26-5
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter2 6 GRE and DM VPNs
GRE and Dynamic GRE VPNs

Understanding GRE Configuration for Dynamically Addressed Spokes

When a spoke has a dynamic IP address, there is no fixed GRE tunnel source address (to be used by the
GRE tunnel on the spoke side) or destination address (to be used by the GRE tunnel on the hub side).
Therefore, Security Manager creates additional loopback interfaces on the hub and the spoke, to be used
as the GRE tunnel endpoints. You must specify a subnet from which Security Manager can allocate an
IP address for the loopback interfaces.
Note GRE Dynamic IP can only be configured on Cisco IOS routers and Catalyst 6500/7600 devices in
hub-and-spoke VPN topologies.
Security Manager uses the Cisco Configuration Engine to retrieve device IP addresses and other
information from dynamically addressed devices. Devices that have dynamic IP addresses connect to the
Configuration Engine manager at periodic intervals to upgrade device configuration files and to pass
device and status information.
For more information, see Adding, Editing, or Deleting Auto Update Servers or Configuration Engines,
page 3-35.
Note You can configure the GRE Dynamic IP settings in the GRE Modes page when GRE Dynamic IP is the
selected IPsec technology.
Related Topics
Understanding GRE, page 26-2
Configuring GRE Modes for GRE or GRE Dynamic IP VPNs, page 26-6
Configuring IPsec GRE VPNs
To configure an IPsec GRE (generic routing encapsulation) VPN, use the Create VPN wizard as
described in Creating or Editing VPN Topologies, page24-28. You can also edit the membership of the
VPN, or some of its policies, using the described procedures. If you are creating a hub-and-spoke VPN
with dynamically addressed spokes, also see Understanding GRE Configuration for Dynamically
Addressed Spokes, page 26-5.
If you need to make changes to other policies and settings, open the policies from the Site-to-Site
Manager page, as follows:
For ISAKMP and IPSec settings, select VPN Global Settings. See Configuring VPN Global
Settings, page 25-29.
For IKE proposal policies, select IKE Proposal. See Configuring an IKE Proposal, page25-9.
For IPSec proposals, select IPsec Proposal. See Configuring IPsec Proposals in Site-to-Site VPNs,
page 25-21.
For preshared key policies, select IKEv1 Preshared Key. See Configuring IKEv1 Preshared Key
Policies, page 25-44.
For public key (PKI) policies, select Public Key Infrastructure. See Configuring IKEv1 Public
Key Infrastructure Policies in Site-to-Site VPNs, page 25-50.
For Generic Routing Encapsulation configuration, select GRE Modes. See Configuring GRE
Modes for DMVPN, page 26-12.