24-13
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 24 Managing Site-to-Site VPNs: The Basics
Understanding IPsec Technologies and Policies
Step 2 If desired, create defaults for the VPN endpoints. These defaults are interface role objects, which identify
the interface names used for VPN connections (for example, GigabitEthernet0/1). Create separate roles
for internal and external VPN interfaces.
a. Select Manage > Policy Objects to open the Policy Object Manager, page 6-4.
b. Select Interface Roles from the table of contents.
c. Click the New Object (+) button, enter the interface name patterns that identify the most commonly
used interfaces for VPN internal or external interfaces in your network, and click OK.
For more information about interface roles and the wildcards you can use to configure them, see
Understanding Interface Role Objects, page 6-67 and Creating Interface Role Objects, page 6-68.
Step 3 Submit the policies and policy objects to the database. You will have to resolve any validation errors.
In non-Workflow mode, select File > Submit.
In Workflow mode without an activity approver, select Activities > Approve Activity.
In Workflow mode with an activity approver, select Activities > Submit Activity. You will have to
wait for the activity to be approved before you can select the policies and objects as defaults.
Step 4 Select your newly-configured policies and policy objects as VPN policy defaults.
a. Select Tools > Security Manager Administration, and then select VPN Policy Defaults from the
table of contents (see VPN Policy Defaults Page, page 11-53).
b. Select the desired tabs, then select the policies you configured from the drop-down lists for each of
the mandatory or optional policies for which you configured defaults.
On the S2S Endpoints tab, select the appropriate interface role objects.
c. Click Save to save your defaults.
The next time a user runs the Create VPN wizard, the defaults you selected will be used as the
wizard’s defaults. Users can select any other shared policy or interface role to override the default.
Using Device Overrides to Customize VPN Policies
Many VPN policies use Security Manager policy objects in their configuration. Policy objects are
containers that allow you to create reusable configurations.
Because a VPN policy applies to every device in a VPN topology, you might need to make modifications
to a policy object used in a policy for certain devices within the VPN topology. There might even be
situations where you need to make modifications for all devices within a topology. You accomplish these
modifications with device-level overrides on the policy objects.
For example, when defining a PKI policy, you need to select a PKI enrollment object. If the hub of your
VPN uses a different CA server than the spokes, you must use device-level overrides to specify the CA
server used by the hub. Although the PKI policy references a single PKI enrollment object, the actual
CA server represented by this object differs for the hub, based on the device-level override you define.
To enable a policy object to be overridden, you must select the Allow Override per Device option in the
policy object definition. You can then create device-level overrides. For more information about
overriding a VPN policy object at the device level, see the following topics:
Understanding Policy Object Overrides for Individual Devices, page 6-17
Allowing a Policy Object to Be Overridden, page 6-18
Creating or Editing Object Overrides for a Single Device, page 6-18
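The override behaviour described above (one shared policy object, a per-device value for the hub, and the Allow Override per Device gate) can be modelled in a few lines. This is an added illustration, not Security Manager code; the object name, device names and CA hostnames are constructed for the example.

```python
"""Illustrative model of device-level policy object overrides (added example,
not Cisco Security Manager code; all names and hostnames are constructed)."""
from dataclasses import dataclass, field


class OverrideNotAllowed(Exception):
    """Raised when an override is defined on an object that does not allow it."""


@dataclass
class PolicyObject:
    """A reusable configuration container, e.g. a PKI enrollment object.

    `value` is the shared definition used by every device in the topology;
    `overrides` maps a device name to the device-level value that replaces it.
    Overrides are accepted only when `allow_override_per_device` is set, which
    mirrors the Allow Override per Device option in the object definition.
    """
    name: str
    value: str
    allow_override_per_device: bool = False
    overrides: dict = field(default_factory=dict)

    def add_override(self, device: str, value: str) -> None:
        """Record a device-level override, refusing it if the object is locked."""
        if not self.allow_override_per_device:
            raise OverrideNotAllowed(
                f"{self.name}: enable 'Allow Override per Device' first")
        self.overrides[device] = value

    def resolve(self, device: str) -> str:
        """Value deployed to `device`: its override if one exists, else the shared value."""
        return self.overrides.get(device, self.value)


def resolve_topology(obj: PolicyObject, devices: list) -> dict:
    """Effective value of `obj` for every member of the VPN topology."""
    return {d: obj.resolve(d) for d in devices}


if __name__ == "__main__":
    # Constructed example: the PKI policy references one enrollment object,
    # but the hub enrolls against a different CA server than the spokes.
    ca = PolicyObject("branch-pki", "ca-spokes.example.net",
                      allow_override_per_device=True)
    ca.add_override("hub", "ca-hub.example.net")
    print(resolve_topology(ca, ["hub", "spoke1", "spoke2"]))
```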