User's Manual
Configuring Site-to-Site VPNs
Use the following procedures to create a site-to-site VPN via the WebUI or command-line interfaces.
In the WebUI
1. Navigate to the Configuration > Advanced Services > VPN Services > Site-to-Site page.
2. In the IPsec Maps section, click Add to open the Add IPsec Map window.
3. Enter a name for this VPN connection in the Name field.
4. Enter a priority level for the IPsec map. Negotiation requests for security associations try to match the highest-priority map first. If that map does not match, the negotiation request continues down the list to the next-highest priority map until a match is made.
5. In the Source Network and Source Subnet Mask fields, enter the IP address and netmask for the source (the local network connected to the controller). (See controller A in Figure 36.)
6. In the Destination Network and Destination Subnet Mask fields, enter the IP address and netmask for the destination (the remote network to which the local network communicates). (See controller B in Figure 36.)
7. If you use IKEv1 to establish a site-to-site VPN to a statically addressed remote peer, in the Peer Gateway field, enter the IP address of the interface used by the remote peer to connect to the L3 network. (See Interface B in Figure 36.) If you are configuring an IPsec map for a dynamically addressed remote peer, you must leave the peer gateway set to its default value of 0.0.0.0.
8. If you use IKEv2 to establish a site-to-site VPN to a statically addressed remote peer, identify the peer device by entering its certificate subject name in the Peer Certificate Subject Name field.
To identify the subject name of a peer certificate, access the command-line interface and issue the command
show crypto-local pki servercert <certname> subject
9. The Security Association Lifetime parameter defines the lifetime of the security association, in seconds and kilobytes. For seconds, the default value is 7200. To change this value, uncheck the default checkbox and enter a value from 300 to 86400 seconds. For kilobytes, the range is 1000–1000000000.
10. Click the Version drop-down list and select V1 to configure the VPN for IKEv1, or V2 for IKEv2.
11. Select the VLAN that contains the interface of the local controller which connects to the Layer-3 network. (See Interface A in Figure 36.)
This determines the source IP address used to initiate IKE. If you select 0 or None, the default is the VLAN of the controller's IP address (either the VLAN where the loopback IP is configured, or VLAN 1 if no loopback IP is configured).
12. If you enable Perfect Forward Secrecy (PFS) mode, new session keys are not derived from previously used session keys. Therefore, if a key is compromised, that compromised key does not affect any previous session keys. PFS mode is disabled by default. To enable this feature, click the PFS drop-down list and select one of the following Perfect Forward Secrecy modes:
- group1: 768-bit Diffie–Hellman prime modulus group.
- group2: 1024-bit Diffie–Hellman prime modulus group.
- group14: 2048-bit Diffie–Hellman prime modulus group.
- group19: 256-bit random Diffie–Hellman ECP modulus group.
- group20: 384-bit random Diffie–Hellman ECP modulus group.
13. Select Pre-Connect to have the VPN connection established even if there is no traffic being sent from the local network. If you do not select this option, the VPN connection is established only when traffic is sent from the local network to the remote network.
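The constraints in steps 4 through 13 (priority-ordered matching, the lifetime ranges, the peer gateway and certificate subject rules, and the PFS groups) expressed as a small pre-commit linter. This is an added illustration, not code from the guide or from ArubaOS; it assumes that a lower priority number is matched first, and the map names, networks, gateway address and certificate subject are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

@dataclass
class IpsecMap:
    name: str
    priority: int                  # assumption: 1 is the highest priority
    src_net: str                   # local network, CIDR (step 5)
    dst_net: str                   # remote network, CIDR (step 6)
    version: str                   # "v1" (IKEv1) or "v2" (IKEv2), step 10
    peer_static: bool = True       # statically addressed remote peer?
    peer_gateway: str = "0.0.0.0"  # must stay 0.0.0.0 for a dynamically addressed peer
    peer_cert_subject: str = ""    # required for IKEv2 to a static peer (step 8)
    lifetime_seconds: int = 7200   # step 9 default
    lifetime_kbytes: Optional[int] = None
    pfs: Optional[str] = None      # PFS disabled by default (step 12)
    pre_connect: bool = False      # step 13

def lint_map(m: IpsecMap) -> List[str]:
    """Checks a reviewer would run before committing the map (steps 7-12)."""
    issues = []
    if not 300 <= m.lifetime_seconds <= 86400:
        issues.append("SA lifetime seconds outside 300-86400")
    if m.lifetime_kbytes is not None and not 1000 <= m.lifetime_kbytes <= 1_000_000_000:
        issues.append("SA lifetime kilobytes outside 1000-1000000000")
    if m.peer_static and m.version == "v1" and m.peer_gateway == "0.0.0.0":
        issues.append("IKEv1 static peer needs a peer gateway address")
    if not m.peer_static and m.peer_gateway != "0.0.0.0":
        issues.append("dynamic peer: peer gateway must remain 0.0.0.0")
    if m.peer_static and m.version == "v2" and not m.peer_cert_subject:
        issues.append("IKEv2 static peer needs the peer certificate subject name")
    if m.pfs is None:
        issues.append("PFS disabled: new session keys derive from earlier ones")
    elif m.pfs in {"group1", "group2"}:  # 768/1024-bit MODP are below current strength guidance
        issues.append(f"{m.pfs} is a weak DH group; prefer group14 or higher")
    return issues

def select_map(maps: List[IpsecMap], src_ip: str, dst_ip: str) -> Optional[IpsecMap]:
    """Negotiation order from step 4: highest priority first, first matching map wins."""
    src, dst = IPv4Address(src_ip), IPv4Address(dst_ip)
    for m in sorted(maps, key=lambda x: x.priority):
        if src in IPv4Network(m.src_net) and dst in IPv4Network(m.dst_net):
            return m
    return None

SAMPLE_MAPS = [  # constructed sample maps (not from the guide): narrow high-priority map, broad fallback
    IpsecMap("hq-finance", 1, "10.1.5.0/24", "10.2.5.0/24", "v1", peer_gateway="203.0.113.2", pfs="group1"),
    IpsecMap("branch-b", 10, "10.1.0.0/16", "10.2.0.0/16", "v2", peer_cert_subject="CN=ctrl-b", pfs="group14", pre_connect=True)]
```

Running `lint_map` over each map before it is committed catches the IKEv1/IKEv2 field mismatches the WebUI will otherwise let you save, and `select_map` shows which map a given source/destination pair will negotiate under.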
Dell Networking W-Series ArubaOS 6.4.x | User Guide Virtual Private Networks | 357