24-33
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 24 Managing Site-to-Site VPNs: The Basics
Creating or Editing VPN Topologies
Select the devices that you want to define as spokes (or clients in an Easy VPN configuration)
and click >> next to the Spokes list.
If you are configuring a Large Scale DMVPN with IPsec Terminator topology, you must also
select the Catalyst 6500/7600 devices you want to be IPsec Terminators in your Large Scale
DMVPN configuration. If you select more than one IPsec Terminator, use the Up and Down
arrow buttons to put them in priority order. For more information, see Configuring Large Scale
DMVPNs, page 26-16.
To select devices for a point-to-point VPN topology:
From the Devices list, select a device to be Peer One and click >>.
Select another device to be Peer Two and click >>.
To remove devices (any topology or technology combination), select them from one of the
selected devices lists and click << to move them back to the Available Devices list.
If you are editing an existing VPN topology, you can remove devices from the VPN topology, but
you cannot save your changes if your device selections result in an invalid VPN configuration. When
removing devices, you should be aware of the following:
You cannot remove a device if it is the only hub in a hub-and-spoke VPN topology, unless you
replace it with a different hub.
You cannot remove a device that is one of the two devices in a point-to-point VPN topology,
unless you replace it with a different device.
In a VPN topology with multiple hub devices, deleting a hub removes the tunnels that terminated
on that hub.
If some, but not all, spokes in a VPN topology are deleted, the hub side crypto statements
change to reflect the removal.
GET VPNs must have at least one key server and one group member.
Related Topics
Including Unmanaged or Non-Cisco Devices in a VPN, page 24-11
Defining the Endpoints and Protected Networks
Use the Endpoints page of the Create VPN wizard and Edit VPN dialog box, or the Peers policy, to view
the devices in your VPN topology and to define or edit their VPN characteristics and features. You are
primarily defining the external or internal VPN interfaces and the protected networks for the devices in
the VPN topology. The VPN interfaces are the interfaces on which the tunnels terminate and that encrypt
and decrypt the tunneled traffic. The protected networks are the networks whose traffic is sent through
the tunnel and is therefore encrypted.
To get to the Endpoints page, do any of the following:
Open the Create VPN wizard or the Edit VPN dialog box; for the procedure, see Creating or Editing
VPN Topologies, page 24-28.
In the Site-to-Site VPN Manager, select the desired VPN topology (except GET VPN topologies)
and select the Peers policy.