13. IKEv2 site-to-site VPNs between master and local W-7000 Series controllers support traffic compression between those devices. Select the IP Compression checkbox to enable compression for traffic in the site-to-site tunnel.
14. Select the VLAN containing the interface of the local controller that connects to the Layer-3 network. (See Interface A in Figure 49.)
This determines the source IP address used to initiate IKE. If you select 0 or None, the default is the VLAN of the controller's IP address (either the VLAN where the loopback IP is configured, or VLAN 1 if no loopback IP is configured).
15. If you enable Perfect Forward Secrecy (PFS) mode, new session keys are not derived from previously used session keys. Therefore, if a key is compromised, that compromised key does not affect any previous session keys. PFS mode is disabled by default. To enable this feature, click the PFS drop-down list and select one of the following Perfect Forward Secrecy modes:
- group1: 768-bit Diffie–Hellman prime modulus group.
- group2: 1024-bit Diffie–Hellman prime modulus group.
- group14: 2048-bit Diffie–Hellman prime modulus group.
- group19: 256-bit random Diffie–Hellman ECP modulus group.
- group20: 384-bit random Diffie–Hellman ECP modulus group.
16. Click the Route ACL name drop-down list and select the name of a routing access control list (ACL) to attach a route ACL to inbound traffic on the VPN tunnel interface.
When you associate a routing ACL to inbound traffic on a controller terminating an L3 GRE tunnel, that ACL can forward traffic as normal, route traffic to a next-hop router on a next-hop list, or redirect traffic over an L3 GRE tunnel or tunnel group. For more information on creating a routing ACL, see Creating a Firewall Policy on page 371.
17. Select Pre-Connect to establish the VPN connection even if there is no traffic being sent from the local network. If you do not select this, the VPN connection is established only when traffic is sent from the local network to the remote network.
18. Select Trusted Tunnel if traffic between the networks is trusted. If you do not select this, traffic between the networks is untrusted.
19. Select the Enforce NATT checkbox to enforce UDP 4500 for IKE and IPsec. This option is disabled by default.
20. Add one or more transform sets to be used by the IPsec map. Click the Transform Sets drop-down list, select an existing transform set, then click the arrow button by the drop-down list to add that transform set to the IPsec map.
21. For site-to-site VPNs with dynamically addressed peers, enable Dynamically Addressed Peers.
a. Select Initiator if the dynamically addressed switch is the initiator of IKE Aggressive-mode for site-to-site VPNs, or select Responder if the dynamically addressed switch is the responder for IKE Aggressive-mode.
b. In the FQDN field, enter a fully qualified domain name (FQDN) for the controller. If the controller is defined as a dynamically addressed responder, you can select All Peers to make the controller a responder for all VPN peers, or select Per Peer ID and specify the FQDN to make the controller a responder for one specific initiator.
22. Select one of the following authentication types:
a. For pre-shared key authentication, select Pre-Shared Key, then enter a shared secret in the IKE Shared Secret and Verify IKE Shared Secret fields. This authentication type is generally required in IPsec maps for a VPN with dynamically addressed peers, but can also be used for a static site-to-site VPN.
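To tie steps 13 through 22 together, the following is an added Python review script, not part of this guide or of ArubaOS, that checks a constructed IPsec-map record against the choices described above: the PFS group sizes from step 15, the transform-set requirement from step 20, the pre-shared-key expectation for dynamically addressed peers from step 22, and the Trusted Tunnel and Enforce NATT defaults. The IpsecMap record layout is an assumption made for the example; it does not correspond to an exported controller format.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# PFS groups offered by the drop-down in step 15, with their size in bits.
PFS_GROUPS = {"group1": 768, "group2": 1024, "group14": 2048, "group19": 256, "group20": 384}
# group19/group20 are elliptic-curve (ECP) groups; their bit size is a curve size,
# so it is not compared against the MODP threshold below.
ECP_GROUPS = {"group19", "group20"}
MIN_MODP_BITS = 2048


@dataclass
class IpsecMap:
    """Hypothetical record of one IPsec map as configured in steps 13-22 (constructed for this example)."""
    name: str
    pfs: Optional[str] = None            # None = PFS disabled, the default per step 15
    transform_sets: List[str] = field(default_factory=list)
    enforce_natt: bool = False           # step 19 default
    trusted: bool = False                # step 18 default
    pre_connect: bool = False            # step 17 default
    dynamic_peers: bool = False          # step 21
    auth: str = "pre-shared-key"         # step 22: "pre-shared-key" or another type


def review(m: IpsecMap) -> List[str]:
    """Return a list of findings a reviewer would raise; an empty list means no concerns."""
    findings: List[str] = []
    if m.pfs is None:
        findings.append("PFS disabled (default): a compromised key also exposes previous session keys")
    elif m.pfs not in PFS_GROUPS:
        findings.append(f"unknown PFS group {m.pfs!r}")
    elif m.pfs not in ECP_GROUPS and PFS_GROUPS[m.pfs] < MIN_MODP_BITS:
        findings.append(f"{m.pfs} is a {PFS_GROUPS[m.pfs]}-bit MODP group; prefer group14, group19 or group20")
    if not m.transform_sets:
        findings.append("no transform set attached (step 20); the map has no IPsec proposal")
    if m.dynamic_peers and m.auth != "pre-shared-key":
        findings.append("dynamically addressed peers generally require pre-shared-key authentication (step 22)")
    if m.trusted:
        findings.append("Trusted Tunnel set: traffic between the networks is treated as trusted; confirm intended")
    if not m.enforce_natt:
        findings.append("Enforce NATT off (default): UDP 4500 is not forced for IKE and IPsec")
    return findings


if __name__ == "__main__":
    branch = IpsecMap("branch", pfs="group1", transform_sets=["ts1"], dynamic_peers=True, auth="certificate")
    for line in review(branch):
        print(f"[{branch.name}] {line}")
```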
Dell Networking W-Series ArubaOS 6.5.x | User Guide | Virtual Private Networks | 364