Cisco Systems CL-28826-01 Security Camera User Manual


 
24-47
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 24 Managing Site-to-Site VPNs: The Basics
Creating or Editing VPN Topologies
- In a VPN topology with two hubs, you must configure VRF-Aware IPsec on both devices.
- You cannot configure VRF-Aware IPsec on a device that belongs to another VPN topology in which VRF-Aware IPsec is not configured.
- You cannot configure VRF-Aware IPsec on hubs that have been configured with high availability. See Configuring High Availability in Your VPN Topology, page 24-49.
- Deployment might fail if the IPsec Aggregator is configured with the same keyring CLI command as the existing preshared key (keyring) command, and is not referenced by any other command. In this case, Security Manager does not use the VRF keyring CLI, but generates the keyring with a different name, causing deployment to fail. You must manually remove the preshared key keyring command through the CLI before you can deploy the configuration.
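
The keyring caveat above can be checked before deployment. The following is an added example, not code from Cisco or Security Manager: it scans a saved running configuration for keyrings that no ISAKMP profile references, so they can be reviewed and removed by hand. It assumes IOS `crypto keyring` and `crypto isakmp profile` syntax; the sample configuration and all names in it are constructed.

```python
import re

# Constructed sample of an IOS running-config excerpt (not from the manual).
SAMPLE_CONFIG = """\
crypto keyring kr-legacy
 pre-shared-key address 192.0.2.10 key EXAMPLE-KEY-1
crypto keyring kr-cust-a vrf cust-a
 pre-shared-key address 198.51.100.20 key EXAMPLE-KEY-2
!
crypto isakmp profile prof-cust-a
 vrf cust-a
 keyring kr-cust-a
 match identity address 198.51.100.20 255.255.255.255
"""

KEYRING_DEF = re.compile(r"^crypto keyring (\S+)(?: vrf (\S+))?\s*$")
PROFILE_START = re.compile(r"^crypto isakmp profile (\S+)\s*$")
KEYRING_REF = re.compile(r"^\s+keyring (\S+)\s*$")


def audit_keyrings(config_text):
    """Return (defined, unreferenced): a dict of keyring name -> VRF (or None),
    and the sorted keyring names that no ISAKMP profile references."""
    defined, referenced = {}, set()
    in_profile = False
    for line in config_text.splitlines():
        # Skip blank lines and "!" separator/comment lines.
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if not line[0].isspace():
            # An unindented line starts a new top-level command block.
            in_profile = bool(PROFILE_START.match(line))
            m = KEYRING_DEF.match(line)
            if m:
                defined[m.group(1)] = m.group(2)
        elif in_profile:
            # Indented "keyring NAME" inside an ISAKMP profile is a reference.
            m = KEYRING_REF.match(line)
            if m:
                referenced.add(m.group(1))
    return defined, sorted(set(defined) - referenced)


if __name__ == "__main__":
    defined, unreferenced = audit_keyrings(SAMPLE_CONFIG)
    for name in unreferenced:
        print(f"keyring {name!r} (vrf={defined[name]}) is not referenced; review before deploying")
```
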
Navigation Path
On the Endpoints Page of the Create VPN wizard or Edit VPN dialog box, or on the VPN Peers policy,
select a device that supports VRF-Aware IPsec configuration in a hub-and-spoke topology, and click
Edit to open the Edit Endpoints Dialog Box. Select the VRF-Aware IPsec tab in the Edit Endpoints
dialog box. For information on how to access these pages and dialog boxes, see Defining the Endpoints
and Protected Networks, page 24-33 and Creating or Editing VPN Topologies, page 24-28.
Field Reference
Table 24-10 Edit Endpoints Dialog Box, VRF Aware IPsec Tab

Element: Enable the VRF Settings Changes on All Selected Peers
Description: Available if you selected more than one device for editing in the Endpoints page. When selected, applies any changes you make in the VRF Settings tab to all the selected devices.

Element: Enable VRF Settings
Description: Whether to enable the configuration of VRF settings on the device.
Note: You can remove VRF settings that were defined for the VPN topology by deselecting this check box. However, if VRF-Aware IPsec is configured on a Catalyst 6500/7600 device, disabling it requires additional steps, as explained in Enabling and Disabling VRF on Catalyst Switches and 7600 Devices, page 24-17.

Element: VRF Solution
Description: The type of VRF solution you want to configure:
- 1-Box (IPsec Aggregator + MPLS PE)—In the one-box solution, one device serves as the Provider Edge (PE) router that does the MPLS tagging of the packets in addition to IPsec encryption and decryption from the Customer Edge (CE) devices. For more information, see VRF-Aware IPsec One-Box Solution, page 24-14.
- 2-Box (IPsec Aggregator Only)—In the two-box solution, the PE device does just the MPLS tagging, while the IPsec Aggregator device does the IPsec encryption and decryption from the CEs. For more information, see VRF-Aware IPsec Two-Box Solution, page 24-15.

Element: VRF Name
Description: The name of the VRF routing table on the IPsec Aggregator. The VRF name is case-sensitive.