
Appendix B
Site to Site VPN Policies

Table B-19 Preshared Key Page (continued)

Element                 Description

Negotiation Method

Main Mode Address       Select this negotiation method for exchanging key information, if
                        the IP address of the devices is known. Negotiation is based on IP
                        address. Main mode provides the highest security because it has
                        three
                        mode address is the default negotiation method.

                        Then click one of the following radio buttons to define the
                        negotiation address type:

                        • Peer
                          of each peer. A key is created for each peer, providing high
                          security.

                        •
                          device in a specified subnet, even if the IP address of the device
                          is unknown. Each peer is identified by its subnet. After
                          selecting this option, enter the subnet in the field provided.
                          In a
                          preshared key is created on the peers.

                        •
                          hubs in a
                          have a fixed IP address or belong to a specific subnet. In this
                          case, all spokes connecting to the hub will have the same
                          preshared key, which could compromise security. Use this
                          option if a spoke in your
                          dynamic IP address.
                          In a
                          is created on the peers.

                        Note: When configuring DMVPN with direct
                        connectivity, you create a wildcard key on the spokes.

Main Mode FQDN          Select this negotiation method for exchanging key information, if
                        the IP address is not known and DNS resolution is available for the
                        device(s). Negotiation is based on DNS resolution, with no reliance
                        on IP address.

User Guide for Cisco Security Manager 3.0.1
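The three negotiation address types in the Main Mode Address row (one key per peer, a key per subnet, and a wildcard key shared by every spoke) correspond to the address and mask carried by a router's preshared-key statement. The audit script below is an added example, not code from the guide or from Cisco Security Manager: it classifies each statement into those three scopes, rates the wildcard case as the weakest, and flags a key string reused across statements. It assumes the IOS syntax `crypto isakmp key [0|6] <key> address <ip> [<mask>]` and uses constructed sample lines.

```python
import ipaddress
import re
from collections import Counter

# Assumed IOS syntax: crypto isakmp key [0|6] <key> address <ip> [<mask>]
KEY_RE = re.compile(
    r"^\s*crypto isakmp key\s+(?:[06]\s+)?(?P<key>\S+)\s+address\s+"
    r"(?P<ip>\d+\.\d+\.\d+\.\d+)(?:\s+(?P<mask>\d+\.\d+\.\d+\.\d+))?"
)

# Constructed sample lines, not taken from any real device
SAMPLE_CONFIG = """\
crypto isakmp key 0 SpokeOneKey address 192.0.2.10
crypto isakmp key 0 BranchKey address 198.51.100.0 255.255.255.0
crypto isakmp key 0 HubKey address 0.0.0.0 0.0.0.0
crypto isakmp key 0 HubKey address 203.0.113.5 255.255.255.255
"""

RISK = {"peer": "low", "subnet": "medium", "wildcard": "high"}


def classify(ip, mask):
    """Map address/mask to the table's address types: peer, subnet or wildcard."""
    net = ipaddress.IPv4Network((ip, mask or "255.255.255.255"), strict=False)
    if net.prefixlen == 32:
        return "peer"       # one key per peer: tightest scoping
    if net.prefixlen == 0:
        return "wildcard"   # any peer may present this key
    return "subnet"         # key shared by every device in the subnet


def audit_isakmp_keys(config):
    """Return one finding per key statement; 'shared' marks a key string that
    appears in more than one statement, i.e. one secret serving several peers."""
    parsed = [m for m in map(KEY_RE.match, config.splitlines()) if m]
    uses = Counter(m["key"] for m in parsed)
    findings = []
    for m in parsed:
        scope = classify(m["ip"], m["mask"])
        findings.append({"ip": m["ip"], "scope": scope,
                         "risk": RISK[scope], "shared": uses[m["key"]] > 1})
    return findings


if __name__ == "__main__":
    for finding in audit_isakmp_keys(SAMPLE_CONFIG):
        print(finding)
```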