24-6
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 24 Managing Site-to-Site VPNs: The Basics
Understanding IPsec Technologies and Policies
• Including Unmanaged or Non-Cisco Devices in a VPN, page 24-11
• Understanding and Configuring VPN Default Policies, page 24-12
• Using Device Overrides to Customize VPN Policies, page 24-13
• Understanding VRF-Aware IPsec, page 24-14
Understanding Mandatory and Optional Policies for Site-to-Site VPNs
Some site-to-site VPN policies are mandatory, which means that you must configure them to create a
VPN topology or to save your changes when editing them. Most mandatory policies have predefined
defaults, which you can use to complete the definition of a VPN topology, but you typically must edit
the policies to ensure their settings work for your network.
Optional policies, which you need to configure only if you desire the services defined by the policy, do
not come with predefined defaults.
Tip You can configure your own mandatory policy defaults by creating shared policies that specify the
desired settings, and then by selecting these shared policies when creating a VPN. You can even make
the shared policies the defaults for the Create VPN wizard. However, these default policies do not apply
when you create Extranet VPNs; with Extranet VPNs, you must always configure the settings for
mandatory policies as part of the normal wizard flow. In addition, you cannot create a default policy for
IKEv2 Authentication. For more information, see Understanding and Configuring VPN Default Policies,
page 24-12.
Some mandatory policies are mandatory only under certain conditions. For example, an IKEv1 preshared
key policy is mandatory only if the default (mandatory) IKEv1 proposal uses preshared key
authentication. If the selected IKE authentication method is Certificate (RSA Signature), an IKEv1
Public Key Infrastructure policy is mandatory (see Deciding Which Authentication Method to Use,
page 25-8). If you allow IKEv2 negotiations in the topology, an IKEv2 Authentication policy is
mandatory.
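To make the conditional rules above concrete, here is an added example (not Cisco Security Manager code) that applies them to a hypothetical description of a Regular IPsec topology and reports which mandatory policies are still missing; the policy names are the ones used in this section, while the Topology data model and its field values are assumptions.

```python
"""Hypothetical checker (added example, not Cisco Security Manager code) that
applies this section's mandatory-policy rules to a Regular IPsec topology."""
from dataclasses import dataclass, field

# Policy names as used on this page; the Topology model below is an assumption.
IKE_PROPOSAL = "IKE Proposal"
IPSEC_PROPOSAL = "IPsec Proposal"
IKEV1_PSK = "IKEv1 Preshared Key"
IKEV1_PKI = "IKEv1 Public Key Infrastructure"
IKEV2_AUTH = "IKEv2 Authentication"
VPN_GLOBAL = "VPN Global Settings"  # optional: never part of the required set

IKEV1_AUTH_METHODS = ("preshared", "rsa-signature")  # rsa-signature = Certificate


@dataclass
class Topology:
    technology: str = "Regular IPsec"
    allow_ikev1: bool = True
    allow_ikev2: bool = False
    ikev1_auth: str = "preshared"  # auth method of the (mandatory) IKEv1 proposal
    configured: set = field(default_factory=set)  # policies already assigned


def required_policies(t: Topology) -> set:
    """Return the set of mandatory policies for a Regular IPsec topology."""
    if t.technology != "Regular IPsec":
        raise ValueError("only Regular IPsec is covered by this example")
    if not (t.allow_ikev1 or t.allow_ikev2):
        raise ValueError("at least one IKE version must be allowed")
    if t.ikev1_auth not in IKEV1_AUTH_METHODS:
        raise ValueError(f"unknown IKEv1 authentication method: {t.ikev1_auth}")
    req = {IKE_PROPOSAL, IPSEC_PROPOSAL}  # always mandatory
    if t.allow_ikev1:
        # Which IKEv1 policy is mandatory depends on the proposal's auth method.
        req.add(IKEV1_PSK if t.ikev1_auth == "preshared" else IKEV1_PKI)
    if t.allow_ikev2:
        req.add(IKEV2_AUTH)  # mandatory whenever IKEv2 negotiations are allowed
    return req


def missing_policies(t: Topology) -> set:
    """Mandatory policies not yet configured; an empty set means nothing is missing."""
    return required_policies(t) - t.configured
```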
The following table lists the mandatory and optional policies for each predefined technology that you
can assign to the devices in your site-to-site VPN topology.
Table 24-1 Site-to-Site VPN IPsec Technologies and Policies
Technology: Regular IPsec (see Understanding IPsec Proposals for Site-to-Site VPNs, page 25-18)
Mandatory Policies:
• IKE Proposal
• IPsec Proposal
• When allowing IKEv1, one of: IKEv1 Preshared Key or IKEv1 Public Key Infrastructure
• When allowing IKEv2, IKEv2 Authentication
Optional Policies:
• VPN Global Settings