24-26
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 24 Managing Site-to-Site VPNs: The Basics
Site-To-Site VPN Discovery
If you want to maintain your original definitions, or create a new VPN that has spokes with different
definitions, you can choose one of two approaches:
• Define multiple VPN topologies in Security Manager, where each topology includes spokes containing matching spoke definitions.
• Define a FlexConfig policy that contains the specialized definition, then assign the policy to the spokes that require this definition, as described in the following procedure.
Related Topics
Creating a New Shared Policy, page 5-51
Creating FlexConfig Policy Objects, page 7-27
Modifying Policy Assignments in Policy View, page 5-51
Site-To-Site VPN Discovery, page 24-19
Discovering Site-to-Site VPNs, page 24-24
VPN Discovery Rules, page 24-21
Step 1 Create a shared FlexConfig policy in Policy view:
a. Select View > Policy View.
b. Right-click FlexConfigs in the Policy Type selector, then select New FlexConfigs Policy.
c. Enter a name for the policy and click OK.
Step 2 Define the FlexConfig policy by creating and selecting a FlexConfig object:
a. In the work area of Policy view, click the Add button on the Details tab.
b. In the FlexConfigs Selector, click the Create button in the lower-left corner of the window to open the Add or Edit FlexConfig Dialog Box, page 7-29.
c. Define an appended FlexConfig object that contains the required client definition. For example, to
define the client mode on an Easy VPN spoke, enter the following commands:
crypto ipsec client ezvpn CSM_EASY_VPN_CLIENT_1
mode client
exit
d. After you create the FlexConfig object, add it to the FlexConfig policy using the selector.
Step 3 In the work area of Policy view, use the Assignments tab to select the spokes to which this policy should
be assigned, then click Save.
Step 4 Deploy the policy.
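Before deciding which spokes need the FlexConfig policy described above, it helps to know which spokes actually carry a mode definition that differs from the one Security Manager will apply to the whole topology. The following script is an added example and is not part of the Cisco guide or of Security Manager; it parses the running-config text of a spoke (as exported from the device) and reports the mode of each Easy VPN client profile. The sample configuration, and the profile names BRANCH_NE and BRANCH_DEFAULT, are constructed for this example; CSM_EASY_VPN_CLIENT_1 is the profile name used in the procedure above.

```python
import re
from typing import Dict, Optional

# Constructed running-config excerpt from a hypothetical spoke router.
# Profile names other than CSM_EASY_VPN_CLIENT_1, the group/key values and
# the peer address are made up for this example.
SAMPLE_CONFIG = """\
!
crypto ipsec client ezvpn CSM_EASY_VPN_CLIENT_1
 connect auto
 group SPOKE_GROUP key 0 SPOKEKEY
 mode client
 peer 192.0.2.1
 xauth userid mode interactive
!
crypto ipsec client ezvpn BRANCH_NE
 connect auto
 group SPOKE_GROUP key 0 SPOKEKEY
 mode network-extension
 peer 192.0.2.1
!
crypto ipsec client ezvpn BRANCH_DEFAULT
 connect auto
 peer 192.0.2.1
!
interface FastEthernet0/0
 crypto ipsec client ezvpn CSM_EASY_VPN_CLIENT_1 outside
!
"""

PROFILE_RE = re.compile(r"crypto ipsec client ezvpn (\S+)$")
MODE_RE = re.compile(r"\s+mode (\S+)$")


def parse_ezvpn_modes(config: str) -> Dict[str, Optional[str]]:
    """Return {profile_name: mode} for every 'crypto ipsec client ezvpn' block.

    The mode is None when the block contains no 'mode' command; the check
    deliberately does not assume what default IOS applies in that case.
    Indented 'crypto ipsec client ezvpn <name> outside|inside' lines under an
    interface bind a profile rather than define one, so they are ignored.
    """
    modes: Dict[str, Optional[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None  # '!' or a blank line terminates the current block
            continue
        if not line.startswith(" "):
            # Any top-level command ends the previous block; start a new one
            # only for a profile definition.
            current = None
            match = PROFILE_RE.match(line)
            if match:
                current = match.group(1)
                modes.setdefault(current, None)
            continue
        if current is not None:
            match = MODE_RE.match(line)
            if match:
                modes[current] = match.group(1)
    return modes


def spokes_needing_flexconfig(config: str, topology_mode: str) -> Dict[str, Optional[str]]:
    """Profiles whose mode differs from the mode the VPN topology will push.

    A profile with no explicit mode is reported as well (value None), since
    discovery will not preserve an implicit setting the text never stated.
    """
    return {
        name: mode
        for name, mode in parse_ezvpn_modes(config).items()
        if mode != topology_mode
    }


if __name__ == "__main__":
    for name, mode in spokes_needing_flexconfig(SAMPLE_CONFIG, "client").items():
        print(f"{name}: mode={mode or '(not set)'} -> assign specialized FlexConfig")
```

Run the script against each spoke's exported configuration with the mode your topology uses as `topology_mode`; every profile it lists is a candidate for the specialized FlexConfig policy (or for its own topology), and a profile reported with no mode at all is worth confirming on the device before discovery rather than assuming it matches.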
Rediscovering Site-to-Site VPNs
You can rediscover the configurations of existing VPN topologies that are already managed with Security Manager so that you do not have to recreate policy changes in the application.
The same rules by which Security Manager translates and discovers VPN configurations apply also to
rediscovery. However, you can perform rediscovery only on devices that participate in a VPN topology,
and you cannot make any changes to the IPsec technology or topology type. Only the configurations of