User Guide

315 | BranchController Config for Controllers Dell Networking W-Series ArubaOS 6.4.x | User Guide

Parameter / Description
Security Association Lifetime (seconds)
Configures the lifetime of the IPsec security association (SA), in seconds. When this time elapses the SA expires and is renegotiated.

Security Association Lifetime (Kilobytes)
Specifies the amount of traffic (in kilobytes) that can pass between the IPsec peers in the local and remote networks before the security association expires. Whichever limit (seconds or kilobytes) is reached first triggers the rekey.
Version
Click the drop-down list and select None (to create an IPsec map that does not use IKE, that is, one with statically configured keys), IKEv1, or IKEv2.

IKE policies
Select a predefined IKE policy, or a policy manually defined on the Configuration > Advanced > VPN Services > IPsec page of the master controller WebUI. For more information on creating IKE policies, see Configuring IKE Policies on page 422.
VLAN
Select the VLAN containing the interface of the local branch controller that connects to the Layer-3 network. This setting determines the source IP address used to initiate IKE. If you select None, the default is the VLAN of the controller's IP address (either the VLAN where the loopback IP is configured, or VLAN 1 if no loopback IP is configured).
PFS
If you enable Perfect Forward Secrecy (PFS), each IPsec security association is keyed with a fresh Diffie–Hellman exchange instead of being derived from the IKE security association's keying material or from earlier session keys. A key that is compromised therefore exposes only the traffic it protected, not traffic protected by earlier or later session keys. PFS is disabled by default. To enable it, click the PFS drop-down list and select one of the following Diffie–Hellman groups:
- group1: 768-bit Diffie–Hellman prime modulus (MODP) group.
- group2: 1024-bit Diffie–Hellman prime modulus (MODP) group.
- group14: 2048-bit Diffie–Hellman prime modulus (MODP) group.
- group19: 256-bit random Diffie–Hellman ECP (elliptic curve) group.
- group20: 384-bit random Diffie–Hellman ECP (elliptic curve) group.
The 768-bit (group1) and 1024-bit (group2) moduli are now considered too short to resist a well-resourced attacker; use group14, group19, or group20 unless the remote peer supports nothing stronger. The group selected here must also be offered by the peer, or the IPsec SA negotiation fails.
Pre-Connect
Select Pre-Connect to establish the VPN connection, even if there is no
traffic being sent from the local network. If you do not select this, the VPN
connection is established only when traffic is sent from the local network to
the remote network.
Trusted Tunnel
Select Trusted Tunnel if traffic between the networks is trusted. If you do
not select this, traffic between the networks is untrusted.
Enforce NATT
Select the Enforce NATT checkbox to force IKE and IPsec NAT Traversal (NAT-T), which encapsulates IKE and ESP traffic in UDP on port 4500 even when no NAT device is detected on the path. This option is disabled by default. Any firewall between the peers must permit UDP port 4500 (in addition to UDP port 500 for the initial IKE exchange) for the tunnel to come up.
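The rows above leave the operator to reason about two things by hand: which of the two SA lifetimes will actually drive rekeying at the branch's real throughput, and whether the chosen PFS group is strong enough. The following is an added example, not ArubaOS code or part of this guide; it models the WebUI fields as a small Python class and audits a map before it is committed. The IpsecMap class, the 2048-bit MODP threshold, and the two sample maps (names and values) are this example's own assumptions.

```python
"""Pre-commit sanity check for an IPsec map defined with the fields above.

Added example, not ArubaOS code: the field names mirror the WebUI
parameters in the table, while the IpsecMap class, the thresholds and
the two sample maps are this example's own assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

# PFS drop-down choices and their nominal key size in bits (from the table).
PFS_GROUPS = {
    "group1": 768,     # MODP, 768-bit prime
    "group2": 1024,    # MODP, 1024-bit prime
    "group14": 2048,   # MODP, 2048-bit prime
    "group19": 256,    # random ECP, 256-bit curve
    "group20": 384,    # random ECP, 384-bit curve
}
ECP_GROUPS = {"group19", "group20"}
MIN_MODP_BITS = 2048  # assumption: MODP groups below this are treated as weak


@dataclass
class IpsecMap:
    name: str
    version: Optional[str]          # None (no IKE), "IKEv1" or "IKEv2"
    sa_lifetime_seconds: int
    sa_lifetime_kilobytes: int
    pfs: Optional[str] = None       # None = PFS disabled (the default)
    pre_connect: bool = False
    trusted_tunnel: bool = False
    enforce_natt: bool = False


def kilobyte_limit_in_seconds(kilobytes: int, mbps: float) -> float:
    """Seconds until the byte-count limit is reached at a sustained rate.
    kilobytes * 8 gives kilobits; mbps * 1000 gives kilobits per second."""
    return kilobytes * 8.0 / (mbps * 1000.0)


def first_expiry(m: IpsecMap, mbps: float) -> str:
    """Which of the two lifetimes triggers the rekey first at this throughput."""
    by_bytes = kilobyte_limit_in_seconds(m.sa_lifetime_kilobytes, mbps)
    return "kilobytes" if by_bytes < m.sa_lifetime_seconds else "seconds"


def audit(m: IpsecMap, expected_mbps: float) -> List[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    findings: List[str] = []

    if m.version is None:
        findings.append("version None: no IKE, so keys are static and PFS does not apply")
    elif m.version == "IKEv1":
        findings.append("IKEv1 selected: use IKEv2 if the peer supports it")

    if m.version is not None:
        if m.pfs is None:
            findings.append("PFS disabled: child SA keys derive from the IKE SA keying material")
        elif m.pfs not in PFS_GROUPS:
            findings.append(f"unknown PFS group {m.pfs!r}")
        elif m.pfs not in ECP_GROUPS and PFS_GROUPS[m.pfs] < MIN_MODP_BITS:
            findings.append(f"{m.pfs}: {PFS_GROUPS[m.pfs]}-bit MODP is weak; "
                            "use group14, group19 or group20")

    if m.sa_lifetime_seconds <= 0 or m.sa_lifetime_kilobytes <= 0:
        findings.append("SA lifetimes must be positive")
    else:
        by_bytes = kilobyte_limit_in_seconds(m.sa_lifetime_kilobytes, expected_mbps)
        if by_bytes < m.sa_lifetime_seconds:
            findings.append(
                f"at {expected_mbps:g} Mb/s the {m.sa_lifetime_kilobytes} KB limit "
                f"expires after {by_bytes:.0f} s, before the {m.sa_lifetime_seconds} s limit")

    if m.trusted_tunnel:
        findings.append("Trusted Tunnel: traffic arriving from the remote network is trusted")

    return findings


# Constructed sample maps (hypothetical names and values, not from the guide).
WEAK_MAP = IpsecMap("branch-to-hq", "IKEv1", 7200, 4608000, pfs="group2")
HARDENED_MAP = IpsecMap("branch-to-hq", "IKEv2", 7200, 4608000, pfs="group14",
                        pre_connect=True, enforce_natt=True)

if __name__ == "__main__":
    for m in (WEAK_MAP, HARDENED_MAP):
        print(f"{m.name} ({m.version}, pfs={m.pfs}): rekey driven by "
              f"{first_expiry(m, 100)} at 100 Mb/s")
        for finding in audit(m, expected_mbps=100):
            print("  -", finding)
```

Run it with your own numbers: at 100 Mb/s a 4,608,000 KB limit is exhausted in about six minutes, so the 7200-second lifetime never comes into play and the branch will rekey on traffic volume; at 1 Mb/s the same map rekeys on the clock instead. Knowing which limit governs matters when you tune lifetimes so that rekeys stay frequent enough to bound the blast radius of a compromised key without saturating the controller with renegotiations.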
Transform Sets
A transform set defines the specific encryption and authentication algorithms used by the dynamic peer. Click the Transform Set drop-down list to select a predefined transform set or a transform set that was manually defined using the Configuration > Advanced Services > VPN Services > Advanced page