331 | crypto-local ipsec-map | Dell Networking W-Series ArubaOS 6.4.x User Guide
You can configure separate CA and server certificates for each site-to-site VPN. You can also configure the same
CA and server certificates for site-to-site VPN and client VPN. Use the show crypto-local ipsec-map
command to display the certificates associated with all configured site-to-site VPN maps; use the tag <map>
option to display certificates associated with a specific site-to-site VPN map.
ArubaOS supports site-to-site VPNs with two statically addressed controllers, or with one static and one
dynamically addressed controller. By default, site-to-site VPN uses IKE Main-mode with Pre-Shared-Keys to
authenticate the IKE SA. This method uses the IP address of the peer, and therefore will not work for
dynamically addressed peers.
To support site-to-site VPN with dynamically addressed devices, you must enable IKE Aggressive-mode with
authentication based on a pre-shared key. The controller with a dynamic IP address must be configured as
the initiator of IKE Aggressive-mode for site-to-site VPN, and the controller with a static IP address must be
configured as the responder of IKE Aggressive-mode.
Understanding Default IKE policies
ArubaOS includes the following default IKE policies. These policies are predefined and cannot be edited.
Policy Name                               Policy Number  IKE Version  Encryption Algorithm  Hash Algorithm  Authentication Method  PRF Method      Diffie-Hellman Group
Default protection suite                  10001          IKEv1        3DES-168              SHA160          Pre-Shared Key         N/A             2 (1024 bit)
Default RAP Certificate protection suite  10002          IKEv1        AES-256               SHA160          RSA Signature          N/A             2 (1024 bit)
Default RAP PSK protection suite          10003                        AES-256               SHA160          Pre-Shared Key         N/A             2 (1024 bit)
Default RAP IKEv2 RSA protection suite    1004           IKEv2        AES-256               SHA160          RSA Signature          hmac-sha1       2 (1024 bit)
Default Cluster PSK protection suite      10005          IKEv1        AES-256               SHA160          Pre-Shared Key         Pre-Shared Key  2 (1024 bit)

Table 6: Default IKE Policy Settings
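As an added example (not part of this guide and not ArubaOS code), the following Python encodes the site-to-site pairing rules from the text above (Main-mode needs two static peers; a dynamic peer needs Aggressive-mode with a pre-shared key, dynamic side as initiator, static side as responder) and a parameter audit that can be run over the Table 6 defaults. The names Peer, check_site_to_site and weak_parameters are chosen here, and the 3DES and DH-group thresholds follow NIST SP 800-131A rather than anything ArubaOS enforces.

```python
"""Audit helpers for ArubaOS site-to-site IKE choices (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Peer:
    name: str
    static_ip: bool  # True when the controller has a fixed public IP address
    role: str        # "initiator" or "responder" for IKE Aggressive-mode


def check_site_to_site(local: Peer, remote: Peer, ike_mode: str, auth: str) -> list:
    """Return the violated rules for a site-to-site pairing (empty list = OK).

    Rules as stated on this page: Main-mode with a pre-shared key identifies
    the peer by IP address, so both peers must be static; a dynamically
    addressed peer needs Aggressive-mode with pre-shared-key authentication,
    with the dynamic controller as initiator and the static one as responder.
    """
    problems = []
    peers = (local, remote)
    dynamic = [p for p in peers if not p.static_ip]
    if len(dynamic) == 2:
        problems.append("only one peer may be dynamically addressed")
    if ike_mode == "main" and dynamic:
        problems.append(f"Main-mode uses the peer IP; {dynamic[0].name} is dynamic")
    elif ike_mode == "aggressive":
        if auth != "psk":
            problems.append("Aggressive-mode site-to-site needs pre-shared-key auth")
        for p in peers:
            expected = "responder" if p.static_ip else "initiator"
            if p.role != expected:
                problems.append(f"{p.name} must be the Aggressive-mode {expected}")
    return problems


def weak_parameters(policy: dict) -> list:
    """Flag IKE policy values from Table 6 that sit below current guidance.

    Thresholds follow NIST SP 800-131A (3DES deprecated, 1024-bit finite-field
    DH disallowed); they are this example's choice, not an ArubaOS check.
    """
    findings = []
    if policy.get("enc", "").upper().startswith("3DES"):
        findings.append("3DES encryption is deprecated; prefer AES")
    if policy.get("dh") == 2:
        findings.append("DH group 2 (1024 bit) is below the 2048-bit minimum")
    return findings
```

Running weak_parameters over the Table 6 rows flags every default on the DH group, which matters because the default policies cannot be edited and a custom policy is needed to move to a larger group.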