-28.

VPN Name

The name of the VPN being discovered.

Description

Any descriptive text or comments that you want to specify about the VPN.

Topology

The type of VPN that you want to discover—Hub and Spoke, Point to Point, or Full Mesh.

IPsec Technology

The IPsec technology assigned to the VPN—Regular IPsec, IPsec/GRE, GRE Dynamic IP (sub-technology), DMVPN, Easy VPN, or GET VPN.

Note If you selected IPsec/GRE, you must also specify the type which may be Standard (for IPsec/GRE) or Spokes with Dynamic IP (to configure GRE Dynamic IP).

Discover From

You can either discover the VPN directly from the network or from Config Archive.

•Network—Security Manager connects to all live devices to obtain the device configuration.

•Config Archive—Discovery from Config Archive is recommended if you use configuration files. The most recent version of the device configuration in Config Archive is used for all devices.

Available Devices

Lists all devices that can be included in your selected VPN topology, that support the IPsec technology type, and which you are authorized to view.

Note Clicking a device group selects all its devices.

>> button

Select devices and click this button to add them to the list.

<< button

Select devices and click this button to remove them from the list.

Hubs

Devices that are hubs in your hub-and-spoke topology. In an Easy VPN topology, the selected devices are servers.

Note If multiple devices are selected, you must make sure that the required primary hub device appears first in the list. You can use the Up and Down buttons to change the order of the hubs in the list.

You need to select the primary hub only when there are 2 or more IPsec terminators. When there is only one IPsec terminator, regardless of how many hubs are connected to the same IPsec terminator, it is not possible to designate one hub as the primary hub.

Spokes

Devices that are spokes in your hub-and-spoke topology. In an Easy VPN topology, the selected devices are clients.

Peer One/Peer Two

Devices that are peers in your point-to-point topology.

Selected Devices

Devices that participate in your full mesh topology.

Key Servers

Devices defined as key servers in your GET VPN topology.

Group Members

Devices defined as group members in your GET VPN topology.

Finish button

Saves your wizard definitions and closes the wizard.

The Discovery Status dialog box opens, allowing you to monitor the status of the VPN discovery task and view any relevant error or warning messages. See Viewing Policy Discovery Task Status, page 6-16.

Note When the process is complete, the Site-to-Site VPN Manager window opens, displaying summary information for the VPN that was discovered.

VPN Name

The name of the VPN whose policies will be rediscovered.

Note You cannot edit this VPN name.

Description

Any descriptive text or comments that you want to add about the VPN.

Discover From

Specify whether you want to rediscover the VPN policies directly from the network or from the Config Archive.

Note Only device specific VPN policies can be rediscovered.

•Network—When selected, Security Manager connects to all live devices to obtain the device configuration.

•Config Archive—When selected, the most recent version of the device configuration in Config Archive is used for all devices. Rediscovery from Config Archive is recommended if you use configuration files.

Available Devices

Lists all devices that can be included in your selected VPN topology, that support the IPsec technology type, and which you are authorized to view.

Note Clicking a device group selects all its devices.

>> button

Select devices and click this button to add them to the list.

<< button

Select devices and click this button to remove them from the list.

Hubs

The devices that are hubs in your hub-and-spoke topology. In an Easy VPN topology, the selected devices are servers.

Note If you selected only one device, it becomes the primary hub. If multiple devices are selected, you must make sure that the required primary hub device appears first in the list. You can use the Up and Down buttons to change the order of the hubs in the list.

Spokes

The devices that are spokes in your hub-and-spoke topology. In an Easy VPN topology, the selected devices are clients.

Peer One/Peer Two

The devices that are peers in your point-to-point topology.

Key Servers

Devices defined as key servers in your GET VPN topology.

Group Members

Devices defined as group members in your GET VPN topology.

Selected Devices

The devices that participate in your full mesh topology.

Finish button

Saves your wizard definitions and closes the wizard.

The Discovery Status dialog box opens, allowing you to monitor the status of the VPN rediscovery task and view any relevant error or warning messages. See Viewing Policy Discovery Task Status, page 6-16.

Note When the process is complete, the Site-to-Site VPN Manager window opens, displaying summary information for the VPN that was rediscovered.