Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 32 Managing Remote Access VPNs on IOS and PIX 6.3 Devices
Configuring an IPsec Proposal on a Remote Access VPN Server (IOS, PIX 6.3 Devices)
Table 32-3 IPsec Proposal Editor, Dynamic VTI/VRF Aware IPsec Tab (Continued)

Element
    Description

CA Server
    Select the Certification Authority (CA) server to use for managing certificate requests for the device. Click Select to select the PKI enrollment policy object that defines the CA server, or to create a new object. For more information, see PKI Enrollment Dialog Box, page 25-54.

    For more information about IPsec configuration with CA servers, see Understanding Public Key Infrastructure Policies, page 25-47.

Virtual Template IP Type
    Available if you selected Enable Dynamic VTI.

    Specify the virtual template interface to use:

    - IP—To use an IP address as the virtual template interface. Specify the private IP address.
    - Use Loopback Interface—To use the IP address taken from an existing loopback interface as the virtual template interface. Click Select to select the interface or interface role object, or to create a new object that identifies the loopback interface.

VRF Solution
    Available if you selected Enable VRF Settings.

    Select the VRF solution:

    - 1-Box (IPsec Aggregator + MPLS PE)—One device serves as the Provider Edge (PE) router that does the MPLS tagging of the packets in addition to IPsec encryption and decryption from the Customer Edge (CE) devices. For more information, see VRF-Aware IPsec One-Box Solution, page 24-14.
    - 2-Box (IPsec Aggregator Only)—The PE device does only the MPLS tagging, while the IPsec Aggregator device does the IPsec encryption and decryption from the CEs. For more information, see VRF-Aware IPsec Two-Box Solution, page 24-15.

VRF Name
    The name of the VRF routing table on the IPsec Aggregator. The VRF name is case-sensitive.

Route Distinguisher
    The unique identifier of the VRF routing table on the IPsec Aggregator. This unique route distinguisher maintains routing separation for each VPN across the MPLS core to the other PE routers. The identifier can be in either of the following formats:

    - IP address:X, where X is in the range of 0-999999999.
    - N:X, where N is in the range of 0-65535, and X is in the range of 0-999999999.

    Note: You cannot override the RD identifier after deploying the VRF configuration to your device. To modify the RD identifier after deployment, you must manually remove it through the device CLI and then deploy again.
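
Because the RD cannot be overridden after deployment, a pre-deployment check of the Route Distinguisher and VRF Name fields is worth running over the planned values. The following is an added example, not code from the Cisco guide or from Cisco Security Manager; it assumes "IP address" means a dotted-quad IPv4 address and that leading zeros in N or X are read numerically, and `parse_rd`, `check_plan` and the sample VRF names are hypothetical.

```python
import ipaddress
import re

MAX_N = 65_535        # N range from the table: 0-65535
MAX_X = 999_999_999   # X range from the table: 0-999999999
_DECIMAL = re.compile(r"[0-9]+")

def parse_rd(text):
    """Return a canonical (kind, first_field, x) tuple, or raise ValueError."""
    admin, sep, assigned = text.partition(":")
    if not sep or not _DECIMAL.fullmatch(assigned):
        raise ValueError("expected <IP address>:X or N:X with decimal X")
    x = int(assigned)
    if x > MAX_X:
        raise ValueError("X out of range 0-%d" % MAX_X)
    if _DECIMAL.fullmatch(admin):
        n = int(admin)
        if n > MAX_N:
            raise ValueError("N out of range 0-%d" % MAX_N)
        return ("n", n, x)
    try:
        # Assumption: "IP address" means a dotted-quad IPv4 address.
        return ("ip", str(ipaddress.IPv4Address(admin)), x)
    except ipaddress.AddressValueError:
        raise ValueError("first field is neither N nor an IPv4 address") from None

def check_plan(plan):
    """plan maps VRF name -> RD string; returns a list of problem strings."""
    problems, seen_rd, seen_name = [], {}, {}
    for name, rd_text in plan.items():
        # VRF names are case-sensitive: a case-only difference is a new VRF.
        other = seen_name.setdefault(name.lower(), name)
        if other != name:
            problems.append("%s: differs from %s only by case" % (name, other))
        try:
            rd = parse_rd(rd_text)
        except ValueError as exc:
            problems.append("%s: invalid RD %r (%s)" % (name, rd_text, exc))
            continue
        # Compare canonical tuples so "65000:0100" and "65000:100" collide.
        owner = seen_rd.setdefault(rd, name)
        if owner != name:
            problems.append("%s: RD %s duplicates %s" % (name, rd_text, owner))
    return problems

# Constructed sample plan (hypothetical VRF names and RD values).
SAMPLE_PLAN = {"CustomerA": "65000:100", "customera": "10.1.1.1:20",
               "CustomerB": "65000:0100", "CustomerC": "65536:1"}
if __name__ == "__main__":
    print("\n".join(check_plan(SAMPLE_PLAN)))
```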