24-58
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 24 Managing Site-to-Site VPNs: The Basics
Creating or Editing VPN Topologies
Step 1 Configure the key servers if the default settings are not appropriate.
For each key server you want to modify, select it, click the Edit (pencil) button beneath the table, and configure at least the following settings. For information on all available settings, see Edit Key Server Dialog Box, page 28-19.
Identity Interface—Select the interface that group members use to identify the key server and register with it. The default is the Loopback interface role, which identifies all Loopback interfaces defined on the key server.
Priority—Define the role of the key server as primary or secondary by entering a priority value between 1 and 100. The key server with the highest priority becomes the primary key server. If two or more key servers are assigned the same priority value, the device with the highest IP address is used. The default priority is 100 for the first key server, 95 for the second, and so on.
Note There can be more than one primary key server if the network is partitioned.
Step 2 Move key servers up or down in the table to specify the order that group members use to register with key servers. Group members register with the first key server in the list. If the first key server cannot be reached, they will register with the second key server, and so on. Note that this order does not define the overall key server priority, which is used to determine which key server is the primary key server.
Step 3 Configure the group members if the default settings are not appropriate.
For each group member you want to modify, select it, click the Edit (pencil) button beneath the table, and configure at least the following settings:
GET-Enabled Interface—This is the VPN-enabled outside interface to the provider edge (PE). Traffic originating or terminating on this interface is evaluated for encryption or decryption, as appropriate. You can configure multiple interfaces by selecting an interface role object that resolves to more than one interface. Click Select to select an interface role object or to create a new object.
Interface To Be Used As Local Address—The interface whose IP address is used to identify the group member to the key server for sending data, such as rekey information. If GET is enabled on only one interface, you do not need to specify the interface to be used as the local address. If GET is enabled on more than one interface, you must specify the interface to be used as the local address. Enter the name of the interface or interface role, or click Select to select an interface role.
For information on the other available settings, see Edit Group Member Dialog Box, page 28-21.
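The primary key server election rule from Step 1 (highest priority, tie broken by highest IP address, one primary per network partition) and the registration order from Step 2, modelled in Python as an added example. This is not Cisco Security Manager or IOS code; the server names, addresses and priorities are constructed.

```python
from ipaddress import ip_address

# Constructed sample table of key servers. ks-a and ks-b deliberately share a
# priority so the tie-break on identity IP address comes into play.
KEY_SERVERS = [
    {"name": "ks-a", "identity_ip": "10.1.1.9", "priority": 95},
    {"name": "ks-b", "identity_ip": "10.1.1.10", "priority": 95},
    {"name": "ks-c", "identity_ip": "10.1.1.3", "priority": 90},
]


def default_priorities(count):
    """Defaults as the guide describes them: 100 for the first server, 95 for
    the second, and so on (assumed to keep stepping down by 5, never below 1)."""
    return [max(1, 100 - 5 * i) for i in range(count)]


def select_primary(key_servers):
    """Primary key server: highest priority wins; on a tie, the highest identity
    IP address wins. The address is compared numerically, so 10.1.1.10 ranks
    above 10.1.1.9 (a plain string comparison would get this backwards)."""
    for ks in key_servers:
        if not 1 <= ks["priority"] <= 100:
            raise ValueError(f"{ks['name']}: priority must be between 1 and 100")
    best = max(key_servers,
               key=lambda ks: (ks["priority"], int(ip_address(ks["identity_ip"]))))
    return best["name"]


def primaries_after_partition(key_servers, partitions):
    """Each partition elects its own primary from the key servers it can reach,
    which is how a partitioned network ends up with more than one primary."""
    by_name = {ks["name"]: ks for ks in key_servers}
    return {frozenset(p): select_primary([by_name[n] for n in p]) for p in partitions}


def register(table_order, reachable):
    """A group member registers with the first reachable key server in table
    order (Step 2). This order is independent of the priority values above."""
    for name in table_order:
        if name in reachable:
            return name
    return None  # no key server reachable: registration fails


if __name__ == "__main__":
    print("primary:", select_primary(KEY_SERVERS))  # ks-b
    print("defaults:", default_priorities(3))  # [100, 95, 90]
    print("registers with:", register(["ks-c", "ks-a", "ks-b"], {"ks-a", "ks-b"}))  # ks-a
```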
Assigning Initial Policies (Defaults) to a New VPN Topology
Use the VPN Defaults page of the Create VPN wizard to view and select the shared site-to-site VPN policies that will be assigned to the VPN topology you are creating. The page displays all the available mandatory and optional policies that can be assigned to your VPN topology, according to the selected IPsec technology. (For more information, see Understanding Mandatory and Optional Policies for Site-to-Site VPNs, page 24-6.)
For information on opening the Create VPN wizard, see Creating or Editing VPN Topologies, page 24-28. After you create the topology, you edit these policies directly.
For each policy type, select the shared VPN policy you want to assign to your VPN topology. Only shared policies are available for selection. Use the following tips to guide your selection: