32-7
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 32 Managing Remote Access VPNs on IOS and PIX 6.3 Devices
Configuring an IPsec Proposal on a Remote Access VPN Server (IOS, PIX 6.3 Devices)
Configuring Dynamic VTI/VRF Aware IPsec in Remote Access VPNs (IOS Devices)

Note The Dynamic VTI/VRF Aware IPsec tab is available only when the selected device is a Cisco IOS router or Catalyst 6500/7600.

Use the Dynamic VTI/VRF Aware IPsec tab of the IPsec Proposal Editor to configure VRF Aware IPsec settings (on a Cisco IOS router or Catalyst 6500/7600 device), configure a dynamic virtual interface on a Cisco IOS router, or do both, in your remote access VPN.

IOS devices allow dynamic virtual template interfaces (VTIs), which provide highly secure and scalable connectivity for remote-access VPNs, replacing dynamic crypto maps and the dynamic hub-and-spoke method for establishing tunnels. You can use dynamic VTIs for both the server and remote configuration. The tunnels provide an on-demand separate virtual access interface for each VPN session. The configuration of the virtual access interfaces is duplicated from a virtual template configuration, which includes the IPsec configuration and any features configured on the virtual template interface. Dynamic VTIs provide efficiency in the use of IP addresses and provide secure connectivity. They enable dynamically downloadable per-group and per-user policies to be configured on a RADIUS server. Dynamic VTI simplifies VRF-Aware IPsec deployment, as the VRF is configured on the interface.
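The following Cisco IOS configuration is an added illustration of what the paragraph above describes on the device side; it is not taken from this guide and is not the CLI that Security Manager generates for the tab. The VRF name (RA-VRF), address pool (RA-POOL), group name (RA-GROUP), AAA list names and profile names are assumed for the example, and the pre-shared key is a placeholder. It shows the virtual template that each per-session virtual access interface is cloned from, the IPsec profile attached to it with tunnel protection, and the VRF configured directly on that interface.

```cisco
! Added example, not from the user guide; all names below are assumed.
! The VRF that remote-access sessions are placed into.
ip vrf RA-VRF
 rd 100:1
!
! Addresses handed to remote clients (constructed example range).
ip local pool RA-POOL 10.10.10.1 10.10.10.254
!
! Local AAA lists are used here so the example is self-contained;
! point them at a RADIUS server group to download per-group and
! per-user policies as the text describes.
aaa new-model
aaa authentication login RA-AUTHEN local
aaa authorization network RA-AUTHOR local
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
!
! Group policy for the remote-access clients.
crypto isakmp client configuration group RA-GROUP
 key REPLACE-WITH-PRE-SHARED-KEY
 pool RA-POOL
!
! The ISAKMP profile binds the group to the virtual template, so every
! matching session gets its own cloned virtual access interface.
crypto isakmp profile RA-ISAKMP-PROFILE
 match identity group RA-GROUP
 client authentication list RA-AUTHEN
 isakmp authorization list RA-AUTHOR
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set RA-TS esp-aes 256 esp-sha-hmac
!
crypto ipsec profile RA-IPSEC-PROFILE
 set transform-set RA-TS
 set isakmp-profile RA-ISAKMP-PROFILE
!
! Loopback used as the unnumbered source; it sits in the same VRF.
interface Loopback0
 ip vrf forwarding RA-VRF
 ip address 10.0.0.1 255.255.255.255
!
! The virtual template: IPsec settings and the VRF are configured once
! here and inherited by each virtual access interface.
interface Virtual-Template1 type tunnel
 ip vrf forwarding RA-VRF
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile RA-IPSEC-PROFILE
```

After a client connects, the router shows the cloned interface (Virtual-Access1, Virtual-Access2, and so on) in the interface list and its security associations under the IPsec profile, which is the on-demand per-session behaviour the paragraph describes; no dynamic crypto map is applied to the physical interface.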
Table 32-2 VPNSM/VPN SPA/VSPA Settings Dialog Box (Continued)

Element: Slot, Subslot
Description: The number designating the slot location of the VPNSM or VPNSPA/VSPA. If you are configuring a VPNSPA/VSPA, the subslot number is also required.
Note: If you are configuring a VPNSM, select 0.

Element: External Port
Description: The external port or VLAN that connects to the inside VLAN. Enter the name of the VLAN or interface role object, or click Select to select it from a list. You must select an interface or interface role that differs from the one selected for the inside VLAN.
Note: If VRF-Aware IPsec is configured on the device, the external port or VLAN must have an IP address. If VRF-Aware IPsec is not configured, the external port or VLAN must not have an IP address.

Element: Enable Failover Blade
Description: Whether to configure a failover VPNSM or VPNSPA/VSPA blade for intra-chassis high availability.
Note: A VPNSM and VPNSPA/VSPA blade cannot be used on the same device as primary and failover blades.
Specify the failover blade, as follows:
Slot—The slot number that identifies where the VPNSM blade or VPNSPA/VSPA blade is located.
Subslot—If you are configuring a VPNSPA/VSPA, select the number of the subslot on which the failover VPN SPA blade is installed.
Note: If you are configuring a VPNSM, select 0.