24-42
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 24 Managing Site-to-Site VPNs: The Basics
Creating or Editing VPN Topologies
If you are configuring a VPNSM or VPNSPA/VSPA with VRF-Aware IPsec on a device, the device cannot belong to a different VPN topology in which VRF-Aware IPsec is not configured. For more information, see Configuring VRF Aware IPsec Settings, page 24-46.
Create an inside VLAN on the Catalyst 6500/7600 device, or edit an existing port or VLAN configuration. If the device is configured with VRF-Aware IPsec, you must create a forwarding VLAN.
Notes for VPNSMs
Security Manager supports the configuration of multiple VPNSMs on a Catalyst 6500/7600 device, but only one module (or two if you are configuring intra-chassis high availability) can be configured per VPN topology.
VPNSM configuration requires that its parent Catalyst 6500/7600 device be running Cisco IOS Software release 12.2(18)SXD1 or later.
You can use only Layer 3 VLANs for VPNSM configuration.
Notes for VPNSPA/VSPAs
This configuration also applies if you are configuring an IPsec Terminator in a large scale DMVPN configuration. For more information, see Configuring Large Scale DMVPNs, page 26-16.
The VPN SPA supports the AES encryption algorithm for all key sizes (128-, 192-, and 256-bit), as well as the DES and 3DES encryption algorithms. For more information, see Deciding Which Encryption Algorithm to Use, page 25-6.
In VRF mode, the crypto engine slot slot/subslot {inside | outside} command is deployed on the inside and outside VPN interfaces.
Make sure that the Catalyst 6500/7600 device is running Cisco IOS Software release 12.2(18)SXE2 or later.
If you plan to use Crypto Connect Alternate mode (whereby encrypted traffic entering the VPNSM/VPN SPA is passed through and clear text traffic is bypassed), the Catalyst 6500 device must be running Cisco IOS Software version 12.2(33)SXH or later, and the 7600 router must be running 12.2(33)SRA or later.
In the case of a DMVPN topology in which multiple hubs participate, if one hub is configured with a VPN SPA blade, a tunnel key must not be configured on any of the devices, whether they are spokes or hubs. Devices that participate in such a topology must be running Cisco IOS Software version 12.3T or later in order to support tunnels without keys.
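As an added illustration that is not taken from this guide or from a Security Manager deployment, the following Catalyst 6500 IOS fragment shows where the crypto engine slot inside and outside commands land for a VPN SPA in VRF mode, with the inside (forwarding) VLAN bound to a VRF as the note above requires. The slot/subslot 4/0, VRF name, VLAN and interface numbers, addresses and crypto map name are assumed placeholder values.

```cisco
! Assumed values: VPN SPA in slot 4, subslot 0; VRF "cust-a"; VLAN 100; Gi1/1 outside
crypto engine mode vrf
!
ip vrf cust-a
 rd 100:1
!
! Inside (forwarding) VLAN: clear-text traffic from the VRF is handed to the SPA here
interface Vlan100
 ip vrf forwarding cust-a
 ip address 10.1.100.1 255.255.255.0
 crypto engine slot 4/0 inside
!
! Outside interface: encrypted traffic leaves toward the remote peer
interface GigabitEthernet1/1
 ip address 192.0.2.1 255.255.255.0
 crypto engine slot 4/0 outside
 crypto map VPN-MAP
```

When reviewing a deployed configuration, check that exactly one interface per VPN carries the inside designation and one the outside designation for the same slot/subslot; a VLAN without ip vrf forwarding under the inside marker is the mismatch that the VRF-Aware IPsec note is warning about.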
Navigation Path
On the Endpoints page of the Create VPN wizard or Edit VPN dialog box, or on the VPN Peers policy, select a Catalyst 6500/7600 device, then click Edit to open the Edit Endpoints dialog box. Select the FWSM tab in the Edit Endpoints dialog box. For information on how to access these pages and dialog boxes, see Defining the Endpoints and Protected Networks, page 24-33.