Cisco Systems CL-28826-01 Security Camera User Manual


24-16
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 24 Managing Site-to-Site VPNs: The Basics
Understanding IPsec Technologies and Policies
Figure 24-5 VRF-Aware IPsec Two-Box Solution
Using the two-box solution, you configure VRF-Aware IPsec on devices in your VPN topology, as follows:

1. Configure the connection between the IPsec Aggregator and the PE device.

   Create a hub-and-spoke VPN topology and assign an IPsec technology to it. In this topology, the hub is the IPsec Aggregator, and the spokes may be Cisco IOS routers, PIX Firewalls, Catalyst VPN service modules, or Adaptive Security Appliance (ASA) devices. The IPsec Aggregator may be a security router or a Catalyst VPN service module. You then define the VRF parameters (VRF name and unique routing identifier) on the hub.

   Note: VRF-Aware IPsec supports the configuration of IPsec, GRE, or Easy VPN technologies on Cisco IOS routers and Catalyst VPN service modules. DMVPN is also supported, but only on Cisco IOS routers.

2. Specify the VRF forwarding interface (or VLAN for a Catalyst VPN service module) between the IPsec Aggregator and the PE device.

3. Define the routing protocol and autonomous system (AS) number to be used between the IPsec Aggregator and the PE. Available routing protocols include BGP, EIGRP, OSPF, RIPv2, and Static Route.

   If the routing protocol defined between the IPsec Aggregator and the PE differs from the routing protocol used for the secured IGP, routing is redistributed to the secured IGP, using this routing protocol and AS number. Routing is also redistributed from the secured IGP to the PE.

   Note: Redistributing the routing is only relevant when IPsec/GRE or DMVPN is the selected technology.
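
The three steps above, sketched as a hand-written Cisco IOS configuration for the IPsec Aggregator. This is an added example, not output generated by Security Manager and not taken from the guide. The VRF name, route distinguisher, interface, addresses, peer and AS numbers are constructed placeholders, BGP is assumed as the protocol toward the PE, and the spoke-facing IPsec proposal, keys and crypto map are left out.

```ios
! Constructed example: every name, address and AS number below is a placeholder.
!
! Step 1: VRF parameters on the hub (IPsec Aggregator): VRF name and
! unique routing identifier (route distinguisher).
ip vrf CUST-A
 rd 65000:101
!
! Assumption: IKEv1 with an ISAKMP profile. The "vrf" line places traffic
! decrypted for this spoke into CUST-A instead of the global routing table.
crypto isakmp profile CUST-A-SPOKES
 vrf CUST-A
 match identity address 198.51.100.10 255.255.255.255
!
! Step 2: VRF forwarding interface between the IPsec Aggregator and the PE.
! Apply "ip vrf forwarding" before the address; IOS removes an existing
! IP address when the interface is moved into a VRF.
interface GigabitEthernet0/1.101
 description To PE, customer CUST-A
 encapsulation dot1Q 101
 ip vrf forwarding CUST-A
 ip address 10.255.101.1 255.255.255.252
!
! Step 3: routing protocol and AS number between the Aggregator and the PE.
router bgp 65000
 address-family ipv4 vrf CUST-A
  neighbor 10.255.101.2 remote-as 65001
  neighbor 10.255.101.2 activate
 exit-address-family
!
! Checks after deployment:
!   show ip vrf interfaces CUST-A   (Gi0/1.101 must be listed under CUST-A)
!   show ip route vrf CUST-A        (PE-learned routes appear in this table only)
!   show ip route                   (customer prefixes must NOT appear here)
```

The last check is the isolation test: a customer prefix showing up in the global table means traffic is leaving its VRF.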
Related Topics
Understanding VRF-Aware IPsec, page 24-14
Configuring VRF Aware IPsec Settings, page 24-46