24-59
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 24 Managing Site-to-Site VPNs: The Basics
Creating or Editing VPN Topologies
The initial defaults listed in this page are configured in the Security Manager Administration VPN
Policy Defaults Page, page 11-53. If no specific default was configured for a mandatory policy, the
Factory Default policy is selected. For more information about configuring default policies, see
Understanding and Configuring VPN Default Policies, page 24-12.
The shared policies listed are only those that have been committed to the database. For example, if
you create a new shared IPsec Proposal policy before using the Create VPN wizard, but you do not
submit (and have approved, if necessary) the policy beforehand, the new policy does not appear in
the list. Ensure that you submit policies before creating a VPN if you need to use the new policies.
If a policy is mandatory, you must make a selection. If there are no shared policies, Factory Default
is your only option. You can always edit the policy after you create the topology.
Note: If you try to select a shared policy that is currently locked by another user, a message is
displayed warning you of a lock problem. To bypass the lock, select a different policy or
cancel the VPN topology creation until the lock is removed. For more information, see
Understanding Policy Locking, page 5-7.
If a policy is optional, and there are no shared policies, you cannot select anything. If you want the
features provided by that policy, configure it after you finish creating the topology.
To view the contents of the policy in a read-only dialog box, select the policy and click the View
Contents button beside the policy list.
If you are creating a topology that supports IKEv2 only, the Create VPN wizard will still create
either an IKEv1 Preshared Key or IKEv1 Public Key Infrastructure policy according to your
selection. There are no default configurations for IKEv2 Authentication policies. Whenever you
choose to support IKEv2, you must manually edit the IKEv2 Authentication policy after creating the
VPN to define at least the global IKEv2 settings. You can also create peer-specific IKEv2 overrides.
When supporting IKEv2 only, you can unassign the IKEv1-specific policies created by the wizard.
When you are done, click Finish to create the new VPN topology. The new VPN topology appears in the
VPNs selector in the Site-to-Site VPN window, with the VPN Summary page displayed. See Viewing a
Summary of a VPN Topology’s Configuration, page 24-59.
Viewing a Summary of a VPN Topology’s Configuration
Use the VPN Summary page to view a summary of the configuration of a selected VPN topology. This
includes information about the type of VPN topology, its devices, the assigned technology, and specific
policies that are configured in it. The summary page is opened automatically after you create a VPN
topology. When creating an Extranet VPN, it is also shown as the final step of the Create Extranet VPN
wizard.
To open the VPN Summary page for a VPN topology:
• (Site-to-Site VPN Manager Window, page 24-18) Select the VPN topology, then select VPN
Summary from the Policies list.
• (Device view) Select a device that participates in the VPN and select the Site-to-Site VPN policy
from the Policies list. Select the VPN topology, then click the Edit VPN Policies button. This opens
the Site-to-Site VPN Manager window with the topology selected, where you can select VPN
Summary from the Policies list.
The following table describes the information shown on this page.