24-9
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter24 Managing Site-to-Site VPNs: The Basics
Understanding IPsec Technologies and Policies
IKEv1 Preshared Key. See Configuring IKEv1 Preshared Key Policies, page 25-44.
IKEv1 Public Key Infrastructure. See Configuring IKEv1 Public Key Infrastructure Policies in
Site-to-Site VPNs, page 25-50.
Server Load Balance. See Configuring Server Load Balancing in Large Scale DMVPN, page 26-17.
User Group Policy. See Configuring a User Group Policy for Easy VPN, page27-14.
VPN Global Settings. See Configuring VPN Global Settings, page25-29.
Global Settings for GET VPN. See Configuring Global Settings for GET VPN, page28-16.
Understanding Devices Supported by Each IPsec Technology
Each IPsec technology supports different devices as members of their topology. The following table
describes the basic device support. These requirements are enforced when you select devices for a VPN;
in some cases, the device lists are filtered to show only supported devices. In other cases, a device might
be supported in one role (for example, as a spoke), but not supported in another role; in these cases, you
can select the wrong device type, but you are prevented from saving the change (a message will explain
the specific problem).
Tip Some device models have NO-VPN versions, which do not support VPN configuration. Thus, although
the 3845 model might be supported for a type of VPN, the 3845 NOVPN model is not supported. In
addition, the Cisco Catalyst 6500 series ASA Services Module (running software release 8.5(x)) does
not support any type of VPN.
Table24-2 Devices Supported by Each IPsec Technology
Technology Supported Platforms
Regular IPsec
See Chapter 25, “Configuring IKE and
IPsec Policies”.
Regular IPsec policies can be configured on Cisco IOS
security routers (including Aggregation Service Routers, or
ASRs), PIX Firewalls, and ASA 5500 series devices. Except
for Extranet VPNs, Catalyst VPN service modules are also
supported.
IKEv2 is supported on ASA release 8.4(x) only. If you limit
the topology to IKEv2 only, all devices must support IKEv2.
If you allow both IKEv1 and IKEv2, devices that do not
support IKEv2 automatically use IKEv1.
IPsec/GRE (Generic Routing
Encapsulation).
See Understanding GRE, page 26-2.
GRE policies can be configured on Cisco IOS security
routers (including ASRs) and Catalyst 6500/7600 devices.
GRE Dynamic IP.
See Understanding GRE Configuration
for Dynamically Addressed Spokes,
page 26-5.
GRE Dynamic IP can be configured on Cisco IOS security
routers (including ASRs) and Catalyst 6500/7600 devices.