3D Innovations 3.0.1 appendix Negotiation Method

Page 56

Appendix B Site-to-Site VPN User Interface Reference

Site to Site VPN Policies

Table B-19 Preshared Key Page (continued)

Element

Description

Negotiation Method

Main Mode Address

 

Select this negotiation method for exchanging key information, if

 

 

 

 

the IP address of the devices is known. Negotiation is based on IP

 

 

 

 

address. Main mode provides the highest security because it has

 

 

 

 

three two-way exchanges between the initiator and receiver. Main

 

 

 

 

mode address is the default negotiation method.

 

 

 

 

Then click one of the following radio buttons to define the

 

 

 

 

negotiation address type:

 

 

 

 

Peer Address—Negotiation is based on the unique IP address

 

 

 

 

of each peer. A key is created for each peer, providing high

 

 

 

 

security.

 

 

 

 

Subnet—Creates a group preshared key on a hub in a

 

 

 

 

hub-and-spoke topology to use for communication with any

 

 

 

 

device in a specified subnet, even if the IP address of the device

 

 

 

 

is unknown. Each peer is identified by its subnet. After

 

 

 

 

selecting this option, enter the subnet in the field provided.

 

 

 

 

In a point-to-point or full mesh VPN topology, a group

 

 

 

 

preshared key is created on the peers.

 

 

 

 

Wildcard—Creates a wildcard key on a hub or on a group of

 

 

 

 

hubs in a hub-and-spoke topology to use when a spoke does not

 

 

 

 

have a fixed IP address or belong to a specific subnet. In this

 

 

 

 

case, all spokes connecting to the hub will have the same

 

 

 

 

preshared key, which could compromise security. Use this

 

 

 

 

option if a spoke in your hub-and-spoke VPN topology has a

 

 

 

 

dynamic IP address.

 

 

 

 

In a point-to-point or full mesh VPN topology, a wildcard key

 

 

 

 

is created on the peers.

 

 

 

 

Note When configuring DMVPN with direct spoke-to-spoke

 

 

 

 

connectivity, you create a wildcard key on the spokes.

 

 

 

Main Mode FQDN

 

Select this negotiation method for exchanging key information, if

 

 

 

 

the IP address is not known and DNS resolution is available for the

 

 

 

 

device(s). Negotiation is based on DNS resolution, with no reliance

 

 

 

 

on IP address.

 

 

 

 

 

 

User Guide for Cisco Security Manager 3.0.1

 

 

B-56

 

 

 

OL-8214-02

 

 

 

 

 

 

 

 

 

 

Image 56
Contents Site-to-Site VPN User Interface Reference Understanding VPN Topologies, Working with VPN Topologies,B-37 VPN SummaryB-3 and Peers Page, page B-7 Configuring High Availability in Your VPN Topology, Configuring VRF-Aware IPSec Settings,Configuring an IKE Proposal, Configuring IPSec Proposals,Understanding IPSec Technologies and Policies, Topology. See IKE Proposal Page, page B-37See IPSec Proposal Page, page B-39 B-53IPSec Tab, page B-28 See GRE Modes Page, page B-59High Availability Page, page B-34 Peers Managing VPN Devices in Device View,Create VPN Wizard Topology. See Device Selection Page, page B-10Name and Technology Device Selection Editing a VPN Topology,Defining a Name and IPSec Technology, B-10Navigation Path Page, page B-9 Endpoints See VPN Interface Tab, page B-17 B-34 Tab, page B-24See Edit Endpoints Dialog Box, page B-16 Edit Endpoints Dialog Box VPN Interface Tab Procedure for Configuring a Vpnsm or VPN SPA Blade, Information, see Interface Roles Page, page C-126IP Address for IPSec Termination -To enter manually the IP More information, see Interface Roles Page, page C-126More information, see Configuring Dialer Interfaces on Cisco IOS Routers,Defining VPN Services Module Vpnsm or VPN SPA Settings Box, page B-32VPN SPA Blade, For more information, see Adding VPN SPA Slot Locations Protected Networks Tab IP Address for IPSec Termination-To enter manually the IPTable B-9 Edit Endpoints Dialog Box Protected Networks Tab More information, see Editing Access Control List Objects Fwsm TabMore information, see Editing Interface Role Objects, Information, see Editing Network/Host Objects,Table B-10 Edit Endpoints Dialog Box Fwsm Tab VRF Aware IPSec Tab For more information, see Interface Roles Page, page C-126Table B-11 Edit Endpoints Dialog Box VRF Aware IPSec Tab Solution, IPSec Two-Box Solution,C-126 RoutersDial Backup Settings Dialog Box Summary page. See VPN Summary Page, page B-3Table B-12 Dial Backup Settings Dialog Box High Availability Table B-13 Create VPN wizard High Availability Policy configured. See VPN Summary Page, page B-3 For more information, see Enabling Stateful Failover,Site to Site VPN Policies IKE ProposalMore information, see IKE Proposal Dialog Box, page C-123 Site-to-Site VPN Policies in Policy View,Understanding Preshared Key Policies, C-123 IPSec ProposalIKE, Shared Site-to-Site VPN Policies in Policy View, For more information, see About Crypto Maps,IPSec Transform Sets Page, page C-130 For more information, see About Transform Sets,To Use, Element Description VPN Global Settings ISAKMP/IPSec Settings TabConfiguring VPN Global Settings, For more information, see About IKE Keepalive,See Understanding IKE, Appendix B Site-to-Site VPN User Interface Reference NAT Settings Tab VPN Global Settings Page, page B-44 Understanding NAT,For more information, see About NAT Traversal, NAT,General Settings Tab For more information, see Understanding Fragmentation Select the required setting for the DF bit Preshared Key Table B-19 Preshared Key Element Description Negotiation Method Public Key Infrastructure Attributes, Working with PKI Enrollment Objects,C-140 FlexConfig see Working with FlexConfigs, GRE ModesTable B-21 GRE Modes Page GRE or GRE Dynamic IP Policy GRE?, OL-8214-02 Configuring Cisco IOS Router Interfaces, OL-8214-02 Configuration of GRE, For more information, see Prerequisites for SuccessfulElement Description Preshared Key Policies, For more information, see Configuring Cisco IOS Router Interfaces,Easy VPN IPSec Proposal Understanding Easy VPN, For more information, see Understanding NAT, More information, see Working with AAA Server Group Objects Device Access Policies,Group Objects, For more information, see Editing User Group Objects, User Group PolicyWorking with User Group Objects, Tunnel Group Policy PIX 7.0/ASA Tunnel Group Policy General Tab For more information, see Working with ASA User Groups Client Address Assignment Tunnel Group Policy IPSec Tab Network/Host Objects,For more information, see Supported AAA Server Types Tunnel Group Policy Advanced Tab More information, see Working with Interface Role Objects Tunnel Group Policy Client VPN Software Update Tab Tunnel Group Policy PIX 7.0/ASAClient Connection Characteristics Table B-29 Easy VPN Remote Client Connection Characteristics About Locking in Site-to-Site VPN Topologies, Working with Site-to-Site VPN Policies,For more information, see Deleting a VPN Topology, See Site to Site VPN Policies, page B-37For more information, see About Editing a VPN Topology OL-8214-02 OL-8214-02