User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 24 Managing Site-to-Site VPNs: The Basics
Creating or Editing Extranet VPNs
Note: The DH Group attribute (the Diffie-Hellman modulus group) is called Modulus Group in other policies and policy objects.
Configure the IKE Phase 2 (IPsec) Proposal parameters. Most of these parameters are used to create an IPsec transform set policy object named ExtranetName_transformSet, where ExtranetName is the name you gave the VPN. For an explanation of the parameters, see Configuring IPSec IKEv1 or IKEv2 Transform Set Policy Objects, page 25-25. Note that the AH Hash Algorithm setting is available only if the local device is a router.
To edit these values after creating the VPN, edit the transform set object. You can edit the object in the Policy Object Manager or directly through the IPsec Proposal policy for the VPN.
The following settings are not part of the IPsec transform set object:
Enable Perfect Forward Secrecy, DH Group: Whether to derive a unique session key for each IPsec security association from a fresh Diffie-Hellman exchange. With PFS, an attacker who later obtains the long-term keys (the preshared key or the private keys) or the IKE SA keying material still cannot decrypt traffic captured earlier. If you select this option, also select the Diffie-Hellman (DH) modulus group used for the exchange. For more information on the modulus group, see Deciding Which Diffie-Hellman Modulus Group to Use, page 25-7.
To change this option after creating the VPN, edit the IPsec Proposal policy.
Lifetime: The number of seconds an IPsec security association exists before it expires and must be renegotiated. The default is 3,600 seconds (one hour).
To change this option after creating the VPN, edit the VPN Global Settings policy.
If you select Preshared Key for authentication, enter the key used to authenticate connections with the remote host.
To edit the key after creating the VPN, edit either the IKEv1 Preshared Key policy or the IKEv2 Authentication policy, depending on the IKE version you are using. The key is masked in these policies, but you can display it in cleartext by selecting the VPN Summary policy and clicking the Show Key button beside the preshared key. Anyone with access to that policy can therefore read the key, so restrict access accordingly.
If you select Certificate, select the PKI enrollment object that defines the certificate. If the required object is not yet defined, select <Add New> to open the Add PKI selector, from which you can add new, or edit existing, PKI enrollment objects. For more information about PKI enrollment objects, see PKI Enrollment Dialog Box, page 25-54.
To edit the certificate settings after creating the VPN, edit the object in the Policy Object Manager or directly through either the IKEv1 Public Key Infrastructure policy or the IKEv2 Authentication policy, depending on the IKE version you are using.
In the wizard, click Next.
Step 5 (Create Extranet VPN wizard only.) On the Summary page, verify that the settings are correct and click
Finish.
Security Manager creates the topology and the required policy objects, and adds the VPN to the list of
VPNs in the Site-to-Site VPN Manager.
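The device-side configuration that these policy objects deploy to is easier to reason about as CLI. The following is an added illustration of the Cisco IOS router equivalent of the wizard settings above (IKEv1, preshared-key authentication, AES-256/SHA-256 transform set, PFS with DH group 14, 3600-second SA lifetime); it is not output captured from Security Manager, and the VPN name PartnerVPN, the peer address 203.0.113.5, the protected networks and the key value are placeholders.

```text
! Added illustration of the IOS configuration behind the wizard settings; not
! Security Manager output. Names, addresses and the key are placeholders.
!
! IKE Phase 1 (ISAKMP) policy: preshared-key authentication, DH group 14
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! Preshared key for the extranet peer (placeholder key and peer address)
crypto isakmp key ExampleKeyReplaceMe address 203.0.113.5
!
! IKE Phase 2 proposal: this is what the ExtranetName_transformSet object becomes
crypto ipsec transform-set PartnerVPN_transformSet esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Lifetime from the VPN Global Settings policy (default 3600 seconds)
crypto ipsec security-association lifetime seconds 3600
!
! Traffic to protect (placeholder networks)
ip access-list extended PartnerVPN_ACL
 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
!
! Crypto map: PFS and its DH group live here, not in the transform set
crypto map PartnerVPN 10 ipsec-isakmp
 set peer 203.0.113.5
 set transform-set PartnerVPN_transformSet
 set pfs group14
 match address PartnerVPN_ACL
!
interface GigabitEthernet0/0
 crypto map PartnerVPN
```

To confirm what was actually deployed, run show crypto map on the router: the map entry lists the peer, the transform set, the security association lifetime, and PFS (Y/N) together with the DH group. show crypto ipsec sa shows the same values for each active SA. Note that the ISAKMP key appears in cleartext in the running configuration unless Type 6 password encryption (key config-key password-encryption and password encryption aes) is enabled, which is the device-side counterpart of the Show Key caveat above.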
Step 6 If you want to configure dial backup, select the Peers policy and follow the instructions in Configuring
Dial Backup, page 24-39.