24-28
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 24 Managing Site-to-Site VPNs: The Basics
Step 5 Click Finish to close the wizard and start the rediscovery process. The Discovery Status window opens
and displays the status of the rediscovery and indicates whether the rediscovery of each device has been
successful or has failed (see Viewing Policy Discovery Task Status, page 5-21). Error or warning
messages indicate the source of any problems, which may be VPN-specific or device-specific.
When the rediscovery process completes successfully, and you close the Discovery Status dialog box,
the Site-to-Site VPN Manager window opens, displaying summary information for the VPN that was
rediscovered.
Creating or Editing VPN Topologies
Security Manager supports three basic types of topologies with which you can create a site-to-site VPN.
Use the Create VPN wizard to create a hub-and-spoke, point-to-point, or full mesh VPN topology across
multiple device types. For more information about these topologies, see Understanding VPN Topologies,
page 24-2.
Tip If you want to create an Extranet point-to-point VPN, read Creating or Editing Extranet VPNs,
page 24-63 instead of this topic.
Creating a VPN topology involves specifying the devices and the networks that make up the site-to-site
VPN. You define the devices and their roles (such as hub, spoke, peer, key server, group member), the
VPN interfaces that are the source and destination endpoints of the VPN tunnel, and the protected
networks that will be secured by the tunnel. When you create a VPN topology, you assign to it the IPsec
technology (such as Regular IPSec, IPSec/GRE, GRE Dynamic IP, DMVPN, Large Scale DMVPN, Easy
VPN, GET VPN) with which a predefined set of policies is associated. See Understanding Mandatory
and Optional Policies for Site-to-Site VPNs, page 24-6.
Note When you complete the Create VPN wizard, your topology might be immediately deployable, because
Security Manager provides defaults for mandatory policies. However, if you use Security Manager
defaults, be sure to verify that the settings will work properly in your network. For more information,
see Understanding and Configuring VPN Default Policies, page 24-12.
When you edit a VPN topology, the Edit VPN dialog box contains the same pages as the Create VPN
wizard (except for the VPN defaults page), but the pages are laid out in a tabbed format rather than being
presented as a wizard. The only exception is for GET VPN topologies, where you can edit only the name
and description of the topology (you must edit GET VPN policies to change topology attributes, see
Configuring GET VPN, page 28-12). Clicking OK on any tab in the dialog box saves your definitions
on all the tabs. For all topologies, you must edit mandatory and optional policies originally presented on
the VPN defaults page directly.
By editing a VPN topology, you can change its device structure (adding or removing devices), change
the VPN interfaces and protected networks defined for a device, or modify the policies that are assigned
to the VPN. For example, if your organization frequently opens new sites, you might need to add spokes
to an existing hub-and-spoke VPN while applying all policies of the VPN to the new spokes. Or, you
might want to increase resiliency by adding a secondary hub to a VPN that has only one hub. While
editing a VPN topology, you might also need to modify the policies assigned to it, for example, to change
an IKE algorithm to a more secure one, or to replace the DES encryption algorithm used by a VPN with a
stronger one.
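As an added illustration of how the topology type decides which tunnels have to exist (one new tunnel per added spoke in a hub-and-spoke VPN, one per spoke per hub once a secondary hub is added, all pairs in a full mesh) together with the kind of weak-setting check the Note above asks you to perform before trusting defaults. This is example code written for this page, not the guide's or Security Manager's own code; the topology model, the role names and the `WEAK_ENCRYPTION` set are assumptions.

```python
from itertools import combinations

# Constructed model of a site-to-site VPN topology (assumption, not Security
# Manager's data model): devices maps device name -> role ("hub", "spoke",
# "peer"); the policy dict carries the VPN's IKE and IPsec encryption choices.

def tunnels(topology: str, devices: dict) -> set:
    """Return the set of device pairs (frozensets) that need an IPsec tunnel."""
    if topology == "point-to-point":
        peers = [d for d, role in devices.items() if role == "peer"]
        if len(peers) != 2:
            raise ValueError("point-to-point VPN needs exactly two peers")
        return {frozenset(peers)}
    if topology == "hub-and-spoke":
        hubs = [d for d, role in devices.items() if role == "hub"]
        spokes = [d for d, role in devices.items() if role == "spoke"]
        if not hubs or not spokes:
            raise ValueError("hub-and-spoke VPN needs at least one hub and one spoke")
        # Every spoke gets a tunnel to every hub, so a secondary hub buys
        # resiliency at the cost of one extra tunnel per spoke.
        return {frozenset((h, s)) for h in hubs for s in spokes}
    if topology == "full-mesh":
        # Full mesh: a tunnel between every pair of devices, n*(n-1)/2 in total.
        return {frozenset(pair) for pair in combinations(devices, 2)}
    raise ValueError(f"unknown topology: {topology}")

def add_device(devices: dict, name: str, role: str) -> dict:
    """Return a copy of the topology with one more device (e.g. a new spoke)."""
    updated = dict(devices)
    updated[name] = role
    return updated

WEAK_ENCRYPTION = {"des"}  # assumption: algorithms that should not be kept

def weak_policy_findings(policy: dict) -> list:
    """Flag IKE or IPsec encryption settings that should be replaced."""
    findings = []
    for key in ("ike_encryption", "ipsec_encryption"):
        if policy.get(key, "").lower() in WEAK_ENCRYPTION:
            findings.append(f"{key} is {policy[key]}; replace it with a stronger algorithm")
    return findings

if __name__ == "__main__":
    vpn = {"hub1": "hub", "spoke1": "spoke", "spoke2": "spoke"}   # constructed sample
    print(len(tunnels("hub-and-spoke", vpn)))                      # 2 tunnels
    print(len(tunnels("hub-and-spoke", add_device(vpn, "hub2", "hub"))))  # 4 tunnels
    print(weak_policy_findings({"ike_encryption": "AES", "ipsec_encryption": "DES"}))
```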