24-21
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 24 Managing Site-to-Site VPNs: The Basics
Site-To-Site VPN Discovery
provisioning mechanism leverages the content of the existing configuration as much as possible
(assuming the content matches the policies configured in Security Manager), but does not retain the
naming conventions used in the CLI commands.
Related Topics
• Prerequisites for VPN Discovery, page 24-21
• VPN Discovery Rules, page 24-21
• Discovering Site-to-Site VPNs, page 24-24
Prerequisites for VPN Discovery
For successful VPN discovery, the following prerequisites must be met:
• Except for Extranet VPNs, all devices participating in the VPN must be added to the Security
Manager inventory.
• You must provide Security Manager with some basic information about the VPN. The VPN
discovery wizard prompts you for the following information:
– VPN topology (hub and spoke, point to point, full mesh, Extranet).
– VPN technology (Regular IPsec, IPsec/GRE, GRE dynamic IP, DMVPN, Easy VPN, GET
VPN).
– Devices in the VPN and their roles (hub/spoke). For Extranet VPNs, you specify the managed
device only.
– Source of the VPN configuration. The VPN can be discovered directly from the live network or
from Security Manager’s Configuration Archive.
• Each device in the VPN must have a crypto map associated with a physical interface. This rule does
not apply to the remote (unmanaged) devices in an Extranet VPN.
• If you use OSPF as your routing protocol in a VPN topology, all devices in the VPN must use the
same OSPF process number.
• Each PIX 6.3 or ASA 5505 client device in an Easy VPN topology must have a vpnclient
configuration.
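The crypto map and OSPF prerequisites above can be checked against saved device configurations before running discovery. The following is an added example, not part of the Cisco guide or of Security Manager. It assumes IOS-style running-config text, a hypothetical list of logical interface prefixes, and constructed sample configs, and it does not cover PIX/ASA syntax or the vpnclient rule.

```python
import re

# Assumption of this example: these IOS interface-name prefixes are logical, not physical.
LOGICAL = ("loopback", "tunnel", "vlan", "virtual-template", "port-channel", "dialer", "bvi")

def parse_config(text):
    """Collect interfaces carrying a crypto map and OSPF process numbers from one config."""
    ifaces, ospf, current = [], set(), None
    for line in text.splitlines():
        if not line.startswith(" "):              # top-level command closes any interface block
            m = re.match(r"interface (\S+)", line)
            current = m.group(1) if m else None
            m = re.match(r"router ospf (\d+)", line)
            if m:
                ospf.add(int(m.group(1)))
        elif current and re.match(r" +crypto map \S+", line):
            ifaces.append(current)
    return ifaces, ospf

def is_physical(name):
    # Subinterfaces (names containing ".") are treated as logical here, also an assumption.
    return "." not in name and not name.lower().startswith(LOGICAL)

def check_prerequisites(configs):
    """configs maps device name -> running-config text; returns sorted (device, problem) pairs."""
    problems, ospf = [], {}
    for dev, text in configs.items():
        ifaces, procs = parse_config(text)
        if not any(is_physical(i) for i in ifaces):
            problems.append((dev, "no crypto map on a physical interface"))
        if procs:
            ospf[dev] = procs
    # Devices that run OSPF must have at least one process number in common.
    if ospf and not set.intersection(*ospf.values()):
        problems += [(d, "OSPF process %s not shared" % sorted(p)) for d, p in ospf.items()]
    return sorted(problems)

# Constructed sample configs (not taken from any real device).
SAMPLE = {
    "hub1": "interface GigabitEthernet0/0\n crypto map VPNMAP\n!\nrouter ospf 10\n",
    "spoke1": "interface Loopback0\n crypto map VPNMAP\n!\nrouter ospf 20\n",
}

if __name__ == "__main__":
    for device, problem in check_prerequisites(SAMPLE):
        print(device, "-", problem)
```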
Related Topics
• Supported and Unsupported Technologies and Topologies for VPN Discovery, page 24-20
• VPN Discovery Rules, page 24-21
• Discovering Site-to-Site VPNs, page 24-24
VPN Discovery Rules
The following table describes the rules by which Security Manager translates and discovers your VPN
configurations, and how it handles instances where your configuration on the device does not match what
is supported by Security Manager.