A P P E N D I X B Site-to-Site VPN User Interface Reference The pages that you access by selecting Site-To-Site VPN Manager from the Tools menu, or clicking the Site-To-Site VPN Manager button on the toolbar, help you configure site-to-site VPNs. Note You can also configure site-to-site VPNs in Device view (View > Device View) and Policy view (View > Policy View).
Site-to-Site VPN Manager Window

Use the Site-to-Site VPN Manager window to:
• View all available VPN topologies.
• Create, edit, and delete VPN topologies.
• View detailed information about each VPN topology.
• View the endpoints defined for a VPN topology.
• View and edit the policies assigned to a VPN topology.

Table B-1 Site-to-Site VPN Manager Window (continued)

Edit VPN Topology button
Opens the Edit VPN dialog box for editing a selected VPN topology.
Note: You can also edit a VPN topology by right-clicking it in the VPNs selector and selecting the Edit option.

Delete VPN Topology button
Deletes a selected VPN topology.
Navigation Path
Open the Site-to-Site VPN Manager Window, page B-2, select a topology in the VPNs selector, then select VPN Summary in the Policies selector.
Note:
• The VPN Summary page opens when you finish creating or editing a VPN topology.
• The VPN Summary page also opens from Device view when you edit the VPN policies defined for a VPN topology.

Table B-2 VPN Summary Page (continued)

Primary Hub
Available if the VPN topology type is hub-and-spoke. The name of the primary hub in the hub-and-spoke topology.

Failover Hubs
Available if the VPN topology type is hub-and-spoke. The names of any secondary (backup) hubs configured in the hub-and-spoke topology.

Number of Spokes
Available if the VPN topology type is hub-and-spoke.

Routing Protocol
Available only if the selected technology is GRE, GRE Dynamic IP, or DMVPN. The routing protocol and autonomous system number (or process ID) used in the secured IGP for the GRE, GRE Dynamic IP, or DMVPN routing policy.
Note: On deployment, Security Manager adds the routing protocol to every device in the secured IGP.
Peers Page

Use the Peers page to view the endpoints defined for a VPN topology, including the internal and external VPN interfaces and the protected networks assigned to the devices in the topology. For the VPN interfaces and protected networks, the table can show either the interface roles or the interfaces that match each interface role.

Table B-3 Peers Page (continued)

Show
Selects what the table displays for the VPN interfaces and protected networks:
• Interface Roles Only (default): only the interface roles assigned to the VPN interfaces and protected networks.
• Matching Interfaces: the interfaces that match the pattern of each interface role.
Create VPN Wizard

The following pages describe the steps in the Create VPN wizard:
• Name and Technology Page, page B-9
• Device Selection Page, page B-10
• Endpoints Page, page B-13
• High Availability Page, page B-34

Navigation Path
1. In the Site-to-Site VPN Manager Window, page B-2, click the Create VPN Topology button above the VPNs selector.
2.

Related Topics
• Create VPN Wizard, page B-8
• Editing a VPN Topology, page 9-24
• Understanding IPSec Technologies and Policies, page 9-8
• Defining a Name and IPSec Technology, page 9-12

Field Reference
Table B-4 Create VPN wizard > Name and Technology Page

Name
A unique name for the VPN topology, used to identify it.
Note: When you edit the device selection of an existing VPN topology, the Device Selection tab is used. The elements of the tab (except for the buttons) are identical to those on the Device Selection page. For more information, see Editing a VPN Topology, page 9-24.
The contents of this page differ depending on the VPN topology type.

Field Reference
Table B-5 Create VPN wizard > Device Selection Page

Available Devices
Lists all devices that can be included in the selected VPN topology, that support the selected IPSec technology, and that you are authorized to view.
Note: Clicking a device group selects all of its devices.

Hubs
The devices you selected to be hubs in your hub-and-spoke topology.
Endpoints Page

Use the Endpoints page of the Create VPN wizard to view the devices in your VPN topology and to define or edit their external or internal interfaces and protected networks.
Note: When you edit an existing VPN topology, the Endpoints tab is used. The elements of the tab (except for the buttons) are identical to those on the Endpoints page. For more information, see Editing a VPN Topology, page 9-24.

Field Reference
Table B-6 Create VPN wizard > Endpoints Page

Role
The role of the device: hub, spoke, or peer.

Device
The name of the device.

VPN Interface
The primary or backup VPN interface currently defined for the selected device. Depending on the selection in the Show list, the interface roles, or the interfaces that match each interface role, may also be displayed for the VPN interface.

Protected Networks
The protected networks defined for the selected device. Depending on the selection in the Show list, the interface roles, or the interfaces that match each interface role, may also be displayed for the protected networks. Select a row and click Edit to change the device's protected networks.

Finish button
Saves your wizard definitions and closes the wizard. The new or edited VPN topology appears in the VPNs selector of the Site-to-Site VPN window, with the VPN Summary page displayed. See VPN Summary Page, page B-3.

Cancel button
Closes the wizard without saving your changes.

Help
Opens help for this page.
• Clicking OK on any tab in the dialog box saves your definitions on all the tabs.

Navigation Path
Open the Edit Endpoints dialog box from the Endpoints Page, page B-13 (or the Endpoints tab): select a device in the Endpoints table, then click Edit.

becomes unavailable. You can configure a backup interface only on a Cisco IOS security router that is a spoke in the VPN topology. For more information, see Understanding Dial Backup, page 9-27.

Navigation Path
The VPN Interface tab is displayed when you open the Edit Endpoints Dialog Box, page B-16. You can also open it by clicking the VPN Interface tab from any other tab in the Edit Endpoints dialog box.
Table B-7 Edit Endpoints Dialog Box > VPN Interface Tab (continued)

Connection Type
Note: This element is available only in a hub-and-spoke VPN topology, when the hub is an ASA or PIX 7.0 device and the selected technology is regular IPSec.

Tunnel Source
Available for a hub when the selected technology is GRE or DMVPN. To define the tunnel source address used by the GRE or DMVPN tunnel on the spoke side, click one of the following radio buttons:
• VPN Interface: use the selected VPN interface as the tunnel source address.

Tracking IP Address
The IP address of the destination device to which connectivity must be maintained from the primary VPN interface connection. The Service Assurance agent pings this device through the primary route to track connectivity; the backup connection is triggered if connectivity to it is lost.
Note:
• Before you define the VPNSM or VPN SPA settings, you must import your Catalyst 6500/7600 device into the Security Manager inventory and discover its interfaces. For more information, see Procedure for Configuring a VPNSM or VPN SPA Blade, page 9-34.

Table B-8 Edit Endpoints Dialog Box > VPN Interface Tab > VPNSM/VPN SPA Settings

Slot
From the list of available slots, select the slot number of the VPNSM blade to which the inside VLAN interface is connected, or the number of the slot in which the VPN SPA blade is inserted. For more information, see Adding VPN SPA Slot Locations, page 5-44.

Peer IP Address
To define the IP address of the VPN interface of the peer device, click one of the following radio buttons:
• VPN Interface IP Address: use the IP address configured on the selected VPN interface.
• IP Address for IPSec Termination: enter the IP address of the peer device manually.

OK button
Related Topics
• Edit Endpoints Dialog Box, page B-16
• Defining the Endpoints and Protected Networks, page 9-18

Field Reference
Table B-9 Edit Endpoints Dialog Box > Protected Networks Tab

Enable the Protected Networks Changes on All Selected Peers
Available if you selected more than one device for editing on the Endpoints page.

Create button
If the required interface roles, protected networks, or access control lists do not appear in the Available Protected Networks list, click Create and select the required option to create an interface role, protected network, or access control list.

Note: Before defining the FWSM settings, you must import your Catalyst 6500/7600 device into the Security Manager inventory. Then open Cisco Catalyst Device Manager (Cisco CDM), discover the FWSM configurations on the device, and assign a VLAN that will serve as the inside interface to the FWSM.

Table B-10 Edit Endpoints Dialog Box > FWSM Tab (continued)

FWSM Inside VLAN
The VLAN that serves as the inside interface to the Firewall Services Module (FWSM). If required, click Select to open a dialog box that lists all available interfaces and the sets of interfaces defined by interface roles; there you can make your selection or create interface role objects.
• Deployment may fail if the IPSec Aggregator is configured with the same keyring CLI command as the existing preshared key (keyring) command and that keyring is not referenced by any other command. In this case Security Manager does not reuse the VRF keyring CLI but generates a keyring with a different name, and deployment fails.

Table B-11 Edit Endpoints Dialog Box > VRF Aware IPSec Tab (continued)

Enable VRF Settings
When selected, enables the configuration of VRF settings on the selected hub for the selected hub-and-spoke topology.
Note: To remove VRF settings that were defined for the VPN topology, deselect this check box.

1-Box (IPSec Aggregator + MPLS PE)
When selected, enables you to configure a one-box VRF solution.

Interface Towards Provider Edge
Available only when a 2-Box solution is selected. The VRF forwarding interface on the IPSec Aggregator towards the PE device.
Note: If the IPSec Aggregator (hub) is a Catalyst VPN service module, you must specify a VLAN. Interfaces and VLANs are predefined interface role objects.

Process Number
Available only if the 2-Box radio button is selected and the selected routing protocol is OSPF. The routing process ID number used to identify the secured IGP. The range is 1-65535.

OSPF Area ID
Available only if the 2-Box radio button is selected and the selected routing protocol is OSPF.
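The 2-Box fields in Table B-11 correspond to the following Cisco IOS configuration on the IPSec Aggregator. This is an added example, not configuration captured from Security Manager; the VRF name CUST-A, the keyring, profile, ACL and interface names, and all addresses are assumptions, and the ISAKMP policy is omitted. It also shows the point behind the keyring caveat above: the spoke's key is defined in exactly one crypto keyring, which the ISAKMP profile references by name.

```cisco
! Added example, not Security Manager output. VRF-aware IPsec on a 2-Box
! IPsec Aggregator; names, VRF and addresses are assumptions.
ip vrf CUST-A
 rd 65000:100
!
! Exactly one keyring holds this spoke's preshared key. The ISAKMP profile
! references it by name, so no second keyring with a clashing name exists.
! No "vrf" keyword: IKE arrives on the global (front-door) interface.
crypto keyring KR-CUST-A
 pre-shared-key address 198.51.100.10 key <long-random-spoke-key>
!
! The ISAKMP profile ties the peer to the inside VRF. Decrypted traffic from
! this spoke is forwarded inside CUST-A, never in the global table.
crypto isakmp profile PROF-CUST-A
 vrf CUST-A
 keyring KR-CUST-A
 match identity address 198.51.100.10 255.255.255.255
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
ip access-list extended ACL-CUST-A
 permit ip 10.100.0.0 0.0.255.255 10.200.0.0 0.0.255.255
!
crypto map CM-CUST-A 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS-AES256
 set isakmp-profile PROF-CUST-A
 match address ACL-CUST-A
 reverse-route
!
! Global (front-door) interface where IKE and ESP terminate.
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map CM-CUST-A
!
! "Interface Towards Provider Edge": the VRF-forwarding link to the PE.
interface GigabitEthernet0/1
 ip vrf forwarding CUST-A
 ip address 10.255.0.1 255.255.255.252
!
! Secured IGP of the 2-Box design: "Process Number" 100, "OSPF Area ID" 0,
! scoped to the VRF. RRI routes are static, so redistribute them to the PE.
router ospf 100 vrf CUST-A
 network 10.255.0.0 0.0.0.3 area 0
 redistribute static subnets
```

The separation matters for isolation: without the `vrf CUST-A` line in the ISAKMP profile, decrypted spoke traffic would land in the global routing table and could reach other customers' VRFs through whatever the aggregator routes globally.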
Mandatory settings for dial backup are configured on the VPN Interface tab of the Edit Endpoints dialog box. See VPN Interface Tab, page B-17.
Note: You must configure the dialer interface settings before dial backup can work properly. For more information, see Configuring Dialer Interfaces on Cisco IOS Routers, page 12-29.

Table B-12 Dial Backup Settings Dialog Box (continued)

Frequency
How often the Response Time Reporter (RTR) probe runs to detect loss of performance on the primary route. The default is every 60 seconds.

Threshold
The rising threshold, in milliseconds, that generates a reaction event and stores history information for the RTR operation. The default is 5000 ms.
Related Topics
• Endpoints Page, page B-13
• Configuring High Availability in Your VPN Topology, page 9-51
• Create VPN Wizard, page B-8

Field Reference
Table B-13 Create VPN wizard > High Availability Page

Enable
When selected, enables you to configure high availability on a group of hubs.
Note: When deselected, lets you remove an HA group that was defined for the VPN topology.

Inside Virtual IP

Hold Time
The duration in seconds (in the range 2-255) that a standby hub waits to receive a hello message from the active hub before concluding that the active hub is down.

Standby Group Number (Inside)
The standby group number of the inside hub interface that matches the internal virtual IP subnet for the hubs in the HA group.
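Dial backup (Table B-12, together with the Tracking IP Address of Table B-7) and the hub HA group (Table B-13) map onto the following Cisco IOS configuration. This is an added example, not configuration captured from Security Manager; the probe target, interfaces, addresses, standby group numbers and the crypto map name are assumptions. The probe uses the ip sla CLI, the current form of the Response Time Reporter (rtr) commands, and the HA part assumes the hub's crypto map CM-HUB is defined elsewhere in the configuration.

```cisco
! Added example, not Security Manager output. Addresses and names assumed.
!
! ---- Spoke: Tracking IP Address / Frequency / Threshold ----
! Ping the tracking IP every 60 s through the primary interface. A reply
! slower than 5000 ms raises a threshold event; no reply within the timeout
! marks the probe down.
ip sla 1
 icmp-echo 192.0.2.1 source-interface GigabitEthernet0/0
 frequency 60
 threshold 5000
 timeout 5000
ip sla schedule 1 life forever start-time now
!
track 10 ip sla 1 reachability
!
! While the probe succeeds, the primary default route is installed. When it
! fails, that route is withdrawn and the floating static route through the
! dialer (administrative distance 250) takes over, bringing up the backup.
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 10
ip route 0.0.0.0 0.0.0.0 Dialer1 250
!
! ---- Hub: High Availability page ----
! Hello every 3 s; "Hold Time" 10 s before a standby hub declares the active
! hub down. The crypto map is bound to the standby group name so the IPsec
! peer address follows the outside virtual IP on failover.
interface GigabitEthernet0/0
 description Outside VPN interface
 ip address 203.0.113.11 255.255.255.0
 standby 1 ip 203.0.113.10
 standby 1 timers 3 10
 standby 1 preempt
 standby 1 name VPN-HA
 crypto map CM-HUB redundancy VPN-HA
!
! "Standby Group Number (Inside)" 2 with the "Inside Virtual IP" 10.10.0.10.
interface GigabitEthernet0/1
 description Inside interface
 ip address 10.10.0.11 255.255.255.0
 standby 2 ip 10.10.0.10
 standby 2 timers 3 10
 standby 2 preempt
```

Pick a tracking target that is only reachable through the primary path; tracking something reachable over both links never fails the probe, and the dialer never comes up.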
Site to Site VPN Policies

You can access site-to-site VPN policies by selecting Tools > Site-To-Site VPN Manager, or by clicking the Site-To-Site VPN Manager button on the toolbar, and then selecting the required policy in the Policies selector of the Site-to-Site VPN window. You can also access site-to-site VPN policies from Device view or Policy view.

On the IKE Proposal page, you can view the parameters of the selected IKE proposal, select a different one from a list of predefined IKE proposals, or create a new one.

Navigation Path
Open the Site-to-Site VPN Manager Window, page B-2, select a topology in the VPNs selector, then select IKE Proposal in the Policies selector.
Note: You can also open the IKE Proposal page from Policy view.

Table B-14 IKE Proposal Page (continued)

Selected IKE Proposal
The selected IKE proposal with its predefined default values. For more information about security parameters, see Understanding IKE, page 9-58.
Note: You cannot edit the selected IKE proposal because it is a predefined object. You can edit only the properties of an IKE proposal object that you create.
Navigation Path
Open the Site-to-Site VPN Manager Window, page B-2, select a topology in the VPNs selector, then select IPSec Proposal in the Policies selector.
Note: You can also open the IPSec Proposal page from Policy view. See Managing Shared Site-to-Site VPN Policies in Policy View, page 9-56.

Table B-15 IPSec Proposal Page (continued)

Transform Sets
The transform set(s) to use for your tunnel policy. Transform sets specify which authentication and encryption algorithms are used to secure the traffic in the tunnel.
Note: Transform sets may use tunnel mode or transport mode of IPSec operation. When IPSec or Easy VPN is the assigned technology, you cannot use transport mode.

Modulus Group
Available if Enable Perfect Forward Secrecy is selected. Select the required Diffie-Hellman key derivation algorithm from the Modulus Group list box. Security Manager supports the Diffie-Hellman group 1, group 2, group 5, and group 7 key derivation algorithms. Each group has a different modulus size: Group 1: 768-bit modulus. A 768-bit (group 1) or 1024-bit (group 2) modulus no longer provides adequate protection against a well-resourced attacker; choose the largest group that both peers support.

Enable Reverse Route
Supported on ASA devices, PIX 7.0 devices, and Cisco IOS routers except 7600 devices, when the selected technology is IPSec. Select this check box to enable the Reverse Route Injection (RRI) feature in the IPSec crypto map, then click one of the following radio buttons:
• Reverse Route: create a route in the routing table from the host address.
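The IKE Proposal page (Table B-14) and the IPSec Proposal page (Table B-15) map onto the following Cisco IOS configuration on a hub. This is an added example, not configuration captured from Security Manager; the peer, ACL, names and addresses are assumptions. Group 14 and SHA-256 are not among the options listed on this page; on an IOS release that offers them they are the right choice, otherwise group 5 and SHA-1 are the floor. The commented-out transform set shows the weak choice that the strong one replaces.

```cisco
! Added example, not Security Manager output. Names and addresses assumed.
!
! IKE Proposal: one ISAKMP policy per proposal, lowest number tried first.
! Group 14 (2048-bit) rather than group 1 or 2, whose 768/1024-bit moduli
! are within reach of a well-funded attacker.
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! Transform Sets: authentication and encryption for the tunnel. Tunnel mode
! is required for the IPSec and Easy VPN technologies (Table B-15).
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Weak setting, shown only for contrast (DES and MD5 are broken); a new
! transform set should never look like this:
! crypto ipsec transform-set TS-LEGACY esp-des esp-md5-hmac
!
! Protected networks: hub LAN to spoke LAN.
ip access-list extended ACL-TO-SPOKE1
 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
!
crypto map CM-HUB 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS-AES256-SHA256
! Enable Perfect Forward Secrecy + Modulus Group: a fresh DH exchange for
! every IPsec SA, so a compromised IKE secret does not unlock old traffic.
 set pfs group14
 set security-association lifetime seconds 3600
! Enable Reverse Route: inject a static route for the spoke's protected
! network so the hub's routing table (and its IGP) points at the tunnel.
 reverse-route
 match address ACL-TO-SPOKE1
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map CM-HUB
```

Both peers must carry the same PFS group; a mismatch shows up as a phase 2 failure even though IKE phase 1 completes.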
VPN Global Settings Page

Use the VPN Global Settings page to define global settings for IKE, IPSec, NAT, and fragmentation that apply to the devices in your VPN topology.

• Configuring VPN Global Settings, page 9-73

Field Reference
Table B-16 VPN Global Settings Page > ISAKMP/IPSec Settings Tab

ISAKMP Settings

Enable Keepalive
Enable: When selected, enables you to configure IKE keepalive as the default failover and routing mechanism.
Note: IKE keepalive is defined on the spokes in a hub-and-spoke VPN topology, or on both devices in a point-to-point VPN topology.

SA Requests System Limit
Supported on routers running IOS version 12.3(8)T and later, except 7600 routers. The maximum number of SA requests allowed before IKE starts rejecting them. You can enter a value in the range 0-99999.

Xauth Timeout
Available when Easy VPN is the selected technology and the selected device is a Cisco IOS router or Catalyst 6500/7600 device. The number of seconds the device waits for a response from the end user after an IKE SA has been established.

Save button
Saves your changes to the server but keeps them private.
Note: To publish your changes, click the Submit button on the toolbar.

Close button
Closes the Site-to-Site VPN window.

Help button
Opens help for this tab.
Field Reference
Table B-17 VPN Global Settings Page > NAT Settings Tab

Enable NAT Traversal
When selected, enables you to configure NAT traversal on a device. You use NAT traversal when a device (referred to as the middle device) located between a VPN-connected hub and spoke performs Network Address Translation (NAT) on the IPSec traffic.

Close button
Closes the Site-to-Site VPN window.

Help button
Opens help for this tab.

General Settings Tab

Use the General Settings tab of the VPN Global Settings page to define fragmentation settings, including maximum transmission unit (MTU) handling parameters.

Field Reference
Table B-18 VPN Global Settings Page > General Settings Tab

Fragmentation Settings

Fragmentation Mode
Supported on Cisco IOS routers and Catalyst 6500/7600 devices. Fragmentation minimizes packet loss in a VPN tunnel when packets are transmitted over a physical interface that cannot carry the original packet size.

DF Bit
Supported on Cisco IOS routers, Catalyst 6500/7600 devices, PIX 7.0 and ASA devices. The Don't Fragment (DF) bit in an IP header determines whether a device is allowed to fragment a packet. For more information, see Understanding Fragmentation, page 9-72.

Enable Split Tunneling
When selected (the default), enables you to configure split tunneling in your VPN topology. Split tunneling lets both secured and unsecured traffic be transmitted on the same interface. Traffic that does not match a protected network therefore leaves the interface unencrypted, so confirm that the protected-network definitions cover everything that must travel inside the tunnel.
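The VPN Global Settings tabs (Tables B-16 to B-18) correspond to the following Cisco IOS global commands. This is an added example, not configuration captured from Security Manager; the values are ones a practitioner would typically pick, and the ACL name and networks are assumptions.

```cisco
! Added example, not Security Manager output. Values and names assumed.
!
! ISAKMP/IPSec Settings > Enable Keepalive: IKE dead peer detection. Send a
! keepalive every 10 s; once the peer stops answering, retry every 3 s and
! then tear down the SAs. That teardown is what lets routing fail over.
crypto isakmp keepalive 10 3 periodic
!
! ISAKMP/IPSec Settings > SA Requests System Limit (IOS 12.3(8)T and later):
! refuse new IKE SA requests beyond this count instead of exhausting the box.
crypto call admission limit ike sa 200
!
! NAT Settings > Enable NAT Traversal: NAT-T detection is on by default in
! IOS; the keepalive refreshes the UDP/4500 binding on the middle device
! every 20 s so the spoke stays reachable behind NAT.
crypto isakmp nat keepalive 20
!
! General Settings > Fragmentation Mode: fragment before encryption, so the
! receiving peer never has to reassemble ESP fragments in its crypto path.
crypto ipsec fragmentation before-encryption
!
! General Settings > DF Bit: clear DF on the outer IP header so oversized
! packets are fragmented instead of dropped when path MTU discovery fails.
crypto ipsec df-bit clear
!
! General Settings > Enable Split Tunneling (the default on this page): only
! traffic matching the crypto ACL is encrypted; everything else leaves the
! interface in the clear. The ACL must cover every network that must be
! protected, not just the one that happened to be tested.
ip access-list extended ACL-PROTECTED
 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
 permit ip 10.10.0.0 0.0.255.255 10.30.0.0 0.0.255.255
```

The SA limit is a denial-of-service control: without it, a flood of half-open IKE negotiations from a spoofed source can starve legitimate peers of crypto engine and memory.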
Navigation Path
Open the Site-to-Site VPN Manager Window, page B-2, select a topology in the VPNs selector, then select Preshared Key in the Policies selector.
Note: You can also open the Preshared Key page from Policy view. For more information, see Managing Shared Site-to-Site VPN Policies in Policy View, page 9-56.

Table B-19 Preshared Key Page (continued)

Regenerate Key (Only in Next Deployment)
Available only if Auto Generate is selected. Select this check box if you want Security Manager to generate a new key for the next deployment to the device(s). This is useful if the secrecy of the keys may have been compromised.
Note: When you submit the job for deployment, this check box is cleared.

Negotiation Method

Main Mode Address
Select this negotiation method for exchanging key information if the IP addresses of the devices are known. Negotiation is based on IP address. Main mode provides the highest security: its three two-way exchanges establish the Diffie-Hellman secret before the peers exchange identities, so the identity payloads and the key-derived hashes travel encrypted. Main mode address is the default negotiation method.

Aggressive Mode
Available only in a hub-and-spoke VPN topology. Select this negotiation method for exchanging key information if the IP address is not known and DNS resolution might not be available on the devices. Negotiation is based on hostname and domain name. Aggressive mode sends the identities and the hash derived from the preshared key before encryption is available, so anyone who captures the exchange can run an offline dictionary attack against the key; use long, random, per-spoke keys.
Note: If direct spoke-to-spoke tunneling is enabled, you cannot use aggressive mode.

Save button
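Main mode with address-based keys and aggressive mode with hostname-based keys look like this on a Cisco IOS hub. This is an added example, not configuration captured from Security Manager; the addresses, hostname, keyring name and key placeholders are assumptions. It is organised around the trade-off described above: use main mode wherever the spoke address is static, and reserve aggressive mode for spokes that really have no fixed address.

```cisco
! Added example, not Security Manager output. Addresses and names assumed.
!
! ---- Main Mode Address: peer known by IP address (the default) ----
! Identities are exchanged in IKE messages 5 and 6, after the DH secret is
! derived, so they and the PSK-derived hashes are encrypted on the wire.
crypto keyring KR-SPOKES
 pre-shared-key address 198.51.100.10 key <spoke1-long-random-key>
 pre-shared-key address 198.51.100.11 key <spoke2-long-random-key>
!
! On a device whose peers all use main mode, refuse aggressive mode outright
! so a probe cannot trick the box into revealing a PSK hash.
crypto isakmp aggressive-mode disable
!
! ---- Aggressive Mode: spoke with unknown address, identified by FQDN ----
! (hub-and-spoke only). Remove the "aggressive-mode disable" line above on
! such a hub. HASH_R (message 2) and HASH_I (message 3) travel unencrypted,
! so a captured exchange supports an offline dictionary attack on the key:
! long random keys, one per spoke, never a shared group key.
crypto isakmp key <spoke3-long-random-key> hostname spoke3.example.com
```

A wildcard key (`pre-shared-key address 0.0.0.0 0.0.0.0`) combined with aggressive mode is the worst case: one captured exchange from any spoke exposes the key that every spoke shares.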
Related Topics
• Configuring Public Key Infrastructure Policies, page 9-84
• Working with PKI Enrollment Objects, page 8-153

Field Reference
Table B-20 Public Key Infrastructure (PKI) Page

Available CA Servers
Lists the predefined CA servers available for selection.

Save button
Saves your changes to the server but keeps them private. To publish your changes, click the Submit button on the toolbar.
Note: To save the RSA key pairs and the CA certificates permanently to Flash memory on a PIX firewall version 6.3, so that they survive reloads, you must configure the "ca save all" command.
Navigation Path
Open the Site-to-Site VPN Manager Window, page B-2, select a topology in the VPNs selector, then select GRE Modes in the Policies selector.
Note: You can also open the GRE Modes page from Policy view. For more information, see Managing Shared Site-to-Site VPN Policies in Policy View, page 9-56.

Table B-21 GRE Modes Page > GRE or GRE Dynamic IP Policy (continued)

AS Number
Available only if you selected the EIGRP routing protocol. The number that identifies the autonomous system (AS) to which the EIGRP packet belongs. The range is 1-65535. The default is 110. An autonomous system (AS) is a collection of networks that share a common routing strategy.

Delay
Available only if you selected the EIGRP routing protocol. The throughput delay for the primary route interface, in microseconds. The range of the tunnel delay time is 1-16777215. The default is 1000.

Failover Delay
Available only if you selected the EIGRP routing protocol.

Tunnel Parameters Tab

Tunnel IP
Click one of the following radio buttons to specify the GRE or GRE Dynamic IP tunnel interface IP address:
• Use Physical Interface: use the private IP address of the tunnel taken from the protected network.
• Use Subnet: use a tunnel IP address taken from an IP range.

Enable IP Multicast
Select to enable multicast transmissions across your GRE tunnels. IP multicast delivers application source traffic to multiple receivers without burdening the source or the receivers, while using a minimum of network bandwidth.

Rendezvous Point
Available only if you selected the Enable IP Multicast check box.
Table B-22 describes the elements on the GRE Modes page for configuring a DMVPN policy.

Table B-22 GRE Modes Page > DMVPN Policy

Routing Parameters Tab

Routing Protocol
Select the dynamic routing protocol, or static route, to be used in the DMVPN tunnel. Options include the EIGRP, OSPF, and RIPv2 dynamic routing protocols, and GRE static routes. On-Demand Routing (ODR) is also supported.

Hello Interval
Available only if you selected the EIGRP routing protocol. The interval between hello packets sent on the interface, from 1 to 65535 seconds. The default is 5 seconds.

Hold Time
Available only if you selected the EIGRP routing protocol.

Failover Cost
Available if you selected the OSPF or RIPv2 routing protocol. The cost of sending a packet on the secondary (failover) route interface. You can enter a value in the range 1-65535. The default is 125.

Allow Direct Spoke to Spoke Connectivity
When selected, enables direct communication between spokes without going through the hub.

Server Load Balance
When selected, enables the configuration of load balancing on a Cisco IOS router that serves as a hub in a multiple-hub configuration. Server load balancing optimizes performance in a multiple-hub configuration by sharing the workload.

NHRP Parameters

Network ID
All Next Hop Resolution Protocol (NHRP) stations within one logical Non-Broadcast Multi-Access (NBMA) network must be configured with the same network identifier. Enter a globally unique, 32-bit network identifier in the range 1 to 4294967295.
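A hub-side DMVPN tunnel shows where the DMVPN policy fields of Table B-22 (and the shared GRE fields of Table B-21) land in Cisco IOS. This is an added example, not configuration captured from Security Manager; the addresses, the EIGRP AS number 110, NHRP network ID 100, the authentication string and the interface names are assumptions. Spokes need a matching network ID, tunnel key and NHRP authentication string.

```cisco
! Added example, not Security Manager output. Names and addresses assumed.
!
! Transport mode is fine here: GRE already adds the outer header.
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile IPSEC-DMVPN
 set transform-set TS-AES256
!
interface Tunnel0
 description DMVPN hub, multipoint GRE
! Tunnel IP > Use Subnet: hub takes .1 of the tunnel subnet.
 ip address 10.255.255.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
! NHRP Parameters > Network ID: identical on every station in the NBMA
! cloud. The authentication string stops stray or forged registrations.
 ip nhrp network-id 100
 ip nhrp authentication <nhrp-secret>
 ip nhrp map multicast dynamic
 ip nhrp holdtime 600
! Routing Parameters > AS Number 110, Hello Interval 5 s, Hold Time 15 s,
! Delay 1000.
 ip hello-interval eigrp 110 5
 ip hold-time eigrp 110 15
 delay 1000
! Allow Direct Spoke to Spoke Connectivity: the hub must advertise spoke
! routes with the originating spoke as next hop, not itself, and must not
! apply split horizon on the multipoint interface.
 no ip next-hop-self eigrp 110
 no ip split-horizon eigrp 110
! Enable IP Multicast: PIM on the tunnel; Rendezvous Point on Loopback0.
 ip pim sparse-mode
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile IPSEC-DMVPN
!
router eigrp 110
 network 10.255.255.0 0.0.0.255
 network 10.10.0.0 0.0.255.255
 no auto-summary
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
 ip pim sparse-mode
ip pim rp-address 10.255.0.1
```

The NHRP authentication string is sent in the clear inside the GRE payload, which is only acceptable because `tunnel protection` encrypts that payload; without the IPsec profile, anyone on the path could read it and register a rogue spoke.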
Appendix B Site-to-Site VPN User Interface Reference Site to Site VPN Policies Navigation Path Open the Site-to-Site VPN Manager Window, page B-2, select a topology in the VPNs selector, then select Easy VPN IPSec Proposal in the Policies selector. Note You can also open the Easy VPN IPSec Proposal page from Policy view. For more information, see Managing Shared Site-to-Site VPN Policies in Policy View, page 9-56.
Appendix B Site-to-Site VPN User Interface Reference Site to Site VPN Policies Table B-23 Easy VPN IPSec Proposal Page (continued) Element Description Enable RRI Supported on Cisco IOS routers, PIX 7.0 and ASA devices. When selected (the default), enables Reverse Route Injection (RRI) on the crypto map (static or dynamic) for the support of VPN clients. Reverse Route injection (RRI) ensures that a static route is created on a device for each client internal IP address.
Appendix B Site-to-Site VPN User Interface Reference Site to Site VPN Policies Table B-23 Easy VPN IPSec Proposal Page (continued) Element Description Group Policy Lookup/AAA Authorization Method Supported on Cisco IOS routers only. The AAA authorization method list that will be used to define the order in which the group policies are searched. Group policies can be configured on both the local server or on an external AAA server.
Appendix B Site-to-Site VPN User Interface Reference Site to Site VPN Policies User Group Policy Page Use the User Group Policy page to create or edit a user group policy on your Easy VPN server. For more information about user group policies in Easy VPN, see Configuring a User Group Policy for Easy VPN, page 9-106. Note You can also configure user group policies in remote access VPNs. For more information, see Understanding User Group Policies in Remote Access VPNs, page 10-4.
Table B-24 Easy VPN Server > User Group Policy Page (continued)

Element: Selected
Description: The selected user group.
Note You cannot edit the selected user group because it is a predefined object. You can only edit the properties of an object you create. To remove the selected user group, select a different one.

Element: Save button
Description: Saves your changes to the server but keeps them private.
Navigation Path
Open the Site-to-Site VPN Manager Window, page B-2, select a topology in the VPNs selector, then select Tunnel Group Policy (PIX 7.0/ASA) in the Policies selector.

Note You can also open the Tunnel Group Policy (PIX 7.0/ASA) page from Policy view. For more information, see Working with Site-to-Site VPN Policies in Policy View, page 9-56.
Table B-25 Easy VPN Server > Tunnel Group Policy (PIX 7.0/ASA) Page > General Tab

Element: Group Policy
Description: The group policy to be applied to the tunnel group. A group policy is a collection of user-oriented attribute/value pairs stored either internally on the device or externally on a RADIUS/LDAP server.
Table B-25 Easy VPN Server > Tunnel Group Policy (PIX 7.0/ASA) Page > General Tab (continued)

Element: Accounting Server Group
Description: The name of the accounting server group (LOCAL if the tunnel group is configured on the local device). You can click Select to open a dialog box that lists all available AAA server groups, and in which you can create AAA server group objects.
Table B-25 Easy VPN Server > Tunnel Group Policy (PIX 7.0/ASA) Page > General Tab (continued)

Element: Address Pools
Description: The address pools from which client IP addresses will be assigned. The server uses these pools in the order listed. If all addresses in the first pool have been assigned, it uses the next pool, and so on. You can specify up to 6 pools. A default address pool is displayed.
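The pool ordering described for the Address Pools field, as an added Python example that is not part of the Security Manager guide and not the product's own code: it models a server that hands out client addresses from the pools in the listed order, falls through to the next pool only when the earlier ones are exhausted, and enforces the stated limit of 6 pools. The class name, pool names and address ranges are constructed for illustration.

```python
"""Added example: ordered client address-pool assignment (constructed, not product code)."""
import ipaddress
from typing import Dict, List, Tuple

MAX_POOLS = 6  # limit stated on the Tunnel Group Policy General tab


class OrderedAddressPools:
    """Assigns client addresses from pools in the order they are listed.

    A later pool is used only when every address in the earlier pools is
    currently assigned, which is the behaviour the Address Pools field describes.
    """

    def __init__(self, pools: List[Tuple[str, str, str]]) -> None:
        # pools: (pool name, first address, last address), all constructed values
        if not 1 <= len(pools) <= MAX_POOLS:
            raise ValueError(f"expected 1..{MAX_POOLS} pools, got {len(pools)}")
        self._order: List[str] = []
        self._free: Dict[str, List[ipaddress.IPv4Address]] = {}
        self._owner: Dict[ipaddress.IPv4Address, str] = {}
        for name, first, last in pools:
            lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
            if hi < lo:
                raise ValueError(f"pool {name}: last address precedes first")
            # Free list kept ascending so assignment is deterministic.
            self._free[name] = [ipaddress.IPv4Address(int(lo) + i)
                                for i in range(int(hi) - int(lo) + 1)]
            self._order.append(name)

    def assign(self) -> Tuple[str, str]:
        """Return (pool name, address) for a new client, or raise when all pools are empty."""
        for name in self._order:
            if self._free[name]:
                addr = self._free[name].pop(0)
                self._owner[addr] = name
                return name, str(addr)
        raise RuntimeError("all address pools exhausted")

    def release(self, address: str) -> None:
        """Return a client's address to the pool it was assigned from."""
        addr = ipaddress.IPv4Address(address)
        name = self._owner.pop(addr)
        self._free[name].append(addr)
        self._free[name].sort()

    def free_count(self, name: str) -> int:
        """Number of unassigned addresses left in the named pool."""
        return len(self._free[name])


if __name__ == "__main__":
    # Constructed sample: two tiny pools so the fall-through is visible.
    pools = OrderedAddressPools([("POOL-A", "10.0.1.1", "10.0.1.2"),
                                 ("POOL-B", "10.0.2.1", "10.0.2.2")])
    for _ in range(3):
        print(pools.assign())  # POOL-A twice, then POOL-B
```

Because a released address goes back to its own pool, the next client is served from the first pool again rather than continuing in the pool that was last used; that is what "uses these pools in the order listed" implies for the modelled server.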
Field Reference

Table B-26 Easy VPN Server > Tunnel Group Policy (PIX 7.0/ASA) Page > IPSec Tab

Element: Preshared Key
Description: The value of the preshared key for the tunnel group. The maximum length of a preshared key is 127 characters.

Element: Trustpoint Name
Description: The trustpoint name, if any trustpoints are configured.
Table B-26 Easy VPN Server > Tunnel Group Policy (PIX 7.0/ASA) Page > IPSec Tab (continued)

Element: Authorization Settings > Use Entire DN as the Username
Description: Select to use the entire Distinguished Name (DN) as the identifier for the username. A distinguished name (DN) is a unique identification, made up of individual fields, that can be used as the identifier when matching users to a tunnel group.
Navigation Path
Open the Tunnel Group Policy (PIX 7.0/ASA) Page, page B-74, then click the Advanced tab. You can also open the Advanced tab by clicking it from any other tab on the Tunnel Group Policy (PIX 7.0/ASA) page.

Related Topics
• Tunnel Group Policy (PIX 7.0/ASA) Page, page B-74
• Configuring a Tunnel Group Policy for Easy VPN, page 9-107

Field Reference

Table B-27 Easy VPN Server > Tunnel Group Policy (PIX 7.
Table B-27 Easy VPN Server > Tunnel Group Policy (PIX 7.0/ASA) Page > Advanced Tab

Element: Interface-Specific Client Address Pools > Interface Role
Description: The interface role to which a client address pool is assigned. You can click Select to open a dialog box that lists all available interfaces, and sets of interfaces defined by interface roles, in which you can make your selection or create interface role objects.
Related Topics
• Tunnel Group Policy (PIX 7.0/ASA) Page, page B-74
• Configuring a Tunnel Group Policy for Easy VPN, page 9-107

Field Reference

Table B-28 Easy VPN Server > Tunnel Group Policy (PIX 7.
Navigation Path
Open the Site-to-Site VPN Manager Window, page B-2, select a topology in the VPNs selector, then select Client Connection Characteristics in the Policies selector.

Note You can also open the Client Connection Characteristics page from Policy view. For more information, see Working with Site-to-Site VPN Policies, page 9-55.
VPN Topologies Device View Page
Device view provides an easy way to view and edit the structure of your VPN topologies at the device level. Use this page to view the VPN topology (or topologies) to which each device in the Security Manager inventory belongs and, if necessary, change its assignment to or from a VPN topology.
Table B-30 VPN Topologies Device View Page (continued)

Element: Edit VPN Policies button
Description: Click to edit the VPN policies defined for a selected VPN topology. The VPN Summary page opens, displaying information about the VPN topology, including its defined policies.
Note You can also open the VPN Summary page by right-clicking the VPN topology in the table and selecting the Edit VPN Policies option.
User Guide for Cisco Security Manager 3.0.