
User Guide for Cisco Security Manager 4.4
Chapter 24 Managing Site-to-Site VPNs: The Basics
Creating or Editing Extranet VPNs
Related Topics
Configuring an IKE Proposal, page 25-9
Configuring IPsec Proposals in Site-to-Site VPNs, page 25-21
Configuring IKEv1 Preshared Key Policies, page 25-44
Configuring IKEv1 Public Key Infrastructure Policies in Site-to-Site VPNs, page 25-50
Configuring GRE Modes for GRE or GRE Dynamic IP VPNs, page 26-6
Configuring GRE Modes for DMVPN, page 26-12
Configuring Large Scale DMVPNs, page 26-16
Configuring an IPsec Proposal for Easy VPN, page 27-10
Configuring a User Group Policy for Easy VPN, page 27-14
Configuring a Connection Profile Policy for Easy VPN, page 27-13
Creating or Editing Extranet VPNs, page 24-63

Creating or Editing Extranet VPNs

Security Manager provides a simplified method of creating a regular IPsec point-to-point VPN between
a device that you are managing in Security Manager and one that is not managed. This type of VPN is
called an Extranet.

Typically, an Extranet is a site-to-site VPN connection between your network and the network of a
partner or a service provider. However, it can also be a VPN connection within your organization’s
network, but between devices managed by different groups, or between a Cisco device and a non-Cisco
device (which Security Manager cannot manage).

Use the Create Extranet VPN wizard to create this type of point-to-point VPN topology. Creating an
Extranet VPN involves specifying the devices, the VPN interfaces that are the source and destination
endpoints of the VPN tunnel, and the protected networks that will be secured by the tunnel. You also
specify the IKE and IPsec proposals and preshared key or certificates required to complete a secure

When you edit an Extranet VPN topology, the Edit Extranet VPN dialog box contains the same pages as
the Create Extranet VPN wizard, with the exception of the IKE proposal page, but the pages are laid out
in a tabbed format rather than being presented as a wizard. Clicking OK on any tab in the dialog box
saves your definitions on all the tabs. For IKE proposals, IPsec proposals, preshared keys, and Public
Key Infrastructure certificates, you must edit the policies directly.

VPN default policies do not apply to Extranet VPNs. The settings defined on the Security Manager
Administration VPN Defaults page are ignored. If you have shared policies that you want to use in
the Extranet VPN configuration, you can assign them to the VPN after you create it with the Create
Extranet VPN wizard. Assigning the shared policy replaces the policy created by the wizard.

You cannot select your pre-defined IKE proposal or IPsec transform set policy objects when creating
an Extranet VPN. If you have existing objects that you want to use, you can edit the relevant policies
after creating the VPN and select the objects. You can then delete the objects created by the Create
Extranet VPN wizard, if desired.

After creating an Extranet VPN, you cannot convert it to a standard point-to-point VPN, where you
are managing both ends of the VPN in Security Manager. Instead, you must delete and recreate the