24-35
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 24 Managing Site-to-Site VPNs: The Basics
Creating or Editing VPN Topologies
topology where the hub is a Catalyst 6500/7600 device that has these modules installed. For
more information, see Configuring a Firewall Services Module (FWSM) Interface with VPNSM
or VPNSPA/VSPA, page 24-45.
VRF Aware IPsec tab—To configure a VRF-Aware IPsec policy on a hub (IPsec Aggregator)
in a hub-and-spoke VPN topology. For more information, see Configuring VRF Aware IPsec
Settings, page 24-46 and Understanding VRF-Aware IPsec, page 24-14.
To view the actual interfaces associated with an interface role for each device, select Matching
Interfaces in the Show list beneath the table. If there are no matching interfaces, “No Match” is
displayed. The default is to show the interface role policy object names. To create a valid VPN, these
roles must match actual interfaces defined on the device.
Related Topics
Table Columns and Column Heading Features, page 1-46
Filtering Tables, page 1-45
Configuring VPN Interface Endpoint Settings
Use the VPN Interface tab in the Edit Endpoints dialog box to edit the VPN interfaces defined for devices
in the Endpoints table. When defining a primary VPN interface for a router device, you can also
configure a backup interface to use as a fallback link for the primary route VPN interface if its
connection link becomes unavailable. You can configure a backup interface on a Cisco IOS security
router that is in a point-to-point or full mesh topology, is a spoke in a hub-and-spoke topology,
or is a remote client in an Easy VPN topology. For more information, see Configuring Dial Backup,
page 24-39.
Tips
If the device is a hub in a large scale DMVPN, this tab is called Hub Interface. Specify the interface
that is connected to the IPsec Terminator in the Hub Interface Toward the IPsec Terminator field.
Enter the name of the interface or interface role, or click Select to select it from a list. For more
information, see Configuring Large Scale DMVPNs, page 26-16.
If the device is a Catalyst 6500/7600 device, the VPN Interface tab provides settings that enable you
to configure a VPN Services Module (VPNSM) or a VPNSPA/VSPA blade on the device. For a
description of the elements that appear on the VPN Interface tab for a Catalyst 6500/7600 device,
see Configuring VPNSM or VPN SPA/VSPA Endpoint Settings, page 24-41. The table below
assumes the device is not a Catalyst 6500/7600 device.
Navigation Path
On the Endpoints Page of the Create VPN wizard or Edit VPN dialog box, or on the VPN Peers policy,
select a device and click Edit to open the Edit Endpoints Dialog Box. Select the VPN Interfaces tab in
the Edit Endpoints dialog box. For information on how to access these pages and dialog boxes, see
Defining the Endpoints and Protected Networks, page 24-33.