Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 24 Managing Site-to-Site VPNs: The Basics
Site-To-Site VPN Discovery
device-specific policies, such as VPN interfaces and protected networks, and any High Availability (HA) policies that are configured on hubs, can be rediscovered. VPN global policies, such as IKE proposals or PKI enrollments, cannot be rediscovered. In addition, you cannot rediscover the following topologies:
• Easy VPN topologies with Dynamic VTI
• Extranet VPNs

This procedure describes how to rediscover the configurations of a Site-to-Site VPN topology that already exists in Security Manager.

Related Topics
• Discovering Site-to-Site VPNs, page 24-24
• Discovering Policies, page 5-12
• Prerequisites for VPN Discovery, page 24-21
• VPN Discovery Rules, page 24-21
• Understanding Devices Supported by Each IPsec Technology, page 24-9
• Including Unmanaged or Non-Cisco Devices in a VPN, page 24-11

Step 1 In the Site-to-Site VPN Manager window, right-click the VPN topology whose configurations you want to rediscover and select Rediscover Peers. This opens the Rediscover VPN Policies Wizard—Name and Technology page.

This page displays the type of topology and IPsec technology used in the VPN, which you cannot change.

Step 2 Specify the following information:
• VPN Discovery Name—The name of the rediscover VPN job.
• Description—An optional description of the VPN.
• Discover From—You can either rediscover the VPN directly from the network or from Configuration Archive.
  - Network—Security Manager connects to all live devices to obtain the device configuration.
  - Config Archive—Rediscovery from Configuration Archive is recommended if you deploy to configuration files instead of live devices. The most recent version of the device configuration in Configuration Archive is used for all devices.

Step 3 Click Next to open the Rediscover VPN Policies Wizard—Device Selection page.

Step 4 Select the devices whose peer-level policies need to be rediscovered and their role in the VPN (hub, spoke, peer one, peer two, key server, group member, or simply selected devices for full-mesh VPNs) depending on the topology type. For Easy VPN topologies, servers are hubs and clients are spokes.

If there are two or more IPsec terminators in a hub-and-spoke VPN, use the Up and Down arrow buttons to ensure the primary hub is listed first. When there is only one IPsec terminator, regardless of how many hubs are connected to the same IPsec terminator, it is not possible to designate one hub as the primary hub.

For more detailed information on selecting devices for a VPN, see Selecting Devices for Your VPN Topology, page 24-32.