| Computer-level authentication with a preshared key to create the IPsec security associations (SAs) to protect the L2TP-encapsulated data. |
| User-level authentication through a PPP-based authentication protocol using passwords, SecureID, digital certificates, or smart cards after successful creation of the SAs. |
Note that only Windows 7 (and later versions), StrongSwan 4.3, and VIA clients support IKEv2. For additional information on the authentication types supported by these clients, see Working with IKEv2 Clients.
| Defining Authentication Method and Server Addresses |
| Defining Address Pools |
| Enabling Source NAT |
| Selecting Certificates |
| Defining IKEv1 Shared Keys |
| Configuring IKE Policies |
| Setting the IPsec Dynamic Map |
1. | Define the authentication method and server addresses. |
2. | In the Mobility Master node hierarchy, navigate to Configuration > Services > VPN. |
3. | Expand IKEv1. |
4. | To enable L2TP, select Enabled from the L2tp drop-down list (this is enabled by default). |
5. | Select an authentication method for IKEv1 clients. Currently, supported methods include: |
| Password Authentication Protocol (PAP) |
| Extensible Authentication Protocol (EAP) |
| Challenge Handshake Authentication Protocol (CHAP) |
| Microsoft Challenge Handshake Authentication Protocol (MSCHAP) |
| Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPv2) |
6. | Click Submit. |
7. | Click Pending Changes. |
8. | In the Pending Changes window, select the check box and click Deploy Changes. |
9. | Expand General Vpn. Configure the IP addresses of the Primary DNS Server, Secondary DNS Server, Primary WINS Server, and Secondary WINS Server that are pushed to the VPN client. |
10. | Click Submit. |
11. | Click Pending Changes. |
12. | In the Pending Changes window, select the check box and click Deploy Changes. |
1. | In the Mobility Master node hierarchy, navigate to Configuration > Services > VPN. |
2. | Expand General Vpn. |
3. | In the Address Pools table, click + to open the Add New Address Pool section. |
4. | Specify the Pool Name, Start address(ipv4/v6), and End address(ipv4/v6). |
5. | Click Submit. |
6. | Click Pending Changes. |
7. | In the Pending Changes window, select the check box and click Deploy Changes. |
1. | In the Mobility Master node hierarchy, navigate to Configuration > Services > VPN. |
2. | Expand General Vpn. |
3. | From the Source-nat drop-down list, select Enabled if the IP addresses of clients must be translated to access the network. |
4. | (Optional) If you enable source NAT, click the NAT POOL drop-down list and select an existing NAT pool. |
1. | In the Mobility Master node hierarchy, navigate to Configuration > Services > VPN. |
2. | Expand General Vpn. |
3. | From the Server-certificate for VPN clients drop-down list, select the server certificate for client machines. |
4. | Click Submit. |
5. | Click Pending Changes. |
6. | In the Pending Changes window, select the check box and click Deploy Changes. |
7. | If you are configuring a VPN to support clients using certificates, you must also assign one or more trusted CA certificates to VPN clients. |
a. | Expand Certificates for VPN Clients. |
b. | In the CA Certificate Assigned for VPN-Clients table, click + to open the Add New Certificate section. |
c. | Select a CA certificate from the drop-down list. |
d. | Click Submit. |
e. | In the Certificate Groups for VPN-Clients table, click + to open the Add New Certificate section. |
f. | Select a Server certificate and CA certificate from the respective drop-down list. |
g. | Click Submit. |
h. | Repeat steps b through g to add more certificates. |
i. | Click Pending Changes. |
j. | In the Pending Changes window, select the check box and click Deploy Changes. |
1. | In the Mobility Master node hierarchy, navigate to Configuration > Services > VPN. |
2. | Expand Shared Secrets. |
3. | In the IKE Shared Secrets table, click + to open the Create IKE Group section. |
4. | Enter the Subnet and Subnet mask. To make the IKE key global, enter 0.0.0.0 for both values. |
5. | Select the Representation type from the drop-down list. |
6. | Enter Shared key and repeat it in the Retype shared key field. |
7. | Click Submit. |
8. | Click Pending Changes. |
9. | In the Pending Changes window, select the check box and click Deploy Changes. |
The IKE policy selections, along with any preshared key, must be reflected in the VPN client configuration. When using a third-party VPN client, set the VPN configuration on the clients to match the choices made above. If the Aruba dialer is used, these settings must be made on the dialer before downloading the dialer onto the local client.
1. | In the Mobility Master node hierarchy, navigate to Configuration > Services > VPN. |
2. | Expand IKEv1. |
3. | In the IKEv1 Policies table, click an existing policy to edit it, or click + to create a new policy. |
4. | In Priority, enter a priority number for this policy. Enter 1 for the configuration to take priority over the default setting. |
5. | From the Enable Policy drop-down list, select Enabled (default value) to enable the policy when it is saved. |
6. | From the Encryption drop-down list, select one of the following encryption types: |
| DES |
| 3DES |
| AES128 |
| AES192 |
| AES256 |
7. | From the Hash algorithm drop-down list, select one of the following hash types: |
| MD5 |
| SHA |
| SHA1-96 |
| SHA2-256-128 |
| SHA2-384-192 |
8. | ArubaOS VPNs support client authentication using pre-shared keys, RSA digital certificates, or Elliptic Curve Digital Signature Algorithm (ECDSA) certificates. To set the authentication type for the IKE rule, from the Authentication drop-down list, select one of the following options: |
| Pre-Share (for IKEv1 clients using pre-shared keys) |
| RSA (for clients using certificates) |
| ECDSA-256 (for clients using certificates) |
| ECDSA-384 (for clients using certificates) |
9. | Diffie-Hellman is a key agreement algorithm that allows two parties to agree upon a shared secret, and is used within IKE to securely establish session keys. To set the Diffie–Hellman Group for the ISAKMP policy, from the Diffie hellman group drop-down list, select one of the following options: |
| Group 1: 768-bit Diffie–Hellman prime modulus group |
| Group 2: 1024-bit Diffie–Hellman prime modulus group |
| Group 14: 2048-bit Diffie–Hellman prime modulus group |
| Group 19: 256-bit random Diffie–Hellman ECP modulus group |
| Group 20: 384-bit random Diffie–Hellman ECP modulus group |
Configuring the Diffie–Hellman Group 1 and Group 2 types is not permitted if FIPS mode is enabled.
10. | In Lifetime, enter a value in the range of 300-86400 seconds to define the lifetime of the security association. The default value is 7200 seconds. |
11. | Click Submit. |
12. | Click Pending Changes. |
13. | In the Pending Changes window, select the check box and click Deploy Changes. |
1. | In the Mobility Master node hierarchy, navigate to Configuration > Services > VPN. |
2. | Expand IKEv1. |
3. | In IKEv1 IPSec Dynamic Maps, click an existing dynamic map to edit it or click + to create a new map. |
4. | In Priority, enter a priority number for this map. Negotiation requests for security associations try to match the highest-priority map first. If that map does not match, the negotiation request continues down the list to the next-highest priority map until a match is made. |
5. | In Name, enter a name for the dynamic map. |
6. | (Optional) Configure Perfect Forward Secrecy (PFS) settings for the dynamic peer by assigning a Diffie-Hellman prime modulus group. A PFS group provides an additional level of security by ensuring that the IPsec SA key was not derived from any other key, so it cannot be compromised if another key is broken. In the PFS group drop-down list, select one of the following groups: |
| Group 1: 768-bit Diffie–Hellman prime modulus group |
| Group 2: 1024-bit Diffie–Hellman prime modulus group |
| Group 14: 2048-bit Diffie–Hellman prime modulus group |
| Group 19: 256-bit random Diffie–Hellman ECP modulus group |
| Group 20: 384-bit random Diffie–Hellman ECP modulus group |
7. | In Transforms, select an existing transform to edit it, or click + to open the New Transform section. |
To view current configuration settings for an IPsec transform-set, access the CLI and issue the command crypto ipsec transform-set tag <transform-set-name>. |
8. | From the Encryption drop-down list, select one of the following encryption types: |
| DES |
| 3DES |
| AES128 |
| AES192 |
| AES256 |
9. | From the Hash algorithm drop-down list, select one of the following hash types: |
| MD5 |
| SHA |
| SHA1-96 |
| SHA2-256-128 |
| SHA2-384-192 |
10. | In Lifetime(seconds), enter a value in the range of 300-86400 seconds to define the lifetime of the security association for the dynamic peer. The default value is 7200 seconds. |
11. | In Lifetime(kilobytes), enter a value in kilobytes to define the lifetime of the security association for the dynamic peer. |
12. | Click Submit. |
13. | Click Pending Changes. |
14. | In the Pending Changes window, select the check box and click Deploy Changes. |
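As an added pre-deployment check (example code, not from the ArubaOS documentation or product), the following Python validates a proposed IKEv1 policy or dynamic-map transform against the option lists, the 300-86400 second lifetime range and the FIPS restriction on Groups 1 and 2 stated in the two procedures above. The `IkeProposal` field names are this example's own, and the legacy-algorithm warnings are general guidance rather than ArubaOS rules.

```python
from dataclasses import dataclass
from typing import Optional

# Option lists exactly as the IKEv1 policy and dynamic-map dialogs above offer them.
ENCRYPTION = {"DES", "3DES", "AES128", "AES192", "AES256"}
HASHES = {"MD5", "SHA", "SHA1-96", "SHA2-256-128", "SHA2-384-192"}
AUTH = {"Pre-Share", "RSA", "ECDSA-256", "ECDSA-384"}
DH_GROUPS = {1, 2, 14, 19, 20}
LIFETIME_RANGE = (300, 86400)  # seconds; the dialog default is 7200

# Still selectable, but legacy choices; flagging them is general guidance, not an ArubaOS rule.
WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_HASHES = {"MD5"}
WEAK_DH = {1, 2}

@dataclass
class IkeProposal:
    """An IKEv1 policy, or a dynamic-map transform (auth None; dh_group is the optional PFS group)."""
    encryption: str
    hash_alg: str
    auth: Optional[str] = None
    dh_group: Optional[int] = None
    lifetime: int = 7200
    fips_mode: bool = False

def check_proposal(p: IkeProposal) -> dict:
    """Return {'errors': [...], 'warnings': [...]}; errors should stop deployment, warnings are advisory."""
    errors, warnings = [], []
    if p.encryption not in ENCRYPTION:
        errors.append(f"unknown encryption {p.encryption!r}")
    elif p.encryption in WEAK_ENCRYPTION:
        warnings.append(f"{p.encryption} is a legacy cipher; prefer AES256")
    if p.hash_alg not in HASHES:
        errors.append(f"unknown hash {p.hash_alg!r}")
    elif p.hash_alg in WEAK_HASHES:
        warnings.append("MD5 is deprecated; prefer SHA2-256-128 or stronger")
    if p.auth is not None and p.auth not in AUTH:
        errors.append(f"unknown authentication {p.auth!r}")
    if p.dh_group is not None:
        if p.dh_group not in DH_GROUPS:
            errors.append(f"unknown Diffie-Hellman group {p.dh_group}")
        elif p.fips_mode and p.dh_group in WEAK_DH:
            # Stated on the page: Groups 1 and 2 cannot be configured when FIPS mode is enabled.
            errors.append(f"DH group {p.dh_group} is not permitted in FIPS mode")
        elif p.dh_group in WEAK_DH:
            warnings.append(f"DH group {p.dh_group} is too small; prefer 14, 19 or 20")
    lo, hi = LIFETIME_RANGE
    if not lo <= p.lifetime <= hi:
        errors.append(f"lifetime {p.lifetime}s is outside {lo}-{hi}s")
    return {"errors": errors, "warnings": warnings}
```

Run it against every policy and transform before clicking Deploy Changes; a proposal with no errors and no warnings matches both the dialog's constraints and current practice.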
1. | Define the authentication method and server addresses: |
(host) [mynode] (config) #vpdn group l2tp
2. | Enable authentication methods for IKEv1 clients: |
3. | Create address pools: |
(host) [mynode] (config) #ip local pool <pool> <start-ipaddr> <end-ipaddr>
4. | Configure source NAT: |
(host) [mynode] (config) #ip access-list session srcnatuser any any src-nat pool <pool> position 1
5. | If you are configuring a VPN to support machine authentication using certificates, define server certificates for VPN clients using IKEv1: |
(host) [mynode] (config) #crypto-local isakmp server-certificate <cert>
6. | If you are configuring a VPN to support IKEv1 Clients using pre-shared keys, you can configure a global IKE key by entering 0.0.0.0 for both the address and netmask parameters in the command below, or configure an IKE key for an individual subnet by specifying the IP address and netmask for that subnet: |
(host) [mynode] (config) #crypto isakmp key <key> address <ipaddr> netmask <mask>
7. | Define IKE Policies: |
(host) [mynode] (config) #crypto isakmp policy <priority>