24-57
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 24 Managing Site-to-Site VPNs: The Basics
Creating or Editing VPN Topologies
Defining GET VPN Peers
Use the GET VPN Peers page of the Create VPN wizard to configure peer properties for the key servers
and group members in a GET VPN topology. After creating the topology, use the Key Servers and
Group Members policies to modify these settings. The policies are the same as the wizard page, except
that the key server and group member tables are split into separate policies.
Tip The list of key servers and group members includes the devices you selected on the Device Selection
page of the wizard (see Selecting Devices for Your VPN Topology, page 24-32). You can use the Add (+)
and Delete (trash can) buttons to add or remove devices from this page.
Examine the list of key servers and group members to determine if the default settings are appropriate
for your VPN. You can select Matching Interfaces from the Show field below each table to display the
actual interfaces that will be selected by the default interface roles. The interface roles must resolve to
actual interfaces on the device for the GET VPN configuration to be valid.
Before You Begin
This procedure describes how to define peers for GET VPN when creating a new VPN, and explains just
the GET VPN peers configuration. For information on opening the Create VPN wizard, see Creating or
Editing VPN Topologies, page 24-28.
Related Topics
• Configuring Fail-Close to Protect Registration Failures, page 28-8
• Using Passive Mode to Migrate to GET VPN, page 28-23
• Configuring GET VPN Key Servers, page 28-18
• Configuring GET VPN Group Members, page 28-20
Enable IPSec Lifetime
Whether to configure an IPsec security association lifetime that overrides the global setting, which is
configured in the Global Settings for GET VPN policy (see Configuring Global Settings for GET VPN,
page 28-16). This lifetime controls how long a traffic encryption key (TEK) can be used before a rekey
is required.
You can specify the lifetime as a volume of traffic (in kilobytes) passed between group members, as a
time in seconds, or both. The key expires as soon as either value is reached, so the effective lifetime is
the shorter of the two. Use the following recommendations:
• The TEK lifetime should be significantly shorter than the lifetime used for the key encryption key
(KEK) (see Defining GET VPN Group Encryption, page 24-51), perhaps a third of its length.
• Prefer a timed lifetime over a volume-based one: at high traffic volumes a kilobyte limit can trigger
excessive rekeys, with potential data loss.
• Leave a field blank to keep the global setting for that value.
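The lifetime rules above are easy to get wrong when both a timed and a volume limit are set, because the TEK then expires at whichever limit is reached first. The following Python script is an added example, not part of the Cisco guide and not code from Security Manager; it encodes the recommendations as a pre-deployment check: it works out when a kilobyte limit would expire at an assumed steady throughput, reports the effective (shorter) lifetime, and flags a TEK lifetime longer than a third of the KEK lifetime. The throughput figure, the 1 kilobyte = 1024 bytes convention, the sample lifetimes and the function names are assumptions made for the example.

```python
"""Sanity-check GET VPN TEK lifetime overrides before pushing them to the group.

Added example; not from the Cisco Security Manager guide. Assumptions: the
kilobyte counter uses 1 KB = 1024 bytes, and traffic is a steady stream at
the throughput given by the caller.
"""
from dataclasses import dataclass
from typing import List, Optional

# Guide recommendation: TEK lifetime about a third of the KEK lifetime.
KEK_TO_TEK_RATIO = 3


@dataclass(frozen=True)
class TekLifetime:
    """Per-SA override for the Enable IPSec Lifetime fields.

    None for a field means "leave that global setting in force".
    """
    seconds: Optional[int] = None
    kilobytes: Optional[int] = None


def volume_expiry_seconds(kilobytes: int, throughput_mbps: float) -> float:
    """Seconds until a volume-based lifetime is exhausted at a steady rate.

    Assumes 1 kilobyte = 1024 bytes (example assumption, not stated in the guide).
    """
    if throughput_mbps <= 0:
        raise ValueError("throughput must be positive")
    bits = kilobytes * 1024 * 8
    return bits / (throughput_mbps * 1_000_000)


def _timed_limit(tek: TekLifetime, global_tek_seconds: int) -> int:
    # A blank seconds field keeps the global timed lifetime.
    return tek.seconds if tek.seconds is not None else global_tek_seconds


def effective_lifetime_seconds(tek: TekLifetime, kek_seconds: int,
                               global_tek_seconds: int, throughput_mbps: float) -> float:
    """Lifetime the TEK will actually reach: the earlier of the timed and volume limits."""
    candidates = [float(_timed_limit(tek, global_tek_seconds))]
    if tek.kilobytes is not None:
        candidates.append(volume_expiry_seconds(tek.kilobytes, throughput_mbps))
    return min(candidates)


def check_tek_lifetime(tek: TekLifetime, kek_seconds: int,
                       global_tek_seconds: int, throughput_mbps: float) -> List[str]:
    """Return human-readable warnings for settings that break the guide's recommendations."""
    warnings: List[str] = []
    timed = _timed_limit(tek, global_tek_seconds)

    # Recommendation 1: TEK lifetime should be no more than ~1/3 of the KEK lifetime.
    if timed * KEK_TO_TEK_RATIO > kek_seconds:
        warnings.append(
            f"TEK timed lifetime {timed}s exceeds 1/{KEK_TO_TEK_RATIO} of the "
            f"KEK lifetime {kek_seconds}s; shorten the TEK lifetime or lengthen the KEK lifetime"
        )

    # Recommendation 2: a volume limit that fires before the timed limit means
    # frequent rekeys under load (and possible data loss during each rekey).
    if tek.kilobytes is not None:
        vol = volume_expiry_seconds(tek.kilobytes, throughput_mbps)
        if vol < timed:
            warnings.append(
                f"volume limit {tek.kilobytes} KB expires after {vol:.0f}s at "
                f"{throughput_mbps:g} Mb/s, before the {timed}s timed limit; "
                f"expect a rekey every {vol:.0f}s"
            )
    return warnings


if __name__ == "__main__":
    # Constructed sample: KEK 24h, global TEK 1h, assumed 100 Mb/s between members.
    kek, global_tek, mbps = 86400, 3600, 100.0
    for label, tek in [
        ("timed only, 1h", TekLifetime(seconds=3600)),
        ("timed only, 12h", TekLifetime(seconds=43200)),
        ("1h plus 1,000,000 KB", TekLifetime(seconds=3600, kilobytes=1_000_000)),
        ("both blank (global)", TekLifetime()),
    ]:
        eff = effective_lifetime_seconds(tek, kek, global_tek, mbps)
        print(f"{label}: effective lifetime {eff:.1f}s")
        for w in check_tek_lifetime(tek, kek, global_tek, mbps):
            print("  WARNING:", w)
```

Run it with the sample values and the 1,000,000 KB volume limit is shown expiring after about 82 seconds at 100 Mb/s, which is the "excessive rekeys" case the guide warns about; the 12-hour timed lifetime trips the KEK ratio check. Substitute the KEK lifetime from the Group Encryption policy and a realistic per-member throughput to check your own topology.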
Table 24-13 Add New Security Association Dialog Box (Continued)
Element Description