Is anyone managing Site to Site IPSec VPNs between a managed firewall and a 3rd party (unmanaged) firewall with Cisco Security Manager? From the documentation (and testing) it appears that VPNs between managed and unmanaged devices are supported (see "Adding Unmanaged Devices to Your VPN Topology" from http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.2.1/user/guide/vpchap.html). Unfortunately CSM generates the error "Security Manager does not support policy discovery for unmanaged devices" when running Policy -> Discover VPN Policies, so all Site to Site VPNs must be defined manually. This is a major process for me as I need to import a large number of devices and VPNs into CSM. Is anyone aware of an easier way to accomplish this?
FYI - The manual process I've been using is as follows:
1) Discover managed device.
2) Discover unmanaged device (using Add New Device wizard, and unselect "Manage in Cisco Security Manager")
3) Add an interface to the unmanaged device with correct peer IP address. This seems to be required otherwise when you submit changes an error occurs.
4) Create Site to Site VPN.
5) Submit and deploy.
Note that when deploying, CSM still wants to deploy to the unmanaged device (which seems strange to me as the device is not managed by CSM).
If anyone has come across these issues, I'd like to know if you have any workarounds.
Re: CSM and site to site VPN's to unmanaged devices
I worked through my issues with TAC, and eventually CSM developers. They confirmed they are planning to address this in an upcoming release, but they advised it would not be available for some time - possibly the next major release.