Cisco Systems CL-28826-01 Security Camera User Manual


24-34
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 24 Managing Site-to-Site VPNs: The Basics
Creating or Editing VPN Topologies
Tips:
This configuration applies to all IPsec technology types except GET VPN. To configure GET VPN endpoints when creating the VPN, see Defining GET VPN Peers, page 24-57. For existing GET VPNs, configure endpoints using the Key Servers and Group Members policies; see Configuring GET VPN Key Servers, page 28-18 and Configuring GET VPN Group Members, page 28-20.

The devices listed on this page are selected in the Device Selection Page (see Selecting Devices for Your VPN Topology, page 24-32). You can change the list only when editing the Peers policy, where you can select a device and click the Delete (trash can) button to remove it. To add devices, you must edit the VPN topology itself.

Although you can edit the endpoints for an Extranet VPN using the Peers policy, you should instead edit the endpoints through the Edit Extranet VPN dialog box by editing the VPN topology. The Endpoints page does not appear in the Create Extranet VPN wizard.
The table shows the role each device plays in the VPN (hub, spoke, peer, or IPsec Terminator), the device name, and the VPN interface and protected networks. Initially, the VPN interface and protected network are set to the default interface roles defined in the Security Manager Administrative settings for external and internal interfaces (see VPN Policy Defaults Page, page 11-53). The endpoint configuration might include settings not shown in this table, but the VPN interface and protected network are the only required settings.
To change the endpoint configuration for a device, select it and click the Edit Row button beneath the table. You can select more than one device to edit at a time, but the devices must serve the same role, and you cannot include Catalyst 6500/7600 devices or VPN service modules when selecting multiple devices. You perform endpoint editing in the Edit Endpoints Dialog Box, whose content differs depending on the selected device type and IPsec technology.
See the following topics for detailed information about the options you can configure in the Edit Endpoints dialog box:

• VPN Interface tab—To configure the VPN interface and other required interface settings (see Configuring VPN Interface Endpoint Settings, page 24-35). In some cases, you can also configure dial backup (for more information about dial backup, see Configuring Dial Backup, page 24-39).

  For Catalyst 6500/7600 devices, the VPN Interface tab provides settings that enable you to configure a VPN Services Module (VPNSM) or a VPNSPA/VSPA blade on the device (which might be an IPsec Terminator in a large scale DMVPN); these settings are described in Configuring VPNSM or VPN SPA/VSPA Endpoint Settings, page 24-41.

• Extranet Device Details—To configure the endpoint settings for the remote (unmanaged) device in an Extranet VPN. The tab appears in the Peers policy only. Instead of editing the information on this tab, the preferred method is to edit the VPN topology and change the settings there. For more information, see Creating or Editing Extranet VPNs, page 24-63.

• Hub Interface tab—If the selected device is a hub in a large scale DMVPN, specify the interface that is connected to the IPsec Terminator. See Configuring Large Scale DMVPNs, page 26-16.

• Protected Networks tab—To define the networks that are encrypted (see Identifying the Protected Networks for Endpoints, page 24-45). The protected network can be an interface role, a network/host group object, or, in the case of regular IPsec, an ACL policy object.

• FWSM tab—To define the settings that enable you to connect between a Firewall Services Module (FWSM) and an IPsec VPN Services Module (VPNSM) or VPNSPA/VSPA that is already configured on a Catalyst 6500/7600 device. This is possible only in a hub-and-spoke