24-52
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 24 Managing Site-to-Site VPNs: The Basics
Creating or Editing VPN Topologies
Table 24-12 GET VPN Group Encryption Policy Page

Element / Description

Group Settings Tab

Group Name
  The name of the Group Domain of Interpretation (GDOI) group. This name is the same as the VPN name.

Group Identity
  A parameter that is used to identify the group. All key servers and group members use this parameter to identify themselves with the group. The identity can be either a number (such as 3333) or any IP address (such as the multicast address used for rekey).

Receive Only
  If enabled, group members decrypt traffic and forward it in clear text. This feature is useful for testing the VPN. In normal operation, ensure that this option is not selected. For detailed information, see Using Passive Mode to Migrate to GET VPN, page 28-23.

Security Policy (Create VPN wizard only.)
  An ACL policy object to be used as the security policy. For a detailed explanation of the contents of this object and how it relates to the group member security policy, see Understanding the GET VPN Security Policy and Security Associations, page 28-10.
  This field appears only if you are using the Create VPN wizard. In the Group Encryption Policy, you configure the security policy on the Security Associations tab (described below).
  Note: If you are using multicast as the method to distribute the keys, the ACL policy object must contain a deny rule (ACE) for the multicast address. In this way, the rekey packets sent using multicast will not be encrypted by the TEK. This statement allows the group members to receive rekey packets sent using the multicast protocol.

Authorization Type
  The type of authorization mechanism used by the group: None, Certificates, or Preshared Key. Selecting Certificates or Preshared Key provides additional security by allowing only authorized group members to register with the key server. This type of additional security is required when a key server serves multiple GDOI groups.
  If you select Certificates, you must create a list of certificate filters (using some combination of distinguished name or fully-qualified domain name attributes). This filter, located on the key server, specifies the attributes and values used to validate whether the group member is authorized to join the GDOI group. Enter a name for the certificate filter, click the Add Row (+) button, and fill in the Add Certificate Filter Dialog Box, page 24-54.
  Note: To configure certificate authorization, you must also configure a Public Key Infrastructure (PKI) policy for the GET VPN. The PKI enrollment object that you use should define the same distinguished names, or include the device's fully-qualified domain name, as appropriate.
  If you select Preshared Key, also select an ACL policy object to identify the authorized group members. Use permit rules to identify the host or network addresses of group members.
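The Security Policy note above requires a deny ACE for the multicast rekey address, and because an ACL is evaluated first-match, that deny must also precede any permit that would otherwise cover the group. The following check is an added example, not code from the Cisco guide or from Security Manager; it walks a candidate security-policy ACL in IOS extended-ACL wildcard syntax and reports whether a key-server rekey to the multicast group would be left in clear text. All addresses and ACL lines are constructed for illustration.

```python
# Added example (not from the Cisco guide): first-match evaluation of a
# GET VPN security-policy ACL to confirm that rekey packets sent to the
# multicast rekey address hit a deny ACE before any permit, so the group
# members do not apply the TEK to them. Port qualifiers are ignored and
# wildcard masks are assumed contiguous; sample data is constructed.
import ipaddress

def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    # Contiguous wildcard -> prefix length (0.255.255.255 -> /8, 0.0.0.255 -> /24).
    return ipaddress.ip_network(f"{t}/{32 - wildcard.bit_length()}", strict=False)

def parse_ace(line):
    """'permit ip 10.0.0.0 0.255.255.255 any' -> dict with action, proto, src, dst."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    return {"action": action, "proto": proto,
            "src": _parse_addr(tokens), "dst": _parse_addr(tokens)}

def policy_action(acl_text, proto, src, dst):
    """Action of the first ACE matching the packet; IOS ends every ACL with an implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in (parse_ace(l) for l in acl_text.strip().splitlines()):
        if ace["proto"] in ("ip", proto) and src in ace["src"] and dst in ace["dst"]:
            return ace["action"]
    return "deny"

def rekey_excluded(acl_text, key_server, rekey_group):
    """True if a UDP rekey from the key server to the multicast group stays in clear text."""
    return policy_action(acl_text, "udp", key_server, rekey_group) == "deny"

# Constructed sample policies: the deny for the rekey group must come first.
POLICY_OK = """
deny ip any host 239.192.1.190
permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
"""
POLICY_BAD = """
permit ip 10.0.0.0 0.255.255.255 any
deny ip any host 239.192.1.190
"""

if __name__ == "__main__":
    for name, policy in (("ok", POLICY_OK), ("bad", POLICY_BAD)):
        print(name, rekey_excluded(policy, "10.1.1.1", "239.192.1.190"))
```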