24-65
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 24 Managing Site-to-Site VPNs: The Basics
Creating or Editing Extranet VPNs
Protected Networks—The networks that the device is protecting for this VPN. Click Select to
display the Protected Network Selection dialog box in which you can specify the protected
networks using an interface name, interface role object, network/host group object, or ACL
object. You can also use the Protected Network Selection dialog box to define new network/host
group or ACL objects.
Note You can also edit the local device endpoint settings as described in Defining the
Endpoints and Protected Networks, page 24-33. The settings are similar to these, with
the added ability to define interface role objects.
Remote—This is the device that you are not managing in Security Manager. Configure all of these
properties:
Name—The name of the device, equivalent to the display name used in the Security Manager
inventory.
IP Address—The IP address of the VPN interface on the device.
Protected Networks—The networks that the device is protecting for this VPN. Click Select to
display the Protected Network Selection dialog box in which you can specify the protected
networks using a network/host group object or ACL object. You can also use the Protected
Network Selection dialog box to define new network/host group or ACL objects.
Note You can also edit the remote device endpoint settings as described in Defining the
Endpoints and Protected Networks, page 24-33. However, the settings are identical to
these, and you cannot specify the protected networks using an interface name or
interface role object.
In the wizard, click Next. In the Edit VPN dialog box, you are finished; to edit the remaining
characteristics, you must edit the IKE Proposal, IPsec Proposal, IKEv1 Preshared Key, IKEv1 Public
Key Infrastructure, IKEv2 Authentication, and VPN Global Settings policies to change the settings
described in the next step.
Step 4 On the IKE Proposal page of the Create Extranet VPN wizard, define the IKE proposal, the IPsec
proposal, and either the preshared key or the certificate:
Select IKEv1 or IKEv2. You can use IKEv2 on ASA 5500 series devices running release 8.4(x)
only.
If you want to change IKE versions after creating the Extranet VPN, you must edit all of these
policies to unassign or replace the old configuration while configuring options for the desired
version: IKE Proposal, IPsec Proposal, IKEv1 Preshared Key, IKEv1 Public Key Infrastructure,
IKEv2 Authentication, VPN Global Settings. For information on how IKEv1 and IKEv2 differ, see
Comparing IKE Version 1 and 2, page 25-4.
Configure the IKE Phase 1 Proposal parameters. These parameters will be used to create an IKE
proposal policy object with the name ExtranetName_ikeBB. For an explanation of the parameters,
see Configuring IKEv1 Proposal Policy Objects, page 25-10 or Configuring IKEv2 Proposal Policy
Objects, page 25-13.
To edit these values after creating the VPN, you simply need to edit the object. You can edit the
object in the Policy Object Manager or directly through the IKE Proposal policy for the VPN.
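The choices made in this step (IKE version, IKE proposal, IPsec proposal, preshared key, and the protected networks from Step 3) end up as crypto configuration on the managed ASA. The fragment below is an added, hand-written illustration of an IKEv2 site-to-site (extranet) configuration for an ASA 5500 running 8.4(x); it is not output generated by Security Manager and not taken from this guide. The addresses (local 10.1.0.0/16, remote peer 203.0.113.10 protecting 192.168.50.0/24), the object and policy names, and the preshared-key placeholder are all constructed.

```text
! --- IKE Phase 1 (corresponds to the IKE Proposal policy / ExtranetName_ikeBB object)
! Algorithm values are illustrative; they must match what the unmanaged remote peer supports,
! and the set of accepted algorithms depends on the ASA release.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 14
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside

! --- IPsec Phase 2 (corresponds to the IPsec Proposal policy)
crypto ipsec ikev2 ipsec-proposal EXTRANET-AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1

! --- Protected networks (the ACL object chosen in the Protected Network Selection dialog box)
access-list EXTRANET-CRYPTO extended permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0

! --- Bind peer, traffic selector and proposal to the VPN interface
crypto map OUTSIDE-MAP 10 match address EXTRANET-CRYPTO
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal EXTRANET-AES256
crypto map OUTSIDE-MAP interface outside

! --- Authentication (corresponds to the IKEv2 Authentication policy, preshared-key variant)
! The remote peer's IP address from Step 3 names the tunnel group.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PRESHARED-KEY-PLACEHOLDER>
 ikev2 local-authentication pre-shared-key <PRESHARED-KEY-PLACEHOLDER>
```

When changing IKE versions as described above, the IKEv2-specific lines (crypto ikev2 policy, ikev2 ipsec-proposal, and the ikev2 authentication attributes) are what must be unassigned or replaced; the crypto map and protected-network ACL carry over.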