26-12
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 26 GRE and DM VPNs
Dynamic Multipoint VPNs (DMVPN)
Configuring DMVPN
To configure a hub-and-spoke Dynamic Multipoint VPN, use the Create VPN wizard as described in
Creating or Editing VPN Topologies, page 24-28. You can also edit the membership of the VPN, or some
of its policies, using the described procedures. If you are creating a Large Scale DMVPN, also see
Configuring Large Scale DMVPNs, page 26-16.
If you need to make changes to other policies and settings, open the policies from the Site-to-Site
Manager page, as follows:
• For ISAKMP and IPSec settings, select VPN Global Settings. See Configuring VPN Global Settings, page 25-29.
• For IKE proposal policies, select IKE Proposal. See Configuring an IKE Proposal, page 25-9.
• For IPSec proposals, select IPsec Proposal. See Configuring IPsec Proposals in Site-to-Site VPNs, page 25-21.
• For preshared key policies, select IKEv1 Preshared Key. See Configuring IKEv1 Preshared Key Policies, page 25-44.
• For public key (PKI) policies, select Public Key Infrastructure. See Configuring IKEv1 Public Key Infrastructure Policies in Site-to-Site VPNs, page 25-50.
• For Generic Routing Encapsulation configuration, including the selection of phase 2 or 3 connections between spokes, select GRE Modes. See Configuring GRE Modes for DMVPN, page 26-12.
• For server load balancing policies that are used with Large Scale DMVPN, select Server Load Balance. See Configuring Server Load Balancing in Large Scale DMVPN, page 26-17.
Related Topics
• Understanding IKE, page 25-5
• Understanding DMVPN, page 26-10
• Enabling Spoke-to-Spoke Connections in DMVPN Topologies, page 26-10
• Advantages of DMVPN with GRE, page 26-11
Configuring GRE Modes for DMVPN
Use the GRE Modes policy to define the routing and tunnel parameters for IPsec tunneling in a DMVPN.
To open the GRE Modes policy:
• (Site-to-Site VPN Manager Window, page 24-18) Select a DMVPN or Large Scale DMVPN topology, then select GRE Modes from the policies list.
• (Policy view) Select Site-to-Site VPN > GRE Modes, and create a new policy or select an existing policy. Then, select either DMVPN or Large Scale DMVPN from the GRE Method list.
The following table describes the elements on the GRE Modes page for configuring a DMVPN.
Note: When configuring a DMVPN routing policy, Security Manager adds a routing protocol to all the devices
in the secured IGP, on deployment. If you want to maintain this secured IGP, you must create a router
platform policy (on each member device) using the same routing protocol and autonomous system (or
process ID) number as defined in the GRE Modes policy.