25-21
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 25 Configuring IKE and IPsec Policies
Understanding IPsec Proposals
For dynamic crypto maps, routes are created upon the successful establishment of IPsec security
associations (SAs) for those remote proxies. The next hop back to those remote proxies is through
the remote VPN router whose address is learned and applied during the creation of the dynamic
crypto map template. The routes are deleted after the SAs are deleted.
The Remote Peer option (available for IOS devices only) enables you to specify an interface or
address as the explicit next hop to the remote VPN device. Two routes are created. The first is the
standard route to the remote proxy ID, with the remote VPN client tunnel address as the next hop. The
second is the actual route to the remote tunnel endpoint; it forces a recursive lookup so that the
remote endpoint is reachable through the specified next hop. Creating this second route for the actual
next hop is especially important for VRF-Aware IPsec, where a default route must be overridden by a
more explicit route.
Note For devices using a VPN Services Module (VPNSM), the next hop is the interface or
subinterface/VLAN on which the crypto map is applied.
In the case of Remote Peer IP (available for IOS devices only), one route is created to a remote proxy
by way of a user-defined next hop. The next hop can be used to override a default route to properly
direct outgoing encrypted packets. This option reduces the number of routes created and supports
those platforms that do not readily facilitate route recursion.
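The three route-injection behaviors described above, modeled as an added Python illustration (this is not Cisco Security Manager or IOS code; the route table, the interface names Gi0/0 and Gi0/1, and the addresses are constructed assumptions). It shows which routes each option injects for one SA, how the host route created by the Remote Peer option overrides a default route for the tunnel endpoint, and that the routes disappear when the SA is deleted:

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str  # next-hop address or outgoing interface name
    origin: str    # "static" or the id of the IPsec SA that injected it

@dataclass
class RouteTable:
    routes: list = field(default_factory=list)
    def lookup(self, dst):
        """Longest-prefix match, as a forwarding lookup would do."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

def rri_routes(sa_id, remote_proxy, remote_peer, mode, next_hop=None):
    """Routes injected for one SA: 'standard' = proxy via peer tunnel address;
    'remote-peer' = that route plus a host route to the peer via next_hop;
    'remote-peer-ip' = proxy directly via next_hop (no recursion needed)."""
    proxy = ipaddress.ip_network(remote_proxy)
    if mode == "standard":
        return [Route(proxy, remote_peer, sa_id)]
    if next_hop is None:
        raise ValueError("remote-peer modes require an explicit next hop")
    if mode == "remote-peer":
        endpoint = ipaddress.ip_network(remote_peer)  # host route (/32)
        return [Route(proxy, remote_peer, sa_id), Route(endpoint, next_hop, sa_id)]
    if mode == "remote-peer-ip":
        return [Route(proxy, next_hop, sa_id)]
    raise ValueError(f"unknown RRI mode {mode!r}")

def sa_established(table, sa_id, remote_proxy, remote_peer, mode, next_hop=None):
    table.routes.extend(rri_routes(sa_id, remote_proxy, remote_peer, mode, next_hop))

def sa_deleted(table, sa_id):
    """Routes injected for an SA are withdrawn once the SA is deleted."""
    table.routes = [r for r in table.routes if r.origin != sa_id]

def demo(mode):
    """Constructed scenario: the default route (Gi0/0) is the wrong path to the
    peer; returns next hops for proxy and peer while the SA is up, then after."""
    table = RouteTable([Route(ipaddress.ip_network("0.0.0.0/0"), "Gi0/0", "static")])
    sa_established(table, "sa1", "10.2.0.0/24", "203.0.113.7", mode, next_hop="Gi0/1")
    up = (table.lookup("10.2.0.5").next_hop, table.lookup("203.0.113.7").next_hop)
    sa_deleted(table, "sa1")
    return up, table.lookup("10.2.0.5").next_hop
```

Running `demo("remote-peer")` shows the endpoint 203.0.113.7 resolved through Gi0/1 rather than the default route, which is the override the VRF-Aware IPsec case depends on.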
Related Topics
Understanding IPsec Proposals, page 25-17
Understanding Crypto Maps, page 25-18
Configuring IPsec Proposals in Site-to-Site VPNs, page 25-21
Configuring IPsec Proposals in Site-to-Site VPNs
Use the IPsec Proposal page to configure the IPsec proposal used during IKE Phase 2 negotiations for
site-to-site VPN topologies with the exception of Easy VPN topologies.
IPsec proposals used with Easy VPN topologies, and with remote access VPNs, are significantly
different from the basic site-to-site proposal explained in this topic. For information on IPsec proposals
in these other topologies, see the following topics:
Configuring an IPsec Proposal for Easy VPN, page 27-10
Configuring an IPsec Proposal on a Remote Access VPN Server (ASA, PIX 7.0+ Devices), page 30-33
Configuring an IPsec Proposal on a Remote Access VPN Server (IOS, PIX 6.3 Devices), page 32-3
Navigation Path
(Site-to-Site VPN Manager Window, page 24-18) Select a non-Easy VPN topology in the VPNs
selector, then select IPsec Proposal in the Policies selector. If necessary, click the IPsec Proposal
tab.
(Policy view) Select Site-to-Site VPN > IPsec Proposal from the Policy Types selector. Select an
existing shared policy or create a new one.
Related Topics
Understanding IKE, page 25-5