fixes
- Providing strong security and verifying configuration entries
- Using device- and interface-specific defaults

Examples of SDM wizards include the following:
- Startup wizard for initial router configuration
- One-step router lockdown wizard to harden the router
- Policy-based firewall and access-list management to easily configure firewall settings based on policy rules
- One-step site-to-site VPN wizard
Use the SDM wizards to provide quick deployment. A suggested workflow is given in the lower part of each wizard screen to guide untrained users through the process. Begin by configuring the LAN, WAN, firewall, intrusion prevention system (IPS), and VPN, and finish by performing a security audit. SDM is embedded and factory-installed on Cisco 800 through 3800 Series routers running Cisco IOS, and is available for download for select router platforms. Figure displays a table of platforms capable of supporting SDM version 2.3.

Note
This course focuses specifically on SDM version 2.2a. Due to the nature of the software, changes must be expected with new revisions. Although the features and screens may vary between versions of SDM, the concepts learned in this section apply to all versions.

Note
Although the emphasis of this section is exclusively on using SDM to configure VPNs, it is important to capture and analyze the CLI running-configurations of VPN installations. The wizard summary screen shows the commands SDM is about to apply; show running-config on the router shows what was actually committed, and that is the configuration to review.
Content
3.4 Configuring IPsec Site-to-Site VPN Using SDM
3.4.2 Introducing the SDM VPN Wizard Interface

Figure shows the main page of the Cisco SDM, which consists of two sections:
- About Your Router: This section displays the hardware and software configuration of the router.
- Configuration Overview: This section displays basic traffic statistics.

There are two important icons in the top horizontal navigation bar:
- The Configure icon takes you to the configuration page.
- The Monitor icon takes you to the page where you can monitor the status of the tunnels, interfaces, and device.

Figure is the VPN configuration page, which lists the VPN wizards that help implement different types of IPsec VPNs. To select and start a VPN wizard, follow this procedure:
Step 1 Click the Configure icon in the top horizontal navigation bar of the Cisco SDM main page to enter the configuration page.
Step 2 Click the VPN icon in the left vertical navigation bar to open the VPN page.
Step 3 Choose one of the available VPN wizards from the list.

The example in Figure shows the screen that appears when you choose the Site to Site VPN wizard from the list. Here you can create two types of site-to-site VPNs: classic IPsec and generic routing encapsulation (GRE) over IPsec.
Content
3.4 Configuring IPsec Site-to-Site VPN Using SDM
3.4.3 Site-to-Site VPN Components

The VPN wizards of the SDM use two sources to create a VPN connection:
- User input during the step-by-step wizard process
- Preconfigured VPN components

The SDM provides some default VPN components:
- Two Internet Key Exchange (IKE) policies
- An IPsec transform set for the Quick Setup wizard

Other components are created by the VPN wizards during the step-by-step configuration process. Some components must be configured before the wizards can be used (for example, Public Key Infrastructure [PKI]). Figure illustrates the VPN navigation bar, which contains two major sections:
- VPN wizards:
  - Site-to-Site VPN
  - Easy VPN Remote
  - Easy VPN Server
  - Dynamic Multipoint VPN
- Individual IPsec components:
  - Main components:
  - Optional components:
    - Group Policies (for Easy VPN Server functionality)
    - Public Key Infrastructure (for IKE authentication using digital certificates)
    - VPN Keys Encryption: This option window appears if the Cisco IOS image on your router supports Type 6 encryption, also referred to as VPN key encryption. You can use this window to specify a master key to use when encrypting VPN keys, such as pre-shared keys, Easy VPN keys, and Xauth keys. When encrypted, these keys are not readable by someone viewing the router configuration file. Type 6 is reversible encryption under that master key, so it protects against casual exposure of a saved or displayed configuration, not against someone who obtains the master key or privileged access to the running router.

Using the VPN wizards simplifies the configuration of the individual VPN components. The individual IPsec components section can be used later to modify parameters that may have been misconfigured during the VPN wizard step-by-step configuration.
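The Note earlier in this section asks you to capture and analyze the CLI running-configuration that the wizards produce, and the components above (two IKE policies, a transform set, pre-shared keys that may or may not be Type 6 encrypted) are exactly what such a review looks at. The following Python script is an added example, not code from the course or from SDM: it parses two constructed IOS configuration fragments, one representative of what the Quick Setup wizard writes and one hardened by hand, and flags weak IKE/IPsec parameters and pre-shared keys that are not protected by Type 6 encryption. The sample configs, the Type 6 placeholder ciphertext, the weakness thresholds and all function names are assumptions of this example; the exact commands SDM emits vary by version.

```python
import re
from typing import Dict, List

# IOS defaults that apply when a "crypto isakmp policy" block omits a
# parameter (DES, SHA-1, RSA signatures, DH group 1).
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}

# Thresholds are this example's own choice: flag DES/3DES, MD5 and the
# 768/1024-bit Diffie-Hellman groups as weak.
WEAK_CIPHERS = {"des", "3des", "esp-des", "esp-3des"}
WEAK_HASHES = {"md5", "esp-md5-hmac"}
WEAK_DH_GROUPS = {"1", "2"}

# Constructed sample, representative of what the SDM Quick Setup wizard
# writes (two IKE policies, a pre-shared key, a transform set, a crypto
# map and its crypto ACL). Hand-written for this example, not captured
# from an SDM session.
QUICK_SETUP_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 2
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 172.16.1.1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set ESP-3DES-SHA
 match address 100
access-list 100 permit ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
interface Serial0/0
 crypto map SDM_CMAP_1
"""

# The same tunnel after hardening: AES-256, DH group 14 and a pre-shared
# key stored as Type 6 (the ciphertext below is a placeholder, not real
# Type 6 output).
HARDENED_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key 6 PLACEHOLDER_TYPE6_CIPHERTEXT address 172.16.1.1
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
"""


def parse_isakmp_policies(config: str) -> Dict[str, Dict[str, str]]:
    """Return {priority: {encr, hash, authentication, group}} per IKE
    policy, filling in the IOS defaults for anything the block omits."""
    policies: Dict[str, Dict[str, str]] = {}
    current = None
    for line in config.splitlines():
        header = re.match(r"^crypto isakmp policy (\d+)\s*$", line)
        if header:
            current = header.group(1)
            policies[current] = dict(ISAKMP_DEFAULTS)
            continue
        if current is None or not line.startswith(" "):
            current = None          # any unindented line ends the block
            continue
        parts = line.split()
        key = "encr" if parts[0] == "encryption" else parts[0]
        if key in ISAKMP_DEFAULTS and len(parts) > 1:
            policies[current][key] = " ".join(parts[1:])
    return policies


def audit_vpn_config(config: str) -> List[str]:
    """Return one finding string per weak setting found in the config."""
    findings: List[str] = []
    for prio, p in parse_isakmp_policies(config).items():
        if p["encr"] in WEAK_CIPHERS:
            findings.append(f"isakmp policy {prio}: encryption {p['encr']} is weak, use aes")
        if p["hash"] in WEAK_HASHES:
            findings.append(f"isakmp policy {prio}: hash {p['hash']} is weak, use sha")
        if p["group"] in WEAK_DH_GROUPS:
            findings.append(f"isakmp policy {prio}: DH group {p['group']} is weak, use 14 or "
                            "higher (group 5 on images that only offer 1, 2 and 5)")
    # "crypto isakmp key [0|6] <key> address <peer>": without the leading 6
    # the pre-shared key sits in the running-config in clear text.
    for m in re.finditer(r"^crypto isakmp key (?:(\d) )?(\S+) address (\S+)", config, re.M):
        key_type, peer = m.group(1), m.group(3)
        if key_type != "6":
            findings.append(f"pre-shared key for peer {peer} is stored in clear text; "
                            "enable Type 6 encryption (key config-key password-encrypt, "
                            "password encryption aes)")
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M):
        name, transforms = m.group(1), m.group(2).split()
        for t in transforms:
            if t in WEAK_CIPHERS or t in WEAK_HASHES:
                findings.append(f"transform-set {name}: {t} is weak")
    return findings


if __name__ == "__main__":
    for label, cfg in (("quick setup", QUICK_SETUP_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for f in audit_vpn_config(cfg) or ["no weak settings found"]:
            print(" ", f)
```

Run it against the output of show running-config | section crypto from a router the wizard configured; the point of applying IOS defaults in parse_isakmp_policies is that a policy block which looks harmless because it says nothing about encryption or group is in fact DES with DH group 1.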
Content
3.4 Configuring IPsec Site-to-Site VPN Using SDM
3.4.4 Launching the Site-to-Site VPN Wizard

Starting SDM
Follow these steps to start SDM:
Step 1 The method to start SDM depends on where SDM is installed:
- If you installed SDM on the router, start it by opening a browser and entering the IP address of your router in the address bar of the browser. For example, http://10.20.20.2. Where the router has its HTTPS server enabled, use https:// instead so that the login credentials are not sent in clear text.
- If you installed SDM on the PC, start it by double-clicking the SDM shortcut, or by choosing it from the program menu (Start > Programs > Cisco Systems > Cisco SDM). When the SDM Launcher window appears, enter the IP address of the router.
Step 2 Enter the appropriate username and password. When certificate windows appear, click Yes or click Grant to accept the certificates.
Step 3 When the Launch page has loaded, SDM displays the SDM Home page, shown in Figure. The SDM Home page gives you a snapshot of the router configuration and the features that the Cisco IOS image supports.
Step 4 From the SDM Home page, select the VPN wizard by choosing Configure > VPN.

Creating and Configuring a Site-to-Site VPN
There are three steps to creating and configuring a classic site-to-site VPN:
Step 1 Click the Create a Site to Site VPN radio button, and then click the Launch the selected task button.
Step 2 A window opens, asking you which wizard mode to use:
- The Quick setup uses the SDM default IKE policies and IPsec transform sets.
- The Step by step wizard allows you to specify all the details.
Step 3 Choose which wizard mode to use, and then click the Next button to configure the parameters of the VPN connection you chose.

Using Quick Setup
The first of the two wizard modes is the quick setup mode shown in Figure. Quick setup needs only a single window to complete the configuration of the VPN. Using the quick setup, you configure these parameters:
- Outside interface
- IP address of the peer
- Authentication method (choose one):
  – Pre-shared keys (specify the secret key)
  – Digital certificates (select a certificate that was created earlier)
- Traffic to encrypt:
  – Coming from the IP subnet configured on the selected source interface
  – Going to the defined remote IP subnet

When you have finished selecting the parameters, click the Next button to proceed. A summary of the configuration appears. This gives you the option to review the actual CLI commands that will be configured on the router if you choose Finish. Otherwise, you can choose Back to change a setting, or Cancel to abort the configuration. Because quick setup applies the SDM default IKE policy and transform set without asking about them, use the summary to check the encryption algorithm, hash, and Diffie-Hellman group it is about to configure before you click Finish.

Using the Step-by-Step Wizard
The second of the two wizard modes is the Step by step wizard. This wizard includes a number of screens to configure the VPN connection, as listed in Figure. Specifically, it permits you to configure the following parameters:
- Connection settings: Outside interface, peer address, and authentication credentials
- IKE proposals: IKE proposal priority, encryption algorithm (Data Encryption Standard [DES], Triple Data Encryption