User Guide for Cisco Security Manager 4.4 (OL-28826-01)
Chapter 27 Easy VPN
Related Topics
Understanding Easy VPN, page 27-1
Configuring an IPsec Proposal for Easy VPN, page 27-10
Configuring a Connection Profile Policy for Easy VPN
A connection profile consists of a set of records that contain IPsec tunnel connection policies.
Connection profiles, also called tunnel groups, identify the group policy for a specific connection and
include user-oriented attributes. If you do not assign a particular group policy to a user, the default group
policy for the connection applies. For a connection to succeed, the username of the remote client must
exist in the user database; otherwise the connection is denied.
In site-to-site VPNs, you configure connection profile policies on an Easy VPN server, which can be a
PIX Firewall version 7.0+ or an ASA 5500 series device. The Easy VPN connection profile policy is
similar to the one used for remote access VPNs. You can unassign the connection profile policy if none
of the Easy VPN servers are ASA or PIX 7.0+ devices.
Creating a connection profile policy involves specifying:
The group policy—A collection of user-oriented attributes stored either internally on the device or
externally on a RADIUS or LDAP server.
Global AAA settings—The authentication, authorization, and accounting (AAA) servers.
Address assignment—The DHCP servers to be used for client address assignment, and the address
pools from which IP addresses are assigned.
IKE and IPsec settings—Internet Key Exchange (IKE) and IPsec parameters, such as the preshared key.
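The following hand-written ASA configuration is an added illustration, not text from the original guide and not the exact command set that Security Manager generates when it deploys the policy. It shows how the four parts of a connection profile policy listed above appear on an ASA 5500 Easy VPN server. All object names, addresses, the access list and the keys are assumed placeholders.

```cisco
! Address assignment: pool from which Easy VPN clients receive an address (assumed range)
ip local pool EZVPN-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! Global AAA: RADIUS server group used for Xauth user authentication (assumed name/address).
! The remote client's username must exist on this server, or the connection is denied.
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 10.1.1.10
 key RadiusSharedSecret

! Networks reachable through the tunnel when split tunneling is used (assumed)
access-list SPLIT-ACL standard permit 10.1.0.0 255.255.0.0

! Group policy: user-oriented attributes stored internally on the device
group-policy EZVPN-GP internal
group-policy EZVPN-GP attributes
 vpn-tunnel-protocol ikev1
 dns-server value 10.1.1.53
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-ACL

! Connection profile (tunnel group): ties pool, AAA server and default group policy together
tunnel-group EZVPN-TG type remote-access
tunnel-group EZVPN-TG general-attributes
 address-pool EZVPN-POOL
 authentication-server-group RADIUS-SRV
 default-group-policy EZVPN-GP
! To assign addresses from a DHCP server instead of the pool, use:
!  dhcp-server 10.1.1.20

! IKE settings: the group preshared key that the Easy VPN client presents
tunnel-group EZVPN-TG ipsec-attributes
 ikev1 pre-shared-key GroupPreSharedKey
```

The `ikev1 pre-shared-key` and `vpn-tunnel-protocol ikev1` forms are ASA 8.4 and later syntax; on earlier ASA and PIX 7.x software the equivalent commands are `pre-shared-key` and `vpn-tunnel-protocol ipsec`. A user with no specific group policy assigned (for example through a RADIUS attribute) receives `EZVPN-GP` because it is the tunnel group's default group policy.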
Field Reference
Table 27-4 Easy VPN IPsec Proposal, Dynamic VTI Tab
Element: Enable Dynamic VTI
Description: When selected, enables Security Manager to implicitly create a dynamic virtual template
interface on the device.
If the device is a hub server that does not support Dynamic VTI, a warning message is displayed and a
crypto map is deployed without dynamic VTI. If a client device does not support Dynamic VTI, an error
message is displayed.
Element: Virtual Template IP
Description: If you are configuring Dynamic VTI on a hub in the topology, specify either the subnet
address or an interface role:
Subnet—To use an IP address taken from a pool of addresses. Enter the private IP address including
the subnet mask, for example 10.1.1.0/24.
Interface Role—To use a physical or loopback interface on the device. If required, click Select to open
the Interface selector, where you can select the interface role object that identifies the desired
interface. If an appropriate object does not already exist, you can create one in the selection dialog box.
If you are configuring Dynamic VTI on a spoke in the topology, select None.
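As an added illustration that is not part of the original guide, and not the commands Security Manager itself generates, the following hand-written Cisco IOS configuration shows the device-side constructs behind the Dynamic VTI tab on an Easy VPN hub: an ISAKMP client group with an address pool, an ISAKMP profile that points at a virtual template, and the virtual template interface that borrows its address from a loopback (the Interface Role case in the table). All names, addresses and passwords are assumed placeholders.

```cisco
! Easy VPN hub with a dynamic virtual template interface (IOS, hand-written illustration)
aaa new-model
aaa authentication login EZVPN-XAUTH local
aaa authorization network EZVPN-AUTHZ local
username client1 password 0 XauthPassword

crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2

! Client group: group preshared key and the pool clients are assigned from (assumed)
ip local pool EZVPN-POOL 10.1.1.1 10.1.1.253
crypto isakmp client configuration group EZVPN-GROUP
 key GroupPreSharedKey
 pool EZVPN-POOL

! ISAKMP profile: matches the client group and binds it to Virtual-Template1,
! so each connecting spoke gets its own virtual-access interface cloned from the template
crypto isakmp profile EZVPN-PROF
 match identity group EZVPN-GROUP
 client authentication list EZVPN-XAUTH
 isakmp authorization list EZVPN-AUTHZ
 client configuration address respond
 virtual-template 1

crypto ipsec transform-set EZVPN-TS esp-aes esp-sha-hmac
crypto ipsec profile EZVPN-IPSEC
 set transform-set EZVPN-TS
 set isakmp-profile EZVPN-PROF

! Interface Role case: the virtual template takes its IP address from Loopback0
interface Loopback0
 ip address 10.1.1.254 255.255.255.255
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile EZVPN-IPSEC
```

The virtual template is never used directly; the hub clones a virtual-access interface from it per connected spoke, which is what lets per-spoke routing and QoS apply without a crypto map. On a hub whose software lacks this feature, the table's warning applies and the tunnel is instead bound to a crypto map on the physical interface.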