IPSec Tunnel Groups

• Spoke-and-Hub

• Mesh

• Combination

In a spoke-and-hub configuration, one of the tunnel peers acts as a hub and the remaining peers act as spokes on the hub. This enables you to create a one-to-one tunnel from the hub to each spoke, but it does not allow the spokes to create tunnels among one another. This configuration is useful when you want a central office Policy Enforcement Point to communicate with various remote office Policy Enforcement Points via tunnels, but you do not want tunnels between the remote offices.

In a mesh configuration, each peer is a hub that is connected to every other hub in the group. In this configuration, no matter which peers are communicating with one another, they can communicate via an IPSec tunnel. This configuration is useful if you have several remote offices that you want to interconnect with IPSec tunnels.

A combination configuration is simply a mix of spoke-and-hub and mesh configurations, where the hubs are connected in a mesh configuration with additional peers connected to the hubs as spokes. A mesh configuration provides more flexibility when defining your tunnel configuration.

The tunnel group plays an additional role for manual IPSec tunnels. In a manual tunnel, you must also specify a pre-shared key for each protocol algorithm. For tunnels that use the AH protocol, you must define a key for the algorithm used by the AH protocol. For tunnels that use the ESP protocol, you must define a key for the authentication algorithm (if used) and for the encryption algorithm. For tunnels that use both the AH and the ESP protocols, it may be necessary to define up to three keys, dependent upon the inclusion of authentication in the ESP configuration.

The keys you define in the manual tunnel group are the "inbound" keys for the selected tunnel peer; meaning that they are the keys that the other tunnel peers (the sending peers) must use when sending authenticated and/or encrypted data to the peer for which you are defining the keys. When sending authenticated and/or encrypted data to another peer in a manual tunnel group, the sending peer must use the receiving peer's pre-shared keys.

The setting for assigning pre-shared keys only appears in the Peers panel for manual tunnel groups, because IKE tunnels use a negotiated key, rather than a manual key, for tunnel sessions.

To create a new IPSec Tunnel Group, perform the following task:

Step 2 Right-click the IPSec Tunnel Group branch icon or the icon of the folder in which you want to create the new tunnel group. Point to New, then to IPSec Tunnel Group on the shortcut menu, and then click Manual Group or IKE Group, depending upon the type of group you need to create.

Result: A dialog box appears, displaying a drop-down list of possible tunnel templates on which to base the tunnel group. For an IKE tunnel group, only IKE tunnel templates are displayed in the list. For manual tunnel groups, only manual tunnel templates are displayed in the list.

Step 3 Click the down arrow next to the Tunnel Templates drop-down list, click a template name to select the template, and then click OK.

Result: A new node representing the IPSec Tunnel Group appears under the IPSec Tunnel Groups branch (or folder on the branch) in the Navigator pane, and the Peers property panel for the tunnel group appears in the View pane. The default name of the tunnel group is automatically selected for renaming in the Navigator pane.

Step 4 Type the new name in the Name box, and then press Enter.

Result: The name appears beside the new node and at the top of the Navigator pane.

Cisco Secure Policy Managerenables long names and the use of most alphanumeric or symbol characters. Also, you can use uppercase and lowercase characters. However, you cannot use quotation marks (") or a semicolon (;).

Tips If you cannot edit the name, right-click the new IPSec Tunnel Group icon and click Rename on the shortcut menu.

Step 5 To learn how to configure the tunnel group by adding peers and manual keys (for manual tunnel groups), refer to the following topics:

Modifying a tunnel group enables you to add or remove peers from the tunnel group or to change the pre-shared keys in a manual tunnel group without having to create a new tunnel group and modifying the policies that reference it.

To view or modify an IPSec Tunnel Group, perform the following task:

Step 2 To view the tunnel group settings, right-click the tunnel group icon, point to Properties on the shortcut menu, and then click Peers.

Result: The Peers panel of selected tunnel group appears in the View pane.

Step 3 To modify the settings of the tunnel group, refer to the following topics:

In setting up the peers of a tunnel group, you need to consider the configuration of those peers. Hubs are peers that connect to every other hub in the tunnel group, creating a mesh configuration. Spokes are peers that connect to a single hub. A hub may have more than one spoke, but it will only create tunnels between the hub and each spoke; the spokes on a hub will not have tunnels defined between them.

To add a hub to or remove a hub from a tunnel group, perform the following task:

Note This task is performed from the Peers panel of the selected IPSec Tunnel Group. If the Peers panel does not appear in the View pane, right-click the icon of the tunnel group to be modified, point to Properties on the shortcut menu, and then click Peers.

Result: A tunnel endpoint is added to the list in the Peers box, labeled "Unidentified Hub" or "Unidentified Spoke," depending upon the configuration in which it was added. The settings for the tunnel endpoint appear to the right of the list. For an IKE tunnel group, the settings consist of Name, Interface, and IP Address. For a manual tunnel group, the settings consist of Name, Interface, IP Address, and Associated Keys.

