24-51
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 24 Managing Site-to-Site VPNs: The Basics
Creating or Editing VPN Topologies
Related Topics
Hub-and-Spoke VPN Topologies, page 24-2
Understanding Easy VPN, page 27-1
Defining GET VPN Group Encryption
Use the GET VPN Group Encryption page to define the group settings and security associations for a
GET VPN topology.
The contents of this page differ depending on whether you are using the Create VPN wizard or you are
editing the Group Encryption Policy. The wizard page is not tabbed, whereas the policy is tabbed. There
is an extra field on the wizard page to allow the security association configuration.
To open the GET VPN Group Encryption page:
When creating a new GET VPN, use the Create VPN wizard. For information on starting the wizard,
see Creating or Editing VPN Topologies, page 24-28.
(Site-to-Site VPN Manager Window) Select an existing GET VPN topology and then select Group
Encryption Policy in the Policies selector.
(Policy view) Select Site-to-Site VPN > Group Encryption Policy, and then select an existing
policy or create a new one.
The following table describes the options you can configure when defining the GET VPN group
encryption settings.
Table 24-11 High Availability Page (Continued)
Element: Enable Stateful Failover
Description: Whether to enable stateful failover, which uses Stateful SwitchOver (SSO) to ensure that
state information is shared between the HSRP devices in the HA group. If a device fails, the shared
state information enables the standby device to maintain IPsec sessions without having to re-establish
the tunnel or renegotiate the security associations.
You can configure stateful failover only on an HA group that contains two hubs that are Cisco IOS
routers. This check box is disabled if the HA group contains more than two hubs.
In an Easy VPN topology, this check box appears selected and disabled, because stateful failover must
always be configured.
Tips:
When deselected in a Regular IPsec topology, stateless failover is configured on the HA group.
Stateless failover is also configured if the HA group contains more than two hubs. You can configure
stateless failover on Cisco IOS routers or Catalyst 6500/7600 devices.
Stateful failover cannot be used when RSA Signature is the IKE authentication method.
Stateful failover can be configured together with PKI configuration, but only on devices with Cisco IOS
version 12.3(14)T and later.