24-23
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 24 Managing Site-to-Site VPNs: The Basics
Site-To-Site VPN Discovery
Table 24-3 VPN Discovery Rules (Continued)

If this condition exists: / The VPN discovery is handled as follows:

Condition: There are inconsistencies in the policies or values in the VPN configurations across the devices in the VPN.
Handling:
• If the values on the hub and the spokes differ, preference is given to the values on the hub.
• If a simple selection of one policy or value from several eligible policies or values is required and does not put functionality at risk, Security Manager selects a single policy/value that is common to all devices. For example, a VPN can have a single IKE policy only, whereas there can be more than one IKE policy on the devices.
• If selecting one value puts the functionality at risk, no value is discovered for the policy and a validation message is received upon deployment.
• If numeric values differ, a message is generated during discovery, and the lower value is discovered. For example, the lowest SA lifetime value in an IPsec policy.
• If none of the above options are possible, VPN discovery fails.

Condition: Preshared key configuration—there is a different key per set of peers.
Handling: The preshared key policy is not discovered; you will have to configure it after discovery is completed. Security Manager discovers preshared key policies only when the preshared key has the same value on all devices.

Condition: There is more than one eligible crypto map on the device.
Handling: The crypto map that is associated with all or the majority of the devices selected for VPN discovery is used.

Condition: A spoke does not have a crypto map associated with the hub.
Handling: VPN discovery proceeds but the spoke is not discovered and an error message is generated.

Condition: A device does not have the selected transform set value.
Handling: VPN discovery proceeds but the device might be removed from the VPN topology.

Condition: A device does not have the selected IKE proposal.
Handling: VPN discovery proceeds but the device might be removed from the VPN topology.

Condition: A device supports DVTI, but does not have DVTI or a crypto map configured.
Handling: VPN discovery fails.

Condition: A server supports DVTI, but does not have an IP address configured in the DVTI configuration.
Handling: VPN discovery proceeds but with a warning.

Condition: A client does not support DVTI.
Handling: If the hub is configured with DVTI, discovery proceeds without any warning or error.

Condition: A Hub and Spoke topology where the spokes are not using the same VPNSPA/VSPA slot on the hub (Catalyst 6500/7600).
Handling: VPN discovery fails.

Condition: The same set of key servers and group members are participating in more than one GET VPN.
Handling: Security Manager discovers only one of the topologies.
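The reconciliation rules in the first rows of Table 24-3 (hub preference for a differing scalar setting, a single policy common to all devices, the lowest of differing numeric values, a preshared key discovered only when identical everywhere, and the crypto map shared by the majority of devices) are modelled below as an added Python illustration. This is not Security Manager code: the Device record and its attribute names, the sample hub and spokes, and the message strings are all constructed for this example; it only shows how a reviewer can predict what discovery will keep, what it will warn about, and what will be left for manual configuration.

```python
from dataclasses import dataclass
from typing import Optional


# Constructed device record: attribute names are assumptions for this example,
# not Security Manager's data model.
@dataclass(frozen=True)
class Device:
    name: str
    ike_policies: frozenset          # IKE policies configured on the device
    transform_set: Optional[str]     # a single scalar setting, hub-preferred
    sa_lifetime: Optional[int]       # IPsec SA lifetime in seconds
    preshared_key: Optional[str]
    crypto_maps: frozenset           # crypto maps associated with VPN peers


def pick_common_policy(devices):
    """A VPN holds one IKE policy: choose one common to every device, else None."""
    common = frozenset.intersection(*(d.ike_policies for d in devices))
    return min(common) if common else None   # min() only makes the choice deterministic


def pick_hub_value(hub, spokes, attr, messages):
    """Scalar setting where hub and spokes differ: the hub's value is kept."""
    hub_value = getattr(hub, attr)
    if any(getattr(s, attr) != hub_value for s in spokes):
        messages.append(f"{attr}: spoke values differ from hub; hub value discovered")
    return hub_value


def pick_lowest_numeric(devices, attr, messages):
    """Numeric setting that differs across devices: warn and take the lowest."""
    values = {getattr(d, attr) for d in devices if getattr(d, attr) is not None}
    if len(values) > 1:
        messages.append(f"{attr}: values differ; lowest value discovered")
    return min(values) if values else None


def pick_preshared_key(devices):
    """Discovered only when every device carries the same key."""
    keys = {d.preshared_key for d in devices}
    return next(iter(keys)) if len(keys) == 1 else None


def pick_crypto_map(devices):
    """Among several eligible crypto maps, the one shared by the most devices."""
    counts = {}
    for d in devices:
        for cmap in d.crypto_maps:
            counts[cmap] = counts.get(cmap, 0) + 1
    return max(sorted(counts), key=counts.__getitem__) if counts else None


def discover_vpn(hub, spokes):
    """Apply the rules to a hub-and-spoke set; return (discovered values, messages)."""
    devices = [hub, *spokes]
    messages = []
    found = {
        "ike_policy": pick_common_policy(devices),
        "transform_set": pick_hub_value(hub, spokes, "transform_set", messages),
        "sa_lifetime": pick_lowest_numeric(devices, "sa_lifetime", messages),
        "preshared_key": pick_preshared_key(devices),
        "crypto_map": pick_crypto_map(devices),
    }
    if found["ike_policy"] is None:
        messages.append("ike_policy: no policy common to all devices; expect a validation message at deployment")
    if found["preshared_key"] is None:
        messages.append("preshared_key: differs across peers; not discovered, configure it after discovery")
    return found, messages


# Constructed sample topology: two IKE policies on the hub but only one shared
# with both spokes, a shorter SA lifetime on spoke-a, and a second key on spoke-b.
HUB = Device("hub", frozenset({"ike-1", "ike-2"}), "ts-aes256", 3600, "key-1", frozenset({"cmap-hub"}))
SPOKES = [
    Device("spoke-a", frozenset({"ike-2"}), "ts-aes256", 1800, "key-1", frozenset({"cmap-hub"})),
    Device("spoke-b", frozenset({"ike-2", "ike-3"}), "ts-aes128", 3600, "key-2",
           frozenset({"cmap-hub", "cmap-other"})),
]

if __name__ == "__main__":
    discovered, notes = discover_vpn(HUB, SPOKES)
    for key, value in discovered.items():
        print(f"{key}: {value}")
    for note in notes:
        print("note:", note)
```

Running the sample yields ike-2 as the single common IKE policy, the hub's transform set despite spoke-b differing, the lower SA lifetime of 1800 seconds with a warning, no preshared key (so it must be configured by hand after discovery), and cmap-hub as the majority crypto map.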