Release Notes

crypto-local ipsec-map | Dell Networking W-Series ArubaOS 6.4.x | Reference Guide
| Parameter | Description | Range | Default |
|---|---|---|---|
| | IKEv2 only) | | |
| set security-association lifetime | Configures the lifetime for the security association (SA). | | |
| set seconds <seconds> | In seconds | 300-86400 | 7200 seconds |
| kilobytes <kilobytes> | In kilobytes | 1000 - 1000000000 | |
| set server-certificate <cert-name> | User-defined name of a server certificate installed in the controller. Use the show crypto-local pki ServerCert command to display the server certificates that have been imported into the controller. | | |
| set transform-set <name1> | Name of the transform set for this IPsec map. One transform set name is required, but you can specify up to four transform sets. Configure transform sets with the crypto ipsec transform-set command. | | default-transform |
| src-net <ipaddr> <mask> | IP address and netmask for the source network. | | |
| trusted | Enables or disables a trusted tunnel. | enable/disable | disabled |
| version v1\|v2 | Select the IKE version for the IPsec map. v1: IKEv1; v2: IKEv2 | | v1 |
| vlan <vlan> | VLAN ID. Enter 0 for the loopback. | 1-4094 | |

Usage Guidelines
You can use controllers instead of VPN concentrators to connect sites at different physical locations.
You can configure separate CA and server certificates for each site-to-site VPN. You can also configure the same
CA and server certificates for site-to-site VPN and client VPN. Use the show crypto-local ipsec-map
command to display the certificates associated with all configured site-to-site VPN maps; use the tag <map>
option to display certificates associated with a specific site-to-site VPN map.
ArubaOS supports site-to-site VPNs with two statically addressed controllers, or with one static and one
dynamically addressed controller. By default, site-to-site VPN uses IKE Main-mode with Pre-Shared-Keys to
authenticate the IKE SA. This method uses the IP address of the peer, and therefore will not work for
dynamically addressed peers.
To support site-to-site VPN with dynamically addressed devices, you must enable IKE Aggressive-mode with
authentication based on a Pre-Shared-Key. A controller with a dynamic IP address must be configured to be
the initiator of IKE Aggressive-mode for site-to-site VPN, while the controller with a static IP address must be
configured as the responder of IKE Aggressive-mode.
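
The following is an added example, not part of the Dell/Aruba guide: a small audit script that checks one ipsec-map stanza against the ranges in the parameter table above. It assumes the stanza opens with crypto-local ipsec-map <name> <priority>, that lifetimes are written as set security-association lifetime seconds|kilobytes <n>, that transform-set names are space-separated on one line, and that the trusted option is written as trusted enable; the sample stanza is constructed.

```python
import re

# Limits copied from the parameter table on this page.
SECONDS = (300, 86400)
KILOBYTES = (1000, 1000000000)
MAX_TRANSFORM_SETS = 4

# Constructed sample stanza (not from a real controller); the map name,
# priority, addresses and transform-set names are made up.
SAMPLE = """\
crypto-local ipsec-map site-b 100
  version v3
  src-net 10.1.0.0 255.255.0.0
  vlan 4095
  trusted enable
  set transform-set ts1 ts2 ts3 ts4 ts5
  set security-association lifetime seconds 120
  set security-association lifetime kilobytes 500000
"""

def lint_ipsec_map(text):
    """Return a list of findings for one ipsec-map stanza."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"set security-association lifetime (seconds|kilobytes) (\d+)", line):
            unit, value = m.group(1), int(m.group(2))
            lo, hi = SECONDS if unit == "seconds" else KILOBYTES
            if not lo <= value <= hi:
                findings.append(f"lifetime {unit} {value} outside {lo}-{hi}")
        elif line.startswith("set transform-set"):
            names = line.split()[2:]
            if not 1 <= len(names) <= MAX_TRANSFORM_SETS:
                findings.append(f"{len(names)} transform sets (1 to {MAX_TRANSFORM_SETS} allowed)")
        elif m := re.fullmatch(r"version (\S+)", line):
            if m.group(1) not in ("v1", "v2"):
                findings.append(f"unknown IKE version {m.group(1)}")
        elif m := re.fullmatch(r"vlan (\d+)", line):
            if int(m.group(1)) > 4094:  # 0 is the loopback, 1-4094 are VLAN IDs
                findings.append(f"vlan {m.group(1)} outside 0-4094")
        elif line == "trusted enable":  # the table lists the default as disabled
            findings.append("trusted tunnel enabled: confirm this is intended")
    return findings

if __name__ == "__main__":
    for finding in lint_ipsec_map(SAMPLE):
        print(finding)
```

Lines the script does not recognize, such as src-net, are ignored rather than reported.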
Understanding Default IKE policies
ArubaOS includes the following default IKE policies. These policies are predefined and cannot be edited.