24-53
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 24 Managing Site-to-Site VPNs: The Basics
Creating or Editing VPN Topologies
Table 24-12 GET VPN Group Encryption Policy Page (Continued)

Element            Description

Key Distribution
    The transport method used to distribute keys to each group member, either unicast or multicast. For help deciding which to use, see Choosing the Rekey Transport Mechanism, page 28-6.
    If you select unicast, the key server sends a rekey message to each registered group member and waits for an acknowledgment. If you select multicast, the key server sends a rekey message to all group members at once and does not wait for an acknowledgment. Rekey messages are retransmitted after the retransmit interval configured in this policy.
    If you select multicast, make sure that the router used as the key server is multicast enabled, and also configure the following options:
    Group IP Address—The IP address of the multicast group to be used for key distribution.
    Use Static IGMP Joins on Group Members—If you select this option, static Source Specific Multicast (SSM) mappings are enabled, which reveal the source of the multicast traffic to the group member. In the case of GET VPN, the group member learns the key server address.

RSA Key Label
    The label for the RSA key, which is used to encrypt a variety of messages. This key can either already exist on the device, or it can be an unused new label.
    If you are creating a new VPN, you are asked at the end of the Create VPN wizard whether you want this key synchronized among the key servers; if you click Yes, Security Manager generates the key if it does not already exist. If you change this value for an existing GET VPN, you need to synchronize keys from the Key Servers policy. For more detailed information about how this key is used, and the key generation and synchronization process, see Generating and Synchronizing RSA Keys, page 28-13.

Lifetime (KEK)
    The number of seconds that the key encryption key (KEK) is valid. This key is used for encrypting rekey messages. Before the end of this lifetime, the key server sends rekey messages to the group, which include a new KEK and its transforms and new TEKs and their transforms.
    The KEK lifetime value should be greater than the TEK lifetime value (it is recommended that the KEK lifetime be at least three times the TEK lifetime). The default value of 86,400 seconds is usually appropriate. The TEK lifetime value is configured for each security association (see Add New or Edit Security Association Dialog Box, page 24-55).

Encryption Algorithm
    The algorithm used to encrypt the rekey message from the key server to the group member.

Retransmits
    The number of times the rekey message can be resent if one or more group members do not receive it.

Interval
    The number of seconds between retries.
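The constraints this table states (KEK lifetime greater than, and preferably at least three times, the TEK lifetime; a Group IP Address required for multicast rekey) can be checked before a policy is deployed. The following checker is an added example and not part of Security Manager; the policy field names and the sample values are our own.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional

DEFAULT_KEK_LIFETIME = 86_400      # default from the table, in seconds
RECOMMENDED_KEK_TEK_RATIO = 3      # "at least three times the TEK lifetime"


@dataclass
class GroupEncryptionPolicy:
    """Subset of the Table 24-12 elements (field names assumed, not Cisco's)."""
    key_distribution: str                       # "unicast" or "multicast"
    kek_lifetime: int = DEFAULT_KEK_LIFETIME    # KEK lifetime, seconds
    tek_lifetime: int = 3600                    # TEK lifetime of the SA, seconds
    retransmits: int = 2                        # rekey retransmit count
    interval: int = 10                          # seconds between retries
    group_ip_address: Optional[str] = None      # multicast group, if multicast


def check_policy(p: GroupEncryptionPolicy) -> List[str]:
    """Return findings ('error: ...' or 'warning: ...'); empty means the policy passes."""
    findings: List[str] = []

    if p.key_distribution not in ("unicast", "multicast"):
        findings.append(f"error: key distribution must be unicast or multicast, got {p.key_distribution!r}")
    elif p.key_distribution == "multicast":
        # Multicast rekey needs a group address, and it must be a multicast (class D) address.
        if not p.group_ip_address:
            findings.append("error: multicast key distribution requires a Group IP Address")
        else:
            try:
                if not ip_address(p.group_ip_address).is_multicast:
                    findings.append(f"error: {p.group_ip_address} is not a multicast group address")
            except ValueError:
                findings.append(f"error: {p.group_ip_address!r} is not a valid IP address")

    # The KEK protects rekey messages, so it must outlive the TEKs it redistributes.
    if p.kek_lifetime <= p.tek_lifetime:
        findings.append(f"error: KEK lifetime {p.kek_lifetime}s must exceed TEK lifetime {p.tek_lifetime}s")
    elif p.kek_lifetime < RECOMMENDED_KEK_TEK_RATIO * p.tek_lifetime:
        findings.append(f"warning: KEK lifetime {p.kek_lifetime}s is below {RECOMMENDED_KEK_TEK_RATIO}x TEK lifetime {p.tek_lifetime}s")

    if p.retransmits < 0 or p.interval <= 0:
        findings.append("error: retransmits must be >= 0 and interval must be > 0 seconds")
    return findings


if __name__ == "__main__":
    # Constructed sample: multicast rekey with no group address and KEK == TEK.
    for line in check_policy(GroupEncryptionPolicy("multicast", kek_lifetime=3600, tek_lifetime=3600)):
        print(line)
```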