24-5
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 24 Managing Site-to-Site VPNs: The Basics
Understanding IPsec Technologies and Policies
Related Topics
Understanding IPsec Technologies and Policies, page 24-5
Implicitly Supported Topologies, page 24-5
Creating or Editing VPN Topologies, page 24-28
Chapter 25, “Configuring IKE and IPsec Policies”

Implicitly Supported Topologies

In addition to the three main VPN topologies, other more complex topologies can be created as
combinations of these topologies. They include:
- Partial mesh—A network in which some devices are organized in a full mesh topology, and other
  devices form either a hub-and-spoke or a point-to-point connection to some of the fully meshed
  devices. A partial mesh does not provide the level of redundancy of a full mesh topology, but it is
  less expensive to implement. Partial mesh topologies are generally used in peripheral networks that
  connect to a fully meshed backbone.
- Tiered hub-and-spoke—A network of hub-and-spoke topologies in which a device can behave as a
  hub in one or more topologies and a spoke in other topologies. Traffic is permitted from spoke
  groups to their most immediate hub.
- Joined hub-and-spoke—A combination of two topologies (hub-and-spoke, point-to-point, or full
  mesh) that connect to form a point-to-point tunnel. For example, a joined hub-and-spoke topology
  could comprise two hub-and-spoke topologies, with the hubs acting as peer devices in a
  point-to-point topology.
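
The sketch below is an added illustration, not part of the Cisco guide and not a description of how Security Manager works internally. It models each main topology as a set of tunnels, builds the three combined topologies described above from constructed device names, and compares tunnel count against the devices whose loss would partition the VPN.

```python
from itertools import combinations

def full_mesh(devices):
    """Every device has a tunnel to every other device."""
    return {frozenset(pair) for pair in combinations(devices, 2)}

def hub_and_spoke(hub, spokes):
    """Each spoke has exactly one tunnel, to its hub."""
    return {frozenset((hub, s)) for s in spokes}

def point_to_point(a, b):
    return {frozenset((a, b))}

def devices_in(tunnels):
    return set().union(*tunnels)

def connected(tunnels, nodes):
    """True if all `nodes` can reach each other over `tunnels`."""
    if not nodes:
        return True
    seen, stack = set(), [next(iter(nodes))]
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(m for t in tunnels if n in t for m in t if m in nodes)
    return seen == nodes

def single_points_of_failure(tunnels):
    """Devices whose loss leaves the remaining VPN peers partitioned."""
    nodes = devices_in(tunnels)
    return sorted(d for d in nodes if not connected(
        {t for t in tunnels if d not in t}, nodes - {d}))

# Constructed device names; each composite is a union of the three main topologies.
PARTIAL_MESH = (full_mesh(["B1", "B2", "B3", "B4"])          # meshed backbone
                | hub_and_spoke("B1", ["P1", "P2"])           # peripheral spokes
                | point_to_point("B2", "P3"))                 # peripheral P2P link
TIERED = (hub_and_spoke("CORE", ["R1", "R2"])                 # R1/R2 are spokes here
          | hub_and_spoke("R1", ["S1", "S2"])                 # ...and hubs here
          | hub_and_spoke("R2", ["S3"]))
JOINED = (hub_and_spoke("H1", ["A1", "A2"]) | hub_and_spoke("H2", ["C1", "C2"])
          | point_to_point("H1", "H2"))                       # hubs peer with each other

if __name__ == "__main__":
    for name, t in [("partial mesh", PARTIAL_MESH), ("tiered", TIERED), ("joined", JOINED)]:
        n = len(devices_in(t))
        print(f"{name}: {len(t)} tunnels (full mesh would need {n * (n - 1) // 2}), "
              f"single points of failure: {single_points_of_failure(t)}")
```

In the constructed partial mesh, 9 tunnels stand in for the 21 a full mesh of the same seven devices would need, and B1 and B2 become the devices whose loss isolates peripheral sites.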

Related Topics
Creating or Editing VPN Topologies, page 24-28
Hub-and-Spoke VPN Topologies, page 24-2
Point-to-Point VPN Topologies, page 24-3
Full Mesh VPN Topologies, page 24-4

Understanding IPsec Technologies and Policies

Security Manager provides seven types of IPsec technologies that you can configure on the devices in
your site-to-site VPN topology—Regular IPsec, IPsec/GRE, GRE Dynamic IP, standard and large scale
DMVPN, Easy VPN, and GET VPN. The assigned technology determines which policies you can
configure for the VPN.

You assign an IPsec technology to a VPN topology during its creation. After an IPsec technology is
assigned to a VPN topology, you cannot change the technology, other than by deleting the VPN topology
and creating a new one. See Defining the Name and IPsec Technology of a VPN Topology, page 24-30.

The following topics explain some basic concepts about IPsec technologies and site-to-site VPN
policies:
Understanding Mandatory and Optional Policies for Site-to-Site VPNs, page 24-6
Overview of Site-to-Site VPN Policies, page 24-8
Understanding Devices Supported by Each IPsec Technology, page 24-9