24-12
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 24 Managing Site-to-Site VPNs: The Basics
Understanding IPsec Technologies and Policies
Understanding and Configuring VPN Default Policies
For most VPN policies that are mandatory, Security Manager includes “factory default” settings for the
policies. These defaults are generic, and might not be appropriate for your network, but they do allow
you to complete the creation of a VPN without having to stop and start over when you do not have the
needed shared policy configured. Therefore, you can, and should, create your own default VPN policies
for mandatory policies. You can also create defaults for certain optional policies.
Before configuring new defaults, consider the types of VPNs you are likely to configure, then review the
types of policies for which you can create defaults. Select Tools > Security Manager Administration,
then select VPN Policy Defaults from the table of contents. Select the tabs for the desired IPsec
technologies to see which policies are available. If a policy is assigned Factory Default, or if this option
is available from the drop-down list, the policy is mandatory; other policies are optional. You can also
create default policies for remote access VPNs, and for site-to-site endpoint configurations. Click the
View Content button next to a selected policy to see the policy definition.
The following procedure explains how to create and use VPN policy defaults.
Tips
When you configure VPN default policies, you are selecting shared policies. Although you can
configure only one default per policy per IPsec technology, users can select different shared policies
when configuring VPNs. Thus, you might want to configure more than one shared policy that users
can select, and configure the most commonly used policy as the default policy. For more
information about how users can select different policies when configuring a VPN, see Assigning
Initial Policies (Defaults) to a New VPN Topology, page 24-58.
Although the IKEv2 Authentication policy is a mandatory policy for topologies that allow IKEv2
negotiations, there are no IKEv2 Authentication factory default settings, and you cannot create
IKEv2 Authentication shared policies. Therefore, whenever you allow IKEv2 in a topology, you
must manually configure the IKEv2 Authentication policy before the topology is valid.
The Public Key Infrastructure policy is required for IKEv1 if you configure the IKE Proposal policy
to use certificate authentication. However, there are no factory default settings for this policy, so if
you intend to use certificate authentication for IKEv1, consider creating default Public Key
Infrastructure policies.
Keep in mind that any change to a shared policy affects all VPNs that are using the policy. This
makes it easy to implement across-the-board changes that are required for every VPN. However, after
creating the VPN, the user can switch from a shared policy to a local policy, in which case any changes
to the configuration must be made specifically for that VPN topology. For more information about
shared policies, see Managing Shared Policies in Policy View, page 5-47.
These default policies do not apply when you create Extranet VPNs. With Extranet VPNs, you must
always configure the settings for mandatory policies as part of the normal wizard flow.
Step 1 Create the default policies. All default policies are shared policies.
a. In Policy view (select View > Policy View), select the policy for which you want to configure
defaults. The policies are in the Site-to-Site VPN or Remote Access VPN folders.
b. Click the Create a Policy (+) button at the bottom of the shared policy selector, enter a name for the
policy, and click OK.
c. Configure the desired settings. Click the Help (?) button in the toolbar to get reference information
about the settings available in the selected policy.
d. Repeat the process until you have created at least one shared policy for each policy for which you
want to define a default policy.