User's Manual
358 | Virtual Private Networks Dell Networking W-Series ArubaOS 6.4.x| User Guide
14. Select Trusted Tunnel if traffic between the networks is trusted. If you do not select this, traffic between
the networks is untrusted.
15. Select the Enforce NATT checkbox to always enforce UDP 4500 for IKE and IPsec. This option is disabled
by default.
16. Add one or more transform sets to be used by the IPsec map. Click the Transform Set drop-down list,
select an existing transform set, then click the arrow button by the drop-down list to add that transform set
to the IPsec map.
17. For site-to-site VPNs with dynamically addressed peers, click the Dynamically Addressed Peers checkbox.
a. Select Initiator if the dynamically addressed switch is the initiator of IKE Aggressive-mode for the
site-to-site VPN, or select Responder if the dynamically addressed switch is the responder for IKE Aggressive-mode.
b. In the FQDN field, enter a fully qualified domain name (FQDN) for the controller. If the controller is
defined as a dynamically addressed responder, you can select all peers to make the controller a
responder for all VPN peers, or select Per Peer ID and specify the FQDN to make the controller a
responder for one specific initiator only.
18. Select one of the following authentication types:
a. For pre-shared key authentication, select Pre-Shared Key, then enter a shared secret in the IKE Shared
Secret and Verify IKE Shared Secret fields. This authentication type is generally required in IPsec
maps for a VPN with dynamically addressed peers, but can also be used for a static site-to-site VPN.
b. For certificate authentication, select Certificate, then click the Server Certificate and CA certificate
drop-down lists to select certificates previously imported into the controller. See Management Access on
page 778 for more information.
19. Click Done to apply the site-to-site VPN configuration.
20. Click Apply.
21. Click the IPSEC tab to configure an IKE policy.
a. Under IKE Policies, click Add to open the IPSEC Add Policy configuration page.
b. Set the Priority to 1 for this configuration to take priority over the Default setting.
c. Set the Version type to match the IKE version you selected in Step 10 above.
d. Set the Encryption type from the drop-down list.
e. Set the HASH Algorithm from the drop-down list.
f. Set the Authentication to PRE-SHARE if you use preshared keys. If you use certificate-based IKE, select
RSA or ECDSA.
g. Set the Diffie–Hellman Group from the drop-down list.
h. The IKE policy selections, including any preshared key, need to be reflected in the VPN client
configuration. When using a third-party VPN client, set the VPN configuration on clients to match the
choices made above. If you use the Dell dialer, you must configure the dialer prior to downloading the
dialer onto the local client.
i. Click Done to activate the changes.
j. Click Apply.
In the CLI
To use the command-line interface to configure a site-to-site VPN with two static IP controllers using IKEv1,
issue the following commands:
(host)(config) #crypto-local ipsec-map <name> <priority>
   src-net <ipaddr> <mask>
   dst-net <ipaddr> <mask>
   peer-ip <ipaddr>
   vlan <id>