24-32
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 24 Managing Site-to-Site VPNs: The Basics
Creating or Editing VPN Topologies
Selecting Devices for Your VPN Topology
Note: This topic does not apply to Extranet VPNs. For information about selecting devices in an Extranet VPN, see Creating or Editing Extranet VPNs, page 24-63.
Use the Device Selection page (or tab) of the Create VPN wizard and Edit VPN dialog box to select the
devices to include in the VPN topology. The contents of this page differ depending on whether you are
creating or editing a hub-and-spoke, large scale DMVPN, point-to-point, or full mesh VPN topology.
Also, you cannot use this page to edit the membership in a GET VPN (instead, see Configuring GET
VPN Group Members, page 28-20 and Configuring GET VPN Key Servers, page 28-18 when working
with an existing GET VPN).
For information on opening the Create VPN wizard or Edit VPN dialog box, see Creating or Editing VPN
Topologies, page 24-28.
In most cases, the devices that are listed in the Available Devices list include only those that can be used
for the selected VPN topology type, that support the IPsec technology type, and which you are
authorized to view. In addition, the available devices depend on the selected IPsec technology—for
example, if the IPsec technology is IPsec/GRE, GRE Dynamic IP, or DMVPN, PIX Firewalls and ASA
devices are not displayed. However, the lists are not adjusted to account for the IKE versions you are
supporting in the topology. For more information, see the supported platforms described in
Understanding Devices Supported by Each IPsec Technology, page 24-9.
Tip: When selecting devices, you can select a device group to select all of the eligible devices in the group.
The following list explains how to add or remove devices based on the type of topology:

• To select devices for a full mesh VPN topology with Regular IPsec or IPsec/GRE technology, select them in the Available Devices list and click >>.

• To select devices for a full mesh VPN topology that uses the GET VPN technology:

  1. Select the devices that you want to define as key servers and click >> next to the Key Servers field.

     If you have more than one key server, use the Up and Down arrow buttons to ensure the primary key server is listed first. Group members register with the first key server in the list. If the first key server cannot be reached, they try to register with the second key server, and so on.

  2. Select the devices that you want to define as group members and click >> next to the Group Members field.

• To select devices for a hub-and-spoke VPN topology:

  1. Select the devices that you want to define as hubs (or servers in an Easy VPN configuration) and click >> next to the Hubs list.

     If you have more than one hub, ensure the hubs list is in priority order with the primary hub listed first. To change the order, select a hub and click the Up and Down arrow buttons until the device is ordered as desired.

     Note: You need to select the primary hub only when there are two or more IPsec terminators. When there is only one IPsec terminator, regardless of how many hubs are connected to the same IPsec terminator, it is not possible to designate one hub as the primary hub.
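The order of the Key Servers list (and likewise the Hubs list) is not cosmetic: whichever device is listed first becomes the one members register with, and the rest are tried in list order only if it cannot be reached. The following Python model is an added illustration, not Cisco Security Manager or GET VPN code. It assumes a hypothetical reachability probe supplied by the caller, and the device names and outage data are constructed for the example; it shows the fallback behaviour the guide describes, the effect of the Up/Down arrow buttons on the order, and a pre-deployment check that the intended primary really is listed first.

```python
"""Model of the priority order the Key Servers (and Hubs) list encodes.

Added illustration only, not Cisco Security Manager code: the
registration loop is a simplified stand-in for the real GET VPN
registration exchange, and the device names and reachability data
below are constructed for the example.
"""
from typing import Callable, List, Optional

# Constructed ordered list, as it would appear in the Key Servers field
# after arranging it with the Up/Down arrows: primary first, then the
# secondaries in the order members should fall back to them.
KEY_SERVERS: List[str] = [
    "ks-primary.example",
    "ks-secondary-1.example",
    "ks-secondary-2.example",
]


def register_group_member(key_servers: List[str],
                          reachable: Callable[[str], bool]) -> Optional[str]:
    """Return the key server a group member ends up registered with.

    Follows the behaviour the guide describes: the member tries the first
    server in the list, falls back to the second if the first cannot be
    reached, and so on. Returns None when no server is reachable.
    `reachable` is a hypothetical probe supplied by the caller.
    """
    for server in key_servers:
        if reachable(server):
            return server
    return None


def move_entry(key_servers: List[str], index: int, up: bool) -> List[str]:
    """Return a copy of the list with one entry moved Up or Down one place.

    This is what the Up and Down arrow buttons do; moving the first entry
    up or the last entry down leaves the order unchanged.
    """
    servers = list(key_servers)
    target = index - 1 if up else index + 1
    if 0 <= index < len(servers) and 0 <= target < len(servers):
        servers[index], servers[target] = servers[target], servers[index]
    return servers


def check_order(key_servers: List[str], intended_primary: str) -> List[str]:
    """Return a list of problems with the configured order (empty if fine).

    Worth running before deploying a multi-key-server topology: a
    secondary accidentally listed first silently becomes the primary,
    because members register with whichever server is listed first.
    """
    problems = []
    if not key_servers:
        problems.append("no key servers selected")
        return problems
    if key_servers[0] != intended_primary:
        problems.append(
            f"{key_servers[0]!r} is listed first and will act as primary; "
            f"expected {intended_primary!r}")
    if len(set(key_servers)) != len(key_servers):
        problems.append("duplicate key server entries")
    return problems


if __name__ == "__main__":
    # Constructed outage: the primary is down, so members fall back.
    down = {"ks-primary.example"}
    print(register_group_member(KEY_SERVERS, lambda s: s not in down))
    # Constructed mistake: a secondary was moved above the primary.
    print(check_order(move_entry(KEY_SERVERS, 1, up=True), "ks-primary.example"))
```

The `check_order` step is the part worth keeping in a change-review routine: the wizard lets you reorder the list freely and gives no warning when a secondary ends up first, so the only signal that the primary changed is the members registering somewhere unexpected.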