Step 2 To select the network object represented by the tunnel endpoint, click the Name box to view a list of the network objects in your network topology that support IPSec and click the name of the network object to be represented by the tunnel endpoint.

Result: The "Unidentified Hub" or "Unidentified Spoke" label in the Peers box is replaced by the name of the network object that you selected in the Name box. If the selected network object is a host with a single interface, such as a server or workstation, the Interface box is set to N/A and the IP Address box automatically displays the IP address assigned to the interface. If the selected network object is a Policy Enforcement Point, the Interface and IP Address boxes are set to Auto select.

Step 3 To specify an interface, click the Interface box to reveal the network object interfaces, and then click the desired interface. You can also select Auto Select, which will automatically select the closest interface to the peer with which the IPSec session will be created.

Result: The selected interface appears in the Interface box, and the IP Address field is automatically populated with the IP address of the selected interface. The IP address appears in the Peers box in parentheses next to the network object name.

Step 4 To specify a particular IP address for an interface that has more than one IP address assigned to it, click the IP Address box to reveal the IP addresses assigned to the interface, and then click the desired IP address. You can also select Auto select, which will automatically select the IP address assigned to the connection to the peer with which the IPSec session will be created.

Caution If the tunnel peer participates in more than one tunnel group, you must use the same IP address for the interface in each tunnel group the peer participates in. Falure to do so will result in tunnel conflicts. To avoid potential conflicts, you should choose Auto when configuring the IP address for the interface of a tunnel peer. With Auto selected, Cisco Secure Policy Manager will automatically select the correct IP address for the IPSec tunnel. If you do not select Auto, you should either select the loopback address for the interface or make sure that the address selected for the interface is the same in every IPSec Tunnel Group the peer participates in.

Step 5 To add more tunnel endpoints to the tunnel group, repeat Steps 1 through 4 until all tunnel endpoints have been added.

Note This task applies to manual tunnel groups only.

To configure a manual key, perform the following task:

Step 2 Right-click the tunnel group icon, point to Properties on the shortcut menu, and then click Peers.

Result: The Peers panel for the selected tunnel group appears in the View pane.

Step 3 To select the peer for which to define the manual keys, click the peer name in the Peers box.

Result: The settings for the selected peer appear to the right of the Peers box.

Step 4 To select the protocol/stage/transform for which to define the manual key, click the protocol/stage/transform combination in the Protocol/Stage/Transform box.

Result: If a key had been previously defined for the selected peer, protocol, and stage, that key appears in the Key box. If a key had not been previously defined, "(specify key)" appears in the Key box. The length of the key required for the particular algorithm and the length of the current entry in the Key box appear above the Key box.

Step 5 To specify the format of the key, select the ASCII check box. When the box is selected, the key appears in ASCII format. When the box is cleared, the key appears in hexadecimal format.

Result: The key appears in the selected format.

Step 6 Select the text that appears in the Key box and type the new key. You can also import a previously saved key by clicking Import Key.

Result: As you type, the Current key length field that appears above the Key box tracks the length of the key. Once you reach the necessary length, as shown by the Current key length message above the Key box, you will be unable to type any additional characters. You will not be able to enter another key or save your changes to the manual tunnel group until you have entered a key of the proper length.

Step 7 To save the entered key to a file:

a. Click Export Key.

Result: The Export To dialog box appears, enabling you to save the key in *.key file format.

b. Type a name for the key file in the File name box, and click Save.

Step 8 To enter another key for the selected peer, repeat Steps 4 through 7. To enter the keys for another peer in the tunnel group, repeat Steps 3 through 7.

Step 9 To save your changes and close the Peers panel, click OK.

Step 10 To save any changes that you have made, click Save on the File menu.

If you change the base template for a manual tunnel group, you will need to define the pre-shared keys for any new or changed IPSec protocols and authentication or encryption algorithms contained in the new template.

To change the tunnel template that a tunnel group is based on, perform the following task:

Step 2 To apply the tunnel template to the tunnel group, perform a drag-and-drop operation to move the tunnel template to the tunnel group icon in the Navigator pane.

Result: The tunnel template is applied to the tunnel group. When you view the Peers panel of the tunnel group, you will see the new template name under Template. If you changed templates on a manual tunnel group, Cisco Secure Policy Manager displays a message box that instructs you to define the manual keys for the new template.

Step 3 To verify that the new template has been applied to the tunnel group, right-click the tunnel group icon in the Navigator pane, select Properties from the shortcut menu, and then click Peers.

Result: The Peers property panel for the selected tunnel group appears in the View pane, with the name of the IPSec Tunnel Template associated with the group appearing under Template.