Appendix B Site-to-Site VPN User Interface Reference
Site to Site VPN Policies
B-56
User Guide for Cisco Security Manager 3.0.1
OL-8214-02
Table B-19 Preshared Key Page (continued)

Element: Description

Negotiation Method

Main Mode Address: Select this negotiation method for exchanging key information, if the IP address of the devices is known. Negotiation is based on IP address. Main mode provides the highest security because it has three two-way exchanges between the initiator and receiver. Main mode address is the default negotiation method.

Then click one of the following radio buttons to define the negotiation address type:

- Peer Address—Negotiation is based on the unique IP address of each peer. A key is created for each peer, providing high security.
- Subnet—Creates a group preshared key on a hub in a hub-and-spoke topology to use for communication with any device in a specified subnet, even if the IP address of the device is unknown. Each peer is identified by its subnet. After selecting this option, enter the subnet in the field provided. In a point-to-point or full mesh VPN topology, a group preshared key is created on the peers.
- Wildcard—Creates a wildcard key on a hub or on a group of hubs in a hub-and-spoke topology to use when a spoke does not have a fixed IP address or belong to a specific subnet. In this case, all spokes connecting to the hub will have the same preshared key, which could compromise security. Use this option if a spoke in your hub-and-spoke VPN topology has a dynamic IP address. In a point-to-point or full mesh VPN topology, a wildcard key is created on the peers.

Note: When configuring DMVPN with direct spoke-to-spoke connectivity, you create a wildcard key on the spokes.

Main Mode FQDN: Select this negotiation method for exchanging key information, if the IP address is not known and DNS resolution is available for the device(s). Negotiation is based on DNS resolution, with no reliance on IP address.
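
Added example, not part of the Cisco guide: a small audit that sorts preshared key entries into the peer, subnet, wildcard and FQDN types described above and reports the shared-key cases. It assumes the policy reaches the device as IOS `crypto isakmp key` lines; the sample configuration, keys and addresses are constructed, and `classify` and `audit` are hypothetical helper names.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample (documentation address ranges, made-up keys); assumes the
# preshared key policy is rendered as IOS "crypto isakmp key" lines.
SAMPLE_CONFIG = """\
crypto isakmp key SiteA-Key-01 address 192.0.2.10
crypto isakmp key BranchGroup address 198.51.100.0 255.255.255.0
crypto isakmp key SharedSpokes address 0.0.0.0 0.0.0.0
crypto isakmp key SiteA-Key-01 address 192.0.2.20
crypto isakmp key 0 DnsPeerKey hostname spoke7.example.net
"""

KEY_LINE = re.compile(
    r"^crypto isakmp key (?:(?P<enc>[06]) )?(?P<key>\S+) "
    r"(?:address (?P<addr>\S+)(?: (?P<mask>\S+))?|hostname (?P<host>\S+))$"
)

def classify(line):
    """Return (kind, scope, key) for a preshared key line, else None."""
    m = KEY_LINE.match(line.strip())
    if not m:
        return None
    if m["host"]:
        return ("fqdn", m["host"], m["key"])
    mask = m["mask"] or "255.255.255.255"        # no mask: a single peer
    net = ipaddress.ip_network(f"{m['addr']}/{mask}", strict=False)
    if net.prefixlen == 0 or m["addr"] == "0.0.0.0":
        return ("wildcard", str(net), m["key"])  # any peer may use this key
    kind = "peer" if net.prefixlen == 32 else "subnet"
    return (kind, str(net), m["key"])

def audit(config_text):
    """List (finding, scope) pairs; key material is never echoed back."""
    findings, scopes_by_key = [], defaultdict(list)
    for line in config_text.splitlines():
        entry = classify(line)
        if entry is None:
            continue
        kind, scope, key = entry
        scopes_by_key[key].append(scope)
        if kind in ("wildcard", "subnet"):
            findings.append((f"{kind}-key", scope))
    for scopes in scopes_by_key.values():
        if len(scopes) > 1:                       # same key on several entries
            findings.append(("key-reused", ", ".join(scopes)))
    return findings

if __name__ == "__main__":
    for finding, scope in audit(SAMPLE_CONFIG):
        print(f"{finding:13} {scope}")
```

On the constructed sample this reports the subnet group key, the wildcard key, and the one key that appears on two peer entries.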